All that is wrong with the world…

February 7, 2011

The Next Hope and DEFCON 18 – Part 2

Filed under: Security, Tech, Travel — allthatiswrong @ 6:25 pm

DEFCON 18

I was really really looking forward to DEFCON. This was the hacking conference. The HOPE conference was somewhat known to me, but DEFCON was the main one I had been looking forward to and the whole reason I bothered to go to Las Vegas. I was somewhat disappointed with how HOPE turned out and was expecting a lot more from DEFCON and had even been told by a few people at HOPE that DEFCON was indeed the more technical/sophisticated conference. While it was certainly an interesting experience it was still disappointing for much of the same reasons as I was disappointed with HOPE.

Thursday

After 8 hours of travel and getting in at about midnight I caught a taxi from the airport just to Decatur and Tropicana. A major intersection and not far away, and yet it cost $50. The taxi driver didn’t rip me off as taxis have premium prices especially from the airport late at night. I have no idea why they feel entitled to collect a tip.

I arrived at my host’s house and we got acquainted and talked for a bit until it was about 2am. I only got about 4 hours of sleep. Even so I woke up and then raced to the Riviera after catching the stupidly priced deuce bus. I got to the hotel in time but could not find the lobby for the shootout…I finally found it, and managed to catch a ride with a group heading to the shoot. These were the first people I’d met from DEFCON, which was interesting. It was interesting to note the difference between most DEFCON people I saw that morning and most of the people I had seen at HOPE. The guys at DEFCON seemed a whole lot more showy…Mohawks or at least hair dye, military style fashions. Everything screamed hacker wannabe. I did see one woman with what anyone would interpret to be a Tetris tattoo, but it was apparently pixels. If you get a tattoo that looks like Tetris but isn’t Tetris you can’t really be upset when people think it is Tetris.

After a conversationless ride to the shoot we had arrived. After a short safety talk we were free to shoot guns. I’d shot guns the last time I was in Las Vegas, a Desert Eagle and an AK-47, which was fun. This time everybody had brought their guns to the shoot and there was a wide variety of guns to shoot. I think I shot various semi-automatic and automatic shotguns, rifles and pistols. Probably the most interesting was a gun that looked like a sniper rifle and had a scope, but was apparently not. It was quite fun to take out oranges at 100 feet or so with a single shot and see them explode.

The pricing was interesting…some people were offering guns completely for free while others were charging at various prices. I shot a lot of AC’s guns, staying close to him for no particular reason, and it wasn’t until the end that I found Joshua, who let me shoot quite a lot of guns for free. Considering how broke I was that really ensured I had a great time…Awesome! Joshua and a few others also provided many free drinks for anyone to take, which I thought was amazing…considering how broke I was it was absolutely fantastic. I went back with one of the guys who had been letting me shoot his guns and helped pack up…I could only afford to give him $20 when it should have probably been $30 or $40 based on his prices…but since I helped him pack up I can’t feel too bad.

After helping him pack up I decided to walk from the Riviera to New York New York to catch the bus home. The bus that runs up and down the strip is ridiculously expensive and not often faster than walking. What I had not expected was the tan I received. For being out in Red Rock for 3 hours or so then a walk home I was firmly bronzed and not in the least bit burned (or if at all very slightly…no peeling), which was nice.

I had to borrow money to make sure I had enough for the conference, and after my taxi rides to and from airports I was quite short. A friend of mine lent me some money and put it in my bank account…it was when I went back on Thursday night to get the badge that I realized my ATM card had expired. A friend drove me to the hotel and was circling around…she would have lent me the money I was short, but by the time she came back around the registration had closed. I rushed home and managed to transfer it to my card in time so I could withdraw it the next morning.

Friday

On Friday I got to the registration desk early enough, but there was still a line. It progressed fast enough given the length however, so it wasn’t too annoying. What I thought was strange was that they ran out of lanyards and guidebooks, although I was lucky enough to get one of the last electronic badges. I can understand running out of electronic badges, but why would you make fewer lanyards than badges? That just seems like a poor design decision. This badge seemed interesting as well, although it seemed to do less at first glance. It had a small LCD screen that could be interacted with, which was mainly used by people trying to unlock a code to get access to the Ninja Party.

I decided to take my push scooter to get to the Riviera, partly to see how long it would take and partly because I am always interested in people’s reactions to me riding it. The scooter worked OK and it took me about 30 minutes to get to the strip and then 30 minutes to get down it. Not a much greater time difference when buses are factored in, but without the cost and with the benefit of exercise. The only negative thing was having to lug it around all day, but luckily I was able to leave it with the bellman and pick it up whenever I liked. This was awesome since I was not staying at the hotel, and came in handy when I wanted to use the pool later.

