<?xml version="1.0" encoding="UTF-8"?>
<schedule>
  <conference>
    <title>29th Chaos Communication Congress</title>
    <subtitle></subtitle>
    <venue>CCH</venue>
    <city>Hamburg</city>
    <start>2012-12-27</start>
    <end>2012-12-30</end>
    <days>4</days>
    <release>Version 1.9</release>
    <day_change>04:00</day_change>
    <timeslot_duration>00:15</timeslot_duration>
  </conference>
  <day date="2012-12-27" index="1">
    <room name="Saal 1">
      <event id="5037">
        <start>00:15</start>
        <duration>01:30</duration>
        <room>Saal 1</room>
        <slug>nougatbytes10</slug>
        <title>Nougatbytes 10</title>
        <subtitle>Gebilde(r)ter Hirnsalat &#8211; die rhekkc&#252;&#1071; der Bilderr&#228;tsel</subtitle>
        <track></track>
        <type>contest</type>
        <language>de</language>
        <abstract>Well matured and with an improved recipe.

But still:
Two teams lounging on couches rack their brains, split hairs and free-associate against each other to untangle picture puzzles from the realms of IT, net society and computer science.
(Hashtag: #Nougatbytes)</abstract>
        <description>The two rounds of *NOUGAT*BYTES need four teams in total. We want to recruit the two teams for the first round in advance. So if you feel like sharing your cells with us and taking the audience into laughing custody, gather into integer-sized groups of 3-5 people and send your application to

Nougatbytes@laryllian.de

The deadline is in 41 minutes. ;)</description>
        <persons>
          <person id="3064">Ben</person>
          <person id="2234">Rainer</person>
        </persons>
        <links>
          <link href="http://www.youtube.com/watch?v=2Zdc9kqRKCs">Nougatbytes 01 (Video)</link>
          <link href="http://www.nougatbytes.de">www.Nougatbytes.de</link>
        </links>
      </event>
      <event id="5399">
        <start>11:00</start>
        <duration>00:15</duration>
        <room>Saal 1</room>
        <slug>opening_event</slug>
        <title>Opening Event</title>
        <subtitle></subtitle>
        <track></track>
        <type>other</type>
        <language>en</language>
        <abstract></abstract>
        <description></description>
        <persons>
          <person id="1340">bios</person>
        </persons>
        <links>
        </links>
      </event>
      <event id="5385">
        <start>11:30</start>
        <duration>01:00</duration>
        <room>Saal 1</room>
        <slug>not_my_department</slug>
        <title>Not my department</title>
        <subtitle></subtitle>
        <track></track>
        <type>lecture</type>
        <language>en</language>
        <abstract>On the topic of resistance.</abstract>
        <description></description>
        <persons>
          <person id="165">Jacob Appelbaum</person>
        </persons>
        <links>
        </links>
      </event>
      <event id="5181">
        <start>12:45</start>
        <duration>01:00</duration>
        <room>Saal 1</room>
        <slug>die_wahrheit_was_wirklich_passierte</slug>
        <title>Die Wahrheit, was wirklich passierte und was in der Zeitung stand</title>
        <subtitle>Wie Medien unsere Wahrnehmung beeinflussen</subtitle>
        <track></track>
        <type>lecture</type>
        <language>de</language>
        <abstract>In recent years the Congress has mainly examined the language of politicians. But waffling politicians are not the whole truth. We would therefore like to add the second important player in the construction of reality: the press, or the media. Statements by politicians (for example at press conferences) will be compared with how the media portray them. It will become clear that there are feedback effects between politicians and the media.</abstract>
        <description>Some up, others down: politics wants to play things down, while the media want the new and exciting and blow things up. How do such mechanisms show up in language? Politics and the media will be examined contrastively. They communicate the same thing, but not always in the same way. We start with the small things, with things that can quickly slip past anyone (even if they should not). Then we work our way up to the first real, though perhaps sometimes still negligent, manipulations, move on to deliberate exaggerations and falsifications, and finally arrive at the lies that are meant in earnest and intended to fool the audience. At the very end we take a brief look at the sad consequences of these manipulations. We show techniques of sharpening, simplifying, condensing and exaggerating, of constructing (pseudo-)logical connections, and much more. The examples are net-policy debates, the European Stability Mechanism and von der Leyen's family and social policy, and perhaps, given current events, a politician's resignation as well.

</description>
        <persons>
          <person id="3874">Kai Biermann</person>
          <person id="47">maha/Martin Haase</person>
        </persons>
        <links>
        </links>
      </event>
      <event id="5262">
        <start>14:00</start>
        <duration>01:00</duration>
        <room>Saal 1</room>
        <slug>anderthalb_jahre_fragdenstaat</slug>
        <title>Zur Lage der Information</title>
        <subtitle>1.5 Jahre FragDenStaat.de</subtitle>
        <track></track>
        <type>lecture</type>
        <language>de</language>
        <abstract>For a year and a half, FragDenStaat.de has accompanied German freedom of information in practice and documented the correspondence between requesters and public authorities. Which information does the state release, and which disclosures does it fight even in court? The most interesting cases are examined in more detail, and an assessment of the state of government information in Germany is given.</abstract>
        <description>Over the past year, FragDenStaat.de has again accompanied and documented freedom-of-information practice in Germany. Requests concerning the Ackermann dinner, ACTA and other files will be examined in more detail in this talk. The negative and positive trends in practice are described and the state of freedom of information in Germany is assessed.
Initiatives such as the Hamburg Transparency Act improve access to information significantly in theory, but only an actively lived practice can make the state truly more transparent: a call to use this important democratic tool.
</description>
        <persons>
          <person id="2618">Stefan Wehrmeyer</person>
        </persons>
        <links>
          <link href="https://fragdenstaat.de">FragDenStaat.de</link>
          <link href="http://stefanwehrmeyer.com/talks/fds29c3/">Presentation</link>
        </links>
      </event>
      <event id="5382">
        <start>16:00</start>
        <duration>01:00</duration>
        <room>Saal 1</room>
        <slug>antiterrordatei</slug>
        <title>Die Antiterrordatei</title>
        <subtitle></subtitle>
        <track></track>
        <type>lecture</type>
        <language></language>
        <abstract>On 6 November 2012 the CCC was invited to the hearing before the Federal Constitutional Court (Bundesverfassungsgericht) on the counter-terrorism database (Antiterrordatei, ATD) and the limits of police data processing. We report on the hearing, the arguments put forward there and the technical design of the ATD. And we speculate about a possible ruling next year.</abstract>
        <description>In addition to terror suspects, the Antiterrordatei also records the data of so-called contact persons and companions. The complainant objects in particular to the ATD's circumvention of the so-called separation requirement (Trennungsgebot) between police and intelligence services, and to the vagueness of the concept of terrorism. In the talk we will report on which points the court focused on, which further criticisms were raised and what our line of argument was.</description>
        <persons>
          <person id="381">Constanze Kurz</person>
          <person id="9">Frank Rieger</person>
        </persons>
        <links>
        </links>
      </event>
      <event id="5274">
        <start>17:15</start>
        <duration>01:00</duration>
        <room>Saal 1</room>
        <slug>grand_eu_data_protection_reform</slug>
        <title>The Grand EU Data Protection Reform </title>
        <subtitle>A latest battle report by some key actors from Brussels</subtitle>
        <track></track>
        <type>lecture</type>
        <language></language>
        <abstract>The current European data protection directive is from 1995, which was when the internet had not hit Brussels' decision-makers yet. Now, 17 years later, it is being completely rewritten. Will it meet the challenges of the age of big data? Will it have any effect on non-EU data hoarders? How will it deal with user-generated consent? What is this strange new "right to be forgotten"? And what about privacy by design?</abstract>
        <description>The presentation will give you the latest insight into the substance and state of play, and a first glance of the upcoming political battles in Brussels. The presenters are working directly at the core of the reform, both in the European Parliament and in the European digital rights community.</description>
        <persons>
          <person id="3925">Jan Philipp Albrecht</person>
          <person id="3172">Katarzyna Szymielewicz</person>
          <person id="3926">Kirsten Fiedler</person>
        </persons>
        <links>
          <link href="http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm">EU Commission: documents and info on the data protection reform</link>
        </links>
      </event>
      <event id="5287">
        <start>18:30</start>
        <duration>01:00</duration>
        <room>Saal 1</room>
        <slug>hinter_den_kulissen_nsu</slug>
        <title>Hinter den Kulissen: Der NSU und das V-Leute-System</title>
        <subtitle></subtitle>
        <track></track>
        <type>lecture</type>
        <language>de</language>
        <abstract>The NSU committee of inquiry in Thuringia and the NSU committee of inquiry of the Bundestag, on the NSU's series of murders, the system of informants (V-Leute) and the role of the Verfassungsschutz (domestic intelligence service).

For twelve years the "National Socialist Underground" (NSU) was able, undetected, to carry out in Germany a racist series of murders of nine migrant small-business owners, two bomb attacks with more than twenty injured, the murder of a young policewoman and a dozen bank robberies.</abstract>
        <description>While the investigating authorities suspected the families of those killed and the people around them and put them under pressure with questionable investigative methods, the NSU core trio, three neo-Nazis from Thuringia, and their broad network of supporters were able to put their racist fantasies of omnipotence into practice unhindered.

For state intelligence services and investigating authorities play down, cover up and deny the existence of neo-Nazi structures of terror and violence, to this day.

In this event we want to look in particular at the questionable role of V-Leute, neo-Nazis paid by the state, in the NSU complex. The committees of inquiry in the Bundestag and in the Thuringian state parliament have brought to light that the NSU's network was virtually surrounded by V-Leute. And for years V-Leute have been found again and again in leadership positions of other militant neo-Nazi organisations and of the NPD.

So it is time to talk about how the V-Mann system can be ended.</description>
        <persons>
          <person id="4006">Heike Kleffner</person>
          <person id="4005">Katharina K&#246;nig</person>
        </persons>
        <links>
          <link href="http://www.blaetter.de/archiv/jahrgaenge/2012/september/%C2%BBwir-sehen-nur-die-spitze-des-eisbergs%C2%AB">Wir sehen nur die Spitze des Eisbergs</link>
          <link href="http://haskala.de/2012/07/09/top-aussagen-im-untersuchungsausschuss/">Katharina K&#246;nig's blog on the NSU committee of inquiry</link>
        </links>
      </event>
      <event id="5338">
        <start>20:30</start>
        <duration>02:15</duration>
        <room>Saal 1</room>
        <slug>enemies_of_the_state</slug>
        <title>Enemies of the State: What Happens When Telling the Truth about Secret US Government Power Becomes a Crime</title>
        <subtitle>Blowing the Whistle on Spying, Lying &amp; Illegalities in the Digital Era</subtitle>
        <track></track>
        <type>podium</type>
        <language>en</language>
        <abstract>With the post 9/11 rise of the leviathan national security state, the rule of law in the United States under the Constitution is increasingly rule by secrecy, surveillance and executive fiat.</abstract>
        <description>Under the guise and veil of "national security" and "protecting" America through enabling act legislation and state "privilege," the United States government embarked on an unparalleled expansion of secret government power after 9/11, operating largely in the dark, while using extra-judicial executive authority for justifying its policies, including secret spying on its own citizens in violation of the Constitution.

Speakers Radack, Drake and Binney will highlight their searing experiences with the Department of Justice and the National Security Agency, when they were marked as criminal targets of the US government due to their whistleblower disclosures involving rendition/torture, national security, multi-billion fraud, pervasive institutional corruption, violations of the 1st and 4th Amendments, civil and human rights, illegal surveillance on a vast scale and other unlawful secret government conduct and wrongdoing.

They will also discuss the serious and compelling implications resulting from their excruciating ordeals centered on the nexus of secrecy, transparency, technology, privacy, anonymity, Internet and the law as well as actions people can take to deal with the reality of the growing surveillance state and its direct threats to human rights, liberty and freedom around the world in both our off- and on-line lives.</description>
        <persons>
          <person id="3971">Jesselyn Radack</person>
          <person id="3969">Thomas Drake</person>
          <person id="3970">William Binney</person>
        </persons>
        <links>
        </links>
      </event>
      <event id="5400">
        <start>23:00</start>
        <duration>01:00</duration>
        <room>Saal 1</room>
        <slug>hacking_cisco_phones</slug>
        <title>Hacking Cisco Phones</title>
        <subtitle>Just because you are paranoid doesn't mean your phone isn't listening to everything you say</subtitle>
        <track></track>
        <type>lecture</type>
        <language>en</language>
        <abstract>We discuss a set of 0-day kernel vulnerabilities in CNU (Cisco Native
Unix), the operating system that powers all Cisco TNP IP phones. We
demonstrate the reliable exploitation of all Cisco TNP phones via
multiple vulnerabilities found in the CNU kernel. We demonstrate
practical covert surveillance using constant, stealthy exfiltration of
microphone data via a number of covert channels. We also demonstrate the
worm-like propagation of our CNU malware, which can quickly compromise
all vulnerable Cisco phones on the network. We discuss the feasibility
of our attacks given physical access, internal network access and remote
access across the internet. Lastly, we built on last year's presentation
by discussing the feasibility of exploiting Cisco phones from
compromised HP printers and vice versa.</abstract>
        <description>We present the hardware and software reverse-engineering process which
led to the discovery of the vulnerabilities described below. We also
present methods of exploiting the following vulnerabilities remotely.


Cisco PSIRT has assigned CVE Identifier CVE-2012-5445 to this issue.

The issue is being disclosed via a Release Note Enclosure per the Cisco
Vulnerability Policy.  The Vulnerability Policy can be found at the
following location:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

I have included the contents of the Release Note Enclosure (RNE) that
will be available via the Cisco Bug Search tool below.

Cisco PSIRT appreciates you reporting this issue in a responsible manner
and working with us to remediate the issue.  We look forward to your
next report.

&lt;Begin RNE Text&gt;

Symptoms:
Cisco Unified IP Phone 7900 series devices also referred to as Cisco TNP
Phones contain an input validation vulnerability.  A local,
authenticated attacker with the ability to place a malicious binary on
the phone could leverage this issue to elevate their privileges or take
complete control of the device.

The issue is due to a failure to properly validate certain system calls
made to the kernel of the device.  This failure could allow the attacker
to overwrite arbitrary portions of user or kernel space memory.

The following Cisco Unified IP Phone devices are affected:
Cisco Unified IP Phone 7975G
Cisco Unified IP Phone 7971G-GE
Cisco Unified IP Phone 7970G
Cisco Unified IP Phone 7965G
Cisco Unified IP Phone 7962G
Cisco Unified IP Phone 7961G
Cisco Unified IP Phone 7961G-GE
Cisco Unified IP Phone 7945G
Cisco Unified IP Phone 7942G
Cisco Unified IP Phone 7941G
Cisco Unified IP Phone 7941G-GE
Cisco Unified IP Phone 7931G
Cisco Unified IP Phone 7911G
Cisco Unified IP Phone 7906

The following models have reached end-of-life (EOL) status (for hardware
only):
Cisco Unified IP Phone 7971G-GE
Cisco Unified IP Phone 7970G
Cisco Unified IP Phone 7961G
Cisco Unified IP Phone 7961G-GE
Cisco Unified IP Phone 7941G
Cisco Unified IP Phone 7941G-GE
Cisco Unified IP Phone 7906

Refer to the following link to determine what product upgrade and
substitution options are available:
http://www.cisco.com/en/US/products/hw/phones/ps379/prod_eol_notices_list.html

Conditions:
Cisco Unified IP Phones within the 7900 Series running a version of
Cisco IP Phone software prior to 9.3.1-ES10 are affected.  The fixed
software release is expected to be available for customers mid-to-late
November 2012.

Workaround:
Restrict SSH and CLI access to trusted users only.  Administrators may
consider leveraging 802.1x device authentication to prevent unauthorized
devices or systems from accessing the voice network.

Further Problem Description:
This issue was reported to Cisco PSIRT by Ang Cui of Columbia
University.  Cisco PSIRT would like to thank Ang and his staff for
working with Cisco to resolve this issue.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The Base and Temporal CVSS scores as of the time of evaluation
are 6.8/5.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&amp;version=2&amp;vector=AV:L/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C

CVE ID CVE-2012-5445 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

&lt;End RNE Text&gt;</description>
        <persons>
          <person id="3454">Ang Cui</person>
          <person id="4015">Michael Costello</person>
        </persons>
        <links>
          <link href="http://www.redballoonsecurity.com/slides/CuiCostelloStolfo_29c3.pdf">Presentation Slides</link>
        </links>
      </event>
    </room>
    <room name="Saal 4">
      <event id="5250">
        <start>00:15</start>
        <duration>02:00</duration>
        <room>Saal 4</room>
        <slug>googlequiz</slug>
        <title>Googlequiz</title>
        <subtitle>Wie man (spa&#223;orientiert) mehr als 5% seines Googleverm&#246;gens trainiert</subtitle>
        <track></track>
        <type>contest</type>
        <language>de</language>
        <abstract>In the Googlequiz, teams compete against each other, guessing *without internet* at tasks about Google searches and search results.</abstract>
        <description>The model is the British pub quiz: competing teams each sit at a table and drink cold beverages. At the front, a quizmaster poses questions/tasks, which the teams answer on paper (!). Then the answers are compared at the front and points are awarded. There are several rounds with different kinds of tasks. At the end the points are added up.
The Googlequiz is about tasks around Google queries and results. Important: participants may not use the internet during the quiz! The game takes place in your head and on paper. Google provides the solution, which is why only the quizmaster may use Google.
The Googlequiz is a decidedly fun-oriented event.

A team should consist of 6 to 8 people. A maximum of 7 teams can take part.
PS: A helpful aid you can bring along: an old newspaper.
</description>
        <persons>
          <person id="3996">Blanche</person>
          <person id="3997">Carsten Ripke</person>
          <person id="3897">J&#246;ran Muu&#223;-Merholz</person>
        </persons>
        <links>
        </links>
      </event>
      <event id="5127">
        <start>12:45</start>
        <duration>01:00</duration>
        <room>Saal 4</room>
        <slug>siechtum_und_sterben_der_aerztlichen_schweigepflicht</slug>
        <title>Siechtum und Sterben der &#228;rztlichen Schweigepflicht</title>
        <subtitle></subtitle>
        <track></track>
        <type>lecture</type>
        <language></language>
        <abstract>The Hippocratic Oath, which is meant to guide physicians' conduct ethically, is between 2,500 and 2,000 years old and is in fact probably the first 'data protection rule' of all. It says: "Whatever I see and hear, in the course of treatment or even outside my practice in my dealings with people, that ought not to be passed on, I will keep silent about and guard as a secret." [1]</abstract>
        <description>This noble attitude, as becomes clear once you look deeper into the matter, no longer seems to have many followers. Alongside the provisions in the Social Code (Sozialgesetzbuch) for the health insurers and their data-mining activities, the private health insurance sector is another large "data multiplier", in direct contradiction to the principle of data minimisation (Datensparsamkeit) [2].

But it can always get worse. Physicians today are cost-optimising entrepreneurs who give themselves over entirely to the promises of outsourcing (for example in billing). Other back-office services are readily used as well. In particular, the "cloud" computing behind them and the custom software for medical practices are problematic. What is medical confidentiality still worth when every debt-collection agency knows the diagnosis? Why should we rely on physicians who, without our consent, offer themselves up to the next "cloud" provider?

And then personalised medicine appears on the horizon, which will create an entirely new problem by means of human-genetic methods and the sequencing and storage of DNA data. In particular, the specialisation required in personalised medicine (including through external service providers who are not physicians) will lead to a further spread of genomic data and the disease data associated with them. Genomic data in particular are a data protection nightmare: with every new scientific finding they become ever more informative, ever more valuable. Can we already know today what it will be possible to read out of a few "lost" sequences? And can medical confidentiality be carried over into the new era of personalised medicine at all?

- [1] http://de.wikipedia.org/wiki/Eid_des_Hippokrates#.C3.9Cbersetzung_aus_dem_Altgriechischen
- [2] http://dejure.org/gesetze/BDSG/3a.html
</description>
        <persons>
          <person id="2626">Kay Hamacher</person>
        </persons>
        <links>
          <link href="http://de.wikipedia.org/wiki/Eid_des_Hippokrates#.C3.9Cbersetzung_aus_dem_Altgriechischen">http://de.wikipedia.org/wiki/Eid_des_Hippokrates#.C3.9Cbersetzung_aus_dem_Altgriechischen</link>
          <link href="http://dejure.org/gesetze/BDSG/3a.html">http://dejure.org/gesetze/BDSG/3a.html</link>
        </links>
      </event>
      <event id="5395">
        <start>14:00</start>
        <duration>01:00</duration>
        <room>Saal 4</room>
        <slug>howto_hack_the_law</slug>
        <title>Our daily job: hacking the law</title>
        <subtitle>The key elements of policy hacking</subtitle>
        <track></track>
        <type>lecture</type>
        <language>en</language>
        <abstract>Legal systems have a huge impact on what we do as hackers, but also on internet users in general. Laws can restrict our freedom to use the internet in ways we deem to be natural and they can impede the tools which we hackers use on a daily basis. Which is not to say that laws cannot also protect our freedom and ensure that all bits are treated equally. Most importantly, these laws can be hacked and tweaked to fit our needs - like most things in this world.</abstract>
        <description>So, how do you hack and tweak the law to protect our freedoms on the internet? In this talk we want to share Bits of Freedom's insights. We will point out the key elements of a successful lobby on both a national and European level. We will describe our approach to the net neutrality discussion in the Netherlands, now being the second country in the world to have enshrined this important principle in law. We will explain how we convinced the members of Dutch parliament to speak out clearly against the provisions of ACTA. Our experience in this field may prove valuable to individuals and organisations pursuing similar goals.

In short: this talk is a "HOWTO Hack the law".
</description>
        <persons>
          <person id="4017">Ot van Daalen</person>
          <person id="3979">Rejo Zenger</person>
        </persons>
        <links>
        </links>
      </event>
      <event id="5167">
        <start>16:00</start>
        <duration>01:00</duration>
        <room>Saal 4</room>
        <slug>setting_mobile_phones_free</slug>
        <title>Setting mobile phones free</title>
        <subtitle>An overview of a mobile telephony market and how a community-driven operator is born</subtitle>
        <track></track>
        <type>lecture</type>
        <language>en</language>
        <abstract>In The Netherlands, this year the community-driven mobile telco Limesco has started operations. We're providing voice, SMS and data services to dozens of hackers in our country.

One of the founders of Limesco will give a lecture about mobile telephony in The Netherlands, encompassing topics like what companies are involved in the system, how tariffs are constructed and the role of government regulations.</abstract>
        <description>The world of telephony consists of a lot of companies that are interconnected to provide phone services to customers. Since the introduction of VoIP protocols and the increase in available bandwidth, a lot of small VoIP providers have been starting to provide services. This creates a healthy and competitive market place for land-line telephony.

However, up to the day of today, mobile telephony is dominated by only a handful of companies. In The Netherlands, only three national networks exist: the Dutch KPN, the German T-Mobile and the British Vodafone. While a lot of "virtual" operators exist that make use of those networks, only little innovation takes place and operators are more often seen as introducing arbitrary barriers that facilitate commercial goals.

Out of the frustration for these barriers came the idea to start investigating what would be needed to run our own mobile telco to facilitate innovation and freedom in a community of hackers. Over a time of almost two years, the founders of Limesco have been talking to several existing companies and have found a way to fund and start a community-driven mobile telco.

A couple of months ago we shipped our first SIM cards and were able to start offering services. What makes Limesco unique are a couple of important differences compared to classical operators: we value privacy and specifically state privacy goals that are taken into account when designing our open source information and configuration systems, we are the only mobile telco that is reachable over IRC, we are hackers ourselves and hope to be able to do some cool innovations and make real progress in the future.

However, the best feature we have is our Do-it-Yourself connectivity variant. The model used by classical operators (and also our Out-of-the-Box variant) allows a user to insert a SIM into a mobile phone and the operator takes care of all technical stuff to make the connection work. In our Do-it-Yourself variant, this will only be the case for SMS and data, but we will route all voice through the SIP server of the user. This allows the user to configure a mobile phone as extension on an Asterisk server and do any fancy stuff that has been possible with landline phones for a long time.

