From: NTK's own correspondent:

HAL2001 Friday:

The keynote speaker was Emannuel Goldstein, who appeared wearing a white 
t-shirt bearing the word "fuck" written as a Ford logo: "I'm trying to 
repel the American media" he announced. He figured that the t-shirt should 
force any US cameramen to have to turn off their cameras... He went on to 
explain the nature of 2600's run-in with Ford (partially covered in this 
quarter's issue). In 1999 when the DNS monopoly was 'broken', some of the 
new registries allowed the use of 'obscene' words. So 2600 registered a 
bunch of domains:,,,, (they were too slow to get and!). They redirected to point to 
NBC's website, and vice-versa. NBC sent a 'Cease and Desist' for trademark 
infringement, so 2600 printed the letter, and publicly commended CBS for 
not being as childish. The following week, CBS sent a cease and Desist. 
Around the same time, 2600 registered

Emmanuel stated it would have been a much easier life not to register these 
domains, but "sometimes you just have to push back and provoke the 
monster". Anyway, Ford sued 2600. This was a bit confusing as they didn't 
have, or, or anything. It took Ford a while to 
actually find the 2600 offices, but eventually, a letter arrived in the 
post. Ford were suing them for! It turns out that 
initially fgm was pointed at GM's website, and then at a consumer watchdog 
site, and then at, and then they quite simply forgot about it. 
Now, if Ford had asked nicely, 2600 probably would have moved the redirect, 
but they didn't even threaten, the just went ahead and sued. Ford didn't 
know they could block the redirect with just a few keystrokes, they "must 
have been using some Microsoft product they couldn't understand..." Well, 
after all that, they just had to go and register (the owner had already been sued and taken the site down...)

Emmanuel then went on to suggest that maybe someone should modify CodeRedII 
to gain access to an IIS machine, infect it, download the patches and fix 
the vulnerability itself. And then a short rant about the appalling way 
that worms like Sircam were now affecting none-MS users, not through 
infection, but just by the sheer volume of mail received from infected 
people. 2600's public email addresses had all been swamped before they 
could put filtering in place. "We don't even use their software and we 
*still* get screwed".

Some other choice Goldstein quotes:

Re the DCMA: "Sometimes I get the feeling the rest of the world is 
tolerating us to see how bad we fuck it up"

"Don't ever say Americans aren't tolerant - we've been tolerating shit from 
our government for years!"

Privacy & location data in mobile telephony
Jaap Henk Hoepman, Gus Hosein, Frank Rieger, Paul Dinnissen. Chair: Maurice 

A technical panel discussion, raising many issues about the 'greedy' telcos 
looking to harvest location specific data about our movements as a way of 
recouping some of the UMTS investment... Several of the panelist were 
working for privacy-startups, looking at building location services 
(friends finder, mobile ads, traffic alerts etc) that could be used by the 
subscriber with user control of who sees what personal info. Paul Dinnissen 
of Maptive ( described the "sheer economic panic 
over UMTS" leading the SPs to consider privacy a danger to future revenue 
streams. Gus Hosein of Privacy International reviewed the way that traffic 
data in the POTS system (who you called, when and for how long) was 
expanding in the world of mobile telephony and the internet to include what 
had previously been probably considered "content", including location data, 
caller ID, DHCP addresses, URLs visited, search terms, and anything that 
isn't the actual content of a webpage or an email... Quote: "things are 
going to get worse" (refering to the CoE Cybercrime convention).

Most interesting, the first questioner was Phil Zimmermann, who offered a 
number of suggestions to counter the panel's bleak view of the future of 
privacy. Zimmermann suggested that there was a pressing need to lobby and 
publicise the cause of mobile privacy in the press, outside the hacker 
community, and this would take money to reach legitimate bodies and 
operators. The community needed to identify decision makers and communicate 
directly with them. Of course, this all takes effort and money, but he gave 
as an example how the US crypto export policy was 'fixed' through sustained 
effort. "You *can* get results with enough effort applied". He made the 
point that if we become passive observers, we make the changes inevitable.

The general response to Zimmermann was along the lines of: you don't 
understand how dense/determined European telcos are, and "If you though the 
crypto wars were bad, think of 43 DOJs" (Gus Hosein, describing the Council 
of Europe). Zimmermann rebutted with a view that there had been a sea 
change in the number of US congress discussions regarding privacy, that "if 
we feel helpless, then we become paralysed", and "Let's get started - I 
think we can win!"

