jetlib.sec » Tags » chaos-communication-congress

Tags: VoIP
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: A lot of people are interested and involved in voice over IP security. Most of the effort is concentrated on the security of the signalling protocols. This talk is focussing on the security of the voice part involved in todays voice over IP world. It is the result of the questions that I had to ask myself while i was debugging audio quality problems of customers and implementing a RTP stack from scratch. The talk gives an introduction on the shortcomings of the Realtime Transport Protocol (RTP), how systems attempt to work around them and how they introduce security vulnerabilites. A few short demonstrations will give an idea on how they can be exploited in the real world (denial of service, man in the middle attacks, call redirection). The last part of the talk will discuss some solutions to fix those vulnerabilities.

Tags:  talk security rtp chaos-communication-congress security-vulnerabilites transport-protocol  

Authors: Lars Weiler
Tags: sniffer
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Network traffic grows faster than monitoring and analysis tools can handle. During the last two years a couple of appliances hit the market which help in finding the “bits of interest”. Recently installed strategies and solutions for carriers, banks or lawful interception organizations will be discussed as examples. Quite every laptop nowadays is capable of handling Gigabit traffic. But doing a network analysis will hit the boundaries of CPU load quite quickly. Now, with 10GbE lines as the usual speed of carrier's and company's backbone, traffic monitoring and analysis became more and more painful. Even the biggest and most expensive analysis appliances on the market are barely capable of a real time traffic monitoring for more than 8Gbit/s. That's were a couple of vendors showed up and created devices which can handle multiple 10GbE lines at the same time. They call them “Active Distributed Traffic Capture Systems” or “Intelligent Data Access Networking Switches” – in short “Data Access Systems”. The primary use is for the aggregation and distribution of traffic. But all of the Data Access Systems are also capable of filtering traffic with the help of FPGA or CPLD techniques. So a carrier, bank or lawful interception organization can aggregate the data from many physical lines into one Data Access System, enter some filters with the help of a browser GUI, and distribute the resulting traffic to the analysis machines. It's easy to monitor 100 lines of 10GbE traffic. For competitive reasons, those vendors started to invent new features for a better or easier analysis of the data on the analysis devices. These include ingress port tagging, time stamping with nanosecond accuracy, slicing of packets and recalculation of checksums in realtime, blanking bits in packets, or even layer 7 filtering for e-mail and instant messenger addresses with full flow capturing. The interesting part for the usage is to create an infrastructure where even without data retention and a long term analysis specific users or just their communication with possible ”interesting“ data for intelligence agencies can be triggered and captured in real time. So, the process of the analysis can be quickened to quite no time. It's safe to say, that the flagship appliance by a vendor has been designed by request of US intelligence agencies. Of course, those devices have to be managed by administrators. For the ease of usage every vendor moved from a CLI based configuration interface to a shiny web GUI – with a couple of flaws. It is easy to break into the system or read out the configuration without access. This lecture will discuss the possibilities of today's data analysis with the help of these Data Access Systems. An overview of the features will help to understand that data analysis devices are not anymore the limiting factor in deep packet inspection of a huge amount of traffic. Examples will show what already has been set up and what is possible by companies and organizations – and which traffic they might monitor yet. During the last three years the speaker installed those appliances from different vendors at customers across Europe, gained deep knowledge of their usage, established a strong contact to the technicians and chief officers both at the vendors and customers side, and found out a lot about the hardware and software by reverse engineering.

Tags:  traffic analysis data lars-weiler europe chaos-communication-congress data-access-system  

Authors: Martin Vuagnoux
Tags: WiFi
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: In this paper, we present several weaknesses in the stream cipher RC4. First, we present a technique to automatically reveal linear correlations in the PRGA of RC4. With this method, 48 new exploitable correlations have been discovered. Then we bind these new biases in the PRGA with known KSA weaknesses to provide practical key recovery attacks. Henceforth, we apply a similar technique on RC4 as a black box, i.e. the secret key words as input and the keystream words as output. Our objective is to exhaustively find linear correlations between these elements. Thanks to this technique, 9 new exploitable correlations have been revealed. Finally, we exploit these weaknesses on RC4 to some practical examples, such as the WEP protocol. We show that these correlations lead to a key recovery attack on WEP with only 9,800 encrypted packets (less than 20 seconds), instead of 24,200 for the best previous attack.

Tags:  wep recovery technique martin-vuagnoux chaos-communication-congress encrypted-packets linear-correlations  

Authors: Lars Weiler
Tags: sniffer
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Network traffic grows faster than monitoring and analysis tools can handle. During the last two years a couple of appliances hit the market which help in finding the “bits of interest”. Recently installed strategies and solutions for carriers, banks or lawful interception organizations will be discussed as examples. Quite every laptop nowadays is capable of handling Gigabit traffic. But doing a network analysis will hit the boundaries of CPU load quite quickly. Now, with 10GbE lines as the usual speed of carrier's and company's backbone, traffic monitoring and analysis became more and more painful. Even the biggest and most expensive analysis appliances on the market are barely capable of a real time traffic monitoring for more than 8Gbit/s. That's were a couple of vendors showed up and created devices which can handle multiple 10GbE lines at the same time. They call them “Active Distributed Traffic Capture Systems” or “Intelligent Data Access Networking Switches” – in short “Data Access Systems”. The primary use is for the aggregation and distribution of traffic. But all of the Data Access Systems are also capable of filtering traffic with the help of FPGA or CPLD techniques. So a carrier, bank or lawful interception organization can aggregate the data from many physical lines into one Data Access System, enter some filters with the help of a browser GUI, and distribute the resulting traffic to the analysis machines. It's easy to monitor 100 lines of 10GbE traffic. For competitive reasons, those vendors started to invent new features for a better or easier analysis of the data on the analysis devices. These include ingress port tagging, time stamping with nanosecond accuracy, slicing of packets and recalculation of checksums in realtime, blanking bits in packets, or even layer 7 filtering for e-mail and instant messenger addresses with full flow capturing. The interesting part for the usage is to create an infrastructure where even without data retention and a long term analysis specific users or just their communication with possible ”interesting“ data for intelligence agencies can be triggered and captured in real time. So, the process of the analysis can be quickened to quite no time. It's safe to say, that the flagship appliance by a vendor has been designed by request of US intelligence agencies. Of course, those devices have to be managed by administrators. For the ease of usage every vendor moved from a CLI based configuration interface to a shiny web GUI – with a couple of flaws. It is easy to break into the system or read out the configuration without access. This lecture will discuss the possibilities of today's data analysis with the help of these Data Access Systems. An overview of the features will help to understand that data analysis devices are not anymore the limiting factor in deep packet inspection of a huge amount of traffic. Examples will show what already has been set up and what is possible by companies and organizations – and which traffic they might monitor yet. During the last three years the speaker installed those appliances from different vendors at customers across Europe, gained deep knowledge of their usage, established a strong contact to the technicians and chief officers both at the vendors and customers side, and found out a lot about the hardware and software by reverse engineering.

Tags:  traffic analysis data lars-weiler europe chaos-communication-congress data-access-system  

Authors: Lars Weiler
Tags: sniffer
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Network traffic grows faster than monitoring and analysis tools can handle. During the last two years a couple of appliances hit the market which help in finding the “bits of interest”. Recently installed strategies and solutions for carriers, banks or lawful interception organizations will be discussed as examples. Quite every laptop nowadays is capable of handling Gigabit traffic. But doing a network analysis will hit the boundaries of CPU load quite quickly. Now, with 10GbE lines as the usual speed of carrier's and company's backbone, traffic monitoring and analysis became more and more painful. Even the biggest and most expensive analysis appliances on the market are barely capable of a real time traffic monitoring for more than 8Gbit/s. That's were a couple of vendors showed up and created devices which can handle multiple 10GbE lines at the same time. They call them “Active Distributed Traffic Capture Systems” or “Intelligent Data Access Networking Switches” – in short “Data Access Systems”. The primary use is for the aggregation and distribution of traffic. But all of the Data Access Systems are also capable of filtering traffic with the help of FPGA or CPLD techniques. So a carrier, bank or lawful interception organization can aggregate the data from many physical lines into one Data Access System, enter some filters with the help of a browser GUI, and distribute the resulting traffic to the analysis machines. It's easy to monitor 100 lines of 10GbE traffic. For competitive reasons, those vendors started to invent new features for a better or easier analysis of the data on the analysis devices. These include ingress port tagging, time stamping with nanosecond accuracy, slicing of packets and recalculation of checksums in realtime, blanking bits in packets, or even layer 7 filtering for e-mail and instant messenger addresses with full flow capturing. The interesting part for the usage is to create an infrastructure where even without data retention and a long term analysis specific users or just their communication with possible ”interesting“ data for intelligence agencies can be triggered and captured in real time. So, the process of the analysis can be quickened to quite no time. It's safe to say, that the flagship appliance by a vendor has been designed by request of US intelligence agencies. Of course, those devices have to be managed by administrators. For the ease of usage every vendor moved from a CLI based configuration interface to a shiny web GUI – with a couple of flaws. It is easy to break into the system or read out the configuration without access. This lecture will discuss the possibilities of today's data analysis with the help of these Data Access Systems. An overview of the features will help to understand that data analysis devices are not anymore the limiting factor in deep packet inspection of a huge amount of traffic. Examples will show what already has been set up and what is possible by companies and organizations – and which traffic they might monitor yet. During the last three years the speaker installed those appliances from different vendors at customers across Europe, gained deep knowledge of their usage, established a strong contact to the technicians and chief officers both at the vendors and customers side, and found out a lot about the hardware and software by reverse engineering.

Tags:  traffic analysis data lars-weiler europe chaos-communication-congress data-access-system  

Tags: VoIP
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: A lot of people are interested and involved in voice over IP security. Most of the effort is concentrated on the security of the signalling protocols. This talk is focussing on the security of the voice part involved in todays voice over IP world. It is the result of the questions that I had to ask myself while i was debugging audio quality problems of customers and implementing a RTP stack from scratch. The talk gives an introduction on the shortcomings of the Realtime Transport Protocol (RTP), how systems attempt to work around them and how they introduce security vulnerabilites. A few short demonstrations will give an idea on how they can be exploited in the real world (denial of service, man in the middle attacks, call redirection). The last part of the talk will discuss some solutions to fix those vulnerabilities.

Tags:  talk security rtp chaos-communication-congress security-vulnerabilites transport-protocol  

Authors: Martin Vuagnoux
Tags: WiFi
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: In this paper, we present several weaknesses in the stream cipher RC4. First, we present a technique to automatically reveal linear correlations in the PRGA of RC4. With this method, 48 new exploitable correlations have been discovered. Then we bind these new biases in the PRGA with known KSA weaknesses to provide practical key recovery attacks. Henceforth, we apply a similar technique on RC4 as a black box, i.e. the secret key words as input and the keystream words as output. Our objective is to exhaustively find linear correlations between these elements. Thanks to this technique, 9 new exploitable correlations have been revealed. Finally, we exploit these weaknesses on RC4 to some practical examples, such as the WEP protocol. We show that these correlations lead to a key recovery attack on WEP with only 9,800 encrypted packets (less than 20 seconds), instead of 24,200 for the best previous attack.

Tags:  wep recovery technique martin-vuagnoux chaos-communication-congress encrypted-packets linear-correlations  

Authors: Martin Vuagnoux
Tags: WiFi
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: In this paper, we present several weaknesses in the stream cipher RC4. First, we present a technique to automatically reveal linear correlations in the PRGA of RC4. With this method, 48 new exploitable correlations have been discovered. Then we bind these new biases in the PRGA with known KSA weaknesses to provide practical key recovery attacks. Henceforth, we apply a similar technique on RC4 as a black box, i.e. the secret key words as input and the keystream words as output. Our objective is to exhaustively find linear correlations between these elements. Thanks to this technique, 9 new exploitable correlations have been revealed. Finally, we exploit these weaknesses on RC4 to some practical examples, such as the WEP protocol. We show that these correlations lead to a key recovery attack on WEP with only 9,800 encrypted packets (less than 20 seconds), instead of 24,200 for the best previous attack.

Tags:  wep recovery technique martin-vuagnoux chaos-communication-congress encrypted-packets linear-correlations  

Tags: VoIP
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: A lot of people are interested and involved in voice over IP security. Most of the effort is concentrated on the security of the signalling protocols. This talk is focussing on the security of the voice part involved in todays voice over IP world. It is the result of the questions that I had to ask myself while i was debugging audio quality problems of customers and implementing a RTP stack from scratch. The talk gives an introduction on the shortcomings of the Realtime Transport Protocol (RTP), how systems attempt to work around them and how they introduce security vulnerabilites. A few short demonstrations will give an idea on how they can be exploited in the real world (denial of service, man in the middle attacks, call redirection). The last part of the talk will discuss some solutions to fix those vulnerabilities.

Tags:  talk security rtp chaos-communication-congress security-vulnerabilites transport-protocol  

Authors: Jeroen Massar
Tags: network Netflow
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: On the Internet one tends to think that one is pretty much safe from poking eyes. Taps in most countries can only be established after a judge has issued a warrant, thus upto such a tap is succesfully deployed one might think one is pretty much in the clear. Most ISPs though actually employ a toolset comprising one of various NetFlow, IPFIX or sFlow protocols to do trend monitoring, billing and of course, the ability to try and establish which connections a certain IP address is making. During the CCC conference we will monitor the CCC network with NetFlow, collecting and directly anonimizing this information on IP basis. We will map a couple of well-known websites/trackers to a private IP range and preserving these mappings, while anonimizing the rest of the IP addresses, thus your anonimity is safe and please be yourself while using the network. Flow data will not be stored, thus we won't be able to go back and re-analyze the information. As a collector/analyzer we will be using the Anaphera tool by IBM Zurich Research Laboratory [1]. This tool is used in IBM datacenters and by customers of IBM worldwide for detecting malicious/unknown network traffic, traffic trending, anomaly detection, growth prognosis and billing. We'll be explaining the intriciate parts about NetFlow, IPFIX and sFlow, what the technologies are and how they work, hopping briefly in the big difference with taps and what they could see when they are deployed and also what we don't see now and what gets lost in the noise. We will be showing you what information and details can be taken from a flow based tool, so that you know what can be seen by ISPs around the world.

Tags:  private-ip-range zurich-research-laboratory chaos-communication-congress  

Authors: Daniel Domscheit-Berg
Tags: information operation privacy
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Due to popular demand, the talk will give an introduction to the OpenLeaks system and the idea behind it.

Tags:  video openleaks authors daniel-domscheit- chaos-communication-congress privacy-event information-operation  

Authors: Frank Rieger
Tags: hacking
Event: Chaos Communication Congress 27th (27C3) 2010

Tags:  video closing event frank-rieger chaos-communication-congress  

Authors: Frank Rieger
Tags: hacking
Event: Chaos Communication Congress 27th (27C3) 2010

Tags:  audio closing event frank-rieger chaos-communication-congress  

Authors: Jeroen Massar
Tags: network Netflow
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: On the Internet one tends to think that one is pretty much safe from poking eyes. Taps in most countries can only be established after a judge has issued a warrant, thus upto such a tap is succesfully deployed one might think one is pretty much in the clear. Most ISPs though actually employ a toolset comprising one of various NetFlow, IPFIX or sFlow protocols to do trend monitoring, billing and of course, the ability to try and establish which connections a certain IP address is making. During the CCC conference we will monitor the CCC network with NetFlow, collecting and directly anonimizing this information on IP basis. We will map a couple of well-known websites/trackers to a private IP range and preserving these mappings, while anonimizing the rest of the IP addresses, thus your anonimity is safe and please be yourself while using the network. Flow data will not be stored, thus we won't be able to go back and re-analyze the information. As a collector/analyzer we will be using the Anaphera tool by IBM Zurich Research Laboratory [1]. This tool is used in IBM datacenters and by customers of IBM worldwide for detecting malicious/unknown network traffic, traffic trending, anomaly detection, growth prognosis and billing. We'll be explaining the intriciate parts about NetFlow, IPFIX and sFlow, what the technologies are and how they work, hopping briefly in the big difference with taps and what they could see when they are deployed and also what we don't see now and what gets lost in the noise. We will be showing you what information and details can be taken from a flow based tool, so that you know what can be seen by ISPs around the world.

Tags:  network netflow ibm private-ip-range zurich-research-laboratory chaos-communication-congress  

Authors: Daniel Domscheit-Berg
Tags: information operation privacy
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Due to popular demand, the talk will give an introduction to the OpenLeaks system and the idea behind it.

Tags:  openleaks audio authors daniel-domscheit- chaos-communication-congress privacy-event information-operation  

Authors: Jeroen Massar
Tags: network Netflow
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: On the Internet one tends to think that one is pretty much safe from poking eyes. Taps in most countries can only be established after a judge has issued a warrant, thus upto such a tap is succesfully deployed one might think one is pretty much in the clear. Most ISPs though actually employ a toolset comprising one of various NetFlow, IPFIX or sFlow protocols to do trend monitoring, billing and of course, the ability to try and establish which connections a certain IP address is making. During the CCC conference we will monitor the CCC network with NetFlow, collecting and directly anonimizing this information on IP basis. We will map a couple of well-known websites/trackers to a private IP range and preserving these mappings, while anonimizing the rest of the IP addresses, thus your anonimity is safe and please be yourself while using the network. Flow data will not be stored, thus we won't be able to go back and re-analyze the information. As a collector/analyzer we will be using the Anaphera tool by IBM Zurich Research Laboratory [1]. This tool is used in IBM datacenters and by customers of IBM worldwide for detecting malicious/unknown network traffic, traffic trending, anomaly detection, growth prognosis and billing. We'll be explaining the intriciate parts about NetFlow, IPFIX and sFlow, what the technologies are and how they work, hopping briefly in the big difference with taps and what they could see when they are deployed and also what we don't see now and what gets lost in the noise. We will be showing you what information and details can be taken from a flow based tool, so that you know what can be seen by ISPs around the world.

Tags:  network netflow ibm private-ip-range zurich-research-laboratory chaos-communication-congress  

Authors: Sergey Bratus
Tags: hacking
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Although most academics and industry practitioners regard "hacking" as mostly ad-hoc, a loose collection of useful tricks essentially random in nature, I will argue that hacking has in fact become a "distinct research and engineering discipline" with deep underlying engineering ideas and insights. Although not yet formally defined as such, it are these ideas and insights that drive the great contributions that hacking has been making to our understanding of computing, including the challenges of handling complexity, composition, and security in complex systems. I will argue that hacking uncovers and helps to understand (and teach) fundamental issues that go to the heart of Computer Science as we know it, and will try to formulate several such fundamental principles which I have learned from hacker research. At some point I realized that I was learning more about what really matters in computer science from hacker conventions, Phrack, Uninformed, and other hacker sources than from any academic source. Moreover, it wasn't just about exploits and vulnerabilities, it was about how systems were really designed, as opposed to how developers thought and students were taught they were. Then I realized that the reason for vulnerabilities that kept on giving were quite deeply theoretical and involved, e.g., theory of computation and information theory. Very little of this was quoted or understood in the academic publications.

Tags:  science hacker computer chaos-communication-congress science-authors distinct-research  

Authors: Sergey Bratus
Tags: hacking
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Although most academics and industry practitioners regard "hacking" as mostly ad-hoc, a loose collection of useful tricks essentially random in nature, I will argue that hacking has in fact become a "distinct research and engineering discipline" with deep underlying engineering ideas and insights. Although not yet formally defined as such, it are these ideas and insights that drive the great contributions that hacking has been making to our understanding of computing, including the challenges of handling complexity, composition, and security in complex systems. I will argue that hacking uncovers and helps to understand (and teach) fundamental issues that go to the heart of Computer Science as we know it, and will try to formulate several such fundamental principles which I have learned from hacker research. At some point I realized that I was learning more about what really matters in computer science from hacker conventions, Phrack, Uninformed, and other hacker sources than from any academic source. Moreover, it wasn't just about exploits and vulnerabilities, it was about how systems were really designed, as opposed to how developers thought and students were taught they were. Then I realized that the reason for vulnerabilities that kept on giving were quite deeply theoretical and involved, e.g., theory of computation and information theory. Very little of this was quoted or understood in the academic publications.

Tags:  science hacker computer chaos-communication-congress science-authors distinct-research  

Authors: Sergey Bratus
Tags: hacking
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Although most academics and industry practitioners regard "hacking" as mostly ad-hoc, a loose collection of useful tricks essentially random in nature, I will argue that hacking has in fact become a "distinct research and engineering discipline" with deep underlying engineering ideas and insights. Although not yet formally defined as such, it are these ideas and insights that drive the great contributions that hacking has been making to our understanding of computing, including the challenges of handling complexity, composition, and security in complex systems. I will argue that hacking uncovers and helps to understand (and teach) fundamental issues that go to the heart of Computer Science as we know it, and will try to formulate several such fundamental principles which I have learned from hacker research. At some point I realized that I was learning more about what really matters in computer science from hacker conventions, Phrack, Uninformed, and other hacker sources than from any academic source. Moreover, it wasn't just about exploits and vulnerabilities, it was about how systems were really designed, as opposed to how developers thought and students were taught they were. Then I realized that the reason for vulnerabilities that kept on giving were quite deeply theoretical and involved, e.g., theory of computation and information theory. Very little of this was quoted or understood in the academic publications.

Tags:  science hacker computer chaos-communication-congress science-authors distinct-research  

Authors: Tiffany Rad
Tags: law
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Concepts of sovereignty, freedom, privacy and intellectual property become amorphous when discussing territories that only exists as far as the Internet connects. International cyber jurisdiction is supported by a complicated web of international law and treaties. Jurisdiction hopping, a technique that is becoming popular for controversial content, is one we have used for the U.S. 1st Amendment censorship-resistant and non-profit hosting company, Project DOD, by using PRQ's services in Sweden. This technique is used to place assets in a diverse, but accessible, web of countries in which that content may be legal in the hosting country, but may have legal complications in the country in which it is accessed. As ownership and protection of property becomes a concept that is difficult to maintain across boundaries that are not easily distinguishable, can the U.S. "kill-switch" parts of the Internet and under what authority can it be done? Similarly, the geographic challenges to international cyber criminal law – and the feasibility of new sovereign nations – will be analyzed. When a cybercrime is committed in a country in which the electronic communication did not originate, there is difficulty prosecuting the crime without being able to physically apprehend a subject that is virtually within – and physically without – a country's boarders. Similarly, a technique called jurisdiction hopping can be used to place assets in a diverse, but accessible, web of countries in which that content may be legal in the hosting country, but is not in the country in which it is accessed. Lastly, if the U.S. attempts to isolate damage by cutting off Internet connections, under what authority can it be done? This presentation will discuss the types of international laws and treaties that may be cited in the event of extradition of cyber criminals, legal and geographic challenges – such as new sovereign nations – to jurisdiction hopping and the authority with which the U.S. may "kill switch" the Internet. I will also discuss the practical example of where, as a result of our Project DOD case in U.S. Federal court, we have put non-copyright infringing materials on PRQ's servers in Sweden to reduce the incidences of Digital Millennium Copyright Act’s "Take Down" infringement notices that are illegitimate.

Tags:  country jurisdiction cyber tiffany-rad sweden u.s. chaos-communication-congress geographic-challenges cyber-criminals  

Authors: Tiffany Rad
Tags: law
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Concepts of sovereignty, freedom, privacy and intellectual property become amorphous when discussing territories that only exists as far as the Internet connects. International cyber jurisdiction is supported by a complicated web of international law and treaties. Jurisdiction hopping, a technique that is becoming popular for controversial content, is one we have used for the U.S. 1st Amendment censorship-resistant and non-profit hosting company, Project DOD, by using PRQ's services in Sweden. This technique is used to place assets in a diverse, but accessible, web of countries in which that content may be legal in the hosting country, but may have legal complications in the country in which it is accessed. As ownership and protection of property becomes a concept that is difficult to maintain across boundaries that are not easily distinguishable, can the U.S. "kill-switch" parts of the Internet and under what authority can it be done? Similarly, the geographic challenges to international cyber criminal law – and the feasibility of new sovereign nations – will be analyzed. When a cybercrime is committed in a country in which the electronic communication did not originate, there is difficulty prosecuting the crime without being able to physically apprehend a subject that is virtually within – and physically without – a country's boarders. Similarly, a technique called jurisdiction hopping can be used to place assets in a diverse, but accessible, web of countries in which that content may be legal in the hosting country, but is not in the country in which it is accessed. Lastly, if the U.S. attempts to isolate damage by cutting off Internet connections, under what authority can it be done? This presentation will discuss the types of international laws and treaties that may be cited in the event of extradition of cyber criminals, legal and geographic challenges – such as new sovereign nations – to jurisdiction hopping and the authority with which the U.S. may "kill switch" the Internet. I will also discuss the practical example of where, as a result of our Project DOD case in U.S. Federal court, we have put non-copyright infringing materials on PRQ's servers in Sweden to reduce the incidences of Digital Millennium Copyright Act’s "Take Down" infringement notices that are illegitimate.

Tags:  chaos-communication-congress geographic-challenges cyber-criminals  

Tags: hacking
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: We demonstrate that automated, architecture-independent gadget search is possible. Gadgets are code fragments which can be used to build unintended programs from existing code in memory. Our contribution is a framework of algorithms capable of locating a Turing-complete gadget set. Translating machine code into an intermediate language allows our framework to be used for many different CPU architectures with minimal architecture-dependent adjustments. We define the paradigm of free-branch instructions to succinctly capture which gadgets will be found by our framework and investigate side effects of the gadgets produced. Furthermore we discuss architectural idiosyncrasies for several widely spread CPU architectures and how they need to be taken into account by the generic algorithms when locating gadgets.

Tags:  framework code gadget chaos-communication-congress cpu-architectures minimal-architecture  

Tags: hacking
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: We demonstrate that automated, architecture-independent gadget search is possible. Gadgets are code fragments which can be used to build unintended programs from existing code in memory. Our contribution is a framework of algorithms capable of locating a Turing-complete gadget set. Translating machine code into an intermediate language allows our framework to be used for many different CPU architectures with minimal architecture-dependent adjustments. We define the paradigm of free-branch instructions to succinctly capture which gadgets will be found by our framework and investigate side effects of the gadgets produced. Furthermore we discuss architectural idiosyncrasies for several widely spread CPU architectures and how they need to be taken into account by the generic algorithms when locating gadgets.

Tags:  framework code gadget chaos-communication-congress cpu-architectures minimal-architecture  

Tags: hacking
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: We demonstrate that automated, architecture-independent gadget search is possible. Gadgets are code fragments which can be used to build unintended programs from existing code in memory. Our contribution is a framework of algorithms capable of locating a Turing-complete gadget set. Translating machine code into an intermediate language allows our framework to be used for many different CPU architectures with minimal architecture-dependent adjustments. We define the paradigm of free-branch instructions to succinctly capture which gadgets will be found by our framework and investigate side effects of the gadgets produced. Furthermore we discuss architectural idiosyncrasies for several widely spread CPU architectures and how they need to be taken into account by the generic algorithms when locating gadgets.

Tags:  framework code gadget chaos-communication-congress cpu-architectures minimal-architecture  

Authors: Annalee Newitz
Tags: social
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Print media are dying, but what is rising up to take their place? In this presentation, I'll answer that question by describing three new kinds of jobs for journalists that do not exist in mainstream print media. These jobs are: hacker journalist, data-mining reporter, and crowd engineer. I'll be describing what these jobs entail, and current examples of organizations already employing people to do them. My observations in this presentation are based on the nearly twenty years I have written for traditional print as well as new media publications, including zines like Bad Subjects and 2600, as well as mainstream media outlets like Wired and the Washington Post. I also created io9.com, the world's most widely-read blog devoted to science and science fiction. As I've watched friends and colleagues suffer through layoffs in the publishing industry, I've also seen the rise of new kinds of journalists who use technology to break stories in ways that would have been impossible even five years ago. Hacker journalists use everything from Perl scripts to open source mapping platforms to do investigative reporting (examples include writing at Ars Technica, as well as people working with the Ushahidi mapping platform). Data-mining reporters are people who analyze vast amounts of data to investigate issues from war crimes (using services like Wikileaks) to the stock market "flash crash". Crowd engineers work on crowd-sourced news sites like Reddit and Metafilter, writing algorithms and community software that makes it easy for people to share information. Like editors, crowd engineers can be very powerful figures who determine which information rises to the top. What these new journalists have in common is a newfound ability to aggregate and analyze information on a massive scale. Ultimately I'll explore how this changes the playing field in media, and why journalists of the future may be more powerful than ever before.

Tags:  print crowd information annalee-newitz mainstream-media-outlets chaos-communication-congress new-media-publications  

Tags: hacking
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: We demonstrate that automated, architecture-independent gadget search is possible. Gadgets are code fragments which can be used to build unintended programs from existing code in memory. Our contribution is a framework of algorithms capable of locating a Turing-complete gadget set. Translating machine code into an intermediate language allows our framework to be used for many different CPU architectures with minimal architecture-dependent adjustments. We define the paradigm of free-branch instructions to succinctly capture which gadgets will be found by our framework and investigate side effects of the gadgets produced. Furthermore we discuss architectural idiosyncrasies for several widely spread CPU architectures and how they need to be taken into account by the generic algorithms when locating gadgets.

Tags:  framework code gadget chaos-communication-congress cpu-architectures minimal-architecture  

Authors: Julia Wolf
Tags: PDF
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Ambiguities in the PDF specification means that no two PDF parsers will see a file in the same way. This leads to many opportunities for exploit obfuscation. PDFs are currently the greatest vector for drive-by (malware installing) attacks and targeted attacks on business and government. A/V technology is extraordinarily poor at detecting these. The PDF format itself is so diverse and vague, that an A/V would need to be 100% bug-compatible with the parser in the vulnerable PDF reader. You can also do cool tricks like make a single PDF file that displays completely differently in several different readers.

Tags:  video omg pdf julia-wolf-tags chaos-communication-congress omg-wtf pdf-specification  

Authors: Annalee Newitz
Tags: social
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Print media are dying, but what is rising up to take their place? In this presentation, I'll answer that question by describing three new kinds of jobs for journalists that do not exist in mainstream print media. These jobs are: hacker journalist, data-mining reporter, and crowd engineer. I'll be describing what these jobs entail, and current examples of organizations already employing people to do them. My observations in this presentation are based on the nearly twenty years I have written for traditional print as well as new media publications, including zines like Bad Subjects and 2600, as well as mainstream media outlets like Wired and the Washington Post. I also created io9.com, the world's most widely-read blog devoted to science and science fiction. As I've watched friends and colleagues suffer through layoffs in the publishing industry, I've also seen the rise of new kinds of journalists who use technology to break stories in ways that would have been impossible even five years ago. Hacker journalists use everything from Perl scripts to open source mapping platforms to do investigative reporting (examples include writing at Ars Technica, as well as people working with the Ushahidi mapping platform). Data-mining reporters are people who analyze vast amounts of data to investigate issues from war crimes (using services like Wikileaks) to the stock market "flash crash". Crowd engineers work on crowd-sourced news sites like Reddit and Metafilter, writing algorithms and community software that makes it easy for people to share information. Like editors, crowd engineers can be very powerful figures who determine which information rises to the top. What these new journalists have in common is a newfound ability to aggregate and analyze information on a massive scale. Ultimately I'll explore how this changes the playing field in media, and why journalists of the future may be more powerful than ever before.

Tags:  print crowd information annalee-newitz mainstream-media-outlets chaos-communication-congress new-media-publications  

Authors: Henryk Plötz Milosch Meriac
Tags: RFID
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Popular contactless systems for physical access control still rely on obscurity. As we have shown, time and time again, proprietary encryption systems are weak and easy to break. In a follow-up to last year's presentation we will now demonstrate attacks on systems with 'proper' cryptographic algorithms. Since we broke the last of the big players on the market at 26C3, most vendors are now migrating to new systems which rectify our main point of concern: proprietary algorithms. All new technologies use AES or 3DES for encryption and/or authentication and vendors tirelessly tout the security of their systems and the use of these algorithms between card, reader and host. We will discuss the design of the successor to a system we attacked last year, and demonstrate how a system can be insecure despite the use of secure cryptoprimitives.

