H2K2 Wrapup 138
The conference took up the 18th floor of the Hotel Pennsylvania[1], with the second floor being devoted to network operations/music/gawking at the old computers. Unlike the last conference, both major session tracks were on the same floor, preventing the logjams that occurred in 2000 when hundreds of people decided to use the elevators every hour between sessions. Lesson learned for future conference organizers: don't split your major crowd-drawing events between floors if you can possibly help it.
Siva Vaidhyanathan was the first keynote speaker. He described the internet as a cynical technology -- a technology which promotes seeing things as they are, not veiled by smokescreen or corporate PR -- and noted the attacks on cynical technologies since Sept. 11, tying that in to the copyright wars with Valenti, the DMCA, WIPO, and so on. It was good, well-reasoned speech, but honestly, Slashdot readers have heard it before so I'm not going to spend much time on it.
Andy Mueller-Maguhn (probably best known to U.S. readers as the European At-Large ICANN representative) and Paul Garrin of Name.space gave a talk about ICANN and the DNS. Mueller-Maguhn described the attendance at ICANN's Montevideo meeting: about 450 people overall, of which 320 were representatives of the Intellectual Property community (RIAA, MPAA, many others), 100 or so from the world's various governments, and even a few technical people. He drove home the fact that the IP people have the funds and personnel to participate in these meetings, and that few other organizations do. Mueller-Maguhn was critical of the recent decisions by various U.S. civil liberties groups to stop trying to affect ICANN (nothing they've done has had any effect) and to start working on the U.S. Commerce department to cause change in the DNS -- Mueller-Maguhn prefers to work within the system, even when his efforts bear no fruit. Garrin talked briefly about Name.space's efforts to provide a free-speech alternative to the current DNS system.
Goldstein and Macki of 2600, and Robin Gross of the EFF, discussed the DeCSS case. Again, this a topic thoroughly covered on Slashdot, so I see no need to recap the talk. They noted that Jon Johansen is still facing charges in Norway, and that the EFF is still interesting in overturning various provisions of the DMCA, so if you have a situation that might represent a good test case, please contact them.
The next day, Eric Grimm and Robin Gross did a presentation on the DMCA, almost a continuation of the DeCSS presentation. Notice and takedown, ReplayTV, the Eldred and Golan lawsuits against the most recent copyright extensions; Slashdot covers these pretty well.
This was followed by journalist Declan McCullagh and cryptographer Matt Blaze, with a talk titled "Educating Lawmakers: is it possible?". McCullagh told his favorite anecdotes about Congressional stupidity, while Blaze described his interactions with the NSA during the dark days of crypto prohibition. Blaze described his work on the Clipper chip, which may be before the time of some Slashdot readers: in a nutshell, the U.S. government decided that they would promote a cryptographic solution which had a Federal backdoor, allowing users to secure their secrets against anyone but the government. Blaze expressed interest in it, and was invited to visit Ft. Meade, where he was given a sample Clipper chip by NSA techies -- except they weren't sure if he would allowed to take it out of the facility. The techies gave him a brown paper bag to carry out the sample -- a burn bag for *classified* materials. Which he successfully carried out, with Clipper chip inside. Blaze discovered major flaws in Clipper's backdoor, which would have allowed anyone to gain access through it, and which eventually helped torpedo the Clipper plan. (Of course, Microsoft's Palladium plan will accomplish much the same purpose: just as the Federal government had final control over the design of Clipper, Microsoft will have final control of your PC, making government wiretapping trivial, so saying "key escrow is dead" is not even close to true.) Blaze concluded by describing his testimony before the Senate Intelligence Committee: he noted that when he consulted with other witnesses after the testimony, each of them had independently decided to liberate one of the stationery notepads provided in the hearing chamber for a souvenir, and "one of us got the gavel".
Aaron McGruder gave a very interesting speech. I had barely heard of him before (not a Boondocks reader, sorry), so I wasn't sure what to expect. McGruder covered his experiences getting into cartooning, and described getting his thoughts into a few hundred newspapers daily as a "hack," which I suppose it is. His speech was mostly about his cartooning and recent politics -- suffice it to say that he isn't a fan of Bush and the current corporate government.