A final teaser was the prospect of a new peiece of 'research' allowing a 
microcode change to a Nokia phone, allowing it to connect to the 'next' 
cell over, rather than the current closest base-station. No source was 

BadRAM: broken memory put to good use
Rick van Rein gave a brief but excellent talk about his Linux kernel patch 
that allows bad memory locations in 'faulty' RAM chips to be mapped, and 
avoided by the OS (since linux uses an MMU). It's a similar concept to that 
used in the ZX Spectrum - apparently, faulty 64bit chips were cheaper than 
32 bit chips, but usually only failed in the high or low order bits, so the 
chips were tested and marked H or L, and then the address bus was mapped 

One side affect of using 'faulty' RAM in PCs is the prevention of 
dual-booting to a Microsoft OS (which cannot avoid the faulty RAM 
locations.) Rick was very pleased about this strategy... Apparently 
something like 50-70% of RAM chips are thrown away due to manufacturing 
defects. The use of BadRAM could bring these back into use, and drop memory 
prices even further.

The patch isn't in the kernel yet, because (rumour has it) Linus doesn't 
like the idea of using broken hardware. Alan Cox, however does (allegedly). 
Rick's had at least one person who is delighted with the patch, since they 
can use their laptop (with soldered-on-the-motherboard failing RAM) again. (can't connect to site at present...)

DeCSS history, background and legal future

Tom Vogt spoke about the background to DeCSS, and the structure of the 
various copyright and trademark enforcement bodies involved today. He gave 
a persuasive argument that the entire DVD-sandards enforcement industry 
forms a restrictive cartel, and how the 218 pages of the CSS licence is 
used to enforce such things as region codes, and 'hackability' of players, 
far beyond the provisions provided by copyright law.

Tom also spoke about the 'European DMCA', the EU Copyright Directive, and 
how national governments are likely to overshoot the required level of 
restrictiveness in national law to ensure they meet the directive; and the 
link between the oppression of Indymedia journalists in Genoa, with 
Berlusconi and hard right/facist politics, and the increasing consolidation 
of mass media into singleton powerful interests (Murdock, Haffa, 

Best quote: "The best historical example [of the reaction to deCSS] is the 
churches response to printing presses"

The Cybercrime Convention
Gus Hosein and Andy Mueller-Maguhn spoke about the Council of Europe 
Cybercrime convention. A very scary talk, with such wonderful warnings as: 
In the current language of the convention, ISPs must accept carnivore-like 
devices, AND develop an interception capability. There will be increasing 
problems along the lines of Dmitry Sklyarov's case, as the convention has 
no requirement for 'dual-criminality' - so you could be tried in your own 
country for an act that was completely legal there, but against the law 

Andy Mueller-Maguhn has been talking to AOL about children's internet 
access, and filtering same. it was all going well, lots of agreement about 
unsuitable content, and then someone suggested filtering adverts, and "it 
all went quiet"...  A week before the February 2000 DDoS attacks, there was 
a big NIPC meeting in the US, to discuss budgets. There seemed to be huge 
problems justifying the USD 2 billion for work against "cyber-terrorism". 
Then the attacks on CNN and Yahoo happen, and everyone knew what 
cyberterrorism meant. The budget was approved... Also, a german journalist 
was quoted in the press as stating that a Dutch hacker group called 29A has 
devleoped CodeRed, and that they'd likely be at HAL. 29A are actually 
Spanish, and denied all responsibility for CodeRed, although they seeming 
did develop a proof of concept *virus* two years ago, called "red code"...

Worms - what is possible?
Jonathan Wignall gave a practical demo of a worm, and detailed the idea 
work characteristics. He suggested the best place to release a worm would 
be at a place where there might be a few thousand possible suspects... but 
begged the audience not to do any such thing, as he'd be prime suspect...

Apparently, AOL users logged into the service access AOL FTP on using anonymous/

To finish, he threw t-shirts and pens into the crowd. I haven't had my 
photos developed yet, but with luck I should have a shot of him throwing 
the pen that hit me right in the mouth. Might be worth a ticket to DNSCon 
next year?

He claims the slides and sample worm at will 
be removed on friday, so maybe better to quote his 'securing a server' 
paper instead:

Hosting controversial content: onshore, offshore, or online?
Ryan Lackey gave a balanced view of the options, not favouring the use of 
ex-anti-aircraft platforms declared autonomous constitutional democracies 
at all...

An interview (by Christiaan Alberdingh Thijm) about Sealand following the 
talk was more controversial, with some hard questions on the acceptable 
usage policy of HavenCo (no child porn, but it has to be "actual real child 
porn". And the only reason that's in place is because it's against the law 
of Sealand (apparently)). Anyway, Havenco charge too much for anyone to 
host porn there, but when pressed about a minimum age, Lackey suggested 18, 
seeming to be making policies (or Sealand law) up as he went along.

