Alien8
Astro
Pentanews Game Show

Out of the news section of the [C3D2](http://www.c3d2.de "CCC Dresden") [radio programme](http://www.pentamedia.org/pentaradio Pentaradio24) we've compiled an entertaining game show, an Internet-based multiplayer "Who becomes millionaire?" challenge. The audience and folks on the peace missions are asked to help the players.

From the collected news items of our monthly radio show we've generated a game show somewhat inspired by "Who becomes millionaire?" but multi player. The questions cover all types of net-news we've found interesting to mention in our radio show. An example question would be: "Who operates the biggest Cloud service?" # Google # Facebook # Amazon # Botnets This game show was successfully beta tested at the [Datenspuren](http://www.datenspuren.de "Datenspuren") symposium this year but much improved since. Honouring English as the language spoken by the most people at the congress we offer English and German depending on the audience.

Jérémie Zimmermann
Copyright Enforcement Vs. Freedoms

ACTA, upcoming criminal enforcement directive, filtering of content... The entertainment industries go further and further into their crusade against sharing. They not only attack our fundamental freedoms, but also the very essence of the Internet. This session is a panorama of the current and upcoming battles, campaigns and actions. Everyone can help defeat the motherf#§$ers!

The crusade against sharing the entertainment industries are waging against their customers is taking new directions. Their obsession to apply models from the past to today's technologies leads these industries to turn copyright against their customers. Direct consequences would be damages to freedom of expression, privacy and the right to a fair trial, that would greatly serve the will of some politicians to control the Internet. A number of extremely disturbing trends and upcoming legislative projects will be detailed in this session: - ACTA. The "Anti-Counterfeiting Trade Agreement" is the flagship of the entertainment industries. It is a prototype of how to impose legislation while circumventing democratic process and public opinions. ACTA contains most of what the industries are dreaming about. By putting legal and monetary pressure over Internet technical intermediates, ACTA would force them to act as private copyright police and justice of the Net. - IPRED2. The criminal enforcement directive was frozen in the Council of EU in 2006. It is about to be revived under the direction of the French commissioner Michel Barnier. It may contain sanctions for "inciting, aiding and abetting" infringement, which would blur the line between copyright infringement and political speech or the production of software and on-line services. - "voluntary agreements", "extra-judicial measures", and "cooperation between rights-holders and Internet service providers" sound harmless, but they represent a growing trend in trying to force the ISPs into policing, through contracts, their networks and users. ISPs would be forced to use access restrictions ("three strikes") or even content filtering. - Revision of the e-Commerce directive. The movie and music industries will use this occasion to attack the exoneration of liability for technical intermediates of the Net, with potential consequences on freedom of speech. - Filtering of the Net. In the name of protecting the children or gamblers, it is being deployed all over Europe. These first steps will allow to further expand filtering mechanisms for the purpose of copyright enforcement, under influence the entertainment industries. How those policies are put in place? What can a citizen do in order to help counter them? How can we better organize to gain momentum in protecting fundamental freedoms in the digital environment? What were the successful campaigns so far, and what will be the upcoming ones? Join us in our effort!

Alvar C. H. Freude
Von Zensursula über Censilia hin zum Kindernet

Nach Zensursula kam Censilia und das Kindernet: 2010 brachte nach den hitzigen Diskussionen um Internet-Sperren und das Zugangserschwerungsgesetz einige neue Entwicklungen – und die Rundfunkkommission der Länder wollte mal wieder den Jugendschutz im Internet angehen.

Der Vortrag lässt die Themen noch einmal Revue passieren und bringt einen Ausblick, was uns in den nächsten Monaten eventuell noch blüht.

Johannes Ludwig
Whistleblower-Netzwerk
Whistleblowing

Whistleblowing als universelles Konzept für mehr Transparenz – oder: über die Rückeroberung der Dunkelräume in Wirtschaft und Politik auch jenseits von Wikileaks.

Die Präsentation von Wikileaks war einer der Höhepunkte der 26C3. Durch Wikileaks haben viele Hacker erstmals von Whistleblowing erfahren. Allerdings verkürzen einige Whistleblowing auch auf die anonyme Veröffentlichung brisanter Dokumente im Netz. Dem wollen Guido Strack und Johannes Ludwig vom Whistleblower-Netzwerk Deutschland mit ihrem Vortrag und einer begleitenden Ausstellung entgegenwirken. Es werden Beispiele von Menschen gezeigt, die Zivilcourage an ihrem Arbeitsplatz bewiesen und teils offen, teils anonym, auf Missstände aufmerksam gemacht haben. Es wird dargestellt, dass diese Menschen von Kollegen und Rechtsordnung oft alleine gelassen werden und auch wo die Grenzen anonymer Hinweise und die Schwierigkeiten journalistischen Umgangs mit Whistleblowern liegen. Die Referenten erläutern wie Whistleblowing ein archimedischer Punkt werden könnte, um Licht in Dunkelräume in Wirtschaft und Politik zu bringen, die Methoden der Hintermänner der Macht offen zu legen und Risiken für öffentliche Interessen rechtzeitig erkennen zu können. Ansatzpunkte hierzu sind das Hinterfragen der Legitimität und Reichweite von (so genannten Sicherheitsrelevanten- oder Betriebs- und Geschäfts-) Geheimnissen, eine Vernetzung der Zivilgesellschaft und kritischer Medien zur Organisation von Gegenmacht, effektiver rechtlicher Schutz von Whistleblowern und ein anderer kultureller Umgang mit jenen, die bisher oft als Denunzianten oder Nestbeschmutzer verunglimpft werden. Durch Einblicke in die Arbeit von Whistleblower-Netzwerk e.V. und seiner internationalen Kooperationspartner wird schließlich aufgezeigt wie einige dieser Ansatzpunkte bereits konkret angegangen werden, aber auch wo noch Unterstützung nötig ist und was die Netzgemeinde hier leisten könnte.

Collin Mulliner
Nico Golde
SMS-o-Death

Smart phones, everybody has a smart phone! No! Just about 16% of all mobile phones are smart phones! Feature phones are the most common type of mobile phone in the world. Some time ago we decided to investigate the security of feature phones. In this talk we show how we analyzed feature phones for SMS security issues. We show our results and the kind of attacks that are possible with our bugs.

This talk is about security analysis of a class of mobile phone the so-called "feature phones". We show how we analyzed these type of phones for SMS security issues and what kind of problems to overcome in the process. We show results for the major mobile phone manufacturers in the world. Everyone of them has problems. Finally we show what kind of global scale attacks one can carry out with these kind of bugs. The attacks range from interrupting phone calls, to disconnecting people from the network, and sometimes even bricking phones remotely. The talk is structured in the following way: - Introduction to the Topic - Problem Description - The Analysis (major part of the talk) - Analysis Results - A look at the Operator Network - Attacks based on our Results - Conclusions

Andreas Bogk
Falk Lüke
scusi
Uli Blumenthal
Netzneutralität und QoS - ein Widerspruch?

Geht es mit der Netzneutralität zu Ende? Was haben wir den Lobbyisten und PR-Leuten der Telekommunikationsunternehmen argumentativ entgegenzusetzen? Was sind die Fakten, was gehört ins Reich der Mythen?

Tim Berners-Lee hat folgende griffige Definition gefunden: "Net neutrality is this: If I pay to connect to the Net with a certain quality of service, and you pay to connect with that or greater quality of service, then we can communicate at that level." Welche der sagenumwobenen Kapazitätsengpässe existieren wirklich? Und wie soll Quality of Service (QoS) praktisch in Zukunft gehandhabt werden? Was ist machbar, was sind die Bedingungen für eine gesetzliche Regulierung? Fragen über Fragen, die mit Euch zusammen diskutiert werden sollen.

axel
Katarzyna Szymielewicz
Patrick Breyer
Ralf Bendrath
Data Retention in the EU five years after the Directive

2011 will again be a crucial year in the battle against data retention and blanket surveillance. The EU Commission is planning to publish its review of the directive in December (right in time before 27C3), and the lobbying and PR battle has already begun. In six months from now, we will see the legislative proposal from the EU commission for the revision of data retention. The talk will give a full picture of the legal state of play, what is going on in Brussels, what is already being done and of course where you can help. The speakers are closely involved in the process on the European and national level.

In December 2005, the European Parliament agreed to the data retention directive that introduced mandatory retention of the telecommunications behaviour of half a billion EU citizens and residents. That was a huge disappointment and perceived by many as the final opening of the floodgates. Frank Rieger and Rop Gongrijp at 22C3 even declared that "we lost the war" over privacy. But things turned out different than expected. Now, five years later, a new privacy movement has risen in Germany and elsewhere, a number of constitutional courts all across Europe have declared national data retention laws illegal, a case against the whole directive is pending at the European Court of Justice, and the EU has a justice commissioner who openly said that she would not have suggested the whole thing in the first place, and a home affairs commissioner who voted against the directive when she was still a Member of Parliament. The talk will give a full picture of the legal state of play, what is going on in Brussels, what is already being done and of course where you can help. The speakers are all active in European Digital Rights (EDRi.org) and are closely involved in the process on the European and national level.

Dominik Oepen
Frank Morgner
"Die gesamte Technik ist sicher"

Für den neuen elektronischen Personalausweis sind drei verschiedene Lesegeräteklassen spezifiziert, von denen die einfachste bereits einige Kritik erfahren hat. Nach der Diskussion um die Sicherheit des Personalausweises stellt sich die Frage: Können zertifizierte Lesegeräte den neuen Ausweis schützen?

Die Authentisierung mit dem neuen Personalausweis basiert auf dem Prinzip der Zweifaktorauthentisierung durch Besitz und Wissen. Notwendig sind der Besitz des Ausweises und die Kenntnis einer PIN. Mögliche Angriffe auf diese Faktoren wurden bereits vor der Einführung des neuen Personalausweises vorgestellt und als unrealistisch oder unvollständig zurückgewiesen. Wir untersuchen die Machbarkeit und Auswirkung von Relay-Angriffen in Hinblick auf die verschiedenen Lesegeräteklassen und Anwendungsszenarien des neuen Personalausweises. Nach dem derzeitigen Stand der Spezifikationen lassen sich solche Angriffe kaum verhindern. Einige der Probleme erweisen sich als unlösbar, für andere existieren Lösungsansätze, welche von simpel, aber unzureichend bis komplex, aber kaum umsetzbar reichen.

Bruce Dang
Peter Ferrie
Adventures in analyzing Stuxnet

There has been many publications on the topic of Stuxnet and its "sophistication" in the mainstream press. However, there is not a complete publication which explains all of the technical vulnerability details and how they were discovered. In this talk, you will get a first-hand account of the entire story.

We will discuss various techniques used in analyzing Stuxnet. First, we will share several tricks that were used to quickly identify the vulnerabilities. Second, we describe the thought processes that went into debugging and triaging the vulnerabilities themselves. Finally, we show some tips that you can use if you feel like decompiling stuff for fun :).

Branko Spasojevic
Code deobfuscation by optimization

Optimization algorithms present an effective way for removing most obfuscations that are used today. Much of the compiler theory can be applied in removing obfuscations and building fast and reliable deobfuscation systems. By understanding traditional optimization problems and techniques it is possible to develop and customize compiler optimization algorithms for usage in binary deobfuscation/analysis.

Analysis of malware binaries is constantly becoming more difficult with introduction of many different types of code obfuscators. One common theme in all obfuscators is transformation of code into a complex representation. This process can be viewed as inverse of compiler optimization techniques and as such can be partially removed using optimization algorithms. Optimization algorithms present an effective way for removing most obfuscations that are used today. Much of the compiler theory can be applied in removing obfuscations and building fast and reliable deobfuscation systems. By understanding traditional optimization problems and techniques it is possible to develop and customize compiler optimization algorithms for usage in binary deobfuscation/analysis. Optimization algorithms are especially successful in following: • Removal of no operation instructions • Simplifying complex instructions • Removal of unconditional jumps • Removal of conditional jumps • Simplifying control-flow graph This presentation shows common obfuscation techniques and a process of adapting optimization algorithms for removing obfuscations. Additionally, a open-source plug-in for the IDA Pro disassembler is presented that demonstrates usability of the proposed optimization process as well as a set of techniques to speed up the process of analyzing obfuscated code.

Dominik Herrmann
lexi
Contemporary Profiling of Web Users

This talk will provide a summary of recently discovered methods which allow to break the Internet's privacy and anonymity.

We will show, amongst others: * ways of distinguishing bots from humans. We use this technique to provide crawlers with false data or lure them into tar pits. Other than CAPTCHAs we introduce methods that profile the holistic behaviour within a single web session to distinguish users or bots within a longer timeframe based on subtle charactistics in most bots' implementations. * breaking filtering of JavaScript in web-based proxies. While next to all web proxies advertise the capability of filtering JavaScript, the ubiqity of XSS and CSRF attacks have proven that correct filtering of arbitrary HTML is extremly difficult. * track and re-identifying users based upon their web-profile. We show how a third-party observer (e. g. proxy server or DNS server) can create a long-term profile of roaming web users using only statistical patterns mined from their web traffic. These patterns are used to track users by linking multiple surfing sessions. Our attack does not rely on cookies or other unique identifiers, but exploits chatacteristic patterns of frequently accessed hosts. We demonstrate that such statistical attacks are practicable and we will also look into basic defense strategies. * traffic analysis and fingerprinting attacks on users of anonymizing networks. Even if anonymizeres like Tor are used, a local adversary can measure the volume of transfered data and timing characteristics to e. g. determine the retrieved websites. We will shortly sketch the current state of the art in traffic analysis, which has been improved significantly within the last year.

Oliver "Unicorn" Knapp
Eins, zwei, drei - alle sind dabei

Neben einer kurzen Einführung in die Problematik des Zensus 2011, soll es in dem Vortrag auch über die CCC Stellungnahmen für mehrere Landetage gehen. Weiterhin geht es auch um die mittlerweile abgewiesene Verfassungsbeschwerde des AK Zensus sowie weitere Möglichkeiten "was zu machen".

Zur Verhinderung einer zivilgesellschaftlichen Bewegung gegen eine neuerliche Volkszählung, erarbeitete die amtliche Statistik seit mehr als 10 Jahren das jetzt geplante alternative Erfassungsverfahren, genannt „registergestützter Zensus“, bei dem nur noch rund 25% der Bevölkerung mit persönlichen Fragebögen beschickt werden müssen. In der ersten Stufe der Volkszählung werden Daten von verschiedensten Stellen erfasst und bei den Landesstatistikämtern und dem Bundesstatistikamt in einer noch nie dagewesenen Datenbank zusammengeführt. Erst wenn dieser bisher unvorstellbare Datenberg angehäuft wurde, kommen die Bundesländer bzw. deren Ausführungsgesetze ins Spiel. Das führt dazu, dass die zu erwartende gesellschaftliche Diskussion erst stattfinden wird, wenn das Kind schon im Brunnen ertrunken ist. Der Vortrag versucht den interessierten Zuhörern einen möglichst umfassenden, aber bestimmt nicht langweiligen Überblick über die Thematik Zensus 2011 zu geben. Selbstverständlich muss im Rahmen solch eines Vortrags auch darüber gesprochen werden, warum die Verfassungsbeschwerde gegen das ZensG 2011 mit immerhin 13000 Unterstützern abgewiesen wurde und wie es jetzt weitergeht.

Jochim Selzer
Friede sei mit Euren Daten

Bundesdeutscher und kirchlicher Datenschutz führen eine Parallelexistenz. Während das Bundesdatenschutzgesetz von der Öffentlichkeit wahrgenommen und kritisch begleitet wird, ist den Wenigsten überhaupt klar, dass es auch einen vom BDSG losgelösten Datenschutz innerhalb der Kirchen gibt, der sich in einigen wichtigen Punkten vom staatlichen unterscheidet. Dieser Vortrag soll das Bewusstsein für ein Recht wecken, von dem sechzig Prozent der Deutschen betroffen sind – oft ohne es zu wissen. Praxisbeispiele und Tipps inbegriffen.

