Darknet Diaries - Ep 43: PPP
Episode Date: July 23, 2019
This is the story about how I acquired a black badge from DEFCON (pictured above). We also hear the story about who PPP is, and their CTF journey at DEFCON.
This episode was sponsored by NordVPN. Visit https://nordvpn.com/darknet and use promo code “DARKNET”. This episode was sponsored by Detectify. Try their web vulnerability scanner free. Go to https://detectify.com/?utm_source=podcast&utm_medium=referral&utm_campaign=DARKNET
Transcript
Okay, so this one time at DEF CON.
See, DEF CON is in Las Vegas, and Vegas never sleeps.
Well, neither does DEF CON.
After the conference ends for the night, the place morphs into a night party.
So after me and some friends spent the whole day at DEF CON,
we went and ate dinner, freshened up, and headed back to DEF CON to check out the scene.
We were told there's this rocking party in this one conference room.
So we all pop in and check it out. It was loud, like really loud. The room was actually quite
small, about the size of a small classroom. On one end of the room was a DJ spinning tunes.
He looked bored as he was doing it. The room had bright red lights everywhere with intense
black lights shining in your face. I looked around. There were, like, me, my three friends, the DJ,
and two other guys in this room.
The two other guys were bumping their heads to the DJ,
but their eyes looked like they were lost in deep thought.
And that was it.
The place was dead.
Pretty much as soon as I came into the room, I knew this.
The music sucked.
The lights were blinding.
I wanted to leave right away.
I scanned the room to look around.
Oh, there's an ice chest over there.
Let's go check it out.
Ah, it's empty.
There's a photo booth in the corner.
No, no thank you.
I told the boys, let's go.
This sucks.
We head for the door.
I take one last look over my shoulder
and I see four girls and two guys
come out of the photo booth.
Now this was a regular sized photo booth,
way too small for six people to fit into it.
The room was so disorienting that I didn't put that together.
And so we walked out and looked for another party.
We ended up going down to the pool and hanging out there.
The next day, my friend told me about this banging party at DEF CON last night.
I was like, where was it?
He's like, oh, it was in this one conference room.
I'm like, I was in that exact conference room and that party was not banging.
He's like, well, did you go through the photo booth? Yeah. The photo booth was the doorway into the actual
party. They staged an entirely fake party just outside the real party to fool me. And I was
properly fooled. What a smokescreen. Why didn't I register that six people coming out of a photo
booth was weird? I don't know, but I feel like this story kind of sums up what DEF CON is like.
It's crazy stuff happening all over right in front of your nose,
but you kind of need the right set of eyes to see exactly what's happening or you'll miss it.
These are true stories from the dark side of the internet.
I'm Jack Rhysider.
This is Dark by Delete Me.
I know a bit too much about how scam callers work. They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online.
Phone numbers, addresses, family members, where you work, what kind of car you drive.
It's endless.
And it's not a fair fight.
But I realize I don't need to be fighting this alone anymore.
Now I use the help of Delete.me.
Delete.me is a subscription service that finds and removes personal information from hundreds of data brokers' websites.
And continuously works to keep it off.
Data brokers hate them because Delete.me makes sure your personal profile is no longer theirs to sell. I tried it and they immediately got busy scouring the internet for
my name and gave me reports on what they found. And then they got busy deleting things. It was
great to have someone on my team when it comes to my privacy. Take control of your data and keep
your private life private by signing up for Delete.me. Now at a special discount for Darknet
Diaries listeners. Today, get 20% off your Delete.me plan when you go to join deleteme.com Thank you. That's join, delete me, dot com, slash the security of your organization, give them a call. I'm sure they can help. But the
founder of the company, John Strand, is a teacher and he's made it a mission to make Black Hills
Information Security world-class in security training. You can learn things like penetration
testing, securing the cloud, breaching the cloud, digital forensics, and so much more. But get this, the whole thing is pay what you can.
Black Hills believes that great intro security classes do not need to be expensive,
and they are trying to break down barriers to get more people into the security field.
And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range,
which is great for practicing your skills and showing them off to potential employers,
head on over to BlackHillsInfosec.com
to learn more about what services they offer
and find links to their webcasts
to get some world-class training.
That's BlackHillsInfosec.com.
BlackHillsInfosec.com.
It's summertime.
You know what that means?
Summer Hacker Camp.
And there's so many stories that come out of Summer Hacker Camp,
and I want to talk about a few.
What's Summer Hacker Camp, you say?
This is what we call the week around DEF CON in Las Vegas.
See, DEF CON is the largest hacking conference in the world,
but there are like four or five or six or 12 security conferences
all happening at the same time that week.
It's just crazy.
First, the week starts out with Black Hat.
Black Hat is a security conference, but it's more geared towards professionals.
You'll see people here wearing the typical business casual attire.
There are a lot of vendors all over the place trying to sell you solutions
on keeping your network more secure.
And of course, there's talks and workshops at Black Hat too. But Black Hat is super expensive. So another
conference started up at the same time that Black Hat is going on, but it's more community-run.
It's called BSides. So while Black Hat is happening, BSides, a security conference,
is happening just a few blocks away, and it's completely free. It's a great place to meet
people and socialize with other security
minded folks. Here the dress is more casual. Cargo pants, t-shirts, that's more common. At BSides
you'll see a lot of amazing talks too from fantastic security professionals. A lot of these
talks are rejected from Black Hat so some are really great and only a handful of vendors are
here so you're not like overwhelmed with people selling you stuff. And I should also mention that
there are security BSides conferences all over the world, and they're all community-run.
So you might want to check to see if there's a BSides in your town
and go to that because it's great.
So now, as the weekend comes, so does DEF CON.
DEF CON is Friday, Saturday, Sunday.
Now, DEF CON at its core is a hacker conference.
The people you see here are sometimes wearing mohawks.
They often dress in all black and have a bunch of electronics
dangling out of their backpacks.
The crowd is younger compared to Black Hat, too. I've run into many high school kids at DEF CON, but I've never seen a high schooler at Black Hat. Yeah, DEF CON has talks, a lot of talks.
There's like tracks all over the place on so many subjects. And there are speakers there who will
show you how they've hacked into so many things. But DEF CON is also big on being hands-on. There
are a ton of villages with all kinds of things to try hacking into.
There's a car hacking village, a picklock village, a voting machine village,
a biohacking village, a social engineering village, and so many more.
Each of these places, you get to learn hands-on how to hack stuff.
It's a fantastic way to learn, and you can spend your whole time at DEF CON
never going to see a single talk because there's so much to do.
DEF CON has vendors, but these vendors are different.
They aren't selling you solutions to keep your network secure.
They're selling you hacks and exploits to break into networks.
Things like antennas, lockpicks, electronics, rubber duckies,
keyloggers, pwn plugs, and so much more.
