Archive for the ‘CCC’ Category

26C3 Review

Monday, January 18th, 2010

Attending last years CCCongress was a great pleasure. Although there were great lectures, it’s the spirit that’s the best part of the conference. Meeting all these nice hacker people, hanging around, talking, discussing, hacking is just brilliant. You’ve got all those smart hackers around you and it just can’t get boring.26c3 logo

A good way of socialising is, of course, visiting the various parties that take place. The Phenoelit party was awesome. Thanks FX for the invites :)

Besides drinking I spent time on some crypto problems and tried to investigate on the magnetic-stripe-card authentication in Hotels and Hostels. I found out, that all our cards for one room are equal, but not one card that has been obtained later. The data on the card is just ~100bits and I tried to find timestamps and room numbers in it but I failed. I blame my dataset to be too small. I’ll launch more advanced experiments next year. If you happen to have insider knowledge in magnetic-stripe locks, drop me a line.

I want to highlight two things about the last CCCongress. Firstly, Friend Tickets were available and the concept is just awesome: Basically you can propose a friend of yours you think would benefit of attending the CCCongress but has no way to cover the expenses. The organisers then decide whether you can get a discount (which will, of course, apportioned to every regularly paying attendee). I like to see this solidarity among hackers. Unfortunately, no stats are available to see how many people were enabled to come through this method. I hope, having these friend tickets will be considered next year again. So if you wanted to come to the CCCongress but feared the expenses, consider asking for a discount. Just for the record: The prices are at rock bottom anyway: 80 Euros for a 4 day conference of this kind is amazingly cheap. Thanks to all the angels! :-)

The second noteworthy concept to distribute the CCCongress as much as possible (called Dragons Everywhere). The idea is fantastic: Increase the number of attendees as much as possible by building mini conferences and stream the most important things. It would be even better, if the gatherings had a feedback channel, i.e. Webcam. Hopefully, it’ll be better next year, i.e. better and more reliable streaming services and more places, especially in Berlin, because many people were sent away because the conference was already sold out :(

If you want to get a feeling of what the CCCongress is like, you might want to have a look at the recordings. If you organize a public viewing, make sure you show these videos :-) Based on the feedback, the best talks were:

And for entertainment, the following German talks are very good:

I hope you enjoy watching the CCCongress and consider coming in next year!

jOEpardy at Easterhegg09

Friday, October 30th, 2009

I held a jOEpardy session at Easterhegg09! I guess, you know what a Jeopardy is, if not, have a look at the Wikipedia :-P

The people were entertained and hopefully learned something ;-) Sadly, the hardware didn’t really work :( The buzzer were somewhat broken so that we actually had to try to see (with our eyes) who pushed the button first. Funnily enough, I *did* test the setup extensively just 10 minutes before the gig! Very weird.

The Questions can be found here: Round 1, Round 2, Round 3, Round 4. But it doesn’t make much sense without the jOEpardy software, unless you parse the XML on your own.

The software is a Java Application which was initially written by TriPhoenix! I haven’t written Java for a long time and I have to admit, that writing Java with Eclipse is actually fun! Eclipse is so smart and tightly integrated in the build process that it’s quite easy to write, build and debug. I wish there was such a good IDE for C or Python. Sadly, I think that Java Code is bloated although <2.500 LoC for a jOEpardy is not too bad I’d say :-)

I actually thought I could release the jOEpardy code by now (and thus waited with this post…), but I still have to resolve copyright questions.

CCC Artwork

Sunday, September 20th, 2009

There are several images related to the CCC which I looked for for quite some time. Probably the oldest is the Pesthoernchen (also as SVG):

The Pesthoernchen

The Pesthoernchen

While you can get the image above from the official Logos, you can’t get the lower ones (yet): Sterntastatur from 18C3 (Hacking Is Not A Crime) also as SVG:

Sterntastatur - Logo of the  18C3

Sterntastatur - Logo of the 18C3

You might like the inverted version (also as SVG): 18C3 Logo invertiert

There is a modified version which aims to be more like the original RAF logo by mimicking a shotgun (also a SVG):

Sterntastatur2 - More like the RAF logo

Sterntastatur2 - More like the RAF logo

Hacking Is Not A CrimeHacking Is Not A Crime

Datenspuren 2009 – Call for Participation

Tuesday, September 1st, 2009

Die Datenspuren in Dresden gehen wider erwarten in eine neue Runde! Es ist schoen zu sehen, dass sich ein neues Organisationsteam im C3D2 Umfeld geformt hat und die gemuetliche Konferenz ans Laufen bringt. Obwohl ich selber noch nie da war, soll es eine ueberschaubare Konferenz sein, die sich weniger um Technik, als um praktische Datenvermeidung und Risiken der glaesernen Gesellschaft dreht. “Hands off – Privacy on” lautet das diesjaehrige Motto: Finger weg von den Grundrechten; der eigenen Privatsphäre bewusst werden.

