28th Chaos Communication Congress
Behind Enemy Lines
bcc
Berlin
2011-12-27
2011-12-30
4
Version 2.3.5
04:00
00:15
00:15
01:00
Saal 1
pentanews_game_show_2k11
Pentanews Game Show 2k11/3
42 new questions, new jokers, same concept, more fun than last year!
contest
en
The Penta News Game Show rehashes a collection of absurd, day-to-day news items of 2011 to entertain the audience, let the Net participate, and make its winners heroes.
The Penta News Game Show rehashes a collection of absurd, day-to-day news items of 2011. The contestants will have to answer 42 questions for your entertainment.
If they can't answer, you (yes, you on the Internet) can help out.
Get your IRC clients ready. Further, a Web browser will be of great help.
If you have participated in last year's show, you will enjoy a few adjustments and new jokers.
Alien8
_john
klobs
Questions and Answers
11:30
01:00
Saal 1
keynote
Marriage From Hell: On the Secret Love Affair Between Dictators and Western Technology Companies
lecture
en
While it's old news that authoritarian regimes regularly rely on censorship and surveillance technology supplied to them by Western companies, 2011 was a year (thanks, in part, to the Arab Spring) when it became a hot issue in the public debate. While politicians on both sides of the Atlantic have recently committed to ban the sale of such technologies to dictators, it's not clear whether such measures would prove effective (or merely drive the sale of such technologies underground) or simply stimulate the growth of Chinese, Russian and Indian companies. More disturbingly, there is still very little awareness – at least among the general public – that many of the tools that are currently exported to authoritarian states have been designed to help fight "The Global War On Terror" and are thus inextricably linked to domestic policies of Western states.
This keynote talk will provide an overview of companies and technologies involved (with a focus on the Middle East and former Soviet Union), trace the evolution of dictators' strategies, speculate on the future of trade in surveillance and censorship tools, and address the shortcomings in the "containment" strategies put together by the US and EU.
Evgeny Morozov
Evgeny's TED Talk
Evgeny on Jeff Jarvis' book
Evgeny on Jeff Jarvis
12:45
01:00
Saal 1
die_spinnen_die_sachsen
Saxony Goes Off the Rails
On- and Offline Surveillance: Because They Can
lecture
de
For everyone who doesn't live there, this year's news from Saxony seemed a bit as if it came from a very distant star. At regular intervals, things come to light that individually would once have led to the resignation of ministers. Cell-tower dragnet queries (Funkzellenabfrage), §129 proceedings, the search of a pastor's premises, revocation of a parliamentary group leader's immunity for ringleadership: comprehensive criminalisation of protests against Nazis, reaching well into the "centre of society". Offline surveillance and harassment are everyday life in Saxony. The talk gives an overview of the state of affairs and warns against leaning back (outside Saxony) with a comfortable shudder. Because: if Saxony gets away with this, it sets the standard for other federal states.
For everyone who doesn't live there, this year's news from Saxony seemed a bit as if it came from a distant star. At regular intervals, things come to light that individually would once have led to the resignation of ministers. The cell-tower dragnet query ("Handygate"), one or more §129 proceedings, the search of a pastor's premises, revocation of a parliamentary group leader's immunity for ringleadership: comprehensive criminalisation of protests against Nazis, reaching well into the "centre of society". Meanwhile there are lawsuits by those affected against the analysis of their mobile phone data, among them journalists, lawyers and members of parliament.
At the federal level, individual drastic infringements of fundamental rights were corrected by the Constitutional Court, with the result that many were left with the reassuring feeling that somehow everything was above board after all. Whether the Saxon courts will go the same way remains to be seen. What is quite obvious in any case is that the Saxon authorities are not impressed by criticism.
The talk gives an overview of the state of affairs and warns against leaning back (outside Saxony) with a comfortable shudder. Because: if Saxony gets away with this, it also sets the standard for other federal states.
Among those affected by the investigative zeal of the Saxon authorities is the Jena pastor Lothar König. Anyone who wants to donate for him can do so here:
JG-Stadtmitte Förderkreis
Account number: 80 25 320
Bank code: 520 60410
Evangelische Kreditgenossenschaft
The donation account for the Saxon defendants in the §129 proceedings:
Rote Hilfe Dresden
Account: 609760434
Bank code 36010043, Postbank Essen
Keyword: Verfahren 129
Payment reference: “Prozesskostenhilfe”
Anne Roth
Chronicle of events
JG Jena Stadtmitte (on Lothar König)
Dresden Nazifrei
Rejection of the extremism clause
14:00
01:00
Saal 1
datamining_for_hackers
Datamining for Hackers
Encrypted Traffic Mining
lecture
This talk presents Traffic Mining (TM) particularly in regard to VoiP applications such as Skype. TM is a method to digest and understand large quantities of data.
Voice over IP (VoIP) has experienced tremendous growth over the last few years and is now widely used both by the general population and for business purposes. The security of such VoIP systems is often assumed, creating a false sense of privacy. Stefan will present research into leakage of information from Skype, a widely used and protected VoIP application. Experiments have shown that isolated phonemes can be classified and given sentences identified. By using the dynamic time warping (DTW) algorithm, frequently used in speech processing, an accuracy of 60% can be reached. The results can be further improved by choosing specific training data, reaching an accuracy of 83% under specific conditions.
Stefan Burschka
16:00
02:15
Saal 1
der_staatstrojaner_aus_sicht_der_technik
The State Trojan
From the brown envelope to publication
lecture
0zapftis is analysed from a technical standpoint and from a legal point of view.
The state trojan stirred emotions. "Not every programmer can constantly walk around with the Basic Law under his arm," says Hartmut Pohl, and with him the Federal Minister of the Interior together with his counterparts in the states. But who controls and monitors the monitors and their surveillance software when it penetrates our outsourced brains? Who is supposed to assess what the state trojan is legally allowed to do when they don't even have the source code? What exactly could the analysed versions of the state trojan do? This, and questions about the future of the spying programme, will be the subject of the talk.
Because the remedy is now supposed to be spyware programmed and developed by the state itself, including certification, "technical competence building" and a central body (a competence-competence centre). We shall see.
0zapftis
Constanze Kurz
Frank Rieger
Ulf Buermeyer
Chaos Computer Club analyses state trojan
Chaos Computer Club analyses current version of the state trojan
18:30
01:00
Saal 1
802_11_packets_in_packets
802.11 Packets in Packets
A Standard-Compliant Exploit of Layer 1
lecture
en
New to 2011, Packet-in-Packet exploits allow for injection of raw radio frames into remote wireless networks. In these exploits, an attacker crafts a string that when transmitted over the air creates the symbols of a complete and valid radio packet. When radio interference damages the beginning of the outer packet, the receiver is tricked into seeing only the inner packet, allowing a frame to be remotely injected. The attacker requires no radio, and injection occurs without a software or hardware bug.
This lecture presents the first implementation of Packet-in-Packet injection for 802.11B, allowing malicious PHY-Layer frames to be remotely injected. The attack is standards-compliant and compatible with all vendors and drivers.
Unlike the simpler implementations for 802.15.4 and 2FSK, 802.11B presents a number of unique challenges to the PIP implementer. A single packet can use up to three symbol sets and three data-rates, switching rates once within the header and a second time for the beginning of the body. Additionally, a 7-bit scrambler randomizes the encoding of each packet, so the same string of text can be represented 128 different ways at the exact same rate and encoding.
As a demo, we intend to present a malicious string which can be embedded in any file with lots of slack space, such as an ISO image. When this image is downloaded over HTTP on 802.11B, beacon frames will be injected. For the demo, we will be injecting the SSID stack buffer overflow frames from Uninformed Volume 6.
Travis Goodspeed
Introduction to PIP
PIP for 802.15.4 and 2FSK
20:30
01:00
Saal 1
the_coming_war_on_general_computation
The coming war on general computation
The copyright war was just the beginning
lecture
The last 20 years of Internet policy have been dominated by the copyright war, but the war turns out only to have been a skirmish. The coming century will be dominated by war against the general purpose computer, and the stakes are the freedom, fortune and privacy of the entire human race.
The problem is twofold: first, there is no known general-purpose computer that can execute all the programs we can think of except the naughty ones; second, general-purpose computers have replaced every other device in our world. There are no airplanes, only computers that fly. There are no cars, only computers we sit in. There are no hearing aids, only computers we put in our ears. There are no 3D printers, only computers that drive peripherals. There are no radios, only computers with fast ADCs and DACs and phased-array antennas. Consequently anything you do to "secure" anything with a computer in it ends up undermining the capabilities and security of every other corner of modern human society.
And general purpose computers *can* cause harm -- whether it's printing out AR15 components, causing mid-air collisions, or snarling traffic. So the number of parties with legitimate grievances against computers are going to continue to multiply, as will the cries to regulate PCs.
The primary regulatory impulse is to use combinations of code-signing and other "trust" mechanisms to create computers that run programs that users can't inspect or terminate, that run without users' consent or knowledge, and that run even when users don't want them to.
The upshot: a world of ubiquitous malware, where everything we do to make things better only makes it worse, where the tools of liberation become tools of oppression.
Our duty and challenge is to devise systems for mitigating the harm of general purpose computing without recourse to spyware, first to keep ourselves safe, and second to keep computers safe from the regulatory impulse.
Cory Doctorow
Bio Cory Doctorow
21:45
01:00
Saal 1
defending_mobile_phones
Defending mobile phones
lecture
Cell phone users face an increasing frequency and depth of privacy-intruding attacks. Defense knowledge has not scaled at the same speed as attack capabilities. This talk intends to reverse this imbalance.
The most severe attack vectors on mobile phones are due to an outdated technology base that lacks strong cryptographic authentication or confidentiality. Given this discrepancy between protection need and reality, a number of countermeasures were developed for networks and phones to better protect their users.
We explain the most important measures and track their deployment. Furthermore, we will release tools to measure the level of vulnerability of networks. Sharing the results of these measurements will hopefully create problem awareness and demand for more security by phone users around the world.
Karsten Nohl
Luca Melette
23:00
01:00
Saal 1
black_ops_of_tcpip_2011
Black Ops of TCP/IP 2011
lecture
en
Black Ops of TCP/IP 2011, a cleanup of the BH USA talk.
Also there's some crazy secret squirrel stuff I'm working on right now.
Dan Kaminsky
12:45
01:00
Saal 2
what_is_whiteit
What is WhiteIT and what does it aim for?
Why you probably want to be concerned about it and similar alliances.
lecture
en
This talk will be about the WhiteIT project, initiated by Mr Schünemann, German Minister of Interior in the state of Lower Saxony.
The WhiteIT project is concerned with combating the online distribution of child abuse material. WhiteIT tries to develop tools and processes to cooperatively suppress the dissemination and (re-)distribution of said material.
During the talk the lecturer will try to encourage some open source intelligence. So please consider bringing a laptop, netbook or tablet with you to help gather and collect certain information right away.
Being involved with the WhiteIT project, the lecturer will use this opportunity to speak freely about his concerns regarding certain aspects of the endeavour. The talk will try to explain some of the project's aims as well as the technical tools and processes developed, and why he thinks this concerns you as well.
Although the talk will mainly be concerned with WhiteIT and its members, it will also be of concern for other nationals, as there are some global players involved.
The talk will be somewhat interactive, asking you to crowdsource certain information that the lecturer could not get hold of, so please bring a laptop, netbook or tablet with you to be able to access a wiki/etherpad.
Christian Bahls -- MOGiS e.V. - Eine Stimme der Vernunft
Go here if you want to help with some open source intelligence
CAMnet early proposal 2010 [in German, heise.de]
Recent Article in German Zeit online
14:00
01:00
Saal 2
r0ket
r0ket++
The CCC-Badge
lecture
en
Now you've got that r0ket thing. What to do with it?
If you have a r0ket, bring it to our talk!
We will try to play a game of pong with every participant. You need the l0dable r_game to join the fun :)
As we won't be using cryptokeys, you'll need the new 28c3 firmware so the l0dable will run and everything else works.
For CCCamp 2011 we designed r0ket with team r0ket. Besides being a shiny electronic name tag, the r0ket is an easy to use full featured microcontroller development board.
3000 r0kets were given to the participants, to be creative. At Camp we already told you about the journey to getting everything ready.
In r0ket++ we will tell you what happened since camp and what we learned from moving the whole production of r0ket to China.
You will get more information about writing your own software for r0ket. And finally you will find out, what your r0ket does at 28c3: Besides using r0ket as a rem0te, you can participate in an openBeacon based tracking.
lilafisch
Stefan 'Sec' Zehl
r0ket wiki
28c3 firmware, howto
r0ket soup
cccamp11 r0ket talk
git
16:00
01:00
Saal 2
scade_and_plc_vulnerabilities_in_correctional_facilities
SCADA and PLC Vulnerabilities in Correctional Facilities
Tiffany Rad, Teague Newman, John Strauchs
lecture
en
Many prisons and jails use SCADA systems with PLCs to open and close doors. Using original and publicly available exploits along with evaluating vulnerabilities in electronic and physical security designs, Newman, Rad and Strauchs have discovered significant vulnerabilities in PLCs used in correctional facilities, being able to remotely flip the switches to “open” or “locked closed” on cell doors and gates. This talk will evaluate and demo SCADA systems and PLC vulnerabilities in correctional and government secured facilities while recommending solutions.
We figured out how to remotely hack into prison cell and gate control systems by using publicly available Siemens PLC exploits as well as creating our own. Teague and Tiffany did a walk-through of a jail in the southwest USA, saw PLCs in use, took pictures and saw prison guards accessing Gmail from the Control Room computers. We will be presenting the results of this research with John Strauchs discussing electronic and physical security vulnerabilities in modern prison design. Our research was presented at Defcon 19, Las Vegas, NV.
Teague
Tiffany Rad
White Paper
Wired Magazine article about our work
The Register article about our work
Der Spiegel article about our work
17:15
01:00
Saal 2
almighty_dna_and_beyond
Almighty DNA?
What the Tatort truth machine has to do with surveillance
lecture
de
The creation of personal profiles from DNA and their storage in police databases enjoys general acceptance. The assumption is widespread that this is solely about solving murder and manslaughter. In fact, however, the Federal Criminal Police Office (Bundeskriminalamt) stores data records here as a precaution, for ever more trivial reasons and in ever greater numbers. In addition, the DNA databases of the European police forces are currently being networked with one another. This is all the more worrying as we all constantly leave DNA behind, whether in hair, skin abrasion or saliva.
The method lives on the notion that the uniqueness of the individual can be defined biologically and unambiguously and is inscribed in the DNA. We will provide both theoretical and practical counterarguments and give an overview of the DNA databases operated by the police forces in Germany and Europe, their legal basis and their collection practice.
Susanne Schultz
Uta Wagenmann
18:30
01:00
Saal 2
does_hacktivism_matter
Does Hacktivism Matter?
How the Btx hack changed computer law-making in Germany
lecture
Do you remember those days when hackers were “real men”? When hacking was not yet a crime and cyberspace an undiscovered land? Just before anti-hacking laws were introduced in Germany? Back in those days, the famous founding fathers of the CCC made the Bundespost (Germany's Federal Mail Service) meet its Waterloo when they hacked Bildschirmtext (Btx)—the epitome of both technological utopias and dystopias at that time. But soon, hackers suffered a setback: new laws criminalized hacking in the name of fighting white-collar crime. At the same time as the laws, things were getting rougher in the media and in public opinion. While previously seen as a weird vanguard of technology, hackers soon became pranksters and outlaws. Apparently hacktivism, the portmanteau word for hacking activism, had failed to shape the policies of the dawning information society. However, there is evidence that hacktivism had an impact on the new computer crime legislation—not in terms of having more, but fewer restrictions implemented in the law.
In my talk, I take a historian's point of view. First, I will show in which atmosphere of anxiety and excitement information technology evolved in Germany in the early 1980s. Then, I will give a very short description of the Btx hack, which is usually neglected in historical science. After giving this background, I will reconstruct the debates of white-collar crime law-making in the context of the “2. WiKG” (Zweites Wirtschaftskriminalitätsbekämpfungsgesetz) in 1984-86. I will show how different stakeholders demanded a strict law that penalized virtually every aspect of hacking, while the politicians—even those from the conservative party—honored the guys who unveiled security flaws in Btx. This led to the invention of “good” and “bad” hackers in juridical discourses. This distinction has been maintained in law journals, but likewise neglected in most court decisions. My talk will conclude by arguing that hacktivism matters in shaping policies by indirectly changing mind-sets, even if it fails to win every single battle. So, the impact of hacktivism is not part of a rational debate, but of a more complex strategic situation in which rational arguments only play a minor role.
Kai Denker
Hans-Peter Uhl, parliament speech (cf. Type II sources)
20:30
01:00
Saal 2
what_is_in_a_name
What is in a name?
Identity-Regimes from 1500 to the 2000s
lecture
Starting with the history of birth registration, this talk gives an overview of the historical regimes of naming and identifying people from the 15th to the 20th century. The talk will show examples of the different identity media through time and their standardization with the rise of the Westphalian nation state, and the subsequent developments after the French Revolution and during the 20th century. The goal of the talk is to show the complexity of the phenomenon of personal names and their media, and the need for an informed debate on who carries out naming and identification in the digital age, and how.
In July 2011 Google opened the social network named Google+, immediately spawning a fierce debate about its real-name policy barring users from opening accounts with pseudonyms. Just a few days later Facebook's Vice President Randi Zuckerberg echoed Google's sentiment, asserting: “(…) anonymity on the Internet has to go away.” Finally, in early August Germany's minister of the interior demanded an end to anonymity on the Internet.
My proposed talk is not concerned with the relation of anonymity and pseudonymity to free speech, discrimination and empowerment that dominated the ‘real-name’ “nymwars” on the Internet.
Instead it seeks to de-familiarize the notion of the ‘real name’ by exposing central aspects of the media history of names, situating personal names in relation to the development of statehood and capitalism between the 1500s and the 2000s.
I will thus outline the history and function of birth registration as introduced in the wake of the Reformation in 1543 and its subsequent secularization during the rise of the Westphalian nation state.
This includes an overview of the international standardization of both identity papers and personal naming regimes during the 19th century in the context of the post-1789 development of statehood and colonization. Moving to the 20th century, I will provide examples of the development and standardization of the passport system after WWI, and conclude my talk with a synopsis of the administrative digital identity visions of the early nineties.
The goal of the talk is, first, to de-familiarize the notion of the personal name by showing its complex historical and material background; secondly, to contextualize the current developments of digital identity regimes (Neuer Personalausweis, Google+, NSTIC etc.) within the larger and longer-term developments of statehood and capitalist societies. Thirdly, my talk will show that a name never was one's own but always an intersection of administrative, media-technical and personal interventions, and as such is currently becoming a contested phenomenon again, requiring an informed debate about what is in a name.
Duration 40 mins, presentation style will be slides and accompanying talk, discussion afterwards.
Bio:
Christoph Engemann studied psychology at the University of Bremen and became a Ph.D. fellow of the Bremen International Graduate School of Social Sciences in 2002. Between 2003 and 2006 he was a Non-Residential Fellow at the Center for Internet and Society, Stanford Law School.
Christoph took part in the 2005 Doctoral Summer School of the Oxford Internet Institute and was a lecturer at the Science, Technology and Society Program at the University of Texas in 2007 and 2008. Since February 2010 he has worked as a researcher and lecturer at the Internationales Kolleg für Kulturtechnikforschung und Medienphilosophie at the Bauhaus University Weimar. In 2011 Christoph was a faculty member at the Weimar-Princeton Summer School for Media Studies on the topic of surveillance.
Christoph is a member of the DFG research network "Digital Citizens and their Identity".
His main areas of research are Governmediality; Digital Identity/Media of Identification and their History; Electronic Government; Genealogy of the Transaction; Political Economy of the Internet.
Christoph Engemann
21:45
01:00
Saal 2
eu_datenschutz_internet_der_dinge_en
EU Data Protection and the Internet of Things (English translation)
lecture
de
The EU Commission is currently working on modernising the Data Protection Directive. This contribution reports on the current state of affairs.
The EU Commission is currently working on updating the Data Protection Directive in order to adapt the existing legal framework, after 15 years, to the new technical and social conditions. At the same time, an expert group of the EU Commission is discussing the data protection challenges arising in connection with the Internet of Things.
This contribution reports on the current state of affairs at the European level and discusses with the participants the positions that European Digital Rights (EDRi) represents in these areas.
(Subject to availability, this contribution will be presented together with other EDRi activists; English as the working language is possible.)
Andreas Krisch
European Digital Rights (EDRi)
Draft: EU Data Protection Regulation
Draft: EU Data Protection Directive (Police & Justice)
12:45
01:00
Saal 3
the_atari_2600_video_computer_system_the_ultimate_talk
The Atari 2600 Video Computer System: The Ultimate Talk
The history, the hardware and how to write programs
lecture
en
Going more retro than the Commodore C=64: the Atari 2600 VCS was the breakthrough for video games in your own living room. This lecture will cover a bit of the history of how it came to life, describe the hardware used and show how to write your own code for it.
The Atari 2600 Video Computer System (VCS for short) was the first widespread gaming console. It features 128 bytes of RAM and 4k bytes of addressable ROM. This was enough to keep it in production for more than 13 years.
This lecture is divided into three parts:
The first part will cover the history of how it came to life. Learn why the Atari 2600 is technically half a Commodore creation.
Learn why Motorola was really angry about that deal. Can you imagine how the software was created, since there were no PCs or workstations available at the time? Get to see probably the first easter egg in the history of video games.
The second part will provide an inside view of the chips used in the Atari 2600: the 6507 CPU, the 6532 RIOT (RAM-I/O-Timer) and the TIA (Television Interface Adapter). It will also show why "racing the beam" is so important.
The third part will show how to write your own code: what registers you have and how to use them, using emulators, the Harmony cartridge and a self-designed cart that will hopefully be finished by the time of the talk.
Still got questions? 2600vcs@svolli.dynxs.de
Sven Oliver ('SvOlli') Moll
14:00
01:00
Saal 3
can_trains_be_hacked
Can trains be hacked?
The technology of railway signalling and safety systems
lecture
Why do trains travel safely? How are collisions avoided despite the risk of human error? And what does all this have to do with IT security?
The talk sheds light on the more than 130-year history of railway signalling technology, discusses the basic concepts of safe railway operation and explains how the various types of interlocking used in the Deutsche Bahn network work. Besides the oldest (but still present in large numbers) purely mechanical designs, we discuss both the relay-based track diagram interlockings and the modern computer-based interlockings, which are becoming ever more widespread. (And, based on investigation reports of the Federal Railway Authority (Eisenbahn-Bundesamt), we discuss why accidents do happen now and then.)
While mechanical and electrical signalling systems are closed systems, future systems increasingly use wireless communication. The safety of passengers therefore also depends on the security of the underlying communication infrastructure. In the talk we therefore examine how the future generation of signalling systems will be secured, which new threat scenarios arise, and whether the "train of the future" can therefore be hacked...
Stefan Katzenbeisser
16:00
01:00
Saal 3
demokratie_auf_saechsisch
Democracy, Saxon Style
lecture
de
It all began in the run-up to 13 February 2010. After the so-called right-wing memorial march on the anniversary of the bombing of Dresden had grown within a few years into the largest Nazi march in Europe, a nationwide alliance of antifa groups, parties and civil society was founded in 2009 with the aim of blocking it.
So much commitment against the far right was, however, a thorn in the side of the Saxon authorities from the start, so that as early as January 2009 the Dresden public prosecutor's office constructed the accusation of "incitement to criminal offences" in order to search premises of the alliance, confiscate posters and thus prevent the mobilisation to Dresden. The tactic failed: on 13 February 2010, more than 10,000 people besieged the march site, whereupon the Nazi march did not take place.
The LKA (state criminal police office) and the public prosecutor's office did not want to suffer such a defeat again.
Therefore a tried-and-tested strategy for screening politically unwelcome structures was employed: proceedings under §129 for "forming a criminal organisation". This gives the police almost unlimited investigative powers without the accused having to be proven to have taken part in specific criminal offences.
So a handful of criminal offences and politically legal actions in Saxony were collected and arbitrarily construed as activities of a particular group which, conveniently for the authorities, was also said to be active in the immediate environment of "Dresden Nazifrei".
The alleged group is accused of breaches of the peace, bodily harm and property damage. This legalised extensive measures, from telephone surveillance to the collection of connection data of entire city districts, with the help of which the left-wing scene in Dresden and the activities of the blockade alliance were screened.
This development and the political framework in the Free State of Saxony, which as a pioneer of the extremism doctrine increasingly restricts political engagement, were reason enough for founding the campaign "Sachsens Demokratie".
In the talk, the campaign will introduce itself and its work and give an insight into the development of the proceedings and the range of the repression.
Josephine Fischer
Tobias Naumann
17:15
01:00
Saal 3
automatic_algorithm_invention_with_a_gpu
Automatic Algorithm Invention with a GPU
Hell Yeah, it's rocket science
lecture
en
You write software. You test software. You know how to tell if the software is working. Automate your software testing sufficiently and you can let the computer do the writing for you! "Genetic Programming", especially "Cartesian Genetic Programming" (CGP), is a powerful tool for creating software and designing physical objects. See how to do CGP as we invent image filters for the Part Time Scientists' 3D cameras. Danger: Actual code will be shown!
Wes Faler
Julian Miller (inventor of CGP)
CGP Book “Cartesian Genetic Programming”
“Evolved to Win” CGP e-book
18:30
01:00
Saal 3
the_movement_against_state_controlled_internet_in_turkey
The movements against state-controlled Internet in Turkey
A short account of its history and future challenges
lecture
en
We are members of Alternatif Bilişim Derneği (Alternative Informatics Association)**, one of many organizations that oppose the ongoing efforts for state-controlled Internet in Turkey. We see that the problems with media control in Turkey and in Europe are increasingly becoming part of a global problem. The governments are working on their own view of a 'secure' Internet, and we have to articulate and suggest an alternative.
In our talk we want to give an account of our anti-censorship movement and the challenges we face in Turkey. We will first provide an overview of the political events; sanctions, censorship regulations and attempts of resistance in the country. Then, we will point out the main problems we face in making use of laws and technology against state control. We would also like to use our presentation as an opportunity to meet people at the CCC with similar affinities and to learn from their experience. We see a great need to create global networks and communities to articulate an alternative message; the Internet as the peoples’ media.
Ali Rıza Keleş*
arkeles@alternatifbilisim.org
Ayşe Kaymak
aysakaymak@gmail.com
Işık Barış Fidaner
fidaner@gmail.com
Seda Gürses
sguerses@esat.kuleuven.be
A short history
Despite its growing economy, democracy and fundamental rights have always been disputed in Turkey, where the shadow of the 1980 coup and the still unresolved Kurdish problem is strongly felt, with the state persistently denying Kurdish citizens' rights and repressing real political opposition in order to channel the people's consent to the authorized 'official' parties in the parliament. The coup in 1980 was mainly used to implement liberal policies, and this process is near completion: most state enterprises have been privatized in the last decade, including Türk Telekom, the phone company and the single ISP that owns the ADSL infrastructure in Turkey. In the same decade, Internet use became widespread. Yet the increasing popularity of the Internet has been accompanied by attempts to control it through criminal sanctions.
Until 2007, tens of thousands of websites had been blocked by courts as a 'precaution', including sites like Wordpress and YouTube. After Law 5651 in 2007, even more websites were censored directly by the government administration. In response to this law, Sansüre Karşı Platform (Platform Against Censorship) was organized. Nearly 3000 people participated in the first anti-censorship rally on 17 July 2010, including Internet youth, political parties, trade unions, etc.
Not long after the events in Tunisia and Egypt, the state institution for telecommunication, Bilgi Teknolojileri ve İletişim Kurumu (BTK), made a decision to force ISPs to provide free Internet filters under headings such as 'children' and 'family'. This move created an enormous reaction, which culminated in a nationwide Internet freedom rally on 15 May 2011 that took place in tens of cities. In Istanbul alone, 60 thousand people marched against the imposed censorship measures. What followed was a smear campaign by controlled media (including state TV) against the protesters, and a pseudo-governance meeting between BTK and NGOs. After the general elections in June, the war with the PKK escalated, pushing the BTK decision out of media attention. Currently, DNS or IP blocking is used mostly for 'obscene' websites and in some cases for political ones.
National security has always functioned as an excuse for the Turkish state to introduce exceptions to a rule or to make the exception the rule itself. An example is 'Ulusal Kripto Yönetmeliği' (National Crypto By-law) that was put in order in 2010. This by-law necessitates ‘official authorization’ for any encrypted communication by any citizen, and also requires the citizens to give away their encryption mechanisms and private keys to BTK for ‘storage’.
In conclusion, we have reasons to believe that the government is currently developing infrastructure to utilize methods like deep packet inspection (DPI) as weapons in a 'cyberwar', possibly against its own people. These methods will include monitoring and labeling of Internet users as well as blocking communication. We made use of our 'right to information' to inquire about the plans for employing DPI, but were 'informed' that this is 'beyond the limits of our right to information'.
Problems in using laws & technology against state control
The greatest problems with respect to guaranteeing fundamental rights in technology deployment and use currently lie in how laws are made and how they are enforced. The lawmaking process is exclusionary, including only a few NGOs that can better be called QUANGOs (quasi-autonomous non-governmental organizations). There are several political parties and trade unions, but even their peaceful protests are occasionally declared 'unauthorized' and considered illegal. People in general do not trust the judiciary system, but they are simply unorganized and do not believe in their own power. The regime bases its legitimacy on ideology and not on lawful justice.
Türk Telekom (TT), privatized in 2005, monopolizes the ADSL infrastructure, making Internet services expensive and prone to state control. In 2007, a workers' strike in TT had triggered debates on this monopoly being protected by the government. The company also acts as a service provider in several domains, creating questions about net neutrality.
Another problem is with the limitation of how people can relate to technology. Computers, cellphones and other gadgets are aggressively marketed and widely used throughout the country, but the marketed forms of use mostly remain superficial, e.g., these gadgets are depicted as entertainment or as status symbols. We argue that the hegemony of these consumerist cultural connotations do hamper diverse uses of these products for a variety of motivations.
A small community of Linux promoters has emerged around universities. These groups could promote alternative approaches to technology. However, under the usual political fears, they only articulate their positions professionally. Their statements usually target Microsoft or other big proprietary software companies. This position is compatible with the officially accepted national pride and national security positions in Turkey, and hence is limited to the politics of technology only (see the Pardus project).
Leftist and Kurdish political organizations are in a position to benefit most from digital communication technologies. However, they still lack the capacity and enthusiasm to use them effectively. Alternative political media initiatives exist online, but they are mostly limited to standard uses, and their technical quality reflects the lack of developers in the political community.
In Turkey, engineering education is praised and supported by families. Families make up for the lack of a financially strong social system. The society in general also praises technical knowledge. However, a strong barrier separates the 'educated people' who are supposed to know it, from 'regular people' who are only supposed to consume it. Under economic pressure and feeling indebted to their families, most white collar workers dedicate themselves to their work in private companies. There is some space in some universities for shared work and creativity, but such spaces are getting smaller as most universities are being turned into technical schools.
* Ali Rıza Keleş, Işık Barış Fidaner are software developers, Ayşe Kaymak is a lawyer from Istanbul. Seda Gürses is an Internet researcher from Brussels.
** Alternatif Bilişim is a social network that includes users, developers and researchers of digital technologies, studying and practicing alternative uses of technology. Ultimately, our objective is to diminish the alienation of people to technical knowledge.
Barış
seda
20:30
01:00
Saal 3
buggedplanet
BuggedPlanet
Surveillance Industry & Country's Actings
lecture
en
BuggedPlanet.Info is a small Wiki that tries to list and track the activities of the surveillance industry in the fields of "Lawful Interception", Signals Intelligence (SIGINT), Communications Intelligence (COMINT) and related fields aimed at gaining access to data from telecommunication systems. In this talk I want to explain the idea behind the project and also discuss some observations about the relationship between industrial activities and government actions.
In particular, the production and marketing of these products to governments operating in countries without any democratic tradition, and the marketing activities meant to "widen" the market for them, can also change the way governments within democratic frameworks operate. I will give examples of these "cross-market" activities and their implications.
Andy Müller-Maguhn
BuggedPlanet.Info Site
21:45
01:00
Saal 3
macro_dragnets
Macro dragnets: Why trawl the river when you can do the whole ocean
What happens when data collection goes awry in the 21st century
lecture
As governments increase their data collection capabilities, software developers are stepping up to both utilize and augment surveillance capabilities. DNA databases, facial recognition, behavioral patterning, and geographic profiling are all in use today. Police are crowdsourcing the identification of suspects, and citizens are willingly participating. This talk will cover real technologies in place today as well as educated speculation about what is coming next.
Conspiracy theorists have been questioning the degree to which anyone truly has privacy for quite some time. State ID & fingerprints have given way to electronic passports & DNA analysis. With the increasing number of DIY BIO groups it isn't outside the realm of speculation to see clandestine collection & generation of genomic information by a state actor. Police agencies are engaging in genomic data collection of suspects, witnesses, and victims with no guarantee of the information safety of those individuals. The current scope of laws in the United States limits "genetic discrimination" to "health insurance and employment decisions" with no limitations on the implication of guilt or agency in a crime at the federal level. Similarly companies are collecting photographs of individuals from online services and using them as the corpus for facial recognition techniques which are then leased to government actors.
The goal of this talk is to:
Address the current vectors for public identification
Discuss potential countermeasures for identification dragnets
Analyze the role of genomic screening
Review case studies of individuals trying to avoid "the system" and crowdsourced attempts to identify the individuals
Imagine one was "erased" from these databases. How can one re-establish positive identification (and would they want to)?
Redbeard
Santa Clara abstract on geographic profiling
Text of the Genetic Information Nondiscrimination Act of 2008 (US Law)
Attempt by Vancouver BC law enforcement to identify rioters in the 15/06/2011 riots.
Lightfield Cameras
Long range facial recognition
23:00
01:00
Saal 3
string_oriented_programming
String Oriented Programming
Circumventing ASLR, DEP, and Other Guards
lecture
en
The protection landscape is changing and exploits are getting more and more sophisticated. Exploit generation toolkits can be used to construct exploits for specific applications using well-defined algorithms. We present such an algorithm for leveraging format strings and introduce string oriented programming.
String oriented programming takes format string exploits to the next level and turns an intrusion vector that needs hand-crafted exploits into arbitrary code execution. Similar to return oriented programming or jump oriented programming, string oriented programming does not rely on existing code but concatenates gadgets in the application using static program analysis.
This talk presents an algorithm and a technique that takes a vulnerable application containing a format string bug as a parameter and constructs a format string exploit that can be used to inject a dynamic jump oriented programming dispatcher into the running application. String oriented programming circumvents ASLR, DEP, and ProPolice.
Mathias Payer
Homepage with slides, paper, and PoC code & sample programs
00:15
02:00
Saal 1
hacker_jeopardy
Hacker Jeopardy
Number guessing for geeks
contest
de
The Hacker Jeopardy is a quiz show.
The well-known reversed quiz format, but of course hacker style. It was once described as "number guessing for geeks" by a German publisher, which of course is an unfair simplification. It's also guessing of letters and special characters. ;)
Three initial rounds will be played, the winners will compete with each other in the final.
Ray
Stefan 'Sec' Zehl
11:30
01:00
Saal 1
politik_hacken
Hacking politics
A short guide to exploiting the security holes of social and political communication
lecture
de
Classic protest, conventional demonstrations, online petitions and citizens' initiatives have for some time been complemented by new instruments of political participation. Their strength lies in decentralized organization, communication guerrilla actions, discursive intervention and collaborative spontaneity. Using examples, the talk presents a toolset of possibilities for rule-breaking and non-violent meddling and intervening in politics.
Anonymous, the Hedonist International, Telecomix and the Space Hijackers are some of the networks that are trying out a new kind of protest and political intervention. What they have in common is that their actions are always also meant to intervene in the media discourse, and they bet on a correction, or a change of course, towards a different perception of the world. This applies both to the perception of the media and to the perception of politics. Pictures and images are reinterpreted, social codes are cracked, open flanks are exploited. In doing so, this form of protest relies on rule-breaking and a new interpretation of signs.
The activists' actions can look very different. Demonstrations can literally be hacked, as in the case of a demonstration by Guttenberg supporters. In that case the Hedonist International (HI) had managed to register a pro-Guttenberg demonstration with the assembly authority, to use the mobilization of the real Guttenberg fans, and then to reinterpret them at the demonstration. As a result, Guttenberg was made so ridiculous once more on his way out that a return of the former defense minister seems unlikely, at least today.
A joint action of the HI and "Die Partei" was about news hacking. Here the activists used the classic "6 p.m. election night" TV moment to celebrate the defeat of the Berlin FDP at its election party, with free beer, live on television.
The Space Hijackers from Great Britain, on the other hand, drive up in a tank in front of the Bank of Scotland, and are thrilled when the police confiscate it, damaging several buildings in the process.
Often it is enough to take over the identity of a political or economic player at the right moment in order to bring the media's depiction of the world in line with one's own reality. When, after Fukushima, the German nuclear lobby suddenly tweets the cynical truth, or surveillance companies like DigiTask set up Twitter dialogue hotlines, this not only causes confusion, joy and media-friendly legal threats, but also contributes to a changed perception of these players themselves.
Hacking politics means exploiting the security holes of social communication in order to keep living freely and with pleasure in the future.
You can do all of this yourself. We tell you how.
Alexander Müller
Bärwulf Kannitschreiber
Montserrat Graupenschläger
http://www.spacehijackers.org/
http://hedonist-international.org
12:45
01:00
Saal 1
echtes_netz
Echtes Netz
Campaign for net neutrality
lecture
de
At the beginning of 2012, "Echtes Netz", the campaign for net neutrality, initiated by Digitale Gesellschaft e.V. and funded by stiftung bridge, will launch. The campaign sets itself the task of raising awareness of the value of a real net and of campaigning, with offline and online actions, for net neutrality to be anchored in law.
The talk gives an overview of the debate around net neutrality in Germany and the EU, and an outlook on the campaign.
Falk Lüke
Markus Beckedahl
Digitale Gesellschaft e.V.
Echtes Netz - campaign for net neutrality
14:00
01:00
Saal 1
effective_dos_attacks_against_web_application_platforms
Effective Denial of Service attacks against web application platforms
We are the 99% (CPU usage)
lecture
This talk will show how a common flaw in the implementation of most of the popular web programming languages and platforms (including PHP, ASP.NET, Java, etc.) can be (ab)used to force web application servers to use 99% of CPU for several minutes to hours for a single HTTP request.
This attack is mostly independent of the underlying web application and just relies on a common fact of how web application servers typically work.
Alexander ‘alech’ Klink
Julian | zeri
n.runs-SA-2011.004 advisory
oCERT advisory
16:00
01:00
Saal 1
the_science_of_insecurity
The Science of Insecurity
lecture
en
Why is the overwhelming majority of common networked software still not secure, despite all effort to the contrary? Why is it almost certain to get exploited so long as attackers can craft its inputs? Why is it the case that no amount of effort seems to be enough to fix software that must speak certain protocols?
The answer to these questions is that for many protocols and services currently in use on the Internet, the problem of recognizing and validating their "good", expected inputs from bad ones is either not well-posed or is undecidable (i. e., no algorithm can exist to solve it in the general case), which means that their implementations cannot even be comprehensively tested, let alone automatically checked for weaknesses or correctness. The designers' desire for more functionality has made these protocols effectively unsecurable.
In this talk we'll draw a direct connection between this ubiquitous insecurity and basic computer science concepts of Turing completeness and theory of languages. We will show how well-meant protocol designs are doomed to their implementations becoming clusters of 0-days, and will show where to look for these 0-days. We will also discuss simple principles of how to avoid designing such protocols.
In memory of Len Sassaman
Meredith L. Patterson
Sergey
17:15
01:00
Saal 1
hacking_mfps
Hacking MFPs
Part2 - PostScript: Um, you've been hacked
lecture
en
We have decided to continue our research into PostScript realms - an old, very powerful and nicely designed programming language, where (coincidence or not, given its numerous security flaws) Adobe owns most PostScript interpreter instances.
This time we demonstrate that the PostScript language, given its power, elegance and Turing-completeness, can be used for more than just drawing dots, lines and circles - and to a certain extent it can be a hacker's sweet delight if fully mastered.
We will be presenting a real-life implementation of unusual PostScript APIs (along with its dissection and reconstructed documentation) that interact with various levels of the OS and HW, an implementation we have found in a TOP10 printer vendor product line.
Also, we will investigate whether a PostScript-based (hence platform-independent) virus (18+ years after the first proposals of such a theory) can be accomplished, thus giving theoretical hints and a few building blocks in this direction.
We will also present some very constructive uses of the PostScript language in the creative (i.e. non-destructive) hacking direction.
In the end, we will try to summarize our conclusions and possible solutions for all parties involved (vendors, users, sysadmins, security experts).
With this research we hope to prove that the entire printer industry (devices, printing software/drivers/subsystems, publishing and managed services) has to be rethought security-wise, so that it can withstand the current security landscape and threats in the long run.
"Hacking MFPs (part2) - PostScript: Um, you've been hacked"
We started our research in early 2010 as a state-of-affairs investigation of the general security of printers and of printing protocols and subsystems.
We concluded and demonstrated that, using malicious documents and applets, it is possible to control certain printer functionality via the PJL protocol, including malicious content upload/download on printers' storage.
As a side effect of the research, several other areas of the printer industry were shown to be prone to malicious attacks (XSS injection and execution, auth-bypass, unauthorized functionality and content access, etc.).
Incidentally, in the very same period, Stuxnet abused printing subsystems to spread itself, and a few other printer research efforts emerged in various directions (PJL password and hard disk abuse, confidential/password data harvesting, Linux-based firmware reverse engineering).
All these apparently separate events prove once again that printers are not forgotten: they spark revived hacking interest, and their (mis)use can be harmful and have long-standing effects on one's enterprise security.
Andrei Costin
18:30
01:00
Saal 1
how_governments_have_tried_to_block_tor
How governments have tried to block Tor
lecture
Iran blocked Tor handshakes using Deep Packet Inspection (DPI) in January 2011 and September 2011. Bluecoat tested out a Tor handshake filter in Syria in June 2011. China has been harvesting and blocking IP addresses for both public Tor relays and private Tor bridges for years.
Roger Dingledine and Jacob Appelbaum will talk about how exactly these governments are doing the blocking, both in terms of what signatures they filter in Tor (and how we've gotten around the blocking in each case), and what technologies they use to deploy the filters -- including the use of Western technology to operate the surveillance and censorship infrastructure in Tunisia (Smartfilter), Syria (Bluecoat), and other countries. We'll cover what we've learned about the mindset of the censor operators (who in many cases don't want to block Tor because they use it!), and how we can measure and track the wide-scale censorship in these countries. Last, we'll explain Tor's development plans to get ahead of the address harvesting and handshake DPI arms races.
Jacob Appelbaum
Roger Dingledine
20:30
01:00
Saal 1
politik_neusprech_2011
"The coalition is, however, actively and seriously committed to it"
Linguistic fog in politics
lecture
Current political texts (speeches, interviews) are examined for empty formulas, fillers and exaggerations that expose the text: even when the author tries to lull the listeners or readers, certain linguistic devices betray which actual opinions are hidden in the text. In this way, what Wilson and Shea call a "fnord" becomes visible in the texts.
The linguist Victor Klemperer observed: "What someone deliberately wants to hide, whether from others or from themselves, and also what they carry within them unconsciously: language brings it to light." This is particularly clear in means of expression that can be called "Nebelsprech" (fog-speak): these are above all linguistic fillers (pleonasms) that, in the given context, contribute nothing to the meaning of a text but are only meant to lend a statement an emphasis it would not need at all if it were meant seriously. For example, the coalition compromise on the continued construction of the A100 in Berlin reads: "The project of the 16th construction section of the BAB 100 is not being abandoned in principle. The coalition is, however, actively and seriously committed to making a reallocation of the federal funds possible." The adverbs "actively" and "seriously" have a revealing effect here, because a passive and jocular commitment to a demand is simply inconceivable. In rhetoric this is called a hyperbole, which in the present case has failed, however, because the hyperbolic intensification suggests that activity in this regard may not be expected at all. Even when something is "analyzed without reservation, unreservedly and comprehensively" (Merkel), one should prick up one's ears, because what is "completely harmless" and "entirely unobjectionable" usually has a catch.
Texts on the "nuclear phase-out", on data retention and on other current topics, above all from net politics, will be analyzed.
maha/Martin Haase
21:45
01:00
Saal 1
apple_vs_google_client_platforms
Apple vs. Google Client Platforms
How you end up being the Victim.
lecture
en
We will discuss the two different approaches Apple and Google take for the client platforms iPad and Chromebook, how they are similar and how they are not.
From the security architecture and integrity protection details to your account and identity that links you firmly back to the respective vendor, we will provide the big picture with occasional close-up shots.
Here is what powers the vendor has over you, or what powers he gives to arbitrary unwashed attackers at conferences through fails in logic, binary or HTML.
Bruhns
FX of Phenoelit
greg
Recurity Labs
23:00
01:00
Saal 1
7_years_400_podcasts_and_lots_of_frequent_flyer_miles
7 years, 400+ podcasts, and a whole lot of Frequent Flyer Miles
Lessons learned from producing a weekly independent podcast on international conflicts and concerns.
lecture
In 2004 I started a weekly podcast on international under-reported news based on a feeling that this was something I enjoy doing and I could be good at.
More than 7 years and 400 episodes later, with the help of listeners and friends, I have travelled almost nonstop to some of the most interesting and unexpected corners of the world. These travels have led me to some unconventional guests, topics, and life choices. Through it all, week after week, I have kept the program going. The lessons I've learned, and continue to learn going forward, tell a story that answers a lot of today's most popular questions about the future of the internet and independent journalism. From crowdsource funding to the streets of New Orleans, from iTunes politics to the mountains of Afghanistan, I will share these stories and whatever wisdom they have brought me.
Bicyclemark
00:15
01:00
Saal 2
dick_size_war_for_nerds
NPC - Nerds’ Pissing Contest
My Ruby is better than your urxvt!
contest
de
This is about the crucial question: "Which tool is the best?" Two teams compete against each other and have to solve various $RANDOM\_NERD\_TASK live on their own computers. Whoever shows that their tool is the faster, leaner, more powerful, longer, bigger^w^w^w^w one wins. The show is hosted by Jan "git-zsh-keynote-firefox" Wulfes and Benjamin "bzr-fish-latexbeamer-chrome" Kellermann.
In this edition of the NPC the question is which editor is the best. Two teams (of 1-4 participants each) compete with the editor of their choice to answer this religious question.
After a three-minute laudation for the editor of their choice, in the compulsory round they have to solve the given tasks in front of the audience as quickly and elegantly as possible. The teams may use their own configuration files for this.
In the freestyle round, each team has to present the strengths of its editor with a small stunt, which the other team then has to match or even top.
Audience, pay attention, your skills are needed, and we want to involve you: via chat you can help the team on stage solve the tasks.
Applications for team membership and your questions can be sent in advance by email to [pissing28c3@c3d2.de](mailto:pissing28c3@c3d2.de).
You can prepare for the following questions from us:
============8<============================
The game will roughly ask for the following things:
• You may bring your own configuration
• For example, we want to see how well your editor is suited to programming.
- Show us how well your syntax highlighting & automatic code indentation work for a wide variety of languages.
- Is your editor usable as an IDE? Then show us that it solves the refactoring tasks we specify.
- Every good IDE supports programmers with integrated online documentation. How does your tool do this? Show us in two programming languages you have prepared.
- How well can make/compiler/debugger be integrated?
• How well does it support you in producing text?
- We test the spell checker.
- We want to see whether your editor can handle the usual business formats.
- How well it lets you navigate long texts.
- Nice features such as parallel editing by several users are rated positively.
• Knowing means knowing where to find it.
- How well is your editor documented?
- How easily can the right documentation be found?
• Configurability
- We want you to implement a small syntax highlighting.
- Extend your editor with a small function.
Benjamin Kellermann
klobs
Files, voting, IRC
11:30
01:00
Saal 2
eating_in_the_anthropocene
Eating in the Anthropocene
Transgenic Fish, Mutagenic Grapefruits and Space Potatoes
lecture
Over the last few years hackers have begun to take a larger interest in food, gastronomy and agriculture. For many in the community the ability to create DIY molecular gastronomy hardware and recipes is an obvious entry point. This talk extends some of these early investigations beyond the kitchen and the chemical properties of food by looking at specific cultivars, food technology organizations, and connections between food systems, ecosystems and planetary change.
Part 1 of the talk explores some of the more bizarre and interesting biotechnologies and genomes that make up the human food system on planet earth, including Chinese Space Potatoes, Mutagenic Grapefruits and Glowing Sushi.
Part 2 of the talk presents ideas of food system redesign particularly relevant to hackers and food explorers: utopian cuisines, resilient biotechnologies and eaters as agents of selection.
In Part 3 we provide access to resources and propose interesting projects for black hat food hackers, DIY BIO foodies, and prospective food security researchers, such as mining the IAEA's database of radiation breeding, eating things that weren't meant to be eaten and defending agricultural biodiversity.
By introducing less known stories from the history of food and technology, and providing access to resources we hope to get more hackers curious about exploring, questioning and redesigning our human food systems.
BIO: Zack Denfeld & Cathrine Kramer run the Center for Genomic Gastronomy, an independent research institute that studies the genomes and biotechnologies that make up the human food systems on the planet. They are currently in residence at Art Science Bangalore and are curating a show on the future of food at the Science Gallery in Dublin, Ireland.
Cathrine Kramer
Zack Denfeld
Our research group
Our cooking show
12:45
00:30
Saal 2
data_mining_the_israeli_census
Data Mining the Israeli Census
Insights into a publicly available registry
lecture
The entire Israeli civil registry database has been leaked to the internet several times over the past decade.
In this talk, we examine interesting data that can be mined and extracted from such a database.
Additionally, we will review the implications of such data being publicly available in light of the upcoming biometric database.
The Israeli census database has been freely available on the Internet since 2001. The database has been illegally leaked due to incompetent data security policies in the Ministry of Interior of Israel, which is responsible for the management of the Israeli census.
The data available includes all personal data of every Israeli citizen: name, ID number, date and location of birth, address, phone number and marital status, as well as linkage to parents and spouses.
In this talk we discuss various statistics, trends and anomalies that such data gives us insight into.
Personal details will obviously be left out of the talk, though it is important to note that any person who wishes to retrieve such details can easily do so.
We will end the talk with a discussion about upcoming and relevant privacy issues in light of Israel's soon-to-be biometric database.
Yuval Adam
Yuval's Homepage
Slide Deck
13:15
00:30
Saal 2
dont_scan_just_ask
Don't scan, just ask
A new approach of identifying vulnerable web applications
lecture
en
For years, we tried to identify vulnerable systems in company networks by getting all the company's netblocks / IP addresses and scanning them for vulnerable services. Then, with the growing importance of web applications and of course search engines, a new way of identifying vulnerable systems was introduced: "Google hacking".
However, this approach of identifying and scanning a company's IP addresses, as well as doing some Google hacking for the (known) URLs of the company, doesn't take all aspects into account and has some limitations. First, we just check the systems which are obvious: the ones that are in the company's netblocks, the IP addresses that were provided by the company and the URLs that are known or can be resolved using reverse DNS. But what about URLs and systems that aren't obvious? Systems that maybe even the company in focus forgot? Second, the current techniques are pretty technical. They don't take the business view into account at any point.
Therefore we developed a new technique as well as framework to identify companies’ web pages based on a scored keyword list. In other words: From zero to owning all of a company’s existing web pages, even the pages not hosted by the company itself, with just a scored keyword list as input.
Systems that are hosted by third parties, web pages that were just released for a marketing campaign, maybe even by a third-party marketing company but in the name of the company we want to check? Possibly not even the company remembers all the web applications and domains that are running under its name. These systems/applications won't be detected using traditional techniques and thus pose a potential security risk for the company. Second, the current techniques are pretty technical. They don't take the business view into account. That means we try to identify certain applications using technical information like version banners or the company's IP addresses in order to identify its systems. But how about the other way around: trying to identify applications and systems by using the company's business data (e.g. product names, company names, tax identification numbers, contact persons, …) and then testing the identified systems and applications for vulnerabilities?
That is what we did. The idea is to build up a scored keyword list for the company in focus. This list contains general keywords like the company name and product names, more detailed keywords like an address contained in imprints, and very specific keywords like the company's tax number. Every keyword in that list is then rated by human intelligence, which means specific keywords get a higher score than general keywords. In the next step a spider uses these keywords to query search engines like Bing, Google, etc. and stores all the web site URLs identified in a database together with their score. If a web site that is already in the database is found for another keyword, just the score of that entry is increased. At the end, we get a list of websites that contained one or more of the keywords, along with a score for each web site. Then the URL is taken and checked for whether it contains one of the keywords (e.g. the company name). If this is the case, the score of the page is increased again. Then for each entry the FQDN as well as the IP is resolved and a whois query is executed. If that whois record contains the company name, the score is increased again. Furthermore, the country codes are used to remove results which are not in the target country.
At the end of that process, we have a list of URLs and FQDNs that could be found using company-specific keywords, and that list is scored. Since during that process you get (depending on your keyword list) hundreds of thousands of unique hits, you have to reduce that list. Therefore we did some research on the results generated and found a decent way to reduce the results to an amount that can be checked manually by a human. Then those identified company web pages are passed to a crawler that extracts external links from those pages, with the idea that correct company pages might link to other company pages, and integrates them into the results list. Using this technique in practice, it is possible to identify a lot of web sites hosted (even by third parties) for one company.
During the crawling process not just external links are extracted but all forms, HTTP parameters as well as certain parts of the web content are stored. Thus besides a list, we do have a "mirror" of the web page as well as the forms and dynamic functions that pose an attack surface.
The information collected can then be used as input to special analysis modules. For some of our projects we integrated WAFP (Web Application Finger Printer), SQLMap and other well known tools as well as some other self written fuzzers and fingerprinters into that process. This way the whole process, from identifying web pages belonging to a certain company up to analyzing those for vulnerabilities can be totally automated.
In other words: From zero to owning all of a company’s existing web pages, even the pages not hosted by the company itself, with just a scored keyword list as input.
During our talk we will present our idea as well as our approach of identifying vulnerable web applications that belong to a certain company, based on business data. Furthermore, we will explain how our framework is structured and how it does the searching as well as the vulnerability assessment in an automated way, so everybody who is interested will be able to implement their own version or adapt certain ideas for their projects. Besides just telling you how it could work, we will also present, in a demo, our framework that performs all of the steps described above automatically.
Fabian Mihailowitsch
14:00
00:30
Saal 2
reverse_engineering_usb_devices
Reverse Engineering USB Devices
lecture
en
While USB devices often use standard device classes, some do not. This talk is about reverse engineering the protocols some of these devices use, how the underlying USB protocol gives us some help, and some interesting patterns to look for. I'll also detail the thought processes that went into reverse engineering the Kinect's audio protocol.
This talk will narrate the process of reverse engineering the Kinect audio protocol – analyzing a set of USB logs, finding patterns, building understanding, developing hypotheses of message structure, and eventually implementing a userspace driver.
I'll also cover how the USB standard can help a reverse engineer out, some common design ideas that I've seen, and ideas for the sorts of tools that could assist in completing this kind of task more efficiently.
Drew Fisher
14:30
00:30
Saal 2
a_brief_history_of_plutocracy
A Brief History of Plutocracy
lecture
en
This whistlestop re-telling of world economic history squeezes 12,000 years of history into 18 slides. Its focus is the changing nature of money and the rise of the monied class in US and Europe.
It outlines how the modern system of banking was instituted, how international organising allowed the power of the rich to gradually eclipse that of national governments, how war was managed for profit, and how the super-rich set about using the organs of the state in an effort to secure their position of control.
Robin Upton
Altruist International
16:00
01:00
Saal 2
power_gadgets_with_your_own_electricity
Power gadgets with your own electricity
escape the basement and make the sun work for you
lecture
en
This talk, consisting of five distinct parts, is intended to show the audience how to get electricity without needing a grid connection.
It will give information on
* Which energy sources to use
* What to power with them
* What equipment to get
* How to wire it up
* And some wishful thinking
Participants should be able to assemble their own small-scale energy-generating systems after listening.
Renewable energy isn't for wealthy investors only. You can have it, too.
In this talk we'll show you how to power your own stuff from the sun, wind and other sources of energy.
The talk is divided into 5 different parts:
1. A really short introduction into the available power sources like sun, wind etc. We'll show some pipe-dreams where more hacking is needed to make it work like salt-gradient energy or damming the mediterranean sea.
2. We'll show you how much power you can expect from which source. We'll also show you what affects power output for various technologies (example: Sun needs to be shining for solar power. We'll show you how much sunshine you can expect at your place.)
3. As a follow-up to part 2 we'll show you the amount of power various things need. You can do the math yourself afterwards to see what you can power from your balcony.
4. Building the system, the easy and fully legal way: Build your own independent grid with optional storage. We'll show what you need for a small-scale solar system independent of the power network. Works well for caravans, camping, gardens and allotments. There will be real solar panels on stage. You will see schematics, parts lists and instructions. We'll give some hints on where to acquire the necessary stuff without paying too much.
5. The difficult way: Put your own power into the public grid. We'll show you what you need to do this. This can either make your purse fill up automatically (big installations earning feed-in tariffs) or it can (in theory) make your electricity meter go backwards - but that's not actually allowed. Once the electrical company recognizes what you are doing (and German law requires you to tell them), unfortunately they will install a digital meter. Digital meters will not count backwards like the Ferraris meters do now...
The speakers have built and are operating various small-scale power systems and come from an engineering and commercial background.
Gunnar Thöle
Jörg Dürre
17:15
01:00
Saal 2
bionic_ears
Bionic Ears
Introduction into State-of-the-Art Hearing Aid Technology
lecture
In many social situations being hearing impaired is a serious handicap, not only for elderly people. Today's hearing aids are tiny computers that do a decent job in signal processing. During the last years, the progress in this technology was significant, amongst other things by switching from analog to digital devices. Since this field becomes more and more related to computer technology, there is even more improvement to be expected. In particular, it turns into a more and more interesting playground for hackers.
Unfortunately, we are still quite far away from what was promised as the future in the '70s TV series "The Bionic Woman" [1]. Starting with a brief introduction to audiology, I will present current technical solutions (and political non-solutions) for hearing aids. Besides the hearing aids themselves, there exist a couple of interesting peripheral solutions for specific situations such as using the phone, listening to concerts and talks, or just consuming music with an mp3 player. All these not only enhance the user's life, they also open the door for creative hacks. Although the hearing-aid hacking community is still rather small, I will present some current projects and ideas for future ones.
Info about the talk including (sometime soon ;)) slides: http://www.hackandhear.com
[1] http://en.wikipedia.org/wiki/The_Bionic_Woman
Helga Velroyen
hand and hear
18:30
01:00
Saal 2
time_is_on_my_side
Time is on my Side
Exploiting Timing Side Channel Vulnerabilities on the Web
lecture
Timing side channel attacks are non-intrusive attacks that are still widely ignored in day-to-day penetration testing, although they allow attackers to breach the confidentiality of sensitive information. The reason for this is that timing attacks are still widely considered to be theoretical. In this talk, I present a toolkit for performing practical timing side channel attacks and showcase several timing attacks against real-world systems.
Timing side channels are vulnerabilities in software applications that leak sensitive information about secret values such as cryptographic keys. They differ from common intrusive vulnerabilities such as buffer overflows or SQL injection because the attacker sends normal-looking requests to the server and infers secret information just from the time it took to process the request.
In academia, timing side channel attacks are well researched, especially against cryptographic hardware, but in day-to-day penetration testing, they are still widely ignored. One reason for this is that the timing differences are often small compared to the jitter introduced in networked environments. This makes practical timing side channel attacks challenging, because the actual timing differences blend with the jitter.
In this talk, I will present methods and tools to accurately measure response times despite the jitter in networked environments. I will introduce a programming library that enables penetration testers to accurately measure the response times of requests sent over networks.
Furthermore, I will describe algorithms and statistical filters to reduce the jitter from measurements. For this, I will introduce a reporting tool that takes a dataset with network measurements as input, automatically applies the algorithms and filters, and produces a report with the results. This report enables even novice penetration testers to analyze a response time dataset for timing side channel vulnerabilities.
In the end, I will show that timing side channels are practical by showing several attacks. First, I show how to determine if a given user name is an administrative user in a production installation of the popular CMS Typo3. Second, I show how to determine how many pictures are hidden in a private album of an online gallery. Third, I show how to perform an adaptive chosen-ciphertext attack against implementations of the XML Encryption standard. This attack makes it possible to decrypt any Web Service message whose body was encrypted using XML Encryption, solely by measuring the response time of the Web Service.
Sebastian Schinzel
20:30
01:00
Saal 2
rootkits_in_your_web_application
Rootkits in your Web application
Achieving a permanent stealthy compromise of user accounts with XSS and JS injection attacks.
lecture
en
XSS bugs are the most widely known and commonly occurring Web vulnerability,
but their impact has often been limited to cookie theft and/or simple actions,
such as setting malicious email filters, stealing some data, or
self-propagation via an XSS worm. In this work, I discuss practical approaches
for exploiting XSS and other client-side script injection attacks, and introduce
novel techniques for maintaining and escalating access within the victim's
browser. In particular, I introduce the concept of _resident XSS_ where
attacker-supplied code is running in the context of an affected user's main
application window and describe its consequences. I also draw analogies between
such persistent Web threats and the traditional rootkit model, including
similarities in the areas of embedding malicious code, maintaining access,
stealthy communication with a C&C server, and the difficulty of detecting and
removing attacker-supplied code.
Despite a few high profile cases of XSS worms, most XSS exploitation attempts
have so far been limited to cookie-stealing and executing simple malicious
actions. However, as a consequence of the same-origin policy and a combination
of other browser mechanisms, a single XSS vulnerability can often lead to a
long-term compromise of all of a user's interactions with an affected webapp in
the same browser profile, long after the original bug has been fixed. In
particular, an attacker can maintain access across window/browser closures,
survive cookie and cache deletions, and compromise other user accounts accessed
from the same browser. Yet more troubling is the fact that Web application
authors currently have no means to detect or mitigate such threats once an
attack has taken place.
In the talk I provide an overview of techniques to escalate an XSS into
long-term account compromise, and explore the similarities between such
persistent Web bugs and traditional rootkits. In particular, I:
1) Introduce the concept of _resident XSS_, where malicious JavaScript is
executed in the context of the victim's main application window/tab. Contrary
to the traditional methods of exploiting XSS via a hidden frame or malicious
link which are opened in a separate, usually short-lived window, resident
XSS gives an attacker full freedom to monitor and alter the user's interaction
with the affected application.
2) Describe several techniques to convert various Web bugs into a resident
XSS. Such techniques include backdooring client-side persistent storage
mechanisms (WebSQL, localStorage, Flash LSOs), opening poisoned application
windows with injected malicious scripts, exploiting persistent (self-)XSS and
others.
3) Discuss the consequences of resident XSS, which usually allow the attacker
to get permanent access to an affected user's account and/or obtain the user's
application login credentials. On sensitive domains for which users have
enabled access to additional browser or plugin features (geolocation,
camera/microphone), it can enable persistent snooping on the exploited user. In
a large number of cases it can also enable full compromise of the user's
machine by exploiting the application-user trust relationship (e.g. by
requiring the user to install attacker-supplied plugins to use the affected
webapp, or by hijacking file download links within the vulnerable domain).
4) Analyze the techniques for maintaining access to a once-compromised origin.
In addition to backdooring persistent storage APIs, this can be achieved by
exploiting self-XSS bugs, spawning same-origin pop-unders with references to
the original window, and hiding in frames created by advertising networks on
popular websites. In most cases, a combination of those techniques suffices to
bypass a variety of the most common "cleanup" actions taken by users, and
allows an on-going compromise of the affected origin.
5) Present the difficulties faced by Web application authors when trying to
clean up a compromised origin. Short of wiping/re-creating a browser profile,
there are currently no fully reliable methods to restore a browser's state to a
secure configuration once a malicious script has run in the context of an
affected domain.
I will present the above with concrete examples of vulnerable applications and
a demo.
Artur Janc
21:45
01:00
Saal 2
building_a_distributed_satellite_ground_station_network
Building a Distributed Satellite Ground Station Network - A Call To Arms
Hackers need satellites. Hackers need internet over satellites. Satellites require ground stations. Let's build them!
lecture
en
As proposed by Nick Farr et al. at CCCamp11, we - the hacker community - are in desperate need of our own communication infrastructure. So here we are, answering the call for the Hacker Space Program with our proposal of a distributed satellite communications ground station network: an affordable way to bring satellite communications to a hackerspace near you.
We're proposing a multi-step approach to work towards this goal by setting up a distributed network of ground stations which will ensure a 24/7 communication window - first tracking, then communicating with satellites.
The current state of a proof of concept implementation will be presented.
This is a project closely related to the academic femto-satellite movement, ham radio, Constellation@Home.
The area of small satellites (femto-satellite <0.1 kg up to mini-satellite 100-500 kg) is currently being pushed forward by universities and enables scientific research on a small budget. Gathered data, both scientific and operational, requires communication between satellites and ground stations as well as to the final recipients of the data. One either has to establish one's own transmission stations or rent already existing stations.
The project "distributed ground station" is an extension to the project which will offer, at its final expansion stage, the ability to receive data from satellites and relay it to the final recipients. It is therefore proposed that a world-wide distributed network of antennas be set up, connected via the internet, allowing the forwarding of received signals to a central server which will in turn forward them to further recipients.
Individual antennas will be set up by volunteers (citizen scientists) and partner institutions (universities, institutes, companies).
The core objective of the project is to develop an affordable hardware platform (antenna and receiver) to be connected to home computers, as well as the required software. This platform should enable everyone to receive signals from femto-satellites on a budget and, in doing so, eradicate the black patches where there is currently no ground station to receive the signals of satellites passing overhead.
Emphasis is put on contributions by volunteers and ham radio operators, who can contribute either passively by setting up a receiver station or actively by shaping the project, making it a community-driven effort powered by open-source hardware and applications.
Purposes
The distributed ground stations will enable many different uses.
Using distributed ground stations, one could receive the beacon signals of satellites and triangulate their position and trajectory. It would therefore be possible to determine the Keplerian elements right after the launch of a new satellite without having to rely on infrequent official reports.
Beacon tracking is also not limited to just satellites but can be used to track other objects like weather balloons and aerial drones and record their flight paths.
Additionally, beacon signals (sender ID, time, transmission power) could be augmented with housekeeping data to allow troubleshooting in cases where the main data feed is interrupted. Details regarding the protocol and maximum data packet length are to be defined during the feasibility study phase.
Furthermore, distributed ground stations can be used as "data dumping" receivers. This can be used to reduce the load on the main ground station as well as to distribute data to the final recipients more quickly. The FunCube project, an outreach project to schools, is already using a similar approach.
Another expansion stage would be increasing the bandwidth of the individual receivers.
As a side effect, distributed ground stations could also be used to analyse meteorite scattering and study effects in the ionosphere by having a ground-based sender with a known beacon signal that is reflected off meteorites and/or the ionosphere and in turn received by the distributed ground stations.
Depending on the frequency used, further applications in the field of atmospheric research, e.g. local and regional properties of the air and storm clouds, can be imagined.
Depending on local laws and guidelines, antennas could also be used to transmit signals.
The concept suggests the following expansion stages:
0. Feasibility study for the individual expansion stages
1. Beacon-Tracking and sender triangulation
2. Low-bandwidth satellite-data receiver (up to 10 Kbit/s)
3. High-bandwidth satellite-data receiver (up to 10 Mbit/s)
4. Support for data transmission
Each stage is again split up into sub-projects to deal with hardware and software design and development, prototyping, testing and batch/mass production.
Network
The networking concept demands that all distributed ground stations be connected via the internet. This can be achieved using the Constellation platform. Constellation is a distributed computing project already used for various simulations related to aerospace applications. The system is based on computation power donated by volunteers, which is combined to effectively build a world-wide distributed supercomputer. The software used to do this is BOINC (Berkeley Open Infrastructure for Network Computing), which also offers support for additional hardware to e.g. establish a sensor network.
Another BOINC project is the Quake Catcher Network, which uses acceleration sensors built into laptops or custom USB dongles to detect earthquakes.
Constellation could be enhanced to allow use of the distributed ground station hardware.
Constellation is an academic student group of the DGLR (German aerospace society) at Stuttgart University and is supported by Rechenkraft.net e.V. and Selfnet e.V.
Ham radio and volunteers
Special consideration is given to the ham radio community. Femto-satellites make use of the ham radio bands in the UHF, VHF, and S-Band range.
Ham radio operators should be treated as part of the network. They hold all the knowledge required to operate radio equipment and are also well distributed world-wide.
To also make the system attractive to volunteers, the hardware should be designed in a way that allows manufacturing and distribution on a budget. All designs should also be made public to allow the community to build its own, improved versions of the system. The hardware should be designed to be simple to use correctly and hard to use wrongly.
Supporters
[1] Constellation Platform, aerospaceresearch.net/constellation
[2] shackspace Stuttgart, www.shackspace.de
References
[1] IRS Kleinsatelliten, Universität Stuttgart, kleinsatelliten.de
[2] Constellation Platform, aerospaceresearch.net/constellation
[3] BOINC, Berkeley University, boinc.edu
[4] Quake Catcher Network, qcn.stanford.eu
[5] DGLR Bezirksgruppe Stuttgart, stuttgart.dglr.de
[6] Rechenkraft.net e.V., rechenkraft.net
[7] Selfnet e.V., selfnet.de
Andreas -horn- Hornig
hadez
23:00
01:00
Saal 2
quantified_self_and_neurofeedback_mind_hacking
Quantified-Self and OpenBCI Neurofeedback Mind-Hacking
Transhumanism, Self-Optimization and Neurofeedback for post-modern hackers
lecture
en
Hacking Mind and Body – self knowledge through numbers and mental reprogramming
Since ancient times humans have been trying to improve themselves. Today we have open-source computer technology that helps us.
Can we use Neurofeedback to increase your intelligence? How do we go about answering the question?
Trust the experts... Outsource responsibility?! Maybe not: We create beliefs ourselves without relying on authorities. We gather empiric evidence about changes of our intelligence.
In this talk we will speak about our own experience on going that way. We will also speak about the results of other people in the growing Quantified Self movement.
As hackers we look beyond the obvious and directly apparent, behind the curtain of the rabbit hole we find power to change reality. Let's turn the hacking mindset onto ourselves or shall we say our "Optimized Self". Get an overview of the latest trends in "Quantified Self" Self-Optimization, and mental techniques to level-up the projection of your digital self in the matrix.
Using automated modern computer systems and electronic sensors, we can track the functions and changes of our mind and body and look into the "Mirror of the Digital Self". By analyzing, and finally optimizing, the patterns we find, a new and optimized self can be envisioned, and gradually metamorphosed into, using the scientific method and data mining statistics.
- - - -
Join us in this talk about:
> IQ measurement and lung self-tracking (Christian Kleineidam)
> open-source Bio-Feedback (MeTaVoLuti0N)
> Neurofeedback MindHacking (MeTaVoLuti0N)
Record work, sleep, exercise, diet, mood, mind, iq, brainwave states and changes, and find out when and how you can function best and achieve your goals in post-modern times.
In the second part of the talk MetaMind Evolution will give an overview of the OpenBCI open source brain/body/bio computer-interface project,
and after the event will help with your Brain-Computer-Interface project during workshops in the evening in the HardwareHackingArea.
- - -
Event image is based on GNU and OpenEEG GPL images, and under CC BY-NC-SA 3.0 license.
Christian Kleineidam
MetaMind Evolution
http://www.Open-BCI.org
http://quantifiedself.com/about
http://events.ccc.de/congress/2011/wiki/QuantifiedSelf_OpenBCI_Talk-Event
http://events.ccc.de/congress/2011/wiki/OpenBCI
http://www.MeTa-Mind.de
http://quantified-self.de
00:15
01:45
Saal 3
hacker_jeopardy_translation
Hacker Jeopardy Translation
lecture
en
12:45
02:15
Saal 3
lightning_talks_day_2
Lightning Talks Day 2
other
en
Nick Farr
16:00
01:00
Saal 3
mining_your_geotags
Privacy Invasion or Innovative Science?
Academia, social media data, and privacy
lecture
en
A practical discussion of how potentially revolutionary, yet ethically questionable data, such as that from Facebook, is currently being handled in academia.
With every day that passes, the users of social media websites are providing scientists with ever-richer, larger datasets on human behavior. At the same time, machine-learning techniques allow us to exploit this data to accurately predict who these users are and how they will behave in the future. I begin this talk by outlining the need for public datasets containing rich information on individuals and their social relations. I then show how in practice, distribution and use of such datasets by academics is awkward and confused. I conclude with some consideration of how "enhancing" datasets by, for example, inferring missing or hidden data using machine learning classifiers, creates yet another ethical grey-zone.
Conrad Lee
My blog
17:15
01:00
Saal 3
counterlobbying_eu_institutions
Counterlobbying EU institutions
How to attempt to counter the influence of industry lobbyists and political forces aiming towards increasing control over the Internet
lecture
en
Lessons learned from opposing #censorship #ACTA #censilia #copywrong
and promoting #openness and #netneutrality to the EU institutions.
Strategic and tactical perspectives by two old and tired activists.
The talk will be about how European citizens can empower themselves to change the course of Internet policy making.
Using recent political discussions as an example, Jérémie and Christian will try to explain how to involve yourself in hacking the democratic process on a European level.
Christian Bahls - MOGiS e.V.
Jérémie Zimmermann
18:30
01:00
Saal 3
ein_mittelsmannangriff_auf_ein_digitales_signiergeraet
A Man-in-the-Middle Attack on a Digital Signing Device
Bachelor's thesis in computer science, University of Kiel, summer semester 2011
lecture
de
This work shows how a qualified electronic signature can be forged
by exploiting an unsecured connection between a secure signature creation device
and a user's PC.
In the bachelor's thesis accompanying this talk, I analysed, and attacked, a signature kit from Deutsche Post consisting of a chip card terminal, a chip card and application software. For this purpose a device was built that can be inserted inline into the USB cable and behaves transparently there as long as an attacker does not want to sign any data. The attacker can access the inserted device over radio, deposit data to be signed and collect the signed data. The whole thing exploits an unsecured USB connection between the user's PC and the chip card terminal. Since the signing process is protected by PIN entry, when the simplest Post card is used the attacker unfortunately has to cause an error message to be displayed once, in order to prompt the PIN to be entered again. Exactly how all this is implemented is what you will learn here.
Alexander Koch
20:30
01:00
Saal 3
reverse_engineering_a_qualcomm_baseband
Reverse-engineering a Qualcomm baseband
lecture
en
Despite their wide presence in our lives, baseband chips are still nowadays
poorly known and understood from a system point of view. Some presentations
have highlighted vulnerabilities in GSM stacks across various models of
basebands (cf. 27c3: _All your baseband are belong to us_ by R-P. Weinmann).
However, none of them actually focused on the details of how a baseband
operating system really works. This is the focus of our presentation. From
the study of a simple 3G USB stick equipped with a Qualcomm baseband, we will
discuss how to dump the volatile memory, reverse-engineer the proprietary
RTOS, and ultimately execute and debug code while trying to preserve the
real-time system constraints.
# Introduction #
The following work has resulted from a straightforward observation: security
in the baseband world is something hard to reach. Anyone trying to get into it
is confronted with two obstacles. At the network level, one has to
come to grips with the extremely massive 3GPP specifications. At the system
level, basebands are simply undocumented and closed-source pieces of code
running in embedded chips. Consequently, a baseband is mostly seen as a
black box running code for a terrifyingly complex network stack.
Given the complexity of the involved network protocols, and the fact that
telephony stacks are historically old pieces of code, it is fairly acceptable
to think that vulnerabilities can be found inside basebands. Ralf-Philipp
Weinmann has already demonstrated this claim during the 27C3 event in 2010.
Finding and triggering vulnerabilities in basebands sounds very appealing, but
we have to remember that these are only preliminary steps before the final
exploitation. And for any exploitation to succeed, one has to know the
environment in which the code is currently running. What is the
architecture? What is the operating system? What does the memory look like?
How is the heap structured? Can I safely return to some point and resume the
execution?
For those reasons and out of curiosity, I started exploring the core of a
Qualcomm baseband. The targeted device is the Icon 225 3G USB stick. It
embeds a MSM6280 Qualcomm baseband based on the ARMv5TEJ architecture, plus
two proprietary DSPs. No application processor is present on those USB sticks.
Qualcomm basebands are also notably present on HTC phones.
# Dumping the device memory #
The first step in understanding the baseband code is to manage to get a look
at it. Plugging in the USB stick brings up three serial ports over the USB link.
The first one is used to handle Hayes commands to control the modem. The two
other ones are unknown at first glance. However, I noticed that a little tool
for SIM-unlocking a device made use of one of those serial ports. After
dumping the USB packets, it appeared this serial link actually handles
Qualcomm diagnostic commands. The protocol used is very simple and allows,
at the very least, writing code into a small region of memory and executing it.
Injecting a custom payload allowed me to quickly dump the entire contents of
the memory (32MB). On the ARM architecture, the first piece of code to be
executed is a ROM located at 0xffff0000. Reverse-engineering this primary
bootloader (PBL) gives us the entry point to the secondary bootloader (SBL).
Then disassembling the RAM dump from this address clearly indicates we have
one-to-one physical to virtual memory mapping.
# Reverse engineering the RTOS #
The embedded code inside the baseband is a proprietary operating system from
Qualcomm. The real-time microkernel seems to be called REX, while the
operating system itself is named AMSS.
I have reverse-engineered most of the microkernel primitives, including:
* the scheduler
* the inter-task communication mechanism
* the asynchronous/deferred procedure calls mechanism
* the timers
* the heap memory structure and allocation routines
The kernel implements lightweight processes called tasks. All tasks share the
same virtual address space. MMU is set up at boot time with a virtual to
physical mapping and the first 12MB of memory are marked read-only. NX is not
enabled (thus everything is executable).
Three tasks are created automatically at boot time:
* the idle task
* the DPC task, responsible for dispatching deferred procedure calls
* the main task, responsible for running all the other tasks
When fully started, AMSS is made up of approximately 70 running tasks. They
are dedicated to hardware management (DSP, USB, USIM, Vocoder, ...), network
stacks management for each layer (GSM L1/L2/L3, SMS, RRC, LLC, and so on), and
miscellaneous features (in particular the diagnostic task). Although the USB
stick is only intended to be used for data over 3G, the operating system is a
full-blown baseband supporting all kinds of telephony stacks and features.
The tasks communicate with each other by means of signals and buffer
queues. A command buffer is pushed onto a FIFO queue and a signal is sent to the
task for processing.
Regarding the memory allocation management, the operating system mainly uses
two kinds of heaps. The first heap has a classical _free-block tracking_
structure where tasks can allocate arbitrary memory blocks using the
malloc/free functions. Another kind of heap is also used on top of the former
to represent the memory as a contiguous stream of data that tasks can produce
and consume (suited for network data flow).
# Code execution and debugging #
Static analysis of the whole operating system is possible, but the code is
pretty massive and a lot of interactions between different tasks are involved at
run-time. Since code execution is possible on the device, I investigated
how to dynamically debug system code. I present here the architecture of the
debugger I am currently writing (this is still a work in progress).
The main point is to be able to debug the operating system with the fewest
possible side-effects. In a nutshell, the debugger has to be real-time
compliant as much as possible. For the communication with the debugger, I
decided to reuse the diagnostic task channel over USB by implementing custom
command handlers. The debugger then relies on the GDB server protocol
implemented over the diagnostic channel protocol, itself being over USB.
We have access to the interrupt vectors, and we can put BKPT instructions
anywhere as well (everything is running in ARM supervisor mode and we can
disable the MMU if necessary). If the exception address is a watchpoint, we
dump the state of registers and stack, and set up a DPC to notify the
debugger of the event. Then execution is immediately resumed. If the exception
address is a breakpoint, then we set up a DPC for the debugger and put the
task into a wait state allowing other tasks to be immediately scheduled. The
execution for the waiting task can be resumed by the debugger by sending it a
special signal.
The debugger makes use of its own separate heap and queue at a high
address, so as not to interfere with other operating system tasks while processing
debug events.
Of course some tasks will need to run code at precise times, especially
those at the lowest layers, so specific care has to be taken not to put
breakpoints that would possibly break the RF processing.
ARMv5 has no native support for single-stepping the code. Single-step is
implemented by predicting the next PC address and putting a breakpoint at it.
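The next-PC prediction that such a software single-step relies on, as an added example in Python (not code from the talk or from the debugger it describes): it evaluates the condition field against CPSR, follows B/BL immediates with the PC+8 pipeline offset and BX register branches, and refuses to guess for other writes to r15 so that no temporary breakpoint is ever planted at a wrong address. The instruction words and register values are constructed for the example.

```python
"""Next-PC prediction for single-stepping ARM (A32) code on ARMv5.

Added example, not the debugger's own code. ARMv5 has no hardware
single-step, so the debugger predicts where the instruction at PC will
transfer control and plants a temporary breakpoint there. Modelled here:
condition codes against CPSR, B/BL immediates (PC+8 offset), BX to a
register (Thumb bit checked) and plain fallthrough. Other r15 writes
(LDR pc, LDM {...,pc}, MOV pc, ...) raise NotImplementedError instead
of returning a guess.
"""
from dataclasses import dataclass, field

MASK32 = 0xFFFFFFFF
N_FLAG, Z_FLAG, C_FLAG, V_FLAG = 1 << 31, 1 << 30, 1 << 29, 1 << 28


@dataclass
class CpuState:
    """Register view captured by the debugger's exception handler (constructed)."""
    pc: int                         # address of the instruction being stepped
    cpsr: int = 0
    regs: list = field(default_factory=lambda: [0] * 16)


def cond_passed(cond: int, cpsr: int) -> bool:
    """Evaluate the 4-bit condition field against the CPSR NZCV flags."""
    n, z = bool(cpsr & N_FLAG), bool(cpsr & Z_FLAG)
    c, v = bool(cpsr & C_FLAG), bool(cpsr & V_FLAG)
    table = {
        0x0: z, 0x1: not z,                   # EQ, NE
        0x2: c, 0x3: not c,                   # CS, CC
        0x4: n, 0x5: not n,                   # MI, PL
        0x6: v, 0x7: not v,                   # VS, VC
        0x8: c and not z, 0x9: (not c) or z,  # HI, LS
        0xA: n == v, 0xB: n != v,             # GE, LT
        0xC: (not z) and n == v,              # GT
        0xD: z or n != v,                     # LE
        0xE: True,                            # AL
    }
    return table[cond]


def _sext24(imm24: int) -> int:
    """Sign-extend the 24-bit branch immediate."""
    return imm24 - (1 << 24) if imm24 & (1 << 23) else imm24


def _writes_pc(insn: int) -> bool:
    """Heuristic: does this non-branch instruction have r15 as its destination?"""
    rd = (insn >> 12) & 0xF
    top = (insn >> 26) & 0x3
    if top == 0b00:                                   # data-processing space
        misc = ((insn >> 23) & 0x3) == 0b10 and not (insn & (1 << 20))  # MSR/MRS/BKPT...
        opcode = (insn >> 21) & 0xF
        return rd == 15 and not misc and opcode not in (8, 9, 10, 11)  # TST/TEQ/CMP/CMN
    if top == 0b01:                                   # single load/store
        return bool(insn & (1 << 20)) and rd == 15    # LDR pc, [...]
    if ((insn >> 25) & 0x7) == 0b100:                 # LDM/STM
        return bool(insn & (1 << 20)) and bool(insn & (1 << 15))  # LDM with pc in list
    return False


def predict_next_pc(insn: int, st: CpuState) -> tuple:
    """Return (breakpoint address, reason) for the instruction word `insn` at st.pc."""
    cond = insn >> 28
    fallthrough = (st.pc + 4) & MASK32
    if cond == 0xF:
        raise NotImplementedError("unconditional instruction space (BLX imm, PLD, ...)")
    if not cond_passed(cond, st.cpsr):
        return fallthrough, "condition failed"
    if ((insn >> 25) & 0x7) == 0b101:                 # B / BL
        offset = _sext24(insn & 0xFFFFFF) << 2
        return (st.pc + 8 + offset) & MASK32, "B/BL taken"   # target is relative to PC+8
    if (insn & 0x0FFFFFF0) == 0x012FFF10:             # BX Rm
        rm = insn & 0xF
        target = (st.pc + 8) if rm == 15 else st.regs[rm]
        if target & 1:
            raise NotImplementedError("BX switches to Thumb state")
        return target & 0xFFFFFFFC, "BX taken"
    if _writes_pc(insn):
        raise NotImplementedError("PC written by non-branch instruction 0x%08x" % insn)
    return fallthrough, "sequential"
```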
# Notes and further thoughts #
Information about the code execution environment on basebands is clearly
lacking in the literature. Unlike previous presentations on the
same topic, this presentation focuses on the details of a proprietary baseband
operating system, in this case Qualcomm's. I intend to give a demonstration of
the debugger during the presentation, and to release the source code later on.
Future areas of work may include a study of the proprietary DSPs and the
possibility to locally _fuzz_ the baseband without using a base station.
Guillaume Delugré
21:45
01:00
Saal 3
post_memory_corruption_memory_analysis
Post Memory Corruption Memory Analysis
Automating exploitation of invalid memory writes
lecture
en
Pmcma is a tool aimed at automating the most time-consuming tasks of
exploitation. For instance, it determines why an application is triggering
a segmentation fault, evaluates whether the faulting instruction can be used
to write to memory or execute arbitrary code, and lists all the function
pointers potentially called from a given point in time by an application.
Pmcma is a totally new kind of debugger, which allows for easy
experimentation with a process in memory by forcing it to fork. The
exact replicas of the process created in memory can then be instrumented
while keeping the properties (e.g. state of variables, ASLR,
permissions...) of the original process.
Pmcma is an easily extensible framework available under the Apache 2.0
license from http://www.pmcma.org/ .
In this presentation, we introduce a new exploitation methodology for
invalid memory reads and writes, based on dataflow analysis after a
memory corruption bug has occurred inside a running process.
We will expose a methodology which shall help in writing a reliable
exploit out of a PoC triggering an invalid memory write, in the presence of
security defense mechanisms such as compiler enhancements (full RELRO,
SSP...) or kernel anti-exploitation features (ASLR, NX...).
We will demonstrate how to: find all the function pointers inside a
running process, determine which ones would have been
dereferenced after the crash, and which ones are truncatable (in particular
with 0x00000000). In case all of the above fail, how to test for
specific location overwrites in order to indirectly trigger a second
vulnerability allowing greater control and eventually control flow
hijacking. All of the above without source code, indeed ;)
In the case of invalid memory reads, we will show how to indirectly
influence the flow of execution by reading arbitrary values, how
to trace all unaligned memory accesses, and how to test whether an invalid
read can be turned into an invalid write or used to infer the mapping
of the binary.
We will also introduce a new debugging technique which allows for very
effective testing of all of the above by forcing the debugged process to
fork(). Automatically. And with a rating of the best read/write location
based on probabilities of mapping addresses (because of ASLR).
Finally, since overwriting function pointers doesn't allow direct
shellcode execution because of W^X mappings, we introduce a new
exploitation technique which works even in the most hardcore kernels
such as grsecurity. It is called "stack desynchronization" and allows
frame faking inside the stack itself.
These techniques are implemented in the form of a proof-of-concept tool
available under the Apache 2.0 license at http://www.pmcma.org/ .
endrazine
Pmcma's address
23:00
01:00
Saal 3
crowdsourcing_genome_wide_association_studies
Crowdsourcing Genome Wide Association Studies
Freeing Genetic Data from Corporate Vaults
lecture
en
It was only a couple of years ago that generating genetic information about individuals was expensive and laborious work. Modern techniques have drastically cut cost and time needed to get an insight into one's genome and have ultimately led to the formation of personal genetics companies – like 23andMe, deCODEme and others – that now offer direct-to-customer genetic testing. With a price tag of those tests starting at about 100 €, the number of people that do such tests is on the rise. By now, 23andMe alone has over 100.000 paying customers, with over 60.000 of them willing to donate their genetic data and to actively participate in research projects by filling out surveys, e.g. on their medical histories. This has resulted in a high-quality dataset with genetic information of 60.000 individuals. The best part: The data has already been paid for by the participants in the research.
Who would not love to get their hands on data like this? Unfortunately, the data sits locked away in corporate vaults, inaccessible to interested (citizen) scientists. But what if we could change this?
We've created openSNP, a central, open source, free-to-use repository which lets customers of genotyping companies upload their genotyping data and annotate them with phenotypes. OpenSNP provides its users with the latest scientific research on their genotypes and lets scientists download annotated genotypes to make science more open.
Companies that perform Direct-To-Customer (DTC) genetic tests have now been around for about six years, with 23andMe – founded in 2006 – and deCODEme being two of the oldest companies on the market. Their customers receive a test tube via mail, spit into this tube and send it back to their DTC company to get their genetic information analyzed. The tests performed by DTC companies do not utilize the more famous DNA sequencing, but rely on faster and cheaper DNA microarrays instead.
Microarrays screen for around 1 million genetic markers, called Single Nucleotide Polymorphisms (SNPs). A SNP is a genomic variation where a single base differs at one site between members of a population. Usually a SNP has only two alleles (variants) and occurs with a frequency of at least 1% in the population. Spread over the whole human genome, each of us carries around 10 million variable sites, of which 10% are covered by DTC companies. Because of their uniqueness, SNPs can be used as markers associated with certain conditions. For example, there are variations of SNPs that are associated with elevated risks of developing breast cancer or Alzheimer’s. Other SNPs can be used to predict how a person metabolizes chemicals or drugs.
23andMe uses the results of consenting customers to perform their own genome wide association studies (GWAS). Those studies check for statistical differences between different groups. In a simple example one could have a group that is known to have Alzheimer’s and a control group that does not have Alzheimer’s. Given enough participants, one can then look for genetic variants that are over- or underrepresented in one of the groups. The variants that are found by this method can then be used as predictors for Alzheimer’s.
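The case/control comparison sketched above, as an added example in Python (not openSNP's code): for each SNP it counts the two alleles in cases and in controls, builds a 2x2 table and computes a Pearson chi-square statistic, flagging alleles that are over- or underrepresented in one group. The genotype tables are constructed for the example, and the simple rsid-to-genotype layout is an assumption rather than any company's export format.

```python
"""Allelic case/control association test over constructed SNP genotypes.

Added example, not code from openSNP. One chi-square test per SNP on the
2x2 table (allele 1 / allele 2 x cases / controls), which is the simplest
form of the group comparison a GWAS performs.
"""
from collections import Counter

# Constructed data: rsid -> list of genotypes, one two-letter string per person.
# "--" marks a no-call (missing reading) and is skipped.
CASES = {
    "rs100": ["AA", "AG", "AA", "AA", "AG", "AA", "AA", "AG", "AA", "AA"],
    "rs200": ["CT", "CC", "TT", "CT", "CC", "TT", "CT", "CT", "CC", "TT", "--"],
}
CONTROLS = {
    "rs100": ["GG", "AG", "GG", "AG", "GG", "GG", "AG", "GG", "GG", "AG"],
    "rs200": ["CT", "TT", "CC", "CT", "CT", "CC", "TT", "CT", "CC", "TT"],
}

CHI2_1DF_P05 = 3.841   # chi-square critical value, 1 degree of freedom, p = 0.05


def allele_counts(genotypes):
    """Count alleles (two per person) and ignore no-calls or malformed entries."""
    counts = Counter()
    for g in genotypes:
        if len(g) != 2 or any(base not in "ACGT" for base in g):
            continue
        counts.update(g)
    return counts


def chi_square_2x2(a, b, c, d):
    """Pearson chi-square for the table [[a, b], [c, d]], no continuity correction."""
    n = a + b + c + d
    denom = (a + b) * (c + d) * (a + c) * (b + d)
    if denom == 0:
        return 0.0          # a row or column is empty: nothing to compare
    return n * (a * d - b * c) ** 2 / denom


def associate(cases, controls):
    """Return per-SNP allele tables and chi-square statistics for the biallelic SNPs."""
    results = {}
    for rsid in cases.keys() & controls.keys():
        ca, co = allele_counts(cases[rsid]), allele_counts(controls[rsid])
        alleles = sorted(set(ca) | set(co))
        if len(alleles) != 2:
            continue        # monomorphic or multi-allelic site: skip
        a1, a2 = alleles
        stat = chi_square_2x2(ca[a1], ca[a2], co[a1], co[a2])
        results[rsid] = {
            "alleles": (a1, a2),
            "cases": (ca[a1], ca[a2]),
            "controls": (co[a1], co[a2]),
            "chi2": stat,
            "significant": stat > CHI2_1DF_P05,
        }
    return results


if __name__ == "__main__":
    for rsid, r in sorted(associate(CASES, CONTROLS).items()):
        print(rsid, r["alleles"], r["cases"], r["controls"],
              "chi2=%.2f" % r["chi2"], "significant" if r["significant"] else "")
```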
We feel that research projects all over the world and science in general would benefit from a rich, freely available source of linked, genetic data. And although genome wide association studies need a minimum number of participants to be able to find significant variations, it is not necessary to have 30.000 participants in your study. There are many publications with significant results with a total number of participants of less than 5000 individuals. Given the current number of 23andMe customers, one only needs 5 % of them to participate in freely sharing their genetic information together with basic information on some medical conditions or other variations to reach the critical mass to be able to perform simple association studies! While many people have already started to publish their results on GitHub et al. and movements like DIYBio are starting to take off, there are no real efforts to create a repository to centrally collect this kind of data.
But what if one could create an open platform to collect this kind of linked data? Is it possible to perform crowd-sourced association studies to create new knowledge about our genes? With the creation of openSNP we have tried (and are still trying) to find out.
Bastian Greshake
Philipp Bayer
openSNP project website
openSNP blog
Delicious link dump on personal genomics
00:15
01:30
Saal 1
neue_leichtigkeit
"Neue Leichtigkeit"
when unconditional artistic freedom happens
other
de
Despite the vast new possibilities that new media offer to artists, musicians and composers, regulatory authorities and governments are curtailing the freedom of creative minds by introducing new laws, filters and limitations. Using the example of "Europa: Neue Leichtigkeit", the immanence of unconditional artistic freedom in creativity is brought to the audience.
Artistic freedom -
Using the example of a young band, formed by musicians and composers, the misguidance of the copyright industry, imposing their values onto media society, is brought to you in form of a musical performance.
New Airiness (neue Leichtigkeit) -
The expression "new airiness" is obviously an analogy to the music of "new objectivity". Kurt Weill's programmatic statement "In our music we want to give the voice to the man of our days, and he should speak to many." is underlined by new airiness. If we want to achieve this, our music has to be different, because the humans and the time have changed. One of the key stylistic elements therefore is reaction. The first step in composition is the adaptation of well-known and accepted song structures. Airiness manifests itself in the incoherent manipulation of existing song material. - In an unusual way "Europa: Neue Leichtigkeit" comments on the crisis of post-modern society with seemingly simple love songs.
Gala of the Neue Leichtigkeit - How EUROPA hacks 'Glanz & Gloria'
I. Even in the 21st century, the gala is and remains an important instrument for keeping consumer society in good spirits. Pop stars are staged as icons, values such as beauty, glamour and money are conveyed, and emotions are given free rein on the endless racetrack of profit. The gala is the mass and mystery play of capitalism. In liturgical form it channels the irrational desires of the masses into the regulated paths of the system. (That the attempt to monopolise and restrict artistic freedom by means of © is analogous to the Roman Catholic standardisation of the liturgy in late antiquity, and thus of a faith that is free in itself, is mentioned here only in passing.)
II. A gala follows patterns. There are codes of behaviour and dress codes; formulas that are to be followed. Hence every gala can also be hacked. Whoever hacks into a gala can play with it, make nonsense of it, or even inflict serious damage on it. (In a similar way cc hacks the © system, since it confronts the privation of the intellectual with the freedom of the mind.)
III. Accordingly, the Neue Leichtigkeit tries to crack the codes of the gala. EUROPA mimetically appropriates the gestures of the Schlager stars. Once this has succeeded, the fragility of the propagated values is made palpable by means of alienation. As a counter-myth to the exclusivity of Glanz & Gloria, the Neue Leichtigkeit celebrates a public elegance that enables direct dialogue between society and the individual. By transgressing the limits of pop language, their limitedness is made the topic. (This also raises the question of the legitimacy of symbols with religious connotations in the context of pop culture. They should become common property and no longer be bound to a monopolised authority; [you are] your own personal Jesus.)
Alex Antener
Amelie Boehm
Andrin Uetz
Jonas Bischof
ruedi tobler
Samuel Weniger
Europa: Neue Leichtigkeit
Offizielle Webseite "Neue Leichtigkeit"
Teaser Neue Leichtigkeit
11:30
02:15
Saal 1
jahresrueckblick_2011
Annual Review (Jahresrückblick)
lecture
Hardly has it begun and it is already over again: the year 2011. So it is once more time for the review of technology research and nerd lobbying from a hacker's perspective, which of course never comes without an outlook.
The CCC looks back on an eventful year, and it is not a look back in anger. The year-end team will summarise and comment on the technical and political focal points in a snappy way. The CCC's spokespeople report on activities, topics, events, talks, records and public relations as well as other happenings in the Chaos Computer Club over the past year. Whether the membership fees are thus well invested is something everyone should judge for themselves.
Andreas Bogk
Constanze Kurz
Erdgeist
Frank Rieger
14:00
01:00
Saal 1
bitcoin_an_analysis
Bitcoin - An Analysis
lecture
Bitcoin is the first distributed, digital currency.
It has received a lot of attention recently as it questions
the state monopoly on issuing legal tender. It relies
on distributed proof-of-work concepts to ensure
money-like characteristics.
The existence and potential widespread use of such
a distributed, non-centralized, non-regulated currency
questions the ability of governments to control the money supply,
issue debt, and tax their populace.
Transactions in bitcoin form a publicly accessible network of
economic relations, which can be extracted from the transaction
history available to all users in the P2P-network of bitcoin.
Using re-identification algorithms it is possible to attack
the proposed anonymity of users. While this is already an
interesting security issue, the insight into a real-world
economic experiment allows, for the first time, an empirical
test of community structures in such social networks, which
is definitely more substantial than the "I like" network
on Facebook and the like.
In this presentation, we show results on network analysis
of the money flow, the behavior of individuals, and the overall
scalability of P2P-currencies. At the same time we will
discuss advanced "financial instruments" that one might
find in the transactions.
Kay Hamacher
Stefan Katzenbeisser
15:15
01:00
Saal 1
kinectfusion
KinectFusion
Real-time 3D Reconstruction and Interaction Using a Moving Depth Camera
lecture
en
This project investigates techniques to track the 6DOF position of handheld depth sensing cameras, such as Kinect, as they move through space and perform high quality 3D surface reconstructions for interaction.
While depth cameras are not conceptually new, Kinect has made such sensors accessible to all. The quality of the depth sensing, given the low-cost and real-time nature of the device, is compelling, and has made the sensor instantly popular with researchers and enthusiasts alike.
The Kinect camera uses a structured light technique to generate real-time depth maps containing discrete range measurements of the physical scene. This data can be reprojected as a set of discrete 3D points (or point cloud). Even though the Kinect depth data is compelling, particularly compared to other commercially available depth cameras, it is still inherently noisy. Depth measurements often fluctuate and depth maps contain numerous ‘holes’ where no readings were obtained.
To generate 3D models for use in applications such as gaming, physics, or CAD, higher-level surface geometry needs to be inferred from this noisy point-based data. One simple approach makes strong assumptions about the connectivity of neighboring points within the Kinect depth map to generate a mesh representation. This, however, leads to noisy and low-quality meshes. As importantly, this approach creates an incomplete mesh, from only a single, fixed viewpoint. To create a complete (or even watertight) 3D model, different viewpoints of the physical scene must be captured and fused into a single representation.
This talk presents a novel interactive reconstruction system called KinectFusion. The system takes live depth data from a moving Kinect camera and, in real time, creates a single high-quality, geometrically accurate, 3D model. A user holding a standard Kinect camera can move within any indoor space, and reconstruct a 3D model of the physical scene within seconds. The system continuously tracks the 6 degrees-of-freedom (DOF) pose of the camera and fuses new viewpoints of the scene into a global surface-based representation. A novel GPU pipeline allows for accurate camera tracking and surface reconstruction at interactive real-time rates.
We demonstrate core uses of KinectFusion as a low-cost handheld scanner, and present novel interactive methods for segmenting physical objects of interest from the reconstructed scene. We show how a real-time 3D model can be leveraged for geometry-aware augmented reality (AR) and physics-based interactions, where virtual worlds more realistically merge and interact with the real.
Placing such systems into an interaction context, where users need to dynamically interact in front of the sensor, reveals a fundamental challenge – no longer can we assume a static scene for camera tracking or reconstruction. We illustrate failure cases caused by a user moving in front of the sensor. We describe new methods to overcome these limitations, allowing camera tracking and reconstruction of a static background scene, while simultaneously segmenting, reconstructing and tracking foreground objects, including the user. We use this approach to demonstrate real-time multi-touch interactions anywhere, allowing a user to appropriate any physical surface, be it planar or non-planar, for touch.
David Kim
project page
17:15
01:00
Saal 1
cellular_protocol_stacks_for_internet
Cellular protocol stacks for Internet
GPRS, EDGE, UMTS, HSPA demystified
lecture
en
Almost everyone uses the packet-oriented transmission modes of cellular networks. However, unlike TCP/IP, Ethernet and Wifi, not many members of the hacker community are familiar with the actual protocol stack for those services.
This talk aims to give an in-depth explanation of how the lower-layer protocols on the air and wired interfaces
for packet data services in cellular networks are structured.
For 2.5/2.75G, this includes RLC/MAC, NS, BSSGP, LLC, SNDCP and GTP.
For 3G/3.5G, this includes RRC, RLC, PDCP, NBAP and RANAP.
Harald Welte
OpenBSC project (includes OsmoSGSN)
http://
18:30
01:00
Saal 1
implementation_of_mitm_attack_on_hdcp_secured_links
Implementation of MITM Attack on HDCP-Secured Links
A non-copyright circumventing application of the HDCP master key
lecture
A man-in-the-middle attack on HDCP-secured video links is demonstrated. The attack is implemented on an embedded Linux platform, with the help of a Spartan-6 FPGA, and is capable of operating in real time on HD video links. It utilizes the HDCP master key to derive the corresponding private keys of the video source and sink through observation of and computation upon the exchanged public keys. The man-in-the-middle then genlocks its raster and cipher state to the incoming video stream, enabling it to do pixel-by-pixel swapping of encrypted data. Since the link does no CRC or hash verification of the data, one is able to forge video using this method.
Significantly, the attack enables forging of video data without decrypting original video data, so executing the attack does not constitute copyright circumvention. Therefore, this novel and commercially useful application of the HDCP master key impairs equating, in a legal sense, the master key with circumvention. Finally, the embodiment of the exploit is entirely open-source, including the hardware and the Verilog implementation of the FPGA.
BACKGROUND & CONTEXT
In September 2010, the HDCP master key was circulated via Pastebin. Speculation ensued around the application of the master key to create HDCP strippers, which would enable the circumvention of certain copyright control mechanisms put in place around video links. Unfortunately, this is a legally risky application, for a number of reasons, including potential conflicts with DMCA legislation that criminalizes the circumvention of copyright control mechanisms.
This talk discloses a new use for the HDCP master key that side-steps some of the potential legal issues. This hack never decrypts video; without decryption, there is no circumvention, and as a result the DMCA cannot apply to this hack. Significantly, by demonstrating a bona-fide commercially significant purpose for the HDCP master key that does not circumvent an access control measure, this hack impairs the equating of trafficking or possession of the HDCP master key to circumvention and/or circumvention-related crimes.
The main purpose of this hack is to enable the overlay of video content onto an HDCP-encrypted stream. The simple fact that a trivial video overlay becomes an interesting topic is illustrative of the distortion of traditional rights and freedoms brought about by the DMCA. While the creation of derivative works of video through dynamic compositing and overlay (such as picture in picture) seems intuitively legal and natural in a pre-HDCP world, the introduction of HDCP made it difficult to build such in-line equipment. The putative role of HDCP in the digital video ecosystem is to patch the plaintext hole in the transmission of otherwise encrypted video from shiny disks (DVDs, BDs) to the glass (LCD, CRT). Since the implementation of video overlay would typically require manipulation of plaintext by intermediate processing elements, or at least the buffering of a plaintext frame where it can be vulnerable to readout, the creation of such devices has generally been very difficult to get past the body that controls the granting of HDCP keys, for fear that they can be hacked and/or repurposed to build an HDCP stripper. Also, while a manufacturer could implement such a feature without the controlling body's blessing, they would have to live in constant fear that their device keys would be revoked.
While the applications of video overlay are numerous, the basic scenario is that while you may be enjoying content X, you would also like to be aware of content Y. To combine the two together would require a video overlay mechanism. Since video overlay mechanisms are effectively banned by the HDCP controlling organization, consumers are slaves to the video producers and distribution networks, because consumers have not been empowered to remix video at the consumption point.
The specific implementation of this hack enables the overlay of a WebKit browser over any video feed; a concrete example of the capability enabled by this technology is the overlay of twitter feeds as "news crawlers" across a TV program, so that one may watch community commentary in real-time on the same screen. While some TV programs have attempted to incorporate twitter feeds into the show, the incorporation has always been on the source side, and as such users are unable to pick their hashtags. Now, with this hack, the same broadcast program (say, a political debate) can have a very different viewing experience based on which hashtag is keyed into the viewer's twitter crawler.
TECHNICAL IMPLEMENTATION
A Spartan-6 FPGA was used to implement a TMDS-compatible source and sink. TMDS is the signaling standard used by HDMI and DVI. The basic pipeline within the FPGA deserializes incoming video and reserializes it to the output. In this trivial mode, it is simply a signal amplifier for the video.
In order to enable the overlay of a WebKit browser, an 800 MHz ARM-based Linux computer is connected to the FPGA. The Linux computer is based upon the PXA168 by Marvell, and it features 128 MB of DDR2 and a microSD card for firmware. The distribution is based upon Angstrom and it is built using OpenEmbedded with the help of buildbot. The entire build system for the Linux computer is available through a public EC2 cloud image that anyone can copy and rent from Amazon.
From the Linux computer's standpoint, the FPGA emulates a parallel RGB LCD, and thus from the programming standpoint looks simply like a framebuffer at /dev/fb0. There is also a device management interface revealed through I2C that is managed using the standard Linux I2C driver. The I2C management interface handles routine status requests, such as reading the video timing and PLL state, and also handles reading out sections of snooping buffers, the significance of which will be discussed later. The FPGA also has a chroma-key feature where a magic color (240,0,240) is remapped to "transparent".
The FPGA itself is bootstrapped through a programming interface where the device’s compiled bitstream is sent to the FPGA by writing to /dev/fpga. There are also IOCTLs available on /dev/fpga that enable other meta-level functions such as resetting the FPGA or querying its configuration state.
In addition to passing through the TMDS signal, the FPGA also has the ability to listen to *and* manipulate the DDC. The DDC is an I2C link found on HDMI cables that enables the reporting of monitor capability records (EDIDs) and also is the medium upon which the key exchange happens. Therefore, being able to listen to this passively is of great importance to the hack. The FPGA implements a "shadow-RAM" which records all reads and writes to specific addresses that fall within the expected address ranges for EDID and HDCP transactions.
The FPGA also implements a "squash-RAM" which is used to override bits on the I2C bus. Since I2C is an open collector standard, overriding a 1 to a 0 is trivial; but, overriding a 0 to a 1 requires an active pull-up. The hardware implements a beefy FET on the DDC to enable overriding 0's to 1's. The DDC implementation uses a highly oversampled I2C state machine. I2C itself only runs at 100 kHz, but the state machine implementation runs at 26 MHz. This allows the state machine to determine the next state of the I2C bus and decide to override or allow the transaction on-the-fly. The "squash-RAM" feature is used to override the EDID negotiation such that the video source is only informed of modes that the FPGA implementation can handle. For example, this implementation cannot handle 3D TV resolutions, so the reporting of such capabilities from the TV is squashed before it can get to the video source. This causes the source to automatically limit its content to be within the hardware capabilities of the FPGA, and to be within the resolutions that are supported by the WebKit UI.
The key exchange on HDCP consists of three pieces of data being passed back and forth: the source public key (Aksv), the sink public key (Bksv), and a piece of shared state (An). The order in which these are written is well-defined. The completion of the transfer of the final byte of Aksv serves as a trigger to initialize the cipher states of the source and the sink. During this time period, each device computes the dot-product of the other device's KSV with their internal private key (which is a table of forty 56-bit numbers) and derives a shared secret, known as Km. This is basically an implementation of Blom's Scheme.
In order to implement the man-in-the-middle attack, the three pieces of data are recorded, and the authentication trigger is passed from the FPGA to the Linux computer through a udev event. udev triggers a program that reads the KSVs from the snoop memory and performs a computation upon the HDCP master key and the KSVs to derive private key vectors that mirror those found in the source and sink devices. In a nutshell, the computation loops through the 40x40 matrix of the HDCP master key and, wherever the KSV has a 1 at a particular bit position, sums the corresponding 40-entry row or column of the master key into the 40-entry private key vector. Whether rows or columns are used depends on whether the KSV belongs to a source or a sink.
Once the private key vectors have been derived, they can be multiplied in exactly the same fashion as in the source or sink to derive the shared secret, Km.
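The derivation described in the two paragraphs above, written out as an added example (this is not the NeTV's code). The 40x40 matrix of 56-bit entries is generated at random here and is not the leaked HDCP master key; the 40-bit KSVs with exactly 20 bits set, the row/column split between source and sink, and arithmetic modulo 2^56 follow the text. The point it shows is that Km depends only on the master matrix and the two public KSVs that cross the DDC, so a listener holding the matrix reaches the same Km as both licensed endpoints without any device secret.

```python
"""Toy Blom-scheme model of HDCP 1.x Km derivation (added example).

The master matrix below is constructed at random; it is NOT the leaked
HDCP master key.  Sizes follow the talk text: 40x40 matrix of 56-bit
entries, 40-bit KSVs, sums taken mod 2**56.
"""
import random

N = 40          # matrix dimension == KSV width
MOD = 1 << 56   # entries, private key words and Km are 56-bit


def make_master(seed=1):
    """Constructed stand-in for the master key: 40x40 random 56-bit entries."""
    rng = random.Random(seed)
    return [[rng.getrandbits(56) for _ in range(N)] for _ in range(N)]


def make_ksv(seed):
    """A KSV is 40 bits of which exactly 20 are set (as in HDCP 1.x)."""
    rng = random.Random(seed)
    return sum(1 << b for b in rng.sample(range(N), 20))


def valid_ksv(ksv):
    return 0 <= ksv < (1 << N) and bin(ksv).count("1") == 20


def ksv_bits(ksv):
    return [i for i in range(N) if ksv >> i & 1]


def private_key(master, ksv, is_source):
    """What a licensed device holds: 40 x 56-bit words, the sum of the rows
    (source) or columns (sink) of the master matrix selected by the KSV bits.
    This is exactly the computation the MITM repeats from the snooped KSV."""
    key = [0] * N
    for i in ksv_bits(ksv):
        for j in range(N):
            entry = master[i][j] if is_source else master[j][i]
            key[j] = (key[j] + entry) % MOD
    return key


def shared_secret(private, other_ksv):
    """Km: dot product of own private key with the other side's KSV bits."""
    return sum(private[j] for j in ksv_bits(other_ksv)) % MOD


def mitm_km(master, aksv, bksv):
    """The listener sees only Aksv and Bksv on the DDC.  With the master
    matrix it rebuilds both private keys and hence the Km each side will
    load into its cipher; the two computations must agree."""
    a_priv = private_key(master, aksv, is_source=True)
    b_priv = private_key(master, bksv, is_source=False)
    km_source_side = shared_secret(a_priv, bksv)
    km_sink_side = shared_secret(b_priv, aksv)
    assert km_source_side == km_sink_side
    return km_source_side


if __name__ == "__main__":
    master = make_master()
    aksv, bksv = make_ksv(2), make_ksv(3)
    print("Aksv=%010x Bksv=%010x Km=%014x" % (aksv, bksv, mitm_km(master, aksv, bksv)))
```

Note that the row/column convention makes the two sides agree even if the matrix is not symmetric: the source sums rows i in Aksv, the sink sums columns j in Bksv, and both end up with the sum of M[i][j] over i in Aksv, j in Bksv. Km is fixed for a given (Aksv, Bksv) pair, which is why the NeTV can cache it across re-authentications.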
This shared secret, Km, is then written into the FPGA's HDCP engine, and the cipher state is ready to go. In practice, the entire computation can happen in real-time, but some devices go faster or slower than others, so it is hard to guarantee it always completes in time, particularly with the variable interrupt latency of the udev handler. As a result, the actual link negotiation caches the value of Km from previous authentications, and the udev event primarily verifies that Km hasn't changed (note that for each given source and sink pair, Km is static and never changes, so unless users are pulling cables out and swapping them between devices, Km is essentially static). If the Km has changed, it updates the Km in the FPGA and forces a 150ms hot plug event, which re-initiates the authentication, thereby making the transaction fairly reliable yet effectively real-time.
Significantly, this system as implemented is incapable of operating without having the public keys provided by both the source and the sink. This means that it cannot "create" an HDCP link: this implementation is not an operational HDCP engine on its own. Rather, it requires the user of this overlay hack to "prove" it has previously purchased a full HDCP link through evidence of valid public keys. This “proof of purchase” exhausts the proprietary rights to the link associated with first sale doctrine.
Once the FPGA's HDCP cipher state is matched to the video source's cipher state, one can now selectively encrypt different pixels to replace original pixels, and the receiver will decrypt all without any error condition. This is because encryption is done on a pixel by pixel basis and the receiver does little in the way of verification. The lack of link verification is in fact quite intentional and necessary. The natural bit error rate of HD video links is atrocious; but this is acceptable, because the human eye probably won't detect bit errors even on the level of 1 in every 10,000 bits (at high error rates, users see a “sparkle” or “snow” on the screen, but largely the image is intact). Therefore, this latitude in allowing pixel-level corruption is necessary to keep consumer costs low; otherwise, much higher quality cables would be required along with FEC techniques to achieve a bit error rate that is compatible with strict cryptographic verification techniques such as full-frame hashing.
The selection of which pixel to swap is done by observing the color of the overlay's video. The overlay video is not encrypted and is generated by the user, so there is no legal violation to look at the color of the overlay video. Note that other pixel-combining methods, such as alpha blending, would necessitate the decryption of video. If the overlay video matches a certain chroma key color, the incoming video is selected; otherwise, the overlay video is selected. This allows for the creation of transparent "holes" in the UI. Since the UI is rendered by a WebKit browser, chroma-key is implemented by simply setting the background color in the CSS of the UI pages to magic-pink. This makes the default state of a web page transparent, with all items rendered on top of it opaque.
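The per-pixel substitution of the two paragraphs above, as an added example rather than the NeTV's FPGA logic. The SHA-256 based XOR keystream is a stand-in for the real HDCP cipher, chosen only because it has the property the text relies on: encryption is applied pixel by pixel and the sink verifies nothing. The box only ever sees the source's ciphertext and its own plaintext overlay; it decides on the overlay colour alone, passes the source's ciphertext through untouched where the overlay is chroma-key pink, and otherwise emits its own pixel encrypted under the shared Km. The frame, overlay and Km value are constructed.

```python
"""Chroma-keyed pixel substitution on an encrypted stream (added example).

The keystream is a SHA-256 stand-in for the HDCP cipher, not the real one.
"""
import hashlib

CHROMA = (240, 0, 240)   # magic pink: overlay is transparent here


def keystream(km, index):
    """24-bit keystream word for pixel `index` under 56-bit shared secret `km`."""
    h = hashlib.sha256(km.to_bytes(7, "big") + index.to_bytes(4, "big")).digest()
    return int.from_bytes(h[:3], "big")


def pack(rgb):
    r, g, b = rgb
    return r << 16 | g << 8 | b


def unpack(v):
    return (v >> 16 & 0xFF, v >> 8 & 0xFF, v & 0xFF)


def source_encrypt(km, frame):
    return [pack(p) ^ keystream(km, i) for i, p in enumerate(frame)]


def sink_decrypt(km, cipher):
    """The TV: decrypt every pixel, verify nothing."""
    return [unpack(c ^ keystream(km, i)) for i, c in enumerate(cipher)]


def overlay_mux(mitm_km, cipher_in, overlay):
    """The in-line box.  Note that cipher_in is never XORed with the
    keystream: the original video is not decrypted, only replaced."""
    out = []
    for i, (c, o) in enumerate(zip(cipher_in, overlay)):
        if o == CHROMA:
            out.append(c)                            # hole: source pixel through
        else:
            out.append(pack(o) ^ keystream(mitm_km, i))  # ours, encrypted
    return out


# constructed 4-pixel "frame", an overlay with two transparent holes,
# and a stand-in 56-bit Km
FRAME = [(10, 20, 30), (40, 50, 60), (70, 80, 90), (100, 110, 120)]
OVERLAY = [CHROMA, (255, 255, 255), CHROMA, (0, 0, 0)]
KM = 0x00ABCDEF012345


def composite(mitm_km=KM):
    """What the TV shows: source encrypts FRAME under KM, the box mixes in
    OVERLAY using its own idea of Km, the sink decrypts under KM."""
    return sink_decrypt(KM, overlay_mux(mitm_km, source_encrypt(KM, FRAME), OVERLAY))


def expected():
    return [p if o == CHROMA else o for p, o in zip(FRAME, OVERLAY)]


if __name__ == "__main__":
    print(composite() == expected(), composite(mitm_km=KM + 1))
```

Running it with a wrong Km in the box shows the failure mode the text describes: the pass-through pixels are still fine, because they were never touched, while the substituted pixels decrypt to noise. Alpha blending would have required computing pack(p) for the source pixels, i.e. decrypting them, which the chroma-key mux avoids.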
Note that pixel-by-pixel manipulation of the incoming video feed is done without any real buffering of the video. A TMDS pixel "lives" inside the FPGA for less than a couple dozen clock cycles: the lifetime of a pixel is simply the latency of the pipelines and the elastic buffers required to deskew wire length differences between differential pairs. This means that the overlay video from the Linux computer must be available at exactly the right time, or else the user will see the overlay jitter and shake. In order to avoid such artifacts, the time resolution requirement of the pixel synchronization is stricter than the width of a pixel clock period, which can be as short as a dozen nanoseconds.
In order to accomplish this fine-grain synchronization, a genlock mechanism was implemented where vertical retrace signals (which are unencrypted) trigger an interrupt that initiates the readout of /dev/fb0 to the FPGA. However, the interrupt jitter of a non-realtime Linux is *much* larger than a single pixel time, so in order to absorb this uncertainty, a dynamic genlock engine was implemented in the FPGA. An 8-line overlay video FIFO is used to provide the timing elasticity between the Linux computer and the primary video feed; and the vertical sync interrupt-to-pixel-out latency of the Linux computer is dynamically measured by the FPGA and pre-compensated. In effect, the FPGA measures how slow the Linux box's reflexes are, and requests for the frame to start coming in advance of when the data is needed. These measures, along with a few lines of FIFO, ensure pixel availability at the precise time when the pixel is needed.
SUMMARY
A system has been described that enables a man-in-the-middle attack upon HDCP secured links. The attack enables the overlay of video upon existing streams; an example of an application of the attack is the overlay of a personalized twitter feed over video programs. The attack relies upon the HDCP master key and a snooping mechanism implemented using an FPGA. The implementation of the attack never decrypts previously encrypted video, and it is incapable of operating without an existing, valid HDCP link. It is thus an embodiment of a bona-fide, non-infringing and commercially useful application of the HDCP master key. This embodiment impairs the equating of the HDCP master key with copyright circumvention purposes.
bunnie
an article on the hack
another good article
developer resources page
link to get a NeTV to play with
hardware sources for NeTV
20:30
01:00
Saal 1
the_hack_will_not_be_televised
The Hack will not be televised?
Hacker in Movies
movie
Though hackers prefer being individualists, a strong relationship towards the culture industry makes hacker culture a source and a product at the same time. While you can laugh about most Hollywood movies presenting stereotypical hackers, you shouldn't ignore the influence they have. "And with the 1983 release of the hacker-thriller movie War Games, the scene exploded. It seemed that every kid in America had demanded and gotten a modem for Christmas", Bruce Sterling wrote in "The Hacker Crackdown".
Let's lean back for an hour, watching hackers in movies from the last four decades at work. Some movies you might know, others you don't. Promised.
Caspar Clemens Mierau
List of Hacker Movies
21:45
01:00
Saal 1
new_ways_im_going_to_hack_your_web_app
New Ways I'm Going to Hack Your Web App
lecture
en
Writing secure code is hard. Even when people do it basically right there are sometimes edge cases that can be exploited. Most of the time writing code that works isn't even the hard part; it's keeping up with the changing attack techniques while still keeping an eye on all the old issues that can come back to bite you, straddling the ancient world of the 90's RFCs and 2010's HTML5 compatible browsers. A lot like how Indiana Jones bridges the ancient and the modern... Except for Indiana Jones 4. Let's never talk about that again. Ever.
Take Facebook, Office 365, Wordpress, Exchange, and Live. These are applications that had decent mitigations to standard threats, but they all had edge cases. Using a mix of old and new ingredients, we’ll provide a sampler plate of clickjacking protection bypasses, CSRF mitigation bypasses, "non-exploitable" XSS attacks that are suddenly exploitable and XML attacks where you can actually get a shell; and we'll talk about how to defend against these attacks.
The best description is probably via the slides linked below. We've put a lot of effort into these, and they have video clips making the slide deck pretty big (why we're linking to it and not attaching it).
Jesse Ou
Rich
23:00
01:00
Saal 1
fnord_jahresrueckblick
Fnord-Jahresrückblick
From nuclear waste repository to census
lecture
de
This year, once again, we will try to entertain you with the fnords of the year.
In the format of a relaxed evening show we will present the highlights of the year: the news between the news, the subtle sensations behind the headlines. Come, listen, see! Let yourself be carried away!
Felix von Leitner
Frank Rieger
11:30
01:00
Saal 2
not_your_grandfathers_moon_landing
Not your Grandfathers moon landing
Hell yeah, it's Rocket Science 3.1415926535897932384626!
lecture
en
We got a new rover and it's much more awesome than last year!
Ok, there's a bit more to it :-)
The basics: we are a team of part-time scientists and engineers who want to send a rover to the moon before the end of the year 2013.
There is a lot to be done towards this first private moon landing and we want to take the chance to explore what we want to do and show what we have already accomplished in the past 12 months. The talk will feature important technical milestones like our very first R3 rover prototype and great events like CCCamp11.
There will also be a live demonstration of the very first R3A rover right in the presentation.
We want to take this chance to present where we are and what is next on the world's first private mission to the moon.
2011 was great and we want to show you some of our personal highlights like us actually doing real rocket science at the CCCamp11.
We will have a close look at the first R3 Rover prototype how it got made and all the cool things we already did with it and going to test along the next year.
We're aiming for a pretty quick and dense 30 minute review of 2011 with an outlook for 2012, and then a live presentation of the R3 rover with an open Q&A round.
This time we split our efforts and got our most interesting presenters to enroll for separate talks on one self picked exciting topic they worked on this year in their own free time.
Karsten Becker
Robert Böhme
13:15
00:30
Saal 2
security_log_visualization_with_a_correlation_engine
Security Log Visualization with a Correlation Engine
What's inside your network?
lecture
en
This brief session focuses on the visualization of actual security incidents, network forensics and counter-surveillance of covert criminal communications, utilizing large data sets from various security logs, plus a very brief introduction to correlation engine logic. Visually displaying security or network issues can express the risk or urgency in a way a set of dry logs or other methods might not. Additionally, many organizations rely on a more singular approach and react to security events, many times from a source with a high false positive rate such as isolated intrusion prevention or firewall alerts, or relying only on anti-virus alerts. Utilizing a correlation engine (especially an open source one) or similar applications could offer a method of discovering, or in some cases proactively detecting, issues. The research discussed involves analysis and interrogation of firewall, intrusion detection and prevention system and web proxy logs, and available security research. What does a compromised server infected with spam malware, or cyber warfare, look like?
A 20 minute presentation of data visualization and investigation scenarios of five actual issues discovered using various security logs and a correlation engine. The lecturer will take you on a visual journey from seemingly mundane entries in firewall logs through to detecting covert communications between a corporate web server and a cyber-criminal drop zone. Additional visualizations presented: a United Kingdom based portion of the South Korean DNS Distributed Denial of Service attacks of July/August 2008, what bypassing deep packet inspection using HTTPS/SSL/TLS looks like, detecting a rogue corporate email server, malicious DNS usage and more. Although the presenter used a commercial correlation engine, the presentation will conclude with a discussion of an open source correlation engine.
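As an added example (not the presenter's material or any product's rule set), here is the web-server-to-drop-zone correlation from the paragraph above expressed as code. Two weak signals are combined: the source is a server that should only ever accept connections, and its outbound connections to one external host recur at a near-constant interval. The firewall lines are constructed in a generic "accept" format, the host roles are assumptions, and the 5% jitter threshold is a starting value a practitioner would tune against real traffic.

```python
"""Beacon detection over firewall accept logs (added example).

Log lines, host roles and thresholds below are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

LOG = """\
2011-11-03T10:00:01 FW ACCEPT src=10.1.5.20 dst=203.0.113.9 dport=443 proto=tcp
2011-11-03T10:00:14 FW ACCEPT src=10.1.5.77 dst=198.51.100.3 dport=80 proto=tcp
2011-11-03T10:05:01 FW ACCEPT src=10.1.5.20 dst=203.0.113.9 dport=443 proto=tcp
2011-11-03T10:07:42 FW ACCEPT src=10.1.5.77 dst=198.51.100.8 dport=443 proto=tcp
2011-11-03T10:10:02 FW ACCEPT src=10.1.5.20 dst=203.0.113.9 dport=443 proto=tcp
2011-11-03T10:15:01 FW ACCEPT src=10.1.5.20 dst=203.0.113.9 dport=443 proto=tcp
2011-11-03T10:18:30 FW ACCEPT src=10.1.5.77 dst=198.51.100.3 dport=80 proto=tcp
2011-11-03T10:20:01 FW ACCEPT src=10.1.5.20 dst=203.0.113.9 dport=443 proto=tcp
"""

# Assumption for the example: 10.1.5.20 is the DMZ web server, which is never
# expected to open connections outbound; 10.1.5.77 is a user desktop.
SERVERS_NO_EGRESS = {"10.1.5.20"}

LINE = re.compile(r"^(\S+) FW ACCEPT src=(\S+) dst=(\S+) dport=(\d+)")


def parse(log):
    """Yield (timestamp, src, dst, dport) for every accept line that parses."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))


def find_beacons(log, min_hits=4, max_jitter=0.05):
    """Group accepts by (src, dst, dport).  A flow is reported if its source
    is a server that should only accept, and/or it has >= min_hits hits whose
    inter-arrival times vary by less than max_jitter (stddev / mean)."""
    flows = defaultdict(list)
    for ts, src, dst, dport in parse(log):
        flows[(src, dst, dport)].append(ts)

    findings = []
    for (src, dst, dport), times in sorted(flows.items()):
        times.sort()
        reasons = []
        if src in SERVERS_NO_EGRESS:
            reasons.append("egress from server that should only accept")
        if len(times) >= max(min_hits, 2):
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            avg = mean(gaps)
            if avg > 0 and pstdev(gaps) / avg < max_jitter:
                reasons.append("periodic: every %.0fs, %d hits" % (avg, len(times)))
        if reasons:
            findings.append({"src": src, "dst": dst, "dport": dport, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_beacons(LOG):
        print(f)
```

On the constructed log the desktop's browsing never trips either rule, while the web server's five-minute check-ins to 203.0.113.9 trip both; the two reasons together are what turn a mundane accept line into an investigation lead.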
Chris Kubecka
14:00
00:30
Saal 2
frag_den_staat
Frag den Staat
Practical freedom of information
lecture
de
FragDenStaat.de launched on 1 August 2011 as a platform for filing requests under the German Freedom of Information Act (Informationsfreiheitsgesetz, IFG) and publishes the correspondence with the authorities there, modelled on whatdotheyknow.com and befreite-dokumente.de. The talk will present the platform, show how the site supports applicants in exercising their right to access records, and take a closer look at the most interesting cases.
FragDenStaat.de went online on 1 August 2011 as a project of the Open Knowledge Foundation Deutschland, supported by, among others, Transparency International, Mehr Demokratie and Access Info. Half a year later there is a lot of published correspondence with authorities to examine; it contains some exciting stories and raises interesting questions. Does one have a right of access to the expert reports of the Wissenschaftlicher Dienst (research service) of the Bundestag? Are data shops compatible with the IFG? And how must the Freedom of Information Act be improved so that it also works in the age of open data? In the talk I want to address these questions among others, present statistics from the platform (which authority answers fastest, etc.), explain the means and ways that exist to obtain information from government bodies, and call on you to actively use them.
Stefan Wehrmeyer
FragDenStaat.de
14:30
00:30
Saal 2
tresor
TRESOR: Encrypting hard disks securely
lecture
de
Conventional disk encryption stores the keys it needs in RAM. That leaves it defenceless against attacks that target main memory, such as cold boot attacks. TRESOR offers protection against such attacks.
Conventional disk encryption stores the keys it needs in RAM. That leaves it defenceless against attacks that target main memory, such as cold boot attacks. TRESOR offers protection against such attacks by executing the AES encryption algorithm exclusively on the processor. Security is increased because TRESOR never places the key (nor any AES round key or intermediate state) in RAM, only in CPU registers. Throughout the entire uptime of the system, no critical data of the encryption thus ever reaches main memory.
TRESOR is implemented as a patch for the Linux kernel and uses Intel's AES-NI instructions to accelerate AES encryption. The debug registers of the x86-64 architecture are repurposed to store the key. TRESOR is compatible with all Linux distributions and any performance penalty is negligible.
tilo
TRESOR Runs Encryption Securely Outside RAM
16:00
00:30
Saal 2
ooops_i_hacked_my_pbx
Ooops I hacked my PBX
Why auditing proprietary protocols matters
lecture
This talk is a cautionary tale about developers forgetting to remove debug interfaces from finished products, and about the need for repeated system reviews. A midrange PBX system's (non-web) configuration interface is used as an example of what flaws you can actually find in commercial systems.
The idea behind this talk is to give you an idea of what can happen when developers do not audit their code on a regular basis. It is not meant to make anybody laugh at someone else's stupidity, but to serve as a reminder of what could happen to YOU if you're a developer.
As an example of what can go wrong, a problem in the way the configuration interface of a PBX authenticates its administrators is used.
It is about dissecting a proprietary TCP/IP based protocol used to configure telephones with system integration through the PBX, and unexpectedly finding a flaw which not only allows the configuration of phones to be modified but also the PBX itself to be manipulated. The even bigger oversight was that all of this communication is possible without any authentication at all.
It is also a little bit about protocol design and some (false) assumptions still made when preparing an impending product launch.
But for the sake of honesty: No names and no brands will be given, the talk is based upon a true example but because of responsible disclosure procedures not all information will be released to the public.
pt
16:30
00:30
Saal 2
open_source_music_tracking_2_0
Open source music: Tracking 2.0
lecture
Tracking is so 1990s. Nowadays MP3 and other similar formats are overwhelmingly more popular. But is this really a step forward? A (very) brief history of computer music, where we are at now, and why I think people are headed in the wrong direction. And what we can do about it.
Distributing music as recordings is terribly limiting to hackers and tinkerers. Music as *source code* makes dissection, modification and reuse easier. I will introduce a prototype next-generation tracker for the web, with the ultimate aim of being a way to not just create but also distribute music, and to collaborate on music creation: Github for music, if you will.
As a music creation tool, trackers have been displaced in popularity because they are:
* Balky (arcane command+parameter syntax, steep learning curve, have slowly grown by accretion without regard to comprehensibility)
* Underpowered (many useful DSP effects are unavailable)
As a music distribution tool, tracked formats have been displaced in popularity because they are:
* Not ubiquitous (people may not have playback software)
* Underspecified (hence behaviour differs across implementations)
I believe all of these problems are soluble, and I'm going to talk about how. "modplayjs" (a working title which may well change by December) is a tracker written in javascript. While capable of playing existing module formats, it is primarily a playground for experimenting with shedding two decades of accumulated baggage, and is currently under heavy development.
Tom Hargreaves
current bleeding-edge demo
source repository
slides
fooble home page
17:15
01:00
Saal 2
the_best_of_the_oxcars
The best of The oXcars
the greatest free/Libre culture show of all times
movie
The Best of the oXcars!
OXcars is fun. oXcars is empowering the people.
Presentation and screening of the best of the oXcars 2011, 2010, 2009, 2008.
Because their business is not our business.
Every year, in Barcelona 1500 people gather for the biggest free/libre culture Show of all times ;-).
Artists and performers from all areas of Spanish and international culture take part in a "Gala";-) in which artists say "Not in my name" to the commercialisation of culture, "Not in my name" to limiting the potential of digital media and to criminalization of the Internet. Civil society demands the 'lost profits' of all the knowledge that is being withheld and stolen from public use in the name of private profits.
http://oxcars11.whois--x.net/en/
http://oxcars10.whois--x.net/en/
http://oxcars09.whois--x.net/en/
http://whois--x.net/proyectos/oxcars-08
X.net (since 2008) - http://whois--x.net/
X.net (previously Exgae) aims to provide citizens with creative and legal skills that they can use to put an end to the monopoly and activities of the cultural industries groups and their private goals.
X.net fights alongside the great majority of society for the growth of new forms of circulation of culture. It's the first Spanish legal advisory service specialised in protecting citizens from the abuses of cultural industries lobbies and royalty management and collecting societies.
X.net develops and drafts proposals for intervention on legislation, organises cultural events that aim to "normalise" free culture production and diffusion practices and make them known to the general public, and creates viral campaigns and civil-society lobby groups like the FCForum (http://fcforum.net).
One of X.net’s public activities is the annual oXcars event, the world’s biggest free culture show ;-). The oXcars is a showcase for artists and creators who have pioneered the changes in knowledge and cultural production thanks to the potential of new technologies, and seeks to defend society’s right to use them. The oXcars are also a way to make the free culture movement mainstream, a bridge between free culture works and artists and the general public.
The oXcars inform, make free culture visible and magnify it, and thus empower citizens.
Each number presented in the show is an excuse to explain a topic: the right to quote, the right to share, net neutrality, P2P networks, online free art, free beer :-) etc etc.
We have prepared a screening session to show you this amusing Show.
http://whois--x.net/english/the-oxcars/oxcars08
Simona Xnet
http://whois--x.net/
http://fcforum.net
http://2011.fcforum.net
18:30
01:00
Saal 2
print_me_if_you_dare
Print Me If You Dare
Firmware Modification Attacks and the Rise of Printer Malware
lecture
en
Network printers are ubiquitous fixtures within the modern IT infrastructure. Residing within sensitive networks and lacking in security, these devices represent high-value targets that can theoretically be used not only to manipulate and exfiltrate sensitive information such as network credentials and sensitive documents, but also as fully functional general-purpose bot-nodes which give attackers a stealthy, persistent foothold inside the victim network for further reconnaissance, exploitation and exfiltration.
We first present several generic firmware modification attacks against HP printers. Weaknesses within the firmware update process allow the attacker to make arbitrary modifications to the NVRAM contents of the device. The attacks we present exploit a functional vulnerability common to all HP printers, and do not depend on any specific code vulnerability. These attacks cannot be prevented by any authentication mechanism on the printer, and can be delivered over the network, either directly or through a print server (active attack), or as hidden payloads within documents (reflexive attack).
In order to demonstrate these firmware modification attacks, we present a detailed description of several common HP firmware RFU (remote firmware update) formats, including the general file format, along with the compression and checksum algorithms used. Furthermore, we will release a tool (HPacker), which can unpack existing RFUs and create/pack arbitrary RFUs. This information was obtained by analysis of publicly available RFUs as well as reverse engineering the SPI BootRom contents of several printers.
Next, we describe the design and operation of a sophisticated piece of malware for HP (P2050) printers. Essentially a VxWorks rootkit, this malware is equipped with: a port scanner, a covert reverse-IP proxy, a print-job snooper that can monitor, intercept, manipulate and exfiltrate incoming print-jobs, a live code update mechanism, and more (see presentation outline below). Lastly, we will demonstrate a self-propagation mechanism, turning this malware into a full-blown printer worm.
Using HPacker, we demonstrate the injection of our malware into arbitrary P2050 RFUs, and show how similar malware can be created for other popular HP printer types. Next, we demonstrate the delivery of this modified firmware update over the network to a fully locked-down printer.
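Since the abstract says the printer itself cannot be made to refuse these updates, the one place a defender can still look is the job data on its way to the printer. The scanner below is an added example, not HPacker or anything released with the talk. It rests on one assumption that comes from the headers of publicly available HP .rfu files rather than from the talk text: a remote firmware update is itself a PJL job, opened by the universal exit language sequence ESC%-12345X and carrying an "@PJL UPGRADE SIZE=<bytes>" command. The three sample jobs are constructed; the "active" case is an update sent as a job in its own right, the "reflexive" case is the same command buried after ordinary PostScript.

```python
"""Flag print jobs carrying a PJL firmware-update command (added example).

Assumption (from public HP .rfu headers, not from the talk): an RFU job
begins with the PJL UEL and contains "@PJL UPGRADE SIZE=<n>".  All sample
jobs below are constructed.
"""
import re

UEL = b"\x1b%-12345X"
UPGRADE = re.compile(rb"@PJL\s+UPGRADE\s+SIZE\s*=\s*(\d+)", re.IGNORECASE)


def find_upgrades(job: bytes):
    """Every PJL UPGRADE command in the job, as (offset, declared size)."""
    return [(m.start(), int(m.group(1))) for m in UPGRADE.finditer(job)]


def classify(job: bytes) -> str:
    """'clean'        : no UPGRADE command at all
       'rfu'          : the job is a firmware update from its first byte
                        (what an active, over-the-network update looks like)
       'embedded-rfu' : document content precedes the UPGRADE command, i.e.
                        an update hidden inside a document (reflexive case)"""
    hits = find_upgrades(job)
    if not hits:
        return "clean"
    head = job[:hits[0][0]]
    # Only the UEL and further @PJL lines may legitimately precede the
    # UPGRADE command; PostScript, PCL or text in front of it means the
    # update is riding inside something that was presented as a document.
    if head.startswith(UEL):
        pjl_only = all(line == b"" or line.startswith(b"@PJL")
                       for line in head[len(UEL):].split(b"\r\n"))
        if pjl_only:
            return "rfu"
    return "embedded-rfu"


# constructed samples
CLEAN_PS = b"%!PS-Adobe-3.0\n/Helvetica findfont 12 scalefont setfont\n(hi) show\nshowpage\n"
RFU_JOB = (UEL + b"@PJL COMMENT constructed test job\r\n"
           b"@PJL UPGRADE SIZE=123456\r\n" + b"\x00" * 16)
HIDDEN_JOB = (b"%!PS-Adobe-3.0\n(harmless page) show\nshowpage\n"
              + UEL + b"@PJL UPGRADE SIZE=123456\r\n" + b"\x00" * 16)


if __name__ == "__main__":
    for name, job in (("clean", CLEAN_PS), ("rfu", RFU_JOB), ("hidden", HIDDEN_JOB)):
        print(name, classify(job), find_upgrades(job))
```

A print server that blocks or quarantines anything other than "clean" from sources that are not the firmware-management workstation is a coarse but cheap control; it is a heuristic on job bytes, so an obfuscated or compressed job stream would need deeper parsing than this.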
Lastly, we present an accurate distribution of all HP printers vulnerable to our attack, as determined by our global embedded device vulnerability scanner (see [1]). Our scan is still incomplete, but extrapolating from available data, we estimate that there exist at least 100,000 HP printers that can be compromised through an active attack, and several million devices that can be compromised through reflexive attacks. We will present a detailed breakdown of the geographical and organizational distribution of observable vulnerable printers in the world.
*We have also unpacked several engine-control processor firmwares (different from the main SoC) and are currently attempting to locate code related to tracking dots. Perhaps we will have some results by December. In any case, HPacker will help the community to do further research in this direction, possibly allowing us to spoof / disable these yellow dots of burden.
Ang Cui
Jonathan Voris
Past publications
"A Quantitative Analysis of the Insecurity of Embedded Network Devices: Results of a Wide-Area Scan" Paper
20:30
01:00
Saal 2
the_future_of_cryptology
The future of cryptology: which 3-letter algorithm(s) could be our Titanic?
RMS Olympic, RMS Titanic, HMHS Britannic vs Discrete Logarithm, Integer factorization, Conjectured hard problems
lecture
en
The lessons and best practices of the Titanic will be extracted. Are we ready?
This will be a co-presentation (Jean-Jacques Quisquater / David Samyde) and occasional friendly exchange, with point and counter-point of different contrasting views on the impact of solving integer factorization and some other difficult problem in cryptography.
The idea is to perform a provocative comparison between the 'unbreakable' RSA algorithm and the unsinkable Titanic.
Receiving his RSA Conference Lifetime Achievement Award, Rivest said that it has not been demonstrated mathematically that factorization into primes is difficult. So “Factoring could turn out to be easy,” and according to him “maybe someone here will find the method”.
Since 1994 and Shor's algorithm, the danger posed by quantum computers is known: breaking RSA in polynomial time. Factoring large numbers is conjectured to be computationally infeasible on classical, non-quantum computers. No efficient algorithm is known, and the research of the last 30 years has not shown enormous progress.
Iceberg existence is predicted but not shown yet.
According to Rivest a variety of alternative schemes have been developed in the decades since RSA was published, and a new system could probably be adopted quickly.
This relies on factorization alone being solved, but several other cases can be considered; in some of them, replacing RSA with a new algorithm could require more work than initially planned (for example, a solution to the discrete logarithm problem).
Managing the risk and the threat of the resolution of any major problem used in cryptography is crucial. This presentation challenges the conventional thinking using lessons learned from history.
RSA users are everywhere so what could be the consequences of a break in the real world? What were the errors made on the Titanic? Can the best practices used be improved or just translated into a new scheme? What would be the impact of solving the RSA assumption on cryptography?
The outline is:
History of factorization
Titanic primes and RSA keys
Complexity, classes of algorithms and practical costs
Risk analysis and Threat management
Probability estimation and proactive monitoring
From best to worst case
Best methods and lessons learned
Multiple scenarios
(Im)possibility of accurate prediction
What to expect and how to be ready
Conclusion
Andrew Grove, former CEO of Intel, said "Only the paranoid survive". Forecasting the presence of a strategic inflection point is hard. What should we expect at the time of the next major cryptanalysis breakthrough? What does history teach? What remains to be done? Are we ready?
The format will be a co-presentation (Jean-Jacques Quisquater/David Samyde) and occasional friendly debate or exchange, with point and counter-point of different contrasting views on the
impact of solving integer factorization in Information Security.
At the last RSA conference, Ronald Rivest, Adi Shamir and Leonard Adleman received the RSA Conference Lifetime Achievement Award. They were rewarded for the creation of the RSA cryptosystem and their magnificient contribution to the field of cryptography. Rivest during his speech said that
it has not been demonstrated mathematically that factorization into primes is difficult. So "Factoring could turn out to be easy," and according to him "maybe someone here will find the method".
Since 1994 and Shor's algorithm, the cryptographic community is aware of the danger of quantum computer for the the integer factorization problem. With a sufficient number of qubits, Shor's algorithm can be used to break RSA in polynomial time. Since last year RSA conference the first commercially available quantum computer with 128-qubit chip has been sold to an american company. But some criticism and a controversy are present around the real potential of this solution.
A well accepted assumption is that factoring large numbers is computationally infeasible on classic non quantum computers. No classical algorithm is known and the research in the last 30 years did not show enormous progress even if the improvements to the field of integer factorization are important since the existence of RSA.
The consequences of solving integer factorization in polynomial time would be to render the RSA scheme vulnerable. According to Ron Rivest a variety of alternative schemes have been developed in the decades since RSA was published, and a new system could probably be adopted quickly.
Some new encryption/signature schemes are available but they do not all rely on some problems that can be proven to be very hard in all cases and instances. The difference between a solid proof and a conjecture is important but it is not because a problem is proven hard that it is enough and
sufficient to use it to build a secure cryptosystem. The knapsack problem is NP-complete to solve exactly but it can be difficult to create a secure cryptosystem from it. Leonard Adleman broke the Ron Graham and Adi Shamir enhancement of the Merkle-Hellman scheme and so did Serge Vaudenay who broke the Chor-Rivest knapsack cryptosystem.
Discrete logarithm, graph isomorphism and integer factorization are NP-intermediate problems and they are not known to be to be P or NP-complete. Solving the discrete logarithm problem brings a solution to the integer factorization problem in a trivial manner. The lack of recent progress on the resolution of the discrete logarithm helps and supports integer factorization. But in general an advance in one of them can be translated into the other one. This is not automatic, however it can be expected.
Cryptographic systems rely massively on the integer factorization and discrete logarithm problems. Few other systems exist, and among them some algorithms suffer from cryptanalytic methods that reduce their usage to specific cases. The worldwide presence, acceptance and usage of RSA are huge; therefore, if the algorithm were compromised, a lot of companies would have no choice but to switch to another encryption system.
The rapid adoption of a new system would play an important part in maintaining a high level of trust in security. Because public key cryptography secures the Internet and e-commerce, banking and financial transactions, government communications and much more, the new system(s) should be proven to be secure and quickly deployed.
Ron Rivest's assumption about the difficulty of integer factorization relies on the premise that a solution to factorization would not create further perturbations in the field of encryption algorithms and would not enable new cryptanalytic methods against potential replacement solutions. In that case his statement about replacing RSA with a new method is correct. However, several other cases can be considered, and in some of them replacing RSA with a new algorithm could require more work than initially planned. Likewise, big companies cannot really afford (and not only financially) to replace one encryption algorithm with another and then experience a failure of the new system just after its deployment.
This presentation challenges the conventional thinking: factorization is at the core of number theory, and only a limited number of top researchers really work on and understand it. Yet a tremendous amount of money and business is secured relying on the resistance of this problem to years of attack by talented minds. The entire world uses the RSA algorithm and trusts its security. This is so true that some schemes do not even have a replacement plan, and some certificates never expire.
In Greek mythology, Cassandra received from Apollo the ability to predict the future, but she could not provide any evidence for her predictions. She foresaw the destruction of Troy by means of the Trojan Horse, the death of Agamemnon and her own troubles, but she could not forestall these tragedies. Ron Rivest did not provide any new method to solve factorization, but he clarified the possible existence of a solution. When the inventor of the system starts to consider that a solution can exist, it seems to be time to be open-minded. If a solution can be reached, so what?
Andrew Grove, former CEO of a silicon manufacturer, highlighted in his book "Only the paranoid survive" the importance of Cassandras in an organization. According to Grove, they can help to predict a strategic inflection point.
A practical method of factorization would be a strategic inflection point, and its effects might not be limited to integer factorization but extend to other fields. A much more elegant method for the problem of decomposing a composite into primes has even inspired film makers in Hollywood (Sneakers by Phil Alden Robinson) and book writers (Tetraktys by Ari Juels). What is the reality of such an assumption: is this pure science or pure fiction? Are these people Cassandras, or is it simply impossible? Through comparisons and metaphors, the authors deal with the lessons to learn from the resolution of factorization in different cases.
It is difficult to make accurate predictions, and cryptographers have learned with time that even the most brilliant among them and/or the giants of the community can make bad predictions. The inventors of RSA stated in Martin Gardner's column (August 1977) in Scientific American that it would require 40 quadrillion years to factorize RSA-129 (426 bits). Derek Atkins led the work that proved them wrong a few years later.
The recent history of cryptanalysis teaches us that some schemes are weaker than expected and that the general perception of the cryptologic community can change very quickly. A good example is the lack of collision resistance of the MD5 hash function designed by Ron Rivest.
The co-authors believe that any prediction about the time separating us from the existence of an elegant solution to the integer factorization problem makes no sense. The art of prediction is much more difficult than making simple comparisons.
The existence of a practical solution for factorization would have the effect of an earthquake on the world of cryptography and computer security. Predicting earthquakes is not really possible, and the recent past brings to mind all the collateral effects that an earthquake can cause. In real life, seismologists monitor many phenomena that are considered possible precursors of earthquakes. This presentation will develop a simple, common-sense model to explain what the consequences of an improvement in integer factorization could be, according to the probability of its appearance.
If the cryptologic community's perception of factorization were drastically modified, what could be the consequences for cryptography and security in the real world? Can the best practices used with RSA be improved or even translated into a new scheme? What would be the impact of solving the RSA assumption on numerous other algorithms?
In the case of a resolution of the integer factorization problem, several scenarios are possible. They all have different implications and conclusions. This presentation considers each main scenario according to its level of relevance and details the impact and the consequences of the new discovery on different fields, including computer security, governance, cloud security, cyberwar and cyber weapons, and others.
Managing the risk of a solution to any major problem used in cryptography is important for the whole industry. In general, cryptographers consider that non-linear improvements in their field take time and that every algorithm is deprecated before it is completely broken. This presentation will challenge some of these statements.
Jean-Jacques Quisquater
Renaud Devaliere
21:45
01:00
Saal 2
towards_a_single_secure_european_cyberspace
Towards a Single Secure European Cyberspace?
What the European Union wants. What the hackerdom can do..
lecture
en
The "European Great Firewall" is how European civil rights organizations have addressed the proposal to create a "single European cyberspace". Surely other lectures will describe the technicalities of the proposal. This lecture will go beyond that, describing a vulnerability that the proposal reveals in the power structures of European and world governance, which could be exploited by the hackerdom if war is understood as something to be avoided.
The proposal registered by the Council of the European Union to create «a single secure European cyberspace» marks a pivotal moment in the development of the Union. Three reasons ground that statement. First, because after decades of omitting the term, the semantics of «cyberspace» is officially adopted by the Union's policy. Second, because that adoption enacts a new field of community policy making. Third, because the new field is formulated by binding, under a «single European» frame, home affairs with the security and defense areas – the building blocks of sovereignty since the Peace of Westphalia.
The notion of cyberspace as a global wide, computer-mediated domain of human agency is not new. Furthermore, the salience of that domain in contemporary society can hardly be refuted: beyond the contributions from literature and academia, the most reliable source of empirical evidence can be found in the output of the polities concerned as they address the deployment and the effects of informatics and telecommunications – the constituent technologies of cyberspace.
The legal developments on the protection of personal data and on the enforcement of intellectual property rights, or the budgetary assignments to the field of the information society, are meaningful proofs of that salience. However, the idea of a «European cyberspace» (a) impugns the aforementioned «global wide» range by assuming the possibility of constraining agency to the boundaries of a political body – the EU – which then becomes the holder of sovereignty in that domain, and (b) defies the traditional monopoly of the State regarding the exercise of power over its own territory.
As Kymlicka has pointed out, the existence of a common identity is a requirement of statality, at least in the political configuration designed under the liberal democracy paradigm. Provided that cyberspace favours the establishment of social interactions not limited by the constraints that statality imposes, it is possible to form alternative identities that can come into conflict with the identitary demarcations of the State and, therefore, following Foucault, challenge the discursive hegemony of the State.
Suso Baleato
the virtual schengen leaked document
Telegraph article
23:00
01:00
Saal 2
camp_review_2011
CCC Camp 2011 Video Impressions
Reviving a nice summer dream
movie
All of us who did attend are still dreaming. All of us who did not attend are still weeping. The CCCamp 2011.
This film recapitulates all the great moments that took place during summer this year. All the great moments. Really. All of them.
English and German with English subs (still improvable, though).
11:30
01:15
Saal 3
taking_control_over_the_tor_network
Taking control over the Tor network
lecture
en
This talk deals with weaknesses identified in the TOR network protocol and its cryptography implementation. We manage to take control over users of this network and to access all your information and data exchanged, despite the cryptography.
The TOR network is one of the most famous ways to use the Internet anonymously and securely, at least supposedly. Tor client software routes Internet traffic through a worldwide volunteer network of servers in order to conceal a user's location or usage from someone conducting network surveillance or traffic analysis. Aside from protocol-oriented aspects, TOR security relies heavily on cryptography.
The aim of this talk is to explain how it is possible to take over a significant part of the TOR network, if not the whole network. We have identified two classes of weaknesses in the way Onion Routers (ORs) are managed:
A first class of weaknesses relates to the way routes among ORs are selected. It is possible to influence and to force users to use arbitrary ORs and hence to control which route they take.
A second class of weaknesses relates to the way cryptography is implemented. By using malware-based attacks and the concept of dynamic cryptographic backdoors, we have succeeded in circumventing the cryptography in place without removing it.
We present different possible attack scenarios, malware-based or not (depending on the scenario considered), that have been tested and validated on a TOR simulation network of 50 nodes and partially on the real TOR network (as far as existing laws allowed).
We show that it is indeed possible to gain a lot of sensitive information, bypassing and managing the existing cryptographic mechanisms very efficiently, and to take effective control over a significant part of the TOR network. The attack is fully dynamic and can be replayed on request. We present an open-source library that automates the identification of hidden relay bridges.
We propose some modifications to the TOR source code and protocol in order to prevent those attacks.
Demos will be presented to expose the two classes of vulnerabilities we exploit. Internet access is required for the part of the demos on the real TOR network.
Eric Filiol
Seun Omosowon
Tor Attack Slides 28C3
12:45
02:15
Saal 3
lightning_talks_day_3_pecha_kucha
Lightning Talks Day 3
Pecha Kucha Round!
other
en
Nick Farr
16:00
01:00
Saal 3
deceiving_authorship_detection
Deceiving Authorship Detection
Tools to Maintain Anonymity Through Writing Style & Current Trends in Adversarial Stylometry
lecture
en
Stylometry is the art of detecting authorship of a document based on the linguistic style present in the text. As authorship recognition methods based on machine learning have improved, they have also presented a threat to privacy and anonymity. We have developed two open-source tools, Stylo and Anonymouth, which we will release at 28C3 and introduce in this talk. Anonymouth aids individuals in obfuscating documents to protect identity from authorship analysis. Stylo is a machine-learning based authorship detection research tool that provides the basis for Anonymouth's decision making. We will also review the problem of stylometry and the privacy implications and present new research related to detecting writing style deception, threats to anonymity in short message services like Twitter, examine the implications for languages other than English, and release a large adversarial stylometry corpus for linguistic and privacy research purposes.
Stylometry is the study of authorship recognition based on linguistic style (word choice, punctuation, syntax, etc). Adversarial stylometry examines authorship recognition in the context of privacy and anonymity through attempts to circumvent stylometry with passages intended to obfuscate or imitate identity.
This talk will introduce the open source authorship recognition and obfuscation projects Anonymouth and Stylo. Anonymouth aids individuals in obfuscating their writing style in order to maintain anonymity against multiple forms of machine learning based authorship recognition techniques. The basis for this tool is Stylo, an authorship recognition research tool that implements multiple forms of state-of-the-art stylometry methods. Anonymouth uses Stylo to attempt authorship recognition and suggest changes to a document that will obfuscate the identity of the author to the known set of authorship recognition techniques.
We will also cover our recent work in the field of adversarial authorship recognition in the two years since our 26C3 talk, "Privacy & Stylometry: Practical Attacks Against Authorship Recognition Techniques." Our lab has new research on detecting deception in writing style that may indicate a modified document, demonstrating up to 86% accuracy in detecting the presence of deceptive writing styles. Short messages have been difficult to assign authorship to but recent work from our lab demonstrates the threat to anonymity present in short message services like Twitter. We have found that while difficult, it is possible to identify authors of tweets with success rates significantly higher than random chance. We also have new results that examine the ability of authorship recognition to succeed across languages and the use of translation to thwart detection.
This talk will also mark the release of an adversarial stylometry data set that is many times larger than our previous release. This data set, provided by volunteers, includes at least 6500 words per author of unmodified writing as well as sample adversarial passages intended to preserve the anonymity of the author and demographic information for each author.
The content of this talk will be relevant to those with interest in novel issues in privacy and anonymity, forensics and anti-forensics, and machine learning. All of the work presented here is from the Privacy, Security and Automation Lab at Drexel University. Founded in 2008, our lab focuses on the use of machine learning to augment privacy and security decision making.
Michael Brennan
Rachel Greenstadt
Privacy, Security and Automation Lab at Drexel
Michael Brennan
Rachel Greenstadt
JStylo (Alpha)
Anonymouth (Alpha)
17:15
01:00
Saal 3
electronic_money
Electronic money: The road to Bitcoin and a glimpse forward
How the e-money systems can be made better
lecture
en
The proposed talk provides a definition of the problem of creating e-money and, after a review of the state of the art, points out possible solutions and proposes questions for discussion on the properties of electronic money systems.
Electronic money: The road to Bitcoin and a glimpse ahead
---------------------------------------------------------
## 1. What is electronic money and different means of currency
Definition of electronic money and distinction from similar means of exchange.
Electronic money is defined as monetary value which is:
- stored on an electronic device;
- issued on receipt of funds; and
- accepted as a means of payment by persons other than the issuer.
Working e-money examples: PayPal and MoneyBookers
Other means of exchange, similar to e-money: Alternative/Social/Timeshare/Community currencies; Loyalty and Voucher systems.
Working examples: WIR and Ven currencies (Bitcoin)
What makes them different from e-money? (convertible only one-way, not a legal tender, mostly backed by trust only, etc)
*Optional*: Pros and cons of the abovementioned means of exchange.
## 2. Defining the e-money problem: What should electronic money do?
Risks and requirements for an electronic money solution from technical, legal and business standpoints. The basic human problem of reaching consensus and trust in a group.
### General system risks:
- Credit Liability
- Credit Abuse
- Counterfeiting
- Unauthorized Withdrawal
- Purchase Order Modification
- Double Spending
- Failure to Credit Payment
- Denial of Service
- Repudiation
- Failure to deliver
- Framing
- Secrecy
### Legal and accounting:
- Dispute resolution
- Money laundering and finance of terrorism
- Tax evasion prevention
- Consumer protection requirements
- Ways to negotiate and conclude a contract
- Auditability
- Reverse and chargeback transactions
- **How the burden of proof is distributed**
### Business:
Costs for:
- Registration
- Operation
- Support
- Marketing
- Customer and merchant negotiation
### Accent on the most important human problems:
- Identification and authorization (which is the required minimum?)
- Achieving consensus and easy dispute resolution in a group.
- Determine the state of the system at any given moment
- Trust (between the peer users or trust in the central authority)
## 3. How have the risks and requirements traditionally been addressed?
Review of the cryptographic, legal and procedural methods from the existing e-money protocols. Emphasis on anonymity and privacy problems.
The review of the existing systems will distinguish between:
- Online and offline systems
  Example: PayPal and Blind signature/PayWord based systems
- Centralized and decentralized systems
  Example: Liberty Reserve and Ripple/BitCoin
- Hard and Soft systems
  Example: BitCoin and Credit card based money and payment protocols
How do they solve the problems of trust and consensus in a certain group?
How do they provide anonymous transactions and keep user privacy? Are independent jurisdictions a (contribution to) the solution?
Calculated risk, insurance and responsibility/role delegation as patches to the existing problems.
Which of the above systems may be deemed "legal"? (what do the central banks think)
*Optional*: A few words on blind signature and PayWord techniques and the protocols around them
## 4. The great step forward. The contribution of Bitcoin
Emphasis on the decentralization and (relative) anonymity features of Bitcoin. How the combination of a way to create (mint) coins and to timestamp the state of their distribution created the first working non-centralised currency. What, in my opinion, contributed to Bitcoin's popularity.
## 5. The problems of Bitcoin
What Bitcoin doesn't provide or doesn't provide in an effective manner:
- Cost of creating money
- Method of reaching a consensus, based on computing power
- No "real value" to back it
- Settlement risk not covered
- Scalability issues
- All the lacking features of a "soft" currency
Is it a decentralized or a distributed system? (having in mind the introduction of "trust points")
## 6. A Glimpse forward
How can anonymous e-money be made better (more effective and accessible)? Proposal (and discussion) of possible enhancements.
### How to issue e-money in a more effective manner?
Possible solutions are to issue money based on:
- Exchange for fiat money or backed by any other valuable stock (gold, land, silver);
- IOU credit/debit principle from the community currencies;
- Some fair distribution as an alternative to:
  - Solving a math problem (as Bitcoin does)
How do these solutions relate to the speed at which new money is accepted and used?
### How to reach a consensus in a group in a more effective manner?
- Is practical Byzantine fault tolerance more effective than distributed timestamping?
- Can and should we consider any centralized authority?
- Should we consider decentralized money impossible and settle for distributed money?
- Can a web-of-trust (OpenPGP-like) scheme of trust be applied? What can social identification (friend of a friend) contribute?
- Can we use/rely on public/official timestamping services, and how can this be used as a better proof?
- How may triple-entry accounting techniques help?
### How to achieve anonymity and preserve privacy?
- Is complete anonymity possible? What are the achievable levels of anonymity?
- Can the user set a "mode" of a transaction, sacrificing some protection?
- To what extent will the existing bank secrecy suffice?
- Jurisdictional independence as a possible solution / significant contributor.
- What anonymizing technical methods are possible?
More general question: Should a good e-money currency be made according to the legal requirements of the EU directive and made legal tender?
If not, do features like consumer protection (reverse and refund transactions), auditability and settlement-risk coverage need to be implemented, and at what cost?
Peio Popov
18:30
01:00
Saal 3
datenvieh_oder_daten_fee
Datenvieh oder Daten-Fee
What are tracking data worth?
lecture
A sober examination of user-tracking methods and of the economic value of tracking and user data.
Tracking user interactions is today the backbone of a large part of the online economy. For users and outsiders, this value creation takes place out of sight. Qualitative data are aggregated from quantitative data by means of data mining. And industry keeps devising new methods to improve the collection, as well as methods to disguise it.
The talk briefly summarizes the various means of collection and then turns in detail to the question of what value the individual interactions actually have. The industries involved are presented, and the path the data take from their origin to their various buyers is described.
Rene Meissner
20:30
01:00
Saal 3
introducing_osmo_gmr
Introducing Osmo-GMR
Building a sniffer for the GMR satphones
lecture
en
The latest member of the Osmocom family of projects, osmo-gmr focuses on the GMR-1 (GEO Mobile Radio) air interface used in some satellite phones. This talk will briefly present the GMR protocol and the Thuraya network that uses this protocol in the Eurasian/African and Australian continents, and finally detail how you can capture samples and process them for analysis using osmo-gmr.
Sylvain Munaut
Project home-page
21:45
01:00
Saal 3
behind_the_scenes_of_a_c64_demo
Behind the scenes of a C64 demo
lecture
en
C64 "demos" were the root of the whole demo-scene-thing and they are still the main force keeping the C64 alive today. Audiovisual pleasure, still pushing hardware limits, still exploring different ways of expression. But what is typically happening inside the machine when you watch a demo? What effort is needed to entertain the audience? This talk will give you an inside look at the steps taken for the award winning demo "Error 23" given first hand by one of its main programmers.
This talk extends previous talks and documentation about the Commodore 64 and its demo effects by adding real-life challenges and experiences to it. What were the basic ideas? What obstacles were on the way? How did they get solved? 6502 assembly knowledge is really not required, some general understanding about assembly and low-level computing will be useful, though (think of stack, timer, cycles...). This isn't about theory, this is for real ;)
Topics include (but are not limited to):
- Explaining design choices
- Basic ideas behind the effects
- Data compression techniques
- Load stuff while displaying effects
- Dirty tricks which make your computer science professor run away
- Synchronization and linking
- How to keep it all in 64KB RAM
Ninja / The Dreams
Error23 at pouet.net
Error23 on youtube
23:00
01:00
Saal 3
sovereign_keys
Sovereign Keys
A proposal for fixing attacks on CAs and DNSSEC
lecture
en
This talk will describe the Sovereign Key system, an EFF proposal for improving the security of SSL/TLS connections against attacks that involve Certificate Authorities (CAs) or portions of the DNSSEC hierarchy.
The design stores persistent name-to-key mappings in a semi-centralised, append-only data structure. It allows domain owners to deploy operational TLS keys without trusting any third parties whatsoever, and gives clients a reliable way to verify those keys. The design can also be used to automatically circumvent a large portion of server impersonation and man-in-the-middle attacks, avoiding the need for confusing certificate warnings, which users will often click through even when they are under attack.
The Sovereign Key design bootstraps from and reinforces either CA-signed certificates or DANE/DNSSEC as a method of publishing and verifying TLS servers' public keys. Conceptually, it provides functionality similar to what could be obtained if HTTPS servers could publish special headers saying "in the future, all new public keys for this domain will be cross-signed by this key: XXX", but the design includes a number of necessary additional features, including a secure revocation mechanism, protection against false headers that an attacker could publish after compromising an HTTPS server, and support for protocols other than HTTPS (SMTPS, POP3S, IMAPS, XMPPS, etc).
Sovereign Keys allow clients to detect server impersonation and man-in-the-middle attacks even if the attack involves compromise or malice by a CA or DNSSEC registry. But Sovereign Keys also allow for automatic circumvention of these attacks via proxies, VPNs, or Tor hidden services.
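The mechanics described above, as an added toy model written for this page (not EFF's code or data format): an append-only log of domain-to-sovereign-key bindings, a cross-signature by which the sovereign key vouches for an operational TLS key, and the client check that rejects a key a compromised CA might have issued. It assumes Ed25519 signatures and a SHA-256 hash chain, and omits the CA/DNSSEC bootstrap and the distribution details of the real proposal.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Record is one entry of the append-only name-to-key log (a toy model written for
// this example, not the EFF format). Each record commits to its predecessor's hash.
type Record struct {
	Domain    string
	Sovereign ed25519.PublicKey // nil records a revocation of the current binding
	Prev      []byte            // hash of the preceding record (nil for the first)
	Hash      []byte
}

// bindMsg is the byte string that gets signed or hashed. The purpose tag and the
// domain are part of it, so a signature cannot be replayed for another use or name.
func bindMsg(tag, domain string, key ed25519.PublicKey) []byte {
	return append([]byte(tag+"\x00"+domain+"\x00"), key...)
}

func recordHash(prev []byte, domain string, key ed25519.PublicKey) []byte {
	sum := sha256.Sum256(append(append([]byte{}, prev...), bindMsg("record", domain, key)...))
	return sum[:]
}

// Log is the semi-centralised, append-only structure that clients consult.
type Log struct{ records []Record }

// Current returns the live sovereign key for domain: its latest entry, or nil if revoked.
func (l *Log) Current(domain string) (key ed25519.PublicKey) {
	for _, r := range l.records {
		if r.Domain == domain {
			key = r.Sovereign
		}
	}
	return
}

// Append registers, rotates or revokes (newKey == nil) a domain's sovereign key.
// Once a binding exists, the update must be signed by the current sovereign key, so
// an attacker who compromised the HTTPS server (and holds only the operational key)
// cannot publish a false replacement. The first registration is accepted unsigned
// here; the real design bootstraps it from a CA certificate or DNSSEC.
func (l *Log) Append(domain string, newKey ed25519.PublicKey, sig []byte) error {
	if cur := l.Current(domain); cur != nil && !ed25519.Verify(cur, bindMsg("update", domain, newKey), sig) {
		return fmt.Errorf("%s: update not authorised by the current sovereign key", domain)
	}
	var prev []byte
	if n := len(l.records); n > 0 {
		prev = l.records[n-1].Hash
	}
	l.records = append(l.records, Record{domain, newKey, prev, recordHash(prev, domain, newKey)})
	return nil
}

// Audit recomputes the hash chain; false means a record was modified or removed.
func (l *Log) Audit() bool {
	var prev []byte
	for _, r := range l.records {
		if string(r.Prev) != string(prev) || string(r.Hash) != string(recordHash(prev, r.Domain, r.Sovereign)) {
			return false
		}
		prev = r.Hash
	}
	return true
}

// CrossSign is the domain owner's offline step: the sovereign key vouches for the
// operational TLS key that the server will present in handshakes.
func CrossSign(sovereignPriv ed25519.PrivateKey, domain string, opKey ed25519.PublicKey) []byte {
	return ed25519.Sign(sovereignPriv, bindMsg("cross", domain, opKey))
}

// VerifyServer is the client-side check: the key seen in the TLS handshake must be
// cross-signed by the sovereign key on record, so a key misissued by a CA or injected
// through DNSSEC fails here without any certificate warning to click through.
func VerifyServer(l *Log, domain string, opKey ed25519.PublicKey, crossSig []byte) error {
	sov := l.Current(domain)
	if sov == nil {
		return fmt.Errorf("%s: no sovereign key on record", domain)
	}
	if !ed25519.Verify(sov, bindMsg("cross", domain, opKey), crossSig) {
		return fmt.Errorf("%s: presented key is not cross-signed by the sovereign key", domain)
	}
	return nil
}

func main() {
	const domain = "example.org" // constructed sample name
	sovPub, sovPriv, _ := ed25519.GenerateKey(rand.Reader)
	opPub, _, _ := ed25519.GenerateKey(rand.Reader)
	mitmPub, _, _ := ed25519.GenerateKey(rand.Reader) // key a rogue CA might certify
	ledger := &Log{}
	fmt.Println("register:", ledger.Append(domain, sovPub, nil))
	fmt.Println("genuine server:", VerifyServer(ledger, domain, opPub, CrossSign(sovPriv, domain, opPub)))
	fmt.Println("misissued key:", VerifyServer(ledger, domain, mitmPub, CrossSign(sovPriv, domain, opPub)))
	fmt.Println("unsigned takeover:", ledger.Append(domain, mitmPub, nil))
	fmt.Println("log intact:", ledger.Audit())
}
```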
Peter Eckersley
12:45
01:00
Saal 1
from_press_freedom_to_the_freedom_of_information
From Press Freedom to the Freedom of information
Why every citizen should be concerned
meeting
This talk is about:
- Information freedom and the issues for the citizens
- RWB resources: a “human network”
- RWB needs: Get involved!
** Freedom of information and citizen issues
- Why defend media freedom, journalists and bloggers? Because without a free press, no cause can make its voice heard, no human rights violation can be reported.
Specific examples of information vital to the public (links below):
- the tainted baby formula scandal in China exposed by the netizen Zhao Lianhai, who was arrested as a result
- Organized crime denounced by netizens, some of whom have been killed. Rascatripas, the moderator of the Nuevo Laredo en Vivo website, murdered on 9 November 2011
- RWB sees how the media and methods of spreading news and information are evolving, and is adapting to the changes
- RWB helps all kinds of “information producers”, including professional journalists and bloggers, and takes positions on the problems specific to new media, such as the hounding of WikiLeaks
- Capacity building and e-advocacy: RWB provides bloggers, cyber-dissidents and journalists with the means to continue reporting and circulating information. Provision of censorship circumvention tools (including VPN) and online security training, circulation of viral campaigns, awareness campaigns, information about online risks.
** RWB’s resources: a “human network”
- A human network: 150 correspondents worldwide + informal contacts
- Strong lobbying capacity (European Parliament and Washington)
- A legal committee
- Handbook for Bloggers and Handbook for Journalists during Elections
- Training (in Thailand, in Paris in February, in China and elsewhere in the future)
- Virtual Shelter project: creation of an electronic safe and a website for hosting censored content
** RWB’s needs: Get involved!
- Need for people whose technical skills can help us to evaluate a country’s Internet, by carrying out tests to determine the filters used, the presence of Deep Packet Inspection and so on.
- Need for technicians who can tell us about the safety of the various communications methods used. Which governments monitor Skype, IRC, BBM, and Google Talk? Which email service or VoIP to use?
- Need for the help of experts in viral marketing, search engine marketing and information monitoring.
- Need for contacts in companies that cooperate with Internet censorship (or former employees)
- Need for the help of jurists in different countries to analyze the growing number of laws that regulate the Internet
Reporters Without Borders
Tainted baby formula scandal in China
Rascatripas, the moderator of the Nuevo Laredo en Vivo website, murdered on 9 November 2011
RWB helps bloggers in Egypt
Problems specific to new media WikiLeaks hounded
14:00
01:00
Saal 1
the_engineering_part_of_social_engineering
The engineering part of social engineering
Why just lying your way in won't get you anywhere
lecture
en
All the talks I saw about SE so far just showed what good SEs the speakers are. I try to take another approach: what if I get in and don't know what to do then? The talk is about the reconnaissance before the assessment and the different approaches to SE: which techniques one can use, how to do proper intel gathering and what is useful; how things work and, more importantly, why; which skill set one should have before entering an engagement; and last but not least how one counters an SE attack.
Preface:
Needed skill set:
-physical (i.e. NLP)
-logical
Customer preparation:
-theoretical models of attack
-check customer needs by his business
-contract
Preparation & reconnaissance:
-threat modeling
-physical
-logical
Project planning:
-storyboard
-the target
-infiltration
-fetching data/reaching the target
-exfiltrate
-backup plans
Infiltration:
Find & fetch the data:
Exfiltrate the data:
Writing report:
Business impact analysis:
Customer meeting:
Aluc
the slide deck
http://
16:00
01:00
Saal 1
quantum_of_science
Quantum of Science
How quantum information differs from classical
lecture
en
Quantum systems can have very different properties from their classical analogues which allows them to have states that are not only correlated but entangled. This allows for quantum computers running algorithms more powerful than those on classical computers (represented by Turing machines) and for quantum cryptography whose safety is (in principle) guaranteed by the laws of nature.
I will explain key facts of quantum information theory from a physics perspective. In particular, I will focus on the fundamental difference between the quantum world and the classical world of everyday experience that in particular makes it provably impossible to simulate a quantum world by a classical world. This will then be applied to information processing tasks like quantum computing, quantum cryptography and possibly the human brain.
No background in theoretical physics is necessary but some familiarity with basic complexity theory and linear algebra (what is a vector? what is a matrix?) could be helpful.
Robert Helling
17:15
01:00
Saal 1
security_nightmares
Security Nightmares
lecture
de
Frank Rieger
Ron
18:30
00:30
Saal 1
closing_event
Closing Event
other
en
Frank Rieger
11:30
01:00
Saal 2
neo_feudalism_or_why_julian_assange_might_be_wrong_after_all
Resilience Towards Leaking or Why Julian Assange Might Be Wrong After All
lecture
In his now (in)famous pamphlet "Conspiracy as Governance" Julian Assange (JA) argues about the need for leaking as an efficient way to destroy "unjust" groups as the neo-feudalistic ones - luring the conspiracy theory leaning hacker community into his belief system. Eventually, JA used a biologistic argument on the benefits and drawbacks that uncontrolled leaking might pose for "just" and "unjust" systems, arriving at the conclusion that "unjust" systems are hurt more and thus will be less viable, essentially being destroyed by more "just" systems. While an innovative proposal, the underlying assumptions on complexity, network theory, and especially the evolutionary perspectives were never critically assessed. Some blogs and media raised questions on details and potential threats to innocent bystanders. Still, fundamental problems with the philosophy were never addressed.
This paper argues against the general validity of such theories. In particular, we will refute some of the biologistic arguments. Theoretical biology has long ago pointed out the hidden complexity in evolutionary processes and as such the envisioned "leaking revolution" might be a limited artifact: there might even arise situations where the leaking envisioned and encouraged by Wikileaks and the like can actually strengthen some "conspiracies".
In this paper I will describe some research questions that should be answered before giving the “leaking philosophy” an unconditioned “thumbs-up”. Empirically, for example, a potential strengthening is illustrated by the rise of a 'neo-feudalistic economy', which is linked as closely to the paradigm of "intellectual property" as it is to the security-financial-political complex. The players have effectively created a closed network or a "conspiracy" and might be resilient towards Wikileaks-like attacks. The paper concludes with an alternative to that proposal; in particular, a way to deal with the 'conspiracy' that might be coined the rise of the neo-feudalistic society (which in itself is a self-sustainable, self-amplifying feedback loop, not necessarily a conscious conspiracy).
Kay Hamacher
Author's Homepage
12:45
00:30
Saal 2
antiforensik
Anti-forensics
An introduction to anti-forensics, using a new attack vector as an example
lecture
Anti-forensics is still a rather new topic and is gaining more and more importance. IT forensics as a means of establishing the facts can be decisive for acquittals or convictions in court, but also in internal investigations. It is therefore especially bad when the programs used for this do not work correctly and can even be attacked with prepared anti-forensic actions. The talk shows a previously unknown yet technically simple security hole in at least one forensics suite used worldwide, and how it can be exploited: adding investigation results, deleting/altering investigation results, infecting the analysis system with malware.
Anti-forensics is still a rather new topic and gains importance to the same extent that IT forensics gains importance. IT forensics as a means of establishing the facts can be decisive for acquittals or convictions in court, but also in internal investigations. The requirements for the correctness of the programs used and of one's own working methods are therefore especially high. People who fear an IT-forensic analysis of their computers and IT systems use anti-forensic measures to sabotage future investigations, or at least to make them harder.
Anti-forensics can mean, for example, destroying traces such as timestamps so that a later analysis is no longer possible. Actions are particularly serious when they attack an IT forensic examiner's analysis systems in such a way that investigation results are manipulated without being noticed. The talk will show a security hole in a forensics suite used worldwide and exploit it to subsequently insert information into forensic reports, remove information, and infect the analysis PC with malware unnoticed. The attack required for this is technically even very simple. Two forensics suites from the US market still have to be examined for holes.
The talk will present and exploit the newly found hole in the two programs, and beforehand give a short introduction to the topic of anti-forensics, including a short presentation of the current state of the art. If the US programs are vulnerable as well, the corresponding findings will be presented.
Martin Wundram
Articles I have written
Anti-forensics article from 2007 by Alexander Geschonneck
13:15
00:30
Saal 2
bup_git_for_backups
bup: Git for backups
lecture
en
bup is short for "backup". bup uses the file format of the distributed version control system Git. It solves Git's problems with big files. Deduplication is used to make backups space efficient (about five times smaller than rsnapshot's backups). Data is deduplicated globally across files and backups. If a small part of a big file is changed, only a little additional space is needed.
The major part of this talk will describe Git's concepts, the structure of a repository, file format, and go into detail about the resulting implications on backups.
After a demonstration of bup I'll describe the implemented algorithms and data structures and their resulting performance gains over other backup solutions.
The talk will end with an overview of the recent development and a bait for new developers.
Zoran Zaric
bup
14:00
00:30
Saal 2
chokepointproject
ChokePointProject - Quis custodiet ipsos custodes?
Aggregating and Visualizing (lack of) Transparency Data in near-realtime
lecture
en
The object of the lecture is to present and discuss the chokepointproject. How it (will) attempt(s) to aggregate and visualize near-realtime global internetwork data and augment this visualisation with legislative, commercial(ownership) and circumvention information.
The goals of the project are as follows:
1. Provide a global early warning system against governmental or commercial abuse of internetworking systems in regards to civil and human rights.
2. Enforce transparency by aggregating commercial ownership information.
3. Enforce transparency by aggregating legislative information, including voting histories.
4. Enable lobbyists to influence legislators by providing reliable, verifiable data.
5. Provide a public database with near real-time network monitoring data for general use.
6. Provide up to date circumvention methodologies, their relative legal status and their potential risks.
The chokepointproject currently consists of two elements:
1. A frontend and public database,
2. An intended globally distributed network monitoring data collection system.
The frontend intends to provide an easily understandable visualisation of aggregated and processed data-sources. The data-sources intend to provide the following information:
1. A per country detailed description of:
1a. Network ownership (by IP block and route)
1b. Legislative information such as
Which relevant laws are currently active. Who has voted for them (supposing voting was a part of the process).
Which relevant laws are currently under review or being proposed. Who are proposing/drafting these laws.
1c. What circumvention methods are currently available for specific problems.
2. Near real-time network status visualisations such as, but not restricted to
2a. Connectivity of geographic clusters,
2b. Manipulation of connectivity such as:
2b.1. Traffic shaping,
2b.2. Content filtering,
2b.3. Blackouts.
The intended globally distributed network monitoring data collection system would provide an independent and publicly available dataset. I do not intend to discuss this in depth. The focus of this lecture is supposed to be the front-end and the aggregation of already publicly available data sources, and the supposed benefit to improving civil rights everywhere and protecting them in those places where their functional effectiveness is under threat.
Ruben Bloemgarten
http://chokepointproject.net/
14:30
00:30
Saal 2
noc_review_28c3_camp
NOC Review
NOC Review about the Camp 2011 and 28C3
lecture
A review about the camp and the congress network. Network layout, planning, setup, operation and finally the teardown.
This talk will review both the 28C3 and, due to popular demand, the Camp network.
First we would like to give you a review about our network at the camp, where we built a mid-sized carrier network in a few weeks at a camp ground with no infrastructure:
Starting at the 4km fibre uplink and the roll out of fibre over the whole campground, you will learn how to build proper datenklos, deploy access switches and WLAN access points in them and also how to convert a shipping container into a sophisticated outdoor data center, in order to build a network that can deliver pictures of cute little cats to over 3000 users.
We had some issues and challenging tasks, which we wish to report; we also have some graphs, diagrams, photos and graphics which we want to share with you.
The second part will be about the network of the 28C3, which is more or less the usual stuff like every year. You will see some graphs, infrastructure, and hopefully no reports about big issues. ;)
Kay
Will Hargrave
16:00
01:00
Saal 2
smart_hacking_for_privacy
Smart Hacking For Privacy
lecture
Advanced metering devices (aka smart meters) are nowadays being installed throughout electric networks in Germany, in other parts of Europe and in the United States. Due to a recent amendment especially in Germany they become more and more popular and are obligatory for new and refurbished buildings.
Unfortunately, smart meters are able to become surveillance devices that monitor the behavior of the customers leading to unprecedented invasions of consumer privacy. High-resolution energy consumption data is transmitted to the utility company in principle allowing intrusive identification and monitoring of equipment within consumers' homes (e. g., TV set, refrigerator, toaster, and oven) as was already shown in different reports.
This talk is about the Discovergy / EasyMeter smart meter used for electricity metering in private homes in Germany. During our analysis we found several security bugs that range from problems with the certificate management of the website to missing security features for the metering data in transit. For example, (un)fortunately the metering data is unsigned and unencrypted, although the manufacturer's homepage explicitly states otherwise. It has to be pointed out that all tests were performed on a sealed, fully functional device.
In our presentation we will mainly focus on two aspects which we revealed during our analysis: first, the privacy issues, which go as far as allowing the TV program to be identified from the metering data, and second, the "problem" that one can easily alter the data transmitted, even for a third party, and thereby potentially fake the amount of consumed power being billed.
In the first part of the talk we show that the analysis of the household’s electricity usage profile can reveal what channel the TV set in the household is displaying. We will also give some test-based assessments whether it is possible to scan for copyright-protected material in the data collected by the smart meter.
In the second part we focus on the data being transmitted by the smart meter via the Internet. We show to what extent the consumption data can be altered and transmitted to the server, and visualize this by transmitting some kind of picture data to Discovergy’s consumption data server in a way that the picture content becomes visible in the electricity profile. Moreover, we show what happens if the faked power consumption data reflects unrealistically high or negative power consumption, and how that might influence database and service robustness.
Dario Carluccio
Stephan Brinkhaus
17:15
01:00
Saal 2
changing_techno_optimists_by_shaking_up_the_bureaucrats
Changing techno-optimists by shaking up the bureaucrats
lecture
en
Meet the Netherlands: a nation filled with techno-optimists protecting our freedom by putting in place restrictions on what you can do, reducing our privacy and having technology as a solution for anything and everything. When you make a trip we store your details for two years, your airplane meal selection from two years earlier is good data to test with, and when migrating the government website we keep the old website running in an unmaintained state. If you have nothing to hide nothing can go wrong and there is nothing you can do.
Well, not quite. What would happen if you play the system? If you would take the train and hack the card? What if you were to pick up the resistance you face and use it to your advantage, and no matter what the costs would carry on? If you would take some data and show the failures? Not just once but a full month long, and call that month Leaktober. What if you would publicly call out the failures with our personal data? Ultimately you make a difference. You change the law, you change the rules of the game and you really can raise the question whether storing all that data is really needed. Ultimately people really start to doubt if this is the right way to go.
This is a strategic and tactical story on how you can regain some privacy and data protection. Even though for a journalist this should be normal work, thanks to some people these things become very personal. It ends in criminal prosecution, legal threats, insults, a successful counter hack and ultimately a lot of benefits. But standing up for a cause does work as long as you focus on the stories you want to bring.
My story is about hacking the system from the inside, overcoming fear and showing bureaucrats that hackers are people too. The talk is a lessons learnt on how a few people can change a nation with hacker beliefs if they really want to. A guideline on how to make a difference by hacking the system you want to change. Where you can even make huge mistakes, but with some luck you can win a world. How you can make your critical voice be heard. Zillions of lessons learnt.
Brenno de Winter
11:30
01:00
Saal 3
your_disaster_crisis_revolution_just_got_pwned
Your Disaster/Crisis/Revolution just got Pwned
Telecomix and Geeks without Bounds on Security and Crisis Response
lecture
en
Software is becoming more and more important in organizing response to all kinds of crises, whether that means activists responding to an unjust government or aid workers helping with the aftermath of a disaster. Security often isn't the first thing people think about in these situations -- they have work to get done, just like the rest of us, and many of these tools are built in the heat of the moment. In a crisis, a lack of security can make a small disaster into a big one. In this talk, we'll look at real world experiences of the security and privacy problems in the field, and how to fix them, at both large and small levels.
People are using technology to try to save the world, whether in the disaster response world, or in activist or revolutionary work.
Many of the people involved are not technologists.
Many of the people building tools for these situations do not understand security.
This is a problem because:
Privacy issues for disaster response
Creepy uncle
Creepy government agency
Gaming the aid process with crowdsourced reports
Activists and revolutionaries are subject to direct attack, coercion, harassment, etc.
A few problems:
People are using generic tools that don't provide the guarantees they need
People are writing special-purpose tools without understanding the problem
People are writing tools which intentionally subvert their users
People don't understand the problems they're causing with how they use tools
To fix this:
Build specialist tools with a deep understanding of the real problems
Get the help you need to make tools secure
Ask for help
Help disaster/activist ICT projects if you know your security
Build security into generic tools, even if you're not planning on revolutionaries using them, because you never know when you're going to need to overthrow a government on Twitter.
Learn/teach about security and what it takes to use existing tools well
Build a security culture in your organization
Herr Urbach
willowbl00
Telecomix
Geeks Without Bounds
12:45
02:15
Saal 3
lightning_talks_day_4
Lightning Talks Day 4
other
en
Nick Farr
16:00
01:00
Saal 3
dc_plus_the_protocol
DC+, The Protocol
Technical defense against data retention law
lecture
en
The idea of Dining Cryptographers networks (DC-nets) offers much better anonymity compared to MIX networks: defined anonymity sets, no need to trust a central service, and no possible attack via data retention.
In this talk you will learn about DC-Networks, advanced key generation methods (resulting in a DC+-Network) and a library to make DC-Networks available to your programs.
klobs
A DC+-Server
A DC+-Library
Multicast on top of DC-Networks
https://github.com/klobs/DCoffee
17:15
01:00
Saal 3
evolving_custom_communication_protocols
Evolving custom communication protocols
Hell Yeah, it's rocket science
lecture
Even after years of committee review, communication protocols can certainly be hacked, sometimes highly entertainingly. What about creating a protocol the opposite way? Start with all the hacks that can be done and search for a protocol that gets around them all. Is it even possible? Part Time Scientists has used a GPU to help design our moon mission protocols and we'll show you the what and how. Danger: Real code will be shown!
Wes Faler
Julian Miller (inventor of CGP)
CGP Book “Cartesian Genetic Programming”
“Evolved to Win” CGP e-book
Communication Protocol Engineering