Havenco are apparently making a small profit, having reached break-even 
point, but even after two years, Ryan cannot sing the Sealand national 
anthem, and doesn't have a Sealand passport ("I couldn't be bothered to get 
a photo.") Havenco are however considering an offshore Sourceforge-like 
server for controversial projects...

Wau Holland (CCC) Memorial Session
Friday night, there was a memorial for CCC greybeard, Wau Holland. I didn't 
know him, but many people (maybe a thousand) attended, and eulogies were 

HAL2001 Saturday:

Location privacy in mobile internetworking (IPV4 & IPV6)
Alberto Escudero Pascual lectured about how mobile IP (v4) roaming could be 
mapped by monitoring traffic forwarded from the home agent; and how even 
though IPv6 solved this with a binding update to allow the packet 
originator to send data direct to the mobile IP users care-of address, the 
use of a globally unique MAC address in the IPv6 link-local auto-config 
address meant that your roaming could be easily mapped. Not a major issue, 
until IPv6 becomes the data carrier of choice in mobile telephony with UMTS...

With capture from the 350+ 802.11 users on campus, Pascual demonstrated 
that most users don't (or can't) change their MAC address, so maybe what 
was needed was some random generation of MAC address. Not so random that it 
stands out like a sore thumb (hello 12:34:12:34:56:78 !) but a random lower 
3 bytes , and make the upper 3 bytes statistically  allocated from the 
vendor codes seen by the first hop router. (On the HAL WLAN, approx 80% of 
the NICs were Lucent, 8% were Apple Airports, and the rest were sundry 
other vendors). for his thesis.

DDoS: analysis, detection & mitigation techniques
Sven Dietrich gave a long and interesting talk about DDoS. Most interesting 
points were:

Back Scatter Analysis (detecting DDoS from it's effects elsewhere in the 
net, through ICMP and other effects)

Distinguishing DDoS from the Slashdot effect (Slashdot referrals don't tend 
to use odd protocols or curious packet flags/seq numbers etc)

The future: "Whack A Mole attacks"; Worm-based DDoS; and the up-and-coming 
"worm wars" as mobile agents become much more sophisticated.

Opportunistic encryption in IP security
John Gilmore spoke about the new opportunistic encryption (keeping public 
keys in the text records in the DNS, and encrypting traffic whenever 
possible) in the FreeSWAN (IPsec) code, while Hugh Daniel prepared a demo 
and bitched about how xinted was so broken on RedHat ("why did they take 
chargen away! This is what's *wrong* with 'security experts' - don't take 
functionality away")

Apparently, the overhead for opportunistic encryption isn't too bad (less 
than 1 second in most cases, and much less when caches are well populated). 
However, as DNS is vulnerable to spoofing, this is only secure against 
passive (sniffing) attacks. It requires DNSsec to prevent someone feeding 
fake keys and actively attacking the IPsec session.

Quote from Bruce Schneier on doing an analysis on IPsec Key Exchange: "I 
found six obvious things [problems], so I stopped there". Daniel: "IKE was 
designed by two of the dumbest entities I know - The US Government and 

Daniel also thinks PGP is a "piece of crap", and wants to use finger (also 
missing from his xinted) for key distribution in webs of trust. He is 
"talking seriously about redesigning the internet" - all of our APIs have 
to be thrown away, and  "FTP has to die".

The best quote, however, was one of Rober Morris Snr's: "when looking to 
see if crypto is working, always look for plaintext"

The daily security practice at an ISP
The room was too full for me to get a seat, or even see the screen! So not 
much in the way of notes, except:

Scott McIntyre on worms (CodeRed especially): "Some people just have way 
too much free time - get a job!"
Heckler: "Or a girlfriend!"

The tragedy of software quality in OS/GPL systems
Hugh Daniel (manager of the FreeSWAN project) is going to live in the 
asteroid belt before he dies, and he's not going there on open source 
software, cos it sucks, big time. Actually, he was making an important 
point about the mack of code reuse and learning from mistakes in open 
source. A couple of versions of someting is okay, but is it really 
necessary to have ten separate implementations, just so people can appear 
on freshmeat?

Just very long whinge, really.

Ten years of open PGP
Phil Zimmermann was going to talk on Hushmail 2.0, but instead decided to 
ramble about the history of PGP.

Half of all the email he gets about backdoors in PGP is from Germans. He 
got an awful lot of questions after the DoJ dropped the case. Most of the 
emails are in a "sort of quiet tone - it's okay, you can tell me if it's 
backdoored, I won't tell anyone..."

Quote: "For some reason, cryptography attracts paranoid people"

He went on to explain the cycle of acquisitions that meant PGP (after it 
was bought by NAI) joined, left and rejoined the Key Recovery alliance. In 
the end, NAI simply didn't pay any more subscriptions, and *still* had to 
force the alliance to take the company name of the roster on the website.

