Tor is a project to build such things.
I predict that in 10 years the Internet will be a wireless mesh network covering the globe, with Onion Routers everywhere.
Naturally, after I post my journal entry, Slashdot publishes this story.
This year, as last time, Christopher (my son) also attended with me. He missed one day because of a previously scheduled birthday party.
All in all, the conference was amazing. Today, just a day after, my head is still spinning from all the ideas, discussions and events. Great fun!
Day 1 - Friday July 9th, 2004
We arrived a bit early - around 8:30AM. Since the program did not start until 10:00AM, we just wandered around midtown and Penn Station. Once we got our badges, we went up to the 18th floor of the Pennsylvania Hotel, where the main presentation rooms were.
The room decorations (see pictures) were all in 1984 theme, with Big Brother watching us. We attended the following talks:
Robert Steele is a former spy. I presume he worked for the CIA, although he does not come right out and say it. He is a former Marine and a current Republican, although he does not appear to like the current President.
The main thesis of his talk was that we (i.e. the US) spend 50 billion dollars a year on keeping secrets and it is all "bull-shit". 80% of what we need to know to keep ourselves safe is known to all (except in Washington).
What we need is "collective intelligence" - a kind of global system to which everyone can contribute relevant information and which can be used to discover dangers (look up "Public Intelligence" on Amazon). At one time he had an epiphany (or, in non-Republican language, an "Aha!") that what we need is "open source intelligence", where everyone contributes. See www.oss.net for a more detailed description of his ideas.
Accordingly, "'central intelligence' is an oxymoron in a distributed world".
He paraphrased Thomas Jefferson: "An educated citizen is the best security". We must all learn more, and especially learn more about the rest of the world.
Today's intelligence problems can be solved, but people in Washington live in a "fool's paradise" and the media goes along. Meanwhile, we the people are not interested.
His final thoughts were: You cannot protect America through secrecy. To change the world you need to participate - so register to vote!
This talk was given by John Draper, the famous Capt'n Crunch from the phone-phreaking days.
So, where does all this SPAM come from:
These are funded hacker labs, allegedly financed by the Russian mafia.
The installed trojans are getting more and more sophisticated. For example, the programs do not run all the time (so they will not show up in nmap scans, as they don't use any ports), but they will "awaken" when a "knock-knock" protocol is used. That is, a connection is attempted on several specific ports in a specified sequence, and only then do they start. Often the victims do not even realize they are sending spam.
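One way a defender can spot the "knock-knock" activation described above in firewall logs, as an added example that is not from John Draper's talk: it assumes an iptables-style log line format, a constructed sample log, and an assumed knock sequence of ports 7000, 8000, 9000 (any sequence and time window can be passed in).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed iptables-style log lines of dropped SYNs (assumed format, not from
# the talk). 203.0.113.7 sends the three knocks within seconds and then connects
# to a port that was closed before; 198.51.100.5 hits two ports minutes apart.
SAMPLE_LOG = """\
Jul  9 21:00:01 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=7000 SYN
Jul  9 21:00:02 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=8000 SYN
Jul  9 21:00:03 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=9000 SYN
Jul  9 21:00:05 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=31337 SYN
Jul  9 21:00:01 gw kernel: IN=eth0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=5000 DPT=7000 SYN
Jul  9 21:03:30 gw kernel: IN=eth0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=5001 DPT=8000 SYN
"""

# Assumed knock sequence to watch for; a real rule would carry the ports observed
# on an infected host.
KNOCK_SEQUENCE = (7000, 8000, 9000)

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*SRC=(?P<src>[\d.]+) .*DPT=(?P<dpt>\d+)"
)


def parse_lines(text):
    """Yield (timestamp, source ip, destination port, raw timestamp string)."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a firewall drop line; ignore it
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog carries no year
        yield ts, m["src"], int(m["dpt"]), m["ts"]


def find_knock_sequences(text, sequence=KNOCK_SEQUENCE, window_s=10):
    """Return [(src, raw timestamp of the final knock)] for every source that hit
    the ports in `sequence`, in order, with no gap longer than window_s seconds.
    Ports outside the sequence are ignored; a gap that is too long restarts
    the match, as does a fresh hit on the first port."""
    per_src = defaultdict(list)
    for ts, src, dpt, raw in parse_lines(text):
        per_src[src].append((ts, dpt, raw))
    hits = []
    for src, events in per_src.items():
        events.sort()
        idx, last = 0, None
        for ts, dpt, raw in events:
            if last is not None and (ts - last).total_seconds() > window_s:
                idx, last = 0, None  # too slow: start over
            if dpt == sequence[idx]:
                idx, last = idx + 1, ts
                if idx == len(sequence):
                    hits.append((src, raw))
                    idx, last = 0, None
            elif dpt == sequence[0]:
                idx, last = 1, ts  # a new first knock restarts the match
    return hits


if __name__ == "__main__":
    print(find_knock_sequences(SAMPLE_LOG))  # [('203.0.113.7', 'Jul  9 21:00:03')]
```

A hit on its own is only a lead; the follow-up is to check what the host did next (here the connection to port 31337 two seconds later) and which process answered.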
The best way to discover who is actually spamming is to "follow the money" - actually order the item being offered and when a charge is made on your card, you can see who made it (you can also claim fraud at your bank and have the charge undone).
You can also follow the shipment trail to discover the originating company and then make sure to boycott them.
Reporting SPAM (to whom?) helps in shutting down infected hosts, but does not root out the main problem.
One cute trick that John Draper uses to see how your addresses are passed around is to create email addresses with a random hash code as part of the address (he can handle these, as he is an ISP) and then see where they show up.
Check out his WebCrunchers. BTW, he was using a Mac laptop for his demos and presentations.
Bruce Schneier is the publisher of an online security newsletter, Cryptome, which is published once a month. I read it fairly regularly. He is also the author of a number of security books, some more technical than others (e.g. Applied Cryptography).
His talk was about his ideas on how security fits into a world of many players with different agendas, and how some things that seem ridiculous to some actually make sense from another point of view. The best part of the talk was his examples.
The basic thesis is that security is a tradeoff. There is a cost associated with each security measure. We, as "security consumers", should be able to decide if the security we are getting is worth the cost. For example, one way to avoid airplane hijackings is to ground all airplanes. Clearly this is not the price we are willing to pay.
We need rational discussion of security tradeoffs, as there is no right answer to a security question. Different people/parties will answer differently.
For example, he described a visit to a big bank in NYC. In the lobby they had an X-ray machine to X-ray all the bags, and one person who intently watched the screen of the machine. Since no one was watching the people, Bruce S. was able to walk through without putting his bag through the machine. It didn't seem like a good security measure. When he described this to the person he saw at the bank (some high-level security VP), he was told that the bank saved 5 million dollars on insurance because they have the machine. So the bank is making money on this deal.
Technology and media do not help in choosing answers to security questions.
So how do we wind up with stuff that is not worth having? It's because "security decisions are made for non-security reasons". Different parties in security decisions have differing agendas (e.g. police want more power, banks want less insurance, etc.).
Another example he discussed was why airlines are happy to check photo IDs as a "security measure". It is because the airlines can prevent people from selling non-refundable tickets (since your name is the ticket).
His final point was that we must accept risk - there is no way to eliminate it. We must also avoid security measures that are too expensive.
Finally, during the Q/A part of the talk, he was asked what country he would want to live in - he said he'll stay in the US (until the election at least) and he told the audience to move to Ohio.
This panel included three victims of corporate attacks and a lawyer from the EFF, Wendy Seltzer. She spoke first about how corporations are using laws like the DMCA to squash competition, or even reporting that exposes defects in their products. The EFF maintains a web site where you can see examples of lawsuits and threats of lawsuits that are happening at present. This website is called Chilling Effects.
The first victim was Dan Morgan, publisher of the "Satellite Watch News" newsletter. This newsletter covered various facets of satellite TV. It published technical information on how the system worked, etc. However, at one point Direct TV decided that the information published there helped people make fake satellite TV cards that could be used to receive programming for free. They decided to sue, and in a short time they closed the newsletter (which had been publishing for over 10 years). Dan's office equipment and his computers were confiscated. He also feels that the lawyer who was going to defend him was intimidated and decided not to fight (this is just an allegation).
The remaining two victims were two college students from Georgia Tech. They "fiddled" with the campus ID card system and discovered several security flaws. They proceeded to write a paper and submitted it to a conference. Before the paper was published, they were sued by the company that makes the system (Blackboard.com) and were not able to present.
They were accused of breaking provisions of the DMCA and several other laws they hadn't heard of before. Although they felt they had done nothing wrong, the fight in a courtroom could cost about $500,000 and there was a chance they might not win (one questionable issue was that they hadn't gotten formal permission from the University to use its system for their testing). They did not have the required resources, so they settled. Part of the settlement agreement is a gag order: they cannot discuss the details of what they discovered and they cannot discuss the details of the settlement.
In the discussion that followed the initial presentation, the guys from Georgia Tech stressed that if you are going to do certain sensitive research, make sure that you document every step and that you get the required permissions to use things that "belong" to others.
One positive aspect of their experience was the removal of Social Security numbers from the student ID cards, even though it's not clear that their paper made the company implement this change. Here is the original Slashdot story.
This presentation was a pleasant change from the previous talk. The speaker, who said law was his hobby, got a corporation - his previous employer (a company called CSF) - to agree that he should run the csx-sucks.com website.
He proceeded by first registering the csx-diversity.com domain and putting up a web site that poked fun at the company. He included some KKK photos, etc. In any case, as expected, he got a cease and desist order. However, the complaint was so poorly written that he was able to exploit it and negotiate with the company.
He was willing to give up csx-diversity.com if the company agreed to let him have csf-sucks.com, which they did.
One of the clever things he did was to condition the gag clause, which would prevent him from talking to anyone about the settlement, on the payment (of $200) that the company owed him for giving up csf-diversity.com. He gave them 30 days to pay. Naturally, getting a check from a large corporation can take much longer, so after 90 days he sent them a letter saying that the "gag clause" was no longer valid, as per the agreement, since his payment was not delivered in 30 days.
Which is how it is that he can discuss the case at the conference, and why you can see the relevant documents and the contract on his website.
Kevin Mitnick is a hacker who in the 80s and 90s broke into a lot of systems (his favorite was VMS) and managed to steal source code to VMS, Solaris and a bunch of other things. He was arrested by the FBI twice. After he got out of prison the first time, he got into further trouble and for a few years was a fugitive, until he was caught again in 199x(??). He spent nearly 5 years in jail, without a bail hearing and without a trial.
He seemed to be caught up in a weird catch-22. In order to prepare his defense, he and his lawyer had to use Kevin's laptop. But he was not allowed to touch any computers in prison (some prosecutors insisted that he could start a nuclear war by whistling into a phone). So, he had to waive his right to a speedy trial so that he could prepare a defense. In the end he and the government settled and he was released.
His talk was basically biographical. He talked about how his first "hack" was when he figured out how to ride buses in L.A. for free. He got blank transfers from the dumpster near the bus depot, and a bus driver told him where to get the right hole punch to punch in the date. Kevin was 12 years old at the time.
Many different stories followed this one. He got an A+ in his high school computer class for writing a program to steal passwords. He was an early phone-phreak, who could make calls on a rotary phone by tapping on the microphone.
He could be described as a "master social engineer" (i.e. a really good con-man). It's amazing what he could talk people into doing.
Anyways, the room where he was speaking was packed. We arrived a bit late and had to stand.
While at the conference I bought a documentary about Kevin's case called "Freedom Downtime". I also got one of his books - called "The Art Of Deception".
By the time the keynote was done it was nearly 6 o'clock and we were pretty tired. We didn't stick around for the questions and answers.
Day 2 - Saturday July 10th, 2004
Met Paul B. for breakfast (hi, Paul, thanks!).
This was one of the more technical talks I attended. The speaker proposed a different solution to sensitive data being held in databases. The traditional approach to database security is to build a "fortress", allowing only a limited number of people access. However, outsiders can still penetrate the fortress (and making the fortress less penetrable gets expensive), or insiders take advantage of the info they gain access to.
Even data that is not apparently sensitive can cause problems. The speaker talked about a particularly expensive brand of stereo that was stolen from his car (not a very fancy mini-van). He discovered that the same night, the same kind of stereo was stolen from his neighbor's car, while other cars on his block (some much more expensive) were left untouched. He realized that someone had gained access to the database that holds the purchase information for that particular stereo brand and knew whom to target.
What is the solution then? The solution is to invert the problem. Rather than trying to secure the database, make the data in the database useless to people who are not supposed to see it. He calls this approach a translucent database, and he has written a book about it.
Basically, the idea is to use a one-way function to encrypt the interesting data. The values computed by these functions can be used as keys, but will be useless to anyone who doesn't hold the key. One of the first translucent databases was the "/etc/passwd" file on Unix. Anyone can read it, but you cannot find the password, as it has been run through a one-way function.
The rest of the talk went into more detail on how certain types of systems could be implemented to preserve the privacy of the owner of the data, while allowing the normal operations that people may want to do. One example was a library system that keeps track of the value of the books you took out, but does not have the information about the titles that you borrowed.
The idea is pretty intriguing and I'll probably wind up getting his book.
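The library system mentioned above, worked through as an added example that is not from the talk or the book: a keyed one-way function (HMAC-SHA256 with a key that the library front end keeps out of the database, an assumption of this example) turns a card number into the row key, and the table holds nothing but the value of books out. The key matters because card numbers are short, and a plain hash of every possible number could be precomputed and matched against a stolen copy of the table.

```python
import hashlib
import hmac

# Constructed key for this example (an assumption): it lives only in the
# library's front end, so a copy of the table by itself is useless.
FRONT_END_KEY = b"demo-key-replace-in-production"


def patron_token(card_number: str) -> str:
    """Keyed one-way function: card number -> 64 hex characters.

    HMAC rather than a bare hash, because card numbers are short and a plain
    SHA-256 of each possible number could be precomputed and matched."""
    return hmac.new(FRONT_END_KEY, card_number.encode(), hashlib.sha256).hexdigest()


class TranslucentLoans:
    """One table: patron_token -> total value of books currently out.

    No names, card numbers or titles are stored, yet the library can still
    answer "how much does this patron have out?" for a patron at the desk."""

    def __init__(self) -> None:
        self.rows: dict[str, float] = {}

    def check_out(self, card_number: str, book_value: float) -> None:
        tok = patron_token(card_number)
        self.rows[tok] = self.rows.get(tok, 0.0) + book_value

    def check_in(self, card_number: str, book_value: float) -> None:
        tok = patron_token(card_number)
        self.rows[tok] = max(0.0, self.rows.get(tok, 0.0) - book_value)

    def value_out(self, card_number: str) -> float:
        """Only someone who presents the card number gets a meaningful answer."""
        return self.rows.get(patron_token(card_number), 0.0)

    def dump(self) -> dict[str, float]:
        """What an intruder or a curious insider sees after copying the table."""
        return dict(self.rows)


def match_rows_without_key(dump: dict[str, float], candidates) -> list[str]:
    """Try to tie rows back to card numbers using an unkeyed SHA-256 of each
    candidate, which is all someone without FRONT_END_KEY can compute.
    Returns the candidates that matched a row: none, for a keyed token."""
    return [c for c in candidates if hashlib.sha256(c.encode()).hexdigest() in dump]


def demo() -> tuple[float, float, list[str]]:
    db = TranslucentLoans()
    db.check_out("1001", 25.0)  # constructed patrons and book values
    db.check_out("1001", 40.0)
    db.check_out("2002", 12.5)
    db.check_in("1001", 25.0)
    leaked = db.dump()
    matched = match_rows_without_key(leaked, [str(n) for n in range(1000, 3000)])
    return db.value_out("1001"), db.value_out("2002"), matched


if __name__ == "__main__":
    print(demo())  # (40.0, 12.5, [])
```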
This was a panel discussion about the media and propaganda. Here are a couple of links:
Random quotes I wrote down:
There was one poignant moment during the Q-and-A session, when a Chinese man came to a mike and said that we should be grateful we can complain about propaganda and speak up. In China we'd all be arrested.
Steven Wozniak's keynote was the highlight of the conference. He talked about his life, his high school hobbies (designing computers) and phone-phreaking with his friend Steve Jobs (who wanted to sell everything Woz designed).
He told us how he didn't want to leave HP to join Apple, until he was told that he could remain an engineer forever. He told us about the first "dial-a-joke" he ran in Cupertino and lots of other funny stories.
There was an odd parallel between his life and that of Kevin Mitnick. They were both interested in computers, networks and telephone systems. They both met Capt'n Crunch and were into phone-phreaking. Yet, look how differently their lives turned out.
Woz talked about sneaking into the SLAC library on weekends to read up on specs for new computers or to look up technical details on the phone system, so that he could design his blue boxes.
It was a pleasure listening to him. You should have come...
Day 3 - Sunday July 11, 2004
This panel consisted of three short presentations by three art/hacktivism groups, with a short question and answer period.
These guys build robots (or autonomous vehicles) for activist purposes. They are trying to move robotics research in directions other than DARPA's. DARPA's work is based on the belief that people are weak in combat, but that a few people controlling a lot of robots can fight better.
So, as a response, the group developed a graffiti-drawing robot - to avoid being arrested! When they first used their robot on the steps of the Capitol in Washington, they did not get arrested, and the police were actually impressed with the robot.
They built a somewhat larger version of the graffiti writer and took it to the DARPA Challenge (the autonomous vehicle contest). They pretended to be a regular entrant. But when their robot started the race, it drew Asimov's First Law of Robotics on the race track: "A robot will never harm a human being".
"The Yes Men", according to the speaker, is a collaboration of activists, social engineers and idiots. It all started with their website gatt.org, which someone mistook for a WTO web site, and invited a representative to go to an economic conference in Salzburg, Austria. Naturally, they accepted and sent someone to present some fake and outrageous stuff (e.g. a proposal to reduce the cost of elections by letting people auction their votes off to the highest bidder).
They filmed the entire expedition and eventually it will be released as a documentary. See their website.
The representative of this group could not present, as he is fighting bio-terrorism charges (that is, he has been accused of bio-terrorism).
This group was setting up presentations at various museums to educate people about the genetic engineering of plants and animals. One of their exhibits included petri dishes with several strains of common bacteria to demonstrate what bio-tech companies do.
You can find out more about their case at CAE Defense Fund.
This panel turned out to be a little boring. Richard Cheshire and Woz talked about the old computers they worked on. R. Cheshire talked about the IMSAI 8080 and how it had to be booted by toggling in the bootloader by hand via the front panel switches.
Woz talked about designing and building the Apple I and Apple II. He said that it was great fun to be able to develop the software and hardware at the same time. He talked about writing the first Breakout in Apple Basic and being blown away at how short the code was. Until then such things were done in hardware.
The last speaker talked about the future of retro-computing and demoed an Apple II emulator running on his laptop (in fact he ran three at once). Find out more about these emulators here: Virtual Apple.
Jello Biafra is a political activist from California. His keynote was a solid two-hour rant against the war in Iraq, Resident Bush, corporatism, American media and so on. You should have been there to see it. Actually, 2600 magazine will publish a video of the talk, so you can get it there.
Needless to say I enjoyed the keynote - but I'm sure that some of his "facts" would not pass scrutiny and some of his theories were a bit paranoid.
In the end he suggested that "knowledge is power" and we should seek knowledge from outside our country (i.e. read the Guardian). And vote!!
If you ever saw the movie Hackers you know that one of the characters is a guy named Emanuel Goldstein. That character was modelled on the Emanuel Goldstein who participated on this panel.
The topic of the panel was "social engineering", which I guess is a high-tech term for being a con-man. In particular these guys talked about how you can get information out of people by just talking to them. While the discussion was going on, Emanuel Goldstein did a couple of demos by getting on the phone and pulling some silly pranks. For example, he called a Taco Bell and convinced them to stop taking orders for 5 minutes, from 9:00PM until 9:05PM, so that a remote software upgrade could be done.
The other demo included a series of calls to the American Express 800 number to find out the direct dial number of the call center in India. He got it after speaking to maybe ten different people in Manila, North Carolina and finally in India.
Another little demo included faking the caller ID number that shows up on the receiving phone. Although they did not reveal their actual methods, they showed how an arbitrary number can show up as the caller ID. The moral is: do not trust caller ID numbers.
Kevin Mitnick described a couple of his social engineering exploits. One included delivering, dressed as a UPS man, a VMS patch tape that included an additional "Kevin Security Patch". His victim eventually installed the patch, and that gave Mitnick a backdoor into his VAX system.
If you go to the 2600 Magazine website you should be able to order VCDs of the talks from the conference - eventually.
The NY Times had an article about the conference, but only mentioned Wozniak as a keynote speaker. They didn't say anything about Mitnick or Biafra.
Wired had two articles:
Wired didn't mention Jello Biafra either.
On the final day, Sunday, we went to see these talks:
I took a lot of notes and some pictures on the last day. I'm planning to write a longer summary of all this to post here.
All in all an amazing weekend.
In the next few days I'll try to fill in the details of each - I took a lot of notes, but I'm too tired right now.
Tomorrow I'm going to see Steve Wozniak.
I think I should keep quiet more.
Instead I got a new Fujitsu S-Lifebook. This is a really nice laptop. Red Hat 8.0 installed with no problems (it's dual boot with Windows XP and RH). I need to do a nice web page describing what I've done and tested so far - there are no S-Lifebook pages on Linux on Laptops for this model.
Now these newest laptops use ACPI power management, instead of the older APM. To get ACPI working I had to patch the kernel (I got 2.4.20, patched and recompiled it). Now I have most of the ACPI devices, except for "thermal_zone" and "fan". For some reason these devices do not get set up properly.
So, I started reading through the "Linux Device Drivers" book and I'm reading the ACPI code to see if I can figure this out.
The possession of a book becomes a substitute for reading it. -- Anthony Burgess