The entry reflects an extremely interesting insight into the peculiarities of general security perception in Eastern Asia, presented by the well-known German computer security specialist Paul Sebastian Ziegler at Hack In The Box 2012 Conference.
Today’s talk is entitled “I Honorably Assure You: It Is Secure. Hacking in the Far East”. Now, before we get started on that topic, there is one thing we have to get out of the way, and in case you’ve heard me talking before, you know what’s coming next, because unless I tell you who I am, you will not want to really hear what I have to say. But if I take too long to tell you who I am, you won’t be interested anyway. So, here’s my brief introduction.
Hello, my name is Paul Sebastian Ziegler and I am a professional pentester. I live in Tokyo, but I work and travel all over Asia, where I enjoy the English that only Asia can come up with, and I also massively enjoy always finding new comparisons to describe the current state of the security community.
If there’s anything else you would like to know, or if you’re feeling stalkerish you can check out observed.de, which is where I keep links to most of the papers, most of the slides, just in case you miss one.
So, there is this weird thing going on right now, where even though Eastern Asian countries share up to 80% of their culture, and their writing, and lots of their language, there’s a lot of hate going on over issues that really have nothing to do with what they’re supposed to be.
Now, from a foreigner’s perspective – and I’m not going to take a stance on this – it looks like everyone involved has gone crazy. I don’t know what country you’re from and if you’re in the room, I don’t know what country you’re from if you’re watching this on a video later on, or if you’re reading about this, or just looking at the slides. But if any of the things I’m going to say is going to offend you, then please be offended by the ignorant white guy. Don’t be offended by any country you attribute myself to. So, in a nutshell, please, way less of hate, and way more of that (see right-hand image), because I think we can all agree that’s really cool Asian stuff.
We’re going to start off here with one of the basic concepts in Eastern Asia, and I’m going to call it by its Japanese name, but there is a similar concept in Confucianism, it’s called the Three Wise Monkeys (see image). What do they do? The picture has kind of made it clear: the Three Wise Monkeys is a philosophical approach of how you should live your life. Namely, you should see no evil, you should hear no evil, and you should speak no evil.
Now, even though the light is shining in my face, I can kind of see that some of you are wondering: “Ok, why the f**k is this guy talking about philosophy in a hacking talk?” Well, because it makes it kind of interesting to hack in Japan, because people will do whatever they can to ignore you.
Let me give you an example: this is a picture I took a few weeks back in a big public park in Tokyo (right-hand pic). As you can see in the background, no one cares. So, even though there’s five guys dressed up as Power Rangers performing all the moves, people don’t ask them what they’re doing, people don’t go away, people just pretend they’re not there, following the: “I don’t see anything, and if I don’t say anything or hear anything, it’s going to go away on its own.”
So, one of the results of that is, unless you force people to acknowledge what they’re doing, they’re just going to try to ignore you, whether that is hacking or pentesting, or just being weird.
So, a couple of years back I took a friend aside and we tried to find out just where the limit to that phenomenon is. We really wanted to figure out how far we can go in public in Japan with hacking before someone would intervene.
So, this is a Starbucks in Tokyo, and it’s a normal laptop, and my normal suit back then (see image to the left). Unfortunately, you cannot really see the monitor right now, it was running Wireshark wildly running through stuff, not because it was really important, but because that comes closest to what most people who have seen the Matrix movies think hacking is all about, right? Lots of scary characters flashing by your screen.
So, sitting in a public café running Wireshark probably won’t get you any issues either in Europe or in the States, so we took this and we kind of changed it a little notch. Now, I’m not sure how good the resolution is, the T-shirt says: “I read your email.” Still no one really reacted, so we added the sunglasses, and since that didn’t do it, we replaced the small black ThinkPad with a huge silver ThinkPad with a sticker on it. And since that didn’t get a reaction either, we then added a 23 dB omnidirectional antenna, connected by a coaxial cable into a PCMCIA card (see image).
Now, the more security savvy among you may notice a couple of indicators that something bad is going on in this picture: you know, the sunglasses, the shirt, the laptop, and the antenna.
But we kind of figured: “Ok, these people are Japanese, they may not be able to read the English hint we left them, and maybe some of the symbols just don’t work the same way around here.” So, luckily, there’s some really great stores in Japan that will print whatever you want on a T-shirt, so we made this, (Slide 31) this says “Hacker” in Japanese (see left-hand image).
And after we sat there wearing this and taking a couple of pictures with this shirt on, about 3 minutes in, finally a Starbucks staff employee walks up to us and he goes, if we translate it into English: “Well, I humbly apologize, but I must ask you to kindly leave.” And we were thrilled, we were kind of like: “Done it! We have found the border; we have found how far we can go in Japan before they kick us out.” Yeah, the only problem is the reason we got kicked out had nothing to do with all of this stuff that I’ve just shown you. The reason we got kicked out of Starbucks – I’m not making this up – is it’s not allowed to take pictures in Starbucks.
So, I’m not sure where the boundary is – I haven’t found it yet, and I have been working in Japan for a really long time, but there doesn’t seem to be one.