HOPE X VIDEO FILES "O-Y"

Play Obfuscation and its Discontents: DIY Privacy from Card Swap to Browser Hack

Fri, 18 Jul 2014 12:00 (Olson)

Data collection, aggregation, and mining have dramatically changed the nature of contemporary surveillance. Refusal is not a practical option, as data collection is an inherent condition of many essential societal transactions. In this talk, we discuss one response to this type of everyday surveillance, a tactic called obfuscation. Tactical obfuscation can be defined as the strategy of producing misleading, false, or ambiguous data with the intention of confusing and/or inhibiting an adversary. Because obfuscation is relatively flexible in its use by average citizens as well as by experts, it holds promise as a strategy for DIY privacy and security. This talk presents a brief overview of obfuscation as political theory, including contemporary and historical examples, then focuses on two recent systems that address data collection: TrackMeNot, which shields searchers from surveillance and data profiling, and Ad-Nauseam, which targets advertising networks that track users across the web. The talk concludes with a consideration of the ethics of obfuscation as representative of a class of strategies whereby weaker parties can both protect against and confront stronger adversaries.
Speakers: Daniel C. Howe

Play Per Speculum In Ænigmate

Fri, 18 Jul 2014 17:00 (Olson)

In the fall of 2013, artist Maximus Clarke was inspired by news of government and corporate surveillance to create an art project about privacy that could also function as a secure messaging system. The result is "Per Speculum in Ænigmate" - Latin for "through a glass darkly" - combining stereo imagery and PGP encryption. Each project image is an anaglyph 3D photo of a nude model, obscured by pixelation and overlaid with an encrypted message sent by one of the project participants. Message recipients are able to download images from the project site (http://psiae.tumblr.com) and decrypt the embedded texts, without the artist ever reading them. This presentation will showcase the project images in glorious old-school red/blue 3D (glasses will be provided), and discuss the concepts, technologies, and processes involved in their creation.
Speakers: Maximus Clarke

Play Postprivacy: A New Approach to Thinking about Life in the Digital Sphere

Fri, 18 Jul 2014 19:00 (Olson)

The social construct of privacy is rather new, a result of the civil society. It was supposed to protect people from the state and/or government and its overreach, a "right to be let alone," as one of the central legal texts defined it. Privacy promised a safe space for the individual to develop new ideas without premature criticism and discrimination, a space where individual freedom unfolded. Did it really deliver on that promise? And was that the promise we needed as a society? Privacy isn't dead as some people might want to tell you, but it has changed significantly in its definition, in its relevance. And it no longer works as the central foundation of our social utopias. Private people are alone, powerless, and often invisible when faced with exactly those powerful entities that the Internet was supposed to help us fight (corporations, government agencies, etc.). Under the blanket term #postprivacy, some people have started developing ideas on how to rethink how we can harness not only the power of the Internet but the powers, ideas, and skills of each other. How will we as a social structure work between social networks, government snooping, and encryption? How can we save and form the future? This talk will give you a few new ideas.
Speakers: tante

Play PRISM-Proof Email: Why Email Is Insecure and How We Are Fixing It

Sun, 20 Jul 2014 14:00 (Manning)

We have had the technology to make email secure against criminals and government spies for decades. Microsoft, Netscape, and Apple have all shipped products with built-in encryption for over 15 years, yet almost nobody uses these features. Millions of people were very upset by the recent Snowden revelations - why aren't millions of people using secure email and, more importantly, how do we fix it? A part of the reason for the lack of email security is rooted in politics. During the 1990s, cryptography rights activists battled with the NSA and FBI for the right to use strong cryptography, a series of events known as the cryptowars. One part of the problem is that two email security standards emerged rather than one, neither of which is capable of fully replacing the other. But the biggest part of the problem is that any system which requires the user to be thinking about security is too hard to use. This talk will be looking at the history and future of email encryption technology. No prior knowledge of cryptography will be assumed.
Speakers: Phillip Hallam-Baker

Play Privacy-Friendly Hypertext? Do Not Track, Privacy Badger, and the Advertising-Funded Web

Sun, 20 Jul 2014 18:00 (Manning)

This talk will introduce the design and implementation of Privacy Badger, EFF's new browser extension that automatically blocks both invisible trackers and spying ads. It is intended to be a minimal- or zero-configuration option that most Internet users can use to prevent nonconsensual third party collection of their reading habits from their everyday browser. Privacy Badger couples the recently developed HTTP Do Not Track opt-out header with a number of heuristics for classifying the behavior of third parties to automatically determine which should be blocked, which are needed but should have cookies blocked, and which are safe from a privacy perspective. Peter will also talk about the bigger picture on the role that nonconsensual commercial surveillance has come to play in the business and technical infrastructure of the Web; and what we can do to build better alternatives.
Speakers: Peter Eckersley

Play Project PM: Crowdsourcing Research of the Cyber-Intelligence Complex

Sat, 19 Jul 2014 17:00 (Serpico)

