A BalCCon postscript: Armed and dangerous in the Balkans, and DEF CON Returns

In September, Serbia's city of Novi Sad hosted the first-ever official hacker conference in the Balkans, BalCCon: First Congress (First Contact).

I attended the conference and quickly learned that to understand Balkan hacker culture is to know Balkan history.

Serbia, as it was explained to me one night over beers by the conference's jovial keynote, "Is where everyone is armed and dangerous, you know?"

• See: NSA, Linux and handcuffs: Success in Serbia for Balkan hacker conference BalCCon

BalCCon opened its doors for two days of hacker community building not quite fifteen years after the city of Novi Sad survived ethnic cleansing, deadly nonstop NATO bombings, and before that, the terror of a war whose arms were partly funded by abduction and organ harvest of its citizens.

Novi Sad also welcomed hackers into a city starting up a vibrant nightlife, an emerging tech sector that European press is calling 'a Silicon Valley in the Balkans' and a country that is jump-starting the formation of its democracy. It is simultaneously poor, and wired.

As I learned one morning bouncing around in the back of a smuggler's van, on a quick, mission-focused trip through some outlying villages, corruption is both a problem and fact of life in Serbia, and smuggling is a good business.

So it's not hard to believe BalCCon's co-producer and LUGoNS/Linux Users of Novi Sad member Jelena Georgijevic when she tells me that in Serbia, everyone hacks.

This isn't a glib statement; with travel out of Serbia visa-prohibitive for most citizens until 2010, and numerous bans on imports, most people simply learned to build their own computers and program them accordingly.

Maybe this is why BalCCon had the most even gender ratio of any tech conference I'd ever seen - especially surprising for such a new conference.

But then, it's not at every hacker conference you hear attendees say, "I'm a farmer. And a hacker."

• See: Darknets, wargames and Raspberry Pi at first-ever Balkan hacker conference

Taking NATO down for a week in 1999 put Serbian hackers on the map. Like everywhere, there are all kinds of hackers in the Balkans. White, black and gray hats.

Since the mid-1990s the Balkans has seen a number of effective and notorious groups and a lot of turf wars, with crew names such as Black Hand, Team Spl0it, Tesla Team, Ant1-S3cur1ty Taskf0rc3, H.A.C.K. (Hackers Against Communism Klan), Kosova Network Security/Kosova Defacement Group, and many more.

As far back as 1996, Balkan hackers enacted hacks and defacements - but became fierce and loud in 1999 when then-President Clinton announced the US would join the UK, and together with NATO, bomb Serbia.

During this time, hundreds of websites were defaced as hackers did everything they could to tell people in power not to bomb them, including UK government websites, American IT agencies and business news websites.

In 1999, Serbian hackers took NATO computers down for a week in a last-ditch effort to tell them to stop the bombings, and the anti-war hacks and defacements continued until at least four weeks into NATO's daily bombings.

People came to BalCCon from a number of places; Europe and America, and Serbia mostly, but also Croatia.

One of my favorite snapshots of BalCCon was the young woman who came to the conference from Croatia and learned lockpicking in a Day 2 workshop - and proceeded to become a locksport ace over the course of two hours, wiping the floor with competitors and opening every lock with an infectious mixture of surprise and pride.

On the first day, it was easy to tell that the majority of attendees (Serbian) had never been to a hacker conference before, and didn't really know how to behave. Many came without laptops and attended talks, and hung around not quite knowing what to do.... yet. It was like holding a knitting meetup, and having lots of excited and skilled, but cautious, knitters show up - with no yarn or needles.

After the keynote (my jovial Linux-loving beer buddy) the second inagural speaker to BalCCon's stage was Maja Asanovic, a digital privacy and human rights activist and one of the founders of Serbia's Pirate Movement.

• See: 24 hours in Serbia at Balkan hacker conference BalCCon

She captured a theme I saw repeated throughout the conference and its ancillary parties and dinners; that now was the time in Serbia's democracy formation to make sensible computer crime laws. To learn from what most see as America's mistakes (namely, the CFAA).

Asanovic's talk encapsulated the context of BalCCon as not just a time to hack and learn, but to look at what is happening in the United States with both its disturbingly flawed computer laws and NSA spying revelations.

