At the end of July, I had the opportunity to attend an inspiring hacking conference in New York City. Organized by the 2600 magazine editorial staff, the HOPE Conference (for “Hackers On Planet Earth”) is an event held every two years in New York City for anyone interested in the world of hacking, IT and web security intersecting with the digital arts, electronics, robotics, amateur radio, and so much more. At the end of the three days, my brain was completely saturated by everything I learned from the talks, discussions and workshops I attended during the weekend.
I learned a little bit more about online privacy, data encryption, Internet of Things security (or lack thereof), data leaks, popular hacking cases currently on trial (the Ross Ulbricht/Silk Road-Dark Web trial) or recently released to the public (the Panama Papers case still being dissected by a worldwide collective of journalists and IT professionals). I encountered lots of interesting people (a sizeable delegation from Montreal and the province were attending the conference), and groups (the Electronic Frontier Foundation (EFF) gang at their booth and during their presentation, Ask the EFF: the year in digital civil liberties), and picked up valuable new skills (like how to protect ourselves from metasploits and malware with Python scripts). Overall, an incredible learning experience!
As a frontend developer, some acquaintances reacted strangely when I told them that I was attending a hacking conference. I got asked the obvious question: “Why? You aren’t a hacker, you don’t hack governmental or business servers for data and privacy!” Maybe not, but it IS my job to be aware of all the inherent security vulnerabilities that come up in my field so that I can be sure our clients’ products and websites are built in the most secure way possible. There are many examples: how to counteract possible server intrusions; how to code my forms to block SQL injections in our databases, and so much more. Understanding the security issues our backend team deals with makes me a better frontend developer.
My overall thoughts:
- The HOPE Conference has a very DIY vibe: while there were three rooms presenting many interesting talks, there was also a fourth room available for any attendee who wanted to improvise a panel or discussion session. For example, following the talk The Silk Road to Life without Parole - A Deeper Look at the Trial of Ross Ulbricht, Ross’s Mom gave an unpublicized talk about what it’s like to be a parent of a convicted hacker dealing with the American justice system. Very interesting indeed.
- Anyone could improvise a workshop, a panel or an activity during the weekend. The dealer's room had many sections reserved for testing your skills in lockpicking, with Segways, for building your hammock (nap time!), testing mate tea while discussing with fellow geeks and hackers.
- A very diverse crowd: you didn’t need to be a hacker to attend HOPE. Anyone who identified him[her]self as a hacker (a debatable definition), or anyone interested in the hacker culture and community could attend. If you have a curious personality, love tinkering with technology, trying to understanding its intricacies and failures, and trying to improve everything your hands and brain touch, then you could call yourself a hacker. In that way, I really felt welcomed at HOPE: I was included in the community right away because I had the curiosity and common interests shared by so many others there.
- Not all talks were technical/coding panel sessions: many panels discussed subjects such as online privacy, copyright infringement, the American justice system and law, sociological studies of diverse hacker groups (Anonymous, Women in Cybersecurity), etc. While some speakers focused on bitcoin, cryptography and TOR system, many talks focused on the hacker community: how to integrate with wider society (or live comfortably on the fringe); how to protect ourselves in an increasingly intrusive society that is less and less accepting of marginal and different behaviors; how to keep your curious mind strong and optimistic in an era of intensified online surveillance and repression of freedom of (alternative) speech.
Internet of Things (IoT) vulnerabilities
Continuing on the trendy subject of IoT (as I mentioned in my post on attending Smashing Conference NYC), HOPE’s speakers talked a LOT about the major vulnerabilities of these connected devices. Basically, any device connected to any network can potentially be hacked, their servers breached, and clients’ data leaked and sold on the Dark Web for a hefty sum of money. Just hearing the daily stream of reported exploits and vulnerabilities is enough to send most developers straight to the bar - to drown their security sorrows with a stiff drink (or ten). Luckily the hackers at HOPE aren’t the bad guys ready to exploit every possible loophole in the code. This was a bunch of good people with a strong conscience and code of ethics, ready to ‘save the digital world’ by pointing out these issues and trying to solve them, one vulnerability at a time.
Interesting panels on this subject
- 2016 Car Hacking Tools - description, video
- CAPTCHAs - building and breaking - description, video
- Hacking housing - description, video
- Medical devices - pwnage and honeypots - description, video
Online Privacy, Famous Cases and Leaks
Of course, nothing is secure on the Internet, as the black hat hacker community and governments all over the world keep “kindly” reminding us. There was a lot of emphasis on the word ‘privacy’: be it the rights to online anonymity or the right to digital privacy; data leaks and breaches (Panama Papers for example); the broken trust between major online companies (like Facebook, Microsoft, Apple, Google,...) and their users; companies abusing their users’ right to privacy by invading their private realms and over-asking their private info; un/conscious ways of intrusive data demands on users in different online services (PokemonGo app asking for rights to everything on your mobile device; or medical devices like pacemakers sending private data to online cloud servers on unencrypted wireless connections, making them discoverable and hackable). I must admit, I had a couple of moments of goosebumps and facepalms hearing about all these potential vulnerabilities.
Another interesting point was the number of American lawyers present during the events and giving talks, presenting their legal point of views on the hacking scene, public cases they heard or even represented. Many activists for civil liberty/civil right advocate groups also presented sessions on knowing your digital rights. While the Q&As were very informative, it was American-centric, focusing on their legal system, economy and culture. It did give us Canadians some food for thought about our own matters of online privacy at home. Since our digital economies are so inextricably linked, their issues are also ours.
There was also some great input on how to protect our sources (for journalists who want to protect their sources and whistleblowers); how to protect our identity online and browse on a more secure connection and anonymous way (from the creators and developers of TOR, for example); how, as a digital collective and tribe interested in the questions of equality, diversity, and curiosity, we can better improve our collective knowledge by sharing it to all, even the non-hackers (Cory Doctorow’s Keynote speech); and how it is still dangerous for white hat/ethical hackers to even report on major vulnerabilities of security issues to US companies (Sam Borne’s case with his lawyer Alex Muentz explaining how he was sued for reporting major security issues at a medical company).
Interesting panels on this subject
- When vulnerability disclosure turns ugly - description, video
- The Panama papers and the law firm behind it: shady lawyers caught with their pants down - description, video
- The Silk Road to life without parole: A deeper look at the trial of Ross Ulbricht - description, video 1, video 2
- Privacy, Anonymity, and Individuality: the final battle begins - description, video
- Ask the EFF: The year in digital civil liberties - description, video
Overall, the HOPE conference was an amazingly eye-opening experience. If you are a vocal advocate for IT security, online privacy and digital rights, a better-coded Web, and a more tolerant and open-minded hacker/makers community, you should certainly attend. I know I will going back in 2018, maybe I’ll see you there!
Videos worth watching:
- The Keynote address by Cory Doctorow - description, video
- How Anonymous narrowly evaded being framed as cyber terrorists - description, video
- Social engineering - description, video
- Now and then, here and there - description, video