Tiffany Rad

Indy Hall, Coworking Space in Philadelphia, PA

2010-03-06T18:18:00.004-05:00

Just one block from Christ Church and situated in the upscale neighborhood of Old City, Philadelphia, amidst outdoor cafes and coffee shops, I squeeze my large New Englander we-get-more-snow-than-you (except for D.C. this winter) SUV into a parallel parking space between a Bentley and a beater 1970s hulking Chevy. Philly is interesting in that way; from block-to-block, neighborhoods change fast. Just this morning, Far McKon, Maggie and I engaged a stranger in a conversation of whether the Satellite Coffee Shop is in West Philly or South West Philly—the locals decided upon the latter by 50 ft.

I’m dropping in on the Indy Hall crowd this afternoon right after departing the Hive 76 hacker space. On the second floor of a loft space, I exit the elevator to a large sign painted on the wall, “Independents Hall”. However, this is not the Independence Hall where our Nation was planned just a few blocks away, but this one is where startup companies are being planned, developed, and grown into companies.

On a Saturday afternoon, Indy Hall’s conference room hosts a cluster of about eight men sitting at desks arranged in a coworking circle. Their mission: to get Google to bring Google Fiber to Philly. Fast at work talking and typing on their computers, Alex @alexknowshtml, co-founder of Indy Hall, took time out to give me a tour.

Indy Hall’s furniture consists of modern IKEA individual desks, but all desks are arranged in clusters where developers can work side-by-side with their coworkers and with other entrepreneurs who choose a group working environment over renting an office in solitude. When asked about the arrangement of the desk and the permanence of a few of the work stations, Alex said, “Every 4-6 months, we move everything around just to keep things new. Sitting in the same place breeds complacency; when you’re running a start-up company, mixing it up keeps ideas new".

The idea of a modular set of individual desks was clever. Just when you get used to the same coder or social media mogul sitting next to you every day, you may have a biologist or a hardware architect next to you tomorrow. According to the philosophy of Indy Hall, taking down walled barriers and moving around spreads ideas, intrigue and innovation.

I asked questions about usual organizational management: about $275-400/month for full-timers, less for part-timers, and there is a $25/day drop-in membership for out-of-towners or people who just want to drift through when they feel like it. Between the murals on the walls, the hang-out area with couches, glass tanks containing a rat and a turtle (respectively), video game consoles, and large pillows to sit on the floor, this was a fantastic co-working space in which the organizers have given obvious attention to the flow of ideas and co-working camaraderie in a dynamic business environment in which old ideas of managing companies and intellectual property are becoming stagnant. This coworking space keeps it fresh.

Visit to Philadelphia to see Hive 76, one of Philly's hacker spaces

2010-03-06T14:21:00.007-05:00

I might have one of the most awesome part-time jobs: I am setting up a 5,500 sq ft hacker space in Northern Virginia. I traveled to Philadelphia this weekend to talk with Far McKon, one of the founders of Hive 76. About a year ago, I met Far in the D.C. area and we talked about the idea hacker space. Of course, ideals are challenging to obtain, but some hacker spaces have come closer than others. Hive 76, profitable after only 8 months since it was started, is one of those.

I met Far and Maggie, from the Prometheus Radio Project, for lunch at the Reading Terminal Market. After living in the Seattle area for a year and enjoying Pike Place Market, I have pretty high standards when it comes to indoor public markets, but I thoroughly enjoyed the Reading market. If I lived in the Philly area, I would do most of my food shopping here. I was also interested to see that most of the shop vendors were Mennonites and Amish.

At lunch while I enjoyed crepes with Nutella and fruit (I have fond memories of Nutella from my days living in Oxford, England), we discussed ideas such as an international hacker space conference, an organization for helping new hacker spaces get started, and challenges with management, legal, and lobbying efforts with hackers spaces and those faced by The Prometheus Radio Project.

After lunch, Far and I went to Hive 76. It is situated in a large warehouse/loft space in Philly’s warehouse district, not far from Center City. Upon entering the building, I was delighted to find that access to the 5^th floor loft is via an old elevator that looks like it is straight out of the movie Blade Runner; for a moment, I envisioned Sebastian’s bio-engineering workshop apartment with his invented creatures--his hacker space. Entering the caged elevator room through two steel lattice doors and watching the old counter weights go by as we ascended, I was impressed with the engineering prowess of the well-oiled machines of the last century.

The space’s access is on the 5^th floor in a building occupied by artists. Upon entering the loft, the sparsely furnished entryway is accented with little more than a threadbare couch and a large steel frame cubical sculpture. Hive 76 is down the hall, and in contrast to the neighboring artists’ spaces with kilns and easels, this hacker space is comfortably full with tech equipment: laser cutter, cupcake CNC, server racks, a workspace area for computers, and tables for projects. Christmas lights strung from the high ceiling reminded me of the hacker’s workshop in the movie Sneakers. As I sit here writing this blog posting, I have a great view of Center City, Philadelphia.

Far and I discussed some models for hacker space physical and business organizations: this is why I came. With my huge hacker space (perhaps the biggest in the U.S.) being planned for a grand opening later spring/early summer of this year, I have a lot of work to do to learn from other hacker space organizers to share what works and what doesn’t. I’ve visited a handful of other spaces, and collectively, I have graciously been afforded the opportunity to talk one-on-one with the founders about their successes and failures. I hope to replicate the former, not the latter.

Some of the discourse we’ve shared: the hacker space size, equipment and memberships should be commensurate to community in which it is located to facilitate success; membership, ideally, should pay for most if not all of the space overhead costs; a national hacker space organization (with Founder conferences and a data base of shared technical, management, and legal resources) would be very helpful in helping manage existing hacker spaces and facilitate start-ups of new spaces; a hacker space in which co-working/hacker start-up companies can rent full-time locking office space that is physically connected to the hacker space. (Image is of an old typewriter being turned into a keyboard for a computer)

@h3inous, Leah Kubik

2009-09-18T23:42:00.006-04:00

If you were on Hackers on a Plane and attended Hacking at Random in The Netherlands, you knew Leah Kubik, @h3inous. She had a tragic accident at the University of Toronto and will be missed in the hacker community.

Her funeral is Saturday, September 19, 2009 at Palmer Funeral Home-River Park in South Bend, IN. Flowers for the service have been sent from the Hackers on a Plane participants. The card with the flowers says:

FROM HOAP:MITCH,MATT,BERNIE,M,STERNN,ZIMMER,BERT,SHARDY,PHOSGENE,DAVID H.,DANIELLE,SIDNEY,VYRUS,NICKY,ERIC,MIKE,DUCK,STEVE,KRIS,DAN,JAMES,TRAVIS,FRIENDS,JOHL, DAVID B.,TIFFANY,OKKIE,CHRIS.J.,GUCKES,NIKITA,NICK.

2600 Meeting Tonight

2009-09-04T15:03:00.001-04:00

There will be a 2600 meeting at the Maine Mall tonight at 6 PM in the food court. We might move from that meeting spot to a restaurant in the mall area with better food if the group wants to. If you miss us and are coming, please e-mail tiffany at elcnetworks dot com or direct message me on Twitter @TiffanyRad.

Tonight I'll be going over the slides from the Black Hat and DEFCON presentations. We'll also be giving you an update on the status of car hacking with The OpenOtto Project. Lastly, we'll be talking about the status of HackME, Portland, Maine's proposed hacker space. If anyone else has projects or hackerish stuff to share, please do!

I'm hoping that some of my computer science students from the University of Southern Maine will be showing up and share some of their stories about their trip to Las Vegas for DEFCON.

See you there.

OpenOtto Project at DEFCON 17 and Black Hat USA 2009

2009-07-13T22:45:00.007-04:00

The OpenOtto Project is doing more presentations. We had/have a lot of conference presentations this summer. The photos (photos by Brian Turnbull) are from Intridea’s HackOn (un)conference that was held June 18-20^th in Portland, Maine. After co-working with Intridea on Friday, Nothingface and I did a presentation about the current state of the OpenOtto Project on Saturday.

We also just secured presentations at Black Hat USA 2009 and DEFCON 17 in Las Vegas. Our Black Hat talk will be with me and Travis Goodspeed. Travis is working on the layout so we can progress toward releasing the schematics, source code and producing the first demo. We're doing a presentation at Black Hat in the open source project break-out session on Wednesday, July 29, 10:00 AM, Genoa room, 3^rd floor at Caesar’s Palace.

The DEFCON talk will be on Saturday, August 1, with Skytalks, skybox 303 at 10 AM, The Riviera.

Please come see us and talk with us about hacking your car! We’re looking for funding and developers.

The Pirate Bay ship sails on the 4th of July

2009-06-16T23:52:00.004-04:00

There is a plan to turn our pontoon boat into The Pirate Bay boat for a 4th of July boat parade and decoration contest. This year's theme: "What Freedom Means To Me".

I don't think The Pirate Bay boat is what the homeowners association on our Maine lake is expecting, but we want to do full pirate regalia. We're going to make a Pirate Bay flag, we'll hand out "Steal This Film" to the judges for bribery (we're pirates after all, right?) and we'll make some No-RIAA and No-MPAA signs.

In addition, although a more difficult acting part to fulfill, we need someone to come in costume as an RIAA executive. We will have a plank ready, but we probably won't make you actually walk the plank. Somehow, this stunt might also be a good use for some RIAA toilet paper from Jinx someone gave me as a gift, but still pondering its uses...

Either join us as an RIAA executive or join the pirate movement!

2600/HackME Meeting Tonight

2009-05-01T16:13:00.003-04:00

After a few months of first fridays attendance at info sec and hacker conferences, I am going to be at this meeting tonight, 6 PM in the food court at the Maine Mall. The hacked car will be in mall's parking lot, but I don't know if Nothingface remembered to bring the hardware to do a demo. If you're in Portland, please join us for a recap about the Notacon hacker conference that was in Cleveland, Ohio a few weeks ago.

Federalization of Cybersecurity?

2009-04-06T00:11:00.004-04:00

There's some new legislation on the horizon that will change what many of us in cybersecurity do and also determine if we can continue working in this field. It will require anyone working in "cybersecurity" (yet to be defined what that actually is) to pass an exam administered by the feds. In addition, not only will a lot of private computer security be federalized, but they are creating an Office of Cybersecurity. This doesn't sound like a great idea to leave cyber security to the feds or to highly-regulate private companies working in this field. Remember what happened with TSA when airport security was federalized? Is TSA is really working well?

Senator Snowe, one of Maine's U.S. Senators, is on the committee for this new legislation. I'm surprised she's involved with this legislation because tech is not really her thing. But, hey...our other U.S. Senator, Susan Collins, came up with the first American thought crimes bill to stifle home-ground terrorists rallying support on the Internet. Maine also has proposed a law that makes staring at someone in an "aggressive" sexual way a crime punishable by time in jail--another pre-crime bill. How is this possible in a liberal state that boarders the "live free or die" state?

Regarding this federal regulation and exams, I'm curious as to what the exam would include. Would real-time pen testing be included? Will all computer security professionals have to also know requisite laws, too? I've had to take a plethora of professional and entrance exams and I've never believed this accurately tests someone's abilities. Learning how to B.S. your way through those exams is a skill that test-prep programs teach for a high fee and a skill one inherently gains from having to do a lot of them. From my experience working in and around the computer security industry for a decade, I don't know how well some of my friends would fare on this type of exam; however, but I'd trust them to protect all of my personal electronic data and the key to my DNA!

Also, from my experience teaching in high-learning institutions for five years, I know a lot of people in computer science or information technology who can do amazing work and projects, but if you ask them to take a timed test that's primarily reading and writing as most standardize tests seem to be, they would fail. There are a lot of people in this industry with different learning styles (like Asperger's) and I fear our legislatures on Capitol Hill would leave so many by the way-side if they write an exam to test everyone in computer security.

If our legislature cannot consistently understand technology enough to pass laws that are current for our industry, how can we trust them to test us and determine who's good enough to work and who isn't? Our industry should first make the law makers show us that they are capable of learning and competently understanding computer technology before we give them the power to regulate us. I don't think they are there yet.

In my opinion, what is needed is more funding for the federal anti-cybercrimes programs that already exist (as the Commission for Cyber Security for the 44th Presidency recommends), recruit and retain better people to work for government, and provide more support and communication with the private sector already doing a good job in computer security.

What should the OpenOtto demo car NOT be

2009-03-27T22:42:00.007-04:00

Rob T Firefly suggested we get a DeLorean for the OpenOtto demo. Awesome idea! Love it. If we come across one, we'll make a go for it.

However, here are some suggestions of what the demo should NOT be. Although they might attract more girls to the computer hacker scene, these cars are not cool.

Even though the guy with the 89' Oldsmobile Cutlass Sierra Louis Vuitton Limited Edition looks pretty fly, this doesn't quite say, "Give us VC funding, please" but, instead, "I'm a bad knock-off."

The Ferrari...it's just so wrong. This doesn't say, "I'm so hot, give me a speeding ticket," as Ferrari's should, but, "This is my teenage daughter's car." Instead, this is the Ferrari OpenOtto would be willing accept as a donation to the open source project. If you've ever ridden in a Ferrari and driven so fast along winding mountaintop roads in Italy that there is FIRE coming out of the tailpipe and you're pinned into the racing seat, you'd understand why my vote is for a sports car. I like fast cars that go boom.

The last picture is one I took of a wimpy Jeep Liberty on my driveway during mud season. Indeed, it took TWO Land Rovers to tow out the Liberty. No wimpy SUVs--this is a going-to-the-mall car. Thank goodness it was a rental. It had mud coming in the doors by the time we got it out of there. I was told that, when it was returned to the Portland, Maine airport car rental office, the guys receiving the car stood in disbelief as they saw the mud on and in the car. Instead, we vote for an H1 as our off-roading vehicle demo car. If we can't have that, we'll stick with the 2003 Land Rover Discovery it's in now because it really can go anywhere. In fact, we've taken it there and back.

If OpenOtto could have a demo car, what should it be?

2009-03-26T22:49:00.003-04:00

We’ve been watching Knight Rider. (Actually, we have been since the 80s, so that probably dates us.) We’ve recently been having some fun debates about a dream demo car for OpenOtto. Of course, we’re just scraping by now and absconding with junk parts from cast-offs and running OpenOtto on a 2003 Land Rover, but if a dream could come true, what would be the coolest car OpenOtto’s software and hardware could control? Would it be an off-roading SUV, a sports car, or a muscle car?

Because Knight Rider was an inspiration, one of the demos has to be an American muscle car. There will always be some who believe the original Knight Rider¸ a 1982 Pontiac Firebird Trans Am, will be the only true KITT. If you ever wondered if KITT really had a blood analyzer, Ski Mode, or an electromagnetic field generator, here are all of the technical specs for KITT from the 1980s series. We should have attended the Knight Rider Festival last week in Las Vegas. Both the new and old KITTs were demoed along with hobbyists displaying their tribute cars.

The new Knight Rider series features a Ford Shelby GT 500 KR Mustang. With Val Kilmer as the new KITT voice, the car sounds and looks HOT. If you want to keep watching the new Knight Rider TV series, you must be proactive and sign a petition to keep the show going. Why not? It’s cooler, hacker-ish, and more techie than the dozens of boring doctor and lawyer shows now on prime time TV.

But one thing is for sure, when we do professionally demo a car controlled by OpenOtto, the developers must wear their Michael Knight costumes. (Sorry, these hokie things are part of what start-ups make their employees do). But I think I’ll opt for Daisy Duke’s outfit even though the 1969 Dodge Charger General Lee always seemed to be broken down, didn’t it? KITT would leave General Lee in the dust and then go on to hack some wicked encrypted world computer networks any day! Hack on, KITT!