The Keynote which was marked as Top Secret and had a lot of people curious turned out to be something quite mundane, “Perspectives on Cyber Security and Cyber Warfare” which was basically just a summary and some speculation. Surely the Powershell or WPA Too talks would have been more fitting for a Keynote?

I just kind of wandered around for a bit after this, checking out the pool and various sections like CTF and such or trying to socialize with people in the smoking area, where I met a few cool people. The next talk I saw “Build a Lie Detector/Beat a Lie Detector” had a strange rap introduction that seemed out of place and was to hear the lyrics to. It then became essentially a history of the lie detector and a bit on why the machines were easy to fool. So very very basic….and seemed quite short only going for half an hour. Why was a talk like this given at DEFCON 18?

The next talk I saw was “The Law of Laptop Search and Seizure”. This talk seemed to just be highlighting the fact that you have no say in customs searching through your laptop when entering a country. It is an interesting issue and I would have been interested to hear possible solutions rather than just a summary.

I then saw “Air Traffic Control Insecurity 2.0”, which I had thought would be about exposing problems with the networks they were on. For instance, were any connected to the internet? Instead the talk highlighted that there were some security problems such as a lack of encryption, but given that they are on a closed network that you need authorization to access, it isn’t really a problem. Riiight. Then the talk was about the information that some planes broadcast and potential ways this could be abused, which was interesting to speculate about but not a risk practically.

At this point I was extremely sweaty and had to go home to change. Coming back on the scooter was a different experience, as it was very hard to go down the strip with crowds…and I’m pretty sure one person threw ice at me from a balcony. It was much hotter then as well, making it far less appealing. I underestimated the time it took to go home and come back, and didn’t get back to the conference until about 18:00. This was annoying as I had really wanted to see the Evilgrade and Driversploit talks. Although given that the Evilgrade talk was only 30 minutes long I think I got most of it from the slides.

It seems that many of the videos of the talks or at least audio are available on the DEFCON 18 Archive page, which is cool. Perhaps this is why people don’t care about talks so much except for the very few that are significant, as they can always catch up later. I think this is my lesson learned if I attend next year…I will just focus on CTF and various activities.

I went and saw the talk “Getting Root: Remote Viewing, Non-local Consciousness, Big Picture Hacking, and Knowing Who You Are”, although as it turned out to be spiritual crap, I left. I don’t think I even went as far as getting a seat….I just wanted to see a talk and it seemed more interesting than whatever Kaminsky was rambling on about…or did I?

I didn’t see any more talks that day, mainly as the two or three left didn’t seem appealing, although I kind of wish I had seen the Internet Wars panel given that the other panels I saw were all quite entertaining. I thought I would check out the pool…which was basically empty, although nice to swim in the Las Vegas summer. Of course my board shorts were falling down, but after trying to find a safety pin luckily the security desk had a whole tray full of them. Even though the pool closed at 10:30 or 11, I would have thought there would be more people. Especially since there was a pool party, which just meant free DJ’ing. But no…empty apart from some showboating skinny gay dude with an unfairly hot girl. I had a look in one of the chillout rooms but it had the same electronic music and lack of life that was at HOPE, so given my lack of money I decided to go back home and see what the next day may bring.

It was then that I randomly saw a girl from HOPE walking past quickly following a keg, and she invited me to follow. Then the leader from AlphaOne labs came, who really didn’t seem too interested in talking…just shy I guess. We moved around a bit from room to room as they tried to find a place where they could check IDs and be allowed to drink. Finally I gave up as nothing interesting was happening, so I decided to go home. During this time I had been talking to a girl who seemed very into me and I felt like I could have pursued her, but somehow I was just not interested. The fact that I was not that attracted to her probably had some bearing on that. So ended a Friday night in Las Vegas at a hacker convention, managing to live up to all the nerdy stereotypes long associated with such a thing.

Saturday

I arrived too late to catch the “Exploiting SCADA” talk as it took just about an hour to get down half the strip on the deuce bus. Who would have thought? I had really wanted to see this as SCADA is a hot topic at the moment and something I don’t know much about. I wasn’t too worried given that there were many SCADA talks at the conference though.

I managed to see the “Jackpotting ATM’s” talk, which was surprising as the line was huge and it looked like there was no way I could make it. I ended up being able to get in at the very end, and even managed to make my way down to the front, which was awesome. I was excited about this talk as I knew it had been given at Blackhat and I had been disappointed with the DEFCON talks so far. ATMs are an interesting subject, not least because they promise untapped cash to those who can hack them. Given many are notoriously insecure, running a version of Windows or OS/2, it would be interesting to know if they are connected to the internet at all, or what their private network is like and just how they are protected. Alas, the talk did not touch on that at all, but rather showed how easy it can be to reprogram an ATM if you can get physical access to its motherboard. It was a very entertaining talk but honestly it isn’t anything new. It has always been the case that it’s pretty easy to take over a machine if you have physical access. The criminals who managed to reprogram ATMs to spit out $100 notes instead of $20 notes or whatever were much more impressive.

