Projector Art in the Chillout Cafe at DEFCON 21
But most of all l33t. Historically, we felt special, like our merits had won us the right to gloat in glory. We dabbled in technoarts and arcane secrets of circuits and mystical crypto that put us above everyone else. We were the best of the best, we pwned every test, earned the right to beat our chest.
Well, I didn't. Only "real" hackers did, and I wasn't a real hacker. In the DEFCON recap I wrote in 2009, I called myself a "Hacker Groupie". That was bullshit. Because I am every inch a hacker, and always have been, since second grade when I solved the weekly brainteaser without fail. When I begged my parents for a chemistry set. When I used university lasers to run the Michelson-Morley experiment. I'm less technical these days than I ever have been, with my shift away from a thirteen-year IT career in 2010, yet I am still a hacker.
From the DEFCON 21 Playing Card Deck
No, this is not going to be a rant against sexism, though I will address that topic at some point. My exclusion wasn't due to my gender, though that was a factor. I self-excluded because I bought into the chest-thumping and was unwilling to call bullshit and be who I wanted to be. Too many men and women have done the same. I met several of them at DEFCON this year, and I tried to talk them into realizing their potential.
In 2009, at my second DEFCON, I somehow considered myself an outsider, a groupie, a tagalong. This year was my sixth DEFCON. Why did it take so many years to finally stop feeling like a poser? Like any topic worth talking about, it is complex and there are many reasons, but I want to focus on culture here, since I've been around to observe it since 1992.
To be fair, my outlook on hacker culture is just one perspective based on my six DEFCONs, my lifelong passion for computers, living on BBSes and IRC for a decade, and my career in IT. It's a bit like dipping a thermometer into the water from various beaches over a 20-year period and declaring the global average of the ocean. But that's the nature of commenting on culture. It's hard to get an objective look without running a longitudinal study and relying on survey data from a group of anarchists who want to break every system. No such study exists, so you have my analysis from my point of view in my little corner of geekdom. If you have a different take, please blog about it or comment.
The source of l33tist culture is perfectly understandable. Even the broader geek culture attracts the cocky and self-assured who try to prove their worth by one-upping everyone else through superior skills and knowledge. I've called this the Geek Hierarchy, and it likely comes from a feeling that merit is all we have. We were bullied and rejected by the mainstream as kids, so we learned to distrust people and instead trusted our hobbies. We embraced them fully, clutching at these remnants of our self-esteem, which entirely revolves around the things we're good at doing. So it's no surprise when many of us shove our knowledge and skill in other people's faces. I've done it. Many of my friends have done it. The gloaty tone of voice is part of the geek affect. It's part of our identity.
Hacker culture became a distilled version of this. After all, hackers were the smartest of the smart. They'd earned the right to snobbery through sheer prowess. Breaking into hacker culture was like getting root. Aside from the need to understand difficult technical concepts, social firewalls included strange language, snarky attitudes, isolationist cliques, and intellectual superiority. There was a sense to outsiders that in order to be accepted, you needed to capture some impressive trophy that all other hackers previously thought impossible.
Worse, when a newbie wanted to break in by doing, and requested help, even Linux help channels met questions with rudely stated RTFM flames. Back then, you learned quickly to never ask questions unless you had already proven yourself l33t. And sometimes that meant giving up too soon or never trying in the first place.
In reality, the bar isn't actually set all that high. Had young Luna in 1992 realized this, she might have thought it worthwhile to jump in and start hacking. She might have realized hacking is like anything else -- everyone learns the basics, then the intermediates, and if they really want to go far, they're finally prepared for the advanced stuff. I thought I had to start with the advanced stuff because of the swagger of those who'd already been down that road. I didn't have patience in myself to struggle with the basics because I didn't see the point. And no one was about to help me.
I wasn't unique. There was a perception that the bar was set at the top of Mt. Everest. This perception hasn't changed. I've seen through the illusion, but thousands of others haven't. When I got back, I chatted with a friend who was worried DEFCON was too technical to be useful in his job (he works in IT). At the con, I chatted with a girl who had previously been "The Girlfriend", but this year had her own badge. She still didn't consider herself a hacker, even though she's a skilled lockpicker with a mathematics background and an interest in pen testing and crypto. I pointed her to the online tools for learning more crypto and pen testing, and gave her permission to call herself a hacker.
