Julian Wälde and Alexander Klink will be presenting a new attack against Web Application Frameworks (WAF), that can be used to generate HTTP requests, that take several minutes of CPU time to process. Sending many of these requests in parallel can be used as an effective Denial of Service attack against many websites. Even one cannot spot any relation to cryptography from the abstract, I have been informed that this talk will also cover many cryptography related aspects.

See the talk, Day 2, 14:00, Saal 1

Author: Erik Tews

A group of enthusiast interpreters at the congress are organizing simultaneous translation into English for a small selection of German talks. We are aiming for the “fun” events that have been translated for a few years, and for the first time this year, we are trying our hand at some “content” talks as well.

The provisional list of translated events is:

• “Hacker Jeopardy – number guessing for geeks“, Day 2, Midnight – This will be on DECT, streamed to “Saal 3” on the Internet and archived.
• “Data fairy or fair game – what is the value of tracking data?”, Day 3, 18:30 – An overview about web tracking technologies and detailed discussion of the value that these interaction data actually have for the involved players.  – On DECT, streamed to “Saal 3” on the Internet and archived.
• “Fnord review for 2011“, Day 3, 23:00 – On DECT, streamed to “Saal 2”, to the Internet and archived.
• “Security nightmares“, Day 4, 17:15 – TBA

Be sure to tell your English speaking friends to check out some really great content they might not otherwise have access to!

We, Sebastian and Julian, are part of last year’s core team of live interpreters. In the past we have translated at several Chaos Communication Congresses, together with Volty who cannot be there this year and many others.
We want to continue this tradition of translating important talks such as the Fnord News Show and the Hacker Jeopardy, but also others, depending on our resources.
If you are interested in helping out, please meet us on Day 1, December 27th, at 21:00 in the angel area down in the basement. You may also contact us via e-mail at Sebastian.Lisken _at_ gmx.net or julian _at_ phinn.de – or via twitter at @hdsjulian.

The talks we want to interpret are:
http://events.ccc.de/congress/2011/Fahrplan/events/4844.en.html
http://events.ccc.de/congress/2011/Fahrplan/events/4788.en.html
http://events.ccc.de/congress/2011/Fahrplan/events/4775.en.html
http://events.ccc.de/congress/2011/Fahrplan/events/4866.en.html
http://events.ccc.de/congress/2011/Fahrplan/events/4898.en.html

Now, as we have gathered some experience in the past few years, we would like to intensify our efforts and get even more important German talks to be translated even better.
Therefore we need help from fellow hackers. Please note that the following rules might sound a little strict for a voluntary job. However, experiences from the last years have shown that this work can only be done if there is absolutely no personal vanity involved and everybody is willing to submit to a strong hierarchy in order to do a good job. Nobody wants to get bored with a bad translation and we are truly willing to give our best. Also the work in the interpretation booth can be very, very stressful at times.
We want to provide all congress attendees (and people watching the stream) the best possible translation. In order to do this we are willing to work hard and submit ourself to a strict set of rules. We expect the same from everybody who wants to help us.

You are:
– Excellent in speaking English and German
– Or excellent in understanding English and German, with a talent for keeping your head up in stressful situations
– Willing to submit to a strong set of rules
– Possibly experienced with translations

Jobs to be done:

Interpreter

We need some good translators willing to spend part of their time at the Congress in the speaker’s cabin. You will sit together with two other translators and do your best interpreting talks live in several minute long segments as told to you by the director.

Director

We also need some very few “Directors”. In the past we have noticed that we get into the best flow if we have a person listening to our translations and deciding on the fly who should do the talking. This director will have to have a good understanding of the work the interpreters are doing. They will decide autonomously when to choose which interpreter for how long. Their job is to get a good flow into the translation and prevent exhaustion and lack of concentration among the interpreters.

The director can be an interpreter as well. When they choose to act as interpreter, the director will put a replacement director in charge for the duration of that segment.

Rules:

Please do not feel insulted by the strictness of these rules. We have had issues in the past with the vanity of individuals who didn’t do a good job but insisted to continue interpreting. We want to prevent this.

