CodeCon 2.0: Day Two

Related link: http://codecon.info

Brandon Wiley of the Foundation for Decentralization Research presented href="http://tristero.sf.net/alluvium">Alluvium, a decentralized low bandwidth system for web casting, which applies basic swarmcasting techniques to streaming music across the Internet. Instead of downloading a continuous stream, Alluvium publishes a playlist and clients download the tracks from multiple sources across the net and just before playback the tracks get sequenced back into a stream on the destination machine. Alluvium utilizes the Open Content Networks download model and maps a set of streaming channels onto a set of files in the network. Alluvium will also include a client portion that sequences all the tracks into an Icecast stream that can be played by any streaming music player. And if that is not enough, it also works for live streams -- it takes the live stream, breaks it into discrete files and then puts the files into the Open Content Network where the clients can download the files and stitch them into a coherent stream. Brandon would like to make freely available music available (preferably Creative Commons or Open Audio licensed content) in Alluvium streams to give emerging artists more exposure. Last, but not least, Brandon asked the community to donate a buck in order to prove to the IRS that the Foundation for Decentralized Research has public support, which is needed to gain tax exempt status.

Jim Young and James Hong presented their user interface design experiences learned from creating and maintaining the HOTorNOT site. According to the duo of web designers, the user interface is the first point of failure between your application and the user. Good interfaces are easy to learn, but still efficient for experienced users and will increase web site usage and retain more users. Web sites should cater to beginners and make common tasks easy, yet the training wheels that guide new users through using the site should disappear once the user has successfully mastered the skill that was being presented. One of the most important overall aspects of a well designed site is that the site needs to be fast to ensure that users don't get bored and wander off. Another important lesson they learned from the project concerned the placement of banner ads -- the click-through rate for banner ads greatly depends on the placement of the banner ad. If the ad is placed outside of scope of how the users interact with the site, the banner ads are less likely to get clicked on. The click through rates for HOTorNOT improved drastically when the banner ad was placed in the path of users using the site.

The Hydan steganography algorithm was presented by Rakan El-Khalil. Steganography (not stenography) is the concept of hiding messages in text files, images or even sound files. The Hydan algorithm is designed to hide messages in binary executable files on the i386 instruction set. Since steganography relies on redundancy in the medium to hide its messages it is difficult to hide messages in binary executables, since CPU instruction sets are designed to contain as little redundancy as possible. The core concept of the algorithm is to slightly change some instructions in a manner that will not alter the execution of the host program. For instance, it is possible to change a subtract instruction into an add instruction by simply negating the value that is being subtracted. Rakan then outlined a few methods for how to traverse a binary application (e.g. random walk) to look for changed instructions in order to retrieve the message from the binary executable. The algorithm requires about 150 binary executable bytes for each 1 byte of message that is to be embedded into an application.

Nick Mathewson presented MixMinion, a third generation anonymous remailer. Nick, at least we had to believe it to be Nick, pranced on stage wearing a facemask to illustrate his point of anonymity. I suppose thats a good gag for an anonymity hacker, but during the talk he slipping up and admitted to having written the code for MixMinion. And with that slip he pulled off his mask and reiterated his point that even the smallest slip-up will compromise anonymity. During his presentation he outlined the previous generations of anonymous remailers and their flaws and how MixMinion will attempt to avoid these flaws. The goals for MixMinion include a public specification (perhaps IETF/RFC bound) that will provide more public scrutiny, increased interoperability and will hopefully encourage the community to create other implementations. Many of the specific achievements of the new MixMinion remailer are beyond the scope of this coverage of CodeCon -- for details, please check out the MixMinion project for more details.

Dan Kaminsky the TCP/IP hacker extraordinaire demonstrated and discussed tools from his Paketto Keiretsu. This package of TCP/IP tools does things that Vint Cerf had never imagined that anyone would do with TCP/IP. For instance, his blazingly fast scanrand port scanner utilizes TCP/IP sequence numbers and TTL values instead of actually opening connections to each of the ports being scanned. The Paketto Keiretsu includes a bunch of neat TCP/IP utilities that he demonstrated, including a tool that uses standard command line redirection to grab and put packets onto the network. When piping this output to the strings command he was able to pick out URLs of web sites that the audience was currently requesting via their wireless connections. Some of the useful things that Dan has found in his TCP/IP hacking go beyond the scope of system security. For instance, one of the tools can quickly establish the true hop count between two hosts, which could be used by P2P networks to reorganize the network dynamically to maximize network efficiency. Also, different operating systems have different delays and retry counts for certain network operations, and these delays and counts can be measured to classify the operating system of the remote host.

The second day of CodeCon 2.0 was packed with as many valuable presentations as the first day and nearly all the demonstrations ran flawlessly. Big thumbs up for day 2!

CodeCon 2.0 -- getting better all the time?