Another guy has been trying to convince his girlfriend to come to DEFCON. She knows how to something-something with DNA (the technical terms escape me, because it's not my field, but I knew what he was talking about), and considers it "easy", and yet he can't get her to go to local biohacking meetings or to DEFCON because she feels she's not good enough. I told him it sounded like she qualified to give a home-biohacking talk at DEFCON, because she knows how to do things I don't, and I'd love for her to teach me how.
This is a problem. There aren't enough qualified employees in the InfoSec world to fill demand. While the numbers have been improving, unemployment is still at 1.95% (as of April 2013). What that means is that when a company wants to hire a hacker, they will have a difficult time filling the position. This is detrimental to the IT industry, as we struggle to secure infrastructure. It is detrimental to employed InfoSec workers, who have to do the work of two or three other people. It is detrimental to our economy that companies can't expand quickly enough, or they are forced to expand with unsecured systems even though they very much would like to secure them. It works against the goals of the white hat hacker community, which wants to evangelize security to the world but doesn't have enough bodies to do so.
It's also a problem for more squishy reasons. The hacker community needs an influx of new minds. We need entrepreneurs to build new future companies and non-profits inspired by the hacker ethic, not just in InfoSec, but in biohacking and other fields. We need fresh perspectives and new thinkers.
Two new cards, Hacker and Crypto, allow for a "HACK" poker hand.
Perhaps most important is the principle of the thing. Elitism has always been at odds with hacker community ideals like openness, democracy, & equality. These contradictions need to be corrected. In general, hackers want an open society while clinging to privacy and secrecy for themselves. Hackers want open source, yet fail to make participation welcoming and accessible to all. Hackers protest the 1%, yet hoard a wealth of knowledge through snobbish attitudes and indecipherable language, effectively establishing themselves as the intellectual 1%. Hackers want everyone to be included, yet mock newbie mistakes, underestimate women, and require proof of worth before allowing access into exclusive social circles.
DEFCON should be proud of its meritocratic society. Merit certainly does need to be rewarded, and in the past, bragging rights and social glory were a generous reward indeed. But so is camaraderie and having more friends and brilliant minds in the community. That is the direction we should be headed. And I think we are.
Up until recently, I was blindly unaware of this dynamic. I was a part of the system itself, and therefore, ignorant of it. As an outsider, I played the game by staying outside. As a geek, I gloated along with the rest of the geeks, (though I at least tried to be inclusive and not require proof-of-geekdom). As I slowly embraced my hacker side, I gloated in what little cred I had.
It took the cultural shift at DEFCON this year to set the past in stark relief against the now, and to show where as a culture, we've been wrong. The shift wasn't sudden. It's been building, evolving for years, as DEFCON has grown from a handful of people to 14,000, and as computer ownership spread from the rare nerd to every single household, and now to every purse and pocket. In recent years, the shift accelerated as prominent figures like Lost gave "I'm just like you" and "Be by doing" talks to thousands of hackers.
Hacker Spaces and DIY Maker culture have also influenced hacker culture to include rather than exclude. Makers preach a populist message to the masses: Make it and fix it. You can do it. Anyone can.
But perhaps a larger influence is generational. We GenX were born jaded. As youth, we were characterized by our rebellious nature and distrust of authority. We have since matured and mellowed. And while we still have plenty of distrust in authority, we've learned to work within the system. We've proven ourselves in a hundred other ways, and no longer need the trophies and chest-thumping.
And "kids these days", why aren't they replacing our immaturity with theirs? Because GenY is very different. They come with built-in self-esteems. They may have been bullied, but they don't know what it's like to be excluded from society merely for owning a computer or being into sci-fi (hi Harry Potter and Pokemon). They also tend to trust authority and each other a little more than we did. I believe GenY is less interested in cliquish crowing and more interested in making things with others. (Now get off my lawn.)
