Saturday, September 27, 2008

The Last Hope Conference

It’s been a busy summer and I’m just now posting on some of the conferences that I attended. Everyone enjoyed The Last Hope, and we are now looking forward to The Next Hope!

Here are some links from the talks that I attended. You can catch recordings of all of the HOPE talks over at The Last Hope Web site. There were many presentations that I wished I could have attended; however, the conference had three tracks running simultaneously, plus an ad-hoc fourth track, and I haven't yet figured out how to hack myself. Some of the talks were repeated the following week at DefCon.

The (Im)possibility of Hardware Obfuscation
By Karsten Nohl

This talk was incredible, and set the pace for the rest of my conference experience.

The MBTA subway hack paper by a group of MIT students is related, so I have posted a link here. Is NYC susceptible to this same vulnerability? The next NY Metro InfraGard meeting will be held at MTA Headquarters, and will focus on physical security. I’m hoping to contribute.

Maintaining a Locksporting Organization and Breakthroughs in the Community
By Doug Farre, Jon King

Watch rock star Jon pick a Medeco lock using his “Medecoder” tool.

Citizen Engineer - Consumer Electronics Hacking and Open Source Hardware
By Phillip Torrone, Limor Fried

In her presentation, Limor dissected a retired public telephone and turned it into her home phone. Very cool. I recommend her cell phone forensics kit. Also, if you’ve heard about the mp3 player made out of an Altoids tin, it too was a project of Lady Ada.

The Attendee Meta-Data Project
By LexIcon, Daravinne, Neo Amsterdam, Aestetix, Echo, Dementia, Matt Joyce, Christopher Petro

I didn’t actually make it to this one, but like so many of the presentations that I didn’t make it to, it really interested me. I’m streaming the audio online as I type, and according to the audio, they had enough of these special RFID badges to fit about half the number of attendees. Those people were then viewed as objects in a “live” database--sort of like social networking on crack, and general crowd movement could be tracked, for example congestion around the elevators or certain vendor tables.

Wikipedia: You Will Never Find a More Wretched Hive of Scum and Villainy (Partial)
By Virgil Griffith

I really just caught the last 5-10 minutes of this one, but it created quite a buzz.

Introduction to MCU Firmware Analysis and Modification with MSP430static
By Travis Goodspeed

I wanted to catch this one as it seemed interesting and he’s a friend-of-a-friend, but didn’t quite make it.

Introduction to the Open Web Application Security Project (OWASP)
By Tom Brennan

OWASP is home to WebGoat and many other wonderful projects. I just attended their NYC conference and will post that information as time allows.

Advanced Memory Forensics: Releasing the Cold Boot Utilities
By Jacob Appelbaum

Autonomously Bypassing VoIP Filters with Asterisk: Let Freedom Ring
By Blake Cornell, Jeremy McNamara

A Collaborative Approach to Hardware Hacking: NYCResistor (Partial)
By Bre Pettis and Friends

I support NYC Resistor and find the group a really welcoming bunch.

Technical Surveillance Countermeasures (Electronics Surveillance and Bug Detection)
By Marty Kaiser

Marty Kaiser has been involved with digital security and surveillance for as far back as most of us have memory. Listening to Marty was like hearing an old-fashioned radio show, filled with great stories. He brought up the infamous Russian Seal Bug, which is a fascinating piece of history. I could have spent the rest of the day just listening to more pieces from his past (and present) experiences.

A Convergence of Communities
By John Strauchs

Mr. Strauchs touched on something that’s increasingly important: IT Security + Physical Security. Can you have one without the other? His talk reminded me of an RFID crack that I’d heard about recently. It’s by Chris Paget at IOActive, Inc. This was not part of the HOPE Conference, but it’s tangentially related, so I thought it worth mentioning. View a video demonstration of Chris using the device here.

Crippling Crypto: The Debian OpenSSL Debacle
By Jacob Appelbaum, Dino Dai Zovi, Karsten Nohl


Keynote Address
By Steven Levy

Methods of Copying High Security Keys
By Barry Wels, Han Fey

I won a lock-pick at this very interesting presentation.

Port Knocking and Single Packet Authorization: Practical Deployments (Partial)
By Michael Rash

Bagcam - How Did TSA and/or the Airlines Manage to Do That to Your Luggage?
By algormor

These videos are a must-see!

Featured Speaker
Steven Rambam

Basically this guy’s a PI on crack, brilliant! And if you ever need to track someone down, he will find them.

Part 1

Part 2

Social Engineering
By Emmanuel Goldstein and Friends

One ploy involved Emmanuel phoning a luxury hotel in NYC (Ritz Carlton?) and confirming their bed-bug eradication assignment in the morning.

Featured Speaker
Kevin Mitnick

Kevin Mitnick handed out his ingenious business card that doubles as a lock-picking set to the first few hundred who lined up after he spoke. I remember way back when, working at one of the few ISPs in NYC. The choices were pretty much PANIX or ECHO. I worked at ECHO for Stacy Horn, and Kevin did too. The rest, they say, is history.

PenTest Labs Using LiveCDs
By Thomas Wilhelm

Mr. Wilhelm is a genius and wants to share everything he has learned with everyone. His generosity and attitude are infectious. I highly recommend downloading his lab.

Pen Testing the Web with Firefox
By DaKahuna & theprez98

Identification Card Security: Past, Present, Future
By Doug Farre

How to craft your own holographic IDs.

I didn’t catch this one, but Cheshire sent me some of his own links from the conference that I thought were handy.

Warrantless Laptop Searches at U.S. Borders
By Decius

YouTomb - A Free Culture Hack (Partial)
By Oliver Day, Dean Jansen, Quentin Smith, Christina Xu

I didn’t catch all of this one, but what I did grab was quite interesting. Here’s a blurb from their site:

“YouTomb continually monitors the most popular videos on YouTube for copyright-related takedowns. Any information available in the metadata is retained, including who issued the complaint and how long the video was up before takedown. The goal of the project is to identify how YouTube recognizes potential copyright violations as well as to aggregate mistakes made by the algorithm.”

Postal Hacking

I’ve included the above video link to a different presentation that he gave, but there was some overlap. This was quite an entertaining talk.

Strengths and Weaknesses of (Physical) Access Control Systems
By Eric Schmiedl, Mike Spindel

This talk was very engaging. The example of using a yellow highlighter pen (it blends in on the keypad) on your finger to track the order on a keypad (under UV lighting) was an interesting concept.

No-Tech Hacking
By Johnny Long

The icing on the cake. Pure fun!

This next (and last but NOT least) link is not from HOPE, but was released at DefCon from a colleague of mine, Kevin Johnson. I thought it fitting to include. It’s a “Live” Web Penetration Testing CD called Samurai. Some of you know Kevin better as The Hacker Princess…Long live the princess!