Für knapp fünfzig Millionen Menschen in Deutschland gilt das Bundesdatenschutzgesetz nur eingeschränkt. Grund: Sie sind Mitglied einer der beiden Amtskirchen. Diese haben sich noch aus Weimarer Zeit das Privileg eines teilweise vom staatlichen Recht abgekoppelten Rechtswesens bewahrt. Man merkt dies besonders frappierend bei der bisweilen sehr eigenwilligen Verfolgung von Kindervergewaltigung, aber auch viel weniger sensationell im täglichen Leben beim Umgang mit personenbezogenen Daten, wie sie im Religionsunterricht, bei Amtshandlungen oder ganz schlicht bei Raumvermietungen anfallen. Die Kirchen stehen im Spagat, eigentlich mit Datenschutz wenig am Hut zu haben, gleichzeitig aber in der Seelsorge absolute Verschiegenheit bewahren zu wollen. Beginnend mit einem theoretischen Einstieg beschreibt dieser Vortrag anhand mehrerer Praxisbeispiele Gemeinsamkeiten und Unterschiede zwischen kirchlichem und staatlichem Datenschutz, zeigt, wo man selbst als Nicht-Kirchenmitglied vom innerkirchlichen Recht betroffen ist, benennt Lücken, an denen Handlungsbedarf besteht, und gibt Tipps, wie man innerhalb dieser Organisationen für besseren Datenschutz sorgen kann und wie man auch als Außenstehender dafür sorgt, dass mit den eigenen Daten kein Unfug getrieben wird. Hierbei werden sowohl rechtliche als auch technische Aspekte angesprochen.

Ilja van Sprundel
hacking smart phones

There's been a fair bit written and presented about smartphone's, and yet, when it comes to the attack surface of the operating systems running on them, and the applications running on top of those, much still has to be explorer. This talk will dive a bit deeper into that attack surface.

This talk will take a look at the smart phone attack surface, only from and end-to-end point of view. the baseband type stuff and things owned by the telco's will not be covered. Basically, it'll cover 5 major areas: - identifying operating systems (through for example the user-agent with mms) - identifying entrypoints - identifying trust boundaries - identifying bugs - exploiting bugs There has been a fair amount of cellphone and smartphone reseach done in the past, and yet, when it comes to attack surface, we've barely scratched the surface. SMS alone allows for a dozen or so different types of messages, there's mms, all sorts of media codecs are build into smart phones. The entrypoints can be roughly categorized as: primary entypoints: - zero-click remote attacks over default communication network (sms, mms, ...) secondary entrypoints: - zero-click remote attacks over non-default communication network (email, ...) tertiary entrypoints: - proximity attacks (wifi, bluetooth, irda, mitm wifi connection, ...) - not-zero click remote attacks (e.g. start application XYZ and connect to my evil server) The main focus in this talk will be on the primary entrypoints, however some of the secondary and tertiary entrypoints will be talked about aswell, in particular irda, since unlike bluetooth and wifi, very little security research has ever been done with irda, which on itself is weird, since after less than a day of poking around it became quite clear most irda stacks are pretty weak (as a hilarious irda sidenote which got me started to look at idra, one should read the following microsoft bulletin http://www.microsoft.com/technet/security/bulletin/ms01-046.mspx). once's the interesting entrypoints for various smartphones are explored the talk will dive into some of the trust boundaries on different smartphones, things their sandboxes allow, things they don't, wether or not it's documented and wether or not the documentation is actually accurate. in the spirit of keeping the best for last, some of the bugs discovered during the smartphone research will be discussed, both the details of them, as well as the pains the speaker had to go through to make exploits for them.

datenwolf
Desktop on the Linux... (and BSD, of course)

Time to take a look back and under the hood of the current state of FOSS based desktops: The Good, The Bad and The Ugly – Bloat, strange APIs, too much complexity.

The first decade of the 21st century brought huge progress in the development of FOSS Desktop systems. Users can now choose from a broad range of environments, which all adhere to a coherent set of standards. Not to forget that FOSS did even pioneer some GUI technologies which were later adopted by other (read: non free) systems. There's one year left of this decade. Time to take a look back and under the hood of the current state of FOSS based desktops: The Good, The Bad and The Ugly. - "Yo Dawg!" Stacking layers of redundancy. (Phonon -> GStreamer -> Pulseaudio) - Do you really need a full blown desktop session for a login screen? (GDM >2.21) - The graphics subsystem (X11) is network transparent and provides IPC. So let's build our own IPC system, that's not network transparent (DBus). - I think the login process is not complicated enough yet. (ConsoleKit) - Good ideas, poor implementation, abusive use. (PolicyKit) - Making things happen automatically doesn't "make things just work!". (Network Manager, ivman, HAL based mount) - Unified configuration madness. (gconf, XSettings) - Zombies: Some things are so bad, that even their original creators now abandon them (HAL). - What if special use cases require you, to get rid of some or multiple of the above? Admin's Nightmares! and last but not least - Possible security flaws in each of the above. And of course we'll also look at some of the pearls of strange API design in some of the above.

vanHauser
Recent advances in IPv6 insecurities

New protocol features have been proposed and implemented in the last 5 years and ISPs are now slowly starting to deploy IPv6. This talk starts with a brief summary of the issues presented five years ago, and then expands on the new risks. Discovered implemention security issues in Windows 7/2008, Linux and Cisco will be shown too. Comes with a GPL'ed toolkit: thc-ipv6

Five years have past since my initial talk on IPv6 insecurities at the CCC Congress. New protocol features have been proposed and implemented since then and ISPs are now slowly starting to deploy IPv6. Few changes have led to a better security of the protocol, several increase the risk instead. This talk starts with a brief summary of the issues presented 5 years ago, and then expands on the new risks especially in multicast scenarios. As an add-on, discovered implemention security issues in Windows 7/2008, Linux and Cisco will be shown too. Lets hope patches are out until the conference, if not - they had enough time. All accompanied with GPL'ed tools to and a library: the new thc-ipv6 package. rewritten, expanded, enhanced. For those who could not attend: on the 29th at 12:00 at b(erlin)sides @ c-base I do the presentation again

Betty
Gismo C.
Spinning the electronic Wheel

Dreieinhalb Jahre nach dem Talk '21st Century digital Bikes' auf dem Camp 2007 ist einiges in der Welt der elektrischen Fortbewegung passiert. Ende 2010 ist ein guter Zeitpunkt, den Stand der Dinge aufzurollen, die Neuigkeiten darzustellen und über eine mehr unschärfer als klarer werdende Zukunft der elektrischen Mobilität zu sprechen.

1) Immer noch Fahrzeuge für das 21te Jahrhundert, die Freiheit. die wir meinen. Die Auflagen für klassische Fahrzeuge steigen stetig. Windschutzscheiben werden mehr und mehr mit amtlichen Aufklebern zugetaped, die Zahl der Regularien und die Überwachung auf verstopften Autobahnen und im urbanen Raum nimmt immer weiter zu. Parallel dazu macht sich eine kleine Nischenbewegung zur voll funktionsfähigen Alternative: E-Bikes - die momentan wohl angenehmste Form des Individualverkehrs. 2) E-Bike / Pedelecs / LEV in der EU Als E-Biker nimmt man am öffentlichen Straßenverkehr teil. Es soll klargestellt werden, wie elektrisch betriebene Fahrzeuge in der EU rechtlich definiert werden, wann ein elektrisch betriebenes Fahrrad kennzeichenpflichtig ist und wo die Tücken und Lücken der EU-Regulierung liegen. 3) Technik Nach einem Überblick über existierende Motortechnik wird es um bürstenlose Gleichstrommotoren (brushless DC motors) gehen, welche gewisse aufzuzeigende Vorteile für den Einsatz in Fahrzeugen besitzen und außerdem als Nabenmotoren vor allem für Um- und Nachrüstungskonzepte geeignet sind. Mit dem Microcontroller für die Ansteuerung der Motoren und schließlich der aktuellen Akkumulatorentechnik soll die Erklärung des Antriebsstrang eines modernen E-Bikes vervollständigt werden. 4) Zukunft Kein Orakel, sondern unsere Wünsche für die Zukunft. Das 21te Jahrhundert lässt uns noch ein bisschen Luft, weiter an der Sache zu arbeiten - hier unser Aufruf an Interessierte und die Hackergemeinde, wie es weiterhin beim Thema E-Bikes spannend bleibt. Verbunden mit dem aktuellen Boom-Aufruf der Industrie entsteht das klassische Ungleichgewicht zwischen Marketing-befeuerter Massenware und frei dokumentierten bzw. offen entwickelten Systemen und Konzepten. Wir wollen an dieser Stelle Neugierde und Interesse wecken, um im Rahmen von OpenEverything auch bei den E-Bikes weitere Schritte voranzukommen.

Robert Spanton
From robot to robot

Today, hacking is reserved for the microscopic fraction of the population who manage to shake themselves free of the suppressive education regime. Student Robotics is the beginning of the solution. By fostering creativity through competition to solve engineering challenges, we provide the inspiration society desperately needs. We develop an open platform for robotics and provide it to schools to open students' minds to the world of hacking.

Student Robotics pushes engineering into schools by running a robotics competition between 16 to 18 year-olds. We send university students into schools to mentor the participating teams. The organisation is run entirely by students, who also develop the hardware and software for the participants to use. Student Robotics involves a whole range of software and hardware development, including including microcontroller programming, computer vision, and web-apps. This year we've started shipping the BeagleBoard as the robot's main computing device, providing us with a lot of scope for future hacking. In this talk I will: - Discuss the motivation behind Student Robotics - Provide a technical overview our current hardware and software - Discuss the future of Student Robotics in Europe Hey Teacher. Leave them hackers alone.

Nathan Fain
Vadik
JTAG/Serial/FLASH/PCB Embedded Reverse Engineering Tools and Techniques

Bring your target. Will release a slew of simple tools that explore attack surfaces and explain of how to use: jtag/serial scanners, parallel flash dumper, DePCB board routing analysis. So, crossover from software RE and start hacking/improving like its 1996 again. (full documentation and reference at: http://events.ccc.de/congress/2010/wiki/Embedded_Analysis)

"All non-trivial abstractions, to some degree, are leaky." -- Joel on Software This applies just as well to hardware. In the soft center of embedded security are the human abstraction layers between embedded developers, pcb designers and asic designers which expose attack surfaces that are often rudimentary and unmovable. Using a theoretical embedded target we walk through each surface overcoming obfuscation to gain control. Will release a slew of embedded analysis tools, some lolarduino based, some not. These tools are based on frameworks that support Industrial Design students with electronics prototyping. Meaning, with little technical background you can adapt these tools to your needs. The audience is invited to bring their target where contributors will be clustered in the hack center and be available to suggest means of protection or application of analysis techniques in your project. ## Tools discussed * [Serial Scanner] Arduino based, will scan 30+ pins for a Serial Port at any baudrate. Includes stimulating lines with wakeup signals (\n,etc). * [JTAGenum] Arduino based, will scan 30+ pins for a JTAG port. Once found can be used to scan for undocumented instructions and functionality. * [Parallel FLASH Dumper] Arduino based, dumps FLASH memory. Flash programmers can be expensive or distribution restricted. Includes discussion for how to dump FLASH where public documentation/footprint cannot be found. * [DePCB] (in progress) Given images of PCB layers, can be used to auto-route IC interconnects. Research in-progress. Based on DeGate which does the same at the transistor level of IC's. ## Topics covered * Overview of debug surfaces * Basic electrical analysis of pins to narrow target scans * Using Serial and JTAG scanners * Examining undocumented FLASH targets * Dumping FLASH * Discussion of clues that can be found in PCB design choices

Felix Gröbert
Automatic Identification of Cryptographic Primitives in Software

In this talk I demonstrate our research and the implementation of methods to detect cryptographic algorithms and their parameters in software. Based on our observations on cryptographic code, I will point out several inherent characteristics to design signature-based and generic identification methods.

Using dynamic binary instrumentation, we record instructions of a program during runtime and create a fine-grained trace. We implement a trace analysis tool, which also provides methods to reconstruct high-level information from a trace, for example control flow graphs or loops, to detect cryptographic algorithms and their parameters. With the results of this work, encrypted data, sent by a malicious program for example, may be decrypted and used by an analyst to gain further insight on the behavior of the analyzed binary executable. Applications include de-DRM'ing, security auditing, and malware C&C analysis. After the talk we will demonstrate the functionality with a ransomware which uses cryptographic primitives and release the implementation to the public.

Peter Stuge
USB and libusb

Learn about the benefits and limitations of Universal Serial Bus, how communication works on the bus, how and why the right (and sometimes wrong?) driver can be loaded automatically by the operating system, and find out the easiest way to add USB to your washing machine, toaster, or other favorite appliance.

The talk goes under the hood of the ubiquitous standard and clarifies many concepts that are important to understand when developing either device firmware or host software for USB; host, device, hubs, low speed, full speed, high speed, super speed, bus power supply, cable lengths, transfer types, endpoints, descriptors and more. The choice between kernel mode or user mode drivers will also be discussed, and finally we'll take a look at libusb; a cross-platform (WinMacLinuxBSD) library for USB programming. There will be a workshop that builds on this talk. Check the workshop schedule if you would like to join in the building of a custom USB device on an ARM microcontroller!

Franz Pletz
lilafisch
AllColoursAreBeautiful

Starting in the beginning of August 2010 and lasting until the mid of November, the project AllColoursAreBeautiful by the Munich chapter of the Chaos Computer Club was serving as a platform for interested people on the world to illuminate, animate and interact with the front of a vacant department store in Munich.

The windows were illuminated by remotely controllable, networked RGB LEDs in colorfully light the facade. A web editor was developed to ease the creation of animations at home or in front of the building with a laptop or mobile phone. Furthermore, animations could be put in a queue by sending a simple text message (SMS). Running animations could be viewed with a client program or by a webcam stream. Over 400 animations were created by the public. Next year another, bigger installation in Munich is planned. The purpose of our talk is to outline the infrastructure we built for this project and inspire other hackers to use it for rolling their own installation in their hometown. We will explain our open hardware and software design in the background and talk about our rationale behind our design decisions and comment on possible improvements in future iterations. We won't forget to include the biggest fails, fnords and pitfalls concering funding, authorizations and communication. At the Congress we will rebuild our installation using boxes. Interested hackers are very welcome to play with this colorful blinkenwall by writing animations and games.

Christian Brandt
Hacking iButtons

iButtons sind insbesondere wegen ihrer vergleichsweise einfachen und kostengünstigen Ansteuerung weiter verbreitet, als es auf den ersten Blick scheint. Obwohl die Sicherheitsrisiken teilweise mehr als offensichtlich sind, finden sie ihren Einsatz in Anwendungen, die eigentlich einer kryptografisch abgesicherten Lösung bedürfen. Der erste Teil des Vortrags zeigt, welche allgemeinen Sicherheitsprobleme bestehen und wie sich diese auf die Sicherheit der jeweiligen Anwendungen auswirken. Betroffen sind hiervon Wächtersysteme, elektronsiche Türschließanlagen, Kassenschlüsselsysteme / POS Terminals, Fahrkartenautomaten uvm. Neben iButtons, die lediglich statische Seriennummern oder RO/RW-Speicher beinhalten, existieren auch noch verschiedene Crypto iButtons, z.B. mit SHA1 MAC und Challenge-Response-Verfahren. Diese finden vorzugsweise im Micropayment-Bereich Anwendung, wobei die Systeme darauf ausgelegt sind, dass der Geldbetrag nur auf dem iButton selbst gespeichert wird. Ein Beispiel für ein solches System ist Akbil in Istanbul mit mehr als 5 Mio. Teilnehmern. Des weiteren finden sie z.B. Anwendung auf RAID Controllern zwecks Soft Feature Management (z.B. Supermicro). Der Hersteller bedient sich der Security-by-Obscurity-Methode und hält die Datenblätter sowie alle anderen wichtigen Details zurück. Diese iButtons verfügen über mehrere Vorkehrungen, die die Extraktion der 64 Bit großen Schlüssel verhindern sollen. Wir haben mehrere Angriffe entwickelt, die die Extraktion der Schlüssel erlauben, von denen wir die besten Angriffe im Vortrag vorstellen werden. Der beste Angriff auf den DS1963S lässt sich mit minimalen finanziellen Mitteln in wenigen Minuten durchführen, wobei der eigentliche Berechnungsaufwand pro 64 Bit Schlüssel unter 10 Sekunden liegt.

Ertunga Arsal
Rootkits and Trojans on Your SAP Landscape

SAP systems are the heart of many enterprises. Most critical business functions run on SAP Applications and the complexity of these systems makes it very difficult to protect against attackers. Default setups, forgotten/unimplemented security configurations, weak password management and change processes that apply to one ‘unimportant’ system can result in complete compromise of the SAP landscape.

