The HOPEs are scheduled every
two years and I was at the previous HOPE (called
), although just for one day. This time I attended for all three days,
although I wasn't able to stay at the conference as long as I would have liked. The program ran from 10:00AM until well past
midnight the first and second days.
This year, as last time, Christopher (my son) also attended with me. He missed one day because of a previously
scheduled birthday party.
All in all, the conference was amazing. Today, just a day after, my head is still spinning from all the
ideas, discussions and events. Great fun!
We arrived a bit early - around 8:30AM. Since the program did not start until 10:00AM, we just wandered around
midtown and Penn Station. Once we got our badges, we went up to the 18th floor of the Pennsylvania Hotel, where
the main areas holding the presentations were.
The room decorations (see pictures) were all in a 1984 theme, with Big Brother watching us.
We attended the following talks:
- Hacking National Intelligence: Power to the People Speaker: Robert Steele
Robert Steele is a former spy. I presume he worked for the CIA, although he does not come right out
and say it. He is a former Marine and a current Republican, although he does not appear to like the current
President.
The main thesis of his talk was that we (i.e. the US) spend 50 billion dollars a year on keeping secrets
and it is all "bull-shit". 80% of what we need to know to keep ourselves safe is known to all
(except in Washington).
What we need is "collective intelligence" - a kind of global system to which everyone can contribute
relevant information and which can be used to discover dangers (look up "Public Intelligence" on Amazon).
At one time he had an epiphany (or in non-republican language "Aha!") that what we need is "open source
intelligence", where everyone contributes. See www.oss.net for a more detailed
description of his ideas.
Accordingly, "'central intelligence' is an oxymoron in a distributed world".
He paraphrased Thomas Jefferson: "Educated citizen is the best security". We must all learn more, and
especially learn more about the rest of the world.
Today's intelligence problems can be solved, but people in Washington live in "fool's paradise" and the media
goes along. Meanwhile, we the people, are not interested.
His final thoughts were: You cannot protect America through secrecy. To change the world you need to participate -
so register to vote!
- Where'd All that SPAM Come From? Speaker: John Draper (aka. "Capt'n Crunch")
This talk was given by John Draper, the famous Capt'n Crunch
from the phone-phreaking days.
So, where does all this SPAM come from?
The installed trojans are getting more and more sophisticated. For example, the programs do not run all
the time (so they will not show up in nmap scans, as they don't listen on any ports), but they will "awaken"
when a "knock-knock" protocol is used. That is, a connection is attempted on several specific ports in
a specified sequence, and only then do they start. Often the victims do not even realize they are
sending spam.
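The "knock-knock" behaviour described above leaves a trace a defender can look for: a burst of SYNs from one source to a fixed list of closed ports in a fixed order, followed by a real connection. The following detector is an added example (not from the talk or the original post); it runs over constructed iptables-style log lines and assumes a known knock sequence, a syslog timestamp format without a year, and a 10-second window between knocks.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed iptables-style firewall log (not real traffic). The first host sends SYNs to
# 7000, 8000, 9000 in order and is then allowed through to port 25; the second host hits
# the same three ports but in the wrong order.
SAMPLE_LOG = """\
Jul 12 09:00:01 gw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=41000 DPT=7000 SYN
Jul 12 09:00:02 gw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=41001 DPT=8000 SYN
Jul 12 09:00:03 gw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=41002 DPT=9000 SYN
Jul 12 09:00:04 gw kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=41003 DPT=25 SYN
Jul 12 09:05:00 gw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=5000 DPT=7000 SYN
Jul 12 09:05:01 gw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=5001 DPT=9000 SYN
Jul 12 09:05:02 gw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=5002 DPT=8000 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<verdict>\w+) .*?"
    r"SRC=(?P<src>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dport>\d+) SYN$"
)


def parse_events(text, year=2004):
    """Turn log lines into (timestamp, src, verdict, dport) tuples.
    Syslog lines carry no year, so one is supplied by the caller."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["src"], m["verdict"], int(m["dport"])))
    return events


def find_knock_sequences(events, sequence, window=timedelta(seconds=10)):
    """Return [(src, time_of_last_knock)] for every source whose dropped SYNs
    contain `sequence` in order, with at most `window` between consecutive knocks.
    A SYN to any other port, or a gap longer than the window, restarts matching."""
    drops = defaultdict(list)
    for ts, src, verdict, dport in events:
        if verdict == "DROP":
            drops[src].append((ts, dport))
    hits = []
    for src, attempts in drops.items():
        pos, last = 0, None
        for ts, dport in sorted(attempts):
            if last is not None and ts - last > window:
                pos = 0
            if dport == sequence[pos]:
                pos += 1
            else:
                pos = 1 if dport == sequence[0] else 0
            last = ts
            if pos == len(sequence):
                hits.append((src, ts))
                pos, last = 0, None
    return hits


def knock_then_connect(events, sequence, window=timedelta(seconds=10)):
    """Higher-confidence signal: a completed knock sequence followed by an ACCEPTed
    connection from the same source within `window`. Returns [(src, accepted_dport)]."""
    accepts = [(ts, src, dport) for ts, src, verdict, dport in events if verdict == "ACCEPT"]
    alerts = []
    for src, knock_ts in find_knock_sequences(events, sequence, window):
        for ts, asrc, dport in accepts:
            if asrc == src and knock_ts <= ts <= knock_ts + window:
                alerts.append((src, dport))
    return alerts


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    for src, dport in knock_then_connect(ev, [7000, 8000, 9000]):
        print(f"{src}: completed knock sequence, then connected to port {dport}")
```

Because the knocked ports are closed, the only evidence is in the firewall's drop log, which is why logging dropped SYNs (not just accepted connections) matters here. The second host in the sample is not reported: the same three ports in a different order are not a knock.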
The best way to discover who is actually spamming is to "follow the money" - actually order the item
being offered and when a charge is made on your card, you can see who made it (you can also claim fraud
at your bank and have the charge undone).
You can also follow the shipment trail to discover the originating company and then make sure
to boycott them.
Reporting SPAM (to whom?) helps in shutting down infected hosts, but does not root out the
main problem.
One cute trick that John Draper uses to see how your addresses are passed around is to create email
addresses with a random hash code as part of the address (he can handle these, as he is an ISP) and then
see where they show up.
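One way to implement that tagging trick, as an added example that is not John Draper's code: instead of a random hash, the tag is an HMAC of a label for the party you gave the address to, so a tag cannot be forged or guessed without the secret, and any address that later turns up on unsolicited mail can be attributed back to the label it was issued to. It assumes you control the domain and that mail to `user+tag@domain` reaches you; the domain, mailbox, secret and recipient list are all constructed.

```python
import hashlib
import hmac
import re

# Assumed setup: we control example.com and deliver anything addressed to jd+<tag>@example.com.
DOMAIN = "example.com"
MAILBOX = "jd"
SECRET = b"constructed-demo-secret-never-stored-with-the-addresses"
TAG_LEN = 12  # hex characters of the HMAC kept in the address


def _tag_for(label):
    return hmac.new(SECRET, label.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def tagged_address(label):
    """Address handed to exactly one correspondent (a shop, a newsletter, ...).
    Deterministic, so the same label always yields the same address."""
    return f"{MAILBOX}+{_tag_for(label)}@{DOMAIN}"


ADDR_RE = re.compile(rf"^{MAILBOX}\+([0-9a-f]{{{TAG_LEN}}})@{re.escape(DOMAIN)}$", re.I)


def attribute_leak(rcpt, known_labels):
    """Given the envelope recipient of an unsolicited message, return the label the
    address was issued to, or None if the tag is unknown or forged."""
    m = ADDR_RE.match(rcpt.strip())
    if not m:
        return None
    seen = m.group(1).lower()
    for label in known_labels:
        if hmac.compare_digest(seen, _tag_for(label)):
            return label
    return None


def leak_report(rcpts, known_labels):
    """Count, per label, how many messages arrived at the address issued to it."""
    counts = {}
    for rcpt in rcpts:
        label = attribute_leak(rcpt, known_labels)
        if label is not None:
            counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    labels = ["shop-A", "newsletter-B", "conference-C"]
    # Constructed recipient addresses, as they might appear in a mail log
    rcpts = [tagged_address("shop-A"), tagged_address("shop-A"),
             tagged_address("conference-C"), "jd+000000000000@example.com", "jd@example.com"]
    print(leak_report(rcpts, labels))
```

The comparison uses `hmac.compare_digest` so that attribution does not leak timing information about partial tag matches, and the untagged or forged addresses in the sample are simply ignored rather than attributed.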
Check out his WebCrunchers. BTW, he was using a Mac laptop
for his demos and presentations.
- Security, Liberties, and the Trade-offs in the war on terrorism Speaker: Bruce Schneier
Bruce Schneier is the publisher of an online security newsletter,
Cryptome, which is
published once a month. I read it fairly regularly. He is also the author of a number of security
books, some more technical than others (e.g. Applied Cryptography).
His talk was about his ideas of how security fits in a world of many players, with different agendas
and how some stuff that seems ridiculous to some, actually makes sense from another point of view.
The best part of the talk was his examples.
The basic thesis is that security is a tradeoff. There is a cost associated with each security measure.
We, as "security consumers", should be able to decide if the security we are getting is worth the
cost. For example, one way to avoid airplane hi-jackings is to ground all airplanes. Clearly this
is not the price we are willing to pay.
We need rational discussion of security tradeoffs, as there is no right answer to a security question.
Different people/parties will answer differently.
For example, he described a visit to a big bank in NYC. In the lobby they had an X-ray machine to
X-ray all the bags - and one person who intently watched the screen of the machine. Since no one
was watching the people, Bruce S. was able to walk through without putting his bag through the machine.
Didn't seem like a good security measure.
When he described this to the person he saw at the bank (some high level security VP), he was told that
the bank saved 5 million dollars on insurance because they have the machine. So the bank is making
money on this deal.
Technology and media do not help in choosing answers to security questions.
- Media exaggerates the rare. People are afraid to fly, but not to drive. Risks are misperceived.
Everyday bad events do not get on the news.
- Technology obscures how things work.
So how do we wind up with stuff that is not worth having? It's because "Security decisions are made for non-security
reasons". Different parties in security decisions have differing agendas (e.g. police want more power,
banks want less insurance, etc.).
Another example he discussed was why airlines are happy to check photo IDs as a "security measure".
It is because the airlines can prevent people from selling non-refundable tickets (since your name
is the ticket).
His final point was that we must accept risk - there is no way to eliminate it. We must also
avoid security measures that are too expensive.
Finally, during the Q/A part of the talk, he was asked what country he would want to live in - he said he'll stay in the
US (until the election at least) and he told the audience to move to Ohio.
- When Corporations Attack - panel discussion: Acidus, Virgil Griffith, Dan Morgan, Wendy Seltzer
This panel included three victims of corporate attacks and a lawyer from EFF - Wendy
Seltzer. She spoke first about how corporations are using laws, like DMCA, to squash competition or even
reporting that exposes defects in their product. EFF maintains a web site where you can see examples
of lawsuits and threats of lawsuits that are happening at present. This website is called
Chilling Effects.
The first victim was Dan Morgan, a publisher of the "Satellite Watch News" newsletter. This newsletter covered
various facets of satellite TV. It published technical information on how the system worked, etc.
However, at one point Direct TV decided that the information published there helped people make
fake satellite TV cards that could be used to receive programming for free. They decided to sue, and in
a short time they closed the newsletter (which had been publishing for over 10 years). Dan's office equipment
and his computers were confiscated. He also feels that the lawyer that was going to defend him was intimidated
and decided not to fight (this is just an allegation).
The remaining two victims were two college students from Georgia Tech. They "fiddled" with the campus
ID card system and discovered several security flaws. They proceeded to write a paper and submitted it
to a conference. Before the paper was published, they were sued by the company that makes the system
(Blackboard.com) and were not able to present.
They were accused of breaking provisions of DMCA and several other laws they had not heard of before. Although
they felt they had done nothing wrong, the fight in a courtroom could cost about $500,000 and there
was a chance they might not win (one questionable issue was that they had not gotten formal permission
from the University to use its system for their testing). They did not have the required resources,
so they settled. Part of the settlement agreement is a gag order - they cannot discuss the details of
what they discovered and they cannot discuss the details of the settlement.
In the discussion that followed the initial presentation, the guys from Georgia Tech stressed that if you are
going to do certain sensitive research, make sure that you document every step and that you get
the required permissions to use things that "belong" to others.
One positive aspect of their experience was the removal of Social Security numbers from the student ID cards,
even though it's not clear that their paper made the company implement this change.
Here is the original Slashdot story
- Slaying the Corporate Litigation Dragon Speaker: Atom Smasher
This presentation was a pleasant change from the previous talk. The speaker, who said law was his hobby,
got a corporation - his previous employer (a company called CSF) - to agree that he should run
the csx-sucks.com website.
He proceeded by first registering csx-diversity.com domain and putting a web site that poked fun
at the company. He included some KKK photos etc. In any case, as expected, he got a cease and desist order.
However, the complaint was so poorly written that he was able to exploit and negotiate with the company.
He was willing to give up csx-diversity.com, if the company agreed to let him have csf-sucks.com,
which they did.
One of the clever things he did: he conditioned the gag clause - which would prevent him from talking to anyone
about the settlement - on the payment (of $200) that the company owed him for giving up csf-diversity.com.
He gave them 30 days to pay. Naturally, getting a check from a large corporation can take much longer, so after
90 days he sent them a letter saying that the "gag clause" was no longer valid, as per the agreement, since
his payment was not delivered in 30 days.
Which is how it is that he can discuss the case at the conference and why you can see the relevant documents
and the contract on his website.
- Friday's Keynote Speaker: Kevin Mitnick
Kevin Mitnick is a hacker who in the 80s and 90s broke into a lot of systems (his favorite was VMS) and
managed to steal source code to VMS, Solaris and a bunch of other things. He was arrested by the FBI twice. After
the first time he got out of prison, he got into further trouble and for a few years was a fugitive, until
caught again in 199x(??). He spent nearly 5 years in jail, without a bail hearing and without a trial.
He seemed to be caught up in a weird catch-22. In order to prepare his defense, he and his lawyer had to use
Kevin's laptop. But he was not allowed to touch any computers in prison (some prosecutors insisted that
he could start a nuclear war by whistling into a phone). So, he had to waive his right to a speedy
trial so that he could prepare a defense. In the end he and the government settled and he was released.
His talk was basically biographical. He talked about how his first "hack" was when he figured out how to
ride buses in L.A. for free. He got blank transfers from the dumpster near the bus depot and a bus driver
told him where to get the right hole punch to punch in the date. Kevin was 12 years old at the time.
Many different stories followed this one. He got an A+ in his high school computer class for writing
a program to steal passwords. He was an early phone-phreak, who could make calls on a rotary phone
by tapping on the microphone.
He could be described as a "master social engineer" (i.e. a really good con-man). It's amazing what he could
talk people into doing.
Anyways, the room where he was speaking was packed. We arrived a bit late and had to stand.
While at the conference I bought a documentary about Kevin's case called "Freedom Downtime". I also
got one of his books - called "The Art Of Deception".
By the time the keynote was done it was nearly 6 o'clock and we were pretty tired. We didn't stick around
for the questions and answers.
Met Paul B. for breakfast (hi, Paul, thanks!).
- Building the Anti-Big Brother Speaker: Peter Wayner
This was one of the more technical talks I attended. The speaker proposed a different solution
to sensitive data being held in databases. The traditional approach to database security is
to build a "fortress", allowing only a limited number of people access. However, outsiders can
still penetrate the fortress (and making the fortress less penetrable gets expensive), or
insiders take advantage of the info they gain access to.
Even data that is not apparently sensitive can cause problems. The speaker talked about a particularly
expensive brand of stereo that was stolen from his car (not a very fancy mini-van). He discovered that
the same night, the same kind of stereo was stolen from his neighbor's car, while other cars on
his block (some much more expensive) were left untouched. He realized that someone had gained
access to the database that holds the purchase information for the particular stereo brand and
knew whom to target.
What is the solution then? The solution is to invert the problem. Rather than trying to secure
the database, make the data in the database useless to people who are not supposed to see it.
He calls this approach translucent database - and
he has written a book about it.
Basically, the idea is to use a one-way function to encrypt the interesting data. The values computed
by these functions can be used as keys, but will be useless to anyone who doesn't hold the original input.
One of the first translucent databases was the "/etc/passwd" file on Unix. Anyone can read it,
but you cannot find the password, as it is encrypted by a one-way function.
The rest of the talk went into more detail on how certain types of systems could be implemented
to preserve the privacy of the owner of the data, while allowing the normal operations that
people may want to do. One example was a library system that keeps track of the value
of the books you took out, but does not have the information about the titles that
you borrowed.
The idea is pretty intriguing and I'll probably wind up getting his book.
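A small worked version of the library example, as an added illustration that is not from the talk or from Wayner's book: the loan table stores a one-way token in place of the patron's name and never stores titles at all, yet the library can still total what a patron owes and the patron can still look up their own loans by recomputing the token. It assumes the token is derived with PBKDF2 from the patron's name and a password only the patron knows (a plain hash of a name would be guessable by hashing every name in a phone book), and the patrons, passwords and book values are constructed.

```python
import hashlib
import hmac

# Work factor for the one-way function: slows down guessing of name/password pairs
# against a copied table. Chosen for this example, not from the talk.
ITERATIONS = 50_000


def patron_token(name, password):
    """One-way token that stands in for the patron in the database.
    Deterministic, so the patron can recompute it to find their own rows;
    useless to anyone reading the table without the password."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), name.lower().encode(), ITERATIONS)
    return digest.hex()


class TranslucentLoans:
    """Loan ledger whose rows are (token, loan_id, replacement value in cents).
    Neither patron names nor book titles are ever written to the table."""

    def __init__(self):
        self.rows = []
        self._next_id = 1

    def check_out(self, token, value_cents):
        loan_id = self._next_id
        self._next_id += 1
        self.rows.append((token, loan_id, value_cents))
        return loan_id

    def check_in(self, token, loan_id):
        """Only the holder of the matching token can close a loan."""
        for row in self.rows:
            if row[1] == loan_id and hmac.compare_digest(row[0], token):
                self.rows.remove(row)
                return True
        return False

    def outstanding_value(self, token):
        """What one (anonymous) patron currently has out, e.g. to bill for lost books."""
        return sum(v for t, _, v in self.rows if t == token)

    def total_on_loan(self):
        """Aggregate queries still work on the opaque table."""
        return sum(v for _, _, v in self.rows)

    def dump(self):
        """What someone who copies the table gets."""
        return list(self.rows)


def patron_balance(db, name, password):
    """The patron recomputes their token to read their own rows."""
    return db.outstanding_value(patron_token(name, password))


def demo():
    """Constructed patrons and loans; returns the figures a reader would want to check."""
    db = TranslucentLoans()
    alice = patron_token("Alice Reader", "correct horse")
    bob = patron_token("Bob Borrower", "battery staple")
    db.check_out(alice, 2500)   # a $25 book; the title stays at the desk, not in the table
    db.check_out(alice, 4000)
    db.check_out(bob, 1500)
    leaked = db.dump()
    names_exposed = any("Alice" in t or "Bob" in t for t, _, _ in leaked)
    return {
        "alice_owes": patron_balance(db, "Alice Reader", "correct horse"),
        "bob_owes": patron_balance(db, "Bob Borrower", "battery staple"),
        "wrong_password": patron_balance(db, "Alice Reader", "wrong"),
        "total": db.total_on_loan(),
        "names_exposed": names_exposed,
    }


if __name__ == "__main__":
    print(demo())
```

The /etc/passwd analogy holds in both directions: the copied table gives a thief nothing directly, but an insider or outsider who obtains it can still try guesses offline, which is why the derivation is deliberately slow and why the token depends on something beyond the name.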
- Propaganda in Art and Media Panel: b9punk, Mike Castleman, Fredrick Guimont, Lazlow
This was a panel discussion about the media and propaganda. Here are a couple of links:
- 1984 Comic - Fredrick Guimont is working on a comic
book version of "1984".
- Freepress.net - an independent media website
Random quotes I wrote down:
- Repetition is truth. Repetition is truth. Repetition is truth.
- Democracy is conducive to capitalism, but capitalism is not conducive to democracy.
There was one poignant moment during the Q-and-A session, when a Chinese man came to
a mike and said that we should be grateful we can complain about propaganda and
speak up. In China we'd all be arrested.
- Saturday's Keynote Speaker: Steve Wozniak
Steven Wozniak's keynote was the highlight of the conference. He talked about his life, his high school
hobbies (designing computers) and phone-phreaking with his friend Steve Jobs (who wanted to sell
everything Woz designed).
He told us how he didn't want to leave HP to join Apple, until he was told that he
could remain an engineer forever. He told us about the first "dial-a-joke" he ran in
Cupertino and lots of other funny stories.
There was an odd parallel between his life and that of Kevin Mitnick. They were both
interested in computers, networks and telephone systems. They both met Capt'n Crunch
and were into phone-phreaking. Yet, look how differently their lives turned out.
Woz talked about sneaking into SLAC library on weekends to read up specs on new computers
or to look up technical details on the phone system, so that he could design his blue boxes.
It was a pleasure listening to him. You should have come... :)
- Tactical Media and the New Paranoia Panel: Mike Bananno, John Henry
This panel consisted of three short presentations by three art/hactivism groups with a short
question and answer period.
- Institute for Applied Autonomy
These guys build robots (or autonomous vehicles) for activist purposes. They are trying to move robotics
research in directions other than DARPA's. DARPA's work is based on the belief that people are weak in combat,
but that a few people controlling a lot of robots can fight better.
So, as a response, the group developed a graffiti-drawing robot - to avoid being arrested! When they first
used their robot on the steps of the Capitol in Washington, they did not get arrested and the police were
actually impressed with the robot.
They built a somewhat larger version of the graffiti writer and took it to the DARPA Challenge (the autonomous
vehicle contest). They pretended to be a regular entrant. But when their robot started the race, it drew
Asimov's First Law of Robotics on the race track: "A robot will never harm a human being".
- Yes Men
"Yes Man", according to the speaker, is a collaboration of activists, social engineers and idiots. It
all started
with their website gatt.org, which someone mistook for a WTO web site,
and invited a representative
to go to an economic conference in Salzburg, Austria. Naturally, they accepted and sent someone to
present some fake and outrageous stuff (i.e. a proposal to reduce the cost of elections by letting people
auction their votes off to the highest bidder).
They filmed the entire expedition and eventually it will be released as a documentary. See their website.
- Critical Art Assemble
The representative of this group could not present, as he is fighting bio-terrorism charges (that is,
he has been accused of bio-terrorism).
This group was setting up presentations at various museums to educate people about genetic engineering
of plants and animals. One of their exhibits included petri dishes with several strains of common
bacteria to demonstrate what bio-tech companies do.
You can find out more about their case at CAE Defense Fund.
- Retrocomputing Panel: Richard Cheshire, Sam Nitzberg, Steve Wozniak
This panel turned out to be a little boring. Richard Cheshire and Woz talked about the
old computers they worked on. R. Cheshire talked about the IMSAI 8080, and how it had to be
booted by toggling in the bootloader by hand via front panel switches.
Woz talked about designing and building the Apple I and Apple II. He said that it was great
fun to be able to develop the software and hardware at the same time. He talked about
writing the first Breakout in Apple Basic and being blown away at how short the code was.
Until then such things were done in hardware.
The last speaker talked about the future of retro-computing and demoed an Apple II emulator
running on his laptop (in fact he ran three at once). Find out more about these emulators
here: Virtual Apple.
- Sunday's Keynote Speaker: Jello Biafra
Jello Biafra is a political activist from California. His keynote was a solid two hour rant against
the war in Iraq, Resident Bush, corporatism, American media and so on. You should have been there to see it.
Actually the 2600 magazine will publish a video of the talk, so you can get it there.
Needless to say I enjoyed the keynote - but I'm sure that some of his "facts" would not pass
scrutiny and some of his theories were a bit paranoid.
In the end he suggested that "knowledge is power" and we should seek knowledge from outside our
country (i.e. read the Guardian). And vote!!
- Social Engineering Panel: Emanuel Goldstein, Kevin Mitnick, Cheshire Catalyst
If you ever saw the movie Hackers you know that one of the characters is a guy
named Emanuel Goldstein. That character was modelled on the Emanuel Goldstein who participated
on this panel.
The topic of the panel was "social engineering", which I guess is a high-tech term for being a con-man. In
particular these guys talked about how you can get information out of people by just talking
to them. While the discussion was going on, Emanuel Goldstein did a couple of demos by getting
on the phone and pulling some silly pranks. For example, he called a Taco Bell and convinced them to
stop taking orders for 5 minutes, from 9:00PM until 9:05PM, so that a remote software upgrade
could be done.
The other demo included a series of calls to the American Express 800 number to find out the direct dial
number of the call center in India. He got it after speaking to maybe ten different people in Manila, North
Carolina and finally in India.
Another little demo included faking out the caller ID number that shows up on the receiving phone. Although,
they did not reveal their actual methods, they showed how an arbitrary number can show up as the caller ID.
Moral is do not trust caller ID numbers.
Kevin Mitnick described a couple of his social engineering exploits. One included a delivery of a VMS patch tape
that included an additional "Kevin Security Patch", while dressed as a UPS man. His victim eventually installed
the patch, and that gave Mitnick a backdoor into his VAX system.
The NY Times had an article about the conference, but only mentioned Wozniak as a keynote speaker. They didn't
say anything about Mitnick or Biafra.
Wired didn't mention Jello Biafra either.