It's so much fun to wander the vendor hall
and see all the latest tech that you can just pick up for a few bucks
and start practicing hacking in just a few minutes.
Oh, and while at DEF CON, there are many other conferences happening within and around DEF CON. It's weird, but there's Queercon,
Hushcon, VetCon, GothCon, and even Deaf Con, as in D-E-A-F for those hard of hearing.
And there's r00tz, which is a conference just for kids. There's also Diana Initiative, which is a
conference that focuses on women in security careers. So yeah, there's like a dozen cons going on all over town. The week of August 5th in Las Vegas, Nevada is the place to
be for security professionals around the world. I could go on and on about all there is to do at
DEF CON, but what I want to talk about for the rest of this episode are the contests. There's so
many contests at DEF CON too. And here is where I learned the most. I love joining contests with one goal. The goal is to not get last place. If I can beat anyone else, I feel like it's a victory
for me. But let me tell you, it's not so easy to do that. There are contests on cracking passwords,
like who can crack the most amount of passwords in a weekend. And there's writing contests and
beard contests and scavenger hunts and a bunch of trivia contests, and so many more. But one year,
there was a contest I just couldn't ignore. The thing is, I didn't even know it was a contest.
Here's what happened. This was DEF CON 19. The year was 2011. Upon registering into DEF CON,
you're given a little badge. Now, this badge serves one purpose. It's your pass into DEF CON.
Without it, security will stop you and throw you out. But being a hacker con, a paper badge is kind of easy to counterfeit, right?
So the organizers started making electronic badges, ones that had little blinky lights at first,
and then LCD screens. And then one year a badge had a microphone built into it. And eventually these badges became pretty elaborate little electronic devices. People loved it.
But it was kind of a pain to design a cool new electronic gizmo every
year, so the organizers decided to do an electronic badge one year and a non-electronic badge the next.
At DEFCON 19, the badges that were given were simply a solid metal, non-electronic. Some say
it was even made out of titanium. I paid for my ticket into DEFCON and was given one of these
metal badges. It was like a dark gray metallic
looking thing. It was round. It had an eye of Horus cut out in the middle of it and it simply said
H3 on it. No mention of DEFCON on the badge itself, which is kind of weird. The H stood for
human, which is what the standard admission is to DEFCON. Some said V, and that's for vendors,
and some said S, that's for speakers. Some said G, for goon. Those
are the security guards. Yeah, even the security guards have badges. But connected to the badge
was a lanyard. On the lanyard, it said DEFCON 19. And that's the only English it had. But what it
also had was a lot of strings of ones and zeros. These strings were 13 characters long, and there
were 15 strings of these. Now, these ones and zeros weren't printed
here by accident. I knew this was some kind of puzzle, so I started poking at it. Nothing in
my mind is 13 characters long, though. It's not IPv4 or IPv6, not ASCII, not HEX. Hmm.
When you register at DEF CON, you're given a schedule, too. A little black book. I was looking
at the book, and on page 4, something stood out. It said, Hack upon Xylem. For some reason, the way it looked, it had similar
symbols as the lanyard. So I copied all the ones and zeros off the lanyard and put them in a row.
I tried to put the clues together somehow. Strangely enough, Hack upon Xylem also had 13
characters in it. So by arranging it all in the right way,
Hack upon Xylem became the key to unlock what the lanyard was saying. By doing this,
I discovered the hidden message was launch key nopmix. Now I have a launch key. But what's this
for? There was a strange URL in the book with X's in it. I typed the URL with not mix in where the
X's are and boom, it gave me a secret webpage. The secret website said something like, you have
discovered us. We are the brotherhood of Horus. We have accepted your launch code and the sleeper
agents are now active. It went on to say that there are sleeper agents at DEF CON that are
infiltrating Project Xylem and that I must find them and expose them. The website went on to show me 10 pictures of these agents
and each picture looked like a spy took them.
This was getting serious now.
There was a note saying that I was now part
of the Brotherhood of Horus.
I think I just got recruited to help out.
I think this Brotherhood of Horus group
was trying to send a message out to get someone to help
but didn't want it to be too obvious
or the sleeper agents would know.
It was on. I was ready for this. Forget about the talks I wanted to go to. I wanted to play this
game. Time for the next clue. The website told me I had to get an ace of spades and hand it to one
of the sleeper agents, but I have to write the password on the card. And when I give it to the
agent, they will look at the ace of spades. If it's the right password, they'll then give me the inside information I need.
I was told to do this as discreetly as possible, or else the agents will not do it.
Well, okay, this is getting good, but I need a password.
What's the password?
Notmix?
No, that's just a launch code.
I don't want to blow this and try Notmix and it not work.
I think I better look for another password.
The bottom of the pages in DEF CON had a little puzzle. It took me a long time, but I solved what
it said, and it said, find code word ghost. I looked all over the conference for a ghost. I
didn't see one. But there were huge pieces of artwork stuck to the floor of the conference,
giant circles with the words DEF CON on them, but with lots of strange symbols too. One had
Japanese writing on
it. So I stood there and profiled people, looking for anyone who might know like they speak Japanese.
I asked people and eventually found someone who could read Japanese. He told me the Japanese
symbol on the floor said ghost. I found the code word ghost. And this led me to a logic puzzle,
which I had to solve to find another clue.
But I still didn't have the password. At this point, running all over the conference looking
for clues and standing on top of them for 30 minutes at a time, writing things down and asking
people for help, I started finding other people who were solving the same puzzle as me.
So we started trading information. I told them how I solved one thing, and then they would tell me what that password was.
The password was Little Sister.
Excellent.
Me and a friend found an ace of spades, and we wrote Little Sister on it,
and started looking for sleeper agents.
But this was hard.
I was looking for one of ten people in a crowd of 10,000 people.
All I had was their picture, too, not like I can ask for names or anything.
So I stood in the
hallway staring at every person walking by, trying to recognize if any of them matched the faces in
the photos. Nothing. Nobody. And people were a little weirded out by me too, staring at everyone.
Then I met another team solving the puzzle and they told me they just saw one of the agents in
the vendor area. Quickly, I ran down and spotted them. He had a Z on his
badge, which was really strange. At this point, I realized I'm playing an ARG, an alternate reality
game, a game that combines the real world with fantasy, and I was having a blast. I very casually
walked up to him, handed him the card. I said nothing. He looked at the card, looked around for a moment, and told me the code. Candy.
Candy.
That's it?
I typed it into the website, that mysterious URL we saw earlier, and candy worked.
I was supposed to send a message to something.
The something was garbled.
I had the message, but I didn't know where to send it.
So I had to solve this little puzzle to figure out what it was, and it turned out to be an email address. So I sent the message to the email address and somebody responded on the
email, which gave me a next clue. And that clue made me believe that I needed to gather all the
different badges at the conference, stack them up on top of each other. And then that will give me
the key to unlock the code. So me and a few friends started going to every person at the conference looking
at their badge to see if it was one I hadn't seen before or a new one or a different one.
