27C3 Day 1
In Berlin's winter the 27th Chaos Communication Congress started again at the bcc, next to Alexanderplatz. Hence the available amount of tickets was a lot higher than demand i am happy that i got a full ticket in the presale. And luckily, i made it through the unusual strong winter from my family, where i spent christmas, back to Berlin in time, thanks to two guys from Duisburg, who offered me a ride.
Just like last year, I want to sum up what i have heard and seen at 27C3 each day.
A peace message
The keynote was held by Rop Gonggrijp. He did a flashback on a keynote 5 years before, titled "we lost the war" which draw a bad picture of the state of privacy and freedom. He related it a bit today, as some battles have been won since, though. Oftenly he compared the states of privacy and justice in Germany as well as Netherlands, where he is from. He highlighted some successes, e.g. the ban of voting machines but also pointed to present developments. Wikileaks was a topic there, for example, and the begin of cryptowars. Eventually, he took a few glances on the future, coming to the conclusion to see more decentralized, but very networked world which are the consequences of the states actions and hackers reactions. Finally, he stressed that the Chaos Communication Congress needs to grow. It would need a new location, as the bcc is quite too small.
Square the web
The keynote was fallowed by Jérémie Zimmermann from the french organization La Quadrature du Net who held a talk about copyright enforcement. From the perspective of the industries, he drawed a picture of the Internet as a "copy machine". Of course, from this POV, people have to be stopped to use it as such. He described some instruments that are used to achieve this goal, from sueing, to laws like Hadopi to - of course - ACTA. About ACTA he spoke in detail and made clear by outakes of the document where the problems are. His first main statement was that it can only be fought at the EU parliament and as such they need pressure which needs to build up by "us". Moreover he stated by studies that "sharing helps culture", that people pay more and more for the culture goods in question and especially spendids for concerts rose since Napster.
Tor is not enough
In a third part they discussed how to determine if a user visited a specified websites. Again, it is possible by data mining and AI. It is needed to collect sample data from requests to those sites and compare it with the tcpdumps from the user. They have achieved an accuracy of about 20%, another colleague up to 80%. The only proble: for this methode, the user must not do things in parallel, like listeting to web radio.
Whistleblowing in a nutshell
A general overview about what whistleblowing is, which chances it brings and which risks it takes was given by Johannes Ludwig and a guy whose name it forget to take down (sry). In a diverting talk both drew a picture with scientific statements, but also with real world examples. Unfortunately, the performance was a bit bewildered in a whole, when they rushed through the slides. Nevertheless, both pointed on the chances that whistleblowing brings - mainly early recognizaten of nuisances - and stressed that a cultural change is necessary to use this tool in an thoroughly honorouble way. Currently, whistleblowers are discriminated against in most cases, and there is only little chance to stay anonymous.
Killers are quiet
Killers are quiet is not only a song from Slipknot, but describes how Collin Mulliner and Nico Golde instrumentalized SMS on feature mobile phones (not smart phones, they have an world wide share of only 16% or so yet). In fact there are a couple of different SMS types and enhancements, which are partly rarely used, and thus not very well tested. So a good starting point for playing around with them on widespread mobile phones. As the phones and their operating systems are pretty much closed, they helped themselves with GSM itself, which is doable with the help of OpenBSC. And their results are not too bad. The most impressive three in my opinion:
- Phone does not ACK the SMS from the operator, but is crashing and rebooting directly. So, the SMS will be delivered again, which ends up in a (neverending) loop.
- A SMS causes a phone to deny every next incoming SMS, in fact neither SMS nor phone application will work again.
- Another phone has been bricked completely
In most cases, the user did not even see the SMS, since these messages may be quiet service messages.
More profitable are effects, that don't destroy the device. And indeed, there were many circumstances when a phone only rebooted once or simply crashed. In a mass attack, an operator can be tried with thousands of devices rebooting and loging into the network again.
datenwolf vs. Lennart
Then there was a talk titled "Desktop on the Linux..." where datenwolf intended to talk (and ask and complain) about the Desktop on Linux operating systems. Starting with an example which was effective two years ago, he got into several controversial discussions with PulseAudio developer Lennart Poettering. In fact, Lennart hit back at almost every of his statements... I can't remember a more entertaining talk. My adivce: absolutely do watch the recording, as soon as it is available. It is hardly informativ, but you get a lot of fun.
The ID you entrust your baby to
Germany introduced new ID cards which are supposed to be secure as hell. Well. Two Berlin students, Frank Morgner and Dominik Oepen described how the ID and its features and IO devices work in terms of security systems. Furthermore they communicated concepts in how an (relay) attack can be performed and which requirements it takes. Since they were part of the testing group they gained insights and also wrote OpenPACE, which extends SSL with PACE (password authenticated connection establishement). As such they demonstrated how the attacks can be executed and outlined how they can be prevented.
Four 0days from Stuxnet
The main act today has been done, surprisingly, by Microsoft employee and "from time to time" Linux user Bruce Dang. In an entertaining but still informative talk he explained how they detected four 0day vulnerabilities used by Stuxnet and them, too. Curiously enough it turned out, that two of them were already known, though but foreign people. The first vulnerability (LNK files) was rather easy to find - and very easy to exploit. The second (root level access by task scheduler) and third (code injection via keyboard layout loading) were hard to find, the fourth quite wiggy (remote guest can place a file anyplace under certain circumstances).