This is a story that took place during SHA2017, an international hacker camp in Zeewolde. If you want to get an impression of how awesome this event was, I suggest you read Chris van ‘t Hof’s article (in Dutch) or Jenny List’s personal review (in English).


Even though SHA2017 is a hacker camp, and thus has an anarchistic tendency to it, it doesn’t mean that there are no rules. These rules are generally speaking there because either the camp itself has to comply to external rules (like local laws and regulations with regards to noise and safety) or to keep things safe in general. One of these rules related to ‘open fire’ was worded on the SHA2017 wiki as:

Are open fires allowed (bonfire, barbecue, …)?
No, unfortunately not because of safety reason.
Open fire is anything that is not gas powered, allowed are (butane, propane) powered stoves and barbecue grills.
If u are cooking for 1 person we will allow small burners on fuel (like spirit of alcohol) , make sure u cook
in the open air! There will however be a offical sha2017 organized campfire near the beac, feel free to join.
Please make sure u have a fire-extinguisher in the area.

I fully understand why this rule is there. Without it, there would be hundreds of campfires on the campground, definitely causing safety issues. However, somewhere during the camp we really missed sitting around a campfire. Not just because of the heat, but als because a fire also opens up conversations between people. Some people in our group were responsible for engineering and operating the flame throwers mounted on the light towers, so they managed to engineer a gas-powered campfire. Since it would be running on gas, it would comply with the ‘no open fire’ rule

Somewhere during the night, an angel (volunteers at these events are called ‘Angles’) approached us to inform us that we were in violation of the ‘no open fire’ rule. This resulted in a discussion around the rules. Our argument was that we were running a gas-powered installation and therefore it was not an open fire. His argument was that since we were not cooking, it was not a stove or BBQ and thus open fire. However, since it was already late, and we were being responsible by having a fire extinguisher at hand and somebody near the gas valve, we were not required to stop at that time. But it looked like a second night of gas-powered campfire might not be fully appreciated.

At this point compliance turned into a sport and caused us to introduce our ‘compliance-kettle’.

Next night we erected a tri-pod over the fire and hung a kettle over the fire. Ergo, we turned our campfire into a stove. I’ll grant you, that we were not cooking very efficiently, and to be honest having a kettle of boiling water there would not have been very safe, but nobody said that our stove needed to be efficient, it just needed to be a stove instead of an open fire.

To the credit of the angels that night they too, realized that fighting over words would not result in a safer situation. So, we mutually agreed that if there would be a non-intoxicated person watching the fire and operating the gas valve things would be safe enough.

Our compliance-kettle story is the perfect illustration of how security and compliance can be very difference things, even when they try to achieve the same goals.
You are welcome to use this story it if you ever need to explain the difference between security and compliance.

Blog: Cupfighter

All images: CC licence, by Frank Breedijk

post author image

Over admin

Matthijs is director bij PwC’s Forensic Technology Solutions. Zijn specialismen zijn threat intelligence en incident response. Daarnaast creëert hij cybersecurity awareness bij bedrijven door het inzetten van de Game of Threats die door PwC is...

Meer over admin

    Leave A Comment