I wanted to see the vendor's one, the human one, the contestant ones, the black badges,
the goon badges. And I took a photo of everyone and I traced it on a piece of paper and I documented
it as best I could every single badge. And this took hours and hours and hours. Finally, I felt
like I got them all traced on a piece of paper. And when I did that, I noticed there were certain notches
in some positions. And so I'm starting to think these notches mean something. The notches are the
key or the code or something. But this is madness. I mean, what kind of key is a bunch of notches in
30 different badges? How do you use that to decipher a string of numbers? I couldn't do it.
My friends couldn't do it. And at this point, it's Sunday now. The conference is almost over.
I gave up. I wouldn't be able to solve this. I've got to go home soon. So I start asking around.
None of the teams have actually solved it. We were all stuck on that same exact last step.
So we grabbed a corner of a conference room at DEF CON and all the teams came together to try
to figure it out. We brought a big screen TV in and started putting all the clues on it and discussing all the
possibilities. And we went over everything we tried with each other. And this gave us new ideas
to try, but those ideas weren't working either. And the conference was pretty much done now. There
were no more talks happening. The place was starting to clear out. It was closing. We were
at the end of our time, but we needed to solve this. So we kept at it, plugging away at this last puzzle.
At this point, there were about 20 of us from eight different teams, all in the same room,
sweating over this puzzle.
At some point, one guy squeaked.
We all looked and he was furiously writing something out on a piece of paper.
And he said, hang on, hang on.
This might be it.
And he wrote out a string.
And just like that, the puzzle was solved. We quickly emailed
the clue in and got a response. Infiltration successful. Congratulations on completing the
badge puzzle. Yes, we all roared with excitement and there were high fives. We solved it. The puzzle
was created by a guy named Lost and he said he'll come to us and give us a reward. We told him we're
in this conference room and he shows up and gives us the prize. A black badge.
It was also made of titanium and looked like the Punisher skull.
Holy cow, the black badge is the most coveted prize at DEF CON.
Only a few contests have the black badge as a reward.
It's like a gold medal for hackers.
And it actually has real value.
Your black badge gets you free entry to DEF CON for life.
Lost handed it to us. We were all smiling and loving this moment. But then he said, but we can only have
one. And we're like, but there's 20 of us. How are we supposed to split one amongst us all?
And he said, well, you'll have to figure that out. Sorry, guys. We were all pretty mad at this
because this is not a puzzle that one person can solve. But only one person gets a prize? It's just not fair.
But that was that. One badge for our group of 20 people.
Well, we agreed which team should get the badge based on their performance,
and they'd figure out something special to do with it.
We all exchanged email addresses, went home.
The next year, lo and behold, that winning team came through.
They spent the year making replicas of the Black Skull badge. It looked the same in every way except it was about three-quarter
size and they printed on the top of it Brotherhood of Horus, which is what we called ourselves during
this challenge. This was a cool little trophy to keep and I still have it right here in front of me
on my desk and I look at it all the time.
So you tell me, did I win the black badge?
I don't think so.
I don't get free passes at DEF CON.
But did I help 1/20th of the way to get the black badge for the team?
Hell yes, I did.
I spent my entire DEF CON weekend on that one puzzle.
And I don't remember a single other thing from DEF CON 19.
But that's what it takes to win these contests. If you're
going to compete to win in a contest, it'll be one of the hardest, craziest weekends you'll ever
experience. Today, the badges at DEF CON have gone nutso. Because people love those electronic
badges so much, people just started making their own badges. Some designate what hacker group you're
with, some designate what city you're from, and others show what skills you have. But most people
wear them because they're just fun. Blinking lights, little video games, swappable parts,
Wi-Fi strength meters. These things add up quick. Many people will just wear like 10 or more badges
around their neck at DEF CON, kind of like collecting them. This is what's called badge life.
So that's the story about how I kind of, sort of, almost won a black badge.
But after the break, we'll talk to a guy who won four of them.
This episode is sponsored by SpyCloud.
With major breaches and cyberattacks making the news daily,
taking action on your company's exposure is more important than ever.
I recently visited Spycloud.com to check
my darknet exposure and was surprised by just how much stolen identity data criminals have at their
disposal. From credentials to cookies to PII. Knowing what's putting you and your organization
at risk and what to remediate is critical for protecting you and your users from account
takeover, session hijacking, and ransomware. SpyCloud exists
to disrupt cybercrime, with a
mission to end criminals' ability to
profit from stolen data.
With SpyCloud, a leader in identity threat protection,
you're never in the dark about your
company's exposure from third-party breaches,
successful phishes, or info-stealer infections.
Get your free Darknet
exposure report at
spycloud.com slash darknetdiaries.
The website is spycloud.com slash darknetdiaries.
Carnegie Mellon is a university in Pittsburgh, Pennsylvania,
and one of the schools they have there is the School of Computer Science.
Here is where they teach IT.
So basically there's a computer research group at Carnegie Mellon, and it was David Brumley's
research group. David Brumley is a professor at Carnegie Mellon who teaches courses on computer
security and has a research group there who does analysis on security threats. And there are a
bunch of people there doing all sorts of interesting computer security research. And one of the
researchers was like, you know,
it would be fun if like I was playing in CTFs or something.
So he's like, oh, you know, maybe I'll look.
He wanted to look around for students to join another CTF team.
CTF stands for capture the flag.
It's a hacker competition.
Basically, whoever is running the competition hides a flag somewhere in a computer
and you have to find it.
And it's not usually an actual flag.
It's like a secret word or something. And it's just to prove that if you know it, then you'll get the points.
But here's the thing. In a hacker CTF, they often tell you exactly where the flag is on the computer,
but you just don't have permission to see it. So you need to hack into the machine somehow to see
it. And this is great fun because it teaches you how to hack with real hands-on experience.
And so one student really wanted to play these and asked his professor, David Brumley.
David looked around for some online CTF teams for the student to join,
but came up with a different idea.
He was like, well, actually, you know, we've got all these like security researchers here.
Like maybe we should just form a team ourselves and kind of see how that goes.
And maybe that'd be more fun.
The CTF team at Carnegie
Mellon was formed. The first big CTF that was coming up they all wanted to compete in was
called CSAW. This is sort of an entry-level CTF, and it only allows students who are undergraduates
to compete. It was at NYU, just a few states over, but the team needed more people to help
and compete. And they're like, oh, we should find some other, like a couple other people that we know who are in security. So then myself and one other person joined up.
Oh, I should mention, this is Tyler we're talking to. And in 2009, he was an undergrad student at
Carnegie Mellon. And he just joined this CTF group. At that time, the captain was a guy called
Brian Pak. And then there were a few other, basically just a handful of other people.
