TechScape: Why ‘hacker summer camp’ and pandemics don’t mix

In a normal year, I would be getting on a plane today and travelling to Las Vegas for the loose conglomeration of events informally known as “Hacker Summer Camp”. Centred around DEF CON and its stuffy younger sibling Black Hat, the event sees Las Vegas taken over by hackers, information security specialists, spooks and criminals, all there to discuss the best ways to defend computers against hostile adversaries – and to break into those same computers as quickly as possible.

This year is not, of course, a normal year. For one thing, I now have a four-month-old daughter at home, helpfully making the choice for me as to whether or not I travel to conferences in distant nations. For another, there’s waves arms all this still going on.

DEF CON (alright, Defcon, the official styling is giving me a headache) had planned for the occasion. Despite being one of the oldest, and the largest, hacker conventions in the world, it had always been a resolutely in-person affair until the coronavirus pandemic saw events cancelled globally and forced it online. This year, in prescient forward planning, the organisers announced the event would take place in a “hybrid” fashion, streaming live online as well as in-person in Las Vegas.

The initial justification was less about Covid per se, and more about the difficulty for international travellers: travel to the US is banned from a host of countries, including most of Europe and China. But as the date of the event drew closer, and it became increasingly clear that the pandemic would not be over by August, a growing number of American attendees also reconsidered their decision to travel to Las Vegas.

Defcon and hygiene don’t normally go together. The conference is the only place I’ve ever heard volunteers refer to the “3-2-1 rule” – that is, three hours of sleep a night, two meals a day, and please, for everyone’s sake, one shower. But the conference is trying its best, adding a “real mask” mandate (no bandanas or face shields) and requiring proof of vaccination. But for many, the belated awareness that America, too, was at risk from the Delta variant that had seen cases skyrocket in India and the UK was the final straw. Defcon is happening at the worst possible time, some worry: cases are creeping back up in Nevada, as they are across the US, even as restrictions remain lax. The state reintroduced a mask mandate for indoor events on Friday. But fears about Delta’s significantly increased R number seem to be enough to convince people to stay at home for another year. Online tickets have been sold out for weeks, but in-person tickets remained available until the last minute.

This isn’t just another story of events struggling against coronavirus, though. Defcon has its own unique set of problems to contend with. Like other hacker conferences, the event is notoriously unwilling to create any sort of register of attendees. In previous years, that’s meant eschewing any form of pre-sale entirely, and exclusively selling tickets on the door, for cash.

“Do we take credit cards,” the official FAQ reads. “Are you JOKING? No, we only accept cash – no checks, no money orders, no travellers checks. We don’t want to be a target of any State or Federal fishing expeditions.”

This year is different: to gauge attendee numbers, the organisers sold badges online. “Cash at the door will still be honoured for as long as spaces last,” organisers said, “but there is a chance we’ll have to turn away cash customers if we reach capacity for our venues.”

The news had some worried, and not unreasonably so. American law enforcement clearly has its eyes on Defcon as an event that draws people of interest from around the world. In 2017, Marcus Hutchins, the British researcher who single-handedly stopped the outbreak of WannaCry that shut down a chunk of the NHS, was arrested over unrelated historical allegations in Las Vegas airport, preparing to leave the country after the conference. (Hutchins later plead guilty to two charges and was sentenced to time served and a year of supervised release).

Adding frisson to the choice is an unusual announcement for the counter-cultural convention’s keynote speaker: Alejandro Mayorkas, Biden’s secretary of homeland security. The reaction was … poor. “What were y’all thinking? I’m so disappointed in you,” influential hacker Ian Coldwater told the convention. “As a main stage speaker this year I can’t say I’m terribly excited to be sharing a stage with this man.”

But what about the hacking?

Controversies or not, Covid or not, Defcon is still the focal point of the hacker calendar, and there’s a lot of news that’ll be breaking over the next week to keep an eye on. Some has already broken, in fact, pre-briefed out to excite attendees:

  • PunkSpider, a controversial and long-unavailable “hacker search engine”, is back. “PunkSpider automatically identifies hackable vulnerabilities in websites,” Wired’s Andy Greenberg writes, “and then allows anyone to search those results to find sites susceptible to everything from defacement to data leaks.” The tool is, like many that come from the convention, scrupulously neutral in its morality. “PunkSpider finds vulnerabilities, it does a little work on the backend to determine the likelihood they’re exploitable, and then it releases them to the public immediately,” the tool’s creator told Greenberg. “That last part is the part I get a little bit of shit for sometimes.” Even computer-rights organisation EFF was a bit doubtful, telling the magazine that PunkSpider “is full of good intentions – these vulnerabilities are leading to a lot of real-world problems, ransomware being one of them, and making them public might be the thing that pushes administrators to fix them. But we don’t recommend it.”

  • Twitter has responded to long-running accusations that its image cropping algorithm is racist – regularly cropping black faces out in favour of white people – by challenging the Defcon community to prove it. The company’s created its first “algorithmic bias bounty”, modelled on “bug bounty” security programs, which reward ethical hackers for reporting weaknesses to the developer. “Your mission is to demonstrate what potential harms such an algorithm may introduce,” the company says. It’s only offering beer money for now, with a top prize of $3,500 that pales in comparison to the $20,000 it will pay for a security flaw, but it’s the start of a new way of looking at algorithmic bias.

  • Sometimes futurism is hard. Other times, not so much. Way back in 2019, OpenAI produced GPT-2, a then-groundbreaking text generation AI, and decided to not release it to the public for almost six months after demonstrating it to the press because it was afraid of how it could be misused. Well, now that day has come. Three hackers from the Singaporean government have produced an “AI as a service phishing pipeline that was successfully deployed in multiple authorised phishing campaigns”. Using those same basic AI tools, they managed to generate automatic, human-like phishing messages, incorporating information from their targets’ social media services.

Facebook on Facebook

Facebook got in touch after last week’s email to point out that, while Mark Zuckerberg did specifically propose holocaust denial as an example of something he felt should be allowed on the social network, the company reversed that policy in 2020.

“Our decision is supported by the well-documented rise in antisemitism globally and the alarming level of ignorance about the Holocaust, especially among young people,” Facebook’s Monika Bickert wrote last October. “According to a recent survey of adults in the US aged 18-39, almost a quarter said they believed the Holocaust was a myth, that it had been exaggerated or they weren’t sure.”

That decision to reverse course is covered in Cecilia Kang and Sheera Frenkel’s book An Ugly Truth as well. The pair say that the choice came from the top – again. But they also highlight the fact that it was never really acknowledged as a reversal. Even Bickert’s public post is called an “update” to the hate speech policy. And behind the scenes, the pair write, Zuckerberg was indeed shaken by the evidence which suggested that Holocaust denial was on the increase, but never seemed able to come to terms with the fact that that made the original policy a mistake.

Facebook also pointed out that the social network wasn’t the only one to drop the ball in 2016.

“Much has been written about the fact that in 2016, we and those in the government and media did not fully recognise the nature and scope of foreign interference in our elections,” a spokesperson said. “Since 2017, we have removed over 150 covert influence operations originating in more than 50 countries, and a dedicated investigative team continues to vigilantly protect democracy on our platform both here and abroad.”

A reminder, if you want more of this, that I’ll be interviewing Kang and Frenkel today as part of a Guardian Live event.

If you want to read the complete version of this newsletter please subscribe to receive TechScape in your inbox every Wednesday.