Depending on available time and preference of the audience, during this lecture, the following questions will be answered by one of the founders of Limesco:
- what are the reasons the project has been started?
- what companies are involved in mobile telephony in The Netherlands?
- how are those companies cooperating to provide mobile phone services?
- how do those companies charge each other?
- how are tariffs for end users constructed?
- what is the role of government intervention in tariff designs?</description>
        <persons>
          <person id="3860">Mark van Cuijk</person>
        </persons>
        <links>
          <link href="http://limesco.nl/">Website of Limesco</link>
          <link href="https://secure.limesco.nl/wiki/Hoofdpagina">Limesco Wiki</link>
        </links>
      </event>
      <event id="5374">
        <start>17:15</start>
        <duration>01:00</duration>
        <room>Saal 4</room>
        <slug>re_igniting_the_crypto_wars_on_the_web</slug>
        <title>Re-igniting the Crypto Wars on the Web</title>
        <subtitle></subtitle>
        <track></track>
        <type>lecture</type>
        <language>en</language>
        <abstract> This talk will give an overview of the ongoing work by the W3C on a controversial general purpose Javascript cryptography API in context of the larger desire to create trusted and encrypted cloud services with rich web applications. Today, cryptography is difficult to use and the Web is an insecure environment at best, but can this situation be improved and cryptography be put in the hands of ordinary developers and users? The W3C specification, currently under development, will be described, as well as its interaction with other parts of the emerging Web Security Model at the W3C and IETF such as Content Security Policy, HTTP Strict Transport Security, and Certificate Transparency. A number of use-cases, ranging from decentralized identity systems to secure cloud services for activists, will be detailed. As the specification will be under active development until autumn 2013, feedback from the hacker community is needed! </abstract>
        <description>Recently, the W3C has released as a First Public Working Draft the Web Cryptography API [1], which defines a number of cryptographic primitives to be deployed across browsers and native Javascript environments. This proposal is moving fast, and will likely be finalized by the end of 2013 and in all major browsers shortly thereafter, as browser vendors Google, Microsoft, Mozilla, and Opera are all on board. As has been discussed in a number of blog-posts [2], cryptography in Javascript on the Web is an unsafe bet at best today (Javascript Crypto O RLY?), although technically the Web Crypto API is a WebIDL that could be bound to programming languages beyond Javascript. Even with excellent implementations such as the Stanford Javascript Crypto Library [3], browsers still do not have basic cryptographic functionality not provided natively by Javascript, such as key storage.

Yet is Javascript cryptography doomed on the Web? Much of the critique of Javascript cryptography boils down to a critique of current Web browsers, and as has been shown by the W3C and browser vendors - the Web Platform can evolve. Due to TLS, almost every web browser and operating system already contains well-verified and reviewed cryptographic algorithms. At its core, the Web Cryptography API will simply expose this functionality to WebApp developers, with a focus on essential features such as cryptographically strong random number generation, constant-time cryptographic primitives, and a secure keystore. Without these functions, Javascript web cryptography would be impossible.

Yet we realize the Web Cryptography API is only a single component in building the emerging Web Security model that is necessary to make the Web part of a trusted environment. For example, one open issue is whether or not applications using the Web Cryptography API also should be required to use Content Security Policy (and attendant work such as HSTS) to prevent XSS attacks [4]. Indeed, should and can browser vendors and the W3C as a whole tackle the malleability of the browser Javascript run-time environment? Furthermore, can we use the Cryptography API to manipulate and check certificates, as is needed by proposals such as the new IETF Certificate Transparency proposal? Without a doubt these security considerations are of utmost importance, and getting them right to enable cryptography on the Web will require holistic thinking about attack surfaces and threat models. A number of use-cases, ranging from decentralized identity systems to secure cloud services for activists, will be detailed - including some 

One issue with the Web Cryptography API is that the Working Group decided to expose the low-level functionality first rather than aiming only for a high-level API aimed at the developer on the street who may not have a grasp of the finer details of cryptography. The Working Group did this on purpose after taking a survey of users [5], in order to allow experienced developers to build the functionality needed across the largest number of use-cases, but a "high-level" API similar to KeyCzar that makes using cryptography easy for Web developers will also be presented. A second issue is that the current Web Cryptography API exposes legacy cryptographic algorithms that can be used insecurely, which was done in the draft to allow Web Application developers to create applications with interoperability with widely used applications such as GPG, SSH, and the like. A number of thorny issues will be presented, and feedback from the audience will be encouraged.

The questions facing this API are not only technical but political: Is releasing this cryptography in Javascript to developers responsible? Assuming it can even work, Javascript cryptography can be used for both great good and great harm. For example, given the recent proposal for Encrypted Media in HTML5, there is no doubt that a desire for enforcing copyright may be on the agenda. After all, the World Wide Web Consortium is an industrial standards body! Yet given the current dangerously insecure state of Javascript cryptography and the fact that developers are already re-implementing cryptographic functions in Javascript in programs such as crypto.cat, myself and others at the W3C thought that action should be taken. Also, the W3C is led by Tim Berners-Lee, who has publicly expressed support for protests against ACTA and an end to dangerous packet-sniffing bills put forward by governments like the UK. To avoid copyright enforcement via cryptography, should we prevent cryptography from reaching Web applications needed by activists? What do the current attempts to put together a Web Security Model mean in the larger social landscape: Are we seeing a new round of cryptography wars on the Web, and will cryptography be used to protect individuals against the now panoptic data-mining on the Web - and will it help or hinder the move towards a more transparent society?

The entire point of this talk is to get wider input from the hacker community before we set the API in stone by implementing it, as by the next CCC it will be too late, as well as ask the harder questions that technical working groups usually avoid. The talk will be presented by Harry Halpin, W3C staff contact for the Working Group and author of the group charter.</description>
        <persons>
          <person id="3953">Harry Halpin</person>
        </persons>
        <links>
          <link href="http://www.w3.org/TR/WebCryptoAPI/">Web Cryptography API</link>
        </links>
      </event>
      <event id="5095">
        <start>18:30</start>
        <duration>01:00</duration>
        <room>Saal 4</room>
        <slug>privacy_and_the_car_of_the_future</slug>
        <title>Privacy and the Car of the Future</title>
        <subtitle>Considerations for the Connected Vehicle</subtitle>
        <track></track>
        <type>lecture</type>
        <language>en</language>
        <abstract>To date, remote vehicle communications have provided little in the way of privacy. Much information and misinformation has been spread on what the system is and can do, especially within the information security community. The recent field trial in the US of a connected vehicle infrastructure raises the level of concern amongst all who are aware of existing privacy issues.</abstract>
        <description>In this talk I will examine a current high-level system design for North American vehicles, conforming to IEEE and SAE standards and used in a recent road test in Ann Arbor, Michigan, USA. I will consider privacy concerns for each portion of the system, identifying how they may be addressed by current approaches or otherwise considered solutions. I conclude with a discussion of the strategic value in engagement between the privacy community and automotive industry during development efforts and the potential community role in raising privacy as a competitive advantage.

I was contracted to do a privacy audit in July to identify aspects of the technology that would pose threats to users' privacy, as well as offering summaries of methods to partially or completely compromise the system. For this program to be successful, it must be accepted by the public since the benefits are derived from others' broadcasts. Good technologists realize that until the system is close to deployment in the field, none of the details mean that much unless you have real hardware. However, careful early consideration of the overall system design can identify and lead to solutions to information leaks that will compromise the user's ability to control their private information.
</description>
        <persons>
          <person id="3068">Christie Dudley</person>
        </persons>
        <links>
          <link href="http://www.sae.org/standardsdev/dsrc/">SAE J2735: DSRC message content specification</link>
          <link href="http://standards.ieee.org/getieee802/download/802.11p-2010.pdf">IEEE 802.11p Standard</link>
          <link href="http://grouper.ieee.org/groups/802/11/Reports/tgp_update.htm">802.11p Task group updates</link>
          <link href="http://www.standards.its.dot.gov/fact_sheet.asp?f=80">Overview of WAVE vehicle interconnect standards</link>
        </links>
      </event>
      <event id="5159">
        <start>20:30</start>
        <duration>01:00</duration>
        <room>Saal 4</room>
        <slug>defend_freedoms_online</slug>
        <title>Defend your Freedoms Online: It's Political, Stupid!</title>
        <subtitle>A Positive agenda against the next ACTA, SOPA, and such</subtitle>
        <track></track>
        <type>lecture</type>
        <language>en</language>
        <abstract>Over the years we learned impressively how to oppose bad legislation hurting our freedoms online. We are now facing an even bigger challenge: how to guarantee that a Free, open, decentralized Internet will be protected in the long run? 

In 2012 The Internetz won major battles against SOPA/PIPA in the US, and against ACTA in the EU. Yet, we know that the powerful industries and governments behind these projects will never stop. They have an incentive to gain control of the Internet, attacking fundamental rights and promoting technologies like "Deep Packet Inspection", now being deployed in each and every corner of the Net, and used indifferently to break Net neutrality, to filter, block and censor communications or to inspect citizens' traffic.

How to push for proposals that will ensure that the sharing of knowledge and culture, citizens' freedoms, and access to an open infrastructure will be guaranteed in future public policies? How to become as successful in proposition as we are now in opposition?

(Hint: it's political, stupid!)</abstract>
        <description>On Wednesday, July 4th 2012, The European Parliament rejected ACTA, the evil, dangerous and illegitimate copyright treaty, by a huge majority of 478 to 39. To all those who, for years, said it was impossible: we did it. Resonating in echo to victory against SOPA/PIPA in the US, this is a major victory for the multitude of connected citizens and organizations who worked hard for years, but also a great hope on a global scale for a better democracy. 

These victories are of huge symbolic and political value, and we're still beginning to comprehend fully their meaning. It is now our duty to shape their political consequences. All is in our hands.

For years we have been witnessing the converging interests of political and industrial powers to attempt to get control of a Free Internet through various repressive measures (censorship, copyright enforcement, attacks against Net neutrality, etc.). We know that their attempts at attaining their financial or political objectives will never stop. And we must continue to combat them.

Still, we learned over the years, by demonstrating what we advocate for, that we are capable of formulating clear alternatives to each and every bad piece of legislation being proposed. From that effort is born a positive political agenda, aggregating all the proposals that were put forward by La Quadrature du Net and other activists while doing the opposition job.

It is a political battle, in the etymological sense of the word "politics": citizens caring about the affairs of the city, in that case: the Internets.

All is on the table for each and every citizen to take part in a great effort for fostering the sharing of culture and knowledge, protecting Human Rights in the digital society and guaranteeing access to a Free and open Internet. 

Let's get things moving forward! </description>
        <persons>
          <person id="1505">J&#233;r&#233;mie Zimmermann</person>
        </persons>
        <links>
          <link href="https://www.laquadrature.net/proposals">La Quadrature du Net's proposals to adapt public policy to the technological and social realities of the Internet</link>
          <link href="https://www.laquadrature.net/en/proposals-for-the-reform-of-copyright-and-related-culture-and-media-policy">Proposals for the reform of copyright and related culture and media policy</link>
          <link href="https://www.laquadrature.net">La Quadrature du Net</link>
        </links>
      </event>
      <event id="5206">
        <start>21:45</start>
        <duration>01:00</duration>
        <room>Saal 4</room>
        <slug>the_ethics_of_activists_ddos_actions</slug>
        <title>The Ethics of Activist DDOS Actions</title>
        <subtitle>A Historical Analysis</subtitle>
        <track></track>
        <type>lecture</type>
        <language></language>
        <abstract>In the world of digital activism, distributed denial of service attacks present relatively low barriers to popular participation, have a high potential for attracting large numbers of first-time and repeat participants, and can attract large amounts of media attention. But though such actions are popular, are they ethical? In this talk I will be presenting an ethical framework for the analysis of activist DDOS actions. The framework is grounded in a historical analysis of various activist DDOS actions, such as the IGC attacks in Spain in the late 90s, Electronic Disturbance Theater actions in the early 2000s, and the Anonymous-led Operation Payback attacks in 2010. Each historical case study presents a unique confluence of technological, political, legal and operational factors allowing for a full spectrum of ethical analysis.</abstract>
        <description>Though DDOS actions are only one aspect of digital activism, the tactic crystallizes many issues that are central to the development of the internet as a field of political action. Property rights, free speech, public versus private spaces online, participant responsibility, and the legal consequences of protest are all issues central to the validity of both DDOS actions and digital activism overall. How do changes in technology, such as the use of botnets (volunteer or otherwise), traffic amplifiers, or exploits, affect the ethical validity of a DDOS action? What about so-called "wildcat" DDOS actions, which are instigated by a single individual through the use of a botnet or exploit (making it a DOS action)? What does the overwhelmingly privatized nature of the internet mean for the ethical validity of disruptive tactics like DDOS? How do the legal penalties, which are based in a criminal understanding of such attacks, affect the ethical responsibilities of the organizers of such actions? What are the ethical responsibilities activists bear towards the network itself? Are disruptive tactics like DDOS actions effective, and in what ways are they effective? In examining these questions, I will be looking at how DDOS actions fit into the landscape of digital activism and what they mean for the development of civil disobedience tactics online.

I am a second-year Masters student at MIT, studying digital activism at the Center for Civic Media at the Media Lab. I'm particularly interested in digital civil disobedience and disruptive protest, and my DDOS research encompasses a significant part of my master's thesis. I presented a preliminary version of this work at the HOPE conference in New York this past summer (notes and a recording of that talk can be viewed here: http://oddletters.com/2012/07/15/hope9-talk-activist-ddos-when-similes-and-metaphors-fail/). While that talk focused on the rhetorical framings of DDOS actions, this version concentrates on the ethics of such actions. Since HOPE, I have expanded the historical analysis significantly, including three additional case studies to more thoroughly cover the spectrum of potential actions. I've also incorporated a stronger theoretical underpinning for the ethical framework, which solidifies and strengthens the analysis overall. The general analysis has also been expanded to address larger issues implicated by DDOS actions, including the validity of disruptive tactics and public spaces online.</description>
        <persons>
          <person id="3855">Molly Sauter</person>
        </persons>
        <links>
        </links>
      </event>
      <event id="5044">
        <start>23:00</start>
        <duration>01:00</duration>
        <room>Saal 4</room>
        <slug>time_is_not_on_your_side</slug>
        <title>Time is NOT on your Side</title>
        <subtitle>Mitigating Timing Side Channels on the Web</subtitle>
        <track></track>
        <type>lecture</type>
        <language></language>
        <abstract>In this year&#8217;s talk, I tie in with my 28c3 talk and present timing side channels from a defender&#8217;s viewpoint: How can one mitigate timing side channels? Aren&#8217;t random delays sufficient to prevent timing side channels in practice? What is the minimum size of random delays to be effective? Are there other delay strategies besides random delays that are more effective and efficient?</abstract>
        <description>Timing side channels are vulnerabilities in software applications that leak sensitive information about secret values such as cryptographic keys. They differ from common intrusive vulnerabilities such as Buffer Overflows or SQL-Injection because the attacker sends normal-looking requests to the server and infers secret information just from the time it took to process the request. Timing attacks are getting increasingly well understood by day-to-day penetration testers and in academia, breaking Web standards such as XML Encryption [1], or helping to fingerprint Web Application Firewalls [2]. At 28c3, I gave the talk &#8220;Time is on my Side&#8221; [3], which gave an overview of timing attacks, introduced a set of tools for timing attacks and explained practical timing attacks against real applications.

In this year&#8217;s talk, I tie in with my 28c3 talk and present timing side channels from a defender&#8217;s viewpoint: How can one mitigate timing side channels? Aren&#8217;t random delays sufficient to prevent timing side channels in practice? What is the minimum size of random delays to be effective? Are there other delay strategies besides random delays that are more effective and efficient?

I am going to present the state-of-the-art of timing side channel mitigation. Furthermore, I show the results of a practical evaluation of the timing attack mitigations.

 - [1]: Bleichenbacher's Attack Strikes Again: Breaking PKCS#1 v1.5 in XML Encryption. Tibor Jager, Sebastian Schinzel, Juraj Somorovsky. 17th European Symposium on Research in Computer Security (ESORICS 2012), http://www.nds.rub.de/research/publications/breaking-xml-encryption-pkcs15/
 - [2]: WAFFle: Fingerprinting Filter Rules of Web Application Firewalls, Isabell Schmitt, Sebastian Schinzel, https://www.usenix.org/conference/woot12/waffle-fingerprinting-filter-rules-web-application-firewalls
 - [3]: Time is on my Side. Sebastian Schinzel. http://events.ccc.de/congress/2011/Fahrplan/events/4640.en.html</description>
        <persons>
          <person id="3349">Sebastian Schinzel</person>
        </persons>
        <links>
          <link href="http://events.ccc.de/congress/2011/Fahrplan/events/4640.en.html">28c3 Talk: Time is on my Side</link>
        </links>
      </event>
    </room>
    <room name="Saal 6">
      <event id="5112">
        <start>12:45</start>
        <duration>01:00</duration>
        <room>Saal 6</room>
        <slug>isps_black_box</slug>
        <title>ISP's black box</title>
        <subtitle>provisioning behind the scenes</subtitle>
        <track></track>
        <type>lecture</type>
        <language></language>
        <abstract>This talk is aimed to give an insight into CPE WAN Management Protocol (CWMP) and its GPLv2 implementations that were developed in the past year.</abstract>
        <description>CWMP (often called only TR-069) enables ISPs to remotely configure, manage, upgrade and troubleshoot Customer Premises Equipment (CPE) aka your home DSL router. It is a vendor agnostic standard used to manage at least one device per customer. The protocol, used on more than half a billion devices, will be discussed in detail.

GPLv2 CWMP related software will also be presented:

 - freecwmp is a CWMP client for (but not limited to) OpenWrt
 - freeacs-ng ACS server
 - mod_cwmp nginx CWMP proxy module
 - libfreecwmp library keeps the shared code in one place</description>
        <persons>
          <person id="3796">Luka Perkov</person>
        </persons>
        <links>
          <link href="http://www.broadband-forum.org/cwmp.php">CWMP standard</link>
          <link href="http://freecwmp.org/">http://freecwmp.org/</link>
          <link href="http://freeacs-ng.org/">http://freeacs-ng.org/</link>
          <link href="http://libfreecwmp.org/">http://libfreecwmp.org/</link>
        </links>
      </event>
      <event id="5221">
        <start>14:00</start>
        <duration>01:00</duration>
        <room>Saal 6</room>
        <slug>cyberwar_statt_cyberwar</slug>
        <title>Cyberpeace statt Cyberwar</title>
        <subtitle></subtitle>
        <track></track>
        <type>lecture</type>
        <language>de</language>
        <abstract>We are witnessing an arms race in cyberspace that has been under way for several years. More and more states are building up military cyberwar units that consist of IT specialists and serve the purpose of securing IT systems at best or, at worst, attacking the systems of "enemies".</abstract>
        <description>National armament increases the risk for civil society. As networking and digitalization come to cover every place and every person in the world, vulnerability to and dependence on IT systems grow. In the digital space, national borders, responsibilities and jurisdictions dissolve. Large corporations are multinational; products and IT systems are often developed and manufactured in a distributed fashion across several states. Conflicts are hard to contain geographically or to resolve through national cyber centres. Anyone can be an opponent or an enemy; anyone can be a partner or an affected party.

Answers must be sought in de-escalation through peace policy. National cyberwar units that are meant to prepare attacks have to find vulnerabilities in IT systems and keep them secret. Such vulnerabilities are a danger to the public. They can be used by anyone who finds them. At the same time, the chance to close the vulnerability for the civilian population is wasted.

The threat potential of a cyberwar can be reduced by a combination of different measures, such as:
- Decentralization of critical infrastructures,
- Reduction of dependencies through diversity instead of homogeneous, monolithic IT landscapes.
- Development of new communication protocols, and consistent use of existing ones, that meet the requirements of secure communication from the outset.
- Renouncing offensive strategies fosters transparency, scientific discourse, the open handling of security topics, and open source technologies.</description>
        <persons>
          <person id="3847">Sylvia Johnigk</person>
        </persons>
        <links>
        </links>
      </event>
      <event id="5208">
        <start>16:00</start>
        <duration>01:00</duration>
        <room>Saal 6</room>
        <slug>accessibility_and_security</slug>
        <title>What accessibility has to do with security</title>
        <subtitle></subtitle>
        <track></track>
        <type>lecture</type>
        <language></language>
        <abstract>Accessibility of digital content is a hugely misunderstood issue. Programmers and content developers tend to view it as a distraction or a special interest concern. Accessibility advocates fail to describe it in terms that would put it in the proper place for other technologists, in particular security practitioners.
We argue that if a format or a document has systemic accessibility problems, then accessibility is likely to be the least of its problems; that accessibility only collapses first, like a canary in a mine, and security is next to follow. We argue that many accessibility problems, just like many security problems, stem from documents being hard to parse or containing executable content, and that the accessibility community is only the first to suffer, due to not having the manpower to make extremely complicated formats almost work almost always. It's an arms race tougher than the security patching cycle, made worse by there being no common model for what accessibility properties should look like.</abstract>
        <description>In fact, accessibility software is an unexpected consumer of complicated formats, and is thus the first sanity check on complexity gone out of whack. We believe that the accessibility community and the security community should join their efforts in working towards the same goal of documents that can be easily and consistently parsed without compromising security.

We now live in the digital world where both security and accessibility solutions are daily tasked with solving problems that are in general undecidable, like the halting problem. The least we can do is acknowledge the situation and accept accessibility as an asset to the computer security field.

This is a talk that attempts to place accessibility of digital content within the security field. The main point is very simple: accessibility suffers where documents are hard to parse or contain executable content, and this is where security also suffers. For example, it is not coincidental that the same features of PDF and Flash that make them the prime attack vectors also make them very hard for screenreaders to handle; in fact, a pretty good guess of where vulnerabilities are can frequently be made from what features tend to be accessibility breakers. Accessibility software developers might notice these issues before the security community does, but will typically fail to communicate them to anyone who might care.

The feature bloat in digital documents is getting worse and worse, and despite frequently being of no value or of negative value to the user, it is propagated in the name of providing a better user experience. Accessibility and security would both be good reasons to stop increasing the complexity of formats and the amount of executable content in digital documents, if someone would just take this to heart.

I would like to hope that accessibility could become a reason to revert the current situation where one can no longer trust a webpage or an e-mail to be opened in any browser or mailreader that tries to parse and represent everything that is in it. If we cannot make people care about security, perhaps we can make them care about accessibility?

I will show how typical "accessible" web pages look to text-only tools such as text browsers and screen readers, and summarize several years of experience trying to understand what the users who require them must go through every day, even with the so-called "accessible" formats. The web can be surprisingly different through a text-only prism.</description>
        <persons>
          <person id="3884">Anna Shubina</person>
        </persons>
        <links>
          <link href="http://www.cs.dartmouth.edu/~ashubina/acc-public.pdf">An old version of this talk, somewhat sanitized</link>
        </links>
      </event>
      <event id="5102">
        <start>17:15</start>
        <duration>01:00</duration>
        <room>Saal 6</room>
        <slug>digiges</slug>
        <title>Netzaktivisten! Ist das alles, was wir drauf haben?</title>
        <subtitle>A subjective stocktaking</subtitle>
        <track></track>
        <type>lecture</type>
        <language>de</language>
        <abstract>In recent years, the balance of power in net politics has shifted in interesting ways. New alliances are forming both against and for the free Internet, and yet activism remains far behind its potential.</abstract>
        <description>In April 2011, Digitale Gesellschaft e. V. went online as a new way of standing up for users' rights online in a campaign-oriented manner. At the last Camp there was a look at its working methods and plans. A lot has happened since then: ACTA, net neutrality, privatization of law enforcement, OpenData, St&#246;rerhaftung (secondary liability) and the copyright debate are just some of the topics Digiges has worked on since.

The talk aims to give an insight into and an overview of the work of Digiges and to share experiences.</description>
        <persons>
          <person id="3797">Linus Neumann</person>
          <person id="1755">Markus Beckedahl</person>
          <person id="4014">Ulf Buermeyer</person>
        </persons>
        <links>
          <link href="https://twitter.com/digiges">Twitter</link>
          <link href="https://digitalegesellschaft.de/">Homepage</link>
        </links>
      </event>
      <event id="5397">
        <start>18:30</start>
        <duration>01:00</duration>
        <room>Saal 6</room>
        <slug>indect_verhaltenserkennung</slug>
        <title>INDECT, Verhaltenserkennung &amp; Co</title>
        <subtitle>automated state suspicion</subtitle>
        <track></track>
        <type>lecture</type>
        <language>de</language>
        <abstract>INFECT: "During the research on our new killer virus, our ethics committee took the most meticulous care that none of the researchers got infected."</abstract>
        <description>Although both experience and studies have shown that video surveillance in public spaces cannot deliver the promised effectiveness, and that the reasons for this lie not in the quality and quantity of the cameras but above all in the way those affected deal with the surveillance, there are always incorrigible surveillance advocates who try by every means to make the billions spent pay off after all and who once again promise us more security. Everywhere, research on the computer-aided automation of video surveillance and on the recognition of our behaviour is being carried out feverishly (and deliriously).
Automated video surveillance constitutes an even stronger encroachment on fundamental rights and must therefore be critically questioned anew. INDECT is only the tip of the iceberg.</description>
        <persons>
          <person id="3064">Ben</person>
        </persons>
        <links>
        </links>
      </event>
      <event id="5283">
        <start>20:30</start>
        <duration>01:00</duration>
        <room>Saal 6</room>
        <slug>whiteit_cleanit_ceocoalition</slug>
        <title>White IT, Clean IT &amp; CEO Coalition</title>
        <subtitle>How the executive tries to enlist providers for content control on the Internet</subtitle>
        <track></track>
        <type>lecture</type>
        <language></language>
        <abstract>After the failure of the various political and legislative initiatives for blocking and filtering content in Germany and the EU, various political actors have launched initiatives to negotiate and implement the same mechanisms with service providers on the basis of "self-regulation".

These negotiations between governments (or government-like organizations) and industry partners do not only happen in back rooms. Quite a few of these projects are surprisingly transparent about what they intend to do and how they want to get there.</abstract>
        <description>Increasingly, the decision about what is illegal and what is not, and what may be distributed and what may not, is made without any involvement of the legal system, solely on the basis of agreements between the executive branch and willing providers, using automated tools.