Datenspuren 2009 Flyer Front

Datenspuren 2009 Flyer Front

Wenn du also am 03.10.2009 und 04.10.2009 nichts vor hast, bist du herzlich eingeladen nach Dresden in die Scheune zu kommen! Der Eintritt ist frei.

Auch darfst du ueber das Pentabarf deinen Vortrag oder Workshop einreichen, die Schwerpunkte sollen dieses Jahr sein:

  • Datenspuren im täglichen Leben
  • Missbrauch von Daten
  • Rechtslage
  • Sicherheit und Prävention
  • Digital Resistance
  • Hacking
  • Technikfolgenabschätzung
  • Informationsfreiheit
  • Aufklärung und Diskurs
Datenspuren 2009 Flyer Back

Datenspuren 2009 Flyer Back

Back from HAR2009

Thursday, August 20th, 2009

I have just arrived from HAR2009 which was a very awesome event! We were camping for 5 days, drinking beer and attending lectures. Some of us visited Workshops, but sadly I didn’t. I probably was too busy attending talks and visiting the Toasti booth ;-)
Har2009 Logo

The CCC has built up a great Dome as well as a big tent for hacking. CCCHH brought Milliways, the last pub at the end of the universe and it was a really cool place to hang out. There were many people from different countries which made it really interesting and enjoyable to just be there. Last but not least, the beer was great ;-)

Others have brought a GSM Network! How awesome is that?! Harald Welte and his fellow GSM-Tent members have set up the “42” Network and we were able to place as many (internal) phone calls and SMS as we liked. Of course, we started to script that ;-) So I found out, that sending an SMS via a serial connection to my phones modem is as simple as the following lines:

import serial
import time
 
DEVICE = '/dev/ttyACM0'
 
def send_sms(nr, msg):
    ser = serial.Serial(DEVICE, 115200, timeout=1)
    ser.write('AT\r')
    line = ser.readline()
    line = ser.readline()
    assert line == "OK\r\n"
 
    ser.write('AT+CMGF=1\r')
    line = ser.readline()
    line = ser.readline()
    assert line == "OK\r\n"
 
    ser.write('AT+CMGS="%s"\r' % nr)
    ser.write('%s\n' % msg)
    ser.write(chr(26))
    time.sleep(3)
    lines = ser.readlines()
    print lines
    ser.close()

Sadly, I couldn’t hack more with the GSM network because it was shut down rather early and I didn’t use my computer much during the lecture time. So next time I’ll try to reproduce the Curse of Silence and play around with PDU SMS.

So I have been to a lot of interesting villages and I met some interesting people but sadly GNOME people couldn’t make it. Maybe we’ll have a GNOME Village next time… :) If you are interested in how the camp looked, watch this impressions movie or click through the media.

The next CCCamp will probably be in two years and according to rumours it’ll happen in Finowfurt again. I’m really looking forward to that event!

BufferOverflow Workshop at EasterHegg09

Sunday, August 16th, 2009

During Easterhegg I held a workshop together with hc. It was about Buffer Overflows, which used to be the most common security vulnerability a couple of years ago.

We gave a talk explaining the basic concepts of processes and how they work on x86 machines. This was heavily packed with information and I really think we couldn’t make everything clear in the first run. But as it was planned as workshop, we intended to give people stuff they can chew on ;-) Basically, we took stuff from the excellent Phrack article  Smashing the Stack for Fun and Profit which is nearly 13 years old by now.

As modern operating systems protect themselves against the consequences of buffer overflows, we prepared a virtual machine with QEmu/KVM so that exploits will work. It’s an old debian woody with an SSH daemon and build essentials.

Of course I have changed the image in the last minutes, because I wanted to improve it. And of course something went terribly wrong: The root filesystem was corrupted and fsck deleted important files, leaving the image in a useless state. We had to port my changes back to the old image.

Of course, we wanted to distribute the ~1GB image among our workshop guests. As we expected 50 people to show up and didn’t want to stress the WiFi so much, I intended to use BitTorrent, but it’s not as easy and smart as it could be: We are NATted, so using an external tracker would FAIL. Also, it can’t multicast the packets, which would perfectly make sense if many people start to download the torrent in the same network. We ended up having a usb pendrive and a thttpd serving the tarred image. Not very smart or efficient.

