Hackers On Planet Earth XII: The Circle Of HOPE

The Hackers On Planet Earth (HOPE) conference takes place every two years in New York City, and after a decade of not being able to attend the event, I decided I couldn’t go any longer than that before returning. I actually hope to go more often in the future, because it truly is one of the best technical conferences going, touching on everything from good and bad security, to legal hassles that shouldn’t exist and should exist. There are workshops and vendors. Want a ham radio license? HOPE is a great place to get that done.

I consider myself to be a hacker, as I would consider anyone who tweaks with their hardware or software to be a hacker. Hackers dig into things, and mold things better to their liking. Hacking can also be educational. That said, I’m as modest a hacker as they come. I go to HOPE to bask in the brilliance that surrounds me. This year’s event had no shortage.

Like any conference with depth, there’s way too much at HOPE to cover in a single article. As I did back in 2008, I am going to recap a bunch of talks that personally impressed me in one way or another. I have to exclude things, as I am penning this up before even more travel. If you want to see which talks you missed, you can check out the official HOPE site.

No HOPE session is complete without a cold Club-Mate

Club-Mate is to hacker events what Bawls is to LAN parties (I hope Bawls is still a thing). At HOPE, it first debuted in 2008, something I vividly remember as that is the first HOPE I attended. It has a very unique taste, one that’s a bit of an acquired taste… yet it’s sometimes hard to not crave. I stupidly went to NYC without USD in my wallet, so I tried and failed more than once to send Bitcoin instead (to the annoyance of the seemingly patient vendor, I’m sure), until I found out that the upper-level of the event took plastic. It’s almost ridiculous the effort I put in for a cold Club-Mate, but hey, “when at HOPE”.

Note that I don’t have a ton of photos to share, as the lighting conditions didn’t agree with my smartphone too much. This is largely a brain-dump of what I’ve taken home from the event.

Chelsea Manning Interview

One of the highlights of this HOPE for me was being able to sit in on a two-hour interview with activist Chelsea Manning. Manning is best-known for leaking a massive trove of confidential documents tied to the US military. To make a long story short, WikiLeaks became responsible for publishing this information over time. Before long, the late Adrian Lamo turned Manning in. After serving seven years in prison, one year of which was solitary confinement, the outgoing Obama administration commuted the remainder of the 35-year sentence in 2017.

I don’t care to give much of an opinion on Manning’s actions that led to her tenure in prison, but the interview was interesting for many reasons. It became clear quick that Manning is someone who cares deeply about other people, something she said increased after reality set in, knowing she’d have to be stuck in prison until retirement age.

During a quick stint in politics, Manning went door-to-door to chat with real people, to discover real issues. That resulted in a sad reality that there are many people out there with dark problems, and many people have evolved to believe that their vote doesn’t mean anything. Manning teared up on stage after relaying a story of an elderly woman who talked her ear off with her problems. It’s often easy to ignore real issues some people have if our lives are going OK.

Activism is one of Manning’s biggest passions, and you can follow her goings-on on Twitter. If you ever have a chance to check out this talk during a replay, I would encourage it.

Manning is a hacker, like everyone else at HOPE, and said she has at least 20 Raspberry Pis kicking around her house. Her favorite? The one used for N64 and SNES emulation. She’s also a talented enough programmer to have relayed information over the phone while in prison, asking someone who is not well-versed in coding at all to type out the very specific format the language requires (likely Rust, as that’s Manning’s current favorite). Quite literally, someone without coding experience would type up programs relayed to them by Manning, and then after a compile, that person would relay whether or not there were errors. I never thought I’d say that coding on a phone sounds like a great alternative (but of course, no phones in the cell were allowed).

Tying into that, Manning said that one of the things that helped keep her sane (as possible) in prison was receiving letters from people. It didn’t matter what the letter said; what mattered was that people cared. Not all people in prison deserve to be there, so she encourages people to reach out to those who have lost control over their lives.

There was far more to come out of this interview than what I’ve touched on here, but this is what stayed in my mind days later. Again, I suggest checking out the talk if you can. If I figure out where it can be found, I will link it.

Richard Stallman’s surveillance angst

As a long-time fan of free software, in the respect that the source code is available for user inspection, collaboration, and forking, it would have been silly to not hear what the biggest supporter of free software, Richard Stallman, had to say. Stallman has some seriously strong opinions, few of which I personally agree with, but he offers a ton of insight, and has some great ideas on how to reduce the amount of surveillance that’s done on us.

