The Wireless

In the hackers' world

17:28 pm on 11 November 2013

Though Wellington is the second-biggest city in Aotearoa, aside from a few joggers, teenagers off to their retail jobs, and a council worker grimly hosing down the pavement outside a nightclub, it is startlingly still on Saturday mornings.

But not this Saturday morning.

It’s just before nine o’clock and hundreds of people are gathered in Pigeon Park on Manners St, shuffling their feet and clutching takeaway cups of coffee. Most are men, wearing black hoodies or slogan tees or black hoodies over slogan tees, and aged between their late twenties and mid-forties; many have hair far longer than is the norm or the fashion of the day.

If you don’t know what they’re waiting for, it’s easy enough to find out. The supposed taboo of not wearing a band’s T-shirt to their gig doesn’t seem to apply here, with a significant proportion of those gathered wearing the event’s official merchandise before doors have even opened. It’s testament to the community that has formed around Kiwicon, New Zealand’s annual hacker conference.

I am here in my capacity as a professional curious bystander, as is no doubt painfully obvious from the Windows ’95 baseball cap I borrowed from my flatmate for the occasion. He’d assured me that it would be a “conversation starter” – and, unlike my initial plan to wear my hair in Princess Leia buns and open all interactions with “Mac or PC?”, one that would not be perceived as my shunting a middle finger at a subculture that is already notoriously wary of journalists.

I can’t blame them. Hackers get a bad rap in the media, depicted as wilfully destructive and malicious, even when their primary goal is to improve security. (Later, on day two of the conference, an Australian federal policeman pauses mid-presentation over a stock image of a man wearing a balaclava and a wrinkled shirt, holding a laptop. “Because that’s what all hackers look like,” he says; everyone laughs.)

“White hats” are ethical hackers who target an organisation’s information systems so as to determine their robustness under attack – sometimes for money, but sometimes just because they’re there. You’ve got to break stuff to fix it.

But a hacker disclosing a security vulnerability so that it can be fixed runs about a 50 per cent chance of being reported to the police – and an even higher chance of having to explain, at length, what the problem is.

As “Pipes”, a security consultant involved in the organisation of Kiwicon, said last year in response to mainstream media coverage of the Work & Income kiosk security breach: “It was really hard to tell whether they legitimately did not understand what happened, or whether they were finding better ratings by taking the twist. I suspect it was the latter. It’s why I tend to avoid talking to the media.”

It’s this lack of comprehension, and suspicion on both sides, that saw Police Minister Judith Collins ridiculed for comparing hackers to “burglars” in April this year.

“Yes, some hackers break the law,” says the Kiwicon programme. “Lots of hackers don’t. … The Kiwicon audience spans from corporate and government types, thru [sic] infosec industry, the wider tech sector, students, academics and onwards into space cadets, conspiracy theorists, nutters, freaks, and goths. So pretty much like life, then.”

This is the seventh consecutive year of the conference, and, with about 800 tickets sold, it’s the biggest yet. Many of those here today are wearing hoodies and T-shirts from Kiwicon 6, Kiwicon 5, even Kiwicons 2 and 1. Later, I ask a crew member, smoking on the Opera House balcony, if he thinks this is the old-timers’ conscious effort to separate themselves from the “n00bs”. (I don’t actually say “n00bs”.)

“I think people are proud,” he says. “We just like them. I’m only wearing my [Australian security conference] Ruxcon hoodie because the Kiwicon ones are dirty.”

The mascots of Kiwicon 7: The grass mud horse and the sheep Photo: Unknown

This year’s shirts bear a cartoon of an alpaca and a sheep – a nod to its Chinese theme. The alpaca is the “grass mud horse”, a made-up creature born out of obscene wordplay between Chinese “netizens” on forums, which has become a memeish symbol of defiance of Internet censorship in that country. The sheep is both a long-time emblem of Kiwicon, and pun on the Mandarin word for “foreigner”.

The conference’s slogan is given in modern standard Mandarin, and means both “Kiwicon strongly supports Chinese netizens (against their government)” and something far more crude. “Perhaps don’t wear it out to lunch with that innocent-looking Chinese linguist from the bureau that you’re into, or that silver fox of a cultural attaché,” the programme suggests.

The usual signs about turning off cellphones before entering the Opera House auditorium take on a new significance at a hackers’ convention. My iPhone is already switched off, with flight mode switched on, and I left my payWave credit card at home.

I’ve been warned not to use the ATMs in the vicinity of the Opera House, which is reiterated, sort of, by the organisers: “The Crue regrets that it cannot publicly congratulate anyone who makes said ATMs jackpot in honour of Barnaby Jack [the late hacker, who became known for making ATMs spew out cash].”

At first, I think I’m being paranoid, but I have no idea what the people around me are capable of, and it makes me, if not afraid, definitely uneasy. When I check my Twitter interactions later that day, I see someone using the #kiwicon hashtag tweet gleefully about the number of “unsecured networks” in the area, and I swiftly turn flight mode back on.