I then wandered around a bit as the next talk I wanted to see was not for an hour. There was nothing happening at the pool so I ended up just wandering between the smoking area and display areas. One thing I did notice was that the EFF does not seem to understand the meaning of the word donation. There was a police shooting simulator that looked interesting to try, which you could only do if you made a $20 donation. As far as I understand it a donation can be any amount and not require anything in return. What the EFF was doing was charging a $20 fee to play a very basic video game, which is just lame.

I then went and saw “From No Way to 0 Day”, which seemed elementary. I had thought the focus would be on showing when DoS attacks, which are often dismissed, can actually be used to craft a privilege escalation exploit. It didn’t really seem to cover this at all and was far more to do with basic attacks on the Linux kernel.

I managed to catch the “SCADA and ICS for Security Experts: How to avoid Cyberdouchery” talk. SCADA systems are something that have a lot of hype and as a result a lot of misinformation is being spread around. I don’t know that much about them and was interested to learn more, and this seemed like a talk that would cover a lot of basic stuff, especially since I missed the talk in the morning. Well, no. This talk took about an hour to say in different ways that the problems are overhyped and don’t really exist (without bothering to address the arguments claiming the opposite), while avoiding ‘cyberdouchery’ boiled down to not hyping problems or blowing things out of proportion. It’s an interesting opinion, but the talk may have been easier to respect had he explained why his opinion was contrary to the majority of other talks being given on SCADA issues.

I regretted not seeing the “WPA Too” talk instead as that talk was actually revealing a new attack technique for the first time. Of course no one was talking about it and I didn’t read the description carefully enough to notice. I think I was partly disillusioned by the wireless security talk at HOPE so I just dismissed it. Damn.

I think I went back to the pool at this time. I wandered around the display areas for a bit more and in the interests of socializing thought I would go to the pool. Of course no one was really socializing with each other and there was hardly anyone there. I had wanted to see the talk on “The Chinese Cyberarmy – An Archaeological Study from 2001 to 2010”, which was unfortunately and interestingly cancelled. Wayne Huang had a lot of interesting talks and I didn’t get to see any of them…

I ended up puttering around for another hour then went and saw “DEFCON Security Jam III: Now in 3D?”. This was an awesome talk and easily the most entertaining I had seen so far. It was just a panel of a lot of the regular staff/attendees whatever each sharing stories of fail with games and prizes such as bacon beer to be had and specially made waffles being given out to a few lucky people.

After this it was time for the Freakshow party held by IO labs. It had appeared that you needed a pass to get in, but of course it was free for all attendees. Given that there was free beer and I had to show my badge to get in, I think I actually got some value from paying for the badge. It was quite a party, in the penthouse of the Riviera with gladiator style games and some dancing and mingling. People were smoking inside…we weren’t meant to, but everyone was. Captain Crunch came up to admonish us and the 3 guys I was talking to at the time just dismissed him, not even knowing who he was. After I pointed out who he was they ran off to apologize…which was funny to me. I got a chance to talk to Captain Crunch himself, which was nice, and the flowing beer didn’t hurt.

During this time the ultra secret Ninja Party was still on my mind. Somehow I was confident I would be able to get entry as it just seemed like a big display. Riding in a limo bus with free drinks on the way was very nice. Once arriving they did appear to have some bouncers and a list, but the people I made friends with at HOPE got me in without any issues. It seemed like if you had the smallest amount of streetsmarts you could get in, yet apparently all these “hackers” could only regurgitate textbook knowledge. Not the type of person I thought the word hacker ever applied to. At this point it was again time to head home, walking to New York New York and then catching my bus. I thought about scoping out the various casinos but without money, there didn’t seem much point.

Sunday

I woke up too late, which wasn’t surprising given the night before. I was kind of annoyed I missed the handcuff talk, but it was to be expected. I bought a monorail pass off a guy the day before for $1 and didn’t realize it put me so far from the hotel. I had to walk from the Hilton and by the time I got there people were telling me it was 13:00. I thought I would then go and watch Samy Kamkar’s talk, at which time I realized it was actually 12:30 and I was in some other talk. I rushed out to try and catch the Powershell talk but at 12:30 the line was already too long. I wanted to make sure I caught Samy’s talk so gave up.

Samy Kamkar’s talk, “How I Met Your Girlfriend”, was very entertaining, easily the best talk I saw throughout the whole conference. The Security Jam and ATM talks were entertaining but didn’t really have interesting details of a new attack like this talk did. Samy Kamkar is a fantastic public speaker as well as being a decent security researcher. Something sorely lacking at these conferences was people coming up with innovative attacks and presenting them decently.