Tags:  time rfid system chaos-communication-congress proprietary-algorithms cryptographic-algorithms  

Authors: Julia Wolf
Tags: PDF
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Ambiguities in the PDF specification means that no two PDF parsers will see a file in the same way. This leads to many opportunities for exploit obfuscation. PDFs are currently the greatest vector for drive-by (malware installing) attacks and targeted attacks on business and government. A/V technology is extraordinarily poor at detecting these. The PDF format itself is so diverse and vague, that an A/V would need to be 100% bug-compatible with the parser in the vulnerable PDF reader. You can also do cool tricks like make a single PDF file that displays completely differently in several different readers.

Tags:  omg audio pdf julia-wolf-tags chaos-communication-congress pdf-specification omg-wtf  

Authors: Adam Obeng
Tags: Tor privacy
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: The Internet began as state-sponsored anarchy, but it is now the tool of first resort for dissidents and propagandists alike. The poster-child project of the Free Software Movement runs on the authority of a single person; the rest clash over the very definition of the word 'free'. A company which pictured itself as smashing Big Brother is now seen as one of the perceived secretive and authoritarian in the industry; and for another, 'Don't Be Evil' is proving to be a challenging motto to live by. This talk aims to present a view of the societies of Internet from the perspective of political philosophy. Political philosophy is not politics, in the same way that computer science is not programming. It's not the politics about the Internet, but the politics *of* the Internet. Even so, events at any particular place or time just provide examples to be studied. Political philosophy is meta-politics, it's about the trends in politics and the theories we use to understand them. Real-world political systems have striking parallels in the evolution of the Internet: there was primitive anarchy before Eternal September, the era of walled gardens resembled that of Ancient Greek city-states, which were succeeded by more-or-less liberal regimes following the geographical territories of real-world governments. Because of its rapid evolution, mass participation, and highly complex human interaction, the Internet should be subjected to the sorts of questions that political philosophers ask. On the Internet, what is freedom? Do we have obligations to those in control? To each other? What rights do we have? What can we own? Once we know the way it is, we can ask how it should be...

Tags:  internet philosophy Software dont-be adam-obeng tor chaos-communication-congress ancient-greek-city greek-city-states  

Authors: Lepht Anonym
Tags: science robotics
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Lightning talk on biohacking, complete with cyborg speaker, implant demonstrations, and knowledge of how to hack your own perception of electromagnetic radiation for approximately thirty Euros. A talk on what's become my specialty - biohacking, or meathacking, whatever you wanna call it. I've got a full set of home-brewed implants, a subdermal RFID, a sort of cult on the Internet plus things like proven designs for cheap EM sensory nodes, experimental verification of that shit I'm claiming, etc. I have videos of procedures, photos of what I've been doing and the like, and will happily make gory slides for all to see. Can do demos of the EM nodes and RFID chip as well. I want to talk about the grinder movement - underground biohacking - it's my life. Thus, my article in H+ Magazine: "A call to arms for biohackers".

Tags:  talk rfid call chaos-communication-congress electromagnetic-radiation experimental-verification  

Tags: hacking
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: 4 minutes for every speaker. Learn about the good, the bad, and the ugly - in software, hardware, projects, and more. Give a lightning fast talk about your favourite project, program, system - and thereby find people with the same interest to proceed and promote it. Alternatively - give us a good rant about something and give us some good reasons why it should die. ;) Get right at it, don't waste time by explaining too much, get the main points across, and then let us know how to contact you on the congress for a talk! Whatever you do - please practise it, and don't be boring. Or else. You have been warned!

Tags:  talk congress lightning chaos-communication-congress lightning-talks hardware-projects  

Authors: Lepht Anonym
Tags: science robotics
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Lightning talk on biohacking, complete with cyborg speaker, implant demonstrations, and knowledge of how to hack your own perception of electromagnetic radiation for approximately thirty Euros. A talk on what's become my specialty - biohacking, or meathacking, whatever you wanna call it. I've got a full set of home-brewed implants, a subdermal RFID, a sort of cult on the Internet plus things like proven designs for cheap EM sensory nodes, experimental verification of that shit I'm claiming, etc. I have videos of procedures, photos of what I've been doing and the like, and will happily make gory slides for all to see. Can do demos of the EM nodes and RFID chip as well. I want to talk about the grinder movement - underground biohacking - it's my life. Thus, my article in H+ Magazine: "A call to arms for biohackers".

Tags:  talk rfid call chaos-communication-congress electromagnetic-radiation experimental-verification  

Authors: Adam Obeng
Tags: Tor privacy
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: The Internet began as state-sponsored anarchy, but it is now the tool of first resort for dissidents and propagandists alike. The poster-child project of the Free Software Movement runs on the authority of a single person; the rest clash over the very definition of the word 'free'. A company which pictured itself as smashing Big Brother is now seen as one of the perceived secretive and authoritarian in the industry; and for another, 'Don't Be Evil' is proving to be a challenging motto to live by. This talk aims to present a view of the societies of Internet from the perspective of political philosophy. Political philosophy is not politics, in the same way that computer science is not programming. It's not the politics about the Internet, but the politics *of* the Internet. Even so, events at any particular place or time just provide examples to be studied. Political philosophy is meta-politics, it's about the trends in politics and the theories we use to understand them. Real-world political systems have striking parallels in the evolution of the Internet: there was primitive anarchy before Eternal September, the era of walled gardens resembled that of Ancient Greek city-states, which were succeeded by more-or-less liberal regimes following the geographical territories of real-world governments. Because of its rapid evolution, mass participation, and highly complex human interaction, the Internet should be subjected to the sorts of questions that political philosophers ask. On the Internet, what is freedom? Do we have obligations to those in control? To each other? What rights do we have? What can we own? Once we know the way it is, we can ask how it should be...

Tags:  chaos-communication-congress ancient-greek-city greek-city-states  

Authors: Adam Obeng
Tags: Tor privacy
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: The Internet began as state-sponsored anarchy, but it is now the tool of first resort for dissidents and propagandists alike. The poster-child project of the Free Software Movement runs on the authority of a single person; the rest clash over the very definition of the word 'free'. A company which pictured itself as smashing Big Brother is now seen as one of the perceived secretive and authoritarian in the industry; and for another, 'Don't Be Evil' is proving to be a challenging motto to live by. This talk aims to present a view of the societies of Internet from the perspective of political philosophy. Political philosophy is not politics, in the same way that computer science is not programming. It's not the politics about the Internet, but the politics *of* the Internet. Even so, events at any particular place or time just provide examples to be studied. Political philosophy is meta-politics, it's about the trends in politics and the theories we use to understand them. Real-world political systems have striking parallels in the evolution of the Internet: there was primitive anarchy before Eternal September, the era of walled gardens resembled that of Ancient Greek city-states, which were succeeded by more-or-less liberal regimes following the geographical territories of real-world governments. Because of its rapid evolution, mass participation, and highly complex human interaction, the Internet should be subjected to the sorts of questions that political philosophers ask. On the Internet, what is freedom? Do we have obligations to those in control? To each other? What rights do we have? What can we own? Once we know the way it is, we can ask how it should be...

Tags:  chaos-communication-congress ancient-greek-city greek-city-states  

Authors: Felix von Leitner Frank Rieger
Tags: hacking
Event: Chaos Communication Congress 27th (27C3) 2010

Tags:  video jahresrckblick fnord frank-rieger felix-von-leitner chaos-communication-congress  

Authors: Juergen Pabel
Tags: forensic
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Cold boot attacks are a major risk for the protection that Full-Disk-Encryption solutions provide. FrozenCache is a general-purpose solution to this attack for x86 based systems that employs a special CPU cache mode known as "Cache-as-RAM". Switching the CPU cache into a special mode forces data to held exclusively in the CPU cache and not to be written to the backing RAM locations, thus safeguarding data from being obtained from RAM by means of cold boot attacks. A Proof-of-Concept implementation for Linux will be demonstrated and implementation details discussed.

Tags:  cpu ram cache chaos-communication-congress concept-implementation cpu-cache  

Authors: Felix von Leitner Frank Rieger
Tags: hacking
Event: Chaos Communication Congress 27th (27C3) 2010

Tags:  chaos-communication-congress felix-von-leitner frank-rieger  

Authors: Juergen Pabel
Tags: forensic
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Cold boot attacks are a major risk for the protection that Full-Disk-Encryption solutions provide. FrozenCache is a general-purpose solution to this attack for x86 based systems that employs a special CPU cache mode known as "Cache-as-RAM". Switching the CPU cache into a special mode forces data to held exclusively in the CPU cache and not to be written to the backing RAM locations, thus safeguarding data from being obtained from RAM by means of cold boot attacks. A Proof-of-Concept implementation for Linux will be demonstrated and implementation details discussed.

Tags:  cpu ram cache chaos-communication-congress concept-implementation cpu-cache  

Tags: hacker jeopardy
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: The Hacker Jeopardy is a quiz show. The well known reversed quiz format, but of course hacker style. It once was entitled "number guessing for geeks" by a German publisher, which of course is an unfair simplification. It's also guessing of letters and special characters. ;) Three initial rounds will be played, the winners will compete with each other in the final.

Tags:  hacker quiz jeopardy chaos-communication-congress video-hacker quiz-format  

Authors: Julien Vanegue
Tags: heap overflow heap
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: The dynamic memory allocator is a fundamental component of modern operating systems, and one of the most important sources of security vulnerabilities. In this presentation, we emphasize on a particular weakness of the heap management that has proven to be the root cause of many escalation of privilege bugs in the windows kernel and other critical remote vulnerabilities in user-land applications. The problem is not specific to any operating system and is present in both user-land and kernel-land allocators. The presentation is divided into three parts. First, we will reveal the exact nature of the weakness and provide a taxonomy of all tested operating systems (both in the Windows and UNIX world, most of them are exposed). We then present a custom static analyzer for this class of defects based on the HAVOC framework, a heap-aware verifier for C programs, developed in the RISE team at Microsoft Research. We have deployed the analyzer on multiple kernel components, some of them reaching one million lines of C code. The analyzer produces a reasonable amount of warnings without any complex configuration. Finally, we generalize our analysis technique by characterizing what happens when the size of heap chunks is in the neighbourhood of zero (e.g. near-zero allocations) and give another example of fixed remote bug. We emphasize that this weakness should not be considered as a new class of vulnerabilities (such as buffer overflow), but rather a new type of code defect in the same style as integer overflows, as many occurrences are legit and do not lead to a bug.

Tags:  analyzer weakness heap chaos-communication-congress heap-allocations memory-allocator  

Authors: Bernhard Fischer
Tags: GPS
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: In maritime shipping accurate positioning is vital to preserve damage to life, ship, and goods. Today, we might tend to think that this problem is sufficiently solved yet because of the existence of electronic positioning systems like, most notably, the Global Positioning System (GPS) or the Russian counterpart GLONASS. This is wrong. Positions in terms of latitude and longitude just make sense together with an accurate sea chart (and of course, together with a navigator that is able to translate charting data into reality). Sea charts are available of national geospatial agencies and business companies as hard-copy or as digital maps and dependent on costs one might spend they are more or less accurate. In today's open world the idea of making an open sea chart is obvious. Several projects now started to apply the rules used for the OpenStreetMap, "...a free editable map of the whole world." (http://www.openstreetmap.org/), to create a free editable sea chart of the whole world and it turns out to be much more difficult because of potential serious consequences in case of charting errors. A sea chart contains a lot of vital information to a navigator. It has to be accurate, up to date, and confidential. Since we (the open sea chart community) cannot just chart every navigational important item on the world we are dependent on information that was already charted before or on third-party information. The latter could be for example measurements or GPS tracks of people that are somehow involved into maritime shipping but not necessarily into details of marine mapping. Thus, data accuracy may be questionable but still valuable. The fact that unauthenticated people are editing data in an open database is a big challenge for an open community since safety and security of life heavily depends on it. This talk covers the basic principles of sea charts and marine mapping. It emphasizes the problems of an open sea chart in general and its distinction to an open street map since requirements to ensure safety at sea are very different. Data preparation and import of other sources are discussed in detail, mainly focused on lights and depths. The lecture will connect real world shortcomings to a pedantic definite IT world for an IT-oriented audience and approaches IT security from a different angle.

Tags:  world chart sea bernhard-fischer open-sea chaos-communication-congress global-positioning-system  

Tags: hacker jeopardy
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: The Hacker Jeopardy is a quiz show. The well known reversed quiz format, but of course hacker style. It once was entitled "number guessing for geeks" by a German publisher, which of course is an unfair simplification. It's also guessing of letters and special characters. ;) Three initial rounds will be played, the winners will compete with each other in the final.

Tags:  hacker quiz jeopardy chaos-communication-congress quiz-format initial-rounds  

Authors: Julien Vanegue
Tags: heap overflow heap
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: The dynamic memory allocator is a fundamental component of modern operating systems, and one of the most important sources of security vulnerabilities. In this presentation, we emphasize on a particular weakness of the heap management that has proven to be the root cause of many escalation of privilege bugs in the windows kernel and other critical remote vulnerabilities in user-land applications. The problem is not specific to any operating system and is present in both user-land and kernel-land allocators. The presentation is divided into three parts. First, we will reveal the exact nature of the weakness and provide a taxonomy of all tested operating systems (both in the Windows and UNIX world, most of them are exposed). We then present a custom static analyzer for this class of defects based on the HAVOC framework, a heap-aware verifier for C programs, developed in the RISE team at Microsoft Research. We have deployed the analyzer on multiple kernel components, some of them reaching one million lines of C code. The analyzer produces a reasonable amount of warnings without any complex configuration. Finally, we generalize our analysis technique by characterizing what happens when the size of heap chunks is in the neighbourhood of zero (e.g. near-zero allocations) and give another example of fixed remote bug. We emphasize that this weakness should not be considered as a new class of vulnerabilities (such as buffer overflow), but rather a new type of code defect in the same style as integer overflows, as many occurrences are legit and do not lead to a bug.

Tags:  analyzer weakness heap chaos-communication-congress heap-allocations memory-allocator  

Authors: Bernhard Fischer
Tags: GPS
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: In maritime shipping accurate positioning is vital to preserve damage to life, ship, and goods. Today, we might tend to think that this problem is sufficiently solved yet because of the existence of electronic positioning systems like, most notably, the Global Positioning System (GPS) or the Russian counterpart GLONASS. This is wrong. Positions in terms of latitude and longitude just make sense together with an accurate sea chart (and of course, together with a navigator that is able to translate charting data into reality). Sea charts are available of national geospatial agencies and business companies as hard-copy or as digital maps and dependent on costs one might spend they are more or less accurate. In today's open world the idea of making an open sea chart is obvious. Several projects now started to apply the rules used for the OpenStreetMap, "...a free editable map of the whole world." (http://www.openstreetmap.org/), to create a free editable sea chart of the whole world and it turns out to be much more difficult because of potential serious consequences in case of charting errors. A sea chart contains a lot of vital information to a navigator. It has to be accurate, up to date, and confidential. Since we (the open sea chart community) cannot just chart every navigational important item on the world we are dependent on information that was already charted before or on third-party information. The latter could be for example measurements or GPS tracks of people that are somehow involved into maritime shipping but not necessarily into details of marine mapping. Thus, data accuracy may be questionable but still valuable. The fact that unauthenticated people are editing data in an open database is a big challenge for an open community since safety and security of life heavily depends on it. This talk covers the basic principles of sea charts and marine mapping. It emphasizes the problems of an open sea chart in general and its distinction to an open street map since requirements to ensure safety at sea are very different. Data preparation and import of other sources are discussed in detail, mainly focused on lights and depths. The lecture will connect real world shortcomings to a pedantic definite IT world for an IT-oriented audience and approaches IT security from a different angle.

Tags:  chaos-communication-congress bernhard-fischer global-positioning-system  

Authors: Bernhard Fischer
Tags: GPS
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: In maritime shipping accurate positioning is vital to preserve damage to life, ship, and goods. Today, we might tend to think that this problem is sufficiently solved yet because of the existence of electronic positioning systems like, most notably, the Global Positioning System (GPS) or the Russian counterpart GLONASS. This is wrong. Positions in terms of latitude and longitude just make sense together with an accurate sea chart (and of course, together with a navigator that is able to translate charting data into reality). Sea charts are available of national geospatial agencies and business companies as hard-copy or as digital maps and dependent on costs one might spend they are more or less accurate. In today's open world the idea of making an open sea chart is obvious. Several projects now started to apply the rules used for the OpenStreetMap, "...a free editable map of the whole world." (http://www.openstreetmap.org/), to create a free editable sea chart of the whole world and it turns out to be much more difficult because of potential serious consequences in case of charting errors. A sea chart contains a lot of vital information to a navigator. It has to be accurate, up to date, and confidential. Since we (the open sea chart community) cannot just chart every navigational important item on the world we are dependent on information that was already charted before or on third-party information. The latter could be for example measurements or GPS tracks of people that are somehow involved into maritime shipping but not necessarily into details of marine mapping. Thus, data accuracy may be questionable but still valuable. The fact that unauthenticated people are editing data in an open database is a big challenge for an open community since safety and security of life heavily depends on it. This talk covers the basic principles of sea charts and marine mapping. It emphasizes the problems of an open sea chart in general and its distinction to an open street map since requirements to ensure safety at sea are very different. Data preparation and import of other sources are discussed in detail, mainly focused on lights and depths. The lecture will connect real world shortcomings to a pedantic definite IT world for an IT-oriented audience and approaches IT security from a different angle.

Tags:  chaos-communication-congress bernhard-fischer global-positioning-system  

Tags: games
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Over 70 million Wiis, over 40 million Xbox 360s and over 35 million Playstation 3s have been sold in the last few years. That makes over 145 million embedded devices out there and most of them are just used to play games. But what can you do with them if you don't like playing games? You hack them to make them run your own code of course! We're going to talk about the various hacks that you can use to gain control of your hardware and make it do what you want it to do. 2010 saw the first hacks for the Playstation 3, soon after Sony removed Other OS functionality. We will detail the operation of current PS3 exploits, show a few new ones and explain where and how Sony went wrong when designing its security system, and show how these holes can be used to gain control over the system and bring Linux back to the PS3. We will also go over hacks for the other consoles, including the JTAG hack for the Xbox 360 which made running homebrew code more convenient, and the cat-and-mouse games that Nintendo played with us to combat Wii hacks. We might also check out the security of their 'new' handheld console - the DSi. Gamers might find this talk interesting even though it is targeted at those who hack (or design) embedded system security. A basic knowledge of crypto is therefore assumed. We will also be present in the Hackcenter before and after the presentation for those of you who are interested in learning more about the subject.

Tags:  security system xbox chaos-communication-congress os-functionality mouse-games  

Tags: games
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Over 70 million Wiis, over 40 million Xbox 360s and over 35 million Playstation 3s have been sold in the last few years. That makes over 145 million embedded devices out there and most of them are just used to play games. But what can you do with them if you don't like playing games? You hack them to make them run your own code of course! We're going to talk about the various hacks that you can use to gain control of your hardware and make it do what you want it to do. 2010 saw the first hacks for the Playstation 3, soon after Sony removed Other OS functionality. We will detail the operation of current PS3 exploits, show a few new ones and explain where and how Sony went wrong when designing its security system, and show how these holes can be used to gain control over the system and bring Linux back to the PS3. We will also go over hacks for the other consoles, including the JTAG hack for the Xbox 360 which made running homebrew code more convenient, and the cat-and-mouse games that Nintendo played with us to combat Wii hacks. We might also check out the security of their 'new' handheld console - the DSi. Gamers might find this talk interesting even though it is targeted at those who hack (or design) embedded system security. A basic knowledge of crypto is therefore assumed. We will also be present in the Hackcenter before and after the presentation for those of you who are interested in learning more about the subject.

Tags:  security system xbox chaos-communication-congress os-functionality mouse-games  

Authors: Bernhard Fischer
Tags: GPS
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: In maritime shipping accurate positioning is vital to preserve damage to life, ship, and goods. Today, we might tend to think that this problem is sufficiently solved yet because of the existence of electronic positioning systems like, most notably, the Global Positioning System (GPS) or the Russian counterpart GLONASS. This is wrong. Positions in terms of latitude and longitude just make sense together with an accurate sea chart (and of course, together with a navigator that is able to translate charting data into reality). Sea charts are available of national geospatial agencies and business companies as hard-copy or as digital maps and dependent on costs one might spend they are more or less accurate. In today's open world the idea of making an open sea chart is obvious. Several projects now started to apply the rules used for the OpenStreetMap, "...a free editable map of the whole world." (http://www.openstreetmap.org/), to create a free editable sea chart of the whole world and it turns out to be much more difficult because of potential serious consequences in case of charting errors. A sea chart contains a lot of vital information to a navigator. It has to be accurate, up to date, and confidential. Since we (the open sea chart community) cannot just chart every navigational important item on the world we are dependent on information that was already charted before or on third-party information. The latter could be for example measurements or GPS tracks of people that are somehow involved into maritime shipping but not necessarily into details of marine mapping. Thus, data accuracy may be questionable but still valuable. The fact that unauthenticated people are editing data in an open database is a big challenge for an open community since safety and security of life heavily depends on it. This talk covers the basic principles of sea charts and marine mapping. It emphasizes the problems of an open sea chart in general and its distinction to an open street map since requirements to ensure safety at sea are very different. Data preparation and import of other sources are discussed in detail, mainly focused on lights and depths. The lecture will connect real world shortcomings to a pedantic definite IT world for an IT-oriented audience and approaches IT security from a different angle.

Tags:  world chart sea bernhard-fischer open-sea chaos-communication-congress global-positioning-system  

Authors: Harald Welte
Tags: RFID bank
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: How to reverse engineer the data format of a real-world RFID based debit card system. One of Asia’s most popular electronic payment systems uses insecure technology. The EasyCard system, established in 2001, is the most popular stored-valued card in Taiwan. With more than 18 million issued cards, it is the predominant means of paying for public transportation services in the capital Taipei. In 2010, use of the EasyCard was extended beyond transportation. Card holders can now pay in all major convenience stores like 7eleven, coffe shops like Starbucks and and major retail companies like SOGO. Despite the large fraud potential, the EasyCard system uses the MIFARE Classic RFID technology, whose proprietary encryption cipher CRYPTO1 relied on obscurity and was first publicly broken several years ago at 24C3 This presentation analyzes the results of combining the practical attacks on the MIFARE Classic CRYPTO1 system in the context of the EasyCard payment system. It describes the process of reverse- engineering the actual content of the card to discover the public transportation transaction log, the account balance and how the daily spending limit work. Furthermore, the talk will present how fundamentally flawed the system is, and how easy it is to add or subtract monetary value to/from the card. Cards manipulated as described in the talk have been accepted by the payment system.

Tags:  card rfid system harald-welte asia taiwan taipei chaos-communication-congress public-transportation-services capital-taipei  

Authors: Eleanor Saitta
Tags: security
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: The past century our infrastructure has seen both massive expansion and heavy centralization. When it fails, it fails big -- this is the reality of our modern interconnectedness. We live in a world of crumbling bridges and bankrupt states, and our infrastructure will kill us. The people we’re relying on to keep us safe are trying to accomplish long-term risk management with short-term thinking. So, what now? We can't opt out, but we can become more resilient, and we can start thinking about risk differently. In this talk, we'll look at threat modeling in the real world, six ways to die, failing states, that big party in the desert, the failure of the humanitarian project, algae and the U.S. military, large-scale natural disasters, the power grid, and many other things. The problems we face are big in every sense of the word -- they involve some of the biggest things we've ever built -- but the solutions may not be. Can non-governmental networks step up when governments fail to provide basic services? Can we avoid a further expansion of neoliberalism in a post-infrastructural state? Are the power structures embedded in our infrastructure cultural destiny? What happens when maker culture grows up?

Tags:  chaos-communication-congress governmental-networks humanitarian-project  

Authors: Steven J. Murdoch
Tags: bank smart card
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: EMV is the dominant protocol used for smart card payments worldwide, with over 730 million cards in circulation. Known to bank customers as “Chip and PIN”, it is used in Europe; it is being introduced in Canada; and there is pressure from banks to introduce it in the USA too. EMV secures credit and debit card transactions by authenticating both the card and the customer presenting it through a combination of cryptographic authentication codes, digital signatures, and the entry of a PIN. In this paper we describe and demonstrate a protocol flaw which allows criminals to use a genuine card to make a payment without knowing the card’s PIN, and to remain undetected even when the merchant has an online connection to the banking network. The fraudster performs a man-in-the-middle attack to trick the terminal into believing the PIN verified correctly, while telling the issuing bank that no PIN was entered at all. The paper considers how the flaws arose, why they remained unknown despite EMV’s wide deployment for the best part of a decade, and how they might be fixed. Because we have found and validated a practical attack against the core functionality of EMV, we conclude that the protocol is broken. This failure is significant in the field of protocol design, and also has important public policy implications, in light of growing reports of fraud on stolen EMV cards. Frequently, banks deny such fraud victims a refund, asserting that a card cannot be used without the correct PIN, and concluding that the customer must be grossly negligent or lying. Our attack can explain a number of these cases, and exposes the need for further research to bridge the gap between the theoretical and practical security of bank payment systems. Smart cards have gradually replaced magnetic strip cards for point-of-sale and ATM transactions in many countries. The leading system, EMV (named after Europay, MasterCard, and Visa), has been deployed throughout most of Europe, and is currently being rolled out in Canada. As of early 2008, there were over 730 million EMV compliant smart cards in circulation worldwide. In EMV, customers authorize a credit or debit card transaction by inserting their card and entering a PIN into a point-of-sale terminal; the PIN is typically verified by the smart card chip, which is in turn authenticated to the terminal by a digital certificate. The transaction details are also authenticated by a cryptographic message authentication code (MAC), using a symmetric key shared between the payment card and the bank that issued the card to the customer (the issuer). EMV was heavily promoted under the “Chip and PIN” brand during its national rollout in the UK. The technology was advertised as a solution to increasing card fraud: a chip to prevent card counterfeiting, and a PIN to prevent abuse of stolen cards. Since its introduction in the UK the fraud landscape has changed significantly: lost and stolen card fraud is down, and counterfeit card fraud experienced a two year lull. But no type of fraud has been eliminated, and the overall fraud levels have actually risen (see Figure 1). The likely explanation for this is that EMV has simply moved fraud, not eliminated it. One goal of EMV was to externalise the costs of dispute from the issuing bank, in that if a disputed transaction has been authorised by a manuscript signature, it would be charged to the merchant, while if it had been authorised by a PIN then it would be charged to the customer. The net effect is that the banking industry, which was responsible for the design of the system, carries less liability for the fraud. The industry describes this as a ‘liability shift’. In the past few years, the UK media have reported numerous cases where cardholders’ complaints have been rejected by their bank and by government-approved mediators such as the Financial Ombudsman Service, using stock excuses such as ‘Your card was CHIP read and a PIN was used so you must have been negligent.’ Interestingly, an increasing number of complaints from believable witnesses indicate that their EMV cards were fraudulently used shortly after being stolen, despite there having been no possibility that the thief could have learned the PIN. In this paper, we describe a potential explanation. We have demonstrated how criminals can use stolen “Chip and PIN” (EMV) smart cards without knowing the PIN. Since “verified by PIN” – the essence of the system – does not work, we declare the Chip and PIN system to be broken.

Tags:  emv pin card mac chip steven-j.-murdoch-tags europe canada usa chaos-communication-congress smart-card-payments  

Authors: Sylvia Johnigk
Tags: intelligence
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: The acronym stands for Intelligent Information System Supporting Observation, Searching and Detection for Security of Citizens in Urban Environment. A total of 17 partners in nine member states are developing an infrastructure for linking existing surveillance technologies to form one mighty instrument for controlling the people. They are laying the foundation of a European police state, since INDECT's results serve to increase the effectiveness of police operation on the national and European level. INDECT is funded under the European Commission's Seventh Framework Programme (FP7), the security-related research of which provides € 1.4 billion Euro for more than 60 partly interlaced projects. This Is What the Police Will Work with in the Future: ·Unmanned aerial vehicles/drones with surveillance camera and sensors ·Software (for cameras etc.) to identify supposedly suspicious behavior or hostile intent ·Auto-tracking of mobile objects ·Software (autonomous agents) to monitor virtual spaces such as discussion forums in the Internet or social networks ·Trojan horses which record users’ private computer activity ·Safeguards, such as watermarking, to allow sophisticated controls on recorded images for evidence, and to index, analyse and administer multimedia content (such as video) ·A search engine combining direct search of data from the real and the virtual world

Tags:  video indect police urban-environment sylvia-johnigk chaos-communication-congress intelligent-information-system security-related-research  

Authors: Harald Welte
Tags: RFID bank
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: How to reverse engineer the data format of a real-world RFID based debit card system. One of Asia’s most popular electronic payment systems uses insecure technology. The EasyCard system, established in 2001, is the most popular stored-valued card in Taiwan. With more than 18 million issued cards, it is the predominant means of paying for public transportation services in the capital Taipei. In 2010, use of the EasyCard was extended beyond transportation. Card holders can now pay in all major convenience stores like 7eleven, coffe shops like Starbucks and and major retail companies like SOGO. Despite the large fraud potential, the EasyCard system uses the MIFARE Classic RFID technology, whose proprietary encryption cipher CRYPTO1 relied on obscurity and was first publicly broken several years ago at 24C3 This presentation analyzes the results of combining the practical attacks on the MIFARE Classic CRYPTO1 system in the context of the EasyCard payment system. It describes the process of reverse- engineering the actual content of the card to discover the public transportation transaction log, the account balance and how the daily spending limit work. Furthermore, the talk will present how fundamentally flawed the system is, and how easy it is to add or subtract monetary value to/from the card. Cards manipulated as described in the talk have been accepted by the payment system.

Tags:  card rfid system harald-welte asia taiwan taipei chaos-communication-congress public-transportation-services capital-taipei  

Authors: Harald Welte
Tags: RFID bank
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: How to reverse engineer the data format of a real-world RFID based debit card system. One of Asia’s most popular electronic payment systems uses insecure technology. The EasyCard system, established in 2001, is the most popular stored-valued card in Taiwan. With more than 18 million issued cards, it is the predominant means of paying for public transportation services in the capital Taipei. In 2010, use of the EasyCard was extended beyond transportation. Card holders can now pay in all major convenience stores like 7eleven, coffe shops like Starbucks and and major retail companies like SOGO. Despite the large fraud potential, the EasyCard system uses the MIFARE Classic RFID technology, whose proprietary encryption cipher CRYPTO1 relied on obscurity and was first publicly broken several years ago at 24C3 This presentation analyzes the results of combining the practical attacks on the MIFARE Classic CRYPTO1 system in the context of the EasyCard payment system. It describes the process of reverse- engineering the actual content of the card to discover the public transportation transaction log, the account balance and how the daily spending limit work. Furthermore, the talk will present how fundamentally flawed the system is, and how easy it is to add or subtract monetary value to/from the card. Cards manipulated as described in the talk have been accepted by the payment system.