In April 2013, the FBI sought information on what the journalist Barrett Brown was doing with an open source collaborative wiki that he founded called Project PM, and were equally as curious about what kind of dirt he had on his hard drives about the government contractors and intelligence firms he investigated on that site. Edward Snowden's leaks about the NSA have since exposed only the tip of the iceberg with regards to how much the U.S. intelligence community is capable of, and those efforts are largely assisted by the likes of companies who Project PM set out to research: Ntrepid, Abraxis Hacking Team, Cubic, Endgame, Palantir, and others. Now, more than ever, is the time to collect and analyze open source information about the shadowy companies who operate on behalf of the U.S. government, often without being held accountable.
Speakers: Andrew Blake; Lauren Pespisa; Kevin Gallagher; Joe Fionda; Douglas Lucas

Play #radBIOS: Yelling a Database across the Room

Sat, 19 Jul 2014 10:00 (Olson)

How can you distribute digital information using only sounds and computers? Frustrated by the lack of compatibility of wireless hardware in the wild, it was concluded that the audible spectrum was the One True Way to distribute knowledge. This talk will introduce Groundstation, an append-only graph database, and detail the journey of integrating it with the unambiguous encapsulation research of Ossmann/Spill to achieve its ultimate goal - the audible sharing of digital knowledge.
Speakers: Richo Healey

Play The Repair Movement

Fri, 18 Jul 2014 10:00 (Manning)

Mending (or fixing/repairing) - part of the spectrum that includes hacking, alteration, and making - can become a political act in a time of cheap goods, outsourced labor, and low wages. What is mending's role in a new model of production and consumption, one where artisans and individuals face off, perhaps quixotically, against mass production? Can repair become economically viable? How does mending contend with goods that are poorly made in the first place, when globalization undermines local resources, when companies design objects AND supply chains to be repair-resistant? Panelists from the repair movement will discuss the opportunities as well as the barriers to making repairs in the human realm: social (habits and systems), economic (prices, labor), and technical (parts, design). Repairing things, rather than discarding or putting up with broken objects or systems, connects deeply to the hacker/maker movement and to sustainable ecology. Panelists will address how repair can be beautiful as well as potentially disruptive. This panel includes activists and artists, attorneys and organizers - drawn to repair as process and performance. An act of repair has the possibility of political significance or an act of resistance, and brings the possibility of transformation to ordinary objects and larger systems alike.
Speakers: Sandra Goldmark; Vincent Lai; Miriam Dym; Tiffany Strauchs Rad

Play Reverse Engineering - Unlocking the Locks

Sat, 19 Jul 2014 19:00 (Olson)

If you can't tear it apart, drive it, or modify it, do you really own it? This talk seeks to free a Kwikset PowerBolt and show you how to reverse engineer and take back control of your life. The Kwikset PowerBolt lock has support for a Z-Wave module. You will learn how to diagram the function of all the ICs on the Z-Wave daughter board and the Kwikset main board, how the interfaces are used across the board, how the components are connected to each other, how to spy on the traffic, and finally how to replace the Z-Wave module with your own daughter board created in gEDA. This knowledge will give you the freedom to lock and unlock your front door in any way you can imagine. This talk will teach you how to use a multimeter to test for continuity and voltage, a bus pirate to quickly test protocols, logic analyzer tools to sniff traffic on the board, and other electrical tools. You will learn how to diagram a system at the flow chart and schematic level and best practices on how to learn a system.
Speakers: Matthew O Gorman aka mog

Play Rickrolling Your Neighbors with Google Chromecast

Fri, 18 Jul 2014 21:00 (Serpico)

Take control over your neighbors' TVs like in the movies! The Google Chromecast is a handy little gadget that lets you stream video to your TV from a variety of sources like Netflix and YouTube. It also happens to allow streaming from nearby hackers. This talk will demonstrate how to hijack any Google Chromecast - even if it's behind a secure Wi-Fi network - to do your bidding. A new tool will also be released to fully automate the hijacking and playing of arbitrary video to the victim's TV. Let the prank war commence.
Speakers: Dan Petro

Play The Science of Surveillance

Sun, 20 Jul 2014 13:00 (Olson)

The National Security Agency is bound by legal constraints. It hasn't always followed the rules, to be sure. But when it does, are constitutional and statutory safeguards effective in protecting our privacy? This talk presents empirical computer science research on the NSA's legal restrictions, including results cited by President Obama's intelligence review group. We find that present limits on bulk surveillance programs come up far short. Authorities intercept international Internet traffic and enable the monitoring of ordinary Americans' online activities. The domestic telephone metadata program reaches much of the population, and allows for drawing extraordinarily sensitive inferences about medical conditions, firearm ownership, and more.
Speakers: Jonathan Mayer

Play A Sea of Parts

Sat, 19 Jul 2014 21:00 (Olson)

Have you heard of Self Re-Configuring Modular Robotics (SRCMR)? This new technology enables robotic modules to configure themselves into whatever you need, whenever you need it, which offers many benefits. If we could create a common pool that modules can be drawn from when they are needed and returned to when they are not, we could further leverage the benefits of SRCMR. The challenge is that the pool is not intrinsic to an SRCMR system; we need to create it. We need a new understanding of our common resources and an acceptance for sharing them. If we can create the pool or "a sea of parts," it will bring the same benefits to physical systems that shared web hosting has brought to the web. This will allow quick and cheap development and deployment of new ideas.
Speakers: Per Sjoborg

