Hope Number 9 (Day 2)

Why Browser Crypto is Bad

Speaker:  Nadim Kobeissi

As we use the browser to handle more and more of our data, and as more of our data resides in the cloud, the browser should be doing all our encryption so that data stored outside our computer is safe. Notice that https only prevents people from eavesdropping while the data is in transit; in the cloud our data is stored in the clear.

Project Cryptocat is an attempt to implement an experimental chat client that performs encryption in the client in Javascript. Cryptocat is similar in function to Pidgin OTR, but is much easier to use – just use the browser.

There are a number of problems to overcome when building a Javascript client:

  • Code delivery – Javascript is reloaded each time you start the client. How can you make sure that the code was not intercepted and modified by a hostile party? Note that serving the code over https is not enough.
  • Random number problem – the browser's default random number generator (which is needed for key creation) is very bad.
  • Performance of Javascript can be a problem in some crypto computations.

Google’s Chrome browser helps to solve some of these problems:

  • The random number generator in Chrome is much better.
  • Chrome apps partially solve the code delivery problem, but there is still a problem with verifying the installed code.

To improve the speed of Javascript crypto, elliptic curve cryptography is used. Since Cryptocat generates a public/private key pair for each session, this speed is important.

In the future it would be great to have a standardized crypto library in the browser. This way we could guarantee data privacy for everyone.

Meanwhile, Cryptocat 2 is in the works – get the code from github and help!

When Botnets Attack

Speaker: Aditya Sood

“On the Internet some things are not what they say they are.”

This talk was a summary of research done by the speaker on various kinds of malware.

The basic kinds of browser malware fall into the following groups:

  • Runs directly in browser (Class A)
  • Communicates with browser via the plugin framework (Class B)
  • Inserts itself between the O/S and the browser.

A typical way to get malware onto your computer is to break into some website and insert hidden iframes that point at URLs which download malicious software to your computer.

The speaker discussed examples of various forms of malware. Below is a list of interesting links from his presentation:

Key Note – the Yes Men

Saturday’s keynote was delivered by the Yes Men. The Yes Men are a small activist group that do silly things in public in order to bring important things to the forefront in the media. They got started when, after creating a fake WTO website, they were invited to a WTO conference. There they gave a talk on election reform – how officials should buy votes directly, without going through advertisers etc.

After that things got even sillier.

The Yes Men were joined by Vermin Supreme, who is running for President in 2012. He called on everyone to participate in the Thousand Meme March to happen during the Republican convention this year.

The talk ended by members of the audience suggesting memes for the march. Silliness reigned.

Privacy Tricks for Web Developers

Speaker: Micah Lee

This talk was given by a web developer who works for the EFF. His talk consisted of suggestions on how to build websites so that website visitors are harder to track. He talked about a number of tricks you can use to prevent other websites from gathering visitor information. Here is a sample:

  • If you use Google web fonts, save the fonts on your server.
  • Use plain links to point to social media sites – do not use the scripts they provide.
  • Load the Twitter feed on the server, not the client.
  • Proxy AJAX requests to avoid sending data to third parties.
  • Let users opt in; otherwise provide a basic HTML web site.

Another important thing to consider is not to store more than you need:

  • Disable logging of IP addresses, or encrypt IP addresses so you can still tell if one IP address is hitting the site too much (see cryptlog).
  • Hide identifying information from PHP.
  • Hide non-public information behind basic HTTP authentication.
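As an added illustration of the encrypted-IP idea in the list above (my own example, not cryptlog's code): each day's log gets a fresh key derived from a master secret, client IPs are replaced by keyed HMAC pseudonyms, and you can still count how often one pseudonym hits the site. The secret, the threshold and the log lines are constructed for the example.

```python
import hmac
import hashlib
from collections import Counter

# Hypothetical master secret: keep it outside the web root and rotate it periodically.
MASTER_SECRET = b"replace-me-with-a-long-random-secret"
MAX_HITS_PER_DAY = 3  # constructed threshold for the sample log below


def daily_key(master: bytes, day: str) -> bytes:
    """Derive a per-day key (day is an ISO date like 2012-07-14) so pseudonyms
    cannot be linked across days, even by someone holding the log files."""
    return hmac.new(master, day.encode(), hashlib.sha256).digest()


def pseudonymize_ip(ip: str, day: str, master: bytes = MASTER_SECRET) -> str:
    """Replace an IP address with a keyed hash, truncated to 16 hex characters.
    A plain unkeyed hash would be reversible by trying all ~4 billion IPv4
    addresses; the secret key is what makes this a one-way pseudonym."""
    tag = hmac.new(daily_key(master, day), ip.encode(), hashlib.sha256).hexdigest()
    return tag[:16]


def anonymize_log_line(line: str, day: str) -> str:
    """Swap the leading client IP of a common-log-format line for its pseudonym."""
    ip, rest = line.split(" ", 1)
    return f"{pseudonymize_ip(ip, day)} {rest}"


def heavy_hitters(lines, day: str, limit: int = MAX_HITS_PER_DAY) -> dict:
    """Pseudonyms seen more than `limit` times: the IP is gone from the log,
    but an address hammering the site is still visible."""
    counts = Counter(anonymize_log_line(l, day).split(" ", 1)[0] for l in lines)
    return {p: n for p, n in counts.items() if n > limit}


# Constructed sample log lines (common log format, client IP first).
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Jul/2012:10:00:01 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.7 - - [14/Jul/2012:10:00:02 +0000] "GET /a HTTP/1.1" 200 512',
    '203.0.113.7 - - [14/Jul/2012:10:00:03 +0000] "GET /b HTTP/1.1" 200 512',
    '203.0.113.7 - - [14/Jul/2012:10:00:04 +0000] "GET /c HTTP/1.1" 200 512',
    '198.51.100.9 - - [14/Jul/2012:10:00:05 +0000] "GET / HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(anonymize_log_line(line, "2012-07-14"))
    print("over limit:", heavy_hitters(SAMPLE_LOG, "2012-07-14"))
```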

Deploy HTTPS correctly:

  • Force users to use https.
  • Make cookies secure (use the “secure” and “httponly” flags).

Do not use FTP and Flash.

Weather Is Not Boring

Speaker: John Huntington

This was a talk on weather data. The National Weather Service gathers all weather data and disseminates it for free. The speaker explained how this data is collected and where it is available. You can start with the NWS website.

The speaker was interested in tracking storms and mentioned Tom Warner – a guy who specializes in photographing and filming lightning at very high speeds. You can see a little video about this guy here.

Original Hackers in World War II

Speaker:  George Keller

The speaker was a Navy veteran who worked in signal encryption while in the Navy. Recently he visited Bletchley Park and he talked about his visit there. It was nice to see the pictures of the museum that exists there – even though I know the details of the story.

Social Engineering Panel

As always this panel was a lot of fun. My favorite story was about a non-existent Austrian artist who was sent to an international art show with a crew, but who never showed up. Of course his crew consisted of the actual artists whose works were displayed under this fake name.

This year the attempt at phone social hacking fell a little short of hilarity.

3D Printers and Washington DC

Speaker: Michael Weinberg

The speaker, the author of “It Will Be Awesome if We Don’t Screw Up”, talked about 3-D printers and how this potentially very disruptive technology will be received by the world. The question is whether intellectual property laws can be used to stop this technology from gaining widespread use.

3-D printing is a generic technology for manufacturing objects – as generic as the computer.

The speaker was cautiously optimistic. One thing he mentioned is that copyright laws do not apply to physical objects; a physical object may be freely copied.

We need to make sure that the policy makers in Washington DC don’t change that.