This, she said, meant that since Serbia is still behind the times in both regards that there are big opportunities happening now for Serbian hackers to learn from America's problems and work to establish computer laws and policies that respect and strengthen human rights.

On the second day of BalCCon everyone brought their laptops.

The conference center - which had space like a Vegas conference center - filled up quite a bit with hackers of black, white and grey hats, who brought gear, projects, things to share and ask other hackers about.

So many attendees stayed past closing that groups of hackers were moved out to the warm plaza by building staff so cleaners could get to work.

---

Today, preparing for my Wednesday flight to Kuala Lumpur, Malaysia for Hack In The Box 2013, my doctor asked me if I ever feel unsafe "around these people."

She meant hackers.

I had never thought about it. After a moment of evaluation, I answered no. I told her that I feel the most unsafe when I cross borders; spending time learning about hackers has taught me that nation states are far more terrifying.

---

One of the more hardcore hackers I got to meet at BalCCon was a man who taught both some basic and some very advanced things to attendees, and he had once attended DEF CON.

He wore a DEF CON shirt on one of BalCCon's days. It was a highlight for him, like it is for so many people, who arrive to DEF CON after a lifetime of feeling alone or in the minority, and suddenly walk into a hall where there are thousands of people... like them.

When he went to DEF CON it was because a company he worked for at the time wanted to send someone to the American hacker conference, and he volunteered for the work trip. He arrived at DEF CON knowing no one and speaking very little English. He volunteered his skills to help with the Capture The Flag contest, went to all the parties the CTF crews dragged him to, and found himself going back to Serbia with at least one American friend for life.

Incidentally, his friend has agreed to keynote BalCCon 2014.

I think that as an American, I'm somehow programmed to compare conferences to DEF CON - and I think this is both a mistake, and an interesting thing to do.

DEF CON is the American hacker conference by which many comparatives are made, most especially by those who have attended for decades. It is most decidedly attended by, and run by, hackers.

This is in deliberate contrast to conferences seemingly 'cleaned up' with hackers overwritten as security researchers, a la Black Hat. DEF CON embraces the controversy that comes with the territory of being a hacker.

• See: A DEF CON postscript: Said the FBI agent to the taxi driver

And it is, in a way, DEF CON's primary statement. A dividing line by which it defines itself.

Other hacker conferences have different identities. Germany's CCC, while notably being the largest and longest-running hacker conference in the world, is the conference which Has Something To Say. Southeast Asia's Hack In The Box is a conference which welcomes disruptors operating outside of certain jurisdictions and internet corporate recruiters with equal measure.

But DEF CON has not yet decided it stands for anything else other than being DEF CON.

It doesn't really need to.

Like all things that grow and become popular, according to the old-timers, DEF CON is much different than when it started.

The way it has been described to me, DEF CON is kind of like a cult film that, after being around long enough, began to cross over into mainstream consciousness. And now it consists of sequels.

It's a good business model, because there will always be hackers who go to DEF CON. It's not those other guys at Black Hat, and there will always, always be a number of hackers (and security professionals!) that have bought into this - all they're waiting for is for another DEF CON to happen.

All Marvel needs to do is make a film and put "Iron Man" in the title, and even if the film is ridiculous and we are all sick of sequel franchises and lack of originality in Hollywood and hate the RIAA on top of it all (or invites the Director of the NSA as a guest), Marvel knows we will all see the film. Because... it's Iron Man, and we'd welcome Tony Stark Downey Jr. as a VIP to our No n00bs DEF CON party without a second thought.

We're just as pre-sold on DEF CON as we are on Iron Man. We're going to buy the damn product anyway, and besides, DEF CON and Marvel don't really give a f*uck what anyone thinks.

Most people who go to DEF CON simply like DEF CON. Next year's poster could say DEF CON: Nothing Nothing Nothing and the conference will still break attendance records.

It's tempting to think that DEF CON is not the tangible triumph of community and survival that BalCCon is, just as it's tempting to contrast DEF CON's epicenter of hackers and controversy to BalCCon's humble beginnings.

But nothing here is a dealbreaker. And I think we'll be seeing a lot more of both, next year.