SOURCE Boston 2009 – Part Four

2009-03-22T23:15:00.006-04:00

The second day started with getting up “early” so I could see Christofer Hoff discuss the vulnerabilities associated with outsourcing your prized possessions to cloud computing networks. It was definitely worth dragging myself out of bed. Chris is another AWESOME presenter. Peppered with a few early morning f-bombs (which, according to one of my students, is KEY to getting venture capital financing [?]), it was a riveting presentation and had visually appealing slides. I can take guidance from his method of presenting when he spoke to Twitterers in the crowd declaring that none of his 75 slides contained more than 160 characters per slide (and eerie, cool pictures of frogs). Most significantly, what I took from his presentation were some ideas about securely storing and accessing intellectual property from cloud computing networks. Some of those ideas I abstracted into search and seizure principles and incorporated some new research ideas into the CFP abstract for Brucon which, incidentally, was submitted at a witching hour Sunday night by me and my research partner, Myrcurial, in Toronto. Thanks for the inspiration, Chris!

Later that day, the disclosure panel was one of the talks I really wanted to see at Source. I have done research on this topic and was delighted to hear Ryan Laraine asking Dan Kaminsky, Ivan Arce, Dino Dai Zovi, Alexander Sotirov, and Katie Moussouris debatable topics such as:

· What’s enough time to give the vendor?

· Should there be a partial disclosure committee to prevent the purgatory Kaminsky endured with his DNS bug?

· Should there be civil liability for companies putting out insecure products?

· What about disclosing security vulnerabilities that effect devices where lives could be at stake?

· What if people discover vulnerabilities in safety-critical software such as in cars?

o What if someone reverse engineers the protocols in cars and hacks car computer networks? (gasp!)

These are all topics I have researched and debated with my colleagues. That’s another blog posting, but I was delighted to see some independent researchers debating this issues along side representatives from large companies. The resources and vulnerability response time small and large companies can respectively allocate toward patching a vulnerability is significantly different and was evident in the way the panelists answered these questions.

I left the panel after an hour into it so that I could show off OpenOtto’s hacked car computer that was in the garage of the Seaport. (I had to silently laugh and saw Dan steal a glance at me in the crowd during all of the hacked car computer discussion during the disclosure panel when, all along, there was one sitting in the hotel’s garage! The “what if” discussion is now moot.) I drove the hacked Land Rover to the Source conference to share this open source project with some like minded hackers like Joe Grand and Travis Goodspeed and demoed it before Joe left for the airport.

I showed Joe and Travis how the OpenOtto team reverse engineered the protocols in car computers allowing us to access any car’s computer. Automotive networks follow an OSI model, so OpenOtto was designed to be like an operating system for the car—all developers have to do is write high-level applications on top of the stack and they will operate with the car’s computer using OpenOtto hardware and software.

Source was the debut of OpenOtto’s prototype board which successfully outputted a handful of performance characteristics to a laptop connected, via the prototype board, to the OBD 2 port. This is more than a scan tool and can be used to tweak performance and output A LOT of real-time parameters about the performance and error codes for all cars. This particular prototype board could output 1 of 4 of the ISO 9141 physical layer. In a couple of weeks, a device will be complete that will run all 4 physical layers using an ARM processor. (Note: At the conference, it was MOST car computers except for GM, Ford, Chevy and cars newer than 2008, but soon it’s EVERY car. Only 1 of 4 physical layers were done at the conference, but all are being done now).

After the disclosure panel, I dumped my computer equipment in Dan Kaminsky’s room and went to join him, Travis, Ian Robertson and a co-worker from RIM for dinner at the Atlantic Beer Garden. I/O Active’s party with free drinks and food immediately followed, so we stayed there until almost closing time. From there, we went to Lucky’s Bar until that place closed. At that late hour and with the Rover on almost “Empty”, I doubted I could safely find a gas station open at that hour, so I decided to stay in Boston until dawn.

We didn’t get to see Dan Kaminsky, savior of the Internet…in his super hero tights, but we did finish the night by getting my computer equipment and busting in on Dan in his hotel room while he was dorking out on his computer just a few hours before he had to catch a flight somewhere. From there, I was happy to crash for an hour of sleep on a couch in a suite before I had to drive back to Maine at the ungodly hour of 5 am. (Thank you, suite host, for your hospitality, your pillows, and your duvet.)

Until next year, thanks SOURCE Boston organizers for making it such an interesting, informative, and fun conference!

(Picture, by Travis Goodspeed, is of OpenOtto's demo board on the upper left corner on console. Toy Story Alien is not part of OpenOtto)

SOURCE Boston 2009, Part Three

2009-03-18T15:14:00.007-04:00

Later during the first day, two of my friends, Dan Kaminsky and Travis Goodspeed, were presenting at Source, but at the same time! Similar to the only two higher-education talks, either I had to make a tough choice or do a 50/50 split which is what I did—I started with Travis and finished with Dan.

Belt buckle! When I think of Travis, this is what comes to mind including the word and the philosophy behind “neighborly” which is what Travis truly is. In addition to having established a reputation for the party mode on his belt buckle in the shape of Tennessee (the only neighborly state, he says) and having notable people holding the belt buckle (anywhere BUT as a belt buckle), he’s one of the most brilliant hardware hackers I’ve encountered. If there is a hardware device that can be sniffed or fuzzed, you know that Travis can do it. Want to talk about hacking the Clipper Chip encryption? Travis is probably already working on it.

His presentation at Source was about how the private sector or governments can use wireless technologies for good applications. One interesting example is having smart land mines that will only turn on during the advance of an enemy and can turn off or be signaled to self destruct after their need is over thus eliminating the danger of live mines. I caught the beginning of his presentation and then ducked out half-way through to hear the end of Dan’s. What I missed was Travis discussing new exploits on the TI chip. I’m eagerly waiting for more info. about this on his blog.

Dan Kaminsky is best described as a mix of brilliance and “let’s get this party started” when you see those horns thrown up. There are numerous articles describing his DNS vulnerability research and discussions about how he handled it using partial disclosure, but for someone who described how he “broke the Internet”, he is exemplary for giving vendors time to fix it and showing them how. When I describe to my computer science students the kind of hacker that’s actually doing something about making stuff more secure and not just trying to find the next big vulnerability to boost his credibility in the community, Dan is it. Humble, friendly and one of the best public speakers I’ve ever seen, he’s able to engage the audience about something as specific and technical as DNS for a full two + hours. His analogies are also legendary. Seriously, how many technical people do you know who can do all that? If he can describe DNS to his grandmother, he can tell you (the US government, SysAdmins, and your company’s recalcitrant IT guy) why it’s a big deal and you should patch today. No, really yesterday.

The first day of sessions ended after Dan’s and Travis’ presentations, but the day didn’t end there and went long into the evening. I met a group of other conference attendees at the Atlantic Beer Garden for dinner. From there, we went to the Source party which included techno, strobe lights, and a smoke machine like any good hacker party should! I got to meet some of the other (five, I think!) women at the conference including Stacy Thayer, conference founder and organizer. Dan Guido’s potato made some rounds and got decorated with feathers, signatures, and carvings. When that party wound down, I joined Travis Goodspeed, Dan Kaminsky, Marty Roesch, Jennifer Steffens (from I/O Active) in a quest for a mythical party at MIT, but ended up closing the bar, appropriately, at The Miracle of Science in the MIT vicinity with Dan and Travis.

(Photos, taken by Travis Goodspeed, is a screen shot of tcp dump output from the network on the OpenOtto Project Land Rover at Source. Right now, it's running on a laptop on the dash, but we're scrambling for cash to buy a touch screen dash mounted monitor.)

SOURCE Boston 2009, Part Two

2009-03-17T11:06:00.008-04:00

From Dan Guido’s presentation, I went to Marty Roesch’s talk titled, “From NASDAQ to the Garage with Open Source: Sourcefire’s Experience.” Not only is Marty a fantastic speaker, but his experience with open sourcing Snort is the best example I can find answering the question of how a company that embraces sharing code can be successful.

I am constantly asked by investors: “Where is the money with open source/free software?” Instead of my usual retort which used to be, “RedHat”, I’m now going to say, “Sourcefire!” Marty’s open source release of Snort’s code is a great business model and better in the sense that it’s applicable to companies that do not have as much of a service component to generate revenue but who want to produce a product. There is significant value in putting out a box containing your code that’s akin to a plug and play device as opposed to downloading the open version and having to have more of a technical background to fully make use of all of the features.

There is is also value and, as Travis Goodspeed would say, a neighborly interest in sharing your code and hardware designs to spark innovative products that will work with your code and, hopefully, foster something akin to an industry standard if you’re lucky. If not that lucky, you still have a product that a lot of people are using which creates a built-in user base, contribution to bug reports (and, I argue, better security because of this) and a reputation based upon a community that cares about quality code and hardware design.

Later that night at the Source party, I spent at least an hour talking with Marty about other lessons learned about organizing and funding an open source company. One of the most important aspects about which we both agree is the necessity to defensively patent. I know that many in the open source/free software community don’t think that patents are useful and are the antithesis of open/free releases, but if you talk to Marty about how a patent troll almost messed up their IPO, you’ll see how unethical patent attorneys buying up IP at fire sales are part of the problem with the patent system because they inhibit innovation and entrepreneurship. I know of a few companies this happened to and they ended up going out of business as a result of patent trolls. My advice to entrepreneurs with open source/free software: Patent and then license with GPL version 2! Defend yourself against evil trolls.

(Photo is of Travis Goodspeed doing a demo at SOURCE Boston using hypodermic needles as oscilloscope leads to sniff a Zigbee wireless sensor’s SPI port. Wireless traffic relies upon an encrypted key being sent to the CC2420 radio chip and tapping two pins [see Travis’ detailed photo] exposes the key)

SOURCE Boston 2009, Part One

2009-03-17T00:03:00.008-04:00

Recently returning from Source Boston 2009, I am still basking in enlightenment and the excitement of meeting brilliant computer security professionals in the relaxed, small atmosphere at the Seaport Hotel. Without fail, I’d sit down at lunch or in the lounge and be discussing computer architecture or be debating how information security professionals can improve their craft.

After a high speed dash in the snow from Southern Maine to Boston, I just made Joe Grand’s presentation and didn’t regret white-knuckle driving. Joe was a co-host of Prototype This on the Discovery Channel. Who wouldn’t want his job?! Having a hacker space warehouse near the water in San Francisco with a group of buddies making stuff—how cool! However, hearing about the behind-the-scenes difficulties that the viewers didn't see was informative. With only about $13,000. in cash per build which was to take two weeks, after knowing this, I have even more appreciation for the engineering feat with which those guys pulled off those builds. What would you do if you had Joe’s job and the producers wanted things that had never been done before, for a little amount of cash, and in two weeks? Sounds like a lot of stress, but beautiful stress. If I had his job, I think I’d have long days—some frustrating when my stuff didn’t work—but I’d go to bed every night thinking, “Yes…I am paid to tinker with stuff in a workshop that’s every geek’s dream--life is good!” By seeing Joe’s enthusiasm and broad smile when he’d describe the design and build stages and his co-host team, I suspect he feels similarly.

Right after Joe’s presentation, I went to hear Dan Guido from NYU/Poly present on “So You Want to Train an Army of Ninjas...” The way in which he has added penetration testing into a traditional computer science curriculum is exemplary and a model I hope to adopt for the University of Maine’s computer science curriculum. Teaching about the importance of engineering security from the first line of code to the final testing phase is crucial to providing computer science professionals with the skills they need to compete in this competitive employment environment and to responsibly design better software and hardware products for the market.

I’m tired of hearing about ridiculous vulnerabilities that were the fault of a lazy software engineering where the most important aspect in the design was, “Does it work?” Going beyond just making the code work is what Dan teaching his students. By hands–on methods teaching students how vulnerable stuff can be broken and then learning how to fix it, he’s not only teaching them about what happens if you design broken crap and its vulnerability is exposed, but consequences if you’re the one who put the crap out there in the first place. Better yet, he has released all of his course materials online to share with anyone interested in creating a better computer science curriculum. Thank you, Dan! As a side note, he has also started something of a crazy tradition at Source Boston (or so he told me!) with a potato being passed around. Dan Kaminsky (in the background in photo) got it next. Ah, the fun of hanging with the techie crowd—it’s funny that after hours the humor is often associated with anything BUT technical things. But I still don’t get it—why a potato?

Strong Patent Protection? FTC Public Hearings and the EFF Challenging Patents

2009-01-19T16:46:00.015-05:00

The FTC is holding public hearings on the 11th and 12th of Feb., 2009, in Washington, D.C. The discussion topic will be whether patents and other strong IP protection and licensing stimulates or stifles innovation. Whether or not I attend the hearings, I'm going to submit a comment that will go on the public record.

The FTC's solicitation for opinions is as follows: "In an announcement, the FTC said: 'Changes and proposed changes in the law, together with evolving business models for buying, selling and licensing IP, could significantly influence a patent's economic value and the operation of the IP marketplace. The hearings will consider the impact of these changes on innovation, competition and consumer welfare.' It added: 'The commission seeks the views of the legal, academic and business communities on the issues to be explored at the hearings.'"

Other significant IP news is that EFF is getting some great work done by having some patents re-examined and possibly overturned. It's extremely difficult to have a patent reexamined after it has been issued, so I applaud EFF's efforts.

2600 Meeting Tonight

2009-01-02T12:33:00.002-05:00

2600 meeting at the Maine Mall food court tonight. I think we'll be meeting at 6 PM after the next issue of 2600 Hacker Quarterly comes out with the time change from 5 to 6 PM published in the meetings section in the magazine, but until more people are alerted of the time change, I'll be there at 5:30 PM today.

Discussion with Nick Farr, HacDC

2008-12-09T22:46:00.003-05:00

I was in the D.C. area in late November and couldn’t resist stopping in to meet the HacDC guys and see the space. The evening started with Nick Far r inviting me to a DorkBot presentation at George Washington University. Alden Hart, CTO of Ten Mile Square gave a great presentation about his LED projects. This was one of the most comprehensive technical presentations I’ve seen that encompassed everything from where to buy the parts, where to ship the PCBs for fabrication, to discussing details of the software and hardware designs. I'm thrilled he's going to release his hardware designs as open source.

From there, we went to Froggy Bottom for sub-par pub food, but like most hacker group outings, the company was what was outstanding. Late—sometime around 11PM—we wrapped up the dinner and a group of us went to Nick Farr’s apartment (he has CASES of Club-Mate!) and then to HacDC. While we were there tapping into his Club-Mate stock (entire fridge full of it, too), out of his closet he pulled out a really old computer with an acoustic coupler. I’d never seen one that old because back in the 80s when we had 30+ phone lines going into our suburban D.C. house, we just had racks of slow modems, but none had couplers. He’d salvaged it for hacDC.

On the ride over to HacDC, I was able to ask Nick specific questions about the organizational structure, management, and financing the space. Because I was driving, I wasn’t able to take specific notes as I was when I talked to Far of Hacktory, so don’t take this verbatim—especially the costs.

I first asked Nick about the name. It includes “hac(k)” which, in my experience with some hacker spaces, is a turn-off for some participants. Maine’s hacker space is struggling with this, too. His response: if they don’t like hack, then they don’t really understand what we do here and this might not be the best organization for them to join. He said that “hack” in the name clearly separates the organization from other group work spaces, like co-working. However, he also said that some members solely have numbers assigned to them because of the need to remain anonymous because there are still some businesses that shun associations with anything related to hackers.

The space was amazing! So far, this is the most complete hacker space I’ve seen. What’s also interesting is their location. A church has rented out space to non-profits and hacDC has a loft space. One side of the space is all shelving for storage and it’s packed. I saw some old payphones, an old PC being used as a ballast for a huge rotating white board, five Geiger counters (which I relished being able to play with), table saws, old modems, and tons of computers. Tables are in the middle of the room to be used for projects and Tim proudly told me, “We even have our own bathroom!” as he gingerly took some drinks out of the fridge.

