http://www.wired.com/news/technology/0,72133-0.html

By Quinn Norton
Nov. 17, 2006

SEOUL, South Korea -- The first international hacker conference held in this most wired of nations would never be confused with its Western forebears. Instead of jeans and T-shirts with clever slogans, attendees wore button-down shirts and pleated slacks while listening quietly and attentively to speakers dressed in suits. There were few jokes, no interruptions and not a drinking game in sight.

But in terms of content, the two-day Power of Community conference that opened here Thursday follows squarely in the tradition of events like Defcon and Hope in the United States, featuring everything from a civil liberties stump speech from free-software guru Richard Stallman to live demonstrations of taking over a remote voice-over-internet-protocol session and remote exploits against Fedora Core.

For organizer "Vangelis," inspiration for the conference came while attending a similar event in Malaysia, where the IT infrastructure is nowhere near as advanced as Korea's, but the culture of hacking and security research has been more vibrant. He went home and started planning a conference "by and for hackers."

For Vangelis, the goal is to bring people together and change the perception of hackers in Korea. "Some people who have a negative point of view think we do bad things," he said. "We are not criminals. We are showing ... (that) hackers are needed for security."

A police crackdown three years ago left South Korea's hacking community broken and fragmented. One of the conference's more animated speakers, "Xpl017Elz," complained that many of Korea's best and brightest hackers wound up emigrating to more receptive environments with better pay for security researchers. But he also demonstrated a large and difficult divide between how the hacker communities behave in Korea and the United States.
Xpl017Elz's presentation focused on four (of a reported seven) attacks he developed against Red Hat's Fedora Core using ExecShield. He demonstrated privilege escalation, where a logged-in user can become root and take over the machine, and remote code execution, wherein an external attacker can gain root without a login.

What Xpl017Elz hadn't done yet, he explained later through a translator, was notify Red Hat of his work. "This exploit code is not very critical," he explained. "This is a proof of concept." Later he conceded that it could be a significant vulnerability under some circumstances, but remained ambivalent about contacting Red Hat.

That deviates from generally accepted standards practiced in most of the world, where researchers notify vendors privately of the security holes they uncover, then follow up with a public advisory once a fix is available.

Vangelis says the local legal environment makes that approach a risky proposition in Korea. "They have tried, but there is one problem: If we publish an advisory to the world it can be illegal in Korea," he said. Aggressive vendors have a great deal of legal latitude in South Korea, causing hackers who might publish a vulnerability to fear being silenced or even imprisoned.

Vangelis hopes that by bringing the community together he can educate hackers on issues like proper disclosure, and teach the general public about the value of a strong security community. "We have to get over this problem, because we want to be free," he said. "We hack for security."

With around 350 people attending Power of Community 2006, and several major Korean companies sponsoring the event (including the nation's largest search engine), Korea might be becoming a friendlier place for independent security researchers. Vangelis has already started planning Power of Community 2007.

For his part, GNU pioneer Stallman cautioned the crowd not to let Korea become too much like the United States.
He spoke about the dangers of the country harmonizing with the U.S. Digital Millennium Copyright Act through free trade agreements. "(It allows) companies to write their own copyright law ... through digital restrictions management," he told a rapt audience. "It's not democracy."

_________________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
This archive was generated by hypermail 2.1.3 : Sun Nov 19 2006 - 22:33:25 PST