Tags:  chaos-communication-congress public-transportation-services capital-taipei  

Authors: Steven J. Murdoch
Tags: bank smart card
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: EMV is the dominant protocol used for smart card payments worldwide, with over 730 million cards in circulation. Known to bank customers as “Chip and PIN”, it is used in Europe; it is being introduced in Canada; and there is pressure from banks to introduce it in the USA too. EMV secures credit and debit card transactions by authenticating both the card and the customer presenting it through a combination of cryptographic authentication codes, digital signatures, and the entry of a PIN. In this paper we describe and demonstrate a protocol flaw which allows criminals to use a genuine card to make a payment without knowing the card’s PIN, and to remain undetected even when the merchant has an online connection to the banking network. The fraudster performs a man-in-the-middle attack to trick the terminal into believing the PIN verified correctly, while telling the issuing bank that no PIN was entered at all. The paper considers how the flaws arose, why they remained unknown despite EMV’s wide deployment for the best part of a decade, and how they might be fixed. Because we have found and validated a practical attack against the core functionality of EMV, we conclude that the protocol is broken. This failure is significant in the field of protocol design, and also has important public policy implications, in light of growing reports of fraud on stolen EMV cards. Frequently, banks deny such fraud victims a refund, asserting that a card cannot be used without the correct PIN, and concluding that the customer must be grossly negligent or lying. Our attack can explain a number of these cases, and exposes the need for further research to bridge the gap between the theoretical and practical security of bank payment systems. Smart cards have gradually replaced magnetic strip cards for point-of-sale and ATM transactions in many countries. The leading system, EMV (named after Europay, MasterCard, and Visa), has been deployed throughout most of Europe, and is currently being rolled out in Canada. As of early 2008, there were over 730 million EMV compliant smart cards in circulation worldwide. In EMV, customers authorize a credit or debit card transaction by inserting their card and entering a PIN into a point-of-sale terminal; the PIN is typically verified by the smart card chip, which is in turn authenticated to the terminal by a digital certificate. The transaction details are also authenticated by a cryptographic message authentication code (MAC), using a symmetric key shared between the payment card and the bank that issued the card to the customer (the issuer). EMV was heavily promoted under the “Chip and PIN” brand during its national rollout in the UK. The technology was advertised as a solution to increasing card fraud: a chip to prevent card counterfeiting, and a PIN to prevent abuse of stolen cards. Since its introduction in the UK the fraud landscape has changed significantly: lost and stolen card fraud is down, and counterfeit card fraud experienced a two year lull. But no type of fraud has been eliminated, and the overall fraud levels have actually risen (see Figure 1). The likely explanation for this is that EMV has simply moved fraud, not eliminated it. One goal of EMV was to externalise the costs of dispute from the issuing bank, in that if a disputed transaction has been authorised by a manuscript signature, it would be charged to the merchant, while if it had been authorised by a PIN then it would be charged to the customer. The net effect is that the banking industry, which was responsible for the design of the system, carries less liability for the fraud. The industry describes this as a ‘liability shift’. In the past few years, the UK media have reported numerous cases where cardholders’ complaints have been rejected by their bank and by government-approved mediators such as the Financial Ombudsman Service, using stock excuses such as ‘Your card was CHIP read and a PIN was used so you must have been negligent.’ Interestingly, an increasing number of complaints from believable witnesses indicate that their EMV cards were fraudulently used shortly after being stolen, despite there having been no possibility that the thief could have learned the PIN. In this paper, we describe a potential explanation. We have demonstrated how criminals can use stolen “Chip and PIN” (EMV) smart cards without knowing the PIN. Since “verified by PIN” – the essence of the system – does not work, we declare the Chip and PIN system to be broken.

Tags:  chaos-communication-congress smart-card-payments emv-cards  

Authors: Eleanor Saitta
Tags: security
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: The past century our infrastructure has seen both massive expansion and heavy centralization. When it fails, it fails big -- this is the reality of our modern interconnectedness. We live in a world of crumbling bridges and bankrupt states, and our infrastructure will kill us. The people we’re relying on to keep us safe are trying to accomplish long-term risk management with short-term thinking. So, what now? We can't opt out, but we can become more resilient, and we can start thinking about risk differently. In this talk, we'll look at threat modeling in the real world, six ways to die, failing states, that big party in the desert, the failure of the humanitarian project, algae and the U.S. military, large-scale natural disasters, the power grid, and many other things. The problems we face are big in every sense of the word -- they involve some of the biggest things we've ever built -- but the solutions may not be. Can non-governmental networks step up when governments fail to provide basic services? Can we avoid a further expansion of neoliberalism in a post-infrastructural state? Are the power structures embedded in our infrastructure cultural destiny? What happens when maker culture grows up?

Tags:  world expansion infrastructure eleanor-saitta u.s. chaos-communication-congress governmental-networks humanitarian-project  

Authors: Harald Welte Steve Markgraf
Tags: GSM phone
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: In recent years, we have seen several Free Software projects implementing the network side of the GSM protocol. In 2010, OsmocomBB was started to create a free software implementation of the telephone-side. The OsmocomBB project is a Free Software implementation of the GSM protocol stack running on a mobile phone. For decades, the cellular industry comprised by cellphone chipset makers and network operators keep their hardware and system-level software as well as GSM protocol stack implementations closed. As a result, it was never possible to send arbitrary data at the lower levels of the GSM protocol stack. Existing phones only allow application-level data to be specified, such as SMS messages, IP over GPRS or circuit-switched data (CSD). Using OsmocomBB, the security researcher finally has a tool equivalent to an Ethernet card in the TCP/IP protocol world: A simple transceiver that will send arbitrary protocol messages to a GSM network.

Tags:  free-software-implementation chaos-communication-congress tcp-ip-protocol  

Authors: Sylvia Johnigk
Tags: intelligence
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: The acronym stands for Intelligent Information System Supporting Observation, Searching and Detection for Security of Citizens in Urban Environment. A total of 17 partners in nine member states are developing an infrastructure for linking existing surveillance technologies to form one mighty instrument for controlling the people. They are laying the foundation of a European police state, since INDECT's results serve to increase the effectiveness of police operation on the national and European level. INDECT is funded under the European Commission's Seventh Framework Programme (FP7), the security-related research of which provides € 1.4 billion Euro for more than 60 partly interlaced projects. This Is What the Police Will Work with in the Future: ·Unmanned aerial vehicles/drones with surveillance camera and sensors ·Software (for cameras etc.) to identify supposedly suspicious behavior or hostile intent ·Auto-tracking of mobile objects ·Software (autonomous agents) to monitor virtual spaces such as discussion forums in the Internet or social networks ·Trojan horses which record users’ private computer activity ·Safeguards, such as watermarking, to allow sophisticated controls on recorded images for evidence, and to index, analyse and administer multimedia content (such as video) ·A search engine combining direct search of data from the real and the virtual world

Tags:  indect surveillance police urban-environment sylvia-johnigk chaos-communication-congress intelligent-information-system security-related-research  

Authors: Harald Welte Steve Markgraf
Tags: GSM phone
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: In recent years, we have seen several Free Software projects implementing the network side of the GSM protocol. In 2010, OsmocomBB was started to create a free software implementation of the telephone-side. The OsmocomBB project is a Free Software implementation of the GSM protocol stack running on a mobile phone. For decades, the cellular industry comprised by cellphone chipset makers and network operators keep their hardware and system-level software as well as GSM protocol stack implementations closed. As a result, it was never possible to send arbitrary data at the lower levels of the GSM protocol stack. Existing phones only allow application-level data to be specified, such as SMS messages, IP over GPRS or circuit-switched data (CSD). Using OsmocomBB, the security researcher finally has a tool equivalent to an Ethernet card in the TCP/IP protocol world: A simple transceiver that will send arbitrary protocol messages to a GSM network.

Tags:  gsm protocol Software harald-welte steve-markgraf free-software-implementation chaos-communication-congress tcp-ip-protocol  

Authors: Harald Welte Steve Markgraf
Tags: GSM phone
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: In recent years, we have seen several Free Software projects implementing the network side of the GSM protocol. In 2010, OsmocomBB was started to create a free software implementation of the telephone-side. The OsmocomBB project is a Free Software implementation of the GSM protocol stack running on a mobile phone. For decades, the cellular industry comprised by cellphone chipset makers and network operators keep their hardware and system-level software as well as GSM protocol stack implementations closed. As a result, it was never possible to send arbitrary data at the lower levels of the GSM protocol stack. Existing phones only allow application-level data to be specified, such as SMS messages, IP over GPRS or circuit-switched data (CSD). Using OsmocomBB, the security researcher finally has a tool equivalent to an Ethernet card in the TCP/IP protocol world: A simple transceiver that will send arbitrary protocol messages to a GSM network.

Tags:  free-software-implementation chaos-communication-congress tcp-ip-protocol  

Authors: Renaud Lifchitz
Tags: GSM phone locating Android
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: We introduce a new forensic technique that allows to collect users' past locations on most current Android phones, within a few seconds. It becomes possible to tell where the user was at a given time, or where a phone call took place over the last few hours or days. The attack is based on GSM BTS cell location and little-known Android logging features and can be extended to track a user's activity over long periods of time. We will also show how to perform the attack locally and remotely, and ways to protect against these techniques, as well as forensic applications and privacy concerns. As a part of the presentation we plan to show a live demonstration of both local and remote attacks to retrieve geolocation and activity history of targeted phones. The graphical mapping tool used for the presentation will be released as open source.

Tags:  chaos-communication-congress graphical-mapping long-periods-of-time  

Authors: Renaud Lifchitz
Tags: GSM phone locating Android
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: We introduce a new forensic technique that allows to collect users' past locations on most current Android phones, within a few seconds. It becomes possible to tell where the user was at a given time, or where a phone call took place over the last few hours or days. The attack is based on GSM BTS cell location and little-known Android logging features and can be extended to track a user's activity over long periods of time. We will also show how to perform the attack locally and remotely, and ways to protect against these techniques, as well as forensic applications and privacy concerns. As a part of the presentation we plan to show a live demonstration of both local and remote attacks to retrieve geolocation and activity history of targeted phones. The graphical mapping tool used for the presentation will be released as open source.

Tags:  chaos-communication-congress graphical-mapping gsm-network  

Authors: Renaud Lifchitz
Tags: GSM phone locating Android
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: We introduce a new forensic technique that allows to collect users' past locations on most current Android phones, within a few seconds. It becomes possible to tell where the user was at a given time, or where a phone call took place over the last few hours or days. The attack is based on GSM BTS cell location and little-known Android logging features and can be extended to track a user's activity over long periods of time. We will also show how to perform the attack locally and remotely, and ways to protect against these techniques, as well as forensic applications and privacy concerns. As a part of the presentation we plan to show a live demonstration of both local and remote attacks to retrieve geolocation and activity history of targeted phones. The graphical mapping tool used for the presentation will be released as open source.

Tags:  chaos-communication-congress graphical-mapping long-periods-of-time  

Authors: Daniel Domscheit-Berg
Tags: privacy
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: The talk will give an update on the status of the Icelandic Modern Media Initiative. If we put IMMI into the context of the bus Rop talked about in the keynote, then IMMI is the quality rubber for the tires that can ride that road safely. It is part of what our bus should look like, ride like, feel like. The talk will also try to define some more of that bus, and elaborate on what else we need apart from the best rubber we can get. The talk will hence deal with some of the latest developments in respect to freedom of speech, specifically that of the press, and political pressure being excersized on it, roles and responsibilities, and the role of responsibility. The talk will give an update on the status of the Icelandic Modern Media Initiative. If we put IMMI into the context of the bus Rop talked about in the keynote, then IMMI is the quality rubber for the tires that can ride that road safely. It is part of what our bus should look like, ride like, feel like. The talk will also try to define some more of that bus, and elaborate on what else we need apart from the best rubber we can get. The talk will hence deal with some of the latest developments in respect to freedom of speech, specifically that of the press, and political pressure being excersized on it, roles and responsibilities, and the role of responsibility.

Tags:  chaos-communication-congress privacy-event media-initiative  

Authors: Daniel Domscheit-Berg
Tags: privacy
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: The talk will give an update on the status of the Icelandic Modern Media Initiative. If we put IMMI into the context of the bus Rop talked about in the keynote, then IMMI is the quality rubber for the tires that can ride that road safely. It is part of what our bus should look like, ride like, feel like. The talk will also try to define some more of that bus, and elaborate on what else we need apart from the best rubber we can get. The talk will hence deal with some of the latest developments in respect to freedom of speech, specifically that of the press, and political pressure being excersized on it, roles and responsibilities, and the role of responsibility. The talk will give an update on the status of the Icelandic Modern Media Initiative. If we put IMMI into the context of the bus Rop talked about in the keynote, then IMMI is the quality rubber for the tires that can ride that road safely. It is part of what our bus should look like, ride like, feel like. The talk will also try to define some more of that bus, and elaborate on what else we need apart from the best rubber we can get. The talk will hence deal with some of the latest developments in respect to freedom of speech, specifically that of the press, and political pressure being excersized on it, roles and responsibilities, and the role of responsibility.

Tags:  chaos-communication-congress privacy-event media-initiative  

Tags: hacking social
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Experience firsthand some of the most interesting, surprising, and perspective-changing findings from cognitive and social neuropsychology. With perceptual illusions, priming, biases, heuristics, and unconscious influences, humans have tons of firmware "bugs". All have exploits; some even have patches. Learn how to improve your own thinking, use others' bugs to your advantage, and gain new perspective on the unconscious and often illusory processes involved in your perceptions. This interactive talk goes through as many interesting, surprising, perspective-changing findings from the cognitive sciences as I can fit in one hour while ensuring that as much as possible has a real, live demonstration that the audience participates in (rather than merely being told about). It's not just a collection of 'stupid human tricks' (though I'll be using lots of those for examples); this is a coherent narrative about surprising ways in which humans are flawed, how these aren't just things that happen to "other people", and how one might go about improving the situation at least for oneself. Every point will be supported by good science, with references to papers for those who care to read up more about them. Come to the meditation workshop afterwards to learn several more interesting and powerful techniques to proactively control your own mindstate.

Tags:  chaos-communication-congress perceptual-illusions meditation-workshop  

Tags: music
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: At least if you have used all the features of a synthesizer, you probably ask the questions: "How can I modify it? How can I build a synthesizer myself? What features do I personally need?" This talk covers this topic from a theoretical and technical point of view. Since commercial synthesizers have been built, the interest in modifying existing synthesizers and building own synthesizers has increased. Nowadays there is a much bigger DIY (Do-It-Yourself) community, and the idea of building own synthesizers and modules has been even merged with the idea of open-source and creative-commons hardware. This gives a wide range of new possibilities. Another part of the talk will be a quick introduction of less or more known DIY-synthesizer projects and the demonstration of a DIY synthesizer based on MOS 6581-like synthesis (The Commodore SID), which can be built from quite cheap electronic components and give a wide range of possibilities for sound generation and a reasonable sound. This talk will briefly describe the basics of sound synthesis and what makes it so interesting. A little bit of basic knowledge is recommended, but not necessary.

Tags:  sound diy synthesizer commodore-sid chaos-communication-congress commercial-synthesizers sound-generators  

Tags: music
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: At least if you have used all the features of a synthesizer, you probably ask the questions: "How can I modify it? How can I build a synthesizer myself? What features do I personally need?" This talk covers this topic from a theoretical and technical point of view. Since commercial synthesizers have been built, the interest in modifying existing synthesizers and building own synthesizers has increased. Nowadays there is a much bigger DIY (Do-It-Yourself) community, and the idea of building own synthesizers and modules has been even merged with the idea of open-source and creative-commons hardware. This gives a wide range of new possibilities. Another part of the talk will be a quick introduction of less or more known DIY-synthesizer projects and the demonstration of a DIY synthesizer based on MOS 6581-like synthesis (The Commodore SID), which can be built from quite cheap electronic components and give a wide range of possibilities for sound generation and a reasonable sound. This talk will briefly describe the basics of sound synthesis and what makes it so interesting. A little bit of basic knowledge is recommended, but not necessary.

Tags:  sound diy synthesizer commodore-sid chaos-communication-congress commercial-synthesizers sound-generators  

Tags: hacking social
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Experience firsthand some of the most interesting, surprising, and perspective-changing findings from cognitive and social neuropsychology. With perceptual illusions, priming, biases, heuristics, and unconscious influences, humans have tons of firmware "bugs". All have exploits; some even have patches. Learn how to improve your own thinking, use others' bugs to your advantage, and gain new perspective on the unconscious and often illusory processes involved in your perceptions. This interactive talk goes through as many interesting, surprising, perspective-changing findings from the cognitive sciences as I can fit in one hour while ensuring that as much as possible has a real, live demonstration that the audience participates in (rather than merely being told about). It's not just a collection of 'stupid human tricks' (though I'll be using lots of those for examples); this is a coherent narrative about surprising ways in which humans are flawed, how these aren't just things that happen to "other people", and how one might go about improving the situation at least for oneself. Every point will be supported by good science, with references to papers for those who care to read up more about them. Come to the meditation workshop afterwards to learn several more interesting and powerful techniques to proactively control your own mindstate.

Tags:  hackers cognitive psychology chaos-communication-congress perceptual-illusions meditation-workshop  

Tags: hacking social
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Experience firsthand some of the most interesting, surprising, and perspective-changing findings from cognitive and social neuropsychology. With perceptual illusions, priming, biases, heuristics, and unconscious influences, humans have tons of firmware "bugs". All have exploits; some even have patches. Learn how to improve your own thinking, use others' bugs to your advantage, and gain new perspective on the unconscious and often illusory processes involved in your perceptions. This interactive talk goes through as many interesting, surprising, perspective-changing findings from the cognitive sciences as I can fit in one hour while ensuring that as much as possible has a real, live demonstration that the audience participates in (rather than merely being told about). It's not just a collection of 'stupid human tricks' (though I'll be using lots of those for examples); this is a coherent narrative about surprising ways in which humans are flawed, how these aren't just things that happen to "other people", and how one might go about improving the situation at least for oneself. Every point will be supported by good science, with references to papers for those who care to read up more about them. Come to the meditation workshop afterwards to learn several more interesting and powerful techniques to proactively control your own mindstate.

Tags:  audio cognitive psychology chaos-communication-congress perceptual-illusions meditation-workshop  

Authors: Wolfgang Beck
Tags: VoIP SIP
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: The SIP home gateway -- which combines a NAT router, a SIP proxy, and analogue phone adapters -- is the weakest link in a Voice over IP network. SIP's numerous source routing mechanisms share the well-known security weaknesses of IP source routing. The talk discusses possible exploits and countermeasures. Telephony is steadily moving to Voice over IP, opening up a world of hacking opportunities. While many security issues have long been addressed in standardization, real-world VoIP suffers from incomplete and sometimes broken implementations. SIP home gateways -- which combine a NAT router, a SIP proxy, and a phone adapter are especially at risk. The predominant VoIP protocol SIP (Session Initiation Protocol) has been designed as an -- almost -- stateless protocol. The network elements responsible for call routing only keep very little and short-lived state. This makes SIP highly scalable and substantially simplifies fail-over. To achieve this, SIP uses source routing mechanisms extensively. Due to its security weaknesses, the network layer protocols have long abandoned the idea of source routing, despite its theoretical appeal. Some IP source routing attacks and countermeasures can be applied to SIP.

Tags:  sip source home wolfgang-beck-tags nat session-initiation-protocol chaos-communication-congress network-layer-protocols  

Authors: Wolfgang Beck
Tags: VoIP SIP
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: The SIP home gateway -- which combines a NAT router, a SIP proxy, and analogue phone adapters -- is the weakest link in a Voice over IP network. SIP's numerous source routing mechanisms share the well-known security weaknesses of IP source routing. The talk discusses possible exploits and countermeasures. Telephony is steadily moving to Voice over IP, opening up a world of hacking opportunities. While many security issues have long been addressed in standardization, real-world VoIP suffers from incomplete and sometimes broken implementations. SIP home gateways -- which combine a NAT router, a SIP proxy, and a phone adapter are especially at risk. The predominant VoIP protocol SIP (Session Initiation Protocol) has been designed as an -- almost -- stateless protocol. The network elements responsible for call routing only keep very little and short-lived state. This makes SIP highly scalable and substantially simplifies fail-over. To achieve this, SIP uses source routing mechanisms extensively. Due to its security weaknesses, the network layer protocols have long abandoned the idea of source routing, despite its theoretical appeal. Some IP source routing attacks and countermeasures can be applied to SIP.

Tags:  sip source home wolfgang-beck-tags nat session-initiation-protocol chaos-communication-congress network-layer-protocols  

Authors: Wolfgang Beck
Tags: VoIP SIP
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: The SIP home gateway -- which combines a NAT router, a SIP proxy, and analogue phone adapters -- is the weakest link in a Voice over IP network. SIP's numerous source routing mechanisms share the well-known security weaknesses of IP source routing. The talk discusses possible exploits and countermeasures. Telephony is steadily moving to Voice over IP, opening up a world of hacking opportunities. While many security issues have long been addressed in standardization, real-world VoIP suffers from incomplete and sometimes broken implementations. SIP home gateways -- which combine a NAT router, a SIP proxy, and a phone adapter are especially at risk. The predominant VoIP protocol SIP (Session Initiation Protocol) has been designed as an -- almost -- stateless protocol. The network elements responsible for call routing only keep very little and short-lived state. This makes SIP highly scalable and substantially simplifies fail-over. To achieve this, SIP uses source routing mechanisms extensively. Due to its security weaknesses, the network layer protocols have long abandoned the idea of source routing, despite its theoretical appeal. Some IP source routing attacks and countermeasures can be applied to SIP.

Tags:  sip source home wolfgang-beck-tags nat session-initiation-protocol chaos-communication-congress network-layer-protocols  

Authors: Angela Crow
Tags: data mining
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: This paper explores the challenges of being proactive with existing and future data mining possibilities when facing the realities of institutional expectations for assessment and when facing the fact that one’s own understanding of cyber capabilities is less than ideal. This paper discusses the current assessment cyber resources, trends, and pressures within USA academic institutions and the challenges of reactive/proactive labor in the midst of multiple levels of technological/informational literacies amongst administrators. Years ago, when young nuns were entering a particular Catholic convent, they were asked to write autobiographical essays which were filed away along with other information about each nun. When they were elderly, these nuns agreed to be a part of a study on Alzheimers, giving permission for scientists to perform autopsies upon their deaths. Susan Kemper, a cognitive psychologist and psycholinguist was able to take the autobiographies from these humanities-based school teachers, and predict the probability of alzheimers from their sentence structures at eighteen. Luckily, replications of this kind of research are difficult. I say luckily because these kinds of findings might have potential hazards for those whose writing at 18 indicates alzheimers: specifically, living in a country in which health care is not a fundamental right, insurance companies might want access to this kind of data. I think of this study each time that I find myself in a meeting as an administrator at a university in the United States, navigating difficult decisions about gathering writing samples from a large group of 18 year old students. While our assessment rhetoric suggests that we “come in peace,” I find myself worrying over the potential hazards of employing certain cloud computing resources to facilitate our data collection of student essays. This paper explores the challenges of being proactive with existing and future data mining possibilities when facing the realities of institutional expectations for assessment and when facing the fact that one’s own understanding of cyber capabilities is less than ideal. This paper discusses the current assessment cyber resources, trends, and pressures within USA institutions and the challenges of reactive/proactive labor in the midst of multiple levels of technological/informational literacies amongst administrators.

Tags:  chaos-communication-congress catholic-convent cognitive-psychologist  

Tags: privacy
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: The objective of the session is to provide a critical overview of "privacy research" within computer science. The mechanisms proposed in the last ten year include mechanisms for anonymous communications, censorship resistance, selective disclosure credentials (and their integration in identity management systems), as well as privacy in databases. All of these system are meant to shield the user from different aspects of on-line surveillance either through allowing a user to keep some of her data "confidential" or by allowing her to assert "control" over her data. We will illustrate using concrete examples, why some paradigms came to dominate the field, their advantages, but also their blind spots, and unfulfilled promises given the conditions of our surveillance societies. Since 2000 there has been a renewed interest amongst computer scientists in the field of ”privacy technology”. This includes mechanisms for “anonymous” communications, censorship resistance, selective disclosure credentials, as well as privacy in databases - all of which are meant to shield the user from some aspects of on-line surveillance. Beyond the lab, some of those systems have been deployed and are widely used today. Yet, the type of surveillance against which privacy technologies are supposed to offer protection is often ill-defined, and widely varying between works: from an individual who wishes “to hide an occasional purchase from his spouse”, to “groups coordinating political dissent under totalitarian regimes”. While privacy is seen as the key unifying theme of these works only one aspect of it is systematically represented, namely ”confidentiality”. Privacy as self-definition, informational self-determination or as a public good that needs to be negotiated is often neglected. Further, the increasing omni-presence of surveillance technologies, the informatisation of every day life, as well as active resistance to on-line surveillance are used as justifying departure points for privacy technologies but they have so far not been explored in depth in the privacy research field. In this talk, we explore the development of contemporary privacy technologies, its key results and methodologies. At its heart our argument is that the field of privacy technology was seeded by computer security and cryptography experts that rushed to apply their tools to new problems, yielding mixed results. Additional pressures from different stakeholders to devise technology that will make large IT systems acceptable to the public has led to further confusion about the goals and methods most appropriate to embed privacy friendly values into computer systems. Further, the recent trend has been to replace the confidentiality paradigm with what can be called the "control" paradigm. Using concrete examples, we seek to explain why some paradigms came to dominate the field, their advantages, but also their blind spots, and unfulfilled promises.

Tags:  chaos-communication-congress selective-disclosure privacy-event  

Authors: Angela Crow
Tags: data mining
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: This paper explores the challenges of being proactive with existing and future data mining possibilities when facing the realities of institutional expectations for assessment and when facing the fact that one’s own understanding of cyber capabilities is less than ideal. This paper discusses the current assessment cyber resources, trends, and pressures within USA academic institutions and the challenges of reactive/proactive labor in the midst of multiple levels of technological/informational literacies amongst administrators. Years ago, when young nuns were entering a particular Catholic convent, they were asked to write autobiographical essays which were filed away along with other information about each nun. When they were elderly, these nuns agreed to be a part of a study on Alzheimers, giving permission for scientists to perform autopsies upon their deaths. Susan Kemper, a cognitive psychologist and psycholinguist was able to take the autobiographies from these humanities-based school teachers, and predict the probability of alzheimers from their sentence structures at eighteen. Luckily, replications of this kind of research are difficult. I say luckily because these kinds of findings might have potential hazards for those whose writing at 18 indicates alzheimers: specifically, living in a country in which health care is not a fundamental right, insurance companies might want access to this kind of data. I think of this study each time that I find myself in a meeting as an administrator at a university in the United States, navigating difficult decisions about gathering writing samples from a large group of 18 year old students. While our assessment rhetoric suggests that we “come in peace,” I find myself worrying over the potential hazards of employing certain cloud computing resources to facilitate our data collection of student essays. This paper explores the challenges of being proactive with existing and future data mining possibilities when facing the realities of institutional expectations for assessment and when facing the fact that one’s own understanding of cyber capabilities is less than ideal. This paper discusses the current assessment cyber resources, trends, and pressures within USA institutions and the challenges of reactive/proactive labor in the midst of multiple levels of technological/informational literacies amongst administrators.

Tags:  chaos-communication-congress catholic-convent cognitive-psychologist  

Tags: privacy
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: The objective of the session is to provide a critical overview of "privacy research" within computer science. The mechanisms proposed in the last ten year include mechanisms for anonymous communications, censorship resistance, selective disclosure credentials (and their integration in identity management systems), as well as privacy in databases. All of these system are meant to shield the user from different aspects of on-line surveillance either through allowing a user to keep some of her data "confidential" or by allowing her to assert "control" over her data. We will illustrate using concrete examples, why some paradigms came to dominate the field, their advantages, but also their blind spots, and unfulfilled promises given the conditions of our surveillance societies. Since 2000 there has been a renewed interest amongst computer scientists in the field of ”privacy technology”. This includes mechanisms for “anonymous” communications, censorship resistance, selective disclosure credentials, as well as privacy in databases - all of which are meant to shield the user from some aspects of on-line surveillance. Beyond the lab, some of those systems have been deployed and are widely used today. Yet, the type of surveillance against which privacy technologies are supposed to offer protection is often ill-defined, and widely varying between works: from an individual who wishes “to hide an occasional purchase from his spouse”, to “groups coordinating political dissent under totalitarian regimes”. While privacy is seen as the key unifying theme of these works only one aspect of it is systematically represented, namely ”confidentiality”. Privacy as self-definition, informational self-determination or as a public good that needs to be negotiated is often neglected. Further, the increasing omni-presence of surveillance technologies, the informatisation of every day life, as well as active resistance to on-line surveillance are used as justifying departure points for privacy technologies but they have so far not been explored in depth in the privacy research field. In this talk, we explore the development of contemporary privacy technologies, its key results and methodologies. At its heart our argument is that the field of privacy technology was seeded by computer security and cryptography experts that rushed to apply their tools to new problems, yielding mixed results. Additional pressures from different stakeholders to devise technology that will make large IT systems acceptable to the public has led to further confusion about the goals and methods most appropriate to embed privacy friendly values into computer systems. Further, the recent trend has been to replace the confidentiality paradigm with what can be called the "control" paradigm. Using concrete examples, we seek to explain why some paradigms came to dominate the field, their advantages, but also their blind spots, and unfulfilled promises.

Tags:  chaos-communication-congress selective-disclosure privacy-event  

Tags: privacy
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: The objective of the session is to provide a critical overview of "privacy research" within computer science. The mechanisms proposed in the last ten year include mechanisms for anonymous communications, censorship resistance, selective disclosure credentials (and their integration in identity management systems), as well as privacy in databases. All of these system are meant to shield the user from different aspects of on-line surveillance either through allowing a user to keep some of her data "confidential" or by allowing her to assert "control" over her data. We will illustrate using concrete examples, why some paradigms came to dominate the field, their advantages, but also their blind spots, and unfulfilled promises given the conditions of our surveillance societies. Since 2000 there has been a renewed interest amongst computer scientists in the field of ”privacy technology”. This includes mechanisms for “anonymous” communications, censorship resistance, selective disclosure credentials, as well as privacy in databases - all of which are meant to shield the user from some aspects of on-line surveillance. Beyond the lab, some of those systems have been deployed and are widely used today. Yet, the type of surveillance against which privacy technologies are supposed to offer protection is often ill-defined, and widely varying between works: from an individual who wishes “to hide an occasional purchase from his spouse”, to “groups coordinating political dissent under totalitarian regimes”. While privacy is seen as the key unifying theme of these works only one aspect of it is systematically represented, namely ”confidentiality”. Privacy as self-definition, informational self-determination or as a public good that needs to be negotiated is often neglected. Further, the increasing omni-presence of surveillance technologies, the informatisation of every day life, as well as active resistance to on-line surveillance are used as justifying departure points for privacy technologies but they have so far not been explored in depth in the privacy research field. In this talk, we explore the development of contemporary privacy technologies, its key results and methodologies. At its heart our argument is that the field of privacy technology was seeded by computer security and cryptography experts that rushed to apply their tools to new problems, yielding mixed results. Additional pressures from different stakeholders to devise technology that will make large IT systems acceptable to the public has led to further confusion about the goals and methods most appropriate to embed privacy friendly values into computer systems. Further, the recent trend has been to replace the confidentiality paradigm with what can be called the "control" paradigm. Using concrete examples, we seek to explain why some paradigms came to dominate the field, their advantages, but also their blind spots, and unfulfilled promises.

Tags:  eld privacy surveillance chaos-communication-congress selective-disclosure privacy-event  

Authors: Kay Hamacher Stefan Katzenbeisser
Tags: terrorism
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Telecommunications data retention (TDR) has become a reality in most Western countries. Protagonists claim that the collection of massive amounts of data on the communication behavior of all individuals within a country would enable law enforcement agencies to exploit patterns in the stored data to uncover connections between suspects. While this is obviously true for investigations after an incident happened, there is up to now no critical and sound assessment publicly available that evaluates whether TDR brings any pro-active benefits for the above mentioned, justified purposes. In this talk we give for the first time a critical assessment of the power of TDR based on methods from information theory. To this end we have employed agent based simulations, which mimic the communication behavior of a large community including a dark-net of alleged suspects. The structure and statistics of our telecommunication simulation, which drive the dynamics of telephone calls and simulated TDR data, were generated according to known statistics of real-world telecommunications networks. Hiding in the unavoidable noise seems to be a passive strategy for terrorists to circumvent pro-active detection. This stems from a "needle in the haystack"-problem, that arises due to the small number of conspirators compared to the number of other participants. In particular situations and with adopted strategies suspected terrorists might be able to eventually exploit TDR for their purposes and take an active approach to hiding in the crowd. Such TDR exploits would lower the probability of detection by law enforcement agencies and render TDR a potential security threat. Again, we use our simulations and our analysis procedure to assess this problem.

