I continue the series on my experience on Friday at The Last HOPE.
At 3 PM, I attended Wikipedia: You Will Never Find a More Wretched Hive of Scum and Villainy, a presentation by Virgil Griffith on his project WikiWatcher, an expansion of WikiScanner. WikiScanner, if you’ve been hiding under a rock, is the web app that traces any IP address or range, including corporate and government ranges, to the anonymous edits made from it on Wikipedia. All he does is take all the anonymous edits from the latest Wikipedia dump, buy a database mapping IP ranges to their owners and merge the two. Among other things, it has been discovered that the CIA edits Wikipedia, that an official at the Arkansas governor’s office edited Mike Huckabee’s page during his candidacy, that a Dutch princess removed links to a drug baron, and that (not unexpectedly) politicians and corporations police their own pages. Other tools Griffith recommends: traffic statistics, coloring text by trust level, and Vispedia, which allows graphing of everything on Wikipedia.
WikiScanner did have a few problems, though: it could be circumvented by editing from an account or from home (outside a corporate IP range). Thus he devised WikiWatcher, which features three tools: WikiScanner 2.0, Wikiganda and a third yet to be announced. WikiScanner 2.0’s main improvements are Poor Man’s CheckUser (PMCU) and Sockpuppetry. CheckUser is a tool that allows some high-level Wikipedians to see the IP addresses of users; the poor man’s version works from the fact that people sometimes forget to log in or have their sessions expire, post talk page messages under their IP addresses and then fix the signature a few minutes later. That fix is what links the IP to the username, and all of the links found are listed at PMCU. (It’s a long list.) Sockpuppetry, which is not yet available to the public, was demonstrated as well; it takes the PMCU IPs and simply lists the accounts sharing an IP, hoping to find “sockpuppets”, i.e., cases where one person has multiple accounts.
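The two joins Griffith describes (anonymous edits against a purchased IP-range table, and the IP-to-username link that a forgotten login leaks) as an added worked example in Python. This is not WikiScanner’s or WikiWatcher’s own code; the IP ranges, organisation names, edit log, talk-page rule and 10-minute window are all constructed assumptions. It also shows why the second join is a lead rather than proof: a quick reply by someone else, or an office NAT shared by several editors, produces the same pattern.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed range-to-organisation table standing in for the purchased IP database.
ORG_RANGES = [
    ("203.0.113.0/24", "Example Corp (constructed)"),
    ("198.51.100.0/25", "Example Agency (constructed)"),
]

# Constructed edit log: (ISO timestamp, page, editor, anonymous?).
# Wikipedia records anonymous edits under the editor's IP address.
RAW_EDITS = [
    ("2008-07-18T14:00:00", "Talk:Widget", "203.0.113.7", True),
    ("2008-07-18T14:03:00", "Talk:Widget", "Alice", False),      # signature fixed 3 min later
    ("2008-07-18T15:00:00", "Widget", "203.0.113.9", True),
    ("2008-07-19T09:00:00", "Talk:Gadget", "203.0.113.7", True),
    ("2008-07-19T09:02:00", "Talk:Gadget", "Bob", False),        # same IP, different account
    ("2008-07-19T10:00:00", "Gadget", "198.51.100.5", True),
    ("2008-07-19T11:00:00", "Gadget", "Carol", False),           # article, not talk: ignored
    ("2008-07-20T11:00:00", "Talk:Widget", "192.0.2.1", True),   # IP in no purchased range
]


def parse_edits(raw):
    """Turn the raw tuples into dicts with real datetimes, sorted by time."""
    edits = [
        {"when": datetime.fromisoformat(ts), "page": page, "editor": ed, "anon": anon}
        for ts, page, ed, anon in raw
    ]
    return sorted(edits, key=lambda e: e["when"])


def org_for_ip(ip, ranges=ORG_RANGES):
    """First range containing the IP, or None (the table is assumed non-overlapping)."""
    addr = ipaddress.ip_address(ip)
    for cidr, org in ranges:
        if addr in ipaddress.ip_network(cidr):
            return org
    return None


def anonymous_edits_by_org(edits, ranges=ORG_RANGES):
    """WikiScanner's join: anonymous edits grouped by the organisation owning the IP."""
    by_org = defaultdict(list)
    for e in edits:
        if not e["anon"]:
            continue
        org = org_for_ip(e["editor"], ranges)
        if org is not None:            # IPs outside the bought table cannot be attributed
            by_org[org].append(e["page"])
    return dict(by_org)


def poor_mans_checkuser(edits, window=timedelta(minutes=10)):
    """Link an IP to an account when a talk-page edit from the IP is followed,
    within `window`, by the next edit on that page from a logged-in user.
    Heuristic only: someone else replying quickly produces a false link."""
    links = set()
    for i, e in enumerate(edits):
        if not (e["anon"] and e["page"].startswith("Talk:")):
            continue
        for later in edits[i + 1:]:
            if later["page"] != e["page"]:
                continue
            if not later["anon"] and later["when"] - e["when"] <= window:
                links.add((e["editor"], later["editor"]))
            break                      # only the very next edit on the page counts as "the fix"
    return sorted(links)


def sockpuppet_candidates(links):
    """Accounts that share an IP in the PMCU table. Shared NAT (offices, schools)
    makes this a lead to investigate, not proof of one person behind two accounts."""
    by_ip = defaultdict(set)
    for ip, user in links:
        by_ip[ip].add(user)
    return {ip: sorted(users) for ip, users in by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    edits = parse_edits(RAW_EDITS)
    print(anonymous_edits_by_org(edits))
    links = poor_mans_checkuser(edits)
    print(links)
    print(sockpuppet_candidates(links))
```

On the constructed log the first join attributes three edits to Example Corp and one to Example Agency and drops 192.0.2.1, which no purchased range covers; the second join links 203.0.113.7 to both Alice and Bob, so that IP surfaces as a sockpuppet candidate even though, as the comments note, a shared office address explains it just as well.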
In a broader sense, security and data-mining get along great, Griffith says: take a single instance of a vulnerability and apply it across the whole internet. He then listed a few examples, including uncensoring PDFs (it’s quite easy to do, really).
While the talk was intriguing and the tools both controversial and useful, I expected a talk with such a title to live up to it; as it was, it did not. 4 / 5
At 4 PM, I attended Hacking the Price of Food: An urban farming renaissance, presented by “Bicyclemark”, a podcaster. He first outlined what an urban farm is (“growing food in an urban setting”, in the broadest sense) and described specific types. After noting a few issues with the present food situation around the world (shortages, high prices, protests, export bans, potential famines), he described the benefits of urban farms for cities, including food quality and health, and the drawbacks, including pollution and problems finding capital and space. Attention was paid mostly to community supported agriculture, in which people in the community hold shares in the farm, and vertical farming, a proposal (featured on the Colbert Report a few weeks ago, if anyone will recall) to create urban towers that grow food hydroponically all year. It may sound good, but it has never been built and there are serious doubts about its feasibility. The presentation was intriguing, but the topic wasn’t the best in my opinion. 3 / 5
From 5 PM to 6 PM I walked around a bit and dropped in on the last ten minutes of A Hacker’s View of the Freedom of Information Act (FOIA), which I did not see enough of to make a description or a rating.
At 6 PM I attended Undoing Complexity: From Paper Clips to Ball Point Pens, presented by Matt Fiddler, Marc Tobias and Tobias Bluzmanis, on a “systematic approach” to dissecting and disabling locks. Mechanical locks often appear secure, they say, when they really are not. As locksporters (the term benign lockpickers tend to use for themselves), they view locks as mechanical puzzles; more complexity means more vulnerabilities, and there are often design flaws that are never discovered. Locks are grouped into two categories: conventional cylinders, which are easy to pick and bump open with minimal, if any, resistance; and high-security cylinders, which must meet UL and BHMA/ANSI standards, are of higher quality, use patents and the like to control keys, and are resistant to forced and covert entry. They described their process of figuring out techniques to bump and pick open Medeco high-security locks, and found that it was much simpler and faster than should be the case for a high-security lock. Multiple layers of security, each being a point of failure, should operate independently, they emphasized. In addition, the standards for high-security locks do not contemplate more sophisticated methods of undoing locks, e.g., ones using non-approved tools.
The presenters emphasized that in attacking locks, much like attacking anything else (this is, after all, a hacker conference), the methodology involves assuming and believing nothing, thinking outside the box and always believing that there is a vulnerability. The manufacturers are falsely reassured by patents and standards, and there is a sharp dichotomy between security on paper and the real world; Medeco, in particular, was cited for a “failure of imagination” and inability to “connect the dots”.
Locksporting is to locks what white-hats are to computers: by finding and disclosing issues so they can be fixed before they are exploited, they improve security overall. Thus, in addition to presenting well, these people are performing a useful service. 5 / 5
I will be finishing my posts on my experience yesterday at HOPE with Part 4, featuring brain hacking, educational technology and the taxi system.
Tags: TheLastHOPE
Comments: 4 comments
bicyclemark
July 24th, 2008 at 4:56 am
3 out of 5, that pretty much sums up my academic career.
You’ll be pleased to know I’m tackling a tougher subject for the next hacker con in Berlin — the evil Soy Industry. It’s going to be HOT.
Andrew
July 24th, 2008 at 4:09 pm
Personally I would’ve just left the ratings out… he didn’t supply much argument that gives reason to the scoring he gave them.
Frank
August 1st, 2008 at 11:38 pm
The ratings didn’t have reason or argument because they were completely arbitrary and capricious and were made up at 6 AM on the Sunday I posted this. Thus, Bicyclemark, no offense should be taken by the 3 / 5 rating, especially considering that the presentation was a number of orders of magnitude superior to anything I could have done.