There were dragons. Everywhere.

Handle:
volty

IRL:
Joe Hemmerlein

Rank:
Security Grunt (aka Security Program Manager)

Likes:
Quality engineering, diverting things from their intended use, processes and tools

Dislikes:
Meat, speed limits, getting up in the morning

Guten Morgen! Joe Hemmerlein hier vom Microsoft Security Response Center (MSRC). I just returned from Germany earlier this month, where I spent some time mingling with security researchers. It's customary that we share a bit of our experience at security conferences right here, on the EcoStrat blog - and this is my first posting.

Outside temperatures were around the freezing point in Berlin during the 26^th Chaos Communication Congress (26C3), which is organized by the German Chaos Computer Club (CCC) and considered to be the European Hacker Con.

It’s only natural that physical borders start to blur when hackers from all over the world come together to participate in such a unique happening – 4 days and nights between Christmas and New Year – to work on projects together, give and attend talks, and have fun while suffering from collective deprivation of sleep. There is strong consensus that the latter is fought best through the influence of Club-Mate (dubbed "hacker soda" by some) which is a carbonated Yerba maté-based drink brewed in Germany. Club-Mate is the prime ingredient in the venue’s most favorite cocktail, Tschunk. This year’s conference motto, "Here Be Dragons", is a reference to historic seafaring folks who explored the unknown looking for new continents, treasures, and maybe even dragons.

The focus this year was on wireless telephony, net neutrality, the Internet protocol, and some cryptography – certainly relating to areas where Microsoft is active, but without any specific focus on our products. The titles of my personal top-five talks were Using OpenBSC for fuzzing of GSM handsets, cat /proc/sys/net/ipv4/f ¦ckups, Exposing Crypto Bugs through reverse engineering, WikiLeaks Release 1.0, and Security Nightmares; the latter of which was presented in German and simultaneously interpreted for non-German-speaking folks! Sessions could also be watched via a stream or listened to via the internal telephony system thanks to the 26C3 Phone Operation Center.

The recipe of communication seasoned with chaos to taste, and baked into the form of a Congress, again resulted in a unique blend of talks in the categories of society, hacking, making, science, culture and community. These categories merely give you an abstract idea of how diverse the field of hacking can be; contrary to common belief, hacking isn’t exclusively about breaking, it’s more about approaching the world in a curiously creative manner and a holistic view of how stuff works (or fails). Loads of hackers and häcksen, the latter being a German pun on the words hacker and hexe (which is German for witch), were just waiting to demonstrate and work on projects together, and discuss matters of – well - hacking. That tesla coil you built for a science project brings down your ethernet unless you use a specific packet size? How to make a tesla coil sing the Ghostbusters theme? Responsible disclosure vs. full disclosure? Different designs and materials for RepRap 3D printer extruder nozzles you’ve been experimenting with? Dismantling conspiracy theories over a couple of beers? All it takes is an open mind, some level of determination and creativity, and you’ll leave the con not only having made new friends, but also with many new ideas on what to do until the next con. Not only did I spend time attending talks or catching up with fellow hackers on the progress of projects, there was also plenty of quality time in talking shop with researchers, colleagues and other experts on the status quo and recent developments in security response.

Unfortunately, tickets sold out within a mere 12 hours. For those who didn’t get tickets or couldn’t make it to Berlin in the first place, Dragons everywhere was an experiment that allowed locations in Berlin or somewhere else on this planet to hook up to the congress network via VPN for remote participation. As most of the talks were recorded and released under a Creative Commons license for everyone to download legally, please excuse me now while I play catch-up! J See you next time!

-Joe Hemmerlein, Security Program Manager