The 37th Chaos Communication Congress (37C3), Europe’s largest hacking convention, happened to be the first “business trip” in my cybersecurity career. It ended up being so much more.
Out of respect for the 37C3’s photography and media policies, the amount of photos I took was woefully small.
Depending on which audience this reaches, this is going to be a journal entry full of potentially embarrassing confessions.
Just before celebrating New Year’s, I had the pleasure of setting out on my first “business trip” in my new career. At the recommendation of a friend working in Germany’s IT scene, I purchased tickets to the 37th Chaos Communication Congress (which I’ll abbreviate as “37C3” from hereon out). I knew very little about what the event would entail. I’d heard that it was essentially a German take on DEF CON. I knew it would be a four-day ordeal between the Christmas and NYE/Silvester holidays, and it would give me an excuse to return to Hamburg, which is rapidly becoming my favorite city in Germany.
I was vaguely aware that the big difference between 37C3 and events like DEF CON or CYBERWARCON was the political ethos of the Chaos Computer Club, which organizes the event.
The Chaos Computer Club, which is largely anti-authoritarian and occasionally labeled as “left-wing” or “left-libertarian”, is an organization (term used loosely) I find myself fascinated by. Personally hailing from a small town in the US and spending six years in the military, this is an area of political identity I find myself woefully underexposed to. Many of the loudest technology enthusiasts on my radar fall into the crypto-bro/enlightened centrist/right-libertarian wavelength. Currently operating in the security space with a mix of intelligence professionals and academics, the politics are diverse, but there’s a generally unspoken political pragmatism that unites everyone.
Founded in 1981, the Chaos Computer Club has grown to become one of the most influential hacker organizations in the world, largely focused on digital rights activism and privacy advocacy. The CCC claims to champion the principles of freedom of information and ethical use of technology, and the Chaos Communication Congress is its flagship event. It predates DEF CON by nearly a decade. The Congress is a massive showcase of ideas, lectures, and discussions on topics related to cybersecurity, internet freedom, and the socio-political implications of technology.
I think there’s this tendency among people from my background to assume that those who hold leftist or anti-colonial views are somehow anti-technology, no matter how sympathetic to the positions we may be. I’m certainly guilty of this as well. While I’ve had some YouTube-shallow exposure to Solarpunk, and I’m a big fan of HydroponicTrash (who is awesome and deserves your money way more than I do), I wasn’t prepared for the amount of technological optimism and actionable praxis I’d be exposed to over these several days. And the whole thing was just cool as hell.
The Vibes (I Am A Tourist)
Coming into this space from an industry where I’m mostly used to gag socks and lanyards being among the most expressive décor, the numerous cat ear accessories and endless gallery of Club-Mate (or its admittedly inferior, but sugar-free cousin, Mio Mate) soda bottles were a welcome change of pace.
I was taken aback by how much left-wing and antifascist ideology was represented in the artistic ethos of the entire thing. In the months since, my scope of the European tech space has filled out and this has become far less surprising, and it’s a thread I’ll continue to pull on as my own politics get admittedly drawn in that direction.
But it wasn’t all style and messaging with little substance. To my more apolitical, centrist, or even right-libertarian readers, I want to assure you: if your tech space principles still focus heavily on your privacy against government or corporate overreach, an advancement of the cybersecurity and cryptographic crafts, or decentralization/federation, you’d have found a surprisingly warm amount of common ground with the many “creatures” in attendance at 37C3.
Everything was managed by an army of volunteers who had schedules they would opt into or out of via a Congress-managed intranet. It all seemed tremendously…chaotic, but everything moved along without any game-breaking incidents.
All-up, I probably attended eighteen different events, ranging from thirty minutes to three hours throughout my four days in Hamburg. A detailed breakdown would be nigh-impossible, but I’ll try and highlight what I thought were some of the standout presentations in some of the categories that were most important to me. The events were a mixture of professional “TED-style” lectures, self-organized events by various groups, and smaller, more intimate “classroom-sized” seminar blocs. At any given time, there were a dozen active events throughout the Congress building, and this didn’t include permanent installations of managed hacker spaces, refreshment stalls, thrown-together meetups, and mutual aid group pop-up kiosks.
Some Highlights
I couldn’t even attend a quarter of the events, despite being there for 14+ hours each day. Thankfully, the good people at Chaos Communication Congress give away most of the lectures for free on their website once enough time has passed. Lessons Learned in this situation: I should have focused more heavily on the interactive events and workshops than the big lectures, though a few that I attended were not destined for viewing outside of the Congress.
It’s also some killer incentive to finally get serious about my German.
Humanitarian: CADUS International Disaster Response on their preparations for assisting in Gaza.
CADUS is an organization I’d never heard of until 37C3. Based in Berlin, they assist in medical and infrastructure-related humanitarian aid in often extremely dangerous places impacted by war. Besides their proclaimed values of international solidarity and mutual aid, the group’s appearance at the congress was also relevant because of their work in providing or restoring communications for those in need. This particular event didn’t have any associated media that can be shared for it, but I wanted to give the good people at CADUS a shout. Go to their website. Read up on what they’re doing. See if there’s a way you can help. The amount of organizations still operating in Gaza keeps shrinking.