Play SecureDrop: A WikiLeaks in Every Newsroom

Sat, 19 Jul 2014 12:00 (Manning)

SecureDrop is an open-source whistleblower submission system that media organizations can use to securely accept documents from and communicate with anonymous sources. The platform has been deployed and is being actively used by an array of journalistic organizations to provide a secure and usable platform for whistleblowers to get in touch with journalists while protecting their own identity. The talk will begin with a broad overview of the project and then go into more detail: what does the network architecture look like, what does it provide, and what cryptographic primitives are used?
Speakers: William Budington; Garrett Robinson; Yan Zhu

Play Securing a Home Router

Sun, 20 Jul 2014 15:00 (Olson)

Routers sit between all your computing devices and the Internet, making them a perfect target for abuse (Glenn Greenwald has written about the NSA hacking into them). The presentation will explain some of the configuration options in home routers that can make your Local Area Network more secure. Among these are locking down access to the router, Wi-Fi security, firewalls, DNS, and hiding on the Internet. Also covered are known security flaws in routers and how to defend against them. Some of the covered flaws are: WPS, UPnP, port 32764, Heartbleed, and smartphones leaking Wi-Fi passwords.
Speakers: Michael Horowitz

Play The Sex Geek as Culture Hacker

Sat, 19 Jul 2014 23:00 (Serpico)

"Being a nerd is not about what you love; it's about how you love it." Wil Wheaton's words ring true for many self-identified geeks and nerds. But what happens when what you love is "love," or even "lust?" Geeks have never been more cool, but mainstream culture is full of negative messages about sex and pleasure. Combining nerd enthusiasm and geek know-how with erotic experiences results in writings, DIY toys, citizen science, and other projects which can promote sex-positivity and consent culture. In this talk, Kristen "where did this b!tch get her doctorate" Stubbs shares stories from the sex geek trenches: the awesome, the awkward, and the randomness in between.
Speakers: Kristen Stubbs

Play Shortwave Pirate Radio and Oddities of the Spectrum

Fri, 18 Jul 2014 13:00 (Olson)

Radio has become marginalized and governments are curtailing international shortwave broadcasting, yet these bands remain one of the most anonymous and inexpensive ways to convey information within and across international borders. This presentation will include background information about shortwave radio, its range, what types of stations are on the air (broadcast, military, weather fax, spy numbers, amateur, and more), and finally pirate radio. It will include background information behind pirate broadcasting stations on the air, how stations attempt to maximize their signal quality and range while avoiding detection by the authorities. Some of these tactics have ranged from transmitting from ships, to leaving battery-powered transmitters on public lands, to installing equipment at highway billboards. In an age when IP addresses, GPS, and cell phones track people as well as data, pirate radio is one of the few means of sending untracked, anonymous information.
Speakers: Andrew Yoder

Play Showing Keys in Public - What Could Possibly Go Wrong?

Sat, 19 Jul 2014 21:00 (Serpico)

If a reporter wants to get the point across that certain people shouldn't have access to a particular key, would it be wise for said reporter to then show that key to the world? Like the New York City subway key? The key to the subway? On the Internet?! This and other media fails will be shown. And maybe even one or two non-fail examples.... Several cases of key-copying-by-sight will be discussed with lots of pictures and videos. How this can happen will be explained, as well as what to do to prevent it.
Speakers: Jos Weyers

Play Skeuomorphic Steganography

Sat, 19 Jul 2014 18:00 (Olson)

Skeuomorphic steganography is spawned in the terrain where art, code, and digital media interbreed. Steganography is the ancient art, revitalized in the digital age, of hiding messages in plain sight. Skeuomorphism is the use of design elements that include features inherent to an earlier design, for example, images of leather binding in on-screen calendars, or faux wood grain printed on vinyl tiles. This talk puts forth the theory that steganography finds a natural home inside skeuomorphism. Sometimes, when one is looking for hidden data, one has to know where to look. This is especially true outside the digital realm. An idea for a new convention will be proposed: Let's have skeuomorphism show us where to look. Joshua will show how printed skeuomorphic steganography can be decoded with simple tools. The dream is of a world, just slightly more fun than this one, in which skeuomorphism takes on a new life, not as kitsch, an eyesore, or some wigged-out aberration at Apple Inc., but as a hint of a possible invitation, a bread crumb left by a new friend.
Speakers: Joshua Fried

Play Social Engineering

Sat, 19 Jul 2014 22:00 (Manning)

The tenth incarnation of this panel, which officially makes it a tradition. One of our biggest draws, this session always delivers something memorable. The panel will tell stories of the magic of social engineering, predict what may or may not be possible in the future, and make a few live attempts over the phone to gain information they have absolutely no right to possess. Sometimes it works and sometimes it fails horribly, as is the very nature of social engineering. You'll learn how to recover from being denied or busted and how to push forward, gaining tiny bits of information until you possess more knowledge about your target than you (or they) ever thought possible.
Speakers: Emmanuel Goldstein and friends

Play Solve the Hard Problem

Fri, 18 Jul 2014 11:00 (Serpico)