We discussed that they only have one fee structure which is about $40/month and have around 40 active members. For a large city and even larger technological suburbanite community, I understand how they can draw so many members. They have also started hacker-theme movie nights and will be offering educational classes. It seems as if they have weekly events which is very cool they can do that. I cannot wait to go back to hacDC during Shmoocon, the next time I’ll be in the D.C. area. That seems like an awesome place to be during the conference evenings. Love it, love it!

We Won Venture Capital Pitch Contest!

2008-12-08T00:07:00.006-05:00

The venture capital pitch competition was held last Thursday night at Pace University’s Business School in NYC. What a fun event! I started the pitch about something that most people like, fast cars and computers. I used Knight Rider as a theme for the pitch. I then briefly outlined the technical capabilities about what it can do now and what it will do with some VC money when the prototype is built-out. Slides with more technical info. were shown behind me as I described how the team did it and what we’d like to do with it in the future. During the Q&A, I addressed how much money we’re looking for ($30K just to build-out the prototype).

The majority of the judges were VCs and one like it. I met with him the following evening along with the President of a car computer company that has related, but not similar, products. They liked the idea and said the market is huge, but didn’t like the reverse engineering and brute forcing the protocols that we’ve done. Although that has been a valid and legal business model in the past (Compaq did it to IBM), the VCs want it done with licenses and defensive patenting. We might be able to do it like that as long as we don’t lose the open source/free software platform. We’re talking.

Finalist for Pace University Venture Capital Pitch Contest

2008-12-01T23:22:00.006-05:00

We made it! OpenOtto is a finalist in a competition for venture capital financing of a new product. I'm off to NYC for the Thursday night presentation. I've been busy working on the presentation, but here is the winning pitch that got OpenOtto into the finals:

"You don’t have to be David Hasselhoff in Knight Rider to have your car talk to you. OpenOtto is a platform for developing vehicle aware products for the consumer and industrial markets. While it will not ask you how you’re doing this evening, most people don’t realize how much information your car’s computer can tell you. OpenOtto consists of a hardware interface to your car's OBD II connector as well as an extensible software platform for communicating with all networked electronic devices in the car. Designed for flexibility and scalability, it is easily expandable to future vehicle capabilities.

OpenOtto consists of two products targeted to different markets. The first is a car computer that acts as an interface between your car's computer and a 4" x 8" touch screen display that attaches to your dashboard. The interface shows easy to understand graphical output from your car's computer including, but not limited to, standard OBD II output: coolant temperature, engine speed, oxygen sensor readings, and emission related trouble codes. Advanced features include outputting suspension control, anti-lock/traction control, and air bag status.

Additional safety and security features include a remote start and kill feature for anti-theft or convenience, display warnings to users when the transmission begins to fail, individual wheel speed indicating wheel slippage, and real-time engine performance monitoring.

The second product is priced lower for the general consumer. It includes the ability to attach any cell phone with GPS to OpenOtto. Once attached, the car's computer will text message someone (e.g., a parent) if the car exceeds a certain speed and GPS coordinates will be texted, and call 911 if airbags deploy (no proprietary subscription necessary).

Safety and security is important and built into the computer engineering designs. Some features will be access controlled and transmission of all sensitive data transmitted by OpenOtto will be encrypted using industry standard best practices to ensure safety, security, and privacy of the user.

The software and hardware designs will be released as free and open source designs to encourage adoption and adaptation of the features.

For consumers, a complete dashboard mounted display with computer will cost between $300-$500.00. The closest product currently on the market costs between $1000.-$5000.000 and does not include open software and hardware platforms, graphical dash board mounted displays, or customizable features. The low cost consumer device will target a retail cost of $100-$200.

Try getting KITT for that price."

Benefits to Having a Hacker Space in Portland, Maine

2008-11-17T16:06:00.002-05:00

A place where you can hack on our servers/network/cryptography/virtual honey pots so you don’t get into trouble doing it in the wild;
A place outside of the university to come learn about computer engineering, electronics, and network security from people with advanced degrees, professionals, or hobbyists with passion for their craft and who want to share their knowledge and equipment;
Our state university is short on funds—if you want some expensive equipment, get a group together, do some fund raising, and build it with a group of experts and professionals who can help you;
A place to hang-out with other hackers; I don’t mean the crackers who break stuff;
A place to put your electronic/hardware experiments where your significant other won’t complain it’s ugly, violates zoning, takes up the entire kitchen table or (worse) is smelly when you solder/glue/set things on fire.
Have one to add? Put it in comments. Let’s get it going!

Discussion with Far McKon, The Hacktory

2008-11-16T17:48:00.004-05:00

In the car on the way home from The Last HOPE in NYC in July 2008, three of us (Nothingface, Professor Rad, and Infochown) decided we want a hacker space in Maine. We were inspired by a presentation at HOPE about other hacker spaces.

Since then, we’ve attended four 2600 meetings where we’ve spent a bit of time discussing the hacker space idea. Funding and a name (“hack” or not “hack” is the question) are the sticking points for establishing the space. With all of the companies going under in Southern Maine, there is a plethora of rental space (both business and industrial), so we have plenty of space options, but just not the funds yet.

To find a solution to these issues and learn from others’ experiences, I’ve summoned wise hacker space organizers and asked if they could share their ideas, organizational structure, and “don’t make these mistakes like we did” stories with me. (The “hippy problem” stories are always the funniest.)

The following is a discussion I had today with Far McKon, organizer of Hacktory in Philadelphia. (I took notes while we were talking, so forgive me, Far, if I don’t have everything exactly as you told me.) Far also said that the numbers are a general ballpark, so please don’t take this as a price quote.

If Maine’s hacker space can pair with the art community and, perhaps, also attract the entrepreneur/writer community like IndiHall in Philadephia, I think we could have a pretty awesome co-work place!

Discussion with Far McKon, November 16, 2008

I spoke with Far, organizer of Hacktory in Philadelphia, about how they set up and manage their space. They are moving from a free space they had that was loaned to them by a company, but that space is too small and it’s not possible to use heavy machinery and big tools in that space; they cannot get it up to their 3^rd floor space. It has a crazy, narrow winding staircase and zoning would not allow it.

To solve their space problem, they grouped together with the art community in Philadelphia. (Brilliant! This is something that Maine’s Hacker Space surely could do—we have a HUGE artist community in Portland.) They will soon have a tech incubator space in the basement of a building that is zoned for heavy machinery/industry.

Hacktory’s affiliation with the art community is crucial for what they are doing. The hacker space in Somerville, Massachusetts also paired with the art community. Many artists are using heavy machinery and tools for their art and either they don’t have the space in their homes/apartments, cannot use fire and big machinery without violating zoning or fire codes, or cannot afford their own large studio.

The way the deal will work with the two other organizations grouping together with Hacktory is that one of the groups (not Hacktory) is always there (9-5) and controls access, signs for package deliveries, phones, secretarial services, etc.

Physical Space:

They have a large industrial space with a big, open work space in the middle. Locking studios (cubicles?) are grouped around the central open space. Those studios are small (about 50-100 sq. ft.). Some of those locked studios contain the more dangerous or expensive equipment; you get a key by taking 1-2 hour classes about “how not to break the stuff.” Some of the studios are rented to hobbyists who what a locked space and others are rented to for-profit businesses; there is a different fee structure for these two groups. All of the studio renters get the benefit of an address, secretary, shipping, etc.

Another idea, although not what Hacktory is doing, is that some hacker spaces rent the use of your own Craftsman rolling case for about $50.-75.00./month. You use the shared work benches with your tools in your rolling case. When you’re done, you put your stuff away in your case and roll it into a locked area.

Fee Structure for Studios:

$1.25 sq. ft. for hobbyists

$2.25 sq.ft. for-profit business, secretary, shipping

Organizational Structure:

Hacktory is a 501c3 non-profit. They have also registered with the state as an educational organization. With that status, they pay a lot less for insurance which is about $180-200/month.

For paying members, they have about 5 active members and 7 who are occasional.

How Does Hacktory Raise Funds?

They offer classes and they have paying members. The classes they run are about $15.00 per hour of class time. The classes a member would need to take to operate the locked machinery is about $30.00 for 2 hours of instruction.

Membership Rates for Hobbyists:

$15.00/month open hours, open means when there is an organizer/manager there;
A few students pay no fees if they watch the space, so could allow for more open; hours;
$65-85.00/month for Saturday and Sunday access only;
$125.00 open access with your own key card.

Maine's Biggest Cyber Crimes Case--James Wieland

2008-11-15T23:10:00.006-05:00

All day Thursday of this week, I got e-mails from friends in different computer law, hacker, cyber crimes, and computer forensics communities. They'd ask, “Did you see the hacker case? What do you think? Did he do it?”

The case to which they are referring is, to date, Maine’s biggest cyber crime’s case. This is bigger than the warez sales going on in Portland back in 2005.

But there is something different about this case that’s intriguing to me. In the warez case, there was a group out to profit from copying software; it was an unsophisticated, but high volume, operation. The warez trade isn’t too difficult to do and it’s not terribly interesting.

This case is different. Although I’ve spoken to James, we knew better than to discuss the case. The facts about which I write are only what are available to the public via news organizations. The news articles—from here down to the D.C. area—all have the same theme of, “evil hacker breaks and steals stuff,” but what’s really going on behind these headlines, only time will tell as the facts--especially the technical aspects of the case--are presented in court. Was this curiosity and experimentation that went beyond rational bounds or, on the other hand, was this a well-designed and calculated attack with fraudulent intent?

The news reports state that James Wieland, student at University of Maine, spread a Trojan horse program (don’t know if it was a worm or virus, but this will matter in the case) by adding it as an attachment to an e-mail that contained a video game. When the recipients opened the attachment, the malicious program was executed. The Trojan reportedly contained a keystroke logger program. It was reported that James has been collecting and storing that data since August 2007. But the intriguing part—and I’m sure an aspect of the case that will be highly-debated in court—is why James allegedly collected this information and why he didn’t do anything with it? There were no reports that he used anything he allegedly collected.

There are some hypotheses in the case: 1) James was the victim of a botnet attack on his computer meaning that he didn’t know about the Trojan or what it would do; 2) He released the Trojan as a curious experiment (didn’t write the code, but in script kiddy fashion, applied it and released it) but didn’t quite know what it was doing or how to stop it (classic Morris Worm case); 3) He wrote the code and released the Trojan with malicious intentions and wanted to collect private data from the victims and either sell it or use it for nefarious or fraudulent purposes.

What’s striking to me about this case is that James has a lot to loose. He just got engaged in Italy last month, worked for a Christian school, has his own business consulting and web design company, and seems to be just starting his professional and family life. He just doesn’t fit the typical profile of a malicious cracker. If convicted, these felony charges could be more than 5 years in prison. The District Attorney states that the 5 year sentencing estimate may be just a start and that there might be more incriminating data found now that they’ve cleaned his place out of all electronic equipment.

I wonder if University of Maine’s policy of attaching students' and faculty’s first and last names to our host names (HEY DEFENSE COUNSEL, YOU LISTENING?) had anything to do with them tracing an IP address to James Wieland? This can be spoofed, and if James was clever enough to write the program and orchestrate this attack, wouldn’t he have also been able to obscure his IP address?

What I can do is bring as much as I can from Wieland’s case to our computer law and ethics class, COS 499, at University of Southern Maine in spring 2009. Like everything in my class, we analyze computer law and cyber crimes cases from a non-biased perspective. I have hackers as guest speakers as well as a few influential FBI and CIA agents discussing different perspectives regarding electronic crimes and how to prevent them with better computer security built from the ground up into software, hardware and network design practices we teach at U. Maine.

I will be going to as many of Wieland’s hearings as I can; most certainly, I’ll be at the arraignment in January 2009. No matter the outcome of the case, there is a lot that security researchers, information technologists, and computer scientists can learn from this case. A lot of lessons will be learned both by James Wieland and by the University of Maine.

I urge readers to please hold judgment until the facts—especially the technical aspects—are presented. I want to read more articles or hear in court that this is more than tracing an IP address to Wieland. Right now, there are no details beyond that.

When we hear about the Trojan’s code (such as how it worked—I want the functions of the key algorithms discussed in court!), how and where the data was obtained and stored, 4^th amendment practices (forensic hashing of the hard drive), access to the data files, and the Internet access to Wieland’s computer network, then we’ll discuss what went wrong.

I’ll keep you updated. If you see news articles or find information online, please e-mail them to me.

Presentation for the Maine Association for Law and Innovation

2008-11-12T23:49:00.005-05:00

Yesterday I presented at Maine Law about my security vulnerability disclosure research. It was great to be back at Maine Law, but this time as a lecturer. I spent so many hours in the moot court room as a student that, just for a split second, I has a fleeting feeling of "OMG, am I going to get cold called on," when I entered the room. Some things from law school never leave you.

I have made some changes to the disclosure presentation I gave at Pumpcon a few weeks ago. For instance, Juliet (aka, Victoria) said that I had too much stuff on my slides, so I tried to par that down. She was totally right about that.

Also, I changed the title from "How to Responsibly Disclose," to a title that didn't reflect the ethical ramifications of the word "responsible." Using the industry practice of what is called "responsible disclosure," is not always the most responsible way to disclose vulnerabilities. The more research I do and the more well known security researchers with whom I discuss this topic, I find that sometimes other types of disclosures (full or partial) is what's needed for better security. My legalese peers may not agree with me, but from the computer researcher's perspective, the name "responsible disclosure" is not always as the ethical implications of that word suggest.

Last, but not least, I added a lot more about disclosing physical/electronic security vulnerabilities. I did a lot of research into lock picking laws and industry practices. Really fascinating and it makes me want to do more lock picking should the opportunity present itself.

However, are electronic biometric locks with cryptographic keys the future of the lock industry? I think they may be. That's good and bad--like all technology, isn't it? I've always been interested in the idea of faking biometric scans. For example, I know that a retina scan is really hard to fake, but mirrored or cloudy contact lenses mess up the scan. So, if you're getting your initial scan (such as going through the international terminal in Frankfurt, Germany) and you get scanned with these contact lenses in, will the computer reject the scan or will that base line scan, albeit "fake", be "yours"? I'll have to do a post about biometric scans because I did a lot of related research about that when I was working on RFID technologies and legislation.

Altering Airline Boarding Passes—Schneier and Soghoian

2008-11-08T23:12:00.005-05:00

One of the conversations we had at the November 2600 meeting was about Bruce Schneier’s alteration of airline boarding passes and using one to get through a TSA checkpoint. Schneier admits that it is illegal, and if done, there is a possibility of arrest. (Note: If you’re reading this and considering doing it, remember that you are not Bruce Schneier. I don’t truly think that the Feds would arrest him, but they would arrest you.)

At the meeting, we were discussing what those illegalities might be. To do so, we considered how fraud is different from a hoax or forgery. In short, fraud is where deception is used to unlawfully take property (usually money) or services from another. What about those theories applied to altering a boarding pass? Go to the link to see an altered boarding pass used by Jeffrey Goldberg—he even upgraded himself to 1st class for priority boarding. New York Senator Schumer was nervous about this exact scenario when he offered a bill that would treat these “federal criminals” named “Joe Terror” like a “…19 year old who makes a fake ID to buy a 6 pack of beer.” (Hhmm...Joe Terror sounds a lot like Joe Six Pack.)

Not a "Joe Terror," or "Joe Six Pack," a PhD student named Chris Soghoian wrote a program accessible through is website that would generate a fake boarding pass. What happened is discussed in his blog: in short, the glass on his front door was smashed by the FBI, his computer equipment taken, and a search warrant (issued at 2 AM) was taped to his kitchen table. But how does the law address altering boarding passes? Consider this section of federal law addressing the falsification of airline tickets or boarding documents (highlighted for emphasis):

From DHS Code Title 49, Volume 8; October 1, 2004 rev. [Page 302]:

TITLE 49--TRANSPORTATION

CHAPTER XII--TRANSPORTATION SECURITY ADMINISTRATION, DEPARTMENT OF HOMELAND SECURITY

PART 1540_CIVIL AVIATION SECURITY: GENERAL RULES--Table of Contents

Part 1540.5 -- Terms used in this subchapter.
§1540.5 Sterile area means a portion of an airport defined in the airport security program that provides passengers access to boarding aircraft and to which the access generally is controlled by TSA, or by an aircraft operator under part 1544 of this chapter or a foreign air carrier under part 1546 of this chapter, through the screening of persons and property.