The legal consequences, lost/damaged business and reputation can be disastrous depending on the type of the attack. While companies invest a lot to secure SAP systems at business process level for example by designing authorization concepts, implementing separation of duties or by using GRC (Governance Risk and Compliance) tools, the security at technical level mostly lacks attention. In this paper, I present several attack paths exploiting configuration weaknesses at technical level, leading to attack potential to single systems, to whole SAP landscapes, and finally the whole enterprise network. By demonstrating creative exploit variants of configuration weaknesses, I motivate the necessity to safeguard a SAP system at technical level.

Agata Królikowski
Constanze Kurz
Ina Kwasniewski
Jens-Martin Loebel
Kai Kittler
Marcus Richter
Stanislaw Lem - Der enttäuschte Weltverbesserer

Man kennt ihn als einen der wichtigsten Science-Fiction-Autoren des zwanzigsten Jahrhunderts. Aber Lem war mehr als das: Als Philosoph und Wissenschaftler konnte er technische Entwicklungen der Menschheit und ihre Auswirkungen sogar voraussehen. Als solcher prägte er viele heute geläufige Begriffe für technische Errungenschaften, die seinerzeit noch gar nicht existierten. Seine teils utopische, teils humoristische und selbstironische Art zu schreiben, brachte ihm weltweit große Popularität ein, seine Bücher erreichten eine Auflage von mehr als 45 Millionen und wurden zum Teil verfilmt.

Der 1921 in Lemberg im damaligen Polen geborene Schriftsteller blickte im Alter jedoch zunehmend unzufrieden auf sein eigenes Werk wie auch auf die Entwicklung der technisierten Gesellschaften. Er starb 2006 nach längerer Krankheit in Krakau. Das live gesprochene Feature der Hörspielwerkstatt der Humboldt-Universität zu Berlin widmet sich dem Leben und Werk Lems in gewohnter Weise in Wort, Bild und Musik.

Jeff Gough
File -> Print -> Electronics

Are you ready to wake up from the cult of Arduino? Tired of plugging together black-box pre-built modules like a mindless drone, copying and pasting in code you found on Hackaday? You've soldered together your TV-Be-Gone, built your fifth Minty Boost, and your bench is awash with discarded Adafruit packaging and Make magazines. It's time to stop this passive consumption. It's time to create something that is truly yours. It's time, my friend, to design your first circuit board. And you'll need a machine to print it.

Outsourcing printed circuit board (PCB) manufacture can be expensive and slow. You want your board now, for free. And designing PCB's is hard. You'll make mistakes, and some boards will be wasted. You can etch your own PCB's at home but the process is fiddly, and notoriously difficult to perfect. What if you had a printer that could make PCB's? A rapid prototyping machine for circuit boards. In this talk I will present my progress towards an inexpensive PCB printer by reverse engineering Epson inkjet technology. And I'm not talking about the crappy print-and-bake method you might have seen on the internet. Come and learn about the miracle of microfluidics within the modern consumer inkjet printer, and how to push it to do new, exciting things. I'll be describing some reverse engineering techniques, a bit of electronics circuit design and the potential for 3D microfabrication with inkjet technology. A PCB will be printed and etched live, on stage, at 27C3!

Michael Steil
Reverse Engineering the MOS 6502 CPU

The MOS 6502 CPU, which was designed in 1975 and powered systems like the Apple II, the Atari 2600, the Nintendo NES and the Commodore 64 for two decades, has always been subject to intense reverse engineering of its inner workings. Only recently, the Visual6502.org project has converted a hi-res die-shot of the 6502 into a polygon model suitable for visually simulating the original mask at the transistor level. This talk will present the way from a chip package to a digital representation, how to simulate transistors in software, and new insights gained form this research about 6502 internals, like "illegal" opcodes.

The presentation only requires a basic understanding of assembly programming and electronics, and is meant to teach, among other things, the methods of efficient and elegant chip design used in the early years of integrated CPUs. The talk consists of three parts. The first part, "6502 from top down", describes the programmer's model, as well as the basic layout of the components of the CPU. In the second part, "6502 from bottom up", we describe how to decap and photograph chips, convert each physical layer of the chip into a polygon model, and how to finally convert this into a network of wires and transistors suitable for logic simulation. The third part, "6502 from the inside out", explains the inner workings of the CPU: how the logic blocks work together, how an instruction is decoded by the PLA ROM into controlling these blocks and busses, and how details like interrupt delivery work. Finally, this information can be used to describe and explain undocumented behaviour, like illegal opcodes and crash instructions, and explain bugs like the BRK/IRQ race, the ROR bug and spurious reads and writes in certain situations.

Karsten Nohl
Sylvain Munaut
Wideband GSM Sniffing

GSM is still the most widely used security technology in the world with a user base of 5 billion and a quickly growing number of critical applications. 26C3's rainbow table attack on GSM's A5/1 encryption convinced many users that GSM calls should be considered unprotected. The network operators, however, have not woken up to the threat yet. Perhaps the new capabilities to be unleashed this year – like wide-band sniffing and real-time signal processing – will wake them up.

Now that GSM A5/1 encryption can be cracked in seconds, the complexity of wireless phone snooping moved to signal processing. Since GSM hops over a multitude of channels, a large chunk of radio spectrum needs to be analyzed, for example with USRPs, and decoded before storage or decoding. We demonstrate how this high bandwidth task can be achieved with cheap programmable phones.

Karsten Becker
Robert Boehme
Part-Time Scientists

The Part-Time Scientists is an international team of Scientists and Engineers participating in the first private race to the moon, the Google Lunar X-Prize. Our approach to win this competition is quite unique as everyone involved really is a part-time scientist. In our presentation we will present our latest lunar rover, lander, electronic and communications developments.

The presentation will feature: - our self developed embedded systems, - how we designed radiation hardened and fault tolerant systems, - the production of our second rover generation and their first tests, - our prototype real world testings, - what we've done in 2010, - what we've planning for 2011, and a lot more interesting topics! Our presentation will be focused on actual hardware with a rather short introduction to the topic in general.

FX of Phenoelit
Building Custom Disassemblers

The Reverse Engineer occasionally faces situations where even his most advanced commercial tools do not support the instruction set of an arcane CPU. To overcome this situation, one can develop the missing disassembler. This talk is meant to be a tutorial on how to approach the task, what to focus on first and what surprises one may be in for. The primary focus will be on the transformation of byte code back into mnemonic representation where only the reverse transformation is available (i.e. you have the respective assembler). It also covers how to integrate your new disassembler into your reverse engineering tool chain.

This tutorial talk will give: - An introduction to the problem - How to obtain byte code - Recognizing basic properties of the byte code - Finding Addressing Modes - Implementing a IDA Pro processor module - Reading code you are not supposed to

Alex Antener
Corey Cerovsek
Julien Quentin
"The Concert"

Corey Cerovsek and Julien Quentin, accomplished musicians known worldwide for their classical recital performances, and media artist Alex Antener present something that's not quite an ordinary concert, to draw attention to the importance of the public domain in centuries of classical music tradition. It's both more — and less — than what you might expect to see and hear at a classical concert.

Mixing live and recorded music with visuals with a message, Julien Quentin, Corey Cerovsek and Alex Antener imagine the heavy curtain of a non-free culture falling on four hundred years of classical music. Ripping and mixing have been going on for longer than you might imagine, and without the Public Domain, much of our classical heritage would be replaced with silence. From Lennon to Bernstein, Bernstein to Mozart, Liszt to Paganini, Sarasate to Bizet, Mendelssohn to Bach, classical music has been a culture of ceaseless sharing in which individuals have nonetheless been able to project indelible voices across the centuries. Had music always been controlled as some would like it to be controlled now, would we have this rich tradition to transmit to you?

Bicyclemark
Adventures in Mapping Afghanistan Elections

Monitoring and reporting about elections in a war zone is a complex and dangerous task. While crisis mapping carried out via sms and email proved highly successful with the use of Ushahidi in situations like post-election violence in Kenya, tracking crime in Atlanta, or earthquake recovery in Haiti, could it prove useful in such a complex situation as the Afghan political process? This year a team of people set out to do just that with three different Ushahidi mapping projects for national media, national election observers, and international observers. The following presentation is about the challenges we faced, successes we did or did not have, and the lessons learned for the future of crisis mapping.

In 2008 an open source mapping system called Ushahidi was put into public use for the first time in history. The occasion was a constitutional referendum in Kenya and the goal of the Ushahidi system was to map and track reports of violence throughout the country in the days following the vote. Through the use of sms reports from the general public, which were then categorized and published on an interactive map accessible on the internet, anyone anywhere in the world could not only get reports about what was happening, they could get almost real time reports about where violence was happening, when, and details regarding those incidents. The response in Kenya was so large and the attention the site got was so wide spread, Ushahidi would soon be used to map not only violence surrounding an election, but also earthquake recovery, snow storm recovery, forest fire prevention, crime data in urban environments, and elections monitoring. In each of these situations, the power of crowd-sourcing and interactive mapping via simple sms and email technology was all that was needed to get a body of information no media or government organization could compete with. In the summer of 2010, on the eve of Parliamentary elections in Afghanistan, several organizations interested in monitoring what happens at the polls and after the votes are in became interested in whether or not Ushahidi could be useful for their purposes. The Afghan Press agency, Pajwhok, as well as the national elections observer organization (FEFA) and the international elections observers (Democracy International) all sought to implement some form of Ushahidi system for their observers. They approached my organization, Small World News (SWN) that has assisted in Ushahidi projects in the past, to carry out this task. Over the course of just over 1 month, these three systems were rolled out in different ways, with varying level of restrictions due to security and other institutional regulations. The result tells three different stories about how the election went, while also providing a list of lessons about what open source interactive mapping can provide (or not provide) for a nation like Afghanistan with such a specific list of problems. The presentation is an explanation of both the process and the lessons learned.

Nicholas Merrill
The importance of resisting Excessive Government Surveillance

My name is Nicholas Merrill and I was the plaintiff in a legal case in the US court system where I challenged the FBI’s policy of using a feature of the so-called USA PATRIOT act - what are called “National Security Letters” - to bypass the American Constitution's system of checks and balances and in violation of the United Nations Universal Declaration of Human Rights - in order to obtain protected personal information and to unmask anonymous Internet users. I spent over 6 years not able to speak to anyone (other than my lawyers) about my case - forced to lie to those closest to me due to an FBI gag order that carried a possible 10 year prison sentence for violating it. However the lawsuit resulted in the establishment of two key legal precedents and made changes that affect every Internet worker and Telephone worker in America. I would like to speak to the 27C3 audience in order to tell about my experience and to challenge (and offer my support and assistance to) those individuals who are in a position to challenge government surveillance requests to follow their consciences and do so. People who work at Internet Service Providers and Telephone companies as well as IT workers at Universities and private businesses are increasingly likely to encounter government attempts at surveillance. I would like to speak to the CCC regarding my experiences in resisting a National Security Letter and also a “Grand Jury Subpoena” as well as my experience of being gagged by the FBI for nearly 7 years - unable to speak on the subject or identify myself as the plaintiff in the NSL lawsuit.

Nicholas Merrill founded Calyx Internet Access Corporation in 1995. Calyx Internet Access was one of the first commercial Internet service providers operating in New York City. Calyx pursued relationships with and worked with many activist groups on a pro bono or low-cost basis, including the New York Civil Liberties Union, the Independent Media Center (Indymedia.org) and the Drug Policy Foundation. In 2004, after a receiving a “National Security Letter” from the Federal Bureau of Investigation, and a subsequent request from the U.S. Secret Service, Calyx became involved with the ACLU and in using the legal system and the media to resist illegal government requests for information on Internet users. For six and a half years, Merrill and the ACLU tirelessly challenged the orders contained in the letter, resulting in the establishment of two key legal precedents overturning aspects of the national security letter program. Along the way he encountered court proceedings where he could not even be present - where he could not be referred to by name, but instead was referred to in all court documents as "John Doe". He also encountered heavy handed government censorship of court documents under the guise of "National Security" and secret evidence presented to the judge by the FBI that his attorneys were not allowed to see. The merging of Merrill's long interest in advocacy and free speech combined with his experience with the U.S. government inspired him to form a non-govermental organization (NGO) to deal specifically with this issue without being distracted or compromised by the requirements of a for-profit business.

Felix Domke
Distributed FPGA Number Crunching For The Masses

In 1998, the EFF built "Deep Crack", a machine designed to perform a walk over DES's 56-bit keyspace in nine days, for $250.000. With today's FPGA technology, a cost decrease of 25x can be achieved, as the copacobana project has shown. If that's still too much, two approaches should be considered: Recycling hardware and distributed computing. This talk will be about combining both approaches for the greater good.

A number of projects ([Copacobana] [1], [Picocomputing] [2]) have shown that with today's technology enough brute force computing power to break limited keylength ciphers (like DES) is affordable even for small companies. But what about Joe Geek at home? Recycling FPGAs is one option ([nsa@home] [3]), distributed computing another ([distributed.net] [4], ...). This project combines both approaches, developing a toolchain that can be used to prototype a project on a low-end FPGA (or even in a free simulator), and then scaling up the effort across different implementations onto a large number of devices. An example client implementation uses an FPGA in a widely available consumer device to provide computing power when the device is in standby. Another approach that will be discussed in detail is how to obtain decommissioned high-end FPGA-based hardware. We will have hardware to show with a live demo! [1]: http://www.copacobana.org/ "Copacobana" [2]: http://www.picocomputing.com/pdf/PR_Pico_DES_BH_Jan_29_2010.pdf "Picocomputing" [3]: http://nsa.unaligned.org/ "nsa@home" [4]: http://www.distributed.net/Main_Page "distributed.net"

Astro
Lying To The Neighbours

Distributed Hash Tables implement Routing and Addressability in large P2P networks. In the Kademlia adaption for Bittorrent a peer's address (NodeID) is to be generated randomly, or more appropriate: arbitrarily. Because randomness isn't verifiable, an implementation can advertise itself with popular NodeIDs or even change them on a per-packet basis.

Two issues arise due this design problem: * Amplification of UDP traffic * Amplification of TCP traffic Anyone with a moderate bandwidth connection can induce DDoS attacks with the BitTorrent cloud. Starting with the prerequisites of BitTorrent, I will outline the importance of tracker-less operation and how Magnet links work. Distributed Hash Tables are explained pertaining to the Kademlia algorithm. It is most interesting how implementations maintain and refresh routing information, allowing a malicious node to become a popular neighbour quickly, and how traffic can be amplified in two ways. I will present packet rate analysis measured during tests on Amazon EC2. In conclusion it is explained how the problem of arbitrary NodeIDs can be avoided if the protocol was to be redesigned. A few words are to be given what client authors can do to alleviate the damage potential of the BitTorrent DHT.

Felix Geisendörfer
Node.js as a networking tool

Node.js is a library that provides non-blocking I/O for Google's V8 JavaScript engine. This talk explores node's suitability for a diverse range of networking applications.

Writing network applications with good concurrency and performance has been a very time consuming task in the past. With the rise of node.js, anybody can now trivially write scalable network applications. This talk explains node's event loop and non-blocking I/O machinery and shows how node may become your tool of choice for future networking adventures. There will also be a look at new threats that could arise from the ability of managing thousands of connections with almost no difficulty.

Äpex
xif
Logikschaltungen ohne Elektronik

Ein kurzer Überblick über mechanische und strömungstechnische Logikschaltungen und Computer

In dem Vortrag wollen wir aufzeigen, welche Möglichkeiten es mit pneumatischen und hydraulischen Logikelementen gibt und wo sie früher im Einsatz waren und teilweise auch heute noch zu finden sind. Dabei geht es um einfache mechanische Ventile, Folienventilen und Fluidics. Auf die Funktion der einzelnen Logikelemente werden wir natürlich eingehen. Grundsätzlich gibt es alle Logikelemente der Elektronik auch als pneumatische/hydraulische Variante. Es soll geklärt werden, welche Möglichkeiten es mit solchen Schaltungen gibt, wo die Tücken liegen und wie ich sie mir selbst bauen kann. Es wird auch um aktuelle Beispiele wie Automatisierung in explosionsgefährdeten Bereichen, Waschmaschinen, Satelliten oder EMV-Laboren gehen. Selbstverständlich kommen eher exotische Einsatzgebiete wie pneumatische Computer für den Einsatz nach einem Atomkrieg oder pneumatisch gesteuerte Raketen nicht zu kurz. Als Exot unter Exoten wird es auch etwas um einen hydraulischen Analogrechner gehen.

