The Last HOPE


I made the trek to a steamy hot NYC this weekend to attend one day of the three day Last HOPE (Hackers on Planet Earth) conference at the Hotel Pennsylvania. There was too much going to adequately cover it here (or even take it all in), but a few things stood out.

Steve Rambam’s eye opening talk on the death of privacy for example. For a solid three hours in front of a standing room only crowd he weaved back and forth between the Orwellian theme of how our privacy is being ripped from us by everyone from Google to Choicepoint and the theme that seemed even creepier to him, self contribution. Over and over he expressed disbelief at how willingly we post our personal details everywhere from Twitter to Facebook while thanking us all the while for making his job as a private investigator that much easier. What the marketers and government don’t actively take, we actively give. Naturally I twittered the whole thing.

Cell phone tracking; artificial-intelligence-assisted reality mining; 3000 cameras per square mile in Manhattan; facial, activity, and even gait identification software; government outsourced investigative databases shielded from FOIA requests; UAV-based license plate scanners; beating anonymity by correlating multiple datasets; unanticipated database repurposing; and on and on… Finally I could twitter no more and left the venue hurriedly fashioning a tinfoil hat from a burger wrapper while consigning myself to doubling the dosage on my meds.

sid-vicious.jpgI will say this though, there was something deliciously ironic about standing in a room chock full of hackers all listening at rapt attention to a three hour chillingly dystopic harangue on privacy loss while nearly every single one of them was wearing an RFID tag around their necks. Even better, the tag was tracking their every move around the venue and was linked to a comprehensive self-contributed profile.

Moving beyond the privacy nightmare stuff, there was hardware hacking to be found everywhere at Last HOPE. Tables were covered with broken open electronic toys and electronic components and were surrounded by hackers with smoking soldering irons.

Of the completed projects on display, one of my favorites was a something of a hybrid that projected a 3D image onto carefully placed strings. string.jpg

Called Wiremap, the project was built by Albert Hwang who carefully moved it from his living room to the Hotel Pennsylvania where it took him a full day to set up and re-calibrate. It is a fascinating piece that creates a convincing (if low res) three dimensional image by carefully processing a volumetric image into slices (using Processing) and then projecting those slices onto reflective white strings stretched into a precise angular array.

The resolution of the system is limited by the fact that the strings have a physical width and that the projector is quite imperfect for the task. Relatively poor angular precision, rectilinear lens distortion, the lack of flat field optics, and the fact that the lens has a fairly narrow focal depth all conspire to limit the display resolution to 256 slices. However, despite the limitations you could move around the display and really get a sense for the object and it’s motion. The video I’m embedding below isn’t great but it should get the idea across.

Finally, I just wanted to mention a couple of things about the “Crippling Crypto – The Debian OpenSSL Debacle” talk given by Appelbaum, Zovi and Nohl. Plenty has been written about the issue itself, so there is no point in regurgitating it here, but if you haven’t seen the diff of the before and after code change it’s worth taking a look. It is amazing that such a benign looking edit (at first, and probably second, glance it looks like someone just added a comment) could turn out to be the “worst bug in the history of Debian,” and probably SSH as well since it also relies on OpenSSL.

As the presenters set out to recreate 524,288 weak keys for use in tracking them down and blacklisting them, they calculated it would take them five days on a single machine. So, instead, using Amazon’s S3, SQS, and 20 32 bit and 20 64 bit EC2 instances, they ran the entire job in four hours for a total cost of $24. Interestingly, they didn’t even have to supply their own image of Ubuntu with the un-patched code as it was still available from Amazon for use with EC2.

security-camera.jpgI expect video for some of the talks will pop up here and there. In the meantime, if you are interested, these guys videotaped every session and made DVD’s. If you don’t already suffer from paranoiac delusions I would highly recommend Steve Rambam’s session (or, you can find an earlier version of the talk here).

tags: , , , , , ,