26C3 Review

Attending last years CCCongress was a great pleasure. Although there were great lectures, it’s the spirit that’s the best part of the conference. Meeting all these nice hacker people, hanging around, talking, discussing, hacking is just brilliant. You’ve got all those smart hackers around you and it just can’t get boring.26c3 logo

A good way of socialising is, of course, visiting the various parties that take place. The Phenoelit party was awesome. Thanks FX for the invites :)

Besides drinking I spent time on some crypto problems and tried to investigate on the magnetic-stripe-card authentication in Hotels and Hostels. I found out, that all our cards for one room are equal, but not one card that has been obtained later. The data on the card is just ~100bits and I tried to find timestamps and room numbers in it but I failed. I blame my dataset to be too small. I’ll launch more advanced experiments next year. If you happen to have insider knowledge in magnetic-stripe locks, drop me a line.

I want to highlight two things about the last CCCongress. Firstly, Friend Tickets were available and the concept is just awesome: Basically you can propose a friend of yours you think would benefit of attending the CCCongress but has no way to cover the expenses. The organisers then decide whether you can get a discount (which will, of course, apportioned to every regularly paying attendee). I like to see this solidarity among hackers. Unfortunately, no stats are available to see how many people were enabled to come through this method. I hope, having these friend tickets will be considered next year again. So if you wanted to come to the CCCongress but feared the expenses, consider asking for a discount. Just for the record: The prices are at rock bottom anyway: 80 Euros for a 4 day conference of this kind is amazingly cheap. Thanks to all the angels! :-)

The second noteworthy concept to distribute the CCCongress as much as possible (called Dragons Everywhere). The idea is fantastic: Increase the number of attendees as much as possible by building mini conferences and stream the most important things. It would be even better, if the gatherings had a feedback channel, i.e. Webcam. Hopefully, it’ll be better next year, i.e. better and more reliable streaming services and more places, especially in Berlin, because many people were sent away because the conference was already sold out :(

If you want to get a feeling of what the CCCongress is like, you might want to have a look at the recordings. If you organize a public viewing, make sure you show these videos :-) Based on the feedback, the best talks were:

And for entertainment, the following German talks are very good:

I hope you enjoy watching the CCCongress and consider coming in next year!

Bugsquad Talk @ FOSS.in

FOSS.in has finally finished and I really enjoyed being invited. It was a real pleasure having all these talented and energetic hackers around me. It’s definitely on my top-conferences list. You could feel a real hacking spirit and it’s really sad that it’s already over.

The closing ceremony featured TRDP, a really really good Indian band playing fancy music. I was told that they are pretty famous in India and that FOSS.in was lucky to have them there. Hence we were all nerds, a Twitter wall companied the band showing recent tweets concerning the event…

Closing and Twitter Party
Closing and Twitter Party

Besides the entertainment, the program itself was pretty good as well. I disliked the keynotes to some extend though. I felt that they were mostly not really relevant to FOSS because the content was obsolete (i.e. one guy basically showing how to do shellscripts) or otherwise out of scope (i.e. a free robot operating system).

I have to thank the organizers of FOSS.in for running that conference and inviting me. Also, I need to thank the GNOME Foundation for subsidizing my trip.

The Bugsquad Talk went pretty well, I’d say. Around 5 people were interested joining the Bugsquad and I hope that they’ll stay around :) Unfortunately, the GNOME project day took place on the last day, making it unattractive to start something new because you can’t ask anyone anymore the next days.

Sponsored by GNOME!

Also, compared to other organisations such as KDE or Fedora, GNOME was highly under-represented. KDE had sweaters to give away. Admittedly, they were not very well designed but hey, it’s sweaters after all! Also, they had very fancy leaflets shortly describing what KDE was, why they rule and how to contribute. Very well done.

(Broken) Fedora stickers
(Broken) Fedora stickers

Srini brought GNOME T-Shirts which was fine but somewhat boring. Seriously, I have gazillions of T-Shirts and think other people do so, too, as nearly every project or company gives away T-Shirts. So doing something new is a smart thing to do. I hope the GNOME marketing team will come up with something fresh and shiny (hoodies? shoes? underwear? “GNOME” Keys for the keyboard instead of Windows Keys?).

