
Security Strategy

Hacker contest aims for better security

Ethical hackers pit wits to promote network defence best practice

By Robert Lemos

Published: 5 August 2003 05:02 GMT

An ethical hacking contest at the annual DefCon conference in Las Vegas is aiming to promote better security practice.

The Root Fu contest pits eight teams, including some experts from US federal agencies, against each other in a test of network defence and hacking skills. Each team has to defend its own server and applications while trying to break into the servers of the seven other teams.

Crispin Cowan, chief scientist at Linux security seller Immunix and the leader of the Immunix team, said: "This sort of adversarial testing shows what is possible - and not - with security. We value this competition, because we think it is a better evaluation of security than Common Criteria."

Such comments conflict with tough talk from top-level US officials who still look at hackers as a threat. Laws such as the Digital Millennium Copyright Act and the Cybersecurity Enhancement Act have focused on punishing hackers. But knowledgeable security experts see practicing such skills with Root Fu-like challenges as a necessary way to improve security.

Adam Shostack, chief technology officer for security start-up Informed Security, said: "The reality is that you may have hostility at a high level, but the people who know their stuff decided to come."

Each team had to run five web services on a variant of Unix known as BSD. The services consisted of the music streaming application IceCast, a web news portal based on Slashcode, two ads, and a multiuser text-based role-playing game known as FurryMuck. Each team accumulated points for having the applications available. The longer a service was up, the more points its supervising team won. However, each team lost points if a service it was running became compromised.

The game was created and is officiated by the hacker group Ghettohackers. The Immunix team lost a large lead and was caught up by the Anomaly team, which won the competition this week.

Alan Harper, a security engineer with the Defence Information Systems Agency (DISA), said competitions like Root Fu could help others understand that all hacking isn't bad.

He said: "There is an understanding, more and more, of ethical hacking. The technique is the same, but the intent is different. It's not something that we have to hide from our peers at work."

Root Fu - a hackerish name derived from the super user's name on Unix systems, root, and the final syllable of Kung Fu - may have also settled a long-debated point about whether hackers make the best defenders.

Cowan said: "The offensive attackers have been doing the best code auditing. They attack, find the holes and then tell the defenders on the team."

The experience underscores that knowing how to attack systems is a critical skill in learning how to defend them. Others have maintained that you can't trust hackers, but Cowan stressed that it's all about the ethics of the hacker.

He said: "Hacking tools should not be illegal, but if I use them to break into your computer, then I'm a criminal."

Robert Lemos writes for CNET News.com