Futurism: Dorian Cavé and his presentation on “Unlearning & Radical Collective Change in Online Communities”
In this lecture, Cavé, (who may actually be “Dr. Dorian Cavé, PhD.” by the time I publish this) summarizes some findings from his past decade of research. Cavé‘s academic career has largely focused on sustainable and decentralized online communities, and the lecture discusses some of his findings regarding two communities looking to achieve such goals in Europe.
Three of the many insights I will substantiate and examine in the talk are:
Dorian Cavé for 37C3
-that online communities have the potential to create deep changes in people when they are built in ways that foster deep relationships, criticality and conflict transformation, and emergent leadership;
– that changing socio-political structures must go together with joyful, liberating practices that can help us unlearn harmful cultural patterns that get in the way; and
– that perhaps we should be less interested in becoming experts, and rather find the courage and open hearts allowing us to be fearlessly and fiercely present to the world, with all its shit, its wonder, and its uncertainty.
Read his most recent piece on Resiliance.org.
Technical Demonstrations: All Cops Are Broadcasting (TETRA radio encryption is awful)
Dutch cybersecurity researchers, Jos Wetzels, Carlo Meijer, and Wouter Bokslag are part of the team at Midnight Blue. The team has been working tirelessly to advocate against the use of primitive, proprietary encryption algorithms that have introduced vulnerabilities into critical infrastructure, disaster response, and law enforcement.
The long and short of their demonstration showed that certain releases of the TETRA radio encryption are vulnerable to various cryptographic attacks. One such demonstration by the Midnight Blue team showed that they were able to resolve the encryption in a reasonable amount of time on a laptop that was widely available in the late nineties.
Much of this equipment is used and still being sold throughout Europe, as well as EU and NATO partner nations.
Philosophy? Aesthetics? Conspiracy?: YOU’VE JUST BEEN FUCKED BY PSYOPS
In what was probably the most bizarre presentation I saw at the Congress, Dr. Trevor Paglen gave a sixty minute lecture on relationships between psychological operations, AI, conspiracy-pilling, and the intelligence applications of magical aesthetics.
Before you get up in arms about it, Dr. Paglen is coming at all of this from a (mostly?) critical direction. There’s still enough digging into government meddling to satisfy one’s conspiracy brain, but from an anti-capitalist direction.
While I still walked away from the lecture with a bit of skepticism towards what I’d just heard, it felt enriching, and lent a type of depth to the Congress that I suspect might not be so outwardly expressed in your typical hacker space. I have to look more deeply at the Paglen‘s career.
Ripples On The Internet
Given that this was my first time at such a public event in what could loosely be considered the cybersecurity space, I was–perhaps naively so–surprised that I’d found much of what I had been seeing play out before me being written about in real time. The infosec sphere on social media seemed to be lighting up every time one of the major lectures published a technical revelation. This was the first time I’d seen articles go up on sites like Dark Reading or Hacker News on some of these relevant topics within minutes of an event I could correlate to my lived experience.
The most impactful instance of this was the presentation by the team at Kaspersky about how a threat actor attempted to hack several of their phones utilizing a zero-click malware, with behaviors that largely mirrored those associated with spyware developed for state use (such as Pegasus).
Kaspersky, being who they are, were not only able to detect the attack, but were able to document it extensively at virtually every level of its incredibly complex kill-chain.
My Big Takeaway: LinkedIn Isn’t Reality
It’s been months, and now that I’ve returned to the civilian world after ending a six-year career in the US Army, I feel like I can publicly express just what this Congress meant to me.
I will never condemn the security or military spaces wholesale. I owe a lot of who I am, and a lot of my current political explorations to ideas I developed (or am currently developing) while inhabiting them. I have a lot of love for many of the people I’ve worked with, and continue to work or socialize with. As well, I’ll take the daring stance here and re-state that there are times certain governments or militaries are clearly the lesser of two evils.
But man. It felt awesome to be given this alternate vision for the way the future could look. Until attending this event, I’d found the tech space to be inextricably linked to “hustle culture” or the military-industrial complex. Hacktivism was as “edge” as it got, and it largely seemed cringe. I had been operating under the assumption that the open-source ethos was all but dead. The infosec spaces I’d largely inhabited prior to 2023 seemed to run so close to the crypto-scam/NFT griftosphere, with little substantive examination of the impact growth-first technological progress has on the environment, civil liberties, or people living outside of the conception of the “western world”.
A lot of criticism lodged at left-wing or environmental activism amounts to accusations of it being a luddite space with no room for the love of technology, or a bunch of liberals-in-denial who want a greenwashed nanny-state. While I’ve never bought into this, the Chaos Communication Congress showed that I hadn’t yet missed my chance to engage with a better, healthier vision of my relationship with privacy, security, and tech.