There was nothing else to do until the closing ceremonies, so to the pool I did go. Finally, there were people in the pool, playing games even! A girl I originally met going to the shoot didn’t acknowledge me at all when I tried to say hello, although I managed to get back a guy from HOPE who whooped me in the gladiator games which was fun. It was a pretty fun time just relaxing in the water under the Las Vegas sun.

Finally, it was time to head back for the last talk I would see before the closing ceremonies, Sniper Forensics. Alas, it was cancelled and replaced with a Spot the Fed panel. I have no idea what happened to the Sniper Forensics talk for it to disappear from both HOPE and DEFCON but at least the slides are available. Odd. Spot the Fed was fun with just a lot of joking and guessing, although somehow it wasn’t what I thought it would be. Probably because the feds turned out to be analysts getting paid to go, not FBI agents scoping out threats undercover.

A bit more wandering around and then it was time for the closing ceremonies. It wasn’t too much of a big deal, just everyone being thanked and some prizes being awarded. Free stuff was being given out during it, although I didn’t get any. After wandering around a bit after everyone left I ended up with a random box of stuff…a motherboard, some music CDs and a random cell phone data backup device. I also got an 8” floppy disk which I managed to swap for a lanyard, in the hope that I could sell my badge on eBay. Something I have yet to do.

Before leaving home I had a meeting with representatives from one of the big security companies who were present at DEFCON to talk about my business plan. This was very exciting for me, and they seemed eager to help. I last talked to them in September and have not made any progress, but as I finish writing this article I know that I need to get more on that.

That was it, DEFCON was now over. While walking home I stopped for a smoke outside a 7-11 and ran into some friends from HOPE who were happy to see me. We shared contact details and agreed to meet up when I was back in NYC. I arrived home where I just chilled out for the next week, still not having my laptop and deciding what to do while looking for accommodation. Then the rest of my adventures in Las Vegas began.

Conclusion

Much like HOPE, I had very high expectations for DEFCON. Perhaps a bit more as I was not entirely sure I would be able to attend, so when I was able to make it my excitement and expectations increased even more so. DEFCON was the much bigger convention than HOPE, the one where many famous attacks and discoveries had been presented and where many fun hijinks had ensued. Alas, DEFCON was nothing like I expected and I found many of the same criticisms I had of HOPE applied to DEFCON.

There was the same lack of knowledge from people attending and most talks being introductory rather than groundbreaking. I was surprised when I asked to borrow someone’s laptop to check my email, and they thought I was crazy for doing so. How could you take the risk, with all these hackers around? Apparently they had never heard of SSL and certificate authentication. To be fair there was a risk of a keylogger, but I thought it unlikely in this case. There just seems something wrong with people attending a computer security conference fearing magical hackers.

One of the more interesting things I noted about DEFCON was that I did not get checked for my badge. Not once. For a security conference that seems awfully lackluster. I could easily go to any talk I wanted and take full advantage of the conference without having to pay $140. I wonder if it has always been this way or if the goons were unusually slack this year.

The pool parties were quite pathetic, although I was very impressed with the Freakshow party put on by IO labs. The Ninja party was likewise impressive, although neither of these parties can really be attributed to the DEFCON organizers. One thing I did notice at DEFCON was there seemed to be a lot of attractive girls. As sexist as it is, I wonder if they were perhaps just girlfriends of the male attendees. To be fair, I didn’t end up seeing them in any talks or taking part in any of the games. It was a nice distraction from almost everyone getting a Mohawk. So many people with Mohawks…..so many wannabe hackers….so sad. To be fair, the EFF was doing a fundraising campaign offering Mohawks for a price, but many of the people already had them before coming to the conference. Aye.

Speaking of which, the EFF “donations” were really disappointing. If you want to raise money by charging fees for products or services do it. The whole point of a donation is that it is voluntary, not that you pay a fixed price for something.

I do wonder how much DEFCON has changed and if perhaps it is no longer as relevant as it once was. Dallas said during the closing ceremonies that this was the quietest DEFCON he had seen…..which perhaps explained why it wasn’t what I had imagined it to be. Perhaps the previous generation have all grown up, replaced by a generation of attendees with no understanding and a desire to be seen a certain way rather than actually acquire knowledge or skills.

While most of the talks I saw were introductory, there did appear to be quite a few technical talks and I may have just chosen poorly. The Powershell talk, WPA Too and the talk on Farmville all looked like they had innovative research to present and I plan on watching the videos at some point. I was quite disappointed that Wayne Huang had all of his talks pulled, as he looked like he had a lot of interesting stuff to say. Hopefully he will be able to present them next year. If I do go next year, I will make a point to only see key talks and spend more time with CTF or Wargames, although I’m not sure if Wargames are still happening as I don’t recall seeing them.

I do think the crowd at DEFCON is more technical than the crowd at HOPE, although they all tend to stick to socializing or competitions. Trying to discuss things with people outside, there was a clear difference between those who were competing and those who were trying to understand everything being said in the introductory talks.