Jesse
Peter Eckersley
Is the SSLiverse a safe place?

The EFF SSL Observatory has collected a dataset of all TLS/HTTPS certificates visible on the public web. We discuss this dataset - what we have learned from it, how you can use it, and how intend to offer a live, continually updated version of it.

TLS/SSL is only as good as your mechanism for verifying the other party, and it turns out that with HTTPS and other CA-certified applications of TLS, that mechanism involves trusting a lot of governments, companies and individuals. The SSL observatory is a project to bring more transparency to SSL Certificate Authorities, and help understand who really controls the web's cryptographic authentication infrastructure. The Observatory is an Electronic Frontier Foundation (EFF) project that began by surveying port 443 of all public IPv4 space. At Defcon 2010, we reported the initial findings of the SSL Observatory. That included thousands of valid 'localhost' certificates, certificates with weak keys, CA certs sharing keys and with suspicious expiration dates, and the fact that there are approximately 650 organisations that can sign a certificate for any domain that will be trusted by modern desktop browsers, including some that you might regard as untrustworthy. In this talk we will give an update on new developments in the project, including where to find a copy of our data and how to work with it for your own research; the progress made at fixing some of the vulnerabilities we found; and our design for a new, decentralised version of the SSL Observatory.

Andreas Lehner
Lars
Literarischer Abend

Ein literarischer Abend im Quartett.

Anläßlich einer Diskussion auf intern@ in Vorbereitung der Datenschleuder, Ausgabe 94, im Mai dieses Jahres hatte sich wieder einmal gezeigt, wie wenig Wissen bei vielen Mitgliedern über Klassiker der (insbesondere Science-Fiction-)Literatur heutzutage vorhanden ist. Da diese Werke früher auch zum inneren Zusammenhalt der Szene beitrugen, auch weil sie gemeinsame Begriffe, Bilder und Visionen aufspannten, auf die als kulturelle Referenz Bezug im politischen Diskurs genommen werden konnte, scheint es angebracht, diese erneut in den Fokus zu rücken. Den Rahmen dazu soll eine kurze Einführung bilden, die die Relevanz solcher gemeinsamer Sprache hervorhebt. Sie soll auch aufzeigen, wie Science Fiction es ermöglichte - auch in restriktiveren Rahmenbedingungen - Sozialkritik zu äußern. Indem dies in verschlüsselter Form stattfand, transponiert in futuristische Welten, und dem Leser die Aufgabe des Transfers in seine Lebensumstände überließ, beförderte SF darüberhinaus die Fähigkeit der Leserin zur Abstraktion. Schließlich sollen einzelne Autoren und deren bedeutende Werke in Auszügen vorgestellt werden und, soweit möglich, ein Bezug zur aktuellen Situation hergestellt werden. Und außerdem ist das einfach mal merkwürdig, wenn Leute nicht wissen, von wem "Pfeif nicht, während Du pißt, George, und stell keine Fragen, wenn Du einen geblasen kriegst" stammt. :) Werke, die bitte vorab zu lesen sind (in keiner bestimmten Reihenfolge): * Charles Stross, Halting State * Vernor Vinge, True Names * John Brunner, The Shockwave Rider und Squares of the City und Am falschen Ende der Zeit und Ein irrer Orbit und eigentlich alles andere auch * Jeff Noon, Vurt * Ray Bradbury, Fahrenheit 451 * Stanislaw Lem, Solaris und Der futurologische Kongreß * William Gibson, Pattern Recognition und Spook Country * Philip K Dick: Das Orakel vom Berge * RAW: Cosmic Trigger * Neal Stephenson: A diamond age

Andreas Bogk
Defense is not dead

The security model of our current computer architectures - kernel in ring 0, processes in ring 3 - goes back to the early 70s. However, science hasn't stopped.

This talk is going to look into the state of the art in building secure computers, with a focus on type systems and formal verification, and hopefully an outlook on how tomorrow's computers will be more secure than what you can buy now.

Ralf-Philipp Weinmann
The Baseband Apocalypse

Attack scenarios against mobile phones have thus far concentrated on the application processor. The operating systems running on these processors are getting hardened by vendors as can be seen in the case of Apple's iOS -- the current release uses data execution prevention and code signing. In contrast, the GSM stack running on the baseband processor is neglected. The advent of open-source solutions such as OpenBSC and OpenBTS for running GSM base stations is a game-changer: Malicious base stations are not within the attack model assumed by the GSMA and ETSI.

This talks explores the viability of attacks against the baseband processor of GSM cellular phones. Results presented will be the first over-the-air memory corruption exploitation of bugs in a number of widespread GSM stacks that that allow for remote code execution.

Marcus Nutzinger
Rainer Poisel
Secure communications below the hearing threshold

Auditive steganography allows for various usage scenarios. In our project we focused on hidden communications in VoIP and GSM in which voice data is typically compressed and transmitted in realtime. A framework has been developed to meet these requirements, providing interfaces for robust steganographic algorithms.

The need for steganography has arisen from scenarios that forbid the application of cryptographic algorithms for secure communications. Countries that made secret message exchange a delict are an example for such scenarios. The LSB algorithm used by many open- and closed-source projects is insecure, as its application can be statistically detected. Therefore, we focused on alternate approaches which are more robust against operations on the bit-level, such as compression, D/A-, A/D-conversion and channel idiosyncrasies, such as spread spectrum steganography in time and frequency domain. Secure and hidden communications demand more than an embedding algorithm. Involved elements include: * protocols for data flow handling, * various embedding algorithms and * support for different I/O-interfaces. For correct interaction of these elements, arranging them in a layered model is a reasonable approach for the distribution of the required tasks such as frame and packet building, checksumming, transmission, etc. From this model we derived our software architecture which is portable to common platforms (Linux/Unix, Windows, ...) and various architectures (x86_32, x86_64, mips). This talk gives an introduction to the topic and describes the development and implementation of our framework based on a novel layered model for auditive steganography including a live demonstration.

Guido Strack
Wikileaks und mehr

Als kurzfristiger Ersatz für eine ausgefallenen Vortrag wurde die Entwicklung von Wikileaks kurz nachgezeichnet, bis hin zu den derzeit entstehenden weiteren Leaking-Plattformen. Im Mittelpunkt stand die Frage welchen Nutzen Wikileaks & Co. für Whistleblower bieten, welche Voraussetzungen für ihre anonyme Nutzung bestehen und wie die Entwicklung weitergehen wird.

Nach Ansicht des Referenten ist ein Markt von Plattformen und ein Wettbewerb im entstehen. In diesem stehen nicht nur die diversen Leaking-Plattformen sondern auch klassische Medien, individuelle Webseiten genauso wie Organisationen und Behörden, kurz alle die Interesse daran haben an die Informationen zu kommen die bei den Whistleblowern verfügbar sind. Vor diesem Hintergrund kommt es darauf an den Whistleblowern den bestmöglichen Nutzen zu bieten, kurz: eine Chance einen Missstand abzustellen ohne selbst dabei Schaden zu nehmen. Die Chance setzt aber voraus, zielgerichtet (also evtl. auch regional oder thematisch) ein Publikum erreichen zu können, dass genügend Gegenmacht (sei es durch Größe oder Stellung oder eine Kombination beider Faktoren) organisieren kann um Veränderungen zu erreichen bzw. notfalls auch zu erzwingen.

Nick Farr
Lightning Talks - Day 2

4 minutes for every speaker. Learn about the good, the bad, and the ugly - in software, hardware, projects, and more.

Give a lightning fast talk about your favourite project, program, system - and thereby find people with the same interest to proceed and promote it. Alternatively - give us a good rant about something and give us some good reasons why it should die. ;) Get right at it, don't waste time by explaining too much, get the main points across, and then let us know how to contact you on the congress for a talk! Whatever you do - please practise it, and don't be boring. Or else. You have been warned! :-P

Mathias Payer
I Control Your Code

Unsafe languages and an arms race for new bugs calls for an additional line of defense in software systems. User-space virtualization uses dynamic instrumentation to detect different attack vectors and protects from the execution of malicious code. An additional advantage of these virtualization systems is that they can be used to analyze different exploits step by step and to extract the exploit code from a running program. This talk explains the concept of different attack vectors (stack buffer overflows, format string attacks, return to libc attacks, race attacks / TOCTTOU, integer overflows, heap buffer overflows, and code anomalies). For each of these attack vectors we show possible exploits and explain how the virtualization system is able to detect and prevent the exploit.

User-space virtualization uses a binary translation framework to instrument all running code. The instrumentation works like an additional virtualization layer and makes it possible to observe any changes to the runtime datastructures (code and data) of a running program. We use fastBT to instrument and analyze different exploitable programs. The added instrumentation detects changes in runtime layout and stops the program whenever exploit code is about to be executed. This talk presents different classes of exploits that can be observed in a dynamic instrumentation system. The exploits are analyzed and different security strategies are discussed. We then show how the instrumentation framework can implement an online protection mechanism against each class of attack vectors. Observable Attack Vectors - Stack Overflow A limited buffer is (over) flown with user-data and over writes data on the stack (e.g., the return instruction pointer). - Format String Attack An attack can write to an arbitrary address (e.g., the return instruction pointer or the address of a library function) if unvalidated user input is passed directly to the printf function. - Return to libc Attack This attack prepares multiple stack frames that execute code sequences in libraries. The stack frame can be constructed so that (almost) arbitrary code is executed. - Race Attacks / TOCTTOU Time-of-check-to-time-of-use race conditions exploit the fact that they can change values on the stack after they are checked but before they are used in the program or kernel. - Integer Overflow Overflows can be triggered by using a negative integer value instead of an unsigned value. - Heap Overflow A heap buffer overflow is used to overwrite function pointers or data from the memory allocator to trigger execution of arbitrary code. - Code Anomalies x86_64 code is backward compatible to ia32 and in modern operating systems x86_64 and ia32 code can be mixed. The mix of different system calls makes it possible to break out of sand boxes that are not aware of all possible combinations of system calls. The exploits are detected generally whenever the program branches to the injected code or to the constructed code fragments. The program is interrupted and a debugger can be attached to analyze the state of the program. TOCTTOU attacks can be detected by observing the threads and using a specific system call architecture. Conclusion Dynamic instrumentation is an important tool to prohibit, detect, and analyze different attack vectors to running programs. Additional instrumentation guards can be used to better understand exploits. The additional layer of virtualization implemented through dynamic instrumentation can be used to detect and log bugs and is an additional line of defense against new exploits. Related Work A detailed discussion of related work is in the paper. These references here are for informational purposes only (to show how this talk was inspired) and not complete. - fastBT: A fast binary translator that enables different security extensions. http://nebelwelt.net/fastBT - 26c3 talk: Hacking the Hackers (user space virtualization and encapsulation mixed with system call authorization to prevent exploits) - Watson, R. N. "Exploiting Concurrency Vulnerabilities in System Call Wrappers" - Levy, Elias. "Smashing the stack for fun and profit" - c0ntex. "Bypassing non-executable-stack during exploitation using return-to-libc" - Shacham, Hovav; Page, Matthew; Pfaff, Ben; Goh, Eu-Jin; Modadugu, Nagendra; and Boneh, Dan. "On the Effectiveness of Address-Space Randomization" - Borisov, Nikita; Johnson, Rob; Sastry, Naveen; and Wagner, David; 2005; "Fixing Races for Fun and Profit: How to abuse atime" - Phrack #60, Basic Integer Overflows - Seccomp vulnerabilities due to x86_64 and ia32 compatibility issues: http://scarybeastsecurity.blogspot.com/2009/02/linux-kernel-minor-seccomp.html

Oona Leganovic
A short political history of acoustics

The birth of the modern science of acoustics was directly intertwined with the desires to surveill and communicate, either in secret or to everybody at once. Acoustics was not just about 'learning more about nature,' right from the start it was an applied science, driven by very clear notions of who has the right, and thus should have the possibility, of listening in on others, who needs to be able to converse in private, and who should be heard by everybody if he wishes to. How are these historical ideas related to those of today?

The talk teases out these juicy implications from mostly original source material, focussing on the strange figure of the Jesuit Athanasius Kircher, but also looking at better known characters of the Scientific Revolution like Francis Bacon, Marin Mersenne, and the early Royal Society. There are plenty of phantastic 'scientific' illustrations to look at as well as descriptions of devices (for the amplification of sound, for acoustical surveillance, entertainment, and the so called 'cryptoacoustics') that did or rather did not work to laugh about, but the key questions are those about power and its relationship to notions of privacy and communication, the history of privacy as a privilege and surveillance as a 'right' of government. Some of these ideas become especially clear in the phantasies they produced. How are these historical ideas related to our own about who gets to listen in, who gets to converse in private, and who get to be heard by everybody? And what has all that to do with the history of science, and even magic?

Thomas Barth
Netzmedienrecht, Lobbyismus und Korruption

Die Mediennutzung, aber auch ihre Verwaltung und Vergütung, also ihr Management, müssen an eine digitale Netzwelt angepasst werden. Wie ist der Stand der juristischen Auseinandersetzung um die Rechte von Urhebern, Verwertern und Nutzern von Medieninhalten? Wie und wo setzen sich starke Wirtschaftsinteressen mit Lobbygruppen durch?

Hintergrund sind entsprechende Debatten in internationalen Organisationen, z. B. TRIPS (Trade Related Aspects of Intellectual Property) und WIPO (World Intellectual Property Organization) sowie das von der EU lancierte Grünbuch ‚Urheberrechte in der wissensbestimmten Wirtschaft‘ (2008). Dort wurde eine „Ausgewogenheit der Interessen von Urhebern und Nutzern von geistigen Produkten bzw. Wissensobjekten“ proklamiert, die sich leider so nicht erkennen lässt. Im Grünbuch ist eine Tendenz erkennbar, die Lösung der Problematik der urheberrechtlich gebremsten Verbreitung von Wissen von der Verschiebung auf das Gebiet des Vertragsrechts zu erwarten. Dies erweckt den Verdacht, dass sich hier die Lobby der Medienindustrie durchgesetzt haben könnte, die dank ihrer Rechtsabteilungen von besagter Tendenz profitieren dürfte – gegenüber Bildung und Forschung, aber auch generell gegenüber den Urhebern ihrer Inhalte. Rechtlich entscheidend sind dabei die Ausnahmen und Beschränkungen kommerzieller Verwertungsrechte, im UHG kodifiziert für 1. Behinderte, 2. Archive/Museen etc., 3. Bildung/Forschung sowie „evtl. noch zu schaffende“ für von Nutzern geschaffene Inhalte: v. a. Open Source, Wikis etc.

Florian Adamsky
Techniken zur Identifizierung von Netzwerk-Protokollen

Der Vortrag soll Techniken aufzeigen, mit denen man Netzwerk-Protokolle identifizieren kann, die in Layer 7 des OSI-Modells angesiedelt sind. Alle Techniken - darunter auch die Deep Packet Inspection (DPI) - werden technisch erläutert und kritisch bewertet.

Der Fokus des Vortrags liegt auf dem SPID-Algorithmus, den Hjelmvik und John entwickelten. Dieser Algorithmus inspiziert die Netzwerk-Protokolle mit statistischen Merkmalen. Die Ergebnisse der statistischen Analyse geben Aufschluss, wie man Protocol Obfuscation in Zukunft verbessern kann, um zu verhindern das Protokolle erkannt werden. Auf die folgenden Techniken zur Identifizierung von Netzwerk-Protokollen wird inhaltlich eingangen: Port-Nummern, Deep-Packet-Inspection, Maschinen-Lern-Algorithmen und der hybride Ansatz SPID. Alle Techniken werden nach den folgenden Anforderungen abgewogen. Erstens sollen Protokolle in naher Echtzeit erkannt werden. Zweitens soll eine möglichst robuste und sichere Erkennung von Protokollen möglich sein. Und Drittens soll die Technik auf leistungsarmer und kostengünstiger Hardware laufen. Nach der Abwägung werden die technischen Einzelheiten des SPID-Algorithmus erläutert und ausgewählte statistische Merkmale beleuchtet. Diese bilden nachfolgend die Grundlage, um Protocol Obfuscation zu verbessern. Abschließend werden verschiedene Evaluierungs-Ergebnisse präsentiert.