So myself and then like two other undergrads and then a few grad students who were all interested in computer security stuff.
And this team wasn't even studying computer security at this university.
I think we're all studying computer science in general, but happen to be
interested in security things. So that's kind of how it started. So they started studying for their
first CTF, CSAW. And when they went to register to compete, they had to come up with a name for
themselves. So they named it PPP, which stands for Plaid Parliament of Pwning. The school color
for Carnegie Mellon is plaid, which, you know,
one could argue isn't a real color. Instead of doing PPP, it used to be PPoP, Plaid Parliament
of Pwning. And we eventually shortened that. Now the CSAW competition, it was a ways away. So
in the meantime, they began practicing, well, hacking. And I remember one of my friends,
Andrew Wesie, who is one of the first people on the team, he'd basically go and, you know, we'd be, you know, walking around campus or something somewhere.
And he'd just, you know, list off some assembly to me and be like, you know, what does that do?
And I'd have to like sit there and think or, you know, he'd ask me, what's a function prologue look like in x86 assembly or just kind of weird, weird things like that.
For the team to practice, they would sit down and solve some Jeopardy style CTFs.
This is where you're given a challenge to solve and you solve it.
Maybe something like read the contents of this file that you don't have permission to read,
or find the hidden message in this file,
or decrypt these files that you don't have the key to,
or find a way into this web server.
And so the team would try these things and learn all about hacking,
and they got better as they went. So their confidence was building and they were getting better and
better. And then they headed out to CSAW to compete in New York for this CTF. And there were
a bunch of other teams competing, but there were only three questions. You had eight hours to
complete it and there was no scoreboard. So it was hard to know if anyone was doing right or wrong
the whole time. They did their best, submitted some answers,
time was up. So I remember sitting there, you know, at the awards ceremony, and you know, they always
go like third, second, first, and we're like, okay, I hope we did well, I hope we did well, and like they
announced third, and they were like, ah, shoot, like, okay, well, we didn't get third, and then they announced
second, and we were like, oh, that's the team I would have expected to win.
That's weird.
And then they announced first, and it was our team.
And we're like, oh, man.
And we were so excited because we were very much not expecting that.
Whoa, nice.
Their first big win.
Like, they actually won money for this competition.
Something really small, I don't remember.
It was probably like $500 in a plaque.
It was a pretty short-lived celebration
because we had to go back to classes
after the weekend or whatever.
So we didn't get to spend much time doing anything fun.
But we were all super excited
because it was a success for us,
which we weren't even expecting.
But this win wasn't small.
It proved that this small team they formed had big potential.
So they immediately started looking for more CTFs to join and play.
Winning is addictive,
and they were going to as many of these hacker competitions as they could.
One of the things that was kind of funny for our team that we always joked about
is we played in all these really obscure Korean CTFs.
I guess South Korea has always had more of this kind of CTF scene,
or at least in the early days they did.
So Brian Pak, who is the founder of PPP, is Korean, speaks Korean, so he'd find us these kind of weird CTFs and we'd start playing them,
and we'd get all these weird things.
So throughout the year, we were playing all these kind of weird, obscure CTFs where we have to like have him translate stuff because we don't understand what's going on.
And we started doing pretty well at most of those during the year.
So for some of them, we were getting, you know, at least top three or so.
And there are a few other competitions. There's ICTF, which is run by the University of California, Santa Barbara, which is a super
popular one for universities. So we played in that and I think we did okay our first year.
This became their obsession for everyone on the team. CTF, CTF, CTF, all the time, everywhere.
And they were qualifying through online challenges. And then when they'd get accepted,
they'd fly to that place to compete.
New York, California.
Many of these CTFs would pay for their flight
and room and entry if you qualified.
The team wasn't winning all that much money,
but they were still doing really well.
And they were starting to get to know
some of the other teams they were competing against too.
But PPP was doing so many more CTFs than anyone else.
If you looked around
at the time, you know, most of the other teams would, you know, play maybe three competitions
a year, whereas PPP was playing in, you know, like 20 or 30 competitions a year. So it was mostly
just kind of a trial by fire where we're just jumping in and doing all the CTF problems that we could.
And it turns out that that's a really good way to get very good at CTFs.
This student-run team at Carnegie Mellon was picking up some new students, too.
The only requirement to be in PPP was just to be a student and be interested in security.
People were fascinated with what this team was doing, and they wanted to learn hacking, too.
So they'd come by to a practice session and join up.
The team started growing a little bit.
And because of the sheer number of competitions they competed in,
they learned a lot of tricks on hacking and really refined their skills.
They were writing their own exploits, learning classic cryptography and solving ciphers,
and learning how to reverse engineer software like pros.
Let's talk about reverse engineering a little bit.
This is an extremely important skill for these hackers. See, what a typical penetration tester does is scan a computer
for known vulnerabilities. And then when they find that vulnerability, they exploit it using a tool
that someone else already made. But see, here's where these CTFs are different than penetration
tests. Some of these advanced CTFs, you're told to exploit some software to get a flag. But the
thing is, that software was just created specifically for this challenge.
Meaning, it was just created last week, and there's no known vulnerability for it.
Your scanners won't work here.
Your off-the-shelf hacking tools don't work here.
And you have to somehow find vulnerabilities yourself.
And that's where reverse engineering comes in.
Since you can't look at the source code to see what the software is doing,
your only option is to look at the machine code in assembly language.
This is very low-level commands,
like you're almost looking at the ones and zeros going across the wire.
It's not quite, but almost, right?
You're looking at where the data is stored and moved
and how it's changed in the memory,
and then piecing all this together to get an idea of what the program does.
This is what's called reverse engineering. And you use a disassembler like IDA Pro to do that with,
completely taking the software apart and looking inside of it and looking for its flaws. So the
team has to do that on some of these challenges. It's crazy hard, super technical, and intense to
try to get this done within the time allotted. But they kept at it, getting better at it and better at it,
doing CTF after CTF for a whole year,
doing as many challenges that they could.
And one of the big competitions they wanted to compete in
was called CodeGate, which is a really big competition in Korea.
We managed to qualify for the competition
and managed to convince a bunch of our teachers
to give us some time off to travel to Korea to play in a hacking competition.
So we went there and, you know, all of the teams there were kind of like the big names in CTF at the time.
But, you know, especially as university students, we were going there.
These were more like people who were in industry or professionals or things like that.
They get all set up and begin the competition.
I know we were doing pretty well through most of it.
And actually at some parts of the game, we ended up getting, we were like in first for a little bit. But then in like the last, you know, 30 minutes of the 24 hour
competition, the Swedish team managed to solve some something else and they got up to first place.
The end of the competition, it was the Swedish team and then us and then the Spanish team.