The GenZ has something neither GenX nor GenY had. They have rootz Asylum (formerly DEFCON Kids). This year, there were hundreds of kids, and again, they found dozens of 0days in real products, including the Samsung Smart TV. The kids had several tracks of programming and a bunch of contests just for them. One was an elaborate capture the flag game. As I watched the Social Engineering CTF, sometimes a trained military sniper stood on a chair and nerfed little kids who ran through the room to deliver a package.
Art in the Chillout Cafe, video.
Filmed by Roland who chats with a stranger.
Another welcome change this year was a steep reduction in sexism. What sexism I saw was on the ground-level, committed by individuals, and in one case via sheer ignorance from newbies and not malice. No more presentation slides showing bound women. No more sexist comments by panelists. No more icky behavior supported by Goons. No more bingo cards with "Tits" as a requirement. And no more parties with themes like "Pimp". I'm pretty sure this was all intentional, and I certainly noticed. The waves of these actions are rippling down to the ground level and causing real change. I heard zero talk from women about feeling uncomfortable. That's not to say it didn't exist, but if it did, it was certainly subdued.
I was a little afraid that a less-sexist DEFCON would mean less fun. But nope! Sexual freedom maintained an appropriate level of looseness, and discussions about sex at parties still flowed as liberally as the alcohol. So it seems it is possible to strike a balance between freedom and respect for women. Huzzah!
Skulls know no class or hate. Every skull is l33t! (Except for numbskulls. They're dumb.)
Later on, they started talking about other things, and I joined their conversation. I learned they were DEFCON first-timers, and in reality nice guys. That's how most of these things work, and why I'm hesitant to turn into a flaming furious feminist without giving people a chance. The uncomfortable environment they'd created was unintentional, and I'm sure they remain ignorant to this moment about how their conversation might have affected me. There was no point in explaining it to them, since this sort of thing is really hard to convince anyone of in the moment. Instead I blog about it and let culture work its magic.
The influx of DEFCON newbs does create some ground-level cultural awkwardness. Being inclusive of plebes means they won't immediately share the sense of tolerance for fashion that DEFCON has always enjoyed. At a Thursday party during the cusp between Blackhat and DEFCON, Roland received some guff for his clothing choice. If you've ever been to DEFCON (which these guys apparently hadn't), you would quickly realize that the black Utilikilt is a traditional geek uniform. Most guys wear jeans, and those who want to spruce up a little wear kilts. At this party, a couple of guys told Roland his kilt made him look gay and it wouldn't help him pick up chix. Roland told them he wasn't dressing for them and was doing just fine with the womens, kthanksbai.
Given the prominence of the Queercon party and the fact that many of the Goons are from west coast cities and tend to be socially liberal and that DEFCON in general has become extremely LGBT-friendly, I doubt their attitude lasted long into the weekend. Girls like me happen to think kilts are dashing. I'd definitely hit that, but not so much the guys who concern-troll any sort of gayness.
The Wall of Sheep was almost empty this year. For those who don't know, DEFCON NOC traditionally packet-sniffs for passwords going over the network in the clear. They post pwned pws on a giant screen called the Wall of Sheep. It's a very good thing the number of pwnable pws is going down. In part, credit goes to DEFCON having two wifi networks, one being (more or less) secure. But also heartening is that more internet services are forcing SSL for logins, which is a beautiful thing. In 2009, my Twitter account got owned, because Twitter didn't use SSL at the time. This time, nearly all the ten or so sheeped accounts were unencrypted POP3 and IMAP.
DEFCON 21 Playing Card. I mean, badge.
Uber Duber Badge!
Crypto Sign is part of the DEFCON 21 Badge Puzzle. I still don't know what it means!
See? It's clearly a clock!
I proudly will keep this and hold it ironically close to my heart.
The NSA is in need of criticism to be sure, but what Greenwald presented is not what the NSA is actually doing and not what the leaked slides show. Prism and Boundless Informant and XKeyScore have been debunked, and here, and here, and many elsewheres. At Blackhat, General Alexander confirmed the conjecture made by tech-journal debunkers. The cellphone metadata story has more meat to it, though it was also exaggerated to some extent. I wish that's what the discussion is centered around, because I like discussing facts, not made up stuff that should be on Snopes.