Facebook uses PhotoDNA (software from Microsoft) to scan image uploads for known images that are to be blocked. Microsoft likewise scans the files its customers store in SkyDrive with this software. The use of such filters is actively promoted by the Commission as part of its CEO Coalition.

White IT is an initiative of state interior minister Sch&#252;nemann that is working to establish a filtering infrastructure for web hosting and e-mail providers. To this end, a central file of hashes of known files (depictions of child abuse, but also ordinary adult pornography) is to be created at the BKA. Without the involvement of a judge, the images marked as "criminal" by the BKA will be deleted or filtered (and possibly also reported) by the providers.

Clean IT is a project concerned with removing terrorist propaganda from the net. Here too, the use of automated filtering and blocking systems is being considered. What exactly terrorist content is supposed to be, and on what basis these interferences with freedom of expression are to take place, is unclear.

All of these projects aim to establish mechanisms in which the law and the rule of law are completely bypassed. Freedom of expression is thus increasingly left to the decisions of a few large industry partners, who are also happy to use the moral support of governments to develop their own agenda.

The speaker recently left the White IT alliance in a publicly visible manner, is an observing member of the CEO Coalition, and will report on his experiences with both.</description>
        <persons>
          <person id="3321">Christian Bahls</person>
        </persons>
        <links>
          <link href="http://www.edri.org/edrigram/number10.5/ceo-coalition-freedom-of-speech">CEO Coalition to make the Internet a better place for kids</link>
          <link href="http://www.youtube.com/watch?v=eb2EemGUAkA">28c3: What is WhiteIT and what does it aim for?</link>
          <link href="https://netzpolitik.org/2012/bundnis-gegen-kinderpornografie-im-internet-mogis-erklart-austritt-aus-white-it/">B&#252;ndnis gegen Kinderpornografie im Internet: MOGiS erkl&#228;rt Austritt aus White IT</link>
          <link href="https://www.unwatched.org/EDRigram_10.5_Buendnis_fuer_ein_kindersicheres_Internet">B&#252;ndnis f&#252;r ein kindersicheres Internet</link>
        </links>
      </event>
      <event id="5134">
        <start>21:45</start>
        <duration>01:00</duration>
        <room>Saal 6</room>
        <slug>new_human_interfaces_for_music</slug>
        <title>New Human Interfaces for Music</title>
        <subtitle>DIY MIDI Controllers</subtitle>
        <track></track>
        <type>lecture</type>
        <language></language>
        <abstract>Human interface design for musical instruments presents unique challenges and vast new possibilities.  The proliferation of low cost rapid-prototyping tools has put the means of fabricating instruments within reach of the performing musician.  In this talk, I'll go through the design process for my main performance controller (The Mojo), my multiplayer instruments (aka Jamboxes) and my new RoboCaster guitar-controller.</abstract>
        <description>* How to build a controller (Making of The Mojo): http://www.youtube.com/watch?v=uqs59UrA11c
* Moldover's Jamboxes: http://www.youtube.com/watch?v=Muj-1m2X-4M</description>
        <persons>
          <person id="3835">Moldover</person>
        </persons>
        <links>
        </links>
      </event>
      <event id="5059">
        <start>23:00</start>
        <duration>01:00</duration>
        <room>Saal 6</room>
        <slug>scada_strangelove</slug>
        <title>SCADA Strangelove</title>
        <subtitle>or: How I Learned to Start Worrying and Love Nuclear Plants</subtitle>
        <track></track>
        <type>lecture</type>
        <language></language>
        <abstract>Modern civilization unconditionally depends on information systems. It is paradoxical but true that ICS/SCADA systems are the most insecure systems in the world. From network to application, SCADA is full of configuration issues and vulnerabilities.</abstract>
        <description>During our report, we will demonstrate how to obtain full access to a plant via:

- a sniffer and a packet generator
- FTP and Telnet
- Metasploit and osql
- a webserver and a browser

About 20 new vulnerabilities in common SCADA systems including Simatic WinCC will be revealed.

Releases:
- modbuspatrol (mbpatrol) &#8211; free tool to discover and fingerprint PLC
- Simatic WinCC security checklist
- Simatic WinCC forensic checklist and tools
- close to real life attack scenario of a Simatic WinCC based plant


- 1. Intro
- 1.1 Who we are?
- 1.2 History of research
- 2. Overview of ICS/SCADA architecture
- 3. SCADA network puzzle
- 3.1 Overview of protocols used in SCADA networks
- 3.2 Modbus overview
- 3.3 S7 overview
- 3.4 Modbus/S7 SCADA/PLC fingerprint (release mbpatrol - free tool for PLC fingerprint)
- 4. Who is mister PLC?
- 4.1 Typical PLC architecture
- 4.2 Security and configuration issues
- 4.3 Coordinated disclosure of vulnerabilities in several PLCs
- 5. DEMO. Owning plant with ftp and telnet. During the demo, I will demonstrate how several vulnerabilities and configuration issues of a PLC can be used to get root access to the device, install a rootkit and manipulate something in the real world.
- 6. Miss SCADA
- 6.1 Place of OS and DB in security of SCADA infrastructure
- 6.2 Simatic WinCC default configuration issues
- 6.3 Ways to abuse OS and DB vulnerabilities
- 6.4 Coordinated disclosure of several OS/DB WinCC vulnerabilities
- 6.5 Simatic WinCC security checklist
- 6.6 Simatic WinCC postexploitation/forensic
- 7. Heavy weapon
- 7.1 SCADA/HMI application architecture (based on Simatic WinCC)
- 7.2 Client side in SCADA network? (release of client-side fingerprint tool for HMI software)
- 7.3 Coordinated disclosure of vulnerabilities in Siemens Simatic WinCC 7.0 used in exploit
- 8. Architecture of exploit
- 9. DEMO. Owning plant with browser. Exploit scenario. Several 0-day (but responsibly disclosed) vulnerabilities in Siemens Simatic WinCC 7.0 used to:
  - Fingerprint presence of WinCC client software
  - Obtain access password to WinCC WebNavigator interface
  - Read registry and files on WinCC box
  - View and manage HMI/PLC/technological process from the internet via the operator's browser
- 10. PS. Why physical separation is not enough

Will we tell about 0-day vulnerabilities?
Yes, but we will coordinate with the vendor, so the list of vulnerabilities depends on the patching speed of Siemens.

Will instruments be presented?

Releases:
- modbuspatrol (mbpatrol) &#8211; free tool to discover and fingerprint PLC
- Simatic WinCC security checklist
- Simatic WinCC forensic checklist and tools
</description>
        <persons>
          <person id="3990">Denis Baranov</person>
          <person id="3992">Gleb Gritsai</person>
          <person id="3781">Sergey Gordeychik</person>
        </persons>
        <links>
          <link href="http://scadastrangelove.org">SCADA StrangeLove Project</link>
          <link href="http://scadastrangelove.blogspot.com/search/label/Releases">Releases</link>
        </links>
      </event>
    </room>
    <room name="Saal 17">
      <event id="5405">
        <start>11:00</start>
        <duration>03:30</duration>
        <room>Saal 17</room>
        <slug></slug>
        <title>Deutschlandfunk @ 29C3</title>
        <subtitle>Interviews, panel discussions, getting to know each other</subtitle>
        <track></track>
        <type>other</type>
        <language></language>
        <abstract></abstract>
        <description></description>
        <persons>
        </persons>
        <links>
          <link href="http://www.youtube.com/watch?v=nNHgtgwxnNA">Deutschlandfunk @ 29C3</link>
        </links>
      </event>
      <event id="5415">
        <start>14:30</start>
        <duration>00:30</duration>
        <room>Saal 17</room>
        <slug></slug>
        <title>Not my department</title>
        <subtitle>Frank Rieger interviewed about 29C3</subtitle>
        <track></track>
        <type>other</type>
        <language>de</language>
        <abstract>Audience welcome.</abstract>
        <description></description>
        <persons>
        </persons>
        <links>
          <link href="http://www.youtube.com/watch?v=nNHgtgwxnNA">Deutschlandfunk @ 29C3</link>
        </links>
      </event>
      <event id="5414">
        <start>15:00</start>
        <duration>00:30</duration>
        <room>Saal 17</room>
        <slug></slug>
        <title>On the state of freedom of information</title>
        <subtitle>Stefan Wehrmeyer of &#187;Frag' den Staat&#171; interviewed</subtitle>
        <track></track>
        <type>other</type>
        <language>de</language>
        <abstract>Audience welcome.</abstract>
        <description></description>
        <persons>
        </persons>
        <links>
          <link href="http://www.youtube.com/watch?v=nNHgtgwxnNA">Deutschlandfunk @ 29C3</link>
        </links>
      </event>
      <event id="5416">
        <start>15:30</start>
        <duration>01:00</duration>
        <room>Saal 17</room>
        <slug></slug>
        <title>Deutschlandfunk @ 29C3</title>
        <subtitle>Interviews, panel discussions, getting to know each other</subtitle>
        <track></track>
        <type>other</type>
        <language></language>
        <abstract></abstract>
        <description></description>
        <persons>
        </persons>
        <links>
          <link href="http://www.youtube.com/watch?v=nNHgtgwxnNA">Deutschlandfunk @ 29C3</link>
        </links>
      </event>
      <event id="5411">
        <start>16:30</start>
        <duration>00:30</duration>
        <room>Saal 17</room>
        <slug></slug>
        <title>Live broadcast of &#187;Forschung Aktuell&#171;</title>
        <subtitle>Deutschlandfunk @ 29C3</subtitle>
        <track></track>
        <type>other</type>
        <language></language>
        <abstract>Audience welcome.</abstract>
        <description></description>
        <persons>
        </persons>
        <links>
          <link href="http://www.youtube.com/watch?v=nNHgtgwxnNA">Deutschlandfunk @ 29C3</link>
          <link href="http://www.dradio.de/dlf/sendungen/forschak/">Programme website</link>
        </links>
      </event>
      <event id="5406">
        <start>17:00</start>
        <duration>01:00</duration>
        <room>Saal 17</room>
        <slug></slug>
        <title>Deutschlandfunk @ 29C3</title>
        <subtitle>Interviews, panel discussions, getting to know each other</subtitle>
        <track></track>
        <type>other</type>
        <language>de</language>
        <abstract></abstract>
        <description></description>
        <persons>
        </persons>
        <links>
          <link href="http://www.youtube.com/watch?v=nNHgtgwxnNA">Deutschlandfunk @ 29C3</link>
        </links>
      </event>
    </room>
  </day>
  <day date="2012-12-28" index="2">
    <room name="Saal 1">
      <event id="5160">
        <start>11:30</start>
        <duration>01:00</duration>
        <room>Saal 1</room>
        <slug>transparenzgesetz_hh</slug>
        <title>We are all lawmakers!</title>
        <subtitle>How to further transparency by law &#8211; the Hamburg example and beyond</subtitle>
        <track></track>
        <type>lecture</type>
        <language>en</language>
        <abstract>In the Free City of Hamburg, which is one of 16 German states, a coalition of hackers, activists and other players of civil society have drafted the most revolutionary Freedom of information law in the world. 
The law obliges the state to proactively publish all important public information (such as contracts, studies, construction permits) in an OpenData format on the Internet. After the start of a referendum campaign, the law was passed unanimously by the state parliament in June 2012 to avoid a public vote on it.</abstract>
        <description>Gregor Hackmack, Co-Founder of ParliamentWatch and one of the initiators of the Hamburg transparency law will present the law, its implications and most importantly how the campaign was started and why it succeeded. 
He will also briefly talk about ParliamentWatch, a transparency website running in Germany with partner projects in Luxembourg, Ireland and Tunisia and its impact on politicians.</description>
        <persons>
          <person id="3960">Gregor Hackmack</person>
        </persons>
        <links>
        </links>
      </event>
      <event id="5319">
        <start>12:45</start>
        <duration>01:00</duration>
        <room>Saal 1</room>
        <slug>certificate_authority_collapse</slug>
        <title>Certificate Authority Collapse</title>
        <subtitle>Will the EU Succeed in Regulating HTTPS? </subtitle>
        <track></track>
        <type>lecture</type>
        <language>en</language>
        <abstract>Hypertext Transfer Protocol Secure (HTTPS) has evolved into the de facto standard for secure web browsing. But in the security community, it has long been known that HTTPS is fundamentally broken, and this has been confirmed by alarming hacks and security breaches at several Certificate Authorities (CAs). To tackle the global collapse of trust in these central mediators of HTTPS communications and to augment HTTPS security, the EU has launched a proposal for strict regulation. Will these efforts succeed?</abstract>
        <description>Through the certificate-based authentication protocol that is HTTPS, web services and internet users protect valuable communications and transactions against interception and alteration by cybercriminals, governments and business. In only one decade, it has facilitated trust in a thriving global E-Commerce economy, while every internet user has come to depend on HTTPS for social, political and economic activities on the internet.

Recent breaches and malpractices at several Certificate Authorities (CAs) have led to a collapse of trust in these central mediators of HTTPS communications as they revealed fundamental weaknesses in the design of HTTPS. In particular, the breach at Dutch CA DigiNotar shows how a successful attack on one of the 650 Certificate Authorities across 54 jurisdictions enables attackers to create false SSL certificates for any given website or service. Moreover, DigiNotar kept the breach silent. So for 90 days, web browsers continued to trust DigiNotar certificates, enabling attackers to intercept the communications of 300.000 Iranians. In its aftermath, Dutch public authorities took over operations at DigiNotar and convinced Microsoft to delay updates to its market-leading web browser to ensure &#8216;the continuity of the internet&#8217;. These bold interventions lacked a legitimate basis.

Given our dependence on secure web browsing, the security of HTTPS has become a top priority in telecommunications policy. In June 2012, the European Commission proposed a new Regulation on eSignatures. As the HTTPS ecosystem is by and large unregulated across the world, the proposal presents a paradigm shift in the governance of HTTPS. Moreover, taking the form of a Regulation, the EU proposal will become law in 27 Member States directly upon adoption in Brussels. In other words, this is the one to watch.

The presentation addresses the question of whether, and if so how, the EU should address the systemic vulnerabilities of the HTTPS ecosystem. The hack at Dutch CA DigiNotar and other security breaches at CAs are discussed, from which the systemic vulnerabilities of HTTPS emerge. It then analyses the EU eSignatures Regulation and abstracts from the EU proposal in search of general insights for communications security governance.

The presentation and paper are part of a PhD project on communications security governance and have been presented in September 2012 at the Berkman Center of Harvard University and the Telecommunications Policy Research Conference in Washington D.C. </description>
        <persons>
          <person id="3930">axelarnbak</person>
        </persons>
        <links>
          <link href="http://www.ivir.nl/staff/arnbak.html">Bio and publications A.M. Arnbak</link>
          <link href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2031409">Paper 'Certificate Authority Collapse'</link>
        </links>
      </event>
      <event id="5380">
        <start>14:00</start>
        <duration>01:00</duration>
        <room>Saal 1</room>
        <slug>staatstrojaner2012</slug>
        <title>Trojan Blind Flight</title>
        <subtitle>Spyware by order of the state</subtitle>
        <track></track>
        <type>lecture</type>
        <language>de</language>
        <abstract>We have known for a few years that the state is technically capable of infiltrating the computers of some of its citizens. But should it also be allowed to? What has happened with the state trojan in recent months?</abstract>
        <description>Since the publication of the CCC's investigations into the state trojan, a new discussion about the use of the spy software has developed. "Quellen-TK&#220;" (telecommunications surveillance at the source) and online searches have been the subject of investigation reports and parliamentary inquiries over the past year. We want to look at their results in the talk. And we will not be sparing with advice for the future legislator.</description>
        <persons>
          <person id="381">Constanze Kurz</person>
          <person id="4014">Ulf Buermeyer</person>
        </persons>
        <links>
        </links>
      </event>
      <event id="5396">
        <start>16:00</start>
        <duration>01:00</duration>
        <room>Saal 1</room>
        <slug>gender_studies_informatik</slug>
        <title>What is gender studies in computer science, what can it do, and what is it for?</title>
        <subtitle></subtitle>
        <track></track>
        <type>lecture</type>
        <language></language>
        <abstract>Worldviews in computer science are in some respects not unlike those in the hacker community.</abstract>
        <description>What is it?

In general, gender research on technology is divided into the following categories:
1. Women, men, age groups, ethnicities, social classes, etc. that are represented in the field/profession. How do they fare there? This includes, for example, comparative studies between countries and cultures that explain why women's participation in computer science is so much higher in all Near and Far Eastern countries than here. Another example is our recently completed DFG study on worldviews of computer science in Germany.
2. How is gender treated in the field concerned, and with what consequences? The imaging and image processing provided by computer science are media through which gender, too, is represented. They make the public and medical presentation of stereotypes easier and thus unnecessarily entrench outdated notions of gender.
3. How does historical and/or current one-sidedness in participation affect the goals, methods, models and interpretation of results of the respective field? Here too, results from our worldviews project can serve as an example. Also of interest is a study of the VPA Siri that uses more in-depth theories to analyse and reflect on the background assumptions used and on the design (options).

What can it do, what is it for?

From the examples above, their purpose necessarily follows: gender studies are eye-openers for one-sidedness that is embedded, for example, in software, its models and the ways it can be used. Engaging with them can broaden one's view, and more adequate solutions can be found as a result, which can ultimately also have economic consequences.</description>
        <persons>
          <person id="3984">Britta Schinzel</person>
        </persons>
        <links>
        </links>
      </event>
      <event id="5401">
        <start>17:15</start>
        <duration>01:00</duration>
        <room>Saal 1</room>
        <slug>der_mord_faellt_aus</slug>
        <title>The murder is called off</title>
        <subtitle>A workshop report from the GEMA alternative C3S</subtitle>
        <track></track>
        <type>lecture</type>
        <language></language>
        <abstract>The debate over GEMA's tariff reform was one of the major topics of 2012: the collecting society came under criticism across all political camps and social strata, and warnings of a great wave of club closures were carried onto the streets by thousands. This also increased interest in the &#187;Cultural Commons Collecting Society&#171; (C3S), a grassroots project to found a new, modern collecting society that understands the Internet and that is, among other things, to offer full support for Creative Commons licences. 2012 was therefore also an eventful year for this project, and in 2013, according to plan, its founding as a European Cooperative Society and the filing of its application with the German Patent and Trade Mark Office are to follow.</abstract>
        <description>When we started work in 2010, we considered efforts to reform GEMA from the inside or the outside less promising than setting up something entirely new. We reckoned with three to four years to turn the ambitious idea into a functioning collecting society for music. In this talk we want not only to explain what the goal looks like, but also to report on stations and encounters along the way, and to show by example in which details the devil lies when you build a GEMA competitor in your spare time.
</description>
        <persons>
          <person id="4012">Christoph Scheid</person>
          <person id="2867">m.eik</person>
          <person id="4011">Meinhard Starostik</person>
        </persons>
        <links>
        </links>
      </event>
      <event id="5275">
        <start>18:30</start>
        <duration>01:00</duration>
        <room>Saal 1</room>
        <slug>facthacks</slug>
        <title>FactHacks</title>
        <subtitle>RSA factorization in the real world</subtitle>
        <track></track>
        <type>lecture</type>
        <language>en</language>
        <abstract>RSA is the dominant public-key cryptosystem on the Internet. This talk will explain the state of the art in techniques for the attacker to figure out your secret RSA keys.</abstract>
        <description>A typical 1024-bit RSA public key is a product of two secret 512-bit
primes. The security of the cryptosystem relies on an attacker being
unable to compute the user's secret primes. The attacker can try
guessing one of the secret primes and checking whether it divides the
user's public key, but this is very unlikely to work: there are more
than 2^500 512-bit primes, far beyond the number of atoms in the
universe.

Fortunately for the attacker, there are much faster ways to figure out
the secret primes. Some of the danger is visible in public announcements
of factorization records by academic teams; the largest publicly
factored RSA key, announced in 2009, has 768 bits. But what does this
mean for the security of 1024-bit RSA?

There are several different reasons that a real-world attacker doesn't
have to play by the rules of an academic challenge. Sometimes users have
bad random-number generators; sometimes users generate both primes from
a single search; sometimes users choose special primes to try to make
RSA run faster; sometimes users leak secret bits through side
channels; sometimes the attacker has a botnet, or a 65-megawatt data
center in Utah or Tianjin.

This talk will assess the real-world threat to RSA-1024, explaining what
the best attacks can do and how you can replicate them in your very own
home or local GPU farm. Attack algorithms will be presented as Python
code snippets and will already be online before the talk.

This is a joint presentation by Daniel J. Bernstein, Nadia Heninger, and
Tanja Lange, surveying work by many people.</description>
        <persons>
          <person id="3908">djb</person>
          <person id="3909">Nadia Heninger</person>
          <person id="3823">Tanja Lange</person>
        </persons>
        <links>
        </links>
      </event>
      <event id="5024">
        <start>20:30</start>
        <duration>01:00</duration>
        <room>Saal 1</room>
        <slug>hackers_as_a_highrisk_population</slug>
        <title>Hackers As A High-Risk Population</title>
        <subtitle>Harm Reduction Methodology</subtitle>
        <track></track>
        <type>lecture</type>
        <language>en</language>
        <abstract>Hackers are a high-risk population. This talk will provide hackers with tools to reduce the risk to themselves and their communities using harm reduction methodology.</abstract>
        <description>Hacktivism, social networks, hacking&#8217;s learning opportunities, grey area use of communication tools by revolutionaries and countermovements, information transparency opportunities, privacy and security abuse and user risk situations all share one central tension: resolving ethical decisions around potentially harmful behavior. 

At the same time, those who confuse information with advocacy perceive much of what we do &#8211; and discuss &#8211; as dangerous.

This talk will provide hackers with tools to reduce the risk to themselves and their communities. We&#8217;ll examine the similarities between extreme risk populations and the risk / harm situations hackers find themselves in &#8211; especially those with exceptional access, power or talent. 

Importantly, I&#8217;ll explain how the controversial &#8211; yet effective &#8211; harm reduction model can be used specifically as a tool for at-risk hackers, and those faced with decisions that may result in perceived or actual harm. 

The talk begins with an overview of harm reduction and its roots in reducing risk in European drug culture. We&#8217;ll also look at how it is currently used hands-on in the US by urban activists/educators/crisis volunteers such as myself to effectively educate and reduce risk in high-risk, typically underserved, populations.

Threaded throughout the talk is the idea that informed consent practices and the acceptance that harmful behavior is immutable can be effective tools to solve ethical decisions. Used on a wider scale, harm reduction in this light can be used to change the cultural conversation when black vs. white solutions (&#8220;just say no,&#8221; jailing those who publish information or &#8220;real names&#8221; policies) are unsuccessfully applied to complex problems (drug abuse, abusive use of information, using pseudonyms for harm).

We&#8217;ll examine instances in which harm reduction would minimize damage (including the &#8220;gentleman&#8217;s agreement&#8221; between hackers), and failures when harm reduction could have mitigated failure or worse.

We will specifically look at harm reduction as applied to hacktivism, social networks, hacking&#8217;s learning opportunities, grey area use of communication tools by revolutionaries and countermovements, information transparency opportunities, privacy and security abuse, and user risk events.

For over a decade I have taught harm reduction methodology and practice in San Francisco, California to global health students, nurses, doctors, outreach and clinic workers, counselors and therapists. The primary organization I do this with is a twice-yearly training for healthcare professionals so they are able to treat populations on the fringes and who live in danger. Additionally, I have instructed and applied harm reduction methods to volunteer work I&#8217;ve done to bridge homeless and at-risk youth with neighborhood residents to foster safer quality of life. The third arena in which I instruct and apply harm reduction is a twice-yearly live-action, on-site refugee crisis simulation led in conjunction with UCSF&#8217;s Global Health Program in which volunteers for [NGO] organizations such as Doctors Without Borders and Red Cross are intensely prepared for emergency refugee relief events.

It is with all this work that I see the lens with which the HR methods can seriously benefit the edge-case and high-risk scenarios hackers often find themselves in. </description>
        <persons>
          <person id="3737">Violet Blue</person>
        </persons>
        <links>
        </links>
      </event>
      <event id="5140">
        <start>21:45</start>
        <duration>01:00</duration>
        <room>Saal 1</room>
        <slug>safecast</slug>
        <title>Safecast: DIY and citizen-sensing of radiation</title>
        <subtitle>Empowering citizens in the wake of the Fukushima triple-meltdown disaster</subtitle>
        <track></track>
        <type>lecture</type>
        <language></language>
        <abstract>The triple meltdown of the Fukushima Dai-Ichi nuclear power plant in March last year and the release of radioactive material that has ensued have left a good part of Northern Japan contaminated with an unknown amount of radioactivity. An outstanding lack of transparency from both the government and the power utility then resulted in a near total lack of information concerning the levels of radiation in the as yet unknown contaminated areas.
As a response, concerned citizens have started to take this challenging task upon themselves. However, it quickly became clear that handheld measurements wouldn't scale up to the full magnitude of the area to cover. New means of measuring radiation accurately, quickly and cheaply were needed.</abstract>
        <description>We present the design of an affordable mobile radiation sensor system for independent citizen monitoring and cartography of radioactive contamination. Historically, radiation measurement has had a high entry barrier for technical, financial, and political reasons. We show how the tremendous advances in information technology have been a game changer in this field. Notably, we leverage the open-source software and hardware paradigm to dramatically accelerate the development and deployment time of the system. Our design methodology allowed us to prototype and deploy the system in one month following the Fukushima disaster. Our sensors have since been driven by volunteers, covering most of North-East Japan with a fine spatial resolution.