But again, you know, for us, like the fact that we even got top three was kind of mind blowing and shocking.
And it was super exciting. And also, in contrast to like CSAW, where it is kind of a bunch of American universities, which is, you know, it's good.
You know, it's tough competition. But this was kind of like felt like the real deal. And then in the end, I don't remember exactly, but I think that the prize
was something like $5,000 or $10,000 in addition to having, you know, all our flights and hotels
paid for to South Korea, which is, you know, a lot kind of sexier than going to New York from
Pittsburgh. Now things are heating up for the members of PPP. To travel to a prestigious hacker
conference, see a lot of the other top CTF teams competing there too,
and to get second place among them?
Whoa, that means this team really does have a lot of potential.
And they're just getting started.
Soon as they got back home, they immediately started looking for more CTFs to do.
So, you know, we basically almost every weekend,
we'd kind of hole up in some building on the corner of campus and we'd work on these competitions for, you know, 24 or 48 hours straight.
And then we go back to class on Monday.
But again, you know, if you think about it, you know, running, you know, 40 hours a week for a year, that's like 2000 hours. So, you know, spending 2000 hours or
something a year on this after a few years, you start to accrue skills pretty quickly.
And that brings us to DEF CON. Remember DEF CON, right? The largest hacker conference in the world
with tons of competitions all over the place. Well, the most prestigious competition at DEF CON is the CTF.
It's the main event. The DEF CON CTF is like the World Series of CTFs. It's the most challenging,
most competitive, and it earns you the most bragging rights of any other CTF.
The team at PPP decided to give it a try. Now, months before DEF CON is a qualification for CTF,
they only accept a certain amount of teams. And this is played online from anywhere in the world.
And you have a limited amount of time to solve the problems
and hack as much stuff as you can.
So PPP gave it a shot to qualify.
I think it was a 72-hour competition.
We played it and we did, I mean, you know,
I'd say we did pretty respectable,
but we ended up in something like 11th or 12th place,
which was kind of shocking to us because, you know, up to that point we had been like doing, you know, top, top five or something
for most of the competitions we played. But one of the things we didn't realize is there was kind of
like this second group of people who play CTFs but only, only play in, you know, DEFCON and a couple other competitions.
So a lot of the people who are in industry kind of didn't bother playing these smaller
contests.
They'd only play DEFCON.
I wouldn't say we got our butts kicked, but we didn't do very well.
Whoa, see what I mean?
Even though PPP was hot stuff winning competitions all over the world, they didn't even qualify for the DEF CON CTF.
DEF CON only accepted like the top 10 teams that year, and they didn't make it.
The teams here are just that high caliber, best in the world at hacking.
And PPP had to go back to practicing.
Around this time, the school year started back up at Carnegie Mellon,
which brought some new students interested in hacking to help.
And with the summer being over, the PPP team was excited to get back into CTFs.
Everyone's always kind of excited after summer to be like,
OK, like this year I'm going to, you know, play CTFs even harder than I did last year.
Things like that.
So they decided to hit up all the same competitions they did the previous year.
They went back to CSAW.
We ended up getting first place for the second time in a row. They did a bunch of smaller online CTFs. But then CodeGate came up
again. And this is the biggest CTF in Korea. Remember last year, they got beat out by that
Swedish team. So this year, they qualified for it and flew to Korea again to compete.
We managed to get first place, which was, I think, $20,000 prize money. So we were quite ecstatic with that.
I mean, kind of early on, our team has had a lot of Korean influence. You know, we had,
we played all the kind of the early Korean CTFs. A lot of the grad students we had in our early
team were Korean. So we've always had like traditions about like going out for Korean
food and stuff to celebrate things. So, you know, we went out and grabbed a whole bunch of food.
And all the other teams, after the conference is done and they break everything down,
they kind of throw a huge party because the conference is a little bit smaller.
So all the CTF teams that played in the conference go out to a bar and, you know, drink and talk about the competition.
And everyone's still kind of dreary from not sleeping,
but excited from, you know, the awards ceremony
and everything that just happened.
So it was just really cool to do that
and just a lot of fun to kind of hang out
and, like, just drink and get to know all the other teams
and eat delicious food and things like that.
This was the biggest victory yet. CodeGate is a very competitive competition and they walked home
with the grand prize of $20,000, which by the way, they saved all this money to use to travel to more
CTF competitions. PPP was definitely making a name for itself in the hacker competitions,
but they still wanted a shot at competing at DEF CON.
Winning that would be a dream come true.
So they kept practicing CTF after CTF,
doing as many competitions as they could.
At this point, it was kind of like,
maybe not a CTF every single weekend,
but it was getting close to it.
So, you know, we had done so many CTFs that it's
like, you know, when the last time that you played in a competition is like two weeks ago or the week
before, you're not very rusty. You're like, I'm at, you know, I'm in pretty good shape to play this.
Many of these CTF competitions lasted like a full 24 hours or 48 hours or even 72 hours.
And the team had to learn how to manage their time effectively to perform best during this time.
For instance, they'd have their food all picked out and ready to go just so they can grab it and keep going.
They had to figure out other interesting logistics to keep them going the whole time.
DEF CON qualifications came around again and PPP gave it a shot.
This time they did much better and did qualify.
Yes, now they're on their way to the most prestigious hacking conference in the world.
So we were finally ready to actually make it to DEF CON.
Now, unlike the CSAW and CodeGate hacker challenges,
which paid for the PPP's flights and hotels, DEF CON didn't pay for anything.
But it's okay because they had a decent amount saved
from all the winnings of their other competitions. But another thing that's different about the DEF CON
CTF is that this one isn't Jeopardy based, where you have to find the clues. This style is called
Attack Defend, which was not something PPP had much experience at. DEF CON is just like completely
different. You know, it's pure attack defense. There's no, none of this jeopardy,
like, you know, sit and relax and think about a problem for a long time. Everything is kind of
hectic and like everything's on fire and you know, you're in Vegas, which honestly kind of sucks.
So it's like, everything's kind of like, everything's kind of different from what we
had been used to with, like, you know,
you go into a room and there's like quiet music in the background and you sit and stare at your
computer screen thinking for a long time. DEF CON is very much like, you go in, everything's loud
and there's bright lights, and you have to work as fast as you can before someone breaks into your
server and starts breaking stuff.
Yeah, in the attack defense style of CTFs, other teams are trying to hack into your computers, and you have to block them from getting in. And at the same time, you have to attack their servers
to see if you can exploit them. So the general setup for DEF CON, or most attack defense CTFs,
is all the teams are running a set of network services, you know, up to 10 or something.
These network services might be a web page
or an FTP server or an email server.
And each of these network services,
any team that's playing in the competition can talk to them.
And you have to find the hole
by analyzing the code that was given, you know, for your service.