I would like to make a special note of TheCotMan. What a fucking retard. I understand there are some idiots or troublemakers on the forums, but when people ask for help and have done research you don’t just ban them. He is the type of arrogant idiot that thinks he knows best and has heard it all before, when he has no fucking clue. Although given the average poster on the forum, the type who like to get Mohawks and call themselves hackers without understanding some simple key concepts, he seems to be with his peers.

I honestly don’t know if I will go again this year. I can’t say that it is worth a flight out to Las Vegas again, and given the lack of innovative talks and any kind of decent party, it isn’t really that appealing to me. On the other hand I have good friends in Las Vegas and have my laptop back now, so it could be a fun learning experience. If not, I will definitely go to DEFCON 20, which should be a big celebration. Despite everything I did have a good time and am glad I went.

Comparison between HOPE and DEFCON

It was interesting to compare the differences between The Next HOPE and DEFCON 18. HOPE was far better organized, with people always on staff if you had any questions and with something available 24/7 during the conference. I liked that you could not enter the conference areas unless your badge was displayed. HOPE was much better prepared for crowds, having overflow rooms set up which projected whoever was speaking in the main room. There were more activity villages at HOPE, more talks, fun things to try like Segways and such. DEFCON didn’t have anything like this really.

On the other hand DEFCON had a much greater number of people, has the well known competitions such as CTF and Wargames and tends to attract a greater number of high profile speakers. DEFCON 18 was terribly organized with it being impossible to get to a room as the only route was a skinny hallway, and they had no overflow rooms or the like. Badges were not checked for once, and there was very little to do that didn’t cost money outside of talks.

One thing I did appreciate is that DEFCON makes videos, audio and slides of the talks available while HOPE charges for this. It isn’t a big issue as most of the talks can be found on YouTube, but I think it is a nice gesture to allow people to view them for free. It is representative of helping people to learn and acquire knowledge, something that is meant to characterize these communities.

I also liked that HOPE allows for preordering for a cheaper price, and it is really something that DEFCON should consider. Running out of lanyards but not badges for example is just ridiculous. Having a cheaper price for those who are regular attendees and having the option to avoid lines would also be quite nice. Perhaps also consider appointing a non douche forum moderator.

I do wonder where these conferences are heading, or if they are losing relevance. As the industry is paying far more attention to computer security the field is going to be restricted down to a much smaller number of professionals, simply because the need will decrease. What about the non computer security aspects such as phreaking, electronics, lockpicking and such? Well, it seemed to me that these are all supplementary and the main theme is still computer security. It will be interesting to see if there is a DEFCON 30, if hacking will go the way of phreaking, or if the culture will grow and adapt. Given my impression of the community as it stands today, I don’t think that is too likely. Which is sad.

The Next Hope and DEFCON 18 – Part 1

Filed under: Security, Tech, Travel — allthatiswrong @ 6:17 pm

So now just over six months since these conferences have ended I have managed to write up my thoughts on them. So much procrastination, traveling and other things to write. Still – better late than never. I’ve had a strong interest in computer security for at least the last 10 years and have dreamed of going to these conferences since at least that long. Of course, I could never afford the cost of an expensive overseas flight and accommodation and when I have been in the states before it was never in summer or on the west coast. This year however things worked out well, being in the right place at the right time.

I had such high expectations for these conferences. Surrounded by some of the most skilled and prominent people in the field, listening and learning from new talks being given, a chance to play some of the games going on and learn or prove myself in the process. There was certainly a lot to look forward to; unfortunately I found both conferences to be a huge disappointment. I found most of the people I interacted with to have a very poor understanding of even basic security concepts which was reflected in the fact that the majority of talks seemed introductory rather than groundbreaking; very few relied on a presumption of basic knowledge – something I thought would be common to the majority of attendees. I was also disappointed in the opinions held by many in response to certain issues such as piracy or the whole Bradley Manning case.

In any case, I have written about my experiences attending these conferences for the first time, which some may find interesting. I will be posting it in two separate parts, with the first being my experience at HOPE, followed by my experience at DEFCON and a comparison between the two conferences.

The Next Hope

Friday

I got to the Hotel Pennsylvania pretty much on time and waited in line to get my badge, which really didn’t take long at all. The badge was interesting to observe, although not having much of an understanding of electronics I couldn’t make much of it. Having never been to one of these conferences before, I had expected it to be a lot more active and packed with people than it was, while it was actually quite moderate. I wandered around for a bit as I was hoping things would be a bit more social, but really nothing seemed to be going on.

I then decided to go and attend the first lecture, “Light, Color and Perception”. It was an interesting talk, although some of what was talked about was a bit over my head. Still, there were some interesting demonstrations and I learned a few new things.

