LAS VEGAS--If everything goes as planned, for 72 hours next February hackers from all over the United States will hit targets across the Internet in the largest mass attack to date.
But the affected systems won't be corporate Web servers or networks, they'll be computers set up and maintained by other hackers as part of a capture-the-flag game. When the digital dust clears, the team from either the East Coast or the West Coast will be named winner.
"We have people take over someone's box and play the game from there," said "D.D.," a member of the Seattle-based security group Ghetto Hackers, which kicked off a smaller version of the game, Root Fu, at the Defcon hacking convention here on Friday. "In terms of our machines, we are pretty confident that we can contain it." The Ghetto Hackers have run the smaller capture-the-flag-type game, where eight teams hack each other on a closed network, for three years at the convention.
Next year, the group of hacking hobbyists hopes to take the game global. Dubbed Mega Root Fu, the new game will be the first large-scale hacking contest played over the public Internet. The group is allowing teams throughout the United States to sign up at its Web site and hopes to have a thousand players come February.
Getting the teams on board will likely be the easy part, especially with the group advertising the contest at the nation's largest hacking convention. Preventing the game from spilling over to the Internet may not be as simple. The Ghetto Hackers plan to create a network separate from, but running on, the Internet, using routing and encryption technology known as a virtual private network, or VPN.
The prospect of mass attacks by hackers, surprisingly, does not worry security experts much at all.
"It will pretty likely be contained," said Bruce Schneier, a well-known computer security expert and founder of network-monitoring service Counterpane Internet Security. "Sure, it's possible that some stuff will get out, but people are not going to be doing large-scale, uncontrollable attacks, like worms or viruses."
In fact, the contest could help security experts learn more about online attackers' techniques and how to defend against them.
Last year, the University of California at Berkeley teamed up with the Information Sciences Institute at the University of Southern California and the ISI's sister institute in Virginia to start work on a large, 1,000-node network that modeled the Internet. Called the Cyber Defense Technology Research (DETER) network, the initiative will let researchers study online attacks and defenses and reset the network to a clean state easily.
"It's a pretty interesting experiment that they are trying," said Doug Tygar, professor of computer science and information management at the University of California at Berkeley and a principal researcher on the DETER Project. "I hope they are very careful about containment and being ethical."
Tygar added that though the contest could be an interesting learning experience, it would likely not be very valuable to academicians.
"We are interested in repeatable scientific experiments of what will happen on the Internet," he said. "What they are doing is interesting, but I'm not sure how controlled it will be."
Legally, the contest will be in a gray area, said Jennifer Granick, clinical director of Stanford University's Center for Internet Law and Society. If a virulent attack escaped the virtual private network and caused damage, it could be grounds for a lawsuit.
"Theoretically, it is possible that you would be legally negligent," Granick said.
The pursuit of the larger project may mark the evolution of the Ghetto Hackers capture-the-flag contest away from Def Con. The current eight-team format does not allow more amateur hackers to play, said Jeff Moss, the conference's founder and organizer.
"This is the longest that we have had one group do the capture-the-flag event," he said. "It used to be that any of the attendees could walk up and play."
The contests have also garnered support from nonhackers, who see it as a good outlet and not as a threat.
"I think it is very hard to shut this type of activity down, and I don't think that would be desirable at all," Berkeley's Tygar said.