I was greatly saddened by the fact that DEFCON attendees, speakers, and Goons seemed to be buying the sensationalist narrative. The technical community should know better. Of all people, hackers should be able to reality check Snowden/Greenwald's claims and see right through it. I did. Unfortunately, the story hits hacker-community fears related to government surveillance and loss of privacy rights and a historical mistrust of government. The cognitive consonance is just too delicious to let go. Just goes to show we are all vulnerable to cognitive bias attack-vectors, even the most brilliant of us.
The NSA inspires a lot of tinfoil hats at DEFCON 21!
Tinfoil Tophat
Deflecting government brain scanners in style!
I spent a lot of the talks squirming in my seat and madly tweeting opinions (pontifitweeting?). I will spare you since you can read it on Twitter and I don't have room here for a more detailed explanation of my controversial opinion.
I will specifically call out the ACLU talk on the subject, since they ought to know better and did nothing to debunk the myths. The way they phrased things, they seemed to know the truth of it, but anyone who hasn't seen the debunks would have had their bias confirmed by everything the ACLU said. So it was a bit dishonest. But I'm sure they made more money from it.
The one argument I get regularly is the "Ends justify the means" rationale. It goes something like this: No one listens to privacy advocates, and there is still bad stuff going on, even if it's not the way Snowdald says it is, so this non-issue gives attention to the topic in general, therefore the story is good even if it's wrong. I counter-reason that all arguments should be based in fact so they cannot be easily dismantled. Fighting against imaginary dragons does nothing to defeat real dragons.
That said, the EFF did bring in ~$100,000 this year at DEFCON, so in that sense, maybe the Greenwden hoax has an upside.
Another happy thing about the EFF is they seem to be shifting their stance on the "What to do about privacy" problem. They seem to be promoting more of the reciprocal transparency side, which is to say, the only way to combat ubiquitous government cameras is to focus on defending the citizen's right to point cameras back at the government. Let the Feds look, as long as we know what they're looking at and why. It warms my heart, because I've hesitated to support the EFF while they uselessly spin their wheels trying to keep the government from snooping.
I attended a talk by Mudge, an old school hacker who's been working for DARPA for the last three years. He told a number of interesting anecdotes centered around a theme about communication between the government and hackers. We come from two very different cultures, and in order to communicate between them, everyone needs to consider the language we're using. Feds need to act like diplomats entering an advanced alien civilization, and hackers need to realize that Feds are focused far more on doing their jobs than on how to fuck with citizens and hackers.
He suggested that in order to be trusted, the Feds need to give back to the hacker community. They need to show up at hacker cons and give technical talks to share things they know. And they need to realize hacker = researcher, not hacker = criminal.
He also pointed out that between private companies and the government, no one is incentivized to improve security. Defense contractors actually get financially rewarded for letting secrets leak, because our national strategic advantage is in being the most technologically advanced. When secrets leak, contractors get new contracts to produce new tech.
To hackers, he implored us to reward the government for good behavior. When a department or elected individual does something awesome, praise them. Help them. Encourage them. Offer assistance.
I also attended the opening talk and closing ceremonies, as well as Lost's talk on Decrypting DEFCON. Aside from dropping badge clues and describing the badge design process, Lost again evangelized on a theme of "doing". This time the underlying point was, "You'll be a better hacker if you understand the technology and knowledge that underlies the high-level stuff you're doing." To developers, he encouraged learning binary, processor logic, and assembly. The best quote I pulled from this talk is: "Technology is nothing more than learning to communicate." Which is a bit like I used to say in my job -- writing is programming where humans are the hardware. These fields have so much in common, which is why, as a writer, I still feel confident in saying I'm a hacker. Especially since I'm currently writing about mind exploits.
I also attended a thought-provoking and balanced talk on white hat hacker ethics by Alex Stamos, and an emotionally difficult talk by Amber Baldet on suicide risk assessment and intervention. I caught the tail end of a village talk on tamper evident basics, if you've ever wanted to open an envelope or void a warranty without getting caught.
I spent a little bit of time watching people peel back "VOID" tape in the Tamper Evident Village, though I didn't stop long enough to do it myself.