After the people ran that images, they couldn’t login with SSH due to a mysterious heisenbug. I suspect our last-minutes changes to be the culprit but I can’t provide a more technical error description. The SSH daemon worked quite well *in* the image, but as soon as you wanted QEmu to redirect the traffic into the machine, it FAILed: The connection was established, but no data was transferred. Could be a bug in QEmu as well.
The people either worked through the QEmu widget or set up a TUN device to get the network up and running…
That pissed some people off which then left. We ended up with 20 people trying to hack themselves :)

We prepared examples in the image, some of them copied from Gera, e.g.:

/* stack1.c                                     *
 * specially crafted to feed your brain by gera */

int main() {
	int cookie;
	char buf[80];

	printf("buf: %08x cookie: %08xn", &buf, &cookie);
	gets(buf);

	if (cookie == 0x41424344)
		printf("you win!n");
}

The people were supposed to make the program print “you win!”. If you know, how a stack works, it’s actually simple. Do you know, what input you have to feed in order to win!?
Oh, you don’t want to compile this program with anything other than -O0 because the compiler rearranges the variables on the stack so that you can’t overwrite the integer…

In the end, I think I am satisifed with the workshop, although things could have worked better. We had pretty smart people which were really curious how stuff works. They have learned a lot and I guess they had fun with that as well :)

mrmcd0x8 – Call for Participation

Monday, July 6th, 2009

Die MetaRheinMain ChaosDays gehen in eine neue Runde *yay*! Ich werd’ wohl dieses Jahr nicht koennen, aber ich war ja nun auch schon oft genug dort ;-) Wenn du einen Vortrag oder einen Workshop einreichen willst, benutze bitte das Pentabarf. Ein Grund, etwas einzureichen (oder um einfach nur hinzugehen) ist das Pornophonique Konzert! Wirklich empfehlenswert.

c&p von der offiziellen Seite:

Der CCCMZ, C3F2M, CCC Mannheim, oqlt, der IT Stammtisch Darmstadt und CDA laden zu den achten MetaRheinMain ChaosDays ein.

Die MetaRheinMain Chaosdays 0x8 sind ein jährlich stattfindender Kongress, der dieses Jahr unter dem Motto “Zurueck zum Thema” mit den Themenschwerpunkten Journalismus, Gesellschaft und Technik vom c3f2m Frankfurt, CCCmz (Mainz/Wiesbaden), der Hochschulgruppe Chaos Darmstadt, dem AK Vorrat und weiteren regionalen Gruppen im Rhein-Main-Neckargebiet organisiert wird. Die MRMCDs finden dieses Jahr vom 04.09-06.09.2009 an der Technischen Universität Darmstadt statt. Drei Tage lang werden Vorträge, Diskussionen und ein Hackcenter geboten.

Die Vorträge und Workshops richten sich mit Themen sowohl an die breite Öffentlichkeit, als auch an spezialisierte Interessen. Auf diese Weise soll die wissenschaftliche Anbindung und der Bezug zum aktuellen öffentlichen Diskurs gewahrt werden. Folgende Schwerpunkte bilden das Rückgrat der Veranstaltung:

  • Journalismus
  • Gesellschaft
  • Technik

Darunter fallen z. B.: Wahlmaschinen, Überwachung, Kryptographie, IT-Sicherheit, Biometrie, Vorratsdatenspeicherung, BKA-Gesetz, Elektronische Gesundheitskarte, Auswirkung der Weiterentwicklung von Technik auf die Gesellschaft, Chaos Kultur, Projekt- und Selbstmanagement.

26C3: Here Be Dragons

Tuesday, June 16th, 2009

Well well, the next Chaos Communication Congress has been officially announced *yay*! This years motto will be Here Be Dragons.

This motto is not as bad as I intuitively thought. It reflects the current political situation pretty well: It seems as if the politicians are actively avoiding knowledge in the area of IT.

HERE BE DRAGONS

You should consider to come by as well as sending in a paper! You have time until 2009-10-09 to submit your proposal via Pentabarf.

I don’t know if I can make it, but I’ll certainly try :)

Taxi from Hamburg to HAR2009

Wednesday, June 3rd, 2009

Pre-Sense is sponsoring a bus ride for up to 30 people to the HAR2009! The way back to Hamburg is sponsored as well. Also, you can win two HAR tickets! :)

HAR Plakat

It’s very kind of that young company to sponsor that trip and thus enable young hackers to meet with the brightest people in the IT-Security area. I wonder if they hope that some of these young hackers will take one of their open positions in the future ;-)

Anyway, feel free to register for the bus ride or win a ticket. The details can be found at http://www.pre-sense.de/har2009.html.

Easterhegg 2009

Monday, April 6th, 2009

The Hamburg branch from CCC is going to hold the annual Easterhegg! If you have spare time around easter (2009-04-10 till 2009-04-13) then consider to come around!

Easterhegg Logo

Easterhegg Logo

Also, see the website for further information.