Tags:  tdr telecommunications communication stefan-katzenbeisser kay-hamacher chaos-communication-congress needle-in-the-haystack  

Tags: hacking
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: 4 minutes for every speaker. Learn about the good, the bad, and the ugly - in software, hardware, projects, and more. Give a lightning fast talk about your favourite project, program, system - and thereby find people with the same interest to proceed and promote it. Alternatively - give us a good rant about something and give us some good reasons why it should die. ;) Get right at it, don't waste time by explaining too much, get the main points across, and then let us know how to contact you on the congress for a talk!

Tags:  talk congress lightning chaos-communication-congress lightning-talks hardware-projects  

Tags: hacking
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: 4 minutes for every speaker. Learn about the good, the bad, and the ugly - in software, hardware, projects, and more. Give a lightning fast talk about your favourite project, program, system - and thereby find people with the same interest to proceed and promote it. Alternatively - give us a good rant about something and give us some good reasons why it should die. ;) Get right at it, don't waste time by explaining too much, get the main points across, and then let us know how to contact you on the congress for a talk!

Tags:  talk congress lightning chaos-communication-congress lightning-talks hardware-projects  

Authors: Peter Franck
Tags: forensic
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Data recovery has always been an area of myths. This lecture will lift some of their covers.

Tags:  video recovery data peter-franck chaos-communication-congress abstract-data  

Authors: Peter Franck
Tags: forensic
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Data recovery has always been an area of myths. This lecture will lift some of their covers.

Tags:  techniques recovery data peter-franck chaos-communication-congress abstract-data  

Authors: Peter Franck
Tags: forensic
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Data recovery has always been an area of myths. This lecture will lift some of their covers.

Tags:  chaos-communication-congress peter-franck abstract-data  

Tags: election
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Monitoring and reporting about elections in a war zone is a complex and dangerous task. While crisis mapping carried out via sms and email proved highly successful with the use of Ushahidi in situations like post-election violence in Kenya, tracking crime in Atlanta, or earthquake recovery in Haiti, could it prove useful in such a complex situation as the Afghan political process? This year a team of people set out to do just that with three different Ushahidi mapping projects for national media, national election observers, and international observers. The following presentation is about the challenges we faced, successes we did or did not have, and the lessons learned for the future of crisis mapping. In 2008 an open source mapping system called Ushahidi was put into public use for the first time in history. The occasion was a constitutional referendum in Kenya and the goal of the Ushahidi system was to map and track reports of violence throughout the country in the days following the vote. Through the use of sms reports from the general public, which were then categorized and published on an interactive map accessible on the internet, anyone anywhere in the world could not only get reports about what was happening, they could get almost real time reports about where violence was happening, when, and details regarding those incidents. The response in Kenya was so large and the attention the site got was so wide spread, Ushahidi would soon be used to map not only violence surrounding an election, but also earthquake recovery, snow storm recovery, forest fire prevention, crime data in urban environments, and elections monitoring. In each of these situations, the power of crowd-sourcing and interactive mapping via simple sms and email technology was all that was needed to get a body of information no media or government organization could compete with. In the summer of 2010, on the eve of Parliamentary elections in Afghanistan, several organizations interested in monitoring what happens at the polls and after the votes are in became interested in whether or not Ushahidi could be useful for their purposes. The Afghan Press agency, Pajwhok, as well as the national elections observer organization (FEFA) and the international elections observers (Democracy International) all sought to implement some form of Ushahidi system for their observers. They approached my organization, Small World News (SWN) that has assisted in Ushahidi projects in the past, to carry out this task. Over the course of just over 1 month, these three systems were rolled out in different ways, with varying level of restrictions due to security and other institutional regulations. The result tells three different stories about how the election went, while also providing a list of lessons about what open source interactive mapping can provide (or not provide) for a nation like Afghanistan with such a specific list of problems. The presentation is an explanation of both the process and the lessons learned.

Tags:  mapping ushahidi election afghanistan atlanta kenya haiti forest-fire-prevention chaos-communication-congress earthquake-recovery  

Tags: election
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Monitoring and reporting about elections in a war zone is a complex and dangerous task. While crisis mapping carried out via sms and email proved highly successful with the use of Ushahidi in situations like post-election violence in Kenya, tracking crime in Atlanta, or earthquake recovery in Haiti, could it prove useful in such a complex situation as the Afghan political process? This year a team of people set out to do just that with three different Ushahidi mapping projects for national media, national election observers, and international observers. The following presentation is about the challenges we faced, successes we did or did not have, and the lessons learned for the future of crisis mapping. In 2008 an open source mapping system called Ushahidi was put into public use for the first time in history. The occasion was a constitutional referendum in Kenya and the goal of the Ushahidi system was to map and track reports of violence throughout the country in the days following the vote. Through the use of sms reports from the general public, which were then categorized and published on an interactive map accessible on the internet, anyone anywhere in the world could not only get reports about what was happening, they could get almost real time reports about where violence was happening, when, and details regarding those incidents. The response in Kenya was so large and the attention the site got was so wide spread, Ushahidi would soon be used to map not only violence surrounding an election, but also earthquake recovery, snow storm recovery, forest fire prevention, crime data in urban environments, and elections monitoring. In each of these situations, the power of crowd-sourcing and interactive mapping via simple sms and email technology was all that was needed to get a body of information no media or government organization could compete with. In the summer of 2010, on the eve of Parliamentary elections in Afghanistan, several organizations interested in monitoring what happens at the polls and after the votes are in became interested in whether or not Ushahidi could be useful for their purposes. The Afghan Press agency, Pajwhok, as well as the national elections observer organization (FEFA) and the international elections observers (Democracy International) all sought to implement some form of Ushahidi system for their observers. They approached my organization, Small World News (SWN) that has assisted in Ushahidi projects in the past, to carry out this task. Over the course of just over 1 month, these three systems were rolled out in different ways, with varying level of restrictions due to security and other institutional regulations. The result tells three different stories about how the election went, while also providing a list of lessons about what open source interactive mapping can provide (or not provide) for a nation like Afghanistan with such a specific list of problems. The presentation is an explanation of both the process and the lessons learned.

Tags:  mapping ushahidi election afghanistan atlanta kenya haiti forest-fire-prevention chaos-communication-congress earthquake-recovery  

Tags: election
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Monitoring and reporting about elections in a war zone is a complex and dangerous task. While crisis mapping carried out via sms and email proved highly successful with the use of Ushahidi in situations like post-election violence in Kenya, tracking crime in Atlanta, or earthquake recovery in Haiti, could it prove useful in such a complex situation as the Afghan political process? This year a team of people set out to do just that with three different Ushahidi mapping projects for national media, national election observers, and international observers. The following presentation is about the challenges we faced, successes we did or did not have, and the lessons learned for the future of crisis mapping. In 2008 an open source mapping system called Ushahidi was put into public use for the first time in history. The occasion was a constitutional referendum in Kenya and the goal of the Ushahidi system was to map and track reports of violence throughout the country in the days following the vote. Through the use of sms reports from the general public, which were then categorized and published on an interactive map accessible on the internet, anyone anywhere in the world could not only get reports about what was happening, they could get almost real time reports about where violence was happening, when, and details regarding those incidents. The response in Kenya was so large and the attention the site got was so wide spread, Ushahidi would soon be used to map not only violence surrounding an election, but also earthquake recovery, snow storm recovery, forest fire prevention, crime data in urban environments, and elections monitoring. In each of these situations, the power of crowd-sourcing and interactive mapping via simple sms and email technology was all that was needed to get a body of information no media or government organization could compete with. In the summer of 2010, on the eve of Parliamentary elections in Afghanistan, several organizations interested in monitoring what happens at the polls and after the votes are in became interested in whether or not Ushahidi could be useful for their purposes. The Afghan Press agency, Pajwhok, as well as the national elections observer organization (FEFA) and the international elections observers (Democracy International) all sought to implement some form of Ushahidi system for their observers. They approached my organization, Small World News (SWN) that has assisted in Ushahidi projects in the past, to carry out this task. Over the course of just over 1 month, these three systems were rolled out in different ways, with varying level of restrictions due to security and other institutional regulations. The result tells three different stories about how the election went, while also providing a list of lessons about what open source interactive mapping can provide (or not provide) for a nation like Afghanistan with such a specific list of problems. The presentation is an explanation of both the process and the lessons learned.

Tags:  forest-fire-prevention chaos-communication-congress earthquake-recovery  

Authors: Ralf-Philipp Weinmann
Tags: backdoor embedded
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Want to persistently backdoor a laptop? Backdooring the BIOS is out of the question since your target can dump and diff it? Planting hardware is out of the question as well? Shhhhhhh.. I have something for you: Embedded controllers are present in every modern laptop, yet their security impact has been unresearched thus far. An embedded controller has access to the complete stream of keyboard scan codes, can control fans and the battery charging process. Backdooring the embedded controller is a powerful way to plant a persistent firmware keylogger that works in a cross-platform fashion. Since ECs usually also provide battery and temperature sensor readings through ACPI, there also exists a way to funnel out the keystroke data through a low-privilege process later. Some laptops even allow EC controller firmware updates over the LAN! I will present a PoC backdoor for a widespread series of laptops and show you how to defend yourself against this attack by dumping the EC firmware yourself.

Tags:  chaos-communication-congress controller-firmware keyboard-scan  

Authors: Ralf-Philipp Weinmann
Tags: backdoor embedded
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Want to persistently backdoor a laptop? Backdooring the BIOS is out of the question since your target can dump and diff it? Planting hardware is out of the question as well? Shhhhhhh.. I have something for you: Embedded controllers are present in every modern laptop, yet their security impact has been unresearched thus far. An embedded controller has access to the complete stream of keyboard scan codes, can control fans and the battery charging process. Backdooring the embedded controller is a powerful way to plant a persistent firmware keylogger that works in a cross-platform fashion. Since ECs usually also provide battery and temperature sensor readings through ACPI, there also exists a way to funnel out the keystroke data through a low-privilege process later. Some laptops even allow EC controller firmware updates over the LAN! I will present a PoC backdoor for a widespread series of laptops and show you how to defend yourself against this attack by dumping the EC firmware yourself.

Tags:  controller firmware backdoor lan ralf-philipp chaos-communication-congress controller-firmware keyboard-scan  

Authors: Marcus Nutzinger Rainer Poisel
Tags: cryptography
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Auditive steganography allows for various usage scenarios. In our project we focused on hidden communications in VoIP and GSM in which voice data is typically compressed and transmitted in realtime. A framework has been developed to meet these requirements, providing interfaces for robust steganographic algorithms. The need for steganography has arisen from scenarios that forbid the application of cryptographic algorithms for secure communications. Countries that made secret message exchange a delict are an example for such scenarios. The LSB algorithm used by many open- and closed-source projects is insecure, as its application can be statistically detected. Therefore, we focused on alternate approaches which are more robust against operations on the bit-level, such as compression, D/A-, A/D-conversion and channel idiosyncrasies, such as spread spectrum steganography in time and frequency domain. Secure and hidden communications demand more than an embedding algorithm. Involved elements include: protocols for data flow handling, various embedding algorithms and support for different I/O-interfaces. For correct interaction of these elements, arranging them in a layered model is a reasonable approach for the distribution of the required tasks such as frame and packet building, checksumming, transmission, etc. From this model we derived our software architecture which is portable to common platforms (Linux/Unix, Windows, ...) and various architectures (x8632, x8664, mips). This talk gives an introduction to the topic and describes the development and implementation of our framework based on a novel layered model for auditive steganography including a live demonstration.

Tags:  secure steganography model marcus-nutzinger chaos-communication-congress usage-scenarios spread-spectrum  

Authors: Marcus Nutzinger Rainer Poisel
Tags: cryptography
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Auditive steganography allows for various usage scenarios. In our project we focused on hidden communications in VoIP and GSM in which voice data is typically compressed and transmitted in realtime. A framework has been developed to meet these requirements, providing interfaces for robust steganographic algorithms. The need for steganography has arisen from scenarios that forbid the application of cryptographic algorithms for secure communications. Countries that made secret message exchange a delict are an example for such scenarios. The LSB algorithm used by many open- and closed-source projects is insecure, as its application can be statistically detected. Therefore, we focused on alternate approaches which are more robust against operations on the bit-level, such as compression, D/A-, A/D-conversion and channel idiosyncrasies, such as spread spectrum steganography in time and frequency domain. Secure and hidden communications demand more than an embedding algorithm. Involved elements include: protocols for data flow handling, various embedding algorithms and support for different I/O-interfaces. For correct interaction of these elements, arranging them in a layered model is a reasonable approach for the distribution of the required tasks such as frame and packet building, checksumming, transmission, etc. From this model we derived our software architecture which is portable to common platforms (Linux/Unix, Windows, ...) and various architectures (x8632, x8664, mips). This talk gives an introduction to the topic and describes the development and implementation of our framework based on a novel layered model for auditive steganography including a live demonstration.

Tags:  secure steganography model marcus-nutzinger chaos-communication-congress usage-scenarios spread-spectrum  

Authors: Marcus Nutzinger Rainer Poisel
Tags: cryptography
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Auditive steganography allows for various usage scenarios. In our project we focused on hidden communications in VoIP and GSM in which voice data is typically compressed and transmitted in realtime. A framework has been developed to meet these requirements, providing interfaces for robust steganographic algorithms. The need for steganography has arisen from scenarios that forbid the application of cryptographic algorithms for secure communications. Countries that made secret message exchange a delict are an example for such scenarios. The LSB algorithm used by many open- and closed-source projects is insecure, as its application can be statistically detected. Therefore, we focused on alternate approaches which are more robust against operations on the bit-level, such as compression, D/A-, A/D-conversion and channel idiosyncrasies, such as spread spectrum steganography in time and frequency domain. Secure and hidden communications demand more than an embedding algorithm. Involved elements include: protocols for data flow handling, various embedding algorithms and support for different I/O-interfaces. For correct interaction of these elements, arranging them in a layered model is a reasonable approach for the distribution of the required tasks such as frame and packet building, checksumming, transmission, etc. From this model we derived our software architecture which is portable to common platforms (Linux/Unix, Windows, ...) and various architectures (x8632, x8664, mips). This talk gives an introduction to the topic and describes the development and implementation of our framework based on a novel layered model for auditive steganography including a live demonstration.

Tags:  secure steganography model marcus-nutzinger chaos-communication-congress usage-scenarios spread-spectrum  

Authors: Nicholas Merrill
Tags: privacy
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: My name is Nicholas Merrill and I was the plaintiff in a legal case in the US court system where I challenged the FBI’s policy of using a feature of the so-called USA PATRIOT act - what are called “National Security Letters” - to bypass the American Constitution's system of checks and balances and in violation of the United Nations Universal Declaration of Human Rights - in order to obtain protected personal information and to unmask anonymous Internet users. I spent over 6 years not able to speak to anyone (other than my lawyers) about my case - forced to lie to those closest to me due to an FBI gag order that carried a possible 10 year prison sentence for violating it. However the lawsuit resulted in the establishment of two key legal precedents and made changes that affect every Internet worker and Telephone worker in America. I would like to speak to the 27C3 audience in order to tell about my experience and to challenge (and offer my support and assistance to) those individuals who are in a position to challenge government surveillance requests to follow their consciences and do so. People who work at Internet Service Providers and Telephone companies as well as IT workers at Universities and private businesses are increasingly likely to encounter government attempts at surveillance. I would like to speak to the CCC regarding my experiences in resisting a National Security Letter and also a “Grand Jury Subpoena” as well as my experience of being gagged by the FBI for nearly 7 years - unable to speak on the subject or identify myself as the plaintiff in the NSL lawsuit. Nicholas Merrill founded Calyx Internet Access Corporation in 1995. Calyx Internet Access was one of the first commercial Internet service providers operating in New York City. Calyx pursued relationships with and worked with many activist groups on a pro bono or low-cost basis, including the New York Civil Liberties Union, the Independent Media Center (Indymedia.org) and the Drug Policy Foundation. In 2004, after a receiving a “National Security Letter” from the Federal Bureau of Investigation, and a subsequent request from the U.S. Secret Service, Calyx became involved with the ACLU and in using the legal system and the media to resist illegal government requests for information on Internet users. For six and a half years, Merrill and the ACLU tirelessly challenged the orders contained in the letter, resulting in the establishment of two key legal precedents overturning aspects of the national security letter program. Along the way he encountered court proceedings where he could not even be present - where he could not be referred to by name, but instead was referred to in all court documents as "John Doe". He also encountered heavy handed government censorship of court documents under the guise of "National Security" and secret evidence presented to the judge by the FBI that his attorneys were not allowed to see. The merging of Merrill's long interest in advocacy and free speech combined with his experience with the U.S. government inspired him to form a non-govermental organization (NGO) to deal specifically with this issue without being distracted or compromised by the requirements of a for-profit business.

Tags:  internet government security u.s.-secret nicholas-merrill john-doe u.s. america usa new-york-city chaos-communication-congress  

Authors: Nicholas Merrill
Tags: privacy
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: My name is Nicholas Merrill and I was the plaintiff in a legal case in the US court system where I challenged the FBI’s policy of using a feature of the so-called USA PATRIOT act - what are called “National Security Letters” - to bypass the American Constitution's system of checks and balances and in violation of the United Nations Universal Declaration of Human Rights - in order to obtain protected personal information and to unmask anonymous Internet users. I spent over 6 years not able to speak to anyone (other than my lawyers) about my case - forced to lie to those closest to me due to an FBI gag order that carried a possible 10 year prison sentence for violating it. However the lawsuit resulted in the establishment of two key legal precedents and made changes that affect every Internet worker and Telephone worker in America. I would like to speak to the 27C3 audience in order to tell about my experience and to challenge (and offer my support and assistance to) those individuals who are in a position to challenge government surveillance requests to follow their consciences and do so. People who work at Internet Service Providers and Telephone companies as well as IT workers at Universities and private businesses are increasingly likely to encounter government attempts at surveillance. I would like to speak to the CCC regarding my experiences in resisting a National Security Letter and also a “Grand Jury Subpoena” as well as my experience of being gagged by the FBI for nearly 7 years - unable to speak on the subject or identify myself as the plaintiff in the NSL lawsuit. Nicholas Merrill founded Calyx Internet Access Corporation in 1995. Calyx Internet Access was one of the first commercial Internet service providers operating in New York City. Calyx pursued relationships with and worked with many activist groups on a pro bono or low-cost basis, including the New York Civil Liberties Union, the Independent Media Center (Indymedia.org) and the Drug Policy Foundation. In 2004, after a receiving a “National Security Letter” from the Federal Bureau of Investigation, and a subsequent request from the U.S. Secret Service, Calyx became involved with the ACLU and in using the legal system and the media to resist illegal government requests for information on Internet users. For six and a half years, Merrill and the ACLU tirelessly challenged the orders contained in the letter, resulting in the establishment of two key legal precedents overturning aspects of the national security letter program. Along the way he encountered court proceedings where he could not even be present - where he could not be referred to by name, but instead was referred to in all court documents as "John Doe". He also encountered heavy handed government censorship of court documents under the guise of "National Security" and secret evidence presented to the judge by the FBI that his attorneys were not allowed to see. The merging of Merrill's long interest in advocacy and free speech combined with his experience with the U.S. government inspired him to form a non-govermental organization (NGO) to deal specifically with this issue without being distracted or compromised by the requirements of a for-profit business.

Tags:  internet government security u.s.-secret nicholas-merrill john-doe u.s. america usa new-york-city chaos-communication-congress  

Authors: Bernd Sieker
Tags: science
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Getting the interfaces right to computers controlling complex and dangerous machines such as commercial airliners is crucial. I will present a successful accident analysis method and talk about interface design problems, ideas for solutions, methods for understanding causal control flow. There will be some spectacular aviation accident videos and stories of bad luck, bad design, bad decisions, and a hero that managed to turn a near-catastrophe into an accident without fatalities. Getting the Interface right can be crucial. So does an understanding of the underlying logic, and knowledge of correct procedures when operating complex devices. Modern airliners are incredibly complex machines, no person can fully understand what is going on. This starts at simple things like fuel systems (e. g. the B777 has only two engines and three fuel tanks, how complicated can that be? Surprisingly so.) and goes on to autopilots, autothrottle systems, FADECs (Full Authority Digital Engine Control), Flight Management, Guidance and Envelope Computers (FMGEC), digital fly-by-wire systems, weight computations etc. Apart from the largely unsolved problems of how to create software for these systems that is demonstrably extremely reliable (in commercial aviation we're talking about probablities of dangerous failures of 1 in a billion flight hours: testing just won't do), there is the underrated question of getting the interface right. What to annunciate to the crew and when, and in which form? Some accidents and incidents are directly related to a flight crew being confused by the annunciations, or didn't know how to react properly to seemingly unrelated warnings. At other times, a pertinent and important warning is suppressed because another, ostensibly more important warning inhibited the other one. I'll be talking about some accidents that we have analysed using Why-Because-Analysis (see http://www.rvs.uni-bielefeld.de/research/WBA/) in which the interface and the automation played a role. I will also be talking about some design principles to guide interface design and interactive safety.

Tags:  chaos-communication-congress interface-design-problems fly-by-wire  

Authors: Ralf-Philipp Weinmann
Tags: GSM
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Attack scenarios against mobile phones have thus far concentrated on the application processor. The operating systems running on these processors are getting hardened by vendors as can be seen in the case of Apple's iOS -- the current release uses data execution prevention and code signing. In contrast, the GSM stack running on the baseband processor is neglected. The advent of open-source solutions such as OpenBSC and OpenBTS for running GSM base stations is a game-changer: Malicious base stations are not within the attack model assumed by the GSMA and ETSI. This talks explores the viability of attacks against the baseband processor of GSM cellular phones. Results presented will be the first over-the-air memory corruption exploitation of bugs in a number of widespread GSM stacks that that allow for remote code execution.

Tags:  processor gsm baseband ralf-philipp chaos-communication-congress open-source-solutions memory-corruption  

Authors: Bernd Sieker
Tags: science
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Getting the interfaces right to computers controlling complex and dangerous machines such as commercial airliners is crucial. I will present a successful accident analysis method and talk about interface design problems, ideas for solutions, methods for understanding causal control flow. There will be some spectacular aviation accident videos and stories of bad luck, bad design, bad decisions, and a hero that managed to turn a near-catastrophe into an accident without fatalities. Getting the Interface right can be crucial. So does an understanding of the underlying logic, and knowledge of correct procedures when operating complex devices. Modern airliners are incredibly complex machines, no person can fully understand what is going on. This starts at simple things like fuel systems (e. g. the B777 has only two engines and three fuel tanks, how complicated can that be? Surprisingly so.) and goes on to autopilots, autothrottle systems, FADECs (Full Authority Digital Engine Control), Flight Management, Guidance and Envelope Computers (FMGEC), digital fly-by-wire systems, weight computations etc. Apart from the largely unsolved problems of how to create software for these systems that is demonstrably extremely reliable (in commercial aviation we're talking about probablities of dangerous failures of 1 in a billion flight hours: testing just won't do), there is the underrated question of getting the interface right. What to annunciate to the crew and when, and in which form? Some accidents and incidents are directly related to a flight crew being confused by the annunciations, or didn't know how to react properly to seemingly unrelated warnings. At other times, a pertinent and important warning is suppressed because another, ostensibly more important warning inhibited the other one. I'll be talking about some accidents that we have analysed using Why-Because-Analysis (see http://www.rvs.uni-bielefeld.de/research/WBA/) in which the interface and the automation played a role. I will also be talking about some design principles to guide interface design and interactive safety.

Tags:  design interface accident bernd-sieker chaos-communication-congress interface-design-problems fly-by-wire  

Authors: Bernd Sieker
Tags: science
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Getting the interfaces right to computers controlling complex and dangerous machines such as commercial airliners is crucial. I will present a successful accident analysis method and talk about interface design problems, ideas for solutions, methods for understanding causal control flow. There will be some spectacular aviation accident videos and stories of bad luck, bad design, bad decisions, and a hero that managed to turn a near-catastrophe into an accident without fatalities. Getting the Interface right can be crucial. So does an understanding of the underlying logic, and knowledge of correct procedures when operating complex devices. Modern airliners are incredibly complex machines, no person can fully understand what is going on. This starts at simple things like fuel systems (e. g. the B777 has only two engines and three fuel tanks, how complicated can that be? Surprisingly so.) and goes on to autopilots, autothrottle systems, FADECs (Full Authority Digital Engine Control), Flight Management, Guidance and Envelope Computers (FMGEC), digital fly-by-wire systems, weight computations etc. Apart from the largely unsolved problems of how to create software for these systems that is demonstrably extremely reliable (in commercial aviation we're talking about probablities of dangerous failures of 1 in a billion flight hours: testing just won't do), there is the underrated question of getting the interface right. What to annunciate to the crew and when, and in which form? Some accidents and incidents are directly related to a flight crew being confused by the annunciations, or didn't know how to react properly to seemingly unrelated warnings. At other times, a pertinent and important warning is suppressed because another, ostensibly more important warning inhibited the other one. I'll be talking about some accidents that we have analysed using Why-Because-Analysis (see http://www.rvs.uni-bielefeld.de/research/WBA/) in which the interface and the automation played a role. I will also be talking about some design principles to guide interface design and interactive safety.

Tags:  design interface accident bernd-sieker chaos-communication-congress interface-design-problems fly-by-wire  

Authors: Ralf-Philipp Weinmann
Tags: GSM
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Attack scenarios against mobile phones have thus far concentrated on the application processor. The operating systems running on these processors are getting hardened by vendors as can be seen in the case of Apple's iOS -- the current release uses data execution prevention and code signing. In contrast, the GSM stack running on the baseband processor is neglected. The advent of open-source solutions such as OpenBSC and OpenBTS for running GSM base stations is a game-changer: Malicious base stations are not within the attack model assumed by the GSMA and ETSI. This talks explores the viability of attacks against the baseband processor of GSM cellular phones. Results presented will be the first over-the-air memory corruption exploitation of bugs in a number of widespread GSM stacks that that allow for remote code execution.

Tags:  processor gsm baseband ralf-philipp chaos-communication-congress open-source-solutions memory-corruption  

Authors: Alex Antener Corey Cerovsek Julien Quentin
Tags: music
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Corey Cerovsek and Julien Quentin, accomplished musicians known worldwide for their classical recital performances, and media artist Alex Antener present something that's not quite an ordinary concert, to draw attention to the importance of the public domain in centuries of classical music tradition. It's both more — and less — than what you might expect to see and hear at a classical concert. Mixing live and recorded music with visuals with a message, Julien Quentin, Corey Cerovsek and Alex Antener imagine the heavy curtain of a non-free culture falling on four hundred years of classical music. Ripping and mixing have been going on for longer than you might imagine, and without the Public Domain, much of our classical heritage would be replaced with silence. From Lennon to Bernstein, Bernstein to Mozart, Liszt to Paganini, Sarasate to Bizet, Mendelssohn to Bach, classical music has been a culture of ceaseless sharing in which individuals have nonetheless been able to project indelible voices across the centuries. Had music always been controlled as some would like it to be controlled now, would we have this rich tradition to transmit to you?

Tags:  corey concert music bach mozart quentin quentin-tags alex-antener chaos-communication-congress four-hundred-years corey-cerovsek  

Authors: Oona Leganovic
Tags: audio music
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: The birth of the modern science of acoustics was directly intertwined with the desires to surveill and communicate, either in secret or to everybody at once. Acoustics was not just about 'learning more about nature,' right from the start it was an applied science, driven by very clear notions of who has the right, and thus should have the possibility, of listening in on others, who needs to be able to converse in private, and who should be heard by everybody if he wishes to. How are these historical ideas related to those of today? The talk teases out these juicy implications from mostly original source material, focussing on the strange figure of the Jesuit Athanasius Kircher, but also looking at better known characters of the Scientific Revolution like Francis Bacon, Marin Mersenne, and the early Royal Society. There are plenty of phantastic 'scientific' illustrations to look at as well as descriptions of devices (for the amplification of sound, for acoustical surveillance, entertainment, and the so called 'cryptoacoustics') that did or rather did not work to laugh about, but the key questions are those about power and its relationship to notions of privacy and communication, the history of privacy as a privilege and surveillance as a 'right' of government. Some of these ideas become especially clear in the phantasies they produced. How are these historical ideas related to our own about who gets to listen in, who gets to converse in private, and who get to be heard by everybody? And what has all that to do with the history of science, and even magic?

Tags:  science everybody history marin-mersenne oona-leganovic chaos-communication-congress athanasius-kircher  

Authors: Alex Antener Corey Cerovsek Julien Quentin
Tags: music
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Corey Cerovsek and Julien Quentin, accomplished musicians known worldwide for their classical recital performances, and media artist Alex Antener present something that's not quite an ordinary concert, to draw attention to the importance of the public domain in centuries of classical music tradition. It's both more — and less — than what you might expect to see and hear at a classical concert. Mixing live and recorded music with visuals with a message, Julien Quentin, Corey Cerovsek and Alex Antener imagine the heavy curtain of a non-free culture falling on four hundred years of classical music. Ripping and mixing have been going on for longer than you might imagine, and without the Public Domain, much of our classical heritage would be replaced with silence. From Lennon to Bernstein, Bernstein to Mozart, Liszt to Paganini, Sarasate to Bizet, Mendelssohn to Bach, classical music has been a culture of ceaseless sharing in which individuals have nonetheless been able to project indelible voices across the centuries. Had music always been controlled as some would like it to be controlled now, would we have this rich tradition to transmit to you?

Tags:  chaos-communication-congress four-hundred-years corey-cerovsek  

Authors: Alex Antener Corey Cerovsek Julien Quentin
Tags: music
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Corey Cerovsek and Julien Quentin, accomplished musicians known worldwide for their classical recital performances, and media artist Alex Antener present something that's not quite an ordinary concert, to draw attention to the importance of the public domain in centuries of classical music tradition. It's both more — and less — than what you might expect to see and hear at a classical concert. Mixing live and recorded music with visuals with a message, Julien Quentin, Corey Cerovsek and Alex Antener imagine the heavy curtain of a non-free culture falling on four hundred years of classical music. Ripping and mixing have been going on for longer than you might imagine, and without the Public Domain, much of our classical heritage would be replaced with silence. From Lennon to Bernstein, Bernstein to Mozart, Liszt to Paganini, Sarasate to Bizet, Mendelssohn to Bach, classical music has been a culture of ceaseless sharing in which individuals have nonetheless been able to project indelible voices across the centuries. Had music always been controlled as some would like it to be controlled now, would we have this rich tradition to transmit to you?

Tags:  chaos-communication-congress four-hundred-years corey-cerovsek  

Authors: Alex Antener Corey Cerovsek Julien Quentin
Tags: music
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Corey Cerovsek and Julien Quentin, accomplished musicians known worldwide for their classical recital performances, and media artist Alex Antener present something that's not quite an ordinary concert, to draw attention to the importance of the public domain in centuries of classical music tradition. It's both more — and less — than what you might expect to see and hear at a classical concert. Mixing live and recorded music with visuals with a message, Julien Quentin, Corey Cerovsek and Alex Antener imagine the heavy curtain of a non-free culture falling on four hundred years of classical music. Ripping and mixing have been going on for longer than you might imagine, and without the Public Domain, much of our classical heritage would be replaced with silence. From Lennon to Bernstein, Bernstein to Mozart, Liszt to Paganini, Sarasate to Bizet, Mendelssohn to Bach, classical music has been a culture of ceaseless sharing in which individuals have nonetheless been able to project indelible voices across the centuries. Had music always been controlled as some would like it to be controlled now, would we have this rich tradition to transmit to you?