The biases run deep: from early in our school careers, we're taught that "smart people" go into math, science, and tech. There's an unspoken hierarchy many of us have drilled into our heads, with particle physics at the top of the academic food chain, engineering lower down but still higher than that weird squishy stuff in biology and the even squishier stuff in sociology, etc. "Smart people" tackle the "hard" problems, and the hard problems involve a lot of math, "hard" science, and empirical evidence. Well listen, J. Random Hacker, if you're so goddamn smart, why haven't you built a tool that makes it easy for people to encrypt their email yet? Why is adoption the major barrier to secure communications? Why haven't the tools you've built evened out the digital divide? Is the hard problem infrastructure scaling or the Traveling Salesman problem, or is the really hard problem dealing with the people you could never get to understand what you're doing? This talk will be an exhortation for hackers to overcome the traditional biases many of us have in favor of technical projects and against human-factors work. It's a call for more people to think about usability in open source software, particularly on the privacy and security tools we care so much about. Gus will tease apart the deep-seated socialization we have about what work "smart" people do, what "good" science looks like, and why studies of human social interactions must have different criteria than "hard" sciences in order to be effective.
Speakers: Gillian (Gus) Andrews

Play Part One

Play Part Two

Play Part Three

Spy Improv: Ask Me Anything

Sat, 19 Jul 2014 23:59 (Serpico)

The former spy, honorary hacker, former candidate for the Reform Party presidential nomination, and #1 Amazon reviewer for nonfiction, again takes on any question. His record, set in 2010, is eight hours and one minute. This year, the formal program provides for two hours.
Speakers: Robert Steele

Play SSL++: Tales of Transport-Layer Security at Twitter

Fri, 18 Jul 2014 20:00 (Manning)

You've enabled HTTPS on your site. Now what? How do you protect against sslstrip attacks, CA compromise, and the dangers of mixed content? @jimio will share some approaches they've taken @twitter: Strict-Transport-Security, "secure SEO" with canonical link elements, Content Security Policy, and certificate pinning. There will be code, exploits, and open source! There will be a few fun stories to share as well, and since this is an SSL talk, you KNOW there's gonna be heartbleed.
Speakers: @jimio

Play Steepest Dissent: Small Scale Digital Fabrication

Fri, 18 Jul 2014 14:00 (Olson)

High precision in fabrication is often required for building useful hardware and tools - including hardware and tools that can be used for dissent. Craftsmanship is valued for its precision and attention to detail, but mastering a craft is inherently slow. 3D printers evoke a Star Trek replicator-esque, hands-off solution for instantly creating precise tools, but in that image also become a transparent technology. However, digital fabrication technology as it exists today is anything but transparent, as digital fabrication tools are difficult to access, interface with, modify, and even use as intended. In a way, lack of access to precision fabrication is in itself a form of control. This talk will be about how digital fabrication enables personal fabrication, and how we are getting closer to being able to truly use digital fabrication in technologies for dissent.
Speakers: Nadya Peek

Play A Story of Self Publishing Success

Sun, 20 Jul 2014 16:00 (Olson)

Just days before HOPE Number Nine, John Huntington released a self-published version of his book, Show Networks and Control Systems. Several months before, his publisher had decided that they were not interested in an update after three successful editions, so Huntington got his publishing rights back and did a whole new edition himself using Amazon's Createspace for printed copies and Kindle for e-books. And it's been a success - Huntington has made far more money self publishing this one edition than the royalties on all three of the previous editions with the publisher combined. More importantly, he has had a far higher level of engagement with his readers, and has been able to do things he never could have done with the publisher, like putting free lecture videos for each chapter on his website, or giving copies away (which he will do at the end of this talk). Huntington will share sales figures, compare the economics and issues related to both printed and e-book editions, and lay out the challenges, pitfalls, and successes of this process.
Speakers: John Huntington

Play Stupid Whitehat Tricks

Sun, 20 Jul 2014 17:00 (Serpico)

How can you improve security at companies that haven't hired you or given you permission to test their systems? Non-intrusive methods such as Google searches and observing headers can detect some serious problems without trespassing on networks. Sam found problems at thousands of websites, including dozens of companies and big-name colleges that are currently under hostile control. These problems included SQL injections, website redirectors, WordPress pingback exploits, and more. Many of the systems were being used by criminals to perform attacks. He notified the companies. Most ignored the notifications. Some of them fixed the problems, a few complained, and one made a serious effort to silence him. In this talk, Sam will show how he found the problems, how he notified the administrators, and how they reacted. Whitehatting can be useful and rewarding, as long as you have realistic expectations and a thick skin.
Speakers: Sam Bowne

Play Surveillance, Sousveillance, and Anti-Surveillance: Artistic Responses to Watching

Fri, 18 Jul 2014 11:00 (Olson)

It's impossible to imagine a world without surveillance. Its presence reflects a symbiotic relationship with the State and hegemony as a whole. For years, artists have been using surveillance and surveillance technologies to engage and disrupt the surveillance apparatus. This talk will explore works by artists such as Steven Mann, Banksy, The Surveillance Camera Players, and many more working in the medium to answer the question of "how are we to engage with a surveillance society?"
Speakers: Gregg Horton

Play Teaching Electronic Privacy and Civil Liberties to Government

Sun, 20 Jul 2014 12:00 (Serpico)