Bernd Sieker
"Spoilers, Reverse Green, DECEL!" or "What's it doing now?"

Getting the interfaces right to computers controlling complex and dangerous machines such as commercial airliners is crucial. I will present a successful accident analysis method and talk about interface design problems, ideas for solutions, methods for understanding causal control flow. There will be some spectacular aviation accident videos and stories of bad luck, bad design, bad decisions, and a hero that managed to turn a near-catastrophe into an accident without fatalities.

Getting the Interface right can be crucial. So does an understanding of the underlying logic, and knowledge of correct procedures when operating complex devices. Modern airliners are incredibly complex machines, no person can fully understand what is going on. This starts at simple things like fuel systems (e. g. the B777 has only two engines and three fuel tanks, how complicated can that be? Surprisingly so.) and goes on to autopilots, autothrottle systems, FADECs (Full Authority Digital Engine Control), Flight Management, Guidance and Envelope Computers (FMGEC), digital fly-by-wire systems, weight computations etc. Apart from the largely unsolved problems of how to create software for these systems that is demonstrably extremely reliable (in commercial aviation we're talking about probablities of dangerous failures of 1 in a billion flight hours: testing just won't do), there is the underrated question of getting the interface right. What to annunciate to the crew and when, and in which form? Some accidents and incidents are directly related to a flight crew being confused by the annunciations, or didn't know how to react properly to seemingly unrelated warnings. At other times, a pertinent and important warning is suppressed because another, ostensibly more important warning inhibited the other one. I'll be talking about some accidents that we have analysed using Why-Because-Analysis (see http://www.rvs.uni-bielefeld.de/research/WBA/) in which the interface and the automation played a role. I will also be talking about some design principles to guide interface design and interactive safety.

Peter Franck
Data Recovery Techniques

Data recovery has always been an area of myths. This lecture will lift some of their covers.

* A short tour of recovery layers and techniques * "Talk to your Hard Drive!" - out-of-band interfaces * change the serial number of your HDD to your girl friend's name

Ralf-Philipp Weinmann
The Hidden Nemesis

Want to persistently backdoor a laptop? Backdooring the BIOS is out of the question since your target can dump and diff it? Planting hardware is out of the question as well? Shhhhhhh.. I have something for you:

Embedded controllers are present in every modern laptop, yet their security impact has been unresearched thus far. An embedded controller has access to the complete stream of keyboard scan codes, can control fans and the battery charging process. Backdooring the embedded controller is a powerful way to plant a persistent firmware keylogger that works in a cross-platform fashion. Since ECs usually also provide battery and temperature sensor readings through ACPI, there also exists a way to funnel out the keystroke data through a low-privilege process later. Some laptops even allow EC controller firmware updates over the LAN! I will present a PoC backdoor for a widespread series of laptops and show you how to defend yourself against this attack by dumping the EC firmware yourself.

Andreas Bogk
Andy Müller-Maguhn
Constanze Kurz
Frank Rieger
CCC-Jahresrückblick 2010

Wir berichten über vergangene Veranstaltungen, Erfa-Aktivitäten, Demonstrationen, Hacks, Medienkontakte, Gerichtsverhandlungen, Lobbyarbeit sowie weiteres Erfreuliches und Ärgerliches des Jahres 2010 keinesfalls objektiv, sondern mit der gewohnten Hackerperspektive.

Wir berichten über vergangene Veranstaltungen, Erfa-Aktivitäten, Demonstrationen, Hacks, Medienkontakte, Gerichtsverhandlungen, Lobbyarbeit sowie weiteres Erfreuliches und Ärgerliches des Jahres 2010 keinesfalls objektiv, sondern mit der gewohnten Hackerperspektive.

Peter Welchering
Ralph Müller-Schmid
Tim Pritlove
Willi Steul
Radio der Zukunft

Radio – das ist eine der wenigen elektronischen Medientechnologien, die den Sprung in die digitale Ära noch nicht richtig geschafft hat. Während die Fernsehverbreitung schon fast vollständig per volldigitalen Systemen wie DVB-T stattfindet, bleiben die Radiosender dem guten alten Analog-Funk auf UKW treu.

Dabei haben die Versuche, das Radio zu digitalisieren, viel früher als beim Fernsehen begonnen. Doch das aufwendige DAB-System konnte sich genausowenig gegen UKW durchsetzen wie DRM gegen Mittel- und Langwelle. Auch das Nachfolgesystem DABplus hat Startschwierigkeiten. Und das, obwohl die UKW-Frequenzen knapp sind und die Qualität auf Mittel- und Langwelle bescheiden ist. Nur im Internet wurde das Radio digitalisiert – und die Informationsvielfalt im Netz zwingt die Sender, ganz neue Angebote zu machen. Das Podium wird diskutieren, wie der bundesweite Hörfunk mit der Digitalisierung des Radios umgeht.

bushing
marcan
sven
Console Hacking 2010

Over 70 million Wiis, over 40 million Xbox 360s and over 35 million Playstation 3s have been sold in the last few years. That makes over 145 million embedded devices out there and most of them are just used to play games. But what can you do with them if you don't like playing games? You hack them to make them run your own code of course! We're going to talk about the various hacks that you can use to gain control of your hardware and make it do what you want it to do.

2010 saw the first hacks for the Playstation 3, soon after Sony removed Other OS functionality. We will detail the operation of current PS3 exploits, show a few new ones and explain where and how Sony went wrong when designing its security system, and show how these holes can be used to gain control over the system and bring Linux back to the PS3. We will also go over hacks for the other consoles, including the JTAG hack for the Xbox 360 which made running homebrew code more convenient, and the cat-and-mouse games that Nintendo played with us to combat Wii hacks. We might also check out the security of their 'new' handheld console - the DSi. Gamers might find this talk interesting even though it is targeted at those who hack (or design) embedded system security. A basic knowledge of crypto is therefore assumed. We will also be present in the Hackcenter before and after the presentation for those of you who are interested in learning more about the subject.

Daniel Domscheit-Berg
IMMI, from concept to reality

The talk will give an update on the status of the Icelandic Modern Media Initiative. If we put IMMI into the context of the bus Rop talked about in the keynote, then IMMI is the quality rubber for the tires that can ride that road safely. It is part of what our bus should look like, ride like, feel like. The talk will also try to define some more of that bus, and elaborate on what else we need apart from the best rubber we can get. The talk will hence deal with some of the latest developments in respect to freedom of speech, specifically that of the press, and political pressure being excersized on it, roles and responsibilities, and the role of responsibility.

The talk will give an update on the status of the Icelandic Modern Media Initiative. If we put IMMI into the context of the bus Rop talked about in the keynote, then IMMI is the quality rubber for the tires that can ride that road safely. It is part of what our bus should look like, ride like, feel like. The talk will also try to define some more of that bus, and elaborate on what else we need apart from the best rubber we can get. The talk will hence deal with some of the latest developments in respect to freedom of speech, specifically that of the press, and political pressure being excersized on it, roles and responsibilities, and the role of responsibility.

Harald Welte
Steve Markgraf
Running your own GSM stack on a phone

In recent years, we have seen several Free Software projects implementing the network side of the GSM protocol. In 2010, OsmocomBB was started to create a free software implementation of the telephone-side.

The OsmocomBB project is a Free Software implementation of the GSM protocol stack running on a mobile phone. For decades, the cellular industry comprised by cellphone chipset makers and network operators keep their hardware and system-level software as well as GSM protocol stack implementations closed. As a result, it was never possible to send arbitrary data at the lower levels of the GSM protocol stack. Existing phones only allow application-level data to be specified, such as SMS messages, IP over GPRS or circuit-switched data (CSD). Using OsmocomBB, the security researcher finally has a tool equivalent to an Ethernet card in the TCP/IP protocol world: A simple transceiver that will send arbitrary protocol messages to a GSM network.

Steven J. Murdoch
Chip and PIN is Broken

EMV is the dominant protocol used for smart card payments worldwide, with over 730 million cards in circulation. Known to bank customers as “Chip and PIN”, it is used in Europe; it is being introduced in Canada; and there is pressure from banks to introduce it in the USA too. EMV secures credit and debit card transactions by authenticating both the card and the customer presenting it through a combination of cryptographic authentication codes, digital signatures, and the entry of a PIN. In this paper we describe and demonstrate a protocol flaw which allows criminals to use a genuine card to make a payment without knowing the card’s PIN, and to remain undetected even when the merchant has an online connection to the banking network.

The fraudster performs a man-in-the-middle attack to trick the terminal into believing the PIN verified correctly, while telling the issuing bank that no PIN was entered at all. The paper considers how the flaws arose, why they remained unknown despite EMV’s wide deployment for the best part of a decade, and how they might be fixed. Because we have found and validated a practical attack against the core functionality of EMV, we conclude that the protocol is broken. This failure is significant in the field of protocol design, and also has important public policy implications, in light of growing reports of fraud on stolen EMV cards. Frequently, banks deny such fraud victims a refund, asserting that a card cannot be used without the correct PIN, and concluding that the customer must be grossly negligent or lying. Our attack can explain a number of these cases, and exposes the need for further research to bridge the gap between the theoretical and practical security of bank payment systems. Smart cards have gradually replaced magnetic strip cards for point-of-sale and ATM transactions in many countries. The leading system, EMV (named after Europay, MasterCard, and Visa), has been deployed throughout most of Europe, and is currently being rolled out in Canada. As of early 2008, there were over 730 million EMV compliant smart cards in circulation worldwide. In EMV, customers authorize a credit or debit card transaction by inserting their card and entering a PIN into a point-of-sale terminal; the PIN is typically verified by the smart card chip, which is in turn authenticated to the terminal by a digital certificate. The transaction details are also authenticated by a cryptographic message authentication code (MAC), using a symmetric key shared between the payment card and the bank that issued the card to the customer (the issuer). EMV was heavily promoted under the “Chip and PIN” brand during its national rollout in the UK. The technology was advertised as a solution to increasing card fraud: a chip to prevent card counterfeiting, and a PIN to prevent abuse of stolen cards. Since its introduction in the UK the fraud landscape has changed significantly: lost and stolen card fraud is down, and counterfeit card fraud experienced a two year lull. But no type of fraud has been eliminated, and the overall fraud levels have actually risen (see Figure 1). The likely explanation for this is that EMV has simply moved fraud, not eliminated it. One goal of EMV was to externalise the costs of dispute from the issuing bank, in that if a disputed transaction has been authorised by a manuscript signature, it would be charged to the merchant, while if it had been authorised by a PIN then it would be charged to the customer. The net effect is that the banking industry, which was responsible for the design of the system, carries less liability for the fraud. The industry describes this as a ‘liability shift’. In the past few years, the UK media have reported numerous cases where cardholders’ complaints have been rejected by their bank and by government-approved mediators such as the Financial Ombudsman Service, using stock excuses such as ‘Your card was CHIP read and a PIN was used so you must have been negligent.’ Interestingly, an increasing number of complaints from believable witnesses indicate that their EMV cards were fraudulently used shortly after being stolen, despite there having been no possibility that the thief could have learned the PIN. In this paper, we describe a potential explanation. We have demonstrated how criminals can use stolen “Chip and PIN” (EMV) smart cards without knowing the PIN. Since “verified by PIN” – the essence of the system – does not work, we declare the Chip and PIN system to be broken.

Felix von Leitner
Frank Rieger
Fnord-Jahresrückblick 2010

Auch dieses Jahr werden wir uns wieder bemühen, Euch mit einem Rückblick auf die Fnords des Jahres zu unterhalten.

Im Format einer lockeren Abendshow werden wir die Highlights des Jahres präsentieren, die Meldungen zwischen den Meldungen, die subtilen Sensationen hinter den Schlagzeilen. Kommen Sie, hören Sie, sehen Sie! Lassen Sie sich mitreißen!

Ray
Stefan 'Sec' Zehl
Hacker Jeopardy

The Hacker Jeopardy is a quiz show.

The well known reversed quiz format, but of course hacker style. It once was entitled "number guessing for geeks" by a German publisher, which of course is an unfair simplification. It's also guessing of letters and special characters. ;) Three initial rounds will be played, the winners will compete with each other in the final.

seda
A Critical Overview of 10 years of Privacy Enhancing Technologies

The objective of the session is to provide a critical overview of "privacy research" within computer science. The mechanisms proposed in the last ten year include mechanisms for anonymous communications, censorship resistance, selective disclosure credentials (and their integration in identity management systems), as well as privacy in databases. All of these system are meant to shield the user from different aspects of on-line surveillance either through allowing a user to keep some of her data "confidential" or by allowing her to assert "control" over her data. We will illustrate using concrete examples, why some paradigms came to dominate the field, their advantages, but also their blind spots, and unfulfilled promises given the conditions of our surveillance societies.

Since 2000 there has been a renewed interest amongst computer scientists in the field of ”privacy technology”. This includes mechanisms for “anonymous” communications, censorship resistance, selective disclosure credentials, as well as privacy in databases - all of which are meant to shield the user from some aspects of on-line surveillance. Beyond the lab, some of those systems have been deployed and are widely used today. Yet, the type of surveillance against which privacy technologies are supposed to offer protection is often ill-defined, and widely varying between works: from an individual who wishes “to hide an occasional purchase from his spouse”, to “groups coordinating political dissent under totalitarian regimes”. While privacy is seen as the key unifying theme of these works only one aspect of it is systematically represented, namely ”confidentiality”. Privacy as self-definition, informational self-determination or as a public good that needs to be negotiated is often neglected. Further, the increasing omni-presence of surveillance technologies, the informatisation of every day life, as well as active resistance to on-line surveillance are used as justifying departure points for privacy technologies but they have so far not been explored in depth in the privacy research field. In this talk, we explore the development of contemporary privacy technologies, its key results and methodologies. At its heart our argument is that the field of privacy technology was seeded by computer security and cryptography experts that rushed to apply their tools to new problems, yielding mixed results. Additional pressures from different stakeholders to devise technology that will make large IT systems acceptable to the public has led to further confusion about the goals and methods most appropriate to embed privacy friendly values into computer systems. Further, the recent trend has been to replace the confidentiality paradigm with what can be called the "control" paradigm. Using concrete examples, we seek to explain why some paradigms came to dominate the field, their advantages, but also their blind spots, and unfulfilled promises.

Kay Hamacher
Stefan Katzenbeisser
Terrorists Win - Exploiting Telecommunications Data Retention?

Telecommunications data retention (TDR) has become a reality in most Western countries. Protagonists claim that the collection of massive amounts of data on the communication behavior of all individuals within a country would enable law enforcement agencies to exploit patterns in the stored data to uncover connections between suspects.

While this is obviously true for investigations after an incident happened, there is up to now no critical and sound assessment publicly available that evaluates whether TDR brings any pro-active benefits for the above mentioned, justified purposes. In this talk we give for the first time a critical assessment of the power of TDR based on methods from information theory. To this end we have employed agent based simulations, which mimic the communication behavior of a large community including a dark-net of alleged suspects. The structure and statistics of our telecommunication simulation, which drive the dynamics of telephone calls and simulated TDR data, were generated according to known statistics of real-world telecommunications networks. Hiding in the unavoidable noise seems to be a passive strategy for terrorists to circumvent pro-active detection. This stems from a "needle in the haystack"-problem, that arises due to the small number of conspirators compared to the number of other participants. In particular situations and with adopted strategies suspected terrorists might be able to eventually exploit TDR for their purposes and take an active approach to hiding in the crowd. Such TDR exploits would lower the probability of detection by law enforcement agencies and render TDR a potential security threat. Again, we use our simulations and our analysis procedure to assess this problem.

Angela Crow
Ignorance and Peace Narratives in Cyberspace

This paper explores the challenges of being proactive with existing and future data mining possibilities when facing the realities of institutional expectations for assessment and when facing the fact that one’s own understanding of cyber capabilities is less than ideal. This paper discusses the current assessment cyber resources, trends, and pressures within USA academic institutions and the challenges of reactive/proactive labor in the midst of multiple levels of technological/informational literacies amongst administrators.

