The Next HOPE: A Defcon Prequel


Old Apple Computer

This year I attended my first HOPE conference.  HOPE (Hackers On Planet Earth) is a hacker conference organized by 2600 The Hacker Quarterly.  After hearing about the talks they had at 2008’s HOPE (The Last HOPE) when I was listening to the 2600 podcast, I knew I had to attend this year.  I was not disappointed.

HOPE, if this one is an indication of how they usually are, is like an East Coast version of Defcon.  Really, the only difference is that the atmosphere of the talks is slightly different given HOPE being located in NYC vs Defcon being located in Las Vegas.  While the playful hacker spirit is present at both, there’s usually an extra bit of an anything-goes feeling in Vegas.  There were also a few talks that were presenting preliminary versions of the data they hoped to present at Blackhat/Defcon.  It makes sense, since those are the more prestigious hacker cons.

Just as when I attended Blackhat/Defcon a couple years ago, the main theme of the conference was that you should not trust anyone or even the networks you’re on.  For starters, you should be extremely careful when using a public wifi (or even a private wifi if you live in an apartment complex or densely packed neighborhood).  One of the talks I attended demonstrated how they could cause your computer to think their computer was the wifi access point.  They would then pass all your info onto the real access point so you wouldn’t notice that anything was wrong.  They would have the ability to see everything you were doing – conversations, passwords, websites.  It sure makes you think twice when using that wifi at Starbucks or Panera!  Another talk I attended focused on the fact that certificate authorities are not as trustworthy as they seem.  Certificate authorities are the people who let you know that when you see a lock in the bottom right of your browser, you really are connected to your bank.  This was even scarier than the wifi hack because it means that even from your own home you can’t be confident that you’re not being redirected away from the site you expect to be using.

Security Flow Chart

Social networking has exploded since I attended Blackhat/Defcon.  Back then, Facebook was still mostly being used by college kids and recent grads while the uneducated were stuck in the Myspace ghetto.  Twitter was around and had started to take off, but it wasn’t being read off on CNN yet.  So, this year, a lot of talks revolved around the perils of putting too much information out there.  One bit about you is just information.  A torrent of information is data!  I went to two talks revolving around GPS data being recorded on social networking sites.  The first talk was about people who geotagged their photos posted to Twitter and the second talk was about geotagging on social networking sites in general.

The first talk led me to discover a site they had set up at http://www.icanstalku.com.  They wanted to make sure that people who are geotagging their tweeted photos realize that they are doing so.  A lot of cell phones ask users to set their geopreferences early on in use and many users forget it is turned on.  So, by creating this website they hope that people can realize what’s going on and then make an informed choice about whether they still want to do this.  The most basic problem with tweeting geotagged photos is that people know when you’re not at home and can even figure out how far away you are and, based on the content of your tweet (“I’m on a shopping spree!”), how long they have to rob you.  The authors showed how trivial it is to figure out where someone lives (the second talk also did something similar).  If there is a cluster of photos taken in the same spot and involving tweets like “having breakfast”, “just woke up”, etc., it’s a pretty safe bet they are pinpointing the location of your home.  A little googling can tell a criminal if that’s a neighborhood that might be worth robbing.  Then, just following your tweets for a couple weeks will let them know your daily patterns and they can fleece you!  They also demonstrated how they can easily combine this info with court records, figure out who owns the house, and basically figure out your real name and identity from your tweets.  This could be used for blackmail, kidnapping, robbery, rape of others, etc.

Wanted: Adrian Lamo

The common thread throughout HOPE was the constant bashing of Adrian Lamo.  Lamo is a famous hacker who was contacted by Bradley Manning, an Army guy who claims to have leaked the helicopter strike video to WikiLeaks.  When Manning also bragged to Lamo that he had released some thousands of State Department diplomatic cables, Lamo turned him in to the authorities.  Just as in many other communities, snitching is frowned upon in the hacker community.  The community believes that people should only get caught through their own carelessness, not through others turning them in.  So a lot of the talks had sideswipes at Lamo on their slides.  One talk I went to had something about him on every slide.  It eventually devolved into the childish, like claiming that Lamo was a pedophile or Nazi sympathizer.  He had a chance to defend himself on Sunday, but I didn’t attend that talk – I was attending a different one and, had I known he would speak – it wasn’t made clear in the pamphlet – I would have attended.

I had a blast, as I usually do at these conferences.  It’s fun to be around others who are as into technology and exploration as I am (in some cases even more so).  The talks are always a blast because they demonstrate the amazing ability of people to figure out new ways to exploit the world (for good and for bad).  They also help you realize that the world isn’t quite as clean and neat as it seems.  If they have another one in two years (I heard that the hotel has definitely received the OK to be demolished) I will definitely try to go.