Privacy advocates and government officials are often at odds. Ironically, both groups want the same thing - a safe and free democracy. This will be an exploration of how government employees can better make protection of privacy and civil liberties part of the calculus considered when making security decisions - not just due to legal compliance constraints or fear of a backlash from privacy advocates, but due to a true appreciation that privacy and civil liberties are as important to democracy as is security. This talk will cover initial successes in exposing government employees to electronic privacy and civil liberties material in the classroom, and sketch the outlines of open source training materials. The ultimate objective is to inform and inspire government employees worldwide to propagate legal reform inside the system without taking extreme approaches. The presentation will be interactive, so please come with ideas for content and educational strategies that might be used to educate government employees at all levels and in a wide variety of countries on the importance of electronic privacy and civil liberties.
Speakers: Greg Conti

Play Technology and Jamming of XKEYSCORE

Sun, 20 Jul 2014 14:00 (Olson)

XKEYSCORE is possibly the most "big-brother" tool in the NSA arsenal, eavesdropping on network traffic around the world producing around 100 billion records per month. Recently, code snippets were leaked, allowing us deeper insights into how the system works. This talk will be in three parts. The first part will be an overview from what we know from public disclosures, how the packet-sniffer reads network traffic and indexes it for automated systems and human analysts. The second part will walk through the disclosed source code, comparing it to public deep-packet-inspection tools, in order to get a detailed understanding of the internals. The third part will look at jamming the system, both the specific fingerprints in the disclosed source code, but also other fingerprints that might exist. The unexpected ways that the source may indirectly run afoul of FISA regulations will also be investigated. Questions from the audience are encouraged.
Speakers: Robert Graham

Play This Is the X You Are Looking For

Sat, 19 Jul 2014 10:00 (Serpico)

When you hear you are being profiled for which books you check out in a library, what do you do with this knowledge? Do you tell your friends to "evade," to not check these books out, or to find other means of getting this content? No. You tell everyone in the world to deliberately check these books out (and now we have had the pleasure of reading Catcher in the Rye). This talk is about looking signature detection in the face and confusing or saturating the tool or analyst. A number of techniques will be explored, including a fun malware signature trick called a tumor (it's OK, it's benign), and others focusing on open source Intrusion Detection Systems. There may be some random banter about grocery loyalty cards, too. Although this talk intends to be just as technical as expected at a conference like this, it will also be light, fun, and philosophical in nature. Expect a gratuitous slide deck, lots of terminal action, signatures in the nude, hex, and beautiful regex.
Speakers: Eric (XlogicX) Davisson

Play Threat Modeling and Security Test Planning

Sat, 19 Jul 2014 11:00 (Olson)

How do I figure out if the application I've designed is secure? What do I need to test? When do I need to start thinking about security? How does what an application is designed to do affect how it's tested? How do high-level security goals relate to protocol bugs? How do I know when I need specialist review? How do I figure out if my users will be able to use my application securely? If you've found yourself asking questions like these or if you're just realizing that maybe you should be asking them, this talk will give you tools to work with. The work that a security analyst does can be opaque, but understanding it will save you time and help you build a more secure application. This talk will cover threat modeling (both on its own and as a driver of high-level test planning), when and which kinds of low-level tests you should be including, with special attention paid to parser/protocol bugs. Examples will be shown from both the commercial space and the world of software designed for high-risk users, with specific focus on some of the particular challenges of the latter arena.
Speakers: Eleanor Saitta

Play Thwarting the Peasants: A Guided and Rambunctious Tour Through the 2600 DeCSS Legal Files

Sat, 19 Jul 2014 17:00 (Manning)

In 2000, a whole lot of movie companies sued a whole lot of people over the coding of a routine called DeCSS, which would allow the access and playback of DVDs in Linux and any other platform that felt the burning desire to watch Hollywood movies. The full name of the court case has a name too long for this description, but by the time it was over, a whole host of individuals had dropped out, leaving 2600 Magazine and the rest fighting over the point of whether linking to infringing materials is itself infringement. The case was decided in Hollywood's favor, and passed into the realm of history. A decade later, the extensive files related to this case were slated for disposal, and Jason Scott volunteered to take possession of them. These files are now being scanned in, and contain all manner of amazing material, some highlights of which will be shown in this presentation. The case was a time capsule of an industry expecting yet another rolling over of the populace as to who truly owned the media. It didn't quite work out that way. Expect a level of excitement not usually found in court transcripts and evidence collections.
Speakers: Jason Scott

Play Travel Hacking with The Telecom Informer

Sun, 20 Jul 2014 14:00 (Serpico)

When people talk to TProphet (also known as The Telecom Informer) about how he travels and lives all over the world, experiencing destinations from Armenia to Antarctica, they often say something like "I could never afford that!" If you think like a hacker, though, travel doesn't have to be expensive. You will learn how tickets for an around-the-world trip were booked for under $219, and how you can also travel for little or nothing. The world is an incredible place to explore. This talk will encourage you to get out and see it!
Speakers: TProphet

Play Unmasking a CIA Criminal

Fri, 18 Jul 2014 22:00 (Manning)