After that, I decided to catch the talk on wireless security, “Wireless Security: Killing Livers, Making Enemies”. I had thought it would be these types of talks that were the reason I came to the conference. Unfortunately, this talk was a disappointment. It was incredibly basic and boiled down to rehashing that WEP is bad. I would have hoped that everyone in the conference would have at least known that, even if they didn’t understand the underlying details as to why. The talk mainly consisted of a few stories demonstrating how easy it is to fool people into joining rogue networks and why this was bad. There were no innovative ideas given for solutions and no talk of the more recent attacks. An hour of how you can screw with people who don’t know any better is not what I was expecting. I was pretty dissatisfied with the talk but thought it would be an exception and looked forward to some of the more technical talks that would have a bit more substance to them. I was mistaken.

I then decided to go and see the keynote, which at the least should be interesting. It was by Dan Kaminsky, someone who I have never felt too highly of. He has always seemed to me to be a drama queen, being overly cocky without cause and often simply getting things wrong. I also can’t think much of a security expert who uses 5 letter long root passwords and fails to comprehend the threat of DLL hijacking.

I felt he lived up to some of my perceptions during his talk, which was basically talking about the problems in languages that allow for bugs. This is a fairly well understood area of ongoing research and certainly did not seem the worthy subject of a Keynote. It was essentially a slideshow summary of the problem and what has been suggested by many people as solutions. Again, no groundbreaking new ideas or revelations, just a basic summary that a lot of people in attendance would/should have been familiar with.

I’m not too sure what I did at this time. I think I wandered around the mezzanine looking for the Segways, which had closed for the day. There was nothing really going on that seemed too interesting, so I may have gone home briefly.

The next talk I saw was “Tor and Internet Censorship”, which was actually interesting. I would have hoped that most people in the audience would be familiar with Tor and the goals of the project, and while the talk was a summary, it also revealed a lot more info on what the guys are trying to accomplish. It was interesting to hear how they deal with countries trying to block the software and the various cat and mouse games they are forced to play. In today’s world the importance of projects such as Tor cannot be underrated, and it was great to see them keeping in touch with the community and getting the message out.

After this I saw the “Easy Hacks on Telephone Entry Systems” talk, which I hoped would be interesting. I have very little knowledge of telephone infrastructure and still have not gotten around to playing around with Asterisk to get a better idea. I had hoped I would be able to pick up some things from the talk even without having the background knowledge. Well, the talk didn’t require any background knowledge. The talk basically showed that a lot of entry systems still use default passwords and/or have the access control panel protected only by a very flimsy piece of metal. It was interesting to learn those facts, but it really should have been one of the 20 minute lightning talks. How it stretched out to an hour I don’t know.

After this, I went home as I was exhausted. I wasn’t sure why I didn’t stay for the hotel talk as that seemed interesting; probably I had had enough talks for one day, though, and there was nothing in the mezzanine more appealing than sleep.

Saturday

The next day I arrived kind of late due to trying to work out why the bank had suspended my access to my funds. I got there in time for most of the “Grand Theft Lazlow” talk. This talk was one of, if not the most, disappointing of the talks I saw throughout all of HOPE and DEFCON. The guy was a developer for Rockstar Games and started talking about his views on piracy. Piracy is a complex area (precisely because it is NOT theft) but this guy would not acknowledge that, simply considering it completely wrong and actually pushing for greater restrictions. Many of the things he was saying were just ignorant and it was disheartening to hear the audience cheer.

An interesting moment was when someone got up to ask a question, making the point that $80 or so is too much to spend on a game without knowing the quality, so he will often pirate and then buy the game if he felt it was worth it. Lazlow’s response was not to comment on the legitimacy of doing that but to accuse the guy of being a liar, to which the crowd cheered. This was meant to be a community of people capable of critical thinking and understanding new ideas, but that crowd was anything but.

Then it was time for the keynote which was said to be given by Julian Assange. At this time I was still catching up with the whole Wikileaks phenomenon, so was surprised just how much the feds did want him and how big a thing it would be if he did show up. Obviously he didn’t end up showing and a talk was given by Jacob Appelbaum from the Tor project covering why Wikileaks is important and what they stand for. Ironically, I have not made up my mind on Wikileaks because there is so much contradicting information, and credible claims made against them.

The points given in the talk however were interesting, especially the points on privacy. All of the talk of no secrets reminded me of the Asimov story, The Dead Past, in which privacy is eliminated. Obviously the Wikileaks people are not calling for an end to personal privacy, but even so I find it hard to imagine a world in which governments as powerful as the US are completely transparent. Reason being, there is a lot of justification for a government to keep things secret from its population, at least for a while.

