Carnegie Mellon Hacks and Cracks its Way to Win at DEFCON 22

Byron Spice | Monday, October 13, 2014

Carnegie Mellon University demonstrated its cyber prowess by winning the “Capture the Flag” and “Crack Me If You Can” contests at DEFCON 22, one of the world’s largest annual computer security conferences.

Carnegie Mellon’s computer hacking team, the Plaid Parliament of Pwning (PPP), took first place for the second consecutive year in the Capture the Flag (CTF) contest, with a score of 11,263, more than 3,400 points above the second-place team. Globally, hundreds of teams battle throughout the year for one of 20 slots at DEFCON’s CTF competition, which has been called the “World Series of Hacking.”

CTF competitions are computer security war games in which teams solve complex problems by engaging in web hacking, binary reverse engineering, forensics, cryptography and other activities.

“Our team competed against universities and also against large defense contractors. This win is a huge accomplishment for our team,” said team adviser David Brumley, an associate professor of electrical and computer engineering and technical director of Carnegie Mellon CyLab. The PPP team qualified for DEFCON for the last three years, and won first place in 2013 and 2014. This year’s competition was Aug. 7–10 in Las Vegas.

The PPP team is part of CyLab’s Undergraduate Computer Security Research group, and it consists of 35 members from the College of Engineering and the School of Computer Science. At DEFCON 22, the team was limited to eight current and former students: George Hotz, Ryan Goulden, Tyler Nighswander, Brian Pak, Alex Reece, Max Serrano, Andrew Wesie and Ricky Zhou. The final scoreboard is at https://legitbs.net/2014/, along with replays of the attacks over the entire contest.

“Our first day was a bit rough, but once we got in the swing of things we were able to take the lead pretty quickly,” said Nighswander (CS ’14), now a graduate student at the University of Waterloo. “I think teamwork is really what gave us an edge and let us work so efficiently together.”

Brumley, Nighswander and other members of PPP were recently featured in a Washington Post article about the ethics of hacking and the controversies surrounding “cyberoffense” research.

A second CyLab team, simply named “cmu,” won the Street Division category in the “Crack Me If You Can” contest. In this two-day event sponsored by KoreLogic Security, teams exposed or “cracked” encrypted passwords.

“The students leveraged what they had learned from our research studies to develop their winning strategy,” says Lorrie Cranor, professor of computer science and engineering and public policy and director of Carnegie Mellon’s CyLab Usable Privacy and Security (CUPS) Lab. “It is remarkable for a first-time team to win this competition.”

For More Information

Byron Spice | 412-268-9068 | bspice@cs.cmu.edu