Philip Kaplan, best known for fuckedcompany.com, talked about the secrets of making money on the net. His secret is basically: when you scratch an itch for yourself, scratch it for others as well, since probably thousands of people worldwide have the same itch you do. He also described some of the trials and tribulations of running his dot-com deadpool site, the inevitable legal hassles, etc.
Jello Biafra wasn't originally scheduled to speak, but happened to be in town. His address last time with the refrain of "Become the media" brought the house down, and he gave a late-night wide-ranging ramble working from handwritten notes which again proved to be quite popular. The talk centered mainly on music, with a secondary helping of politics, touching on his legal troubles with the rest of his former band, current developments in digital music, and ad-busting counter-culture efforts (he was following Mark Hosler of Negativland). Biafra came prepared with some old vinyl albums of corporate morale-boosting and sales songs -- imagine songs composed at corporate retreats and sung by miscellaneous employees, extolling the joys of using company X's products, or a song about the joys of being a Ford employee's wife who (of course) stays home to cook him dinner and bring his slippers when he comes home after a hard day at work. Hilarious stuff.
On Sunday, Maximilian Dornseif gave a talk about digital demonstrations. Obstructive demonstrations and sit-ins are more popular in Europe than in the U.S., and they are branching out into digital versions, electronic sit-ins that attempt to slow down or DDOS targeted websites for political ends. Dornseif described several previous attempts: programs distributed to automatically reload a targeted website, for instance. Some of them were quite sophisticated, including one with smart date-checking to make sure it was used only during the designated protest time. Dornseif described his ideals for an electronic protest, to make it as similar as possible to a real-world one: persons involved should be identifiable, outside observers should be able to know the goal of the protest, etc. Overall, an electronic protest should have strong parallels to physical protests, so that if the judicial system examines the legality of what you are doing, the judge is tempted to find it a legitimate protest rather than an illegitimate attack by cyber-criminals. Dornseif suggested making "slow" connections to HTTP servers ("G" sleep 10 "E" sleep 10 "T" sleep 10 ...), as well as "accept flooding" -- completing the TCP handshake, but not actually making any HTTP request -- these are "slow" versions of regular connections, which make effective DOS's, but also mimic regular users and might find acceptance in the courts as part of a planned protest.
Finally we come to some of the most interesting presentations. The lockpicking presentation, by Barry "The Key" Wels and Mike Glasser, was given to an utterly packed room. Wels and Glasser described many common and uncommon types of locks, and proceeded to pick them with great success. Those combination Master locks that are so popular on high school lockers? Takes one second to open any of those with the proper tool, a bent piece of metal that allows the shackle to simply pop out. You might want to invest in better protection for your varsity jacket. Thought your bicycle U-bolt lock was too strong to cut? It only takes ten seconds to pick it with the right tool, a circular pick that mimics any key. This might help explain the two bicycles I've had stolen in New York City. Normal house deadbolts? Maybe 30 seconds. They covered an assortment of high-security locks, such as ones with side dimple keys instead of teeth, 3 or 4-edged keys, disk keys, locks with magnetic pins, and so on. It was a remarkable presentation, and Mr. Wels especially represents a true hacker in every good sense of the word. He suggested starting at locktools.nl or security.nl or lockpicking.org if you'd like to try your hand.
Douglas Rushkoff was next with a wide-ranging speech about the true role of hackers in modern society. I probably can't do justice to his argument - read through his website, which has a lot of various essays and articles, if you want to get a sense of it -- but essentially he made a very Matrix-like argument about hackers, storytellers, the media, and empowerment. Starting from a premise that stories control reality (as an example he used the Ewoks in Star Wars, who were convinced to die for the Rebellion by the stories told to them by C3PO), he said that recently we have been empowered to alter and participate in our own stories (empowerment through devices such as the joystick, remote control and computer keyboard, each of which allows us to control our experiences), but this time is now ending. We are currently in a Golden Age of interactivity, where most of the attackers that attempted to control computing and the internet in round 1 have been beat down (the dot-com bust), but they're coming back, and hackers are the only ones who have the ability to see through the veils (computer GUIs and the like) that blind us to true reality. Very fun to listen to, and way too full of information to summarize effectively. I'll leave you with one memorable analogy -- Rushkoff said business and government were like bacteria and fungus, they have to stay in balance and if you suppress one of them the other one grows out of control. Not a bad analogy at all considering the times we live in.
