[ISN] Polite Hackers Kick It in Korea

From: InfoSec News (alerts@private)
Date: Sun Nov 19 2006 - 22:17:55 PST


http://www.wired.com/news/technology/0,72133-0.html

By Quinn Norton
Nov. 17, 2006

SEOUL, South Korea -- The first international hacker conference held in 
this most wired of nations would never be confused with its Western 
forebears. Instead of jeans and T-shirts with clever slogans, attendees 
wore button-down shirts and pleated slacks while listening quietly and 
attentively to speakers dressed in suits. There were few jokes, no 
interruptions and not a drinking game in sight.

But in terms of content, the two-day Power of Community conference that 
opened here Thursday follows squarely in the tradition of events like 
Defcon and Hope in the United States, featuring everything from a civil 
liberties stump speech from free-software guru Richard Stallman to live 
demonstrations of taking over a remote voice-over-internet-protocol 
session and remote exploits against Fedora Core.

For organizer "Vangelis," inspiration for the conference came while 
attending a similar event in Malaysia, where the IT infrastructure is 
nowhere near as advanced as Korea's, but the culture of hacking and 
security research has been more vibrant. He went home and started 
planning a conference "by and for hackers."

For Vangelis, the goal is to bring people together and change the 
perception of hackers in Korea. "Some people who have a negative point 
of view think we do bad things," he said. "We are not criminals. We are 
showing ... (that) hackers are needed for security."

A police crackdown three years ago left South Korea's hacking community 
broken and fragmented. One of the conference's more animated speakers, 
"Xpl017Elz," complained that many of Korea's best and brightest hackers 
wound up emigrating to more receptive environments with better pay for 
security researchers.

But he also demonstrated a large and difficult divide between how the 
hacker communities behave in Korea and the United States.

Xpl017Elz's presentation focused on four (of a reported seven) attacks 
he developed against Red Hat's Fedora Core running ExecShield. He 
demonstrated privilege escalation, where a logged-in user can become 
root and take over the machine, and remote code execution, wherein an 
external attacker can gain root without a login.

What Xpl017Elz hadn't done yet, he explained later through a translator, 
was notify Red Hat of his work. "This exploit code is not very 
critical," he explained. "This is a proof of concept." Later he conceded 
that it could be a significant vulnerability under some circumstances, 
but remained ambivalent about contacting Red Hat.

That deviates from generally accepted standards practiced in most of the 
world, where researchers notify vendors privately of the security holes 
they uncover, then follow up with a public advisory once a fix is 
available.

Vangelis says the local legal environment makes that approach a risky 
proposition in Korea.

"They have tried, but there is one problem: If we publish an advisory to 
the world it can be illegal in Korea," he said. Aggressive vendors have 
a great deal of legal latitude in South Korea, causing hackers who might 
publish a vulnerability to fear being silenced or even imprisoned.

Vangelis hopes that by bringing the community together he can educate 
hackers on issues like proper disclosure, and teach the general public 
about the value of a strong security community. "We have to get over 
this problem, because we want to be free," he said. "We hack for 
security."

With around 350 people attending Power of Community 2006, and several 
major Korean companies sponsoring the event (including the nation's 
largest search engine), Korea might be becoming a friendlier place for 
independent security researchers. Vangelis has already started planning 
Power of Community 2007.

For his part, GNU pioneer Stallman cautioned the crowd not to let Korea 
become too much like the United States. He spoke about the dangers of 
the country harmonizing with the U.S. Digital Millennium Copyright Act 
through free trade agreements.

"(It allows) companies to write their own copyright law ... through 
digital restrictions management," he told a rapt audience. "It's not 
democracy."

