Hacking America

Cyberteams duke it out in the World Series of hacking

Sabrina Korber, CNBC Producer
Finding the best hacker in the room

If endurance, skill, and strategy were the only classifications required for an activity to be considered sport, competitive hacking could be the newest "sport" gaining popularity.

With Capture the Flag (CTF) competitions popping up all over the world, it won't be long before such competitions become more mainstream. And though there may not be a draft for competitive hackers yet, corporations of all sizes have spent at least $70 billion on cybersecurity this year, and experts say that number will continue to rise.

Not to mention the unemployment rate for information security professionals is less than 0 percent, guaranteeing jobs for the guys you're about to meet

CNBC gained exclusive access to one team, favored to win the 2013 DefCon CTF title, known among hacker circles as the "World Series of hacking."

The Plaid Parliament of Pwning (PPP) team, made up of accomplished information security researchers from Carnegie Mellon University, graciously let our cameras follow them over three days as they tirelessly worked to claim this most coveted prize.

Night before the competition begins

For the last few weeks I've been corresponding with Tyler Nighswander, 22, the captain of PPP, arranging the details of our shoots and schedule at DefCon, which entry into as press with a camera is difficult enough. Tyler has been exceedingly accommodating and vague at the same time, so I keep pestering him with text messages to find out when we can meet the team for a first round of interviews.

(Read more: Hackers' next target: May be the ball game?)

Original plans to follow defending champions Samurai fell through because of some members' privacy concerns. At DefCon, the self-described "oldest, continuous and one of the largest hacker conventions around," concerns about revealing one's identity are more often the norm rather than the exception. So I was thrilled when every member of PPP agreed to let CNBC be a fly on the wall for a few days.

Thurs., Aug. 1, 5 p.m.

Tyler texts to say that the entire team has already started prepping for the CTF, which begins tomorrow morning at 10 a.m., and that we can join them in their Rio Hotel room.

We walk in to a room full of 20-something college students or recent grads, being careful not to trip over the maze of network cables they've assembled to begin their quest. Needless to say, every scarce outlet in the hotel room is being utilized, leaving us begging for one for our lights for the camera.

We start posing questions to understand what they anticipate over the next three days and why DefCon's CTF title is so coveted, when the prize is merely material.

Max Serrano, 19, the youngest of the competition group, says he wouldn't call himself a "hacker" necessarily, although some people would.

"I just like seeing how things work," he says. "We've done a bunch [of CTF competitions]. I actually don't know how many we've done. It's like double-digit numbers. It's mostly just a fun thing. We learn a lot. Going to competitions is just a huge learning experience because there's always something new that they throw at you."

Carnegie Mellon's hacking team at DefCon Capture the Flag displays a computer rigged with a scrolling neon marquee reading, “MESS WITH THE BEST, DIE LIKE THE REST.”
Source: CNBC

After solving 75 computer problems created by the CTF organizers, Legitimate Business Syndicate, for qualification rounds over the summer, PPP managed to beat out 897 other teams from around the world to become one of 20 competing in the 2013 CTF. (Incidentally, they were the only team to solve all 75.)

All of the members agree that they must be prepared for absolutely anything. But I still don't know what that means in terms of computers and coding.

"For instance, we're preparing shell code for a variety of architectures and different platforms since we're not exactly sure what they're going to throw at us this year," says Ricky Zhou, 23, who is in the competition for the third year.

Despite the rules changing to limit competing teams to only eight people, PPP didn't let that stop them from bringing everyone that is an active member of PPP back home.

"As a team we try to send as many people as possible to Vegas just because it's a fun team trip and not everybody necessarily gets to travel to some of the other competitions," Zhou added.

(Read more: Defense networks vulnerable: Expert)

Just this year, PPP has traveled to Moscow, Seoul and New York, and collected prize money of $20,000 to $30,000, which all goes toward future travel for the team.

Next, we're introduced to George Hotz, 23, who prefers to tell us his name is "Tom Cr00se." (Several months later we learned that Hotz is the infamous one who cracked the iPhone at 17 and asked to use his real name in this article.)

Now, as a new member of PPP, Hotz claims his role is to be the comic relief, which must be true, because the previously noisy room has fallen silent so everyone can listen into the jokes he's going to feed me during his 15 minutes of fame.

(Watch: Hacking America: The CryptoLocker virus)

The Plaid Parliament of Pwning team in their signature T-shirts at DefCon’s Capture the Flag competition.
Source: CNBC

"What do I do? I exploit stuff. OK, so I have a philosophy and it's 'keep hacking elite' and if we have the skills and they don't, we win! You ever read Sun Tzu, 'The Art of War'? You got to know your enemy better than they know themselves. You see they don't all believe me, but I know the architecture's going to be ARM 64," says Hotz, and the room bursts into uncontrollable laughter.

I naively ask why that is so funny and one of them kindly explains that it's impossible for the competition to be based on ARM 64 architecture because it has yet to be released.

After interviewing each of the eight team members—all equally brilliant yet modest in discussing their skills—I turn to Nighswander, PPP's captain, who also led the team to near-victory last year. They finished second after team Samurai, losing their lead in the final hours of the game. I get Nighswander to reluctantly admit this year the stakes are higher.