The most interesting thing about the keynote was not that Julian Assange did not appear, as that is to be expected. It’s that he didn’t teleconference in, or even prerecord something. This is a hacker conference full of people supposedly ahead of the curve when it comes to many issues, not least of which is technology. It’s hard for me to believe there was no one able to set it up so he could talk, an action which would have sent a message all by itself. Was there really no one capable of setting up a webcast to go through anonymous proxies? We could have even gotten the guys from the Pirate Bay or something to host it; by the time a warrant would have been issued the webcast would have been long over. Or, maybe he had his own personal issues to deal with. In place of Assange, Jacob Appelbaum of the Tor project gave a great presentation and then made an amusingly dramatic exit.

The next talk I saw was “Modern Crimeware”, which turned out to be a very basic explanation of how people make money through malware with botnets…not particularly interesting or enlightening. Again, I would expect most people in attendance to already understand this basic stuff. I was hoping for some interesting details on how “cyber-criminals” protect botnets or something…researchers at universities regularly publish far more interesting papers in this vein.

I then saw “Surf’s Up” – a well presented and entertaining explanation of CSRF attacks, but still a very basic explanation… I mean, were talks like this presented at the last conference? Why are such introductory talks the norm? I don’t have anything against all these speakers as I think their presentations were fine for what they were, I just don’t understand why they were given at a HOPE conference.

The “Social Engineering” talk was interesting. It was a panel with a lot of famous faces, not least of which were Emmanuel Goldstein, Kevin Mitnick and Captain Crunch. It was interesting just to hear some of the stories these guys were telling and just how easily the technique still works to this day. Definitely an entertaining panel and honestly I wished there had been more like it.

The last talk I saw of the day was “Net Wars Over Free Speech, Freedom, and Secrecy or How to Understand the Hacker and Lulz Battle Against the Church of Scientology”. I was hoping this talk would highlight some of the attacks on free speech that have been instigated by Scientology in the name of religion – instead it was mainly a summary of some of the pranks Anonymous have pulled, which anyone who keeps up with this type of news would have been aware of.

After that I was disappointed to see that the “Hacker Cinema” was not showing something entertaining or relevant, but rather a documentary. IIRC it was “Get Lamp”, which was a documentary on something to do with the history of early text games (corrected due to commenter Pan), which just didn’t seem appealing at 11pm on a Saturday night in New York City.

I was hanging around with some of the other people I had met while we were looking for more information on Lazlow and maybe to see if some other games or something were going on. Nothing much was going on except for a party in the mezzanine with horrible, horrible video game music. So many people actually dancing to repetitive loops of Mario dying and hitting mushrooms. It was just so bad. Somehow, that seemed to say a lot. New York City was right outside on a Saturday night, but dancing to video game sounds was preferable for many people. Aye.

Sunday

Sunday was the last day of a conference that had so far been disappointing, but still had potential. I got there later than I expected…I think it was due to some problem with the trains. The first talk I saw was not until 13:00, and was “DMCA and ACTA vs Academic & Professional Research”. I was hoping this talk would give some insight into the ACTA treaty as I had not kept up with it and it has largely been kept secret. There was nothing on ACTA except that it was often mentioned in the same breath as the DMCA as being evil. The DMCA had been around for about 10 years, so explaining it again resulted in this talk being yet another introductory talk.

The main problem I had with this talk is that the speakers would continually talk about the DMCA as being evil when the problem is not with the legislation. The problems in almost all of the examples given were from people or organizations misusing the DMCA. There was no mention of companies who would refuse to acknowledge counter-claims due to being too scared of being sued. There are actions you can take against this to stop further abuse; failing to realize that and take action does not mean that the DMCA is evil.

The next talk I saw was “Into the Black: DPRK Exploration”, which was slightly entertaining but hardly informative. The first 20 slides or so were just meant to be humorous and were skimmed through, with the rest basically dismissing every claim because North Korea doesn’t have its shit together. A fair argument, but it might have carried more weight if it wasn’t presented as just mocking the country. It’s hard to tell whether the talk was meant to be considered authoritative or speculation given the way it was presented.

While I was watching the DPRK talk I had no idea how significant the informants panel was and that Lamo would be there, so I only managed to catch the last 20 minutes of it or so. I never thought too highly of Lamo before, with his previous claims to fame for “hacking” seeming to be designed to give him as much media exposure as possible rather than actually contributing in any useful way. I didn’t know enough about the Wikileaks situation at the time to take sides but managed to get the gist of things. The main thing I noticed here was that most people were angry at him and insulting him, having made up their minds before he even attempted to defend his actions.

Regardless of whether his actions were right or wrong, I do believe in this case he thought he was doing the right thing. What he did is not a simple issue and it made me sad to see everyone dismiss his actions as wrong without bothering to actually give the issue the thought it deserves. It was when question time came that I saw the real character of most of the attendees.

One girl asked him about restraining orders and his ex-girlfriend’s claims of abuse, which, true or not, have absolutely no relevance to the issue that was at hand. I expected more from this community than trying to discredit someone further because you disagree with their actions. Another attendee didn’t bother to ask a question but outright accused him of treason (which showed that person’s ignorance, as per the definitions Lamo’s actions are closer to patriotism), only for everybody to cheer and applaud. I am still undecided on the entire issue as it is so very complex.