Srini giving away GNOMEy T-Shirts
Srini giving away GNOMEy T-Shirts

FOSS.in – Impressions

The second day of FOSS.in, Indias largest Free Software conference taking place in Bangalore has just finished and the conference has been very awesome so far. The people are smart, the food rocks and you can feel the hacking spirit everywhere. While the venue itself has a high technical standard, the network over wifi is damn slow. It’s 6kB/s on average so I’m barely able to transfer data.
foss.in Logo

Since Maemo Bangalore is giving some N900s away if you hack, port or package something awesome, I want to download the SDK. But with the bandwidth contraints, it’s not really possible :-/

Dimitris Keynote on the first day was on how to build a revolutionary free software project. I enjoyed his talk although I did not really get the point. It felt like instructions for a general FLOSS project and not a revolutionary in particular.

Harald Weltes talk on how to Opening Closed Hacker Domains such as DECT or GSM was very exciting and I really look forward to have some time to play around with that. He really enlightened the crowd and showed us why it is important to get FLOSS into those areas which are highly dominated by the proprietary world.
harald@foss.in
The conference is mostly about getting stuff done as opposed to listen to fancy talks. It’s not that that the talk are not important but that actually doing stuff is as well. Apparently, Indian conferences tend to be rather passive. Anyway, it has been really great so far. If you happen to be around, feel free to join us :)

My GNOME bugsquad presentation on Saturday is well prepared but I’m still waiting for feedback of the community.

IRISS Conference 2009

I had the joy to attend the first annual IRISS Conference 2009 which is a for free conference held by IRISS, the Irish CERT.

It was about cybercrime in general and there were speaker from e.g. SANS, IRISS -the local cert- or Team Cymru which I already enjoyed at DNF CERT Conf at the beginning of the year.

One talk I attended was by a local polices cybercrime investigation team. He basically talked about the goodness of creating movement profiles with GSM data and ISP keeping IP to customer data to catch criminals…

Then we participated in HackEire, a Capture the Flag style contest. We ran second. Not too bad for our sucky preparation and the fact that we spent more than an hour to make a Mac share its 3G uplink with two Linux Notebooks over (encrypted -didn’t work-) WiFi. The game network was 10.0.1.0/23 and the Mac automatically and not changable was 10.0.2.0/24. Although the networks overlapped by one bit I expected it to work for the majority of the packets being sent. But we failed. Hard. So hard, that the Mac couldn’t take part in the game anymore… I need to polish either my understanding of networking or my passion for hating Apple.

This CtF, however, was a bit different since there was one virtual network for everyone. I.e. no team had an own server or an own virtual network. There were four machines which were supposed to be owned in a given order. That wasn’t immediately clear and there were many tarpits to waste a lot of time. I.e. a Kernel in a supposed-to-be vulnerable version which is not exploitable, or a separate PHP user for the Webserver with a locked down home directory, tempting you to mess around with PHP scripts to investigate.

And the end of the day, the contest was about collecting secret keys to decrypt a file afterwards. The secret keys were more or less obviously lying around once the machine has been pwned. Passphrases to that secret keys were either user passwords or otherwise easily guessable strings.

The Machines were:

  1. Linux Webserver. To be 0wned with a password being served on a page from the webserver. A bit obfuscated though, so that one had to use the source. Once SSHed to that host, secrings were lying around in ~/gnupg/. Also, weird processes were running that connected to a strange host outside the network (4) to send a password over the wire.
  2. BIND on windows (sic!). To be pwned via the conficker exploit. Also, one should crack a users password using THCs Hydra.
  3. Linux Mailserver. With SSH Server only visible when coming from (1). Log in with password from (2). Machine was running an old kernel, thus sooner or later you g0t root. Then search for keyring in home directories. Also, crack the shadow using a John that’s capable of cracking SHA256 (i.e. not the most recent version shipped with Ubuntu).
  4. “hidden” DB server on Windows, only connectable from (1). You could find that machine by looking at the network interfaces of (1). You’d see that it has a second interface with a different IP thus inviting you to scan the new subnet. Luckily, there was an smbclient on (1) and with credentials from (1), one could enumerate all users (smbclient -L). Then, with the other credentials found on (1), connect and get keyring as well as final encrypted file.

That final file could be decrypted using keys and passphrases obtained earlier. Out came an ELF binary that looked, smelled and quacked like “ls”. However, it contained a steganographically hidden text file. Using a standard stego tool shipped with Backtrack, it’s possible to obtain the very final CSV file.