So you look at your own thing
and you need to find all the security holes in it,
or as many as you can,
and use those to start exploiting other teams.
And when you start exploiting other teams,
you can kind of inject backdoors
or kind of do whatever clever tricks you can
to make yourself stay inside of their system
no matter what they do.
And as they're doing this,
you have to pull out some data from their system
in the form of a flag, which is basically just kind of a single file
that will stay on disk and then rotate every five minutes or so.
Every five minutes, you want to prove that you have access to the system
by continuously stealing the contents of that file.
And then simultaneously, you need to defend your own network, either by patching your services, by analyzing network traffic, anything like that,
so that you can prevent other teams from using the same attacks that you're trying to develop
against you or any other attacks that they find. So this puts a whole new twist on the CTF game
style. Now you have to strategically think which teams to attack, when to attack them,
how to attack them. Like, it's probably better to attack yourself first, learn how you're vulnerable, and
then use that vulnerability against another team, and at the same time try to figure out how to
defend yourself from that vulnerability. And if you do it this way, you're very quick in and out of
the network before they even know it. But here's the other aspect you have to consider. Any team
that is attacking you, you can sniff their incoming packets and try to see how they're attacking you. From here,
you can sometimes steal their vulnerabilities because they just showed you their hand.
So we were playing and during DEF CON, because it's attack defense, you have to look at
network traffic. So things that other teams are sending over the network to your machine.
And one of the things we saw was like some clear version of a backdoor.
So, you know, sometimes after a team exploits a challenge, they'll put in, in addition to their exploit, which gets them a flag, they'll put in something that will persist after their exploit terminates and keep sending the flag back. So we saw something and it was like installing a crontab
entry. A crontab entry is a command that's just set to run at a certain interval. So maybe every
five minutes it checks to see what's in a file and then sends the contents of that file to that
team. So we were like, oh, this looks interesting. But we went to our machine and we did like crontab -l
or whatever to list our crontab.
And it was like, okay, there's nothing here.
They didn't pull us with this, so we're fine.
But as we kept going throughout the day,
we realized that we were definitely getting exploited
on that service and we had no idea how anyone was doing it.
So we kept looking and looking. and we couldn't figure it out.
Eventually what happened was it turns out they did add a crontab entry,
but after they put in the malicious code for the backdoor,
they put in a raw carriage return,
and then they put in, like, no crontab entries found or something.
So if you cat the file, it'll read out the, you know, the exploit will get displayed.
But then the carriage return will bring the whole thing back to the beginning of the line.
And then over the exploit, it'll print, you know, no crontab entries found.
So if you just cat the file, you don't see anything.
But if you cat the file and pipe it to like a hex dump,
then you'll see like there's a whole bunch of other hidden stuff inside of there.
You see how crazy this is getting? You're in a room with some of
the best hackers in the world attacking your systems like crazy, and they're doing everything
they can to hide the fact that they're hacking into your box. And there's a feeling you get when
you find out hackers are in your computer. It's crazy stressful and intense. The blood rushes from
your face when you find out someone else is in your computer, even if it is just a competition.
Tyler was kind of upset that this team was sneaking
backdoors into their server, so they wanted to do some sort of payback. They watched the network
traffic for that team and saw that whenever they would grab a flag, they had a server open and ready
for listening for incoming flags. So Tyler had a plan.
And we started sending Giga columns. So basically compress, you know, a gigabyte of null bytes,
which will compress down into like, you know, a few kilobytes of compressed data because it
compresses very well. And then we'd send that to their server that was listening for flags.
And then, you know, on their end, they're going to decompress this like
gigabytes and gigabytes of stuff and try to submit it as a flag.
And it actually started bringing down their internal infrastructure for getting these flags and sending them off to the server.
So not quite perfect payback, but it was still pretty funny.
Oh, now there's some sabotage going on. I love it.
The other team thought they had captured a flag
and spent a bunch of time trying to unzip this file,
but it was just a large junk file that Tyler sent them.
And it just wasted their time
and ended up bogging down their systems.
Brilliant.
So this gives you a little idea
of what's going on in the DEF CON CTF.
Yeah, it's kind of like every second
there's like something new going on
where someone's like,
wait, like, which version of the binary did we do? Did patch this one? Like, what is this network traffic? This looks like an
exploit. Um, so the whole competition kind of goes like this. So it goes on as a three-day competition.
Um, so by the end of it, we're kind of exhausted, and the scoreboard's kind of open the whole time,
so we can see that, I don't know what we got our first year, but like seventh place or something. Kind of no hope. Pretty early on it was pretty clear that we were getting,
uh, getting screwed on that, that event.
Bummer. Seventh place. It means nothing. There are only
prizes for first place. I mean, how many more CTFs and practicing does this team need to do to win
this thing? But I guess they're just college kids after all, and still have a lot to learn. So back home to Carnegie Mellon they went. The new school season started up, which
means more people joining PPP, and again they make their rounds to all the CTFs for the year.
They go compete in all the ones they can pretty much every weekend again, dedicating another year
to CTFs. But this time they focus on things that will help them prepare for DEFCON. So the year
goes by, and the DEFCON qualification comes up again.
PPP tries and qualifies.
They fly out to Vegas again to compete, but they didn't do so great.
They got something like fifth place that year.
So they have to wait another year, back to doing another 20 CTFs in the year,
back to Korea to compete, back to California, back to New York,
and then back to Pittsburgh to practice.
So then DEFCON comes up again, PPP qualifies, and they head out to Vegas for the competition.
This year, you know, some combination of like being more relaxed about the competition or
the organization running more smoothly or whatever, we were like doing super well.
So I think at the end of like the first day, we were already in first place. The end of the
second day, we're still in first place, maintained our lead. So we're
like, we're like, oh man, like, we're finally, like, finally we're gonna win DEF CON. This is like, this
is, this is great. Like, we've been working on this for so long. So we're like, we're up at night, we're
like, okay guys, we just gotta like keep, keep doing what we're doing, don't screw anything up, we totally got this in the bag.
So then, you know, last day we go in, we're running through stuff, and just before the end of the competition, like, it was either like an hour before or like 30 minutes before or something,
the team that was in second place manages to solve some, some weird
challenge that we didn't even look at because we only had eight people. And they managed to
solve that challenge, and they shot up past us, and they won the competition, and we got second.
And then we, we were like talking to them afterwards, and we learned that they're, I mean,
you know, they, they had a lot of good people on their
team and everything, but their team was actually a group of 80 people. So literally eight times
more people than we had and they beat us, but they only beat us barely. There was no limit on the
size of your team that year, but PPP had a taste of blood in their mouths. They were so close to
winning. They knew if they practice a little more and they come back again, they have a really good shot at winning this. So another year of
hardcore practicing, more analyzing of binaries, more practicing of machine code, more learning
cryptography, more reverse engineering. One of the other people on our team, Ricky Zhou,
he went to high school with George Hotz. They both went to high school in New Jersey together.
