CCC Artwork

There are several images related to the CCC which I looked for for quite some time. Probably the oldest is the Pesthoernchen (also as SVG):

The Pesthoernchen

While you can get the image above from the official Logos, you can’t get the lower ones (yet): Sterntastatur from 18C3 (Hacking Is Not A Crime) also as SVG:

Sterntastatur - Logo of the 18C3

You might like the inverted version (also as SVG): 18C3 logo inverted

There is a modified version which aims to be more like the original RAF logo by mimicking a shotgun (also as SVG):

Sterntastatur2 - More like the RAF logo

Hacking Is Not A Crime

Datenspuren 2009 – Call for Participation

Contrary to expectations, Datenspuren in Dresden is going into a new round! It is nice to see that a new organising team has formed around C3D2 and is getting the cosy conference up and running. Although I have never been there myself, it is said to be a manageable-sized conference that is less about technology and more about practical data avoidance and the risks of the transparent society. “Hands off – Privacy on” is this year's motto: hands off fundamental rights; become aware of your own privacy.

Datenspuren 2009 Flyer Front

So if you have nothing planned for 3 and 4 October 2009, you are cordially invited to come to the Scheune in Dresden! Admission is free.

You may also submit your talk or workshop via Pentabarf; this year's focus topics are to be:

  • Data traces in everyday life
  • Misuse of data
  • Legal situation
  • Security and prevention
  • Digital Resistance
  • Hacking
  • Technology assessment
  • Freedom of information
  • Education and discourse

Datenspuren 2009 Flyer Back

Back from HAR2009

I have just arrived from HAR2009 which was a very awesome event! We were camping for 5 days, drinking beer and attending lectures. Some of us visited Workshops, but sadly I didn’t. I probably was too busy attending talks and visiting the Toasti booth ;-)
Har2009 Logo

The CCC has built up a great Dome as well as a big tent for hacking. CCCHH brought Milliways, the last pub at the end of the universe and it was a really cool place to hang out. There were many people from different countries which made it really interesting and enjoyable to just be there. Last but not least, the beer was great ;-)

Others have brought a GSM Network! How awesome is that?! Harald Welte and his fellow GSM-Tent members have set up the “42” Network and we were able to place as many (internal) phone calls and SMS as we liked. Of course, we started to script that ;-) So I found out that sending an SMS via a serial connection to my phone's modem is as simple as the following lines:

import serial  # pyserial
import time

DEVICE = '/dev/ttyACM0'

def send_sms(nr, msg):
    ser = serial.Serial(DEVICE, 115200, timeout=1)
    ser.write(b'AT\r')
    line = ser.readline()  # command echo
    line = ser.readline()  # modem response
    assert line == b"OK\r\n"

    # Switch the modem to SMS text mode
    ser.write(b'AT+CMGF=1\r')
    line = ser.readline()
    line = ser.readline()
    assert line == b"OK\r\n"

    ser.write(('AT+CMGS="%s"\r' % nr).encode('ascii'))
    ser.write(('%s\n' % msg).encode('ascii'))
    ser.write(b'\x1a')  # Ctrl-Z terminates the message
    time.sleep(3)
    lines = ser.readlines()
    print(lines)
    ser.close()

Sadly, I couldn’t hack more with the GSM network because it was shut down rather early and I didn’t use my computer much during the lecture time. So next time I’ll try to reproduce the Curse of Silence and play around with PDU SMS.

So I have been to a lot of interesting villages and I met some interesting people but sadly GNOME people couldn’t make it. Maybe we’ll have a GNOME Village next time… :) If you are interested in how the camp looked, watch this impressions movie or click through the media.

The next CCCamp will probably be in two years and according to rumours it’ll happen in Finowfurt again. I’m really looking forward to that event!

BufferOverflow Workshop at EasterHegg09

During Easterhegg I held a workshop together with hc. It was about Buffer Overflows, which used to be the most common security vulnerability a couple of years ago.

We gave a talk explaining the basic concepts of processes and how they work on x86 machines. This was heavily packed with information and I really think we couldn’t make everything clear in the first run. But as it was planned as a workshop, we intended to give people stuff they can chew on ;-) Basically, we took stuff from the excellent Phrack article Smashing the Stack for Fun and Profit which is nearly 13 years old by now.

As modern operating systems protect themselves against the consequences of buffer overflows, we prepared a virtual machine with QEmu/KVM so that exploits will work. It’s an old Debian woody with an SSH daemon and build essentials.

Of course I changed the image at the last minute, because I wanted to improve it. And of course something went terribly wrong: The root filesystem was corrupted and fsck deleted important files, leaving the image in a useless state. We had to port my changes back to the old image.

Of course, we wanted to distribute the ~1GB image among our workshop guests. As we expected 50 people to show up and didn’t want to stress the WiFi so much, I intended to use BitTorrent, but it’s not as easy and smart as it could be: We are NATted, so using an external tracker would FAIL. Also, it can’t multicast the packets, which would perfectly make sense if many people start to download the torrent in the same network. We ended up having a usb pendrive and a thttpd serving the tarred image. Not very smart or efficient.

After the people ran the images, they couldn’t log in with SSH due to a mysterious heisenbug. I suspect our last-minute changes to be the culprit but I can’t provide a more technical error description. The SSH daemon worked quite well *in* the image, but as soon as you wanted QEmu to redirect the traffic into the machine, it FAILed: The connection was established, but no data was transferred. Could be a bug in QEmu as well.
The people either worked through the QEmu widget or set up a TUN device to get the network up and running…
That pissed some people off, who then left. We ended up with 20 people trying to hack themselves :)

We prepared examples in the image, some of them copied from Gera, e.g.:

/* stack1.c                                     *
 * specially crafted to feed your brain by gera */

#include <stdio.h>

int main() {
	int cookie;
	char buf[80];

	printf("buf: %08x cookie: %08x\n", &buf, &cookie);
	gets(buf);	/* deliberately unbounded: this is the bug to study */

	if (cookie == 0x41424344)
		printf("you win!\n");
}

The people were supposed to make the program print “you win!”. If you know how a stack works, it’s actually simple. Do you know what input you have to feed in order to win!?
Oh, you don’t want to compile this program with anything other than -O0, because with optimisation enabled the compiler rearranges the variables on the stack so that you can’t overwrite the integer…
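
A hardened counterpart to stack1.c, added here as an example and not part of the workshop material or gera's code: gets() is replaced by a bounded read, so over-long input is truncated instead of running past buf into cookie. The names read_line_bounded, cookie_after_input and struct frame are assumptions made for this illustration, and the sample input is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative layout: the struct pins cookie directly behind buf. */
struct frame {
    char buf[80];
    int cookie;
};

/* Bounded replacement for gets(): stores at most size-1 bytes plus NUL.
 * Returns 1 if the line was truncated, 0 if it fit, -1 on EOF or error. */
int read_line_bounded(FILE *in, char *buf, size_t size)
{
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 0;
    }
    /* No newline stored: drain the rest so it is not read as a new line. */
    int c, truncated = 0;
    while ((c = fgetc(in)) != EOF && c != '\n')
        truncated = 1;
    return truncated;
}

/* Feeds input through the bounded reader; returns the cookie afterwards. */
int cookie_after_input(const char *input, int *truncated)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    FILE *in = tmpfile();           /* stands in for stdin in this demo */
    if (in == NULL)
        return -1;
    fputs(input, in);
    rewind(in);
    *truncated = read_line_bounded(in, f.buf, sizeof f.buf);
    fclose(in);
    return f.cookie;
}

int main(void)
{
    char line[201] = {0};
    memset(line, 'A', 200);         /* constructed sample input: 200 x 'A' */
    int truncated = 0;
    int cookie = cookie_after_input(line, &truncated);
    printf("cookie: %08x truncated: %d\n", (unsigned)cookie, truncated);
    return cookie != 0;
}
```
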

In the end, I think I am satisfied with the workshop, although things could have worked better. We had pretty smart people who were really curious how stuff works. They have learned a lot and I guess they had fun with that as well :)

mrmcd0x8 – Call for Participation

The MetaRheinMain ChaosDays are going into a new round *yay*! I probably won't be able to make it this year, but I have been there often enough by now ;-) If you want to submit a talk or a workshop, please use Pentabarf. One reason to submit something (or to simply go there) is the Pornophonique concert! Really recommended.

c&p from the official site:

The CCCMZ, C3F2M, CCC Mannheim, oqlt, the IT Stammtisch Darmstadt and CDA invite you to the eighth MetaRheinMain ChaosDays.

The MetaRheinMain Chaosdays 0x8 are an annual congress which this year, under the motto “Zurueck zum Thema” (“Back to the topic”) and with the focus topics journalism, society and technology, is organised by c3f2m Frankfurt, CCCmz (Mainz/Wiesbaden), the university group Chaos Darmstadt, AK Vorrat and further regional groups in the Rhine-Main-Neckar area. This year the MRMCDs take place from 4 to 6 September 2009 at the Technische Universität Darmstadt. For three days there will be talks, discussions and a hackcenter.

The talks and workshops address both the general public and specialised interests. In this way, the academic connection and the link to current public discourse are to be maintained. The following focus areas form the backbone of the event:

  • Journalism
  • Society
  • Technology

These include, for example: voting machines, surveillance, cryptography, IT security, biometrics, data retention, the BKA Act, the electronic health card, the impact of technological development on society, chaos culture, project and self-management.

26C3: Here Be Dragons

Well well, the next Chaos Communication Congress has been officially announced *yay*! This year's motto will be Here Be Dragons.

This motto is not as bad as I intuitively thought. It reflects the current political situation pretty well: It seems as if the politicians are actively avoiding knowledge in the area of IT.

HERE BE DRAGONS

You should consider coming by as well as sending in a paper! You have time until 2009-10-09 to submit your proposal via Pentabarf.

I don’t know if I can make it, but I’ll certainly try :)

Taxi from Hamburg to HAR2009

Pre-Sense is sponsoring a bus ride for up to 30 people to the HAR2009! The way back to Hamburg is sponsored as well. Also, you can win two HAR tickets! :)

HAR poster

It’s very kind of that young company to sponsor that trip and thus enable young hackers to meet with the brightest people in the IT-Security area. I wonder if they hope that some of these young hackers will take one of their open positions in the future ;-)

Anyway, feel free to register for the bus ride or win a ticket. The details can be found at http://www.pre-sense.de/har2009.html.

Your HAR2009 Tickets

I received my ticket for the HAR2009 which takes place from August 13th till August 16th somewhere in the Netherlands!

If you buy your ticket until 2009-03-31, you’ll get a 25 Euro discount. If you additionally use the code “SURFBIRD”, you’ll get an additional 5 Euro off. That translates to 150 Euros for a ticket.

I hope it’s going to be an awesome CCCamp this year :) I’m really looking forward to these hackers' holidays.

HAR Ticket

Balls of Steel (§202c)

I just received a mail where some dude said that he reported himself to the police. He accused himself of “obtaining possession” and “creating” passwords which could be used for a crime afterwards. He supposes that to be illegal due to the famous German “Hackerparagraph” §202c.

He says he downloaded and printed an article from the New York Times (maybe he meant this one?) which listed the 20 most common passwords on MySpace.
Also he used pwgen to generate passwords himself.

His first try to denounce himself failed because the police officer said that *this* wasn’t justiciable. The second attempt, though, succeeded. He offered his police report as downloadable PDF.

I have to say: Respect Mr. Balls of Steel! I am eager to see how that’s turning out.