




Shmoocon in review

This past weekend was Shmoocon. I was on-staff for the event due to my involvement in Hack or Halo. This was the first time I've been on staff for a big conference. It was pretty cool, mostly because there's a higher frequency of interesting people in the staff group than in the general population.

This was my first Shmoocon. It's like Defcon but with less debauchery, more clueful presentations, more interesting people, fewer uninteresting people, etc. Defcon is more about getting plastered, gambling, general debauchery, and using presentations as an excuse not to drink. In short, Shmoocon is a better technical conference.

I flew out on Tuesday because I wanted to take a full week off of work. wxs and I needed to put more time into the puzzles, so I didn't have to kill time by sleeping or visiting landmarks. Time was spent sleeping, working on puzzles, eating, and playing Mario Kart on wxs's Wii.

The conference itself was more or less what I had expected. When I attend conferences, I usually end up spending more time out of the sessions than in them, due to my opinion that lots of talks are super boring. The topic usually sounds neat, but the presentation style sucks or the content is worthless. My favorite part of conferences is the side channel stuff.

This year's Shmoocon broke tradition and made the NOC open and available to anyone. I'm sad I didn't get a chance to go in and find out how they set up the network. They had "Shmoocon Labs" prior to the event, which invited staff and attendees to come and set up the network the day prior to the conference. Sweet idea, but crazy (Let's set up a network for 1000 people in less than a day).

On to presentations! The Jikto talk was cool in that it was code manifestation of already-known vulnerabilities exposed by AJAX, XSS, and web proxies. The speaker accidentally showed the url where the source code lives when he did 'view source' for a few seconds during a demo. Of course, a fair portion of the room scribbled down the url and downloaded it; oops.

My favorite talk was the "No tech hacking" talk. The material was, like Jikto, simply an application of known techniques. In this case, it was social engineering and observation. The style was very engaging. The whole point seemed to be that hacking people is stupid easy because most people have credentials and other items visibly on the outside.

I went to a talk about using entropy for statistical analysis, but the first 5 minutes of it were *really* slow and I pretty much got the idea of what the presenter was talking about in that time, so I left to find other things to do.

Hack or Halo. This year the hack was different. It was security/hack-type puzzles instead of the previous year of "exploit these machines as fast as possible". The puzzles ranged from sudoku to lanman hash cracking to port knocking. We had a total of 22 (ish?) puzzles, and only three went unsolved across all of the players.

Prior to hack or halo, wxs and I were doing some final checks on the puzzles. We booted the machine and found immediately that none of the vmware instances would start. The folder 'C:\Virtual Machines' was permanently stuck in 'read only' mode. Unchecking 'read only' in the permissions box didn't fix it (it kept resetting to 'read only' again).

What now? Zoom back another day, when wxs and I were finishing the puzzles. My spider sense told me to back up the vmware images before shutting down, so I had wxs back them up to his laptop. He copied them over from his laptop after we realized the vmware images on the hack server weren't good anymore. They worked fine. Thank god for backups.

Other than that hitch, the hack portion of the competition went off without any problems at all. Whew. I have lots of pictures posted on flickr from the competition, greater Shmoocon, and shenanigans at the parties.

As far as conference work goes, working on HoH was pretty great. The other options for working Shmoocon seemed to be NOC or physical security. NOC stuff would've been fun, since it would let you play with the new fancy security network gear being tested or generally using gear I don't have access to on a normal basis. HoH didn't take too much of my time during the con, so it was totally worth it.

HoH was awesome, and I'm considering doing it next year. If you weren't there, you missed a great conference.

Shmoocon 2007

While Shmoocon doesn't start until Friday, I'm flying out tonight. I haven't been to DC in 10 years, so I'll probably tourist it up at least for a few hours. This week is taking me far away from any work-related activities. I turned off my pager a few minutes ago, so my vacation has officially begun.

See you in DC.

ShmooCon '07

I'm going to be attending ShmooCon '07. If you're going, and I don't know you're going, let me know.

I'm helping out with HoH. Beware.

Yahoo Hack Day '06 (Part 2)

The way Yahoo executed this event was quite clever:

Step 1: Invite hundreds of hackers to use and abuse your web-based services APIs. Entice hackers to produce with slick prizes: 32" LCD TV from Sharp, iPods, etc.

Step 2: Have the very people who wrote those APIs on-site and available for questioning. This proved extremely useful, says Tantek Celik, who consulted Yahoo Mail API developer(s) while working on his hack. In the process, Tantek's team ended up doing real testing of the API and hopefully was able to help the API dev-team improve its service.

Step 3: Profit?!

I think the attraction for both earning social merit amongst peers and possibly earning yourself a shiny new Sharp LCD TV was more than enough to help guide the brainstorming process. That is, Yahoo Mail team gave away a prize for the best hack using Yahoo Mail. Flickr did the same, as did other Yahoo groups.


