Wednesday, April 4, 2012

Hackito Ergo Sum: Not Just Another Conference

My name is Jonathan Brossard, but you may know me under the nick Endrazine. Or maybe as the CEO of Toucan System. Never mind: I'm a hacker. Probably like yourself, if you're reading this blog post. Along with my friends Matthieu Suiche and Philippe Langlois, and with the invaluable help of a large community worldwide, we're trying to build a conference like no other: Hackito Ergo Sum.
First, a bit of background on conferences as I have discovered them:
I remember really well the first conference I attended almost a decade ago: it was PH-Neutral in Berlin. The first talk I'd ever seen was from Raoul Chiesa on attacking legacy X25 networks, specifically how to root satellites. (For those unfamiliar with X25, it was the global standard for networking before the internet existed. Clearly, if you sent a satellite to space in the 1980s, you weren't going to get it back on earth so that you could patch it and upgrade its network stack, so it would remain in space, vulnerable for ages, until its owner eventually decided to change its orbit and destroy it.)
The audience comprised some of the best hackers in the world and I got to meet them. People like Dragos Ruiu, FX, Julien Tinnes, and various members of the underground security industry were asking questions or completing what the presenter was saying in a relaxed, respectful, and intelligent atmosphere. It was a revelation. That's when I think I decided I'd spend the rest of my life learning from those guys, switch my career plans to focus on security full time, and eventually become one of them: an elite hacker.
Back in those days, PH-Neutral was a really small conference (maybe 50 or 100 people, invitation only). Even though I had many years of assembly development and reverse engineering behind me, I realized those guys were way ahead in terms of skills and experience. There were exactly zero journalists and no posers. The conference was put together with very little money and it was free; anyone could pay for their travel expenses and accommodations, and, as a result, all the people present were truly passionate about their work.
Since then I've traveled the world, gained some skills and experience, and eventually was able to present my own research at different security conferences. I have probably given talks or trainings at all the top technical security conferences in the world today, including CCC, HITB, BlackHat U.S., and Defcon. I couldn't have done half of it without the continuous technical and moral help and support of an amazing group of individuals who helped me daily on IRC.
Building the Team
I remember the first talk I ever gave myself: it was at Defcon Las Vegas in 2008. Back in those days, I was working in India for a small security startup and was quite broke (imagine the salary of an engineer in India compared to the cost of living in the U.S.). I was presenting an attack, working against all the BIOS passwords ever made, as well as most disk encryption tools (BitLocker, TrueCrypt, McAfee). I remember Matthieu knocking at my door after his own BlackHat talk on RAM acquisition and forensics: he was only 18 and had no place to stay!
We slept in the same bed (no romantic stuff involved here). To me, that's really what hacking was all about: sharing, making things happen in spite of hardcore constraints, friendship, knowledge. I also started to realize that those big conferences had nothing to do with the small elite conferences I had in mind. A lot of the talks were really bad. And it seemed to me that attitude, going to as many parties as possible, and posing for journalists was what attendees and most speakers really expected from those conferences.
In 2008 during PH-Neutral (once again), I met Philippe Langlois. For those of you who don't know him by any of his numerous IRC nicks, you might know him as the founder and former CTO of Qualys. An old-school guy. Definitely passionate about what he was doing. Phil was feeling equally unsatisfied with most conferences: too big, too commercial, too much posing, and very little actual content. At that time in France the only security conference was organized by the army and the top French weapons sellers. To make it even worse, all the content was in French (resulting in zero international speakers, which is ridiculous given that we collaborate daily with hackers literally from around the globe, even when coding in our bedrooms, at our desks, or in a squat).
So, we decided to make our own conference with Matt.
Breaking the Rules and Setting Our Own
We agreed immediately that the biggest problem with modern conferences was that they had turned into businesses. You can't prioritize quality if your budget dictates you have famous, big-name speakers. So we decided that Hackito would be a spin-off from the /tmp/lab, the first French hackerspace, which was a 100% non-profit organization housed in a stinky basement of an industrially-zoned Paris suburb. At first we squatted until we reached an agreement with the landlord, who agreed to let us squat and eventually pay for both our electricity (which is great for running a cluster of fuzzing machines) and water. It was humid, the air was polluted by a neighboring toxic chemical plant, and trains passed by every 10 minutes right outside the window. But it didn't matter because this spot was one of the most important hacker headquarters in France.
One thing that played a major role in creating the spirit of Hackito was the profile of the people who joined this hackerspace: sure there were software programmers, but also hardware hackers, biologists, artists, graphic designers, and general experimenters who wanted to change the world from a dank, humid garage. This was a major inspiration to us because (just like the internet) anyone was welcome to the space, without discrimination. Hackerspaces by nature are open and exchange a lot of information by having joint events such as the HackerSpace Festival or hosting members from other hackerspaces for extended periods of time. We modeled this by wanting to share with other conferences instead of competing, which led to the Security Vacation Club (it started as a joke, but today allows us to share good speakers, good spirit, and mutual friendship with other hacking conferences we respect).
We then called our IRC friends for help. Some could make it and others couldn't, but all of them contributed in one way or another, even if it was only with moral support.
Early Days