I not only liked the fact that they posted hints on the wall every now and then, but also that they actively walked around, talking to the teams and helped them actually achieving stuff. In fact, I wouldn’t even have thought about transferring zones from that BIND instance using AXFR or checking the machines whether they have an smbclient installed.

While we were playing, I bricked my sudo by trying to add a line without knowing the syntax. I couldn’t do sudo nano /etc/sudoers afterwards as it couldn’t parse the file, effectively leaving me without root access. I think I’ll better use visudo now…

jOEpardy at Easterhegg09

I held a jOEpardy session at Easterhegg09! I guess, you know what a Jeopardy is, if not, have a look at the Wikipedia :-P

The people were entertained and hopefully learned something ;-) Sadly, the hardware didn’t really work :( The buzzer were somewhat broken so that we actually had to try to see (with our eyes) who pushed the button first. Funnily enough, I *did* test the setup extensively just 10 minutes before the gig! Very weird.

The Questions can be found here: Round 1, Round 2, Round 3, Round 4. But it doesn’t make much sense without the jOEpardy software, unless you parse the XML on your own.

The software is a Java Application which was initially written by TriPhoenix! I haven’t written Java for a long time and I have to admit, that writing Java with Eclipse is actually fun! Eclipse is so smart and tightly integrated in the build process that it’s quite easy to write, build and debug. I wish there was such a good IDE for C or Python. Sadly, I think that Java Code is bloated although <2.500 LoC for a jOEpardy is not too bad I’d say :-)

I actually thought I could release the jOEpardy code by now (and thus waited with this post…), but I still have to resolve copyright questions.

Datenspuren 2009 – Call for Participation

Die Datenspuren in Dresden gehen wider erwarten in eine neue Runde! Es ist schoen zu sehen, dass sich ein neues Organisationsteam im C3D2 Umfeld geformt hat und die gemuetliche Konferenz ans Laufen bringt. Obwohl ich selber noch nie da war, soll es eine ueberschaubare Konferenz sein, die sich weniger um Technik, als um praktische Datenvermeidung und Risiken der glaesernen Gesellschaft dreht. “Hands off – Privacy on” lautet das diesjaehrige Motto: Finger weg von den Grundrechten; der eigenen Privatsphäre bewusst werden.

Datenspuren 2009 Flyer Front
Datenspuren 2009 Flyer Front

Wenn du also am 03.10.2009 und 04.10.2009 nichts vor hast, bist du herzlich eingeladen nach Dresden in die Scheune zu kommen! Der Eintritt ist frei.

Auch darfst du ueber das Pentabarf deinen Vortrag oder Workshop einreichen, die Schwerpunkte sollen dieses Jahr sein:

  • Datenspuren im täglichen Leben
  • Missbrauch von Daten
  • Rechtslage
  • Sicherheit und Prävention
  • Digital Resistance
  • Hacking
  • Technikfolgenabschätzung
  • Informationsfreiheit
  • Aufklärung und Diskurs
Datenspuren 2009 Flyer Back
Datenspuren 2009 Flyer Back

Back from HAR2009

I have just arrived from HAR2009 which was a very awesome event! We were camping for 5 days, drinking beer and attending lectures. Some of us visited Workshops, but sadly I didn’t. I probably was too busy attending talks and visiting the Toasti booth ;-)
Har2009 Logo

The CCC has built up a great Dome as well as a big tent for hacking. CCCHH brought Milliways, the last pub at the end of the universe and it was a really cool place to hang out. There were many people from different countries which made it really interesting and enjoyable to just be there. Last but not least, the beer was great ;-)

Others have brought a GSM Network! How awesome is that?! Harald Welte and his fellow GSM-Tent members have set up the “42” Network and we were able to place as many (internal) phone calls and SMS as we liked. Of course, we started to script that ;-) So I found out, that sending an SMS via a serial connection to my phones modem is as simple as the following lines:

import serial
import time
 
DEVICE = '/dev/ttyACM0'
 
def send_sms(nr, msg):
    ser = serial.Serial(DEVICE, 115200, timeout=1)
    ser.write('AT\r')
    line = ser.readline()
    line = ser.readline()
    assert line == "OK\r\n"
 
    ser.write('AT+CMGF=1\r')
    line = ser.readline()
    line = ser.readline()
    assert line == "OK\r\n"
 
    ser.write('AT+CMGS="%s"\r' % nr)
    ser.write('%s\n' % msg)
    ser.write(chr(26))
    time.sleep(3)
    lines = ser.readlines()
    print lines
    ser.close()

Sadly, I couldn’t hack more with the GSM network because it was shut down rather early and I didn’t use my computer much during the lecture time. So next time I’ll try to reproduce the Curse of Silence and play around with PDU SMS.