Safecast is a volunteer based organization created in the early days following the triple meltdown accident at the Fukushima nuclear power plant in 2012. Its goal is to give independent information concerning the radiation levels, first in Japan, but then globally.

Early on, we realized that in most places radiation measurements are simply not done, so we decided to collect this data ourselves. Volunteers from Tokyo Hackerspace used tools from the DIY revolution (Arduino, cheap PCB fab, laser cutters, ...) to create a versatile mobile radiation measurement device called a bento-Geiger counter, nicknamed bGeigie, a lunchbox-sized contraption that is fixed on a car and collects geo-tagged radiation data as the car moves.

Using this system (of which we have around 50 units by now), we were able to cover most of Japan, but also other places world wide, such as Hong Kong, Seoul, California, etc. The devices are driven around by volunteers in the Fukushima area during their daily activities.

This lecture will present first how this organization was born from a discussion on social networks, and how these networks allowed talented people to come on-board quickly. Then the bGeigie system will be presented to show how it could be replicated at home. Finally the result of our survey of radiation in Japan and the maps resulting will be shown.</description>
        <persons>
          <person id="2052">sean bonner</person>
        </persons>
        <links>
          <link href="http://www.safecast.org">Safecast Homepage</link>
          <link href="https://github.com/Safecast/">Safecast's github repository</link>
        </links>
      </event>
      <event id="5309">
        <start>23:00</start>
        <duration>02:00</duration>
        <room>Saal 1</room>
        <slug>hacker_jeopardy</slug>
        <title>Hacker Jeopardy</title>
        <subtitle>Number guessing for geeks</subtitle>
        <track></track>
        <type>contest</type>
        <language></language>
        <abstract></abstract>
        <description></description>
        <persons>
          <person id="933">Ray</person>
          <person id="101">Stefan 'Sec' Zehl</person>
        </persons>
        <links>
        </links>
      </event>
    </room>
    <room name="Saal 4">
      <event id="5270">
        <start>00:15</start>
        <duration>01:00</duration>
        <room>Saal 4</room>
        <slug>hanussens_mindreading</slug>
        <title>Hanussen's mindreading</title>
        <subtitle>Experiments of the historical psychic</subtitle>
        <track></track>
        <type>other</type>
        <language>de</language>
        <abstract>This is fun stuff for the late night program, not a serious talk: Is it possible to read somebody else's mind?

In the late 1920s/early 1930s Berlin was excited by the famous mindreader and fortune-teller Erik Jan Hanussen who performed his strange abilities on stage. His act was so convincing that leading Nazis believed in his powers and wanted him for advice &#8211; until they decided to murder him.</abstract>
        <description>Markus Kompa tells the true story of the mysterious mindreader 'Erik Jan Hanussen' (1889-1933) and offers to copy Hanussen's experiments with the participation of the audience. A biography of Hanussen by Kompa was used by screenwriters of the German movie "Hotel Lux" to design a Hanussen-style character. Kompa is a well-known magician and expert in deception &#8211; and maybe gifted, maybe not.</description>
        <persons>
          <person id="3904">markuskompa</person>
        </persons>
        <links>
          <link href="http://www.heise.de/tp/artikel/27/27562/1.html">biography of Hanussen by Kompa</link>
          <link href="http://hotel-lux-film.de/">German movie "Hotel Lux"</link>
        </links>
      </event>
      <event id="5289">
        <start>11:30</start>
        <duration>01:00</duration>
        <room>Saal 4</room>
        <slug>meldegesetz</slug>
        <title>Meldegesetz</title>
        <subtitle>What became of the 57-second law</subtitle>
        <track></track>
        <type>lecture</type>
        <language>de</language>
        <abstract>The Meldegesetz (registration law) and the successful protest against it.</abstract>
        <description>When we learned in July that the law had passed smoothly through the Bundestag in its 2nd and 3rd readings and now needed only the approval of the Bundesrat, we had already given the matter up for lost. But when the details became known (objection is futile!), along with the last-minute changes in the Committee on Internal Affairs, and the video of the 57-second vote in the Bundestag made the rounds, public outrage was great and suddenly no party wanted to have intended it that way. In a joint campaign by FoeBuD, campact, the Verbraucherzentrale Bundesverband (vzbv) and the Deutsche Vereinigung f&#252;r Datenschutz, almost 200,000 people documented their rejection of the planned Meldegesetz. The Bundesrat then did in fact reject the law unanimously.

We want to shed light on the background and the lobbying interests, explain the demands of civil society, and report on how the matter has continued or ended.</description>
        <persons>
          <person id="3988">Katharina Nocun</person>
          <person id="285">Rena Tangens</person>
        </persons>
        <links>
        </links>
      </event>
      <event id="5316">
        <start>12:45</start>
        <duration>02:15</duration>
        <room>Saal 4</room>
        <slug>lightningtalks1</slug>
        <title>Lightning Talks 1</title>
        <subtitle>5 Minutes of Fame</subtitle>
        <track></track>
        <type>other</type>
        <language>en</language>
        <abstract></abstract>
        <description></description>
        <persons>
          <person id="1476">Nick Farr</person>
        </persons>
        <links>
          <link href="http://events.ccc.de/congress/2012/wiki/Lightning_Talks">schedule is in the wiki</link>
        </links>
      </event>
      <event id="5088">
        <start>17:15</start>
        <duration>01:00</duration>
        <room>Saal 4</room>
        <slug>many_tamagotchis_were_harmed_in_the_making_of_this_presentation</slug>
        <title>Many Tamagotchis Were Harmed in the Making of this Presentation</title>
        <subtitle></subtitle>
        <track></track>
        <type>lecture</type>
        <language>en</language>
        <abstract>You might remember Tamagotchi virtual pets from the 1990s. These toys are still around and just as demanding as ever! This talk covers my attempts to hack the latest Tamagotchis. Starting with the IR interface, and moving down into the hardware, this presentation will discuss techniques for reverse engineering a device with limited inputs, computing power and debugging capabilities.</abstract>
        <description>Recent Tamagotchis are more than just pets. They can talk to their friends over IR, support games on external ROMs and store generations' worth of information about their ancestors. This talk goes through the different ways Tamagotchis can be tampered with through these channels, including making Tamagotchis rich and happy over IR, altering their states in persistent memory and writing custom games. It also goes through attempts to dump the Tamagotchi's code from ROM.</description>
        <persons>
          <person id="3791">Natalie Silvanovich</person>
        </persons>
        <links>
          <link href="http://www.kwartzlab.ca/author/natalies/">Blog entries detailing my Tamagotchi project</link>
        </links>
      </event>
      <event id="5239">
        <start>18:30</start>
        <duration>01:00</duration>
        <room>Saal 4</room>
        <slug>smart_meter</slug>
        <title>SmartMeter</title>
        <subtitle>A technological overview of the German roll-out </subtitle>
        <track></track>
        <type>lecture</type>
        <language>en</language>
        <abstract>This talk will give an overview of the technology, the laws and the technical guidelines of the smartMeter roll-out in Germany.</abstract>
        <description>SmartMeters are an ongoing topic in many countries. Sometimes the roll-out is driven by companies, sometimes by laws. Implementation fails, security nightmares and privacy issues have been covered even by the lamestream media. The next big roll-out will happen in Germany. This talk will give an overview of the planned roll-out and the laws and technical guidelines.

The &#8220;Energiewirtschaftsgesetz&#8221; (ENWG) was renewed in 2005 and amended in the following years to reflect aspects like smart grids and renewable energy sources. It also covers the energy directives. The important aspect is that it makes the roll-out a law.

In charge of the roll-out is the &#8220;Bundesministerium f&#252;r Wirtschaft und Technologie&#8221; (BMWi), which delegates the task of defining the technical details to the &#8220;Bundesamt f&#252;r Sicherheit in der Informationstechnik&#8221; (BSI). The BSI is therefore in the process of developing a so-called protection profile (PP) (or common criteria) for smart meter gateways and the security module used in a smart meter.
The BSI also develops a technical guideline (TR 03109) which describes how the communication-related details of the whole smart meter infrastructure have to be implemented to provide security and interoperability.

This talk will present the different roles defined by the TR and PP. The rights and duties of the different roles in the model will be presented. The cryptographic mechanisms that will be used to secure the communication will be shown. Furthermore, the additional services that are planned to be supported and the use cases that are defined for the smart metering system will be explained.</description>
        <persons>
          <person id="3117">derpeter</person>
        </persons>
        <links>
          <link href="https://www.bsi.bund.de/DE/Themen/SmartMeter/TechnRichtlinie/TR_node.html">BSI TR-03109 SMART ENERGY</link>
          <link href="https://de.wikipedia.org/wiki/Energiewirtschaftsgesetz">WP Energiewirtschaftsgesetz</link>
          <link href="https://www.bsi.bund.de/DE/Themen/SmartMeter/smartmeter_node.html">Smart-Metering-Systeme</link>
        </links>
      </event>
      <event id="5301">
        <start>20:30</start>
        <duration>01:00</duration>
        <room>Saal 4</room>
        <slug>defeating_windows_memory_forensics</slug>
        <title>Defeating Windows memory forensics</title>
        <subtitle></subtitle>
        <track></track>
        <type>lecture</type>
        <language>en</language>
        <abstract>Aside from further development of traditional forensic techniques which involve post-mortem hard disk analysis, in the last couple of years the field of computer forensics has been marked by significant development of live forensic techniques and tools.

Memory forensics is composed of two main activities: memory acquisition/capture and analysis. This presentation will give an overview of the memory acquisition and analysis techniques and tools on the Windows operating systems. The main part of the presentation will cover current exploitation techniques and methods for defeating both the acquisition and analysis phases of memory forensics, as well as present a new approach for hiding specific artifacts from forensic tools. Based on the covered exploitation techniques, some suggestions and improvements of the current tools will be given.</abstract>
        <description>In the last couple of years, memory anti-forensic techniques and methods have been gaining popularity in the infosec and black-hat communities.
Current techniques can be grouped into the following three categories:
- Simple and easily detectable approaches based on complete blocking of the acquisition process,
- Thwarting the acquisition process by fooling the memory manager (Sparks/Butler BH-JP-05: Shadow Walker &#8211; Raising the bar for Rootkit Detection),
- Thwarting the analysis by modifying the kernel structures (Haruyama/Suzuki BH-EU-12: One-byte Modification for Breaking Memory Forensic Analysis).

However, each of the previously mentioned techniques has a drawback which makes the process of hiding a particular operating system object (e.g. process, thread, network connection, etc.) either difficult (Sparks/Butler) or impossible (Haruyama/Suzuki and acquisition blockers).

This research presents a new approach to defeating memory analysis on Windows operating systems by exploiting the fundamental issues in memory-acquisition tools. The developed approach is an extension of the research done on disk anti-forensic techniques in the past (especially the DDefy rootkit: Bilby BH-JP-06: Low Down and Dirty: Anti-forensic Rootkits). Since all memory acquisition tools work in a similar manner, this approach is generic and applicable to a wide class of analysis tools.

As a proof of concept, an application called Dementia has been developed. Dementia successfully exploits memory acquisition tools and hides operating system objects (e.g. processes, threads, etc.) from the analysis applications, such as Volatility, Memoryze and others. Because of the flaws in some of the memory acquisition tools, Dementia will additionally demonstrate how an attacker can hide operating system objects from the analysis tools entirely from user mode.</description>
        <persons>
          <person id="3918">Luka Milkovic</person>
        </persons>
        <links>
        </links>
      </event>
      <event id="5216">
        <start>21:45</start>
        <duration>01:00</duration>
        <room>Saal 4</room>
        <slug>let_me_answer_that_for_you</slug>
        <title>Let Me Answer That for You</title>
        <subtitle>adventures in mobile paging</subtitle>
        <track></track>
        <type>lecture</type>
        <language>en</language>
        <abstract>In recent years, mobile security and specifically GSM has been attacked in many different ways. It was demonstrated how to sniff and crack traffic and how to impersonate a subscriber by placing a fake call, and the general security characteristics of this mobile protocol stack have been evaluated.

In this presentation, we will check out a part of the protocol procedures that hasn't been looked at yet, specifically Mobile Terminated services.</abstract>
        <description>This talk is all about paging in GSM. How is a phone call or an SMS actually delivered to a phone? How do carriers locate your phone and transmit these services over the air?
We will have a look at the related protocol procedures and more importantly, what could possibly go wrong. During the presentation, we will show new attacks based on mobile paging that can ultimately disrupt mobile telecommunication or even worse. 

</description>
        <persons>
          <person id="3046">Nico Golde</person>
        </persons>
        <links>
        </links>
      </event>
      <event id="5104">
        <start>23:00</start>
        <duration>01:00</duration>
        <room>Saal 4</room>
        <slug>esxi_beast</slug>
        <title>ESXi Beast</title>
        <subtitle>Exploiting VMWARE ESXi Binary Protocols Using CANAPE</subtitle>
        <track></track>
        <type>lecture</type>
        <language></language>
        <abstract>This presentation will cover a demonstration of the new version of the Canape protocol analysis tool being released for Ruxcon. During the course of the presentation various attack scenarios against the VMWare ESXi binary protocol will be demonstrated using Canape.</abstract>
        <description>The VMWare ESXi protocol is a complex multi-layered protocol which transitions between many protocol states throughout a connection lifetime. The protocol uses multiplexed frames, compression and encryption all over a single TCP connection. The talk will discuss and outline serious weaknesses within the ESXi protocol and how these can be leveraged from within Canape.
 
During the talk, new features of Canape will be demonstrated live to show the audience how the tool can be used from traffic interception and initial protocol dissection through data injection and fuzzing and finally demonstrating full PoC exploitation all within Canape.

Presentation outline:
- What is Canape
- Examining the VMWare ESXi protocol
- Demonstrating ESXi protocol interception
- Intercepting the ESXi encryption
- Data injection to brute force user credentials
- Fuzzing ESXi
- 0day demonstration
- Questions

Testing and exploiting binary network protocols can be both complex and time consuming. More often than not, custom software needs to be developed to proxy, parse and manipulate the target traffic.
 
Canape is a network protocol analysis tool which takes the existing paradigm of Web Application testing tools (such as CAT, Burp or Fiddler) and applies that to network protocol testing. Canape provides a user interface that facilitates the capture and replaying of binary network traffic, whilst providing a framework to develop parsers and fuzzers.
</description>
        <persons>
          <person id="3810">James Forshaw</person>
        </persons>
        <links>
        </links>
      </event>
    </room>
    <room name="Saal 6">
      <event id="5085">
        <start>11:30</start>
        <duration>01:00</duration>
        <room>Saal 6</room>
        <slug>everycook</slug>
        <title>EveryCook</title>
        <subtitle>Cooking gets digital </subtitle>
        <track></track>
        <type>lecture</type>
        <language>en</language>
        <abstract>We know that cooking is an art. Selecting the ingredients, carefully washing, peeling and cutting them before you put them into the right dish at the right time with the right heat. Watching the food change its color, form and consistency, seasoning it to develop its flavors and serving it on beautiful plates is a pleasure.
For some, but not for all. Those who love cooking can spend hours at the stove and relax while preparing delicious meals.
For others cooking is pure stress. What is the difference between orange and yellow carrots? Did I forget something? Is the pan hot enough? Or too hot? How long after the pasta do I start cooking the steak? Will it be healthy? Is it sustainable?
So many questions appear if one starts to think about food. The answers are complicated and ambiguous. They require research and analysis.
Many have stopped thinking about food. They just believe what is written on the package.
"I can't cook" is such an easy answer. And it is accepted in our society. Nobody is ashamed of it.
This gives more and more control to multinational corporations. Through precooked food and shiny commercials they calm our conscience and stimulate our laziness.
The consequences are dramatic! The profit-focused approach of multinational corporations has led to things like:
&#8226; Patented genetically modified seeds. Lawyers suing farmers for copyrights.
&#8226; Destruction of South-American jungle to make soya to feed European cows so they make more milk. Although a cow was never born to eat proteins.
&#8226; Chickens that can't stand on their own feet due to the weight of their breasts. They will never see soil, worms or even sunlight.
&#8226; Orangutans losing their homes for palm oil
&#8226; Vegetables getting grown in the desert, wasting huge amounts of drinking water.
Conclusions:
&#8226; We must know more about our food
&#8226; We have to cook more ourselves
&#8226; So we will recover some control over what we eat</abstract>
        <description>What is EveryCook?

Hardware
We build our machines with the resources that we can financially afford. The current hardware is still in beta-phase.
The machine has been developed as a kit. Where possible, standard components were used. So we can produce small quantities at relatively low costs.
The hardware is open source. Anyone can download the plans and build the machine by himself. But whoever changes these plans or uses them to develop something new should share it with us.
The design has been uncompromisingly optimized for modifiability, robustness and repairability. Aesthetics will come later.

Features
We tried to build a simple machine which can nevertheless do many things.
Therefore we took advantage of synergies where possible:
- If we have a heated pot, we dimension everything around it to be able to fry in it
- If we have a motor to stir, we can also use it to cut
- If we build a scale, we use 4 independent load cells. It simplifies mechanics and allows us to analyse the weight distribution in the software.

Actors:
- An induction heater with 1'500 W of power
- A motor with up to 195 rpm and up to 4 Nm
- An RC model servo to open the steam blowoff valve

Sensors:
- A ceramic pressure sensor for 0-2 bar relative pressure
- A PT1000 temperature sensor 0-300&#176;C
- Four load cells, 0-5 kg each

Mechanics:
- A stainless steel pot with 5 litres volume tested for 1.2 bar relative pressure
- A cover made of high strength aluminium with stainless steel hinges and screws
- A stirrer made of stainless steel and Teflon made for 250&#176;C
- Several cutting discs in stainless steel to cut slices and stripes
- Stainless steel motor shaft, high temperature bearings and o-rings
- Overpressure and blowoff valve as combined unit completely in stainless steel
- Easy to assemble, disassemble and modify

Communication:
- A 7-segment module to show operating modes
- A piezo buzzer to say "weight reached" (or other messages)
- An embedded PC with WIFI and LAMP for the GUI

Software
The software from EveryCook is open source. It uses many proven tools and frameworks that are also open source. The whole project is hosted on GitHub. Everyone interested can join and help us.
We use:
- Yii Framework for PHP code
- jQuery for JavaScript
- Arduino and Leaflabs IDE for microcontroller programming
- Perl for the interface between the microcontroller and Linux
- Linux for the embedded computer running a LAMP

Our database is developed under the cc-by-sa license. If you want to access it you can do that and develop other smart cooking appliances. Whoever adds new records shall share these with us.
Anyone who wants to help us feed the database with information is always welcome. The more information about food and recipes is available, the better for everyone who uses EveryCook.
We see in EveryCook a great opportunity to promote direct sales of food from producers to consumers. So if you know a farmer or food production place, please enter the food into the database and link it with recipes and producers. Then we will have less unnecessary shipping and get fresher food.
The nutritional value information has been provided by the USDA Nutrient Database. This is the only freely available database although almost every country maintains a nutritional value database. We will try to add more nutritional value data as soon as possible.
</description>
        <persons>
          <person id="3802">Alexis</person>
        </persons>
        <links>
          <link href="http://everycook.org">The recipe database</link>
          <link href="http://everycook.org/cms/en">The documentation</link>
          <link href="https://github.com/everycook">The Software</link>
        </links>
      </event>
      <event id="5091">
        <start>12:45</start>
        <duration>00:30</duration>
        <room>Saal 6</room>
        <slug>unsicherheit_hardwarebasierter_festplattenverschluesselung</slug>
        <title>(In)Security of Hardware-Based Disk Encryption</title>
        <subtitle></subtitle>
        <track></track>
        <type>lecture</type>
        <language>de</language>
        <abstract>Hardware-based full disk encryption in the form of so-called SEDs (Self-Encrypting Drives) is commonly regarded as a secure and high-performance alternative to software-based encryption such as BitLocker and TrueCrypt. While the performance gain and user-friendliness of SEDs, e.g. Intel's SSD 320 or SSD 520, are beyond question, the security gain is considerably smaller than previously assumed. In some cases, systems based on SEDs are even weaker than comparable systems based on software encryption.</abstract>
        <description>We subjected commercially available SEDs to a security analysis by exposing them to all the attacks known to be used against software-based disk encryption. These include "cold-boot attacks", "DMA/FireWire attacks" and "evil-maid attacks". For each of these attacks we were able to show that they also succeed against SEDs in many practical scenarios.

In addition, we present a new class of attacks that can be used only against SEDs, not against software-based schemes. Roughly speaking, in the new attack the SATA connection of an SED is replugged during operation while the power supply is maintained. We therefore call this class of attacks "warm-replug attacks". Since SEDs are locked only when the power connection is interrupted, the encryption of computers that are running, or in standby, can be bypassed this way, that is, under preconditions similar to those we know from cold-boot and DMA attacks.

Overall, warm-replug attacks mean that many SED-based systems must even be rated as weaker than comparable systems based on BitLocker or TrueCrypt.</description>
        <persons>
          <person id="3607">tilo</person>
        </persons>
        <links>
          <link href="http://www1.cs.fau.de/sed">SED (In)Security Project Site</link>
        </links>
      </event>
      <event id="5138">
        <start>13:15</start>
        <duration>00:30</duration>
        <room>Saal 6</room>
        <slug>romantichackers</slug>
        <title>Romantic Hackers</title>
        <subtitle>Keats, Wordsworth and Total Surveillance</subtitle>
        <track></track>
        <type>lecture</type>
        <language>en</language>
        <abstract>In 1791, the political reformer Jeremy Bentham theorized the Panopticon, whose design promised to allow a single Inspector to surveil (exercise "inspective force" over) large numbers of criminals or workers. In recent years, the advent of a suitable technical apparatus &#8211; CCTV, ISP taps (network traffic interception), data banks, and so on &#8211; has extended the proposed 30m circumference of Bentham&#8217;s structure to, and beyond, the physical boundaries of entire countries. While total surveillance is often perceived as a feature of modernity, its conceptual and epistemological framework is rooted in the Romantic period, moreover at a key juncture in the history of ideas concerning individual subjectivity, rights and freedoms. David Barnard-Wills refers to inspective culture as a "nexus of surveillance, identity and language" (2012). In this talk, we examine this nexus in the historical period that first, and so powerfully, imagined the fully surveilled world.</abstract>
        <description>While panoptic visions of surveillance emerged out of Enlightenment rationality and utilitarian projects, becoming conceptually possible for the first time, so, too, did a response to those visions &#8211; hacking. Hacking, we argue &#8211; using the term in a tighter sense than that of analogy alone, or that of Richard Stallman's definition of hacking as "playful cleverness" &#8211; represents a key response of Romantic writers and political activists from the period to emerging totalitarian surveillance culture (and the suspension of habeas corpus in England in 1795 and 1817). As we discuss, the first victims of surveillance culture developed some of the most persuasive, and enduring, forms of resistance to that culture.

Our talk looks at two specific case studies, the (now-)canonical Romantic poets William Wordsworth and John Keats, both of whom were subject to state censure for their close links to radical political movements. Wordsworth was the friend of treason suspects on the Romantic equivalent of a "kill list", and was himself placed under close surveillance by Pitt's government. Keats's career as a poet was blighted by a focused and sustained government campaign of character assassination and ridicule that bears comparison with methods used against political writers of our own age, including Julian Assange.

Both Romantic poets, we show, developed strategies of resistance that may be considered as "analogue hacking", subverting the established language of power at the level of discourse and literary genre. These strategies of resistance bear fruitful comparison to &#8211; at the same time as throwing light on &#8211; ways in which current resistance is constituted by "movements" such as Anonymous and Lulzsec. These poets' shift of status from rebels, undesirables and revolutionaries to central canonical English authors will be a subject of discussion.

As a concrete example of the phenomena we describe, poems by these Romantic authors, through their use of irony, ambiguity and allegory, provide Tor-like anti-tracking protection for their readers, obscuring political start points and ideological destinations. We finish by considering literary equivalents to web trolling, trojans and viruses. We suggest how these early responses to surveillance offer ways of envisaging possible futures for political resistance.

___________________________________________________________

Professor Richard Marggraf Turley is author of three books on Romantic authors, including most recently Bright Stars: John Keats, Barry Cornwall and Romantic Literary Culture (Liverpool University Press, 2012). He is Co-director of the Centre of Romantic Studies at Aberystwyth University.

Anne Marggraf-Turley worked in Germany as a computer technician and technology teacher, and now works in the Department of European Languages at Aberystwyth University.

Both live 30 miles from Aberporth, the largest drone test site in Europe, on the former site of West Wales airport.

While we are waiting for the recording of our talk, the slides are available on slideshare 'Romantic Hackers'</description>
        <persons>
          <person id="3837">Anne Marggraf-Turley &amp; Prof. Richard Marggraf-Turley</person>
        </persons>
        <links>
          <link href="http://www.aber.ac.uk/en/english/staff/rcm/">Prof Richard Marggraf Turley Home page</link>
          <link href="http://richardmarggrafturley.weebly.com/blog.html">blog about the conference &amp; talk</link>
        </links>
      </event>
      <event id="5390">
        <start>14:00</start>
        <duration>00:30</duration>
        <room>Saal 6</room>
        <slug>tacticaltech</slug>
        <title>Tactical Tech - Bridging the Gap</title>
        <subtitle></subtitle>
        <track></track>
        <type>lecture</type>
        <language>en</language>
        <abstract>Don't call us if your campaign does not work! And worse, everyone's been harassed or arrested.</abstract>
        <description>In 30 minutes we will try to convey that &#8211; one good hack, one good infographic, one good video, one good march &#8211; in fact anything singular would never change anything &#8211; unless it has the power of a giant asteroid (some things do).