Years ago, when young nuns were entering a particular Catholic convent, they were asked to write autobiographical essays which were filed away along with other information about each nun. When they were elderly, these nuns agreed to be a part of a study on Alzheimers, giving permission for scientists to perform autopsies upon their deaths. Susan Kemper, a cognitive psychologist and psycholinguist was able to take the autobiographies from these humanities-based school teachers, and predict the probability of alzheimers from their sentence structures at eighteen. Luckily, replications of this kind of research are difficult. I say luckily because these kinds of findings might have potential hazards for those whose writing at 18 indicates alzheimers: specifically, living in a country in which health care is not a fundamental right, insurance companies might want access to this kind of data. I think of this study each time that I find myself in a meeting as an administrator at a university in the United States, navigating difficult decisions about gathering writing samples from a large group of 18 year old students. While our assessment rhetoric suggests that we “come in peace,” I find myself worrying over the potential hazards of employing certain cloud computing resources to facilitate our data collection of student essays. This paper explores the challenges of being proactive with existing and future data mining possibilities when facing the realities of institutional expectations for assessment and when facing the fact that one’s own understanding of cyber capabilities is less than ideal. This paper discusses the current assessment cyber resources, trends, and pressures within USA institutions and the challenges of reactive/proactive labor in the midst of multiple levels of technological/informational literacies amongst administrators.

Wolfgang Beck
SIP home gateways under fire

The SIP home gateway -- which combines a NAT router, a SIP proxy, and analogue phone adapters -- is the weakest link in a Voice over IP network. SIP's numerous source routing mechanisms share the well-known security weaknesses of IP source routing. The talk discusses possible exploits and countermeasures.

Telephony is steadily moving to Voice over IP, opening up a world of hacking opportunities. While many security issues have long been addressed in standardization, real-world VoIP suffers from incomplete and sometimes broken implementations. SIP home gateways -- which combine a NAT router, a SIP proxy, and a phone adapter are especially at risk. The predominant VoIP protocol SIP (Session Initiation Protocol) has been designed as an -- almost -- stateless protocol. The network elements responsible for call routing only keep very little and short-lived state. This makes SIP highly scalable and substantially simplifies fail-over. To achieve this, SIP uses source routing mechanisms extensively. Due to its security weaknesses, the network layer protocols have long abandoned the idea of source routing, despite its theoretical appeal. Some IP source routing attacks and countermeasures can be applied to SIP. The talk will discuss - how to impersonate somebody else, with seemingly network-asserted identity - how to trick a home gateway into sending UDP packets to an arbitrary host and port in a victim's LAN. - how to make a victim's home gateway call an arbitrary number (with some effort) - how to get material for your off-line password guessing attack - what SIP providers do about those issues - how SIP passed the IETF's security reviews - how home gateway vendors should improve their products to avoid all this mess.

Sylwester
DIY synthesizers and sound generators

At least if you have used all the features of a synthesizer, you probably ask the questions: "How can I modify it? How can I build a synthesizer myself? What features do I personally need?" This talk covers this topic from a theoretical and technical point of view.

Since commercial synthesizers have been built, the interest in modifying existing synthesizers and building own synthesizers has increased. Nowadays there is a much bigger DIY (Do-It-Yourself) community, and the idea of building own synthesizers and modules has been even merged with the idea of open-source and creative-commons hardware. This gives a wide range of new possibilities. Another part of the talk will be a quick introduction of less or more known DIY-synthesizer projects and the demonstration of a DIY synthesizer based on MOS 6581-like synthesis (The Commodore SID), which can be built from quite cheap electronic components and give a wide range of possibilities for sound generation and a reasonable sound. This talk will briefly describe the basics of sound synthesis and what makes it so interesting. A little bit of basic knowledge is recommended, but not necessary.

Henryk Plötz
Milosch Meriac
Analyzing a modern cryptographic RFID system

Popular contactless systems for physical access control still rely on obscurity. As we have shown, time and time again, proprietary encryption systems are weak and easy to break. In a follow-up to last year's presentation we will now demonstrate attacks on systems with 'proper' cryptographic algorithms.

Since we broke the last of the big players on the market at 26C3, most vendors are now migrating to new systems which rectify our main point of concern: proprietary algorithms. All new technologies use AES or 3DES for encryption and/or authentication and vendors tirelessly tout the security of their systems and the use of these algorithms between card, reader and host. We will discuss the design of the successor to a system we attacked last year, and demonstrate how a system can be insecure despite the use of secure cryptoprimitives.

Sylvia Johnigk
INDECT - an EU-Surveillance Project

INDECT The acronym stands for Intelligent Information System Supporting Observation, Searching and Detection for Security of Citizens in Urban Environment. A total of 17 partners in nine member states are developing an infrastructure for linking existing surveillance technologies to form one mighty instrument for controlling the people. They are laying the foundation of a European police state, since INDECT's results serve to increase the effectiveness of police operation on the national and European level. INDECT is funded under the European Commission's Seventh Framework Programme (FP7), the security-related research of which provides € 1.4 billion Euro for more than 60 partly interlaced projects.

This Is What the Police Will Work with in the Future: ·Unmanned aerial vehicles/drones with surveillance camera and sensors ·Software (for cameras etc.) to identify supposedly suspicious behavior or hostile intent ·Auto-tracking of mobile objects ·Software (autonomous agents) to monitor virtual spaces such as discussion forums in the Internet or social networks ·Trojan horses which record users’ private computer activity ·Safeguards, such as watermarking, to allow sophisticated controls on recorded images for evidence, and to index, analyse and administer multimedia content (such as video) ·A search engine combining direct search of data from the real and the virtual world The presentation deals with: - Goals and Partners - The EU's Current Security Policy - Ethically Clean - Censorship in Disguise? Ethics Board for INDECT. - Critical Assessment of INDECT-Research

Betje Schwarz
Doris Gerbig
Kathrin Englert
Digitale Spaltung per Gesetz

Hartz IV-Empfangende brauchen keine internetfähigen Computer, weil sie Fernseher haben. Dieser Ansicht sind deutsche Sozialgerichte und forcieren damit eine digitale Spaltung per Gesetz. Im Zeitalter der digitalen Informations- und Kommunikationsgesellschaft mutet dieser Umstand absurd an, aber eine breite öffentlichkeitswirksame Debatte steht bisher aus.

Hartz IV-Empfangende brauchen keine internetfähigen Computer, weil sie Fernseher haben. Die Grundversorgung mit Informationen werde laut Landessozialgericht NRW durch Fernsehen und Rundfunk sichergestellt. Dementsprechend gilt auch nur ein Fernseher nicht jedoch ein internetfähiger PC als unpfändbar. In den ALG II-Regelleistungen sind Anschaffungskosten für einen PC nicht vorgesehen, lediglich 5,80 Euro im Monat für Internetdienste und Datenverarbeitung. Dass es in Hamburg mittlerweile eine „Computer-Tafel“ gibt, zeigt die Unwirklichkeit eines Beschlusses des Landessozialgerichts Bayern, laut dem Hartz IV-Empfangende die Kosten für einen PC ansparen könnten. In dieser Situation der digitalen Spaltung erforschen wir als Sozialwissenschaftlerinnen an der TU Hamburg-Harburg die Internetnutzung von Erwerbslosen und stellen erste Ergebnisse vor. Die per Gesetz verordnete digitale Spaltung mutet im Zeitalter der digitalen Informations- und Kommunikationsgesellschaft absurd an. Dass es bisher keine öffentlichkeitswirksame Debatte gibt, mag auch daran liegen, dass es bisher kaum wissenschaftliche Erkenntnisse darüber gibt, welche Bedeutung das Internet im Alltag von Erwerbslosen hat. Diese Frage ist bisher weder in der Erwerbslosen- noch in der Internetforschung untersucht worden. Dabei wäre eine wissenschaftliche Beschäftigung mit dieser Frage in der Debatte um Ausgrenzung und Teilhabe dringend notwendig. In unserem Forschungsprojekt sind wir dieser Frage anhand von Interviews und Internetsessions mit Erwerbslosen in drei verschiedenen Regionen Deutschlands nachgegangen. Der Alltag von Menschen im ALG II-Bezug ist in besonderem Maße durch prekäre Lebensverhältnisse gekennzeichnet. Der Verlust von Erwerbsarbeit bedeutet den Verlust einer zentralen Dimension gesellschaftlicher Teilhabe, der sich auch auf weitere Teilhabeformen wie soziale Nahbeziehungen, Rechte, Kultur und Bildung auswirkt. Welche Rolle spielt nun das Internet in diesem von Ausgrenzungen und sozialen Verwundbarkeiten geprägten Alltag? Kann das Internet die eingeschränkten Teilhabemöglichkeiten kompensieren? Können Erwerbslose mit Hilfe des Internets Handlungsfähigkeit zurückgewinnen? Welche Bedeutung schreiben Erwerbslose dem Zugang zum Internet zu? Wird ein nicht vorhandener oder eingeschränkter Internetzugang zu einer weiteren Dimension der Ausgrenzung von Erwerbslosen in der digitalen Wissensgesellschaft und produziert damit soziale Ungleichheit? Wir würden gerne mit AktivistInnen diskutieren, wie man gegen die derzeitige gesetzlich geförderte doppelte Ausgrenzung von Erwerbslosen vorgehen kann.

Felix von Leitner
Frank Rieger
Fnord-Jahresrückblick 2010 (english translation)

Auch dieses Jahr werden wir uns wieder bemühen, Euch mit einem Rückblick auf die Fnords des Jahres zu unterhalten.

Im Format einer lockeren Abendshow werden wir die Highlights des Jahres präsentieren, die Meldungen zwischen den Meldungen, die subtilen Sensationen hinter den Schlagzeilen. Kommen Sie, hören Sie, sehen Sie! Lassen Sie sich mitreißen!

Hacker Jeopardy (english translation)

The Hacker Jeopardy is a quiz show.

The well known reversed quiz format, but of course hacker style. It once was entitled "number guessing for geeks" by a German publisher, which of course is an unfair simplification. It's also guessing of letters and special characters. ;) Three initial rounds will be played, the winners will compete with each other in the final.

Nick Farr
Lightning Talks - Day 3

4 minutes for every speaker. Learn about the good, the bad, and the ugly - in software, hardware, projects, and more.

Give a lightning fast talk about your favourite project, program, system - and thereby find people with the same interest to proceed and promote it. Alternatively - give us a good rant about something and give us some good reasons why it should die. ;) Get right at it, don't waste time by explaining too much, get the main points across, and then let us know how to contact you on the congress for a talk! Whatever you do - please practise it, and don't be boring. Or else. You have been warned! :-P

Sai
Cognitive Psychology for Hackers

Experience firsthand some of the most interesting, surprising, and perspective-changing findings from cognitive and social neuropsychology. With perceptual illusions, priming, biases, heuristics, and unconscious influences, humans have tons of firmware "bugs". All have exploits; some even have patches. Learn how to improve your own thinking, use others' bugs to your advantage, and gain new perspective on the unconscious and often illusory processes involved in your perceptions.

This interactive talk goes through as many interesting, surprising, perspective-changing findings from the cognitive sciences as I can fit in one hour while ensuring that as much as possible has a real, live demonstration that the audience participates in (rather than merely being told about). It's not just a collection of 'stupid human tricks' (though I'll be using lots of those for examples); this is a coherent narrative about surprising ways in which humans are flawed, how these aren't just things that happen to "other people", and how one might go about improving the situation at least for oneself. Every point will be supported by good science, with references to papers for those who care to read up more about them. Come to the meditation workshop afterwards to learn several more interesting and powerful techniques to proactively control your own mindstate. Tags: #27c3 #cogsci @saizai (emails also appreciated) See below for blinking disks illusion from Akiyoshi Kitaoka, inspired by Faubert and Herbert (1999). Stop staring at it if it makes you dizzy. No, it's not actually moving - if you point at / fixate on any part of it, that part will remain stable.

Bernhard Fischer
Safety on the Open Sea

In maritime shipping accurate positioning is vital to preserve damage to life, ship, and goods. Today, we might tend to think that this problem is sufficiently solved yet because of the existence of electronic positioning systems like, most notably, the Global Positioning System (GPS) or the Russian counterpart GLONASS. This is wrong. Positions in terms of latitude and longitude just make sense together with an accurate sea chart (and of course, together with a navigator that is able to translate charting data into reality).

Sea charts are available of national geospatial agencies and business companies as hard-copy or as digital maps and dependent on costs one might spend they are more or less accurate. In today's open world the idea of making an open sea chart is obvious. Several projects now started to apply the rules used for the OpenStreetMap, "...a free editable map of the whole world." (http://www.openstreetmap.org/), to create a free editable sea chart of the whole world and it turns out to be much more difficult because of potential serious consequences in case of charting errors. A sea chart contains a lot of vital information to a navigator. It has to be accurate, up to date, and confidential. Since we (the open sea chart community) cannot just chart every navigational important item on the world we are dependent on information that was already charted before or on third-party information. The latter could be for example measurements or GPS tracks of people that are somehow involved into maritime shipping but not necessarily into details of marine mapping. Thus, data accuracy may be questionable but still valuable. The fact that unauthenticated people are editing data in an open database is a big challenge for an open community since safety and security of life heavily depends on it. This talk covers the basic principles of sea charts and marine mapping. It emphasizes the problems of an open sea chart in general and its distinction to an open street map since requirements to ensure safety at sea are very different. Data preparation and import of other sources are discussed in detail, mainly focused on lights and depths. The lecture will connect real world shortcomings to a pedantic definite IT world for an IT-oriented audience and approaches IT security from a different angle.

Renaud Lifchitz
Android geolocation using GSM network

We introduce a new forensic technique that allows to collect users' past locations on most current Android phones, within a few seconds. It becomes possible to tell where the user was at a given time, or where a phone call took place over the last few hours or days.

The attack is based on GSM BTS cell location and little-known Android logging features and can be extended to track a user's activity over long periods of time. We will also show how to perform the attack locally and remotely, and ways to protect against these techniques, as well as forensic applications and privacy concerns. As a part of the presentation we plan to show a live demonstration of both local and remote attacks to retrieve geolocation and activity history of targeted phones. The graphical mapping tool used for the presentation will be released as open source. Talk keywords: mobile phone hacking, geolocation, android, privacy, forensics Outline: 1. WHY ANDROID? 2. GEOLOCATION: DIFFERENT APPROACHES 3. ATTACK VECTORS 4. SPYING USERS... (GETTING MORE THAN LOCATION: TRACKING CALLS&SMS) 5. HOW TO PROTECT? 6. TOOL DEMO

Eleanor Saitta
Your Infrastructure Will Kill You

The past century our infrastructure has seen both massive expansion and heavy centralization. When it fails, it fails big -- this is the reality of our modern interconnectedness. We live in a world of crumbling bridges and bankrupt states, and our infrastructure will kill us. The people we’re relying on to keep us safe are trying to accomplish long-term risk management with short-term thinking. So, what now? We can't opt out, but we can become more resilient, and we can start thinking about risk differently.

In this talk, we'll look at threat modeling in the real world, six ways to die, failing states, that big party in the desert, the failure of the humanitarian project, algae and the U.S. military, large-scale natural disasters, the power grid, and many other things. The problems we face are big in every sense of the word -- they involve some of the biggest things we've ever built -- but the solutions may not be. Can non-governmental networks step up when governments fail to provide basic services? Can we avoid a further expansion of neoliberalism in a post-infrastructural state? Are the power structures embedded in our infrastructure cultural destiny? What happens when maker culture grows up? Come find out, while you still have a choice.

Harald Welte
Reverse Engineering a real-world RFID payment system

How to reverse engineer the data format of a real-world RFID based debit card system.

One of Asia’s most popular electronic payment systems uses insecure technology. The EasyCard system, established in 2001, is the most popular stored-valued card in Taiwan. With more than 18 million issued cards, it is the predominant means of paying for public transportation services in the capital Taipei. In 2010, use of the EasyCard was extended beyond transportation. Card holders can now pay in all major convenience stores like 7eleven, coffe shops like Starbucks and and major retail companies like SOGO. Despite the large fraud potential, the EasyCard system uses the MIFARE Classic RFID technology, whose proprietary encryption cipher CRYPTO1 relied on obscurity and was first publicly broken several years ago at 24C3 This presentation analyzes the results of combining the practical attacks on the MIFARE Classic CRYPTO1 system in the context of the EasyCard payment system. It describes the process of reverse- engineering the actual content of the card to discover the public transportation transaction log, the account balance and how the daily spending limit work. Furthermore, the talk will present how fundamentally flawed the system is, and how easy it is to add or subtract monetary value to/from the card. Cards manipulated as described in the talk have been accepted by the payment system.