Eric Blossom gave another fascinating presentation about GNU radio, whose goal is to develop a Free software-defined radio system that runs on commodity hardware. Software-defined radios are a tremendous concept which are going to cause revolution when they are deployed. Think about a PC or other electronic device that has complete access to every bit of information in every radio-frequency wave passing through it, in constant wireless communications with any nearby similar device. Maybe if the devices are close, they adopt a high-frequency unlicensed band to communicate, if they're farther apart they pick a lower frequency ... Slashdot gets a lot of Ask Slashdot questions which say roughly "What open source software project should I work on?" or "I know I like computers, what should I do in college?" We delete most of them. Here is the answer for everyone who asks those questions: software-defined radio. Trust me. It's going to be big. The GNU radio people are concentrating mainly on television applications right now, because the tuners and such are readily available, and they have a lot of pieces which each work but still have a lot of work to do to create a turnkey system.
Ryan Lackey and Avi Freedman talked about the past, present and future of Sealand. We've covered this pretty extensively on Slashdot. Havenco is doing acceptably well, with their only significant problem being that the major European ISPs keep going bankrupt. They hinted that they are planning to do more things to promote free speech in the very near future - they already run an anonymous remailer and host a copy of DeCSS. An offhand comment by Freedman gave me a very good idea of what they're planning, but I'm not going to spoil their surprise by mentioning it here.
And finally, the time-honored Social Engineering panel. Again, the largest conference room available was packed with attendees. After a few funny stories about legendary hacks, Goldstein read the AT&T memo and noted, "If that's not an invitation I don't know what is." Coincidentally or not, the two lines which Verizon had installed in the conference room were mysteriously unable to dial long distance numbers or AT&T, though they had been able to yesterday. (Um, the phone companies are slow but they're not stupid - when a conference of phone hackers wants phone lines installed, it has to set off a few alarm bells somewhere.) When Goldstein eventually got an AT&T operator, she was suspicious and refused to assist him - obviously she had read the memo. :) Goldstein decided to hit easier targets, and starting paging through the phone book, eventually settling on a Starbucks outlet. He was able to get a Starbucks employee to provide him with customers' credit card information, without much difficulty. If you used an American Express card to make a $3.57 purchase at a Manhattan Starbucks on Sunday morning, you might want to check your next statement (although the A/V crew kept the card number from being heard by the crowd). Next up was the Russian Tea Room, a high-class restaurant in Manhattan, where Goldstein had no difficulty in changing some poor woman's reservations and getting her phone number, then calling her and notifying her of the changed reservations, due to a "health inspection". He said he'd call and change them back to the original time, showing the hacker's spirit: inquisitiveness without destructiveness.
Overall, I had a great time at the conference, and so did a couple of non-computer geeks that I dragged along with me. I'm looking forward to H2K4 already.
[1] That's the third time I've linked to that Dave Barry piece, and it's still funny.
Reader lokii202 takes a look at the Social Engineering presentation: lokii202 writes "I attended the Social Engineering panel discussion today at the H.O.P.E. conference, and thought it might be nice to follow up on the previous article about AT&T's Hacker Warning memo. The AT&T security number was tried and the attempt failed, although one of the members of the large crowd in attendence offered up an AT&T HRID number. The operator got suspicious and shut us down.
However, no fair 'cause they were ready for it. Starbucks, to our enjoyment, had no such warning memo circulating, and here are the results...
Our panelist made a call over a standard phone line to a Starbuck's store using a calling card. Asked the underling if they were having network problems. Underling, following the standard underling procedure, got the Assistant Manager. AM told us that yes, they were having problems with the credit card system. Oops. Within about 5 minutes he was reading off transaction times, dates, and more chillingly an American Express card number and expiration date. Our panelist stopped the guy before he exposed the whole number (the phone was hooked into a P.A. system for the conference and the experiment). The point was made very clearly.