Building your own conference out of thin air is more challenging than you might expect and, of course, we wanted to do it with minimal sponsorship. We agreed straight away with sponsors that they'd get nothing in exchange for their support (no anticipated disclosure, no right to vote on what talks would be presented, no paid talk or keynote). We asked friends to help us select solid technical talks and to come speak. You'd be surprised how the hackers you respect most (and who are seriously busy) are willing to help when they share the spirit of what you're doing.
So, we ended up with the scariest Programming Committee on earth, for free—I don't think there's a company in existence with a security team half as talented. I can't express here how much we value the time and effort that they, and our speakers, spend helping us. Why would they do this? Because a lot of people are unsatisfied with the current conference offerings. Now don't get me wrong, commercial and local conferences do offer value, if only to gather disparate communities, foster exchange of ideas, and sometimes even introduce business opportunities. If you're looking for your first job in the security industry, there's no better choice than attending security conferences and meeting those who share the same taste for security.
Hackers Prize Quality—Not Open Bars, Big Names, or Bullshit
To give you some perspective: two of the talks nominated in last year's Pwnie Awards at BlackHat were given first at Hackito: Tarjei Mandt and his 40 Windows kernel exploits (winner of the Pwnie award for best local exploit), and Dan Rosenberg and Jon Oberheide with their attack against grsecurity. That's what Hackito is all about: giving an opportunity to both known and unknown speakers, judging them based solely on their work—not their stardom or their capacity to attract journalists, or money.
I think it's important to make clear that most Hackito speakers have paid for their own plane tickets and accommodations to come and present their work in Paris. I can't thank them enough for this; they are true hackers. It is common practice for so-called security rock stars to not only pay for nothing, but to ask for a four-digit check to present at any conference. In contrast, we believe our hacking research is priceless and that sharing it for free (or even at your own cost) with your peers is what makes you a hacker. That's the spirit of Hackito.
Without any rock stars, Hackito can feature what we believe represents some of the most innovative security researchers worldwide. The content is 100% in English and must be hardcore technical—if you can't code, you can't talk for the most part. If it's not new or offensive, we don't care. If you're asking yourself why anyone would present years of hard research for free at Hackito instead of selling it to the highest bidder, the answer is simple: respect from your peers.
That's what hackers do: distribute software, share knowledge, collaborate. Period.
Hackito is More Than Just Talks
I've used the words quality and best a lot in this post; to be honest, I believe competition is a bad thing in general and for hacking in particular. Hacking is not about being better than others. It's about being better than the machine and getting better yourself. It has everything to do with sharing and being patient, polite, passionate, respectful, innovative...that is, being an accomplished human being.
If you remember only one thing from this post, make it that message.
In the same vein, I don't see Hackito as directly competing with other conferences. We actually speak at other conferences of similar quality and I strongly believe that any conference that promotes hacking is a good thing. We need diverse offerings to match all skills and expectations. Hackito focuses on the hardcore top end of security research, but that doesn't mean newbies shouldn't be allowed to progress in other cons.
The Hackito framework allows us to offer more than just talks, which are important, but like FX repeatedly told me in the PH-Neutral days: the conference is the people. Therefore, we try to maintain an open conference as much as possible. Anyone with a cool security-related project is welcome to submit it to us, making it part of Hackito and then labeling it Hackito. For example, Steven van Acker from the overthewire.org community has written a special war game for attendees every year.
Our presenter line-up seriously rocks! This year, Matias Brutti from IOActive will offer a free workshop on Social Engineering and Walter Belgers from the highly respected Toool group will do the same with a Lockpicking workshop. Eloi just published a cryptographic challenge open to anyone on the internet with the valuable help of Steven van Acker (who is hosting the challenge on the overthewire.org community servers). Other featured editions include an FPGA reverse engineering challenge by the incredible hardware hacker LeKernel.
We Still Party Hard
Hackito unites hackers from across the globe—Korea, Brazil, Israel, Australia, Argentina, Germany, Sweden, U.S., Portugal, Switzerland, Russia, Egypt, Romania, Chile, Singapore, Vietnam, New Zealand—so of course we have to party a bit. I remember the first Hackito party in our /tmp/lab garage space; imagine the anti-Vegas party: no sponsors, live hardteck music, artists spanking each other in a crazy performance, raw concrete walls, bad cheap beer, virtually no females, zero arrogance, zero drama, zero violence—just 300 people going nuts together. That was one of the best parties of my entire life.
Feel like joining? You can still get one of the few seats left for the 2012 edition here:
or at least have a look at our website here:
Greetings
Thanks heaps to (in no particular order): itzik, Kugg, redsand, Carlito, nono, Raoul, BSdeamon, Sergey, Mayhem, Cesar Cerrudo, Tarjei, rebel, #busticati, baboon, all those I can't possibly exhaustively name here, plus the Hackito team of Matt and Phil.
I also must thank:
  • All of our speakers.
  • All of our sponsors (who help us and don't ask much in exchange).
  • The incredible team behind Hackito that spends countless hours in conference calls on their weekends to make things happen during an entire year so that others can present or party.
  • Our respected Programming Committee of Death (you guys have our highest respect; thank you for allowing us to steal some of your time in return).
  • Every single hacker who comes to Hackito, often from very far, to contribute and be part of the Hackito experience. FX was right: the conference is the people!!

1 comment:

  1. Great write-up! Got me some really nice insights into the Hackito spirit.

    Thanks for sharing :)

    Florian, ERNW