From where I’m seated, at the back of the auditorium, I can see about 15 women; two are either side of me, and from Radio New Zealand. One woman, who is alone, makes a beeline for us in a room full of empty seats. Safety in numbers, I guess.

We’ve been sitting in the stalls for about 10 minutes when the lights dim, and the thrash metal that’s been playing over the sound system is replaced by a dial-up tone. The curtain lifts to reveal, on the stage, lit by red spotlights, a five-piece band, which bursts into action.

A few whoops aside, the audience sits in appreciative (or, at least, polite) silence as the head-banging vocalist repeats “I am big brother” and the guitarists. The heavily-tattooed drummer is not wearing a shirt. It’s not yet 9.15am.

“There’s not many places you can find hacker-themed thrash metal,” observes Adam Boileau, or Metlstorm, cheerfully as he bounds onto the stage to “welcome the combined badasses” of Kiwicon 7. The MC of this year’s event, he is tall and bearded, with long black hair tied in a ponytail that reaches down his back, and the easy, oddly confronting confidence of a stand-up comedian.

Adam 'Metlstorm' Boileau Photo: Unknown

Metlstorm outlines the fire safety policy – “Please attempt not to die” – and the earthquake policy, which is much the same. He gestures to the “high rollers”, seated in the Opera House boxes either side of the stage. “They are better people than you because they have more money,” he says. “Please acknowledge them as such.”

Thomas Lim, the self-described “godfather of Chinese hacking”, takes to the stage. Though Metlstorm has just said the bar upstairs will open at noon, Lim is drinking a beer. It’s now about 9.30am.

With “Disclaimers” glowing white on black on the screen above his head, Lim tells us that, if we have a problem with his presentation, we should complain to him, not the organisers.

“They have no f…ing idea what I’m going to say.”

Kiwicon 7 is off with a bang. I whimper.

*

“A little bit of paranoia goes a long way.”

Speaker Denis ‘Dol’ Andzakovic of Security-Assessment.com intends it as a reminder not to rely on off-the-shelf security software, but it could almost be the tagline of the conference. Dr Peter Gutmann of the University of Auckland begins his presentation on cryptography with, “They really are out to get you.” Who are? Get what?

It’s tempting to take such warnings with a generous heaping of salt: many of the speakers, like Andzakovic, are in the business of identifying and fixing vulnerabilities in corporate systems, and as such stand to benefit from the perception that there are real, persistent threats in cyber space.

Plus, at least one person at Kiwicon believes 9/11 was an inside job; I know, because I interrupt the Australian technology journalist Patrick Gray mid-conversation with him.

But it can’t all be chalked up to big talk and conspiracy theories, if only because those present are hyper-literate in the field; they’d know if the wool was being pulled over their eyes, even if your correspondent doesn’t.

I shouldn’t be surprised at how little I understand of what’s going on, but I’m struck by how many of the hackers sound, to me, like parodies of hackers. Andzakovic talks a bit like Q in Skyfall, as though he’s reciting an script full of colloquialisms (“just joshing y’all … de nada … ‘Fortress Kickass’”) and jargon designed to at once befuddle and impress the layman, at a breakneck pace.

Big reveals met with a collective groan, and punchlines that raise belly laughs across the auditorium, prompt no spark of recognition. Pythons, Doritos and beef are referred to, but I understand just enough to know not the snakes, chips, or meat. Even the references to Mario Kart, Austin Powers and Wayne’s World (including the ‘Bohemian Rhapsody’ scene, in its entirety), thrown in to enliven the Powerpoints, don’t make matters clearer.

'conners on the Opera House balcony Photo: Unknown

Being one of a few women in a room full of men is also a jarring experience. The small number of women in hacking, and ICT in general, is a concern for the community. This year, as in past years, a “Girl Geek Dinner” was held in association with Kiwicon the night before the conference to give female attendees “a chance to meet each other at a convivial, less, uh, dude-filled event” (at which “Miley Cyrus’ boobs” and “StarCraft” are given as examples of typical Google searches).

But one woman says on Twitter on Sunday night, after Kiwicon has wrapped up, that it was the “most sexist con I’ve been at” [sic], and likens it to the National Party in that “women [were] welcome if they fit into its culture”, but no changes would be made on their account. (She later retracts the comment, and deletes the tweet, after Kiwicon organisers contact her to discuss the issue.) Another agrees, saying that “despite the daily reminders not to be a dick, there were several times I felt slightly uncomfortable”.

Though I’d been warned to expect the male gaze on high-beam, the few occasions I do feel ill at ease at Kiwicon are an internal response to being so marked a minority, and could only have been alleviated by a more even gender balance. Without exception, everyone I speak to is friendly and helpful, even when it becomes clear I’m a journalist.

And, I’m told, the numbers are improving. Aurynn Shaw, one of the three female speakers (out of about 30), estimates about 20 per cent of this year’s turn-out are women. “There was a queue for the ladies’ bathroom yesterday,” she tells me with enthusiasm.