So what is needed? Why hackers should work with designers, why designers should work with campaigners, why activists should learn coding? And if they finally manage somehow (it happens!), why it can be so easily destroyed if they do not give a damn about security and privacy? Come and listen and then talk to us, we have some experience to share.

During a 30-minute talk we'd like to introduce our work to the wider CCC community and discuss some of the problems we face in bridging the gap between the communities of people who develop open source pro-privacy tools on the one hand and people who need those tools on the other. We work with people in many different places of the world whose work and well-being depend on online security. At 29c3 we'd like to start building stronger ties with people who want to help us provide, find, choose or audit the necessary tools.

Tactical Tech is an international NGO working to enable the effective use of information for progressive social change. Among other things we provide information, material and trainings to help activists, human rights advocates, journalists and members of communities at risk to communicate safely online.</description>
        <persons>
          <person id="4008">Marek Tuszynski</person>
          <person id="4016">Stephanie Hankey</person>
        </persons>
        <links>
          <link href="http://www.tacticaltech.org">http://www.tacticaltech.org</link>
          <link href="http://protect.tacticaltech.org/">http://protect.tacticaltech.org/</link>
          <link href="http://security.ngoinabox.org/">http://security.ngoinabox.org/</link>
          <link href="http://www.onorobot.org/">http://www.onorobot.org/</link>
          <link href="http://myshadow.org/">http://myshadow.org/</link>
        </links>
      </event>
      <event id="5203">
        <start>14:30</start>
        <duration>00:30</duration>
        <room>Saal 6</room>
        <slug>omg_oer</slug>
        <title>OMG! OER!</title>
        <subtitle>How big business fights open education in Poland, and how open education fights back!</subtitle>
        <track></track>
        <type>lecture</type>
        <language>en</language>
        <abstract>The Polish government decided in favour of open-licensed e-textbooks. This is not to the liking of big textbook publishers, who are reaping profits hand over fist. While their black PR campaign focuses on technicalities, it seems obvious that their real beef is with the liberal licensing.</abstract>
        <description>Polish schools are set to get [CC-By licensed e-textbooks](http://news.slashdot.org/story/12/04/04/0232244/polish-government-to-deliver-free-textbooks-for-all-kids-grades-4-6) prepared by academia in co-operation with business -- but the publishing business wants none of that. A well-funded black PR campaign is raging in Polish media in an attempt to convince parents and teachers (and through them, the government) to oppose e-textbooks.

Anything goes! From technical issues ("you will have to buy an expensive iPad to read those!") through playing on anti-government sentiments ("the government is trying to hijack the education process!") all the way to economy-related ones ("e-textbooks will hinder the free market"), and with [legal threats sent to academia](http://conasuwiera.pl/?p=653) in order to coerce the universities not to participate (and hence ensure the failure of the programme). And the media are happy to publish PR pamphlets as valid articles without even checking their sources...

All this, of course, because the publishing business would rather keep its stranglehold on the textbook business in Poland than adapt and make money on open-licensed content.

I would like to talk about how we got here, and how we (the Coalition for Open Education) try to fend off the well-funded and ruthless publishers' campaign. This, I believe, can be a valuable lesson for OER advocates from other places of the world.</description>
        <persons>
          <person id="3882">Micha&#322; "rysiek" Wo&#378;niak</person>
        </persons>
        <links>
          <link href="http://rys.io/en/84">how textbook publishers are fighting open education in Poland</link>
          <link href="http://rys.io/en/84.txt">pure text version of the above</link>
          <link href="http://conasuwiera.pl/?p=653">[polish] analysis of publishers' legal threats to academia</link>
          <link href="http://news.slashdot.org/story/12/04/04/0232244/polish-government-to-deliver-free-textbooks-for-all-kids-grades-4-6">slashdot article announcing the e-textbooks initiative</link>
        </links>
      </event>
      <event id="5164">
        <start>16:00</start>
        <duration>01:00</duration>
        <room>Saal 6</room>
        <slug>sharing_access_risiken_beim_betrieb_von_wlan_netzen</slug>
        <title>Sharing Access &#8211; Risiken beim Betrieb offener (WLAN-)Netze</title>
        <subtitle>Stand gestern, heute und morgen  </subtitle>
        <track></track>
        <type>lecture</type>
        <language>de</language>
        <abstract>Operating wireless LAN networks, including open or free networks, is widespread today and part of the discussion about "Cultures of Sharing". The talk will present the fundamentals of liability for open networks and the development of case law from the Landgericht Hamburg ("yesterday") to the BGH ruling "Sommer unseres Lebens", as well as the influence of current case law of the European Court of Justice, the Bundesgerichtshof and the lower courts ("today"). An outlook on the consequences of this new, partly divergent case law and on the legislative initiatives of the SPD and Die Linke ("tomorrow") rounds off the talk.</abstract>
        <description>Operating wireless LAN networks is today a reality in practically every household. An early phenomenon of this were so-called free or open networks, in which access to the network and to the Internet is shared. Various motivations played a role in this. What has become increasingly important, however, is the aspect of sharing access. "Sharing Access" and overcoming the "Digital Divide" are therefore catchwords that are becoming ever more important in the current discussion about "Cultures of Sharing".

In Germany, the legal consequences of operating an open network have been discussed at least since the Landgericht Hamburg ruling of 2006. The term "St&#246;rerhaftung" (secondary liability), which was probably practically unknown before, made it into the top media under the headline "Caf&#233;s shut down WLANs over St&#246;rerhaftung". The talk will present the prerequisites of St&#246;rerhaftung and its consequences, but also offer possible guidance intended to enable the "safe" operation of an (open) wireless network.

Since 2006, case law has taken several turns, most recently reaching its (provisional) high point in the Bundesgerichtshof decision "Sommer unseres Lebens" in 2010. After a brief presentation of this decision, the talk will show what influence the current case law of the European Court of Justice, the Bundesgerichtshof and the lower courts has, and give a corresponding outlook.

As a result of the public discussion, several legislative initiatives have meanwhile been launched (by the SPD and by Die Linke, the latter based on a draft by Digitale Gesellschaft e.V.). These will be presented, assessed and placed in context with the case law outlined before.</description>
        <persons>
          <person id="3856">Reto Mantz</person>
        </persons>
        <links>
          <link href="http://www.offenenetze.de">Weblog</link>
          <link href="http://www.retosphere.de/offenenetze/2012/12/07/ankundigung-vortrag-29c3-sharing-access-risiken-beim-betrieb-offener-wlan-netze-stand-gestern-heute-und-morgen/">Announcement</link>
          <link href="http://www.retosphere.de/offenenetze/2012/12/28/ist-der-betreiber-eines-wlan-knotens-telekommunikations-oder-telemediendienst-nachtrag-29c3/">Addendum: TKG and TMG providers</link>
        </links>
      </event>
      <event id="5306">
        <start>17:15</start>
        <duration>01:00</duration>
        <room>Saal 6</room>
        <slug>the_tor_software_ecosystem</slug>
        <title>The Tor software ecosystem</title>
        <subtitle></subtitle>
        <track></track>
        <type>lecture</type>
        <language>en</language>
        <abstract>At the very beginning, Tor was just a socks proxy that protected the origin and/or destination of your TCP flows. Now the broader Tor ecosystem includes a diverse set of projects -- browser extensions to patch Firefox and Thunderbird's privacy issues, Tor controller libraries to let you interface with the Tor client in your favorite language, network scanners to measure relay performance and look for misbehaving exit relays, LiveCDs, support for the way Android applications expect Tor to behave, full-network simulators and testing frameworks, plugins to make Tor's traffic look like Skype or other protocols, and metrics and measurement tools to keep track of how well everything's working. Many of these tools aim to be useful beyond Tor: making them modular means they're reusable for other anonymity and security projects as well.
 
In this talk, Roger and Jake will walk you through all the tools that make up the Tor software world, and give you a better understanding of which ones need love and how you can help.</abstract>
        <description>At the very beginning, Tor was just a socks proxy that protected
the origin and/or destination of your TCP flows. Now the broader Tor
ecosystem includes a diverse set of projects -- browser extensions to
patch Firefox and Thunderbird's privacy issues, Tor controller libraries
to let you interface with the Tor client in your favorite language,
network scanners to measure relay performance and look for misbehaving
exit relays, LiveCDs, support for the way Android applications expect Tor
to behave, full-network simulators and testing frameworks, plugins to
make Tor's traffic look like Skype or other protocols, and metrics and
measurement tools to keep track of how well everything's working. Many
of these tools aim to be useful beyond Tor: making them modular means
they're reusable for other anonymity and security projects as well.
 
In this talk, Roger and Jake will walk you through all the tools that
make up the Tor software world, and give you a better understanding of
which ones need love and how you can help.</description>
        <persons>
          <person id="165">Jacob Appelbaum</person>
          <person id="199">Roger Dingledine</person>
        </persons>
        <links>
        </links>
      </event>
      <event id="5368">
        <start>18:30</start>
        <duration>01:00</duration>
        <room>Saal 6</room>
        <slug>ifg_chance_oder_buergerbluff</slug>
        <title>IFG: Chance oder B&#252;rgerbluff?</title>
        <subtitle>Informationsfreiheit in Deutschland. Ein Sachstand.</subtitle>
        <track></track>
        <type>lecture</type>
        <language>de</language>
        <abstract>Six years after it came into force, the federal Freedom of Information Act (Informationsfreiheitsgesetz, IFG) was evaluated for the German Bundestag. Scientifically substantiated findings on the state, or non-state, of freedom of information in Germany are now also available from individual federal states.</abstract>
        <description>Drawing also on case law and practical examples, the talk addresses necessary changes to the legal situation. The speaker, as a member of the Bundestag (1994-2009), was the "father" of the federal IFG and was the plaintiff against the Federal Republic of Germany in the matter of access to the toll contract (Mautvertrag).</description>
        <persons>
          <person id="833">J&#246;rg Tauss</person>
        </persons>
        <links>
        </links>
      </event>
      <event id="5219">
        <start>20:30</start>
        <duration>01:00</duration>
        <room>Saal 6</room>
        <slug>how_i_met_your_pointer</slug>
        <title>"How I met your pointer"</title>
        <subtitle>Hijacking client software for fuzz and profit</subtitle>
        <track></track>
        <type>lecture</type>
        <language>en</language>
        <abstract>An approach to the problem of fuzzing proprietary protocols will be shown, focusing on network protocols and native software. In the course of this talk I will combine several methods in order to force the client software to work as a &#8220;double agent&#8221; against the server.</abstract>
        <description>An interesting approach to the problem of fuzzing proprietary protocols will be presented. Since the method is applicable to several kinds of software, and in order to keep one example in mind throughout the talk, I will be focusing on network protocols and native software.

The main idea behind it is very simple: &#8220;in a client/server architecture, the client knows how the protocol works.&#8221;

In the course of this talk I will need to combine several methodologies in order to "force" the client software to work as a &#8220;double agent&#8221; against the server. Advanced hooking, dynamic binary instrumentation and differential debugging are among the topics discussed here.

The talk includes a live demo of this method in which a small program implementing a proprietary protocol will be fuzzed (without knowledge of it) and a memory corruption will be found.

Last but not least, the talk is written in a very amusing style with multiple references to "nerd culture" and interacting with the audience to make the (hard) topic as interesting and entertaining as it can be.</description>
        <persons>
          <person id="3885">Carlos Garcia Prado</person>
        </persons>
        <links>
        </links>
      </event>
      <event id="5282">
        <start>21:45</start>
        <duration>01:00</duration>
        <room>Saal 6</room>
        <slug>rfidkleidung</slug>
        <title>Meine Kleidung funkt</title>
        <subtitle>Tracking von Menschen durch in Kleidung integrierte RFID-Chips</subtitle>
        <track></track>
        <type>lecture</type>
        <language>de</language>
        <abstract>Tracking people with RFID readers: not a vision of the future.</abstract>
        <description>What we painted on the wall as a spectre 9 years ago has become reality: RFID tags sewn into clothing. According to the manufacturers, the tags can be read from a distance of 8 metres. And anyone walking around with them can be recognised again by any reader.

We will bring a device along, playfully demonstrate how it works on stage, and explain what fascinates the textile industry so much about this technology. And we explain why we are not at all taken with the idea that people will henceforth be not merely transparent, but completely naked before the eyes of the clothing industry and trade.</description>
        <persons>
          <person id="1780">padeluun</person>
          <person id="285">Rena Tangens</person>
        </persons>
        <links>
          <link href="https://foebud.org/rfid">Stop RFID pages</link>
        </links>
      </event>
      <event id="5230">
        <start>23:00</start>
        <duration>01:00</duration>
        <room>Saal 6</room>
        <slug>stylometry_and_online_underground_markets</slug>
        <title>Stylometry and Online Underground Markets</title>
        <subtitle></subtitle>
        <track></track>
        <type>lecture</type>
        <language>en</language>
        <abstract>Stylometry uses linguistic information found in a document to perform authorship recognition. In this talk, we will present how stylometry can be used to deanonymize users in multilingual underground forums. Our initial result shows that in spite of differences in languages and text lengths, regular stylometric methods perform well in identifying users in this context. We will also present the improved version of Anonymouth, a tool to anonymize written documents, with user studies.</abstract>
        <description>Stylometry identifies the author of an anonymous text by using linguistic features, a topic that we explore in detail at the Privacy, Security, and Automation Lab at Drexel University. In our previous talks at CCC, people have often asked us how well stylometry works on non-English texts and how well translation tools work at anonymizing texts. We will explore these topics in detail in this year&#8217;s talk.  In particular, we have shown that machine translation does not obfuscate a writer&#8217;s writing style and an anonymous text that has been translated can be attributed to its original author with a 92% true-positive rate.

Next, we wanted to see what stylometry could do when applied to an interesting real world dataset containing short text in multiple languages. As a result, we applied stylometry to leaked underground forums. Online forums are frequently used by cyber-criminals around the world to establish trade relationships and exchange fraudulent goods and services such as the sale of stolen credit card numbers and compromised hosts, spamming, phishing, and online credential theft. These forums are popular among cyber-criminals as they are easily accessible and provide a high degree of anonymity. In this work, we examine several multilingual underground forums, for example, thebadhackerz.com, blackhatpalace.com, www.carders.cc, free-hack.com, hackel1te.info, hack-sector.forumh.net, rootwarez.org, L33tcrew.org, antichat.ru. We did authorship attribution on these users and so far have had 72% success in correct attribution (however we believe this number will be significantly improved by the time of the talk as we continue our analysis and bring in new features).

Authorship attribution in the underground forums requires new features since the texts used in these forums are multilingual, contain numerical information such as credit card and bank account numbers, and have many symbols in the URLs and services being shared. These properties of the text are not similar to common writing. We are expecting a significant increase in the accuracy once the above mentioned feature set is implemented. We will also present our results on user attribution across forums to see if we can detect users engaging in different forums or users who have multiple accounts in the same forum, since these users tend to get banned.

We also present some improvements we have made to the tool Anonymouth which was presented at 28C3 and helps a writer anonymize their text by making the suggested changes.</description>
        <persons>
          <person id="3832">Aylin Caliskan Islam</person>
          <person id="2019">Rachel Greenstadt</person>
          <person id="3883">Sadia Afroz</person>
        </persons>
        <links>
          <link href="https://psal.cs.drexel.edu/index.php/Aylin_Caliskan">Aylin's personal page</link>
          <link href="https://psal.cs.drexel.edu/">Privacy, Security, and Automation Lab at Drexel University</link>
          <link href="https://www.cs.drexel.edu/~greenie/">Rachel's personal page</link>
          <link href="https://www.cs.drexel.edu/~sa499/">Sadia's personal page</link>
        </links>
      </event>
    </room>
    <room name="Saal 17">
      <event id="5407">
        <start>11:00</start>
        <duration>05:30</duration>
        <room>Saal 17</room>
        <slug></slug>
        <title>Deutschlandfunk @ 29C3</title>
        <subtitle>Interviews, Talkrunden, Kennenlernen</subtitle>
        <track></track>
        <type>other</type>
        <language>de</language>
        <abstract></abstract>
        <description></description>
        <persons>
        </persons>
        <links>
          <link href="http://www.youtube.com/watch?v=nNHgtgwxnNA">Deutschlandfunk @ 29C3</link>
        </links>
      </event>
      <event id="5412">
        <start>16:30</start>
        <duration>00:30</duration>
        <room>Saal 17</room>
        <slug></slug>
        <title>Live-Sendung &#187;Forschung Aktuell&#171;</title>
        <subtitle>Deutschlandfunk @ 29C3</subtitle>
        <track></track>
        <type>other</type>
        <language>de</language>
        <abstract>Audience welcome.</abstract>
        <description></description>
        <persons>
        </persons>
        <links>
          <link href="http://www.youtube.com/watch?v=nNHgtgwxnNA">Deutschlandfunk @ 29C3</link>
          <link href="http://www.dradio.de/dlf/sendungen/forschak/">Programme website</link>
        </links>
      </event>
      <event id="5408">
        <start>17:00</start>
        <duration>01:00</duration>
        <room>Saal 17</room>
        <slug></slug>
        <title>Deutschlandfunk @ 29C3</title>
        <subtitle>Interviews, Talkrunden, Kennenlernen</subtitle>
        <track></track>
        <type>other</type>
        <language>de</language>
        <abstract></abstract>
        <description></description>
        <persons>
        </persons>
        <links>
          <link href="http://www.youtube.com/watch?v=nNHgtgwxnNA">Deutschlandfunk @ 29C3</link>
        </links>
      </event>
    </room>
  </day>
  <day date="2012-12-29" index="3">
    <room name="Saal 1">
      <event id="5379">
        <start>11:30</start>
        <duration>02:15</duration>
        <room>Saal 1</room>
        <slug>jahresrueckblick2012</slug>
        <title>CCC-Jahresr&#252;ckblick</title>
        <subtitle></subtitle>
        <track></track>
        <type>lecture</type>
        <language></language>
        <abstract>We do not look back in anger, but not exactly with euphoria either. In the CCC annual review we present some of the hacktivist topics of the past year that the CCC worked on or wore itself out on. This time with lovely new laws, hacker humour, missed court dates, colourful blinkenlights and Iggy Pop. We really did make an effort all year to procrastinate only to a limited extent.</abstract>
        <description>We also report on our impressions from public relations and lobbying work, and identify zombie opponents that have already been slain, are new, or have risen again. We talk not only about curious incidents in the club's work, but now and then also venture a look into the future.</description>
        <persons>
          <person id="381">Constanze Kurz</person>
          <person id="2356">Dodger</person>
          <person id="243">Erdgeist</person>
          <person id="9">Frank Rieger</person>
        </persons>
        <links>
        </links>
      </event>
      <event id="5205">
        <start>14:00</start>
        <duration>01:00</duration>
        <room>Saal 1</room>
        <slug>analytical_summary_of_the_blackhole_exploit_kit</slug>
        <title>Analytical Summary of the BlackHole Exploit Kit</title>
        <subtitle>Almost Everything You Ever Wanted To Know About The BlackHole Exploit Kit</subtitle>
        <track></track>
        <type>lecture</type>
        <language></language>
        <abstract>There are hundreds, if not thousands, of news articles and blog posts about the BlackHole Exploit Kit. Usually, each story covers only a very narrow part of the subject matter. This talk will summarize the history of the BlackHole Exploit Kit into one easy to follow story. There will be diagrams and flow-charts for explaining code, rather than a giant blob of illegible Javascript, PHP, or x86 Assembly.</abstract>
        <description>A. What a browser exploit kit is, and what it isn't
  1. It only does exploits
  2. Directing victims to the exploits is out of scope
  3. Usually done with spam or iframe injections
  4. The actual malware installed is out of scope too
  5. Where the exploit kit is hosted is also quite variable

B. Timeline
  1. Version 1.0.0 - September 2010
     i. It's not that different from other exploit kits
  2. Version 1.0.1
  3. Version 1.0.2 - November 2010
     i. Changelog
     ii. Leaked in May 2011
  4. Version 1.1.0 - December 2010
     i. Changelog
  5. Version 1.2.0 - August 2011
     i. Changelog
  6. Version 1.2.1 - December 2011
  7. Version 1.2.2 
     i. Cryptome "Virus"
  8. Version 1.2.3 - March 2012
  9. Version 1.2.4 - June 2012 
     i. CVE-2012-1723
     ii. CVE-2011-2110
  10. Version 1.2.5 - July 2012
     i. CVE-2012-1889
     ii. A single IFRAME injection campaign uses a temporal 'Domain Generation Algorithm'
  11. August 2012
     i. CVE-2012-4681
  12. Version 2.0.0 - September 2012
     i. Changelog
     ii. The official announcement isn't entirely true.

C. The "Free Version"
  1. Pulled from a system with C99 Shell
  2. IonCube "copy protection"
  3. How to break IonCube obfuscation
  4. Analysis of PHP Source Code

D. Open Source Code in use
  1. PluginDetect
  2. MaxMind GeoIP
  3. etc.

E. The Exploits
  1. CVE-2010-0188
  2. etc. etc. etc. as time allows
  X. There is almost no change in the exploits themselves from one version of the exploit kit to the next.
  Y. Curious clues about the possible authorship of some exploits</description>
        <persons>
          <person id="3556">Julia Wolf</person>
        </persons>
        <links>
        </links>
      </event>
      <event id="5308">
        <start>16:00</start>
        <duration>01:00</duration>
        <room>Saal 1</room>
        <slug>open_source_schluessel_und_schloesser</slug>
        <title>Open Source Schl&#252;ssel und Schl&#246;sser</title>
        <subtitle>Offene Quellen zum B&#246;sen und Guten: von downloadbaren Handschellenschl&#252;sseln zu sicheren elektronischen Schl&#246;ssern</subtitle>
        <track></track>
        <type>lecture</type>
        <language>de</language>
        <abstract>What does the age of open designs mean for the security of locks? For example, those that rely on a key not being widely distributed? One example is the so-called high-security versions of police handcuffs. The talk shows what can be achieved in this area with laser cutters and 3D printers, and how, as well as which more complex targets are still waiting. Digital locks are considered the way out of the problem of copyable keys, but they suffer from open sources in a different way: they have none! As part of an open source lock project we therefore looked at a reflashable padlock, but even before we had connected the programming adapter we found a weakness in the hardware... Unfortunately not an isolated case!</abstract>
        <description>How does the open source concept fit with security technology in the real world? It is actually simple: you want to keep your keys secret, but be able to know and understand your locks. What has long been established in the virtual world unfortunately does not work in "real life" on either level. The talk gives a brief introduction with an overview of the state of the art and then explains in detail what fell victim to our research.

The presentation of a trivially cuttable 3D model for the "secret" keys of Chubb and Bonowi handcuffs caused quite a stir in the press at HOPE, but that was only the beginning. The talk explains both the procedures and the problems of bringing such models to the increasingly popular laser cutters, and the steps that were necessary, after the successes of New York, to also defeat the last, more stubborn target, the most widespread German "high-security" police handcuff. It also covers printing and cutting even more complex keys, as well as the possibilities of parameterised 3D models.

Anyone who wants to protect themselves from such problems will, in the long run, probably be left only with digital locking systems. Unfortunately these all suffer from the manufacturers' widespread fear of open sources: often not even the cryptographic algorithm used is disclosed, and none of them has a verifiable implementation. Besides a complete in-house development, reprogramming an existing lock seems to be a way to finally arrive at a trustworthy system. We show our analyses of a brand-new digital padlock based on the MSP430 that appeared suitable for this, but unfortunately we also found the matching mechanical attack, which makes the software a side issue. Not for the first time...</description>
        <persons>
          <person id="4018">Jan</person>
          <person id="3985">mh</person>
          <person id="933">Ray</person>
        </persons>
        <links>
        </links>
      </event>
      <event id="5327">
        <start>17:15</start>
        <duration>01:00</duration>
        <room>Saal 1</room>
        <slug>writing_a_thumbdrive_from_scratch</slug>
        <title>Writing a Thumbdrive from Scratch</title>
        <subtitle>Prototyping Active Disk Antiforensics</subtitle>
        <track></track>
        <type>lecture</type>
        <language></language>
        <abstract>This action-packed lecture presents the inner workings of the author's from-scratch implementation of a USB Mass Storage disk in user-land Python, along with some embarrassing bugs in operating systems that support such disks.  The lecture concludes with an introduction to Active Antiforensics, in which a thumbdrive's own firmware can recognize and defend itself against disk imaging and other forensic tools.</abstract>
        <description>USB is a lovely little conduit into the deepest parts of the kernel. Drivers are made to speak complicated protocols in hastily written C, leaving a goldmine of bugs and unexplored behaviors for a crafty attacker to exploit.

This lecture will show how a USB Mass Storage device was implemented from scratch in user-land Python for the Facedancer board.  Along the way, we'll take a look at how to abuse a number of bugs in kernels, automounters, filesystems, and forensic utilities, all of which are easily confused.