Tags:  chaos-communication-congress four-hundred-years corey-cerovsek  

Authors: Oona Leganovic
Tags: audio music
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: The birth of the modern science of acoustics was directly intertwined with the desires to surveill and communicate, either in secret or to everybody at once. Acoustics was not just about 'learning more about nature,' right from the start it was an applied science, driven by very clear notions of who has the right, and thus should have the possibility, of listening in on others, who needs to be able to converse in private, and who should be heard by everybody if he wishes to. How are these historical ideas related to those of today? The talk teases out these juicy implications from mostly original source material, focussing on the strange figure of the Jesuit Athanasius Kircher, but also looking at better known characters of the Scientific Revolution like Francis Bacon, Marin Mersenne, and the early Royal Society. There are plenty of phantastic 'scientific' illustrations to look at as well as descriptions of devices (for the amplification of sound, for acoustical surveillance, entertainment, and the so called 'cryptoacoustics') that did or rather did not work to laugh about, but the key questions are those about power and its relationship to notions of privacy and communication, the history of privacy as a privilege and surveillance as a 'right' of government. Some of these ideas become especially clear in the phantasies they produced. How are these historical ideas related to our own about who gets to listen in, who gets to converse in private, and who get to be heard by everybody? And what has all that to do with the history of science, and even magic?

Tags:  chaos-communication-congress athanasius-kircher marin-mersenne  

Authors: Oona Leganovic
Tags: audio music
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: The birth of the modern science of acoustics was directly intertwined with the desires to surveill and communicate, either in secret or to everybody at once. Acoustics was not just about 'learning more about nature,' right from the start it was an applied science, driven by very clear notions of who has the right, and thus should have the possibility, of listening in on others, who needs to be able to converse in private, and who should be heard by everybody if he wishes to. How are these historical ideas related to those of today? The talk teases out these juicy implications from mostly original source material, focussing on the strange figure of the Jesuit Athanasius Kircher, but also looking at better known characters of the Scientific Revolution like Francis Bacon, Marin Mersenne, and the early Royal Society. There are plenty of phantastic 'scientific' illustrations to look at as well as descriptions of devices (for the amplification of sound, for acoustical surveillance, entertainment, and the so called 'cryptoacoustics') that did or rather did not work to laugh about, but the key questions are those about power and its relationship to notions of privacy and communication, the history of privacy as a privilege and surveillance as a 'right' of government. Some of these ideas become especially clear in the phantasies they produced. How are these historical ideas related to our own about who gets to listen in, who gets to converse in private, and who get to be heard by everybody? And what has all that to do with the history of science, and even magic?

Tags:  chaos-communication-congress athanasius-kircher marin-mersenne  

Authors: Andreas Bogk
Tags: security
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: The security model of our current computer architectures - kernel in ring 0, processes in ring 3 - goes back to the early 70s. However, science hasn't stopped. This talk is going to look into the state of the art in building secure computers, with a focus on type systems and formal verification, and hopefully an outlook on how tomorrow's computers will be more secure than what you can buy now.

Tags:  chaos-communication-congress computer-architectures ring-0  

Authors: Daniel J. Bernstein
Tags: cryptography
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Are you writing a program that sends data through the Internet? Are you sending the data through HTTP, or SMTP, or simply TCP, leaving it vulnerable to espionage, corruption, and sabotage by anyone who owns a machine connected to the same network? You can use SSH and IPsec to protect communication with your own machines, but how do you talk to the rest of the Internet? You can use TCPcrypt to protect yourself against attackers too lazy to forge packets, but how do you protect yourself against serious attackers? You can use HTTPS for low-frequency communication, but how do you handle heavy network traffic, and how do you protect yourself against the security flaws in HTTPS? Today's Internet cryptography is slow, untrustworthy, hard to use, and remarkably unsuccessful as a competitor to good old unprotected TCP. This talk will present a different approach to high-security Internet cryptography. This approach is easy for users, easy for system administrators, and, perhaps most importantly, easy for programmers. The main reason that the approach has not been tried before is that it seems to involve very slow cryptographic operations; this talk will show that the approach is extremely fast when it is done right.

Tags:  internet cryptography approach daniel-j.-bernstein chaos-communication-congress internet-cryptography internet-authors  

Authors: Daniel J. Bernstein
Tags: cryptography
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Are you writing a program that sends data through the Internet? Are you sending the data through HTTP, or SMTP, or simply TCP, leaving it vulnerable to espionage, corruption, and sabotage by anyone who owns a machine connected to the same network? You can use SSH and IPsec to protect communication with your own machines, but how do you talk to the rest of the Internet? You can use TCPcrypt to protect yourself against attackers too lazy to forge packets, but how do you protect yourself against serious attackers? You can use HTTPS for low-frequency communication, but how do you handle heavy network traffic, and how do you protect yourself against the security flaws in HTTPS? Today's Internet cryptography is slow, untrustworthy, hard to use, and remarkably unsuccessful as a competitor to good old unprotected TCP. This talk will present a different approach to high-security Internet cryptography. This approach is easy for users, easy for system administrators, and, perhaps most importantly, easy for programmers. The main reason that the approach has not been tried before is that it seems to involve very slow cryptographic operations; this talk will show that the approach is extremely fast when it is done right.

Tags:  internet cryptography approach daniel-j.-bernstein chaos-communication-congress internet-cryptography internet-authors  

Authors: Andreas Bogk
Tags: security
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: The security model of our current computer architectures - kernel in ring 0, processes in ring 3 - goes back to the early 70s. However, science hasn't stopped. This talk is going to look into the state of the art in building secure computers, with a focus on type systems and formal verification, and hopefully an outlook on how tomorrow's computers will be more secure than what you can buy now.

Tags:  audio security ring andreas-bogk chaos-communication-congress computer-architectures ring-0  

Authors: Felix 'FX' Lindner
Tags: reverse engineering
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: The Reverse Engineer occasionally faces situations where even his most advanced commercial tools do not support the instruction set of an arcane CPU. To overcome this situation, one can develop the missing disassembler. This talk is meant to be a tutorial on how to approach the task, what to focus on first and what surprises one may be in for. The primary focus will be on the transformation of byte code back into mnemonic representation where only the reverse transformation is available (i.e. you have the respective assembler). It also covers how to integrate your new disassembler into your reverse engineering tool chain.

Tags:  transformation engineering disassembler felix chaos-communication-congress reverse-engineer commercial-tools  

Authors: Jesse Burns Peter Eckersley
Tags: X.509 SSL
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: The EFF SSL Observatory has collected a dataset of all TLS/HTTPS certificates visible on the public web. We discuss this dataset - what we have learned from it, how you can use it, and how intend to offer a live, continually updated version of it. TLS/SSL is only as good as your mechanism for verifying the other party, and it turns out that with HTTPS and other CA-certified applications of TLS, that mechanism involves trusting a lot of governments, companies and individuals. The SSL observatory is a project to bring more transparency to SSL Certificate Authorities, and help understand who really controls the web's cryptographic authentication infrastructure. The Observatory is an Electronic Frontier Foundation (EFF) project that began by surveying port 443 of all public IPv4 space. At Defcon 2010, we reported the initial findings of the SSL Observatory. That included thousands of valid 'localhost' certificates, certificates with weak keys, CA certs sharing keys and with suspicious expiration dates, and the fact that there are approximately 650 organisations that can sign a certificate for any domain that will be trusted by modern desktop browsers, including some that you might regard as untrustworthy. In this talk we will give an update on new developments in the project, including where to find a copy of our data and how to work with it for your own research; the progress made at fixing some of the vulnerabilities we found; and our design for a new, decentralised version of the SSL Observatory.

Tags:  observatory tls ssl jesse-burns peter-eckersley chaos-communication-congress electronic-frontier-foundation https-certificates  

Authors: Jesse Burns Peter Eckersley
Tags: X.509 SSL
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: The EFF SSL Observatory has collected a dataset of all TLS/HTTPS certificates visible on the public web. We discuss this dataset - what we have learned from it, how you can use it, and how intend to offer a live, continually updated version of it. TLS/SSL is only as good as your mechanism for verifying the other party, and it turns out that with HTTPS and other CA-certified applications of TLS, that mechanism involves trusting a lot of governments, companies and individuals. The SSL observatory is a project to bring more transparency to SSL Certificate Authorities, and help understand who really controls the web's cryptographic authentication infrastructure. The Observatory is an Electronic Frontier Foundation (EFF) project that began by surveying port 443 of all public IPv4 space. At Defcon 2010, we reported the initial findings of the SSL Observatory. That included thousands of valid 'localhost' certificates, certificates with weak keys, CA certs sharing keys and with suspicious expiration dates, and the fact that there are approximately 650 organisations that can sign a certificate for any domain that will be trusted by modern desktop browsers, including some that you might regard as untrustworthy. In this talk we will give an update on new developments in the project, including where to find a copy of our data and how to work with it for your own research; the progress made at fixing some of the vulnerabilities we found; and our design for a new, decentralised version of the SSL Observatory.

Tags:  observatory tls ssl jesse-burns peter-eckersley chaos-communication-congress electronic-frontier-foundation https-certificates  

Authors: Jesse Burns Peter Eckersley
Tags: X.509 SSL
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: The EFF SSL Observatory has collected a dataset of all TLS/HTTPS certificates visible on the public web. We discuss this dataset - what we have learned from it, how you can use it, and how intend to offer a live, continually updated version of it. TLS/SSL is only as good as your mechanism for verifying the other party, and it turns out that with HTTPS and other CA-certified applications of TLS, that mechanism involves trusting a lot of governments, companies and individuals. The SSL observatory is a project to bring more transparency to SSL Certificate Authorities, and help understand who really controls the web's cryptographic authentication infrastructure. The Observatory is an Electronic Frontier Foundation (EFF) project that began by surveying port 443 of all public IPv4 space. At Defcon 2010, we reported the initial findings of the SSL Observatory. That included thousands of valid 'localhost' certificates, certificates with weak keys, CA certs sharing keys and with suspicious expiration dates, and the fact that there are approximately 650 organisations that can sign a certificate for any domain that will be trusted by modern desktop browsers, including some that you might regard as untrustworthy. In this talk we will give an update on new developments in the project, including where to find a copy of our data and how to work with it for your own research; the progress made at fixing some of the vulnerabilities we found; and our design for a new, decentralised version of the SSL Observatory.

Tags:  observatory tls ssl jesse-burns peter-eckersley chaos-communication-congress electronic-frontier-foundation https-certificates  

Authors: Karsten Becker Robert Böhme
Tags: science robotics
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: The Part-Time Scientists is an international team of Scientists and Engineers participating in the first private race to the moon, the Google Lunar X-Prize. Our approach to win this competition is quite unique as everyone involved really is a part-time scientist. In our presentation we will present our latest lunar rover, lander, electronic and communications developments. The presentation will feature: our self developed embedded systems, how we designed radiation hardened and fault tolerant systems, the production of our second rover generation and their first tests, our prototype real world testings, what we've done in 2010, what we've planning for 2011, and a lot more interesting topics! Our presentation will be focused on actual hardware with a rather short introduction to the topic in general.

Tags:  lunar presentation time robert-bhme chaos-communication-congress fault-tolerant-systems communications-developments  

Authors: Mathias Payer
Tags: exploiting
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Unsafe languages and an arms race for new bugs calls for an additional line of defense in software systems. User-space virtualization uses dynamic instrumentation to detect different attack vectors and protects from the execution of malicious code. An additional advantage of these virtualization systems is that they can be used to analyze different exploits step by step and to extract the exploit code from a running program. This talk explains the concept of different attack vectors (stack buffer overflows, format string attacks, return to libc attacks, race attacks / TOCTTOU, integer overflows, heap buffer overflows, and code anomalies). For each of these attack vectors we show possible exploits and explain how the virtualization system is able to detect and prevent the exploit. User-space virtualization uses a binary translation framework to instrument all running code. The instrumentation works like an additional virtualization layer and makes it possible to observe any changes to the runtime datastructures (code and data) of a running program. We use fastBT to instrument and analyze different exploitable programs. The added instrumentation detects changes in runtime layout and stops the program whenever exploit code is about to be executed. This talk presents different classes of exploits that can be observed in a dynamic instrumentation system. The exploits are analyzed and different security strategies are discussed. We then show how the instrumentation framework can implement an online protection mechanism against each class of attack vectors. Observable Attack Vectors Stack Overflow A limited buffer is (over) flown with user-data and over writes data on the stack (e.g., the return instruction pointer). Format String Attack An attack can write to an arbitrary address (e.g., the return instruction pointer or the address of a library function) if unvalidated user input is passed directly to the printf function. Return to libc Attack This attack prepares multiple stack frames that execute code sequences in libraries. The stack frame can be constructed so that (almost) arbitrary code is executed. Race Attacks / TOCTTOU Time-of-check-to-time-of-use race conditions exploit the fact that they can change values on the stack after they are checked but before they are used in the program or kernel. Integer Overflow Overflows can be triggered by using a negative integer value instead of an unsigned value. Heap Overflow A heap buffer overflow is used to overwrite function pointers or data from the memory allocator to trigger execution of arbitrary code. Code Anomalies x86_64 code is backward compatible to ia32 and in modern operating systems x86_64 and ia32 code can be mixed. The mix of different system calls makes it possible to break out of sand boxes that are not aware of all possible combinations of system calls. The exploits are detected generally whenever the program branches to the injected code or to the constructed code fragments. The program is interrupted and a debugger can be attached to analyze the state of the program. TOCTTOU attacks can be detected by observing the threads and using a specific system call architecture. Conclusion Dynamic instrumentation is an important tool to prohibit, detect, and analyze different attack vectors to running programs. Additional instrumentation guards can be used to better understand exploits. The additional layer of virtualization implemented through dynamic instrumentation can be used to detect and log bugs and is an additional line of defense against new exploits. Related Work A detailed discussion of related work is in the paper. These references here are for informational purposes only (to show how this talk was inspired) and not complete.

Tags:  code instrumentation attack mathias-payer chaos-communication-congress format-string-attack format-string-attacks  

Authors: Karsten Becker Robert Böhme
Tags: science robotics
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: The Part-Time Scientists is an international team of Scientists and Engineers participating in the first private race to the moon, the Google Lunar X-Prize. Our approach to win this competition is quite unique as everyone involved really is a part-time scientist. In our presentation we will present our latest lunar rover, lander, electronic and communications developments. The presentation will feature: our self developed embedded systems, how we designed radiation hardened and fault tolerant systems, the production of our second rover generation and their first tests, our prototype real world testings, what we've done in 2010, what we've planning for 2011, and a lot more interesting topics! Our presentation will be focused on actual hardware with a rather short introduction to the topic in general.

Tags:  lunar presentation time robert-bhme chaos-communication-congress fault-tolerant-systems communications-developments  

Authors: Karsten Becker Robert Böhme
Tags: science robotics
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: The Part-Time Scientists is an international team of Scientists and Engineers participating in the first private race to the moon, the Google Lunar X-Prize. Our approach to win this competition is quite unique as everyone involved really is a part-time scientist. In our presentation we will present our latest lunar rover, lander, electronic and communications developments. The presentation will feature: our self developed embedded systems, how we designed radiation hardened and fault tolerant systems, the production of our second rover generation and their first tests, our prototype real world testings, what we've done in 2010, what we've planning for 2011, and a lot more interesting topics! Our presentation will be focused on actual hardware with a rather short introduction to the topic in general.

Tags:  lunar presentation time robert-bhme chaos-communication-congress fault-tolerant-systems communications-developments  

Authors: Felix Geisendörfer
Tags: Javascript
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Node.js is a library that provides non-blocking I/O for Google's V8 JavaScript engine. This talk explores node's suitability for a diverse range of networking applications. Writing network applications with good concurrency and performance has been a very time consuming task in the past. With the rise of node.js, anybody can now trivially write scalable network applications. This talk explains node's event loop and non-blocking I/O machinery and shows how node may become your tool of choice for future networking adventures. There will also be a look at new threats that could arise from the ability of managing thousands of connections with almost no difficulty.

Tags:  tool node networking felix-geisendrfer chaos-communication-congress networking-applications javascript-engine  

Authors: Mathias Payer
Tags: exploiting
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Unsafe languages and an arms race for new bugs calls for an additional line of defense in software systems. User-space virtualization uses dynamic instrumentation to detect different attack vectors and protects from the execution of malicious code. An additional advantage of these virtualization systems is that they can be used to analyze different exploits step by step and to extract the exploit code from a running program. This talk explains the concept of different attack vectors (stack buffer overflows, format string attacks, return to libc attacks, race attacks / TOCTTOU, integer overflows, heap buffer overflows, and code anomalies). For each of these attack vectors we show possible exploits and explain how the virtualization system is able to detect and prevent the exploit. User-space virtualization uses a binary translation framework to instrument all running code. The instrumentation works like an additional virtualization layer and makes it possible to observe any changes to the runtime datastructures (code and data) of a running program. We use fastBT to instrument and analyze different exploitable programs. The added instrumentation detects changes in runtime layout and stops the program whenever exploit code is about to be executed. This talk presents different classes of exploits that can be observed in a dynamic instrumentation system. The exploits are analyzed and different security strategies are discussed. We then show how the instrumentation framework can implement an online protection mechanism against each class of attack vectors. Observable Attack Vectors Stack Overflow A limited buffer is (over) flown with user-data and over writes data on the stack (e.g., the return instruction pointer). Format String Attack An attack can write to an arbitrary address (e.g., the return instruction pointer or the address of a library function) if unvalidated user input is passed directly to the printf function. Return to libc Attack This attack prepares multiple stack frames that execute code sequences in libraries. The stack frame can be constructed so that (almost) arbitrary code is executed. Race Attacks / TOCTTOU Time-of-check-to-time-of-use race conditions exploit the fact that they can change values on the stack after they are checked but before they are used in the program or kernel. Integer Overflow Overflows can be triggered by using a negative integer value instead of an unsigned value. Heap Overflow A heap buffer overflow is used to overwrite function pointers or data from the memory allocator to trigger execution of arbitrary code. Code Anomalies x86_64 code is backward compatible to ia32 and in modern operating systems x86_64 and ia32 code can be mixed. The mix of different system calls makes it possible to break out of sand boxes that are not aware of all possible combinations of system calls. The exploits are detected generally whenever the program branches to the injected code or to the constructed code fragments. The program is interrupted and a debugger can be attached to analyze the state of the program. TOCTTOU attacks can be detected by observing the threads and using a specific system call architecture. Conclusion Dynamic instrumentation is an important tool to prohibit, detect, and analyze different attack vectors to running programs. Additional instrumentation guards can be used to better understand exploits. The additional layer of virtualization implemented through dynamic instrumentation can be used to detect and log bugs and is an additional line of defense against new exploits. Related Work A detailed discussion of related work is in the paper. These references here are for informational purposes only (to show how this talk was inspired) and not complete.

Tags:  chaos-communication-congress format-string-attack format-string-attacks  

Authors: Mathias Payer
Tags: exploiting
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Unsafe languages and an arms race for new bugs calls for an additional line of defense in software systems. User-space virtualization uses dynamic instrumentation to detect different attack vectors and protects from the execution of malicious code. An additional advantage of these virtualization systems is that they can be used to analyze different exploits step by step and to extract the exploit code from a running program. This talk explains the concept of different attack vectors (stack buffer overflows, format string attacks, return to libc attacks, race attacks / TOCTTOU, integer overflows, heap buffer overflows, and code anomalies). For each of these attack vectors we show possible exploits and explain how the virtualization system is able to detect and prevent the exploit. User-space virtualization uses a binary translation framework to instrument all running code. The instrumentation works like an additional virtualization layer and makes it possible to observe any changes to the runtime datastructures (code and data) of a running program. We use fastBT to instrument and analyze different exploitable programs. The added instrumentation detects changes in runtime layout and stops the program whenever exploit code is about to be executed. This talk presents different classes of exploits that can be observed in a dynamic instrumentation system. The exploits are analyzed and different security strategies are discussed. We then show how the instrumentation framework can implement an online protection mechanism against each class of attack vectors. Observable Attack Vectors Stack Overflow A limited buffer is (over) flown with user-data and over writes data on the stack (e.g., the return instruction pointer). Format String Attack An attack can write to an arbitrary address (e.g., the return instruction pointer or the address of a library function) if unvalidated user input is passed directly to the printf function. Return to libc Attack This attack prepares multiple stack frames that execute code sequences in libraries. The stack frame can be constructed so that (almost) arbitrary code is executed. Race Attacks / TOCTTOU Time-of-check-to-time-of-use race conditions exploit the fact that they can change values on the stack after they are checked but before they are used in the program or kernel. Integer Overflow Overflows can be triggered by using a negative integer value instead of an unsigned value. Heap Overflow A heap buffer overflow is used to overwrite function pointers or data from the memory allocator to trigger execution of arbitrary code. Code Anomalies x86_64 code is backward compatible to ia32 and in modern operating systems x86_64 and ia32 code can be mixed. The mix of different system calls makes it possible to break out of sand boxes that are not aware of all possible combinations of system calls. The exploits are detected generally whenever the program branches to the injected code or to the constructed code fragments. The program is interrupted and a debugger can be attached to analyze the state of the program. TOCTTOU attacks can be detected by observing the threads and using a specific system call architecture. Conclusion Dynamic instrumentation is an important tool to prohibit, detect, and analyze different attack vectors to running programs. Additional instrumentation guards can be used to better understand exploits. The additional layer of virtualization implemented through dynamic instrumentation can be used to detect and log bugs and is an additional line of defense against new exploits. Related Work A detailed discussion of related work is in the paper. These references here are for informational purposes only (to show how this talk was inspired) and not complete.

Tags:  code instrumentation attack mathias-payer chaos-communication-congress format-string-attack format-string-attacks  

Authors: Mathias Payer
Tags: exploiting
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Unsafe languages and an arms race for new bugs calls for an additional line of defense in software systems. User-space virtualization uses dynamic instrumentation to detect different attack vectors and protects from the execution of malicious code. An additional advantage of these virtualization systems is that they can be used to analyze different exploits step by step and to extract the exploit code from a running program. This talk explains the concept of different attack vectors (stack buffer overflows, format string attacks, return to libc attacks, race attacks / TOCTTOU, integer overflows, heap buffer overflows, and code anomalies). For each of these attack vectors we show possible exploits and explain how the virtualization system is able to detect and prevent the exploit. User-space virtualization uses a binary translation framework to instrument all running code. The instrumentation works like an additional virtualization layer and makes it possible to observe any changes to the runtime datastructures (code and data) of a running program. We use fastBT to instrument and analyze different exploitable programs. The added instrumentation detects changes in runtime layout and stops the program whenever exploit code is about to be executed. This talk presents different classes of exploits that can be observed in a dynamic instrumentation system. The exploits are analyzed and different security strategies are discussed. We then show how the instrumentation framework can implement an online protection mechanism against each class of attack vectors. Observable Attack Vectors Stack Overflow A limited buffer is (over) flown with user-data and over writes data on the stack (e.g., the return instruction pointer). Format String Attack An attack can write to an arbitrary address (e.g., the return instruction pointer or the address of a library function) if unvalidated user input is passed directly to the printf function. Return to libc Attack This attack prepares multiple stack frames that execute code sequences in libraries. The stack frame can be constructed so that (almost) arbitrary code is executed. Race Attacks / TOCTTOU Time-of-check-to-time-of-use race conditions exploit the fact that they can change values on the stack after they are checked but before they are used in the program or kernel. Integer Overflow Overflows can be triggered by using a negative integer value instead of an unsigned value. Heap Overflow A heap buffer overflow is used to overwrite function pointers or data from the memory allocator to trigger execution of arbitrary code. Code Anomalies x86_64 code is backward compatible to ia32 and in modern operating systems x86_64 and ia32 code can be mixed. The mix of different system calls makes it possible to break out of sand boxes that are not aware of all possible combinations of system calls. The exploits are detected generally whenever the program branches to the injected code or to the constructed code fragments. The program is interrupted and a debugger can be attached to analyze the state of the program. TOCTTOU attacks can be detected by observing the threads and using a specific system call architecture. Conclusion Dynamic instrumentation is an important tool to prohibit, detect, and analyze different attack vectors to running programs. Additional instrumentation guards can be used to better understand exploits. The additional layer of virtualization implemented through dynamic instrumentation can be used to detect and log bugs and is an additional line of defense against new exploits. Related Work A detailed discussion of related work is in the paper. These references here are for informational purposes only (to show how this talk was inspired) and not complete.

Tags:  code instrumentation attack mathias-payer chaos-communication-congress format-string-attack format-string-attacks  

Authors: Felix Geisendörfer
Tags: Javascript
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Node.js is a library that provides non-blocking I/O for Google's V8 JavaScript engine. This talk explores node's suitability for a diverse range of networking applications. Writing network applications with good concurrency and performance has been a very time consuming task in the past. With the rise of node.js, anybody can now trivially write scalable network applications. This talk explains node's event loop and non-blocking I/O machinery and shows how node may become your tool of choice for future networking adventures. There will also be a look at new threats that could arise from the ability of managing thousands of connections with almost no difficulty.

Tags:  tool node networking felix-geisendrfer chaos-communication-congress networking-applications javascript-engine  

Authors: Felix Geisendörfer
Tags: Javascript
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Node.js is a library that provides non-blocking I/O for Google's V8 JavaScript engine. This talk explores node's suitability for a diverse range of networking applications. Writing network applications with good concurrency and performance has been a very time consuming task in the past. With the rise of node.js, anybody can now trivially write scalable network applications. This talk explains node's event loop and non-blocking I/O machinery and shows how node may become your tool of choice for future networking adventures. There will also be a look at new threats that could arise from the ability of managing thousands of connections with almost no difficulty.

Tags:  tool node networking felix-geisendrfer chaos-communication-congress networking-applications javascript-engine  

Authors: Karsten Nohl Sylvain Munaut
Tags: GSM sniffer
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: GSM is still the most widely used security technology in the world with a user base of 5 billion and a quickly growing number of critical applications. 26C3's rainbow table attack on GSM's A5/1 encryption convinced many users that GSM calls should be considered unprotected. The network operators, however, have not woken up to the threat yet. Perhaps the new capabilities to be unleashed this year – like wide-band sniffing and real-time signal processing – will wake them up. Now that GSM A5/1 encryption can be cracked in seconds, the complexity of wireless phone snooping moved to signal processing. Since GSM hops over a multitude of channels, a large chunk of radio spectrum needs to be analyzed, for example with USRPs, and decoded before storage or decoding. We demonstrate how this high bandwidth task can be achieved with cheap programmable phones.

Tags:  processing gsm encryption chaos-communication-congress radio-spectrum high-bandwidth  

Authors: Felix 'FX' Lindner
Tags: reverse engineering
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: The Reverse Engineer occasionally faces situations where even his most advanced commercial tools do not support the instruction set of an arcane CPU. To overcome this situation, one can develop the missing disassembler. This talk is meant to be a tutorial on how to approach the task, what to focus on first and what surprises one may be in for. The primary focus will be on the transformation of byte code back into mnemonic representation where only the reverse transformation is available (i.e. you have the respective assembler). It also covers how to integrate your new disassembler into your reverse engineering tool chain.

Tags:  transformation engineering disassembler felix chaos-communication-congress reverse-engineer commercial-tools  

Authors: Karsten Nohl Sylvain Munaut
Tags: GSM sniffer
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: GSM is still the most widely used security technology in the world with a user base of 5 billion and a quickly growing number of critical applications. 26C3's rainbow table attack on GSM's A5/1 encryption convinced many users that GSM calls should be considered unprotected. The network operators, however, have not woken up to the threat yet. Perhaps the new capabilities to be unleashed this year – like wide-band sniffing and real-time signal processing – will wake them up. Now that GSM A5/1 encryption can be cracked in seconds, the complexity of wireless phone snooping moved to signal processing. Since GSM hops over a multitude of channels, a large chunk of radio spectrum needs to be analyzed, for example with USRPs, and decoded before storage or decoding. We demonstrate how this high bandwidth task can be achieved with cheap programmable phones.

Tags:  chaos-communication-congress radio-spectrum high-bandwidth  

Authors: Karsten Nohl Sylvain Munaut
Tags: GSM sniffer
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: GSM is still the most widely used security technology in the world with a user base of 5 billion and a quickly growing number of critical applications. 26C3's rainbow table attack on GSM's A5/1 encryption convinced many users that GSM calls should be considered unprotected. The network operators, however, have not woken up to the threat yet. Perhaps the new capabilities to be unleashed this year – like wide-band sniffing and real-time signal processing – will wake them up. Now that GSM A5/1 encryption can be cracked in seconds, the complexity of wireless phone snooping moved to signal processing. Since GSM hops over a multitude of channels, a large chunk of radio spectrum needs to be analyzed, for example with USRPs, and decoded before storage or decoding. We demonstrate how this high bandwidth task can be achieved with cheap programmable phones.

Tags:  processing gsm encryption chaos-communication-congress radio-spectrum high-bandwidth  

Authors: Jeff Gough
Tags: hardware hacking
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Are you ready to wake up from the cult of Arduino? Tired of plugging together black-box pre-built modules like a mindless drone, copying and pasting in code you found on Hackaday? You've soldered together your TV-Be-Gone, built your fifth Minty Boost, and your bench is awash with discarded Adafruit packaging and Make magazines. It's time to stop this passive consumption. It's time to create something that is truly yours. It's time, my friend, to design your first circuit board. And you'll need a machine to print it. Outsourcing printed circuit board (PCB) manufacture can be expensive and slow. You want your board now, for free. And designing PCB's is hard. You'll make mistakes, and some boards will be wasted. You can etch your own PCB's at home but the process is fiddly, and notoriously difficult to perfect. What if you had a printer that could make PCB's? A rapid prototyping machine for circuit boards. In this talk I will present my progress towards an inexpensive PCB printer by reverse engineering Epson inkjet technology. And I'm not talking about the crappy print-and-bake method you might have seen on the internet. Come and learn about the miracle of microfluidics within the modern consumer inkjet printer, and how to push it to do new, exciting things. I'll be describing some reverse engineering techniques, a bit of electronics circuit design and the potential for 3D microfabrication with inkjet technology. A PCB will be printed and etched live, on stage, at 27C3!

Tags:  pcb circuit time jeff-gough chaos-communication-congress rapid-prototyping-machine pcb-manufacture  

Tags: hacking
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: 4 minutes for every speaker. Learn about the good, the bad, and the ugly - in software, hardware, projects, and more. Give a lightning fast talk about your favourite project, program, system - and thereby find people with the same interest to proceed and promote it. Alternatively - give us a good rant about something and give us some good reasons why it should die. ;) Get right at it, don't waste time by explaining too much, get the main points across, and then let us know how to contact you on the congress for a talk! Whatever you do - please practise it, and don't be boring. Or else. You have been warned! :-P

Tags:  chaos-communication-congress lightning-talks hardware-projects  

Tags: hacking
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: 4 minutes for every speaker. Learn about the good, the bad, and the ugly - in software, hardware, projects, and more. Give a lightning fast talk about your favourite project, program, system - and thereby find people with the same interest to proceed and promote it. Alternatively - give us a good rant about something and give us some good reasons why it should die. ;) Get right at it, don't waste time by explaining too much, get the main points across, and then let us know how to contact you on the congress for a talk! Whatever you do - please practise it, and don't be boring. Or else. You have been warned! :-P

Tags:  chaos-communication-congress lightning-talks hardware-projects  

Tags: BitTorrent
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Distributed Hash Tables implement Routing and Addressability in large P2P networks. In the Kademlia adaption for Bittorrent a peer's address (NodeID) is to be generated randomly, or more appropriate: arbitrarily. Because randomness isn't verifiable, an implementation can advertise itself with popular NodeIDs or even change them on a per-packet basis. Two issues arise due this design problem: Amplification of UDP traffic Amplification of TCP traffic Anyone with a moderate bandwidth connection can induce DDoS attacks with the BitTorrent cloud. Starting with the prerequisites of BitTorrent, I will outline the importance of tracker-less operation and how Magnet links work. Distributed Hash Tables are explained pertaining to the Kademlia algorithm. It is most interesting how implementations maintain and refresh routing information, allowing a malicious node to become a popular neighbour quickly, and how traffic can be amplified in two ways. I will present packet rate analysis measured during tests on Amazon EC2. In conclusion it is explained how the problem of arbitrary NodeIDs can be avoided if the protocol was to be redesigned. A few words are to be given what client authors can do to alleviate the damage potential of the BitTorrent DHT.

