For Defcon 16 I had two talks selected. The first was, "How Can I Pwn Thee? Let Me Count The Ways" The second was a talk meant to get some things off my chest and hopefully get some things in the hacker community that were bugging me. The talk was titled "10 Things That Are Pissing Me Off, And What We Can Do About It".
It was schedualed for track 2 along with another 20 minute talk. Sadly these were schedualed to be right after Dan Kaminsky's DNS vulnerability talk. There was no way they could clear out 2000 people from the hottest talk of the con, then move 2000 people back in was not going to happen quickly. So the speaker goons decided to move both our talks to a smaller room and anyone interested could go there. The room we were moved to was a 50 seat Q&A room. A bit of a step down, but it needed to be done. As a result, not everyone who wanted to wanted to see the talk could get in, nor did I get the audience I had hoped.
Luckily Amanda, a documentary film maker, was kind enough to film the talk and post it to YouTube. The film, along with the following summaries of each of the things pissing me off should allow for an audience of similar size, and hopefully, the results I was looking for.
Open Office (.OPT) version of the slides
After trying to setup WPA-Radius using freeradius and OpenSSL I met with a huge amount of frustration. I was trying to setup EAP-TLS with certificate only authentication and for the life of me I could not get the damn certs to verify to the self signed CA. Even the built in freeradius demo script for generating the certs failed to verify.
This led me to think that if I can't do it, all the people I had been telling over the years that this was the way to be secure, probobly could'nt do it either. Leading me to then think about what the larger problem was with security documentation not being written for Joe Average, non-security engineer types.
I propose that if anyone is inclined, help to write a set of generic documentation that explains by example and common language, how Joe Average IT guy can grab a spare box, install a linux distro, build freeradius, generate certs and configure their couple of AP's for WPA-Radius in an afternoon.
Maybe the reason we don't see more of it is because the existing documentation sucks
Ideas Dying a Horrible Death
I have lots of ideas. Most of them I have little to no idea how to actually implement them. So rather than hoarding them and not letting them see the light of day, I want to share them more.
Example: A wedding photo download kiosk package.
A standalone software package that automatically downloads the contents of inserted digital camera memory cards so the happy couple can get photo's from everyone at the event. A kludged together version of this worked at my wedding and got an extra 1000 photo's that normally would have been a pain to get via emails, mailed DVD's etc. As a commercial product or just a standalone app would be a damn useful thing.
Lack of Tool Evolution
All too often, a tool comes out as proof of concept and then development halts. I run into this alot with wireless tools especially. Since I can't code, but I can bribe, I plan to post some of my tool evolution ideas up and reward patches or updates.
There are so many good and useful tools that need attention. They may be open source, but sometimes you need to give a good shot in the arm to someone and offer incentive to make these updates.
802.11n scares me. 40Mhz channels are going to cause a huge amount of headaches for 802.11b/g users since they will stomp all over the limited number of working channels. Other than making lots of money prolonging this problem and selling better gear, how do we in the industry who have to deal with competing networks stomping on our customers nets, deal with this soon to be problem.
I dont know. That's why I am asking you
There is a group of people in Santa Fe, New Mexico who claim to be allergic to Wi-Fi and sued the city to prevent installation of wireless in the public libraries under Americans With Disabilities act laws since it would exclude them from a public building due to their 'disability'.
I'm not discounting that there could be people with sensitivities to some EM radiation types, their targeted campaign seemed more like an attempt to keep a useful public service from being installed, much like campagined by incumbant wireless carriers. Through available wardriving data and a few thought experiments, you can see that this group cannot be just allergic to Wi-Fi. The guy sitting next to them with a bluetooth headset would probobly kill them by their own logic.
I propose a simple test. Those that are allergic can identify the types of transmitters involved and volunteer to enter a faraday cage with said transmitter in a box and simply tell me when it's turned on. They claim they can do this, but I cannot find anything publically. Until then, I propose a very simple solution. Take one roll of tin foil and apply liberally to the affected person. Repeat as nessecary.
Airline Rate Fluctuations
Airlines suck. Flying Sucks. It is however nessecary if you go to as many conferences as I do. I'm not happy when I see things like, a flight from New York to Edmonton Via Toronto costs less than a flight from Toronto to Edmonton, same day, same flight, same plane, same seat. Why is the shorter flight costing more? How is that legal?
