Today was the second (and final) day of Kiwicon. Again it was well worth the time to attend, although the fine weather outside was rather more tempting than the drizzle of yesterday.

The highlight of today was the "lightning" talks -- although in reality they were nearly as long as the "half" talks we'll be having at the LCA2010 Sysadmin Miniconf, so "short" talks might be more appropriate -- anyway the change of pace worked well for the after lunch session and it didn't seem to drag anywhere near as much as yesterday's after lunch session. (And it helped it was half an hour shorter.)

Numero's talk on WifiHoneyPots was excellent, both in topic (beware geeks offering you free wifi!) and in presentation style -- while not quite Lawrence Lessig's (wikipedia) style of one slide per word, the style definitely paid homage to that approach and was extremely slickly delivered. (From where I was sitting Numero seemed relatively youthful which made it even more impressive on both fronts.)

Telecom paging was demonstrated to be very simple to decode, and presumably one of the things still being protected by the Radio Communications Act prohibitions against disclosing radio transmissions. Unlike GSM (which has proved possible to crack but with some effort), the pager messages appear to be completely plain text and no more difficult to decode than, eg, 1980s 8-bit computer tapes (both FSK at slow baud rates, as is obvious by ear from a few seconds listening to the pager frequencies -- at least to anyone who spent years with 8-bit computers and/or early modems). Despite that, people still send relatively sensitive things out through the pager system to on-call staff.

A couple of talks on smart cards (both RFID and contact cards) were interesting in terms of what is being deployed in New Zealand, and the relative ease with which various things can be read (eg, Passport data, the "magstripe" equivalent information on bank smart cards) and certain types of cards can be read and replayed (or in some cases cloned). Perhaps the most interesting was that the Snapper Card feeder is a USB JCOP (Java Card, Open Platform) RFID High Frequency (13.56MHz) Smart Card with a custom application ("purse") which maintains the balance (someone from the Snapper team was in the audience and confirmed this).

Also the Snapper Feeder is a USB High Frequency RFID reader/writer, available for $25, and apparently supported by libnfc, at least under Linux, for general High Frequency RFID work (Low Frequency RFID work is fairly well supported by a variety of cheap devices). Alas since the Snapper purse and feeding is a custom application -- and I understand the feeding is via ActiveX, and hence limited to Microsoft Windows with IE -- this doesn't help with checking/feeding Snapper under anything other than the one specific proprietary platform they've chosen to support (in theory there may be OS X support in "early 2010"; see also comment #6 on this blog post). However it appears there's also a Snapper USB ($40) which appears to be a dual USB device and RFID device, presumably also a JCOP capable of running the same application, that can be fed on a Mac with their beta code (and their custom plugin -- their support page only lists up through OS X 10.5.6 though so it's not clear if they updated it for OS X 10.6 and 64-bit). (PDF with Mac Compatibility details.) (And judging by the referenced Snapper blog post, the Snapper blog may indicate slightly more technical clue than their original "only Microsoft Windows with IE and ActiveX enabled" stance suggested; the blog post linked to earlier blames this on the Korean OEM for their USB hardware -- which is easily believable -- and claims they're working on a better solution based around libnfc; I guess we'll know in a few months if this is just soothing words, or if they actually have some technical clue.)

All in all, Kiwicon was again well worth the $50 entry charge, and the 300 attendees seemed to have a good time. (It was, however, a little surprising to hear that their total budget was around $35k including sponsorship. That's a fairly non-trivial business.)

And now for something different: Ben Adida has written up his experiences auditing the results of the Takoma Park 2009 local body election by reimplementing the vote calculation algorithms of the Scantegrity auditable voting algorithm (they seem to be able to make a credible claim of providing both voter verifiable votes and voter privacy, by adding a couple of layers of indirection that allow the voter to verify tags next to their vote choices that only the voter gets to see). The process seems a little cumbersome, and the choice of stock closing data as a source of randomness seems... open to manipulation (not to mention difficult to be certain of final results), but it's worth reading through the audit experience.