Subpart B_Responsibilities of Passengers and Other Individuals and
Persons

Sec. 1540.103 Fraud and intentional falsification of records.

No person may make, or cause to be made, any of the following:

(a) Any fraudulent or intentionally false statement in any
application for any security program, access medium, or identification
medium, or any amendment thereto, under this subchapter.

(b) Any fraudulent or intentionally false entry in any record or
report that is kept, made, or used to show compliance with this
subchapter, or exercise any privileges under this subchapter.

(c) Any reproduction or alteration, for fraudulent purpose, of any
report, record, security program, access medium, or identification
medium issued under this subchapter.

Below is something under the USC that is applicable to altering a document regarding a “matter within the jurisdiction of executive, legislative, or judicial branch of the Government":

United States Code
Title 18. Crimes and Criminal Procedure
Part I. Crimes
Chapter 47. Fraud and False Statements

47 U.S.C. § 1001
a) Except as otherwise provided in this section, whoever, in any matter within the jurisdiction of the executive, legislative, or judicial branch of the Government of the United States, knowingly and willfully--
(1) falsifies, conceals, or covers up by any trick, scheme, or device a material fact;
(2) makes any materially false, fictitious, or fraudulent statement or representation; or
(3) makes or uses any false writing or document knowing the same to contain any materially false, fictitious, or fraudulent statement or entry;

shall be fined under this title or imprisoned not more than 5 years, or both.

Although these codes would answer our question about Bruce Schneier’s experiment with altered boarding passes, they do not exactly cover Chris Soghoian with his website that created boarding passes. Most people who saw it when it was up (I did), thought it was a parody. Here’s what Chris recently said about that experience: “In 2006, the FBI investigated me for some of my research into boarding pass security. While no charges were ever filed, it's reasonable to state that I have little affection for the DOJ computer crimes section.”

In summary, altering boarding passes—for fraudulent purposes or not-- is covered under these statutes. Beware if you’re not Bruce Schneier. And if you are Bruce Schneier or Chris Soghogian, thank you for your security research and for potentially, “taking a hit for the team."

What Happened at November’s 2600 Meeting

2008-11-08T08:14:00.002-05:00

Attendees: Nothingface, Charlye, Infochown, Elliot, Professor Rad.

What We Discussed: Changing the venue for the meeting to a place where we can access an open wireless network; asking U. Maine to stop putting students’ and facility’s first and last names in the host name (“If you want to anonymously access an IRC chat room, immediately FAIL!”); listening devices (with demo); traveling with a pseudonym on airlines, recent US. Supreme Ct. case declaring hashing to invoke 4^th Amendment rights; a name for Maine’s Hacker Space; how to fund Maine’s Hacker Space; stories about Off the Hook and Pumpcon.

2600 Meeting Tonight

2008-11-07T12:48:00.002-05:00

2600 meeting at the Maine Mall food court tonight. I won't be able to be there at 5 PM, but Infochown and I will be there around 5:30 PM. Nothingface and Charlye are usually there by 6 PM.

On the tentative agenda:

Car computer? Nothingface's OpenOtto might be up and working in the parking lot this evening. Give us some feedback because we're entering it (and me, I suppose) in a venture capital competition in NYC in December.

I'll tell you about the awesome guys on Off the Hook and about the great people I met at Pumpcon. During that trip, I also got to visit Hacktory and I'll tell you about meeting Far and what they have going on there.

There is also a new US Supreme Ct. decision regarding hashing and 4th Amendment seach and seizure procedures applicable to computer forensics. I'll tell you about it.

See you there!

Pumpcon, Philadelphia, PA, October 25, 2008—PART TWO, Computer Software and Hardware Security Vulnerabilities

2008-11-05T17:17:00.001-05:00

The second part of my research questions what are differences between the electronic/physical security and computer software/hardware communities? If these communities have different ethical opinions regarding disclosure, why are they different?

At Pumpcon, a conference attendee from one of the U.S.’s largest electronic/physical security companies answered: “It’s because I’ll get my ‘arse’ fired if I talk about vulnerabilities and I’ll probably never work again.” He also made some comment about worrying about his personal safety post-disclosure.

Another attendee, who works for a computer security firm said, “Do it anonymously!” It’s harder to do that with physical/electronic security vulnerabilities; however, disclosures for both communities are taken more seriously when there is proof of vulnerability, right? It’s easy to post anonymously about a computer vulnerability to a bug report online site with your IP address obscured versus sending photos of yourself clad in burglar attire (or not, see picture above of one of the guys from MIT [picture from their Defcon presentation]) breaking into something. Although possibility for arrest is high, some are willing to take the risk. As John Benson, jur1st, calls it, “Taking a hit for the team.”

An example of the contrast between these two communities that I used in my Pumpcon presentation was the presentation, Anatomy of a Subway Hack, made at Defcon by three undergraduate students, Russell Ryan, Zach Anderson, Alessandro Chiesa, at MIT. These guys really took a hit for the team with the feds, in large number at Defcon, ready to arrest these guys in Las Vegas before their presentation.

Does one group have much more to risk than the other? Is it much more risky (to the discloser and the vendor) to disclose how to beat electronic/physical security measures as opposed to electronic? If so, how do proponents of full or responsible disclosure do this?

They do it at HOPE, Defcon, BlackHat, Pumpcon, Shmoocon and other computer security hacker conferences. The risks disclosures face are evidenced in the all too frequent arrests at these conferences.

One HOPE, BlackHat, and Pumpcon presenter had some important information to impart and of which I learned directly affected a company I know. Travis Goodspeed disclosed vulnerabilities in a Texas Instruments chip that is commonly used in biomedical devices and small consumer electronics. There are two debugging ports on this chip. If accessed, one could delete and replace software on the chip. If your company was using this chip, would you want to know about this design flaw?

Travis presented about this at other conferences before Pumpcon, but at this conference I was able to ask him how he addressed this with Texas Instruments. He said that they did talk with him about this security vulnerability and the fact that he has written viruses able to take advantage of this vulnerability. TI was receptive to discussing this with him, but presently, these flaws still exist on the chip.

When asked what TI could have done better to facilitate more bug reports, he said that it would have been good for them to at least give him a contact person to e-mail so he wouldn’t have to repeatedly go through the general information route when he wants to report vulnerabilities he discovers. And they should fix them, but as of the Pumpcon conference, they still exist.

Pumpcon, Philadelphia, PA, October 25, 2008—PART ONE, Physical and Electronic Security Vulnerabilities

2008-11-04T00:09:00.002-05:00

When I was growing up, one of the benefits to having a CIA dad was that I got to play with the cool stuff he brought home. As a result, I’ve been trained to beat lie detectors, how to mentally isolate physical stimuli with training on a biofeedback machine, how to make instant keys with a magical metal that melts within seconds in a spoon held over a lighter flame, and how to break into the doors and windows in the house in which I grew up. There was also a very cool lock picking kit that he had, and once when I locked myself out of my car in a dark parking lot, my Dad showed up with the kit and had my car open in seconds. Growing up, I thought that was a skill that most dads had and that every kid should be taught. I was taught these useful skills that ended up helping me in many situations.

So why are the best lock picking techniques and tools kept a secret or are illegal to possess in D.C.? Is this another example of “security through obscurity?” I’ve spent some time in the lock picking villages at HOPE and Defcon conferences. Why aren’t there more of these opportunities available to the general public, e.g. not only to locksmiths or computer security conference attendees?

This was one of the issues I addressed in my presentation at Pumpcon. I had a great time talking about this at Pumpcon. Soon after Defcon and inspired by the events surrounding the three undergrads from MIT, I began researching how to disclose security vulnerabilities. Curious about the divide between the electronic/physical security breaches compared to those involving computer software and hardware, why aren’t both groups interested in truthful discussions regarding flaws? Shouldn’t we as consumers who rely on software designers to protect our home computers and mechanical engineers who designed the locks on our houses know if something isn’t quite as secure as advertised?

It seems as if the hardware and physical/electronic security hacks take a long time to be exposed. For example, Marc Tobias presented at HOPE and Defcon in 2008 about how to pick Medeco key locks. However, according to my government fed sources, Medeco lock vulnerabilities have been known for more than a decade. What’s the reason for it not being publicly discussed? I’ve been told that it takes a highly skilled lock picker—or a locksmith—to successfully pick Medeco locks.

But surely, there were skilled lock pickers out there, so why the silence? I found the following on a site that discusses Tobias’ book:

“A detailed analysis is available together with a video demonstration that clearly shows the method of bypass. This publication has been restricted to locksmiths and the professional security community because of the simplicity of the technique and the potential security ramifications that could result from a public disclosure of the exact method. If you have security responsibility, you may contact the author for access to the restricted document. The password has been posted on ClearStar for security professionals.”

I know that the locksmith community has a lot of power, but do they have the power to silence discussion about how to pick locks? Perhaps this is true especially considering that it’s illegal to own a lock picking kit in some states unless you’re a licensed locksmith. Is this an example of a good way to make things more secure or, on the other hand, an example of legislation protecting jobs in an industry? This is how the Freemasons started; they were protecting the secret ingredients for making cement thus making the formula a coveted secret protected by those sworn into a brotherhood and keeping the brothers with guaranteed jobs.

For a modern example, someone from the crowd at Pumpcon told me that Joe Grand, aka KingPin, gets death threats regarding his lock picking research. I’d like to find more information regarding this statement. (Denied by Kingpin--see comments.) If true, that’s a sobering example of the power of a brotherhood of some kind protecting their own. Is lock picking worthy of protecting through this extreme measure? Does it make us more secure?

Will this attitude eventually spill over into the computer hardware and software security industry? I fear it might.

Note: The picture above is of the back of Kevin Mitnick’s business card. Obviously, it contains lock picking tools. They will work. Funny, but I think his thumb print is still on the other side of card! ; )

Live on the air in NYC on Off the Hook radio show

2008-10-29T17:00:00.000-04:00

I was live on the air on Off the Hook out of NYC on October 22, 2008. What a fantastic experience! Although voting machine fraud is not one of my strong suits—I didn’t know the show’s topic before I went on-- I loved discussing tech law and policy with the guys. Talking with Emmanuel Goldstein and bernieS was amazing—I read their cases in law school, and there they were on the air with me! Facing Emmanuel across the sound board and with bernieS on the phone, it felt like we were having a coffee shop discussion because they made me feel very much at ease. It wasn’t as difficult as my first TV interview; I had to constantly remind myself not to look at the camera, but that took such concentration that I seemed distracted. It was easier with radio, but it was more than just the medium. Emmanuel, bernieS, Not Kevin, Rob T. Firefly, and Voltaire on the air with me were awesome. You guys rock!

After the show, we went for Mexican food in what I think was the Greenwich Village area of NYC. I miss talking about “geek” stuff in Maine. Among other things, we were talking about Second Life: What happens when your character is assaulted online? Legal recourse?

For dinner, I had a very good chicken enchilada with mole sauce (bitter chocolate). I cannot find Mexican dishes with mole here in Maine, so it was a treat. After dinner, we went to a coffee shop to upload the show and then to a bar (Mars Bar) that is dark because it’s lit with a single bulb hanging from the ceiling. The graffiti is worth checking out if you can read it in the cavernous atmosphere.

And sometime after midnight, I decided not to take the subway because I don’t know where the heck I’m going once I’d get out of the station in Brooklyn Heights, so I took a cab. The cab driver asked if I was from the midwest—could I have been given away by my slight southern accent that rears its head after a few drinks (or when I’m nervous)? Wait…midwest? That has never happened before. (But I’ve been mistaken for Michelle Madigan at Defcon. That one was the best.)

Disclosure of Security Vulerabilities and a Geocentric Universe

2008-10-15T22:40:00.001-04:00

The title to the presentation is the following:

Disclosing Security Vulnerabilities: How to Do It Responsibly

"Disclosure of security vulnerabilities is done for many reasons. Some of these reasons include: an interest in improving security; warning the public before those with nefarious interests exploit the vulnerability; or for public recognition of skills. There are also different ways to do it including in print or presentations at conferences. Considering both the reasons for disclosure and how it is done affects how security vulnerability research is accepted by the general public, the security community, law enforcement and by the designer of the product being critiqued. This presentation includes how disclosure has historically been done and the differences between the computer and electronic security communities as compared to physical security (locks, alarms, etc.) communities. Relevant legislation, intellectual property considerations and applicable criminal law will be discussed."

I'm currently engaged in case law research for a presentation on this topic and using Westlaw in addition to my usual journalism searches. Not surprisingly, most of the cases I've read are more about violations of non-disclosure agreements and disclosure of trade secrets by disgruntled employees. However, my friend, Brenno de Winter, recently published an article titled, "Researchers Show How to Crack Popular Smart Cards." I was interested to read that researchers at universities in The Netherlands and in Germany have broadened the research done by the MIT undergrads who were not permitted to discuss or release their source code.

What I'm discovering from my research about computer security disclosure is that a lot of the heat is primarily focused on academia. Remember Professor Ed Felten with Princeton's computer science department with SDMI? His team won the challenge, but they faced prosecution if they talked about it or tried to publish their academic research. The challenge explicitly stated: "So here's the invitation: Attack the proposed technologies. Crack them."

However, what if the vendor producing an insecure product does not outright demand a challenge, but simply puts the product into the marketplace? A good example is the Mifare Classic and NXP Semiconductor. They fought the battle against the MIT students and, for the most part, won because their source code was not distributed.

However, a group from the Dutch Radbouda University Nijmegen recently assembled complete published research that would allow someone to build a cloned card. The Dutch courts said that, "...researchers shouldn't fall victim to mistakes made by suppliers," and allowed publication. I was also amazed to read that a university in Germany cut down an actual chip, and by viewing the IC layers under a microscope, they were able to figure out how the chip works and derived the algorithm.

Two different ways of figureing out security vulerabilities, but with the same result. It's now out there and readily available to a determined attacker. On the other hand, some might say that it's also readily available to a security researcher who can assess the security vulerabilities and make a better design the next time around.

This debate is nothing new--consider Copernicus's and Kepler's revolutionary teachings and publications. But what surprises me is the fact that it is nothing new. The prosecutions--including criminal--for teaching, dicussing, and publishing are still a reality. Where would we be now if Galileo's Dialogue Concerning the Two Chief World Systems wasn't published or discussed because he feared being burned at the stake? We'd still be in a Ptolemaic system where the planets revolved around us--a pretty ego-centric way to view life (picture of a geocentric universe by Portuguese cosmographer and cartographer Bartolomeu Velho, 1568 [Bibliotèque National, Paris] above).

Considering a modern perspective regarding security vulerability disclosures, it would be a more insecure world without discussions about design flaws. Professors like Ed Felten, although perhaps not (yet!) as influencial as Galileo, are to be lauded, not threatened with criminal prosecution.

What went on at the October 2600 Meeting?

2008-10-10T13:26:00.000-04:00

Who was there: Professor Rad, Nothingface, Charlye, E.M.B

What we talked about: We mostly discussed the on board computers in cars. Nothingface may have a prototype of a car computer hack at the November meeting.
We also discussed criminal law and intellectual property. It was nice to meet more computer science students from U. Maine.

2600 Meeting Tonight

2008-10-03T15:03:00.000-04:00

Fellow Maine hackers, the 2600 meeting is tonight at 5 PM at the Maine Mall. Meet outside the food court entrance on the benches if it's not raining. If it is, meet inside the food court at the tables near the entrance. See you there!

