Full text of Top Hacker Shows Us How It’s Done by Pablos Holman at TEDxMidwest conference.
Listen to the MP3 Audio here: MP3 – Top Hacker Shows Us How It’s Done by Pablos Holman at TEDxMidwest
So this is a hotel room, kind of like the one I’m staying in. I get board sometimes. A room like this has not a lot to offer for entertainment. But for a hacker, it gets a little interesting because that television is not like the television in your home, it’s a node on a network. Right? That means I can mess with it. If I plug a little device like this into my computer, it’s an infrared transceiver, I can send the codes that the TV remote might send and some other codes.
So what? Well, I can watch movies for free. That doesn’t matter to me so much, but I can play video games too.
Hey, but what’s this? I can not only do this for my TV in my hotel room, I can control your TV in your hotel room. So I can watch you if you’re checking out with one of these, you know, TV based registration things, if you’re surfing the web on your hotel TV, I can watch you do it. Sometimes it’s interesting stuff. Funds transfer. Really big funds transfers. You never know what people might want to do while they’re surfing the web from their hotel room.
The point is I get to decide if you’re watching Disney or porn tonight. Anybody else staying at the Affinia hotel?
This is a project I worked on when we were trying to figure out the security properties of wireless networks; it’s called the Hackerbot. This is a robot we’ve built that can drive around and find Wi-Fi users, drive up to them and show them their passwords on the screen.
We just wanted to build a robot, but we didn’t know what to make it do, so — We made the pistol version of the same thing. This is called the Sniper Yagi. It’s for your long-range password sniffing action, about a mile away I can watch your wireless network.
This is a project I worked on with Ben Laurie to show passive surveillance. So what it is, is a map of the conference called Computers, Freedom and Privacy. And this conference was in a hotel, and what we did is we, you know, put a computer in each room of the conference that logged all the Bluetooth traffic. So as everybody came and went with their phones and laptops we were able to just log that, correlate it, and then I can print out a map like this for everybody at the conference.
This is Kim Cameron, the Chief Privacy Architect at Microsoft. Unbeknownst to him, I got to see everywhere he went. And I can correlate this and show who he hangs out with (phone dialing) when he got board, (phone dialing) hangs out in the lobby with somebody. Anybody here use cellphones?
So my phone is calling–
Voice mail: You have 100 messages.
Pablos Holman: Uh oh!
Voice mail: First unheard message —
Pablos Holman: Where do I press —
Voice mail: Message skipped. First skipped message.
Pablos Holman: Uh oh!
Voice mail: Main menu. To listen to your– You have pressed an incorrect key — You have two skipped messages. Three saved messages. Goodbye.
Pablos Holman: Uh oh! So we’re in Brad’s voice mail. And I was going to record him a new message, but I seem to have pressed an invalid key, so we’re going to move on. And I’ll explain how that works some other day because we’re short on time.
Anybody here used MySpace? MySpace users? Oh! Used to be popular. It’s kind of like Facebook. This guy, a buddy of ours Samy, was trying to meet chicks on MySpace which I think is what it used to be good for. And what he did is he had a page on MySpace about him. It lists all your friends, and that’s how you know somebody’s cool is that they have a lot of friends on MySpace.
But then it would copy that code onto your page, so that whenever anybody looked at your page it would automatically add them as Samy’s friend too. And it would change your page to say that “Samy is your hero.” So in under 24 hours, Samy had over a million friends on MySpace. Hey, he just finished serving 3-years probation for that.
Even better, Christopher Abad, this guy, another hacker, also trying to meet chicks on MySpace but having spotty results. Some of these dates didn’t work out so well, so what Abad did is he wrote a little bit of code to connect MySpace to Spam Assassin, which is an open source spam filter. It works just like the spam filter in your email. You train it by giving it some spam, train it by giving it a little bit of legitimate email, and it tries to use artificial intelligence to work out the difference. Right?