27C3: We come in peace (2010)

We Came in Peace: Event Recordings Available!


It’s only been a few days since the close of the 27c3, but much of the conference is ready to download. Credit goes in no small part to the FEM, who did a really tremendous job during the conference and continue their hard work getting Official Releases of the talks ready to go.

If you enjoyed the streams and the recordings of the talks, consider [supporting their efforts][5] to purchase updated equipment to improve the image quality and transmission path for future events.

Did you really love certain events? Weren’t so excited about others? Let us know! You can leave feedback via the …

Crypto Talk at 27C3: New Key Recovery Attacks on RC4/WEP, Day 4, 17:15, Saal 2


The RC4 stream cipher could be the most common stream cipher used on the Internet. RC4 is the only stream cipher standardized for the SSL/TLS protocol; it is also used for WEP and WPA protected wireless networks. Initially, RC4 was designed to be a closed source commercial product, with the core algorithm kept secret. In 1994, the source code for RC4 was posted on the internet and the algorithm could be analyzed.

The first attack on RC4 was published by Fluhrer, Mantin, and Shamir in 2001. The attack is very effective, but can only be used against certain keys starting with a special …

Hackcenter project: Django


Django is a high-level Python Web Framework that encourages Rapid Development and clean, pragmatic design. It is known for its extensive documentation. Django is Open Source Software (BSD license).

As a Full Stack Framework it gives you the option to define your data models as Python classes and access them via a powerful ORM. The automatic admin interface makes it easy to …

Hackcenter project: i3


i3 is a tiling window manager, which means it configures your windows to use the whole available screen space. It was written from scratch with a focus on clear and well-documented code. Additionally, a lot of documentation like the User’s Guide or a Hacking Howto is available. i3 is fast, easy to use and configure, and features full Unicode and decent multi-monitor support.

Two of the core developers are traditionally attending the Chaos Communication Congress and are in the hackcenter (the 4-person table in the middle of the hackcenter, watch out for the i3 poster), ready to answer your questions, …

Crypto Talk at 27C3: FrozenCache – Mitigating cold-boot attacks for Full-Disk-Encryption software, Day 3, 23:00, Saal 2


As a general attack against encryption software on a computer, the cold boot attack was presented at 25C3. To encrypt data on a PC, many programs store the encryption key in RAM. The key is usually derived from a password or loaded from the hard disk, where it is protected by a password too. The key resides in RAM at least as long as the encryption operation takes. For many applications like Full-Disk-Encryption or Email Signatures, it is convenient to keep the key permanently in RAM once it has been loaded, so that the user doesn’t need to enter his password again and again.

To protect the key …

Speaking of: Intercensor – Internet Censorship Game


In the past years there was a lot of discussion about internet censorship. To get an actual impression of how censorship may be implemented and what methods of circumvention are possible, we created the Intercensor Project. Your task is to bring your laptop, connect it to our special switch and choose a challenge to solve. We provide several levels of difficulty and various methods of censorship, so that you can play around with many ways of circumvention.

We invite you to visit our table at the Hackcenter (in the back, near the elevator), try the game and give us feedback.

Let’s encrypt and authenticate the whole internet.


An average internet user who has to deal with cryptography: big problem. An average programmer who has to secure his protocol with cryptography: a much bigger problem. Practically, because not every programmer cares much about cryptography. Theoretically, because it is sort of a bad design if everyone implements it in their own piece of software.

Last year, fefe and erdgeist showed impressively how hard it is for a programmer to create a socket, let alone open a connection to another machine on the Internet. Today, as a programmer, you also have to encrypt your connection; you have to …

Crypto Talk at 27C3: High-speed high-security cryptography: encrypting and authenticating the whole Internet, Day 2, 20:30, Saal 1


As many of us know, the whole internet should be regarded as an insecure place. At every place where your internet traffic passes by, it can be modified, suppressed or recorded. Daniel J. Bernstein will show us how you can prevent this from happening:

This talk will present a different approach to high-security Internet cryptography. This approach is easy for users, easy for system administrators, and, perhaps most importantly, easy for programmers. The main reason that the approach has not been tried before is that it seems to involve very slow cryptographic operations; this talk will show …

Today at 18:30: The concert in Saal 1.


This morning, a concert grand (see photo) was delivered to the stage of Saal one for a special event today: Starting at 18:30 hrs, Corey Cerovsek, Alex Antener and Julien Quentin will be giving a classical concert.

They will be playing pieces from many different composers, including Lennon, Bernstein (Leonard probably; Dan Bernstein can be heard one hour later in the same Saal ;-), Mozart, Liszt and Paganini, to name a few. But there’s more:

In this very concert copyright and public domain issues will be discussed—and a (musical) answer will be given: what would classical music sound like if …

Crypto Talk at 27C3: Is the SSLiverse a safe place? Day 2, 16:00, Saal 2


SSL/TLS is the standard when it comes to securing HTTP traffic on the internet. The authenticity of a web server is usually secured using an X.509 certificate digitally signed by a trusted certification authority (CA). All major web browsers come with a preinstalled list of CAs they assume to be trustworthy. Every website can be signed by any of these CAs, so no web browser would show a warning if www.dod.gov were signed by a Chinese certification authority or the Deutsche Telekom.

To examine the usage of X.509 certificates for SSL/TLS, the EFF set up an SSL Observatory:

The SSL …

Update on Hash Tags for Peace Missions


To relay a question to the Mission Angels in each talk, use the following Twitter hash tags without dashes:


If you’d like to help, you can sign yourself up for Mission Angel shifts in the Engelsystem. Be sure to check in at the Angel Heaven on the C level for your briefing sheet.

Crypto Talk at 27C3: Die gesamte Technik ist sicher, Day 1, 21:45, Saal 1


The new national ID card, the Neuer Personalausweis (NPA), was one of the biggest IT projects of the German government in recent years. Compared to the old ID card, the new ID card is an RFID smart card, which can also be used on the internet to prove your identity to a remote party (Ebay, Paypal, or Amazon for example) and to sign binding contracts. For example, you can use the card to buy a new house or car, open up a bank account, or apply for credit.

When using the card over the internet, the card is connected to a reader, which is connected to a (potentially insecure) PC, which is …