Passing Through Airport Security Without U.S. Gov. Issued ID? Not So Fast...

2008-09-27T22:17:00.001-04:00

Shortly before I presented at The Last HOPE in NYC in July of this year, TSA changed their policy about not requiring U.S. government issued photo ID to be able to get through security checkpoints. It used to be that for flying domestically, TSA did not require ID, but you could subject yourself to additional screening if you didn't have ID on you. However, it was subsequently changed to include significantly a more subjective determination of a game of "are you lying to us?" Now, if you don't look sincere when you tell a TSA agent that you don't have ID with you (for whatever reason that may be), that agent can simply deny you permission to pass through security. In the past, I have been with people who never carry U.S. government issued ID when they fly domestically; we're citizens of the United States and not passing over foreign country boarders when traveling domestically, right?

Not the case anymore. An extensive background check will be performed--not just additional pat-downs--if you now fly without U.S. government issued photo ID and the TSA agent subjectively doesn't believe that you've forgotten your ID. I have this information 1st hand, but not as TSA's target of a background check, but looking at it from beyond the security checkpoint as my husband and baby were placed in an acrylic booth with air holes. I was traveling to the Washington, D.C. area this week with my two kids. I asked my husband's help in carrying our 5 month old daughter through security while I took our 2 year old. After I passed through security with no hassles with plane tickets for me and the 2 year old, I couldn't figure out what happened to my husband. He was right behind me until the TSA ID checking booth.

On the other side of the security checkpoint, I asked a Portland Police officer what had become of my husband and baby. I asked, "Oh...do they have them in one of those interrogation rooms with the tinted glass?"

He cautiously answered, "No. They don't do that. I'll go check." And he went back through the security check point as my plane began boarding.

The officer promptly returned and said in an apologetic tone,"I have no idea what's going on. I've never seen them screen someone where they are screening him. I don't know what they are doing."

What's funny is that TSA recognized my husband because we travel through that airport so often. They know him by name and face--they even told us this. So what was all of this about? As Bruce Schneier aptly said, "I don't think any further proof is needed that the ID requirement has nothing to do with security, and everything to do with control."

The following is an account of the incident from my husband's perspective:

"There were two TSA goons working the desks. I approached one, handed her my gate pass. She looked at it for a few moments, then asked for my ID. I said I did not have ID. She acted as though either (1) she did not speak English well, or (2) that the mere suggestion that I did not have ID on my person was preposterous. She asked if I had a wallet, anything. I said no. She said "Why is that?". I said I was just here to help my wife and family to the gate. She tried hard to comprehend the situation and she called another TSA goon, not at a desk, presumably a supervisor.

I had a short discussion with this TSA supervisor a few months prior, when AirTran was trying to convince me that some mysterious "law" prevent AirTran from issuing me a gate pass. This supervisor, although she agreed with me that AirTran could issue a gate pass without ID, seemed annoyed that I didn't just complacently quiet down and take the blue pill.

So this supervisor takes me out of line from the security checkpoint and instructs me to sit down in a chair. The supervisor also took a 3 ring binder from the screener podium and my gate pass. Where I was sitting at this point was not any special or secure area, just a waiting chair in the non-secure area of the airport. Then, moving just out of ear shot, the supervisor opened a small address book and made a call on her cell phone. I could not hear her entire conversation, but the bits I heard suggested that she was explaining some details of my situation over the phone.

After a few minutes, the supervisor provided me with a one page form to sign, which requested my name, address, and signature. The form said it was voluntary to complete, but not completing it may result in me not being allowed into the secure area of the airport. I'm not sure what dictionary they define "voluntary" in, nothing seemed very voluntary about the whole process. I suppose eating and breathing are voluntary as well, since one could choose to not do them, either. I don't recall the exact wording, but the form also indicated my consent to let TSA use the information to verify my identity, presumably by doing some sort of background check (or worse). I wasn't happy about it, but I signed the form. Probably should have also written "under duress" next to my signature. Maybe next time.

The TSA supervisor takes the form, and presumably relays the information to the telephone. She then appears to be listening or waiting for awhile, maybe a minute or two. Then she asks me how old my baby is (note: I am carrying my 5 month old daughter in an infant carrier). I told my daughter's age. The TSA supervisor says "we were guessing", presumably that the other TSA representatives, whom she has not had a conversation with since I appeared, were speculating on my daughter's age? Or perhaps between her and the one or more people on the phone who may or may not be watching me on the security cameras? Anyway, after I responded, she continues to hold the phone as if waiting and/or listening. She also says "waiting for the computer". I then ask here if the computer knows my daughter's age. She doesn't respond. I suspect it does know. Reminds me of Blade Runner, the bounty hunter mumbles something under his breath, the replicant says "The address, where I live. Is this part of the test?" "Just getting you warmed up."says the bounty hunter.

After waiting for "the computer", or the Voight-Kampff machine, or whatever, the TSA supervisor asks me a few questions. She asks for a telephone number, where I may be best reached. I gave her a number, perhaps not the best number to reach me at. I was going to tell her that I won't be able answer calls at that number at the moment, but I maybe the collective genius on the other end of her phone could figure that one out. Then she asks me of a county I have lived in besides the one I live in now. I think a bit, partly because I don't really catalog that sort of information, and partly because I was thinking which one would give me the most information about their system. I named one that I lived in for about a year, almost 10 years ago. I also didn't move from there to where I am now. She then asked me to name one vehicle that is registered in my name. Not much secret there, the DMV probably gives that out way to easily anyway. After that, she instructed me to get up, stamped my gate pass, and escorted me back into the screening area.

I skipped all the lines to get through security, even the line of people selected for additional screening, but I guess that's because I was sitting around playing "are you smarter than a TSA supervisor" for 20 minutes. I had to take off my shoes, and the leather shoes of my 5 month old, and other metal objects into the tray. I bother to mention how absurd it is to take shoes off a 5 month old (they are small, can't hide much there), but the TSA goon actually apologized about. He said "I know it's ridiculous" or something to that affect. I wonder how effective the whole charade is if TSA actors can't even act their part believably. Then they awkwardly escorted me through the metal detector ("ok sir", "no not you, sir", "yes you sir"; hey TSA, half the people here are "sir", how about better instructions), I was taken to be screened.

There was some confusion about how to screen my daughter, since they typically have a screener that is the same gender as the screener. It took 3 or 4 of them to figure it out, but I guess they have a rule (probably a super double secret rule, like most of them) that they treat children under 12 months as the gender of the parent with them. So some old dude screened my daughter and me. And fairly poorly, at that. He seemed hesitant to touch her, and was not very clear about instructions to me or about the whole process.

After being manhandled by the old dude, my things that just went through the X-ray were then swabbed for more screening. When that was complete, my gate pass was stamped, returned to me, along with my belongings, and I was finally determined to not be a threat. So given that I was suitably screened for possession of items that maybe a threat to other passengers or the aircraft, and determined by TSA not to have any such item, what could the purpose of the identity check be? If, prior to screening, they were able to determine my identity as well as (or better than) a plastic card with a picture on it, why was I still subjected to additional screening? Maybe I'm a little more paranoid than most, but when the NSA is getting together with China to collaborate, they're certainly up to no good."

And they my husband handed me my 5 month old baby, turned around, and walked out the exit past security. All that screening for a 10 second hand-off of a baby.

The Need for Judicial and Legal Technical Training

2008-09-13T23:48:00.000-04:00

Thank you, Neon Samurai! Someone is reading my stuff or watched my presentation at The Last HOPE. Neon Samurai said, "Tiffany Strauchs Rad had it dead on when she said that legislators and judges need only ask the experts what implications making such laws blindly will lead too ("Hackers" in her words; she's a professor of law and proud Hacker)."

The project on which I’m working related to this is a volunteer-based non-profit that will bring together professionals and students with backgrounds in computer science, engineering and information technology alongside those with backgrounds in law, public policy, and politics. Our objective will be to create a judicial and legal education program for cyber crimes, digital forensics, intellectual property and electronic discovery providing a basic technical background for judges deciding on these cases in hopes that technical misunderstandings will be reduced thus providing more fair judicial decisions.

Here's another idea I recently considered: Why not work to recruit and fund more people with technical backgrounds to run for political office? If we work to educate the judges and lawyers on these subjects and EFF is working to change legislation through their grassroots efforts and through the court system, let's try to get more tech-savvy people in office! Then we can hit it from all angles.

I don't think that the future of politics, wars, and the economy is going to be about equality of the sexes, racial equality, and currency-based economics as we know it today. It's going to be about technology and how it affects these concepts: Online anonymity will blur concepts of race and sex, wars are going to be electronic over the Internet, and economics is going to be about intellectual property (or lack thereof) and new energy generated and enhanced by technology (as opposed to crude oil).

The future of politics is going to be about the technology. But politics, law and legislation is still typically far behind reality. I think a large part of that relates to the people who are our law makers. Let's get more people in those positions who understand the technology and who will make responsible choices while understanding the ramifications. No more "series of tubes" legislators or those pushing for stronger intellectual property protection to prop up weak companies who fear competition and innovation. Also, let's get someone in office who recognizes that our civil rights also apply online.

What went on at the September 2600 Meeting?

2008-09-09T21:39:00.000-04:00

Who was there: Nothingface, Infochown, Export, C@t6, 4774x312, Charlye, and Prof. Rad.

What we discussed: Particle physics, plasma cutters, patents, recent DOJ cyber crime prosecutions, packet sniffing, downtown Portland warehouse real estate for Hacker Space, Defcon 16, and the 3 undergrads from MIT with their Mifare hack. Anything else? Comment about what I may have missed while at Starbucks.

2600 and Hacker Space Meeting tonight

2008-09-05T13:39:00.000-04:00

Hello to all of the Portland, Maine hackers! Tonight is the 2600 meeting at the Maine Mall. It starts at 5 PM on the benches outside of the food court. If you cannot make it until 6 PM, we'll still be around sitting at the tables closest to the outside doors. Bring some money for dinner (or your dinner) and we'll chat about the progress of Hacker Space. There are some interesting new cyber crimes prosecutions I'd like to share with you, too. Nothingface will discuss some ideas he has about designing home monitored security systems (I think that Charlye also has some expertise about this topic).

This should be our last meeting at the 5 PM time. After this meeting, we will have met 2600's requirements to change venue and the time. So if you want a say in where and when we meet in the future, please attend. No one who works likes the 5 PM meeting time, but we'll discuss the Maine Mall venue, too.

I hope to see some new people there, too. Everyone's welcome.

RFID and Mythbusters

2008-09-04T13:00:00.000-04:00

Did Mythbusters scrap their RFID episode because of legal pressure from the large credit card companies and Texas Instruments or did co-host of the show, Adam Savage, “...get some of his facts wrong?” A spokesperson for TI said that things went differently than Adam described during a presentation at The Last HOPE (Hackers on Planet Earth).

Adam has retracted his statement made at HOPE. However, how much of the statement was retracted? It seems to me that he admitted that he may have gotten the facts wrong regarding who was in on the phone call and the retractions applies to Discovery Channel—and their advertisers—being associated with the decision not to do an RFID security episode. All this means to me is that the parties involved in the call were corrected and Discovery was exonerated from being associated with the decisions, but what was discussed or the rationale behind the decision as Adam says, “If I went into the detail of exactly why this story didn't get filmed, it's so bizarre and convoluted that no one would believe me...” is left for us to speculate.

How much can be or should be disclosed about security vulnerabilities? It's a topic that everyone is discussing now.

Last Day of Defcon 16

2008-09-04T10:47:00.000-04:00

Brenno did it! He presented “Ticket to Trouble” in the place of the 3 MIT undergraduate students who, under a last-minute Massachusetts court injunction, were not able to present. Before his talk, nervous he might get arrested, the legal contingent at the conference told him not to worry. The scope of the injunction was properly narrow: it only referenced the “MIT undergrads'” and their research pertaining to the crack for the Mass. transit cards. However, Brenno gave his presentation exclusively about an extremely similar crack in the Netherlands's mass transit cards last year. The parallels to the US' Mifare card was clear, but he made no reference to the MIT guys' research.

He began his presentation by presenting a quote from the Dutch Constitution which included a statement about freedom of speech. He was able to freely present on the topic of the Dutch system because of these rights; his government cannot prevent him from presenting academic research and, in fact, specifically said it would not. Then he followed up with the words from the U.S. Constitution thus showing why, if he wanted to, U.S. citizens SHOULD have the same freedoms under U.S. laws. Unfortunately, the US courts didn't have the same opinion as the Dutch courts.

Brenno (wisely) made no particular reference to the MIT students, but their presentation was close to what Brenno presented but without any technical specifications, code, or photos of people breaking into places. Those three elements were included in the MIT guys' presentation, but a former Fed Agent told me on Friday that the FBI had asked the MIT guys that they cut some slides from their presentation. I suspect that those were the ones in contention, but what I find interesting is that, from what I understood from the former Feds' comment, the FBI wasn't going to preclude the MIT guys from presenting but only asked their presentation be edited due to an ongoing investigation. However, the Massachusetts District and Federal court went as far as to chill their speech completely. It's incredible to me because, not only is the stuff (minus the executable code) already distributed to the public on the Defcon CD that all conference attendees received at registration as early as Thursday, but these guys were talking about exploits that were already out there and well known.

I think that Brenno's valiant presentation, albeit about the Dutch and British systems, may have weakened the case against the MIT guys. The MA judges who made the decisions will be hearing about this. It was even on Twitter coming up on Brenno's laptop's screen during his talk. Thank you, Brenno. It took you, from the Netherlands, to get up in front of a standing-room-only crowd of over 700 cheering people, present academic security research and uphold our U.S. 1^st Amendment Constitutional rights. You will have effected precedent in US courts regarding this case and (hopefully) improve security for an insecure technology. And, as a member of academia, a special THANK YOU in the spirit of academic freedom.

And then, during Brenno's Q&A, I made a mad dash to the Vegas airport and barely made my flight, but seeing Brenno's presentation was worth the risk. This time I breezed through TSA security—no dumb questions regarding whether my unpeeled orange on a domestic flight could have been injected with bomb-making poisons (I'm not joking—this has actually happened).

Night 2 Parties at Defcon 16

2008-08-28T00:13:00.000-04:00

My party source told me that there was a girl hacker party next door at the Peppermill lounge at 10 PM. Cool! A party of women in computing! I went to Carnegie Mellon Univ. and read Unlocking the Clubhouse by Jane Margolis and Allan Fisher. I don't really know any other techie hacker girls who attend Defcon, so it would be interesting. He gave me a pass that had lipstick kiss marks, a skull and cross bones, and a Bond girl-ish cross hairs gun sight on it. I thought that Edgeos must be a hacking group like the Ninjas or Hacker Pimps.

The lounge at the Peppermill was retro lovely. There was circular seating around a fire pit that was coming out of a pool of water. On TV screens above the bar and the fire pit, a soft-porn video featuring the Edgeos girls was playing. They weren't hacking, but they were sitting on computers doing their soft porn stuff. I think a computer security company is Edgeos, but their marketing was confusing. The girls were also there serving drinks and I, graciously, ordered some VSOP and talked to a couple who does computer forensics for IBM. It was a bit of a disappointment that this wasn't the women in computing clubhouse, but the long line of guys standing outside to get into the party didn't mind at all.

I left with Dallas and we went to the Freak Show Party in the Penthouse put on by Dan Kaminsky's company, IOActive. This party was awesome! They really went all out with the carnie theme. They had a contortionist, a freakishly tall guy, a bearded lady, and a Twister game set up. Out on the dance floor, I saw my friends from Seattle, met up with Brenno, and we all got to dance with Cap'n Crunch. Brenno joined a former Fed and me in the back of the room to smoke cigars. I had one Dominican left, Brenno had a small box of Dutch cigars, and the former Fed had a Cuban locked in his car in the hotel's parking garage. When he mentioned the Cuban, it seemed as if techno music slowed down for a moment, my thoughts became fuzzy, and the cognac seems a bit sweeter at that moment. I almost grabbed him by the collar, assertively asked for his keys, and told him I'd happily go get it if he'd share. I distracted myself from this impulse by becoming busy lighting my Dominican and puffed hard until the impulse passed. A locked car in a parking garage is no place for a Cuban cigar! It's to be treasured and shared....Actually, it was an angry security guard who broke our smoking bliss when she demanded we extinguish our cigars. We forgot that smoking is only permitted in bars—or something like that. Don't know for sure. We, regrettably, acquiesced.