Stallman, or RMS as he’s also known, gives many talks each and every year about free software, but this talk was different. Here, he tackled the angle of surveillance, which has truly become out-of-control, and could warrant content from us in the future as I personally grasp the totality of it all. In gist, I ask that you think about how bad our privacy is invaded, and then multiply the severity of the problem. In another talk, private investigator Steve Rambam told us that butt identification is a real thing. Where privacy invasion is concerned, there’s no limits.

RMS hates any and all data gathering that takes place on our devices and individual accounts. He hates Uber, or “Goober”; Apple, or “iMonster”; Facebook, or “Faceweasel”, and Amazon, or “Amazon Swindle”. He also hates Spotify, for keeping track of our music, believing that the powers in charge of that madness be persecuted.

It’s that kind of thinking I can’t agree with, because while I value my privacy greatly, there are battles that are so minor in the grand scheme, and my life is made better as a result, that I just don’t care. Maybe I should, but as far as I’m aware, Spotify doesn’t do anything nefarious with my listening habits. What it does do is create playlists based on my listens, which has allowed me to discover a lot of new music. I’ve purchase two albums in the past two months based on my Spotify suggestions.

The kind of privacy I don’t want invaded is what I do with my life. Where I go, who I talk to, and et cetera. If you have a mobile phone, our overlords know where you are at all times. If someone is in proximity to you, they know it, and track it. Sometimes, we even allow ourselves to be tracked, such as through Google, which seems to do it automatically.

All over the place, cities are beginning to implement license plate tracking, deploying cameras that can scan thousands in the span of seconds. The problem? You’ll be scanned even if you have no need to be. I’d consider this to be an invasion of privacy to the extreme. No one in the government has a right to know where you’re going. Stallman isn’t against this kind of tracking at all, but he is against the default action of surveilling everyone. His suggestion is to design the cameras to only detect plates that are flagged, either because of expiration, probation violation, or simply because the license is invalid (a New Yolk City makeshift plate won’t do it). That sounds like an absolutely reasonable suggestion to me.

I am not going to begin using RMS’ creation of Emacs as a result of his talk, but overall, it was an insightful one. Even if you don’t agree entirely with his views, we can at least respect them, and his passion for them. He doesn’t change his tune, because he strongly believes in what he believes in. In reality, we need more people like him, but we can’t start expecting that the likes of Adobe and Microsoft are going to suddenly free up their source for the greater good.

Steve Rambam on our exploitation

Steve Rambam is a private investigator for his company Pallorium, as well as a HOPE veteran, having appeared at every single event since its inauguration in 1994. That equates to 12 individual talks, and while I haven’t personally been able to catch them all, the ones I’ve attended and watched on archives have been fantastic. If you want to be truly aware of the level of surveillance that goes on the world over, you may feel sick to your stomach. Or want to give up computing.

Unfortunately, this twelfth HOPE was Rambam’s last to present at. While he continues to appreciate the conference and those who attend it, he’s been left with a bad taste in his mouth over how certain interviews and Q&A periods have been handled. With Edward Snowden’s appearance at the eleventh HOPE, for example, questions had to fall into a certain mold in order to be asked, so as to prevent questions the interviewee doesn’t want to answer. That’s something that’s too tough to accept for someone who cares an awful lot about exposing the truth. Not here-say, or friend-of-a-friend chatter, but actual facts – regardless of how painful those may be. I consider Rambam’s departure to be a loss for HOPE, as his presentations have been one of the “must go-to” at the event.

Fortunately, long before this progression has occurred, Rambam has been informing us about all we need to know about the level of surveillance. Rambam doesn’t use social media, which is very much on purpose. Despite not having a Facebook account, he has an automatically made profile which the service claims is over 80% complete. That’s how much Facebook knows about everyone – even those who’ve gone out of their way to avoid the service.

Facebook certainly isn’t the only guilty party here. Google, Amazon, Microsoft, and others data-mine their users as if the effort could be exploited to cure cancer. Rambam’s talks are always long, and this one, at three hours, was no exception. Like every other talk here, I’d highly recommend checking out this one in the future if you are able to source it (I am not sure how they will be distributed).

