Shmoocon, Day 1
A few weeks ago the HacDC e-mail list alerted me to the fact that Shmoocon was coming to DC. I had never heard of it before but it is one of the better known hacker / security conferences, and is strictly limited to 1,500 attendees. I then discovered that all the tickets were gone, and had in fact sold out within one minute of going online. But thanks to eBay (and their new Blackberry app), I was able to get a second-hand ticket.
Systems intrusion and computer security is not really my main area, but it is hard to resist a conference that encourages you to throw balls at speakers you disagree with and has a contest for the most creatively printed barcode. And by default I am the Chief Security Officer for SentryLink.
For those of you not on the East Coast, DC was hit today with one of the worst snowstorms in history. So getting to the conference was something of a challenge. The worst snowfall started tonight so I thought I could go to some afternoon sessions, mostly travel by Metro, and only have a short drive in the storm. This more or less worked as planned, though I was almost the only car out driving at 6pm tonight.
The opening session made the point that most of us do not use common sense in protecting our networks. We have password policies that aren’t all followed, computers are more interconnected than they should be, and a great deal of existing hardware won’t support upgraded security. I must admit that we certainly are guilty of that. One thing I am very glad about is that our servers are separate, both physically and from a network perspective, from anything in the main office. But the depressing fact is that a skilled hacker could undoubtedly find a way in. We try not to have anything valuable in our database, and the few things that might be use our own private encryption scheme, which is completely non-standard and separate from the database itself. Nevertheless there is always more that can be done.
After that slightly demoralizing but valid opener, the next talk was on GPUs (graphics processing units) vs. CPUs (central processing units). This is something that I learned about in my computer graphics course last year, and it is very interesting stuff. For tasks that can be broken up into lots of parallel pieces — not always easy to figure out — GPUs are incredibly fast. And they are very cheap too, as their evolution has been driven by computer games. And if you need to break into a system by running through every single password possibility, why yes, you can make that a parallel process very easily. It is possible to break 40-bit encryption, standard for many SSL sites, given a few hours. Scary. For more information on programming with GPUs, I recommend the CUDA site.
I was really looking forward to the talk on Economics of Cybercrime, but the weather prevented that speaker from getting here. So I wandered around a bit, and stumbled onto the room run by TOOOL, The Open Organization of Lockpickers. There were tables with padlocks, combo locks, and handcuffs, and people trying to get them open. One fellow loaned me a tool and showed me how to open handcuffs with it, which I was able to do within a few minutes — fairly easy and satisfying. Then there was a presentation on opening keyed locks. I couldn’t resist this one, so I paid $20 for a lockpicking kit and started trying various padlocks. This was harder than it looked. But after 10-15 minutes I was able to get an “easy” padlock opened. Then another fellow showed me how to open a combination lock.
I am sure that if I had to do this in the real world, I would be very very slow at getting a lock open. I am glad to know the basics though, and who knows, maybe it will be useful. The kit is very small and light, easy to carry around.
There is supposed to be two feet of snow on the ground by tomorrow morning. If that happens, I’ll be watching day 2 of the con through the free live video.
Visiting HacDC and DorkbotDC
A few months ago I learned about a hacker community located only a few miles from my house, HacDC. Tonight they were hosting the monthly meeting of DorkbotDC, another organization that I had heard about through the DC/MD/VA Robotics Group. I thought this would be a good way to see both of them at the same time.
Before the talk, I took a short tour of the HacDC space. It was a bit smaller than I expected, basically just a room, although I was told they have another room downstairs as well. (For presentations like tonight, HacDC uses the main worship area of the church where they are located.) They had some interesting looking equipment, oscilloscopes, an air soldering machine, a drill press, and a bookshelf of technical books. I took a few pics:
Then we had the DorkbotDC presentation. I was particularly interested in Andy Holtin’s Glance project. This is a guy who casts molds of gears, and explains it in clear terms. It was a fascinating demonstration of just how far you can go with a reasonable home studio. That said, I am not likely to be hand-making basic hardware parts. I would rather spend my time in other ways!
I was happy to meet Gareth Branwyn, Editor-in-Chief of Make: Online and the writer of their blog. He is based in Virginia and is a member of HacDC. He was very friendly and immediately gave me a business card when I introduced myself (foolish man!). I told him I was working on a SpeedVest mod, and he cautioned me that someone he knew had run into problems with finicky electro-luminescent wire. He offered to give me the guy’s contact information, which I will certainly use. I want to make sure the vest is robust enough for real use!
Membership in HacDC is $50/month. I am not sure access to the space is really worth that much, but if the next few meetings are this good I will likely pony up as a form of social contribution. It’s wonderful to find such a vibrant community next door.
Update: Gareth has blogged more details of the presentations here.
Making a Speed Vest
When I got volume 19 of MAKE magazine I saw a project that I immediately wanted to build. Called the Speed Vest, it is a cycling vest that shows your speed in glowing neon as you pedal. I like to bike and I wanted to start an electronics project, what could be better?
Here is a video of Speed Vest in action:
I figure this will look pretty cool on a group ride! But of course…there are some things I want to change.
- The right digit has only odd numbers, meaning that the precision is 2 mph at best. Not good, especially since the code provided always rounds down (!) — I don’t want my friends to think I’m slower than I already am.
- The vest electronics are attached by wire to the wheel sensor on the bike. If you get off the bike and forget to take the vest off, the electronics will tear (the authors say this has happened three times already).
For the first issue, I am going to try and see if I can get 0-9 attached on the right side without becoming too bulky. The authors managed 6 digits on the left (which is unnecessary given my speed, even downhill) so I am hopeful that I can get all or almost all of the 10 digits on the right side.
A partial solution to the second problem is to put a quick disconnect on the wire. But the ultimate way to go is wireless. Especially since I already have a wireless wheel sensor that does a great job: the one for my Garmin 705. I will cover the details in another post. The first version of the vest will be wired, but I am altering the design to leave the hardware serial ports free for future use.
thekanes.org relaunched!
We have owned this domain name since, oh, at least 2003. We had two pages and one photo. The site was hosted on Verio which quietly sucked out $25 a month for the privilege of being there, and offered nothing special.
I finally remembered this, and moved to GoDaddy. Only $5 a month and there are numerous free hosted applications available, including WordPress. So here we are. As a family we have numerous outposts on the web already, but hopefully this will provide a unified directory for them. The blog portion is useful for longer essays, and for logging engineering projects.