Brenno and I danced until the party shut down and we went across the hall to another Penthouse party. At this party, anyone who felt like it went behind the bar and served drinks. I met one of the Agent Orange guys, Obphusc8 (I think), who was amazed that I was, “...like 22 or something and teaching college classes.” Even though I'm sure it was the beer talking, he still got major points for that one. Seriously. You rock.

In the Penthouse after watching limos and expensive sports cars trolling the streets below and the neon-lit Vegas sky scrapers, the the morning sun seemed far from Vegas. Vegas is a city made for the night. The lights, theme-park like hotels and “what happens in Vegas stays in Vegas,” is only made for the cover of night. Before spoiling this intoxicating night-time view with the rising sun, I went back to my cavernously dark room.

Day 2 of Defcon 16

2008-08-27T23:41:00.000-04:00

I began today with Don Blumenthal's talk about working with law enforcement. He's really a good speaker: he's accurate with this tech and legal info. and he approaches the issues from direct perspective. He's right when he recommended that if a warrant is given, don't screw with law enforcement. Know your rights, but don't try to mislead them if they have properly requested materials.

Scott Moulton talked about how, in a few states, one needs a private investigator's license to do computer forensics. I had never heard about these laws before, but it's shocking. Being a licensed PI in itself doesn't qualify one to work with electronic evidence, do computer forensics, or do audits for clients. In addition to the long apprentice training required, the PI exam is mostly composed of questions about guns and guard dogs.

After I returned to Maine, I mentioned Moulton's talk at a TechMaine meeting of information security and network and sys. admin. professionals. Only one person had heard of this scary legislation, but we all agreed that before it could be proposed in Maine, we should let our legislators know that we won't accept it. It seems as if, in the other states with these laws, the legislation was quickly passed without the info. security groups knowing what was going on. Thanks to Moulton's talk, we'll be on top of this before the PI lobbying group gets to our state. That law would put a lot of good people out of work. And as if tech jobs are even easy to come by in this state!

After Moulton's presentation, I went to get lunch in the contest room. I was delighted that Mycurial sat down next to me. I saw him present at The Last HOPE. We discussed how he won't let his employees at a large bank take their business laptops across the US boarder because of the laptop searches and seizures being done by US Customs. The policies allow for officers to take laptops for a “reasonable period of time” to “review and analyze information.” There are (shockingly!) no requirements for reasonable suspicion. I learn about stuff like that and wonder where our civil liberties are going and who's making and passing this legislation?

In an e-mail Mycurial sent me, he said, “There has not yet been a National response from the Privacy Commissioner of Canada, but I'm not sure how long that might or might not take. In the interim, we just don't outsource data to the states.” He has bank employees take wiped hard drives through Customs and then download the data they need through an encrypted network after they've cleared Customs.

After finishing lunch and discussing data storage laws (If you store your short-term memory on your hard drive because of a medical condition, should that stored data have a higher level of protection (think Johnny Mnemonic) ? What about for search and seizure protocols?), I slipped into the “Ask the EFF Panel.” However, the panel was canceled. The MIT students were slapped with a temporary restraining order prohibiting them from talking about their security research at MIT. Massachusetts Judge Woodlock really misjudged this one. Read Bruce Schneier's article (link above) because it's a good opinion article about why full disclosure of computer security issues is good for the computer industry. When the norm used to be to quietly tell the vendor, many vendors used the fallible “security through obscurity” routine and do nothing.

Last, but not least, I went to “The Commission on Cyber Security for the 44^th President .” The Center for Strategic and International Studies has a policy group composed of a myriad of professionals who wrote a security plan to be given to the next US President. Ed Felten is among a long list of impressive contributors. Someday I hope to be a part of a policy group such as CSIS.

I know that I let down my Hacker Space group, but they requested a lot of pictures of the Grendel mobile hacker space van. I went outside a few times, but it was locked every time. However, I was able to get one picture of it (above, top of blog).

The highlight of my day was being asked by a very nervous teen if I was Michelle Madigan. Huh? She was the Dateline NBC reporter who was run out of Defcon 15 last year. She refused to get a press pass but was trying to secretly film evil hackers breaking stuff. However, rumor was that it was a Fed who outed Madigan. Some of the Feds are working undercover and they didn't want to show up on a hidden camera on Dateline, either. I wonder what would have happened if I'd said, “Yes”? It would have been fun.

Night 1 Parties at Defcon

2008-08-19T11:50:00.000-04:00

After leaving the Bellagio's spa, I called Dallas to ask what was going on that night. Of course, he's connected and knows everyone, so he's my party source. First on the agenda: Hacker Pimps party in the skyboxes. After a great steak dinner at Bellagio, I took a taxi back to the Riv. around 10 PM and made my way up to the skyboxes. There were 2 different parties in the skyboxes, both with great techno music.

Walking into the Hacker Pimps party, I noticed a pack of guys on one side of the room watching the entertainers. One of the Hacker Pimps came up to me and asked if I'd found my friend I was meeting there. I remembered this guy from the Hacker Pimps presentation at the Last HOPE. My friend was in the thick of the pack of guys, so I quickly grabbed my friend's shoulder and said something like, “I'm here. See you later. Going out to the balcony,” and I pressed through the pack of guys to get back out.

There was a smaller party next door called “Spiders are Fun,” put on by a computer security company whose name I cannot remember. The bar was open, the techno was good, and I knew some people here and met some others. Out with the smokers on the balcony, I met a computer security guy from NYC who works for a company named Gotham. I liked that name and the guy even looked like Christian Bale.

Brenno then came out on the balcony and re-lit my cigar with his. For a while, we sat there blissfully puffing away and sipping XO cognac on the rocks. After both ran out, we danced until 2 AM. People we knew came and went until the alcohol ran out and the bar became cash. I read on Leah Shanker's blog that Jeff Moss was not able to get into this party without being escorted by a girl. Obviously the bouncer didn't know who he was—crazy! I told that to my brother because he was in the long line of guys waiting to get in, albeit unsuccessfully. He didn't feel so bad when he learned that even Jeff Moss was bounced.

Last, but not least, I went up to the penthouse party to meet up with my friend, Dallas. I got there just after the cops broke up the party so there wasn't much going on and Dallas wasn't there. At the ripe hour of 2:30 AM, I finally went to bed.

Parties at Defcon are legendary. Some of the skybox parties have passwords to keep out the Feds, but they were there, anyway.

Missing Vegas and NYC: What am I doing here in Maine?

2008-08-15T22:52:00.000-04:00

Just as I begin to get bored living in Maine, I'm reminded of why I moved here. This afternoon, I decided to make an impromptu trip to Long Sands Beach in York, Maine. I needed to do some surfing. I've been feeling really bummed since getting back to Maine from Vegas and NYC after Defcon and HOPE; I'm having a “what am I doing here?” crisis. I'm tired of cool tech companies going out of business, my favorite shops and restaurants closing for lack of revenue, and prospective clients wanting to pay me in stock options instead of my hourly fees. Half of my friends have already left “Vacationland” for places called “Job Land,” which is in the D.C. area, Seattle, or Silicon Valley.

Just as I was thinking about what life would be like in Job Land, I caught a glimpse of the glittering ocean as I headed east toward the beach. Some of the weekenders coming north from Boston were already hitting the beach, but it was far from crowded. I found a parking spot immediately, got out on the walkway, and looked out on the long, sandy beach toward the lighthouse on the point. Slipping into my wet suit and grabbing my board, the wet sand between my toes and the SPF 50 on my face smelled so much like August.

When the ocean is regularly as cold as it is here in Maine, you just can't stop when going in. Totally go for it. I took a running start crashing into the waves. The cold water on my face felt like a slap, but I liked it. With eyes burning and hair wet with salty water, I kept paddling for the white water. Still thinking about my dilemma, my agitated thoughts were: What am I doing here in Maine? I could be in D.C. going to see the newest exhibits at the National Gallery, driving my convertible into the city on warm, summer nights and dipping my feet in the reflecting pool at midnight while earning way into the six figures during daylight hours. Or in Seattle earning the same and hanging out in coffee shops with that rich, deep ground coffee aroma permeating my senses, having fresh fish sandwiches at a seafood bar in Pikes Place, or hanging out with people like Dark Tangent or my friends from Microsoft.

Unsuccessfully trying to duck dive my board under a huge wave, I get smacked in the face with white water. I'm reminded: In Maine, I can only drive my sexy convertible for 4 months a year. My giant SUV is far from the sleek profile of my convertible, and even with that hulking SUV, I still sometimes cannot get up my driveway in the February snow and ice. And I've seen every new exhibit at the Portland Museum of Art. I've been to every night club and wine bar in the Old Port and it just doesn't do it for me anymore.

Finally, beyond the breakers, I inhale the salty air and rest my head on my board. With seagulls soaring overhead, I spot the lighthouse in the distance beyond the ocean mist. The angled sunlight shines down into the clear, emerald water and I see bits of seaweed and fish deep beneath my feet. My board slightly bobs up and down as small waves push beneath me. Turning around, I see it coming as I get sucked backwards. The wave rises five feet above me from trough to peak. I'm in it. It's on.

All hands and feet churning the water, I'm determined to make it and not get pummeled in the breakers. Thinking: It's Friday afternoon at 4 PM. No stop-and-go traffic on I 95, no line-up for the waves, no cares anymore and there isn't anyone else out this far. I'm alone and it's just me on the board in the cold ocean. The wave picks me up suddenly and I glide toward the beach. The vibrations from the water beneath the board and the roar of the breaking wave is totally exhilarating.

Maybe I cannot hangout in Pikes Place anymore, maybe I get burned coffee at Dunkin Donuts, maybe I love and hate my SUV because it can haul ass off-road and fit my long board and snowboard inside, maybe I miss the Seattle crowd and will never hang out with Dark Tangent, but I have a hacker/lawyer/techie crowd I meet at Javanet in the Old Port, maybe I'm just missing Defcon and HOPE and the city lights and fast nights.

But it's Friday afternoon and I'm surfing, alone, in the warm sun and don't care about the maybes anymore. Ask me 6 months from now how I feel and I'll write you a response from the top of a Maine mountain with my snowboard strapped to my feet and a steep, fast decent with jumps ahead of me in the crisp mountain air. And that will be on a Monday or some other work day.

I'm not in a cubicle, I make my own schedule, I love teaching in a tiny computer science department at a big state university and I live on a lake in the woods just 1.5 hours from Boston. For now, it's all good if the bills are still (mostly) getting paid. Sure I miss the city, but on days like today, I'm reminded why I chose to live here. Sure wish I could have both lives--work week urbanite and weekender in the woods—I'm working on it. But for now, I'm working online, watching the sandy, sweet smelling wax on my surfboard soften in the sun outside and planning to go kayaking on my lake at sunset.

Meet the Feds at Defcon 16

2008-08-14T13:12:00.000-04:00

“Meet the Feds” was the last presentation I went to that evening. I had to; I'd read so much about Jim Christy (and linked to a video of him on a previous posting of mine) that I obviously enjoy his rants. Spot the Lamer before their panel is the Fed's antidote to Spot the Feds. The lamer, similar to last year, could answer too many questions about Battlestar Galactica, Star Wars, and is often asked if he can read binary or speak in hexadecimal. A tall guy who looked like Dwight from The Office was this year's winner (Lamer).

Slightly different variations of the same usual questions were asked: Which countries pose the most cyber threat to the US? (Answer: China and Russia) What's it like to work there? How much of a criminal background is too much to work for the Feds? Do you do the stuff like is on TV or in movies? (Answer: No) Do I make more money working in the private sector than you do for the government? (Answer: Absolutely YES!)

I know that the Meet the Feds panel is the gov's response to some of the latent fear of law enforcement in the hacker community. “We're just geeks like you,” is their general theme. But they really aren't too much like us, actually. Everyone on that panel is either near or at retirement age. If the Feds are also using this panel to recruit--they were much more direct about that last year--then shouldn't they reflect a bit more of what we are like? I spoke to Jim Christy later in the conference and suggested that he put younger Feds on the panel next year so that the 20-30s something crowd could ask questions of the younger Feds' experiences working for the gov because it is a tough sell. He won't put them on the panel because he said they don't have enough training to answer the questions (I read “liability concerns” in his statement), but they will have some younger Feds in the Q&A room for more “what's it like?” questions.

Also, Christy wasn't much like the scary guy I thought he'd be from the Wired article. When I first approached him, I felt my pulse rise and I began to sweat and I was sure not to break eye contact. “'As DefCon founder Jeff Moss (handle: the Dark Tangent) tells it, in the late '80s and early '90s there were only three people hackers worried about. Christy was one of them. 'It was like, be fearful, there's Jim Christy. Holy crap, stay out of his way.'” But I'm a girl...everyone is nice to me at Defcon, so maybe that's why. Or maybe it's because my blondish hair makes me look less dangerous (or maybe more?). Jim and his Royal Canadian Mountie Fed friend next to him put on sweet smiles, leaned back in their chairs, and answered my questions.

Day 1 of Defcon 16

2008-08-14T13:03:00.000-04:00

Brenno J.S.A. de Winter started Defcon for me and ended it, too (see Last Day of Defcon 16 posting). “Hacking Data Retention: Small Sister Your Digital Privacy Self Defense,” was where he released a tool that would encrypt communications. The most important emphasis he made is, “...even if you don't care or don't need to use encryption, do it for all of the other people who do.” It was great to see Brenno again; we met last year and have been buddies ever since.

CoffeeWars had already begun in the contest area when I finished catching up with Brenno. Hurring to the contest table so I could get my free coffee, I skimmed past a tall, attractive guy dressed in a black tshirt with spikes on it. But I was too distracted by the aroma from the coffee drawing me into the contest area for it to register that the guy with the spikes was Jeff Moss, (pict. above by Vissago) the founder of Defcon.

The coffee I was given was pretty bad and I was hoping that it wasn't my submission (it wasn't). For CoffeeWars, you're given as much coffee as you want in little plastic Styrofoam cups, but there is no sugar or milk to “adulterate” the flavor. Strong, very strong stuff! I had to choke down the sludge that was already in my cup before they would pour me more from a different brew. While working to do that, I was talking to the former fed who is often spotted as being a fed—he has a collection of the “I'm the Fed” t-shirt to prove it. We were discussing the MIT undergrads' presentation. I was told that the Feds had asked the MIT guys to pull some of their slides because of an on-going investigation. That didn't surprise me because I had an idea that those guys would have some issues with their presentation, especially because they took pictures of them breaking into stuff. The former fed introduced me to Jeff Moss who was sparingly given a cup of coffee from the next brew.

Maybe it was the coffee, the time change, or the stifling crowds in the halls between the presentation rooms, but I had a headache that Advil wouldn't touch so I went to Bellagio's spa for the afternoon. I really had intended to attend a bunch of sessions that afternoon, but I couldn't continue. The Bellagio was perfect and my headache was gone after the hour long massage by a guy with really strong hands. That spa was incredible, too; I felt like I was on a space ship while walking over rectangular green lights set into the floor and indirect spot lights coming out of the walls. Trippy atmosphere more so than soothing.

Night Before Defcon

2008-08-12T15:26:00.000-04:00

After a great dinner at Social House, we went to the Wynn to see Le Reve. I always enjoyed a good Cirque du Soleil show and this is up there in my favorites with “O”.

