165 talks

Hacker Jeopardy
Speakers: Sec, Ray
Fri, 27 Dec 2013 at 00:00
The Hacker Jeopardy is a quiz show.
The well-known reversed quiz format, but of course hacker style. It was once called "number guessing for geeks" by a German publisher, which of course is an unfair simplification. It's also guessing of letters and special characters. ;) Three initial rounds will be played, and the winners will compete with each other in the final. The event will be in German; we hope to have live translation again.

Die Lange Nacht der Hacker (The Long Night of the Hackers)
Speakers: Deutschlandfunk
Fri, 27 Dec 2013 at 00:00
With Constanze Kurz, Andy Müller-Maguhn and Dr. Tobias Matzner (University of Tübingen). Moderation: Christine Watty and Manfred Kloiber. Broadcast: 28.12.2013, 00:05-03:00 on Deutschlandradio Kultur, or 23:05-02:00 on Deutschlandfunk.

Sim Gishel
Speakers: Karl Heinz Jeron
Fri, 27 Dec 2013 at 00:30
Sim Gishel is a multimedia robot. He sings and dances on request. He will try hard to take part in casting shows to become a popstar.
Sim Gishel was born in 2006 in Berlin. Sim started as a drawing machine and later performed as a soloist at Hermes Opera until he decided to become a popstar. In 2013 Sim went to the Voice Of Germany audition. Unfortunately they did not let Sim sing. "This is a show by humans for humans. No robots." His biggest success so far has been the performance at Das Supertalent with Dieter Bohlen. Unfortunately the jury did not choose him for the live shows. Sim Gishel is named after a song on the fantastic Confield album by the all-time IDM superstars Autechre.

Opening Event
Speakers: Tim Pritlove
Fri, 27 Dec 2013 at 11:00
Introductory event to say hello to everybody, give a brief overview of the event's features, and look into history and future alike.

Do You Think That's Funny?
Speakers: lizvlx
Fri, 27 Dec 2013 at 11:30
This lecture shall give a first-person account of how circumstances have dramatically changed for actionist art practice over the last 15 years. I will use examples from my own art practice to show the impossibility of engaging in digital and real-life actionism, as they are considered criminal under anti-terrorist laws.
In the past, whenever we decided to start a new project, we always thought about possible legal implications in advance. Usually these would be easy to ignore, as these implications used to result in small fines for public disturbance, copyright infringement, and your average threatening lawyer's letter. By now, anti-terrorist laws prevent us from thinking freely about projects and issues that touch state authority and terrorism, because thinking terror already constitutes a crime. Hence we changed our strategy and went into the underground with "illegal art"; we have decided to publish such projects anonymously, and internally we call them our "Secret Projects". We can never be connected to what we artistically do in the underground. But I will present the changing social habitat and legal circumstances affecting the production process for artists by showcasing some of our key UBERMORGEN projects and revealing as little as possible about our "Secret Projects". In my talk I need to call to attention the many cases of self-censorship that every user on the net takes part in, the immensely negative effects of this lemming-like behavior, and the reflection of this downward spiral in the revolting newspeak that has taken over the mass media and the lovely commercial social networks. Because what we are experiencing right now, by means of a soft transformation, is a totalitarian take-over while the majority of the artists are focused on career, money and reputation instead of resistance, subversion and reflection.