Airlines are nickle and diming you for everything they can because they are bleeding cash at every turn. I just want to pay a reasonable amount for the flight and travel in realative ease and peace. Knowing that since I want to take a short trip will cost me more, as a consumer, should I not book the longer flight and just skip the second leg of the trip? If I want to fly from Los Angeles to New York for the cheapest fare possible and the cheapest way involves booking a flight that connects from NY to London, why should'nt I buy it and just not go on to London and stay in NY? This will cause the airlines no end of grief trying to track down missing connecting passengers, but then again, why should we pay more for the same seat on the same flight?
I propose a system to take publically available flight data and determine the cheapest way to book the same flight, even if that involves skipping a subsiquent connection. I just want to pay a reasonable amount based on expenses for the flight plus a reasonable profit. If this were the case, and airlines were'nt bleeding money by charging less for more, maybe flying would be a more pleasant experience.
There is too much security
If a vulnerability exists, does it make a sound? If a vulnerability in a program is not activly searched for by either side of the battle, is it a vulnerabilty?
Pushing the envelope to find new vulnerabilities and patch them before they become an issue is problematic in my mind. A researcher finds a string of new vulnerabilities and issues fixes for them, but in looking back, the exposure of the vulnerablities led to new viruses and exploits to be developed and abuse these holes, despite the fixes being issued. My question is, if the vulnerabilties had not been found, would that not have been better overall?
It's controversial to say, but I personally think there is too much cutting edge vulnerability research being done and the fallout from the exposure is greater than if it was left alone for a while. Research needs to turn around and look back and ask some questions. Why are 6 year old vulnerabilities still a problem? Why are the fixes they are coming up with, not being deployed as they should?
I propose that we stop research into exotic threats and spend a year or more looking at where we've been and how to solve the problem of people not patching, secure coding practices, and just plain or laziness and stupidity. The vulnerabilites are'nt going anywhere, but if we keep breaking new ground, all that will be behind us is weeds.
We Have No Skills
Hackers and security pro's tend to think of themselves as hot shots and know it alls. I know I do sometimes. In February of 2008, I was in Norway for a conference and went with about 8 other hackers to the Norweigan resistance museum. During WWII, Norway was invaded and occupied by the Nazi's. During the occupation, the resistance that sprang up to fight were some of the most ingenious and clever bunch of hackers I'd ever seen. At one point one of the guys with me held out his cell phone next to a home built radio and commented that the cell phone had billions more circuts than the radio in front of us, but how many of us could build that radio? The answer was; not many.
This idea got me thinking while watching a zombie movie; if everything hit the fan and there was a general breakdown in society and infrastructure due to whatever reasons (War, natural disaster, zombie infestation), what are the useful skills that would be missing from the group of survivors, and how could hackers prepare and have those skills handy to make ourselves useful.
The end result is my desire to have a talk or class next Defcon about hacker survival skills. I need you to contact me with ideas for what skills, outside the usual HAM radio emergency stuff or the Michigan Milita survival stuff that would be useful in an emergency for hackers to learn to make ourselves useful.
"I owe you a beer" or "You owe me a beer for that" are common phrases mentioned on the various forums and mail lists I'm on. We have a Beer economy with credits and debts that is very poorly tracked. I'm sure that there are hundreds of beers owed to me and I owe thousands. Our culture tends to operate on helping one another and trading these credits and debts and I want to make sure I pay back all those debts.
I suggested during the talk that we setup a beer tracker where one could have an account an enter in a ledger style, who they owed a tasty beverage to and link to the email, forum post or other event as evidence. The person could then print out a 'statement that listed all the beers they owed and were owed. After a con, other subscribers could indicate that they were paid thier beer and even out the debts.
It was pointed out to me after the talk that there are already such sites, but I figure the Defcon community needs one of our own that could be linked into the DC forums or website. I own Beer-tracker.com, so if anyone wants to setup such a system, feel free.
RFID id a cool technology but both sides are not working with a full set of facts. Both sides are making wild claims about capabilities and making it a big problem to have a civil debate about it's use. There were so many myths involved that I was surprised the Mythbusters stopped short of testing most of them. I asked Adam Savage about why they stopped short. I got one hell of an answer
I propose that the hacker community take a literal look at some of these theories and put them to the test in a Mythbusters style and post the results.