What I do think personally is that Lamo showed a lot of courage by joining in the panel and attempting to justify his actions, knowing the public opinion and abuse he would likely face. Most of the people in the audience would likely not have that courage or strength of will to do what they think is right, and are more comfortable criticizing from behind the scenes.

That finished at about 3:30 or 4, and then it was some more hanging around with people in the mezzanine or outside. I had wanted to see the talk on Sniper Forensics but didn’t bother because it was going to be at DEFCON. Of course, it wasn’t, but it didn’t end up being given at HOPE either. Luckily I have the slides on the CD from DEFCON.

Closing Ceremonies

The closing ceremonies were interesting. They started very annoyingly as most of the seats were filled, and one fucking douchenozzle told me his seat was taken, when it was just his bag…and he wouldn’t let anyone sit there the entire conference. I was planning to do something about that, but he left before I could learn his douche name.

I saw one girl who was basically ignoring the ceremonies, playing Scrabble on Facebook or tweeting about shoes the whole time on her iPad…yet she was continuously moving toward the front…why? Why worry about being at the front if you aren’t paying attention? Then there was a guy who kind of crept up behind me when I was leaning against a pillar, only to somehow swoop in when I left it for a few seconds. He was filming the entire thing and would just keep tapping me to move out of his way…apparently he was unable to speak or say please, despite being fully capable of speech. I just don’t understand what it is with this crowd and the bizarre lack of social skills. The ceremonies themselves were fine…just what could be expected. Some prizes were awarded and thanks were given, as well as talk of a possible next conference.

After that I didn’t feel like going home just yet, so I volunteered for a few hours. After I started I heard talk of some prizes for the volunteers, which kept me going. Several hours of lifting heavy cables, crates, lights and such…all for nothing. It was at least 4 hours or so of hot sweaty work and I was hoping for a copy of a book or something. Alas…nothing. Funnily enough I don’t really feel guilty about downloading the ebook.

Conclusion

That was the end of The Next HOPE, my first ever conference. I had always been interested in computer security and the associated underground culture. Ever since I saw the movie Hackers, which was directly inspired by the 2600 community, I had wanted to see what it was all about. Growing up where I did I never really had the opportunity to join in, but as I became a computer security professional and learned more about the community, which I had always held in high esteem, I couldn’t wait to one day go to one of these conferences and participate.

It was then all the more disappointing to go to a conference and witness in most people an inability to think originally or creatively, and to see them accept popular ideas without giving them the critical analysis that is required to have an opinion worth anything. For most of the talks to be introductory and retreading well known topics was also a disappointment. Where were the new discoveries, the innovative attacks or just the passionate discussions on matters important to our community and society?

One of the interesting things to note was how amazed people were that I could make the badge remain blue and just how incapable they were of figuring it out themselves. The badge had LEDs which blinked intermittently in no discernible pattern. When you touched a sensor on the back, it would remain blue. So, in order to keep it blue, you just had to keep the connection somehow. Yet no one was able to figure out this very simple hack, with people being puzzled at how I accomplished it.

I should also mention the disappointing views that manifested in the talks about piracy or governments or Adrian Lamo. I think at some point in the Informants talk someone made the comment that all nation states are a fundamentally bad thing to which everyone cheered…loudly. Apparently many people in the audience are naïve fucking anarchists, not the caliber of person I would have expected at a HOPE conference.

Club Mate also deserves a mention. This drink was disgusting but hyped up as being from Germany and what hackers in Germany were drinking. Having lived in Berlin for over a year recently, I had never seen it before and it tasted like shit. At $4 a bottle it really wasn’t worth the price, yet people were buying it in droves. I can understand if it were to try something new, but people kept buying it to be seen as cool. To be seen as fitting in and being part of the scene. There is just something very sad about that.

One of the highlights of the conference for me was to see Kevin Mitnick and Captain Crunch in person…icons who in many ways shaped the culture and community. I have to wonder what they think of the current state of the community. Both Mitnick and Crunch did what they did by thinking originally and looking for solutions to problems, the very opposite of just accepting whatever they are told, which seems to characterize the current community.

Despite everything I did notice a very strong sense of community, a sense of unity that I had not seen before. What I wonder is whether a community once defined by solving problems in innovative ways and creating things never envisioned has simply become a hobby group for people who have an interest in technology. Perhaps my expectations were too high or I was looking for the wrong thing, but somehow I don’t think that’s it. I didn’t see a few talks, such as the HTTPS fragile talk, which may have been technically interesting. Even so, seeing the views of people attending was discouraging. However, for $50 it was worth it and I would do it again hoping for a better turn of events.

Update 1 – February 8th 2011
Corrected one typo and fixed the description of the movie Get Lamp.