As an example application of these techniques, the culmination of this lecture presents a prototype disk that actively resists forensics, wiping itself to an innocent state whenever it detects disk imaging, undeletes, access by the wrong operating system, or the presence of a write blocker.</description>
        <persons>
          <person id="1978">Travis Goodspeed</person>
        </persons>
        <links>
          <link href="http://goodfet.sourceforge.net/hardware/facedancer11/">Facedancer11 Hardware</link>
          <link href="http://travisgoodspeed.blogspot.de/2012/07/emulating-usb-devices-with-python.html">Emulating USB Devices in Python</link>
        </links>
      </event>
      <event id="5402">
        <start>18:30</start>
        <duration>01:00</duration>
        <room>Saal 1</room>
        <slug>russias_surveillance_state</slug>
        <title>Russia&#8217;s Surveillance State</title>
        <subtitle></subtitle>
        <track></track>
        <type>lecture</type>
        <language>en</language>
        <abstract>Privacy International, Agentura.Ru, the Russian secret services watchdog, and Citizen Lab have joined forces to launch a new project entitled 'Russia&#8217;s Surveillance State'. The aims of the project are to undertake research and investigation into surveillance practices in Russia, including the trade in and use of surveillance technologies, and to publicise research and investigative findings to improve national and international awareness of surveillance and secrecy practices in Russia.  The project is made possible with support from the Canada Centre for Global Security Studies, Munk School of Global Affairs, at the University of Toronto.</abstract>
        <description>The project will consist of three sections:

Mapping the surveillance landscape: establishing which agencies and companies are behind surveillance in Russia, and producing a glossary of surveillance technologies.
Documenting the Surveillance State: reporting on policies and surveillance initiatives, including examples of legal interception contracts and tender notification letters.
Reviewing the legal landscape: collating and analysing relevant pieces of Russian legislation in order to better understand surveillance powers and safeguards.

Over the coming year we will jointly publish various reports and analyses, and release documents identifying the key challenges in protecting Russian citizens from abuses and holding the Russian surveillance state to account.

Mapping the surveillance landscape

At present there are eight agencies in Russia that can conduct operational investigations (including surveillance): the Interior Ministry (MVD), the FSB, the Federal Protective Service, the Foreign Intelligence Service, Customs and Excise, the Federal Anti-drug Agency, the Federal Prisons Service (FSIN) and the Main Intelligence Directorate of the General Staff (GRU).

According to figures published by the Supreme Court Justice Department, over the last five years the number of legal telephone intercepts alone has almost doubled. In 2011, for example, the police received authorisation from the courts for 466,152 intercepts and recordings of phone calls and intercepts of emails. The equivalent figure for 2006 was 265,937.

As a start, we have put together a brief glossary of surveillance terminology, including a list of abbreviations and acronyms for the agencies involved in surveillance activities and the various government departments responsible for surveillance operations. 

Documenting the Surveillance State

In 1995, a presidential decree (No. 891) stipulated that "control over postal items, telegraphic and other communications ... shall be handed to the bodies of the Federal Security Service...[the FSB]". The same decree ordered that unified central control points (or remote control points) were to be established by the FSB. The first ones were established in Moscow and St. Petersburg, and subsequently in other Russian cities, at regional FSB department headquarters. A cable was laid from these points to the premises of the providers where special interception equipment had been installed. In this way, the FSB became responsible for installing the SORM equipment, while other intelligence services and the police gained access to the interception system via FSB remote points.

By the first decade of the new millennium, however, the FSB were no longer in sole charge of the technical side of SORM. On forums across the country, Internet providers began to complain about being approached by a variety of different law enforcement and secret services officials demanding that interception equipment corresponding to their own needs should also be installed. At least five Russian government agencies now operate their own systems of interception.

To illustrate these relationships, we have published a number of tender notification letters for the SORM equipment supply, originally placed on the Russian government procurement website (downloads below).

Reviewing the legal landscape

The legal framework governing surveillance operations in Russia primarily consists of the Federal Law on Operational-Search Activities (adopted on 12th August 1995) and the Code of Criminal Procedure of the Russian Federation. Over the course of the project, we will be analysing how the various pieces of legislation governing communications interception are applied by the courts, and considering firstly whether the existing legal framework is sufficient in and of itself, and secondly whether it is accurately understood and applied by the judiciary.

More information:
https://www.privacyinternational.org/blog/privacy-international-and-agenturaru-launch-the-joint-project-russias-surveillance-state</description>
        <persons>
          <person id="4004">Andrei Soldatov</person>
        </persons>
        <links>
          <link href="http://www.wired.com/dangerroom/2012/11/russia-surveillance/">Internet filtering and DPI in Russia</link>
          <link href="https://netzpolitik.org/2012/internet-zensur-in-russland-es-ist-alles-eingetreten-wovor-wir-immer-gewarnt-haben-sogar-noch-schlimmer/">German Translation</link>
        </links>
      </event>
      <event id="5393">
        <start>20:30</start>
        <duration>01:00</duration>
        <room>Saal 1</room>
        <slug>milking_the_digital_cash_cow</slug>
        <title>Milking the Digital Cash Cow</title>
        <subtitle>Extracting Secret Keys of Contactless Smartcards</subtitle>
        <track></track>
        <type>lecture</type>
        <language></language>
        <abstract>Contactless smartcards have become widespread for applications such as ticketing, access control, identification and payments. Side-channel analysis (SCA) is a powerful type of passive implementation attack that makes it possible to extract the secret keys of cryptographic devices. Using the example of NXP's Mifare DESFire MF3ICD40 smartcards, we demonstrate that SCA attacks can be applied to cryptographic RFID devices: by exploiting the electro-magnetic information leakage of the cards, their cryptographic keys are revealed.

We introduce our open-source tools for analyzing contactless smartcards, i.e., an ISO 14443 RFID reader (http://sourceforge.net/projects/reader14443) and the card emulator Chameleon (http://sourceforge.net/projects/chameleon14443). We then present what is probably the worst realization of a commercial contactless payment system ever and detail various real-world attacks on this widespread (in Germany) system, e.g., how to 'milk the digital cash cow' by modifying the credit balance and converting zeros and ones into real money.

The content of the talk is joint work with Ingo von Maurich, David Oswald and Christof Paar.</abstract>
        <description></description>
        <persons>
          <person id="3981">Timo Kasper</person>
        </persons>
        <links>
        </links>
      </event>
      <event id="5226">
        <start>21:45</start>
        <duration>01:00</duration>
        <room>Saal 1</room>
        <slug>further_hacks_calypso</slug>
        <title>Further hacks on the Calypso platform</title>
        <subtitle>or how to turn a phone into a BTS</subtitle>
        <track></track>
        <type>lecture</type>
        <language>en</language>
        <abstract>The Calypso baseband and its companion chips are used in the Motorola C123, among others, and are now well known for being supported by the Osmocom-BB open source GSM baseband implementation. A couple of years ago, it was hacked a little further by using it as a raw bits capture device, allowing the interception of GSM traffic very cheaply.</abstract>
        <description>This talk will present some further work on that platform, showing that just because a device wasn't designed for a given task doesn't mean it can't do it. More specifically, it shows how you can hack this phone to act as a GSM basestation and broadcast your own network.</description>
        <persons>
          <person id="3401">Sylvain Munaut</person>
        </persons>
        <links>
        </links>
      </event>
      <event id="5198">
        <start>23:00</start>
        <duration>01:00</duration>
        <room>Saal 1</room>
        <slug>fnord_jahresrueckblick2012</slug>
        <title>Fnord-Jahresr&#252;ckblick</title>
        <subtitle>This time with even more eurozone splitting!</subtitle>
        <track></track>
        <type>lecture</type>
        <language>de</language>
        <abstract>New year, new fnords :-)</abstract>
        <description>In the format of a relaxed evening show, we will present the highlights of the year, the news between the news, the subtle sensations behind the headlines. Come, hear, see! Let yourself be swept along!</description>
        <persons>
          <person id="1046">Felix von Leitner</person>
          <person id="9">Frank Rieger</person>
        </persons>
        <links>
        </links>
      </event>
    </room>
    <room name="Saal 4">
      <event id="5177">
        <start>11:30</start>
        <duration>01:00</duration>
        <room>Saal 4</room>
        <slug>securing_the_campaign</slug>
        <title>Securing the Campaign</title>
        <subtitle>Security and the 2012 US Presidential Election</subtitle>
        <track></track>
        <type>lecture</type>
        <language>en</language>
        <abstract>This talk will go into some of the challenges, solutions, and stories from securing a campaign for the 2012 US presidential election.</abstract>
        <description>Modern US political campaigns are large, sophisticated, and well-funded efforts to communicate with, persuade, and organize national-scale populations. With this complexity and scope comes a number of unique security challenges. The growing importance of technology has necessitated the development of robust and secure solutions that are resilient against a large number of attack vectors.

This talk will go into some of the challenges, solutions, and stories from securing a campaign for the 2012 US presidential election.

The speaker led the application security program for a 2012 US presidential campaign. According to most accounts, this was the first position, in a US campaign, filling a dedicated security role.</description>
        <persons>
          <person id="3870">Ben Hagen</person>
        </persons>
        <links>
        </links>
      </event>
      <event id="5383">
        <start>12:45</start>
        <duration>02:15</duration>
        <room>Saal 4</room>
        <slug>lightning_talks_2</slug>
        <title>Lightning Talks 2</title>
        <subtitle>5 Minutes of Fame</subtitle>
        <track></track>
        <type>other</type>
        <language>en</language>
        <abstract></abstract>
        <description></description>
        <persons>
          <person id="1476">Nick Farr</person>
        </persons>
        <links>
          <link href="http://events.ccc.de/congress/2012/wiki/Lightning_Talks">schedule is in the wiki</link>
        </links>
      </event>
      <event id="5101">
        <start>16:00</start>
        <duration>01:00</duration>
        <room>Saal 4</room>
        <slug>privatisierung_der_rechtsdurchsetzung</slug>
        <title>Privatisierung der Rechtsdurchsetzung</title>
        <subtitle>On ACTA, IPRED and friends</subtitle>
        <track></track>
        <type>lecture</type>
        <language></language>
        <abstract>ACTA was the dominant topic of the second half of the year. ACTA was meant to take the path towards privatising law enforcement further. What that means in practice can already be seen abroad: web blocking, three-strikes systems and real-time monitoring of data traffic to combat copyright infringement. Existing models in other European states show that these measures raise considerable fundamental-rights and data-protection problems.</abstract>
        <description>But in Germany, too, we have the debate about the possible introduction of a warning-model two-strikes infrastructure as a first step in this direction. The problem: internet providers and hosters are thereby made judges and auxiliary police officers in one. This measure breaks an iron principle: the internet provider is not liable for the content it transports and is expressly not supposed to concern itself with it.

The talk aims to give an overview of what is already happening in which states and how. At the same time, it aims to give insight into who the lobbies behind it are and what ideas they advocate. And it gives an outlook on the coming battles at EU and international level over IPRED2 and TPP, as well as side arenas such as Clean IT and the CEO Coalition.</description>
        <persons>
          <person id="3926">Kirsten Fiedler</person>
          <person id="1755">Markus Beckedahl</person>
        </persons>
        <links>
        </links>
      </event>
      <event id="5121">
        <start>17:15</start>
        <duration>01:00</duration>
        <room>Saal 4</room>
        <slug>sind_faire_computer_moeglich</slug>
        <title>Sind faire Computer m&#246;glich?</title>
        <subtitle></subtitle>
        <track></track>
        <type>lecture</type>
        <language></language>
        <abstract>We know green IT well enough by now. But computers can not only fail to be "green", they can also be unfair and antisocial, from raw-material extraction to scrapping. Unfair saves money, after all. The idea of offering and buying fair products is now widespread, but more so for coffee or clothing. A supply of fair IT is missing. The industry has not yet set out to produce fair computers. We users hardly have a choice &#8211; but we can certainly change something. The talk explains what and how.</abstract>
        <description>The talk reports (on the basis of generally accessible sources of information) on the state of development of fair information technology. We do not want to repeat "Apple is evil and Samsung is anyway", but to look at how a supply of fair IT could come about in the future.

Topics covered:
* Complexity of IT production, from raw materials through manufacturing to the scrapping of computers,
* Examples of why IT production has to be called unfair,
* Role of the brand manufacturers,
* Strategies: protests, rankings, education, laws, transparency initiatives, stimulating demand,
* Presentation of two projects for producing fair IT: the (partly) fair mouse from NagerIT and FairPhone
* Ways to become active oneself for fair IT.

The author is active in the Forum InformatikerInnen f&#252;r Frieden und gesellschaftliche Verantwortung (FIfF) and has been working on the topic for three years.
</description>
        <persons>
          <person id="3827">Sebastian Jekutsch</person>
        </persons>
        <links>
          <link href="http://www.nager-it.de/">Fair mouse from NagerIT</link>
          <link href="http://www.fairphone.com/">FairPhone project</link>
          <link href="http://fiff.de/themen/fair_it">FIfF main page on fair computers on the FIfF website</link>
          <link href="http://www.faire-computer.de">Portal on the topic (still under construction)</link>
        </links>
      </event>
      <event id="5124">
        <start>18:30</start>
        <duration>01:00</duration>
        <room>Saal 4</room>
        <slug>low_cost_chip_microprobing</slug>
        <title>Low-Cost Chip Microprobing</title>
        <subtitle></subtitle>
        <track></track>
        <type>lecture</type>
        <language></language>
        <abstract>Security is moving deeper into hardware and so should security research. This talk introduces microprobing, an old technique for snooping on data inside chips, and details a low-cost probing setup.</abstract>
        <description>Hardened security chips protect secrets in an astonishing range of applications from payment and ID cards to car controllers to DRM-enabled gadgets like your smartphone. Extracting a device's firmware for analysis is not always feasible using software tools. This talk looks into a generic intrusive method for extracting code from silicon chips.

We discuss both the physical extraction setup and glitching tricks to make the chip spill out its entire content. On the physical setup, we look at documented attacks on smart card chips, derive a simplified setup for 'home laboratories', and touch on upcoming attack potential through advanced microprobing.

On the topic of chip glitching, we revisit the good old 'linear code extraction' attack that tricks the chip into accessing all corners of its memories.

The talk provides an introduction for aspiring chip hackers as much as a warning to solution designers who rely too much on hardware protection.</description>
        <persons>
          <person id="3829">dexter</person>
          <person id="1317">Karsten Nohl</person>
        </persons>
        <links>
        </links>
      </event>
      <event id="5225">
        <start>20:30</start>
        <duration>01:00</duration>
        <room>Saal 4</room>
        <slug>security_evaluation_of_russian_gost_cipher</slug>
        <title>Security Evaluation of Russian GOST Cipher</title>
        <subtitle>Survey of All Known Attacks on Russian Government Encryption Standard</subtitle>
        <track></track>
        <type>lecture</type>
        <language></language>
        <abstract>In this talk we will survey some 30 recent attacks on the Russian GOST block cipher.

Background:
The GOST cipher is the official encryption standard of the Russian Federation, and also has special versions for the most important Russian banks.
Until 2012 there was no attack on GOST when it is used in encryption with random keys.
I have developed more than 30 different academic attacks on GOST; the fastest has a complexity of 2^118 to recover some but not all 256-bit keys generated at random, which will be presented for the first time at the CCC conference.
It happens only once per decade that a government standard is broken while it is still an official government standard (happened for DES and AES, no other cases known).
All these are broken only in an academic sense; for GOST, the most recent attacks are sliding into maybe arguably practical in 30 years from now instead of 200 years...
Our earlier results were instrumental at ISO for rejecting GOST as an international encryption standard last year. Not more than 5+ block ciphers have ever achieved this level of ISO standardisation in 25 years and it NEVER happened in the history of ISO that a cipher got broken during the standardization process.

The two main papers, with 70+30 pages respectively, are http://eprint.iacr.org/2011/626 and http://eprint.iacr.org/2012/138. Two other papers have already been published in the Cryptologia journal, which specializes in serious military and government crypto.

The talk will cover three main families of attacks on GOST: high-level transformations, low-level inversion/MITM/guess-then-software/algebraic attacks and advanced truncated differential cryptanalysis of GOST.
</abstract>
        <description>Plan for the talk: 

First I cover the history of GOST with major Cold War history events as the necessary background. 

Then I describe in detail three main families of attacks:

1) self-similarity attacks which generalize slide, fixed point and reflection attacks, and provide a large variety of ways in which the security of the full GOST cipher with 32 rounds can be reduced to the security of GOST with 8 rounds in a black box reduction, and thus the task of the cryptanalyst is split into two well-defined tasks.

2) detailed software/algebraic and MITM attacks on 8 rounds and how weak diffusion in GOST helps.

3) advanced truncated differential attacks on GOST</description>
        <persons>
          <person id="3888">Dr Nicolas T. Courtois</person>
        </persons>
        <links>
        </links>
      </event>
      <event id="5152">
        <start>21:45</start>
        <duration>01:00</duration>
        <room>Saal 4</room>
        <slug>hashflooding_dos_reloaded</slug>
        <title>Hash-flooding DoS reloaded: attacks and defenses</title>
        <subtitle></subtitle>
        <track></track>
        <type>lecture</type>
        <language>en</language>
        <abstract>At 28C3, Klink and Waelde showed that a number of technologies (PHP, ASP.NET,
Ruby, Java, Python, etc.) were vulnerable to the decade-old hash-flooding DoS
attacks. The vulnerability was then often fixed by adopting stronger hash
functions and "randomizing" them.</abstract>
        <description>We show that it's not enough, at least for
systems relying on "MurmurHash" or on Google's "CityHash64", by presenting 
powerful "universal multicollision" attacks for those functions.  We will
present demos showing how to exploit these attacks to DoS a Ruby on Rails
application, as well as the latest Java OpenJDK7. We also describe a 
vulnerability of Python's new randomized hash, allowing an attacker to easily
recover the 128-bit secret seed.  As a reliable fix to hash-flooding, we
introduce SipHash, a family of cryptographically strong keyed hash functions
competitive in performance with the weak hashes, and already adopted in OpenDNS, 
Perl 5, Ruby, and in the Rust language.</description>
        <persons>
          <person id="3908">djb</person>
          <person id="3770">Jean-Philippe Aumasson</person>
          <person id="3995">Martin Bo&#223;let</person>
        </persons>
        <links>
          <link href="https://131002.net/siphash/">The SipHash hash function, and PoCs for several hash functions</link>
          <link href="http://www.nruns.com/_downloads/advisory28122011.pdf">Dec 2011 advisory</link>
          <link href="http://www.cs.rice.edu/~scrosby/hash/CrosbyWallach_UsenixSec2003.pdf">Original description of hash-flooding</link>
          <link href="http://www.ocert.org/advisories/ocert-2012-001.html">Nov 2012 advisory</link>
        </links>
      </event>
      <event id="5323">
        <start>23:00</start>
        <duration>01:00</duration>
        <room>Saal 4</room>
        <slug>pflanzenhacken_richtig</slug>
        <title>Pflanzenhacken richtig</title>
        <subtitle>Insights into wheat breeding</subtitle>
        <track></track>
        <type>lecture</type>
        <language>de</language>
        <abstract>The talk is about cereal breeding. Using wheat as an example, it describes the many-year process needed to bring a new variety to market. The biological foundations and the technology required will be presented. It also addresses the problems that the concentration of the market in a few large corporations brings with it.</abstract>
        <description>After a brief outline of the origin of wheat and its importance for agriculture, the development of a new variety is described. This first requires a look at genetics. The particularities of self-pollinators, homozygosity versus heterozygosity, and the Hardy-Weinberg law are discussed. From this it already becomes clear that it takes at least ten years before a new variety can be brought to market. Right at the start of development, the breeder has to decide which breeding goals to pursue and which plants to choose as parents for the cross.

Next, the work in breeding over the course of a year is described. Besides activities such as crossing and recording data, which are done without special technology, particular attention is given to the various machines that were developed specifically for cereal breeding. These are in particular small-plot combine harvesters, single-ear threshers and seed cleaning. In addition, there are the analyses carried out in the laboratory in order to assess the baking quality of the breeding lines.

Besides this classical breeding work, modern techniques such as transformation, hybrids, cytoplasmic male sterility, tissue cultures and the like are presented. Overall, the aim is to make clear what enormous effort it takes to provide seed for farmers.

Following the actual breeding work comes the process of registration and certification. The role of the Bundessortenamt and the legal basis for trade in seed are touched on briefly, before turning to the problems that come to light in the ECJ ruling on trade in seed. What effects does it have in this context that the seed market, on the supplier side, is in the hands of a few large international corporations?</description>
        <persons>
          <person id="3887">Alexander</person>
        </persons>
        <links>
        </links>
      </event>
    </room>
    <room name="Saal 6">
      <event id="5417">
        <start>11:30</start>
        <duration>01:00</duration>
        <room>Saal 6</room>
        <slug>cve_2011_3402_analysis</slug>
        <title>CVE-2011-3402 Technical Analysis</title>
        <subtitle></subtitle>
        <track></track>
        <type>lecture</type>
        <language>en</language>
        <abstract>CVE-2011-3402 is well known as the Windows Kernel TrueType [Font]
0-day used in the "Duqu" attack(s). Recently this exploit has begun to
appear in several crimeware exploit kits... Actually, not merely just the
exploit, but the *entire* font file used by Duqu, now being harnessed to
infect a large population with malware.  This talk will mostly be an
extremely low-level walk-through of the font program within this TrueType
font, which is used to manipulate the Windows Kernel into executing the
native x86 shellcode.</abstract>
        <description></description>
        <persons>
          <person id="3556">Julia Wolf</person>
        </persons>
        <links>
        </links>
      </event>
      <event id="5378">
        <start>12:45</start>
        <duration>00:30</duration>
        <room>Saal 6</room>
        <slug>stabilitaetsanker_wachstumslokomotive</slug>
        <title>Stabilit&#228;tsanker &amp; Wachstumslokomotive</title>
        <subtitle></subtitle>
        <track></track>
        <type>lecture</type>
        <language>de</language>
        <abstract>Stabilit&#228;tsanker &amp; Wachstumslokomotive ("stability anchor" and "growth locomotive") are political metaphors that unintentionally reveal the extent of the European economic and financial crisis. How does such a term enter circulation? Who uses it? For what purpose? What does the analysis of the metaphors bring to light?</abstract>
        <description>In June 2011, Federal Defence Minister de Maizi&#232;re and Bundesbank President Weidmann imported the "Stabilit&#228;tsanker" into political language almost simultaneously. One wanted to justify the delivery of Leopard tanks to Saudi Arabia: Saudi Arabia, he said, was a regional stability anchor (a few weeks after the suppression of the revolt in Bahrain by Saudi troops). The other wanted to describe the special role of central banks.

Both overlooked where the solid term comes from: state building codes. To secure "fliegende Bauten" (temporary structures) such as carousels or roller coasters, one needs a counterweight in the "Totmanngrube" (deadman pit).

The metaphor seems unconsciously to describe exactly the circumstances that the political speakers are trying to gloss over: the imbalances and legitimacy deficits as well as the volatility of the situations in which they act. Does the nervousness of the financial markets not resemble a roller coaster, and can the security situation in the Middle East still be adequately described in terms of stability at all?

In my talk I would like to shed light on the history and use of the two terms. Between June 2011 and October 2012, a Google Alert kept the Stabilit&#228;tsanker under surveillance: more than 150 further institutions from politics and business call themselves a "Stabilit&#228;tsanker", trusting in the solidity of the term.</description>
        <persons>
          <person id="3964">Hans Huett</person>
        </persons>
        <links>
        </links>
      </event>
      <event id="5077">
        <start>13:15</start>
        <duration>00:30</duration>
        <room>Saal 6</room>
        <slug>ethics_in_security_research</slug>
        <title>Ethics in Security Research</title>
        <subtitle></subtitle>
        <track></track>
        <type>lecture</type>
        <language></language>
        <abstract>Recently, several research papers in the area of computer security were published that may or may not be considered unethical. Looking at these borderline cases is relevant as today&#8217;s research papers will influence how young researchers conduct their research. In our talk we address various cases and papers and highlight emerging issues for ethics committees, internal review boards (IRBs) and senior researchers to evaluate research proposals and to finally decide where they see a line that should not be crossed.</abstract>
        <description>For researchers in computer security, the recent success of papers such as [KKL+09] is an incentive to follow along a line of research where ethical questions become an issue. In our talk at the conference we will address various cases and papers and provide possible guidelines for ethics committees, internal review boards (IRBs) and senior researchers to evaluate research proposals and to finally decide where they see a line that should not be crossed. While some actions might not be illegal, they still may seem unethical.

Key phrases that would be addressed in the discussion: (1) Do not harm users actively, (2) Watching bad things happening, (3) Control groups, (4) Undercover work. In the following, we introduce some lines of thought that should be discussed throughout the talk:

A first and seemingly straightforward principle is that researchers should not actively harm others. So deploying malware or writing and deploying new viruses is obviously a bad idea. Is it, however, ok to modify malware? Following the arguments of [KKL+08], one would not create more harm if, for instance, one instrumentalized a virus so that it sends us statistical data about its host. Such a modification could be made by the ISP or the network administrators at a university network. If this modification makes the virus less likely to be detected by anti-virus software, the case, however, changes. Then this is analogous to distributing a new virus. A few quick lab experiments have shown that malware that is detected by virus scanners is very often not picked up after it has been modified.

