By Quinn Norton
Nov, 17, 2006
SEOUL, South Korea -- The first international hacker conference held in
this most wired of nations would never be confused with its Western
forebears. Instead of jeans and T-shirts with clever slogans, attendees
wore button-down shirts and pleated slacks while listening quietly and
attentively to speakers dressed in suits. There were few jokes, no
interruptions and not a drinking game in sight.
But in terms of content, the two-day Power of Community conference that
opened here Thursday follows squarely in the tradition of events like
Defcon and Hope in the United States, featuring everything from a civil
liberties stump speech from free-software guru Richard Stallman to live
demonstrations of taking over a remote voice-over-internet-protocol
session and remote exploits against Fedora Core.
For organizer "Vangelis," inspiration for the conference came while
attending a similar event in Malaysia, where the IT infrastructure is
nowhere nearly as advanced as Korea's, but the culture of hacking and
security research has been more vibrant. He went home and started
planning a conference "by and for hackers."
For Vangelis, the goal is to bring people together and change the
perception of hackers in Korea. "Some people who have a negative point
of view think we do bad things," he said. "We are not criminals. We are
showing ... (that) hackers are needed for security."
A police crackdown three years ago left South Korea's hacking community
broken and fragmented. One of the conference's more animated speakers,
"Xpl017Elz," complained that many of Korea's best and brightest hackers
wound up emigrating to more receptive environments with better pay for
But he also demonstrated a large and difficult divide between how the
hacker communities behave in Korea and the United States.
Xpl017Elz's presentation focused on four (of a reported seven) attacks
he developed against Red Hat's Fedora Core using ExecShield. He
demonstrated privilege escalation, where a logged-in user can become
root and take over the machine, and remote code execution, wherein an
external attacker can gain root without a login.
What Xpl017Elz hadn't done yet, he explained later through a translator,
was notify Red Hat of his work. "This exploit code is not very
critical," he explained. "This is a proof of concept." Later he conceded
that it could be a significant vulnerability under some circumstances,
but remained ambivalent about contacting Red Hat.
That deviates from generally accepted standards practiced in most of the
world, where researchers notify vendors privately of the security holes
they uncover, then follow up with a public advisory once a fix is
Vangelis says the local legal environment makes that approach a risky
proposition in Korea.
"They have tried, but there is one problem: If we publish an advisory to
the world it can be illegal in Korea," he said. Aggressive vendors have
a great deal of legal latitude in South Korea, causing hackers who might
publish a vulnerability to fear being silenced or even imprisoned.
Vangelis hopes that by bringing the community together he can educate
hackers on issues like proper disclosure, and teach the general public
about the value of a strong security community. "We have to get over
this problem, because we want to be free," he said. "We hack for
With around 350 people attending Power of Community 2006, and several
major Korean companies sponsoring the event (including the nation's
largest search engine), Korea might becoming a friendlier place for
independent security researchers. Vangelis has already started planning
Power of Community 2007.
For his part, GNU pioneer Stallman cautioned the crowd not to let Korea
become too much like the United States. He spoke about the dangers of
the country harmonizing with the U.S. Digital Millennium Copyright Act
through free trade agreements.
"(It allows) companies to write their own copyright law ... through
digital restrictions management," he told a rapt audience. "It's not
Subscribe to InfoSec News