The evocative video made by conference organizer tried to convince the audience that the hacker campgrounds are a Dutch tradition – as well as tulips, windmills, Gouda cheese and wooden shoes. Since 1989, every four years hackers gather in a traditional Dutch style campsite. Imagine a large music festival, substitute concerts with tech lectures and replace a variety of food stalls with tents of various hackerspaces, makerspaces and projects. At night, the camp turns into a twinkling city in which hackers want to prove that the image of the hacker as an intellectual loner is pure cliché.
Our group starts arriving to Amsterdam a few days early group by group. We all want to see the other Dutch traditions – Red Light District, have a beer at the windmill and go cycling. Many of us opt for a bicycle trip from the nearest station to the campground. We were welcomed by a typical Dutch weather and arrive completely wet, but happy. Trying to dry at the Progressbar, Laila, the chief decorator of our camp tent is already sticking posters to the wall. Others build up tents – inside the main tent which is the headquarters of Czech-Slovak village. Geography is maintained at least relatively because a short walk from our village is HQ and campsite of Metalab, Vienna. Their typical telephone booth is connected to the OHM2013 phone network. Brmlab from Prague is a bit further but still close.
Unofficial, but apparently the main theme of OHM2013 is the apparent asymmetry between the human desire for privacy and large organizations – headed by the NSA and the largest social networks and portals, who have other plans with the “private” data. Proclaimed objective of NSA is to protect the public against terrorist attacks, although the facts show a significantly different story. According to the latest information, NSA-caught personal communication is distributed to DEA for minor drug investigations as well. The aim of “technology” giants like Google, Facebook and Yahoo is to serve their customers – the advertisers. In this way, they can raise prices and allow better ad targeting. People are starting to realize that for these companies, we are not the customers, but the product. Julian Assange spoke about this from his “asylum” in the Ecuadorian Embassy in London via Skype. Jérémie Zimmermann, founder of La Quadrature du Net, a European organization that is fighting for the right to privacy of users said, “Julian, I really wish that you could be here with us. It’s beautiful here, there are lots of blinking lights at night. We miss you.” The atmosphere was nostalgic, just four years ago he gave one of the major speeches on his project Wikileaks at this same event. Julian Assange did not say much, but one new thing we did learn – according to him, the states are not forcing companies to send data to their secret organizations and companies are fighting, but ultimately giving up. Technology giants and NSA are in the same bed. As an example, he mentioned a visit from Eric Schmidt of Google, who came up with several representatives of state power.
The so-called “Spook Panel”, which consisted of former agents and contractors of NSA, CIA, MI5 and American Department of Justice, explained to us how the surveillance system works. There is a great deal of exchange of information between the agencies. Since the NSA cannot eavesdrop on Americans officially, they simply outsource this part of activities to their partners, who in exchange receive information that are captured by the U.S. probes. Analyst at the agency sees target’s e-mails, conversations on social networks, browsing history, metadata about phone calls (date, time of call and dialed number), or SWIFT transfers and card transactions. Whenever the analyst tries to get the information, they must provide written justification, however, although it is archived, nobody reads it.
In addition to political issues, there were also purely technical issues. Philippe Langlois started a popular topic of hackers – hacking telecommunications infrastructure. Telecommunications market is known for its closeness and overcomplicated solutions and protocols. It is a popular target for hackers because closed complex systems usually involve a lot of vulnerabilities. Phillipe’s lecture was about Home Location Registry of cellphone operators. HLR is a central database of users and information about them. Each access to the network by the user, whether at home or from a roaming network is verified by this system. It contains most sensitive data operator knows about its users. And it’s almost always a huge, complex system covered with the various old components. It is no wonder that finding security holes is not that difficult. But no one would forget to protect such systems with firewall and certainly no one would ever put them out on the Internet, to be reachable by anyone, right? Not really – several mobile operators with millions of active users have put the most important system they own out on the Internet.
Karsten Nohl continued his series of mobile technology hacks and this time he focused on the SIM card. He found a vulnerability in firmware signing of several SIM cards, which allows complete remote cloning, locating the user or calling the attacker-chosen phone number at any time. Effectively this way an attacker can transform a phone with a SIM card to a surveillance bug, which intercepts not only what you say, but also where you are. Some mobile operators stated that their SIM cards are not vulnerable – at least our SIM cards were OK. But you should be aware that mobile phone operators change their SIM card technology, and while the newest cards may not be vulnerable, when was the last time you actually changed the SIM card?
Like at other hacker camps, what is happening outside of the official program is usually much more fun and interesting. Workshops, technology demonstrations and dance floors gave us perhaps more than mere lectures. Opportunity to meet interesting people from different fields of science, technology and art is almost priceless. And the biggest surprise? Flying ostrich. Do you say that ostriches do not fly? That is true, but not at hacker camps, where they replace their inside with an engine and add few rotors on top. And voilà, the ostrich can fly. I saw it with my own eyes.