But what strikes me most about Kiwicon is how, though there may be black hats and white hats, an awful lot seems to be left deliberately grey.

There is an instructive element even to presentations bookended by legal disclaimers and grounded in hypotheticals...

Though every speaker is at pains to make clear what is and isn’t above board (including, at one point, a discussion of the intricacies of the Crimes Act and what, exactly, constitutes blackmail), there is an instructive element even to presentations bookended by legal disclaimers and grounded in hypotheticals: “One could…” “It’s possible to…” “In theory…”

Barf, from Christchurch, gives a talk on the security of unmanned aerial vehicle systems that asks the question, “If Iran can down a US drone, why can’t we?” He outlines obliquely, but not opaquely, how one might go about using a “jamming device” to block a GPS device – in theory, of course: “Jamming is almost certainly illegal in New Zealand, so we’re definitely not condoning it.”

But even though particulars of screenshots are redacted, Barf stresses how easy it is to access the technology, even that which is illegal in New Zealand or the US, and it’s unclear whether that’s presented as an issue to be fixed, or a hint where to look.

“You can buy jammers straight from China – free shipping, even. And that’s a concern.” Especially, he adds, because some GPS devices have what he terms “security of life” purposes. Like… planes?

Later, of another piece of kit, he says: “You can buy this from Noel Leeming and get FlyBuys on it. That’s pretty cool.”

AmmonRa, also of Christchurch, shows the conference how to access members of the public’s personal information – name, date of birth, email, phone number – and add to your bus fare balance through vulnerabilities in Christchurch’s Metrocard system. (The website has been taken down since Radio New Zealand and The Wireless broke the story.)

Though AmmonRa hasn’t used those details for malicious purposes – he reported the flaw to the governing organisation – it doesn’t mean others won’t. He ends his presentation with a piece of advice for Metrocard users: register it online before a hacker does it for you. He pauses.

“But if your hat is of a darker colour … and you’re from Christchurch, this might prove useful to you on the way home.”

When I run into him later, I ask AmmonRa how long it would take a hacker who had seen his presentation to access those details. He shrugs. “A couple of hours’ work?”

Sure, the presentations on vulnerabilities and how to secure them are helpful for those who are in the business of preventing hostile attacks – and many, if not most, of the hundreds present won’t have both the technical skills and the inclination to take advantage of that instruction. But my (perhaps naïve) guess is that some will.

But as my friend Keith Ng points out later, when I articulate my unease to him, “The very act of talking about a vulnerability at a con renders it (mostly) inert. One you talk about it, it gets fixed. So, you’d only ever talk about it if you have no interest in exploiting it. They have a culture of responsible disclosure – all of the speakers contacted the relevant vendors first, and gave them a chance to fix it prior to presenting it. With a few exceptions, the things that people live demo’d weren’t exploits, and the exploits that were shown weren’t live.”

A desire to test boundaries out of a pathological curiosity seems common of all hackers, regardless of hat colour. “You’ve got to try these things, right?” asks AmmonRa, of his exceeding the maximum balance on the smart card by hundreds of thousands of dollars. “‘Hey… I wonder if… Let’s see how far I can take this,’” is how Tom Eastman articulates the thought process that led to the thesis of his presentation on serialisation formats. There’s an almost academic interest in pushing technology to the limit to see what breaks, and sharing the findings.

It also seems fair to say it’s partly grounded in ego. It’s clear that there’s immense satisfaction to be had from pulling off a stunt that no one else had the brains to think of, or the balls to attempt – not to mention the respect, if not the outright adulation, of the hacker community, at least for two days of the year.

These elastic ethics crop up again and again at Kiwicon, and though the FAQ seems rather laissez-faire on the subject (“Some of the techniques discussed could be used to break the law, so it is your individual responsibility to ensure that you comply with the law, and utilise your powers for good, not evil”), the organisers seem to genuinely and uniformly disapprove of wilfully destructive behaviour, seen as a prime violation of the conference’s number-one rule, “Don’t be a dick”.

The audience, too, frowns upon views malicious activity. A member of the Australian Federal Police’s CyberComms Unit is literally applauded for his presentation on how he caught and prosecuted a destructive hacker known as ‘Evil’, resulting in a two-and-a-half-year prison sentence.

The impression I have, as an unabashed and blatant tourist, is that the theory and practice of hacking go together: you can’t show “how to prevent it” without at least a bit of “how to do it”. It seems that, for most hackers, the satisfaction is not in pulling apart the fabric of digital society and culture as we know it, but in finding a hole that no one else has caught – and before it gets too big.

By Kiwicon’s end, I am wearing a black hoodie over a slogan tee, and I am significantly more paranoid about the privacy of my online presence – though still not exactly sure as to why, and what’s at stake. But chalk it up to an absence of curiosity, or a reluctance to bend the rules: I have no desire to swap my Windows ’95 hat for one of a darker colour.