"Her name is Alfreda Frances Bikowsky." While those six words may seem innocuous, according to the Central Intelligence Agency, if made publicly, they might have sent Ray and his journalist colleagues to prison. On September 8, 2011, they received the first in a series of phone calls and emails from CIA's media rep Preston Golson. "We strongly believe it is a potential violation of federal criminal law [the IIPA Intelligence Identities Protection Act] to print the names of two reported undercover CIA officers whom you claim have been involved in the hunt against al Qa'ida." They had used this approach successfully several times in the past to persuade some of America's most respected journalists - Jane Mayer of The New Yorker, Adam Goldman and Matt Apuzzo of the Associated Press, among others - to withhold her name from the public. Seeking advice from the ACLU's National Security Project, its lead attorney Ben Wizner made them aware that she had become something of an open secret in his world. They had stumbled onto a hornet's nest. Bikowsky, as it turned out, was the person credited internally with the greatest PR coup of the Obama White House, the successful assassination earlier that year of Osama bin Laden. As chief of the Global Jihad Unit, she reportedly runs the nation's drone strikes program. She is a through-line running from the failure to prevent 9/11 to the push for war in Iraq to the development of the CIA's renditions, black sites, and torture program and continuing to today's targeted assassinations in countries around the world. Through her story, we can see the details of a devolution in the rule of law and the justice system in America, as well as the impetus for and birth of what some call the "war on whistleblowers and journalists." For 20 years, she has been at the center of history, yet the covert nature of her job has prevented that history from ever before being told to the public in one place. Doing so is necessary for a democratic citizenry to have an informed discussion about national security and intelligence policy in America's continuing fight against terrorism.
Speakers: Ray Nowosielski

Play Updates from the Online Identity Battlefield

Sat, 19 Jul 2014 23:59 (Olson)

At HOPE Number Nine, aestetix gave a general introduction to the world of nyms (short for pseudonym) and NymRights (the group he created to promote online self-expression). Things have changed a lot in the last two years. More services are moving online, and there are a lot of discussions about how to securely "verify" users, how to prevent fraud/harm, and how to do all of this while keeping our civil liberties intact. There have also been developments with the National Strategy for Trusted Identities in Cyberspace (NSTIC), an Obama strategy designed to promote these discussions in places like health care and social security. The White House is finalizing points on their Cybersecurity Framework (which includes NSTIC) and, in the meantime, a bunch of web services are implementing "verification" solutions, some with better success than others. In light of fundamental "nym" ethics, the discussion will take a look at these strategies and solutions, show which work better than others and why, and introduce some things the panelists have been working on as well.
Speakers: aestetix; Kaliya "IdentityWoman"

Play Usable Crypto: New Progress in Web Cryptography

Sat, 19 Jul 2014 16:00 (Olson)

This talk will provide an outline of the pitfalls, dangers, benefits, and progress when it comes to doing encryption in JavaScript in the browser. Nadim has been working on this problem for the past three years in collaboration with Mozilla, Google, and the W3C. The solution is still far away, but there have been many interesting (and, most importantly, educational) challenges that have been faced. After giving an overview of how browser cryptography has advanced in the past year, Nadim will reveal a new open source encryption software project during the talk.
Speakers: Nadim Kobeissi

Play Using Travel Routers to Hide in Safety

Fri, 18 Jul 2014 23:00 (Manning)

In light of the past year's NSA revelations and the long history of SIGINT, safe network use is a serious concern, especially for international travelers. Open source and commercial tools to hide one's identity when traveling will be described here, in the face of both blanket surveillance and targeted, intense monitoring. You will learn about tools which can be comfortably taken through restrictive border regimes and carried openly in war zones without attracting undue attention - as would suit a journalist or human rights worker. While these tools tend to be complex, the true challenge is the threat model: a single slip-up, undetected at the time, can doom the user and the user's contacts to discovery, interrogation, or worse.
Speakers: Ryan Lackey; Marc Rogers aka cyberjunky

Play Vigilante Justice: Masks, Guns, and Networks

Fri, 18 Jul 2014 23:00 (Olson)

This talk will cover the state of vigilante action around the world; what they fight with, who their targets are, how they stay anonymous, and how they organize. Without condemning or condoning any single act, these radically unique responses to crime and corruption deserve our attention. How much power are they wielding? Is nonviolence winning out over violence? Is anonymity giving way to irresponsible action? And what should we expect as these networks deepen? There's a growing list of options being explored, and these explorers have dramatic and largely unknown stories to tell.
Speakers: Zimmer Barnes

Play Visualization for Hackers: Why It's Tricky, and Where to Start

Sat, 19 Jul 2014 12:00 (Olson)

Computer-based visualization systems provide visual representations of datasets designed to help people carry out tasks more effectively. Visualization is suitable when there is a need to augment human capabilities rather than replace people with computational decision-making methods. The design space of possible vis idioms is huge, and includes the considerations of both how to create and how to interact with visual representations. Vis design is full of tradeoffs, and most possibilities in the design space are ineffective for a particular task, so validating the effectiveness of a design is both necessary and difficult. Vis designers must take into account three very different kinds of resource limitations: those of computers, of humans, and of displays. Vis usage can be analyzed in terms of why the user needs it, what data is shown, and how the idiom is designed. Tamara will discuss the implications of all this trickiness for systems visualization, where the datasets include trace logs, network traffic, and semi-structured text in addition to the classic big table of numbers. One good way forward is to think hard about how to transform your original data into a form that's well suited for addressing the user's problems before you dive into the details of exactly how to draw any pictures.
Speakers: Tamara Munzner