I can only cover a small fragment of what was covered, but here’s some things to scare you a bit. You may have heard about printers that have hidden unique identifiers on printed pages which can be used to identify someone, but did you know that the exact same kind of procedure is done using the dust on your smartphone’s camera? The more pictures you take with the same dust patterns, the more a smart algorithm could source it to a single individual.

Have a butt? If so, you are in trouble, because if you slide into a chair that “hugs” you, that butt of yours can act as a unique identifier. What’s even crazier is that if you eat a certain food and listen to a certain type of music, marketing firms have been able to determine whether you’re more or less likely to purchase a certain type of product. It sounds outrageous, but it’s been heavily used behind our backs already.

Again, this is just touching the surface, but if you are intrigued, hit up YouTube (or hit-up the video above) and check out some of Rambam’s more recent talks.

Jason Scott and Internet Archive

I have heard of the Internet Archive’s Jason Scott before, but I’ve never had the pleasure to see him give a presentation – and I must say, ‘End of File’ was an amazing talk. I can’t remember the last time I laughed so much during a presentation, almost to the point of it feeling like I was watching stand-up.

This talk tackled the problem of data disappearing, hence the name. While it can often feel like nothing digital is ever lost, physical materials can disappear overnight. Someone who has a unique manual, for example, has the power to prevent it from ever being read by those curious, simply by recycling it. You all know the Internet Archive, home of the awesome Wayback tool. The Archive goes well beyond scraping websites, though; it also offers a wealth of materials to pore over, from old manuals and magazines to emulated video games you can play right on the website.

Credit: Jason Scott (Wikimedia)

Scott’s presentation largely focused around health complications he experienced last year, having suffered a heart attack while working in Melbourne, Australia. He thought he was tired, but he was lucky to go to a doctor, because if he didn’t, he likely wouldn’t be with us today. The complications and surgery inspired him to be healthier, and I admit that it’s inspired me to be healthier, too.

In events like these, some people almost automatically begin to reevaluate their life, and wonder if the path they’re on is the path they actually want to be on. When Scott thought about those questions, he realized that the Internet Archive is exactly where he wants to be. His mission is to archive the world, for the world to enjoy.

One of the coolest facts I learned about the Archive in this talk is that its ‘Main Hall’, inside an old church, has statues sitting in the pews. Since the Archive can’t offer things like company stock, since it doesn’t exist, the organization celebrates employee three-year anniversaries by commissioning a statue in their likeness. I suddenly want to be a statue, and I don’t quite know why.

Jennifer Helsby and SecureDrop

There have always been whistleblowers, but it seems in recent years that leaks have increased in volume, and because of that, government agencies (and others) try very hard to figure out who leaked what. In order to give people a secure way to inform the media on issues the greater public should be aware of, the aptly named SecureDrop was first released in 2013, originally developed by Kevin Poulsen, and the late James Dolan and Aaron Swartz. Today, Jennifer Helsby is the software’s lead developer, and she had a lot to say about what the purpose of the project was, and how it’s being improved for the future.

SecureDrop’s purpose is to allow whistleblowers to do their thing with anonymity, with the least amount of risk possible. Whether someone has the right to leak information or not is a topic that could be debated forever, but if you had truly damning information that you felt the public should be aware of, you’d probably want the most secure process of relaying the information possible.

In its current likeness, SecureDrop requires quite a bit of hands-on work, and ideally, a skilled IT person. The primary configuration will have two servers located inside of a news agency, of which dozens have implemented. Those include Associated Press, The Wall Street Journal, Bloomberg, Forbes, The New York Times, USA Today, Reuters, and many others. In order to access the data, a journalist would have two computers; one which is internet-capable, and another that’s locked off (air gapped) from the outer world.

There’s more to the process that I’m not tackling, but fortunately, that process is going to be (hopefully) deprecated at some point in the future, as SecureDrop is going to be using Qubes OS as a base to give people an all-in-one SecureDrop platform to get all of the work done on a single computer. “But Rob, how in the heck could that be safe?” Through virtual machines, of course. Once a document is sent to a journalist, the file can be clicked, which will automatically boot up a completely sandboxed offline virtual machine, and then open the respective file.

A potential issue here is of course screen readers, but with this OS being hardened on bootable media, it seems very unlikely that malware is going to prove an issue, but it’s still a reality SecureDrop keeps in mind. The ultimate goal is to make things as truly secure as possible, something that’s weighed above ease-of-use, thankfully. But that doesn’t mean things can’t be improved. This forthcoming SecureDrop solution should make the lives of both parties a lot easier.