So I have been to a lot of interesting villages and I met some interesting people but sadly GNOME people couldn’t make it. Maybe we’ll have a GNOME Village next time… :) If you are interested in how the camp looked, watch this impressions movie or click through the media.

The next CCCamp will probably be in two years and according to rumours it’ll happen in Finowfurt again. I’m really looking forward to that event!

BufferOverflow Workshop at EasterHegg09

During Easterhegg I held a workshop together with hc. It was about Buffer Overflows, which used to be the most common security vulnerability a couple of years ago.

We gave a talk explaining the basic concepts of processes and how they work on x86 machines. This was heavily packed with information and I really think we couldn’t make everything clear in the first run. But as it was planned as workshop, we intended to give people stuff they can chew on ;-) Basically, we took stuff from the excellent Phrack article  Smashing the Stack for Fun and Profit which is nearly 13 years old by now.

As modern operating systems protect themselves against the consequences of buffer overflows, we prepared a virtual machine with QEmu/KVM so that exploits will work. It’s an old debian woody with an SSH daemon and build essentials.

Of course I have changed the image in the last minutes, because I wanted to improve it. And of course something went terribly wrong: The root filesystem was corrupted and fsck deleted important files, leaving the image in a useless state. We had to port my changes back to the old image.

Of course, we wanted to distribute the ~1GB image among our workshop guests. As we expected 50 people to show up and didn’t want to stress the WiFi so much, I intended to use BitTorrent, but it’s not as easy and smart as it could be: We are NATted, so using an external tracker would FAIL. Also, it can’t multicast the packets, which would perfectly make sense if many people start to download the torrent in the same network. We ended up having a usb pendrive and a thttpd serving the tarred image. Not very smart or efficient.

After the people ran that images, they couldn’t login with SSH due to a mysterious heisenbug. I suspect our last-minutes changes to be the culprit but I can’t provide a more technical error description. The SSH daemon worked quite well *in* the image, but as soon as you wanted QEmu to redirect the traffic into the machine, it FAILed: The connection was established, but no data was transferred. Could be a bug in QEmu as well.
The people either worked through the QEmu widget or set up a TUN device to get the network up and running…
That pissed some people off which then left. We ended up with 20 people trying to hack themselves :)

We prepared examples in the image, some of them copied from Gera, e.g.:

/* stack1.c                                     *
 * specially crafted to feed your brain by gera */

int main() {
	int cookie;
	char buf[80];

	printf("buf: %08x cookie: %08xn", &buf, &cookie);
	gets(buf);

	if (cookie == 0x41424344)
		printf("you win!n");
}

The people were supposed to make the program print “you win!”. If you know, how a stack works, it’s actually simple. Do you know, what input you have to feed in order to win!?
Oh, you don’t want to compile this program with anything other than -O0 because the compiler rearranges the variables on the stack so that you can’t overwrite the integer…

In the end, I think I am satisifed with the workshop, although things could have worked better. We had pretty smart people which were really curious how stuff works. They have learned a lot and I guess they had fun with that as well :)

Gran Canaria Desktop Summit

The GCDS has just finished and I think it was a great and successful conference. It was the first joint aKademy + GUADEC conference and I feel it turned out quite well. We could have had more explicit collaboration or more attention on the “other” talks, but I think the people have to get used to the fact that there are people with different approaches who you can talk to. Let’s hope it’ll be a joint convention next year as well (I always wanted to spend a week or two in Finland…).

The registration process was a bit weird, because the organizers wanted to know private data without even trying to make clear what they are used for. In fact, the only thing I could see (even from a retro perspective) is to collect the data. As I’ve stated in a mail buried in this thread, I don’t really like that for several reasons and I hope that the next organization committee will not collect absolutely necessary data.