Play The Web Strikes Back - Fighting Mass Surveillance with Open Standards

Fri, 18 Jul 2014 23:00 (Serpico)

After the Snowden disclosures, it was revealed that the NSA and NIST were subverting the open standards process by intentionally weakening the security of the core standards that form the foundation of the web and Internet. Now, more than ever, we need cryptographically strong standards and verified open source libraries for these standards. The humble origins of the IETF and the W3C will be discussed, as will the efforts taken by open standards to combat pervasive surveillance via workshops like STRINT and the "perpass" mailing list, and the new standardization work that is likely to result. In particular, the focus will be on the myriad problems implicit in putting cryptography into the web security model with the W3C Web Cryptography API, as well as attempts to analyze properties of this JavaScript API by using techniques from formal proof-proving. There's also new work from the W3C on decentralized social networking - and all the security problems that entails! Most importantly, you'll learn how you can get involved to help build open standards to build what Tim Berners-Lee calls the "Web We Want" - and stop the web from being subverted.
Speakers: Harry Halpin

Play When Confidentiality and Privacy Conflict

Fri, 18 Jul 2014 15:00 (Olson)

We have many mechanisms to provide confidential communications so that network operators and other would-be surveillance regimes can't inspect the content of our traffic. But some of those mechanisms actually reveal more about who is speaking than cleartext communication would, especially over longer periods of time and large datasets. Information about who is speaking to whom is so valuable that large organizations devote huge amounts of resources to assembling network graphs of this "metadata," even without the content of the communications. Clearly this information is worth something; it is probably worth protecting. Why should privacy (hiding who you are) conflict with confidentiality (hiding what is being said)? This talk will look at specific instances of privacy and confidentiality conflicts, and describe patterns that create this tension. There will also be a discussion on some approaches to resolve the conflict and outline ways to improve privacy while preserving confidentiality.
Speakers: Daniel Kahn Gillmor

Play When Whistleblowers Are Branded as Spies: Edward Snowden, Surveillance, and Espionage

Fri, 18 Jul 2014 13:00 (Manning)

When The Guardian and Washington Post published the first stories exposing the National Security Agency's surveillance operations based on revelations from the whistleblower Edward Snowden, the world learned that U.S. government officials told a series of misleading half-truths and outright lies to conceal what has become a U.S. surveillance industrial complex. The revelations revealed massive waste, fraud, abuse, illegality, and an equally massive loss of valuable intelligence. In response to the understandable public outrage about their mass surveillance, the NSA chose not to investigate the officials who needlessly and in secret sacrificed the privacy of hundreds of millions of innocent people. Rather, the intelligence community has spent untold resources investigating and attempting to discredit Snowden. It is a predictable response for an institution to focus on the messenger rather than the message. It can be an effective distraction to focus the media and public attention on one individual rather than on exposing systematic, widespread illegality in a powerful government agency. Whistleblowers in all corporate and government spheres risk choosing their conscience over their careers, but under the Obama administration, national security and intelligence whistleblowers face choosing their conscience over their very freedom. The Obama administration has prosecuted more people under the Espionage Act for alleged mishandling of classified information than all past presidential administrations combined. The Espionage Act is an arcane, vague, and overbroad World War I-era law intended to go after spies, not whistleblowers. NSA whistleblower Thomas Drake objected to mass surveillance using internal channels and was charged under the Espionage Act. Central Intelligence Agency whistleblower John Kiriakou objected to torture and was charged under the Espionage Act. He is now serving 30 months in prison. Army Private Chelsea Manning helped expose war crimes and is serving 35 years after facing Espionage Act charges. Because of this pattern of persecution, Edward Snowden was forced to leave the United States and seek asylum in Russia after the U.S. government left him stranded in the Moscow airport last year. This talk, by a member of Snowden's legal team, will address all of this and more.
Speakers: Jesselyn Radack

Play When You Are the Adversary

Sat, 19 Jul 2014 20:00 (Serpico)

If your name isn't Barton Gellman, Laura Poitras, or Glenn Greenwald, chances are that while the NSA may be a rights-violating threat to all, it's not your actual, day-to-day adversary. Real world adversaries tend to be spouses, parents, bosses, school administrators, random drive-by malware, and maybe local law enforcement. While federal threats create a terrible security culture, they aren't stepping into the lives of most people. And while obsessing over various intelligence agencies and trying to build tools against them makes you feel like a badass, it doesn't help most people. Fixing Flash and building easy to use communication tools does change the lives of countless people. This talk will focus on the infosec needs of the 99 percent - who aren't geeks. This talk will touch upon the value of bad crypto when it lets someone escape an abusive spouse, and the common situations where tools that let people sidestep the requirements of their IT departments make the world a better place. Yes, the big bad guys still matter, but fighting a billion little bad guys probably matters more.
Speakers: Quinn Norton

Play Why the Future is Open Wireless

Fri, 18 Jul 2014 19:00 (Serpico)