"There's definitely something on the line in terms of how good a team we are and we beat most people most of the time and this is kind of the final showing where it's kind of—it all comes down to this—sort of. So, it'd be nice to win," he says.

Friday, Aug. 2, 9 a.m.

Just after 8 a.m. we meet team PPP outside the doors of the competition room, they're looking ragged already, having been up most of the night, but tell us they are confident they've prepared all they could for the 24 hours of online competition that's about to get underway.

As the teams get ushered in to get "wired" up, organizers of the CTF refuse to let us in with cameras as many other competitors would be unwilling to be photographed.

I explain we are only focused on PPP and promise to keep our cameras in their corner of the room, but some of the "Goons"—DefCon's name for volunteers willing to babysit press at the conference—still aren't convinced and think we may be assisting PPP in the competition.

After several conversations, just short of getting on my knees and begging, we reach a mutual understanding and are finally allowed in.

With just 20 minutes to go before the competition starts, PPP is clearly on edge. But they still look like the team to beat, donning their "Hacking Team" T-shirts as they bang on their keyboards and nervously tap their feet on the floor. They've also rigged up what I call their "Super Computer" which displays a neon marquee with the message, "MESS WITH THE BEST, DIE LIKE THE REST."

Thomas Samson | AFP | Getty Images

Since this is both an attack and defense CTF, the message is apropos. The objective: While working to infiltrate other teams' servers to capture flags and points, teams are also defending their own server and flags for the win.

Friday, Aug. 2, 7 p.m.

After a solid ten hours at the computer screens, team PPP gathers for dinner and to discuss next steps. With 5,545 points and the lead they tell us they're "content" but not enough to sleep yet.

"We've got two challenges to work on tonight," says Ryan Goulden, 20. "The ones we haven't solved yet. None of the other teams have solved them either and we think we've made progress on those so hopefully tomorrow morning as soon as the competition starts we'll have two new attacks going."

They maintain every team is still in the game at this point but sleepless nights are crucial to maintaining a lead. Especially because the architecture the organizers decided to throw at them is ARM—not one PPP has much experience with.

"We're not getting cocky at all yet," says Alex Reece, 22. "We're going to spend tonight buckling down, trying to make sure we're ready because coming in tomorrow morning, who knows what's going to happen."

Sat., Aug. 3, 7 p.m.

At the end of day 2 and another 10 hours off the clock, the music is much louder and eyes much wearier. When I meet PPP again, I'm impressed with the lead they've managed to hold and capitalize on, but as a team, they're no less relieved by their performance.

In the final minutes, they analyze the competition. "They've been slowly creeping up. Wait, NO! That is a lot, since we didn't go up [in points], we didn't gain any points that round," Serrano tells Hotz.

"We didn't gain any points that round," Hotz acts surprised, then assumes his cool demeanor, "What-ever. We'll deal with it tomorrow."

But this team, nearly tasting victory for the second year in a row, is unwilling to leave anything to chance and has one last sleepless night ahead of them.

We check in with the organizers to get the scoop on the scoreboard.

"Since they've been here, PPP has just shot up to the top of the scoreboard and pretty much remained there," says Vito Genovese of Legitimate Business Syndicate. "They can absolutely hold [their lead], but at the same time we've been telling some of the other teams that are high up on the scoreboard, that this game isn't PPP's game."

Meanwhile, the defending champions, Samurai, are still aiming to unseat PPP. Michael "Borski" Borohovski, Samurai team member and co-founder of Tinfoil Security, says the team's friendly rivalry with PPP is nothing but mutual respect.

He recalls last year's win by a slim margin with PPP in second and holds out hope for a comeback in this year's final round.

"We're not the hottest right now. Tonight's going to be a lot of work, but it'll be fun," Borski says.

I still can't imagine what's so fun about three sleepless nights, and I ask him why all these hackers continue to come back year after year for nothing but an Uber badge and a black leather jacket.

(Read more: Health care exchanges vulnerable to attack)

"The vast majority of security researchers are not working for governments, are not working against each other but are working simply to find flaws in systems," Borski says. "We're all spread out across the country, across the world, and then once a year we come to this mecca of security conferences, if you will, and get to learn from each other. But CTF in particular I continue to play because every single year, I find out just how much I don't know."

Capturing the hacking flag

Sat., Aug. 3, 10 p.m. (final night)

Back in the hotel room, PPP Co-Founder Brian Pak, 24, is fueling up on Red Bull, and to my disbelief, all of PPP claims they really haven't consumed that much of it.

Goulden is explaining an unsolved challenge to Hotz, as he and fellow team member Zhou have exhausted all possibilities of solving it. Fresh eyes are needed.

With just four hours of online competition time left and at least a 4,000 point lead, some members are finally starting to feel confident and anticipate the win.

"It's one of those things where you have a lead," says PPP Co-Founder Andrew Wesie, 24. "So last year we had a lead and then we lost in the last hour, so now we have a lead again and so it's just four more hours to go—is it going to happen again?"

After the awards ceremony

PPP did hold onto their lead to win, racking up 15,048 points, over 7,000 more than the second place team and everyone was thrilled, albeit exhausted.

Despite not receiving any cash (as in other CTFs), they all say the Uber badges (which get them into DefCon free for life) and the black leather jackets grant them bragging rights, which makes it all worth it.

—By CNBC's Sabrina Korber