Tags:  chaos-communication-congress amazon-ec2 hash-tables  

Tags: BitTorrent
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Distributed Hash Tables implement Routing and Addressability in large P2P networks. In the Kademlia adaption for Bittorrent a peer's address (NodeID) is to be generated randomly, or more appropriate: arbitrarily. Because randomness isn't verifiable, an implementation can advertise itself with popular NodeIDs or even change them on a per-packet basis. Two issues arise due this design problem: Amplification of UDP traffic Amplification of TCP traffic Anyone with a moderate bandwidth connection can induce DDoS attacks with the BitTorrent cloud. Starting with the prerequisites of BitTorrent, I will outline the importance of tracker-less operation and how Magnet links work. Distributed Hash Tables are explained pertaining to the Kademlia algorithm. It is most interesting how implementations maintain and refresh routing information, allowing a malicious node to become a popular neighbour quickly, and how traffic can be amplified in two ways. I will present packet rate analysis measured during tests on Amazon EC2. In conclusion it is explained how the problem of arbitrary NodeIDs can be avoided if the protocol was to be redesigned. A few words are to be given what client authors can do to alleviate the damage potential of the BitTorrent DHT.

Tags:  bittorrent traffic hash amazon chaos-communication-congress amazon-ec2 hash-tables  

Authors: Felix Domke
Tags: cracking FPGA
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: In 1998, the EFF built "Deep Crack", a machine designed to perform a walk over DES's 56-bit keyspace in nine days, for $250.000. With today's FPGA technology, a cost decrease of 25x can be achieved, as the copacobana project has shown. If that's still too much, two approaches should be considered: Recycling hardware and distributed computing. This talk will be about combining both approaches for the greater good. A number of projects (Copacobana, Picocomputing) have shown that with today's technology enough brute force computing power to break limited keylength ciphers (like DES) is affordable even for small companies. But what about Joe Geek at home? Recycling FPGAs is one option (nsa@home), distributed computing another (distributed.net, ...). This project combines both approaches, developing a toolchain that can be used to prototype a project on a low-end FPGA (or even in a free simulator), and then scaling up the effort across different implementations onto a large number of devices. An example client implementation uses an FPGA in a widely available consumer device to provide computing power when the device is in standby. Another approach that will be discussed in detail is how to obtain decommissioned high-end FPGA-based hardware. We will have hardware to show with a live demo!

Tags:  fpga number project felix-domke joe-geek chaos-communication-congress client-implementation fpga-technology  

Authors: Michael Steil
Tags: reverse engineering hardware hacking
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: The MOS 6502 CPU, which was designed in 1975 and powered systems like the Apple II, the Atari 2600, the Nintendo NES and the Commodore 64 for two decades, has always been subject to intense reverse engineering of its inner workings. Only recently, the Visual6502.org project has converted a hi-res die-shot of the 6502 into a polygon model suitable for visually simulating the original mask at the transistor level. This talk will present the way from a chip package to a digital representation, how to simulate transistors in software, and new insights gained form this research about 6502 internals, like "illegal" opcodes. The presentation only requires a basic understanding of assembly programming and electronics, and is meant to teach, among other things, the methods of efficient and elegant chip design used in the early years of integrated CPUs. The talk consists of three parts. The first part, "6502 from top down", describes the programmer's model, as well as the basic layout of the components of the CPU. In the second part, "6502 from bottom up", we describe how to decap and photograph chips, convert each physical layer of the chip into a polygon model, and how to finally convert this into a network of wires and transistors suitable for logic simulation. The third part, "6502 from the inside out", explains the inner workings of the CPU: how the logic blocks work together, how an instruction is decoded by the PLA ROM into controlling these blocks and busses, and how details like interrupt delivery work. Finally, this information can be used to describe and explain undocumented behaviour, like illegal opcodes and crash instructions, and explain bugs like the BRK/IRQ race, the ROR bug and spurious reads and writes in certain situations.

Tags:  chaos-communication-congress illegal-opcodes logic-simulation  

Authors: Michael Steil
Tags: reverse engineering hardware hacking
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: The MOS 6502 CPU, which was designed in 1975 and powered systems like the Apple II, the Atari 2600, the Nintendo NES and the Commodore 64 for two decades, has always been subject to intense reverse engineering of its inner workings. Only recently, the Visual6502.org project has converted a hi-res die-shot of the 6502 into a polygon model suitable for visually simulating the original mask at the transistor level. This talk will present the way from a chip package to a digital representation, how to simulate transistors in software, and new insights gained form this research about 6502 internals, like "illegal" opcodes. The presentation only requires a basic understanding of assembly programming and electronics, and is meant to teach, among other things, the methods of efficient and elegant chip design used in the early years of integrated CPUs. The talk consists of three parts. The first part, "6502 from top down", describes the programmer's model, as well as the basic layout of the components of the CPU. In the second part, "6502 from bottom up", we describe how to decap and photograph chips, convert each physical layer of the chip into a polygon model, and how to finally convert this into a network of wires and transistors suitable for logic simulation. The third part, "6502 from the inside out", explains the inner workings of the CPU: how the logic blocks work together, how an instruction is decoded by the PLA ROM into controlling these blocks and busses, and how details like interrupt delivery work. Finally, this information can be used to describe and explain undocumented behaviour, like illegal opcodes and crash instructions, and explain bugs like the BRK/IRQ race, the ROR bug and spurious reads and writes in certain situations.

Tags:  cpu model engineering michael-steil chaos-communication-congress illegal-opcodes logic-simulation  

Authors: Felix Domke
Tags: cracking FPGA
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: In 1998, the EFF built "Deep Crack", a machine designed to perform a walk over DES's 56-bit keyspace in nine days, for $250.000. With today's FPGA technology, a cost decrease of 25x can be achieved, as the copacobana project has shown. If that's still too much, two approaches should be considered: Recycling hardware and distributed computing. This talk will be about combining both approaches for the greater good. A number of projects (Copacobana, Picocomputing) have shown that with today's technology enough brute force computing power to break limited keylength ciphers (like DES) is affordable even for small companies. But what about Joe Geek at home? Recycling FPGAs is one option (nsa@home), distributed computing another (distributed.net, ...). This project combines both approaches, developing a toolchain that can be used to prototype a project on a low-end FPGA (or even in a free simulator), and then scaling up the effort across different implementations onto a large number of devices. An example client implementation uses an FPGA in a widely available consumer device to provide computing power when the device is in standby. Another approach that will be discussed in detail is how to obtain decommissioned high-end FPGA-based hardware. We will have hardware to show with a live demo!

Tags:  fpga number project felix-domke joe-geek chaos-communication-congress client-implementation fpga-technology  

Authors: Felix Domke
Tags: cracking FPGA
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: In 1998, the EFF built "Deep Crack", a machine designed to perform a walk over DES's 56-bit keyspace in nine days, for $250.000. With today's FPGA technology, a cost decrease of 25x can be achieved, as the copacobana project has shown. If that's still too much, two approaches should be considered: Recycling hardware and distributed computing. This talk will be about combining both approaches for the greater good. A number of projects (Copacobana, Picocomputing) have shown that with today's technology enough brute force computing power to break limited keylength ciphers (like DES) is affordable even for small companies. But what about Joe Geek at home? Recycling FPGAs is one option (nsa@home), distributed computing another (distributed.net, ...). This project combines both approaches, developing a toolchain that can be used to prototype a project on a low-end FPGA (or even in a free simulator), and then scaling up the effort across different implementations onto a large number of devices. An example client implementation uses an FPGA in a widely available consumer device to provide computing power when the device is in standby. Another approach that will be discussed in detail is how to obtain decommissioned high-end FPGA-based hardware. We will have hardware to show with a live demo!

Tags:  fpga number project felix-domke joe-geek chaos-communication-congress client-implementation fpga-technology  

Authors: Jeff Gough
Tags: hardware hacking
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Are you ready to wake up from the cult of Arduino? Tired of plugging together black-box pre-built modules like a mindless drone, copying and pasting in code you found on Hackaday? You've soldered together your TV-Be-Gone, built your fifth Minty Boost, and your bench is awash with discarded Adafruit packaging and Make magazines. It's time to stop this passive consumption. It's time to create something that is truly yours. It's time, my friend, to design your first circuit board. And you'll need a machine to print it. Outsourcing printed circuit board (PCB) manufacture can be expensive and slow. You want your board now, for free. And designing PCB's is hard. You'll make mistakes, and some boards will be wasted. You can etch your own PCB's at home but the process is fiddly, and notoriously difficult to perfect. What if you had a printer that could make PCB's? A rapid prototyping machine for circuit boards. In this talk I will present my progress towards an inexpensive PCB printer by reverse engineering Epson inkjet technology. And I'm not talking about the crappy print-and-bake method you might have seen on the internet. Come and learn about the miracle of microfluidics within the modern consumer inkjet printer, and how to push it to do new, exciting things. I'll be describing some reverse engineering techniques, a bit of electronics circuit design and the potential for 3D microfabrication with inkjet technology. A PCB will be printed and etched live, on stage, at 27C3!

Tags:  pcb circuit time jeff-gough chaos-communication-congress rapid-prototyping-machine pcb-manufacture  

Authors: Marc Heuse
Tags: IPv6
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: New protocol features have been proposed and implemented in the last 5 years and ISPs are now slowly starting to deploy IPv6. This talk starts with a brief summary of the issues presented five years ago, and then expands on the new risks. Discovered implemention security issues in Windows 7/2008, Linux and Cisco will be shown too. Comes with a GPL'ed toolkit: thc-ipv6 Five years have past since my initial talk on IPv6 insecurities at the CCC Congress. New protocol features have been proposed and implemented since then and ISPs are now slowly starting to deploy IPv6. Few changes have led to a better security of the protocol, several increase the risk instead. This talk starts with a brief summary of the issues presented 5 years ago, and then expands on the new risks especially in multicast scenarios. As an add-on, discovered implemention security issues in Windows 7/2008, Linux and Cisco will be shown too. Lets hope patches are out until the conference, if not - they had enough time. All accompanied with GPL'ed tools to and a library: the new thc-ipv6 package. rewritten, expanded, enhanced.

Tags:  chaos-communication-congress protocol-features marc-heuse  

Tags: hacker jeopardy
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Out of the news section of the C3D2 radio programme we've compiled an entertaining game show, an Internet-based multiplayer "Who becomes millionaire?" challenge. The audience and folks on the peace missions are asked to help the players. From the collected news items of our monthly radio show we've generated a game show somewhat inspired by "Who becomes millionaire?" but multi player. The questions cover all types of net-news we've found interesting to mention in our radio show.

Tags:  radio game show chaos-communication-congress peace-missions radio-programme  

Authors: Ertunga Arsal
Tags: rootkit SAP
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: SAP systems are the heart of many enterprises. Most critical business functions run on SAP Applications and the complexity of these systems makes it very difficult to protect against attackers. Default setups, forgotten/unimplemented security configurations, weak password management and change processes that apply to one ‘unimportant’ system can result in complete compromise of the SAP landscape. The legal consequences, lost/damaged business and reputation can be disastrous depending on the type of the attack. While companies invest a lot to secure SAP systems at business process level for example by designing authorization concepts, implementing separation of duties or by using GRC (Governance Risk and Compliance) tools, the security at technical level mostly lacks attention. In this paper, I present several attack paths exploiting configuration weaknesses at technical level, leading to attack potential to single systems, to whole SAP landscapes, and finally the whole enterprise network. By demonstrating creative exploit variants of configuration weaknesses, I motivate the necessity to safeguard a SAP system at technical level.

Tags:  business level sap chaos-communication-congress critical-business-functions sap-systems  

Tags: hacker jeopardy
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Out of the news section of the C3D2 radio programme we've compiled an entertaining game show, an Internet-based multiplayer "Who becomes millionaire?" challenge. The audience and folks on the peace missions are asked to help the players. From the collected news items of our monthly radio show we've generated a game show somewhat inspired by "Who becomes millionaire?" but multi player. The questions cover all types of net-news we've found interesting to mention in our radio show.

Tags:  chaos-communication-congress peace-missions radio-programme  

Authors: Ertunga Arsal
Tags: rootkit SAP
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: SAP systems are the heart of many enterprises. Most critical business functions run on SAP Applications and the complexity of these systems makes it very difficult to protect against attackers. Default setups, forgotten/unimplemented security configurations, weak password management and change processes that apply to one ‘unimportant’ system can result in complete compromise of the SAP landscape. The legal consequences, lost/damaged business and reputation can be disastrous depending on the type of the attack. While companies invest a lot to secure SAP systems at business process level for example by designing authorization concepts, implementing separation of duties or by using GRC (Governance Risk and Compliance) tools, the security at technical level mostly lacks attention. In this paper, I present several attack paths exploiting configuration weaknesses at technical level, leading to attack potential to single systems, to whole SAP landscapes, and finally the whole enterprise network. By demonstrating creative exploit variants of configuration weaknesses, I motivate the necessity to safeguard a SAP system at technical level.

Tags:  chaos-communication-congress critical-business-functions sap-systems  

Authors: Ertunga Arsal
Tags: rootkit SAP
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: SAP systems are the heart of many enterprises. Most critical business functions run on SAP Applications and the complexity of these systems makes it very difficult to protect against attackers. Default setups, forgotten/unimplemented security configurations, weak password management and change processes that apply to one ‘unimportant’ system can result in complete compromise of the SAP landscape. The legal consequences, lost/damaged business and reputation can be disastrous depending on the type of the attack. While companies invest a lot to secure SAP systems at business process level for example by designing authorization concepts, implementing separation of duties or by using GRC (Governance Risk and Compliance) tools, the security at technical level mostly lacks attention. In this paper, I present several attack paths exploiting configuration weaknesses at technical level, leading to attack potential to single systems, to whole SAP landscapes, and finally the whole enterprise network. By demonstrating creative exploit variants of configuration weaknesses, I motivate the necessity to safeguard a SAP system at technical level.

Tags:  business level sap chaos-communication-congress critical-business-functions sap-systems  

Authors: Ertunga Arsal
Tags: rootkit SAP
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: SAP systems are the heart of many enterprises. Most critical business functions run on SAP Applications and the complexity of these systems makes it very difficult to protect against attackers. Default setups, forgotten/unimplemented security configurations, weak password management and change processes that apply to one ‘unimportant’ system can result in complete compromise of the SAP landscape. The legal consequences, lost/damaged business and reputation can be disastrous depending on the type of the attack. While companies invest a lot to secure SAP systems at business process level for example by designing authorization concepts, implementing separation of duties or by using GRC (Governance Risk and Compliance) tools, the security at technical level mostly lacks attention. In this paper, I present several attack paths exploiting configuration weaknesses at technical level, leading to attack potential to single systems, to whole SAP landscapes, and finally the whole enterprise network. By demonstrating creative exploit variants of configuration weaknesses, I motivate the necessity to safeguard a SAP system at technical level.

Tags:  business level sap chaos-communication-congress critical-business-functions sap-systems  

Authors: Bruce Dang Peter Ferrie
Tags: malware malware analysis Stuxnet
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: There has been many publications on the topic of Stuxnet and its "sophistication" in the mainstream press. However, there is not a complete publication which explains all of the technical vulnerability details and how they were discovered. In this talk, you will get a first-hand account of the entire story. We will discuss various techniques used in analyzing Stuxnet. First, we will share several tricks that were used to quickly identify the vulnerabilities. Second, we describe the thought processes that went into debugging and triaging the vulnerabilities themselves. Finally, we show some tips that you can use if you feel like decompiling stuff for fun :).

Tags:  malware video stuxnet bruce-dang peter-ferrie chaos-communication-congress technical-vulnerability mainstream-press  

Authors: Bruce Dang Peter Ferrie
Tags: malware malware analysis Stuxnet
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: There has been many publications on the topic of Stuxnet and its "sophistication" in the mainstream press. However, there is not a complete publication which explains all of the technical vulnerability details and how they were discovered. In this talk, you will get a first-hand account of the entire story. We will discuss various techniques used in analyzing Stuxnet. First, we will share several tricks that were used to quickly identify the vulnerabilities. Second, we describe the thought processes that went into debugging and triaging the vulnerabilities themselves. Finally, we show some tips that you can use if you feel like decompiling stuff for fun :).

Tags:  malware audio stuxnet bruce-dang peter-ferrie chaos-communication-congress technical-vulnerability mainstream-press  

Authors: Marc Heuse
Tags: IPv6
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: New protocol features have been proposed and implemented in the last 5 years and ISPs are now slowly starting to deploy IPv6. This talk starts with a brief summary of the issues presented five years ago, and then expands on the new risks. Discovered implemention security issues in Windows 7/2008, Linux and Cisco will be shown too. Comes with a GPL'ed toolkit: thc-ipv6 Five years have past since my initial talk on IPv6 insecurities at the CCC Congress. New protocol features have been proposed and implemented since then and ISPs are now slowly starting to deploy IPv6. Few changes have led to a better security of the protocol, several increase the risk instead. This talk starts with a brief summary of the issues presented 5 years ago, and then expands on the new risks especially in multicast scenarios. As an add-on, discovered implemention security issues in Windows 7/2008, Linux and Cisco will be shown too. Lets hope patches are out until the conference, if not - they had enough time. All accompanied with GPL'ed tools to and a library: the new thc-ipv6 package. rewritten, expanded, enhanced.

Tags:  talk ipv protocol marc-heuse chaos-communication-congress protocol-features  

Authors: Marc Heuse
Tags: IPv6
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: New protocol features have been proposed and implemented in the last 5 years and ISPs are now slowly starting to deploy IPv6. This talk starts with a brief summary of the issues presented five years ago, and then expands on the new risks. Discovered implemention security issues in Windows 7/2008, Linux and Cisco will be shown too. Comes with a GPL'ed toolkit: thc-ipv6 Five years have past since my initial talk on IPv6 insecurities at the CCC Congress. New protocol features have been proposed and implemented since then and ISPs are now slowly starting to deploy IPv6. Few changes have led to a better security of the protocol, several increase the risk instead. This talk starts with a brief summary of the issues presented 5 years ago, and then expands on the new risks especially in multicast scenarios. As an add-on, discovered implemention security issues in Windows 7/2008, Linux and Cisco will be shown too. Lets hope patches are out until the conference, if not - they had enough time. All accompanied with GPL'ed tools to and a library: the new thc-ipv6 package. rewritten, expanded, enhanced.

Tags:  chaos-communication-congress protocol-features marc-heuse  

Authors: Franz Pletz
Tags: science
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Starting in the beginning of August 2010 and lasting until the mid of November, the project AllColoursAreBeautiful by the Munich chapter of the Chaos Computer Club was serving as a platform for interested people on the world to illuminate, animate and interact with the front of a vacant department store in Munich. The windows were illuminated by remotely controllable, networked RGB LEDs in colorfully light the facade. A web editor was developed to ease the creation of animations at home or in front of the building with a laptop or mobile phone. Furthermore, animations could be put in a queue by sending a simple text message (SMS). Running animations could be viewed with a client program or by a webcam stream. Over 400 animations were created by the public. Next year another, bigger installation in Munich is planned. The purpose of our talk is to outline the infrastructure we built for this project and inspire other hackers to use it for rolling their own installation in their hometown. We will explain our open hardware and software design in the background and talk about our rationale behind our design decisions and comment on possible improvements in future iterations. We won't forget to include the biggest fails, fnords and pitfalls concering funding, authorizations and communication. At the Congress we will rebuild our installation using boxes. Interested hackers are very welcome to play with this colorful blinkenwall by writing animations and games.

Tags:  allcoloursarebeautiful chaos installation franz-pletz munich chaos-communication-congress chaos-computer-club munich-chapter  

Authors: Katarzyna Szymielewicz Patrick Breyer Ralf Bendrath
Tags: law privacy
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: 2011 will again be a crucial year in the battle against data retention and blanket surveillance. The EU Commission is planning to publish its review of the directive in December (right in time before 27C3), and the lobbying and PR battle has already begun. In six months from now, we will see the legislative proposal from the EU commission for the revision of data retention. The talk will give a full picture of the legal state of play, what is going on in Brussels, what is already being done and of course where you can help. The speakers are closely involved in the process on the European and national level. In December 2005, the European Parliament agreed to the data retention directive that introduced mandatory retention of the telecommunications behaviour of half a billion EU citizens and residents. That was a huge disappointment and perceived by many as the final opening of the floodgates. Frank Rieger and Rop Gongrijp at 22C3 even declared that "we lost the war" over privacy. But things turned out different than expected. Now, five years later, a new privacy movement has risen in Germany and elsewhere, a number of constitutional courts all across Europe have declared national data retention laws illegal, a case against the whole directive is pending at the European Court of Justice, and the EU has a justice commissioner who openly said that she would not have suggested the whole thing in the first place, and a home affairs commissioner who voted against the directive when she was still a Member of Parliament. The talk will give a full picture of the legal state of play, what is going on in Brussels, what is already being done and of course where you can help. The speakers are all active in European Digital Rights (EDRi.org) and are closely involved in the process on the European and national level.

Tags:  retention privacy directive katarzyna-szymielewicz patrick-breyer ralf-bendrath frank-rieger germany europe brussels chaos-communication-congress  

Authors: Katarzyna Szymielewicz Patrick Breyer Ralf Bendrath
Tags: law privacy
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: 2011 will again be a crucial year in the battle against data retention and blanket surveillance. The EU Commission is planning to publish its review of the directive in December (right in time before 27C3), and the lobbying and PR battle has already begun. In six months from now, we will see the legislative proposal from the EU commission for the revision of data retention. The talk will give a full picture of the legal state of play, what is going on in Brussels, what is already being done and of course where you can help. The speakers are closely involved in the process on the European and national level. In December 2005, the European Parliament agreed to the data retention directive that introduced mandatory retention of the telecommunications behaviour of half a billion EU citizens and residents. That was a huge disappointment and perceived by many as the final opening of the floodgates. Frank Rieger and Rop Gongrijp at 22C3 even declared that "we lost the war" over privacy. But things turned out different than expected. Now, five years later, a new privacy movement has risen in Germany and elsewhere, a number of constitutional courts all across Europe have declared national data retention laws illegal, a case against the whole directive is pending at the European Court of Justice, and the EU has a justice commissioner who openly said that she would not have suggested the whole thing in the first place, and a home affairs commissioner who voted against the directive when she was still a Member of Parliament. The talk will give a full picture of the legal state of play, what is going on in Brussels, what is already being done and of course where you can help. The speakers are all active in European Digital Rights (EDRi.org) and are closely involved in the process on the European and national level.

Tags:  chaos-communication-congress patrick-breyer frank-rieger  

Authors: Katarzyna Szymielewicz Patrick Breyer Ralf Bendrath
Tags: law privacy
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: 2011 will again be a crucial year in the battle against data retention and blanket surveillance. The EU Commission is planning to publish its review of the directive in December (right in time before 27C3), and the lobbying and PR battle has already begun. In six months from now, we will see the legislative proposal from the EU commission for the revision of data retention. The talk will give a full picture of the legal state of play, what is going on in Brussels, what is already being done and of course where you can help. The speakers are closely involved in the process on the European and national level. In December 2005, the European Parliament agreed to the data retention directive that introduced mandatory retention of the telecommunications behaviour of half a billion EU citizens and residents. That was a huge disappointment and perceived by many as the final opening of the floodgates. Frank Rieger and Rop Gongrijp at 22C3 even declared that "we lost the war" over privacy. But things turned out different than expected. Now, five years later, a new privacy movement has risen in Germany and elsewhere, a number of constitutional courts all across Europe have declared national data retention laws illegal, a case against the whole directive is pending at the European Court of Justice, and the EU has a justice commissioner who openly said that she would not have suggested the whole thing in the first place, and a home affairs commissioner who voted against the directive when she was still a Member of Parliament. The talk will give a full picture of the legal state of play, what is going on in Brussels, what is already being done and of course where you can help. The speakers are all active in European Digital Rights (EDRi.org) and are closely involved in the process on the European and national level.

Tags:  retention privacy directive katarzyna-szymielewicz patrick-breyer ralf-bendrath frank-rieger germany europe brussels chaos-communication-congress  

Authors: Franz Pletz
Tags: science
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Starting in the beginning of August 2010 and lasting until the mid of November, the project AllColoursAreBeautiful by the Munich chapter of the Chaos Computer Club was serving as a platform for interested people on the world to illuminate, animate and interact with the front of a vacant department store in Munich. The windows were illuminated by remotely controllable, networked RGB LEDs in colorfully light the facade. A web editor was developed to ease the creation of animations at home or in front of the building with a laptop or mobile phone. Furthermore, animations could be put in a queue by sending a simple text message (SMS). Running animations could be viewed with a client program or by a webcam stream. Over 400 animations were created by the public. Next year another, bigger installation in Munich is planned. The purpose of our talk is to outline the infrastructure we built for this project and inspire other hackers to use it for rolling their own installation in their hometown. We will explain our open hardware and software design in the background and talk about our rationale behind our design decisions and comment on possible improvements in future iterations. We won't forget to include the biggest fails, fnords and pitfalls concering funding, authorizations and communication. At the Congress we will rebuild our installation using boxes. Interested hackers are very welcome to play with this colorful blinkenwall by writing animations and games.

Tags:  allcoloursarebeautiful chaos installation franz-pletz munich chaos-communication-congress chaos-computer-club munich-chapter  

Authors: Franz Pletz
Tags: science
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Starting in the beginning of August 2010 and lasting until the mid of November, the project AllColoursAreBeautiful by the Munich chapter of the Chaos Computer Club was serving as a platform for interested people on the world to illuminate, animate and interact with the front of a vacant department store in Munich. The windows were illuminated by remotely controllable, networked RGB LEDs in colorfully light the facade. A web editor was developed to ease the creation of animations at home or in front of the building with a laptop or mobile phone. Furthermore, animations could be put in a queue by sending a simple text message (SMS). Running animations could be viewed with a client program or by a webcam stream. Over 400 animations were created by the public. Next year another, bigger installation in Munich is planned. The purpose of our talk is to outline the infrastructure we built for this project and inspire other hackers to use it for rolling their own installation in their hometown. We will explain our open hardware and software design in the background and talk about our rationale behind our design decisions and comment on possible improvements in future iterations. We won't forget to include the biggest fails, fnords and pitfalls concering funding, authorizations and communication. At the Congress we will rebuild our installation using boxes. Interested hackers are very welcome to play with this colorful blinkenwall by writing animations and games.

Tags:  allcoloursarebeautiful chaos installation franz-pletz munich chaos-communication-congress chaos-computer-club munich-chapter  

Authors: Wolfgang Draxinger
Tags: Linux
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Time to take a look back and under the hood of the current state of FOSS based desktops: The Good, The Bad and The Ugly – Bloat, strange APIs, too much complexity. The first decade of the 21st century brought huge progress in the development of FOSS Desktop systems. Users can now choose from a broad range of environments, which all adhere to a coherent set of standards. Not to forget that FOSS did even pioneer some GUI technologies which were later adopted by other (read: non free) systems.

Tags:  video bsd linux foss foss-desktop wolfgang-draxinger chaos-communication-congress abstract-time course-authors  

Authors: Wolfgang Draxinger
Tags: Linux
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Time to take a look back and under the hood of the current state of FOSS based desktops: The Good, The Bad and The Ugly – Bloat, strange APIs, too much complexity. The first decade of the 21st century brought huge progress in the development of FOSS Desktop systems. Users can now choose from a broad range of environments, which all adhere to a coherent set of standards. Not to forget that FOSS did even pioneer some GUI technologies which were later adopted by other (read: non free) systems.

Tags:  bsd course linux foss foss-desktop wolfgang-draxinger chaos-communication-congress abstract-time course-authors  

Authors: Wolfgang Draxinger
Tags: Linux
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Time to take a look back and under the hood of the current state of FOSS based desktops: The Good, The Bad and The Ugly – Bloat, strange APIs, too much complexity. The first decade of the 21st century brought huge progress in the development of FOSS Desktop systems. Users can now choose from a broad range of environments, which all adhere to a coherent set of standards. Not to forget that FOSS did even pioneer some GUI technologies which were later adopted by other (read: non free) systems.

Tags:  bsd paper linux foss foss-desktop wolfgang-draxinger chaos-communication-congress abstract-time course-authors  

Authors: Wolfgang Draxinger
Tags: Linux
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Time to take a look back and under the hood of the current state of FOSS based desktops: The Good, The Bad and The Ugly – Bloat, strange APIs, too much complexity. The first decade of the 21st century brought huge progress in the development of FOSS Desktop systems. Users can now choose from a broad range of environments, which all adhere to a coherent set of standards. Not to forget that FOSS did even pioneer some GUI technologies which were later adopted by other (read: non free) systems.

Tags:  audio bsd linux foss foss-desktop wolfgang-draxinger chaos-communication-congress abstract-time course-authors  

Authors: Ilja van Sprundel
Tags: phone
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: There's been a fair bit written and presented about smartphone's, and yet, when it comes to the attack surface of the operating systems running on them, and the applications running on top of those, much still has to be explorer. This talk will dive a bit deeper into that attack surface. This talk will take a look at the smart phone attack surface, only from and end-to-end point of view. the baseband type stuff and things owned by the telco's will not be covered. Basically, it'll cover 5 major areas: identifying operating systems (through for example the user-agent with mms) identifying entrypoints identifying trust boundaries identifying bugs exploiting bugs There has been a fair amount of cellphone and smartphone reseach done in the past, and yet, when it comes to attack surface, we've barely scratched the surface. SMS alone allows for a dozen or so different types of messages, there's mms, all sorts of media codecs are build into smart phones. The entrypoints can be roughly categorized as: primary entypoints: - zero-click remote attacks over default communication network (sms, mms, ...) secondary entrypoints: - zero-click remote attacks over non-default communication network (email, ...) tertiary entrypoints: - proximity attacks (wifi, bluetooth, irda, mitm wifi connection, ...) - not-zero click remote attacks (e.g. start application XYZ and connect to my evil server) The main focus in this talk will be on the primary entrypoints, however some of the secondary and tertiary entrypoints will be talked about aswell, in particular irda, since unlike bluetooth and wifi, very little security research has ever been done with irda, which on itself is weird, since after less than a day of poking around it became quite clear most irda stacks are pretty weak (as a hilarious irda sidenote which got me started to look at idra, one should read the following microsoft bulletin http://www.microsoft.com/technet/security/bulletin/ms01-046.mspx). once's the interesting entrypoints for various smartphones are explored the talk will dive into some of the trust boundaries on different smartphones, things their sandboxes allow, things they don't, wether or not it's documented and wether or not the documentation is actually accurate. in the spirit of keeping the best for last, some of the bugs discovered during the smartphone research will be discussed, both the details of them, as well as the pains the speaker had to go through to make exploits for them.

Tags:  talk irda surface chaos-communication-congress evil-server sidenote  

Authors: Ilja van Sprundel
Tags: phone
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: There's been a fair bit written and presented about smartphone's, and yet, when it comes to the attack surface of the operating systems running on them, and the applications running on top of those, much still has to be explorer. This talk will dive a bit deeper into that attack surface. This talk will take a look at the smart phone attack surface, only from and end-to-end point of view. the baseband type stuff and things owned by the telco's will not be covered. Basically, it'll cover 5 major areas: identifying operating systems (through for example the user-agent with mms) identifying entrypoints identifying trust boundaries identifying bugs exploiting bugs There has been a fair amount of cellphone and smartphone reseach done in the past, and yet, when it comes to attack surface, we've barely scratched the surface. SMS alone allows for a dozen or so different types of messages, there's mms, all sorts of media codecs are build into smart phones. The entrypoints can be roughly categorized as: primary entypoints: - zero-click remote attacks over default communication network (sms, mms, ...) secondary entrypoints: - zero-click remote attacks over non-default communication network (email, ...) tertiary entrypoints: - proximity attacks (wifi, bluetooth, irda, mitm wifi connection, ...) - not-zero click remote attacks (e.g. start application XYZ and connect to my evil server) The main focus in this talk will be on the primary entrypoints, however some of the secondary and tertiary entrypoints will be talked about aswell, in particular irda, since unlike bluetooth and wifi, very little security research has ever been done with irda, which on itself is weird, since after less than a day of poking around it became quite clear most irda stacks are pretty weak (as a hilarious irda sidenote which got me started to look at idra, one should read the following microsoft bulletin http://www.microsoft.com/technet/security/bulletin/ms01-046.mspx). once's the interesting entrypoints for various smartphones are explored the talk will dive into some of the trust boundaries on different smartphones, things their sandboxes allow, things they don't, wether or not it's documented and wether or not the documentation is actually accurate. in the spirit of keeping the best for last, some of the bugs discovered during the smartphone research will be discussed, both the details of them, as well as the pains the speaker had to go through to make exploits for them.