Next, our guy called up the Russian Tea Room, which is a pretty classy joint in NYC, and posed as the flustered husband who needed to change dinner reservations for this evening. He had no names, no prior knowledge, etc. He managed to get some poor guys' reservations changed to 9pm and also got the guy's cell number. Next, he called the guy and posed as a Russian Tea Room host and apologized that his reservations were changed to 9pm, due to a health department inspection.
That was kinda funny.
High tech gizmos and uber-gear might get one pretty far, but when you come down to it security starts with the user. This demonstration, and others like it at H2K2, made it embarassingly apparent that to obtain sensitive data one only needs a little ingenuity and some acting skills."
Reader weave takes a look at the whole conference (this may seem repetitive, but it's good to look at things through others' eyes...) He writes "H2K2 (or HOPE 2002 or Hackers On Planet Earth 2002) was held this past weekend in New York City at the Hotel Pennsylvania. I've been to previous HOPE conferences and this one was much better than ones in the past, but it still had a few problems.
Aaron McGruder, the creator of Boondocks comic strip was keynote. Jello Biafra makes a repeat appearance as well as some other past favorites, such as the "former spy" Robert Steele, as well as some surprise guests such as former Taliban fighter, Aukai Collins.
This is my personal review of h2k2. There were so many things happening at once that one person can't obviously see it all. This is based on what I saw, experienced, felt, and my personal opinions.
Keynote Speaker: Aaron MgGruder, author of Boondocks, spoke on Saturday. This was my favorite speaker and worth the price of admission. He was invited because he did a short sequence of strips covering the DeCSS subject and, as Emmanuel Goldstein said, "the only person in popular media to get it right." Aaron was very articulate, intelligent, and of course, opinionated. What I liked most about him was his admitting that he does not know it all. He made fun of political experts who sit around and debate political topics based on what they are spoon fed by popular media. He says there is not much difference between us and people who live in censored countries except they KNOW they aren't getting the full story. We all think we are smart and know it all. His advice to people who love to rant about political topics, "Shut the hell up, you don't know anything."
McGruder thinks our society is falling apart and the only thing that can fix it is revolution. He has hope, but not much. He spoke about Bush's line that countries that hurt American are going to have to pay, which means we kill a bunch of their innocent civilians so they get to claim that we will then have to pay, where they kill a bunch of us. McGruder's solution is that people should just go kill the leaders of these nations. He then back-pedaled (remembering the place was probably full of feds) and disclaimed that he wasn't advocating that anyone go out and shoot Bush (who he has no love for). He reminded us that if Bush was killed, we'd be left with Cheney, who is far far worse in his opinion. "If Cheney was President, Afghanistan and Iraq would be glass, and we may give the neighboring countries 30 minutes of warning to get away from the borders."
Jello Biafra: Jello was keynote at H2K in 2000 and returned this year to speak late Saturday night. He was well loved by most people there, based on the reactions I saw that night. I didn't like him. He reminded me of Rush Limbaugh except on the left side. Loads of rhetoric, wild claims, and positioning himself as an expert. He was supposed to speak for one hour, and then the film "Freedom Downtime" was to be shown. He rambled on for two and a half hours, then took his shoe off and asked for donations for his legal defense fund involving his former record label. People flocked up and stuffed it full of money as he started to spin records. At this point it was 12:30am and I gave up and went to my room and and got some sleep.
Robert Steele : Former spy, and backer of a concept called "Open Source Intelligence" where countries share intelligence information freely with each other and their citizens. His speech on Hacking National Intelligence was, to me, frightening. He claims that 9/11 involved a serious failure of our intelligence network and Washington is trying to whitewash it all. He also claims that he has no doubt at all that New York City will be the target of another terrorist attack soon. "When foreigners think of the U.S. they think of New York City. It is the center of capitalism." He is an excellent speaker. I hope he returns next time.