I returned to the Riv just in time for the Foofus.net party in a suite by the pool. I also had to submit my CoffeeWars beans that night to Foofus. I was glad to get the beans out of my hotel room because even though they were double bagged in plastic, I was just about knocked over by the strong coffee scent when I unzipped my luggage at the Riv. You can imagine what my clothes smelled like that night. You would either love it or hate it. I smelled like a fruity, dark sumatra blend with hints of chocolate.

Foofus.net's party was a great re-introduction to some people whom I met last year and his party successfully kicked off Defcon. With Foofus' famous margarita he mixed up for me--all it took was one--I was lounging in the moon light out on their patio and begun to fully appreciate coming to the conference this year. The mixing of intellect, technical curiosity, and bravado I love at these conferences was just beginning. Enjoying the warm desert star-filled night, I closed my eyes, and with great anticipation for tomorrow, I let me mind wander with Fatboy Slim's “Song for Shelter” saturating my thoughts.

Day before Defcon Began

2008-08-12T15:23:00.000-04:00

After leaving my house at an early hour, the drive was unfettered to Manchester, NH to catch a non-stop flight to Las Vegas. However, I was stuck at the back of the airplane in a window seat—but at least it wasn't a middle seat. Soon after the plan lifted off, the two elderly people in the middle and aisle seats powered-down as if there was an altermeter switch in their brains—there was no rousing these two to get out of my window seat. The 5.5 hours went very slowly being trapped in my window seat with a walking cane (not mine!) lying across my feet.

I don't like Vegas' old airport much, but the view flying in is spectacular. As I'm watching the Wynn and Bellagio out of the window, I'm already planning my visits to their bars and night clubs.

We didn't get a great view of the strip in the taxi on the way to the Riviera. Arriving at the Riviera was also anti-climatic. It always is. With the low ceilings, stained carpets, mirrored walls, thick cigarrette smoke creating a gaudy burlesque environment and the shrieks of bachellorette parties watching Thunder from Down Under (I won't describe that show because I won't ever attend), I knew I'd arrived at the Riviera. But it was the sea of guys wearing black t-shirts at the bar that announced my arrival at Defcon.

Of course, the Riv screwed up my hotel reservations. They had me scheduled to arrive the following day even though I'd confirmed my reservation a week before, so I was stuck sharing my brother's room for the night. I promptly dumped my stuff in his room and went down to the conference area to get a badge. Unfortunately, they had not yet received the real badges, so I was given a paper one to exchange later.

There wasn't too much going on that night except for Foofus.net's party later, so I went out on the strip for dinner and entertainment. We first went to Social House at Treasure Island. That is one of the finest sushi restaurants I've ever patronized. Although the menu was a little confusing and the waiter's offer to order dinner for us using his expertise to create a “blend of flavors” wasn't what we were looking for, we ordered for ourselves off the menu. That was the finest cut and freshest tasting fish I've ever had—and this is in a land-locked desert! I live on the coast in Maine; why can't I get this on the east coast? I now have a quest to find the best sushi restaurant on the east coast. I'll be in the D.C. area in September, NYC in October, and I'm in Boston whenever I want. There has to be a Social House equivalent restaurant somewhere between these cities and I'm going to find it—with a little help from local friends and some warm saki, I believe I will succeed.

Off to Def Con--you going?

2008-08-07T00:58:00.000-04:00

After some lucky private funding that paid for my trip to The Last HOPE, I am now able to attend Def Con. Univ. of Southern Maine also is paying for my registration fee for Def Con (thanks!), so that's awesome. I won't have to live off PowerBars and eat cheap Chinese food on this trip.

I'm disappointed that I missed SushiCon because it was tonight, but I'll be able to make it to Foofus.net's party by the pool Thursday night. Although I'm in the last boarding group on Southwest out of Manchester, NH tomorrow morning, it is non-stop. I guess that could be kind-of bad if I'm stuck in a middle seat with a laptop battery that lasts 10 min. I also have a DeCSS wallpaper on my screen when I boot up and it's sometimes funny to see who notices what it is.

I'll try to blog about Def Con every day, but with the late nights tempered with Cubans and cognac in the Sky Boxes (please, Dallas, get me into the Ninja Party like you did last year!), the blogs may be delayed.

Ciao, and if you're going to be there, e-mail me!

What I'd Ask Kevin Mitnick

2008-08-05T15:52:00.000-04:00

I'm interested to know if Kevin, as a hacker, feels restricted with the technology he uses fearing that someone could claim that he's back to cracking systems? Also, does he worry that the remainder of his life will be under scrutiny of law enforcement? Conversely, the hacker community has embraced him and has since the beginning of his ordeal with law enforcement. Does he feel more "at home" with the hacker community? Are hackers, such as Kevin, a modern version of the “...angelheaded hipsters burning for the ancient heavenly connection to the starry dynamo in the machinery of night,” in Ginsberg's Howl? Are we just trying to figure out how things work within the technological constructs of our modern society?

I'm curious as to how Kevin feels about the hacker community because it is one of the most accepting communities I've encountered. I'm not a sociologist, but I believe that the hacker community (see my blog posting on setting up a Hacker Space and how popular these hang-outs are becoming) may be the hippies-from-the-70s kind of counter-culture for generation X and Y, but with better hair and attire. And when you add technology to that--it's the great anonymizer in today's Big Brotherish society. Instead of inspiration from Allen Ginsberg's Howl or Jack Kerouac's On the Road, we've read The Mentor's The Conscience of a Hacker (“Hacker Manifesto”) and heard him read it at H2K2, read Hackers by Steven Levy, William Gibson's Neuromancer and Neil Stephenson's Snow Crash.

As for world-wide affects of his trial and jail time? From one perspective, it made the hacker community more cautious about law enforcement—either from the perspective of being more careful when exploring and aware of criminal statutes or more aware of their surroundings in public and online. On the other hand, it also drove the community more outside of their internal Internet existence and encouraged some usually quiet and seclusive individuals to go outside with “Free Kevin” stickers, signs, and publications. 2600 Magazine was a big supporter of Kevin and was the first introduction I had to his case.

Perhaps Kevin's experience, and that of the hacker community at large, is aptly put by The Mentor:

“This is our world now... the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn't run by profiteering gluttons, and you call us criminals. We explore... and you call us criminals. We seek after knowledge... and you call us criminals. We exist without skin color, without nationality, without religious bias... and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it's for our own good, yet we're the criminals.

Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.

I am a hacker, and this is my manifesto. You may stop this individual, but you can't stop us all... after all, we're all alike.”

Or, on the other hand, are we just the children of 70s counter-culture parents who read us Howl and taught us to type on a manual typewriter but still have the same philosophy and ideals as our parents? Perhaps the hacker culture isn't anything novel, but a modern incarnation of fighting to maintain our civil liberties and freedom.

“..the last fantastic book

flung out of the tenement window, and the last

door closed at 4. A.M. and the last telephone

slammed at the wall in reply and the last fur-

nished room emptied down to the last piece of

mental furniture, a yellow paper rose twisted

on a wire hanger in the closet, and even that

imaginary, nothing but a hopeful little bit of

hallucination

ah, Carl, while you are not safe I am not safe, and

now you're really in the total animal soup of

time...”

Discussing Kevin Mitnick

2008-08-05T15:42:00.000-04:00

My friend, Kaja Perina, is Editor-in-Chief of Psychology Today. She spent some time at HOPE with me and is considering doing something about hackers in a future issue considering that Psychology Today has a history of writing about hackers.

I suggested she try to interview some hackers, but foremost of all, Kevin Mitnick. She asked if there is anything I'd like to know about him or questions I'd ask if I could. Indeed, I've always wanted to meet Kevin and I have some questions about the results of his jail time and his effect on the hacking community. I know the media often asks him about his jail time and there is more to him than that part of his past, but I'd like to ask about how it changed him and, a bigger question, if he thinks that his experience with law enforcement and the judicial system changed the hacker community world-wide.

In my e-mail to Kaja, I wrote the following:

In my blog, I wrote a bit more about why his jail time was so egregious; I cannot imagine the kind of abuse he endured there. And being in jail for so long without even being charged? From the perspective of a lawyer, I feel embarrassed and compelled to say "sorry" to him for the lot of attorneys (excluding Jennifer Granick) who didn't understand the technical aspects of his case. But honestly, most lawyers and law enforcement to whom I've spoken believe that he got what he deserved.

As you know, I was inspired to go to law school and study technology and cyber criminal law because of his case, so it has obviously effected me a great deal. I suppose, from a psychological standpoint, I feel that if the legal system mismanaged his case it could happen to anyone--even me--which is frightening. This is especially true of people with extraordinary technical skills or intelligence whom the criminal justice system considers to have an "extra" skill which, in their minds, makes computer criminals more dangerous and thus are permitted to give them extra punishments for improperly wielding their intelligence.

So, in turn, if you're a defendant and smarter than the lawyers, judges, and jury in your trial and no one can really explain or understand your exploits because of a lack of technical comprehension of the facts or forensic evidence, you're at a serious disadvantage. Our judicial system failed Kevin Mitnick.

I've heard that Kevin doesn't talk a lot about his time in jail and I assume it's because it was painful for him. But with hackers, there is a constant fear of law enforcement, but not just because malicious hackers are afraid of getting caught, but they fear an unfair trial. At my HOPE presentation, the first question I was asked was, “Is there a special court for computer criminals? If not, why?” It's always the first question I'm asked.

No Maine Hacker Space—At Least Not Now

2008-08-04T00:03:00.000-04:00

Alas, we only had 4 people attend the meeting and only 3 want to financially support the project. That doesn't add up to enough to get a physcial space where we can share our equipment and expertise, so Maine's Hacker Space will have to remain virual until we have more interest.

However, what we can do is invigorate Maine's 2600 meeting and attend regularly. We spent a few hours at the meeting discussing networks, honeypots, and electronics projects with which we're involved. Infochown and I want to try out the cold boot utilities code (Ed Felten is a part of that research group) that was released at HOPE. Nothingface and Charley want to build a CNC milling machine when they have the financial resourses for the parts. So, instead of a Hacker Space concept where we have a place to work on our projects and hang-out, we have the 2600 meeting to talk about stuff we do at home or work. If some of us have smaller living accomodations like Infochown who had to give up his kitchen table to get a couch in his apartment or us whose office consists of a 4x5 closet space off the kitchen, they are going to be darn small projects. We might visit the Space idea later (when the economy picks up?) but for now, we're virtual with independent projects.

Attendance for the Portland, Maine 2600 Meeting on August 1, 2008:

Prof Rad
Infochown
Charlye
Nothingface
2600 Reasons (telecommuted)

2600 Meeting Tonight—Hacker Space Proposal Meeting

2008-08-01T13:25:00.000-04:00

Tonight is the monthly 2600 meeting at the Maine Mall. Unfortunately, a few of us have attended the meeting—sometimes for 4 meetings in a row—and no one else shows up. I’ve e-mail 2600 to have the meeting location moved from 5 PM to 6 PM and out of the food court in the mall to a Boarders bookstore adjacent to the mall, but no response. Someone, whoever they are, still claims that there is a 2600 meeting and is notifying 2600 as such, but we cannot find evidence of anyone existing. Hence, we’re going to be showing up in force for the next few meetings and keeping a log so we can prove that we were there, want the meeting, and to move it out of the mall and to a later time easier for working professionals.

At the meeting tonight, we’re going to discuss the possibility for setting up Hacker Space. This is the crucial time for anyone interested to attend. If we cannot find five individuals willing to pay monthly dues to establish Hacker Space, Maine’s first Hacker Space might be only virtual. That would be too bad, but we understand that getting anyone to pay into a business organization now is difficult.

A hacker lawyer guy took these pictures of two of the proposed locations for Hacker Space. The top picture is a single room, small, but relatively affordable and smells like the Chinese restaurant below. The bottom photo is the larger space with 4 locking offices, large common area, and kitchen. That space would be easier to share with other professional organizations until Hacker Space could break-out on its own and be totally autonomous.

Establishment of a Hacker Space in Portland, Maine?

2008-07-29T11:22:00.000-04:00

After reviewing presentations from hacker conferences and Make Magazine about setting up a Hacker Space, 4-5 of us are setting out to establish one in Portland, preferably in the Old Port part of the city near the waterfront, arts district, great coffee shops and restaurants. The down-side to that location is the cost. We could get some warehouse space with no plumbing and little heat in an abandoned factory in Biddeford or Westbrook, but if we can manage the Old Port's steeper rent, I think we'll get more people interested and have more of the public wandering in. The offer to “...meet us at Hacker Space in an abandoned warehouse near the trash incinerator in Biddeford,” doesn't quite have the same attraction as, “...meet us on Exchange Street, 3 doors down from JavaNet Coffee and 4 doors down from the Fuji Japanese Restaurant with great sushi.”

The space I saw yesterday would be perfect being that it's in the Old Port near the Javanet coffee shop and the Fuji Japanese restaurant. The entrance had an attractive lobby and an elevator and the office had a huge common area with a skylight and big kitchenette surrounded by 4 offices, 3 of which look out on Exchange street. A patent attorney and I both want separate offices for our companies and Hacker Space wants a locking office for their expensive and/or difficult to operate machinery. That would leave one office to be sublet. If the owner of the building is okay with 3 on the lease and will take what we can afford, it would be a perfect location for Hacker Space, my company, and my friend's patent law firm.

We're having a Hacker Space info. meeting in conjunction with the 2600.com meeting at the Maine Mall this Friday evening, so we'll see if we have enough people interested in founding the project.

Last HOPE conference (Hackers on Planet Earth) Part 7

2008-07-24T01:26:00.000-04:00

Last HOPE conference (Hackers on Planet Earth) in NYC 2008

Part 7 (Sunday)

July 20, 2008:

After spending the previous evening lounging in a 2nd floor hammock drinking Club-Mate for a while and learning how to pick my Masters combination lock when I forget the combination (usually [dumbly] at the gym after showering and wearing just a towel), I made it to Sunday’s 10 AM “A Decade Under the DMCA,” and was so pleased the speaker put in a few plugs for ChillingEffects.org. I wrote a lot of the patent section’s FAQs under my maiden name, Tiffany Strauchs.

Alas…departure day. : ( We all knew this day would come. We waited a year for this conference and then it went by so fast. Another HOPE blogger said that it was the best weekend of his life.

As for me, I was hoping that I’d be able to attend Def Con in a couple of weeks, but due to the fact that this trip kind-of broke my travel budget, I’m not going to Def Con this year unless I win the lottery. I’ll have to forgo meeting up with my west coast hacker friends and I won’t be able to defend my 2nd place title in Coffee Wars. With the Freaky Bean’s French Roast, “Professor Rad,” (that’s my hacker handle!) almost won, but narrowly took 2nd place. I was hoping Foofus would be able to tip the scale in my favor for 1st, but my persuasion didn’t work.

I went to a couple of other talks on Sunday but couldn’t stay until the closing ceremonies because driving back to Maine is at least a 6 hour endeavor. We packed up our computer gear, our new conference acquisitions such as an RFID blocking passport wallet, the requisite black 2600 conference t-shirt, and (literally) packed our 3rd row passenger into the SUV.

With the 97 degree heat beating down upon us and the radiant heat from the pavement, if I closed my eyes, it felt the same as leaving Def Con in Vegas during mid-day. Other weary conference attendees were dragging their Pelican cases toward Penn. Station or taking pictures of the 2600 Bell van (picture from 6 years ago) parked outside of Hotel Penn.

After exiting the Lincoln tunnel and looking in awe at one of the most spectacular views of NYC, I reminded myself that although this may be The Last HOPE, there always is The Next HOPE and I’ll be back.