An introduction to Firmware Analysis
Speakers: Stefan Widmann
Fri, 27 Dec 2013 at 12:45
This talk gives an introduction to firmware analysis: It starts with how to retrieve the binary, e.g. get a plain file from the manufacturer, extract it from an executable or memory device, or even sniff it out of an update process or internal CPU memory, which can be really tricky. After that it introduces the necessary tools, gives tips on how to detect the processor architecture, and explains some more advanced analysis techniques, including how to figure out the offsets where the firmware is loaded to, and how to start the investigation.
The talk focuses on the different steps to be taken to acquire and analyze the firmware of an embedded device, especially without knowing anything about the processor architecture in use. Frequently datasheets are not available or do not name any details about the processor or System on Chip (SoC) used. First the prerequisites, like knowledge about the device under investigation, the ability to read assembly language, and the tools of the trade for acquisition and analysis, are shown. The question "How do I get the firmware out of device X?" forms the next big chapter: From easy to hard we pass through the different kinds of storage systems and locations a firmware can be stored in, the different ways the firmware gets transferred onto the device, and which tools we can use to retrieve the firmware from where it resides. The next step is to analyze the gathered data. Is it compressed in any way? For which of the various processor architectures out there was it compiled? Once we have successfully figured out the CPU type and found a matching disassembler, where do we start to analyze the code? Often we have to find out the offset where the firmware is loaded to in order to get an easy-to-analyze disassembler output. A technique to identify these offsets will be shown. The last chapter covers the modifications we can apply to the firmware, and what types of checksum mechanisms are known to be used by the device or the firmware itself to check the integrity of the code.

Überwachen und Sprache (Surveillance and Language)
Speakers: josch
Fri, 27 Dec 2013 at 12:45
This talk presents advanced linguistic methods of politically motivated Internet monitoring. It gives no guidance on how to effectively evade surveillance, since that is futile anyway.
After Edward Snowden's revelations, quite a few net activists dreamed of rendering the NSA's surveillance system useless with the help of a "keyword DDoS". By randomly inserting into e-mails words that are used in monitoring as indicators of relevant content, the surveillance system of the American foreign intelligence service was to be overloaded. Such plans show that the idea is widespread that the search for material of interest to intelligence services works predominantly via keyword search. Yet there have long been far more powerful methods from information retrieval and text mining in computer science for efficiently searching large amounts of text for content. I would like to present some of them in my talk. First I will introduce some basic computational-linguistic categories of analysis (collocations, n-grams, semantic taxonomies, etc.) and then illustrate, with selected examples, their application to identifying persons, topics, ideologies and degrees of conviction.

Der tiefe Staat (The Deep State)
Speakers: Andreas Lehner
Fri, 27 Dec 2013 at 12:45
This talk describes the concept and idea of the deep state using the history of the Federal Republic of Germany.
Thanks to the current debate about the blanket surveillance of citizens, public interest in aspects of the deep state has grown. This talk will illustrate the concept of the deep state using the history of the Federal Republic. Legal aspects will be discussed, as will the high degree of militarisation and the extent of surveillance. The historical conflicts between paranoid right-wing conservatism and civic resistance are also mentioned. An outlook is intended to carry the debate about the future of the deep state to the outside world.

Seidenstraße
Speakers: *m, Jeff Mann, frank, Diani Barreto
Fri, 27 Dec 2013 at 12:45
Besides the usual digital infrastructure with Wifi, telephone etc., 30C3 will feature for the first time a pneumatic tube system, with the pretty name Seidenstraße. The installation OCTO, built from closed drainage pipes and vacuum cleaners by the artist group Telekommunisten, served as inspiration – some of you might remember it from the last transmediale.
We will present the concept of the installation, its evolution from OCTO to Seidenstraße as an Open Artwork, new features, and talk about the setup, making of and of course, how to participate! Project presentation and participation agenda: idea, concept, realisation, further features etc. In addition to this lecture, we are happy to announce that the Telekommunisten will also hold a workshop, where they will further explain the concept and background of OCTO and open up the discussion for further input.