Yahoo Hack Day '06 (Part 1?)

Update: The keynav hack for X11/Xorg/XFree86 can be found here

This event was absolutely beyond any of my expectations.

I was expecting a Mashup Camp-style event with a hundred or so people. I certainly wasn't prepared for the event. Heck, I knew very little about the event before showing up.

Entertainment and Hospitality

Beck. Beck. And more Beck. Beck put on one of the best shows I've ever seen. The crowd was about 500 strong, I'd guess. The stage effects had the help of Puppetron, who synchronized marionettes of the band with the band's movement. Very cool. A summary of what Beck did during this concert can be found in a review of another Beck concert. Bears on stage. Seriously. Awesome.

To quote Beck Puppet, "I'm about to hack a bitch." Puppetron and Beck did a sweet hack video for the event.

Other hospitality perks included many kegs of beer, tons of pizza, fifty-six dozen Krispy Kremes for breakfast, and an extremely well organized staff.

Before the event

One of the rules of the event is that you ought to invoke one or more of the available Yahoo! web APIs in your code sorcery. Prior to arriving, I wasn't sure I wanted to do a web-based hack, so I was planning on not using any of the APIs. I also showed up with no ideas. Hacking without a plan? Seemed to work out. I found out at sometime around midnight during the event that there would be prizes for the best hacks. My hacks would clearly not qualify, but whatever, I was here to hack :)

Hack Day

I started with working on my binary screen partitioning tool. I haven't found a good way to explain this application in words yet. Look at my slides (link at bottom of this post) and it'll show you a screenshot-based demo. I added a bit of more polish to it. I got bored after I ran out of code to write, so I offered coding services in exchange for not being bored to Kevin Marks.

Idea bouncing led to me playing with the API. The end result was something I term "jokeware" - a filesystem driver for storing real files in It was built as a joke just for the sake of trying it. It worked. The more technical details can be found in my slides. If you want to look at the code, you'll have to use a decent web browser that supports "data:" URLs. View "" on And, yes. I am actually storing raw data in It's a hack, and I think it's hilarious. It's not fast enough to use to store anything meaningful.

Personally, I think my two projects are totally slick. Read about them on my slides:
My Slides for Hack Day '06

I can't remember all the hacks I liked, but those I remember are here:

  • Purse Hack. Pedometer + microcontroller + camera. Takes pictures every 100 steps.
  • monologr(sp?) - record an audio stream while selecting images from flickr to create slideshow with an audio story.
  • YahooSpace - bridge Yahoo 360 with MySpace. Society is doomed.

There was press everywhere at this event. Yahoo's PR folks did a fantastic job of selling the existence of the event to the press. Local news, Wall Street Journal, etc. Journalists for publications as far as Germany were here. At the end of the hack session, news coverage was shown on the projector. At least three news channels covered the event.

The event was a huge success. To any of you Yahoo folk reading: Thanks for an incredible event. Same time next year? ;)

League of Technical Voters Hackathon

This October will bring a 48-hour hackathon organized by the League of Technical Voters. If you can find your way to Austin, Texas in mid October, then you should sign up and be there.

If you know PHP, then you can probably help code. If you don't know PHP, but know how to code, and still want to help, you can probably still help code! If you don't program, but still want to help out, you can do that too!

The goal of the hackathon seems to be development of Drupal modules to aid the league site in becoming a meaningful and useful portal for political discussion.

If you're interested in attending, learn more on the league event wiki

BarCamp Stanford in Review

BarCamp Stanford has come and gone. Like prior BarCamp events, it ends with new friends and new knowledge.

This BarCamp was like the others I have attended: different. There were fewer tracks and sessions. The time organization was more ad-hoc than structured. One session set was organized using a method called open space. This camp was special to me in that I met *way* more people this time.


Friday night's BBQ was a fantastic idea. I showed up around 5:45pm and met up with Chris Messina. Shortly after, Nima and others returned with food. More folks flowed in as the evening progressed. The selection of food was quite nice - grilled peppers and pineapples, sausages, salad, and portabellas. It always takes me a little while to warm up to social situations, being whatever I am that makes me shy. As such, I tried to be useful and aided in food preparation. After grabbing a sausage and some grilled peppers for snacking, I floated around acquainting myself with people I haven't met and catching up with folks I knew from previous BarCamp events. Dick Karpinski had lots of interesting things to talk about, as did others. I met some fine folks from Yahoo! and other local companies. Lots of user interface and public policy people were present, as well, which made for a better BarCamp.

The BBQ closed around 10pm with Todd giving some remarks about the event and calling for those who were sleeping on campus to follow him. I went home for the night.