Julien Vanegue
Zero-sized heap allocations vulnerability analysis

The dynamic memory allocator is a fundamental component of modern operating systems, and one of the most important sources of security vulnerabilities. In this presentation, we emphasize on a particular weakness of the heap management that has proven to be the root cause of many escalation of privilege bugs in the windows kernel and other critical remote vulnerabilities in user-land applications.

The problem is not specific to any operating system and is present in both user-land and kernel-land allocators. The presentation is divided into three parts. First, we will reveal the exact nature of the weakness and provide a taxonomy of all tested operating systems (both in the Windows and UNIX world, most of them are exposed). We then present a custom static analyzer for this class of defects based on the HAVOC framework, a heap-aware verifier for C programs, developed in the RISE team at Microsoft Research. We have deployed the analyzer on multiple kernel components, some of them reaching one million lines of C code. The analyzer produces a reasonable amount of warnings without any complex configuration. Finally, we generalize our analysis technique by characterizing what happens when the size of heap chunks is in the neighbourhood of zero (e.g. near-zero allocations) and give another example of fixed remote bug. We emphasize that this weakness should not be considered as a new class of vulnerabilities (such as buffer overflow), but rather a new type of code defect in the same style as integer overflows, as many occurrences are legit and do not lead to a bug.

Juergen Pabel
FrozenCache

Cold boot attacks are a major risk for the protection that Full-Disk-Encryption solutions provide. FrozenCache is a general-purpose solution to this attack for x86 based systems that employs a special CPU cache mode known as "Cache-as-RAM". Switching the CPU cache into a special mode forces data to held exclusively in the CPU cache and not to be written to the backing RAM locations, thus safeguarding data from being obtained from RAM by means of cold boot attacks.

A Proof-of-Concept implementation for Linux will be demonstrated and implementation details discussed.

Julia Wolf
OMG WTF PDF

Ambiguities in the PDF specification means that no two PDF parsers will see a file in the same way. This leads to many opportunities for exploit obfuscation.

PDFs are currently the greatest vector for drive-by (malware installing) attacks and targeted attacks on business and government. A/V technology is extraordinarily poor at detecting these. The PDF format itself is so diverse and vague, that an A/V would need to be 100% bug-compatible with the parser in the vulnerable PDF reader. You can also do cool tricks like make a single PDF file that displays completely differently in several different readers.

maha/Martin Haase
Ich sehe nicht, dass wir nicht zustimmen werden

Der Vortrag zeigt auf, wie sich Politiker rechtfertigen, wenn sie gegen ihre Argumentation und die Überzeugungen entscheiden oder handeln, für die sie stehen. Es ergibt sich dabei eine extreme Zwangslage, denn es ist oft nicht so einfach möglich, die zuvor vorgebrachten Argumente aufzugeben. Also muss auf Leerformeln, Nebelkerzen, Scheinargumente und spezielle grammatische Mittel zurückgegriffen werden, die die Regresspflicht mindern (Konjunktive, doppelte Verneinungen, Modalpartikeln usw.); dabei sind Kunstgriffe nötig, die über die inzwischen hinlänglich bekannte Leyen-Rhetorik hinausgehen.

2010 war ein Jahr der politischen Veränderung. Dabei veränderten sich auch politische Einstellungen: so wollen die Grünen im Düsseldorfer Landtag plötzlich für den Jugendmedienschutzstaatsvertrag stimmen, den sie in der Opposition verhindern wollten. Reinhard Bütikofer stimmt dem Gallo-Bericht zu Urheber- und Leistungsschutz zu. Und schon 2009 glaubten grüne Abgeordnete, nicht gegen das Zugangserschwerungsgesetz stimmen zu müssen. Alle rechtfertigten sich – oder versuchten es zumindest. Auch in den anderen Parteien gab es Veränderungen: Der Innenminister gab sich mal mehr mal weniger aufgeschlossen, wenn es um Netzpolitik ging. Die CDU forderte eine verlässliche Politik beim Bahnhofsbau, vollzog aber den Ausstieg aus dem Atomausstieg. Die SPD wollte mal wieder Netzpartei sein und forderte mehr Zeitungslektüre für Schüler. Wenn man wenige oder keine Argumente hat, weicht man auf Scheinargumente aus; was bleibt aber, wenn man in die eine Richtung argumentiert und in die andere Richtung entscheidet? Die Sprache des politischen Verrats und seiner Rechtfertigung gibt Aufschluss. Zu Wort kommen: Matthi Bolte, Reinhard Bütikofer, Peter Schaar und ein Politiker aus Stuttgart.

Annalee Newitz
Three jobs that journalists will do in 2050

Print media are dying, but what is rising up to take their place? In this presentation, I'll answer that question by describing three new kinds of jobs for journalists that do not exist in mainstream print media. These jobs are: hacker journalist, data-mining reporter, and crowd engineer. I'll be describing what these jobs entail, and current examples of organizations already employing people to do them.

My observations in this presentation are based on the nearly twenty years I have written for traditional print as well as new media publications, including zines like Bad Subjects and 2600, as well as mainstream media outlets like Wired and the Washington Post. I also created io9.com, the world's most widely-read blog devoted to science and science fiction. As I've watched friends and colleagues suffer through layoffs in the publishing industry, I've also seen the rise of new kinds of journalists who use technology to break stories in ways that would have been impossible even five years ago. Hacker journalists use everything from Perl scripts to open source mapping platforms to do investigative reporting (examples include writing at Ars Technica, as well as people working with the Ushahidi mapping platform). Data-mining reporters are people who analyze vast amounts of data to investigate issues from war crimes (using services like Wikileaks) to the stock market "flash crash". Crowd engineers work on crowd-sourced news sites like Reddit and Metafilter, writing algorithms and community software that makes it easy for people to share information. Like editors, crowd engineers can be very powerful figures who determine which information rises to the top. What these new journalists have in common is a newfound ability to aggregate and analyze information on a massive scale. Ultimately I'll explore how this changes the playing field in media, and why journalists of the future may be more powerful than ever before.

Jeroen Massar
How the Internet sees you

On the Internet one tends to think that one is pretty much safe from poking eyes. Taps in most countries can only be established after a judge has issued a warrant, thus upto such a tap is succesfully deployed one might think one is pretty much in the clear.

Most ISPs though actually employ a toolset comprising one of various NetFlow, IPFIX or sFlow protocols to do trend monitoring, billing and of course, the ability to try and establish which connections a certain IP address is making. During the CCC conference we will monitor the CCC network with NetFlow, collecting and directly anonimizing this information on IP basis. We will map a couple of well-known websites/trackers to a private IP range and preserving these mappings, while anonimizing the rest of the IP addresses, thus your anonimity is safe and please be yourself while using the network. Flow data will not be stored, thus we won't be able to go back and re-analyze the information. As a collector/analyzer we will be using the Anaphera tool by IBM Zurich Research Laboratory [1]. This tool is used in IBM datacenters and by customers of IBM worldwide for detecting malicious/unknown network traffic, traffic trending, anomaly detection, growth prognosis and billing. We'll be explaining the intriciate parts about NetFlow, IPFIX and sFlow, what the technologies are and how they work, hopping briefly in the big difference with taps and what they could see when they are deployed and also what we don't see now and what gets lost in the noise. We will be showing you what information and details can be taken from a flow based tool, so that you know what can be seen by ISPs around the world.

Frank Rieger
Ron
Security Nightmares

Was hat sich im letzten Jahr im Bereich IT-Sicherheit getan? Welche neuen Entwicklungen haben sich ergeben? Welche neuen Buzzwords und Trends waren zu sehen?

Wie immer wagen wir den Ausblick auf das Jahr 2011 und darüber hinaus, denn was wir wirklich wissen wollen, ist ja schließlich: Was kommt in Zukunft auf uns zu? Wir werden außerdem frühere Voraussagen hinsichtlich des Eintreffens unserer Weissagungen prüfen.

Adam
Tor is Peace, Software Freedom is Slavery, Wikipedia is Truth

The Internet began as state-sponsored anarchy, but it is now the tool of first resort for dissidents and propagandists alike. The poster-child project of the Free Software Movement runs on the authority of a single person; the rest clash over the very definition of the word 'free'. A company which pictured itself as smashing Big Brother is now seen as one of the perceived secretive and authoritarian in the industry; and for another, 'Don't Be Evil' is proving to be a challenging motto to live by.

This talk aims to present a view of the societies of Internet from the perspective of political philosophy. *Political philosophy is not politics*, in the same way that computer science is not programming. It's not the politics about the Internet, but the politics *of* the Internet. Even so, events at any particular place or time just provide examples to be studied. Political philosophy is meta-politics, it's about the trends in politics and the theories we use to understand them. Real-world political systems have striking parallels in the evolution of the Internet: there was primitive anarchy before Eternal September, the era of walled gardens resembled that of Ancient Greek city-states, which were succeeded by more-or-less liberal regimes following the geographical territories of real-world governments. Because of its rapid evolution, mass participation, and highly complex human interaction, the Internet should be subjected to the sorts of questions that political philosophers ask. On the Internet, what is freedom? Do we have obligations to those in control? To each other? What rights do we have? What can we own? Once we know the way it is, we can ask how it should be...

Lepht Anonym
Cybernetics for the Masses

Lightning talk on biohacking, complete with cyborg speaker, implant demonstrations, and knowledge of how to hack your own perception of electromagnetic radiation for approximately thirty Euros.

A talk on what's become my specialty - biohacking, or meathacking, whatever you wanna call it. I've got a full set of home-brewed implants, a subdermal RFID, a sort of cult on the Internet plus things like proven designs for cheap EM sensory nodes, experimental verification of that shit I'm claiming, etc. I have videos of procedures, photos of what I've been doing and the like, and will happily make gory slides for all to see. Can do demos of the EM nodes and RFID chip as well. I want to talk about the grinder movement - underground biohacking - it's my life. Thus, my article in H+ Magazine: "A call to arms for biohackers".

Sergey
Hackers and Computer Science

Although most academics and industry practitioners regard "hacking" as mostly ad-hoc, a loose collection of useful tricks essentially random in nature, I will argue that hacking has in fact become a "distinct research and engineering discipline" with deep underlying engineering ideas and insights. Although not yet formally defined as such, it are these ideas and insights that drive the great contributions that hacking has been making to our understanding of computing, including the challenges of handling complexity, composition, and security in complex systems. I will argue that hacking uncovers and helps to understand (and teach) fundamental issues that go to the heart of Computer Science as we know it, and will try to formulate several such fundamental principles which I have learned from hacker research.

At some point I realized that I was learning more about what really matters in computer science from hacker conventions, Phrack, Uninformed, and other hacker sources than from any academic source. Moreover, it wasn't just about exploits and vulnerabilities, it was about how systems were really designed, as opposed to how developers thought and students were taught they were. Then I realized that the reason for vulnerabilities that kept on giving were quite deeply theoretical and involved, e.g., theory of computation and information theory. Very little of this was quoted or understood in the academic publications. In this talk I will give a retrospective of hacker research that I believe has priority in developing or rediscovering important scientific ideas that define the discipline of information security. I will also argue that "hacking" has de-facto become a distinct engineering discipline with its own special methods and principles. 1. Hackers invented "cross-layer analysis" methodology. Hackers deal with trust properties of software, hardware, and human-computer systems. Other disciplines claim to study these properties, but hacker approach is radically different: while others focus of *layered designs* (like the OSI networking model or the application-library-system calls-kernel internals-drivers), hacking is essentially *cross-layer*. In a word, hackers essentially invented security analysis that focuses on trust assumptions in interactions between layers in multi-layer composed systems. It is not formalized to academic standards, but it's there and it delivers. In retrospect, the emergence of an engineering discipline that analyzed the trust effects of the prevaling practical method of developing complex computer systems - composing them out of mostly independently developed and tested components - was to be expected. Such analysis was sorely needed and would arise even if these issues were continually ignored by the recognized experts and authorities. As it stands, hacker research arose to fill this gap. Whereas for a regular developer the layers below or above are implicitly trusted to behave as specified (or at least as described in tutorials), hackers focus on how the layers actually interact, and how data and control actually flow through the layers. That is why in-depth rootkits (like Phrack 59:5, palmers@team-teso and similar) are the best possible reading for understand OS structure. I assign it in all my OS-related courses. That is why session hijacking through packet injection and other "Black Ops" a-la Ptacek, Newsham, and Kaminsky is best for understanding how TCP/IP stacks work: it shows exactly what data structures are kept by kernels to present the illusion of a session over stateless IP, and how they are controlled. 2. "Security is not Composable" Many of the best hacks are based on an interplay between composition of relatively secure parts resulting in new properties that make the composed system insecure. To a large extent, Hacking as a research discipline is a study of this phenomenon (which I will illustrate with examples from networks and systems). From the theory standpoint, for a system that is a composition of several sufficiently complex parts, there is no general algorithm or formal method to deduce properties of the composed system even if properties of parts are known. (This can be reduced to the Halting Problem or, equivalently, to Rice's Theorem). I will give examples of insecure system design based on simple assumptions about the compositional properties that cannot actually be verified in any algorithmic way -- and, as a result, these systems remain badly broken despite efforts to fix them. These systems will remain untrustworthy and yielding 0-days because their security is based on an undecidable problem that no amount of programming can solve. A prime example - taken to the next level of rigor in a major break-through by Len Sassaman and Meredith Patterson announced this year - is the case of X.509 certificates. It depends on the computations involved in parsing of the certificate signing request and the signed certificate by the CA and the browser respectively being equivalent (i. e., yielding the same result). However, the design of the X.509 protocol makes it computationally impossible to check this equivalence - and so the certificate system will keep on giving. Mostly likely, there is no "good enough" solution, unless a well-defined intermediary class of data structures involved is defined. Another example of the same thing is NIDS traffic re-assembly. The efficacy of NIDS depends on the re-assembly computation giving the same result on the NIDS and the target - and this is, in general, also computationally impossible (undecidable), with no "good enough" solution either. 3. Hackers re-define what "computation" means. Theory of computation concerns itself with proving what computing environments can and cannot do - e. g., that regular expressions cannot parse recursive structures (not that it is not being attempted, the last high-profile example being IE's regexp-based anti-XSS rewriting feature which gave rise to a whole new kind of exploits precisely because of this inability). Designers and developers base security of their systems on similar trust assumptions of what the systems can and cannot do. The problem is, they do not understand what computations their systems are *actually* capable of. From the early days of Aleph1 stack-smashing, hacking has a great history of exposing extra computational power in systems, and in demonstrating "weird" computations that were thought to be impossible. Hackers have been exposing unexpected "weird machines" actually contained in traditional computing environments, which supported unexpected programming models, with exploits as their "programs". Exploit development as a discipline is about recognizing a "weird machine" inherent in the target (which is usually Turing-complete or close) and writing code for it (in its "weird" instruction set, which may include calls to library functions, system calls, or just reachable pieces code from app to firmware). It's all about programming "platforms within platforms within platforms". A prime example is the story of developing the "return-to-known code" idea, from the original "return-to-libc" exploits first published by Solar Designer in 1997, through the detailed technique explanation in Phrack 2000-2001 (58:4, 59:5), to the recent fully featured compiler for kernel rootkits by Hund, Holz, and Freiling. The idea of such compilers, however, has been circulated in the hacker community since at least 2001, as I will show. It took about ten years for academia to recognize the power of this idea, which got named "Return-oriented Programming" or "ROP" in 2008. The idea that an exploit - that is, an actual program in its own right, executing on a "weird machine" - could contain *no* native executable code, and thus instead of looking for "malicious code" one had to watch out for "malicious computation" (this term itself coined in 2008) - would have been impossible without hacker research. In short, hacker research had re-defined the very idea of computation. 4. DoD "Orange Book" ideas re-born in hacker OS hardening patches. I will show how the classic 1970s ideas about building secure systems, such as those of the DoD "Rainbow series" and Tagged architectures, while long ignored by the commodity computing vendors like Intel, have been re-born in hacker hardening patches such as OpenWall, PaX, grsecurity patches, etc., and other creative uses of the x86 segmentation system, extra page table entry bits, and split TLB. I will give a historical perspective of these advances, from OpenWall to ShadowWalker and beyond. I will argue that it was hacker research and hacker proof-of-concepts that finally caused the industry to recognize the value of and implement hardware NX protection and introduce NX-based features like DEP into mainstream OS (I am indebted to FX for major parts of this argument). 5. The hacker development of the debugger into a Turing-complete environment. It is a fact that hackers (and, in particular, vuln dev and RE communities) have been the leading producer of debuggers ever increasing in power, and have in fact changed the very idea of the conventional debugger, by making it into a Turing-complete environment. This research involved a deeper understanding of how to use hardware trapping - including how to trap complex events such as "a page that has been recently written to by a user process was used to fetch an instruction from" (OllyBone). It opened new directions for security policy mechanisms, reference monitor design, etc., in both academia and industry (of which I will give examples). 6. Trust relationships as first-class networking objects. I will describe how hacker research into network deceptions and trust relationship mapping in networks created the methodology and the industry of network security assessment.

kornau
A framework for automated architecture-independent gadget search

We demonstrate that automated, architecture-independent gadget search is possible. Gadgets are code fragments which can be used to build unintended programs from existing code in memory. Our contribution is a framework of algorithms capable of locating a Turing-complete gadget set.