So they actually kind of knew each other.
So, you know, George ended up at Carnegie Mellon for a little while trying to study stuff.
So, you know, we were like, we quickly were like, OK, you need to you need to play CTFs with us.
Like, trust me, you'll love it. It'll be lots of fun.
Whoa, George Hotz? You remember this guy, geohot?
At 17 years old, George unlocked his iPhone.
When you buy an iPhone, it's set to a specific carrier.
Yeah, well, George jailbroke it so he could use any carrier he wanted.
You might be thinking, big deal, I've jailbroken my iPhone too.
Yeah, but George was the first person ever to do it, ever.
Well, the first person to publicly admit to doing it.
And that made huge news. Then a few
years later, George reverse engineered the PlayStation 3 and was able to read and write
memory within it. And this was a monumental feat. Those things were locked down really tight.
And again, this made news, so much news that Sony actually sued him for doing it, which created a
huge backlash against Sony. So now this famous hacker is there at Carnegie Mellon,
and the PPP really wanted him on the team.
And George joined.
He's just a really fun and hilarious guy.
So, you know, as soon as he shows up to our team meetings,
it's like, you know, it's really exciting because he's like,
he totally goes all in for the CTFs.
So, you know, like he's, you know, like most of the people that do well at CTFs,
you know, part of it is just like being able to sit and concentrate on a really difficult problem
and do that for extended periods of time. And he was, you know, he's just very good at doing that.
So, you know, we'd have some problems where I think we had some like some problem that was
like some really hard crypto problem that I think during the competition,
like no team solved. This was just some random competition we were playing in the year.
And, you know, that was the problem that he was working on at the end of the event. And he was
like, like, you know what, screw this. Like, I'm going to go back to my room. I'm going to lock
the door. I'm going to keep working on this problem until I solve it. And, you know, that
was kind of his attitude
for a lot of these things.
Okay, so this was a great boost for PPP.
Now, with a few new teammates,
more practice under their belts,
they headed back to DEF CON
for their fourth attempt at the competition.
They have their food orders all on a spreadsheet
and two helpers just running around
getting them the things they need
so they can focus more on just hacking
as much as possible.
And they made sure to get a hotel room at the conference so that they didn't have to
spend any time driving around.
And they even got rooms as close together as possible.
We try to get a suite to have all of our teams so they can work in a single place instead
of having to work across, you know, a few different hotel rooms or sitting on like a
bed in someone's hotel room.
So Tyler, now the captain of PPP, and the team is feeling better than ever
to compete. And what they also liked that year was the team size limit was set to eight people.
They think this was to their advantage. The team is prepared to spend as many waking hours as
possible throughout the entire DEF CON weekend to attempt to win this contest. It takes a toll
on their body each time they go through it. Yeah, I mean, most people are kind of, they kind of know that, you know, if we're going there, you know, they're prepared to lose a lot of sleep and drink a lot
of caffeine and all that. So they begin the competition. They see a lot of the same teams
and faces that they've known before. Some Korean teams, some American. These are the top teams they
were expecting to see. And at this point, we're starting to understand their attack style and
defense style a little more. Tyler thinks some of the other teams might even be sleeping in
shifts. There's always a group hacking while another group is sleeping. Now, you never know
what kind of operating system the organizers will have you hacking on. It could be Windows,
it could be Linux, it could be Unix. But when the contest started, all the servers were using ARM.
My computer and your computer runs using x86 architecture. That's just what desktop computers use in their processing.
But ARM is like what cell phones use or microcontrollers.
It's just a bit weird.
It meant they were on computers that they hadn't really written many exploits for or understood really well.
But Tyler thought this might be to their advantage.
One of the things that our team usually tends to be good at is kind of like obscure, weird things.
So like if it's like ARM or MIPS or like just weird architectures that people kind of don't see every day, that tends to benefit our team more than others.
We went into it and kind of right away on the first day, kind of right out of the boat, we started winning. So we kind of
shot up immediately and we were like, okay, this is, you know, this is a good start.
PPP is looking good on day one. There are a lot of game mechanics you have to think through the
whole time. So like the contest shuts down at night and the conference room doors close,
so you can't hack other people at night. So what the teams do is they take these puzzles upstairs into the suites and try to find exploits
all night long, offline, basically.
What if you find an exploit right before the room is going to close?
Should we save this for tomorrow or should we throw it now?
Because if we start attacking people with it now, they'll have more time to analyze
the network traffic overnight.
But also, you know, if we wait tomorrow, maybe other teams will find the same bug
overnight. So there's kind of all these all these kind of weird game theoretic questions.
There's lots of strategy that has to go on.
I've heard from a lot of people that some teams don't like to throw exploits at us because they're
worried that we'll find the exploit and turn it around and throw it back at them real fast.
And similarly, you know, we usually don't throw exploits against the top teams
until we've thrown it against the teams we think are weaker for, you know, maybe 30 minutes.
And then we'll start to throw it against everyone.
Day two now begins, and they have a few hours of sleep and are ready for the caffeine
to carry them through the day.
Now, I've talked to a bunch of organizers
and players of this DEF CON CTF,
and let me tell you,
there's so much craziness
that goes on during these things.
It's bonkers.
For instance, one year,
one person from a team
hid under the desk of another team
to listen in on the chatter
and the exploits they found.
And another story I heard
was that one team snuck an Ethernet cable
into another team's router so that they could be on the same network and try to hack
into things that way. The stories are endless and all the shenanigans that go on during the
competition. And most of this kind of hacking is allowed. Really the only thing you can't hack
are the organizers. So day two completes. The scoreboard shows that PPP is still in the lead,
but now the scores are hidden. So they don't know how much of a lead they have.
And on day three, the scoreboard is completely hidden, so nobody knows who's in the lead.
The contest ends on Sunday, and the scores are tallied.
The team goes to the awards ceremony where the winners will be announced.
You know, we just sit down and kind of go through all the competitions,
and we're mostly just kind of exhausted and nodding off to
sleep during the whole ceremony because we haven't really slept in a few days.
All right. Hi, I'm Gynophage from Legitimate Business Syndicate. First place will receive eight black badges. In third
place, we had raon_ASRT. In second place, we had the Men in Black Hats. And in first place, we had PPP, the Plaid Parliament of Pwning.
You know, we were expecting it because, you know, we'd worked pretty hard.
We were doing well.
But it was just kind of a ridiculous feeling after working for so many years.
You know, because this is, you know, year four of doing CTFs and like
year three or something of doing DEF CON, you know, we'd put in so much time and energy into
working at this competition that it was like a relief isn't quite the right word, but it's a
mixture of, you know, relief and excitement and happiness. They went on stage to receive their
awards. All eight of them got their own black badge. Even geohot got one. After like a few hours, you know, we're just kind of like,
you know, all sitting around and like looking at each other and we're like, you know, just kind of
like nodding at each other. Like, yeah, like, I guess, I guess we finally did it. Like, shit,
like, you know, we finally, finally made it and finished first in the competition.
