The Hacker’s Dozen HOPE

For a little bit this past weekend, I hit 2600’s HOPE XII (A Hacker’s Dozen).

I didn’t spend long enough time hanging out and exploring to really get into it this year, so my new learnings list is far smaller:

  • Qubes has a lot of cool features:
    • Discrete VMs for each app, and perhaps for each document or link you might want to open
    • The ability to intercept clicks on links so that you don’t accidentally click phishing links and can route which VM to send them to. So, technically, you could click on a link in your email client in one VM, and then capture that to open it in a completely separate throwaway VM where the other side won’t have your details from your client you don’t want them to.
    • sys-usb – an interesting way to control and route all USB devices you plug into your computer (as soon as you plug in a device, it’ll ask you what you want to do with it, and you can redirect it to a specific VM, if you so choose)
    • For very serious compartmentalization and anonymity, you can run Whonix inside of Qubes and tunnel the whole thing via Tor
    • If you really want to separate your Signal identity and be anonymous, or have multiple ones (which you can’t do on your phone because it’s tied to your phone number), you compartmentalize a Signal desktop with a Twilio number on top of a Qubes VM (!)
  • Kali is a Linux distribution specifically designed for digital forensics and penetration testing and comes with all the pen-testing tools pre-installed, so you can just run it off a USB stick.
  • Hologram and Particle are cellular connectivity platforms for IoT, like those you see in all those electric scooters: they all need an easy way to phone home cheaply and efficiently.
  • Four Thieves Vinegar Collective works to put out guides to making your own medicine, especially if it’s not otherwise available or if you can make it for far less money than you would pay (they’ve been eluding the FDA by only making guides, not actually selling drugs).

Towards the end of the first day, my friend Chad reminded me of an old-but-great Times article about a hacker gathering in the Puck Building in 1997. This gathering, of course, was the second HOPE conference: Beyond HOPE. (Be sure to click to step back into 1997 Lafayette Street & the Puck.) The article was about hacking the at-the-time newly released gold MetroCard – the only way to see if it’s secure and a threat to privacy “is to tear it down and see how it ticks”.

Disguised in his trademark red ski mask and a yellow Transit Authority baseball cap given to employees, Red Balaklava — who refuses to identify himself, for obvious reasons, but who showed his Transit Authority identification card to a reporter — gave a seminar yesterday summing up the progress thus far. Overcoming the now ubiquitous Metrocard is an issue of privacy, he insisted, not free rides.

”They can tell where you’ve been and when you’ve been there,” he said. ”All the information is stored on their computers. Does anyone here have a problem with that besides me?”

”Yes!” came the resounding reply.

Privacy was a major theme at the last HOPE I attended too: it hasn’t gone away or gotten any easier for any of us in the last two decades. With all the talk these days of where your data resides and who can do what with it, my favorite part came at the end of the article:

Katie Lukas, 20, of Brooklyn said she already had the best way to ”hack” the Metrocard.

”I use tokens,” said Ms. Lukas, who wore a beeper in the waist of her skirt. ”It’s the Transit Authority, you know. Anything that is going to store information at all and has the word ”authority” on it, I try not to use.”

How times have changed indeed.