The seventh and last HOPE (Hackers on Planet Earth) conference took place last weekend, bringing the 14 year old biennial hacker con to an end. Emmanuel Goldstein (Eric Corley), publisher of 2600 magazine, has been the brains behind this production, providing a forum for presenting the true philosophical concepts of hacking culture. In contrast to the acquired reputation of hacking, that of malicious digital thievery, this conference hosts hacking in the traditional sense-those who possess a strong technological curiosity to understand how things work, with an equally strong desire to know why they don't, and to inform the public with security truths.
Fundamentals of the hacker lifestyle include, the improvement of scientific processes, helping people achieve technological independence, creating self-reliant communities through education, and providing eco-friendly solutions for modern living. These were demonstrated in a number of the presentations and workshops at this year's HOPE.
However, since this was still technically a hacker con, included were the usual presentations of clever exploits, reverse engineering, and new creative security measures and evasion techniques. For our infosec purposes, this is all we really care about.
Compared to other venues, there were a lot of diverse talks presented during the three day event. With approximately 100 different options for quenching your cognitive thirst for knowledge, I've limited my coverage to those relevant to information security.
The event started off with the Attendee Meta-Data Project (AMD), where numbered badges with active RFID chips were handed out during registration. Once individuals submitted biographical information at the project website, their movement was tracked for next three days. Locational data was collected and processed to provide real time visualizations of the position and movement of participants. This project demonstrates a simple and scalable framework for developing behavioral pattern studies on individual autonomy vs. dynamic group collaboration. Then again, I'm pretty sure a bit of RFID badge hacking occurred within the first 20 minutes.
There were some interesting discussions on the practices and procedures of the TSA. The Bagcam project (from Notacon), exposing the realities of check-in luggage security, consisted of outfitting a small suitcase with a pinhole camera DVR system. The select footage presented, from various domestic flights, was disappointing to those expecting a "baggage handlers gone wild" montage. Another talk on travel and TSA guidelines called, "Packing and the Friendly Skies", introduced a unique luggage security strategy involving firearms. Federal law requires the securing of check-in baggage containing firearms, with non-TSA approved locks, and prohibits opening by any travel staff. Therefore, a simple procedural exploit gives travelers a new method for ensuring the safety of their luggage contents. Although this may be less effective if there was a large TSA turnout at HOPE, due to the numerous presentations on lock picking.
There was a strong showing from the DIY hardware hackers. Despite their longtime presence, this community of technologically creative and resourceful inventors has recently been popularized by mainstream media, largely due to the success of Make Magazine. This was reflected in this year's HOPE agenda, with demonstrations of microcontroller projects, electronic art, presentations on hacker spaces and the launch of Citizen Engineer-a site featuring "how-to" videos of some of the coolest home hardware hacking projects. I learned how to build a Cray X1E using common household items.
Michael Rosh talked about the often underutilized packet layer of security. Highlighting the use of single packet authorization (SPA) and port knocking, he covered the use of fwknop, iptables and ipfw, as well as addressing advanced issues of covert channel use and Tor integration. For a great overview on port knocking, read this.
Other topics of discussion included the cryptographic problems plaguing debian systems, a "how-to" session involving honeypots and IDSs, a vulnerability analysis of the ES&S e-voting system, an introduction to OWASP and an overview of IPv6.
Due to the sheer volume of content, it is impossible to provide all of the talks the journalistic coverage they deserve....in a blog. Although, some of the other security presentations included XSS vectored MITM attacks, VLAN Layer 2 attacks, VoIP vulnerabilities, PGP and PKI key management, new analogies for threat modeling and pen testing with Firefox.
Any reporting or write-ups of HOPE are grossly incomplete without mentioning the ultimate highlight for all hackers --the social engineering panel. This consisted of Mr. Corley's traditional live performance of telephone social engineering and included swapping war stories with hacker legend, Kevin Mitnick.
The end of the weekend was sobering for many, as it became a reality that this was indeed the last HOPE conference. With a prime location for development adjacent to Penn Station, HOPEs home venue, the Hotel Pennsylvania , is planned for demolition by Vornado Realty Trust. However, the historic hotel's continued financial success has led to some strategical reconsideration by Vornado CEO, Steven Roth.
As it stood (PUN...yes), with demolishment plans currently postponed, veteran attendees were set to leave NYC with half-hearted dreams of a future HOPE. Perhaps giving hope for HOPE...
Just when everyone thought the hacking had ended, the final one was revealed. At the conclusion of the event, with the deceptive confidence of a social engineer, the event planners officially announced that the Next HOPE will take place in 2010....at the Hotel Pennsylvania.
I HOPE you will send your comments to: email@example.com