From: NTK's own correspondent:
HAL2001 Friday:
Keynote
-------
The keynote speaker was Emmanuel Goldstein, who appeared wearing a white
t-shirt bearing the word "fuck" written as a Ford logo: "I'm trying to
repel the American media" he announced. He figured that the t-shirt should
force any US cameramen to have to turn off their cameras... He went on to
explain the nature of 2600's run-in with Ford (partially covered in this
quarter's issue). In 1999 when the DNS monopoly was 'broken', some of the
new registries allowed the use of 'obscene' words. So 2600 registered a
bunch of domains: motherfucking.net, fucktheinternet.com,
fuckthemassmedia.com, fuckcbs.com, fucknbc.com (they were too slow to get
fuckabc.com and fuckfox.com!). They redirected fuckcbs.com to point to
NBC's website, and vice-versa. NBC sent a 'Cease and Desist' for trademark
infringement, so 2600 printed the letter, and publicly commended CBS for
not being as childish. The following week, CBS sent a cease and Desist.
Around the same time, 2600 registered fuckgeneralmotors.com.
Emmanuel stated it would have been a much easier life not to register these
domains, but "sometimes you just have to push back and provoke the
monster". Anyway, Ford sued 2600. This was a bit confusing as they didn't
have fuckford.com, or fordsucks.com, or anything. It took Ford a while to
actually find the 2600 offices, but eventually, a letter arrived in the
post. Ford were suing them for fuckgeneralmotors.com! It turns out that
initially fgm was pointed at GM's website, and then at a consumer watchdog
site, and then at ford.com, and then they quite simply forgot about it.
Now, if Ford had asked nicely, 2600 probably would have moved the redirect,
but they didn't even threaten, they just went ahead and sued. Ford didn't
know they could block the redirect with just a few keystrokes, they "must
have been using some Microsoft product they couldn't understand..." Well,
after all that, they just had to go and register fordreallysucks.com (the
fordsucks.com owner had already been sued and taken the site down...)
Emmanuel then went on to suggest that maybe someone should modify CodeRedII
to gain access to an IIS machine, infect it, download the patches and fix
the vulnerability itself. And then a short rant about the appalling way
that worms like Sircam were now affecting non-MS users, not through
infection, but just by the sheer volume of mail received from infected
people. 2600's public email addresses had all been swamped before they
could put filtering in place. "We don't even use their software and we
*still* get screwed".
Some other choice Goldstein quotes:
Re the DMCA: "Sometimes I get the feeling the rest of the world is
tolerating us to see how bad we fuck it up"
"Don't ever say Americans aren't tolerant - we've been tolerating shit from
our government for years!"
Privacy & location data in mobile telephony
-------------------------------------------
Jaap Henk Hoepman, Gus Hosein, Frank Rieger, Paul Dinnissen. Chair: Maurice
Wessling.
A technical panel discussion, raising many issues about the 'greedy' telcos
looking to harvest location specific data about our movements as a way of
recouping some of the UMTS investment... Several of the panelists were
working for privacy-startups, looking at building location services
(friends finder, mobile ads, traffic alerts etc) that could be used by the
subscriber with user control of who sees what personal info. Paul Dinnissen
of Maptive (http://www.maptive.com/) described the "sheer economic panic
over UMTS" leading the SPs to consider privacy a danger to future revenue
streams. Gus Hosein of Privacy International reviewed the way that traffic
data in the POTS system (who you called, when and for how long) was
expanding in the world of mobile telephony and the internet to include what
had previously been probably considered "content", including location data,
caller ID, DHCP addresses, URLs visited, search terms, and anything that
isn't the actual content of a webpage or an email... Quote: "things are
going to get worse" (referring to the CoE Cybercrime convention).
Most interesting, the first questioner was Phil Zimmermann, who offered a
number of suggestions to counter the panel's bleak view of the future of
privacy. Zimmermann suggested that there was a pressing need to lobby and
publicise the cause of mobile privacy in the press, outside the hacker
community, and this would take money to reach legitimate bodies and
operators. The community needed to identify decision makers and communicate
directly with them. Of course, this all takes effort and money, but he gave
as an example how the US crypto export policy was 'fixed' through sustained
effort. "You *can* get results with enough effort applied". He made the
point that if we become passive observers, we make the changes inevitable.
The general response to Zimmermann was along the lines of: you don't
understand how dense/determined European telcos are, and "If you thought the
crypto wars were bad, think of 43 DOJs" (Gus Hosein, describing the Council
of Europe). Zimmermann rebutted with a view that there had been a sea
change in the number of US congress discussions regarding privacy, that "if
we feel helpless, then we become paralysed", and "Let's get started - I
think we can win!"
A final teaser was the prospect of a new piece of 'research' allowing a
microcode change to a Nokia phone, allowing it to connect to the 'next'
cell over, rather than the current closest base-station. No source was
provided:-(
BadRAM: broken memory put to good use
-------------------------------------
Rick van Rein gave a brief but excellent talk about his Linux kernel patch
that lets the bad locations in 'faulty' RAM chips be listed at boot and
avoided by the OS: the affected page frames are marked reserved so the
allocator never hands them out (possible because Linux uses an MMU). It's a
similar concept to that used in the ZX Spectrum - apparently, faulty 64Kbit
chips were cheaper than 32Kbit chips, but usually only failed in the upper
or lower half, so the chips were tested and marked H or L, and then the
address bus was mapped accordingly.
One side effect of using 'faulty' RAM in PCs is the prevention of
dual-booting to a Microsoft OS (which cannot avoid the faulty RAM
locations.) Rick was very pleased about this strategy... Apparently
something like 50-70% of RAM chips are thrown away due to manufacturing
defects. The use of BadRAM could bring these back into use, and drop memory
prices even further.
The patch isn't in the kernel yet, because (rumour has it) Linus doesn't
like the idea of using broken hardware. Alan Cox, however does (allegedly).
Rick's had at least one person who is delighted with the patch, since they
can use their laptop (with soldered-on-the-motherboard failing RAM) again.
http://rick.vanrein.org/linux/badram/ (can't connect to site at present...)
DeCSS history, background and legal future
------------------------------------------
Tom Vogt spoke about the background to DeCSS, and the structure of the
various copyright and trademark enforcement bodies involved today. He gave
a persuasive argument that the entire DVD-standards enforcement industry
forms a restrictive cartel, and how the 218 pages of the CSS licence is
used to enforce such things as region codes, and 'hackability' of players,
far beyond the provisions provided by copyright law.
Tom also spoke about the 'European DMCA', the EU Copyright Directive, and
how national governments are likely to overshoot the required level of
restrictiveness in national law to ensure they meet the directive; and the
link between the oppression of Indymedia journalists in Genoa, with
Berlusconi and hard right/fascist politics, and the increasing consolidation
of mass media into singleton powerful interests (Murdoch, Haffa,
Berlusconi...).
Best quote: "The best historical example [of the reaction to DeCSS] is the
church's response to printing presses"
http://www.lemuria.org/DeCSS/
http://www.eurorights.org
The Cybercrime Convention
-------------------------
Gus Hosein and Andy Mueller-Maguhn spoke about the Council of Europe
Cybercrime convention. A very scary talk, with such wonderful warnings as:
In the current language of the convention, ISPs must accept Carnivore-like
devices, AND develop an interception capability. There will be increasing
problems along the lines of Dmitry Sklyarov's case, as the convention has
no requirement for 'dual-criminality' - so you could be tried in your own
country for an act that was completely legal there, but against the law
elsewhere.
Andy Mueller-Maguhn has been talking to AOL about children's internet
access, and filtering same. It was all going well, lots of agreement about
unsuitable content, and then someone suggested filtering adverts, and "it
all went quiet"... A week before the February 2000 DDoS attacks, there was
a big NIPC meeting in the US, to discuss budgets. There seemed to be huge
problems justifying the USD 2 billion for work against "cyber-terrorism".
Then the attacks on CNN and Yahoo happened, and everyone knew what
cyberterrorism meant. The budget was approved... Also, a German journalist
was quoted in the press as stating that a Dutch hacker group called 29A had
developed CodeRed, and that they'd likely be at HAL. 29A are actually
Spanish, and denied all responsibility for CodeRed, although they seemingly
did develop a proof of concept *virus* two years ago, called "red code"...
http://is.lse.ac.uk/staff/hosein/
http://conventions.coe.int
Worms - what is possible?
-------------------------
Jonathan Wignall gave a practical demo of a worm, and detailed the ideal
worm characteristics. He suggested the best place to release a worm would
be at a place where there might be a few thousand possible suspects... but
begged the audience not to do any such thing, as he'd be prime suspect...
Apparently, AOL users logged into the service access AOL FTP on
members.aol.com using anonymous/userid@aol.com.
To finish, he threw t-shirts and pens into the crowd. I haven't had my
photos developed yet, but with luck I should have a shot of him throwing
the pen that hit me right in the mouth. Might be worth a ticket to DNSCon
next year?
He claims the slides and sample worm at http://www.dnscon.org/hal2001/ will
be removed on Friday, so maybe better to quote his 'securing a server'
paper instead: http://www.dnscon.org/standard.rtf
Hosting controversial content: onshore, offshore, or online?
------------------------------------------------------------
Ryan Lackey gave a balanced view of the options, not favouring the use of
ex-anti-aircraft platforms declared autonomous constitutional democracies
at all...
An interview (by Christiaan Alberdingh Thijm) about Sealand following the
talk was more controversial, with some hard questions on the acceptable
usage policy of HavenCo (no child porn, but it has to be "actual real child
porn". And the only reason that's in place is because it's against the law
of Sealand (apparently)). Anyway, Havenco charge too much for anyone to
host porn there, but when pressed about a minimum age, Lackey suggested 18,
seeming to be making policies (or Sealand law) up as he went along.
Havenco are apparently making a small profit, having reached break-even
point, but even after two years, Ryan cannot sing the Sealand national
anthem, and doesn't have a Sealand passport ("I couldn't be bothered to get
a photo.") Havenco are however considering an offshore Sourceforge-like
server for controversial projects...
Wau Holland (CCC) Memorial Session
----------------------------------
Friday night, there was a memorial for CCC greybeard, Wau Holland. I didn't
know him, but many people (maybe a thousand) attended, and eulogies were
spoken. http://wauland.de/
HAL2001 Saturday:
Location privacy in mobile internetworking (IPv4 & IPv6)
--------------------------------------------------------
Alberto Escudero Pascual lectured about how mobile IP (v4) roaming could be
mapped by monitoring traffic forwarded from the home agent; and how even
though IPv6 solved this with a binding update that lets the packet
originator send data direct to the mobile user's care-of address, the
stateless auto-configured address embeds the globally unique MAC address as
its EUI-64 interface identifier, so the same 64-bit suffix reappears under
every prefix you visit and your roaming can be mapped just as easily. Not a
major issue, until IPv6 becomes the data carrier of choice in mobile
telephony with UMTS...
With capture from the 350+ 802.11 users on campus, Pascual demonstrated
that most users don't (or can't) change their MAC address, so maybe what
was needed was some random generation of MAC address. Not so random that it
stands out like a sore thumb (hello 12:34:12:34:56:78 !) but a random lower
3 bytes, and make the upper 3 bytes statistically allocated from the
vendor codes seen by the first hop router. (On the HAL WLAN, approx 80% of
the NICs were Lucent, 8% were Apple Airports, and the rest were sundry
other vendors).
http://www.it.kth.se/~aep/licentiate/ for his thesis.
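To make the tracking concrete, here is an added example (mine, not anything shown in the talk): it derives the EUI-64 interface identifier from a MAC, shows that the same suffix turns up under the link-local prefix and any foreign /64, measures the vendor (OUI) mix of a constructed capture the way the first-hop router would see it, and then draws replacement MACs with the OUI weighted by that mix and a random lower 24 bits. The capture is made up, and the OUIs 00:02:2d and 00:30:65 are labelled Lucent and Apple only as an assumption.

```python
import random
from collections import Counter

# Constructed sample of MACs as the first-hop router on a campus WLAN might
# see them (not a real capture). OUI labels are assumptions for the example:
# 00:02:2d stands in for Lucent/Orinoco, 00:30:65 for Apple, 00:04:e2 for
# "sundry other vendors".
CAPTURED_MACS = (
    ["00:02:2d:%02x:%02x:%02x" % (i, (i * 7) % 256, (i * 13) % 256) for i in range(80)]
    + ["00:30:65:%02x:%02x:%02x" % (i, (i * 3) % 256, (i * 5) % 256) for i in range(8)]
    + ["00:04:e2:10:20:%02x" % i for i in range(12)]
)


def mac_bytes(mac):
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("MAC must be 48 bits: %r" % mac)
    return b


def eui64_iid(mac):
    """Modified EUI-64 interface identifier: flip the universal/local bit of
    the first octet and splice 0xFFFE between the OUI and the NIC part."""
    b = mac_bytes(mac)
    iid = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6]
    return ":".join("%04x" % ((iid[i] << 8) | iid[i + 1]) for i in range(0, 8, 2))


def autoconf_address(prefix, mac):
    """Stateless autoconfigured address: <64-bit prefix>:<EUI-64 IID>.
    `prefix` is the textual /64 prefix as four groups, no trailing '::'."""
    return "%s:%s" % (prefix, eui64_iid(mac))


def same_interface(addr_a, addr_b):
    """Tracking heuristic: two autoconfigured addresses with identical
    interface identifiers almost certainly belong to the same NIC, whatever
    prefix (home, visited, link-local) they carry."""
    return addr_a.split(":")[-4:] == addr_b.split(":")[-4:]


def oui_distribution(macs):
    """OUI -> relative frequency, as a first-hop router would measure it."""
    counts = Counter(m.lower()[:8] for m in macs)
    total = sum(counts.values())
    return {oui: n / total for oui, n in counts.items()}


def random_mac(distribution, seed=None):
    """Draw an OUI in proportion to what is seen on the link, then randomise
    the lower 24 bits. The OUI is kept as-is (no locally-administered bit)
    so the new address does not stand out from the observed vendor mix."""
    rng = random.Random(seed)
    ouis = list(distribution)
    oui = rng.choices(ouis, weights=[distribution[o] for o in ouis])[0]
    nic = rng.getrandbits(24)
    return "%s:%02x:%02x:%02x" % (oui, nic >> 16, (nic >> 8) & 0xFF, nic & 0xFF)
```

The point of sampling the OUI from the observed distribution rather than picking one at random is exactly the "sore thumb" problem raised in the talk: an address whose vendor prefix never appears on that link is itself a tracking feature.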
DDoS: analysis, detection & mitigation techniques
-------------------------------------------------
Sven Dietrich gave a long and interesting talk about DDoS. Most interesting
points were:
Backscatter analysis (detecting DDoS from its effects elsewhere in the
net, through ICMP and other effects)
Distinguishing DDoS from the Slashdot effect (Slashdot referrals don't tend
to use odd protocols or curious packet flags/seq numbers etc)
The future: "Whack A Mole attacks"; Worm-based DDoS; and the up-and-coming
"worm wars" as mobile agents become much more sophisticated.
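An added example (not Dietrich's code) of the two detection ideas above, run over constructed packet records: backscatter inference from reply packets arriving at an unused /24, and the flag/sequence-number heuristic that separates a SYN flood from a flash crowd. The 2**32/monitor-size scaling assumes attack sources are spoofed uniformly at random, and the thresholds are illustrative, not tuned values.

```python
from collections import defaultdict

# --- Part 1: backscatter seen at an unused /24 (192.0.2.0/24) ---------------
# Constructed records: (time_s, src, src_port, dst, tcp_flags). Nothing in a
# dark block is ever solicited, so every reply-type packet is a clue.
MONITOR_PREFIX = "192.0.2."
MONITOR_SIZE = 256
REPLY_FLAGS = {"SA", "R", "RA"}   # SYN/ACK and RST: answers to spoofed SYNs


def _pkt(t, src, sport, host, flags):
    return (t, src, sport, MONITOR_PREFIX + str(host), flags)


DARKNET_SAMPLE = (
    # victim web server answering SYNs whose spoofed sources fell in our block
    [_pkt(0.01 * i, "198.51.100.5", 80, (37 * i) % 256, "SA") for i in range(200)]
    + [_pkt(0.01 * i + 0.005, "198.51.100.5", 80, (91 * i) % 256, "R") for i in range(50)]
    # a host retrying one stale connection to a single address: not a victim
    + [_pkt(1.0 * i, "203.0.113.9", 22, 77, "SA") for i in range(3)]
    # a port scanner: SYNs, not replies, so not backscatter at all
    + [_pkt(0.5 * i, "203.0.113.44", 33000 + i, 5, "S") for i in range(6)]
)


def infer_victims(packets, monitor_size=MONITOR_SIZE, min_distinct_dsts=16):
    """Group reply packets by source (the victim). A flood with uniformly
    spoofed sources sprays replies across the whole block, so insist on many
    distinct destinations before calling something an attack. The rate
    estimate scales what our slice of address space saw up to all 2**32."""
    seen = defaultdict(lambda: {"dsts": set(), "n": 0, "t": [], "kinds": set()})
    for t, src, _sport, dst, flags in packets:
        if flags not in REPLY_FLAGS:
            continue
        e = seen[src]
        e["dsts"].add(dst)
        e["n"] += 1
        e["t"].append(t)
        e["kinds"].add(flags)
    victims = {}
    for src, e in seen.items():
        if len(e["dsts"]) < min_distinct_dsts:
            continue
        duration = max(max(e["t"]) - min(e["t"]), 1e-3)
        observed_pps = e["n"] / duration
        victims[src] = {
            "packets": e["n"],
            "distinct_dsts": len(e["dsts"]),
            "observed_pps": observed_pps,
            "estimated_attack_pps": observed_pps * (2 ** 32 / monitor_size),
            "reply_kinds": sorted(e["kinds"]),
        }
    return victims


# --- Part 2: flash crowd or SYN flood, seen at the victim's own edge --------
# Constructed SYN records: (src, tcp_flags, initial_seq).
FLASH_CROWD = [("10.0.%d.%d" % (i // 256, i % 256), "S", (i * 2654435761) % 2 ** 32)
               for i in range(500)]
SYN_FLOOD = [("10.1.%d.%d" % (i // 256, i % 256), "SF" if i % 3 == 0 else "S", 0x12345678)
             for i in range(500)]

IMPOSSIBLE_FLAGS = {"SF", "SR", "SFRPAU", ""}   # combos no real TCP stack emits


def classify_inbound(syn_packets, odd_flag_ratio=0.05, min_seq_diversity=0.5):
    """Referral traffic is thousands of ordinary SYNs with varied ISNs; flood
    tools tend to use bogus flag combinations or a constant sequence number."""
    n = len(syn_packets)
    if n == 0:
        return "idle"
    odd = sum(1 for _src, flags, _seq in syn_packets if flags in IMPOSSIBLE_FLAGS)
    diversity = len({seq for _src, _flags, seq in syn_packets}) / n
    if odd / n > odd_flag_ratio or diversity < min_seq_diversity:
        return "ddos"
    return "flash-crowd"
```

The `min_distinct_dsts` guard is what keeps a single host retrying a dead connection (three SYN/ACKs to one address) out of the victim list; a real flood sprays replies across the block because the spoofed sources are random.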
Opportunistic encryption in IP security
---------------------------------------
John Gilmore spoke about the new opportunistic encryption (keeping public
keys in the text records in the DNS, and encrypting traffic whenever
possible) in the FreeSWAN (IPsec) code, while Hugh Daniel prepared a demo
and bitched about how xinetd was so broken on RedHat ("why did they take
chargen away! This is what's *wrong* with 'security experts' - don't take
functionality away")
Apparently, the overhead for opportunistic encryption isn't too bad (less
than 1 second in most cases, and much less when caches are well populated).
However, as DNS is vulnerable to spoofing, this is only secure against
passive (sniffing) attacks. It requires DNSsec to prevent someone feeding
fake keys and actively attacking the IPsec session.
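An added simulation (not FreeSWAN code) of why unsigned DNS key discovery only defeats a passive sniffer. The initiator looks up the peer's public value in a TXT record and derives a Diffie-Hellman session key from it; a resolver whose answers can be spoofed lets an active attacker substitute their own value, while a policy that insists on DNSSEC-validated answers refuses instead. The record layout is modelled from memory on FreeSWAN's X-IPsec-Server(...) TXT convention, the DH group is a toy, and the hosts and addresses are invented; all of those are assumptions.

```python
import hashlib
import secrets

# Toy DH group: 2**521-1 is prime, but this is not a vetted IKE group and the
# hash is only there to turn the shared secret into a comparable key string.
P = 2 ** 521 - 1
G = 5


def dh_pub(priv):
    return pow(G, priv, P)


def dh_key(priv, peer_pub):
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(66, "big")).hexdigest()


class Host:
    def __init__(self, ip):
        self.ip = ip
        self.priv = secrets.randbelow(P - 2) + 2
        self.pub = dh_pub(self.priv)


def txt_record(gateway_ip, pub):
    # Assumed layout, after FreeSWAN's "X-IPsec-Server(prio)=gateway key".
    return "X-IPsec-Server(10)=%s %x" % (gateway_ip, pub)


def parse_txt(txt):
    gateway, key = txt.split("=", 1)[1].split(" ", 1)
    return gateway, int(key, 16)


def reverse_name(ip):
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


class Resolver:
    """name -> (txt, dnssec_validated). A spoofer who wins the reply race
    chooses the txt, but cannot make a forged answer validate."""
    def __init__(self, answers):
        self.answers = answers

    def lookup(self, name):
        return self.answers[name]


def initiate(me, peer_ip, resolver, require_dnssec):
    """Opportunistic initiator: find the peer's key in DNS, derive a session
    key. Returns None when policy says the key cannot be trusted."""
    txt, validated = resolver.lookup(reverse_name(peer_ip))
    if require_dnssec and not validated:
        return None
    gateway, peer_pub = parse_txt(txt)
    if gateway != peer_ip:
        return None
    return dh_key(me.priv, peer_pub)


def scenario(active_attacker, require_dnssec, zone_signed=False):
    """Who ends up holding the initiator's session key?"""
    alice, bob, mallory = Host("192.0.2.1"), Host("198.51.100.7"), Host("203.0.113.66")
    honest = (txt_record(bob.ip, bob.pub), zone_signed)
    spoofed = (txt_record(bob.ip, mallory.pub), False)   # forged answers never validate
    resolver = Resolver({reverse_name(bob.ip): spoofed if active_attacker else honest})
    key = initiate(alice, bob.ip, resolver, require_dnssec)
    if key is None:
        return "refused"
    # alice.pub crosses the wire, so Bob and any eavesdropper both see it.
    if key == dh_key(mallory.priv, alice.pub):
        return "mitm"        # Mallory can decrypt, and relay to Bob unnoticed
    if key == dh_key(bob.priv, alice.pub):
        return "private"     # only Bob shares it; a sniffer learns nothing useful
    return "broken"
```

The honest-but-unsigned case is the one to notice: with a strict policy, opportunistic encryption over plain DNS never gets off the ground at all, which is why the talk tied its active-attack resistance to DNSSEC deployment rather than to anything in the IPsec code.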
Quote from Bruce Schneier on doing an analysis on IPsec Key Exchange: "I
found six obvious things [problems], so I stopped there". Daniel: "IKE was
designed by two of the dumbest entities I know - The US Government and
business".
Daniel also thinks PGP is a "piece of crap", and wants to use finger (also
missing from his xinetd) for key distribution in webs of trust. He is
"talking seriously about redesigning the internet" - all of our APIs have
to be thrown away, and "FTP has to die".
The best quote, however, was one of Robert Morris Sr's: "when looking to
see if crypto is working, always look for plaintext"
http://www.freeswan.org
The daily security practice at an ISP
-------------------------------------
The room was too full for me to get a seat, or even see the screen! So not
much in the way of notes, except:
Scott McIntyre on worms (CodeRed especially): "Some people just have way
too much free time - get a job!"
Heckler: "Or a girlfriend!"
The tragedy of software quality in OS/GPL systems
-------------------------------------------------
Hugh Daniel (manager of the FreeSWAN project) is going to live in the
asteroid belt before he dies, and he's not going there on open source
software, cos it sucks, big time. Actually, he was making an important
point about the lack of code reuse and learning from mistakes in open
source. A couple of versions of something is okay, but is it really
necessary to have ten separate implementations, just so people can appear
on freshmeat?
Just a very long whinge, really.
Ten years of open PGP
---------------------
Phil Zimmermann was going to talk on Hushmail 2.0, but instead decided to
ramble about the history of PGP.
Half of all the email he gets about backdoors in PGP is from Germans. He
got an awful lot of questions after the DoJ dropped the case. Most of the
emails are in a "sort of quiet tone - it's okay, you can tell me if it's
backdoored, I won't tell anyone..."
Quote: "For some reason, cryptography attracts paranoid people"
He went on to explain the cycle of acquisitions that meant PGP (after it
was bought by NAI) joined, left and rejoined the Key Recovery alliance. In
the end, NAI simply didn't pay any more subscriptions, and *still* had to
force the alliance to take the company name off the roster on the website.
Zimmermann stated that PGP 6.5.8 was the last version NAI published the
source for, so was the last practically trustworthy version, but he worked
on 7.0.1, and it was the same code. Zimmermann left before 7.1, but reckons
it is probably okay, but wouldn't try to convince anyone of that... Some
people in the audience refused to trust anything later than 2.6.3i, which
Zimmermann was pleased about - that was still all his code (although the
latest versions do still have a command line interface apparently, which is
just ported from his original work).
Zimmermann also predicted the death of S/MIME ("it will go the way of
PEM"), and publicly called for Adobe to actively contribute to
Sklyarov's case (against the DoJ).
Wearable Computing
------------------
Marcus Wolschon (ably assisted by Martin Ling) gave a brief overview of
wearable computing, and then turned the rest of the session into a
show-and-tell. Not much new to anyone who's read the wear-hard mailing list
(http://wearables.blu.org) but good the see the hardware in the flesh (as
it were).
Most important info was the apparent ease of making a head-mounted display
out of a videocamera eyepiece. Allegedly all that is required is a
composite video input, and suitable power as per the donating camcorder.
http://www.informatik.uni-rostock.de/~mawol/hal2001/
Hacker Ethics from 1984 to 2001
-------------------------------
Panel discussion (Emmanuel Goldstein, Andy Mueller-Maguhn (CCC), Rop
Gonggrijp. Chair: Francisco van Jole) in which the panel got some grief for
not being more outspoken. Mueller-Maguhn got sharply criticised for
suggesting that ethics were purely a personal choice.
Emmanuel Goldstein: During the recent troubles, 2600 got lots of email
urging them to attack China, all of it from Hotmail accounts. Hotmail
records the sender's IP address in an X-Originating-IP header, so 2600
looked these up. They were *all* from .mil domains.
Drugs and Thought Crime
-----------------------
John Gilmore (funder of the FreeSWAN project) does drugs. He has a friend
(the inventor of MDMA) who designs drugs, and Gilmore is part of the select
circle who get to try these out.
He's also committed to donating USD 10 million over the next ten years to
support drugs studies.
Quote: "In some companies you pass a drug test by having no drug residue in
your urine. In others, you pass by bringing better drugs than the boss".
HAL2001 Sunday:
Future directions in operating systems
--------------------------------------
Hugh Daniel's third talk - hopefully trying to come up with some answers to
his previous complaints. For many years now, he's been looking for the next
better tool than Unix. Some people have tried to help: "Hey Hugh, don't you
know Pascal and VMS is the future?"
He thinks there is a need to jack a new OS under Linux (sort of like the
way the real-time kernels do). Security is vital, and he's "really
embarrassed about buffer overflows" in open source software.
Quoting an aircraft engineer: "My job is killing people. That's what
aircraft engineers do unless they're *really good*"
Some useful ideas:
+ Secure booting - making sure the OS is the first OS running on the tin,
and not under some emulated layer.
+ Capability-based OS (EROS is the only current implementation of this) -
it becomes trivial to freeze the OS, and change the hardware underneath.
Okay, so maybe modern laptops can do this, but KeyKOS (1970s - the only OS
the NSA bought externally) ran on IBM 360s - one of which ran continually
for 10 years from IPL.
Mobile Security
---------------
Zoltan Kincses and Zoltan Hornak of the University of Budapest belaboured the
point (beyond a joke) that all the information in their presentations on
SIM card cloning, and wireless interception was freely available on the
internet, as were all the images, so they could not be in breach of any
copyright law, and would all the police therefore leave the room...
There are some interesting physical attacks on SIM card PINs. It used to be
the case that a 'bad point' (a failed-attempt mark) was written to the SIM
for each wrong PIN guess, and this required a higher voltage to write than
was required to read. Limiting the supply voltage meant the failed guess
could not be recorded, and guessing the PIN by brute force became possible.
This was fixed by writing the 'bad point' before the PIN comparison, and
then using a write to erase it on success. However, at certain temperatures
SIMs can read but not write, so the brute force attack becomes possible
again through temperature control...
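An added toy model (mine, not the presenters') of the counter designs described above, with a brute-force loop run against each under a write fault: the EEPROM model's `writes_ok=False` stands in for an undervolted or chilled card whose reads succeed while writes silently do nothing. The third variant is the hardening a practitioner would want: read the bad point back and refuse to compare if it did not land, so the card fails closed rather than open.

```python
class SimEeprom:
    """Toy model of the failed-attempt counter ('bad points') in SIM EEPROM.
    writes_ok=False models the fault from the talk: reads still work, writes
    are silently lost (low supply voltage on old parts, temperature later)."""
    def __init__(self, writes_ok=True):
        self.bad_points = 0
        self.writes_ok = writes_ok

    def write(self, value):
        if self.writes_ok:
            self.bad_points = value

    def read(self):
        return self.bad_points


MAX_BAD_POINTS = 3   # GSM: three wrong PINs and the card demands the PUK


def verify_count_after(pin, eeprom, guess):
    """Original design: compare first, record the failure afterwards."""
    if eeprom.read() >= MAX_BAD_POINTS:
        return "blocked"
    if guess == pin:
        eeprom.write(0)
        return "ok"
    eeprom.write(eeprom.read() + 1)
    return "wrong"


def verify_count_before(pin, eeprom, guess):
    """The fix described in the talk: charge a bad point before comparing,
    refund it on success. Still fails open if the write never lands."""
    before = eeprom.read()
    if before >= MAX_BAD_POINTS:
        return "blocked"
    eeprom.write(before + 1)
    if guess == pin:
        eeprom.write(0)
        return "ok"
    return "wrong"


def verify_count_before_checked(pin, eeprom, guess):
    """Added hardening (assumption, not from the talk): read the counter back
    and refuse to compare unless the bad point is really stored."""
    before = eeprom.read()
    if before >= MAX_BAD_POINTS:
        return "blocked"
    eeprom.write(before + 1)
    if eeprom.read() != before + 1:
        return "error"   # write fault: say nothing about the PIN at all
    if guess == pin:
        eeprom.write(0)
        return "ok"
    return "wrong"


def brute_force(verify, pin, eeprom):
    """Try every 4-digit PIN until success or lockout: (pin_found, attempts)."""
    for attempt in range(10000):
        guess = "%04d" % attempt
        result = verify(pin, eeprom, guess)
        if result == "ok":
            return guess, attempt + 1
        if result == "blocked":
            return None, attempt + 1
    return None, 10000
```

With writes working, all three designs lock the card after three wrong guesses. With writes faulted, the first two hand over the PIN after an exhaustive search, because the counter that should have stopped them was never persisted; only the read-back variant stops the attack, at the price of refusing service to a legitimate user on a faulty card, which is the right way round.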
Apparently, every 10th person now has a mobile phone, and GSM networks are
present in more countries than McDonald's. There are more mobile
end-stations than internet-connected devices, and it is predicted that by
2003, there will be more mobile internet-capable devices than fixed.
http://cuba.xs4all.nl/hip
Other Notes:
Oddest sight: A 6'6" cross-dressing Lara Croft-alike
Scariest thing: having a 220V feed to my tent, while it was pissing down
with rain.
Worst thing about the rain: It blew away the (outdoors) propagation of the
802.11b Wireless LAN.
Most unsurprising event: The bar ran out of Jolt...