The first day began with a RMS keynote for me. I expected it to be really bad because for some reason the people say that RMS’ talks are boring, stubborn and repetitive. I’ve never heard a RMS talk before and I couldn’t apply any of these critics onto his talk. In fact, I really liked and enjoyed it, although it was not necessarily pleasant to listen because he disagrees with our decisions: He doesn’t like to see new applications to be written in C# because the Software Freedom Law Center doesn’t think that the Community Promise guarantees that Microsoft will not charge patent fees. I am not into that topic but I believe that the SFLC does a good job. And I also trust the SFLC more than I trust Microsoft. So it’s not about patents in general (which should be abolished anyway) but rather about not putting too many weight onto our Desktop so that we can get rid of C# apps easily in case of fire^W ugly patent stuff. And I don’t know what’s not clear about that: As the risk seems to be there and we want to have a free desktop in the future, we have to watch out now to not fall into a Bitkeeper trap.

I also don’t agree with travis or lefty who think the reference to an EMACS virgin is sexist or mixing different topics (software freedom and religion in this case) is unhealthy. RMS clearly referred to the Christian church and it’s habits, so if there is anything bad, it’s to be search in these circles. Also, virtually everyone has cheered after RMS’ performance. And I wouldn’t go that far and call all the audience sexist. Actually, I dislike the idea of (computer) engineers answering sociologists questions for the same reason I don’t ask a sociologist in case of computer trouble (I like it, when they think, talk and discuss about it though). From an intersectional point of view, I’d ask whether the strong focus on women is actually sexist, because there is clearly more than one domain we have minorities in. Take Blacks, Jews, Disabled or Queers or people with an inside out belly button for example. By constantly reciting that women are a minority, we could actually harden this situation instead of making it disappear. I could actually write a paper about it, as I need one for university anyway to finish my Gender Studies.

The parties were all awesome, thanks to Canonical, Nokia, Igalia and Collabora who really know how to throw a good party. I wonder why Google didn’t show up though.

I also have to thank the GNOME foundation for sponsoring my trip to Gran Canaria! It’s really good to see that my contributions are valued and that I can improve them by attending various talks and sessions. This year was especially useful because we could attend the KDE peoples sessions. I especially enjoyed being at the KDE bugsquad sessions to share and improve ideas.
Sponsored by GNOME!

Although I took some photos, I won’t upload them to flicker, but the people seem to tag their photos with “gcds” or “guadec”. I have looked through a couple of them and they seem to be all good. But I couldn’t make it through all of them as there are way too many.

Two major drawbacks were the relocation of the conference and the Internet connectivity during the event: We moved from the rather central Alfredo Kraus Auditorium to the suburban University on the fourth day or so. That was inconvenient because it took ages to get there. The Internet thing is totally unrelated to the organizers, but left a bad taste anyway. The uplink was totally broken with a packet loss with up to 75% in “So6-0-0-0-grtmadno1.red.telefonica-wholesale.net”.

I’m looking forward to next years GUADEC or maybe “TDS”… :-)

Bugsquadding Talk on GCDS

I just had my talk with Pedro and I think it went quite well.

We talked about how to do QA in GNOME and how to use our tools properly. There were about 30 people listening and discussing with us. It was a great honour to meet the bugsquad heros like Philip, Akhil and guenther. Thanks to Andre to look over our slides.

Besides telling about our infrastructure, we slightly discussed alternative ways to access our bug database: There seems to be DeskZilla and Mylyn to work with bugzilla through the XML-RPC API. I haven’t tried Deskzilla yet (the GNOME key link is broken atm), but Cosimo says it doesn’t work with the GNOME bugzilla probably because it’s heavily patched. I wonder when we’ll migrate to Bugzilla-3…
I tried Mylin but it unfortunately doesn’t work either :( You can query and show the bugs but you can’t update them. It’s a pity because I think that webinterfaces suck in general and our GNOME bugzilla in special.

Although the intended target group wasn’t there, we managed to recruit triagers :) Let’s hope they’ll stay with us for a while. You can find the bugsquad-slides.

I followed the KDE Bugsquad BoF and we discussed several things. They seem to have more fundamental problems than we do, especially getting the bugzilla used by the developers. I collected a couple of ideas: Given that you can’t edit bugs right away if you just have created an account, would it be good to automatically set editing right once a user has commit permissions on the VCS? What about a bugsquad (micro) blog to keep the community informed and involved? It could be a good idea to have kind of a monthly digest which will be sent around. I also envy the KDE Bugdays which apparently are a lot of work, but also potentially recruits new bug triagers. Maybe one could write an webapp for managing the work involved…