As hackers go, CMU students in it to win
You know all that stuff that keeps you up at night — paying the bills, wanting a raise, buying a bigger home or a nicer car?
George Hotz, among the world's best known computer hackers, doesn't share your concerns.
It's a little odd, he acknowledges, to think that becoming the first person to break into and alter an iPhone was easy but that holding down a 9-to-5 job seems unfathomable. “It's a little defect in your mind that makes you want to sit there and stick it to the machine all night,” he says.
Hotz, 23, a sophomore at Carnegie Mellon University from Glen Rock, N.J., now plays as a member of CMU's capture-the-flag team, going up against computer researchers around the world to break code and find guarded information.
Played for skill and prize money, the games have real-world implications for everyone.
Twitter this month said hackers compromised 250,000 user accounts. Attacks kept customers from accessing accounts at PNC Bank and other U.S. banks. The New York Times and other media outlets said the Chinese hacked their websites and top U.S. military officials have warned the Department of Defense cannot protect itself.
Often vying against competitors who work in defense industries, CMU students ranked first in the world in 2011 but slipped last year to second behind a team from Russia that — as Hotz will tell you — maintains the online rankings.
After graduation, some of the students plan to work in computer security research or to write software. Breaking into other people's code can help them avoid similar mistakes, says Alex Reece, 21, a senior from Orlando who lined up a job to write software for a San Francisco-based data management firm.
“Because I played the role of the attacker so much, I'm aware of these common weaknesses,” Reece said.
Hackers often divide themselves into the good, who seek vulnerabilities to patch before someone can exploit them, and the bad, who try to scam victims and steal money. The truth is, they all fall into a gray area, Hotz says. He follows his own Golden Rule: Do unto others... and don't be a jerk. “There is no objective morality,” he says.
Wearing a black sweater, blue jeans and duck boots, Hotz opens his wallet and flips out a fake Northwestern University ID that he created to get into football games and the library when he lived in Evanston, Ill. but did not enroll in classes.
So this time he's committed to graduating from college?
“Who said I'm getting an undergraduate degree?” he says with a comical indignity. “I'm just here (at CMU) to chill.”
On a wintry Tuesday late-afternoon, Hotz sits in the “Cluster” — an oval-shaped room in The Gates Center for Computer Science at CMU. White marker boards cover the walls, and graffiti covers them: Detailed drawings of a mermaid, a dragon and the man in the moon, next to complicated-looking algorithms and code diagrams.
“You can log out anytime you want but you can never leave,” someone has scrawled near the top of one wall where it cannot easily be erased.
Hotz and about a half-dozen others play Minecraft , a computer game popular with middle-schoolers that allows players to create their own universe by building homes and landscapes. The CMU students play an altered version that allows them to add nuclear reactors.
Reece sits on the floor, a backpack at his feet and an Apple laptop sitting precariously on his knees as he leans against the wall.
Hotz breaks things to see how they work. Using the online name “Geohot,” he was at age 17 the first person to hack into an iPhone so that owners could choose their cellphone carrier and add content. He did it, he says, to focus on something after his girlfriend dumped him.
Two years later, he cracked into Sony's supposedly unbreakable PlayStation 3. Like the iPhone hack, he posted a video online showing how to do it. This time, however, the game-maker sued.
Under the banner of a “Free Geohot” campaign, hackers retaliated. They shut down Sony's websites and broke into its systems to take millions of customers' personal information. The company issued an alert and eventually settled with Hotz, who had nothing to do with the attacks and condemned them.
Reece prefers to make things. He writes software and plans for the future. Playing Minecraft, he jumps up shouting gleefully, bouncing around the room in glasses and a faded black CMU hooded sweatshirt with a dragon, the School of Computer Science mascot, on the front.
He, too, started with computers at an early age. In middle school when he wanted to buy the video game Halo, his father, a CMU grad, put up a challenge: If Reece was mature enough to write the code for a game of Connect 4 that would beat his mother, he could buy Halo. He worked for a year on the program before his father relented. By then, however, young Reece was hooked — and he successfully wrote the code a few years later.
On CMU's capture-the-flag team, each player brings unique skills.
The team leader, Tyler Nighswander, 22, a senior from Hamden, Conn., lives on the second floor of a brick and frame house off campus. Next to his unmade double bed, he turned an Ikea table into a scientist's workshop. Capacitors sit in a row across the back of the table. Each cylinder holds the energy equivalent of a baseball moving at 70 miles per hour, and he has 10 of them hooked together. In his free time, Nighswander built an electronic magnet to crush a Coke can.
Across the room, a desk holds a computer and three flat-screen monitors: One displays a running list of comments from team members; another shows the Internet; the third sits vertically for reading scientific journal articles.
Nighswander recently wrote a journal article explaining how someone with $2,500 in equipment could disrupt GPS systems. Manufacturers, he says, are supposed to be working on a patch.
In the common room next door, packing boxes sit on the floor where they were torn open two years ago. Near the end of a once-fancy but now well-worn couch with blue flowers and birds sits a canister of liquid nitrogen that Nighswander says he keeps for physics experiments.
These men — along with about 20 others and at least two women — make up the Plaid Parliament of Pwning , the name of CMU's capture team. Pwning in techie parlance means total domination and comes from mis-typing “owning.”
They play most capture games online, but top teams get together several times a year, using sponsorship money to pay for travel and prizes. The Plaid Parliament won more than $100,000 in the four years since it formed.
Nighswander, who joined as a freshman, traveled for games to South Korea five times, four times to New York and twice each to Moscow and Las Vegas.
Among the hundreds of teams around the world that play, China fields one team and Israel has none. “The obvious conclusion is that they do not want to let other people know how good they are,” Nighswander says.
Why do the students play? “For fun,” Reece shouts from the back of the room where the team gathered one Friday night.
To dominate, says Hotz: “I like the competition.”
Nighswander enjoys the “street cred” among the other teams: “We're pretty proud of our reputation.”
The CMU team wants to start passing on its skills. It plans to host a national high school competition in April and May. Many of the CMU players started young and they see the advantage of giving others a venue to explore hacking skills.
“It's difficult to find a place where it's legal,” Reece says.
Andrew Conte is a staff writer for Trib Total Media. He can be reached at 412-320-7835 or firstname.lastname@example.org.