Keine Anhaltspunkte für flächendeckende Überwachung (No Indications of Blanket Surveillance)
Speakers: Martin Haase, khamacher
Fri, 27 Dec 2013 at 14:00
Edward Snowden's revelations briefly threw German politics into turmoil. To calm things down, it was enough to process the revelations in a linguistically and logically clever way, to place them partly in a different context, and thus finally to be able to give the all-clear: the federal government has "no indications of blanket surveillance". This approach is a prime example of how, with simple linguistic and rhetorical tricks, those politically responsible deceived the public and themselves to the point where it no longer seemed necessary to deal with the actual problems, and so the tiresome topic could be kept out of the election campaign. Alongside the "Basta" phrases that have by now become standard, the phenomenon of modalisation played a special role, as closer analysis shows. Logical errors such as circular reasoning and (overly) strict restriction of the topical reference also enabled this "flight forward" strategy. The accumulation of linguistic tricks and of logical and substantive evasion suggests a staged performance.
All parties represented in the Bundestag commented on the Snowden revelations. As expected, the opposition attacked the government sharply, while the government was very quick to play things down – at first rather clumsily. Then came a surprising turn: suddenly everyone agreed that the NSA affair was over. Even the opposition, which had initially said that Merkel had broken her oath of office, calmed down. Interestingly, the turn was carried out above all linguistically, as the statements show very nicely. Above all, the use of conspicuous adverbs, of circular reasoning, and the sometimes drastic narrowing of references are revealing. Among those quoted are Angela Merkel, Ronald Pofalla, Thomas Oppermann and other protagonists of this particular kind of image politics.

Reverse engineering of CHIASMUS from GSTOOL
Speakers: Jan Schejbal
Fri, 27 Dec 2013 at 14:00
We reverse-engineered one implementation of the non-public CHIASMUS cipher designed by the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, short BSI). This not only gave us some insight into the cipher, but also uncovered serious implementation issues in GSTOOL which allow attackers to crack files encrypted with the GSTOOL encryption function with very little effort.
In the dark ages of digital cryptography, when ciphers were considered export-controlled munitions and AES was not yet standardized, the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, short BSI) decided to invent their own ciphers: CHIASMUS for software implementations and LIBELLE, which would be kept secret and only implemented in hardware. CHIASMUS is not publicly documented. It is implemented in a software tool of the same name, released by the BSI, which is only available where there is a public interest for its use. However, the GSTOOL, a database application for security audit management also released by the BSI, contains an encryption feature using the CHIASMUS block cipher, and is freely available. This software was developed by a third party, Steria Mummert Consulting, and apparently was not properly reviewed. We disassembled and analyzed the GSTOOL to obtain the specification for the encrypted files (and thus the CHIASMUS cipher itself), but we got more than we bargained for. While the cipher itself appears to be pretty secure, the implementation is a collection of rookie mistakes and a great example of what can (and will) go wrong if you ask people with little understanding of cryptography to build cryptographic software and don't verify their results. We invite you to enjoy this thriller full of historic backgrounds, non-public public announcements, legal threats, weapons-grade stupidity, and a very simple solution for complex cryptographic problems. Facepalm with us on the two-year-long hunt for the elusive security patch! Have a look at the (not-so-secret-anymore) CHIASMUS block cipher! Learn why you should not build your own crypto tools unless you really know what you are doing, even if you use a known algorithm. And what happens when government contractors attempt to do so. And then attempt to fix it.
(Note: Since this is an implementation issue, the stand-alone Chiasmus software tool is not affected by this issue.)

Triggering Deep Vulnerabilities Using Symbolic Execution
Speakers: gannimo
Fri, 27 Dec 2013 at 14:00
Symbolic Execution (SE) is a powerful way to analyze programs. Instead of using concrete data values, SE uses symbolic values to evaluate a large set of parallel program paths at once. A drawback of many systems is that they need source code access and only scale to a few lines of code. This talk explains how SE and binary analysis can be used to (i) reverse-engineer components of binary-only applications and (ii) construct specific concrete input that triggers a given condition deep inside the application (think of defining an error condition and the SE engine constructs the input to the application that triggers the error).
Analysis and reverse engineering of binary programs is cumbersome. Consider the problem that we have a given interesting (error) condition inside the program that we want to trigger. How can we generate a specific input to the program that, during the execution of the program, will trigger the condition? In this talk we use a combination of binary analysis techniques that recover high-level control-flow and data-flow information from a binary-only application and Symbolic Execution (SE) to automate the analysis of such problems. Existing SE tools have often been used to achieve high coverage across all code paths in an application to find implementation bugs. We use SE for a different purpose: given a vulnerability condition hidden deep inside the application, what is the input that triggers that condition? We tackle the given problem in three major steps: (i) gathering information about the binary, (ii) analyzing the information-flow and control-flow of the binary, and (iii) using symbolic execution to generate a specific input example that triggers the specified condition. During the information gathering process we define the interesting condition and use regular analysis techniques to set up later stages. In the information-flow and control-flow analysis we use a given sample input to collect a complete execution trace of the application that is then parsed into a graph that dissects the computation of the application into individual components. The last step uses fuzzBall, our open-source SE engine, to compute specific vulnerability-triggering inputs for the identified components. To evaluate our technique we will show several examples using real programs, showing how we can use specific vulnerability conditions to automatically generate input that triggers the condition. In addition, we will show how our SE engine can be used for other interesting analyses on binary-only applications.
Our tools are available as open-source and we invite other hackers to join in on this project.