Tags:  talk irda surface chaos-communication-congress evil-server sidenote  

Authors: Peter Stuge
Tags: USB
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Learn about the benefits and limitations of Universal Serial Bus, how communication works on the bus, how and why the right (and sometimes wrong?) driver can be loaded automatically by the operating system, and find out the easiest way to add USB to your washing machine, toaster, or other favorite appliance. The talk goes under the hood of the ubiquitous standard and clarifies many concepts that are important to understand when developing either device firmware or host software for USB; host, device, hubs, low speed, full speed, high speed, super speed, bus power supply, cable lengths, transfer types, endpoints, descriptors and more. The choice between kernel mode or user mode drivers will also be discussed, and finally we'll take a look at libusb; a cross-platform (WinMacLinuxBSD) library for USB programming. There will be a workshop that builds on this talk. Check the workshop schedule if you would like to join in the building of a custom USB device on an ARM microcontroller!

Tags:  bus speed usb peter-stuge chaos-communication-congress power-supply-cable universal-serial-bus  

Authors: Collin Mulliner Nico Golde
Tags: phone
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Smart phones, everybody has a smart phone! No! Just about 16% of all mobile phones are smart phones! Feature phones are the most common type of mobile phone in the world. Some time ago we decided to investigate the security of feature phones. In this talk we show how we analyzed feature phones for SMS security issues. We show our results and the kind of attacks that are possible with our bugs. This talk is about security analysis of a class of mobile phone the so-called "feature phones". We show how we analyzed these type of phones for SMS security issues and what kind of problems to overcome in the process. We show results for the major mobile phone manufacturers in the world. Everyone of them has problems. Finally we show what kind of global scale attacks one can carry out with these kind of bugs. The attacks range from interrupting phone calls, to disconnecting people from the network, and sometimes even bricking phones remotely.

Tags:  feature security phone nico-golde collin-mulliner chaos-communication-congress mobile-phone-manufacturers feature-phones  

Authors: Peter Stuge
Tags: USB
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Learn about the benefits and limitations of Universal Serial Bus, how communication works on the bus, how and why the right (and sometimes wrong?) driver can be loaded automatically by the operating system, and find out the easiest way to add USB to your washing machine, toaster, or other favorite appliance. The talk goes under the hood of the ubiquitous standard and clarifies many concepts that are important to understand when developing either device firmware or host software for USB; host, device, hubs, low speed, full speed, high speed, super speed, bus power supply, cable lengths, transfer types, endpoints, descriptors and more. The choice between kernel mode or user mode drivers will also be discussed, and finally we'll take a look at libusb; a cross-platform (WinMacLinuxBSD) library for USB programming. There will be a workshop that builds on this talk. Check the workshop schedule if you would like to join in the building of a custom USB device on an ARM microcontroller!

Tags:  chaos-communication-congress power-supply-cable universal-serial-bus  

Authors: Peter Stuge
Tags: USB
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Learn about the benefits and limitations of Universal Serial Bus, how communication works on the bus, how and why the right (and sometimes wrong?) driver can be loaded automatically by the operating system, and find out the easiest way to add USB to your washing machine, toaster, or other favorite appliance. The talk goes under the hood of the ubiquitous standard and clarifies many concepts that are important to understand when developing either device firmware or host software for USB; host, device, hubs, low speed, full speed, high speed, super speed, bus power supply, cable lengths, transfer types, endpoints, descriptors and more. The choice between kernel mode or user mode drivers will also be discussed, and finally we'll take a look at libusb; a cross-platform (WinMacLinuxBSD) library for USB programming. There will be a workshop that builds on this talk. Check the workshop schedule if you would like to join in the building of a custom USB device on an ARM microcontroller!

Tags:  bus speed usb peter-stuge chaos-communication-congress power-supply-cable universal-serial-bus  

Authors: Collin Mulliner Nico Golde
Tags: phone
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Smart phones, everybody has a smart phone! No! Just about 16% of all mobile phones are smart phones! Feature phones are the most common type of mobile phone in the world. Some time ago we decided to investigate the security of feature phones. In this talk we show how we analyzed feature phones for SMS security issues. We show our results and the kind of attacks that are possible with our bugs. This talk is about security analysis of a class of mobile phone the so-called "feature phones". We show how we analyzed these type of phones for SMS security issues and what kind of problems to overcome in the process. We show results for the major mobile phone manufacturers in the world. Everyone of them has problems. Finally we show what kind of global scale attacks one can carry out with these kind of bugs. The attacks range from interrupting phone calls, to disconnecting people from the network, and sometimes even bricking phones remotely.

Tags:  feature security phone nico-golde collin-mulliner chaos-communication-congress mobile-phone-manufacturers feature-phones  

Authors: Nathan Fain
Tags: embedded hardware hacking
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Bring your target. Will release a slew of simple tools that explore attack surfaces and explain of how to use: jtag/serial scanners, parallel flash dumper, DePCB board routing analysis. So, crossover from software RE and start hacking/improving like its 1996 again. (full documentation and reference at: http://events.ccc.de/congress/2010/wiki/Embedded_Analysis) "All non-trivial abstractions, to some degree, are leaky." -- Joel on Software This applies just as well to hardware. In the soft center of embedded security are the human abstraction layers between embedded developers, pcb designers and asic designers which expose attack surfaces that are often rudimentary and unmovable. Using a theoretical embedded target we walk through each surface overcoming obfuscation to gain control. Will release a slew of embedded analysis tools, some lolarduino based, some not. These tools are based on frameworks that support Industrial Design students with electronics prototyping. Meaning, with little technical background you can adapt these tools to your needs. The audience is invited to bring their target where contributors will be clustered in the hack center and be available to suggest means of protection or application of analysis techniques in your project.

Tags:  analysis jtag target nathan-fain joel chaos-communication-congress reverse-engineering-tools industrial-design-students  

Authors: Felix Gröbert
Tags: cryptography
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: In this talk I demonstrate our research and the implementation of methods to detect cryptographic algorithms and their parameters in software. Based on our observations on cryptographic code, I will point out several inherent characteristics to design signature-based and generic identification methods. Using dynamic binary instrumentation, we record instructions of a program during runtime and create a fine-grained trace. We implement a trace analysis tool, which also provides methods to reconstruct high-level information from a trace, for example control flow graphs or loops, to detect cryptographic algorithms and their parameters. With the results of this work, encrypted data, sent by a malicious program for example, may be decrypted and used by an analyst to gain further insight on the behavior of the analyzed binary executable. Applications include de-DRM'ing, security auditing, and malware C&C analysis. After the talk we will demonstrate the functionality with a ransomware which uses cryptographic primitives and release the implementation to the public.

Tags:  talk identification Software felix-grbert control-flow-graphs chaos-communication-congress cryptographic-primitives  

Authors: Felix Gröbert
Tags: cryptography
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: In this talk I demonstrate our research and the implementation of methods to detect cryptographic algorithms and their parameters in software. Based on our observations on cryptographic code, I will point out several inherent characteristics to design signature-based and generic identification methods. Using dynamic binary instrumentation, we record instructions of a program during runtime and create a fine-grained trace. We implement a trace analysis tool, which also provides methods to reconstruct high-level information from a trace, for example control flow graphs or loops, to detect cryptographic algorithms and their parameters. With the results of this work, encrypted data, sent by a malicious program for example, may be decrypted and used by an analyst to gain further insight on the behavior of the analyzed binary executable. Applications include de-DRM'ing, security auditing, and malware C&C analysis. After the talk we will demonstrate the functionality with a ransomware which uses cryptographic primitives and release the implementation to the public.

Tags:  talk identification Software felix-grbert control-flow-graphs chaos-communication-congress cryptographic-primitives  

Authors: Felix Gröbert
Tags: cryptography
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: In this talk I demonstrate our research and the implementation of methods to detect cryptographic algorithms and their parameters in software. Based on our observations on cryptographic code, I will point out several inherent characteristics to design signature-based and generic identification methods. Using dynamic binary instrumentation, we record instructions of a program during runtime and create a fine-grained trace. We implement a trace analysis tool, which also provides methods to reconstruct high-level information from a trace, for example control flow graphs or loops, to detect cryptographic algorithms and their parameters. With the results of this work, encrypted data, sent by a malicious program for example, may be decrypted and used by an analyst to gain further insight on the behavior of the analyzed binary executable. Applications include de-DRM'ing, security auditing, and malware C&C analysis. After the talk we will demonstrate the functionality with a ransomware which uses cryptographic primitives and release the implementation to the public.

Tags:  talk identification Software felix-grbert control-flow-graphs chaos-communication-congress cryptographic-primitives  

Authors: Nathan Fain
Tags: embedded hardware hacking
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Bring your target. Will release a slew of simple tools that explore attack surfaces and explain of how to use: jtag/serial scanners, parallel flash dumper, DePCB board routing analysis. So, crossover from software RE and start hacking/improving like its 1996 again. (full documentation and reference at: http://events.ccc.de/congress/2010/wiki/Embedded_Analysis) "All non-trivial abstractions, to some degree, are leaky." -- Joel on Software This applies just as well to hardware. In the soft center of embedded security are the human abstraction layers between embedded developers, pcb designers and asic designers which expose attack surfaces that are often rudimentary and unmovable. Using a theoretical embedded target we walk through each surface overcoming obfuscation to gain control. Will release a slew of embedded analysis tools, some lolarduino based, some not. These tools are based on frameworks that support Industrial Design students with electronics prototyping. Meaning, with little technical background you can adapt these tools to your needs. The audience is invited to bring their target where contributors will be clustered in the hack center and be available to suggest means of protection or application of analysis techniques in your project.

Tags:  analysis jtag target nathan-fain joel chaos-communication-congress reverse-engineering-tools industrial-design-students  

Authors: Dominik Herrmann
Tags: web application profiling privacy
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: This talk will provide a summary of recently discovered methods which allow to break the Internet's privacy and anonymity. We will show, amongst others: ways of distinguishing bots from humans. We use this technique to provide crawlers with false data or lure them into tar pits. Other than CAPTCHAs we introduce methods that profile the holistic behaviour within a single web session to distinguish users or bots within a longer timeframe based on subtle charactistics in most bots' implementations. breaking filtering of JavaScript in web-based proxies. While next to all web proxies advertise the capability of filtering JavaScript, the ubiqity of XSS and CSRF attacks have proven that correct filtering of arbitrary HTML is extremly difficult. track and re-identifying users based upon their web-profile. We show how a third-party observer (e. g. proxy server or DNS server) can create a long-term profile of roaming web users using only statistical patterns mined from their web traffic. These patterns are used to track users by linking multiple surfing sessions. Our attack does not rely on cookies or other unique identifiers, but exploits chatacteristic patterns of frequently accessed hosts. We demonstrate that such statistical attacks are practicable and we will also look into basic defense strategies. traffic analysis and fingerprinting attacks on users of anonymizing networks. Even if anonymizeres like Tor are used, a local adversary can measure the volume of transfered data and timing characteristics to e. g. determine the retrieved websites. We will shortly sketch the current state of the art in traffic analysis, which has been improved significantly within the last year

Tags:  privacy web traffic dominik-herrmann tor chaos-communication-congress web-proxies privacy-event  

Authors: Dominik Herrmann
Tags: web application profiling privacy
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: This talk will provide a summary of recently discovered methods which allow to break the Internet's privacy and anonymity. We will show, amongst others: ways of distinguishing bots from humans. We use this technique to provide crawlers with false data or lure them into tar pits. Other than CAPTCHAs we introduce methods that profile the holistic behaviour within a single web session to distinguish users or bots within a longer timeframe based on subtle charactistics in most bots' implementations. breaking filtering of JavaScript in web-based proxies. While next to all web proxies advertise the capability of filtering JavaScript, the ubiqity of XSS and CSRF attacks have proven that correct filtering of arbitrary HTML is extremly difficult. track and re-identifying users based upon their web-profile. We show how a third-party observer (e. g. proxy server or DNS server) can create a long-term profile of roaming web users using only statistical patterns mined from their web traffic. These patterns are used to track users by linking multiple surfing sessions. Our attack does not rely on cookies or other unique identifiers, but exploits chatacteristic patterns of frequently accessed hosts. We demonstrate that such statistical attacks are practicable and we will also look into basic defense strategies. traffic analysis and fingerprinting attacks on users of anonymizing networks. Even if anonymizeres like Tor are used, a local adversary can measure the volume of transfered data and timing characteristics to e. g. determine the retrieved websites. We will shortly sketch the current state of the art in traffic analysis, which has been improved significantly within the last year

Tags:  privacy web traffic dominik-herrmann tor chaos-communication-congress web-proxies privacy-event  

Authors: Robert Spanton
Tags: robotics
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Today, hacking is reserved for the microscopic fraction of the population who manage to shake themselves free of the suppressive education regime. Student Robotics is the beginning of the solution. By fostering creativity through competition to solve engineering challenges, we provide the inspiration society desperately needs. We develop an open platform for robotics and provide it to schools to open students' minds to the world of hacking. Student Robotics pushes engineering into schools by running a robotics competition between 16 to 18 year-olds. We send university students into schools to mentor the participating teams. The organisation is run entirely by students, who also develop the hardware and software for the participants to use. Student Robotics involves a whole range of software and hardware development, including including microcontroller programming, computer vision, and web-apps. This year we've started shipping the BeagleBoard as the robot's main computing device, providing us with a lot of scope for future hacking. In this talk I will: Discuss the motivation behind Student Robotics Provide a technical overview our current hardware and software Discuss the future of Student Robotics in Europe Hey Teacher. Leave them hackers alone.

Tags:  robot robotics student robert-spanton teacher.-leave europe chaos-communication-congress robotics-competition beagleboard  

Authors: Robert Spanton
Tags: robotics
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Today, hacking is reserved for the microscopic fraction of the population who manage to shake themselves free of the suppressive education regime. Student Robotics is the beginning of the solution. By fostering creativity through competition to solve engineering challenges, we provide the inspiration society desperately needs. We develop an open platform for robotics and provide it to schools to open students' minds to the world of hacking. Student Robotics pushes engineering into schools by running a robotics competition between 16 to 18 year-olds. We send university students into schools to mentor the participating teams. The organisation is run entirely by students, who also develop the hardware and software for the participants to use. Student Robotics involves a whole range of software and hardware development, including including microcontroller programming, computer vision, and web-apps. This year we've started shipping the BeagleBoard as the robot's main computing device, providing us with a lot of scope for future hacking. In this talk I will: Discuss the motivation behind Student Robotics Provide a technical overview our current hardware and software Discuss the future of Student Robotics in Europe Hey Teacher. Leave them hackers alone.

Tags:  robot robotics student robert-spanton teacher.-leave europe chaos-communication-congress robotics-competition beagleboard  

Authors: Robert Spanton
Tags: robotics
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Today, hacking is reserved for the microscopic fraction of the population who manage to shake themselves free of the suppressive education regime. Student Robotics is the beginning of the solution. By fostering creativity through competition to solve engineering challenges, we provide the inspiration society desperately needs. We develop an open platform for robotics and provide it to schools to open students' minds to the world of hacking. Student Robotics pushes engineering into schools by running a robotics competition between 16 to 18 year-olds. We send university students into schools to mentor the participating teams. The organisation is run entirely by students, who also develop the hardware and software for the participants to use. Student Robotics involves a whole range of software and hardware development, including including microcontroller programming, computer vision, and web-apps. This year we've started shipping the BeagleBoard as the robot's main computing device, providing us with a lot of scope for future hacking. In this talk I will: Discuss the motivation behind Student Robotics Provide a technical overview our current hardware and software Discuss the future of Student Robotics in Europe Hey Teacher. Leave them hackers alone.

Tags:  robot robotics student robert-spanton teacher.-leave europe chaos-communication-congress robotics-competition beagleboard  

Authors: Branko Spasojevic
Tags: reverse engineering
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Optimization algorithms present an effective way for removing most obfuscations that are used today. Much of the compiler theory can be applied in removing obfuscations and building fast and reliable deobfuscation systems. By understanding traditional optimization problems and techniques it is possible to develop and customize compiler optimization algorithms for usage in binary deobfuscation/analysis. Analysis of malware binaries is constantly becoming more difficult with introduction of many different types of code obfuscators. One common theme in all obfuscators is transformation of code into a complex representation. This process can be viewed as inverse of compiler optimization techniques and as such can be partially removed using optimization algorithms. Optimization algorithms present an effective way for removing most obfuscations that are used today. Much of the compiler theory can be applied in removing obfuscations and building fast and reliable deobfuscation systems. By understanding traditional optimization problems and techniques it is possible to develop and customize compiler optimization algorithms for usage in binary deobfuscation/analysis. Optimization algorithms are especially successful in following: • Removal of no operation instructions • Simplifying complex instructions • Removal of unconditional jumps • Removal of conditional jumps • Simplifying control-flow graph This presentation shows common obfuscation techniques and a process of adapting optimization algorithms for removing obfuscations. Additionally, a open-source plug-in for the IDA Pro disassembler is presented that demonstrates usability of the proposed optimization process as well as a set of techniques to speed up the process of analyzing obfuscated code.

Tags:  compiler-optimization-techniques control-flow-graph chaos-communication-congress  

Authors: Branko Spasojevic
Tags: reverse engineering
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Optimization algorithms present an effective way for removing most obfuscations that are used today. Much of the compiler theory can be applied in removing obfuscations and building fast and reliable deobfuscation systems. By understanding traditional optimization problems and techniques it is possible to develop and customize compiler optimization algorithms for usage in binary deobfuscation/analysis. Analysis of malware binaries is constantly becoming more difficult with introduction of many different types of code obfuscators. One common theme in all obfuscators is transformation of code into a complex representation. This process can be viewed as inverse of compiler optimization techniques and as such can be partially removed using optimization algorithms. Optimization algorithms present an effective way for removing most obfuscations that are used today. Much of the compiler theory can be applied in removing obfuscations and building fast and reliable deobfuscation systems. By understanding traditional optimization problems and techniques it is possible to develop and customize compiler optimization algorithms for usage in binary deobfuscation/analysis. Optimization algorithms are especially successful in following: • Removal of no operation instructions • Simplifying complex instructions • Removal of unconditional jumps • Removal of conditional jumps • Simplifying control-flow graph This presentation shows common obfuscation techniques and a process of adapting optimization algorithms for removing obfuscations. Additionally, a open-source plug-in for the IDA Pro disassembler is presented that demonstrates usability of the proposed optimization process as well as a set of techniques to speed up the process of analyzing obfuscated code.

Tags:  deobfuscation compiler optimization ida-pro compiler-optimization-techniques control-flow-graph chaos-communication-congress  

Authors: Branko Spasojevic
Tags: reverse engineering
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Optimization algorithms present an effective way for removing most obfuscations that are used today. Much of the compiler theory can be applied in removing obfuscations and building fast and reliable deobfuscation systems. By understanding traditional optimization problems and techniques it is possible to develop and customize compiler optimization algorithms for usage in binary deobfuscation/analysis. Analysis of malware binaries is constantly becoming more difficult with introduction of many different types of code obfuscators. One common theme in all obfuscators is transformation of code into a complex representation. This process can be viewed as inverse of compiler optimization techniques and as such can be partially removed using optimization algorithms. Optimization algorithms present an effective way for removing most obfuscations that are used today. Much of the compiler theory can be applied in removing obfuscations and building fast and reliable deobfuscation systems. By understanding traditional optimization problems and techniques it is possible to develop and customize compiler optimization algorithms for usage in binary deobfuscation/analysis. Optimization algorithms are especially successful in following: • Removal of no operation instructions • Simplifying complex instructions • Removal of unconditional jumps • Removal of conditional jumps • Simplifying control-flow graph This presentation shows common obfuscation techniques and a process of adapting optimization algorithms for removing obfuscations. Additionally, a open-source plug-in for the IDA Pro disassembler is presented that demonstrates usability of the proposed optimization process as well as a set of techniques to speed up the process of analyzing obfuscated code.

Tags:  compiler-optimization-techniques control-flow-graph chaos-communication-congress  

Authors: Jérémie Zimmermann
Tags: law
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: ACTA, upcoming criminal enforcement directive, filtering of content... The entertainment industries go further and further into their crusade against sharing. They not only attack our fundamental freedoms, but also the very essence of the Internet. This session is a panorama of the current and upcoming battles, campaigns and actions. Everyone can help defeat the motherf#§$ers! The crusade against sharing the entertainment industries are waging against their customers is taking new directions. Their obsession to apply models from the past to today's technologies leads these industries to turn copyright against their customers. Direct consequences would be damages to freedom of expression, privacy and the right to a fair trial, that would greatly serve the will of some politicians to control the Internet. A number of extremely disturbing trends and upcoming legislative projects will be detailed in this session: ACTA. The "Anti-Counterfeiting Trade Agreement" is the flagship of the entertainment industries. It is a prototype of how to impose legislation while circumventing democratic process and public opinions. ACTA contains most of what the industries are dreaming about. By putting legal and monetary pressure over Internet technical intermediates, ACTA would force them to act as private copyright police and justice of the Net. IPRED2. The criminal enforcement directive was frozen in the Council of EU in 2006. It is about to be revived under the direction of the French commissioner Michel Barnier. It may contain sanctions for "inciting, aiding and abetting" infringement, which would blur the line between copyright infringement and political speech or the production of software and on-line services. "voluntary agreements", "extra-judicial measures", and "cooperation between rights-holders and Internet service providers" sound harmless, but they represent a growing trend in trying to force the ISPs into policing, through contracts, their networks and users. ISPs would be forced to use access restrictions ("three strikes") or even content filtering. Revision of the e-Commerce directive. The movie and music industries will use this occasion to attack the exoneration of liability for technical intermediates of the Net, with potential consequences on freedom of speech. Filtering of the Net. In the name of protecting the children or gamblers, it is being deployed all over Europe. These first steps will allow to further expand filtering mechanisms for the purpose of copyright enforcement, under influence the entertainment industries. How those policies are put in place? What can a citizen do in order to help counter them? How can we better organize to gain momentum in protecting fundamental freedoms in the digital environment? What were the successful campaigns so far, and what will be the upcoming ones?

Tags:  acta copyright enforcement michel-barnier europe chaos-communication-congress judicial-measures internet-service-providers  

Authors: Jérémie Zimmermann
Tags: law
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: ACTA, upcoming criminal enforcement directive, filtering of content... The entertainment industries go further and further into their crusade against sharing. They not only attack our fundamental freedoms, but also the very essence of the Internet. This session is a panorama of the current and upcoming battles, campaigns and actions. Everyone can help defeat the motherf#§$ers! The crusade against sharing the entertainment industries are waging against their customers is taking new directions. Their obsession to apply models from the past to today's technologies leads these industries to turn copyright against their customers. Direct consequences would be damages to freedom of expression, privacy and the right to a fair trial, that would greatly serve the will of some politicians to control the Internet. A number of extremely disturbing trends and upcoming legislative projects will be detailed in this session: ACTA. The "Anti-Counterfeiting Trade Agreement" is the flagship of the entertainment industries. It is a prototype of how to impose legislation while circumventing democratic process and public opinions. ACTA contains most of what the industries are dreaming about. By putting legal and monetary pressure over Internet technical intermediates, ACTA would force them to act as private copyright police and justice of the Net. IPRED2. The criminal enforcement directive was frozen in the Council of EU in 2006. It is about to be revived under the direction of the French commissioner Michel Barnier. It may contain sanctions for "inciting, aiding and abetting" infringement, which would blur the line between copyright infringement and political speech or the production of software and on-line services. "voluntary agreements", "extra-judicial measures", and "cooperation between rights-holders and Internet service providers" sound harmless, but they represent a growing trend in trying to force the ISPs into policing, through contracts, their networks and users. ISPs would be forced to use access restrictions ("three strikes") or even content filtering. Revision of the e-Commerce directive. The movie and music industries will use this occasion to attack the exoneration of liability for technical intermediates of the Net, with potential consequences on freedom of speech. Filtering of the Net. In the name of protecting the children or gamblers, it is being deployed all over Europe. These first steps will allow to further expand filtering mechanisms for the purpose of copyright enforcement, under influence the entertainment industries. How those policies are put in place? What can a citizen do in order to help counter them? How can we better organize to gain momentum in protecting fundamental freedoms in the digital environment? What were the successful campaigns so far, and what will be the upcoming ones?

Tags:  acta copyright enforcement michel-barnier europe chaos-communication-congress judicial-measures internet-service-providers  

Authors: Rop Gonggrijp
Tags: hacking
Event: Chaos Communication Congress 27th (27C3) 2010

Tags:  chaos-communication-congress  

Authors: Rop Gonggrijp
Tags: hacking
Event: Chaos Communication Congress 27th (27C3) 2010

Tags:  chaos-communication-congress  

Authors: Frank Rieger
Tags: hacking
Event: Chaos Communication Congress 28th (28C3) 2011

Tags:  video closing event frank-rieger chaos-communication-congress  

Authors: Frank Rieger
Tags: hacking
Event: Chaos Communication Congress 28th (28C3) 2011

Tags:  audio closing event frank-rieger chaos-communication-congress  

Authors: Wes Faler
Tags: network
Event: Chaos Communication Congress 28th (28C3) 2011
Abstract: Even after years of committee review, communication protocols can certainly be hacked, sometimes highly entertainingly. What about creating a protocol the opposite way? Start with all the hacks that can be done and search for a protocol that gets around them all. Is it even possible? Part Time Scientists has used a GPU to help design our moon mission protocols and we'll show you the what and how. Danger: Real code will be shown!

Tags:  video communication protocol wes-faler chaos-communication-congress communication-protocols time-scientists  

Authors: Wes Faler
Tags: network
Event: Chaos Communication Congress 28th (28C3) 2011
Abstract: Even after years of committee review, communication protocols can certainly be hacked, sometimes highly entertainingly. What about creating a protocol the opposite way? Start with all the hacks that can be done and search for a protocol that gets around them all. Is it even possible? Part Time Scientists has used a GPU to help design our moon mission protocols and we'll show you the what and how. Danger: Real code will be shown!

Tags:  communication evolving protocol wes-faler chaos-communication-congress communication-protocols time-scientists  

Authors: Wes Faler
Tags: network
Event: Chaos Communication Congress 28th (28C3) 2011
Abstract: Even after years of committee review, communication protocols can certainly be hacked, sometimes highly entertainingly. What about creating a protocol the opposite way? Start with all the hacks that can be done and search for a protocol that gets around them all. Is it even possible? Part Time Scientists has used a GPU to help design our moon mission protocols and we'll show you the what and how. Danger: Real code will be shown!

Tags:  audio communication protocol wes-faler chaos-communication-congress communication-protocols time-scientists  

Authors: Brenno De Winter
Tags: privacy
Event: Chaos Communication Congress 28th (28C3) 2011
Abstract: Meet the Netherlands: a nation filled with techno-optimists protecting our freedom by puting in place restrictions on what you can do, reducing our privacy and have technology as a solution for anything and everything. When you make a trip we store your details for two years, your airplane meal selection from two years earlier is good data to test with and when migrating the government website we keep the old website running in an unmaintained state. If you have nothing to hide nothing can go wrong and there is nothing you can do. Well not quite. What would happen if you play the system? If you would take the train and hack the card? What if you were to pick up the resistance you face and use it in your advantage. No matter what the costs would carry on? If you would take some data and show the failures? Not just once but a full month long and call that month Leaktober. What if you would publicly call the failures with our personal data? Ultimately you make a difference. You change the law, you changes the rules of the game and you really can raise the question if storing all that data is really needed. Ultimately people really start to doubt if this is the right way to go. This is a strategic and tactical story on how you can regain some privacy and data protection. Even though for a journalist this should be normal work, thanks to some people these things become very personal. It ends in criminal prosecution, legal threats, insults, a successful counter hack and ultimately a lot of benefits. But standing up for a cause does work as long as you focus on the stories you want to bring. My story is about hacking the system from the inside, overcoming fear and showing bureaucrats that hackers are people too. The talk is a lessons learnt how a few people can change a nation with hacker beliefs if they really want to. A guideline on how to make a difference by hacking the system you want to change. Where you can even make huge mistakes, but with some luck you can win a world. How you can make your critical voice be heard. Zillions of lessons learnt.

Tags:  nothing privacy system winter-tags the-netherlands chaos-communication-congress privacy-event overcoming-fear  

Authors: Brenno De Winter
Tags: privacy
Event: Chaos Communication Congress 28th (28C3) 2011
Abstract: Meet the Netherlands: a nation filled with techno-optimists protecting our freedom by puting in place restrictions on what you can do, reducing our privacy and have technology as a solution for anything and everything. When you make a trip we store your details for two years, your airplane meal selection from two years earlier is good data to test with and when migrating the government website we keep the old website running in an unmaintained state. If you have nothing to hide nothing can go wrong and there is nothing you can do. Well not quite. What would happen if you play the system? If you would take the train and hack the card? What if you were to pick up the resistance you face and use it in your advantage. No matter what the costs would carry on? If you would take some data and show the failures? Not just once but a full month long and call that month Leaktober. What if you would publicly call the failures with our personal data? Ultimately you make a difference. You change the law, you changes the rules of the game and you really can raise the question if storing all that data is really needed. Ultimately people really start to doubt if this is the right way to go. This is a strategic and tactical story on how you can regain some privacy and data protection. Even though for a journalist this should be normal work, thanks to some people these things become very personal. It ends in criminal prosecution, legal threats, insults, a successful counter hack and ultimately a lot of benefits. But standing up for a cause does work as long as you focus on the stories you want to bring. My story is about hacking the system from the inside, overcoming fear and showing bureaucrats that hackers are people too. The talk is a lessons learnt how a few people can change a nation with hacker beliefs if they really want to. A guideline on how to make a difference by hacking the system you want to change. Where you can even make huge mistakes, but with some luck you can win a world. How you can make your critical voice be heard. Zillions of lessons learnt.

Tags:  nothing privacy system winter-tags the-netherlands chaos-communication-congress privacy-event overcoming-fear  

Tags: law privacy
Event: Chaos Communication Congress 28th (28C3) 2011
Abstract: The idea of Dining Cryptographers-Networks (DC) offers a much better anonymity compared to MIX-Networks: Defined anonymity sets, no need to trust in a central service, no possible attack for data retention. In this talk you will learn about DC-Networks, advanced key generation methods (resulting in a DC+-Network) and a library to make DC-Networks available to your programs.

Tags:  chaos-communication-congress privacy-event dc-network  

Authors: Dario Carluccio Stephan Brinkhaus
Tags: privacy
Event: Chaos Communication Congress 28th (28C3) 2011
Abstract: Advanced metering devices (aka smart meters) are nowadays being installed throughout electric networks in Germany, in other parts of Europe and in the United States. Due to a recent amendment especially in Germany they become more and more popular and are obligatory for new and refurbished buildings. Unfortunately, smart meters are able to become surveillance devices that monitor the behavior of the customers leading to unprecedented invasions of consumer privacy. High-resolution energy consumption data is transmitted to the utility company in principle allowing intrusive identification and monitoring of equipment within consumers' homes (e. g., TV set, refrigerator, toaster, and oven) as was already shown in different reports. This talk is about the Discovergy / EasyMeter smart meter used for electricity metering in private homes in Germany. During our analysis we found several security bugs that range from problems with the certificate management of the website to missing security features for the metering data in transit. For example (un)fortunately the metering data is unsigned and unencrypted, although otherwise stated explicitly on the manufacturer's homepage. It has to be pointed out that all tests were performed on a sealed, fully functionally device. In our presentation we will mainly focus on two aspects which we revealed during our analysis: first the privacy issues resulting in even allowing to identify the TV program out of the metering data and second the "problem" that one can easily alter data transmitted even for a third party and thereby potentially fake the amount of consumed power being billed. In the first part of the talk we show that the analysis of the household’s electricity usage profile can reveal what channel the TV set in the household is displaying. We will also give some test-based assessments whether it is possible to scan for copyright-protected material in the data collected by the smart meter. In the second part we focus on the data being transmitted by the smart meter via the Internet. We show to what extent the consumption data can be altered and transmitted to the server and visualize this by transmitting some kind of picture data to Discovergy’s consumption data server in a way that the picture content will become visible in the electricity profile. Moreover, we show what happens if the faked power consumption data reflects unrealistic extreme high or negative power consumptions and how that might influence the database and service robustness.

