Archive for the ‘lang:en’ Category

(Late) report on 30C3

Friday, January 31st, 2014

Oh, I almost forgot to report on this year’s CCCongress, 30C3. The thirtieth CCCongress. It has grown considerably over the last few years. We’ve reached over 9000 visitors whereas we had 4000 a couple of years ago. The new venue in Hamburg is amazing. Despite the impressive number of attendees, it didn’t feel crowded at all. So many nice details made the venue just awesome. It really felt like it was *the* place to be. A rather big detail was the installation of a letter shoot. Yes, a real pneumatic postal delivery system. With routing and all. Just amazing.

That’s pretty much all I have to say. It was, of course, nice to meet so many old friends and people. I couldn’t even say hi to all of the ones I wanted to meet. What follows is a bit of a rundown of some of the talks that I’ve actually seen, hoping you can evaluate whether you want to see any of that yourself.

I was a bit late for the conference, probably one of the first talks I’ve seen was DJB on, guess what, crypto. It even has a reference to Poettering (who I was also able to meet :-) )!

Funnily enough, Nate from the EFF mentioned DJB in his talk on disclosure Dos and Don’ts. He said that it would be smart to think about how much fuss one wants to make about a vulnerability at hand. Sure enough, the title needs to be catchy enough for people to notice. If you were DJB, then the lecture hall would be filled even if the title was “DJB has something to say”.

Something that stirred up the community was Assange’s talk. Apparently sabotaged, the Skype connection wasn’t all too good. But it was also not very interesting. The gist: Sysadmins: go to the three-letter agencies and carry out documents to become the next Snowden. Good advice.

As for carried-out documents, Jake Applebaum presented the NSA’s shopping cart which includes all sorts of scary techniques and technologies. If you only have time to watch one video, make it this one. That’s probably even safer than sitting in the audience. Just after he showed the reconnaissance tools for the investigators to combine various data sources, undoubtedly including cell phone location and people around you, he switched on his cell phone so that the audience would have a connection with him. The one who knows he is being spied on. It was a very emotional talk, too.

Another depressing thing was Jöran talking about the missed (digital) opportunities in education. The most noticeable thing he said was that Apple products are consuming devices only. But the reality is that they make it work 93% of the time as opposed to 90%. But that difference makes teachers use it…

Scarier was the presentation on exploration and exploitation of SD card controllers. You’re basically screwed. You have close to no idea what is running on the microcontroller on your SD card. And on the various other controllers you carry around. They got themselves access to the chip and were able to flash their own firmware. Doesn’t sound all too exciting, but it is an eye opener that your stupid, almost invisible SD card can spy on you.

A strange talk was the one on Digital Bank robberies. There are so many weird details they talk about. They claim to have been called in to investigate malware that was found on ATMs in Brazil. The weirdest thing for me was that the physical damage done to the ATMs went unnoticed. The gangsters needed to install a pendrive so they had to break the case. Which apparently isn’t all too secure. And then they had to make the ATM reboot to boot off the pendrive. Without having to press a key. It is unclear to me whether they could leave the pendrive or not. Apparently they could remove it, because if they couldn’t then the malware could have been found much earlier. But given that the ATMs reboot so easily, it would make sense to install the malware on the ATM’s hard drive. In that case they could have spotted the malware rather easily. Anyway, the presenting people were not Brazilian. Why would such a sensitive Brazilian investigation be undertaken by foreigners?

Another interesting, although weirdly presented, talk on X Security was given by Ilja van Sprundel. He looked at X code and identified a good number of easily exploitable bugs. No wonder given that the code is 30 years old… He also mentioned libraries on top of X such as GTK+ or Qt and explained how the security story from GNOME was very different from Qt’s. Essentially: The GNOME guys understood security. Qt didn’t.

On the more fun side, the guys from Ztohoven presented their recent work. They are probably best known for their manipulated video which ran during morning TV shows (IIRC).

In their presentation they talked about their performance for which they obtained numbers from parliamentarians and sent them text messages during a session that was aired live. Quite funny, actually. And the technical details are also interesting.

Another artsy piece is “Do You Think That’s Funny?” (program link) in which the speaker describes the troubles their artistic group had to go through during or after their performances. They did things like vote auction (WP), Alanohof, or AnuScan, and their intention is to make surveillance visible and show how it makes activists censor themselves.

Applying international Bahn travel tricks to save money for tickets

Thursday, November 21st, 2013

Suppose you are sick of Tanzverbot and you want to go from Karlsruhe to Hamburg. As a proper German you’d think of the Bahn first, although Germany started to allow long distance travel by bus, which is cheap and surprisingly comfortable. My favourite bus search engine is

Anyway, you opted for the Bahn and you search a connection, the result is a one way travel for 40 Euro. Not too bad:

But maybe we can do better. If we travel from Switzerland, we can save a whopping 0.05 Euro! Amazing, right? Basel SBB is the first station after the German border and it allows for international fares to be applied. Interestingly, special offers exist which apparently make the same travel, and a considerable chunk on top, cheaper.

But we can do better. Instead of travelling from Switzerland to Germany, we can travel from Germany to Denmark. To determine the first station after the German border, use the Netzplan for the IC routes and then check the local map, i.e. Schleswig-Holstein. You will find Padborg as the first non-German station. If you travel from Karlsruhe to Padborg, you save 17.5%:

Sometimes you can save by taking a Global ticket, crossing two borders. This is, however, not the case for us:

In case you were wondering whether it’s the very same train and route all the time: Yes it is. Feel free to look up the CNL 472.

I hope you can use these tips to book a cheaper travel. Do you know any ways to “optimise” your Bahn ticket?

Benchmarking raw user mode disk access for VirtualBox

Thursday, October 31st, 2013

I am working with a virtual GNU/Linux system, because the machine I’m working with must run a Windows on its bare metal.

I thought I wanted to give raw disk access to the guest, but it turns out that it is not very easy in Windows to give permanent permissions to a regular user. You can give permissions using the semi-official subinacl like so:

C:\WINDOWS\system32>"C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe" /noverbose /file \\.\physicaldrive1 /display=sddl

+File \\.\physicaldrive1

Elapsed Time: 00 00:00:00
Done: 1, Modified 0, Failed 0, Syntax errors 0
Last Done : \\.\physicaldrive1

C:\WINDOWS\system32> "C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe" /noverbose /file \\.\physicaldrive1 "/sddl=O:BUG:SYD:(A;;FA;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)(A;;FX;;;RC)"

Elapsed Time: 00 00:00:00
Done: 1, Modified 1, Failed 0, Syntax errors 0
Last Done : \\.\physicaldrive1

C:\WINDOWS\system32> "C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe" /file \\.\physicaldrive1 /display=sddl /display=owner /display=primarygroup

+File \\.\physicaldrive1

+File \\.\physicaldrive1
/owner =builtin\users

+File \\.\physicaldrive1
/primary group =system

Elapsed Time: 00 00:00:00
Done: 1, Modified 0, Failed 0, Syntax errors 0
Last Done : \\.\physicaldrive1

I needed to figure out that the language the ACLs are written in is SDDL, and how to give my current user or group all permissions. I failed doing that so I opted for giving all access to every entity known to the system… You can see the relevant SDDL in the listing above.
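To make that SDDL string readable, and to see what “all access to every entity” means for the ACL, here is a small parser and least-privilege audit. This is an added example, not code from the post; the alias and rights tables cover only common two-letter abbreviations, the “broad principal” list is my own choice, and the user SID at the end is a constructed placeholder.

```python
"""Parse an SDDL string (as passed to subinacl /sddl=...) and flag ACEs that
hand full control to everyone.  Added example, not from the original post."""
import re

# Subset of the well-known SDDL SID abbreviations.
SID_ALIASES = {
    "WD": "Everyone", "AU": "Authenticated Users", "AN": "Anonymous",
    "BG": "Builtin Guests", "BU": "Builtin Users", "IU": "Interactive",
    "SY": "Local System", "BA": "Builtin Administrators", "RC": "Restricted Code",
    "LS": "Local Service", "NS": "Network Service",
}
# Subset of the two-letter rights tokens.
RIGHTS = {
    "FA": "File All", "FR": "File Read", "FW": "File Write", "FX": "File Execute",
    "GA": "Generic All", "GR": "Generic Read", "GW": "Generic Write", "GX": "Generic Execute",
    "RC": "Read Control", "SD": "Delete", "WD": "Write DAC", "WO": "Write Owner",
}
# Principals that effectively mean "anyone"; granting them full control
# defeats the purpose of the ACL (assumption: what an auditor wants flagged).
BROAD_PRINCIPALS = {"WD", "AU", "AN", "BG", "BU", "IU"}
# WD/WO let the holder rewrite the ACL itself, so they count as full control.
FULL_CONTROL = {"FA", "GA", "WD", "WO"}
GENERIC_ALL = 0x10000000      # GENERIC_ALL bit in a hex access mask
FILE_ALL_ACCESS = 0x1F01FF    # STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1FF


def parse_sddl(sddl):
    """Split 'O:..G:..D:..S:..' into owner, group, DACL flags and a list of ACEs."""
    sections = {}
    markers = list(re.finditer(r"([OGDS]):", sddl))
    for i, m in enumerate(markers):
        end = markers[i + 1].start() if i + 1 < len(markers) else len(sddl)
        sections[m.group(1)] = sddl[m.end():end]
    dacl = sections.get("D", "")
    flags = dacl.split("(", 1)[0]          # e.g. "P", "AI", "PAI" before the first ACE
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, ace_flags, rights, _obj, _inh_obj, sid = fields
        if rights.startswith("0x"):
            rights_list = [rights]          # raw access mask, kept verbatim
        else:
            rights_list = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        aces.append({"type": ace_type, "flags": ace_flags,
                     "rights": rights_list, "sid": sid})
    return {"owner": sections.get("O"), "group": sections.get("G"),
            "dacl_flags": flags, "aces": aces}


def _is_full_control(rights_list):
    for r in rights_list:
        if r in FULL_CONTROL:
            return True
        if r.startswith("0x"):
            mask = int(r, 16)
            if mask & GENERIC_ALL or (mask & FILE_ALL_ACCESS) == FILE_ALL_ACCESS:
                return True
    return False


def audit_dacl(sddl):
    """Return human-readable findings for allow-ACEs granting broad groups full control."""
    findings = []
    for ace in parse_sddl(sddl)["aces"]:
        if ace["type"] != "A":
            continue                        # deny/audit ACEs do not widen access
        if ace["sid"] in BROAD_PRINCIPALS and _is_full_control(ace["rights"]):
            who = SID_ALIASES.get(ace["sid"], ace["sid"])
            what = ", ".join(RIGHTS.get(r, r) for r in ace["rights"])
            findings.append("%s granted %s" % (who, what))
    return findings


def full_access_sddl(principal_sid, owner="BU", group="SY"):
    """Build the ACL the post was after: full access for one principal plus
    SYSTEM and Administrators, and nothing for Everyone."""
    aces = [("A", "FA", "SY"), ("A", "FA", "BA"), ("A", "FA", principal_sid)]
    dacl = "".join("(%s;;%s;;;%s)" % ace for ace in aces)
    return "O:%sG:%sD:%s" % (owner, group, dacl)


if __name__ == "__main__":
    POSTED = "O:BUG:SYD:(A;;FA;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)(A;;FX;;;RC)"  # from the post
    for finding in audit_dacl(POSTED):
        print("finding:", finding)
    # Constructed placeholder SID; look up your own with "whoami /user".
    print(full_access_sddl("S-1-5-21-0-0-0-1001"))
```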

But that change will only survive until the next reboot. To make the change permanent, an unofficial tool called dskacl can theoretically be used. Apparently it tries to write special values to the Windows Registry. Although I found my way through the documentation, I couldn’t make it work. It actually failed so hard on me that even Windows could not see the drive itself. So make a good contingency plan before even trying to make it work. It’s not really meant for attached disks, but rather external disks via USB. Anyway, I thought I’d have to redo the above mentioned step on every boot.

The question I had was whether it’s actually worth it. I assumed that it would be a speedup to write directly to the hard drive without having to go through Windows and VirtualBox’s VDI layer before hitting the disk.

So I measured my typical workload: compiling Chromium. As it is what I’m working on, I want compilations to happen as quickly as possible.

My technique was the following:

rm -rf out
time ninja -C out/Debug chrome

I did a handful of runs to compensate for some irregularities that might happen on the host (or in fact, on the guest…).

When writing on an Ext4 straight onto the disk, I get the following results:

real 61m59.895s
user 322m52.832s
sys 46m49.268s

real 61m25.565s
user 318m40.680s
sys 46m7.608s

real 58m59.939s
user 320m36.500s
sys 46m28.336s

Having an Ext4 filesystem in a VDI container on an NTFS partition yields the following results:

real 60m50.360s
user 322m18.184s
sys 47m3.588s

real 57m30.324s
user 318m48.752s
sys 46m52.016s

real 63m29.179s
user 328m55.004s
sys 48m4.692s

I couldn’t test shared folders, because either NTFS or, in fact, vboxfs doesn’t support operations needed for the compilation. I guess it’s VirtualBox’s fault though…

My interpretation of the results:

Writing directly to the disk seems to be marginally slower than going through the VDI container. At best, there is no significant deviation from writing to the container. I decided that it’s not worth writing straight to disk. Going through the VDI container and through Windows is fine. Especially with all the risks involved such as Windows not being able to see the drive at all.

I acknowledge that my data is a bit flawed. It is likely that you cannot generalise my findings for any other workload. The method is also questionable as I didn’t flush caches or take care of anything disturbing my measurements. If you do measure yourself, I’m interested in getting the results.


Sunday, September 15th, 2013

It’s been a while since I attended the mrmcds. In 2011 the event did not take place and I couldn’t make it the year after. Fortunately, 2013 allowed me to participate and I was heavily surprised by the quality of everything. The (newish) location, the people, the provided catering, the atmosphere, …

wlan stats

The event itself is relatively small. I don’t have numbers but I felt like being surrounded by 100 people. Although the stats about connected devices suggest there were at least twice or thrice as many people present.


The talks were good, a refreshing mix of technical and non-technical content. With an audience generally inclined to discuss things. That allowed for more lively sessions which create new insights, also for the speakers. My favourite was Akiko talking about her job as air traffic controller. I learned a lot about how the aviation industry is organised and how various pieces fit together.

fukami doro

Fukami keynoted the conference and tried to make us aware of our ethics. Surveillance was made by hackers, he said. People like you and me. The exercise for the audience was to further think and conclude that if we didn’t help implement and deploy surveillance infrastructure, it wouldn’t have gotten that bad. While the talk itself wasn’t too bad, I wonder who the target audience was. If it was meant to wake up young hackers who have not yet adjusted their moral compass, it was too weak. The talk didn’t really give advice as to how to handle dubious situations. If it was not meant for those hackers, then why talk about it in a very basic way and not ask hard questions? Anyway, I enjoyed seeing the issue of people’s responsibility coming up and creating a discussion among the hackers.

Enjoy Cock

Stef’s and my talk went well, although it was in the very last slot of the conference. After two long party nights. I barely made it to the talk myself :D We presented new ideas to guide the user when it comes to security critical questions. If you have been to GUADEC, then you haven’t missed much. The talk got a slight new angle though. In case you are interested in the slides, you can find them here.


The design of the conference was very impressive. The theme was aviation and not only did we have an impressive talk monitor as seen above, we also had trolleys with drinks and food as well as the time for various interesting locations. We also received amazing gadgets like the laser engraved belt made from the typical airplane seatbelt.

As always, parties were had with own DJs, light show, beer straight from the tap, cool people and music. To summarize: I’m glad to have visited a very enjoyable event. It’s a pleasure to be around all those smart hackers and to have inspiring discussions. I’m looking forward to next year.


OWASP AppSec Research EU 2013 – Hamburg

Friday, August 30th, 2013

I was lucky to be able to attend OWASP’s AppSec EU Research conference in Hamburg, Germany. I’ve been to the one in Dublin and looked forward to the German edition. With 400+ attendees I thought that the conference was surprisingly well attended. And rightfully so. The people organising it were doing a fantastic job. Everything seemed to work smoothly and although I volunteered I was able to see a good bunch of talks.

The program looked promising and most of it was quite good. I was told that there will be recordings soon which is also quite remarkable. The video team definitely deserves a round of applause. So does the venue. We were locked up in the uppermost floor of the Emporio, which allowed for awesome views over Hamburg. Although I’ve lived in that beautiful city for so long, I didn’t realise one could actually get such a nice view from a conference room. Sometimes it was hard to not get distracted by the views during the talks…

The first talk I attended was given by Paul Stone and he showed us how he reads your browsing history and pixels. This is amazing work. He exemplified the significance of these attacks by showing how to obtain the Google+ profile information. His trick was to apply some obscure SVG filters to HTML elements. Based on the amount of time it took to do so, he could deduce whether the pixel was black or white. He leveraged that possibility to read source code by analysing properties of the fonts used and what key pixels exist to tell which character was rendered. So amazing. If you have time to only watch one talk, it should be this one.

The next talk on Burp was given by Nicolas Gregoire. I was not so impressed, because it was mainly a tutorial as to where to click to make it do $things. But I was told by people actually using Burp that it was insightful and interesting.

Taras Ivashchenko from Yandex was talking about Content Security Policy (CSP). I was surprised to learn that Yandex have their own browser. And that their bigger service is mail. I thought it was search. The title of the talk promised an answer to the question whether the CSP was actually useful. He didn’t deliver though. But it gave an insight to how a big company with a well used web site deploys CSP. Unfortunately, he couldn’t tell how much effort it actually was and whether it was actually an economical decision.

He reminded us that the CSP was a second line of defense. It’s not a solution to broken code which does not escape properly. It’s merely a parachute to land safely in case you screwed up. I found it interesting that he mentioned ten contexts that one would potentially need to escape for. My conclusion is that JavaScript is probably the worst language to use on the Web as it offers only two escaping functions. And not even for the most important contexts like plain HTML. I’m curious to learn about all ten contexts. Another interesting idea he presented was that CSP may allow inline scripts if they are “signed”. The “signature” was a random string that is shipped with a header and the script element on the page must carry a “nonce” attribute with that random number.
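The nonce mechanism described above, modelled in a few lines: the server mints a fresh random value per response, advertises it in the header, and only inline scripts carrying that value run. This is an added example, not code from the post or from Yandex; the header shape and the injected fragment are constructed, and `scripts_allowed` is my own stand-in for the browser’s check.

```python
"""Per-response CSP nonces as a second line of defence: an inline script that
arrives through an escaping bug carries no nonce and is not executed.
Added example, not from the original post."""
import re
import secrets
from html.parser import HTMLParser


def make_nonce():
    """Fresh, unguessable nonce for exactly one HTTP response (never reuse it)."""
    return secrets.token_urlsafe(16)


def csp_header(nonce):
    """Content-Security-Policy value allowing inline scripts with this nonce."""
    return "script-src 'self' 'nonce-%s'" % nonce


def render_page(nonce, trusted_inline_js, untrusted_html):
    """Page template: the application's own inline script gets the nonce; the
    untrusted fragment is inserted unescaped, standing in for an escaping bug."""
    return ("<html><body>"
            "<script nonce=\"%s\">%s</script>"
            "<div id=\"content\">%s</div>"
            "</body></html>") % (nonce, trusted_inline_js, untrusted_html)


class _ScriptCollector(HTMLParser):
    """Collect the attributes of every <script> start tag in a document."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))


def scripts_allowed(html, header):
    """Model the browser's decision: for each <script> in `html`, would the
    script-src directive in `header` let it run?  Returns (nonce_attr, allowed)."""
    allowed_nonces = set()
    for directive in header.split(";"):
        parts = directive.split()
        if parts and parts[0] == "script-src":
            for src in parts[1:]:
                m = re.fullmatch(r"'nonce-([A-Za-z0-9+/_=-]+)'", src)
                if m:
                    allowed_nonces.add(m.group(1))
    collector = _ScriptCollector()
    collector.feed(html)
    result = []
    for attrs in collector.scripts:
        nonce = attrs.get("nonce")
        # External scripts (src=...) are governed by host sources; out of scope here.
        result.append((nonce, nonce is not None and nonce in allowed_nonces))
    return result


def demo():
    """Constructed scenario: a <script> lands in the page through the unescaped
    fragment but has no nonce, so the policy blocks it while the app's runs."""
    nonce = make_nonce()
    injected = "<script>alert('xss')</script>"      # constructed payload
    html = render_page(nonce, "init();", injected)
    return scripts_allowed(html, csp_header(nonce))
```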

Matryoshka was the theme of Eduardo Vela’s talk. The Google guy showed various hacks, one of them was “wrapping overflow leaks on frames (wolf)”. It was possible to get an idea of the word rendered on a page by messing around with the page’s width and height. With the information about the dimension you could detect when a scrollbar was placed and hence can find out how wide the wrapped word was. He claimed that especially new performance APIs were going to create a whole lot of privacy related issues. Another problem was the lack of a JSON format validator, he said. Several problems such as deep array parsing would currently exist. If you serialise a big enough array, you could get into trouble, he said.

A great show was delivered by Mario Heiderich talking about the innerHTML Apocalypse. He compared the three currently distinguished types of Cross-Site scripting (XSS), namely reflected, stored, and DOM-based XSS, with the three horsemen. The fourth horseman, he said, was “mXSS”, mutation-based XSS. Essentially it is circumventing HTML filter libraries by using mutations done by the web browser.

The problem, inappropriately shortened, was that people use “document.write” to inject elements into the DOM instead of using proper DOM APIs. But that is, he claimed, due to convenience. A call to “document.innerHTML” was so much easier than calling out to “createElement”, “addChild”, etc. And it is true. Too bad that, as we’ve learned earlier, using JavaScript is totally inappropriate to write web applications as it cannot even escape for the HTML context. Anyway, the browser is quite relaxed and accepts slightly malformed HTML. It will even do optimisations or transformations for you. Internet Explorer, for example, will happily drop quotes around arguments to HTML tags for you.

To make the long story short: CSS escapes are badly handled in many of the existing escaping libraries. So you could break out of the element’s contexts by cleverly using some CSS escape sequences. Also, SVG should be avoided at all costs. It’s a can of worms, he said. You could do so many evil things within SVG, like executing JavaScript, loading remote resources or accessing attributes.

OWASP AppSec Research EU 2013 was good fun. The location was absolutely fantastic. Probably the most noble venue I’ve been to for a conference. The organisation looked flawless and everything seemed to work out smoothly. Thanks for giving me the opportunity to meet great people. I hope to be able to do so for the next conference.

GUADEC 2013 in Brno

Thursday, August 8th, 2013

I also attended this year’s GUADEC and it was quite good. Especially because the weather was so nice. It was so burning hot that I sometimes wished it wasn’t; especially in the night… My room in the Taufer dormitories, whose service was basic at best, was heating up so heavily over the day that it took until 4 in the morning to be cool enough to be able to sleep. When opening the cold (!) water tap, the water was as warm as a mildly hot shower… But well, GUADEC is not about sleeping anyway, right? ;-)

I was kept busy with various meetings before, during and after the conference and I piled up work lasting for a few months, I guess…

The conference itself was nicely organised. The bar was set quite high last year, so I didn’t expect this year’s team to match the overall quality. And they didn’t, but they were close. The staff was helpful and professional. Issues were dealt with promptly and quite well. I hope, again, that the knowledge gained can be transferred to future GUADEC organisers.

As for the talks, I couldn’t follow many of them. The ones I have seen were mostly great. We had (too?) many keynotes which were generally interesting. Too bad the crowd didn’t notice it was trolled by Ethan Lee. He is a game developer who ported games to Linux. The message was poor and I doubt we, GNOME, profited from this keynote. The next keynote was given by the CEO of Endless Mobile, a company which tries to leverage the potential of the “middle of the pyramid” to get the next billion users and “get 50% of the market share”. The idea is to bring a cheap enough, but also elegant enough device to the people who can afford a 40 inch TV (via loans) but not a PC. As they want to sell ARM devices, he asked us to make GNOME run better on ARM chips. Cathy Malmrose, CEO of computer manufacturing company zareason, was keynoting the last day. The company puts only GNU/Linux systems on their machines before shipping them to customers. The computers they sell range from desktops over laptops to tablets. She told us that we were quite well positioned, because GNOME was so easily usable by people who don’t have much or any experience with computers. That was very refreshing and I am happy that she told us that we were doing very well. She was opening a perspective many of us probably didn’t think about before. She was really enthusiastic about Free Software and my feeling was that she cared more about the Freedoms than many of the participants.

Other talks by members of the GNOME community were lively and one of the most enjoyable talks was given by the sysadmin team. It was nice to be able to applaud for them in person, because they are doing such a great job.

There were Twitter walls (hehe) in every room (supposedly made with QML) and I found them to be mainly distracting while at the same time not very informative. The news running over them was mostly not worth the electricity it consumed.

Anyway, thanks to the local team and all the sponsors for making such a great event happen! If you have anything to say, leave your feedback on the wiki.

Sponsored by GNOME!

Individuals contribute 20000 USD to make GNOME more secure and more privacy aware

Sunday, July 21st, 2013


I’m so excited. I’ve just pushed the last update to the current Friends of GNOME banner. We received donations worth 20000 USD to make GNOME more secure and privacy aware. It’s so awesome to see so many individuals donating to make GNOME better for them and ultimately for all of us.


We got 250 one-off payments and roughly 650 periodic payments from payment plans over the last 7 months. During that period, 52 payment plans were created with the average amount of 10 USD per month (the default setting). However, 51 plans were cancelled :-\ The one-off payments were worth 17600 USD and hence the average donation was about 70 USD.

Depending on how you do the math, the cost of taking the one-off donations was between 3.3% and 4.4%. I find that number surprisingly low, probably because I still can’t make sense out of PayPal’s fee structure. But there are probably some hidden fees that turn up once you actually want to do something with the money, i.e. have it wired somewhere.

A very big “Thank You” to all the donors who generously allow us to continue our mission to produce a Free Software desktop for everyone. You guys rock. Seriously.

The new GNOME board, which is already serving since the beginning of this month, will meet during GUADEC and probably call for bids some weeks later.

Finding Maloney

Wednesday, July 3rd, 2013

Every so often I feel the need to replace the music coming out of my speakers with an audio drama. I used to listen to Maloney which is a detective story with, well, weird plots. The station used to provide MP3 files for download but since they revamped their website that is gone as the new one only provides flash streaming.

As far as I know, there is only one proper library to access media via Adobe HDS. There are two attempts and a PHP script.

There is, however, a little trick making things easier. The website exposes a HTML5 player if it thinks you’re a moron. Fortunately, it’s easy to make other people think that. The easiest thing to do is to have an iPad User-Agent header. The website will play the media not via Adobe HDS (and flash) but rather via a similar, probably Apple HTTP Live Streaming, method. And that uses a regular m3u playlist with loads of tiny AAC fragments :-)

The address of that playlist is easily guessable and I coded up a small utility here. It will print the ways to play the latest Maloney episode. You can then choose to either use HDS or the probably more efficient AAC version.

$ python ~/vcs/findmaloney/ 
mplayer -playlist,q10,q20,.mp4.csmil/master.m3u8

livestreamer "hds://,q10,q20,.mp4.csmil/manifest.f4m" best


GNOME.Asia Summit 2013

Thursday, June 6th, 2013

This year’s GNOME.Asia Summit took place in Seoul, Korea. It’s my second GNOME.Asia Summit after the previous one in Hong Kong and it’s again amazing to see how nicely the local team put everything together.


Initially I thought I’d go to Seoul straight from LinuxTag which would have been quite stressful. Unfortunately, LinuxTag didn’t happen for GNOME :-\ We lacked people to run the booth and it’s insane to try to run the booth with only two or three people over four days. So I went more or less straight to Seoul. Via CDG. So far I didn’t like that airport because it is huge and transfers between terminals are very slow and the terminals themselves rather poor in terms of infrastructure (power, seats, WiFi, shops). But terminal 2E was surprisingly nice. It’s got designeresque chairs to sit in, lots of power sockets, free WiFi, some shops, water fountains, and it’s generally airy. So thumbs up for that.


As for Seoul, things went surprisingly well. While I did organise this GNOME.Asia Summit to some extent I didn’t expect things to work out that nicely. The local team, which was pretty much unknown to me, was surprisingly big and they found a good venue and good sponsors.

GNOME Asia Summit

Lemote gave us a few laptops to give away *yay*. A raffle was organized and the best speaker got the biggest machine. I didn’t win in the raffle, but I got a machine as the best speaker. It’s a Lemote Loongson. I don’t know yet whether it is what I need. I have a very underspecced Lenovo ideapad which barely runs GNOME. Running anything that requires memory is really dreadful. Yes Firefox, looking at you. And some things like Gajim, an XMPP client, don’t even work because the machine starts to swap so heavily that every TCP connection times out. Again and again. I have to explore whether the Lemote laptop performs any better. It’s MIPS after all. And according to Wikipedia the CPU alone draws 15W.


Anyway, the conference itself was good and I felt that it was bringing together people nicely. I hope that the relevant Korean businesses are happy, too. We will have to see though whether any measurable output has been generated.

The reactions to my talk about GNOME 3.8 were, as already mentioned, positive. To my surprise I have to say. I was still a bit tired and jetlagged, but from talking to people afterwards I know that I inspired some folks to take a closer look at GNOME. You can find my slides here.


I found a surprisingly large number of other talks interesting, too. Unfortunately, the aforementioned laptop died while taking notes so I can’t provide a nice summary. The most interesting thing I found was a talk about seafile. A Dropbox-like tool which sounds really good. But to be ready they have to fix some design problems like depending on a local webserver or not using established authentication and encryption protocols (think SSH).


I’m happy for the GNOME.Asia. May it prosper in the future. I hope we can gain some more sponsors for future editions of the event and also for GNOME. As other people already stated: I’d like to thank the GNOME Foundation for sponsoring my attendance at the conference. I’d also like to thank the conference sponsors for their support, including NIPA, Lemote, LG, Google, Linux Pilot, ONOFFMIX and

Sponsored by GNOME!

RIP Atul Chitnis

Tuesday, June 4th, 2013


I am sad to read that Atul Chitnis passed away at the age of 51. I met him several times during and it was a pleasure to meet the driving force behind that conference. While certainly being a controversial figure in the Free Software world, he did a lot of good things for our communities and ecosystems. Let’s hope the team takes the heritage and continues to make great events for India.