David Bozzini and I experienced another international security conference, taking a new step in our investigation of the customs and codes of the infosec community. The Troopers conference, that we attended between 18th to 22nd March, was organized by ERNW in Heidelberg. As always, since I still have tons of field notes to process, I will merely give a quick overview of what we got and – just the once will not hurt – I will proceed in a quantitative way.
2 days of hacking (or attempt of)
We first attended the “hacking 101” training course and despite our lack of technical knowledge, we could at least become a little bit more familiar with some tools that are used to perform attacks on networks, web applications and software. We often couldn’t do much more than simply replicate the instructions without understanding exactly what we were actually doing, but our challenge was probably not as big as our tutors’ that were really surprised to see two anthropologists barge in there course!
Fortunately, they, and the other attendees, were kind enough not to run out of patience. Actually, the way they assist us resonates quite well with the whole atmosphere of this con where people have been very open and curious about our approach to the field. People we met were not solely excellent but also very open and willing to feed us with “translations” of technical stuff and deeply-engaged conversations. A remarkable openness, thus, that somehow contrasts with my initial apprehension when I read the agenda for the first time and realized that I could not understand at least half of the titles of the talks…
2 days for 42 presentations
Is that really a coincidence that 42 presentations were planned?
I genuinely admire the usual kind of poetical phrasings that can provide titles of presentations and papers in computer security. The basic arsenal is indeed composed of military vocabulary, unintelligible acronyms and figurative images such as cloud, sorcery, hex or even mimikatz (a world which I somehow naively connect to a lovely kitten – and which is in fact a powerful tool to extract login and password information on Windows). The whole usually constitutes an enigmatic headline (at least for me). The variation of those three ingredients provide a general orientation: in the case of troopers, it was clearly a very technical-oriented approach with a clear military terminology in line with the moto of the con: make the world a safer place!
All of that is to say that the three tracks of the conference, Attack & Research, Defense and Management, and Active Directory Security, offered a coherent frame with 42 presentations that attracted around 500 experts from more than 20 different countries. I say experts because this is really an expert conference, in the sense that outsiders like me cannot really get into the presentation. Not at all because one wouldn’t let me in but simply because the talks were deeply involved into technical details that are far beyond my understanding of IT. Luckily, I met a lot of great women and men, whose current positions and careers tend to confirm that this event is really a place for specialists to meet and learn from each others, and who were very keen to make me understand their research by decipher it into “plain English”!
There were however some talks that really got my full attention. A first one was the panel on ethics, preceded by a presentation of Enno Rey where he depicted three general approaches to solve ethical questioning (consequentialism, deontology and principlism), illustrating them with some (mostly-)true examples. As I often said, one interesting point for me as anthropologist is the fact that the people in the infosec field are generally quite reflexive and this panel was a good illustration of this. The discussion raised a lot of concrete issues and choices that the guests had faced during their careers. “When there is a doubt, there is no doubts” is a sentence that I heard several times and show how uncomfortable some situations might be.
Another interesting talk was a presentation of a new initiative : a bug hunting event for connected car. During two weeks, hackers gathered to hack components of smart cars, and the better and more dangerous their findings were, the higher their bounty! “Seeing that this kind of security program occurs in the car industry is a sign that things are slowly evolving but there is still a lot of work to do”, said a participant.
And guess how many vulnerabilities they found in the car?
Well... 42, of course!
A frightening 4-hour round-table on IoT and medical device security
Why frightening? Because of a terrible lack of security awareness regarding many connected devices that can demonstrably be hacked. Examples were given, but with a lot of caution not to disclose any identifying details. The Internet of Things (IoT) is a booming industry and, as a consequence, a rising source of preoccupation for security-focused person. Last year, one of the round tables was on surveillance through the IoT and it seems that the participants came to the somehow sad conclusion that people do not care enough about such an important topic, and the default settings are far from sufficient from a security and privacy-oriented perspective. The problems are numerous: these devices are made with cheap (cheaper, even the cheapest!) hardware components and engineered with a lack of awareness (or caution?) in regards to “what could possibly go wrong”. Moreover, there are not enough incentives to change the regulation in that domain, with “security components” often deemed as a feature that you can add on top of things, which made a participant say: «Security is not a black box that you can put in your device, it has to be implemented from the beginning».
What I found interesting during this round table is that all the participants seemed to be quite aware of why IT security might not be a top priority preoccupation for medical doctors and why safety has always been prioritized both from the manufacturers and the practitioners. However, they were also quite aware of the risk that a lack of security could imply, leading at worst to death. Are there any deaths attributable to a lack of security in IoT medical device? Yes, very likely, even though the numbers cannot be easily estimated since it is very difficult to even notice such a hack. One participant also argued that a young teenager stuck in a hospital room could just want to have fun with his PC and then incidentally breaks some connected devices by “killing time with nmap”, a tool used to scan the network – it happened to him!
1 IoT badge with 943 accepted tokens
Yes, the conference badge of trooper was an IoT device, and yes, you could hack it! Actually, we were exhorted to do so and 943 hacks were recorded! You could also play with it, weld “shitty addons” on it (see the fox head in the first picture below) and, even, write your name (or whatever else) on it! I believe this badge represents on its own such an indicative object of the spirit of the conference that it would deserve a whole post on its own.
5 days of great food and Club Mate at will
As I heard it many times, this con is not only about hearing interesting talks, but mostly about meeting people and being part of the “TROOPERS family”. And what is the best way to boost interactions? Food, certainly! (At least it works with me!) It is undeniable that we have been spoiled during the numerous coffee breaks and meals, as much as it is undeniable that these moments were key to meet new people. Actually, it is during breaks that I had the most insightful discussions of the conference, be them on ethics, bug bounty programs or the future of infosec. Many thanks to all our interlocutors for sharing their views with us, and many thanks to the organizers for the great food!
Thousands of jokes
Humor is a very interesting topic for me and I believe that it can really help to grasp others’ worlds. In-jokes tell us about the sense of being part of a community while joking relationships can reveal structural power relationships among a group. Who is allowed to make what kind of jokes? How? With whom? When? Why? On what topic? For which purpose? Making a joke is a performance, but it is also performative: it affects the social reality by softening conflicts or on the contrary strengthening antagonism, by contesting power relationships or by undermining the burden of uncertainty or stress. It is also a very powerful rhetorical tool. Further, humor is a very delicate topic, since explaining a joke often kills it.
A man disguised in a frog suit? A burning hat? 3 Nahuels? Some shining leds everywhere? Some Alka-Seltzer deposited on the table in the morning of the last day of the con? Some "troopers-condoms" to make the world a safer place? Again some Nahuels?
“Did you have fun at Troopers?” This is how Enno Rey begun his closing talk on Thursday. And indeed, Troopers was a lot of fun, for me, but obviously with many people I talked to.