FOSS.in 2012 \o/

FOSS.IN

After it didn’t happen last year, it will this year! I’m talking about FOSS.in, the premier Free Software conference in India, if not Asia. I’m very pleased to see that this event managed to pull it off again. Also, everything seems to be very much in time this year, so I expect things to go down smoothly.

If you have something cool to share and want to attract a highly motivated audience, which doesn’t only want to listen, but also to do something, then you should consider submitting something. FOSS.in 2012 takes place, again, in Bangalore, India, from 2012-11-29 until 2012-12-01.

The Call for Papers is closing soon, so hurry up!

GNOME.Asia 2012 in Hong Kong

I had the great pleasure to be invited to GNOME.Asia taking place in Hong Kong and to give a talk there.

The first day started off with a very nice introduction by the local organizing committee. It is amazing how much energy they invest in Free Software, especially in GNOME. I think it’s outstanding given that I don’t see that many contributors from eastern Asia and that I was told several times that the attitude in Free Software communities is discomforting, at best, to people from eastern Asian cultures. But maybe it’s because of GNOME’s rather friendly community these people feel comfortable in GNOME. Let’s keep it that way.

The organizers greeting us

The main talks were given by westerners and I hope we (the westerners) could encourage the audience to believe in themselves and in GNOME. We, I and my old GNOME friend Andre Klapper, were talking about how to start contributing to GNOME as a member of the Bugsquad. We already talked together a couple of GUADECs back. Our slides can be found here. With probably 75% of the conference attendees the talk was comparatively well attended and I think it went well, too. We had a good and very unexpected discussion afterwards, too. That was very refreshing.

The crowd for our talk

The second day was filled with talks, too, although I didn’t find it as interesting as the first one. Mainly because I couldn’t understand many talks. The language barrier was quite high for me as my Chinese isn’t all too good ;-) While I do appreciate the Free Software communities for enabling everyone to have access to computing, i.e. by translating the software into every language in the universe, I do sometimes wonder whether we actually fragment ourselves and should rather concentrate on improving the actual code. Especially since we are an international community having international conferences. If there were isolated communities, it is crystal clear that translating everything into these languages is a major bonus. But since we eventually want to talk to each other and support each other, the translations are a bit of a hurdle to overcome. But this point is very moot because these people probably wouldn’t even know about Free Software, not to mention want to exchange thoughts, if the software wasn’t translated in the first place.

Allan Day talking about Every Detail Matters

There was actually one talk about Asian Women’s participation in Free Software Projects. But the talk disqualified itself quite early by bringing the common biological argument of different brains and that thus women could not code (sic!).

The *Woman are too stupid to code* talk

I enjoyed the stay in Hong Kong so much that I decided to append two weeks of traveling through China. It was very hot and humid and next time I’ll try to carry less things with me (although I do travel very lightly already).

Thanks a lot to the GNOME Foundation for making this possible for me. I also think that it helped to foster Free Software and GNOME in Hong Kong, China and Asia.

LinuxTag 2012

At this time of the year, there is a special thing happening in Berlin. It’s the annual LinuxTag, a mix of conference and expo. And again, we (GNOME) had a booth.

We shared the space with our friends from Qt and KDE, as we already did for last FOSDEM, and we got along quite well. It’s good to see friends again and again.

The critics from last events, i.e. FOSDEM and LinuxTag, were incorporated. So I did get enough tape, glue, T-Shirts and even a rollup-display *yay* Thanks to the GNOME Foundation for providing resources.

However, compared to last year we had less material, because only one EventsBox was available and we had less furniture for the booth, because LinuxTag lacks sponsors. So we had to deal with non ideal situations, but well, that’s how it always goes, no? And as we are engineers, we managed quite well, I’d say.

Unfortunately, we didn’t have any GNOME talk, so this is something that is definitely to improve for next year. You can already think about cool things to present in lovely Berlin. Interestingly enough, the computer, we used to demo GNOME, was very stable. Obviously, I wanted to show the freshest GNOME release, which was 3.4, but so far no distribution had a stable release which included the newest GNOME. So I used a Fedora 17 Beta and well, some things crashed (reliably) but it was still very smooth. The webcam was the most annoying piece of hardware. But well, it was stolen quite early so we didn’t have to bother too much about it ;-) So yeah, if you happen to have a spare webcam that works with a recent Linux and Cheese, we’d happily incorporate that into our EventsBox.

Generally though, people were interested in the newest developments and we had nice chats about the past and the future of GNOME. Unlike last year, we probably did not convince anybody to go to GUADEC (as it’s now in Spain and not in Berlin) ;-) We also couldn’t convince too many people to buy T-Shirts. The dark green ones from second last FOSDEM were quite popular but as they are old, we only had 4 to sell.

A big thank you to all the people helping out at the booth and of course to LinuxTag for providing us with the opportunity to present ourselves.

The talks I’ve seen, which were not many, as I’ve spent much time at the booth, were not really exciting. I’ve seen Ulrich Drepper talking about Lock Free Data Structures on modern CPUs which was, well, a bit slow for me. He seems to be very knowledgeable but I think he presumed the audience not to be. Anyway, apparently modern Intel CPUs can do transactional memory and you can even now write code that uses that feature in the future while staying compatible with today’s CPUs. You need a new enough toolchain though.

Some other guy talked about forking. I was curious but he delivered his story about forking Nagios only. He didn’t mention any problematic fact at all and was mainly concerned about establishing an own brand.

Christoph Wickert does the Beefy Miracle

I followed “Distro Battle” for a short period of time. Basically, five contestants were about to solve some problems a user could face with her distribution. So Mageia, Fedora, Debian, Kubuntu and OpenSuSE with their respective representative should solve problems like “install this printer” or “use this 3G USB dongle”. They had the chance to introduce themselves first. Mageia was running LXDE, Fedora had a GNOME 3.2, Debian a GNOME 2 and Kubuntu and OpenSuSE were running some recent KDE version. The Kubuntu representative introduced her distro by showing how easy it was to install the whole non-free packages and by stating this would be the very first thing you wanted to do on your fresh install. Funnily enough, Kubuntu self-destructed with a reboot into memcheck. Apparently, she aborted the install at a very unpleasant moment while there was no kernel ready. So the GRUB menu didn’t have any other option than memcheck. The non-GNOME desktops failed getting the 3G dongle to work while NetworkManager sorted that out on the GNOME desktops. The printing failed completely in OpenSuSE because they used their Zast-Tool; and Debian had a minor issue with ZeroConf not working.

So it’s quite a funny concept this “Distro Battle” although nowadays the GNU/Linux base is rather streamlined, isn’t it? So it doesn’t matter much which distro you use in order to get a printer or 3G dongle running unless you try to implement your own stuff.

19th DFN Workshop 2012

The 19th DFN Workshop happened again *yay* and I was lucky enough to be able to take part :)

After last year we all knew the venue and it’s great. The hotel is very professional and the receptions are very good. The conference room itself is very spacious and well equipped for having a couple of hundred people there.

So after a first caffeine infusion the conference started and the first guy gave the keynote. Tom Vogt (from Calitarus GmbH) talked about Security and Usability and he made some interesting points. He doesn’t want to have more “Security Awareness” but more “User Awareness”. He claims that users are indeed aware of security issues but need to be properly communicated with. He gave Facebook as an example: If you log in wrongly a couple of times, Facebook will send you an email, excusing themselves for the troubles *you* have while logging in. As opposed to the “if the question is stupid, the helpdesk will set you on fire” attitude.

So instead of writing security policies with a lot of rules he wants us to write policies that take the user’s view into account and make sense for the average user. He also brought up passwords and password policy. Instead of requiring at least 8 characters (which will be read as “8 characters” by the user anyway) one should encourage a more sensible strategy, i.e. the XKCD one.

He also disliked the metaphors we’re using all the time, i.e. we’re talking about documents or crypto keys. A document is something static that you hold in your hand. It can’t do any harm. But a Word-“document” is indeed something different, because there are macros and whatnot. And it’s not a big problem to temporarily give away physical keys. But in the crypto world, it is. And people, he claimed, would make those associations when confronted with these terms. Unfortunately, he didn’t have a fix for those long-term used metaphors but he said extra caution needed to be applied when talking in these terms.

Dissonance was another big thing. He claimed that it’s problematic that starting a program and opening a file is the very same action in modern operating systems. If the open document was triggered differently, then the user could see if the document that they received was indeed a text file or some binary gibberish.

And well, as the talk was titled “Usability” user interfaces were criticised, too. He mentioned that dialogues were very rude and that it was equal to holding someone until they answer a question. That trained the user to avoid and escape the dialogue as quickly as possible without even reading them, totally destroying the whole point of a dialogue. So we should only use them in a “life or death” situation where it would be okay to physically hold someone. And well, “user errors are interface errors”.

My favourite usability bug is the whole Keysigning story. It’s broken from beginning to end. I think that if we come up with a nice and clean design of a procedure to sign each others keys, the Web of Trust model will be used more and more. Right now, it’s an utterly complex process involving different media and all that is doomed to be broken.

After that, a guy from the Leibniz-Rechenzentrum talked about internal perpetrators from university data centres. They basically introduced Login IDS, a tool to scrub your logs and make them more administration friendly. He said that they didn’t watch their logs because it was way too much data. They had around 800 logins per day on their two SSH and two Citrix servers and nobody really checked when somebody was logging in. To reduce the amount of log, they check the SSHd log and fire different events, i.e. if there is someone logging in for the very first time. Or if a user hasn’t logged in at that time of the day or from the IP she’s using before. That, he claimed, reduced their amount of log to 10% of the original volume. Unfortunately, the git repo shows a single big and scary Perl file with no license at all :-|
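The event types described in that talk (first login ever, login from a new IP, login at an unusual time of day) can be sketched in a few lines. This is an added example, not Login IDS code; the log lines are constructed, and the one-hour tolerance for "usual" login times is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the usual OpenSSH syslog format (not real log data).
SAMPLE_LOG = """\
Feb 13 09:02:11 login1 sshd[2101]: Accepted publickey for alice from 192.0.2.10 port 50111 ssh2
Feb 13 09:15:40 login1 sshd[2144]: Failed password for bob from 198.51.100.7 port 40022 ssh2
Feb 13 10:30:05 login1 sshd[2190]: Accepted password for bob from 198.51.100.7 port 40031 ssh2
Feb 14 09:05:53 login1 sshd[3310]: Accepted publickey for alice from 192.0.2.10 port 50733 ssh2
Feb 14 10:41:19 login2 sshd[1207]: Accepted password for bob from 198.51.100.7 port 41200 ssh2
Feb 15 03:12:44 login1 sshd[4022]: Accepted password for alice from 203.0.113.99 port 61002 ssh2
Feb 15 09:01:02 login1 sshd[4100]: Accepted publickey for alice from 192.0.2.10 port 50990 ssh2
"""

# Only successful logins are of interest here; everything else is skipped.
ACCEPTED = re.compile(
    r"^\w{3}\s+\d+\s+(?P<hour>\d{2}):\d{2}:\d{2}\s+\S+\s+"
    r"sshd\[\d+\]:\s+Accepted\s+\S+\s+for\s+(?P<user>\S+)\s+"
    r"from\s+(?P<ip>\S+)\s+port\s+\d+"
)


def hour_is_usual(hour, seen_hours, tolerance=1):
    """True if `hour` lies within `tolerance` hours (wrapping at midnight)
    of an hour at which this user has logged in before."""
    return any(min((hour - h) % 24, (h - hour) % 24) <= tolerance
               for h in seen_hours)


def scan(lines):
    """Return (event, user, ip) tuples for logins that deviate from the
    history built up while reading the log from top to bottom."""
    seen_ips = defaultdict(set)
    seen_hours = defaultdict(set)
    events = []
    for line in lines:
        m = ACCEPTED.match(line)
        if m is None:
            continue
        user, ip, hour = m["user"], m["ip"], int(m["hour"])
        if user not in seen_ips:
            events.append(("FIRST_LOGIN", user, ip))
        else:
            if ip not in seen_ips[user]:
                events.append(("NEW_IP", user, ip))
            if not hour_is_usual(hour, seen_hours[user]):
                events.append(("UNUSUAL_HOUR", user, ip))
        # Every accepted login extends the profile, flagged or not.
        seen_ips[user].add(ip)
        seen_hours[user].add(hour)
    return events


if __name__ == "__main__":
    for event in scan(SAMPLE_LOG.splitlines()):
        print(*event)
```

Routine logins that match the profile produce no event at all, which is where the reduction in log volume comes from.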

Another somewhat technical talk followed by Michael Weiser. He talked about security requirements for modern high performance computing environments and I couldn’t really follow all the way through. But from what I’ve understood, he wants to be able to execute big jobs and have all the necessary Kerberos or AFS tokens because you don’t know for how long you’ll have to wait until you can process your data. And well, he showed some solutions (S4U2self) and proposed another one which I didn’t really understand. But apparently everything needs to be very complex because you cannot get a ticket that’s valid long enough. And instead you get a “Granting-Ticket” which empowers you to get all the tickets you want for a basically unlimited amount of time…?

The break was just coming up at the right time so that the caffeine stock could be replenished. It did get used up quite quickly ;-)

The first talk after the break introduced HoneypotMe, a technology that enables you to put honeypots on your production-mode machines without risking to have them compromised. They basically create a tunnel for the ports that are open on the honeypot but not on the production machine. So an attacker would not detect the honeypot that easily. Although it’s kinda nonsensical for a Linux machine to have the MSSQL port open. Interesting technology, although I don’t quite understand, why they put the honeypot after the production machine (network topology wise), so that you have to modify the TCP stack on the production machine in order to relay connections to the actual honeypot. Instead, one could put the honeypot in front and relay connections to the production machine. That way, one would probably reduce plumbing the TCP layer on the machine that’s meant to serve production purposes.

Another, really technical talk was given by a guy from the Research Centre Juelich. It was so technical that I couldn’t follow. Jesus christ were the slides packed. The topic was quite interesting though. Unfortunate that it was a rather exhausting presentation. He tried to tell us how to manage IPv6 or well, to better damn manage it, because otherwise you’d have loads of trouble in your network. He was referring a lot to the very interesting IPv6 toolkit by THC. He claimed that those attacks were not easy to defend against. But it doesn’t need an attacker, he said. Windows would be enough to screw up your network, i.e. by somehow configuring Internet Connection Sharing it would send weird Router Advertisements. But I might have gotten that wrong because he was throwing lots of words and acronyms at us. NDPMON. RAPIXD. RAMOND. WTF. Fortunately, it was the last talk and we could head off to have some proper beer.

After way too little sleep and ridiculous amounts of very good food, the second day started off with a very great talk by a guy from RedTeam Pentesting. He did very interesting research involving URL shortening services and presented us his results. Some of which are quite scary. If you’re remotely interested in this topic, you should have a look at the paper once it is available. There is a slightly different version here.

So the basic problem was described as follows: A user wants to send a link to a friend but the URL is too long so that email clients break it (well, he didn’t mention which though) or Twitter would simply not accept it… We kinda have to assume that Twitter is a useful thing that people do actually use to transmit links. Anyway, to shorten links, people may use a service that translates the long URL into a short one. And now the problems start.

First of all, the obvious tracking issues arise. The service provider can see who clicks on which links and even worse: Set cookies so that users are identifiable even much later. Apparently, almost all of these services do make use of tracking cookies which last for a couple of years. Interestingly, Google is reported to not make use of tracking technologies in their URL shortening service.

Secondly, you eventually leak a secret which is encoded in the URL you are shortening. And that’s apparently, what people do. They do use Google Docs or other sensitive webapps that encode important access tokens in the URL that you are throwing with both hands at the service provider. He claimed to have found many interesting documents, ranging from “obviously very private photos” over balance sheets from some company to a list of addresses of kindergarten kids. He got a good percentage of private documents which was really interesting to see.

But it gets worse. He set up a brand new web server listening on a brand new domain (fd0.me) and created URLs which he then shortened using the services. On the page his webserver delivered was a password which no search engine knew back then. The question was: Do URL shortening services leak their data to search engines? Or worse: Do they scan the database for interesting looking URLs themselves? Turns out: Yes and yes. He found his password on search engines and curious administrators in his webserver log.

Other obvious problems include loss of URL. Apparently people do use shortened URLs in long lasting things like books. And well, URL shortening services are not necessarily known for being long living. Fun fact: His university used to have such a service, but they shut it down…

Another technical issue is speed. Because of the indirection, you have an overhead in time. Google are the winner here again. They serve the fastest.

So yeah that was a very interesting talk which clearly showed the practical risks of such services.

An electronic ID card was introduced in Germany rather recently and the next guy did some research (sponsored by the ministry of interior) to explore the “eID Online Authentication Network Threat Model, Attacks and Implications”. Nobody in the audience actually used the eID so he had to tell us what you are supposed to do with it. It is used to authenticate data like your name, address, birthday or just the fact that you are at legal age. It’s heavily focussed on Browser stuff, so the scenarios are a bank or a web shop. After the website requested eID functions, the browser speaks to the local eID daemon which then wants to read your eID and communicates with the servers. Turns out, that everything seems to be quite well designed, except, well, the browsers. So he claims it is possible to Man in the Middle a connection if one can make a browser terminate a successfully opened connection. I.e. after all the TLS handshakes were finished, one would terminate the connection, intercept it and then no further verification was done. A valid attack scenario, not necessarily easy to be in that position though.


There were tiny talks as well. My favourite was Martin John from SAP talking about Cross Domain Policies. Apparently, standards exist to “enhance” the same origin policy and enable JavaScripts in browsers to talk to different domains. He scanned the internet^tm and found 3% of the domains to have wildcard policies. 50% of those had in some way sensitive webapps, i.e. authentication. He closed giving the recommendation of using CORS to do cross domain stuff.

The last two talks were quite interesting. The first one talked about XML Signature Wrapping. A technique that I haven’t heard of before, mostly because I’m not into XML at all. But it seems that you can sign parts of an XML document and well, because XML is utterly complex, libraries fail to handle that properly. There are several attacks including simply reproducing the XML tree with different properties and hoping that the parser would verify the correct tree, but work on the other. Simple, huh? But he claimed to have found CVE-2011-1411, a vulnerability in an interesting user of XML: SAML, some authentication protocol based on XML.
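The "verify one tree, work on the other" mismatch is easiest to see with the flawed consumer next to a strict one. This is an added example on a constructed toy format, not code from the talk or from any SAML library; an HMAC stands in for a real XML signature, and all element and function names are made up for the illustration.

```python
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

KEY = b"constructed-demo-key"  # assumption: HMAC replaces the signer's key pair


def mac(elem):
    """MAC over the canonical form of one element (toy stand-in for XML-DSig)."""
    clone = copy.deepcopy(elem)
    clone.tail = None  # text following the element is not part of it
    c14n = ET.canonicalize(ET.tostring(clone, encoding="unicode"))
    return hmac.new(KEY, c14n.encode(), hashlib.sha256).hexdigest()


def sign_response(subject):
    """Issuer side: a Response whose Signature covers only the Assertion."""
    root = ET.Element("Response")
    assertion = ET.SubElement(root, "Assertion", ID="a1")
    ET.SubElement(assertion, "Subject").text = subject
    sig = ET.SubElement(root, "Signature")
    ET.SubElement(sig, "Reference", URI="#a1")
    ET.SubElement(sig, "SignatureValue").text = mac(assertion)
    return ET.tostring(root, encoding="unicode")


def constructed_wrapped_sample(signed_xml, other_subject):
    """Constructed test input: the signed Assertion is tucked into a wrapper
    element and an unsigned Assertion sits where the original used to be."""
    root = ET.fromstring(signed_xml)
    original = root.find("Assertion")
    root.remove(original)
    unsigned = ET.Element("Assertion", ID="a2")
    ET.SubElement(unsigned, "Subject").text = other_subject
    wrapper = ET.Element("Extensions")
    wrapper.append(original)
    root.insert(0, unsigned)
    root.insert(1, wrapper)
    return ET.tostring(root, encoding="unicode")


def _signed_candidates(root):
    ref = root.find("Signature/Reference")
    value = root.findtext("Signature/SignatureValue")
    if ref is None or value is None:
        raise ValueError("missing signature")
    ref_id = ref.get("URI", "").lstrip("#")
    return [e for e in root.iter() if e.get("ID") == ref_id], value


def _check(elem, value):
    if not hmac.compare_digest(mac(elem).encode(), value.encode()):
        raise ValueError("bad signature")


def subject_naive(xml_text):
    """Flawed: verifies whatever the Reference resolves to, then reads the
    subject through a second, independent lookup."""
    root = ET.fromstring(xml_text)
    candidates, value = _signed_candidates(root)
    if not candidates:
        raise ValueError("reference does not resolve")
    _check(candidates[0], value)
    return root.findtext("Assertion/Subject")  # may be a different element


def subject_strict(xml_text):
    """Hardened: exactly one Assertion, at the expected position, and the
    data is read from the very element object that was verified."""
    root = ET.fromstring(xml_text)
    candidates, value = _signed_candidates(root)
    assertions = root.findall(".//Assertion")
    if (len(candidates) != 1 or len(assertions) != 1
            or assertions[0] is not candidates[0]
            or candidates[0] not in list(root)):
        raise ValueError("ambiguous or misplaced assertion")
    _check(candidates[0], value)
    return candidates[0].findtext("Subject")
```

On the wrapped sample the signature check still passes in `subject_naive`, yet it returns the unsigned subject; `subject_strict` rejects the document because two Assertion elements are present.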

Afterwards, I was surprised to see an old tool I was playing with some time ago: Volatility. It gained better Linux support and the speaker showed off some features and explained how to make it support your Linux version. Quite interesting to see that people focus on bringing memory forensics to Linux.

So if you are more interested in the topics, feel free to browse or buy the book which includes all the papers.

This year’s DFN Workshop was much more interesting content wise and I am glad that it managed to present interesting topics. Again, the setting and the catering are very nice and I hope to be able to attend many more DFN Workshops in the future :-)

GNOME @ FOSDEM2012

It’s this time around again and the FOSDEM happened in Brussels, Belgium. Probably the biggest gathering of Free Software people was a lot colder than last year. It was covered in snow. So badly, that we had big troubles coming into Brussels. It took us almost twice as long to arrive than usual. The streets were packed with cars suffering from the severe conditions.

But all that didn’t stop us (GNOME that is) from having a nice presence. If you know FOSDEM you’d expect the booth to be in a packed and smelly area because all the people try to move along in the tiny hallway. But this year was different because we got a spacious place in a new building. That was cool, because it gave us much more area to move than usual but unfortunately it made the conference much more disconnected as there was yet another building involved. I didn’t even try to visit each and everything.

Anyway, from what I’ve seen, we had quite a good stand. Our friends from OpenSuSE received the most attention though. Rightfully so. Not only because they had almost free beer and nearly free other goodies, but because they had nice hardware, nice demos and nice people to present. Fortunately, we were located just next to our friends from KDE which enabled us to chit chat with well known people and to plan conspiracies for upcoming conferences in 2013. So stay tuned for that.

With the help of local GNOME people, we had our EventsBox which is well equipped. But well, since we had only one Box, we weren’t as well equipped as last time at LinuxTag. We had loads of T-Shirts from the Desktop Summit though which we tried to sell. I especially like the name tags we had. Somebody just got them printed so we looked much more inviting, I guess. Also cool were the posters that we got provided so we could pimp the glass wall behind us. It’s cool that we have people that provide such things just like that. We didn’t have the appropriate tools to handle the posters well. We used regular adhesive tape (which we ran out of in the middle of the day) which kinda destroys the posters. From our KDE friends we got some “blue-tac” or “patafix” which was really really great. Apparently it’s well known in the western end of Europe. I didn’t know it at all, but I now know that we definitely want to have this for the next time.

We also didn’t have blank sheets of paper to write stuff on which was a bit annoying. But well, we didn’t have markers either so we needed to get both first before being able to inform the people about the t-shirt prices.

Needless to say that our demo machine got upgraded to the latest Fedora and that that broke at least the web-cam. I mean it was supported in the last Fedora version so it’d be boring if it was supported now, too. But the Fedora people had a nice gimmick to give away: A cheat cube which is just a well cut piece of paper that you can fold up to build a cube. You’re supposed to put that on your desk and use it to retrieve information quickly. I was wondering whether we could make something like that for GNOME Shell. Oh and while we’re at it: Many folks had roll-up displays which look very nice. They are around 1m wide and 2m high and you can have your big design on it. It doesn’t cost all too much but we’d need a proper motif first. So if you have any idea, feel free to discuss that in the wiki. And another thing that was annoying were our flyers. While it’s good that we had some, they were quite outdated. So we badly need some flyer material. Again, in the wiki is the place to show up.

So a big big thanks to the folks that helped out at the booth to make it rock. I hope we can make it work next year again.

There was also, again, a massive keysigning going on and I have to drop a quick rant about all that mess. caff on Fedora is kinda weird. It seems like the defaults in the man page don’t match the code, i.e. keyserver defaults to a different server than the man page states. And very annoying: It’s also different from GPG settings! So while trying to use caff it failed downloading the keys. I guess the server just hit a timeout or blocked my request altogether because it’s so many keys (/.-)

After having that sorted out, gpg asked to hit “y” all the time whether I was sure to sign the keys. Goddamnit. It’s about 100 keys and I sign with 4 private keys or so. Now I have to press 800 keys to get the fork()ing keys signed and mailed. Jesus Christ. It’s fricking 2012 and not 1972 anymore. I just want to conveniently sign the whole damn thing and not buy a new keyboard after each FOSDEM. Not only because I have to type so many keys but also because I feel the urge to smash it into someone’s face. But not only did I need some shell-fu to get the keys imported, I also needed to fiddle the fingerprints of the official key list because caff wouldn’t accept the fingerprints. The format though, is the format gpg uses to display fingerprints… So I had to do something like

cat /tmp/ksp.txt | tr -d ' ' | tr '\n' ' '

to get the proper format… And yeah, I’ll patch everything.. tomorrow…

Although I haven’t seen much of Brussels this time, I liked it being covered in snow and ice. I hope to be able to get more out of Brussels next time, especially improve my French ;-) So yeah, I’m looking forward to next year.

28C3 – Behind enemy lines

I was lucky enough to get a ticket for the Chaos Communication Congress 2011 in Berlin, Germany. So many people wanted to attend the CCCongress that the tickets were sold out in an instant. But the current location can’t handle more visitors so we’re forced to somehow limit the number of visitors unless the location or the concept of the CCCongress changes. Both options don’t sound really inviting, but refusing people to come isn’t fun either. So we’ll see what the future brings.

But I’d like to raise the point that the CCCongress is very much an event made by the people, i.e. the participants. It’s not that there is an overly mighty set of people who decide everything and are responsible for having a great event. It’s everybody that is responsible for helping out if something needs to be done, contributing ideas, talks, workshop, etc. It’s rather a place where you play a part by helping physically and paying a fraction of the cost to have a good time. That means that you can’t make a CCCongress by paying the entrance fee only. It’s not a show for your entertainment. Hence you can’t have expectations that somebody has to do things for you. This applies to things you don’t like, too. If you don’t like stuff that is happening, stand up and change it. Don’t sit and complain. This especially applies to things like sexism or other politically incorrect things. There is no personnel being obliged to do anything. It’s all our big party and you’re supposed to contribute yourself to make it great. I mention this, because there were complaints about supposedly right-wing people being present but nobody did anything.

Many people go to the CCCongress for the talks. And well, I didn’t really manage to watch many of them, but the following make a list of notable talks, because they were in some ways, say, “interesting”.

But you can have very good talks as well. For example

A very big applause needs to be given to the video team. It’s just amazing that the recordings were available within a few days. I just envy those guys for rocking so hard.

Now it’s time for a shameless plug: As I want to watch the recordings of this CCCongress and I know that I won’t do it myself, because the last years prove that I don’t watch the videos anyway, I’ll publicly show two videos of the recordings every Wednesday in the local Chaos Computer Club. So if your disk is filling up with videos that you wanted to watch but never will, feel free to show up on the “Chaotic Congress Cinema“. Funny thing is, that there are 100 videos recorded and if we watch 2 videos every week, we’d finish all of them within the year :-)

LinuxCon Brazil 2011

I was lucky to be invited to LinuxCon Brazil, taking place in *drumroll* Brazil! Sao Paulo to be precise. The conference centre was very spacious and the conference itself seemed to be much bigger than in Japan.

My talk on GNOME 3 (actually 3.2 and 3.x) was well received and I hope I was able to entertain a bunch of people and make some of them try the new GNOME. Fortunately, our friends from OpenSuSE just released their new version a couple of days ago and brought some machines and media to try it out. Needless to say that it features the latest and greatest GNOME release. We had a good discussion during the talk and I talked to many people after the talk. There was more interest than I expected. I was told that even Linus and Dirk Hohndel commented on it in the speaker’s room when I was not there.

I couldn’t really attend the other talks as I wanted because they were held in Portuguese :-\ There was translation but only for the foreign speakers not talking in Portuguese. So sadly I had to stick to talks that I either knew or didn’t interest me that much. But there were a couple of interesting ones, nonetheless :-) My favourite was Jan Kiszka talking about “Developing Linux inside QEMU/KVM Virtual Machines” because I learned how to actually be able to pass data from my host system into my guest QEMU machine.

So the conference could have made more effort to actually indicate whether the talks were held in English or not. Other than that, it was a good conference which was held in a pretty good conference centre. As the other South American conference I attended a couple of weeks ago, it slipped behind schedule. But only for half an hour ;-)

It wasn’t all too easy to get to Brazil though. I had flight troubles in Amsterdam with KLM again. The security at the gate wanted to search my bag but I refused. I was told to either let them search the bag or wait for the supervisor. I chose to wait as I had quite a bit of newspaper left. Eventually one of the security guys called me out and told me to go out of the gate area to talk to the supervisor. We talked and came back to the gate where I was about to put my stuff into the xray machine. But then the guy came and told me that the flight attendant told him that I couldn’t fly. So I asked the woman directly whether I was denied boarding. She said yes because I caused a queue. I demanded a list of my rights because I was denied boarding and she sent me to the Transfer desk. Then she left… When I went to the transfer desk, I figured out that I was not referenced as being denied boarding but No-Show, i.e. I just wasn’t present. But that’s ridiculous as I sat in the gate except for three minutes when the supervisor called me out. For that reason, I wasn’t provided a list of my rights and the transfer agent wasn’t friendly at all. A second transfer agent managed to get me on the next flight though. I thought I’d like KLM, at least for them flying to South America not crossing the US. But I probably have to go with Iberia the next time.

I’m looking forward to come back to Brazil, either for GNOME Forum or for LinuxCon :-)

Ekoparty 2011

I was invited to Ekoparty in Buenos Aires, Argentina. It all went very quickly, because when I was accepted for my talk on Virtualised USB Fuzzing using QEMU and Scapy, I couldn’t read email very well. I was abroad and had only a replacement laptop (which we got at MeeGo Summit in Dublin) at hand because my laptop broke down :-( And on top of that I wasn’t very well connected. Anyway, I got notice exactly two weeks before the conference and actually I had other plans anyway. But since it was in Argentina and I haven’t been there yet, I was very eager to go.

I was going from Hamburg via Amsterdam and Sao Paulo to Buenos Aires. And back from Buenos Aires via Charles de Gaulle to Berlin. After my first flight I had a good break at Schiphol but when I wanted to board the next flight, I was denied at first. After a couple of minutes, some officials came and I was interrogated. Because my itinerary looked suspicious, they said. So I was asked and searched and the information I gave was promptly checked by the woman and her smart-phone. Weird stuff. The next flights and airports were fortunately much better.

The very first day of the conference was reserved for the keynote and workshops. Unfortunately, the workshops were held in Spanish only so I couldn’t really follow anything. But I still attended some folks playing around with a USRP. It was interesting enough despite the Spanish. They decoded normal FM radio, pager messages and other (analogue) radio messages flying through the ether. The keynote was held in Spanish, too, but two translators simultaneously translated the talk into English. It’s the first time that *I* am the one needing a translation device ;-) I didn’t fully get the keynote because there was a lot of noise in the radio of the Spanglish :-/

The first talk by Agustin Gianni from Immunity was about Attacking the Webkit Heap and was, well, very technical. A bit too detailed for me as I don’t have much desire to exploit memory issues in Webkit, but it’s good to know that there are people looking into that. Just after that, there was a talk about security of SAP products. The message I got was to read the SAP advisories and documentation. Because he was showing exploits that used vulnerabilities that were either known and fixed or documented. It was still a bit interesting for me as I didn’t know much about SAP systems and could see what it’s actually about.

I don’t have much to say about the iOS forensic talk, because you can find the things he mentioned with a one liner: find / -name '*.db'.

Ryan McArthur talked about Machine Specific Registers, which I didn’t even know existed. But apparently CPUs have special registers that you usually don’t use. And these have special capabilities such as offering debug facilities. Also you can issue a simple instruction to detect whether you are in a virtual machine or not. That sounds damn interesting. With Intel it’s called Last Branch Recording. And he implemented something that would be able to trace programs like Skype. I wonder though what the difference to PaiMei is. An implementation using these facilities apparently exists for Linux as well.

A bit off the wall was Marcos Nieto talking about making money with Facebook. So he realised that he could send the AJAX request, which some Flash game sends to the game server, himself. He didn’t think about writing a bot playing the game for him though. Instead, he used a proxy to capture the HTTP traffic his Flash player was generating and replayed that traffic with the proxy software. And the money part would then be to sell the account that had all the experience points on eBay. I hope it was just the translation and the crappy quality of the radio that made it seem so lame.

As for my presentation, I wasn’t too lucky with the MeeGo laptop I used, because it only has an Atom processor which doesn’t have KVM support. That is very bad if you want to do something with QEMU :-( But I tried to prepare my things well enough to not have many problems. But what happened then was really embarrassing. I prepared demos and I did that very thoroughly. I even recorded some videos as second line of defence in case something fails. But I didn’t expect anything to fail because my demos were simple enough, and just a few copy&paste jobs. That’s what I thought and Murphy proved me wrong. I hate him. So my demos did not work, of course. I still don’t really know why, but I guess that I left a QEMU instance running due to the nervousness. And that instance would still mess around with the pipes that I was using. So lessons learnt: Whenever you think it’s simple enough, think harder.

Demo-Video. If it doesn’t play inline (stupid wordpress) please download yourself.

The rest of the conference was relaxed and the talks were much better than the day before. I feel that the second day was saved for the big things while the first was thought of as a buffer for the people to arrive. There was the SSL talk which caught a lot of attention in international media even before the conference. For reference: The issue was assigned CVE-2011-3389. I was astonished, really, to hear *the* talk being held in Spanish. I absolutely expected that thing to go off in English. Unfortunately, I couldn’t understand much of the things that were told. It took me quite a while to understand that the “navigator” the translatress was constantly referring to is actually the browser… So I was disappointed by that talk, but the expectations were high so it was easy to be disappointed.

http://www.youtube.com/watch?v=lauFlKi56aM

So all in all it went fine. It’s a nice enough conference, really relaxed, maybe even too relaxed. Given that there was one track only, it didn’t really matter that things bent the schedule by two hours. I felt that generally things went off the radar of the organising folks, most likely due to organising a conference being very stressful ;-) But well, it would still have been nice if they actually provided the facilities they promised to give a talk, like a USB cable or a demo laptop ;-) I barely got a T-Shirt :D

CHIST-ERA conference 2011 in Cork

While being in Ireland, I had the great opportunity of attending the CHIST-ERA strategic conference 2011 in Cork. Never heard of it? Neither have I. It’s a conference of European academic funding bodies to project and discuss future work and the direction of the work to be funded. Hence, it had many academics or industrial research people that talked about their vision for the next few years. If I got it correctly, the funding bodies wanted some input on their new “Call” which is their next big pile of money they throw at research.

The two broad topics were “Green ICT” and “From Data to Knowledge”. And both subjects were actually interesting. But due to the nature of the conference, many talks were quite high level and a bit too, say, visionary for my taste. But it had some technical talks which I think were displaced and given by poor Post-Docs that needed to have a presentation on their record to impress their supervisor or funding body.

CHIST-ERA Flower

However, for the Green IT part, almost all the speakers highlighted how important it was to aim for “Zero Power ICT”, because the energy consumption of electronic devices would shoot up as it did the last decade or so. But it hadn’t necessarily been much of a problem, because Moore’s Law would save us a bit: We knew that in a couple of months, we could place the same logic onto half the chip which would then, according to the experts, use half the energy. However, that wouldn’t hold anymore in a decade or two, because we would reach a physical limit and we needed new solutions to the problem.

Some proposed to focus on specialised ICs that are very efficient or could be turned off, some others proposed to build probabilistic architectures because most of the time a very correct result wouldn’t matter or to focus research on new materials like nanotubes and nanowires. The most interesting suggestion was to exploit very new non-volatile memory technologies using spintronic elements. The weirdest approach was to save energy by eliminating routers on the Internet and have a non-routing Internet. The same guy proposed to cache content on the provider as if it wasn’t done already by ISPs.

After the first day, we had a very nice trip to the old Jameson Distillery in Midleton. It started off with a movie telling us the story about Jameson coming to Ireland and making Whiskey. It didn’t forget to mention that Irish Whiskey was older and of course better than the Scottish and the tour around the old buildings was able to tell us what makes Irish Whiskey way better than the Scottish. Funnily enough, they didn’t tell us that the Jameson guy was actually Scottish ;-) I do have to admit that I like the Irish Whiskey though :-) The evening completed with a very nice and fancy meal in a nice restaurant called Ballymaloe. I think I never dined with so many pieces of cutlery in front of me…

CHIST-ERA D2K visualisation

The second day was about “From Data to Knowledge” and unfortunately, I couldn’t attend every lecture so I probably missed the big trends. When I heard that Natural Language Processing and Automatic Speech Recognition were as advanced as being able to transcribe a spoken TV or radio news show with a 5% error rate, I was quite interested. Because in my world, I can’t even have the texts that I write corrected because I need to use ispell which doesn’t do well with markup or other stuff. Apparently, there is a big discrepancy between the bleeding edge of academic research and freely available tools :-( I hope we can close this gap first, before tackling the next simultaneous translation tool from Urdu to Low German…

CCCamp 2011


It happened again! The Chaos Communication Camp took place a couple of weeks ago near Berlin. I was all excited to go although I had to miss the last days of the Desktop Summit.

The weather was mostly nice and the atmosphere, especially at night, was really fantastic. Everybody was really nice and there was so much creativity all over the venue that it was really hard to not start to make or hack on something.

While it had many very interesting things to be seen, I think the most amazing machine on the ground was a “Crepes printer”. Some Austrian dude built a machine which would make you a fresh crepe. Including some chocolate sauce! Right next to that were some friends that intend to launch a satellite and already had their radio equipment ready. With their massive antenna they spoke to the moon and measured the reflections coming back.

The participants also got a fancy badge called “r0ket”. It’s an amazing device and people did awesome stuff with it immediately. Given the presence of 3D printers and lasercutters, people added all sorts of extensions to the r0ket. But some enhanced their r0ket with good old knitting goodness.

The whole CCCamp, taking place on an old Russian airbase, was themed very aeronautical so everything was somehow related to space travel or rocket science. It also had many talks on those subjects which I didn’t attend a lot. I was too busy hacking or socialising.

You can only see a tiny fraction of all the artsy stuff it had on the ground. But you do see an old MiG which got pwned along with a spacy car. He got trolled quite well, I’d say but decide for yourself:

You can try to grasp the atmosphere by looking at these aerial shots:

You can see some more pictures and press articles in the CCCamp Wiki. The next Camp will be “Observe. Hack. Make. 2013.” and I’m very much looking forward to attending it.