Stealing a user&#8217;s computing and networking resources may harm her; however, if some other malware already steals the resources, one could argue that the damage is less since the researcher&#8217;s software does &#8220;less bad things&#8221;. This is basically what the authors of [KKL+08] argue. So when taking over a botnet, generating additional traffic would not be permissible whereas changing traffic would be. The real-world analogue is that you see someone breaking into a house, you scare the person away and then you go in and only look around, for instance, to understand how the burglar selected the target and what he was planning to steal, which is &#8220;less bad&#8221; than the stealing that the burglar was probably planning to do.

There is a line of research in which researchers only passively observe malware and phishing without modifying any content or receivers. When thinking of research ethics of &#8220;watching what happens&#8221;, the Tuskegee Study of Syphilis [W1] comes to mind. Patients were not informed about available treatments, no precautions were taken that patients did not infect others, and they were also actively given false information regarding treatment. Today it is obvious that the study is unethical.

As done in [BSBK09], the best way is to ask people for their consent prior to the experiment. In other studies, involving, for instance, botnets, this procedure may be impossible as a host computer can only be contacted after sending modified messages. In a botnet study such as [SGCC+09] it seems both feasible and responsible to inform a user that her computer is part of a botnet. However obvious this may seem, there might be multiple users on an infected machine and informing an arbitrary user could cause some additional harm. For instance, the infection of an office computer may have been caused by deactivating the anti-virus software, surfing to Web pages not related to work, etc. Thus informing one person could cause another person to lose his job. While this is not as extreme as the &#8220;Craigslist experiment&#8221; [W2], similar impacts are conceivable.

For a cell phone provider we set up two honeynets, one open to the Internet and one accessible only to the mobile provider&#8217;s customers that use GPRS/UMTS data services. The goal was to analyze the trustworthiness of different devices. Management decided not to inform users whom we knew to be infected by certain malware; the rationale was that customers might feel watched and would feel that their privacy had been invaded. Comparing this with a real-world analogue of &#8220;watching without helping&#8221; (such as the circumstances of the murder of Kitty Genovese and the bystander effect [MLC07]), one may consider this to be unethical.

- [BSBK09] Leyla Bilge, Thorsten Strufe, Davide Balzarotti, and Engin Kirda. All your contacts are belong to us: automated identity theft attacks on social networks. In WWW &#8217;09: Proceedings of the 18th international conference on World wide web, pages 551&#8211;560, New York, NY, USA, 2009. ACM.
- [GC10] Simson L. Garfinkel and Lorrie Faith Cranor. Institutional review boards and your research. Commun. ACM, 53(6):38&#8211;40, 2010.
- [GSFT08] Steven J. Greenwald, Brian D. Snow, Richard Ford, and Richard Thieme. Towards an ethical code for information security? In NSPW &#8217;08: Proceedings of the 2008 workshop on New security paradigms, pages 75&#8211;87, New York, NY, USA, 2008. ACM.
- [HME10] Markus Huber, Martin Mulazzani, and Edgar R. Weippl. Social networking sites security: Quo vadis. In Proceedings of the International Conference on e-Business (ICEB), Minneapolis, MN, August 2010.
- [HMSE10] Markus Huber, Martin Mulazzani, Sebastian Schrittwieser, and Edgar R. Weippl. Cheap and automated socio-technical attacks based on social networking sites. In Proceedings of ACM CCS Workshops, Chicago, IL, October 2010.
- [HMW10] Markus Huber, Martin Mulazzani, and Edgar R. Weippl. Who on earth is mr. cypher? automated friend injection attacks on social networking sites. In Proceedings of the IFIP International Information Security Conference 2010: Security &amp; Privacy &#8212; Silver Linings in the Cloud, Brisbane, Australia, 2010. Springer LNCS.
- [JJJM07] Tom N. Jagatic, Nathaniel A. Johnson, Markus Jakobsson, and Filippo Menczer. Social phishing. Commun. ACM, 50(10):94&#8211;100, 2007.
- [KKL+08] Chris Kanich, Christian Kreibich, Kirill Levchenko, Brandon Enright, Geoffrey M. Voelker, Vern Paxson, and Stefan Savage. Spamalytics: an empirical analysis of spam marketing conversion. In CCS &#8217;08: Proceedings of the 15th ACM conference on Computer and communications security, pages 3&#8211;14, New York, NY, USA, 2008. ACM.
- [KKL+09] Chris Kanich, Christian Kreibich, Kirill Levchenko, Brandon Enright, Geoffrey M. Voelker, Vern Paxson, and Stefan Savage. Spamalytics: an empirical analysis of spam marketing conversion. Commun. ACM, 52(9):99&#8211;107, 2009.
- [MLC07] R. Manning, M. Levine, and A. Collins. The kitty genovese murder and the social psychology of helping: The parable of the 38 witnesses. American Psychologist, 62:555&#8211;562, 2007.
- [SGCC+09] Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Chris Kruegel, and Giovanni Vigna. Your botnet is my botnet: Analysis of a botnet takeover. Technical report, Security Group, Department of Computer Science, University of California, Santa Barbara, 2009. http://www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf.
- [Spi03] Diomidis Spinellis. Reflections on trusting trust revisited. Communications of the ACM, 46(6):112, 2003.
- [Tho84] Ken Thompson. Reflections on trusting trust. Communications of the ACM, 27(8):761&#8211;763, 1984.
- [W1] http://en.wikipedia.org/wiki/Tuskegee_Study_of_Untreated_Syphilis_in_the_Negro_Male
- [W2] http://en.wikipedia.org/wiki/Jason_Fortuny#.22Craigslist_Experiment.22
</description>
        <persons>
          <person id="3795">Sebastian Schrittwieser</person>
        </persons>
        <links>
        </links>
      </event>
      <event id="5210">
        <start>14:00</start>
        <duration>00:30</duration>
        <room>Saal 6</room>
        <slug>on_breaking_saml</slug>
        <title>On Breaking SAML</title>
        <subtitle>Be Whoever You Want to Be</subtitle>
        <track></track>
        <type>lecture</type>
        <language></language>
        <abstract>The Security Assertion Markup Language (SAML) is a widely adopted language for making security statements about subjects. It is a critical component for the development of federated identity deployments and Single Sign-On scenarios. In order to protect integrity and authenticity of the exchanged SAML assertions, the XML Signature standard is applied. However, the signature verification algorithm is much more complex than in traditional signature formats like PKCS#7. The integrity protection can thus be successfully circumvented by application of different XML Signature specific attacks, under a weak adversarial model.</abstract>
        <description>In this presentation we describe an in-depth analysis of 14 major SAML frameworks and show that 11 of them, including Salesforce, Shibboleth, and IBM XS40, have critical XML Signature wrapping (XSW) vulnerabilities. Based on our analysis, we developed an automated penetration testing tool for XSW in SAML frameworks. Its feasibility was proven by additional discovery of a new XSW variant. We propose the first framework to analyze such attacks, which is based on the information flow between two components of the Relying Party. Surprisingly, this analysis also yields efficient and practical countermeasures.

Our research was presented at USENIX Security Symposium 2012, Bellevue, WA. For full details, please see attached paper.</description>
        <persons>
          <person id="3875">Andreas Mayer</person>
        </persons>
        <links>
        </links>
      </event>
      <event id="5123">
        <start>14:30</start>
        <duration>00:30</duration>
        <room>Saal 6</room>
        <slug>small_footprint_inspection_techniques_for_android</slug>
        <title>Small footprint inspection techniques for Android</title>
        <subtitle>Reverse engineering on Android platforms</subtitle>
        <track></track>
        <type>lecture</type>
        <language></language>
        <abstract>The lecture would address topics related to reverse engineering for mobile platforms, especially from the Android point of view. The main aspect of the presentation is a new approach to the side-effects problem of reverse engineering: some low footprint inspection techniques that give analysts the ability to access the program memory without altering its behavior. One technique is presented in particular - Android service injection - and is demonstrated.</abstract>
        <description>Reverse engineering and motivations
===================================

With mobile devices getting more complex every day, users tend to store
huge amounts of data and access so many services on potentially insecure
networks and systems that mobile security is one of the main concerns
faced by development companies and IT security experts nowadays.

Meanwhile, both for security reasons and intellectual property
protection, developers are provided with a panel of optimization and
obfuscation tools that is getting powerful and fairly
easy to include in any release process. Reverse engineering binary
packages has become a full time job for security consultants, who are
lacking some tools when dealing with very specific issues.

In order to completely understand motivations for small footprint
inspection techniques, one first has to compare reverse engineering with
physics. Reverse engineering *is* the physics of computers: experts are
collecting facts and observing behaviors to establish laws and analyze
system internals that could not be observed directly. Those same experts
are facing numerous experimental issues, especially when studying
programs specifically designed against reverse engineering techniques.
One of them is very common to physics and computers: experimental and
measurement uncertainty.

When performing any run-time dynamic analysis, reverse engineers modify
the application behavior by altering its environment: debugging
meta-data, run-time breakpoints, virtual machine overlay, physical
device emulator and even network traffic interception may end up in a
completely different response from the target application. Studying the
program necessarily involves a bias; developers and specific
anti-debugging tools exploit this bias to slow down reverse engineers or
lead them to wrong conclusions.

Current tools available for the Android mobile platform usually have
many side effects: their footprint is so big that dynamic analysis of
mobile applications is sometimes impossible. This observation motivated
various research projects for dynamic analysis &#8211; mostly inspection &#8211;
techniques involving a minimal footprint.

Small footprint inspection
==========================

Android inspection state of the art
-----------------------------------

Many tools are available for memory and execution path inspection of
Android applications. The most common one is DDMS (Dalvik Debug Monitor
Server); it is perfectly integrated with development environments like
Eclipse and allows developers and auditors to place breakpoints and inspect
both local and global variables. Yet the application has to be launched
in debug mode (if not built with the debug flag).

One of the latest tools released is APKIL. It provides auditors with a
complete Dalvik byte-code patching system that is able to inject
monitoring instructions into application packages. Its main purpose is
the inspection of Android API calls, which &#8211; as any system call &#8211; are
usually perfectly relevant for analyzing internal mechanisms. It is
still easily beaten by loading remote code at run-time or by spoofing
usual API calls.

Service injection
-----------------

The techniques we used to circumvent annoying side effects and
anti-debugging protections are based on a very simple principle that
malware developers have already widely explored:
Android applications are built upon a modular architecture, declaring
possibly unrelated activities, services, etc. Thus, injecting code into
an application package does not necessarily mean altering the existing
Dalvik byte-code.

We tried and exploited many injection vectors, from supposed static
resources to fully equipped services, and ended up dropping a service
that remains completely silent until it is enabled and queried by a
client application.

The injected piece of code communicates using standard service calls as
a covert channel in order to grant users the ability to inspect the
application memory from the inside and execute any Dalvik instruction in
the same process and virtual machine as the target application. It is
also able to load dynamic classes at run-time &#8211; in a very similar
fashion as Meterpreter &#8211; in order to extend its functionality while
keeping a minimal space footprint.

Introspection API and examples
------------------------------

The tool we eventually developed exposes a simple service API that may
be proxified over the network and integrated in the same fashion as DDMS
plugins.

It is able to perform complete introspection of activities and running
services, variable modification and remote method invocation, as
well as downloading and invoking user-defined Java/Dalvik macros at
run-time.

It will be released together with example client applications.

Presentation contents
=====================

The presentation would be held in English, last about 30 minutes and
address the following topics:

-   general considerations and real life examples about the importance
    of mobile security and reverse engineering on mobile platforms;

-   existing inspection tools and examples of their usual side effects;

-   minimal footprint inspection principles and overview of the
    technical implementation we came up with;

-   demonstration of the released tool abilities using a couple of
    target applications and the Android introspection client (as well as
    a DDMS-like plugin if ready soon enough).</description>
        <persons>
          <person id="4007">Damien Cauquil</person>
          <person id="3830">Pierre Jaury</person>
        </persons>
        <links>
        </links>
      </event>
      <event id="5146">
        <start>16:00</start>
        <duration>01:00</duration>
        <room>Saal 6</room>
        <slug>an_overview_of_secure_name_resolution</slug>
        <title>An Overview of Secure Name Resolution</title>
        <subtitle>DNSSEC, DNSCurve and Namecoin</subtitle>
        <track></track>
        <type>lecture</type>
        <language>en</language>
        <abstract>There are about 100 top-level domains signed with DNSSEC and .nl recently hit 1M second-level domains. On this occasion, we take a look at the goods and the bads of DNSSEC deployment, including amplification attacks, Zensursula-like DNS redirects, China DNS injection and NASA key rollover mistakes. We will find out what DNSCurve and Namecoin promise to make better and what Zooko's triangle has to do with all this.</abstract>
        <description>DNSSEC uses public-key cryptography to sign (not encrypt) public data in the Domain Name System. With knowledge of the root public key resolvers (DNS clients) can verify names along a chain of trust. A new type of resource records allows for secure denial of existence of mistyped names.

Deployment of DNSSEC proceeds gradually. The root zone has been signed since July 2010 and the major top-level domains support DNSSEC, though most second-level domains are unsigned. .br, .cz, .nl and .se have &gt;10% of their domains signed. An estimated 70-80% of the queries seen at authoritative nameservers originate from resolvers that are capable of parsing DNSSEC answers but this does not imply that validation is enabled (or works) on all of them. About 5-10% of Interwebz clients are using validating resolvers, with CZ, SE and US having validation ratios of &gt;10%. Current operating systems do not support DNSSEC validation and thus rely on full-blown nameservers in the local network or at the ISP's premises. The last mile between OS and validating nameserver is currently not secured by DNSSEC.

Implications of DNSSEC deployment:
- CPU and network load increases on resolvers and nameservers.
 - Amplification attacks become more effective: rate-limiting nameserver responses will be a must-have in future.
- Complexity increases: expect new bugs.
- Rogue DNS redirects become impossible.
 - A Zensursula-like attack won't redirect to a government STOPP website, but will block the website without notice.
 - NXDOMAIN response redirected by ISP to spam website will look (almost) like it originally should.
 - Collateral damage caused by China DNS injection will decrease if you have alternative transit paths.
- If a domain administrator gets his DNSSEC configuration wrong, validating ISPs will be blamed for blocking. Expect outages of large sites.

DNSCurve is an alternative concept to secure DNS. While DNSSEC sticks to the original idea of shoving around resource records and preserving forwarders in the query path, DNSCurve uses a secured direct connection between the recursive nameserver and the authoritative nameserver. Using link-level security has the benefits of eliminating amplification attacks, encrypting the communication and hassle-free negative responses, but the downsides of losing multi-hop caching and requiring online signing on authoritative nameservers. DNSCurve carries the public key in self-authenticating domain names instead of dedicated resource records.

Namecoin is an experimental adaptation of the Bitcoin concept to domain names. Miners invest computation time to acquire Namecoins and can use them to register and refresh domain names. The namespace of Namecoin is flat and Namecoin suffers from the same scalability issues as Bitcoin does, but it enables a peer-to-peer naming system that cannot be controlled by a centralized instance. For secure name resolution, resolvers need to participate in the Namecoin peer-to-peer system.

</description>
        <persons>
          <person id="3808">Matth&#228;us Wander</person>
        </persons>
        <links>
          <link href="https://www.vs.uni-due.de/personal/wander/20121229_Secure_Name_Resolution/">Slides (HTML5)</link>
        </links>
      </event>
      <event id="5305">
        <start>17:15</start>
        <duration>01:00</duration>
        <room>Saal 6</room>
        <slug>long_live_the_protocoletariat</slug>
        <title>Long live the protocoletariat!</title>
        <subtitle></subtitle>
        <track></track>
        <type>lecture</type>
        <language></language>
        <abstract>We're winning!  The future looks like network politics!

Wait, what the hell are network politics and how do they work?  Is that like the Pirate Party, or the IETF, or Anonymous?</abstract>
        <description>In this talk, we'll try to answer this question, or at least confuse the issue in an enlightening manner.  We'll speak about the International Modern Media Institute, the work we did with the Constitutional Analysis Support Team in Iceland last year, what happens when Liquid Feedback meets pogroms, how a do-ocracy decides to not do something, how not to be governed (which turns out to be quite like how not to be seen), why incomplete politics are useless, what a protocoletariat is, and other topics for our emerging post-democratic future.</description>
        <persons>
          <person id="2672">Eleanor Saitta</person>
          <person id="4001">Sm&#225;ri McCarthy</person>
        </persons>
        <links>
        </links>
      </event>
      <event id="5179">
        <start>18:30</start>
        <duration>01:00</duration>
        <room>Saal 6</room>
        <slug>hacking_philosophy</slug>
        <title>Hacking Philosophy</title>
        <subtitle>Digital autonomy, technological paternalism, and why we need a philosophy of the net</subtitle>
        <track></track>
        <type>lecture</type>
        <language></language>
        <abstract>We see great potential in digital technology for democratizing and liberating people. But let's not fool ourselves: technology can just as well serve to disenfranchise people. The more complex it becomes, the more we depend on simplification and the less influence we ourselves can exert on the technology.</abstract>
        <description>Hacking and philosophy have one great thing in common: an aesthetic sense of well-being upon recognizing or finding an elegant solution (which is, after all, the origin of the word "hack"). Yet so far this fundamental commonality has produced little common ground.

At the meeting of the UN's International Telecommunication Union in Dubai, politicians, experts (whatever that may be) and lobbyists are calling for new rules for the Internet.
What it means when such demands are voiced is already clear to us: even more restrictions are to come, and in the foreseeable future we will have to take to the streets and protest again.

And yet it is not at all wrong that we need new, up-to-date (moral) rules adapted to the Internet. For the Internet has turned our society upside down to such an extent that hardly any area of life remains untouched by it. Less experienced net users in particular keep falling into nasty traps that could have been avoided. And the reaction to this is regularly a demand for more restrictions.
New ethical rules could prevent this.

For once again philosophy is making its favourite mistake: it takes too long to engage with new topics. The proverb about the mountain and the prophet suggests that we should meet the philosophers halfway.
What could sensible moral rules look like? How must our technology be designed so that it preserves our freedom rather than restricting it more and more and more?
It is not as if we had to start from scratch. The philosophy of technology has already put forward quite a bit. We can take up "technological paternalism", because through it we can learn which technology will definitely become dangerous for our "digital autonomy" and which probably will not.
There are net ethics and theses galore. What we need is something universally valid that even the most clueless user (DAU) can internalize.
</description>
        <persons>
          <person id="3872">Leena Simon</person>
        </persons>
        <links>
          <link href="http://netzphilosophie.org">Netzphilosophie.org</link>
        </links>
      </event>
      <event id="5237">
        <start>20:30</start>
        <duration>01:00</duration>
        <room>Saal 6</room>
        <slug>a_rambling_walk_through_an_emv_transaction</slug>
        <title>A Rambling Walk Through an EMV Transaction</title>
        <subtitle></subtitle>
        <track></track>
        <type>lecture</type>
        <language>en</language>
        <abstract>With Visa and Mastercard pushing for EMV (http://www.emvco.com, aka &#8220;chip and pin&#8221;) rollout in the United States, the uptake of contactless payment and the use of mobile NFC wallets, the chipcard security community will soon be getting more eyes to analyze the protocols in use with chip and contactless credit card transactions.</abstract>
        <description>This talk won&#8217;t present any innovative attacks on the EMV system. Instead, we&#8217;ll perform a single EMV transaction on stage, exploring every command. Along the way we&#8217;ll discuss the plethora of standards and technologies surrounding EMV, elaborate the data structures used and try to put into perspective some of the better known attacks on the system. Afterwards you should have enough information to plug in your own card and start hacking.</description>
        <persons>
          <person id="3893">Tim Becker</person>
        </persons>
        <links>
          <link href="https://github.com/a2800276/29c3">Code from demo.</link>
          <link href="http://www.openscdp.org/scsh3/">Javascript based framework for working with smartcards</link>
        </links>
      </event>
      <event id="5285">
        <start>21:45</start>
        <duration>01:00</duration>
        <room>Saal 6</room>
        <slug>men_who_stare_at_bits</slug>
        <title>Men who stare at bits</title>
        <subtitle>RFID student cards with flaws</subtitle>
        <track></track>
        <type>lecture</type>
        <language>de</language>
        <abstract>Insecure student and canteen cards. A scientific evaluation.</abstract>
        <description>How secure are student cards, really? With them you can not only pay for your canteen meal but also make photocopies and lock and unlock a locker (ideally your own). The laptop should still be in there when you come back to the locker.

But security here seems to be more a matter of chance. For a research project, FoeBuD had called on people to send in student and canteen cards. Knowledge-hungry "men who stare at bits" brought quite a few 'peculiarities' to light. In this talk we present the research results and report on the very different reactions of the universities and student services organizations. </description>
        <persons>
          <person id="3991">nuit</person>
          <person id="285">Rena Tangens</person>
        </persons>
        <links>
          <link href="https://github.com/nv1t/proxmark3">Proxmark3 + DESfire</link>
        </links>
      </event>
      <event id="5256">
        <start>23:00</start>
        <duration>01:00</duration>
        <room>Saal 6</room>
        <slug>the_future_of_protocol_reversing_and_simulation</slug>
        <title>The future of protocol reversing and simulation applied on ZeroAccess botnet</title>
        <subtitle>Mapping your enemy Botnet with Netzob</subtitle>
        <track></track>
        <type>lecture</type>
        <language>en</language>
        <abstract>Have you ever been staring for nights at binary or hexadecimal data flows extracted from a USB channel? Don't you remember yourself searching for some patterns and similarities in this fuc***g mess of zeros and ones grabbed from a binary configuration file? How long did it take you to find a 16-bit decimal size field last time you reversed an IPC communication protocol?
Did you know that you are not alone, and that, among others, Rob Savoye (@ FOSDEM-08) and Drew Fisher (@ 28C3) have already reported the main difficulties of RE operations? Both of them called for the creation of a tool which would help experts in their work.</abstract>
        <description>After 2 years of intensive research, we are pleased to present our results: a tool that facilitates the analysis of binary flows, finds relations between segments of data, deduces data types and formats, infers the state machine and does a few other little things, including fuzzing and simulating implementations of undocumented protocols.

Released under GPLv3, Netzob is (to our knowledge) the most advanced available tool that helps reversers and security evaluators/auditors in their work on undocumented protocols.

There are many reasons why an I.T. Advanced User would engage himself in RE operations. For example, some want to understand how their favorite game saves their credentials while others want to make their USB device interoperable on natively unsupported OSes. In addition to these common usages, security auditors (and evaluators) often use the RE process in their work, either for vulnerability assessment of implementations or for analyzing malicious traffic and malware. This presentation will discuss the usage of RE by security auditors and evaluators in the context of malware analysis, with botnet C&amp;C as a specific use case.

We will present Netzob, an Open Source tool, and show how it helps to semi-automatically reverse undocumented communication protocols (USB, Network, IPC, ...). It leverages bioinformatics, automata theory and data dependency algorithms to infer both the message format and the state machine of a protocol. Most of these algorithms were re-implemented from scratch, which allowed us to customize their specifications to our needs. These algorithms will be pedagogically explained and their uses for RE purposes will be detailed.

We will also present the methodology to generate contextualized communications based on the obtained specifications. Hence, the provided simulation module allows the creation of realistic servers and clients in a controllable manner.</description>
        <persons>
          <person id="3906">Fr&#233;d&#233;ric Guih&#233;ry</person>
          <person id="3477">Georges Bossert</person>
        </persons>
        <links>
          <link href="http://www.netzob.org">Official website of the published tool</link>
          <link href="http://dev.netzob.org">Devel area of netzob</link>
          <link href="https://dev.netzob.org/git/netzob.git">Git Repository hosting source code</link>
        </links>
      </event>
    </room>
    <room name="Saal 17">
      <event id="5409">
        <start>11:00</start>
        <duration>05:15</duration>
        <room>Saal 17</room>
        <slug></slug>
        <title>Deutschlandfunk @ 29C3</title>
        <subtitle>Interviews, panel discussions, getting to know each other</subtitle>
        <track></track>
        <type>other</type>
        <language>de</language>
        <abstract></abstract>
        <description></description>
        <persons>
        </persons>
        <links>
          <link href="http://www.youtube.com/watch?v=nNHgtgwxnNA">Deutschlandfunk @ 29C3</link>
        </links>
      </event>
      <event id="5413">
        <start>16:15</start>
        <duration>00:45</duration>
        <room>Saal 17</room>
        <slug></slug>
        <title>Live broadcast &#187;Computer und Kommunikation&#171;</title>
        <subtitle>Deutschlandfunk @ 29C3</subtitle>
        <track></track>
        <type>other</type>
        <language></language>
        <abstract>Audience welcome.</abstract>
        <description></description>
        <persons>
        </persons>
        <links>
          <link href="http://www.youtube.com/watch?v=nNHgtgwxnNA">Deutschlandfunk @ 29C3</link>
          <link href="http://www.dradio.de/dlf/sendungen/computer/">Programme website</link>
        </links>
      </event>
      <event id="5410">
        <start>17:00</start>
        <duration>01:00</duration>
        <room>Saal 17</room>
        <slug></slug>
        <title>Deutschlandfunk @ 29C3</title>
        <subtitle>Interviews, panel discussions, getting to know each other</subtitle>
        <track></track>
        <type>other</type>
        <language>de</language>
        <abstract></abstract>
        <description></description>
        <persons>
        </persons>
        <links>
          <link href="http://www.youtube.com/watch?v=nNHgtgwxnNA">Deutschlandfunk @ 29C3</link>
        </links>
      </event>
    </room>
  </day>
  <day date="2012-12-30" index="4">
    <room name="Saal 1">
      <event id="5299">
        <start>11:30</start>
        <duration>01:00</duration>
        <room>Saal 1</room>
        <slug>best_of_verfassungsschutz</slug>
        <title>Best of ... Verfassungsschutz</title>
        <subtitle>The Verfassungsschutz protects the constitution the way brimstone butterflies (Zitronenfalter, literally "lemon folders") fold lemons.</subtitle>
        <track></track>
        <type>lecture</type>
        <language>de</language>
        <abstract>Scandals involving the Verfassungsschutz (Germany's domestic intelligence service) did not begin with the discovery of the NSU a year ago. Presented here: the Traube affair, the Schm&#252;cker trial, the Celler Loch, the Vulkan affair, the attempted attack on the Jewish community centre in West Berlin, and four decades of surveillance of Rolf G&#246;ssner.

