32c3 - Highlights from the 32nd Chaos Communication Congress

Here is my personal shortlist of talks that I found most interesting. All talks are available online at media.ccc.de!

Fun Talks

Beyond your cable modem

In a short and entertaining talk, Alexander Graf shows how he by accident discovered how to gain complete control over three million routers in the network of the German ISP Kabel Deutschland. With this access he could dial expensive 0900 phone numbers, intercept phone calls and all other traffic through the router, and attack other devices in the local network like IP cameras or other “smart” devices, which often do not require additional authentication. This again shows that many systems are built without any security in mind and this was especially true 10 years ago and many systems do not get security audits as long as they work.

The exhaust emissions scandal („Dieselgate“)

In this exciting talk, Daniel Lange and Felix "tmbinc" Domke give more background information on the exhaust emissions "scandal", based on their knowledge. Daniel gives insights on what is driving the Car Industry today and Felix Domke explains his findings when reverse-engineering the ECU, the “brain” of the car engine.

Politics

Safe Harbor

Max Schrems, known as the man behind http://europe-v-facebook.org/, gives background information on the story how the Safe Harbor deal, which allowed EU-US data sharing, was ruled invalid by the European Court of Justice in the light of the revelations over US surveillance by Edward Snowden. This small guy vs. big regime story is definitely a must see. My overall impression from the talk was that many politicians are simply not educated well enough to understand the Snowden revelations and lobbyists can abuse that, but if they get properly educated by initiatives like the one form Max, they actually sometimes make good decisions.

Grundrechte gelten nicht im Weltall!

Die absurdesten Szenen aus dem NSA-BND-Untersuchungsausschuss

In den nunmehr Hunderte A4-Seiten füllenden Live-Protokollen des NSA-BND-Untersuchungsausschusses, die bei netzpolitik.org nachzulesen sind, verbergen sich interessante Antworten auf Fragen, die niemand gestellt hat, vorher unbekannte juristische „Theorien“ des BND und Perlen verlogener Rabulistik.

Ein Abgrund von Landesverrat

Wie es dazu kam und was daraus zu lernen ist

Markus Beckedahl erläutert Details wie er beinahe zum Landesverräter gemacht wurde.

Informative

Hardware-Trojaner in Security-Chips (German)

Als nicht Electrical Engineer fand ich diesen Vortrag sehr gut geeignet um einen Überblick über Möglichkeiten, Backdoors in Hardware einzubauen zu bekommen: Es ist (viel) einfacher als man denkt! Und Hardware backdoors sind sehr sehr schwer zu finden. Ich denke, wir werden in den nächsten Jahren noch viel dazu hören, gerade weil jetzt immer mehr backdoors erkannt werden, werden die Überwacher nach Möglichkeiten suchen diese besser zu verstecken.

Building and Breaking Wireless Security

This 30 minute talk was given by jiska who is a PhD student at TU Darmstadt. She summarizes findings in Wireless Security and also scratches the surface of ways to make it more secure.

How the Great Firewall discovers hidden circumvention servers

Philipp Winter explains how the great firewall of china works. Interestingly, the great firewall is very sophisticated in some aspects. For example it makes DPI for every packet and maintains quite some state such that it can also combine multiple packages. On the other hand it is extremely stupid in some aspects. For some time it was downloading lists of IP addresses from unwanted websites and when the maintainers of those websites put the addresses of popular services in them, whole China was not able to access those sites anymore.

(Un)Sicherheit von App-basierten TAN-Verfahren im Onlinebanking (German)

Many banks nowadays provide smartphone apps to do mobile banking. Many banks mandate that each transaction is authenticated through a one-time password, called TAN. This TAN is usually sent to the user via a different channel, e.g. SMS text message, snail mail, or dedicated hardware devices. The problem is that when users are on the go, they usually do not carry a separate phone to receive the TAN nor any other dedicated hardware for generating the TAN. Hence many banks now provide a separate app for receiving the TAN. Of course this is unsecure because if the smartphone is infected with malware, the attacker has full control over what both apps are doing. Hence the bank tries to make it as hard as possible to tamper with the TAN app in practice. In his Talk, Vincent Haupert shows that this fails in practice and that anyone is able circumvent the applied security mechanisms with minimal effort.

Classics

Fnord Jahresrückblick

Jahresrückblick des CCC

Security Nightmares 0x10

Ten years after “We Lost The War”

Other Stuff

Sonic Pi (http://sonic-pi.net/)

With this software you can express music in code. Great for kids to learn how to code and exciting for geeks to play with.

Talks that were recommended to me but which I could not watch yet

Quantenphysik und Kosmologie (German)

Eine Einführung für blutige Anfänger

Wie man einen Blackout verursacht und warum das gar nicht so einfach ist. (German)

Der steigende Anteil der Erneuerbaren Energien an der Stromerzeugung und der zunehmende Handel mit Strom erhöht die Belastung der Stromnetze. Welche Auswirkungen hat das auf die Netzstabilität? Wann kommen die Stromnetze an ihre Leistungsgrenze? Wie kann ein gezielter Angriff auf das Europäische Verbundnetz aussehen? Was müsste man tun, um einen Blackout zu verursachen? Und: Wie können wir unsere Stromnetze umbauen, damit das nicht passiert?