Version Mildenberg

Events


Wednesday 11:00


Opening: tuwat

Saal Adams (de)

We believe that, despite all of this, meaningful things can be done with small computers that do not require centralized large organizations.

Those in power today all believe that internal security only becomes possible through the use of computers. The insight that computers do not go on strike is slowly gaining ground among medium-sized companies too. The Post believes it has to prove, with its Bildschirmtext system in "field trials", that computers make the telephone even nicer. The advertising campaigns now starting make it clear that the "personal computer" is now to be foisted on the video-saturated BMW driver in Germany. We believe that, despite all of this, meaningful things can be done with small computers that do not require centralized large organizations. So that we computer freaks no longer scurry about uncoordinated, we are doing something ("tu wat") and meeting on 27.12.17 in Leipzig, Seehausener Allee 1 (TAZ-Hauptgebäude) from 11:00. We will talk about international networks, communications law, data law (who owns my data?), copyright, information and learning systems, databases, encryption, computer games, programming languages, process control, hardware, and whatever else.

Wednesday 11:30


Dude, you broke the Future!

Saal Adams (en)

We're living in yesterday's future, and it's nothing like the speculations of our authors and film/TV producers. As a working science fiction novelist, I take a professional interest in how we get predictions about the future wrong, and why, so th...

We're living in yesterday's future, and it's nothing like the speculations of our authors and film/TV producers. As a working science fiction novelist, I take a professional interest in how we get predictions about the future wrong, and why, so that I can avoid repeating the same mistakes. Science fiction is written by people embedded within a society with expectations and political assumptions that bias us towards looking at the shiny surface of new technologies rather than asking how human beings will use them, and to taking narratives of progress at face value rather than asking what hidden agenda they serve. In this talk, author Charles Stross will give a rambling, discursive, and angry tour of what went wrong with the 21st century, why we didn't see it coming, where we can expect it to go next, and a few suggestions for what to do about it if we don't like it.

Forensic Architecture

Forensic Architecture is an independent research agency that undertakes historical and theoretical examinations of the history and present in articulating notions of public truth. - Saal Dijkstra (en)

In recent years, the group Forensic Architecture began using novel research methods to undertake a series of investigations into human rights abuses. The group uses architecture as an optical device to investigate armed conflicts and environmental...

Today, the group provides crucial evidence for international courts and works with a wide range of activist groups, NGOs, Amnesty International, and the UN. Forensic Architecture has not only shed new light on human rights violations and state crimes across the globe, but has also created a new form of investigative practice that bears its name. The group uses architecture as an optical device to investigate armed conflicts and environmental destruction, as well as to cross-reference a variety of evidence sources, such as new media, remote sensing, material analysis, witness testimony, and crowd-sourcing. In Forensic Architecture, Eyal Weizman provides, for the first time, an in-depth introduction to the history, practice, assumptions, potentials, and double binds of this practice. Included in this volume are case studies that traverse multiple scales and durations, ranging from the analysis of the shrapnel fragments in a room struck by drones in Pakistan, the reconstruction of a contested shooting in the West Bank, the architectural recreation of a secret Syrian detention centre from the memory of its survivors, a blow-by-blow account of a day-long battle in Gaza, and ...

Lobbying battle over the ePrivacy Regulation

The EU has a choice: protecting people or business models? - Saal Clarke (de)

The EU is currently negotiating a regulation that is meant to create binding, up-to-date rules for the confidentiality of electronic communication. This "ePrivacy Regulation" could, for the foreseeable future, be the last opportunity...

Google analyzes its customers' e-mails, Facebook mines WhatsApp contacts, trackers follow movements across the web and through the shopping mall. Exploiting the personal information that is collected every day during digital communication is the dominant business model of the digital world. Users often have no choice when they depend on the big services: "Take it or leave it; data or die" is the basic principle of commercial surveillance. While digital civil-rights organizations hope for strong regulation, the advertising and tracking industry warns that "the Internet as we know it" is in danger: Will trackers have to respect "Do Not Track" in future? Will mobile network operators soon be allowed to analyze our communication behaviour without limit? Will there be a real right to encryption? Will data retention be extended to messengers? Who prevails in Brussels in the end will also be decided in public.

hacking disaster

hacking capitalism with crisis intervention - Saal Borg (de)

Health, as a decisive part of happiness and contentment, is "capitalized through" down to its smallest sub-areas. And this process does not stop at humanitarian aid and crisis intervention either. In this talk we address vari...

In its work, the NGO CADUS faces practically every day the problem that health, as a decisive part of happiness and contentment, is "capitalized through" down to its smallest sub-areas. This means, for example, that technical equipment whose technology is in itself rather simple, and which is based on findings that are no longer the newest and have long ceased to be revolutionary, is extremely expensive. For many this is quite "normal". But it is only "normal" because, on the one hand, the "myth" of ultra-expensive medical technology is diligently kept alive by the companies involved and, on the other hand, these manufacturing companies control the market practically worldwide. Furthermore, these medical-technology manufacturers often sit on the decisive commissions and committees themselves and can thus (co-)determine market development, any limit values, delivery figures and ultimately also price development. We strongly dislike this practically cartelized approach, or one that is at least subject to a hardened suspicion of lobbying. Cheaper solutions for, e.g., vital-sign monitoring...

Wednesday 12:45


Demystifying Network Cards

Things you always wanted to know about NIC drivers - Saal Borg (en)

Network cards are often seen as black boxes: you put data in a socket on one side and packets come out at the other end - or the other way around. Let's have a deeper look at how a network card actually works at the lower levels by writing a simp...

Packet processing in software is currently undergoing a huge paradigm shift. Connection speeds of 10 Gbit/s and beyond created new problems and operating systems couldn't keep up. Hence, there has been a rise of frameworks and libraries working around the kernel, sometimes referred to as kernel bypass or zero copy (the latter is a misnomer). Examples are DPDK, Snabb, netmap, XDP, pf_ring, and pfq. The first part of the talk looks at the background and performance of the kernel network stack and what changes with these new frameworks. They break with all traditional APIs and present new paradigms. For example, they usually provide an application exclusive access to a network interface and exchange raw packets with the app. There are no sockets; they don't even offer a protocol stack. Hence, they are mostly used for low-level packet processing apps: routers, (virtual) switches, firewalls, and annoying middleboxes "optimizing" your connection. It's now feasible to write quick prototypes of packet processing and forwarding apps that were restricted to dedicated hardware in the past, enabling everyone to build and test high-speed networking equipment with a low budget....

End-to-end formal ISA verification of RISC-V processors with riscv-formal

Saal Clarke (en)

Formal hardware verification (hardware model checking) can prove that a design has a specified property. Historically only very simple properties in simple designs have been provable this way, but improvements in model checkers over the last decad...

Formal hardware verification (hardware model checking) can prove that a design has a specified property. This is different from simulation, which can only demonstrate that a property holds for some concrete traces (sets of inputs). Historically only very simple properties in simple designs have been provable this way, but improvements in model checkers over the last decade enable us to prove very complex design properties nowadays. riscv-formal is a framework for formally verifying RISC-V processors directly against a formal ISA specification. (The ISA specification used in riscv-formal is itself formally verified against Spike, the official RISC-V simulator and "golden reference" implementation.) riscv-formal can be made to work with any existing processor design; all that is needed is to add an additional RVFI (RISC-V formal interface) trace port to the core. riscv-formal by default uses the open source SymbiYosys toolchain to perform the formal proofs, but it should be compatible with all major HDL formal verification flows. In this presentation I will discuss how the complex task of verifying a processor against the ISA specification is broken down into smaller ver...

eMMC hacking, or: how I fixed long-dead Galaxy S3 phones

A journey on how to fix broken proprietary hardware by gaining code execution on it - Saal Dijkstra (en)

How I hacked Samsung eMMC chips: from an indication that they have a firmware - up until code execution ability on the chip itself, relevant to a countless number of devices. It all started when Samsung Galaxy S3 devices started dying due to a bug...

A few years ago Samsung Galaxy S3 devices started dying all around the world (a phenomenon known as "Galaxy S3 Sudden Death"). The faulty hardware was pinpointed to its eMMC chip (made by Samsung). eMMC chips are basically SD cards in BGA form soldered to the PCB, but as it appears, they hide a CPU and a firmware inside.

Samsung eMMC chips support some vendor-specific, undocumented eMMC commands. By doing some guesswork and finding the right sequence of commands I was able to dump the entire RAM (and firmware) of the eMMC chip, which appears to sport an ARM Cortex-M3 chip inside. But how can we know what causes the device to fail?

Samsung has written a Linux patch which patches the eMMC's RAM in order to fix the problem. However, investigating the patch itself reveals that it does nothing more than jumping to an infinite loop when something goes wrong. We needed a more inherent fix. By utilizing Samsung's own vendor-specific commands, we can write the eMMC's RAM in order to achieve code execution, or even write to the eMMC's NAND flash memory directly. We can update its firmware and fix the problem altogether.

However, when a device is bricked, how do ...

Charging infrastructure for electric cars: expansion instead of security

Why charging an electric car is insecure - Saal Adams (de)

We are saving the climate with electric cars, and are massively expanding the charging infrastructure. Unfortunately, this also exposes weaknesses at every level: from charging stations lacking tamper resistance to inherently insecure payment prot...

An (AC) charging station is really just a glorified three-phase socket. With a car simulator (cf. https://evsim.gonium.net) you can draw power in many parking lots, for example to bake waffles: https://www.youtube.com/watch?v=pUEp3uWAWqY With this simulator I looked at various charging stations and their backend communication. At most charging stations in public spaces you identify yourself with an NFC chip card. The charging station then talks to a backend via the "Open Charge Point Protocol" (OCPP) (cf. http://www.openchargealliance.org/protocols/ocpp/ocpp-15/) and checks whether the charging session may be released. Unfortunately, both the chip cards used and the OCPP protocol itself have serious flaws: with little effort it is possible to charge at someone else's expense. Malicious station operators could log charging sessions and later simulate "virtual" charging sessions to generate additional revenue. Some charging stations are reachable over the Internet and can be remotely controlled: a running charging session can be aborted remotely. Anyone with physical access to charging statio...

Wednesday 13:30


The Work of Art in the Age of Digital Assassination

Saal Clarke (en)

My talk explores the interconnected nature of war and culture. It does so through the context of technology and political discourse in contemporary art. With a view from the battle fields of the Middle East, both real and imagined, I attempt to di...

Uncovering British spies’ web of sockpuppet social media personas

Saal Borg (en)

The Joint Threat Research Intelligence Group (JTRIG), a unit in one of Britain’s intelligence agencies, is tasked with creating sockpuppet accounts and fake content on social media, in order to use "dirty tricks" to "destroy, deny, degrade [and] d...

In 2011, I was unknowingly messaged on an IRC channel by a covert agent from the UK's Government Communications Headquarters (GCHQ), who was investigating the hacktivist groups Anonymous and LulzSec. Later that year, I was arrested (and banned from the Internet) for my involvement in LulzSec. Then, in 2014, I discovered through a new Snowden leak[1] that GCHQ had targeted Anonymous and LulzSec, and the person that messaged me was a covert GCHQ employee, pretending to be a hacktivist. Because I was myself targeted in the past, I was aware of a key detail, a honeypot URL shortening service set up by GCHQ, that was actually redacted in the Snowden documents published in 2014. This URL shortening service enabled GCHQ to deanonymize another hacktivist and discover his real name and Facebook account, according to the leaked document. Using this key detail, I was able to discover a network of sockpuppet Twitter accounts and websites set up by GCHQ, pretending to be activists during the Arab spring of 2011 and Iranian revolution of 2009, and we published an article about it last summer in Motherboard as a piece of investigative journalism. This talk will: - go into detail abo...

Wednesday 14:00


Gamified Control?

China's Social Credit Systems - Saal Adams (en)

In 2014 China’s government announced the implementation of big data based social credit systems (SCS). The SCS will rate online and offline behavior to create a score for each user. One of them is planned to become mandatory in 2020. This lecture ...

Imagine living in a society where your actions will be rated and formed into a score. Where your online or offline behavior, work performance and attitude towards littering or ignoring red lights will be included in it. And that score will define your job, your ability to get a loan, your general chances, and your life. But don't be scared, it won't be like Orwell's frightening Big Brother. It will be like an all-embracing game, a huge MMORPG. You can do tasks to better your score. What sounds like dystopian fiction or just a teaser for a “Black Mirror” episode became a real life option in 2014, when China's Communist Party (CP) published a “Planning Outline for the Construction of a Social Credit System (2014-2020)”. The CP announced the system to be mandatory for every Chinese person in 2020. It is no theoretical babbling about something happening in a far future: The CP started experimenting with such social credit systems (SCS) in different regions soon after, allowed the private development of such systems, and was cited to become world leader of SCS. While the official goal of the SCS is to level economic development and to bring harmony, sincerity and trust to the whole ...

Squeezing a key through a carry bit

No bug is small enough - Saal Dijkstra (en)

The Go implementation of the P-256 elliptic curve had a small bug due to a misplaced carry bit affecting less than 0.00000003% of field subtraction operations. We show how to build a full practical key recovery attack on top of it, capable of targ...

Carry bugs are fairly common, and usually too small to have big impact, or so they are considered. This one was no exception.

Go issue #20040 (https://github.com/golang/go/issues/20040) affected the optimized x86_64 assembly implementation of scalar multiplication on the NIST P-256 elliptic curve in the standard library.

p256SubInternal computes x - y mod p. In order to be constant time it has to do both the math for x >= y and for x < y; it then chooses the result based on the carry bit of x - y. The old code chose wrong (CMOVQNE vs CMOVQEQ), but most of the time compensated by adding a carry bit that didn't belong in there (ADCQ vs ANDQ). Except when it didn't, once in a billion times (when x - y < 2^256 - p). The whole patch is 5 lines: https://github.com/golang/go/commit/9294fa2749ffee7edbbb817a0ef9fe633136fa9c

The bug was found by a Cloudflare engineer because it caused ECDSA verifications to fail erroneously but the security impact was initially unclear. We devised an adaptive ...
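To make the carry-bit mechanism concrete, the following is an added Go model (not the Go standard library's assembly and not code from the talk) of the selection logic of p256SubInternal on four 64-bit limbs, in both its patched form (ANDQ $1 / CMOVQEQ) and its pre-patch form (ADCQ $0 / CMOVQNE), cross-checked against math/big. The limb layout, the function names and the sample values are assumptions made for this illustration; the case split it triggers (no borrow and x - y < 2^256 - p) is the one described in the abstract.

```go
// Model of constant-time subtraction mod p on NIST P-256, 4 x 64-bit
// little-endian limbs. subModFixed mirrors the patched p256SubInternal,
// subModBuggy the pre-patch selection that goes wrong when x >= y and
// x - y < 2^256 - p. This is an illustrative model, not Go's real code.
package main

import (
	"fmt"
	"math/big"
	"math/bits"
)

// fe is a 256-bit field element, least significant limb first (assumed layout).
type fe [4]uint64

// p256 = 2^256 - 2^224 + 2^192 + 2^96 - 1, the P-256 field prime.
var p256 = fe{0xffffffffffffffff, 0x00000000ffffffff, 0x0000000000000000, 0xffffffff00000001}

// sub returns x - y mod 2^256 and the borrow (1 if x < y), like SUBQ/SBBQ.
func sub(x, y fe) (fe, uint64) {
	var r fe
	var b uint64
	for i := 0; i < 4; i++ {
		r[i], b = bits.Sub64(x[i], y[i], b)
	}
	return r, b
}

// add returns x + y mod 2^256 and the carry out, like ADDQ/ADCQ.
func add(x, y fe) (fe, uint64) {
	var r fe
	var c uint64
	for i := 0; i < 4; i++ {
		r[i], c = bits.Add64(x[i], y[i], c)
	}
	return r, c
}

// cmov returns a when sel == 0 and b when sel == 1, with no data-dependent branch.
func cmov(a, b fe, sel uint64) fe {
	mask := -sel // 0 or all ones
	var r fe
	for i := 0; i < 4; i++ {
		r[i] = (a[i] &^ mask) | (b[i] & mask)
	}
	return r
}

// subModFixed: selector is the borrow alone (ANDQ $1, mul0); the reduced
// value d + p is kept only when there was a borrow (CMOVQEQ moves d otherwise).
func subModFixed(x, y fe) fe {
	d, borrow := sub(x, y)
	dp, _ := add(d, p256) // carry out is irrelevant after the fix
	return cmov(d, dp, borrow&1)
}

// subModBuggy: selector is (0 - borrow) + carry-out of d + p (SBBQ then
// ADCQ $0, mul0); d is chosen when the selector is non-zero (CMOVQNE),
// otherwise d + p is kept. With no borrow and no carry (x - y < 2^256 - p)
// the selector is 0 and the unreduced d + p is returned.
func subModBuggy(x, y fe) fe {
	d, borrow := sub(x, y)
	dp, carry := add(d, p256)
	sel := (0 - borrow) + carry   // mul0 after "ADCQ $0, mul0"
	nonzero := (sel | -sel) >> 63 // 1 iff sel != 0, branch-free
	return cmov(dp, d, nonzero)
}

// toBig converts limbs to a big.Int for cross-checking.
func toBig(x fe) *big.Int {
	n := new(big.Int)
	for i := 3; i >= 0; i-- {
		n.Lsh(n, 64)
		n.Or(n, new(big.Int).SetUint64(x[i]))
	}
	return n
}

// refSubMod is the big.Int reference: (x - y) mod p, non-negative.
func refSubMod(x, y fe) *big.Int {
	r := new(big.Int).Sub(toBig(x), toBig(y))
	return r.Mod(r, toBig(p256))
}

func main() {
	// Constructed sample: x - y = 3, far below 2^256 - p, so the old
	// selection keeps the unreduced 3 + p while the fixed one returns 3.
	x, y := fe{5, 0, 0, 0}, fe{2, 0, 0, 0}
	fmt.Printf("fixed: %x\n", subModFixed(x, y))
	fmt.Printf("buggy: %x\n", subModBuggy(x, y))
	fmt.Printf("ref:   %x\n", refSubMod(x, y))
}
```

The model makes the abstract's probability estimate visible: the buggy path only misbehaves when there is no borrow and d + p does not carry out of 2^256, i.e. when x - y < 2^256 - p, a window of roughly 2^224 out of 2^256 values.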

Wednesday 14:15


The net-policy weather report

Will there be rain? An outlook on the new legislative period - Saal Borg (de)

Germany has voted, but it is not yet known who will govern. A coalition agreement might be negotiated by Christmas, or perhaps later. What are the big debates to expect in the new legislative period?

The talk aims to deliver a weather report on this: on the current projects still being worked off from the digital agenda and, above all, on the actors, interests and areas of conflict of the net-policy debates to be expected, from platform regulation through AI regulation to the question of product liability.

WTFrance

Decrypting French encryption law - Saal Clarke (en)

France is among the top countries trying to destroy encryption, especially through backdoor obligations, global interceptions, and efforts to get access to master keys. French law already criminalises the use of encryption, imposing heavier penal...

Contrary to popular opinion, the worst security legislation does not only come from right-wing governments like Poland or Hungary but also from the 'social' democracies of liberal markets strengthening their supremacy by striving for authoritarian power. France is among the top countries trying to destroy encryption, especially through backdoor obligations. Despite the advice of all digital security experts, French officials are still speaking out against encryption, systematically using the fight against terrorism as a pretext. As a result, French law considers people using encryption as guiltier than others, imposing heavier penalties on people using it or regarding them as general suspects. Legislators also aim at obliging firms to hand over the unencrypted version of a communication or even the encryption key if possible. The period for data retention of encrypted communication is much longer than for non-encrypted communications. After giving a brief historical summary of French anti-crypto legislation, this talk will present the possibilities to oppose this trend. Especially enquiring about what political role developers could play, this should definitely be understo...

Wednesday 15:00


How can you trust formally verified software?

Saal Borg (en)

Formal verification of software has finally started to become viable: we have examples of formally verified microkernels, realistic compilers, hypervisors etc. These are huge achievements and we can expect to see even more impressive results in th...

This is an overview of the six-year project to create (and publicly release) formal specifications of the Arm processor architecture. The meat of the talk consists of the things I have done to make the specification correct:
- testing the specification with the test programs that Arm uses as part of the sign-off criteria for processors
- formally validating processor pipelines against the specification (which has the side-effect of finding bugs in the spec)
- formally verifying properties of the specification
- getting lots of different users (they all find different bugs)
There are a lot of things that you can do with a formal specification: binary analysis, proving compilers or OSes correct, driving a superoptimizer, etc., so I hope that this will inspire the audience to go off and do something amazing with Arm's specification.

Science is broken

How much can we trust science in light of failed replications, bogus results and widespread questionable research practices? - Saal Clarke (en)

We're supposed to trust evidence-based information in all areas of life. However, disconcerting news from several areas of science must make us ask how much we can trust scientific evidence.

The field of psychology is faced with a crisis where many results that were trusted for decades are called into question. Obviously bogus results like one trying to prove that precognition is real can be created with the existing scientific standards. In replication attempts in preclinical cancer research more than 90 percent of study results could not be confirmed. Pharmaceutical companies are constantly under attack for questionable research methods. The scientist John Ioannidis asked more than ten years ago "Why most scientific research findings are false". These aren't just single incidents; they show much deeper problems in the way science is performed today. Scientific results get published if they yield "positive" results and land in the drawer if the results are "negative", giving an incomplete and often skewed picture. In many fields scientific studies are never replicated. Scientific incentive structures like the Impact Factor prefer sensational results over rigorous scientific standards. But there's also some movement in the right direction. Trial registers or registered reports can prevent or at least detect many questionable research practices. The r...

Wednesday 15:15


BBSs and early Internet access in the 1990s

Modems, FIDO, Z-Netz, Usenet, UUCP, SLIP and ISDN - Saal Dijkstra (en)

This talk explains how individuals were able to communicate globally in the 1990s using self-organized networks of BBSs in networks like FIDO and Z-Netz, before individual access to the Internet was possible. It also covers the efforts of non-pr...

This talk covers how individuals could participate in local, regional and global message-based data communications in the 1990s. It covers the technologies used to access such networks, both on the infrastructure (BBS) side, as well as on the user/client side. At the same time, the talk is a bit of a personal journey from
- accessing dial-up BBSs using an acoustic coupler and modem
- becoming CoSysop of a BBS and learning about how to operate BBSs
- being a Node/Point in message-based communications networks like Z-Netz and FIDO
- using UUCP to participate in Internet mail/news (Usenet)
- working in the technical team of Kommunikationsnetz Franken e.V. to set up a community-based ISP with modem and ISDN dial-up banks, satellite-based Usenet feeds, analog leased lines and ISDN-SPV
- helping get Germany's alleged first Internet Cafe (we then called it an Online Bistro) connected

How risky is the software you use?

CITL: Quantitative, Comparable Software Risk Reporting - Saal Adams (en)

Software vendors like to claim that their software is secure, but the effort and techniques applied to this end vary significantly across the industry. From an end-user's perspective, how do you identify those vendors who are effective at securing...

Where are the longitudinal studies showing a large body of binaries with and without stack guards, or source fortification, or some other proposed best practice, and the resulting difference in exploitability? Where are the studies and reports on software content and safety, so that consumers can minimize their risk and make informed choices about what software is worth the risk it adds to an environment? We at CITL are working to fill in these blind spots, so that security professionals can back up their recommendations with solid scientific findings, and consumers can be empowered to better protect themselves. We'll be talking about the automated static analysis and fuzzing frameworks we're developing and presenting early results from our large scale software testing efforts.

Wednesday 15:30


Algorithmic science evaluation and power structure: the discourse on strategic citation and 'citation cartels'

Saal Clarke (en)

Quantitative science evaluation, such as university rankings, relies on man-made algorithms and man-made databases. The modelling decisions underlying this data-driven algorithmic science evaluation are, among other things, the outcome of a specific...

Scientific evaluation as a governance technique is conducted through different instruments which have intended and unintended effects. One aspect of evaluation is the measurement of research quality through the performance of scientific publications, for example, how often they are cited. The design of such performance indicators is one core task of bibliometrics as a discipline. There is evidence that citation-based performance indicators might have side effects on citation behaviour. Those effects have to be considered by the bibliometrics community. On the one hand, they have to be considered with regard to indicator design aiming at achieving validity of measurement. On the other hand, and maybe more importantly, they have to be considered with regard to indicator use and its effect on science and society. We find some of this behavioural adaptation analogously in the development of search engine optimization (SEO). Search engine rankings share one core principle with citation-based indicators: that relevance (quality) is understood to be measurable through incoming links (citations) to a website (publication). The discourse on SEO and which strategies are to be regarded ...

Wednesday 15:45


Unleash your smart-home devices: Vacuum Cleaning Robot Hacking

Why is my vacuum as powerful as my smartphone? - Saal Borg (en)

Did you ever want to run your own IoT cloud on your IoT devices? Or did you ever wonder what data your vacuum cleaning robot is transmitting to the vendor? Why a vacuum cleaning robot needs tcpdump? Nowadays IoT devices are getting more and more ...

We will give you a detailed tour through the hardware and software components of the Xiaomi vacuum robot (generation 1). We will also publish a non-invasive method to get root access to your vacuum robot. After talking about the rooting procedure, we will discuss the internals of the robot. For example, the robot uses a so called SLAM (Simultaneous Localization and Mapping) system with LIDAR (Light Detection And Ranging) and various other sensors to create maps of your apartment. These maps are used, among other things, to calculate the best cleaning path. We will show you what these maps look like and how they are stored in the robot. At the end, we will discuss which data are created and uploaded to the vendor, and why this may be a big privacy issue. We will also prove why it is a bad idea to leave IoT devices in an unconfigured state.

Wednesday 16:30


Tightening the Net in Iran

The Situation of Censorship and Surveillance in Iran, and What Should Be Done - Saal Dijkstra (en)

How do Iranians experience the Internet? Various hurdles and risks exist for Iranians, including from outside actors like American technology companies. This talk will assess the state of the Internet in Iran, discuss things like the threats of hack...

How do Iranians experience the Internet? Various hurdles and risks exist for Iranians, including from outside actors like American technology companies. This talk will assess the state of the Internet in Iran, discuss things like the threats of hacking from the Iranian cyber army; how the government is arresting Iranians for their online activities; the most recent policies and laws for censorship, surveillance and encryption; and the policies and relationships of foreign technology companies like Apple, Twitter and Telegram with Iran, and the ways they are affecting the everyday lives of Iranians. This talk will effectively map out how the Internet continues to be a tight and controlled space in Iran, and what efforts are being done and can be done to make the Iranian Internet a more accessible and secure space. Breakdown of the talk: What threats exist for Iranians online? The various bodies that police the Internet in Iran will be discussed, including the Iranian Cyber Police (FATA), Gerdab (the Revolutionary Guards Cyber Police), and the loosely affiliated government network of the Iranian Cyber Army, and how they have been tracking, arresting, and ha...

The intelligence services' eavesdropping programs

Saal Adams (de)

The NSA-BND inquiry committee of the German Bundestag has ended. So this is a good moment to look back at the accumulated intelligence-service scandals and the reactions to the revelations.

The findings from the committee concern mass surveillance and cable traffic, the selectors and intelligence oversight, the drone war and "spying among friends". We want to talk about all of that, and also about why Edward Snowden was not heard as a witness.

Inside Intel Management Engine

Saal Borg (en)

Positive Technologies researchers Maxim Goryachy and Mark Ermolov have discovered a vulnerability that allows running unsigned code. The vulnerability can be used to activate JTAG debugging for the Intel Management Engine processor core. When comb...

Intel Management Engine is a proprietary technology that consists of a microcontroller integrated into the Platform Controller Hub (PCH) microchip with a set of built-in peripherals. The PCH carries communication between the processor and external devices; therefore, Intel ME has access to some critical data on the computer, and the ability to execute third-party code allows compromising the platform completely. Researchers have long been interested in such capabilities, but recently we have seen a surge of interest in Intel ME. Intel provides its engineers with the ability to perform ME debugging via JTAG, in addition to allowing third-party developers to debug ISH via DCI (as previously discussed by us at 33C3). Anyone could use the vulnerability we have found to activate JTAG debugging for ME. In our presentation, we will describe the built-in ME debugging mechanism and how to activate it with the help of this vulnerability.

1-day exploit development for Cisco IOS

Saal Clarke (en)

The year 2017 was rich in vulnerabilities discovered in Cisco networking devices. At least 3 vulnerabilities leading to remote code execution were disclosed. This talk will give an insight into the exploit development process for Cisco IOS for two of the...

On March 17th, Cisco Systems Inc. made a public announcement that over 300 of the switches it manufactures are prone to a critical vulnerability that allows a potential attacker to take full control of the network equipment. This damaging public announcement was preceded by Wikileaks' publication of documents codenamed "Vault 7", which contained information on vulnerabilities and descriptions of tools needed to access phones, network equipment and even IoT devices. Cisco Systems Inc. had a huge task in front of them - patching this vast number of different switch models is not an easy task. The remediation for this vulnerability was available with the initial advisory, and patched versions of IOS software were announced on May 8th 2017. I decided to reproduce the steps necessary to create a fully working tool to get remote code execution on the Cisco switches mentioned in the public announcement. Another big vulnerability was disclosed in June 2017. This was a remote code execution vulnerability in an SNMP service affecting multiple Cisco routers and switches. I will share the techniques and tools I used while researching vulnerable Cisco switches and r...

Wednesday 18:30


Education on the Way into "Neuland"

Saal Borg (de)

There is a large deficit at our schools when it comes to teaching digital maturity (digitale Mündigkeit). Since there is now broad consensus that more has to happen at schools with regard to digital technologies, education policy is reacting and ...

As part of Chaos Macht Schule, we have been giving workshops for over 10 years in which we move in the thematic intersection of technology and society. Because a contemporary education that puts the digital maturity of pupils at its centre still seems a long way off in the school landscape, even in 2017. Schools, business and politics are all reacting, if slowly, to the existing deficits. But many current developments in education policy do not address the fundamental problems, solve them only inadequately, or, in our view, set the wrong priorities. In our talk we discuss current developments in education policy in the context of our experiences at schools. We set out which priorities, in our view, should be set in schools in order to prepare the next generation for a progressively digitalised world.

QualityLand

Reading - Saal Adams (de)

Welcome to QualityLand, in a not-too-distant future: everything runs smoothly - work, leisure and relationships are optimised by algorithms.

Nevertheless, the machine scrapper Peter Arbeitsloser is increasingly haunted by the feeling that something is wrong with his life. If the system really is so perfect, why are there drones that suffer from fear of flying, or combat robots with post-traumatic stress disorder? Why are the machines becoming ever more human, but humans ever more machine-like? Marc-Uwe Kling has condensed the promises and the unease of the digital present into an astonishing satire of the future that lingers long after reading. Visionary, subtle – and as funny as the Känguru trilogy.

iOS kernel exploitation archaeology

Saal Clarke (en)

This talk presents the technical details and the process of reverse engineering and re-implementation of the evasi0n7 jailbreak's main kernel exploit. This work was done in late 2013, early 2014 (hence the "archaeology" in the title), however, it ...

The evasi0n7 jailbreak was released by the evad3rs on 22nd December 2013 targeting iOS 7.0 to 7.1b3 devices (iDevices). This talk documents the reverse engineering process of evasi0n7's main kernel exploit, which was performed in order to not only understand the underlying vulnerability, but more importantly to document the exploitation techniques the evad3rs utilized. The talk will initially focus on the kernel debugging setup (a very important but often ignored step in device/embedded exploitation talks), the problems encountered and how they were overcome. I will then explain the underlying vulnerability, and the reverse engineering of the implemented exploitation techniques. Finally, I will present a detailed step-by-step re-implementation of the kernel exploit.

Let's break modern binary code obfuscation

A semantics-based approach - Saal Dijkstra (en)

Do you want to learn how modern binary code obfuscation and deobfuscation works? Did you ever encounter road-blocks where well-known deobfuscation techniques do not work? Do you want to see a novel deobfuscation method that learns the code's behav...

This talk might be interesting for you if you love reverse engineering or binary security analysis. We present modern code obfuscation techniques, such as opaque predicates, arithmetic encoding and virtualization-based obfuscation. Further, we explain state-of-the-art methods in (automated) deobfuscation [1] as well as how to break these [2]. Finally, we introduce a novel approach [3] that learns the code's semantics and demonstrate how this can be used to deobfuscate real-world obfuscated code.

[1] https://www.ieee-security.org/TC/SP2015/papers-archived/6949a674.pdf
[2] https://mediatum.ub.tum.de/doc/1343173/1343173.pdf
[3] https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-blazytko.pdf

Wednesday 19:45


Access To Bodies

A guide to post-human computer and body applications - Saal Dijkstra (de)

Cyborgs and body enhancement are typically male-dominated topics (Terminator etc.). By contrast, the female-connoted beauty industry, for example, is also highly technologised. Here, body and technology are already, on various levels, closely ...

The human body is a constantly changing situation that adapts to external, societal conditions. The topic of cyborgs and body enhancement is highly topical; the smartphone is already part of our anatomy and my brain has internalised the Instagram way of thinking. The computer is perfect, the human is not. That at least is the prevailing narrative, and that is why humans constantly try to improve themselves in order to become one with the computer. But improvement is only an argument for selling solutions. What does a body look like that does not follow a logic of constant improvement? In my talk I speak about alternative body extensions and ideals of beauty. My works are prostheses that do not serve to replace missing body parts, but to simulate non-economic, non-functional, non-logical possibilities. Using a series of examples, projects and works, I would like to lay out this field of tension.

The PC-Wahl Hack

Analysis of an election software - Saal Adams (de)

Hackers from the Chaos Computer Club (CCC) examined software used in several federal states for recording and evaluating the upcoming federal election for possible attacks. The analysis revealed a multitude of vulnerabilities and ...

https://ccc.de/de/updates/2017/pc-wahl
https://ccc.de/de/updates/2017/pc-wahl-again
https://ccc.de/system/uploads/230/original/PC-Wahl_Bericht_CCC.pdf

Pointing Fingers at 'The Media'

The Bundestagswahl 2017 and Rise of the AfD - Saal Borg (en)

The German election in September 2017 brought a tectonic shift to the layout of German politics. With the AfD in parliament far-right illiberalism has reached the mainstream. We investigate the communicative developments underlying this rise. Usin...

The Bundestagswahl 2017 was an earthquake to Germany's political landscape. With the AfD an illiberal and openly xenophobic party became the third-largest force in parliament. Its rise over just four years is unlike anything seen in Germany before. The new media landscape has often been touted as a key component of the rise of the AfD. More than any other party the AfD has made frequent use of the "populist playbook" -- stirring controversy through inflammatory rhetoric before back-pedalling and slamming the "Lügenpresse" (mendacious press). More than this, though, no other party has been as successful in directly connecting to and communicating with followers on Facebook to spread their "real" messaging outside mainstream media channels. Likewise, the proliferation of distinctly right-wing, rabble-rousing "news"-blogs and spread of these "news" on social media have given the far right an unfiltered platform to communicate with supporters. This has fundamentally shaken what scholars know about mass communication and agenda setting processes during elections. Still, despite many analyses and investigations we do not really know what actually went on during the 2017 campaign i...

Watching the changing Earth

warning: gravity ahead - Saal Clarke (en)

For a few decades now, satellites have offered us the tools to observe the whole Earth with a wide variety of sensors. The vast amount of data these Earth observation systems collect enters the public discourse reduced to a few numbers, numbers like ...

The melting of ice during the summer and the regrowth of ice shields in winter, or in general any variation of mass on the surface of the Earth and inside the Earth, are reflected in changes of its gravity field. By monitoring the gravity field from space, we can infer the mass variations necessary to produce the measured gravity changes. Satellite missions like GRACE (Gravity Recovery and Climate Experiment) have offered us a monthly view of the Earth's changing gravity field since 2002, providing a look into the mass redistribution driven by geophysical processes, climate, and human civilisation. Furthermore, the combination of gravity with additional types of measurements allows us to get a better understanding of our planet. The objective of this presentation is not to discuss the last significant decimal in some indicator of climate change. A look at the gravity field offers much more information, e.g., continental and global hydrology, changing ocean currents, mass flow in the mantle. This talk will give a brief introduction to the space geodetic techniques used to monitor the gravity field of the Earth, with a focus on the GRACE mission, its scientific results and application...

Wednesday 20:30


Ecstasy 10x yellow Twitter 120mg Mdma

Shipped from Germany for 0.1412554 Bitcoins - Saal Dijkstra (en)

Artists !Mediengruppe Bitnik talk about recent works around bots and the online ecosystems that have been forming around them. Through the lens of their recent works around algorithms and bots, !Mediengruppe Bitnik offer a look into some of the tec...

Retracing their explorations into the Darknets with Random Darknet Shopper, !Mediengruppe Bitnik will talk about the shopping bot which linked the darknet directly to the art space. With a weekly budget of $100 in Bitcoins, the bot went shopping on the deep web where it randomly bought items like cigarettes, keys, trousers or a Hungarian passport scan and had them sent directly to exhibition spaces in Switzerland, the UK and Slovenia. In a more recent series of works !Mediengruppe Bitnik use the hacked online dating site Ashley Madison as a case study to talk about the current relationship between human and machine, Internet intimacy and the use of virtual platforms to disrupt and defraud.

Low Cost Non-Invasive Biomedical Imaging

An Open Electrical Impedance Tomography Project - Saal Clarke (en)

An open source biomedical imaging project using electrical impedance tomography. Imagine a world where medical imaging is cheap and accessible for everyone! We'll discuss this current project, how it works, and future directions in medical physics.

Current medical imaging machines such as MRI scanners are large, expensive and very rarely used preventatively, as scans are done when symptoms have already occurred. Better healthcare for the future would include affordable high-resolution body scans for everyone, which cause no harm to the body and enable us to track changes through machine learning algorithms. Electrical Impedance Tomography is an electrical current mapping technique enabling the reconstruction of 2D slices of the human body that is both non-invasive and completely safe (non-ionizing). It's an exciting and active area of research with new techniques coming out all the time to reach higher resolution imaging. The range of applications is huge and includes measuring lung volume, muscle and fat mass, gestural recognition based on muscle movement, bladder or stomach fullness, breast and kidney cancer, hemorrhage detection and even monitoring the depth of anesthesia in patients. I'll talk about the state of research on each of these applications. Currently there is no readily available platform to enable rapid development and collaboration in this area. Unfortunately this means very few people outside of...

Wednesday 21:00


Defeating (Not)Petya's Cryptography

Saal Borg (en)

In this presentation we will outline our findings about (Not)Petya's crypto flaws and how we were able to exploit them to decrypt infected computers.

At the end of June 2017, a malware outbreak plagued Ukraine and other parts of the world. The threat, quickly dubbed NotPetya after striking similarity to Petya had been discovered, encrypted infected systems at boot-level. A deeper analysis of NotPetya's cryptography revealed several rookie mistakes that enabled us to recover the encrypted hard drives. This talk gives some insights into NotPetya's flawed cryptography and how we were able to exploit them to eventually decrypt the infected hard drives.

Wednesday 21:15


Social Cooling - big data’s unintended side effect

How the reputation economy is creating data-driven conformity - Saal Dijkstra (en)

What does it mean to be free in a world where surveillance is the dominant business model? Behind the scenes databrokers are turning our data into thousands of scores. This digital reputation is increasingly influencing our chances to find a job, ...

How do we deal with these chilling effects? I suggest we take the comparison of oil and data all the way: if oil leads to global warming, then data leads to Social Cooling. Social Cooling is an accessible narrative about the large-scale chilling effects that are starting to become visible, and whose effects countries like China are actively embracing. Here in the West, studies show a rise in self-censorship and a growing culture of risk-aversion. For example, after the Snowden revelations fewer people visit Wikipedia pages about subjects like terrorism. We see doctors hesitating to operate on patients because a death will lower their score. This comparison is not meant to scare, but to give us hope: our move away from oil offers us a valuable blueprint on how to deal with this issue. In this talk we'll go into the narratives we need. In a data-driven world, a good story can still be the best hack.

The Language of the Surveillers

How security and surveillance are talked about in Austria - Saal Adams (de)

Never before has the complex of topics around security and surveillance been discussed in Austria as intensively as in 2017. The topic has arrived in the evening news and in editorials. The discussion around the planned introduction of a security...

Three sentences by the Austrian Minister of the Interior Wolfgang Sobotka are exemplary of the quality of the security debate in Austria. At the beginning of 2017 he justified his plans for expanding video surveillance with the following argument: "An example: in front of my front door there was – many years ago – repeatedly human faeces. When I put up a camera, that stopped immediately." In the middle of the year he said in an interview: "Security stands above politics." And when his surveillance package threatened to fail, he reached into the bottom drawer and pulled out this sentence: "Everyone inside and outside parliament who is against these legal adjustments is planning an attack on the security of Austrians." Between these great feats of argumentation there were plenty of other discordant notes that need to be refuted, defused and set straight in order to put the discussion on a sound footing.

Relativity for Absolute Beginners

Space, time, light and gravitation: how are they connected? - Saal Clarke (de)

Everyone knows it, hardly anyone really understands it, perhaps the most famous equation in the world: E=mc^2. What is it about, what is special relativity and what is general relativity? How can one be sure that this really ...

Let's really step on the gas and marvel our way through the world at 300,000 a second. Let's build a time machine and bend spacetime until it creaks. The theory of relativity, and especially general relativity, is relatively hard to understand. So what? Everything is relative, or is it?

Wednesday 22:00


Catch me if you can: Internet Activism in Saudi Arabia

Saal Clarke (en)

Activists in Saudi Arabia have been able to celebrate important victories like the recent lifting of the ban on women driving in September 2017 but have to fight on a lot of other front lines at the same time. Websites are blocked on a large scale...

There is a simple reason why the Internet and social media have such an important role in the current struggle for social and political change: About 75 percent of the Saudi population are younger than 30 years old and basically everyone is online all the time: 75 percent of the Saudis have a smartphone and Saudi Twitter users account for 40 percent of all Twitter users in the whole Arab world. Life in the Kingdom is strongly influenced by the conflict between conservative-religious groups on one side and liberal activists on the other side who are trying to further democratic values, women's rights, free speech and freedom of religion. While the government is restricting public discourse, activists are pushing for reforms and are trying to make their voices heard. This activism and so-called „overstepping of red lines“ comes at a price: Many have heard of the blogger Raif Badawi, who has been imprisoned in Saudi Arabia since 2012 and sentenced to 10 years in jail and 600 lashes for setting up a website that criticises religious figures. But fewer people are familiar with the cases of activists like Waleed Abulkhair, Ashraf Fayadh, Hamza Kashgari, Mariam al-Otaibi, Loujai...

The Fabulous World of Mobile Banking

Saal Adams (de)

So far, attacks against app-based TAN procedures and mobile banking have tended to be dismissed by the affected banks as academic capers. They could, if at all, only be reproduced under laboratory conditions and with a recurringly high manual effort ...

The rapidly advancing abolition of independent two-factor authentication in app-based banking has raised the requirements on technical security measures. Aware of the conceptual attackability of the procedures, the banks seek to secure their apps through special third-party solutions. These products have meanwhile become an integral part of many banking apps and are meant to guarantee their security in the case of a compromised device.

In the financial sector in general, but especially in the field of German banking apps, the so-called Promon SHIELD by the Norwegian manufacturer Promon is a well-known security solution that stands out for its high popularity among all institutions of the German banking landscape. Especially in the apps of the Sparkassen-Finanzgruppe and the Volksbanken-Raiffeisenbanken, Promon SHIELD has meanwhile become the linchpin of the security architecture. As such, it is found not only in their banking and pushTAN apps, but also in ten further apps. But the product is also valued by the private banks and is used, among other...

BootStomp: On the Security of Bootloaders in Mobile Devices

Saal Dijkstra (en)

In our paper we present a novel tool called BootStomp able to identify security vulnerabilities in Android bootloaders (such as memory corruptions) as well as unlocking vulnerabilities. During its evaluation, BootStomp discovered 6 previously unkn...

Modern mobile bootloaders play an important role in both the function and the security of the device. They help ensure the Chain of Trust (CoT), where each stage of the boot process verifies the integrity and origin of the following stage before executing it. This process, in theory, should be immune even to attackers gaining full control over the operating system, and should prevent persistent compromise of a device's CoT. However, not only do these bootloaders necessarily need to take untrusted input from an attacker in control of the OS in the process of performing their function, but also many of their verification steps can be disabled ("unlocked") to allow for development and user customization. Applying traditional analyses to bootloaders is problematic, as hardware dependencies hinder dynamic analysis, and the size, complexity, and opacity of the code involved preclude the usage of many previous techniques. In this paper, we explore vulnerabilities in both the design and implementation of mobile bootloaders. We examine bootloaders from four popular manufacturers, and discuss the standards and design principles that they strive to achieve. We then propose BootStomp, a...

Wednesday 22:15


Microarchitectural Attacks on Trusted Execution Environments

Saal Borg (en)

Trusted Execution Environments (TEEs), like those based on ARM TrustZone or Intel SGX, intend to provide a secure way to run code beyond the typical reach of a computer’s operating system. However, when trusted and untrusted code runs on shared h...

The goals of this talk are twofold. First, it will build up an understanding of microarchitectural attacks, Trusted Execution Environments, and the existing research into the two. The talk assumes only basic knowledge of processor operation, and presents the information needed to understand the many variants of attacks against the cache and more. We will also cover key similarities and differences between ARM TrustZone and Intel SGX technologies and how these can be abused by microarchitectural attacks. This is a relatively new field of research, but it is growing quickly, and we hope to explain the significant contributions and accomplishments that have been achieved already. The second goal of the talk is to demonstrate how to perform these attacks in practice. We will take the TrustZone-based TEE implementation on the Nexus 5X as an example and explain how to write software which performs these side-channel attacks. We then push beyond the existing research and develop new methods to perform attacks on ARM TrustZone with greater precision than seen before. Our setup is relatively easy to implement, and we aim for this demonstration to encourage and enable further research ...

Wednesday 22:45


BGP and the Rule of Custom

How the internet self-governs without international law - Saal Dijkstra (en)

When bad actors can simply move servers from country to country, why does the internet remain reasonably civil? How does one get on, or get kicked off, the internet? Why do fraud and child abuse websites regularly get shut down but thepirat...

We have been taught that someone must be in charge, there must be a supreme court of arbitration, otherwise chaos will reign. But we have before us an example of a network which does not have any supreme court, nor any official law or governing body besides ICANN.

The internet is made up of tens of thousands of organizations (known as Autonomous Systems) who interconnect with one another voluntarily in what are known as peering agreements. Over 99% of all peering agreements are handshake agreements with no written contract, and providers trust one another to follow social norms which are present within the internet community.

Certain behavior such as denial of service attacks, email spam, and malware propagation is generally recognized as anti-social, and autonomous systems which are dedicated to these types of business have in the past found themselves disconnected by their providers and unable to find anyone who will connect with them.

Some hosting providers describe themselves as "bulletproof" or "last resort" hosting, providers who will host websites which are not able to find hosting in other places. Bulletproof hosting charges large sums of ...

Doping your Fitbit

Firmware modifications faking you fitter - Saal Clarke (en)

Security architectures for wearables are challenging. We take a deeper look into the widely-used Fitbit fitness trackers. The Fitbit ecosystem is interesting to analyze, because Fitbit employs security measures such as end-to-end encryption and au...

We explain the Fitbit security architecture, including the most important communication paradigms between tracker, app, and server. Our talk focuses on the tracker itself and its wireless interfaces; nevertheless, it is important to understand the roles of the other components to successfully imitate them. Custom firmware makes fitness trackers the ultimate geek toy, including the possibility to improve security and privacy. We show how we reverse-engineered the wireless firmware flashing process, as well as how to set up a Nexmon-based environment for developing custom firmware. A short demo shows how wireless flashing works, including the potential of the modified firmware. We also release a smartphone application supporting a subset of the demonstrated attacks, including the possibility for users to extract some of their fitness tracker data without sharing it with Fitbit. This is a huge step towards privacy on wearables. Apart from the app we will also release everything necessary to patch your Fitbit firmware, enabling users to develop more secure mechanisms protecting their data.

DPRK Consumer Technology

Facts to fight lore - Saal Adams (en)

The DPRK has largely succeeded at hiding its consumer technology. While versions of the desktop operating system, Red Star, have leaked, the mobile equivalent hasn't, and there remains little knowledge of the content available on the intranet. Let...

Previous talks at CCC, including CS in the DPRK (https://media.ccc.de/v/31c3_-_6253_-_en_-_saal_2_-_201412292115_-_computer_science_in_the_dprk_-_will_scott), Lifting the fog on RedStar OS (https://media.ccc.de/v/32c3-7174-lifting_the_fog_on_red_star_os), and Woolim: Lifting the fog on DPRK's latest Tablet (https://media.ccc.de/v/33c3-8143-woolim_lifting_the_fog_on_dprk_s_latest_tablet_pc), have given us a taste of what technology in Pyongyang looks like. Unfortunately, we've ended up in a less-than-optimal stalemate: while technical artifacts are taken outside of the country, there remains a significant hesitation to release them - after all, knowledge is power, and the unknown unknowns outweigh the potential benefits. We'll explain the current state of consumer technology in Korea in a bit more depth, and then explore some of the unique quirks. The focus will be on understanding that there is a significant, but not well known, internal market, and that it's keeping up with the West more closely than we might expect.

Wednesday 23:30


The Divine Computer Science

Computer science solves formal (mathematically modelled) problems admirably – now it is expected to solve all other problems too - Saal Dijkstra (de)

Computer science appears to be the new divine that can solve climate change, crime, our lack of knowledge about the brain, global terror, ever denser city traffic, the energy problems and the poverty of the world; and does so ...

The well-known computer pioneer and social critic Prof. Dr. Joseph Weizenbaum once said, in essence: "In the past, one handed a problem to the computer once one had understood it. Today it is the other way round." The reasons for this seem to be an almost magical faith in technology, a strange misunderstanding of how today's computers work, ever-increasing financial pressure on the public purse, and a widespread, technically reduced – one could almost say 'cybernetic' – view of the world and of humanity. Google's artificial intelligence AlphaGo wins against the professional South Korean Go player Lee Sedol, and already the swan song for the human brain is being sung. But the fact that Sedol metabolised a few cups of coffee for the match, while AlphaGo consumed the energy of a small town, shows that the situation is slightly more complicated. Similar misleading inaccuracies can also be found regarding the famous secret language of the Facebook bots, all the way to the possibilities of "smart contracts" on the blockchain. These are examples of how misunderstood computer capabilities and ...

The Ultimate Apollo Guidance Computer Talk

Saal Borg (en)

The Apollo Guidance Computer ("AGC") was used onboard the Apollo spacecraft to support the Apollo moon landings between 1969 and 1972. This talk explains "everything about the AGC", including its quirky but clever hardware design, its revolutionar...

The AGC was an early digital computer specifically designed for the Apollo moon missions. The Command Module and the Lunar Module each contained one AGC. First built in 1965 from 5600 integrated circuits, it was one of the first minicomputers, beating commercial machines like the PDP-8 in weight (32 kg) and power consumption (55 W). The Apollo program's size and weight limitations as well as the requirements for real-time guidance, navigation and control were pushing 1960s technologies to their limits. As a 15 bit one's complement big-endian accumulator machine with 36 kilo-words of ROM and 2 kilo-words of RAM, its design seems very foreign from today's perspective. The operating system was real-time, priority-based cooperative/preemptive and fault-tolerant, supporting interpreted virtual machines – practically inventing many of these concepts. This talk explains all the hardware details of the AGC: Its machine language, counters, timers, I/O, display and keyboard, as well as its implementation using integrated circuits, core memory and "core rope" ROM. The talk goes on to explain the software: interrupt handling, the core set, the wait list, the alarm system, the interpreter...

Practical Mix Network Design

Strong metadata protection for asynchronous messaging - Saal Clarke (en)

We shall explain the renewed interest in mix networks. Like Tor, mix networks protect metadata by using layered encryption and routing packets between a series of independent nodes. Mix networks resist vastly more powerful adversary models than To...

Interest in privacy technologies has surged over the previous decade, due in part to the Snowden revelations as well as earlier revelations of warrantless wiretapping by the NSA. Tor has justifiably received considerable attention for protecting location metadata when using existing Internet protocols. We believe the time is right, though, to deploy far stronger systems that cover more specific use cases, especially email and monetary transactions. There are serious limitations to the adversary models addressed by Tor, which manifest today as website fingerprinting attacks, but easily extend to devastating attacks on most use cases, including messaging systems like Briar and Ricochet. Academics have proposed various anonymity technologies with far stronger threat models than Tor, but by far the most deployable and efficient option remains mix networks, which date to the founding of anonymity research by David Chaum in 1981. Tor was inspired by mix networks and shares some superficial similarities, but mix networks are vastly stronger if they judiciously add latency and cover traffic. There are several historical reasons why mixnets lost popularity and why Tor's onion...

KRACKing WPA2 by Forcing Nonce Reuse

Saal Adams (en)

We introduce key reinstallation attacks (KRACKs). These attacks abuse features of a protocol to reinstall an already in-use key, thereby resetting nonces and/or replay counters associated to this key. We show that our novel attack technique breaks...

All protected Wi-Fi networks use the 4-way handshake to generate fresh session keys. The design of this handshake was proven secure, and over its 14-year lifetime no weaknesses have been found in it. However, contrary to this history, we show that the 4-way handshake is vulnerable to key reinstallation attacks. In such an attack, the adversary tricks a victim into reinstalling an already in-use key. This is achieved by manipulating and replaying handshake messages. When the victim reinstalls the key, the associated incremental nonce and replay counter are reset to their initial values. Apart from breaking the 4-way handshake, we also show that our key reinstallation attack breaks the group key and Fast BSS Transition (FT) handshakes. The impact of our attacks depends on both the handshake being targeted and the data-confidentiality protocol in use. Simplified, against AES-CCMP an adversary can replay and decrypt packets, but cannot forge packets. Still, this makes it possible to hijack TCP streams and inject malicious data into them. Against WPA-TKIP and GCMP, the impact is catastrophic: an adversary can replay, decrypt, and forge arbitrary packets. Rather surprisingly, GCMP is espe...

Wednesday 00:45


All Creatures Welcome

work in progress beta preview of the documentary - Saal Adams (de)

ALL CREATURES WELCOME is a documentary film about the communities of the digital age. It shows the possibilities of new paths and new perspectives for society by using hacking as a mind-set.

A downright utopian idea is being brought to life, created by all participants of the Chaos Communication Events. On planet nerd, at the epicenter of technical and social change, ALL CREATURES WELCOME explores and reflects new ways of dealing with the digitalization of the world and the resulting reformation of sociocultural conduct. Sandra Trostel started filming the documentary at the Chaos Communication Camp in 2015, followed by further filming at 32c3 and 33c3. At the congress she will show a work-in-progress beta version of the movie. Furthermore, she will give a quick overview of the formation process, the status and the future of the project. And, maybe most importantly: she will answer all the questions of the people who helped to realize this movie! Also watch out for the accompanying self-organized sessions: Chaos Communication Choir and All Creatures Welcome.


Thursday 11:30


Visceral Systems

Approaches to working with sound and network data transmissions as a sculptural medium. - Saal Dijkstra (en)

This talk considers the visceral relationship one can have towards intangible media, notably sound and network data transmissions. Sarah presents a selection of her work demonstrating these synesthetic relationships, ranging from experiments in bi...

Lightning Talks Day 2

Saal Borg (en)

Lightning Talks are short lectures (almost) any congress participant may give! Bring your infectious enthusiasm to an audience with a short attention span! Discuss a program, system or technique! Pitch your projects and ideas or try to rally a cre...

To get involved and learn more about what is happening please visit the Lightning Talks Wikipage at https://events.ccc.de/congress/2017/wiki/index.php/Static:Lightning_Talks

Social Bots, Fake News and Filter Bubbles

Therapy session with a data journalist and lots of colourful visualisations - Saal Clarke (de)

"Attack of the opinion robots" and "Trapped in the filter bubble" ran the headlines in the German media. But what is really behind it?

Data journalist Michael Kreil spent a year collecting and analysing 4500 bots, 1.6 million Twitter accounts, 400 million tweets and 50 million online articles. With scrapers, neural networks and visualisation tools, and with the support of experts and 600 Twitter users, he went looking for social bots, fake news, hate speech and filter bubbles to find out whether they exist, how they work and whether they pose a problem. As part of his talk he will publish the results, the methods, the raw data and the source code.

Mobile Data Interception from the Interconnection Link

Saal Adams (en)

Many mobile network operators rush to upgrade their networks to 4G/LTE from 2G and 3G, not only to improve the service, but also the security. The Diameter protocol - the successor of SS7 in Long Term Evolution (LTE) networks is believed to offer ...

Ever since the public revelation of global surveillance and the exploits targeting the mobile communication backend, and in particular the interconnection network that links operators to each other, the general awareness of security and privacy in the telecommunication industry has increased. Misusing the technical features of mobile core network technology, specifically the Signaling System 7 (SS7), has disclosed numerous ways to locate, track and manipulate the routine cellular activities of cellphone users, e.g. as shown by Karsten Nohl and Tobias Engel in 2008 and 2014. In fact, the SMS-based key recovery mechanism has become vulnerable because of the SS7 vulnerabilities, as we saw in the recent mTAN attack in spring 2017 in Germany. Many mobile network operators rush to upgrade their networks to 4G/LTE from 2G and 3G, not only to improve the service, but also the security. The Diameter protocol, the successor of SS7 in Long Term Evolution (LTE) networks, is believed to offer more protection to the network itself and to the end-users. However, Diameter inherits many functionalities and traits of the SS7 network. Therefore, some attacks are also possible there, e.g. location tracki...

Thursday 12:15


Making Experts Makers and Makers Experts

Saal Dijkstra (en)

Over the past year, we have been developing open source wheelchair add-ons through user research, ideation, design, prototyping and testing. We present the outcome and insights from the process.

The project started one year ago with a wheelchair hackathon at MakerFaire. Driven by ideas of the users, we intensively worked on three topics: transport and storage, driving in the snow and lighting. In particular, the following criteria played a central role: feasibility, time spent on DIY production, costs, aesthetics and impact on wheelchair users. From numerous ideas and prototypes, two products have gained resonance amongst users: OPEN LIGHTS, a wheelchair lighting feature, and OPEN TRAILER, a wheelchair trailer. The project is completely open source and can be reproduced by users themselves with DIY rapid prototyping technologies. The designs and files can be downloaded for free under a Creative Commons License. It is important to us that the products can be easily and inexpensively replicated so that as many wheelchair users as possible can benefit from them.

Thursday 12:45


Influence through Artificial Intelligence

On the banality of influence and living with algorithms - Saal Adams (de)

A scientific perspective on the careless application of machine learning and artificial intelligence algorithms, e.g. in personalised news recommendation systems or risk software in the US justice system.

The talk offers an overview of current developments in the fields of artificial intelligence and machine learning. The focus is above all on the mostly unconscious influencing of users through personalised news recommendations, fake news, and image, audio and video manipulation. Research shows that a large proportion of users of social networks such as Facebook are not aware that their news is increasingly being selected and restricted by algorithms. We explore the consequences of these transparent echo chambers and how easily they can influence users. A large part of the data that enables this influence is generated unconsciously and incidentally. Yet it can allow conclusions about users' preferences and behaviour. How banal this data can be is illustrated by the attempt of banks to predict creditworthiness from postcodes. An ambitious example is offered by Prof. Dr. Michal Kosinski, a psychologist from Stanford, who claims that he can recognise a person's sexual orientation from their face...

We should share our secrets

Shamir secret sharing: How it works and how to implement it - Saal Clarke (en)

Backing up private keys in a secure manner is not straightforward. Once a backup has been compromised you need to refresh all your key material. For example, the disclosure of a private key of a Bitcoin wallet gives access to the coins inside. Th...

Shamir secret sharing is a mechanism that securely splits private keys or passwords into independent parts. These parts do not give away the secret on their own. Instead, the user defines the minimum number of shares needed to restore the original secret. In this way, there is no need to trust a single entity. Additionally, compromise or loss of one share does not mean a compromise or loss of the entire secret. This makes it very suitable for backing up private keys, such as Bitcoin keys. Shamir secret sharing can also be used for passing on your secrets to your trusted successors, in case you get hit by a bus.

In this talk, I will explain in detail how the scheme works. Although it is provably secure for confidentiality, we will see how it fails for integrity and how to fix that. While Shamir published his article almost 30 years ago, most existing libraries for Shamir secret sharing are still implemented poorly in terms of security and side-channel resistance.

I will talk about writing the definitive library for Shamir secret sharing. We will choose suitable parameters and implement the scheme in C. We will see a couple of ...

Thursday 13:00


Digital Education in Schools

Fifth-graders discussing the milliseconds for a delay() call! Doesn't exist? Yes, it does! - Saal Dijkstra (de)

"Fifth-graders discussing the milliseconds for a delay() call! Doesn't exist? Yes, it does!" A model project with seven schools in Aachen investigated this question – we accompanied the pupils and ...

From January to June of this year, seven schools, 14 brave teachers and 223 curious pupils took on a very special challenge: in one to two double lessons the pupils solder together their own small robot and then program it textually in C/C++! Can that even work? Do the children enjoy it? Do they actually learn something? I would like to tell you more about this :)

Thursday 13:45


Why Do We Anthropomorphize Computers?...

...and dehumanize ourselves in the process? - Saal Borg (en)

A talk on waiting for the technological rapture in the church of big data. The paralysing effect of hiding the human hand in software through anthropomorphising computers and dehumanising ourselves.

Marloes de Valk is a software artist and writer in the post-despair stage of coping with the threat of global warming and being spied on by the devices surrounding her. Surprised by the obsessive dedication with which we, even post-Snowden, share intimate details about ourselves with an often not too clearly defined group of others, astounded by the deafening noise we generate while socializing with the technology around us, she is looking to better understand why.

Think big or care for yourself

On the obstacles to think of emergent technologies in the field of nursing science - Saal Dijkstra (en)

In German nursing science the dominant position on emergent technologies demands the removal of machines from caring environments („Entmaschinisierung“). In contrast to this, European research policy heavily focuses on developing new health and soci...

In the first part of this talk we will introduce current positions of German nursing science and German nurses on emergent technologies. For German nursing scientists the main element of nursing is the relationship between the patient and their nurse. One central aspect of this relationship is communication. Corporal [“Leib”] perception is stressed as well as implicit or tacit knowledge. Nursing experts are presumed to use these kinds of knowledge to guide their actions. It is argued that digitalization stands in the way of using these kinds of non-discursive knowledge, as digital technology is only able to display discursive knowledge. Thus, the logic of care and the logic of technology are described as incommensurable. Nevertheless, usage of electronic health records is increasing. Furthermore, a wide range of prototypes is being developed, as they are conceived as solutions to existing problems, at least from certain points of view. For example, smart devices can be used to support blood sampling or the documentation process. We will show you a prototype which is part of our research project, to offer you the possibility to form your own ideas of its advantages and disadvantages. In the second par...

Thursday 14:00


Reverse engineering FPGAs

Dissecting FPGAs from bottom up, extracting schematics and documenting bitstream formats - Saal Clarke (en)

In this talk I describe the basic makeup of FPGAs and how I reverse engineered the Xilinx 7 Series and Lattice iCE40 Series together with the implications.

FPGAs are used in many applications ranging from networking and wireless communications to high performance computing, ASIC prototyping and so forth. They would be perfect for creating true open source hardware, but we would still be bound to use proprietary toolchains provided by the manufacturers. To generate a valid configuration file this toolchain needs to know every single wire, switch, possible connection and logic block, and the corresponding bits to configure each of them. In other words, you are required to have the blueprints of the FPGA in your toolchain to be able to do the place and route and the generation of the bitstream file from your netlist. Naturally, manufacturers do not like to disclose this information, possibly because someone could reverse engineer valuable intellectual property cores. I will explain each component used in FPGAs from Lattice and Xilinx, like switchboxes, the interconnect, logic blocks and memory blocks. Furthermore, I will talk about how I reverse engineered the 7 Series from Xilinx and the iCE40 from Lattice. At the end I will demonstrate how to create your own bitstream by hand, implementing a small logic circuit and testing it live on a Z...

Deep Learning Blindspots

Tools for Fooling the "Black Box" - Saal Adams (en)

In the past decade, machine learning researchers and theorists have created deep learning architectures which seem to learn complex topics with little intervention. Newer research in adversarial learning questions just how much “learning" these ne...

This talk aims to:
- present recent research on adversarial networks
- showcase open-source libraries for fooling a neural network with adversarial learning
- recommend possible applications of adversarial networks for social good

This talk will include several open-source libraries and research papers on adversarial learning, including:
- Intriguing Properties of Neural Networks (Szegedy et al., 2013): https://arxiv.org/abs/1312.6199
- Explaining and Harnessing Adversarial Examples (Goodfellow et al., 2014): https://arxiv.org/abs/1412.6572
- DeepFool: https://github.com/LTS4/DeepFool
- Deep-pwning: https://github.com/cchio/deep-pwning

Thursday 14:30


The seizure of the Iuventa

How search and rescue in the mediterranean was criminalized - Saal Borg (en)

The ship „Iuventa“ of the organization „Jugend Rettet“ was seized on August 2nd 2017 by the Italian authorities. The accusations: facilitating illegal immigration, organized crime and possession of weapons. What followed was a smear campaign that ...

After a short introduction in which we will explain what the civil search and rescue fleet does, we will describe the events that culminated in the seizure of the „Iuventa“, and which surveillance and intelligence techniques were used by the authorities to gather evidence. Evidence that has not been found, because it does not exist. We will describe who initiated the investigation against „Jugend Rettet“ and show how fascists, secret service and police worked hand in hand to stop the „Iuventa“ from saving people from drowning. The seizure of the „Iuventa“ was neither the beginning nor the end of a smear campaign to discredit the work done by the civil search and rescue fleet. It was a small part in a much bigger game played by the European Union to discredit the work of the NGOs working in the Mediterranean. In our talk we will explain why there is such a big interest by the European states in hindering their work and how the European Union is actually breaking international law to do so. Starting with a Frontex strategy paper from January 2016 we will describe how the European Union tries to externalize its borders onto the African continent. To places where there are no cameras or...

May contain DTraces of FreeBSD

Saal Dijkstra (en)

Systems are getting increasingly complex and it's getting harder to understand what they are actually doing. Even though they are built by human individuals they often surprise us with seemingly bizarre behavior. DTrace lights a candle in the dark...

DTrace is an incredibly useful tool for safely inspecting whole systems without impacting overall performance as much as other mechanisms. It's open source and available on a wide variety of operating systems like FreeBSD, macOS, Solaris, illumos and NetBSD. It can be used for debugging, reverse engineering or just for learning to understand the system. I'm going to introduce DTrace and its D language by digging down into the inner workings of FreeBSD itself as it runs (e.g. memory and process management, locking infrastructure and scheduling) as well as user processes. On top of that I will use DTrace itself to illustrate how DTrace is doing its work. We are also going to take a look at some of DTrace's internals, like some of the design decisions as well as the byte code that is being executed in the kernel.

Thursday 15:15


CCC Annual Review 2017

tuwat - Saal Adams (de)

State trojans, data retention, automated biometric collection, PC-Wahl – we give an overview of the topics that occupied the Chaos Computer Club in 2017.

Besides the summary and review of the past year, we also want to talk about future projects and upcoming discussions.

Spy vs. Spy: A Modern Study Of Microphone Bugs Operation And Detection

Saal Borg (en)

In 2015, artist Ai Weiwei was bugged in his home, presumably by government actors. This situation raised our awareness on the lack of research in our community about operating and detecting spying microphones. Our biggest concern was that most of ...

Most of what the general public knows about microphone bugs comes from movies and other fictional sources, which usually are far from real. An example of these inaccuracies is the public speculation made by the Counselor to the United States President, Kellyanne Conway, who expressed that a microwave oven can spy as a camera; the answer is NO, as refuted in an article by WIRED. The current literature about microphone bugs is disturbingly scarce, leaving most people to believe the myths distributed by the media. One of the goals of this work is to debunk the fictional beliefs around mic bugs by performing a thorough study and real-life experiments with them. This paper is divided into three phases. First, we perform a survey of the state of the art of mic bugs and their characteristics. Second, we develop our own free software detection tool, called Salamandra. Third, we perform several real-life experiments on placing and detecting bugs to examine how difficult it is. Finally, we conclude with a thorough analysis of our experience. The first phase makes a deep survey of all the civilian-accessible microphone bugs. It takes into account physical characteristics, frequencies, tr...

Net Politics in Switzerland

The current disputes over digital civil liberties - Saal Dijkstra (de)

Network blocking looms in no fewer than three laws. State trojans and mass surveillance reaching all the way into WLAN are planned with the introduction of the surveillance laws BÜPF and NDG. E-voting is to be pushed through by hook or by crook. Only guaranteed net neutrality...

We want to take up the following topics and look to the future together:
- Effects of the new BÜPF: an assessment for practice from 1.3.2018
- Network blocking in the Money Gaming Act (Geldspielgesetz) and elsewhere: what is the status of the referendum?
- Complaint against cable reconnaissance (Kabelaufklärung): strategic litigation for civil liberties
- E-voting: by hook or by crook
- Net neutrality: insufficient transparency obligations
- Data Protection Act: what is the state of the debate?

Following the talk there will be a further discussion and Q&A session in the Rights & Freedoms Orbit (https://events.ccc.de/congress/2017/wiki/index.php/Cluster:Rights_%26_Freedoms). People from several active organisations in Switzerland (such as CCC-CH, CCCZH, Digitale Gesellschaft Schweiz, Piratenpartei Schweiz) will be present.

Electromagnetic Threats for Information Security

Ways to Chaos in Digital and Analogue Electronics - Saal Clarke (en)

For non-specialists, Electromagnetic Pulse (EMP) weapons are fantasy weapons in science fiction movies. Interestingly, the susceptibility of electronic devices to electromagnetic interference has been advertised since the 90’s. Regarding the high ...

Thursday 16:30


Internet of Fails

Where IoT has gone wrong - Saal Borg (en)

Expect current examples of IoT fails that I collected during my work as a journalist regarding privacy and security. What do such fails mean for society? What are possible solutions and what can customers do?

The internet of things (IoT) is growing. A lot of (mobile) network operators talk about the „next big thing“: a world of always-on devices. So far, IoT is more a wide range of disaster plots with a lot of security and privacy concerns that are a danger to the internet, rather than the world-saving development the tech guys predict. One example: connected (sex) toys. Some countries have already banned them or are planning to ban them. Another example is digital home assistants, which tend to change our sense of privacy. But what can we do? We can’t stop the development, but we can make products safer. In my talk I am going to present current examples where IoT fails in terms of privacy, security and use case. Rather than going into the technical detail of „How did that hack work out?“ I want to concentrate on the ethical and practical problems that arise out of connecting everything. I also want to focus on how consumers can influence the market and what we all can do as a society. For example: currently manufacturers care primarily about bringing their products quickly to the market, and less about their safety. In my talk, I would like to show some examples a...

Blinkenrocket!

How to make a community project fly - Saal Clarke (en)

The Blinkenrocket is a DIY SMD Soldering Kit that was designed to teach different manufacturing and soldering skills. A lot of work on both Hardware and Software was done in CCC erfas namely shackspace, chaosdorf and metalab. The kit is used...

In 2016 we made BLINKENROCKET fly. In this talk you'll learn about our journey and the lessons we learned, and get insights that you can leverage to skyrocket your own soldering kit. Blinkenrocket is a badge-type electronic kit in the shape of the famous fairy dust rocket, aimed at teaching different soldering skills to kids as well as young adults. Once the kit is soldered, custom animations and scrolltext can be created at blinkenrocket.de (http://blinkenrocket.de) and uploaded using your audio port.

Blinkenrocket is designed to:
- teach different skills of soldering (SMD, through-hole, stencils, reflow)
- be CHEAP so it can be used at school events
- be 100% open source; EVERYTHING is available online under open source licensed terms
- provide extensive information targeted to kids as well as young adults
- be extendable
- sell in a BUY ONE / GIVE ONE program to support future growth and donations to workshops. This way people who cannot afford it are not excluded from learning how to solder.

Free Electron Lasers

...or why we need 17 billion Volts to make a picture. - Saal Dijkstra (en)

Wouldn’t it be awesome to have a microscope which allows scientists to map atomic details of viruses, film chemical reactions, or study the processes in the interior of planets? Well, we’ve just built one in Hamburg. It’s not table-top, though: 1 ...

Most people have heard about particle accelerators, most prominently the LHC, at which high energy particles are brought to collision in order to study fundamental physics. However, in fact most major particle accelerators in the world are big x-ray microscopes. The latest and biggest of these synchrotron radiation sources to be built is the European XFEL: a one billion Euro ‘free electron laser’, based on superconducting accelerator technology and spread out over 3 km beneath the city of Hamburg. The produced x-ray pulses allow pictures, for example of proteins, with sub-atomic resolution and an exposure time short enough to enable in-situ studies of chemical reactions. This talk aims to explain how particle accelerators and in particular light sources work, for what reason we need these big facilities to enable new types of science, and why most of modern technology would be inconceivable without them.

Thursday 18:30


The Snowden Refugees under Surveillance in Hong Kong

A Rapidly Emerging Police State and Imminent Deportation to Sri Lanka and Philippines - Saal Borg (en)

The Snowden Refugees’ actions to protect the world’s most significant whistleblower of the 21st Century amount to an expression of political opinion. Since September 2016, the Snowden Refugees have been systematically targeted and persecuted by...

After the Oliver Stone film “Snowden” was released in September 2016, the world learned about Edward Snowden having been provided a safe haven and refuge in Hong Kong by the destitute “Snowden Refugees”. Instead of recognizing them as brave individuals who selflessly protected Mr Snowden, the Hong Kong government launched a systematic campaign to harass, oppress and punish the Snowden Refugees, with a view to deporting them from Hong Kong as quickly as possible. By October 2017, the Hong Kong government had utilized the Social Welfare Department, its Swiss-based contractor International Social Services, and the Immigration Department to target and punish the Snowden Refugees. These well-planned systemic efforts escalated with the Hong Kong police targeting the Snowden Refugees instead of providing protection to them. The Hong Kong government has been aggressively seeking to rapidly remove Vanessa and her stateless daughter to the Philippines under conditions of a nation-wide state of emergency, martial law in Mindanao and a recently catalyzed nation-wide civil war with the National People’s Army. In the name of a war on drugs, President Duterte directed the well-planned and sys...

Inside Android’s SafetyNet Attestation: Attack and Defense

Saal Clarke (en)

SafetyNet Attestation is the primary platform security service on Android. Until recently you had to use third party tools or implement your own app integrity checks and device rooting checks. Today you can use Android's SafetyNet Attestation in...

How to drift with any car

(without your mom yelling at you) - Saal Dijkstra (en)

A lot of research is arising from the fairly unexplored world of automotive communications. Cars are no longer becoming computers, they are fully connected networks where every ECU exchanges data and operates the vehicle at some point. Here is an int...

This talk is not only about security, but about hacking and video games. Many video games are about driving cars, whether it is for racing, or heisting and escaping the police. In this talk, we will explain how the user experience could actually be improved by connecting a car to a video game and turning it into a game controller. We will discuss these connected systems, how car components interact with one another, the different protocols, and anything else that came to us during this journey. However, there was one important constraint during all that experience: no car could be dismantled or modified. The main goal of this analysis was to try doing something out of the data which could be freely recovered by plugging into the OBD-II port of a car. As mentioned, this resulted in the possibility of controlling a video game car through the real car, like a simulator, without the need to modify anything in the car itself. Unfortunately, this requires a lot of gasoline to have the engine powered on and running. Moreover, gasoline is really expensive in France. So we looked for a way to reduce that cost. We actually found a nice device on the Internet to optimize th...

Everything you want to know about x86 microcode, but might have been afraid to ask

An introduction into reverse-engineering x86 microcode and writing it yourself - Saal Adams (en)

Microcode is an abstraction layer on top of the physical components of a CPU and present in most general-purpose CPUs today. While it is well-known that CPUs feature a microcode update mechanism, very little is known about its inner workings given...

Given the complexity of modern instruction sets, hardware vendors moved to hardware designs incorporating complex decode units. A single instruction of the complex outward-facing instruction set is translated to multiple instructions of the simpler internal architecture. While it is possible to do this translation in hardware alone, some instructions would require huge amounts of space on the silicon and increase costs. These complex instructions are instead decoded using a software-like approach called microcode. While processing such an instruction, the CPU internally evaluates a sequence of operations, micro-ops, which decode the complex instruction into the corresponding simpler operations that are performed by the hardware. In light of the existence of hardware bugs such as the infamous Pentium fdiv bug, hardware vendors developed a process to fix those errors without requiring a CPU replacement. However, the microcode is stored in a ROM on the CPU die and cannot be changed after production. Also, relatively simple or often used instructions are still decoded in hardware. The update is instead achieved using microcode updates, which intercept certain instructions and re...

Thursday 19:45


Humans as software extensions

Will You Be My Plugin? - Saal Dijkstra (en)

While technology is often described as an extension of our bodies, this talk will explore a reversed relationship: Bodies and minds of digital laborers (you and me and basically everybody else) as software extensions that can be easily plugged in,...

From CAPTCHAs as micro jobs for training AI to people having to pretend to be bots, from gig work to APIs for programming people – we are extending computational systems by offering our bodies, our senses, and our cognition. To some degree, this has been true for most kinds of work for a long time. However, with software creeping into every aspect of our lives, and with algorithmic systems modulating and optimizing flows constantly, being plugged in and then generating data, or being modulated by data analysis, has become ubiquitous (workers never leaving the factory?). In this talk, I will address the condition of being a software extension within the framework of my artistic practice and research by introducing artworks and discussing e.g. the survival creativity of gig workers on hyper-competitive online platforms; the surveilled workplace; AI as a global assembly line. Against this backdrop, I will also speculate about possible interventions inside these environments.

Financial surveillance

Exposing the global banking watchlist - Saal Clarke (en)

Faced with new responsibilities to prevent terrorism and money laundering, banks have built a huge surveillance infrastructure sweeping up millions of innocent people. Investigative journalists Jasmin Klofta and Tom Wills explain how, as part of a...

An accidental leak granted a rare opportunity for journalists to examine a database used to make decisions affecting people and organisations all over the world. They include a mosque that had its bank account shut without explanation, activists blacklisted for a peaceful protest, and ordinary citizens whose political activities were secretly catalogued. We will show how we used data mining, OSINT and traditional investigative techniques to analyse the World-Check database and discover the human impact of this Kafkaesque system, which is used by almost every major bank and many other institutions including law enforcement agencies. The resulting story made front page news in the UK, Germany, Belgium, Italy, the Netherlands and the USA. We will also ask whether we really want banks to be held responsible for the crimes of their customers. Are Financial Intelligence Units a sensible precaution, or are they pre-crime agencies?

Taking a scalpel to QNX

Analyzing & Breaking Exploit Mitigations and Secure Random Number Generators on QNX 6.6 and 7.0 - Saal Borg (en)

In this talk we will present a deep-dive analysis of the anatomy of QNX: a proprietary, real-time operating system aimed at the embedded market used in many sensitive and critical systems, particularly within the automotive industry. We will pr...

QNX is a proprietary, closed-source, Unix-like real-time operating system aimed at the embedded market. It is found in everything from BlackBerry products, carrier-grade routers and medical devices to military radios, UAVs and nuclear power plants. On top of that, it dominates the automotive market and is found in millions of cars. While some prior security research has discussed QNX, mainly as a byproduct of BlackBerry mobile research, there is no prior work on QNX exploit mitigations or its secure random number generators. This talk seeks to close that gap by presenting the first reverse-engineering and analysis of the exploit mitigations, secure random number generators and memory management internals of QNX. We dissect the NX / DEP, ASLR, Stack Cookies and RELRO mitigations as well as the /dev/random and kernel PRNGs. We subsequently uncover a variety of design issues and vulnerabilities in these mitigations and PRNGs, which have significant implications for the exploitability of memory corruption vulnerabilities on QNX as well as the strength of its cryptographic ecosystem. Finally, we provide information on available patches and hardening measures available to defe...

Console Security - Switch

Homebrew on the Horizon - Saal Adams (en)

Nintendo has a new console, and it's more secure than ever.

The Switch was released less than a year ago, and we've been all over it. Nintendo has designed a custom OS that is one of the most secure we've ever seen, making the game harder than it has ever been before. In this talk we will give an introduction to the unique software stack that powers the Switch, and share our progress in the challenge of breaking it. We will talk about the engineering that went into the console, and dive deep into the security concepts of the device. The talk will be technical, but we aim to make it enjoyable also for non-technical audiences.

Thursday 20:30


Afro TECH

Afrofuturism, Telling tales of speculative futures - Saal Dijkstra (en)

Inke Arns will present speculative projections of the future and current developments in the field of digital technologies by artists and inventors from different countries in Africa, the African diaspora and many other actors in the USA and Europe.

The project examines science-fiction narratives and concepts of technology that function according to their own rules rather than conforming with dominant western narratives. A key source of inspiration for the artworks on display is Afrofuturism, a movement that emerged in the mid-twentieth century against the backdrop of the African-American community's historical experience of racism and discrimination. Telling tales of speculative futures, it opened up a space for a distinct history, and hence emancipation, self-empowerment and individual freedom. The concepts, ideas and aesthetics of Afrofuturism soon spread from the USA to the rest of the world, influencing countless artists – also in German-speaking countries – with whose experiences they strongly resonated.

Thursday 21:00


Deceptive Security

How surveillance endangers our security - Saal Borg (de)

What about the security promises that are made when new surveillance instruments are deployed? What undermining of security can surveillance actually cause?

The making of a chip

Saal Clarke (en)

You are surrounded by ICs. Yet you probably don't know much about how such a chip is made. This talk is an introduction to the world of chip fabrication, from photolithography via ion implantation to vapor deposition of the connections.

This talk is a tour through the fabrication of an integrated circuit, an electronic chip. You will see the basics of the different techniques used in the process:

- photolithography ("photolitho")
- etching
- ion implantation
- vapor deposition

and how they are combined:

- photolitho and etching to selectively remove material
- photolitho and implantation to form doped semiconductors that form transistors
- photolitho and vapor deposition to form the connections that turn the transistors into gates

I will touch the underlying semiconductor physics only very briefly to give an idea why this layout makes sense. This talk is meant to give you a glimpse into the world of IC fabrication. I will not talk about things that are particularly new; this knowledge has been around since at least 1990. But it is still interesting since the processes are still used for every IC in production today yet not widely known outside the semiconductor industry. I won't touch IC development (none of the points mentioned here: https://en.wikipedia.org/wiki/Integrated_circuit_development). If you're interested in that, see https://media.ccc.de/v/c4.openchaos.2017.06.cpu-d...

Intel ME: Myths and reality

Saal Adams (en)

Many claims were made recently about purpose and capabilities of the Intel ME but with all the buzz it is not always clear what are facts and what is just speculation. We'll try to clear the fog of misunderstanding with research based on investiga...

We would like to cover the most common claims about the ME, based in part on the new research done in the last few years, such as the complete recovery of the proprietary Huffman compression which previously hindered research into some parts of the ME firmware, as well as describe what steps ordinary users can take to reduce the attack surface exposed by the ME. Some of the claims we plan to cover:

• It's a backdoor made for NSA and serves no useful purpose
• It is always on even if the PC is turned off
• It can read all data on PC/spy on the user
• It can't be disabled
• It can lock the PC with a command sent over the air
• It is a black box which can't be audited because it's closed source
• End users can't do anything about it

Together with the talk we're planning to make available detailed notes on reverse engineering of the ME firmware with some pointers to the identified functionality for other interested researchers.

Thursday 21:15


The Noise Protocol Framework

Saal Dijkstra (en)

The Noise Protocol Framework (https://noiseprotocol.org) is a toolkit for 2-party secure-channel protocols. Noise is used by WhatsApp for client-server communication, by the WireGuard VPN protocol, and by the Lightning Network. In th...

Noise provides a simple pattern language and naming scheme for 2-party DH-based cryptographic handshakes, covering the different possibilities for client and/or server authentication, post/pre-specified peers, identity-hiding, and 0-RTT encryption. These patterns are easily compiled into linear sequences of cryptographic operations using your favorite ECDH, hash, and cipher functions. Extensions are in the works for additional cryptographic choices, e.g. post-quantum options for "hybrid forward-secrecy", as well as negotiation frameworks.

Thursday 22:00


Implementing an LLVM based Dynamic Binary Instrumentation framework

Saal Dijkstra (en)

This talk will go over our efforts to implement a new open source DBI framework based on LLVM. We'll explain what DBI is used for, how it works, the implementation challenges we faced and compare a few of the existing frameworks with our own imple...

We have been using DBI frameworks in our work for a few years now: to gather coverage information for fuzzing, to break whitebox cryptography implementations used in DRM or to simply assist reverse engineering. However, we were dissatisfied with the state of existing DBI frameworks: they were either not supporting mobile architectures, too focused on a very specific use case or very hard to use. This prompted the idea of developing QBDI, which has been in development for two and a half years. With QBDI we wanted to try a modern take on DBI framework design and build a tool crafted to support mobile architectures from the start, adopting a modular design enabling its integration with other tools and that was easy to use by abstracting all the low-level details from the users. In this talk we will review the motivation behind the usage of a DBI. We will explain its core principle and the main implementation challenges we faced. We will go through a few of the existing frameworks (Intel Pin, Valgrind, DynamoRIO) and compare our implementation choices with theirs. Finally, we will demo our framework and showcase its integration inside Frida. We also plan to open source ou...

Thursday 22:15


Opening Closed Systems with GlitchKit

'Liberating' Firmware from Closed Devices with Open Source Hardware - Saal Borg (en)

Systems that hide their firmware-- often deep in readout-protected flash or hidden in encrypted ROM chips-- have long stymied reverse engineers, who often have to resort to inventive methods to understand closed systems. To help reduce the effort ...

Work by a variety of authors has demonstrated the vulnerability of hardware peripherals to fault-injection-driven firmware-disclosure attacks [1]-- or in other words: glitching attacks that cause devices to 'accidentally' disclose their own firmware. A common form of this attack exploits the behavior of hardware peripherals as they send out bits of read-only memory-- by inducing a glitch at the end of a communication, transmitters can often be enticed to transmit memory beyond the end of the scheduled communication, often leaking firmware and other device secrets. For glitching attacks to function properly, glitches must be precisely timed relative to communication events-- a requirement that often requires reverse engineers to develop purpose-built glitch-triggering hardware. GlitchKit helps to relieve this burden-- providing an easy, context-aware glitching toolkit that can synchronize glitch events to a variety of communications events, including events generated by common protocols such as USB. GlitchKit builds atop existing open-source software and hardware-- including the GreatFET communications multitool, the FaceDancer USB-hacking toolkit, and the ChipWhisperer fault-in...

LatticeHacks

Fun with lattices in cryptography and cryptanalysis - Saal Adams (en)

Lattices are an extremely useful mathematical tool for cryptography. This talk will explain the basics of lattices in cryptography and cryptanalysis.

It’s an exciting time for public-key cryptography. With the threat of practical quantum computers looming in the next few decades, it’s high time to replace the systems that can be broken by a quantum computer with ones that remain secure even if the attacker has a quantum computer. However, this is easier said than done – there is no consensus on what replacements should be chosen and how secure the systems are. NIST has just started a 5-7 year competition with the target to recommend a portfolio of post-quantum encryption and signature schemes. Considerations will be speed, bandwidth, and of course security. Several of the submissions are based on lattices. At our current level of understanding, lattice-based cryptography offers relatively small public keys for both encryption and signatures, while having good performance and reasonably sized ciphertexts and signatures. While these features are nice and make us want to know more about lattices, that world can be a scary place full of discussions of Minkowski bounds, Gaussian distributions, and orthogonalized bases. We will show how these schemes work in accessible terms. Lattices have been used in cryptography for more than...

ASLR on the line

Practical cache attacks on the MMU - Saal Clarke (en)

Address Space Layout Randomization (ASLR) is fundamentally broken on modern hardware due to a side-channel attack on the memory management unit, allowing memory addresses to be leaked from JavaScript. This talk will show how.

Address space layout randomization (ASLR) has often been sold as an important first line of defense against memory corruption attacks and a building block for many modern countermeasures. Existing attacks against ASLR rely on software vulnerabilities and/or on repeated (and detectable) memory probing. In this talk, we show that neither is a hard requirement and that ASLR is fundamentally insecure on modern cache-based architectures, making ASLR and caching conflicting requirements (ASLR xor Cache, or simply AnC). To support this claim, we describe a new EVICT+TIME cache attack on the virtual address translation performed by the memory management unit (MMU) of modern processors. Our AnC attack relies on the property that the MMU's page-table walks result in caching page-table pages in the shared last-level cache (LLC). As a result, an attacker can derandomize virtual addresses of a victim's code and data by locating the cache lines that store the page-table entries used for address translation. Relying only on basic memory accesses allows AnC to be implemented in JavaScript without any specific instructions or software features. We show our JavaScript impl...

Thursday 23:15


Growing Up Software Development

From Hacker Culture to the Software of the Future - Saal Dijkstra (en)

Hacker culture overcomes limitations in computer systems through creativity and tinkering. At the same time, hacker culture has shaped the practice of software development to this day. This is problematic - techniques effective for breaking (...

Hacker culture, which originated CCC (or vice versa?), overcomes limitations in computer systems through creativity and tinkering. Many activities of the hacker community have focussed on discovering weaknesses of IT systems, and creativity and tinkering have been enormously successful at this endeavour. At the same time, hacker culture has shaped the practice of software development to this day. This is problematic - techniques effective for breaking (into) computer systems are not necessarily suitable for developing resilient and secure systems. The long, long list of vulnerabilities with always the same root causes bears testament to this. Thus, ironically, the very techniques hackers have used to discover and fight vulnerabilities are responsible for them in the first place.

It does not have to be this way: It is possible to construct resilient software systematically, greatly reducing the risk of failure. However, this requires significant changes in culture, methodology, and the tools we use to develop software. We need to approach software development as a methodical, systematic activity rather than tinkering, and teach it accordin...

Thursday 23:30


All Computers Are Beschlagnahmt

On the ban of Indymedia linksunten - Saal Adams (de)

In August 2017, Indymedia linksunten was banned by the Federal Minister of the Interior. Attorney Kristin Pietrzyk reports on the raids, on the cooperation between police and intelligence services, and gives insight into the legal proceedings against V...

The most important left-wing radical news platform, linksunten.indymedia.org, was banned in August 2017 by Federal Minister of the Interior Thomas de Maizière. To circumvent press law, the Ministry of the Interior used the law on associations. Without further ado they declared some Freiburg autonomists known to them to be members of an association "Indymedia linksunten" and the Autonomous Centre KTS Freiburg to be its "clubhouse". In order to obtain court-proof evidence for the association ban and for assigning those affected to this association in the first place, four apartments and the "clubhouse" were searched. The money found there was summarily declared "association assets" and confiscated. The confiscated computers are to be "decrypted" by a "task force" of the LKA Baden-Württemberg, the Federal Police and the Federal Office for the Protection of the Constitution and, if successful, evaluated by the domestic intelligence service. Actually, the example of Indymedia linksunten ought to prompt a political discussion about freedom of the press and freedom of expression. About targeted agitation by the Verfassungsschutz in the run-up to the ban and about the fallout of the G20 summit in Hamburg. About the rise of the far-right AfD and a German...

Home Distilling

Theory and practice of moonshining and legal distilling - Saal Borg (en)

This talk covers the theory, legality and economics of home distilling. We present the theoretical background of mashing, fermenting and distilling alcohol as well as the legal framework for home distilling in Germany from 2018 on.

Our theory part covers both the biochemical and physical principles of fermenting fruit mash to alcohol, of distilling this alcohol to a fine spirit and best practices of how to gain maximum output at the best taste. The legal and regulations part shows how to do this process legally under the new German alcohol law of 2018, and how to avoid serious health risks, a.k.a. explosions and burn prevention. The theoretical part will close with a short introduction on the economics of craft distilling, in terms of time consumption and financial investments necessary to get up and running.

Uncovering vulnerabilities in Hoermann BiSecur

An AES encrypted radio system - Saal Clarke (en)

Hoermann BiSecur is a bi-directional wireless access control system “for the convenient and secure operation of garage and entrance gate operators, door operators, lights […]” and smart home devices. The radio signal is AES-128 encrypted and the s...

In our CCC talk we plan to give a step-by-step presentation on how we analyzed and subsequently broke the Hoermann BiSecur system. This includes the following topics:

- Overall system overview
- Radio signal analysis with the CCC rad1o SDR platform
- Reverse engineering of the radio signal
- Hardware analysis of BiSecur transmitters
- Firmware extraction from the microcontroller by exploiting a security flaw in the PIC18F controller
- Firmware disassembly and reverse engineering with IDA Pro
- Analysis results providing a technical overview of how the BiSecur system operates, including the encryption scheme (with AES-128 at its core) and RF operations
- Presentation of our attacks (signal cloning of genuine transmitters)
- Live-Hacking Demo with the CCC rad1o SDR platform
- Suggested security fix

Thursday 00:00


Robot Music

The Robots Play Our Music and What Do We Do? - Saal Dijkstra (en)

Once full automation hits, we will have a lot of free time on our hands. This project demonstrates early explorations in computer generated music via robot hands, old computers and generative algorithms. While the robot performs, we sit next to it...

“Robot Music” is an ongoing robotic research project between artists Goto80 and Jacob Remin centered around automation, creation and loss of control. The project was initiated in 2017 and has been shown in other forms at Illutron (Copenhagen), Algomech Festival (Sheffield) and Internetdagarna (Stockholm). In this installment at CCC robotic arms play music on a Commodore 64 and other sound machines. The robot loads songs that we have made and re-works them live by changing the notes, instruments, arrangements, effects and by applying a general “robot cool” to the mix. While the robot performs, we sit next to it to talk to people about robots being “creative” and “stealing our jobs”. For CCC we will bring two robots. One for performing and one for hacking. We are inviting all hackers to join our conversation, and we are excited to meet people with skills within robotics, programming, neural networks for music composition and live coding.

Schnaps Hacking

from apple to schnaps -- a complete diy-toolchain - Saal Borg (en)

This talk covers the theory, the required tools and how to make them, and the process of turning apples into juice, fermenting it, and enriching the alcohol content of the product.

We will present our high-pressure, drm-free juice press which we used to turn our hand picked apples into juice. Then we present a simple setup to ferment the juice (or other stuff, maybe even mate ;) ) to turn it into an alcoholic beverage. You will learn about the precise steps you need to avoid, in order to not build a still. We will also talk about all the details of a totally hypothetical distilling process, and the results that could have been achieved. Finally we will show you a method to increase the alcohol content of a beverage without distilling it ("ice-rifing"), and talk about our results. We will cover the relevant measuring equipment as well as the theory behind each of these steps, as we go through them.

Thursday 00:45


Hacker Jeopardy

Number guessing for geeks - Saal Adams (de)

The Hacker Jeopardy is a quiz show.

The well known reversed quiz format, but of course hacker style. It once was entitled „number guessing for geeks“ by a German publisher, which of course is an unfair simplification. It’s also guessing of letters and special characters. ;) Three initial rounds will be played, the winners will compete with each other in the final. The event will be in German, we hope to have live translation again.

Hacker Jeopardy Stream

Number guessing for geeks (Stream) - Saal Borg (de)

The Hacker Jeopardy is a quiz show. -- Stream


Friday 11:30


Lightning Talks Day 3

Saal Borg (en)

Lightning Talks are short lectures (almost) any congress participant may give! Bring your infectious enthusiasm to an audience with a short attention span! Discuss a program, system or technique! Pitch your projects and ideas or try to rally a cre...

To get involved and learn more about what is happening please visit the Lightning Talks Wikipage at https://events.ccc.de/congress/2017/wiki/index.php/Static:Lightning_Talks

Methodisch inkorrekt!

The science gala of 34C3 - Saal Adams (de)

The Ig Nobel Prize is an award honoring scientific achievements that "first make people laugh, and then make them think". We explain the pri...

It's about coffee drinking, liquid cats and lots and lots of primary sex organs. Actually a podcast that appears every 14 days. Occasionally also on stages. But always in the service of science. Really. It works, bitches!

Taxation

Saal Clarke (en)

Taxation, the most "boring" #34c3 talk, but hey, it's the economy, stupid, and you pay for it! We will provide a quick overview of the international taxation system, explaining what a Double Irish Sandwich is, why international corporations like G...

You might have heard about #LuxLeaks, #PanamaPapers, or other frivolous tax activities. This talk gives an overview of one of the most urgent policy issues: legal tax loopholes for big corporations, how big their score is in relation to your own tax rate (across Europe) and why it should concern you. Duh, you pay for it. And why you should get active. We will present the launch of a European-wide anti-tax evasion campaign beginning of May 2017. Ireland's decision to phase out the Double Irish tax loophole doesn't mean the country is giving up on tax competition, or that U.S. multinationals will now bring more of their foreign earnings home. The reason affected tech companies are so calm about it is that they know Ireland will do whatever it takes to keep them. And it's not just Ireland ... "Revelations of the extent of tax avoidance by multinationals based on exploitation of the arm’s length system prompted a rear-guard action by the OECD described as the base erosion and profit shifting (BEPS) programme but the programme deliberately avoids any principled re-examination of norms underlying the international tax regime or any consideration of a shift from residence to source-based ...

Holography of Wi-Fi radiation

Can we see the stray radiation of wireless devices? And what would the world look like if we could? - Saal Dijkstra (en)

Holography of Wi-Fi radiation
Philipp Holl [1,2] and Friedemann Reinhard [2]
[1] Max Planck Institute for Physics
[2] Walter Schottky Institut and Physik-Department, Technical University of Munich

When we think of wireless signals such as ...

Friday 12:15


Bringing Linux back to server boot ROMs with NERF and Heads

Saal Clarke (en)

The NERF and Heads projects bring Linux back to the cloud servers' boot ROMs by replacing nearly all of the vendor firmware with a reproducibly built Linux runtime that acts as a fast, flexible, and measured boot loader. It has been years since a...

The NERF project was started by Ron Minnich (author of LinuxBIOS and lead of coreboot at Google) in January 2017 with the goal to bring Linux back to the BIOS by retaining a minimal set of PEI modules for memory controller initialization and replacing the entirety of the server vendor's UEFI DXE firmware with a reproducibly built Linux runtime. It has been ported to a few different manufacturers' servers, demonstrating the general portability of the concept. NERF is fast - less than twenty second boot times, versus multiple minutes. It's flexible - it can make use of any devices, filesystems and protocols that Linux supports. And it's open - users can easily customize the boot scripts, fix issues, build their own runtimes and reflash their firmware with their own keys. The Heads runtime was started by Trammell Hudson (author of Thunderstrike and Magic Lantern) and was presented last year at 33c3. It is a slightly more secure bootloader that uses Linux, the TPM, GPG and kexec to be able to load, measure, verify and execute the real kernel. As part of porting Heads to work with NERF on server platforms, it now includes tools like Keylime to allow servers to remotely attes...

Friday 12:45


Coming Soon: Machine-Checked Mathematical Proofs in Everyday Software and Hardware Development

Saal Dijkstra (en)

Most working engineers view machine-checked mathematical proofs as an academic curiosity, if they have ever heard of the concept at all. In contrast, activities like testing, debugging, and code review are accepted as essential. They are woven i...

Today's developers of computer software and hardware are tremendously effective, compared to their predecessors. We have found very effective ways of modularizing and validating our work. The talk is about ammunition for these activities from a perhaps-unexpected source.

Modularity involves breaking a complex system into a hierarchy of simpler pieces, which may be written and understood separately. Structured programming (e.g., using loops and conditionals instead of gotos) helps us read and understand parts of a single function in isolation, and data abstraction lets us encapsulate important functionality in objects, with guarantees that other code can only access the private data by calling public methods. That way, we can convince ourselves that the encapsulated code upholds certain essential properties, regardless of which other code it is linked with. Systematic unit testing also helps enforce contracts for units of modularity. Each of these techniques can be rerun automatically, to catch regressions in evolving systems, and catch those regressions in a way that accurately points the finger of responsibility to particu...

Friday 13:00


Designing PCBs with code

Is designing circuits with code instead of CAD the future of electronic design automation? - Saal Clarke (en)

An overview and history of various tools and languages that allow you to use code rather than CAD software to design circuits.

For anyone used to expressing their ideas with code, using a CAD tool to design electronics can be an even more frustrating exercise than normal. If you are a programmer thinking about getting into designing circuits, or if you have ever thought "I could easily solve this with a for-loop" when using KiCad, then this talk is for you. We will cover the short history of ideas of using code to describe electronic circuits and culminate in some of the presenter's own experiments in this area.

Friday 13:45


History and implications of DRM

From tractors to Web standards - Saal Clarke (en)

Digital Restrictions Management (DRM) is found everywhere from music to cars and, most recently, World Wide Web Consortium recommendations. How did we get here and where are we going with DRM? Who really owns not just your tools, but your experien...

This talk will cover a range of technologies and use (and failure) cases in how digital experiences are being restricted and controlled by "rights holders." It will also touch on what it means to be a rights holder, and how that's affecting digital media and technology. This talk is aimed at a general audience, and will be tackling these topics at a basic level, with the aim to create shared language and understanding.

Regulating Autonomous Weapons

The time travelling android isn’t even our biggest problem - Saal Adams (en)

Depending on the definition, autonomous weapon systems do not and might never exist, so why should we care about killer robots? It is the decline of human control as an ongoing trend in military systems and the incapacity of computing systems to „...

Therefore, the envisaged military advantages come at a price as the technology raises legal, ethical, and security concerns. The good news: Scientists and NGOs have taken up these concerns and States address the issue within the UN Convention on Certain Conventional Weapons (CCW), where a ban of the development and use of autonomous weapons is possible. The bad news: States Parties might not find a consensus for a necessary regulation. The talk will discuss these pressing issues to support civil society in addressing the regulation of lethal autonomous weapons (LAWS).

“Nabovarme” opensource heating infrastructure in Christiania

Freetown Christiania's digitally controlled/surveyed heating system. 350 users - Saal Borg (en)

Project "Nabovarme" (meaning "neighbour heating") has transformed private heating necessity into a social experiment built on OpenSource software/hardware and social empowerment by transforming heat consumers into Nabovarme Users and letting them ...

Christiania - a child of hippie thinking and direct democracy, est. 1971
900 inhabitants, 210 houses, 24 hectares land, 1 km from the Danish parliament and the royal palace
Local common ownership of ALL infrastructure: houses, roads, electricity, water, sewers, fiber LAN, park and lakes
Nabovarme (started 2001) has connected more than half of Christiania

Previously heating was based on private wood burning stoves, coal burning stoves and oil heaters; Nabovarme has created a transition towards common heating systems based on burning wood pellets. Nabovarme has transformed the heating infrastructure into a social experiment built on OpenSource software/hardware and social empowerment and is transforming passive heat consumers into active Nabovarme Users - making everyone take ownership of the infrastructure, with a goal of optimizing usage for economic and climate reasons. Current technologies for heating systems are proprietary and full of protocols hidden behind NDAs. Our project has unlocked a broad range of devices so data and control now is in the hands of the users - and not sent out of the community. The project is a cross competence endeavor where equal amounts of ...

Friday 14:00


Policing in the age of data exploitation

Saal Dijkstra (en)

What does policing look like in the age of data exploitation? This is the question we at Privacy International have been exploring for the past two years. Our research has focused on the UK where the population has been used as guinea pigs for eve...

Society is changing – the cities we live in, the way we communicate, the objects we carry, what we reveal about ourselves has evolved – and law enforcement across the world is desperately trying to catch up. From mobile phone extraction to social media intelligence, police forces have been trying to take advantage of an environment that is largely unregulated. With 51,000 cameras run by the police, London is arguably the most surveilled city in the world. We have focused our research on a country that has effectively become a playground for law enforcement and for corporations wishing to sell technologies that offer the police unprecedented access to people's lives. The deals are safely signed behind closed doors, and the general population has been left out of this debate. Privacy International has been trying to shed light on these new trends. By conducting research, FOI requests and legal actions, we are attempting to document this new environment. Trials of facial recognition have taken place at football matches and at Notting Hill Carnival. They will continue to test this technology on the public, and the next year will see a rapid uptake of a variety of predictive policing to...

Friday 14:30


Antipatterns and Misunderstandings in Software Development

A story full of misunderstandings - Saal Adams (de)

Drawing on anecdotes from 20 years of software development, the talk tries to work out what leads to failing projects in practice.

It is not about programming errors but about errors in the approach, in the processes, wrong incentives, etc. The antipatterns are about things that are done for the wrong reasons, such as migrating a monolith to a microservice architecture and ending up with a distributed monolith. A common pattern is that the advantages of an approach are avoided with surgical precision, while every single disadvantage is generously taken on board.

Net Neutrality Enforcement in the EU

Saal Clarke (en)

After four years of advocacy and lobbying to enshrine net neutrality principles in law in Europe, we can now examine the first full year of enforcement of the new rules. We will compare the enforcement of net neutrality in the individual EU member ...

Net neutrality is the principle that all data transfers on the internet should be treated equally. It gives users the right to choose the content and services they wish to see and use online, and prevents ISPs from acting as gatekeepers. Net neutrality also guarantees equal access to the global Internet for all ideas, innovations and opinions without centralised control. Since August 2016, the EU has had a regulatory regime protecting net neutrality that now has to be enforced by the national telecoms regulatory authorities. Unfortunately, we observe very different results in different EU member states, with Germany presenting a particularly negative example. In this context, our NGO epicenter.works has focused its enforcement work on a product of Deutsche Telekom called "StreamOn". We will showcase our work on that product: analysing the offer, raising awareness, submitting complaints to the regulator, and speaking at the annual general meeting of Deutsche Telekom AG. This presentation is intended for everyone interested in net neutrality, and particularly for those who want to become active in safeguarding it.

OONI: Let's Fight Internet Censorship, Together!

The Open Observatory of Network Interference - Saal Borg (en)

How can we take a stand against the increasing shadow of Internet censorship? With OONI Probe you can join us in uncovering evidence of network interference!

During this talk we will give you an overview of the challenges people around the world face when accessing the internet. In 2017, we have witnessed multiple cases of Internet censorship being used as a tool to suppress controversial political views. We've also seen increasing censorship of conversations between individuals, reflected by the blocks on chat networks like WhatsApp and Signal. OONI, the Open Observatory of Network Interference, is a project for documenting and revealing these violations of Internet connectivity. In 2017, we released mobile applications, reported on policy changes, expanded our testing to detect throttling, and now process close to 100,000 measurements from over 200 countries each month. We'll share how we're thinking about increasing transparency and accountability around the issues of access and censorship, and how you can join this growing, open movement.

Friday 15:15


Open Source Estrogen

From molecular colonization to molecular collaboration - Saal Clarke (en)

Collaborative and interdisciplinary research, Open Source Estrogen combines biohacking and artistic intervention to demonstrate the entrenched ways in which estrogen is a biomolecule with institutional biopower. It is a form of biotechnical civil ...

A collaborative, interdisciplinary research project, Open Source Estrogen combines biohacking and speculative design to demonstrate the entrenched ways in which estrogen is a biomolecule with institutional biopower. It is a form of biotechnical civil disobedience, seeking to subvert dominant biopolitical agents of hormonal management, knowledge production, and anthropogenic toxicity. The project begins with a speculative question: what if it was possible to make estrogen in the kitchen? From this seed arises more fundamental questions about who is producing hormones, whose bodies are affected, and how environmental hormones exist already as a state of toxicity. While issues of body and gender sovereignty are deeply at stake, endocrine disruptors termed ‘xenoestrogens’ pervade our environments due to petrochemical agro-industrial and pharmaceutical forces. These xeno-molecules change the morphology of our bodies and bodies of non-human species, evidencing a malleability inherent to nature but alien to our prescribed notions of (eco)heteronormalcy. In response to the “molecular queering” performed by estrogen, facilitated by dominant hegemonic forces, the project initiates a publi...

Internet censorship in the Catalan referendum

Overview of how the state censored and how it got circumvented - Saal Dijkstra (en)

On October 1st the Catalan society held a referendum to decide if they wanted to stay part of the Spanish state or create an independent state. This talk will explain the internet censorship which took place in the weeks before the referendum, on ...

The talk will focus on the methods used by the state to carry out the censorship. The targets included websites informing about the referendum and the information about which polling station each citizen had to use. I will describe how the censorship was circumvented and give an insight into the systems developed to make cloning of the information easy. On the day of the referendum it was expected that the Spanish police would close down polling stations. Therefore a global census, accessible via the internet, was introduced which allowed voting at any polling station. I will describe how this global census was organised to block people from voting twice. I will explain the different ways in which the census was attacked by the Spanish state. And of course what we can learn from the state censorship to create more resilient infrastructures.

Vintage Computing for Trusted Radiation Measurements and a World Free of Nuclear Weapons

Saal Adams (en)

Eliminating nuclear weapons will require trusted measurement systems to confirm authenticity of nuclear warheads prior to their dismantlement. A new idea for such an inspection system is to use vintage hardware (Apple IIe/6502) instead of modern m...

Twenty-five years after the end of the Cold War, there are still about 15,000 nuclear weapons in the arsenals of the nine nuclear weapon states. After an era of transparency, cooperation, and confidence-building in the 1990s, progress in nuclear arms control slowed down in the 2000s and is currently in a crisis. The newly negotiated Treaty on the Prohibition of Nuclear Weapons (“Ban Treaty”) and the 2017 Nobel Peace Prize have given new attention to the enduring threat posed by these weapons and the urgency of further reductions. Any further progress toward nuclear disarmament will have to rely on robust verification mechanisms, especially while there is limited trust among the relevant states. This requires trusted measurement systems to confirm the authenticity of nuclear warheads based on their radiation signatures. These signatures are considered sensitive information, so the systems have to be designed to protect them. To accomplish this task, so-called “information barriers” have been proposed. These devices process the sensitive information acquired during an inspection, but only display results in a pass/fail manner. Traditional inspection systems rely on complex electronic...

Saving the World with Space Solar Power

or is it just PEWPEW?! - Saal Borg (en)

Space solar power stations, such as SPS Alpha, could overcome some issues that renewable energy plants on Earth suffer from structurally, once challenges such as energy transfer from orbit to Earth are solved. But will this solve the Earth's probl...

The increasing demand for energy seems to be one of the greatest challenges for modern society. [1,2] Power generation approaches of the 20th century, such as coal, oil, or nuclear plants, come with certain issues limiting their scalability and/or questioning the approach itself, since they may harm nature and the environment on a long time scale. Renewable energy generated e.g. with solar cells, windmills, or tidal stations is on the rise, but it usually depends on certain locations, weather, storage capabilities, and in some cases even on political climates. [3] Space-based solar power generation [4,5] overcomes some of these issues: solar cells in orbit are independent of atmospheric influences and weather (e.g. clouds), solar harvesting satellites can be placed in orbits where they always face the sun and generate power continuously, and there is enough space to scale the plants in order to serve the power demands. Solar power is an infinite power source (at least on the time scale of humanity). The bottleneck with this approach, however, is the transfer of the power from orbit to Earth. But if solved, this technology can supply power to locations on Earth that are remotely...

Friday 15:45


Drones of Power: Airborne Wind Energy

Saal Borg (en)

Airborne wind energy is the attempt to bring the digital revolution to the production of energy. It means that we convert the power of high-altitude winds into electricity by autonomously controlled aircraft which are connected to the ground via a...

It is hard to argue that energy is not the very heart of humankind’s major challenge. Up to now it is largely untouched by a digital revolution -- the main power sources of the world are remarkably dumb. We are about to change this. In this talk, we will present what we think will disrupt energy production. We're not talking about retrofitting the power grid with yet more insecure 'smart' components. This is about predictably available renewable energy called Airborne Wind Energy (AWE): autonomous flying drones at high altitudes can harvest the wind’s energy cheaper than any wind turbine, and most importantly: it can be done almost everywhere and almost all the time, solving the two major technological and geopolitical challenges of sustainable energy production, which have rattled the world for decades. We are convinced that humans should power the world by clean energy only, and we think AWE can be a key element to do just that. In this talk, we will cover the physical foundations, introduce a few of the control algorithms and the challenges associated with very strong forces acting on very light objects. We will also shed light on the progress of leaders in the fiel...

Friday 16:30


cryptocurrencies, smart contracts, etc.: revolutionary tech?

short answer: Yes! - Saal Adams (en)

Bitcoin arrived eight years ago, and has now spawned a dazzling array of follow-on technologies, including smart contracts, censorship-resistant computation, trustless databases (“blockchains”) and more. This talk attempts to highlight a few of th...

This talk will briefly summarize in broad strokes which previously-impossible technologies have now been proven and deployed (starting with Bitcoin), as well as the general outlines of nascent technologies that are currently under development. It will also briefly outline the evolution of the market and the social response to these technologies, such as the ICO boom and the varying reactions of different populations and governments. It will also draw out a few examples that illustrate the situation in more detail, such as the recent crackdown by the Chinese government, the deployment and evolution of Ethereum, and the massive investment into new technologies which is being fuelled by the ICO boom.

Don't stop 'til you feel it

Artistic interventions in climate change - Saal Borg (en)

This talk will report on my current research in bringing to bear multiple knowledges on problem spaces around the environment and digital culture, and in so doing questioning both the prevailing knowledge hierarchy and the institutionalisation of ...

We exist within a set of rules about the value of knowledge - a hierarchy of knowledge that places quantified data at the top and the “lower” senses at the bottom. The neglect of other forms of knowledge – aesthetic, embodied, cultural and more – has created a void in our socio-political and environmental relations that has been filled by emotive, populist rhetoric that undermines the validity of the knowledge we have. Post-truth practices are answering a gap that arises from our reliance on cognitive knowledge as the main valid form of knowledge – including datafication of everything – particularly in politics. As an alternative I propose we augment this cognitive and data derived knowledge with more emotionally connecting knowledges, to achieve a more integrated understanding of the world, and to once again embark on a quest for a type of truth. When we live close to the land we experience empathy with the land. It has recently been said that indeed our present mode of life has led to the “death of empathy”. The Coral Empathy Device uses principles of embodied learning to explore whether physical sensation curated by an artist can evoke interspecies empathy in a huma...

UPSat - the first open source satellite

Going to space the libre way - Saal Clarke (en)

During 2016, Libre Space Foundation, a non-profit organization developing open source technologies for space, designed, built and delivered UPSat, the first open source software and hardware satellite.

UPSat is the first open source software and hardware satellite. The presentation will be covering the short history of Libre Space Foundation, our previous experience on upstream and midstream space projects, how we got involved in UPSat, the status of the project when we got involved, the design, construction, verification, testing and delivery processes. We will also be covering current status and operations, contribution opportunities and thoughts about next open source projects in space. During the presentation we will be focusing also on the challenges and struggles associated with open source and space industry.

avatar²

Towards an open source binary firmware analysis framework - Saal Dijkstra (en)

Avatar² is an open source framework for dynamic instrumentation and analysis of binary firmware, which was released in June 2017. This talk does not only introduce avatar², but also focuses on the motivation and challenges for such a tool.

Dynamic binary instrumentation and analysis are valuable assets for security analysis and testing, and while a variety of tools exist for desktop software, the tooling landscape for analysing low-level binary firmware that interacts directly with hardware is relatively empty. This talk will first outline the key problems in developing dynamic firmware analysis tools and pinpoint different approaches to overcoming those problems. The core of this talk, however, focuses on avatar², an open source framework built to ease firmware reversing and security analysis. In more detail, avatar² uses partial emulation to enable transparent analysis of firmware: while the main firmware is executed inside the emulator, I/O operations to and from the hardware are typically relayed to the actual hardware or handled by the emulator. To realize this complex orchestration, avatar² enables communication and state synchronization between a variety of popular tools, such as Qemu, OpenOCD, GDB, PANDA and angr. While the declared scope of avatar² is the analysis of embedded firmware, this talk will also show that the framework can be useful in other contexts, such as scripting gdb in python from ...

Friday 17:00


SatNOGS: Crowd-sourced satellite operations

Satellite Open Ground Station Network - Saal Clarke (en)

An overview of the SatNOGS project, a network of satellite ground station around the world, optimized for modularity, built from readily available and affordable tools and resources.

We love satellites! And there are thousands of them up there. SatNOGS provides a scalable and modular platform to communicate with them. Low Earth Orbit (LEO) satellites are our priority, and for a good reason: hundreds of interesting projects worth tracking and listening to are happening in LEO, and SatNOGS provides a robust platform for doing so. We support the VHF and UHF bands for reception with our default configuration, which is easily extendable to transmission and other bands too. We designed and created a global management interface to facilitate operating multiple ground stations remotely. An observer is able to take advantage of the full network of SatNOGS ground stations around the world.

Friday 18:30


Inside AfD

Saal Clarke (de)

Autumn 2017. Somewhere in Germany. The leading heads of the AfD dream of taking parliamentary power and of a creeping victory in the battle over who gets to define the meaning of words. But then everything turns out quite differently.

Their visionary and main speaker has suddenly disappeared, and in his place an African chameleon steps onto the political stage. The situation, at first perceived as a crisis, turns out to be a great opportunity for the AfD to anchor itself deep in society. A modern Barbarossa myth emerges. But they reckoned without the chameleon... After months of research, the nö theater explores in “Inside AfD” the strategies and mechanisms of the zeitgeist party. At the same time it raises the question of how to deal with the AfD effectively and of being involuntarily instrumentalised by it. In “Inside AfD” the nö theater turns away from classic documentary theatre and seeks answers in a lyrical disenchantment. The result is a symbolic and linguistic roller-coaster ride through the Federal Republic in the post-factual age. A co-production with the Polittbüro Hamburg.

Protecting Your Privacy at the Border

Traveling with Digital Devices in the Golden Age of Surveillance - Saal Adams (en)

Our lives are on our laptops – family photos, medical documents, banking information, details about what websites we visit, and so much more. Digital searches at national borders can reach our personal correspondence, health information, and finan...

This talk will begin with an overview of the legal and policy issues surrounding border crossings, where many countries conduct more invasive searches than their constitutions would otherwise allow. The discussion will include examples of countries that can require you to enter passwords to decrypt data on your laptop and that will examine your social media and cloud data, and will provide advice on which countries may require more extensive precautions. This includes the challenges of entering the United States in the time of Trump, discussing the recent changes to policy for visitors entering the country, what your rights are as a visa holder, and details of EFF’s lawsuit challenging the policy. Turning to the practical, the talk will discuss techniques to help protect your data, from basic precautions like backups and externally stored data, to more advanced advice about encryption and password strategies, secure boot processes, as well as data hygiene: how to travel clean and still have access to important information on the other side. This will cover what border agents are theoretically capable of doing to compromise devices, and what precautions you can take to secure...

A hacker's guide to Climate Change - What do we know and how do we know it?

An introduction to the basics of climate research and what we can do about climate change - Saal Borg (en)

Climate change has long ceased to be news to many people, but it is increasingly shaping humanity's reality. This talk sheds light on the changes in the climate system and their consequences. We introduce the basics and discuss possible acti...

I. Understanding the Climate System. We begin with the physical basics, guided by visualizations rather than focussing on the math. What do we know about the workings of the climate? How do we know? We also consider the reliability of our knowledge in detail, as well as open questions yet to be answered. What are the bio-physical consequences? What are the socio-economic ones?

II. Hacking the Climate. Next, we discuss leverage points to hack the climate system itself: climate engineering. Many ideas have been proposed, such as removing greenhouse gases or changing the radiative budget by other means. Most of these attempts are no more than a workaround. Nevertheless, some of them are discussed much more seriously among climate scientists than the public realizes.

III. Hacking the System. We conclude with examples of what could be effective solutions to the climate problem and what we can do: hacking our political and economic system rather than the earth system. How can individuals contribute? What societal changes do we need?

Resilient Cryptography

Saal Dijkstra (de)

The security disasters in key generation in TPM chips and in the Minix 3 based Intel ME implementation show that trust in hardware-based computer security must be fundamentally questioned. The robustness in hostile ...

Cryptography helps against very powerful attackers. But when mistakes are made in key generation, or hardware backdoors enable attacks that are hard to detect, the entire security foundation breaks. The security disasters in key generation in TPM chips and in the Minix 3 based Intel ME implementation show that trust in hardware-based computer security must be fundamentally questioned. There is a range of simple mathematical hacks that make even future attack methods durably harder. Robustness in a hostile environment can also be increased, with mathematical assurance, by means of more sophisticated cryptographic methods.
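The TPM key-generation disaster the abstract refers to is the ROCA flaw (CVE-2017-15361) in Infineon's RSA library, disclosed in October 2017. Its primes have the shape k*M + (65537^a mod M) for a primorial M, so an affected modulus N = p*q satisfies N ≡ 65537^(a+b) (mod M) and can be recognised by residue tests without factoring it; that is exactly the kind of independent check of a chip-generated key that the talk argues for. The following Python is an added example written for this page, not code from the talk: the prime set is the first 38 odd primes (the basis the public detectors use; the exact set is an assumption here), and the two test values are constructed numbers with and without the residue structure, not real keys.

```python
# Added example: residue fingerprint for ROCA (CVE-2017-15361) affected RSA moduli.
# An affected modulus is, modulo the primorial M, a power of 65537, so for every
# prime p dividing M the residue N mod p lies in the subgroup <65537> of Z_p^*.

GENERATOR = 65537

# First 38 odd primes; assumed here to be the small-prime basis of the test.
PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67,
          71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139,
          149, 151, 157, 163, 167]


def subgroup(p, g=GENERATOR):
    """Residues mod p reachable as g**k mod p, i.e. the cyclic subgroup <g>."""
    members, x = set(), 1
    while x not in members:        # stops when the cycle returns to 1
        members.add(x)
        x = (x * g) % p
    return members


ALLOWED = {p: subgroup(p) for p in PRIMES}


def roca_fingerprint(n):
    """True if n mod p lies in <65537> for every prime p in the basis, the
    structure the flawed generator leaves behind. Stops at the first prime
    that rules it out; an unrelated modulus fails almost surely."""
    return all(n % p in ALLOWED[p] for p in PRIMES)


def failing_prime(n):
    """First prime whose residue rules out the ROCA structure, or None when
    the fingerprint matches (handy when explaining a verdict)."""
    for p in PRIMES:
        if n % p not in ALLOWED[p]:
            return p
    return None


def false_positive_rate():
    """Probability that a modulus with uniformly random residues passes every
    test: the product of |<65537> mod p| / p over the basis primes."""
    rate = 1.0
    for p in PRIMES:
        rate *= len(ALLOWED[p]) / p
    return rate


# Constructed test inputs (not real keys). M is the primorial of the basis.
M = 1
for _p in PRIMES:
    M *= _p

# A power of 65537 mod M plus a multiple of M has the affected residue
# structure at every basis prime, just like a genuine ROCA modulus.
LOOKS_AFFECTED = pow(GENERATOR, 123457, M) + 42 * M
# Residue 0 mod 5 is never a power of 65537, so this one is ruled out at p=5.
LOOKS_CLEAN = M + 5


if __name__ == "__main__":
    for name, n in (("constructed affected", LOOKS_AFFECTED),
                    ("constructed clean", LOOKS_CLEAN)):
        if roca_fingerprint(n):
            print(name, "-> ROCA fingerprint matches")
        else:
            print(name, "-> ruled out at p =", failing_prime(n))
    print("false-positive rate for a random modulus: %.3g" % false_positive_rate())
```

A match says the key carries the flawed generator's structure and should be replaced; it does not factor the key, and a non-match says nothing about other weaknesses. To run it on a real certificate, feed the decimal modulus taken from the public key into `roca_fingerprint`.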

Friday 19:45


Zamir Transnational Network and Zagreb Diary

The first computer network in a war (Yugoslavia 1992-1997) - Saal Dijkstra (de)

The story of the ZAMIR Transnational Network and of my Zagreb Diary (http://www.wamkat.de/diaries1/zagreb-diary) between 1991 and 1995 in former Yugoslavia. It was the first computer network in a war region that connected all the peace, ...

Between 1991 and 1995 I actively helped to realise the idea of a computer network in a war zone. With the support of Bionic, the CCC and other groups, about a dozen hubs were set up in the territory of former Yugoslavia, which at the time connected almost 20,000 users in the war zone with the outside world and, across the shifting front lines, also with each other: the ZAMIR Transnational Network. During that time I published my electronic diary every day (http://www.wamkat.de/diaries1/zagreb-diary), which was sometimes read by several hundred thousand people and contributed a great deal to building an active, humanitarian grassroots network. I would like to report on the difficulties of that time, which hardly anyone can imagine today even though it is really not so long ago. On how we solved the problems (or did not) and what came of it. On the things we achieved with it. And on what, in the end, became of it for me and others...

On the Prospects and Challenges of Weather and Climate Modeling at Convection-Resolving Resolution

Saal Borg (en)

The representation of thunderstorms (deep convection) and rain showers in climate models represents a major challenge, as this process is usually approximated with semi-empirical parameterizations due to the lack of appropriate computational resol...

Today the evidence for global climate change is unequivocal, and the human influence is clear. Therefore the focus of young researchers has shifted from assessing whether the planet is warming towards envisioning what a warmer world might look like. For instance, basic physical principles suggest that the hydrological cycle of planet Earth will likely undergo dramatic changes. However, understanding and describing the processes involved, estimating future changes, and assessing the underlying uncertainties has proven to be difficult and complex. In this effort, numerical simulations of the weather and climate system are a useful research tool. Weather and climate modeling involves solving the governing equations of atmospheric motion on a numerical mesh and employing semi-empirical parameterizations that treat the processes not represented explicitly. For example, the parameterizations typically include treatments for thunderstorms and rain showers (deep convection). These processes are fundamental to the climate system since they vertically redistribute moisture, heat, and momentum, but so far they could not be resolved explicitly, due to the coarse grid spacing of the mesh (re...

Are all BSDs created equally?

A survey of BSD kernel vulnerabilities. - Saal Adams (en)

In this presentation I start off asking the question „How come there are only a handful of BSD security kernel bugs advisories released every year?“ and then proceed to try and look at some data from several sources.

It should come as no surprise that those sources are fairly limited and somewhat outdated. The presentation then moves on to try and collect some data ourselves. This is done by actively investigating and auditing. Code review, fuzzing, runtime testing on all 3 major BSD distributions [NetBSD/OpenBSD/FreeBSD]. This is done by first investigating what would be good places where the bugs might be. Once determined, a detailed review is performed of these places. Samples and demos will be shown. I end the presentation with some results and conclusions. I will list what the outcome was in terms of bugs found, and who – based on the data I now have – among the three main BSD distributions can be seen as the clear winner and loser. I will go into detail about the code quality observed and give some pointers on how to improve some code. Lastly I will try and answer the question I set out to answer („How come there are only a handful of BSD security kernel bugs advisories released every year?“).

Friday 21:00


Tigers, Printers and a Memorial

News from the Zentrum für Politische Schönheit - Saal Adams (de)

Refugee-eating tigers in Berlin, leaflets in Istanbul calling for the overthrow of a dictator, and a memorial that haunts the right-wing extremist Björn Höcke in his Thuringian village: much has happened since the Zentrum für Politische Schönheit ...

Reason enough to report back once more, to tell a few tales from behind the scenes and to look at unpublished material with you. But beware: the ZPS is the only organisation to have been awarded the seal of approval "terrorist organisation" by Björn Höcke. So it could get funny.

Running GSM mobile phone on SDR

SDR PHY for OsmocomBB - Saal Clarke (en)

Since SDR (Software Defined Radio) has become more popular and more available to everyone, there are a lot of projects based on this technology. Looking from the mobile telecommunications side, at the moment it's possible to run your own GSM or UMTS ...

There is a great open source mobile-side GSM protocol stack implementation: the OsmocomBB project. It can be used for different purposes, including education and research. The problem is that SDR platforms were not among the hardware the project could run on. The primary supported hardware for now is old Calypso-based phones (mostly Motorola C1XX). Although they are designed to act as mobile phones, there are still some limitations, such as the use of proprietary firmware for the DSP (Digital Signal Processor), which is controlled by the OsmocomBB software, and the lack of GPRS support. Moreover, these phones are not manufactured anymore, so it's not so easy to find them nowadays. Taking the known problems and limitations into account, and having a strong desire to give everyone new possibilities for research and education in the telecommunications field, we decided to write a 'bridge' between OsmocomBB and SDR. Using GNU Radio, a well-known environment for signal processing, we have managed to get some interesting results, which we would like to share with the community at the upcoming CCC.

How Alice and Bob meet if they don't like onions

Survey of Network Anonymisation Techniques - Saal Dijkstra (en)

There exists no such thing as a perfect anonymity network with low latency and low bandwidth consumption which provides strong anonymity. Popular anonymisation networks rightfully focus on Web browsing, because that is the most popular application ...

With the popularity of the Web came the popularity of anonymisation communication networks (ACNs) catering for the Web context. That means in particular low latency. Generally, though, anonymisation networks can be classified by different properties such as anonymity goals, strength of adversary or application area. In this talk we present alternative ACNs to the popular Tor network and their goals. We explain their architectures, properties, and how they achieve anonymity. In particular, we will look at JonDonym, I2P, Freenet, and GNUnet as well as ongoing research projects such as Loopix, Vuvuzela, and Riffle. We will see that once you understand your requirements, you can optimise your choice of anonymisation networks according to your needs.

Simulating the future of the global agro-food system

Cybernetic models analyze scenarios of interactions between future global food consumption, agriculture, land use, and the biogeochemical cycles of water, nitrogen and carbon. - Saal Borg (en)

How can we feed a growing world population within a resilient Earth System? This session will present results from our cybernetic computer models that simulate how future trends in population growth, diets, technology and policy may change the glo...

The Potsdam Institute for Climate Impact Research specializes in simulations of the Earth System using supercomputing facilities, pushing the cybernetic concepts of the 20th century to the next level. Dozens of researchers have jointly coded, over more than a decade, a number of Integrated Assessment Models that simulate the complex interactions between humans and the environment in great detail, drawing concepts from both the natural and the social sciences. Building such computer-supported macroscopes allows us to make the vast complexity of the Earth System comprehensible and supports decision makers in finding sustainable pathways into the future. This session will address the question: how can we feed a growing world population within a resilient Earth System? It will present results from our cybernetic computer models that simulate how future trends in population growth, diets, technology and policy may change the global land cover, freshwater usage, the nitrogen cycle and the climate system, and how more sustainable pathways can be reached. We want to discuss how our computer models and our data can be made accessible and usable by a broader community, and which new ways exist to visua...

Friday 21:45


Electroedibles

Open Source Hardware for Smart Candies - Saal Clarke (en)

Electroedibles is an experiment with “edible” hardware that explores the limits of interaction between our tongue and circuits to mock the present fantasies of Internet of (Every)thing. This project initiated by the hardware lab at Shenkar Colleg...

Closing the loop: Reconnecting socio-technological dynamics to Earth System science

Saal Borg (en)

International commitment to the appropriately ambitious Paris climate agreement and the United Nations Sustainable Development Goals in 2015 has pulled into the limelight the urgent need for major scientific progress in understanding and modelling...

Friday 22:15


A Festival of Democracy

On technology, collaborations and what was achieved at the G20 summit 2017 - Saal Dijkstra (de)

Experiences and details from the two critical media projects FC/MC (an alternative media centre in the heart of the city) and THERE IS NO TIME (live talks at the edge of the restricted zone and video reception stations distributed across the city) and their collab...

Info: When it became clear in summer 2016 that in a year's time the avatars of the 20 largest industrial nations would come to Hamburg, the groups behind the projects FC/MC and THERE IS NO TIME developed, at first independently and later in exchange with one another, two complementary media formats to accompany the G20 summit. FC/MC as a platform for critical reporting and for providing the infrastructure for it; TINT with its own live talks, oriented on the items of the official summit agenda, and a network of reception stations across the whole city. Both groups worked with the VOC and other hackers from the CCC to distribute the content produced and to build the technical infrastructure for the FCMC.

Why tho? Experience shows that reporting on events like the G20 is often tendentious and sticks closely to the narrative of the official police reports. In hindsight, too, this is an evident problem given the repression and the handling of police violence. An engagement with the topics that are, or should be, negotiated at the summit usually does not take place or loses...

Decoding Contactless (Card) Payments

An Exploration of NFC Transactions and Explanation How Apple Pay and Android Pay Work - Saal Adams (en)

This talk will dive into the techniques and protocols that drive contactless card payments at the Point of Sale. We will explore how Apple Pay works on a technical level and why you are able to 'clone' your credit card onto your phone. Building up...

Contactless payments are gaining more momentum every day, and even though Apple Pay is not yet available in Germany, you are able to use your new contactless credit card at an increasing number of locations. This trend is not likely to stop anytime soon, and it is time to understand what is going on in the lower layers. To jumpstart the discussion, we will first have a look at all the parties involved in a card transaction and where they are placed in the communication and decision chain. From there we compare the differences between a chip (ICC) and a contactless (NFC) transaction. Afterwards we are ready to look at Apple Pay, Android Pay and other card emulations. Even though they provide the same features at first look, they work fundamentally differently on the technical level. We will learn about storing sensitive transaction information offline on the device in a Secure Element (SE) or online with your service provider utilizing Hosted Card Emulation (HCE). In the end, we will take a short look at how contactless payments might influence our future, why legacy is still king and whether tokenization might just save your day one time.

Friday 22:30


Extended DNA Analysis

Political pressure for DNA-based facial composites - Saal Clarke (en)

In 2017, the federal states of Baden-Württemberg and Bavaria suggested the extension of the law on the analysis of forensic DNA. Up to now, DNA fingerprinting in forensic settings may, in addition to non-coding features of DNA, only analyze the c...

Ever since TV shows such as CSI or NCIS have become popular, DNA evidence has gained a reputation as an infallible method of crime solving. However, similar to fingerprints, DNA evidence up to now only serves as a method of matching the DNA at a crime scene to a suspect. So what if there are no suspects? In theory, DNA possesses all the information on what a human being would look like. Does that mean we could construct a facial composite from blood spots, semen or saliva? While the term “DNA facial composite” may imply so, the science of it is still in its infancy. We can determine a likely eye, hair and skin color and a geographic ethnicity from the DNA, and in some cases even more features. This could, depending on the case, lead investigations to the right suspect - but down a very dangerous path. Genetic information is subject to the laws of privacy. For one, instead of having a crime and finding a suspect, extended DNA analysis leads to an investigation into a crime where there is no suspect, but a range of “non-suspect persons of interest” that are connected to the case only by their appearance. The presumption of innocence is vital to a democracy. Putting people of simi...

Ensuring Climate Data Remains Public

Saal Borg (en)

How do we keep important environmental and climate data accessible amidst political instability and risk? What even counts as an “accessible” dataset? Could we imagine better infrastructures for vital data? By describing the rapid data preservatio...

Climate change data often relies on state-supported scientific research infrastructure, ranging from agency data centres and satellites to the compute clusters powering climate, air and water modelling. Days after the 2016 US election, scholars and activists mobilized to preserve both environmental data and the research infrastructure generating it. While rapid data preservation efforts encouraged many people to act, we are faced with long-standing vulnerabilities in data infrastructure. In this talk I will describe the range of groups involved in data preservation efforts that have been ongoing since November 2016, unpack some of the recent and long-standing issues with data preservation, and speak to the ways people are actively addressing these challenges. In particular, I’ll talk about an organization I am a member of, the Environmental Data and Governance Initiative (EDGI), a distributed network of academics and non-profits that has engaged in a range of projects including guerrilla archiving of federal datasets, ongoing monitoring of content changes on environmental and energy websites, and contributing to growing conversations around Environmental Data Justice.

Friday 23:15


Estimating greenhouse gas emissions

How much CO2 does <...> produce? Roughly? - Saal Borg (de)

Everything we do every day produces greenhouse gases. For a sensible/moral/ecological decision, and to be able to compare usefully with other options for action, you need to know: how much? At least roughly? For beginners. Keine For...

A brief presentation of a few tools, understandable for non-experts, for estimating greenhouse gas emissions:

- Globales Emissionsmodell integrierter Systeme (GEMIS) and Probas
- Environmental Product Declaration
- Ein Guter Tag hat 100 Punkte

Using these tools we will look at a few typical and a few surprising everyday examples:

- Bus or train or car or plane?
- Elevator or stairs - which is more climate-friendly?
- Tap water or bottled water?
- Electric cars and the study from Sweden?
- Amazon or department store?
- Meat, red wine, cheese?

No complete, correct life-cycle assessments are calculated here; the point is to present decision aids that work in everyday life. We nevertheless take complete process chains into account, from the borehole to disposal.

It's the small things in life II

what is possible and how to get started, with microscopes - Saal Clarke (de)

Everyone knows roughly what you can do with a microscope: look at small things. But how exactly does that work, what do you need for it, and isn't there some way to get digital images out of it? This is meant to be an introduction, namely...

Some people have memories of microscopes from school, perhaps someone still has a microscope from an experiment kit somewhere at home, some really only know pictures from the media, but somehow everyone has an idea of what a microscope is: it magnifies things. A device built solely for the purpose of magnifying small things brings a few peculiarities with it in terms of optics and imaging. I want to explain what is special about a microscope objective, what the terms field of view, numerical aperture, field curvature, resolution and magnification mean and, above all, what that means for use at home. There is quite a bit of equipment to buy. I want to show what cheap USB microscopes can do, what the clip-on microscopes for smartphones are worth, what to look out for with “children's microscopes” and what of this you could build yourself. It will also be explained how to obtain digital images with cheap (or home-made) hardware and open software. In addition, a few applications will be presented. Biology is not the only reason to reach for a microscope,...

Friday 23:30


Deconstructing a Socialist Lawnmower

Obsolete Technologies + Critical Material Studies in Media Art - Saal Dijkstra (en)

Darsha Hewitt is a Canadian artist working in new media and sound. She is known for her examinations of communication technology in the domestic sphere and her use of DIY aesthetics and practices as an artistic method. She makes electromechanical ...

Alongside her artistic practice, Darsha is presently a fellow at the Berlin Centre for Advanced Studies in Arts and Sciences (BAS) in the Graduate School at the Art University of Berlin and a Guest Professor in New Media and Sound Art at the Karlsruhe University of Art and Design. From 2015-16 she shared a joint guest professorship in New Media with Aram Bartholl at the Art University of Kassel. She is also a Lecturer in the Media Arts Environments Research Chair at the Bauhaus University Weimar. Her do-it-yourself electronics workshops are an integral part of her discipline and are presented internationally. Her work in this field was a subject in the Music, Digitization, Mediation: Towards Interdisciplinary Music Studies project based in the Faculty of Music at Oxford University. Darsha is a collaborating facilitator of the Music Makers Hack Lab with Create Digital Music.

This is NOT a proposal about mass surveillance!

Analysing the terminology of the UK’s Snooper’s Charter - Saal Adams (en)

In November 2016 the UK passed the Investigatory Powers Act (aka Snooper’s Charter). This act extends the surveillance powers of the state to an unprecedented degree, e.g. legalising the hacking of devices or forcing Internet Service Providers to collect w...

Much research has been dedicated to analysing the rhetoric of political discourse, but this talk focuses on the semantics of surveillance discourse from a corpus linguistic perspective. Corpus linguistics is the study of language based on examples of real-life language use and works with large amounts of data. In this talk I will analyse the context of keywords which are used in the parliamentary debates and the respective media coverage concerning the passing of the Snooper’s Charter. Using methods of corpus linguistics I want to show how central terms are constructed entirely differently in these two spheres. While newspaper articles present the inconvenient consequences of this legislation and classify the proposed measures in categories which are familiar to the reader, the parliamentary debates open up new categories for practices known as mass surveillance and deny the existence of the latter. Let me assure you that this does not meet the criteria of doublethink...

Friday 00:00


Public FPGA based DMA Attacking

Saal Clarke (en)

Most thought Direct Memory Access (DMA) attacks were a thing of the past after CPU vendors introduced IOMMUs and OS vendors blocked Firewire DMA. At least until the PCILeech direct memory access attack toolkit was presented a year ago and quickly ...

A year later the situation has improved, but some firmware and operating systems still remain vulnerable by default. The hardware used to perform the attacks was, however, limited both in capabilities and supply. FPGA support was introduced and made available to the public to overcome these problems. In this talk I will subvert kernels, defeat full disk encryption and spawn system shells - all by using affordable, publicly available FPGAs and open source software!

Friday 00:45


Nougatbytes 11₂

The geeky word & picture puzzle game show is back - Saal Adams (de)

Two teams with smoking heads and a cheering audience puzzle their way through our third wordplay hell of IT, computer science and digital society. Whoever, faced with multi-layered (editor's note: “hair-raising”!) association picture puzzles, feels joyful ...

General call: for the first round of Nougatbytes we want to recruit the teams in advance. If you feel like taking part and dare to sit on our couch, form gangs of three to five, give yourselves a name and let us know why you are up for some brain-teasing: couchplatz@nougatbytes.de

Links / videos: Nougatbytes 1 and 10
https://media.ccc.de/v/26c3-3671-de-nougatbytes_-_ein_wortspiel_bunt_und_in_stereo
https://media.ccc.de/v/29c3-5037-de-en-nougatbytes10_h264
http://nougatbytes.de


Saturday 11:30


Lightning Talks Day 4

Saal Borg (en)

Lightning Talks are short lectures (almost) any congress participant may give! Bring your infectious enthusiasm to an audience with a short attention span! Discuss a program, system or technique! Pitch your projects and ideas or try to rally a cre...

To get involved and learn more about what is happening please visit the Lightning Talks Wikipage at https://events.ccc.de/congress/2017/wiki/index.php/Static:Lightning_Talks

library operating systems

reject the default reality^W abstractions and substitute your own - Saal Dijkstra (en)

Traditional models of application development involve talking to an underlying operating system through abstractions of its choosing. These abstractions may or may not be a good fit for your language or application, but you have no choice but to ...

This talk is an overview of library operating systems that focuses on the benefits to application developers. Interfacing with lower-level systems using familiar abstractions, rather than alien ones, is a thing of joy -- in testing, reasoning, modification, and participation. Operating systems programming doesn't have to be an arcane black art requiring a totally different set of skills from your day-to-day application development. It can be comprehensible, documentable, testable, and hackable with your everyday tools. Operating systems hacking is in reach! Examples (when appropriate) will be given using the MirageOS library operating system, which is written in OCaml, but principles discussed are applicable to other library operating systems projects including IncludeOS in C++, HaLVM in Haskell, and many others.

Mietshäusersyndikat: hacking the real estate market

How to buy a house without owning it - Saal Adams (de)

The Mietshäusersyndikat is a non-commercial cooperative whose goal is to create spaces for self-organised living without itself becoming a landlord.

Housing is mostly characterised by private ownership: the owners want to rent out their properties at a profit. Those who rent are highly dependent: rents can be driven up, and whoever cannot pay is thrown out. The Mietshäusersyndikat developed to counter this structure. Here, housing projects are loosely organised whose houses are not in private hands, so that the dependencies mentioned disappear. But how is that possible in today's real estate market? Houses not in private ownership and not aimed at making a profit? The Mietshäusersyndikat's statute of 1992 names the goal “to support the creation of new self-organised housing projects and to push them through politically: humane housing, a roof over one's head, for everyone.” Houses bought by project groups out of the Mietshäusersyndikat are meant to be there for people, not for profit, and are never to return to the real estate market. By now the Mietshäusersyndikat network comprises more than 125 houses that are nobody's private property and are managed by the residents themselves...

International Image Interoperability Framework (IIIF) – Cultural institutions create interoperable interfaces for digitised cultural heritage

Saal Clarke (de)

New standards such as IIIF (http://iiif.io) make it possible to provide digitised cultural heritage (paintings, books, manuscripts, photographs, maps, etc.) in an interoperable and machine-readable form. Building on this, not only attractive p...

The free availability of image-based documents is of fundamental importance for the dissemination of cultural knowledge as well as for research and teaching. Providing digitised copies of historical paintings, drawings, books, journals, manuscripts, maps, scrolls, photographs and archival materials online makes it possible to offer their contents to large user groups independent of location and with optimal protection of the physically fragile originals. With new standards such as IIIF this is now also possible in machine-readable form. Whereas until a few years ago these works could only be viewed on isolated, institutional websites, since 2011 a growing international community of research libraries, museums and archives has been working on the design and standardisation of an interoperable technology for the cross-institutional provision of digitised material on the Internet under the name International Image Interoperability Framework (IIIF, http://iiif.io). Because of its strong orientation towards Linked Open Data and the interoperable provision of all resources over HTTP, IIIF makes it possible to link data an...

Saturday 12:15


Desk Hooligans

Freedom of information despite the CSU - Saal Adams (de)

How to deal with political powerlessness? The Freedom of Information Act offers a few approaches: it makes it possible even for legal laypeople to take action against authorities that break the law. We are fighting against powerlessness: this year we have...

Modern key distribution with ClaimChain

A decentralized Public Key Infrastructure that supports privacy-friendly social verification - Saal Dijkstra (en)

ClaimChain is a Public Key Infrastructure unique in that it can operate in fully decentralized settings with no trusted parties. A vouching mechanism among users, similar to the Web of Trust, assists with social authentication but without revealin...

Blockchain holds a big promise for Public Key Infrastructure (PKI) designs. Prominent systems, such as Keybase and CONIKS, tend to be centralized, something that eases the update of keys and provides good availability. Centralized designs, however, require users to trust that the source of authority acts honestly at all times and does not perform surveillance.

ClaimChain is a decentralized PKI design, where users maintain repositories of claims implemented as hash chains: data structures that allow for efficient verification of the integrity and authenticity of their content. Claims relate to the key material of the owners, or their beliefs about public keys of others. In the latter case, cross-referencing serves as a way of efficient and verifiable vouching about states of other users. In practice, such information would reveal the social graph of the chain owners and even their communication patterns. To solve this privacy issue, we use cryptographic verifiable random functions to derive private identifiers that are re-randomized on each chain update, encrypted to a given set of authorized readers. In that way, chain owners cannot present different views to authorized...

WHWP

Walter Höllerer on WikiPedia - Saal Clarke (de)

Presentation of the dissertation "WHWP - Walter Höllerer bei WikiPedia". A single article in the German WikiPedia was examined. The talk shows what influence the participating authors had on the quality of the WikiPedia article ab...

The dissertation "WHWP - Walter Höllerer bei WikiPedia" is a media studies investigation. Linguistic methods were applied to examine an encyclopaedic article in the German-language online encyclopaedia WikiPedia. This work is particularly interesting because it offers a detailed look behind the scenes of the WikiPedia staging, comprehensive for the WikiPedia article on Walter Höllerer. Every single change to the article was documented and evaluated. The participating authors were identified by their activities and individually characterised using further information available online. Walter Höllerer was a German literary scholar, professor at TU Berlin, member of Gruppe 47, founder of the Literarisches Colloquium Berlin and of the language/literature journals "Sprache im technischen Zeitalter" and "Akzente". The work clearly shows how easy it is to recognise activity patterns from publicly available data and thereby to make statements about the relevance of the activities of various WikiPedia authors. The work is written in a generally comprehensi...

Saturday 13:00


Italy's surveillance toolbox

Research on Monitoring Italian Government Surveillance Capabilities by means of Transparency tools - Saal Dijkstra (en)

This project aims to take advantage of the availability of public procurement data sets, required by anticorruption transparency laws, to discover government surveillance capabilities in Italy.

In this talk I'll present a mixed-strategy approach, based on transparency and privacy activism, to uncover government capabilities by analyzing procurement data of the Ministries of Interior, Justice and Defense, which are allowed by law to buy and use surveillance products and services. This project will present manifold outcomes, such as the mapping of surveillance capabilities, monitoring governmental expenditures, discovering governmental project codenames, providers and peculiar participants of surveillance-related tenders. The project will take advantage of the new Italian FOIA laws by asking for:

- all invoices of each company that we found out selling surveillance technologies to the government
- all technical and economic offers of all the contractors related to surveillance technologies

Preliminary findings of the prototyping phase have been presented at the Freedom Not Fear 201, where we described the strategy we are using and talked about some early results showing documents we received with FOIA requests: the Ministry of Interior provided us with 85 invoices issued by Area SpA, an Italian surveillance company known for selling surveillance technology to Egypt. ...

openPower - the current state of commercial openness in CPU development

is there no such thing as open hardware? - Saal Clarke (en)

How does developing future processors with yesterday's capabilities work out today? CPU development is something out of focus these days. In this lecture I would like to show the state-of-the-art processor development flow of POWER processors from ...

This talk should first give a brief overview of how processor development is done these days and which steps are required to get to working products at the end of the day: what is needed from a technical perspective, how many people are involved during the process and which process steps are required. Second, it should show which requirements are out there for server/cloud products and their customers. Third, it should address why there is this openPOWER initiative and what it all means in regard to hardware development. It should show in more detail the ideas behind this group of different hardware suppliers and universities. It will definitely not end up as a promotional talk, but rather look behind the curtains at how open this format really is and whether it can be used by real people in the end or only applies to commercial entities.

TrustZone is not enough

Hijacking debug components for embedded security - Saal Adams (en)

This talk deals with embedded systems security and the ARM processor architecture. Most of us know that we can perform security with the ARM TrustZone framework. I will show that most ARM processors include debug components (aka CoreSight components)...

Embedded security is still a hot topic. For several years, ARM has proposed its TrustZone framework. With some colleagues, we have studied how we could use debug components available in most ARM processors to create security mechanisms targeting a wide range of attacks (buffer overflows, ROP…) with minimal performance overheads. We use CoreSight debug components with a technique called dynamic information flow tracking (aka DIFT), which allows us to monitor the execution of an application at runtime. Compared to existing works, we show that there’s no need to modify the main processor (existing binaries will be compatible!). Furthermore, we used a coprocessor implemented in reconfigurable logic (FPGA chip) to speed up the DIFT process. This ARM/FPGA combo is up to 90% faster than related techniques in terms of instrumentation time. Furthermore, as the ARM CPU has not been modified (while existing works do modify it…), the final user doesn’t have to recompile all his/her programs to be compatible with our approach. We will also show a few clues to indicate how we could target multi-threaded/multi-processor architectures, as is the case for most embedded systems by now.

Saturday 13:45


institutions for Resolution Disputes

Rosa Menkman investigates video compression, feedback, and glitches - Saal Clarke (en)

The institutions of Resolution Disputes [iRD] call attention to media resolutions. While a ’resolution’ generally simply refers to a standard (measurement) embedded in the technological domain, the iRD reflect on the fact that a resolution is inde...

Rosa Menkman is a Dutch artist, curator and researcher. In 2011 Menkman wrote the Glitch Moment/um, a little book on the exploitation and popularization of glitch artifacts (published by the Institute of Network Cultures), co-facilitated the GLI.TC/H festivals in both Chicago and Amsterdam and curated the Aesthetics symposium of Transmediale 2012.

Briar

Resilient P2P Messaging for Everyone - Saal Borg (en)

Briar is a peer-to-peer messaging app that is resistant to censorship and works even without internet access. The app encrypts all data end-to-end and also hides metadata by utilizing Tor onion services.

Around the world communication is increasingly monitored and restricted. If communication cannot be eavesdropped on, it is often blocked entirely. Less advanced states even block the entire internet nation-wide. We need to develop tools that are more resilient to these threats. Communication and expression need to be free. Censorship should not be possible. Even if the internet was taken down, people should still be able to communicate. This presentation will introduce Briar, a resilient messaging app. Its goal is to enable people in any country to create safe spaces where they can debate any topic, plan events, and organize social movements. Briar does not rely on servers. It connects people directly peer-to-peer and does not care how data is exchanged. Currently, it has plugins for Bluetooth, WiFi and Tor. The latter is used for long-distance communication over the internet and is supposed to not leak metadata. Briar aims to be secure and easy to use at the same time. An Android app is currently in beta. Support for other platforms is planned. Since Briar works peer-to-peer, there is no single universal truth in it. Each group of people might have a different v...

0s & 1s in the Field

What sensor & automation technology in agriculture can already achieve today – an insight - Saal Adams (de)

The dynamics of global agricultural markets have intensified in recent years and pose new challenges for farmers. As in other industries, hopes rest on sensor & data processing technology and the Internet: pro...

The dynamics of global agricultural markets have intensified in recent years and pose new challenges for farmers. Likewise, the widespread image of the farmer's profession is increasingly changing into that of an agricultural entrepreneur who is able to deploy the complete spectrum of the current state of the art. Topics such as resource scarcity, climate change and the worldwide rising demand for food and renewable raw materials are forcing farmers, or agricultural entrepreneurs, in Germany too, to think about new strategies and working techniques in order to increase productivity and efficiency. The rapid development of sensor & data processing technology in combination with the Internet is one of the keys that can help meet the current challenges of agriculture. In the process, and without most of the population suspecting it, great advances in workflows and task execution have been made precisely in agriculture and in the agricultural municipal service sector. Here one may, entirely modern & smart, of Agriculture 4.0...

Saturday 14:30


Fuck Dutch mass-surveillance: let's have a referendum!

Forcing the Netherlands to publicly debate privacy and the intelligence agencies - Saal Adams (en)

Dutch intelligence agencies will soon be allowed to analyse bulk data of civilians on a massive scale, by intercepting internet traffic and through real-time access to all kinds of databases. They will also start hacking third-parties. My friends ...

In this talk I will discuss what the new spying law means for the Netherlands, how we campaigned to get 400k+ signatures, and the future course of the debate and campaign for the referendum (which is due in March). Finally, I would like to do a call to action, nationally and internationally. The main concerns about the law are: the allowance of untargeted interception on a potentially massive scale. (Which the AIVD is framing as not being mass-surveillance, you judge for yourself.) This sparked an outcry from human rights activists, journalists, doctors, and others. Also, the hacking of third-parties is very uncool and has not yet been the subject of a strong public debate. Both edges of the political spectrum are supporting the initiative, which shows how the erosion of privacy affects us all. Thus, our campaign tries to reach out to everyone. Now that the privacy debate is mainstream and #woke again, Team-Intelligence-Agencies is showing their teeth. But we’re biting back, even though we realize that we are five kids (and back-up) fighting something way bigger than ourselves. This means that we really need your support! You can help on so many levels that I won’t write them ...

Privacy Shield - Lipstick on a Pig?

Saal Borg (en)

In 2015 the Court of Justice of the European Union (CJEU) overturned the EU-US data sharing system called "Safe Harbor" over US mass surveillance, as disclosed by Edward Snowden. Only months later the European Commission agreed with the US go...

Organisational Structures for Sustainable Free Software Development

Saal Clarke (en)

What kind of organisational structures exist for free software projects? What funding sources? How can you avoid pitfalls with funding, support volunteers, and stay a happy family?

We will look at various options for structuring projects on an organisational level, the protections (and dangers) of legal entities, and the difficulties of meeting the expectations of financial backers while keeping the volunteers and the community alive. Moritz will draw from his experience with dozens of Free Software projects and funding sources, both from the perspective of a funder and as recipient of grants, contracts and donations.

Hardening Open Source Development

Saal Dijkstra (en)

As authors it is our responsibility to build secure software and give each other the chance to verify and monitor our work. Various flaws in development toolchains that allow code execution just by viewing or working in malicious repositories ...

Not only the software we build can be flawed, but also its dependencies, our tools or just the process of building it. Vulnerabilities in shell integrations, code linters, package managers or compilers can become dangerous vectors of malware infection for developers. Beyond that risk we see software shipped straight from the developer's editor to a repository, through the build chain, across the CDN, referenced from the package registry, almost directly to the user. Since even our favorite package managers have demonstrated large-scale malware delivery, there is reason to seriously question our ability to guarantee our own products' safety at all. Deciding to distrust our own equipment and abilities leads us to find solutions that work based on collaboration to gain safety against failure or fraud. Cleanly defined merge and release processes with automated quality enforcement and distributed quorum-based verification are essential mitigations that allow others to verify our work. By sharing lessons learned from 15 years of building software in open-source and enterprise environments I want to raise awareness for security in the development process and present pra...

Saturday 15:15


34C3 Infrastructure Review

How does the CCC run a conference? - Saal Borg (en)

In this traditional lecture, various teams provide an inside look at how this Congress' infrastructure was planned and built. You'll learn what worked and what went wrong, and some of the talks may even contain facts! Also, the NOC promises to try...

Uncertain Concern

How Undocumented Immigrants in the US Navigate Technology - Saal Clarke (en)

Over 11 million undocumented immigrants live in the United States today. Immediately after taking office, the Trump administration issued two executive orders pumping resources into border and immigration enforcement agencies, heightening fears of...

In this talk, I will first discuss the current state of immigration enforcement in the United States, including recent immigration policy changes, known surveillance capabilities of enforcement agencies, and recent efforts by these agencies that hint at an expansion of technical sophistication. I will then discuss lessons and insights from a series of interviews we conducted with undocumented immigrants and immigrant rights organizations about this community’s technology practices, risk awareness, and security and privacy behavior online. We find that in the face of acute risk of detention, harassment, and deportation, this community is well-versed in managing risks offline. Their most common strategies for managing risk online—self-censorship and controlling access to spaces—are largely the same techniques used in the physical world. However, the immigrants we interviewed are extremely uncertain about the effectiveness of their defenses against adversaries online, which are typically conceptualized as nebulous and all-knowing. We find that managing privacy and immigration status disclosure, a responsibility that rests not only with individuals but in communities, is more com...

The Internet in Cuba: A Story of Community Resilience

Get a unique tour of some of the world’s most unusual networks, led by a Cuban hacker - Saal Adams (en)

Internet access in Cuba is notoriously restrictive. ETECSA, the government-run telco, offers 60 wireless hotspots in parks and hotels, allowing foreigners and citizens alike to "visit" the Internet for only $1/hour… That's what most tourists know...

Internet access in Cuba is a study in resilience. By the official numbers, the island seems hopelessly disconnected: Cuba ranked last in the Americas in the ITU’s 2016 ICT development index, having only 5.6% household Internet penetration, and international bandwidth per user measures a mere 572 bits/s. Yet Cubans have developed a number of bottom-up, community-oriented responses to these limitations. This talk will focus on three indigenous networks that aren't seen by the typical tourist. These include “El Paquete”, a sneaker-net distribution of media files that’s passed around the country on USB sticks and hard drives, and which may be Cuba’s largest source of private employment. There is also the Cuban educational network, which connects more than 20 higher education institutions around the country. Perhaps most unusual is Havana’s “Street Network”, or SNET, a vast unsanctioned IP network, constructed by volunteers using salvaged equipment. Though entirely isolated from the Internet, the SNET connects over 50,000 residential users across the capital city, and it’s home to a vibrant community and hundreds of websites. In describing these three systems, we'll draw lesson...

MQA - A clever stealth DRM-Trojan

A critical look on a new audio Format - Saal Dijkstra (en)

Master Quality Authenticated (MQA) is a new audio format promising studio sound at home and no DRM. We take a critical look at both the sound-quality aspects and the DRM story of MQA.

Master Quality Authenticated (MQA) is an audio format introduced in 2014 promising to deliver studio sound at home. Marketed aggressively, mostly to audiophiles, MQA rests on two central claims: no DRM and better sound through "deblurring temporal inaccuracies" introduced by ADCs and DACs in the signal chain. MQA is backed by the three major labels Warner, Universal and Sony and has support from a number of indie label rights agencies as well as from the Recording Industry Association of America. Rollout started in 2016 and at IFA 2017 the major labels asserted their backing for the format. Streaming services Tidal, Deezer and Pandora as well as Groovers (Korea), 7digital and HDmusicstream offer MQA streaming at a higher price point than their regular offerings (20.- per month instead of 10). Companies like Onkyo, Pioneer, Sony, Rotel and NAD offer hifi products supporting MQA and some smartphone makers like LG have incorporated it too. MQA consists of a container format and a licensing regime for audio DACs. MQA files will play on any redbook-capable device and can be freely copied. The lowest bit of the file is used to store compressed spectral content above 24k and a c...

Saturday 16:30


Tracking Transience

Saal Borg (en)

Hasan Elahi is an interdisciplinary artist working with issues in surveillance, privacy, migration, citizenship, technology, and the challenges of borders. An erroneous tip called into law enforcement authorities in 2002 subjected Elahi to an inte...

Security Nightmares 0x12

Saal Adams (de)

What has happened in the field of IT security over the past year? What new developments have emerged? Which new buzzwords and trends were to be seen?

As always, we dare to give the IT security nightmare outlook for the year 2018 and beyond. After all, what we really want to know is: what will crawl, creep and fly toward us in the future, and around inside our digital implants? In the course of even more transparency, criticism & self-criticism and continuous sustainable optimization of all processes, we will also review earlier predictions regarding the fulfilment of our prophecies.

Type confusion: discovery, abuse, and protection

Saal Clarke (en)

Type confusion, often combined with use-after-free, is the main attack vector to compromise modern C++ software like browsers or virtual machines. Typecasting is a core principle that enables modularity in C++. For performance, most typecasts are ...

C++ is popular in large software projects that require both the modularity of object-oriented programming and the high efficiency offered by low-level access to memory and system intrinsics. Examples of such software are Google Chrome, Microsoft Windows, Mozilla Firefox, or Oracle's JVM. Unfortunately, C++ enforces neither type nor memory safety. This lack of safety leads to type confusion vulnerabilities that can be abused to attack programs. Type confusion arises when the program interprets an object of one type as an object of a different type due to unsafe typecasting, leading to reinterpretation of memory areas in different contexts. For instance, a program may cast an instance of a parent class to a descendant class, even though this is not safe if the parent class lacks some of the fields or virtual functions of the descendant class. When the program subsequently uses these fields or functions, it may use data, say, as a regular field in one context and as a virtual function table (vtable) pointer in another. Exploitable type confusion bugs have been found in a wide range of software products, such as Adobe Flash (CVE-2015-3077), Microsoft Internet Explorer (CVE-2015-6...

SCADA - Gateway to (s)hell

Hacking industrial control gateways - Saal Dijkstra (en)

Small gateways connect all kinds of fieldbusses to IP systems. This talk will look at the (in)security of those gateways, starting with simple vulnerabilities, and then deep diving into reverse-engineering the firmware and breaking the encryption ...

Companies often utilize small gateway devices to connect the different field buses used in industrial control systems (such as Modbus, RS232 etc.) to TCP/IP networks. Under the hood, these devices are mostly comprised of ARM-based mini computers, running either custom, tiny operating systems or uClinux/Linux. The talk will look at the security aspects of these gateways by examining known and unfixed vulnerabilities like unchangeable default credentials and protocols that do not support authentication, and by reverse engineering and breaking the encryption of firmware upgrades of certain gateways. The talk will consist of a theoretical part, an introduction on how to reverse-engineer and find vulnerabilities in a firmware blob of unknown format, and a practical part, showcasing a live ICS environment that utilizes gateways, from both the IP and the field-bus side, to pivot through an industrial control system environment: demonstrating how to potentially pivot from a station in the field up to the SCADA headquarters, permanently modifying the firmware of the gateways on the way.

Saturday 17:30


Abschluss

#tuwat - Saal Adams (de)

DE: Damit wir als Komputerfrieks nicht länger unkoordiniert vor uns hinwuseln, tun wir wat und treffen uns!

EN: To keep us computer freaks from puttering about aimlessly any longer, we’re doin’ somethin’ and will meet!