During his talk, he introduced Aukai Collins who told us of his experiences fighting for bin Laden (during the 90s when we were paying bin Laden's salary and he allegedly was a good guy). When the embassy bombings started to occur, he went to the CIA and offered himself as an intelligence source. He worked for them and the FBI a few years and during that time was invited by bin Laden's runners to come work closely with him. When he bought this opportunity to get close to bin Laden to his superiors, they told him not to go. He feels we lost probably our only opportunity to get one of our guys close to bin Laden. He has written a book on this called My Jihad.
If this so far sounds like h2k2 was more politics than tech, I got the same impression. I skipped out on most of the DMCA updates and other legal updates. They were hosted by members of EFF and their lawyers. The small bits I saw sounded very informative and I applaud their works in these areas. Since I've kept up on all the news on these cases, I decided to skip these forums.
The best of the tech presentations was Fun with 802.11b hosted by Dragorn, Porkchop, and StAtic FuSIOn. (I sometimes hate silly handles). During the days before h2k2, they mapped out over 400 open wireless networks accessible from within three blocks of the hotel in midtown Manhattan. They demonstrated passive snoopers like kismet and showed us different directional high-gain antennas. Their recommendation for a good PCMCIA 802.11b card was Cisco's 352, which I of course didn't have. I ran out and bought an SMC card for my company laptop before the conference and had a tech load Linux on my laptop. I told him he could pick the distro of his choice, but unfortunately he picked the one I'm least familiar with, Slackware. I could not get the damn card working for the life of me. I wanted to scream.
A big disappointment was the Cult of the Dead Cow Extravaganza . It was to be held down on the lower level in the network room and broadcast up to the conference rooms on the 18th floor. Well, it didn't work. I was upstairs and they mucked with the equipment for an hour trying to get a a/v feed going. After all this time of wondering whether we should fight our way downstairs to watch it in person, we got an announcement. "Sorry, but we can't get it to work. Oh, by the way, they have already started downstairs."
Urge to kill. My friend and I wondered how they screwed this one up and traced the wires to a display table and behind a closed stairwell door. We looked at each other and said "Nooo". We popped into a neighboring stairwell as everyone fought for the elevators. We went down one floor then popped over to the stairwell that we saw the wires going down. Sure enough, they had run the wires down the open portion of the stairs so they were hanging by their own weight for a distance of about 22 floors (the hotel has 18 number floors, about 4 lettered floors like A, B, C, D, a mezzanine floor, and lobby floor). I'm not sure what the stress would be introduced by a cable hanging by its own weight for that kind of distance, but I bet the center copper core couldn't bear it and broke inside.
So we run downstairs and saw some talented but unwanted female singing about how great the CDC was. Then someone else got up and swung a black briefcase looking device around. Had no idea what it was because we couldn't understand squat in the back. Basically we said to hell with them all, and left.
So while the presentations were hit and miss, the overall best part of the conference were the attendees. Freaks, geeks, and misfits everywhere, all being good to each other, curious, intelligent, and sometimes a bit too paranoid. Of course it was mostly guys, but there were women as well as one person who had a male voice but noticeable breasts and a feminine face and shape. Many other guys dressed up a bit too flamboyant for my tastes as well. My point being, everyone was accepted for who they are and all got along great together. I didn't meet a single person who I talked to who was rude, or unwilling to strike up a conversation. The network room had wired and wireless internet access and was open 24 hours a day and the source for some of the most fun at the conference. But by all means, the best part of h2k2 was the attendees and they are the reason why I will want to go again in the future."
cDc Talk (Score:3, Funny)
Caldor Story from SE panel (Score:5, Funny)
While the phones were being set up for the AT&T attempt, Emmanuel (?) was talking about a voicemail system for the Caldor retail stores in the Northeastern US being protected by a very obvious four digit pin (the first four letters of Caldor). Using this, they could gain access to the PA system of almost any store.
Aside from the obvious hi-jinks of putting random things on sale and playing music (which, BTW, the employees would run all over, thinking it was coming from a phone on the sales floor), they would dial in when the night crew was stocking. Imagine hearing "I'm still in the store" when working late at night....
Summary of Events (Score:5, Funny)