David Goren’s Brooklyn Radio Map

In our digitally rich world, fewer and fewer people seem to care about one of the most reliable and satisfying methods of communication ever invented: the radio. As you’re likely aware, the respective radio bands are chock-full of commercial stations which require heavy investment to get on the air. The problem about this is: many communities suffer.

New York is home to rich ethnic diversity, thanks in large part to the fact that everyone would like to live the “American Dream”, and New York is a cornucopia of opportunity.  Many have moved to America for a better life, something that can be complicated when you either don’t speak the native language ideally, or seem to be severed off from your home country. It’s easy to say “Just listen on the internet”, but that’s simply not a feasible option for everyone.

That problem has led to the rise of pirate radio stations, and NY, especially Brooklyn, is home to slew of them. Dave Goren has a bit of a passion for this sort of thing, and has crafted a website which allows you to not only track the stations, but listen to samples, and through his efforts, see which ones have quite literally disappeared from the map, and which are still going strong.

Goren said that about a third of these pirate stations are Haitian, and there’s a wide variety of what’s available, delivering music, news, and even comedy. If Haitian radio isn’t your bag, you may prefer to listen to some reggae, country, dance, or religious programming.

As you might imagine, the FCC would love it if these stations disappeared tomorrow, and because of its preexisting efforts to fight them, the hosts of these stations are often anonymous, and have to deal with the complications of transmission equipment being detected, and thus shut down. Law enforcement has found the root of many of these stations, so it’s a bit of a dangerous job. That’s despite the fact that none of the stations make any real money. Some have a bit of income to cover basic costs, but like most everything else seen at HOPE, passion is the real driving-force here.

Matt Blaze, Harri Hursti & Margaret MacAlpine on weak voting systems

In case you’re unaware, the chances of your vote not being tabulated correctly is way too high. After the 2000 and 2004 elections, it was discovered that an obscene number of seriously vulnerable voting machines were in use, and could have swayed the elections. Must-watch material: Hacking Democracy.

“Good thing those voting machines are no longer in use!” As I write this, I am almost squirming in my seat because of how inaccurate that statement is. “But they’re patched, surely?” *SQUIRMING INTENSIFIES*

You’re not reading me wrong. It gets worse: those same machines are still being sold (unpatched!) for official elections. If you’re lucky, you may even be able to find one of these voting machines on eBay for dirt cheap, so you can prove to yourself just how vulnerable they are.

At last year’s Defcon, Matt Blaze, Harri Hursti, and Margaret MacAlpine hosted an event which saw many hackers jump on voting machines – most for the first time ever. What happened? They were easily defeated. The event was so successful that the same crew is expanding the fun for next month’s Defcon.

Should you be upset that myriad voting machines out there are more insecure than your grandparents’ Facebook account? You should be filled with rage. Insecure voting machines is an ideal way to “hack democracy”.

Final Thoughts

This article exists because I felt inspired to write about HOPE, because it’s impossible to leave the event without feeling a surge of inspiration, and even ambition. The event is home to some unbelievable talent; some of the smartest people in the business. I personally left inspired, and plan to put some of what I learned into action, and investigate certain things further.

Official HOPE 2018 t-shirt; 12 types of hackers

As mentioned earlier, HOPE takes place every two years (originally, it was spaced out more), so if you’re suddenly intrigued, you can mentally prepare to attend in two years time. HOPE is far from being the only hacker conference, though, so if you have any interest at all, you should look to local events, or other hacker events in locations you’re willing to travel to. They are out there, believe me.

Love making things? Go to a Maker Faire – an event that’s growing vastly in popularity each and every year, and has many events of different sizes spanning the globe each year. You don’t have to be an adult; and in fact, kids are an awesome target for these events, as it can inspire them to tinker – something we desperately need in an evolving landscape that sees lack of control shrinking each year.

You should never feel ashamed of being a hacker. Hackers are what make the world go around. Those people who code the world’s most trusted apps? Hackers. People who edit the source to fine-tune an application to their liking? Also hackers. Hacker is often an overblown term in the media, being assigned to anyone who defeats any system, even if the extent is superfluous. Media doesn’t want you to be a hacker, even though you certainly should be. It’s about taking things apart, not just to see how they work, but how they can be improved, too. Being a hacker is something to be proud of. I truly believe that.