“MMM Wins The Superbowl Of Hacking!” But Just Who is MMM?

David Brumley
August 24, 2023

I know the secret story behind a group of some of the most skilled hackers in the world. Let me tell you how they came to be. 

By day, they run Google Threat Analysis for China, find and exploit browser zero-days in Pwn2Own, work on super-secret national security projects, and are founders of leading security companies.

Once a year, the world’s best are invited to a full-spectrum offense/defense contest to see who the best is. It’s run by hackers for hackers in the backroom of DEFCON. That contest has been dominated seven out of the last twelve years by one set of people with a common heritage.

Let me tell you that story. 

PPP: Carnegie Mellon’s CTF Team

It started in 2010 at Carnegie Mellon University in Pittsburgh, PA. 

A young undergraduate named Brian Pak was “interviewing” to play with competitive CTF teams. The CTF “interviews” were completely merit-based: can you hack the hardest to hack things? Brian has a huge growth mindset, and he saw people doing amazing things and wanted to be part of it. 

When I heard Brian was doing this, I asked him a question: “You’re here at CMU with amazing talent. Why not start something here?” I couldn’t know at the time how much that question set the course for creating a dynasty of hacking legends. 

Brian thought about it, got some friends interested, and created their own team. They called it Plaid Parliament of Pwning (PPP). PPP had pretty immediate success. Just one year after founding, they were ranked #1 in the world. After all, CMU does have a pretty talented student body and curriculum.

Original PPP founders Brian Pak (first captain) and Andrew Wesie

Brian thought about how to ensure the long-term success of the team. When he graduated from CMU, he did something very smart: he handed over the reins of a very successful team to someone new. The new team captain was Tyler Nighswander, who continued to direct the team.

Of course Brian still played, but this gave the next generation the chance and responsibility to keep building. When Tyler graduated, he appointed a new team captain, and so on to this day. Kind of like the Dread Pirate Roberts legacy in The Princess Bride.

Left is Tyler Nighswander, who Brian made captain after he graduated, and right is Ryan Goulden, co-captain after Tyler. Erye Hernandez, lead for Google’s China Threat Analysis Group, shown in the back.

PPP has two membership rules. First, to be an official member, you must be a CMU student or alum. Second, you need to show up, put in the time, and try your best.

But at DEFCON, you can only compete under one name. The various teams that spun off from PPP made a decision: choose a name that represents all of them. 

Who is MMM?

It’s now 13 years later, and PPP has tons of alumni. And those alumni have gone on to ask the same question Brian had to think about, and created their own teams with new names. 

For example, Brian Pak and PPP alumnus Andrew Wesie co-founded the company Theori, and created “The Duck” for employees and friends to play. They of course still play with PPP, but “The Duck” is now their local team. PPP member Robert Xiao graduated and is now a professor at the University of British Columbia (in HCI, not security!). He created Maple Bacon to grow the security community with UBC students.

Who is MMM? MMM – the Maple Mallard Magistrates – is the result of growing those communities. At DEFCON, MMM is the result of a decision that the best way to be inclusive was to create a new name for that group of communities.

I still catch myself talking about MMM as though it was PPP (I’m a proud father after all), but it’s not. So when I say “PPP has won 7 DEFCON championships with 56 black badges”, what I really mean is the people in PPP have grown multiple new communities, and those communities have gone on to create their own world-class cyber experts. 

One of the things I like to think about is how you can have an exponential effect. PPP has done that. The original PPP community begets newly interested students, which begets new leaders, which begets even more communities. That’s an exponential effect. At some point members of The Duck or Maple Bacon will go on to form their own teams.

And it begins with someone having the courage to say “I will start something here.”

Mindy Hu, a current CMU MS student, joined PPP/MMM this year.

Robert Xiao, PPP member and founder of Maple Bacon, is now a professor at University of Calgary.

Erye Hernandez, PPP member, leads Google’s Threat Analysis for China.

What full spectrum cyber combat actually looks like at DEFCON CTF ‘31. 
