From: NTK's own correspondent:

HAL2001 Friday:

Keynote
-------

The keynote speaker was Emmanuel Goldstein, who appeared wearing a white t-shirt bearing the word "fuck" written as a Ford logo: "I'm trying to repel the American media", he announced. He figured that the t-shirt should force any US cameramen to turn off their cameras...

He went on to explain the nature of 2600's run-in with Ford (partially covered in this quarter's issue). In 1999, when the DNS monopoly was 'broken', some of the new registries allowed the use of 'obscene' words. So 2600 registered a bunch of domains: motherfucking.net, fucktheinternet.com, fuckthemassmedia.com, fuckcbs.com, fucknbc.com (they were too slow to get fuckabc.com and fuckfox.com!). They redirected fuckcbs.com to point to NBC's website, and vice versa. NBC sent a 'Cease and Desist' for trademark infringement, so 2600 printed the letter, and publicly commended CBS for not being as childish. The following week, CBS sent a Cease and Desist.

Around the same time, 2600 registered fuckgeneralmotors.com. Emmanuel stated it would have been a much easier life not to register these domains, but "sometimes you just have to push back and provoke the monster".

Anyway, Ford sued 2600. This was a bit confusing, as they didn't have fuckford.com, or fordsucks.com, or anything. It took Ford a while to actually find the 2600 offices, but eventually a letter arrived in the post. Ford were suing them for fuckgeneralmotors.com! It turns out that initially fgm was pointed at GM's website, then at a consumer watchdog site, then at ford.com, and then they quite simply forgot about it. Now, if Ford had asked nicely, 2600 probably would have moved the redirect, but they didn't even threaten, they just went ahead and sued. Ford didn't know they could block the redirect with just a few keystrokes; they "must have been using some Microsoft product they couldn't understand..."
Well, after all that, they just had to go and register fordreallysucks.com (the fordsucks.com owner had already been sued and taken the site down...)

Emmanuel then went on to suggest that maybe someone should modify CodeRedII to gain access to an IIS machine, infect it, download the patches and fix the vulnerability itself. And then a short rant about the appalling way that worms like Sircam were now affecting non-MS users, not through infection, but just by the sheer volume of mail received from infected people. 2600's public email addresses had all been swamped before they could put filtering in place. "We don't even use their software and we *still* get screwed".

Some other choice Goldstein quotes:

Re the DMCA: "Sometimes I get the feeling the rest of the world is tolerating us to see how bad we fuck it up"

"Don't ever say Americans aren't tolerant - we've been tolerating shit from our government for years!"

Privacy & location data in mobile telephony
-------------------------------------------

Jaap Henk Hoepman, Gus Hosein, Frank Rieger, Paul Dinnissen. Chair: Maurice Wessling.

A technical panel discussion, raising many issues about the 'greedy' telcos looking to harvest location-specific data about our movements as a way of recouping some of the UMTS investment... Several of the panelists were working for privacy startups, looking at building location services (friend finder, mobile ads, traffic alerts etc.) that could be used by the subscriber with user control of who sees what personal info. Paul Dinnissen of Maptive (http://www.maptive.com/) described the "sheer economic panic over UMTS" leading the SPs to consider privacy a danger to future revenue streams.
Gus Hosein of Privacy International reviewed the way that traffic data in the POTS system (who you called, when and for how long) was expanding in the world of mobile telephony and the internet to include what had previously been considered "content", including location data, caller ID, DHCP addresses, URLs visited, search terms, and anything that isn't the actual content of a webpage or an email... Quote: "things are going to get worse" (referring to the CoE Cybercrime convention).

Most interesting, the first questioner was Phil Zimmermann, who offered a number of suggestions to counter the panel's bleak view of the future of privacy. Zimmermann suggested that there was a pressing need to lobby and publicise the cause of mobile privacy in the press, outside the hacker community, and this would take money to reach legitimate bodies and operators. The community needed to identify decision makers and communicate directly with them. Of course, this all takes effort and money, but he gave as an example how the US crypto export policy was 'fixed' through sustained effort. "You *can* get results with enough effort applied". He made the point that if we become passive observers, we make the changes inevitable.

The general response to Zimmermann was along the lines of: you don't understand how dense/determined European telcos are, and "If you thought the crypto wars were bad, think of 43 DOJs" (Gus Hosein, describing the Council of Europe). Zimmermann rebutted with a view that there had been a sea change in the number of US congress discussions regarding privacy, that "if we feel helpless, then we become paralysed", and "Let's get started - I think we can win!"

A final teaser was the prospect of a new piece of 'research' allowing a microcode change to a Nokia phone, allowing it to connect to the 'next' cell over, rather than the current closest base station.
No source was provided :-(

BadRAM: broken memory put to good use
-------------------------------------

Rick van Rein gave a brief but excellent talk about his Linux kernel patch that allows bad memory locations in 'faulty' RAM chips to be mapped, and avoided by the OS (since Linux uses an MMU). It's a similar concept to that used in the ZX Spectrum - apparently, faulty 64bit chips were cheaper than 32 bit chips, but usually only failed in the high or low order bits, so the chips were tested and marked H or L, and then the address bus was mapped accordingly.

One side effect of using 'faulty' RAM in PCs is the prevention of dual-booting to a Microsoft OS (which cannot avoid the faulty RAM locations). Rick was very pleased about this strategy...

Apparently something like 50-70% of RAM chips are thrown away due to manufacturing defects. The use of BadRAM could bring these back into use, and drop memory prices even further. The patch isn't in the kernel yet, because (rumour has it) Linus doesn't like the idea of using broken hardware. Alan Cox, however, does (allegedly). Rick's had at least one person who is delighted with the patch, since they can use their laptop (with soldered-on-the-motherboard failing RAM) again.

http://rick.vanrein.org/linux/badram/ (can't connect to site at present...)

DeCSS history, background and legal future
------------------------------------------

Tom Vogt spoke about the background to DeCSS, and the structure of the various copyright and trademark enforcement bodies involved today. He gave a persuasive argument that the entire DVD-standards enforcement industry forms a restrictive cartel, and how the 218 pages of the CSS licence are used to enforce such things as region codes, and 'hackability' of players, far beyond the provisions provided by copyright law.
Tom also spoke about the 'European DMCA', the EU Copyright Directive, and how national governments are likely to overshoot the required level of restrictiveness in national law to ensure they meet the directive; and the link between the oppression of Indymedia journalists in Genoa, with Berlusconi and hard right/fascist politics, and the increasing consolidation of mass media into singleton powerful interests (Murdoch, Haffa, Berlusconi...).

Best quote: "The best historical example [of the reaction to DeCSS] is the church's response to printing presses"

http://www.lemuria.org/DeCSS/
http://www.eurorights.org

The Cybercrime Convention
-------------------------

Gus Hosein and Andy Mueller-Maguhn spoke about the Council of Europe Cybercrime convention. A very scary talk, with such wonderful warnings as:

In the current language of the convention, ISPs must accept Carnivore-like devices, AND develop an interception capability.

There will be increasing problems along the lines of Dmitry Sklyarov's case, as the convention has no requirement for 'dual criminality' - so you could be tried in your own country for an act that was completely legal there, but against the law elsewhere.

Andy Mueller-Maguhn has been talking to AOL about children's internet access, and filtering same. It was all going well, lots of agreement about unsuitable content, and then someone suggested filtering adverts, and "it all went quiet"...

A week before the February 2000 DDoS attacks, there was a big NIPC meeting in the US, to discuss budgets. There seemed to be huge problems justifying the USD 2 billion for work against "cyber-terrorism". Then the attacks on CNN and Yahoo happened, and everyone knew what cyberterrorism meant. The budget was approved...

Also, a German journalist was quoted in the press as stating that a Dutch hacker group called 29A had developed CodeRed, and that they'd likely be at HAL.
29A are actually Spanish, and denied all responsibility for CodeRed, although they seemingly did develop a proof-of-concept *virus* two years ago, called "red code"...

http://is.lse.ac.uk/staff/hosein/
http://conventions.coe.int

Worms - what is possible?
-------------------------

Jonathan Wignall gave a practical demo of a worm, and detailed the ideal worm characteristics. He suggested the best place to release a worm would be at a place where there might be a few thousand possible suspects... but begged the audience not to do any such thing, as he'd be prime suspect...

Apparently, AOL users logged into the service access AOL FTP on members.aol.com using anonymous/userid@aol.com.

To finish, he threw t-shirts and pens into the crowd. I haven't had my photos developed yet, but with luck I should have a shot of him throwing the pen that hit me right in the mouth. Might be worth a ticket to DNSCon next year?

He claims the slides and sample worm at http://www.dnscon.org/hal2001/ will be removed on Friday, so maybe better to quote his 'securing a server' paper instead: http://www.dnscon.org/standard.rtf

Hosting controversial content: onshore, offshore, or online?
------------------------------------------------------------

Ryan Lackey gave a balanced view of the options, not favouring the use of ex-anti-aircraft platforms declared autonomous constitutional democracies at all...

An interview (by Christiaan Alberdingh Thijm) about Sealand following the talk was more controversial, with some hard questions on the acceptable usage policy of HavenCo (no child porn, but it has to be "actual real child porn". And the only reason that's in place is because it's against the law of Sealand (apparently)). Anyway, HavenCo charge too much for anyone to host porn there, but when pressed about a minimum age, Lackey suggested 18, seeming to be making policies (or Sealand law) up as he went along.
HavenCo are apparently making a small profit, having reached break-even point, but even after two years, Ryan cannot sing the Sealand national anthem, and doesn't have a Sealand passport ("I couldn't be bothered to get a photo."). HavenCo are, however, considering an offshore SourceForge-like server for controversial projects...

Wau Holland (CCC) Memorial Session
----------------------------------

Friday night, there was a memorial for CCC greybeard Wau Holland. I didn't know him, but many people (maybe a thousand) attended, and eulogies were spoken.

http://wauland.de/

HAL2001 Saturday:

Location privacy in mobile internetworking (IPv4 & IPv6)
--------------------------------------------------------

Alberto Escudero Pascual lectured about how mobile IP (v4) roaming could be mapped by monitoring traffic forwarded from the home agent; and how, even though IPv6 solved this with a binding update to allow the packet originator to send data direct to the mobile IP user's care-of address, the use of a globally unique MAC address in the IPv6 link-local auto-config address meant that your roaming could be easily mapped. Not a major issue, until IPv6 becomes the data carrier of choice in mobile telephony with UMTS...

With captures from the 350+ 802.11 users on campus, Pascual demonstrated that most users don't (or can't) change their MAC address, so maybe what was needed was some random generation of MAC addresses. Not so random that it stands out like a sore thumb (hello 12:34:12:34:56:78!) but a random lower 3 bytes, with the upper 3 bytes statistically allocated from the vendor codes seen by the first-hop router. (On the HAL WLAN, approx 80% of the NICs were Lucent, 8% were Apple AirPorts, and the rest were sundry other vendors.)

http://www.it.kth.se/~aep/licentiate/ for his thesis.

DDoS: analysis, detection & mitigation techniques
-------------------------------------------------

Sven Dietrich gave a long and interesting talk about DDoS.
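Back to Pascual's location-privacy talk for a moment. As an added illustration (my own code, not from the talk or his thesis), the following Python derives the EUI-64 link-local address that IPv6 autoconfig builds from a burned-in MAC, and generates replacement MACs the way he suggested: OUI drawn from a constructed vendor mix (the OUI values are assumed placeholders), low 24 bits random but re-drawn when they form an obvious pattern.

```python
import random
import ipaddress

# Constructed OUI mix, mirroring the rough vendor split the talk reported on the
# HAL WLAN (approx 80% Lucent, 8% Apple, rest sundry). The OUI values are
# assumed/illustrative placeholders, not taken from the talk or the thesis.
OUI_WEIGHTS = {
    "00:02:2d": 0.80,   # assumed Lucent (Orinoco) OUI
    "00:30:65": 0.08,   # assumed Apple AirPort OUI
    "00:50:56": 0.12,   # placeholder for "sundry other vendors"
}


def eui64_link_local(mac: str) -> str:
    """IPv6 link-local address that stateless autoconfig derives from a MAC.

    The MAC is split, ff:fe is inserted in the middle and the universal/local
    bit of the first byte is flipped; the result is appended to fe80::/64.
    Because the MAC is globally unique, so is the interface identifier, which
    is the tracking problem the talk raised.
    """
    b = bytes.fromhex(mac.replace(":", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC")
    iid = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6]
    return str(ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid))


def looks_patterned(nic: bytes) -> bool:
    """Reject NIC-specific bytes that stand out: all equal, or a constant-step
    run such as the 34:56:78 tail of the talk's 12:34:12:34:56:78 example."""
    d1, d2 = (nic[1] - nic[0]) % 256, (nic[2] - nic[1]) % 256
    return d1 == d2  # all-equal is the d1 == d2 == 0 case


def random_mac(rng: random.Random, weights=OUI_WEIGHTS) -> str:
    """Random MAC: OUI drawn from the observed vendor mix, low 24 bits random,
    re-drawn until they do not look patterned."""
    (oui,) = rng.choices(list(weights), weights=list(weights.values()), k=1)
    while True:
        nic = bytes(rng.randrange(256) for _ in range(3))
        if not looks_patterned(nic):
            break
    return oui + ":" + ":".join(f"{x:02x}" for x in nic)


def rotate(rng: random.Random, n: int) -> list:
    """Simulate n roaming sessions, each with a fresh MAC and the link-local
    address an observer at the first-hop router would see."""
    out = []
    for _ in range(n):
        mac = random_mac(rng)
        out.append((mac, eui64_link_local(mac)))
    return out


if __name__ == "__main__":
    fixed = "00:02:2d:aa:bb:cc"   # constructed example of a burned-in MAC
    print("fixed MAC", fixed, "->", eui64_link_local(fixed))
    for mac, ll in rotate(random.Random(2001), 3):
        print("rotated  ", mac, "->", ll)
```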
Most interesting points were:

+ Back Scatter Analysis (detecting DDoS from its effects elsewhere in the net, through ICMP and other effects)

+ Distinguishing DDoS from the Slashdot effect (Slashdot referrals don't tend to use odd protocols or curious packet flags/seq numbers etc.)

+ The future: "Whack-A-Mole attacks"; worm-based DDoS; and the up-and-coming "worm wars" as mobile agents become much more sophisticated.

Opportunistic encryption in IP security
---------------------------------------

John Gilmore spoke about the new opportunistic encryption (keeping public keys in the TXT records in the DNS, and encrypting traffic whenever possible) in the FreeSWAN (IPsec) code, while Hugh Daniel prepared a demo and bitched about how xinetd was so broken on RedHat ("why did they take chargen away! This is what's *wrong* with 'security experts' - don't take functionality away").

Apparently, the overhead for opportunistic encryption isn't too bad (less than 1 second in most cases, and much less when caches are well populated). However, as DNS is vulnerable to spoofing, this is only secure against passive (sniffing) attacks. It requires DNSSEC to prevent someone feeding fake keys and actively attacking the IPsec session.

Quote from Bruce Schneier on doing an analysis of IPsec key exchange: "I found six obvious things [problems], so I stopped there".

Daniel: "IKE was designed by two of the dumbest entities I know - the US Government and business".

Daniel also thinks PGP is a "piece of crap", and wants to use finger (also missing from his xinetd) for key distribution in webs of trust. He is "talking seriously about redesigning the internet" - all of our APIs have to be thrown away, and "FTP has to die".
The best quote, however, was one of Robert Morris Snr's: "when looking to see if crypto is working, always look for plaintext"

http://www.freeswan.org

The daily security practice at an ISP
-------------------------------------

The room was too full for me to get a seat, or even see the screen! So not much in the way of notes, except:

Scott McIntyre on worms (CodeRed especially): "Some people just have way too much free time - get a job!"
Heckler: "Or a girlfriend!"

The tragedy of software quality in OS/GPL systems
-------------------------------------------------

Hugh Daniel (manager of the FreeSWAN project) is going to live in the asteroid belt before he dies, and he's not going there on open source software, cos it sucks, big time. Actually, he was making an important point about the lack of code reuse and learning from mistakes in open source. A couple of versions of something is okay, but is it really necessary to have ten separate implementations, just so people can appear on freshmeat? Just a very long whinge, really.

Ten years of open PGP
---------------------

Phil Zimmermann was going to talk on Hushmail 2.0, but instead decided to ramble about the history of PGP.

Half of all the email he gets about backdoors in PGP is from Germans. He got an awful lot of questions after the DoJ dropped the case. Most of the emails are in a "sort of quiet tone - it's okay, you can tell me if it's backdoored, I won't tell anyone..." Quote: "For some reason, cryptography attracts paranoid people"

He went on to explain the cycle of acquisitions that meant PGP (after it was bought by NAI) joined, left and rejoined the Key Recovery Alliance. In the end, NAI simply didn't pay any more subscriptions, and *still* had to force the alliance to take the company name off the roster on the website.

Zimmermann stated that PGP 6.5.8 was the last version NAI published the source for, so was the last practically trustworthy version, but he worked on 7.0.1, and it was the same code.
Zimmermann left before 7.1, but reckons it is probably okay, but wouldn't try to convince anyone of that... Some people in the audience refused to trust anything later than 2.6.3i, which Zimmermann was pleased about - that was still all his code (although the latest versions do still have a command line interface apparently, which is just ported from his original work).

Zimmermann also predicted the death of S/MIME ("it will go the way of PEM"), and publicly called for Adobe to actively contribute to Sklyarov's case (against the DoJ).

Wearable Computing
------------------

Marcus Wolschon (ably assisted by Martin Ling) gave a brief overview of wearable computing, and then turned the rest of the session into a show-and-tell. Not much new to anyone who's read the wear-hard mailing list (http://wearables.blu.org) but good to see the hardware in the flesh (as it were). Most important info was the apparent ease of making a head-mounted display out of a video camera eyepiece. Allegedly all that is required is a composite RGB input, and suitable power as per the donating camcorder.

http://www.informatik.uni-rostock.de/~mawol/hal2001/

Hacker Ethics from 1984 to 2001
-------------------------------

Panel discussion (Emmanuel Goldstein, Andy Mueller-Maguhn (CCC), Rop Gonggrijp. Chair: Francisco van Jole) in which the panel got some grief for not being more outspoken. Mueller-Maguhn got sharply criticised for suggesting that ethics were purely a personal choice.

Emmanuel Goldstein: During the recent troubles, 2600 got lots of email urging them to attack China, all of it from Hotmail accounts. Hotmail records the sender's address in an X-Originating-IP field, so 2600 checked these up. They were *all* from .mil domains.

Drugs and Thought Crime
-----------------------

John Gilmore (funder of the FreeSWAN project) does drugs. He has a friend (the inventor of MDMA) who designs drugs, and Gilmore is part of the select circle who get to try these out.
He's also committed to donating USD 10 million over the next ten years to support drugs studies. Quote: "In some companies you pass a drug test by having no drug residue in your urine. In others, you pass by bringing better drugs than the boss".

HAL2001 Sunday:

Future directions in operating systems
--------------------------------------

Hugh Daniel's third talk - hopefully trying to come up with some answers to his previous complaints. For many years now, he's been looking for the next better tool than Unix. Some people have tried to help: "Hey Hugh, don't you know Pascal and VMS is the future?"

He thinks there is a need to jack a new OS under Linux (sort of like the way the real-time kernels do). Security is vital, and he's "really embarrassed about buffer overflows" in open source software. Quoting an aircraft engineer: "My job is killing people. That's what aircraft engineers do unless they're *really good*"

Some useful ideas:

+ Secure booting - making sure the OS is the first OS running on the tin, and not under some emulated layer.

+ Capability-based OS (EROS is the only current implementation of this) - it becomes trivial to freeze the OS, and change the hardware underneath. Okay, so maybe modern laptops can do this, but KeyKOS (1970s - the only OS the NSA bought externally) ran on IBM 360s - one of which ran continually for 10 years from IPL.

Mobile Security
---------------

Zoltan Kincses and Zoltan Hornak of the University of Budapest belaboured the point (beyond a joke) that all the information in their presentations on SIM card cloning and wireless interception was freely available on the internet, as were all the images, so they could not be in breach of any copyright law, and would all the police therefore leave the room...

There are some interesting physical attacks on SIM card PINs. It used to be the case that a 'bad point' was written to the SIM for each wrong PIN guess, and this required a higher voltage to write than was required to read.
Limiting the voltage meant the failed guess could not be recorded, and guessing the PIN through brute force was possible. This was fixed by making the 'bad point' write happen before the PIN entry, and then using the write to erase the 'bad point'. However, at certain temperatures, SIMs can read but not write, so the brute force attack becomes possible again by temperature control...

Apparently, every 10th person now has a mobile phone, and GSM networks are present in more countries than McDonald's. There are more mobile end-stations than internet-connected devices, and it is predicted that by 2003, there will be more mobile internet-capable devices than fixed.

http://cuba.xs4all.nl/hip

Other Notes:

Oddest sight: A 6'6" cross-dressing Lara Croft-alike

Scariest thing: having a 220V feed to my tent, while it was pissing down with rain.

Worst thing about the rain: It blew away the (outdoors) propagation of the 802.11b Wireless LAN.

Most unsurprising event: The bar ran out of Jolt...