Zimmermann stated that PGP 6.5.8 was the last version NAI published the 
source for, so was the last practically trustworthy version, but he worked 
on 7.0.1, and it was the same code. Zimmermann left before 7.1, but reckons 
it is probably okay, but wouldn't try to convince anyone of that... Some 
people in the audience refused to trust anything later than 2.6.3i, which 
Zimmermann was pleased about - that was still all his code (although the 
latest versions do still have a command line interface apparently, which is 
just ported from his original work).

Zimmermann also predicted the death of S/MIME ("it will got the way of 
PEM"), and publically called for Adobe to actively contribuute to 
Sklyarov's case (against the DoJ).

Wearable Computing
Marcus Wolschon (ably assisted by Martin Ling) gave a brief overview of 
wearable computing, and then turned the rest of the session into a 
show-and-tell. Not much new to anyone who's read the wear-hard mailing list 
( but good the see the hardware in the flesh (as 
it were).

Most important info was the apparent ease of making a head-mounted display 
out of a videocamera eyepiece. Allegedly all that is required is a 
composite RGB input, and suitable power as per the donating camcorder.

Hacker Ethics from 1984 to 2001
Panel discussion (Emmanuel Goldstein, Andy Mueller-Maguhn (CCC), Rop 
Gonggrijp. Chair: Francisco van Jole) in which the panel got some grief for 
not being more outspoken. Mueller-Maguhn got sharply criticised for 
suggesting that ethics where purely a personal choice.

Emmanuel Goldstein: During the recent troubles, 2600 got lots of email 
urging them to attack China, all of it from Hotmail accounts. Hotmail 
records the sender's address in an X-Originating-IP field, so 2600 checked 
these up. They were *all* from .mil domains.

Drugs and Thought Crime
John Gilmore (funder of the FreeSWAN project) does drugs. He has a friend 
(the inventor of MDMA) who designs drugs, and Gilmore is part of the select 
circle who get to try these out.

He's also committed to donating USD 10 million over the next ten years to 
support drugs studies.

Quote: "In some companies you pass a drug test by having no drug residue in 
your urine. In others, you pass by bringing better drugs than the boss".

HAL2001 Sunday:

Future directions in operating systems
Hugh Daniel's third talk - hopefully trying to come up with some answers to 
his previous complaints. For many years now, he's been looking for the next 
better tool than Unix. Some people have tried to help: "Hey Hugh, don't you 
know Pascal and VMS is the future?"

He thinks there is a need to jack a new OS under Linux (sort of like the 
way the real-time kernels do). Security is vial, and he's "really 
embaressed about buffer overflows" in open source software.

Quoting an aircraft engineer: "My job is killing people. That's what 
aircraft engineers do unless they're *really good*"

Some useful ideas:
  + Secure booting - making sure the OS is the first OS running on the tin, 
and not under some emulated layer.
  + Capability-based OS (EROS is the only current implementation of this) - 
it becomes trival to freeze the OS, and change the hardware underneath. 
Okay, so maybe modern laptops can do this, but KeyCos (1970s - the only OS 
the NSA bought externally) ran on IBM 360s - one of which ran continually 
for 10 years from IPL.

Mobile Security
Zoltan Kincses and Zoltan Hornak of the University of Budapest beboured the 
point (beyond a joke) that all the information in their presentations on 
SIM card cloning, and wireless interception was freely available on the 
internet, as where all images, so they could not be in breach of any 
copyright law, and would all the police therefore leave the room...

There are some interesting physical attacks on SIM card PINs. It used to be 
the case that a 'bad point' was written to the SIM for each wrong PIN 
guess, and this required a higher voltage to write than was required to 
read. limiting the voltage meant the failled gues could not be recorded, 
and guessing the PIN through brute force is possible. This was fixed by 
making the 'bad point' write happen before the PIN entry, and then use the 
write to erase the 'bad point'. However, at certain temperatures, SIMs can 
read, but not write, so the brute force attack becomes possible again by 
temperature control...

Apparently, every 10th person now has a mobile phone, and GSM networks are 
present in more counties than MacDonalds. There are more mobile 
end-stations than internet-connected devices, and it is predicted that by 
2003, there will be more mobile internet-capable deviced than fixed.

Other Notes:

Oddest sight: A 6'6" cross-dressing Lara Croft-alike
Scariest thing: having a 220V feed to my tent, while it was pissing down 
with rain.
Worst thing about the rain: It blew away the (outdoors) propagation of the 
802.11b Wireless LAN.
Most unsurprising event: The bar ran out of Jolt...