Last HOPE conference (Hackers on Planet Earth) in NYC 2008 Part 6

2008-07-24T01:24:00.001-04:00

After a coffee and saying goodbye to friend Kaja, I went to Kevin Mitnick’s presentation. Federal prosecutor Kent Walker said in an interview with the New York Times that Kevin "…was arguably the most wanted computer hacker in the world…” However, that stereotype was mostly due to media hype. His trial didn’t go so well with many procedural issues, an overzealous prosecution, and a technically-illiterate Judge. The Judge believed that Kevin could whistle tones into the phone and launch a nuclear missile attack and, consequently, put him in solitary confinement for 8 months.

In my opinion, Kevin’s punishment didn’t fit the crime. Hearing about Kevin and BernieS’s legal cases inspired me to go to law school. If more people with a background or interest in computers got involved in defense or prosecution of hacking crime cases, I think the system would be fairer for computer crimes and legal/law enforcement blunders like Kevin’s time in the hole and BernieS’ physical abuse in federal prison wouldn’t happen [as much] anymore. Also, finding technologically competent criminal defense attorneys and expert witnesses should be easier to do; hence, I hope to start a non-profit group to further that endeavor.

I’ve also been curious about where a special international cyber crimes court could exist. Without fail, my computer science students and someone at a presentation will always ask if a special court exists, and subsequently, why it doesn’t. The only venue I can imagine where something that specialized could potentially exist is with the International Criminal Court (ICC) at The Hague. It is only a court of the last resort (meaning the really bad stuff like genocide and other crimes against humanity) and the US won’t recognize that court, but perhaps they will in the future considering that many cyber crimes have international originations and target, some with serious implications.

Last HOPE conference (Hackers on Planet Earth) Part 5

2008-07-24T01:20:00.000-04:00

Last HOPE conference (Hackers on Planet Earth) in NYC 2008

Part 5 (Saturday)

I arrived an hour before my talk because I wanted to see John Threat’s Hackateer premier which was right before my presentation. Meeting one of the MOD guys was like meeting a character out of an action/adventure movie—I’d read so much about them, but instead of their capers being fictional, this was the real thing. I was also hoping to meet Mark Abene, aka Phiber Optik, but it was nice to see him onscreen. I remember reading about these guys when I was messing around with my brother’s BBS in the 1980s and wondering if they would ever log onto ours (they didn’t—as far as I know). But I studied these guys’ legal cases in law school in Ron Weiker’s awesome cyber law class at Franklin Pierce Law Center so it was interesting to actually meet them.

My presentation started at 8 PM with me fumbling to find a power cord to plug in my computer because the year-old battery has only 10 min. of life in it. It was a good thing that I couldn’t see past the second row because of the blinding lights because seeing the filled room would have probably been shocking. And coming after John Threat was a difficult act to follow. Somehow, I pulled 6 months of academic research together into a 50 minute presentation titled, “RFID and REAL ID Act: Privacy and Legal Implications.”

Afterwards, I was happily received off stage by a large group of people with questions. Interestingly enough, I met a guy from Latvia and one from Portland, Maine. Oddly enough, I also met a scary guy who insisted that the government put an RFID chip in his head while he was sleeping, wanted me to help him remove it, and then wanted me to help chip some racial/religious group “for God” so they could be tracked. Great…just my luck to have a really scary guy ruin my post-presentation high. I reported him to conference security. Their response: “We’re not going to let some psycho guy scare off one of the few female presenters we have, by God!” They offered to toss him out if I saw him again which, thankfully, I didn’t.

Last HOPE conference (Hackers on Planet Earth) Part 4

2008-07-24T01:13:00.000-04:00

The Last HOPE conference (Hackers on Planet Earth) in NYC 2008

Part 4 (Saturday)

After not a lot of sleep and with my own presentation looming later that day, I somehow made it to the conference at 10 AM for “Technical Surveillance Countermeasures (TSCM)—A Brief Primer on the Arcane Art and Science of Electronics Surveillance and Bug Detection.” As my hacker/lawyer Mainer friend aptly said, “He looks like a nice guy and reminds me of my Grandpa—but without the bomb stuff.” Marty Kaiser told us about some business deal with the FBI or CIA (I cannot remember which) that didn’t go well and the gov. destroyed his reputation causing him tens of years in court and something like $75,000. in legal fees. He also showed us some old bug detection devices and reminded me why my old metal detector in the shed shouldn’t be discarded because it can find bugs like the newer ones cannot. Interesting should I ever need that.

“A Convergence of Communities,” was given by my father, John J. Strauchs, former case officer (that means covert agent) for the CIA. Married to my mother who was a hippie in the 70s (afro, headbands—the whole thing!) and former leader of her college’s Student’s for a Democratic Society (SDS), I’m a mix of the two perspectives. My father’s presentation was critical of how Homeland Security is spending our tax dollars. He believes that we’re bankrupting our economy with often expensive, and not always necessary, security that isn’t intelligently planned and implemented. Intelligence, in his opinion, is the only way to prevent terrorist attacks but some attacks on certain infrastructures, such as mass transportation, are inevitable. However, it is possible to mitigate the risks—and subsequent fatalities should an attack succeed--by making wiser choices regarding high-risk terrorist targets through prioritizing using triage.

His abbreviation for TSA (thousands standing around) is appropriate, especially when I have to deal with my husband getting stopped every darn time we go through security because he has an olive complexion that TSA incorrectly assumes makes him Arab or when security demanded that my son, only 1 year old at the time, crawl through the metal detectors alone because he might be hiding something; he crawled through and then stopped in the middle of it thus creating a huge back-up into Dulles airport—that’s my boy! That probably wasn’t smart allocation of TSA’s resources.

Steven Levy, a prolific writer and public speaker, talked about his inspirations for the book Hackers. He began by mentioning an article from the 1980s in Psychology Today as being his chief inspiration. One of my friends, Kaja Perina, is currently the Editor in Chief of Psychology Today. I got on my cell and told her she’d better get down here to cover the conference because her magazine was just mentioned as being the inspiration for the book which helped spawn the hacker culture! She was there by the end of the day and was kindly given a press pass for the conference.

After Levy’s presentation, I went into seclusion back at the hotel to give my presentation a last review before my 8 PM time slot. I missed some talks I wanted to see, but I had to practice. I’ve spoken to large groups before and even been in front of an event featuring U.S. Congress, but presenting to my peers—and some pretty smart peers—was a daunting task. I had to meet some high bars for this talk.

Last HOPE conference (Hackers on Planet Earth) Part 3

2008-07-24T01:09:00.000-04:00

The Last HOPE conference (Hackers on Planet Earth) in NYC 2008

Part 3 (Friday)

Last that day, another notable presentation included “Hacking the Mind, Hacking the Body: Pleasure.” I went to it because the title piqued my curiosity and I demanded my husband go with me, but before the presentation started, he slipped out to go get some Jolt and, according to his story, there were so many people in the room when he returned that he couldn’t get back in because the room was beyond max. capacity. So, in turn, he left me surrounded shoulder-to-shoulder in a room containing 99.9% hacker guys in which a woman was discussing some tech about cyber sex and a lot of things I had never before heard of. I had the pleasure of sitting behind two hulking Federal agents (it was so obvious—who is teaching you guys to “blend in” with the natives?!) who, in their tight golf shirts and ironed khaki shorts, were giggling like kids. Every time the presenter said something about anatomy or someone from the audience asked a question, they’d double over laughing and make critical comments about computer geeks.

Did you guys know that you had an entertained audience behind you who found your antics hilarious? At least your packing heat requirement was not fulfilled with an American-touristy fanny pack as you did in previous years, but if you’re the new face of the FBI, we’re lost. I can see it now on the FBI’s Employment page: “Now hiring tough-guy goons for the anti-cyber crimes squad. Must [not] be able to blend in with the tech crowd, must be able to bench press over 300 lbs., wear tight t-shirts to show off your top-rate physique, and have a history in high school of bullying geeks and, subsequently, were snowed by those same geeks in college math and science classes who refused to tutor you.”

If the FBI is as keen on recruiting the smart people at hacker conferences like Def Con and HOPE as they say they are, they are not projecting the most positive image of what it’s like to work for the anti-cyber crimes squad.

And then, after midnight and some lounging in the hammocks listening to techno music on the 2nd floor, I went to sleep unsoundly amidst the not-comforting-to-a-Mainer city noises.

Last HOPE conference (Hackers on Planet Earth) Part 2

2008-07-24T01:05:00.000-04:00

The Last HOPE conference (Hackers on Planet Earth) in NYC 2008
Part 2 (Friday)

On Friday, I went to see a fellow techie lawyer’s presentation, “Botnet Research, Mitigation and the Law.” You always know when a lawyer is speaking with the, “Don’t take this as legal advice,” spiel. It was great how Alex Muentz truly is technical and, at the same, time gets the legal stuff right, too. I didn’t get to talk to him much at the conference beside a brief discussion regarding how some lawyers (especially those in big firms) shy away from hiring techie lawyers, but I saw him fly past me later during the con. on one of the Segways that he had taken off the Segway race track.

Robert Steele with “Earth Intelligence Network: World Brain as Earth Game,” has it right when he says that bureaucratic organizations that lock up most of their information are making it difficult to improve society and security through secrecy. I liked his analogy to the open/free software and hardware movement, but you will either love or hate his presentation style. His in-your-face kind of approach and occasional profanity is one of a kind.

“From a Black Hat to a Black Suit: How to Climb the Corporate Security Ladder without Losing Your Soul,” was hilarious. In addition to the fact that this IT security professional was begging more women to go into IT, he was a likable presenter and made a good point about keeping any arrogant sysop and black hat tendencies at home. The suit, in some IT departments, will be your new uniform.

One of the most interesting technical presentations of the whole conference was today: “Advanced Memory Forensics: Releasing Cold Boot Utilities.” This team from Princeton’s CS dept. proved that if you think your key is gone and not retrievable from DRAM when you pull the plug or leave your computer in sleep mode, think again. I’m going to check out his code.

One of the most informative, “How Do I Pwn Thee? Let me Count the Ways,” was about how average Bob could be “owned” with his unsecured wireless devices. Even Bob’s wife was theoretically owned by an unsecured wireless sex toy accessible with phone text messages. With that, Renderman brought up an interesting criminal law question: “Is that rape or just bad encryption?” Never before had I heard those terms in the same sentence, but aside from the sniggering in the audience, it was a novel question. I won’t describe the details of the presentation, but go to 2600.com’s site and listen to the audio file.

“Hacker Space Design Patterns,” has inspired a few of us in the Portland, Maine area to look into downtown commercial rental space to set up a hacker space. A hacker space, usually as part of a monthly membership, is part inventor’s lab and part techno hang-out. It’s a place where techie hackers can congregate and, most certainly (part of the culture), drink highly caffeinated beverages while tinkering with electronics and software/hardware projects using expensive tools and equipment whose cost is split among the group . On the drive back to Maine after the conference, we discussed working on a 3-D printer and what type of investment, equipment and legal agreements (two of us are lawyers, so legal stuff comes up immediately—can’t help it) we’d need to start the space.

Last HOPE conference (Hackers on Planet Earth)

2008-07-24T00:59:00.000-04:00

Part 1 (Friday)

July 18, 2008:

After driving for 7 hours to NYC from Southern Maine in a 16 mpg SUV packed with people, food (we’re cheap), and computer gear, we finally arrived in NYC late Thursday night. We didn’t stay at the Hotel Pennsylvania this time because the rooms were an outrageous $450./night when I got around to booking, but stayed at the Affinia Manhattan which was one block away. At $350./night with 2 bathrooms, a living room, a separate bedroom and, most importantly, a full kitchen, that hotel is now my favorite in NYC. Although it was right next to a police dept. and fire station with sirens going at all hours which added poignant staccato to the perpetual taxi horns, it seasoned our noisy NYC experience.

In accordance with true computer hacker form, the conference (thankfully) didn’t start until 10 AM every day and went past midnight. Arriving at the conference on Friday morning was, for us, like going to a family reunion. Seeing friends from all over the world and being surrounded with like-minded and similarly-attired computer geeks instantly made me feel comfortable. Sometimes the media portrays computer hacker conference like it’s a meeting of criminals getting together to take down civilized society, but in actuality, the cracker contingent is negligible; in fact, at HOPE and Def Con, if the conference attendees or organizers find out that script kiddies are messing with the hotel’s or conference’s stuff, they counter-attack or just throw them out.

Most of the attendees whom I’ve met at these conferences are the smartest people I know. They generally are not socially inept and, on the contrary, people just walk up to me and say, “Hi, my name is…(insert cool hacker handle here).” And I don’t think they are so friendly just because I’m a girl hacker.

Ok, so maybe it’s part of it, but that’s cool because there is nothing more awesome than a mysterious guy with a hacker handle like “Obsidian” with black spiky hair, wearing all black, carrying some totally cool technological device (that he built!), and with an IQ that could sear through any encryption and, some women might say, their better sensibilities. HOPE and Def Con conference are like hacker girl heaven—THOUSANDS of brilliant men are there with very little competition. C’mon girls…these guys are HOT. You’re missing out if you write off these sexy-in-a-geeky-way guys because, if you’re lucky like I am, you’ll marry one and never lack the type of cool tech discussions and attraction that rivals the thrill you get from watching a great action adventure/spy movie or snowboarding, fast, down a mountain--they are fast and furious.

Besides the “coming home” feeling most hackers have at this conference, there is not another type of conference I attend (certainly not legal topic ones) in which I’m riveted to my seat. Getting me to willingly sit in a non-ergonomic chair for days at a time is something that only a good hacker conference can do. I find myself skipping meals and forgetting to answer my cell so I can go to presentations uninterrupted from mid-day until midnight—the presentations were so great this year.

Welcome to by blog on technology and law

2008-07-24T00:55:00.000-04:00

Welcome to my blog on technology and law. I endeavor to share my opinions regarding technology-related legislation, legal cases, and public policy as it relates to academic research and how these issues affect my business and, in general, the computer industry. However, the typical disclaimer applies here: no one may rely on these postings as legal advice and I encourage readers to consult an attorney for advice on any particular issue.

With that said, I believe that my legal and scientific background provides me with a relatively unique perspective on how law—especially intellectual property—affect technological research and companies. Although I am of the opinion that intellectual property filings can assist inventors and entrepreneurs in giving them time to establish companies based on their inventions or to conduct further innovative research, I believe that the current way in which intellectual property is taught in law schools and practiced by attorneys was not quite what our founding fathers had in mind when granting, for example, limited monopolies for patent filings or limited copyright protection.

The patent system is in dire need of an overhaul and should have more protection for individual inventors and small companies rather than for big corporations. I have seen too many fantastic tech start-ups go out of business because of large corporations practicing offensive patent litigation. As a result, I support defensive patenting for individual inventors and small companies, but the USPTO has new rules looming on the horizon that will make it much more costly for small companies and individual inventors to file multiple patent claims thus benefiting large companies in the race to file.

In addition, I find super-broad and non-novel claim drafting—especially in the software industry—to be stifling to innovation. I do not support over-broad, non-novel, and industry-stifling patents that are used as industry weapons to destroy competition rather than to foster innovation.

Another relevant project on which I am currently working is a legal clinic/externship for law and computer science students. I spend a good amount of time in the hacker community, and while I do not condone malicious hacking, I think that traditional criminal law has not kept pace with technology. More research into criminology and education of both the computer hacker and the legal communities will lessen the divide between them. Giving computer professionals a better understanding of criminal law and the legal community a better understanding of computer science and technology will provide more just and effective prosecution or defense of those accused of computer crimes. A long term goal is for the clinic to assist in creating technology and privacy legislation.

One of my primary interests in the computer hacker community is studying patterns of cyber crimes and computer security. When studying security, I also spend time assessing whether particular security measures improve safety in a way that does not severely infringe privacy and constitutional liberties.

Lastly, I am a proponent of free and open source software. As a computer scientist, I like to get into source code for my computer applications and alter them to suit my needs, but that is usually not possible using proprietary operating systems, software and hardware. While in business school, I spent a lot of time studying how to make companies profitable that choose to offer their software/hardware with free or open source licensing and I hope to bring some of those ideas to this forum.