Translating machine code into an intermediate language allows our framework to be used for many different CPU architectures with minimal architecture-dependent adjustments. We define the paradigm of free-branch instructions to succinctly capture which gadgets will be found by our framework and investigate side effects of the gadgets produced. Furthermore we discuss architectural idiosyncrasies for several widely spread CPU architectures and how they need to be taken into account by the generic algorithms when locating gadgets.

TiffanyRad
International Cyber Jurisdiction

Concepts of sovereignty, freedom, privacy and intellectual property become amorphous when discussing territories that only exists as far as the Internet connects. International cyber jurisdiction is supported by a complicated web of international law and treaties. Jurisdiction hopping, a technique that is becoming popular for controversial content, is one we have used for the U.S. 1st Amendment censorship-resistant and non-profit hosting company, Project DOD, by using PRQ's services in Sweden. This technique is used to place assets in a diverse, but accessible, web of countries in which that content may be legal in the hosting country, but may have legal complications in the country in which it is accessed. As ownership and protection of property becomes a concept that is difficult to maintain across boundaries that are not easily distinguishable, can the U.S. "kill-switch" parts of the Internet and under what authority can it be done? Similarly, the geographic challenges to international cyber criminal law – and the feasibility of new sovereign nations – will be analyzed.

When a cybercrime is committed in a country in which the electronic communication did not originate, there is difficulty prosecuting the crime without being able to physically apprehend a subject that is virtually within – and physically without – a country's boarders. Similarly, a technique called jurisdiction hopping can be used to place assets in a diverse, but accessible, web of countries in which that content may be legal in the hosting country, but is not in the country in which it is accessed. Lastly, if the U.S. attempts to isolate damage by cutting off Internet connections, under what authority can it be done? This presentation will discuss the types of international laws and treaties that may be cited in the event of extradition of cyber criminals, legal and geographic challenges – such as new sovereign nations – to jurisdiction hopping and the authority with which the U.S. may "kill switch" the Internet. I will also discuss the practical example of where, as a result of our Project DOD case in U.S. Federal court, we have put non-copyright infringing materials on PRQ's servers in Sweden to reduce the incidences of Digital Millennium Copyright Act’s "Take Down" infringement notices that are illegitimate.

Martin Vuagnoux
News Key Recovery Attacks on RC4/WEP

In this paper, we present several weaknesses in the stream cipher RC4. First, we present a technique to automatically reveal linear correlations in the PRGA of RC4.

With this method, 48 new exploitable correlations have been discovered. Then we bind these new biases in the PRGA with known KSA weaknesses to provide practical key recovery attacks. Henceforth, we apply a similar technique on RC4 as a black box, i.e. the secret key words as input and the keystream words as output. Our objective is to exhaustively find linear correlations between these elements. Thanks to this technique, 9 new exploitable correlations have been revealed. Finally, we exploit these weaknesses on RC4 to some practical examples, such as the WEP protocol. We show that these correlations lead to a key recovery attack on WEP with only 9,800 encrypted packets (less than 20 seconds), instead of 24,200 for the best previous attack.

Nick Farr
Lightning Talks - Day 4

4 minutes for every speaker. Learn about the good, the bad, and the ugly - in software, hardware, projects, and more.

Give a lightning fast talk about your favourite project, program, system - and thereby find people with the same interest to proceed and promote it. Alternatively - give us a good rant about something and give us some good reasons why it should die. ;) Get right at it, don't waste time by explaining too much, get the main points across, and then let us know how to contact you on the congress for a talk! Whatever you do - please practise it, and don't be boring. Or else. You have been warned! :-P

Lars Weiler
Data Analysis in Terabit Ethernet Traffic

Network traffic grows faster than monitoring and analysis tools can handle. During the last two years a couple of appliances hit the market which help in finding the “bits of interest”. Recently installed strategies and solutions for carriers, banks or lawful interception organizations will be discussed as examples.

Quite every laptop nowadays is capable of handling Gigabit traffic. But doing a network analysis will hit the boundaries of CPU load quite quickly. Now, with 10GbE lines as the usual speed of carrier's and company's backbone, traffic monitoring and analysis became more and more painful. Even the biggest and most expensive analysis appliances on the market are barely capable of a real time traffic monitoring for more than 8Gbit/s. That's were a couple of vendors showed up and created devices which can handle multiple 10GbE lines at the same time. They call them “Active Distributed Traffic Capture Systems” or “Intelligent Data Access Networking Switches” – in short “Data Access Systems”. The primary use is for the aggregation and distribution of traffic. But all of the Data Access Systems are also capable of filtering traffic with the help of FPGA or CPLD techniques. So a carrier, bank or lawful interception organization can aggregate the data from many physical lines into one Data Access System, enter some filters with the help of a browser GUI, and distribute the resulting traffic to the analysis machines. It's easy to monitor 100 lines of 10GbE traffic. For competitive reasons, those vendors started to invent new features for a better or easier analysis of the data on the analysis devices. These include ingress port tagging, time stamping with nanosecond accuracy, slicing of packets and recalculation of checksums in realtime, blanking bits in packets, or even layer 7 filtering for e-mail and instant messenger addresses with full flow capturing. The interesting part for the usage is to create an infrastructure where even without data retention and a long term analysis specific users or just their communication with possible ”interesting“ data for intelligence agencies can be triggered and captured in real time. So, the process of the analysis can be quickened to quite no time. It's safe to say, that the flagship appliance by a vendor has been designed by request of US intelligence agencies. Of course, those devices have to be managed by administrators. For the ease of usage every vendor moved from a CLI based configuration interface to a shiny web GUI – with a couple of flaws. It is easy to break into the system or read out the configuration without access. This lecture will discuss the possibilities of today's data analysis with the help of these Data Access Systems. An overview of the features will help to understand that data analysis devices are not anymore the limiting factor in deep packet inspection of a huge amount of traffic. Examples will show what already has been set up and what is possible by companies and organizations – and which traffic they might monitor yet. During the last three years the speaker installed those appliances from different vendors at customers across Europe, gained deep knowledge of their usage, established a strong contact to the technicians and chief officers both at the vendors and customers side, and found out a lot about the hardware and software by reverse engineering.

Daniel Domscheit-Berg
OpenLeaks

Due to popular demand, the talk will give an introduction to the OpenLeaks system and the idea behind it.

kapejod
Having fun with RTP

A lot of people are interested and involved in voice over IP security. Most of the effort is concentrated on the security of the signalling protocols. This talk is focussing on the security of the voice part involved in todays voice over IP world. It is the result of the questions that I had to ask myself while i was debugging audio quality problems of customers and implementing a RTP stack from scratch.

The talk gives an introduction on the shortcomings of the Realtime Transport Protocol (RTP), how systems attempt to work around them and how they introduce security vulnerabilites. A few short demonstrations will give an idea on how they can be exploited in the real world (denial of service, man in the middle attacks, call redirection). The last part of the talk will discuss some solutions to fix those vulnerabilities.

SAAL 1

• 00:15
  Alien8
  Astro
  Pentanews Game Show
• 11:30
  Rop Gonggrijp
  27C3 Keynote
• 12:45
  Jérémie Zimmermann
  Copyright Enforcement Vs. Freedoms
• 14:00
  Alvar C. H. Freude
  Von Zensursula über Censilia hin zum Kindernet
• 16:00
  Johannes Ludwig
  Whistleblower-Netzwerk
  Whistleblowing
• 17:15
  Collin Mulliner
  Nico Golde
  SMS-o-Death
• 18:30
  Andreas Bogk
  Falk Lüke
  scusi
  Uli Blumenthal
  Netzneutralität und QoS - ein Widerspruch?
• 20:30
  axel
  Katarzyna Szymielewicz
  Patrick Breyer
  Ralf Bendrath
  Data Retention in the EU five years after the Directive
• 21:45
  Dominik Oepen
  Frank Morgner
  "Die gesamte Technik ist sicher"
• 23:00
  Bruce Dang
  Peter Ferrie
  Adventures in analyzing Stuxnet

SAAL 2

• 12:45
  Branko Spasojevic
  Code deobfuscation by optimization
• 14:00
  Dominik Herrmann
  lexi
  Contemporary Profiling of Web Users
• 16:00
  Oliver "Unicorn" Knapp
  Eins, zwei, drei - alle sind dabei
• 17:15
  Jochim Selzer
  Friede sei mit Euren Daten
• 18:30
  Ilja van Sprundel
  hacking smart phones
• 20:30
  datenwolf
  Desktop on the Linux... (and BSD, of course)
• 21:45
  vanHauser
  Recent advances in IPv6 insecurities
• 23:00
  Betty
  Gismo C.
  Spinning the electronic Wheel

SAAL 3

• 12:45
  Robert Spanton
  From robot to robot
• 14:00
  Nathan Fain
  Vadik
  JTAG/Serial/FLASH/PCB Embedded Reverse Engineering Tools and Techniques
• 16:00
  Felix Gröbert
  Automatic Identification of Cryptographic Primitives in Software
• 17:15
  Peter Stuge
  USB and libusb
• 18:30
  Franz Pletz
  lilafisch
  AllColoursAreBeautiful
• 20:30
  Christian Brandt
  Hacking iButtons
• 23:00
  Ertunga Arsal
  Rootkits and Trojans on Your SAP Landscape

• 00:15
  Agata Królikowski
  Constanze Kurz
  Ina Kwasniewski
  Jens-Martin Loebel
  Kai Kittler
  Marcus Richter
  Stanislaw Lem - Der enttäuschte Weltverbesserer
• 11:30
  Jeff Gough
  File -> Print -> Electronics
• 12:45
  Michael Steil
  Reverse Engineering the MOS 6502 CPU
• 14:00
  Karsten Nohl
  Sylvain Munaut
  Wideband GSM Sniffing
• 16:00
  Karsten Becker
  Robert Boehme
  Part-Time Scientists
• 17:15
  FX of Phenoelit
  Building Custom Disassemblers
• 18:30
  Alex Antener
  Corey Cerovsek
  Julien Quentin
  "The Concert"
• 20:30
  Daniel J. Bernstein
  High-speed high-security cryptography: encrypting and authenticating the whole Internet
• 21:45
  Bicyclemark
  Adventures in Mapping Afghanistan Elections
• 23:00
  Nicholas Merrill
  The importance of resisting Excessive Government Surveillance

SAAL 2

• 11:30
  Felix Domke
  Distributed FPGA Number Crunching For The Masses
• 13:00
  Astro
  Lying To The Neighbours
• 13:45
  Felix Geisendörfer
  Node.js as a networking tool
• 14:30
  Äpex
  xif
  Logikschaltungen ohne Elektronik
• 16:00
  Jesse
  Peter Eckersley
  Is the SSLiverse a safe place?
• 17:15
  Andreas Lehner
  Lars
  Literarischer Abend
• 18:30
  Andreas Bogk
  Defense is not dead
• 20:30
  Ralf-Philipp Weinmann
  The Baseband Apocalypse
• 23:00
  Marcus Nutzinger
  Rainer Poisel
  Secure communications below the hearing threshold

SAAL 3

• 11:30
  Guido Strack
  Wikileaks und mehr
• 12:45
  Nick Farr
  Lightning Talks - Day 2
• 14:00
  Mathias Payer
  I Control Your Code
• 16:00
  Oona Leganovic
  A short political history of acoustics
• 17:15
  Thomas Barth
  Netzmedienrecht, Lobbyismus und Korruption
• 18:30
  Florian Adamsky
  Techniken zur Identifizierung von Netzwerk-Protokollen
• 20:30
  Bernd Sieker
  "Spoilers, Reverse Green, DECEL!" or "What's it doing now?"
• 21:45
  Peter Franck
  Data Recovery Techniques
• 23:00
  Ralf-Philipp Weinmann
  The Hidden Nemesis

• 11:30
  Andreas Bogk
  Andy Müller-Maguhn
  Constanze Kurz
  Frank Rieger
  CCC-Jahresrückblick 2010
• 14:00
  Peter Welchering
  Ralph Müller-Schmid
  Tim Pritlove
  Willi Steul
  Radio der Zukunft
• 16:00
  bushing
  marcan
  sven
  Console Hacking 2010
• 17:15
  Daniel Domscheit-Berg
  IMMI, from concept to reality
• 18:30
  Harald Welte
  Steve Markgraf
  Running your own GSM stack on a phone
• 20:30
  Steven J. Murdoch
  Chip and PIN is Broken
• 21:45
  Felix von Leitner
  Frank Rieger
  Fnord-Jahresrückblick 2010
• 23:00
  Ray
  Stefan 'Sec' Zehl
  Hacker Jeopardy

SAAL 2

• 11:30
  seda
  A Critical Overview of 10 years of Privacy Enhancing Technologies
• 12:30
  Kay Hamacher
  Stefan Katzenbeisser
  Terrorists Win - Exploiting Telecommunications Data Retention?
• 13:45
  Angela Crow
  Ignorance and Peace Narratives in Cyberspace
• 14:30
  Wolfgang Beck
  SIP home gateways under fire
• 16:00
  Sylwester
  DIY synthesizers and sound generators
• 17:15
  Henryk Plötz
  Milosch Meriac
  Analyzing a modern cryptographic RFID system
• 18:30
  Sylvia Johnigk
  INDECT - an EU-Surveillance Project
• 20:30
  Betje Schwarz
  Doris Gerbig
  Kathrin Englert
  Digitale Spaltung per Gesetz
• 21:45
  Felix von Leitner
  Frank Rieger
  Fnord-Jahresrückblick 2010 (english translation)
• 23:00
  Hacker Jeopardy (english translation)

SAAL 3

• 11:30
  Nick Farr
  Lightning Talks - Day 3
• 14:00
  Sai
  Cognitive Psychology for Hackers
• 16:00
  Bernhard Fischer
  Safety on the Open Sea
• 17:15
  Renaud Lifchitz
  Android geolocation using GSM network
• 18:30
  Eleanor Saitta
  Your Infrastructure Will Kill You
• 20:30
  Harald Welte
  Reverse Engineering a real-world RFID payment system
• 21:45
  Julien Vanegue
  Zero-sized heap allocations vulnerability analysis
• 23:00
  Juergen Pabel
  FrozenCache

• 11:30
  Julia Wolf
  OMG WTF PDF
• 12:45
  maha/Martin Haase
  Ich sehe nicht, dass wir nicht zustimmen werden
• 14:00
  Annalee Newitz
  Three jobs that journalists will do in 2050
• 16:00
  Jeroen Massar
  How the Internet sees you
• 17:15
  Frank Rieger
  Ron
  Security Nightmares
• 18:30
  Frank Rieger
  Closing Event

SAAL 2

• 11:30
  Adam
  Tor is Peace, Software Freedom is Slavery, Wikipedia is Truth
• 12:45
  Lepht Anonym
  Cybernetics for the Masses
• 13:45
  Sergey
  Hackers and Computer Science
• 14:30
  kornau
  A framework for automated architecture-independent gadget search
• 16:00
  TiffanyRad
  International Cyber Jurisdiction
• 17:15
  Martin Vuagnoux
  News Key Recovery Attacks on RC4/WEP

SAAL 3

• 11:30
  Nick Farr
  Lightning Talks - Day 4
• 14:00
  Lars Weiler
  Data Analysis in Terabit Ethernet Traffic
• 16:00
  Daniel Domscheit-Berg
  OpenLeaks
• 17:15
  kapejod
  Having fun with RTP