But perhaps the scandal is not the blunders at all, but rather the perfectly ordinary everyday business of the Verfassungsschutz.</abstract>
        <description>This includes the Berufsverbote (bans from public-sector employment) of the 1970s and 1980s in West Germany (so unique that "Le Berufsverbot" also exists in French); above all it includes the surveillance, in some cases lasting years, of people, groups and networks with the wrong convictions, or merely with contacts to those alleged to hold them. For some years now it has also included political education in schools, provided by..? The Verfassungsschutz.

The Verfassungsschutz is supposed to protect the constitution, but acts in a completely undemocratic way: secret methods, secret structures, no oversight worth mentioning. And that has been so from the very beginning. Parliamentary oversight has existed only since 1978, and one can hardly speak of real oversight when the hand-picked overseers may not talk to anyone about what they learn in the secret committee. So the talk is also about the origins of the German domestic intelligence service and how it became what it is today.

"The Verfassungsschutz is there to protect the constitution, not the government." &#8211; Burkhard Hirsch, former interior minister of North Rhine-Westphalia
</description>
        <persons>
          <person id="2218">Anne Roth</person>
        </persons>
        <links>
          <link href="http://www.sueddeutsche.de/politik/ns-vergangenheit-und-verfassungsschutz-ueber-die-seilschaften-der-altnazis-1.1150775">S&#252;ddeutsche, 28.9.11: &#220;ber die Seilschaften der Altnazis</link>
          <link href="http://www.spiegel.de/spiegel/print/d-40941938.html">Der Spiegel 10/77: Der Minister und die Wanze</link>
          <link href="http://www.zeit.de/2012/05/Verfassungsschutz">Uwe Wesel, Zeit Online, 28.01.2012: Spitzel, Wanzen, Bomben</link>
          <link href="http://www.ddr89.de/ddr89/texte/brief2.html">Open letter from civil rights organisations of both German states, "&#196;mter f&#252;r Verfassungsschutz aufl&#246;sen", 31.5.1991</link>
          <link href="http://www.woz.ch/125/deutschlands-verfassungsschutz/wer-bitte-wird-denn-hier-geschuetzt">Raul Zelik: Wer, bitte, wird denn hier gesch&#252;tzt? WOZ - Die Wochenzeitung, 2.2.2012</link>
          <link href="http://www.flickr.com/photos/31518826@N00/">Image: Das Schaf by bildpilot, CC-BY-NC-SA licence</link>
        </links>
      </event>
      <event id="5333">
        <start>12:45</start>
        <duration>01:00</duration>
        <room>Saal 1</room>
        <slug>gsm_cell_phone_network_review</slug>
        <title>29C3 GSM: Cell phone network review</title>
        <subtitle>262 42 - The full spectrum</subtitle>
        <track></track>
        <type>lecture</type>
        <language></language>
        <abstract>Did you notice 262 42 in your mobile phone network search list at the last CCC events? Did you and your friends buy SIM cards at the PoC and help test the network by calling each other, or by calling through the bridge to the DECT network services? Did you ever wonder about the details of this open source test network, set up by a team of volunteers in the middle of the city? We would like to tell you all the details of the cell phone network we operate at 29C3, and show you some fancy graphs based on the network activity!</abstract>
        <description>We will describe the process of setting up the test network we operate at 29C3, what legal and technical challenges we have faced, and we will describe the actual installation at the CCH.

We will also compare this with the 262 42 test networks that were operated using the same open source software but otherwise very different installations at CCC Camp 2011 and 28C3.

We will go on to show various statistics that we collect from the network while it has been running.</description>
        <persons>
          <person id="2031">Peter Stuge</person>
        </persons>
        <links>
        </links>
      </event>
      <event id="5266">
        <start>14:00</start>
        <duration>01:00</duration>
        <room>Saal 1</room>
        <slug>proximax_telex_flashproxy</slug>
        <title>Proximax, Telex, Flashproxy or Tor Bridges</title>
        <subtitle>Overview of current censorship circumvention software</subtitle>
        <track></track>
        <type>lecture</type>
        <language>de</language>
        <abstract>Internet censorship affects more and more users. We know tools such as proxies, VPNs or Tor bridges. But which other tools support users on the ground? Where are their strengths and weaknesses? The talk presents some of these tools and shows their strengths and weaknesses.</abstract>
        <description>The talk attempts to give an overview of the publicly available censorship circumvention tools and to assess them. At the start, possible, rather non-technical approaches are briefly addressed. This is followed by a look at Haystack and Ultrasurf. In particular, I go into the specific flaws of these projects. Psiphon follows an approach similar to that of the two other projects. The various versions of the software are briefly presented.

Later I will go into the concept of Tor bridges. This is important because it is the basis for various other services. Proximax and the flash proxies in particular are related to the bridges. Telex.cc concludes the explanations.

The talk presents how the various services work and explains where their strengths and weaknesses lie. I would hope that the talk serves as a basis for further new approaches or for improvements to the existing software.</description>
        <persons>
          <person id="204">Jens Kubieziel</person>
        </persons>
        <links>
          <link href="http://kubieziel.de/vortrag/vortrag-29c3.pdf">Slides for the talk</link>
        </links>
      </event>
      <event id="5180">
        <start>16:00</start>
        <duration>01:00</duration>
        <room>Saal 1</room>
        <slug>marvin_und_der_blues</slug>
        <title>Marvin and the Blues</title>
        <subtitle>How robotic instruments can be used to make music</subtitle>
        <track></track>
        <type>lecture</type>
        <language>de</language>
        <abstract>Autonomous drum robot, robotic glockenspiel or sounding installation: modifying and building musical instruments yourself gives geeks with an affinity for music and technology the opportunity to counter prefabricated sound setups with something of their own. Drum robots and sound installations hold a special appeal, both physically and visually: the source of the sound is discovered.</abstract>
        <description>Over the last two years I have worked on the development and construction of the mechanical drum robot MR-808 [3]. The MR-808 installation is a mechanical replica of the famous TR-808 drum machine (1981, Roland). In it, 11 of the originally 14 electronically generated sounds were replaced by mechanical sound generators.

In the first part of this talk I give an overview of the various approaches and concepts for robotic musical instruments. In the second part I go into the technical implementation, with a focus on the mechanical drum robot MR-808. Finally, several instruments are presented that invite playing and experimenting.
Following two main currents for mechanical sound generators, I distinguish between autonomous, adaptive and therefore independent music robots ([1], [2]) on the one hand, and programmable, deterministic music robots played by a human (which also includes my MR-808 installation) on the other. The following focal points are examined more closely:

* the inclusion of chance through the transformation of sound generation into the (error-prone) physical world,
* the disappearance of the influence of a human artist, and the autonomy of the installation and of the musical structure
* the greatest possible control over sonic properties

I also explain frequently used techniques, using the MR-808 drum machine as an example:

* construction &amp; electrical control, Arduino
* programming with MAX/MSP and Processing
* actuators used
* latency issues

* [1] Gil Weinberg and Scott Driscoll: Toward Robotic Musicianship, 2006, Massachusetts Institute of Technology
* [2] Moritz Simon Geist: "MR-808", a mechanical replica of the famous TR808 drum machine (Roland, 1981)</description>
        <persons>
          <person id="3798">Moritz Simon Geist</person>
        </persons>
        <links>
          <link href="http://www.simon-geist.de/mr808">Moritz Simon Geist: "MR-808",</link>
          <link href="http://letsmakerobots.com/node/112">Yellow Drum machine</link>
        </links>
      </event>
      <event id="5244">
        <start>17:15</start>
        <duration>01:00</duration>
        <room>Saal 1</room>
        <slug>security_nightmares2012</slug>
        <title>Security Nightmares</title>
        <subtitle>So that you will have bad dreams about your computer tomorrow, too.</subtitle>
        <track></track>
        <type>lecture</type>
        <language></language>
        <abstract>What has happened in IT security over the past year? What new developments have emerged? What new buzzwords and trends were to be seen?</abstract>
        <description>As always, we venture the IT security nightmare outlook for 2013 and beyond, because what we really want to know is, after all: what will be creeping, crawling and flying towards us in the future? In the spirit of general transparency, performance review and self-optimization, we will also check earlier predictions to see whether our prophecies have come true.</description>
        <persons>
          <person id="9">Frank Rieger</person>
          <person id="129">Ron</person>
        </persons>
        <links>
        </links>
      </event>
      <event id="5398">
        <start>18:30</start>
        <duration>01:00</duration>
        <room>Saal 1</room>
        <slug>closing_event2012</slug>
        <title>Closing Event</title>
        <subtitle></subtitle>
        <track></track>
        <type>lecture</type>
        <language>en</language>
        <abstract>Some facts and stats about Congress, plus stories and legends.</abstract>
        <description>Good-bye and have a safe trip home!</description>
        <persons>
          <person id="1340">bios</person>
          <person id="9">Frank Rieger</person>
        </persons>
        <links>
        </links>
      </event>
    </room>
    <room name="Saal 4">
      <event id="5336">
        <start>11:30</start>
        <duration>01:00</duration>
        <room>Saal 4</room>
        <slug>sprache_ungleichheit_unfreiheit</slug>
        <title>Language, Inequality and Unfreedom</title>
        <subtitle></subtitle>
        <track></track>
        <type>lecture</type>
        <language></language>
        <abstract>Demands for a just language (that is, a language free of racism, sexism and other misanthropic ideologies) often meet with incomprehension and rejection. Incomprehension, because the language used to describe social reality is criticized instead of that reality itself. Rejection, because criticism of language is often perceived as a ban on speech.</abstract>
        <description>In my talk I want to show, by looking primarily at sexist language, that these reactions rest on a misunderstanding about language and how it works. Words and grammatical structures are not building blocks for a neutral description of reality, but symbols charged with cultural knowledge that not only depict reality but also help to create it.

The language we speak today was charged over many centuries with the world view of a society in which heterosexual, Christian, white men were not only the self-evident normal case but the only case conceived of. This world view is anchored deeply, and in ways that are hard to recognize, in the vocabulary and grammar of German (and other languages), and it is carried ever further by an unreflective use of this language (or these languages).

Since linguistic structures are often very inert and are hard to change actively, a just language cannot be implemented without effort. There is, however, a range of measures that many people and organizations have already taken in order to bring about short-term change at least where it is possible. Where that is not the case, they can at least create an awareness of the structural problems of our language.

Just language can thus help to recognize and name social injustice.</description>
        <persons>
          <person id="3943">Anatol Stefanovitsch</person>
        </persons>
        <links>
          <link href="http://www.scilogs.de/sprachlog/">http://www.scilogs.de/sprachlog/</link>
        </links>
      </event>
      <event id="5384">
        <start>12:45</start>
        <duration>02:15</duration>
        <room>Saal 4</room>
        <slug>lightning_talks_3</slug>
        <title>Lightning Talks 3</title>
        <subtitle>5 Minutes of Fame</subtitle>
        <track></track>
        <type>other</type>
        <language>en</language>
        <abstract></abstract>
        <description></description>
        <persons>
          <person id="1476">Nick Farr</person>
        </persons>
        <links>
          <link href="http://events.ccc.de/congress/2012/wiki/Lightning_Talks">schedule is in the wiki</link>
        </links>
      </event>
      <event id="5195">
        <start>16:00</start>
        <duration>01:00</duration>
        <room>Saal 4</room>
        <slug>executable_metadata</slug>
        <title>The Care and Feeding of Weird Machines Found in Executable Metadata</title>
        <subtitle></subtitle>
        <track></track>
        <type>lecture</type>
        <language></language>
        <abstract>The Executable and Linkable Format (ELF) is omnipresent; related OS and library code is run whenever processes are set up and serviced (e.g., dynamically linked). The loader is the stage manager for every executable. Hardly anyone appreciates the work that the ELF backstage crew (including the linker and the loader) puts in to make an executable run smoothly.</abstract>
        <description>While the rest of the world focuses on the star, hackers such as the Grugq (in Cheating the ELF) and Skape (in Locreate: An Anagram for Relocate), and the ERESI/ELFsh crew, know to schmooze with the backstage crew. We can make a star out of the loader by tricking it into performing any computation by presenting it with crafted but otherwise well-formed ELF metadata. We will give you a new reason to appreciate the power of the ELF linker/loader by demonstrating how specially crafted ELF relocation and symbol table entries can act as instructions to coerce the linker/loader into performing arbitrary computation. We will also explore how these techniques can be applied beyond ELF to discover weird machines in other executable formats.</description>
        <persons>
          <person id="3878">bx</person>
        </persons>
        <links>
        </links>
      </event>
      <event id="5265">
        <start>17:15</start>
        <duration>01:00</duration>
        <room>Saal 4</room>
        <slug>page_fault_liberation_army</slug>
        <title>Page Fault Liberation Army or Gained in Translation</title>
        <subtitle>a history of creative x86 virtual memory uses</subtitle>
        <track></track>
        <type>lecture</type>
        <language>en</language>
        <abstract>x86 processors contain a surprising amount of built-in memory translation logic, which is driven by various data tables with intricate entry formats, and can produce various kinds of traps and other interesting computational effects. These features are mostly relics of earlier, more civilized times, when Jedi Knights tried to protect the Old Republic OSes with segmentation, supervisor bits, and hardware task support, but were defeated by processor de-optimizations and performance concerns and left unused by both Windows and UNIX systems &#8211; and explored only by hackers. For the rest of the world, an x86 PC was a "von Neumann architecture" with most of its strangeness unused.</abstract>
        <description>In reality, the x86 memory system is a weird love child of von Neumann and Harvard, due to the split paths that code and data bytes are fetched through; the separate Translation Lookaside Buffers (TLBs) give a degree of control over address translation logic, and can be used to hide code from scanning the way ShadowWalker did. In multiprocessor systems, seemingly innocent optimizations like Paging Structure Caches can lead to two processors seeing the same address space differently, which creates unexpected bugs for kernel developers and opportunities for rootkit authors, which we will discuss.

In this talk we will give a (nearly) complete historic overview of creative uses of memory-related traps and faults by hardening patches such as OpenWall, PaX, and other less known but interesting projects, as well as by rootkit designs such as ShadowWalker, and by unorthodox reverse engineering and debugging systems such as OllyBone. We will then show some novel tricks with the x86 systems to both conceal and protect memory contents. 

Every address a program issues, calls, or jumps to is an illusion or even a composition of several illusions created by different pieces of the MMU. In this universe of illusions, memory translation is what holds it together, and on x86 it's underappreciated and underused. Not only is the MMU a habitual liar, it could also be a schizophrenic one. Ain't that nifty?</description>
        <persons>
          <person id="3763">Julian Bangert</person>
          <person id="3201">Sergey Bratus</person>
        </persons>
        <links>
        </links>
      </event>
    </room>
    <room name="Saal 6">
      <event id="5280">
        <start>11:30</start>
        <duration>01:00</duration>
        <room>Saal 6</room>
        <slug>miilions_of_lesson_learned_on_electronic_napkins</slug>
        <title>Millions of Lessons Learned on Electronic Napkins</title>
        <subtitle>On the way to free(ing) education</subtitle>
        <track></track>
        <type>lecture</type>
        <language>en</language>
        <abstract>Massive open online courses are the vogue of the season when it comes to discussing the future of university-level education. But we&#8217;re only starting to see what education at this scope means and how it can be supported best, in terms of both didactics and technology. This talk is an inside report by two instructors who have delved into the experience of teaching large audiences online. We share the lessons that we have learned: how to spark student interest, how to put intuition before formal theories, how to streamline production and much more. And we point out what needs to be done to truly democratize education from the viewpoint of both the students and the instructors.</abstract>
        <description>Teaching, in particular at university level, hasn't really changed much for hundreds of years. There's a teacher lecturing to a room full of students, but very few of them being engaged. The past few years have seen a number of initiatives that try to bring education online, usually even free of charge, through online videos and mostly also through interactive elements. Prominent examples include Khan Academy, Udacity, Coursera, and edX. Well-known in the US, the former two have also had a massive echo in the German press.

Some of these initiatives adopt a new format in which the professor tutors students rather than lecturing them: the classes aren't just filmed lectures; they more closely resemble a friend explaining something by scribbling on a napkin in a personal conversation. Interactive quizzes keep every single student engaged rather than just the two students in the front row who were paying attention in the regular classroom. Advocates and optimists associate a lot of hopes and promises with this new format:
- &#8220;Every student can learn at his or her own pace.&#8221;
- &#8220;Everybody can learn from the best teachers &#8211; for free.&#8221;
- &#8220;Education is freed of bureaucracy and bad old habits.&#8221;
- &#8220;If done right, students can be engaged on a 1:1 basis instead of 1:30 &#8211; or 1:500 in an introductory medicine class.&#8221;
- "Education could become a data-driven science instead of an opinion-driven art."
Salman Khan, the founder of Khan Academy, even goes so far as to say that technology, ironically, will humanize the classroom.

The response from students to this new format is apparently massive, in particular as this type of education becomes accessible and interesting for many new audiences, ranging from pupils in the U.S. to students in the developing world. Lectures on Khan Academy have been watched hundreds of millions of times. The most popular courses at Udacity, for example, were only launched at the beginning of this year and have already seen hundreds of thousands of students complete full university-level courses with an individual time-investment of 80+ hours.

But does that mean that all the above promises are fulfilled?
In this talk, we share our experiences gathered from electronic lectures and more interactive forms of online-supported university teaching, and from teaching two courses at Udacity, one of the initiatives mentioned above aiming to provide free online education at a university level. We'll investigate if the optimists are right:
- Does learning online really work? And for whom?
- Is this just a new hype similar to edutainment and to interactive CD-ROMs &#8211; or is something different happening?
- Is this new format a chance to move beyond memorization, toward understanding &#8211; possibly even toward critical thinking? Or does this format even threaten deep learning?

We&#8217;ll look at didactic methods and at technology to mitigate the issues found, in particular building on the years' worth of experiments conducted by one of us (J. L.).

Ultimately, if this format catches on, it is bound to lead to a new level of openness in education: Just as with Wikipedia and YouTube, everybody will soon be able to create a course, not just a collection of electronic lectures. But can everyone be a teacher? Should everyone be a teacher? And who gets to decide? Technology might well turn education upside down.</description>
        <persons>
          <person id="3891">J&#246;rn Loviscach</person>
          <person id="3998">Sebastian Wernicke</person>
        </persons>
        <links>
          <link href="http://www.udacity.com/overview/Course/cs222/CourseRev/1">Udacity course of J&#246;rn</link>
          <link href="http://www.j3l7h.de/talks.html">Talks by J&#246;rn</link>
          <link href="http://www.j3l7h.de/publications.html">Publications by J&#246;rn</link>
          <link href="http://www.ted.com/speakers/sebastian_wernicke.html">Sebastian's TED talks</link>
          <link href="http://www.udacity.com/overview/Course/cs313/CourseRev/1">Udacity course of Sebastian</link>
        </links>
      </event>
      <event id="5178">
        <start>14:00</start>
        <duration>01:00</duration>
        <room>Saal 6</room>
        <slug>the_ultimate_galaksija_talk</slug>
        <title>The ultimate Galaksija talk</title>
        <subtitle>Everything about a Yugoslavian microcomputer halfway between a TRS-80 and a ZX 80</subtitle>
        <track></track>
        <type>lecture</type>
        <language></language>
        <abstract>Galaksija was to be in Yugoslavia what Commodore and Sinclair were in the west. Whether it succeeded or not, its deceptively simple design can still teach us a lot of interesting tricks on how to make a usable computer and operating system with as few transistors and bits as possible.</abstract>
        <description>Galaksija was a Yugoslavian home microcomputer popular in the local DIY community throughout the 1980s. It was meant as an alternative to illegally bought contemporary Sinclair and Commodore computers. It is a fascinating product of the time of severely limited availability of electronic components and a widespread disregard for copyright.

This situation led to unique design decisions on both the hardware and software side. Galaksija can display better graphics than the Sinclair ZX 80 with only a small number of general-purpose digital logic integrated circuits. Since it included no specialized chips, it was easy to build at home. Being constrained to a relatively small EPROM, Galaksija's built-in BASIC interpreter was based on a stripped-down and hand-optimised Tandy TRS-80 ROM. It relies on undocumented Z80 features, "racing the beam", executing error messages and floating point constants as code, and similar tricks. By not including an auto-run feature, the authors also made sure that Galaksija programs were hard to copy-protect, encouraging sharing and an early open-source-like approach to developing software.

This is a talk inspired by the Atari 2600 and Commodore 64 ultimate talks from the previous Congresses and the 30th anniversary of Galaksija's design. In 45 minutes it will include a brief introduction about the history of Galaksija and home microcomputers in Yugoslavia at the time. It will then cover all aspects of Galaksija's hardware design, built-in ROM routines and original software that has been preserved to this day. It will end with coverage of what tools exist today to develop software for Galaksija, either for running in one of the software emulators, on hardware replicas or the real thing.

I'm an electronic engineer and this talk is based on my university diploma thesis about reverse engineering Galaksija's hardware and software design and tracing back its origins. I have designed and made a working replica using modern CMOS logic that preserves Galaksija's features, look and DIY nature as much as possible. CMOS Galaksija has been presented at a number of retro-computing events and talks. I am also the author of a number of Galaksija demos and a Free software Galaksija developer's kit.</description>
        <persons>
          <person id="3867">Toma&#382; &#352;olc</person>
        </persons>
        <links>
          <link href="http://www.tablix.org/~avian/galaksija/rom/rom1.html">The incomplete Galaksija ROM disassembly</link>
          <link href="http://www.tablix.org/~avian/blog/articles/galaksija-tools/">Galaksija development tools</link>
          <link href="https://www.youtube.com/watch?v=irFIWipMtAQ">A collection of Galaksija demos</link>
          <link href="http://www.tablix.org/~avian/blog/articles/galaksija/">Blog posts about designing a CMOS Galaksija replica</link>
        </links>
      </event>
      <event id="5404">
        <start>16:00</start>
        <duration>00:30</duration>
        <room>Saal 6</room>
        <slug>noc_review</slug>
        <title>NOC Review</title>
        <subtitle>NOC Review about the 29C3</subtitle>
        <track></track>
        <type>lecture</type>
        <language></language>
        <abstract></abstract>
        <description></description>
        <persons>
          <person id="1613">Kay</person>
          <person id="3646">Will Hargrave</person>
        </persons>
        <links>
        </links>
      </event>
      <event id="5263">
        <start>17:15</start>
        <duration>01:00</duration>
        <room>Saal 6</room>
        <slug>mehr_transparenz_und_teilhabe_im_gesetzgebungsprozess</slug>
        <title>chmod o+rw bundestag</title>
        <subtitle>More transparency and participation in the legislative process</subtitle>
        <track></track>
        <type>lecture</type>
        <language>de</language>
        <abstract>We need a machine-readable and machine-writable legislative process in which every change is discussed and decided transparently. The Bundestag is opening up and digitizing itself rather slowly and reluctantly; nevertheless, one can start today to shape and try out the tools of the parliamentary future in Germany. To this end we present the projects OffenesParlament.de and Bundes-Git and show how things could continue in the future.
</abstract>
        <description>OffenesParlament is a digital observation deck for the Bundestag (but without the security containers). From here you can read up on the plenary debates, finally get a sensible search for parliamentary questions and legislative proceedings, and follow what your own member of parliament is working on. With the subscription feature you are notified automatically about new events in a policy area. An API provides access to structured data on speeches, proceedings and individual persons.

Bundes-Git applies the process of distributed, collaborative software development to legislation. Anyone can fork the current state of the laws, make changes and propose them for adoption. If the Bundestag used something like Bundes-Git, our laws would not only finally be consistently versioned and machine-readable, but the process would also be more transparent, more collaborative and more participatory. For parliament, Bundes-Git is still a vision of the future, but it can already be used now, without the help or consent of the Bundestag, as a collaborative law editor, as a nerd campaigning tool via pull requests, and as a data basis.</description>
        <persons>
          <person id="3074">Friedrich Lindenberg</person>
          <person id="2618">Stefan Wehrmeyer</person>
        </persons>
        <links>
          <link href="http://offenesparlament.de/">OffenesParlament.de</link>
          <link href="https://github.com/bundestag/">Bundes-Git on GitHub</link>
        </links>
      </event>
    </room>
    <room name="Saal 17">
    </room>
  </day>
</schedule>