1. During the talk, the core team’s word is law.
2. The core team at first consists of Sebastian and Julian. We will be eager to invite more people as we move along. We strongly believe in a trust and merit based system.
3. There will be no discussions in the interpretation booth. Period.
4. Disputes will be solved outside and _after_ the talks.
5. We do understand that interpreting is a skill to be learned through practice. We will not send away newbies. We will however make sure their talking time is limited until they feel secure and able to do more segments.
6. After the talk we will have a discussion with all participants. There will be open criticism and everybody will have the right to speak their mind. This includes criticising the core team (who will also be interpreting and directing, of course) as well as the other directors and interpreters for their work as well as their behaviour. Of course this round is also open for positive criticism and finding out what was good.

The first cryptography related talk at 28C3 is about data mining in encrypted data. One may assume, that encrypting your data with a good encryption scheme prevents other people from learning about it. However, this is not true, specially for network protocols, that often leak information, like who is communicating with who, and when how much data is transferred. An attacker can use these information to make assumptions about the content of the transmission.

From the abstract: Voice over IP (VoIP) has experienced a tremendous growth over the last few years and is now widely used among the population and for business purposes. The security of such VoIP systems is often assumed, creating a false sense of privacy. Stefan will present research into leakage of information from Skype, a widely used and protected VoIP application. Experiments have shown that isolated phonemes can be classified and given sentences identified. By using the dynamic time warping (DTW) algorithm, frequently used in speech processing, an accuracy of 60% can be reached. The results can be further improved by choosing specific training data and reach an accuracy of 83% under specific conditions.

I think this talk is interesting, because it can show you how much information can even be gathered from an encrypted data stream, just using some side information from the communication.

See the talk: Day 1, 14:00, Saal 1

Author: Erik Tews

Es ist eine tolle Idee seine Kinder auf den 28c3 mitzubringen. Nicht nur, dass sie kostenfreien Eintritt haben, wenn sie elf oder jünger sind. Sondern auch das Chaos macht Schule-Projekt bietet vier Stände an, die sich speziell um die Junghacker kümmern werden.

Ein Stand wird sich speziell um sichere Kommunikation in Computernetzwerken kümmern und für alle kniffligen Fragen um das Thema Antworten parat halten.

Die anderen Stände bieten Basteltrainings um dem Nachwuchs zu helfen, auf den Grund der technischen Spielereien zu gelangen: Von Miniroboter, über elektronischem Haustier, bis zur LED-Matrix mit Spielen können die Junghacker und Haecksen auf eigene Faust, oder mit professioneller Unterstützung die Elektronen fließen lassen. Und das ebenfalls: ganz kostenfrei (… so lange unsere Bausätze reichen).

Und weil sie auf den Datenspuren so gut angekommen sind: Es wird wieder Junghackerpässe geben, um seine Erfolge zu dokumentieren.

When packing for 28C3, don’t forget to bring your r0ket! (and a micro-USB cable!)

Among other things there will be a multiplayer tetris game on an LED wall you can play with your r0ket and new m0duls to boost your r0ket into new heights.

To access all new features of your r0ket have a look at http://r0ket.badge.events.ccc.de/init

The update contains an improved mesh network, l0dables for interactive installations and support for the next flame generation.

Good news for those who didn’t get one on camp – or want more: Team r0ket will be selling new, slightly improved r0kets for 30 Euros and RGB flame m0dules for 10 Euros on 28C3.

They will also bring several USB missile launchers for a hardware hacking competition – the goal is to combine the missile launcher with your r0ket. If you are one of the first 100 people to publish a cool hack, you can keep the launcher for free!

For more information on the r0ket badge and current updates on where to get one during Congress see http://r0ket.badge.events.ccc.de

Details on the missile launcher competition: http://r0ket.badge.events.ccc.de/r0ketlauncher

Pictures of the new r0ket generation:

Since we forgot to mention it in the first place: Yes, we do have a 28c3-friends request address for people who can’t afford to pay the full ticket price. We’ve added information to http://events.ccc.de/congress/2011/wiki/Tickets:

If you or someone you know can’t afford to pay the full price for a ticket, send a mail to 28c3-friends@cccv.de. Please tell us, why this person can’t pay the full price and why he or she should take part in 28C3 nevertheless. Usually we agree on some affordable price. But please keep in mind that tickets are already very cheap and that we can handle only a limited number of such requests. So, please think twice before sending us a mail to that address.

If you want to try your luck, you still need to get a ticket in the on-line ticket sales. Just choose any ticket type and tell us the user name. If we agree on some price, we’ll edit your order afterwards. If we don’t agree, you may just not pay within 2 weeks.