How do we begin the movement to create a world of ubiquitous open wireless, where sharing and openness is the norm? How do we get it to spread? Speakers from EFF's activism, legal, and technology teams will describe the open wireless movement (https://www.openwireless.org) and the specific challenges their open wireless router campaign is solving. The first hurdle is convincing the world that sharing Wi-Fi with guest users is, as security expert Bruce Schneier puts it, a matter of "basic politeness." Another perceived roadblock is the belief that running an open network could subject the host to legal liability. Lastly, even proponents of open wireless lack easy technical solutions to safely enable private and anonymous guest access without reservations. To that end, EFF is developing an easy to set up, secure Wi-Fi router. But, in order to truly realize our open wireless future, they will need your help.
Speakers: Adi Kamdar; Nate Cardozo; Ranga Krishnan

Play Will It Blend? How Evil Software Clogs the Pipes

Sun, 20 Jul 2014 11:00 (Olson)

During an investigation, Michael discovered an attacker who was emailing himself from an infected user's account. He sent and received emails under the radar via Outlook extension malware. Countless times Michael has seen attackers forced to blend their malware communications with the noise on his clients' networks. The talk will start with a brief history lesson on malware and its use of the network for command-and-control and data theft. Then there will be some fun opening his malware vault to explore interesting specimens from the wild such as the Outlook Assistant and malware that tweets! The presentation will close by discussing how you can find and analyze malware that communicates on the network and why traditional network monitoring isn't enough - attackers will find a way out of your network no matter how small a funnel you put them through.
Speakers: Michael Sikorski

Play Wireless Meshnets: Building the Next Version of the Web

Fri, 18 Jul 2014 13:00 (Serpico)

This panel will feature discussion and debate about the exciting current state of wireless meshnet technology, with a particular focus on how to build and join local urban wireless networks separate from the traditional Internet. A short tutorial of the project as well as how to connect to a local meshnet - including an overview of the necessary open hardware and software required - will be provided at the beginning of the panel. After the tutorial, a discussion will occur regarding the scope and impact of the global meshnet project. Technology covered will include the CJDNS project, Hyperboria, installing the Meshberry image on a Raspberry Pi device, configuring Ubiquiti NanoStation M5 routers featuring the OpenWrt software, and other relevant topics. Whether you're a new user or an enthusiast, this is a great place to learn more about the technology driving new free and secure private networks.
Speakers: Kevin Carter; Peter Valdez; Kurt Snieckus

Play Your Right to Whisper: LEAP Encryption Access Project

Sat, 19 Jul 2014 17:00 (Olson)

The LEAP Encryption Access Project is dedicated to giving all Internet users access to secure communication. Their focus is on adapting encryption technology to make it easy to use and widely available. Like free speech, the right to whisper is a necessary precondition for a free society. Without it, civil society languishes and political freedoms are curtailed. As the importance of digital communication for civic participation increases, so too does the importance of the ability to digitally whisper. When you attempt to secure your communications online, you are faced with confusing software, a dearth of secure service providers, and involuntary leakage of critical information. For aspiring service providers, barriers to entry include the high cost and technical complexity of setting up secure servers. LEAP's goal is to transform secure online communication from an exercise in frustration into an automated and straightforward process for those whose access to information and free expression depend upon confidentiality, authenticity, and the protection of their social networks. Come to this talk to hear about LEAP's unique strategic infrastructure approach taking federated standards and open protocols to tackle these problems and find out how you can too. Also, there will be pretty pictures of birds.
Speakers: Micah Anderson

Play Part One

Play Part Two

You've Lost Privacy, Now They're Taking Anonymity (aka Whistleblowing is Dead - Get Over It)

Sat, 19 Jul 2014 18:00 (Manning)

Government and private entities are working to shred privacy and warehouse personal, relationship, and communications data. Once unimaginable surveillance technologies are being perfected and implemented. The most intimate details of lives are routinely and unthinkingly surrendered to data-gatherers. Is it still possible to be an anonymous whistleblower? Is it still possible to be anonymous at all? Your physical location and activities for the past ten years are known and have been logged. If you attend a church or synagogue or mosque or a demonstration or visit an abortion clinic or a "known criminal activity location" or meet with a "targeted person" or a disliked political activist, it is routinely recorded. Your finances, sexual orientation, religion, politics, habits, hobbies, and information on your friends and family are gathered, indexed, and analyzed. Facial recognition, camera analytics, license plate readers, and advances in biometrics allow you to be de-anonymized and remotely surveilled 24/7/365 by machines. Forensic linguistics, browser and machine fingerprinting, and backdoors substantially eliminate the possibility of anonymous Internet activity. Thanks to "The Internet of Things," your thermostat and electric meter report when you arrive home and your garbage can reports when you throw out evidence to be collected by the few remaining human agents. "Predictive profiling" even knows what you will do and where you will go in the future, so the data collection bots can be waiting for you. Data collection now begins at birth. And no data gathered will ever be thrown away. And none of the data gathered belongs to you or will be under your control ever again. An internationally-known private investigator and longtime HOPE speaker, Steve will describe in frightening detail how the last shreds of everyone's anonymity are being ripped away. Real world examples will be used. Surprises can be expected.
Speakers: Steve Rambam