Tags:  energy-consumption-data chaos-communication-congress smart-hacking  

Tags: law privacy
Event: Chaos Communication Congress 28th (28C3) 2011
Abstract: The idea of Dining Cryptographers-Networks (DC) offers a much better anonymity compared to MIX-Networks: Defined anonymity sets, no need to trust in a central service, no possible attack for data retention. In this talk you will learn about DC-Networks, advanced key generation methods (resulting in a DC+-Network) and a library to make DC-Networks available to your programs.

Tags:  chaos-communication-congress privacy-event dc-network  

Authors: Dario Carluccio Stephan Brinkhaus
Tags: privacy
Event: Chaos Communication Congress 28th (28C3) 2011
Abstract: Advanced metering devices (aka smart meters) are nowadays being installed throughout electric networks in Germany, in other parts of Europe and in the United States. Due to a recent amendment especially in Germany they become more and more popular and are obligatory for new and refurbished buildings. Unfortunately, smart meters are able to become surveillance devices that monitor the behavior of the customers leading to unprecedented invasions of consumer privacy. High-resolution energy consumption data is transmitted to the utility company in principle allowing intrusive identification and monitoring of equipment within consumers' homes (e. g., TV set, refrigerator, toaster, and oven) as was already shown in different reports. This talk is about the Discovergy / EasyMeter smart meter used for electricity metering in private homes in Germany. During our analysis we found several security bugs that range from problems with the certificate management of the website to missing security features for the metering data in transit. For example (un)fortunately the metering data is unsigned and unencrypted, although otherwise stated explicitly on the manufacturer's homepage. It has to be pointed out that all tests were performed on a sealed, fully functionally device. In our presentation we will mainly focus on two aspects which we revealed during our analysis: first the privacy issues resulting in even allowing to identify the TV program out of the metering data and second the "problem" that one can easily alter data transmitted even for a third party and thereby potentially fake the amount of consumed power being billed. In the first part of the talk we show that the analysis of the household’s electricity usage profile can reveal what channel the TV set in the household is displaying. We will also give some test-based assessments whether it is possible to scan for copyright-protected material in the data collected by the smart meter. In the second part we focus on the data being transmitted by the smart meter via the Internet. We show to what extent the consumption data can be altered and transmitted to the server and visualize this by transmitting some kind of picture data to Discovergy’s consumption data server in a way that the picture content will become visible in the electricity profile. Moreover, we show what happens if the faked power consumption data reflects unrealistic extreme high or negative power consumptions and how that might influence the database and service robustness.

Tags:  energy-consumption-data chaos-communication-congress smart-hacking  

Authors: Robert Helling
Tags: science quantum cryptography
Event: Chaos Communication Congress 28th (28C3) 2011
Abstract: Quantum systems can have very different properties from their classical analogues which allows them to have states that are not only correlated but entangled. This allows for quantum computers running algorithms more powerful than those on classical computers (represented by Turing machines) and for quantum cryptography whose safety is (in principle) guaranteed by the laws of nature. I will explain key facts of quantum information theory from a physics perspective. In particular, I will focus on the fundamental difference between the quantum world and the classical world of everyday experience that in particular makes it provable impossible to simulate a quantum world by a classical world. This will then be applied to information processing tasks like quantum computing, quantum cryptography and possibly the human brain. No background in theoretical physics is necessary but some familiarity with basic complexity theory and linear algebra (what is a vector? what is a matrix?) could be helpful.

Tags:  world cryptography quantum robert-helling quantum-information-theory chaos-communication-congress quantum-cryptography  

Authors: Robert Helling
Tags: science quantum cryptography
Event: Chaos Communication Congress 28th (28C3) 2011
Abstract: Quantum systems can have very different properties from their classical analogues which allows them to have states that are not only correlated but entangled. This allows for quantum computers running algorithms more powerful than those on classical computers (represented by Turing machines) and for quantum cryptography whose safety is (in principle) guaranteed by the laws of nature. I will explain key facts of quantum information theory from a physics perspective. In particular, I will focus on the fundamental difference between the quantum world and the classical world of everyday experience that in particular makes it provable impossible to simulate a quantum world by a classical world. This will then be applied to information processing tasks like quantum computing, quantum cryptography and possibly the human brain. No background in theoretical physics is necessary but some familiarity with basic complexity theory and linear algebra (what is a vector? what is a matrix?) could be helpful.

Tags:  world cryptography quantum robert-helling quantum-information-theory chaos-communication-congress quantum-cryptography  

Authors: Will Hargrave
Tags: network
Event: Chaos Communication Congress 28th (28C3) 2011
Abstract: A review about the camp and the congress network. Network layout, planning, setup, operation and finally the teardown. This talk will review both the 28C3 and, due to popular demand, the Camp network. First we would like to give you a review about our network at the camp, where we built a mid-sized carrier network in a few weeks at a camp ground with no infrastructure: Starting at the 4km fibre uplink and the roll out of fibre over the whole campground, you will learn how to build proper datenklos, deploy access switches and WLAN access points in them and also how to convert a shipping container into a sophisticated outdoor data center, in order to build a network that can deliver pictures of cute little cats to over 3000 users. We had some issues and challenging tasks, which we wish to report; we also have some graphs, diagrams, photos and graphics which we want to share with you. The second part will be about the network of the 28C3, which is more or less the usual stuff like every year. You will see some graphs, infrastructure, and hopefully no reports about big issues. ;)

Tags:  network review camp chaos-communication-congress wlan-access-points little-cats  

Authors: Will Hargrave
Tags: network
Event: Chaos Communication Congress 28th (28C3) 2011
Abstract: A review about the camp and the congress network. Network layout, planning, setup, operation and finally the teardown. This talk will review both the 28C3 and, due to popular demand, the Camp network. First we would like to give you a review about our network at the camp, where we built a mid-sized carrier network in a few weeks at a camp ground with no infrastructure: Starting at the 4km fibre uplink and the roll out of fibre over the whole campground, you will learn how to build proper datenklos, deploy access switches and WLAN access points in them and also how to convert a shipping container into a sophisticated outdoor data center, in order to build a network that can deliver pictures of cute little cats to over 3000 users. We had some issues and challenging tasks, which we wish to report; we also have some graphs, diagrams, photos and graphics which we want to share with you. The second part will be about the network of the 28C3, which is more or less the usual stuff like every year. You will see some graphs, infrastructure, and hopefully no reports about big issues. ;)

Tags:  network review camp chaos-communication-congress wlan-access-points little-cats  

Authors: Ruben Bloemgarten
Tags: data mining
Event: Chaos Communication Congress 28th (28C3) 2011
Abstract: The object of the lecture is to present and discuss the chokepointproject. How it (will) attempt(s) to aggregate and visualize near-realtime global internetwork data and augment this visualisation with legislative, commercial(ownership) and circumvention information. The goals of the project are as follows: Provide a global early warning system against governmental or commercial abuse of internetworking systems in regards to civil and human rights. Enforce transparency by aggregating commercial ownership information. Enforce transparency by aggregating legislative information, including voting histories. Enable lobbyist to influence legislators by providing reliable, verifiable data. Provide a public database with near real-time network monitoring data for general use. Provide up to date circumvention methodologies, their relative legal status and their potential risks. The chokepointproject currently consists of two elements : A frontend and public database, An intended globally distributed network monitoring data collection system. The frontend intends to provide an easily understandable visualisation of aggregated and processed data-sources. The data-sources intend to provide the following information: A per country detailed description of: 1a. Network ownership (by IP block and route) 1b. Legislative information such as Which relevant laws are currently active. Who has voted for them (supposing voting was a part of the process). Which relevant laws are currently under review or being proposed. Who are proposing/drafting these laws. 1c. What circumvention methods are currently available for specific problems. Near real-time network status vitalisations such as, but not restricted to 2a. Connectivity of geographic clusters, 2b. Manipulation of connectivity such as: 2b.1. Traffic shaping, 2b.2. Content filtering, 2b.3. Blackouts. The intended globally distributed network monitoring data collection system would provide an independent and publicly available dataset. I do not intend to discuss this in depth. The focus of this lecture is supposed to be the front-end and the aggregation of already publicly available data sources, and the supposed benefit to improving civil rights everywhere and protecting them in those places where their functional effectiveness is under threat.

Tags:  chokepointproject network information ruben-bloemgarten chaos-communication-congress real-time-network global-internetwork  

Authors: Will Hargrave
Tags: network
Event: Chaos Communication Congress 28th (28C3) 2011
Abstract: A review about the camp and the congress network. Network layout, planning, setup, operation and finally the teardown. This talk will review both the 28C3 and, due to popular demand, the Camp network. First we would like to give you a review about our network at the camp, where we built a mid-sized carrier network in a few weeks at a camp ground with no infrastructure: Starting at the 4km fibre uplink and the roll out of fibre over the whole campground, you will learn how to build proper datenklos, deploy access switches and WLAN access points in them and also how to convert a shipping container into a sophisticated outdoor data center, in order to build a network that can deliver pictures of cute little cats to over 3000 users. We had some issues and challenging tasks, which we wish to report; we also have some graphs, diagrams, photos and graphics which we want to share with you. The second part will be about the network of the 28C3, which is more or less the usual stuff like every year. You will see some graphs, infrastructure, and hopefully no reports about big issues. ;)

Tags:  network review camp chaos-communication-congress wlan-access-points little-cats  

Authors: Ruben Bloemgarten
Tags: data mining
Event: Chaos Communication Congress 28th (28C3) 2011
Abstract: The object of the lecture is to present and discuss the chokepointproject. How it (will) attempt(s) to aggregate and visualize near-realtime global internetwork data and augment this visualisation with legislative, commercial(ownership) and circumvention information. The goals of the project are as follows: Provide a global early warning system against governmental or commercial abuse of internetworking systems in regards to civil and human rights. Enforce transparency by aggregating commercial ownership information. Enforce transparency by aggregating legislative information, including voting histories. Enable lobbyist to influence legislators by providing reliable, verifiable data. Provide a public database with near real-time network monitoring data for general use. Provide up to date circumvention methodologies, their relative legal status and their potential risks. The chokepointproject currently consists of two elements : A frontend and public database, An intended globally distributed network monitoring data collection system. The frontend intends to provide an easily understandable visualisation of aggregated and processed data-sources. The data-sources intend to provide the following information: A per country detailed description of: 1a. Network ownership (by IP block and route) 1b. Legislative information such as Which relevant laws are currently active. Who has voted for them (supposing voting was a part of the process). Which relevant laws are currently under review or being proposed. Who are proposing/drafting these laws. 1c. What circumvention methods are currently available for specific problems. Near real-time network status vitalisations such as, but not restricted to 2a. Connectivity of geographic clusters, 2b. Manipulation of connectivity such as: 2b.1. Traffic shaping, 2b.2. Content filtering, 2b.3. Blackouts. The intended globally distributed network monitoring data collection system would provide an independent and publicly available dataset. I do not intend to discuss this in depth. The focus of this lecture is supposed to be the front-end and the aggregation of already publicly available data sources, and the supposed benefit to improving civil rights everywhere and protecting them in those places where their functional effectiveness is under threat.

Tags:  chokepointproject network information ruben-bloemgarten chaos-communication-congress real-time-network global-internetwork  

Authors: Ruben Bloemgarten
Tags: data mining
Event: Chaos Communication Congress 28th (28C3) 2011
Abstract: The object of the lecture is to present and discuss the chokepointproject. How it (will) attempt(s) to aggregate and visualize near-realtime global internetwork data and augment this visualisation with legislative, commercial(ownership) and circumvention information. The goals of the project are as follows: Provide a global early warning system against governmental or commercial abuse of internetworking systems in regards to civil and human rights. Enforce transparency by aggregating commercial ownership information. Enforce transparency by aggregating legislative information, including voting histories. Enable lobbyist to influence legislators by providing reliable, verifiable data. Provide a public database with near real-time network monitoring data for general use. Provide up to date circumvention methodologies, their relative legal status and their potential risks. The chokepointproject currently consists of two elements : A frontend and public database, An intended globally distributed network monitoring data collection system. The frontend intends to provide an easily understandable visualisation of aggregated and processed data-sources. The data-sources intend to provide the following information: A per country detailed description of: 1a. Network ownership (by IP block and route) 1b. Legislative information such as Which relevant laws are currently active. Who has voted for them (supposing voting was a part of the process). Which relevant laws are currently under review or being proposed. Who are proposing/drafting these laws. 1c. What circumvention methods are currently available for specific problems. Near real-time network status vitalisations such as, but not restricted to 2a. Connectivity of geographic clusters, 2b. Manipulation of connectivity such as: 2b.1. Traffic shaping, 2b.2. Content filtering, 2b.3. Blackouts. The intended globally distributed network monitoring data collection system would provide an independent and publicly available dataset. I do not intend to discuss this in depth. The focus of this lecture is supposed to be the front-end and the aggregation of already publicly available data sources, and the supposed benefit to improving civil rights everywhere and protecting them in those places where their functional effectiveness is under threat.

Tags:  chokepointproject network information ruben-bloemgarten chaos-communication-congress real-time-network global-internetwork  

Tags: social engineering
Event: Chaos Communication Congress 28th (28C3) 2011
Abstract: All the talks i saw about SE so far just showed which good SE's the speakers are. I try to do another approach, what if i get in and don't know what to do then. The talk is about the reconn. before the assessment, the different approaches of SE. Which techniques can one use, how to do a proper intel. and what is useful. How things work and more important why. Which skill set should one have before entering a engagement. And last but not least how do one counter a SE attack.

Tags:  video engineering part chaos-communication-congress how-things-work social-engineering  

Tags: social engineering
Event: Chaos Communication Congress 28th (28C3) 2011
Abstract: All the talks i saw about SE so far just showed which good SE's the speakers are. I try to do another approach, what if i get in and don't know what to do then. The talk is about the reconn. before the assessment, the different approaches of SE. Which techniques can one use, how to do a proper intel. and what is useful. How things work and more important why. Which skill set should one have before entering a engagement. And last but not least how do one counter a SE attack.

Tags:  engineering part audio chaos-communication-congress how-things-work social-engineering  

Tags: hacking
Event: Chaos Communication Congress 28th (28C3) 2011

Tags:  video day lightning chaos-communication-congress lightning-talks  

Tags: hacking
Event: Chaos Communication Congress 28th (28C3) 2011

Tags:  day audio lightning chaos-communication-congress lightning-talks  

Tags: privacy
Event: Chaos Communication Congress 28th (28C3) 2011
Abstract: This talk is about: Information freedom and the issues for the citizens RWB ressources: a “human network” RWB needs: Get involved! ** Freedom of information and citizen issues Why defend media freedom, journalists and bloggers? Because without a free press, no cause can make its voice heard, no human rights violation can be reported. Specific examples of information vital to the public (links below): - the tainted baby formula scandal in China exposed by the netizen Zhao Lianhai, who was arrested as a result - Organized crime denounced by netizens, some of whom have been killed. Rascatripas, the moderator of the Nuevo Laredo en Vivo website, murdered on 9 November 2011 - RWB sees how the media and methods of spreading news and information are evolving, and is adapting to the changes - RWB helps all kinds of “information producers” including professional journalists and bloggers and takes positions on the problems specific to new media WikiLeaks hounded - Capacity building and e-advocacy: RWB provides bloggers, cyber-dissidents and journalists with the means to continue reporting and circulating information. Provision of censorship circumvention tools (including VPN) and online security training, circulation of viral campaigns, awareness campaigns, information about online risks. ** RWB’s resources: a “human network” A human network: 150 correspondents worldwide + informal contacts Strong lobbying capacity (European Parliament and Washington) A legal committee Handbook for Bloggers and Handbook for Journalists during Elections Training (in Thailand, in Paris in February, in China and elsewhere in the future) Virtual Shelter project: Creation of electronic safe and website for hosting censored content ** RWB’s needs: Get involved! Need for people whose technical skills can help us to evaluate a country’s Internet, by carrying out tests to determine the filters used, the presence of Deep Packet Inspection and so on. Need for technicians who can tell us about the safety of the various communications methods used. Which governments monitor Skype, IRC, BBM, and Google Talk? Which email service or VoIP to use? Need for the help of experts in viral marketing, search engine marketing and information monitoring. Need for contacts in companies that cooperate with Internet censorship (or former employees) Need for the help of jurists in different countries to analyze the growing number of laws that regulate the Internet

Tags:  chaos-communication-congress citizen-issues privacy-event  

Authors: Zoran Zaric
Tags: backup
Event: Chaos Communication Congress 28th (28C3) 2011
Abstract: bup is short for "backup". bup uses the file format of the distributed version control system Git. It solves Git's problems with big files. Deduplication is used to make backups space efficent (about five times smaller than rsnapshot's backups). Data is deduplicated globally across files and backups. If a small part of a big file is changed only little additional space is needed. The major part of this talk will describe Git's concepts, the structure of a repository, file format, and go into detail about the resulting implications on backups. After a demonstration of bup I'll describe the implemented algorithms and data structures and their resulting perfomance gains over other backup solutions. The talk will end with an overview of the recent development and a bait for new developers.

Tags:  chaos-communication-congress algorithms-and-data-structures backup-solutions  

Authors: Zoran Zaric
Tags: backup
Event: Chaos Communication Congress 28th (28C3) 2011
Abstract: bup is short for "backup". bup uses the file format of the distributed version control system Git. It solves Git's problems with big files. Deduplication is used to make backups space efficent (about five times smaller than rsnapshot's backups). Data is deduplicated globally across files and backups. If a small part of a big file is changed only little additional space is needed. The major part of this talk will describe Git's concepts, the structure of a repository, file format, and go into detail about the resulting implications on backups. After a demonstration of bup I'll describe the implemented algorithms and data structures and their resulting perfomance gains over other backup solutions. The talk will end with an overview of the recent development and a bait for new developers.

Tags:  chaos-communication-congress algorithms-and-data-structures backup-solutions  

Tags: privacy
Event: Chaos Communication Congress 28th (28C3) 2011
Abstract: This talk is about: Information freedom and the issues for the citizens RWB ressources: a “human network” RWB needs: Get involved! ** Freedom of information and citizen issues Why defend media freedom, journalists and bloggers? Because without a free press, no cause can make its voice heard, no human rights violation can be reported. Specific examples of information vital to the public (links below): - the tainted baby formula scandal in China exposed by the netizen Zhao Lianhai, who was arrested as a result - Organized crime denounced by netizens, some of whom have been killed. Rascatripas, the moderator of the Nuevo Laredo en Vivo website, murdered on 9 November 2011 - RWB sees how the media and methods of spreading news and information are evolving, and is adapting to the changes - RWB helps all kinds of “information producers” including professional journalists and bloggers and takes positions on the problems specific to new media WikiLeaks hounded - Capacity building and e-advocacy: RWB provides bloggers, cyber-dissidents and journalists with the means to continue reporting and circulating information. Provision of censorship circumvention tools (including VPN) and online security training, circulation of viral campaigns, awareness campaigns, information about online risks. ** RWB’s resources: a “human network” A human network: 150 correspondents worldwide + informal contacts Strong lobbying capacity (European Parliament and Washington) A legal committee Handbook for Bloggers and Handbook for Journalists during Elections Training (in Thailand, in Paris in February, in China and elsewhere in the future) Virtual Shelter project: Creation of electronic safe and website for hosting censored content ** RWB’s needs: Get involved! Need for people whose technical skills can help us to evaluate a country’s Internet, by carrying out tests to determine the filters used, the presence of Deep Packet Inspection and so on. Need for technicians who can tell us about the safety of the various communications methods used. Which governments monitor Skype, IRC, BBM, and Google Talk? Which email service or VoIP to use? Need for the help of experts in viral marketing, search engine marketing and information monitoring. Need for contacts in companies that cooperate with Internet censorship (or former employees) Need for the help of jurists in different countries to analyze the growing number of laws that regulate the Internet

Tags:  chaos-communication-congress citizen-issues privacy-event  

Authors: Herr Urbach
Tags: security
Event: Chaos Communication Congress 28th (28C3) 2011
Abstract: Software is becoming more and more important in organizing response to all kinds of crises, whether that means activists responding to an unjust government or aid workers helping with the aftermath of a disaster. Security often isn't the first thing people think about in these situations -- they have work to get done, just like the rest of us, and many of these tools are built in the heat of the moment. In a crisis, a lack of security can make a small disaster into a big one. In this talk, we'll look at real world experiences of the security and privacy problems in the field, and how to fix them, at both large and small levels. People are using technology to try to save the world, whether in the disaster response world, or in activist or revolutionary work. Many of the people involved are not technologists. Many of the people building tools for these situations do not understand security. This is a problem because: Privacy issues for disaster response Creepy uncle Creepy government agency Gaming the aid process with crowdsourced reports Activists and revolutionaries are subject to direct attack, coercion, harrassment, etc. A few problems: People are using generic tools that don't provide the guarantees they need People are writing special-purpose tools without understanding the problem People are writing tools which intentionally subvert their users People don't understand the problems they're causing with how they use tools To fix this: Build specialist tools with a deep understanding of the real problems Get the help you need to make tools secure Ask for help Help disaster/activist ICT projects if you know your security Build security into generic tools, even if you're not planning on revolutionaries using them, because you never know when you're going to need to overthrow a government on twittter. Learn/teach about security and what it takes to use existing tools well Build a security culture in your organization

Tags:  security disaster response chaos-communication-congress special-purpose-tools disaster-crisis  

Authors: Kay Hamacher
Tags: privacy
Event: Chaos Communication Congress 28th (28C3) 2011
Abstract: In his now (in)famous pamphlet "Conspiracy as Governance" Julian Assange (JA) argues about the need for leaking as an efficient way to destroy "unjust" groups as the neo-feudalistic ones - luring the conspiracy theory leaning hacker community into his belief system. Eventually, JA used a biologistic argument on the benefits and drawbacks that uncontrolled leaking might pose for "just" and "unjust" systems, arriving at the conclusion that "unjust" systems are hurt more and thus will be less viable, essentially being destroyed by more "just" systems. While an innovative proposal, the underlying assumptions on complexity, network theory, and especially the evolutionary perspectives were never critically assessed. Some blogs and media raised questions on details and potential threats to innocent bystanders. Still, fundamental problems with the philosophy were never addressed. This paper argues against the general validity of such theories. In particular, we will refute some of the biologistic arguments. Theoretical biology has long ago pointed out the hidden complexity in evolutionary processes and as such the envisioned "leaking revolution" might be a limited artifact: there might even arise situations where the leaking envisioned and encouraged by Wikileaks and the like can actually strengthen some "conspiracies". In this paper I will describe some research questions, that should be answered before given the “leaking philosophy” an unconditioned “thumbs-up”. Empirically, for example, a potential strengthening is illustrated by the rise of a 'neo-feudalistic economy', which is linked closely to the paradigm of "intellectual property" as it is to the security-financial-political complex. The players have effectively created a closed network or a "conspiracy" and might be resilient towards Wikileaks-like attacks. The paper concludes with an alternative to that proposal; in particular, a way to deal with the 'conspiracy' that might be coined the rise of the neo-feudalistic society (which in itself is a self-sustainable, self-amplifying feedback loop, not necessarily a conscious conspiracy).

Tags:  way conspiracy paper julian-assange kay-hamacher chaos-communication-congress innocent-bystanders  

Authors: Herr Urbach
Tags: security
Event: Chaos Communication Congress 28th (28C3) 2011
Abstract: Software is becoming more and more important in organizing response to all kinds of crises, whether that means activists responding to an unjust government or aid workers helping with the aftermath of a disaster. Security often isn't the first thing people think about in these situations -- they have work to get done, just like the rest of us, and many of these tools are built in the heat of the moment. In a crisis, a lack of security can make a small disaster into a big one. In this talk, we'll look at real world experiences of the security and privacy problems in the field, and how to fix them, at both large and small levels. People are using technology to try to save the world, whether in the disaster response world, or in activist or revolutionary work. Many of the people involved are not technologists. Many of the people building tools for these situations do not understand security. This is a problem because: Privacy issues for disaster response Creepy uncle Creepy government agency Gaming the aid process with crowdsourced reports Activists and revolutionaries are subject to direct attack, coercion, harrassment, etc. A few problems: People are using generic tools that don't provide the guarantees they need People are writing special-purpose tools without understanding the problem People are writing tools which intentionally subvert their users People don't understand the problems they're causing with how they use tools To fix this: Build specialist tools with a deep understanding of the real problems Get the help you need to make tools secure Ask for help Help disaster/activist ICT projects if you know your security Build security into generic tools, even if you're not planning on revolutionaries using them, because you never know when you're going to need to overthrow a government on twittter. Learn/teach about security and what it takes to use existing tools well Build a security culture in your organization

Tags:  security disaster response chaos-communication-congress special-purpose-tools disaster-crisis  

Authors: Kay Hamacher
Tags: privacy
Event: Chaos Communication Congress 28th (28C3) 2011
Abstract: In his now (in)famous pamphlet "Conspiracy as Governance" Julian Assange (JA) argues about the need for leaking as an efficient way to destroy "unjust" groups as the neo-feudalistic ones - luring the conspiracy theory leaning hacker community into his belief system. Eventually, JA used a biologistic argument on the benefits and drawbacks that uncontrolled leaking might pose for "just" and "unjust" systems, arriving at the conclusion that "unjust" systems are hurt more and thus will be less viable, essentially being destroyed by more "just" systems. While an innovative proposal, the underlying assumptions on complexity, network theory, and especially the evolutionary perspectives were never critically assessed. Some blogs and media raised questions on details and potential threats to innocent bystanders. Still, fundamental problems with the philosophy were never addressed. This paper argues against the general validity of such theories. In particular, we will refute some of the biologistic arguments. Theoretical biology has long ago pointed out the hidden complexity in evolutionary processes and as such the envisioned "leaking revolution" might be a limited artifact: there might even arise situations where the leaking envisioned and encouraged by Wikileaks and the like can actually strengthen some "conspiracies". In this paper I will describe some research questions, that should be answered before given the “leaking philosophy” an unconditioned “thumbs-up”. Empirically, for example, a potential strengthening is illustrated by the rise of a 'neo-feudalistic economy', which is linked closely to the paradigm of "intellectual property" as it is to the security-financial-political complex. The players have effectively created a closed network or a "conspiracy" and might be resilient towards Wikileaks-like attacks. The paper concludes with an alternative to that proposal; in particular, a way to deal with the 'conspiracy' that might be coined the rise of the neo-feudalistic society (which in itself is a self-sustainable, self-amplifying feedback loop, not necessarily a conscious conspiracy).

Tags:  way conspiracy paper julian-assange kay-hamacher chaos-communication-congress innocent-bystanders  

Authors: Peter Eckersley
Tags: SSL
Event: Chaos Communication Congress 28th (28C3) 2011
Abstract: This talk will describe the Sovereign Key system, an EFF proposal for improving the security of SSL/TLS connections against attacks that involve Certificate Authorities (CAs) or portions of the DNSSEC hierarchy. The design stores persistent name-to-key mappings in a semi-centralised, append-only data structure. It allows domain owners to deploy operational TLS keys without trusting any third parties whatsoever, and gives clients a reliable way to verify those keys. The design can also be used to automatically circumvent a large portion of server impersonation and man-in-the-middle attacks, avoiding the need for confusing certificate warnings, which users will often click through even when they are under attack. The Sovereign Key design bootstraps from and reinforces either CA-signed certificates or DANE/DNSSEC as a method of publishing and verifying TLS servers' public keys. Conceptually, it provides functionality similar to what could be obtained if HTTPS servers could publish special headers saying "in the future, all new public keys for this domain will be cross-signed by this key: XXX", but the design includes a number of necessary additional features, including a secure revocation mechanism, protection against false headers that an attacker could publish after compromising an HTTPS server, and support for protocols other than HTTPS (SMTPS, POP3S, IMAPS, XMPPS, etc). Sovereign Keys allow clients to detect server impersonation and man-in-the-middle attacks even if the attack involves compromise or malice by a CA or DNSSEC registry. But Sovereign Keys also allow for automatic circumvention of these attacks via proxies, VPNs, or Tor hidden services.

Tags:  chaos-communication-congress certificate-authorities those-keys  

Authors: Peter Eckersley
Tags: SSL
Event: Chaos Communication Congress 28th (28C3) 2011
Abstract: This talk will describe the Sovereign Key system, an EFF proposal for improving the security of SSL/TLS connections against attacks that involve Certificate Authorities (CAs) or portions of the DNSSEC hierarchy. The design stores persistent name-to-key mappings in a semi-centralised, append-only data structure. It allows domain owners to deploy operational TLS keys without trusting any third parties whatsoever, and gives clients a reliable way to verify those keys. The design can also be used to automatically circumvent a large portion of server impersonation and man-in-the-middle attacks, avoiding the need for confusing certificate warnings, which users will often click through even when they are under attack. The Sovereign Key design bootstraps from and reinforces either CA-signed certificates or DANE/DNSSEC as a method of publishing and verifying TLS servers' public keys. Conceptually, it provides functionality similar to what could be obtained if HTTPS servers could publish special headers saying "in the future, all new public keys for this domain will be cross-signed by this key: XXX", but the design includes a number of necessary additional features, including a secure revocation mechanism, protection against false headers that an attacker could publish after compromising an HTTPS server, and support for protocols other than HTTPS (SMTPS, POP3S, IMAPS, XMPPS, etc). Sovereign Keys allow clients to detect server impersonation and man-in-the-middle attacks even if the attack involves compromise or malice by a CA or DNSSEC registry. But Sovereign Keys also allow for automatic circumvention of these attacks via proxies, VPNs, or Tor hidden services.

Tags:  chaos-communication-congress certificate-authorities those-keys  

Authors: Kay Hamacher
Tags: privacy
Event: Chaos Communication Congress 28th (28C3) 2011
Abstract: In his now (in)famous pamphlet "Conspiracy as Governance" Julian Assange (JA) argues about the need for leaking as an efficient way to destroy "unjust" groups as the neo-feudalistic ones - luring the conspiracy theory leaning hacker community into his belief system. Eventually, JA used a biologistic argument on the benefits and drawbacks that uncontrolled leaking might pose for "just" and "unjust" systems, arriving at the conclusion that "unjust" systems are hurt more and thus will be less viable, essentially being destroyed by more "just" systems. While an innovative proposal, the underlying assumptions on complexity, network theory, and especially the evolutionary perspectives were never critically assessed. Some blogs and media raised questions on details and potential threats to innocent bystanders. Still, fundamental problems with the philosophy were never addressed. This paper argues against the general validity of such theories. In particular, we will refute some of the biologistic arguments. Theoretical biology has long ago pointed out the hidden complexity in evolutionary processes and as such the envisioned "leaking revolution" might be a limited artifact: there might even arise situations where the leaking envisioned and encouraged by Wikileaks and the like can actually strengthen some "conspiracies". In this paper I will describe some research questions, that should be answered before given the “leaking philosophy” an unconditioned “thumbs-up”. Empirically, for example, a potential strengthening is illustrated by the rise of a 'neo-feudalistic economy', which is linked closely to the paradigm of "intellectual property" as it is to the security-financial-political complex. The players have effectively created a closed network or a "conspiracy" and might be resilient towards Wikileaks-like attacks. The paper concludes with an alternative to that proposal; in particular, a way to deal with the 'conspiracy' that might be coined the rise of the neo-feudalistic society (which in itself is a self-sustainable, self-amplifying feedback loop, not necessarily a conscious conspiracy).

Tags:  way conspiracy paper julian-assange kay-hamacher chaos-communication-congress innocent-bystanders