To an outsider, it looks like some strange endurance sport. The gymnasium holds 15 competing teams, but as Tyler Nighswander describes it, “everyone stares at their laptops for 36 hours.” Nighswander, a Carnegie Mellon senior studying computer science and physics, is leading a team of CMU students who are defending their three-year title at the world’s largest student hacking contest, called the CSAW Cybersecurity Competition.
The game is called Capture the Flag, or “CTF,” but it’s almost nothing like the summer-camp game of sneaking through the woods at night. Instead, teams must overcome a variety of technical challenges, breaking through layers of cybersecurity guarding a computer server. The online qualifying round drew 722 teams from around the world. At the finals, held on the campus of New York University’s Polytechnic Institute, CMU faces teams from schools with respected tech programs, such as Boston University, Georgia Tech, and the U.S. Air Force and military academies.
Competitions like CSAW don’t make many national headlines, and the competitors themselves represent a fairly small community of experts, according to Nighswander. But they’re on the radar of several industry heavyweights, which sponsor the events: tech giants (Intel, Cisco), defense contractors (Lockheed Martin), and the U.S. Army, Air Force, and Department of Homeland Security, just to mention a few. The challenges are meant to encourage a new generation of cybersecurity experts capable of answering what U.S. President Barack Obama has called a national security crisis. And Nighswander says that several alumni of the CMU team have pursued careers in computer security.
The CMU student-run hacking organization started four years ago with the in-joke name “The Plaid Parliament of Pwning,” or PPP. This top-ranked team competes in more than a dozen challenges per year. Most take place online, with the PPP fielding its full complement of up to 24 students, alumni, and staff. For premier contests, the team competes face to face, traveling to Manhattan, Las Vegas, and even overseas to Russia and Korea. Those events usually limit teams to four or five members.
For CSAW, the group decided to field two CMU student teams. Nighswander leads PPP1, which includes computer science students Maxime Serrano, Alex Reece, and John Davis. The second team, PPP2, consists of Robbie Harwood, Ryan Goulden, Garrett Barboza, and George Hotz, who is a famous young hacker who recently transferred to CMU.
After the computer science students fly together to New York City, they break into their teams when they reach the hotel: From this point until the end of the contest, the two teams are rivals.
In the end, PPP1 wins, followed by PPP2—CMU domination again. After 36 hours of high-pressure competition, the sleepless hackers might be expected to be prickly with one another, but Nighswander says PPP has a ritual that rebuilds camaraderie: “We sleep for a while,” he says, “then we go out to some Korean barbecue place.”
—Aaron Jentzen (DC’12)