In my mind, this means that you threw your hat in and said, we want to prove that we're the best hackers in the world.
Anyone who wants to challenge us can come here and challenge us.
And you proved it.
Do you feel that way?
Yeah. I mean, I think one of the kind of cool things for us was also, you know,
most of the teams that were playing and that had won kind of previously
were kind of these big groups of professionals.
So, you know, people who work, you know, doing IT security
or doing like working at defense contractors, doing security or like,
you know, kind of like the real honest to God, you know, people who do this for a living.
And we came in as, you know, basically a group of kids. We just kept working our butts off until
we could get there. And then, you know, to have this, this kind of real win, kind of like, on, you
know, there's no way anyone can question it. When you win DEF CON CTF, it's kind of like, well, you know,
if you got, you know, if you beat everyone else there and you were beating everyone else and
all the other CTFs, like, you are just the best team.
When I, when I go in there and I look around, I don't know why I don't see NSA hackers or some serious black hat hackers that are just like, look, we're going to totally smoke these guys.
They've got no chance in hell.
How come I don't see those competitors?
I can guarantee you that they are there, having talked to some of them.
So there are definitely people from those groups who are there.
Sometimes they like to stay up in the hotel rooms rather than be downstairs where people are taking pictures and stuff.
It's not like the whole might of the NSA is up against you or something, because that, that's a little different. But it is absolutely, people who, you know, work for, you know, governments are there, and people who, you know, there are, there are people who did, you know, black hat hacking for, for a living who are there. It's not, you know, it's not like,
that's probably not the, the majority of people, but it's not an insignificant proportion of it.
You see what I mean here? Tyler and his PPP team proved they are the best hackers in the world,
openly, in a fair contest for anyone else to challenge them. And they beat out people from
the NSA, Google, Microsoft, the Koreans, the Russians, you name it. Not only did they beat
them here at DEF CON, but they beat them all over the world and hundreds of other CTFs they played along the way.
PPP was number one.
But now the team, well, of course they feel good,
but they have these new skills
and they've been doing so many CTFs
and they're like, hey, let's not get rusty here.
Let's keep it going.
We've already won in 2013.
Let's try again in 2014.
So they go back to DEF CON to try to defend their
title as the best hacking team in the world.
Yeah, okay, so we won, we won 2013, 2014. We lost 2015. We
were hoping to get three in a row.
Bummer. They couldn't get three in a row, but they decided to
try again. They go back again in 2016 and win the DEF CON CTF then. And they go back again in
2017 and win first place again that year. And they really, really wanted to win three in a row,
but they ended up getting second place last year in 2018. At this point, PPP has won the DEFCON CTF
four times. That's four black badges for Tyler. That is the current record for anyone or any team for
number of black badges from DEFCON. PPP is the only one with four wins. Tyler and PPP will be
competing this year again at DEFCON 27 to try to prove once again their team is the best. And then
they plan to go on to try to win three in a row from there. They've already made a legacy, but now
they're trying to become legends. But their story just boggles my mind in so many ways. Like Tyler's been to DEF CON
nine years in a row now. And the only thing he's experienced there ever is CTFs. Like he's never
seen a single talk or wandered through the villages or did any workshop or even go to any
parties during DEF CON.
The one kind of exception was, so not this year or the year before, but the year before that, me and a couple of other people from our team were participants in the DARPA Cyber Grand Challenge, which was like the big machine CTF thing that DARPA ran.
So a couple of us participated in that with a company, and we won first place in that, and then moved on to the CTF and got first place in
that as well.
Now I should point out the people who participate in these CTFs get a ton of job
offers. And of course the winners also get even more job offers. I mean, who wouldn't want to
hire the best hackers in the world or even the hackers who came in the top 10. So this has been
an amazingly great thing for all the members of the PPP's career. Winning a DEF CON black badge
is just solid gold to have on the resume. I even saw the NSA one year at DEF CON set up a booth and were
actively recruiting people. And their booth even said, if you've won a black badge, please come
talk to us. And another really cool thing that PPP did was they made their own CTF. It's called
picoCTF. And you can play it anytime in the world. It's on picoctf.org. You don't even need
a special computer. I've played through it. It's great fun. And I learned a lot along the way.
You basically are given a set of little puzzles and you have to try to solve each one. Starts
you out with easy challenges and you work your way up to the harder stuff. It's designed for
colleges and high schools to get students to learn how to do security and hacking. And since it's
backed by Carnegie Mellon, it's played by many schools around the world.
If you want to get started with hacking,
I highly recommend going to picoctf.org
and start playing around in their CTF.
I guess one other kind of fun fact is that
my wife and I actually met on the CTF team,
which is fun too.
She participated on the team?
Yeah, so she joined the CTF team in 2013
as a master's student at Carnegie Mellon.
And we started dating and she's
continued to play CTFs with the team.
And then we got married a year ago, so
that's exciting.
That is really cool. Yeah, so this has changed your life dramatically, being
on PPP and, and competing at DEF CON. Like, everything about your life has changed just because of that
ride.
Yeah, yeah, I mean, it's pretty weird. Like, my, my job is basically due to that, 'cause I, you know, I work at a security company that has, I have to sit down and count,
but like several other people from PPP are also part of that company. Um, and my wife is,
I met from PPP, and yeah, it's a, it's, that's kind of a inundated with reminders of CTFs.
You've been listening to Darknet Diaries.
Thanks, Tyler, for telling us your story.
Good luck at DEF CON this year.
I'm going to DEF CON this year, too.
And hey, if you're listening and going, too, let's meet up.
I've got a number of meetups going on there.
Here's where I'll be.
Thursday, August 8th. During the day, I'll be poolside at Mandalay Bay
hanging out with my friends from CMD.
And CMD is inviting you to come hang out with us too. But there are a limited amount of people I
can get in. So sign up at darknetdiaries.com if you want to come hang out with me there.
Then again, on Thursday night, you can find me at the LINQ at the 3535 bar. Come on over and we'll
hang out there and get drinks. Nothing else is going on Thursday anyway, so let's do this.
Then Friday night, I'll be partying with the folks from ToorCon,
up in the chandelier room in the Cosmopolitan from 8pm to 11.
You're all invited to come too. Let's have drinks there.
My schedule is going to be posted on darknetdiaries.com,
so don't go blowing up my text trying to find where I am.
Just look for my whereabouts there and you'll find me.
This episode was created by me, the Binjitsu White Belt, Jack Rhysider.
Theme music is by the Ba-p bup bup Breakmaster Cylinder