At Tantek's suggestion, I gave a session loosely titled "Corporate firewall bypass for fun and profit." I covered using PuTTY to encrypt your more general traffic such as web and mail with both local port forwarding and dynamic (SOCKS5) forwarding. I went over how you can bypass even draconian firewalls with simple tunneling over ssh. I also covered why you especially want encrypted traffic on an open wireless network. I finished up with coverage of arp poisoning, nat traversal, and a few other things. Those in attendance seemed pleased with the content. Thanks to those who came!

The next session was on online identity, and how to fix it. I was aware of most of the problems discussed, but hadn't heard of any of the technologies geared towards solutions. Notes can be found on the BarCamp wiki, here. There was lots of good discussion, most of which I don't recall the details of. It was heavily attended.

Lunch time: Stanford's SSP sponsored pizza. Woot!

After lunch, I attended a microformat discussion led by Tantek Celik. I learned quite a bit more about microformats. Notes from this session can be found here. I'm fairly convinced that microformats are a good thing. The best part about them is that many of the microformat standards are simply microformat implementations of existing standards, such as hCard (a microformat version of vCard).

The next session I attended was on the idea of community. Notes can be found here. I must confess I wasn't paying too much attention, as I was busy doing other things such as hacking on a few random ideas or updating the wiki notes. A short way through the presentation, someone came in and announced that the Busycle had arrived and was open for riders.

I ran downstairs to take a ride. This thing sat about 12 people plus the driver. Everyone had to pedal to get it moving. We also had to synchronize not pedalling when the driver needed to shift gears. It was really fun to ride.

The next session was directed using "open space" - something I hadn't had experience with before. There were very many sessions held at the same time. Everyone split into small groups in different parts of the camp area to have discussions. The discussion I attended was "Best/Worst AJAX UI" - which had very little to cover. It ran mostly with some of us showing demos of cool/crappy applications. One of the guys from Yahoo! showed off their maps and finance interfaces. We also showed Meebo and YouOS as an interestingly unique class of applications - these applications don't suffer from the "broken back button" syndrome that many "Web 2.0" (I hate that buzzword) applications often suffer. This is likely due to the desktop-feel of those two applications.

The day closed with a few remarks about where/how the night should progress. We split up into groups and ventured from Stanford into downtown Palo Alto. I ended up at a Thai restaurant. After dinner, we collected at a bar called Blue Chalk. I had a beer, and later left with some folks to go back to the dorms for the night.

I stayed at the dorms until most folks went to sleep. I remembered I had brought no clothes or toothbrush, so I drove home around 1am.


Sunday was super cool. There were a few morning presentations on mashup tools and tricks. Bjorn Hartman gave a presentation on mashup tools. It was cool to see someone mash flickr and hardware together. Kent Brewster gave a demo of SpiffY!Search.

After that, ideas were thrown up for mashpit groups. People broke into a few groups: identity "2.0", Coworking, Decentralized Coworking, flickr slideshow video mashup, technology and politics, and educative systems. I kept to myself and worked on a Selenium mashup of my own.

Notes on my selenium mashup can be found here.

The flickr slideshow movie generator was very cool. The demo allowed you to search flickr for text and generate a video clip of any number of photos, automatically. Certainly faster than manually finding pictures and gluing them together yourself in a video, eh?

The other groups had other interesting presentations, but weren't doing software so had nothing to demo. The coworking group came up with some cool stuff, as did the tech policy group.

At the end of the camp, Silona Bonewald mentioned that I should attend the League of Technical Voters' 48-hour hackathon in October. I've put it on my calendar. Current plan is to attend. </BarCampStanford>

Until next time, BarCampers!

BarCamp Stanford in Review

This weekend was incredible. I'll post a review when I have time tomorrow. Huge thanks to Stanford and its Symbolic Systems Program for sponsoring pizza and the venue. More thanks to Microsoft for sponsoring the BBQ.

BarCampEarth:Stanford - This weekend

BarCampEarth @ Stanford starts on Friday. I'm not sure what I'll present on just yet.

I'll brainstorm tonight and hopefully come up with something. If you're reading this and in the Bay Area, you should go! If you aren't in the Bay Area, check out all the other BarCamp Earths happening.

Defcon 14

DC14 has come and gone, and with it went several gallons of liquor.

This year's focus seemed to be generally on a debugging technique called fuzzing. Bruce Potter's talk this year was as entertaining as last year's talk, with the exception that he didn't scream out "Bow to my firewall!" - oh well. This year he talked about trusted computing; it was a good presentation. Dan Kaminsky's talk covered a lot of neat things, but I was put off by how full of himself he seems to be, whatever. I made an effort to attend a dns hackery talk, but the speaker was horrible at maintaining focus and presenting, so I left a few minutes into the talk.

Things I need to play with: squid reverse ssl proxy, scapy, some generic tcp proxy thing I don't remember the name of, and a host of other new-to-me technologies. Exploitation for fun and profit, good times!