The villages may be another part of why DEFCON is growing to feel more inclusive. There were four this year, the Lockpick, Tamper Evident, Wireless, and Hardware Village. Tables were strewn with tools and materials for practicing the craft, with helpful experts available to teach and demonstrate. The villages permit a hands-on experience, and since they cover the rudimentary basics, and say "Yes, everyone can pick a lock or solder a circuit", they reveal that the price for entry to learning hacking is actually quite low. Everyone starts somewhere, and it's stated clearly that no one will judge you for not knowing anything or asking newbie questions.
This year, Roland and I challenged one another to submit talks next year. We're already busy working on our ideas. I know exactly what I'd like to speak on: Reverse Engineering Mind Control, using Mormonism as a case study. I bounced the idea off a couple of the people who run Skytalks, and they like it. While I love hacking tech, I've always been more comfortable with squishy topics, like culture, religion, and psychology. Which doesn't mean I'm good at people -- quite the opposite. I just think people are the most interesting type of machine to analyze.
Last year I said DEFCON was the best EVER. And this year, I would say I was the best Luna ever at DEFCON. Part of this of course is that I'm always self-improving. But the biggest change this year is that I was on an SSRI for anxiety. (Say it with me, Selective Serotonin Reuptake Inhibitor. What a fun phrase!)
I couldn't ignore the change. My social anxiety was gone and my inhibitions towards talking to people nearly vanished. No more internal feedback loops of self-conscious second guessing. I just opened my mouth and let words pour forth not worrying too much if I'd say the wrong thing or talk to the wrong people or monolog too long. My bravery was greatly rewarded because people actually engaged with me. I met so many people and had so many great conversations. I stood up for myself and others when needed and didn't worry I might be hurting someone else's feelings.
For years I've tried to talk myself into not being afraid, but talking never quite did it. Medication did. So hacking-the-Luna-through-biochemistry project was a huge success. Moreover I felt more aware during conversations, like the world of humans had slowed down just enough for me to understand what was going on and think well enough to respond. Any awkwardness I felt was a mild discomfort, not the mind-scorching panic it would have been a month ago. My Aspergers diagnosis has also given me an understanding of the many causes of my brokenness so I can accept those things about myself and feel a little more l33t because of it. It wasn't a panacea. I still have old habits and hesitations. But I now have hopes my attempts to rid myself of them will go smoothly.
I had the wonderful opportunity to meet Bernie Mojzes, editor at Unlikely Story, where I was published last year in the Journal of Unlikely Entomology. There are currently calls for stories in the Journal of Unlikely Cryptography, so if any DEFCON writers are reading this, make something and go submit it. I plan to take my own advice here.
The parties were also great, as usual. We didn't party too hard this year. Queercon was good but it will never recapture the intimacy and fun spirit and wild dancing it had at the much smaller room in the Skyboxes at the Riv. We found a small private party offsite at The Palms, hosted by (I think?) PasswordCon. It was in a suite that looked strangely like the one in Four Rooms where Quentin Tarantino chops off a guy's finger. No fingers were lost, just good conversations were had.
The Freakshow was sadly canceled due to the death of Barnaby Jack, who worked for IOActive.
DEFCON threw a poolside party instead, and we were treated to some sick rhymes by Dual Core, and the impressive medley of musical madness played by the Sex Havers who were having way too much contagious fun to not enjoy every second of it.
I missed watching DEFCON: The Documentary at the con, because the timing was awkward. But I'm looking forward to torrenting it and pressing play. So many thanks to Jason Scott and DEFCON for making this film.
So many other things happened, which I will remember after clicking "Publish". If you'd like these sorts of things to happen to you, head on down to DEFCON next year. The only requirement is that you be interested in related topics like information security, national security, privacy, data, locks, cryptography, solder, robots, cyberwarfare, or social engineering. That's all it takes to be smart enough. Join us and learn. I give you permission.
Past posts about DEFCON:
Defcon Recap 2009: Adventures of a Hacker Groupie
Culture War at Defcon 17 (by Roland Lindsey)
Defcon 19 Badge Contest: In General
Defcon 19 Badge Contest: In Specific
DEFCON 20: Coming of Age
DEFCON 20: The Badge Contest
UPDATE: Edited to correct the fact that Dual Core is actually on Spotify, and Dual Core is two words not one. :D