10 Years of Fun with Embedded Devices
Speakers: nbd
Fri, 27 Dec 2013 at 14:00
A review of the 10 year history of the OpenWrt project, current events, and upcoming developments.
This year we are celebrating ten years of OpenWrt; a long time has passed and a lot has happened since people first started hacking on devices like the WRT54G. Both the hardware and the software landscape have completely changed since then. In this talk we would like to take the chance, together with the audience, to look back on how the OpenWrt distribution evolved over time and how it has changed its goals, its processes and its software stack. We will show examples of the current state of the art, invite guests on stage, and display things to come. And in general, celebrate that 10 years have passed and that many more are to come. The talk will start by looking back into the ancient history of OpenWrt - how it all got started - continue to the present time and give an overview of current and recent developments, and then finish with an outlook onto future changes. During the talk we will look at the politics of what we have learned, what we think is broken in the CPE market, and how OpenWrt can help to change this. OpenWrt has, over the course of the past 10 years, created a territory of its own, a territory situated in a landscape crisscrossed by relations, friction and interconnections. It is a journey that on its way created a universal embedded Linux operating system. OpenWrt is one of many islands in the Net which thrives by giving away its work to friends, associates and all those many people we don't know. All this is a good reason to celebrate, and the talk will finish with beer, exotic drinks and more fun to come.

Rock' em Graphic Cards
Speakers: mel/ Agnes Meyder
Fri, 27 Dec 2013 at 16:00
This talk introduces programming concepts and languages for parallel programming on accelerator cards.
Curious about the buzz around these graphic cards? Ever heard of a Xeon Phi? Let's talk about them! In my talk, I will introduce data- and task-based parallelism on multi-core systems as a basis. The well-known standards mentioned here will be OpenMP and OpenMPI. Then I will show you the hardware-close programming languages CUDA and OpenCL. I will also mention OpenACC and C++AMP as one possible way towards more abstraction and better code maintainability. All of them allow you to program accelerator cards, with or without some safeguards in place. But because every accelerator card is different in how to reach its maximum speed, I will also cover some fundamental card architectures and their pitfalls. At the end of the talk, you will be able to map your problem to one (or both) of the parallelism concepts, have a first idea of how to get started ... and whether it is worth the work. Looking forward to seeing you there!

IFGINT
Speakers: Stefan Wehrmeyer
Fri, 27 Dec 2013 at 16:00
With the Freedom of Information Act (Informationsfreiheitsgesetz, IFG) and FragDenStaat.de, citizens can easily surveil the state back. What do you learn when you ask? Where are the problems, what are the workarounds? A look back at 2013, a look ahead to 2014, and a call to use the IFG.
With FragDenStaat.de, the Open Knowledge Foundation Deutschland runs a portal on freedom of information. Citizens can submit requests to public authorities, and the correspondence is published online. In this way we try to offset the authorities' information advantage through transparent communication and at the same time make the freed information available to everyone. Thus the public gets to see how freedom of information works in practice. The talk presents the best IFG stories of 2013 and the workarounds for using the IFG effectively despite its quirks and actively making the state more transparent.

07KINGSTON25 JAMAICA: MALARIA UPDATE Dispatches from Fort Meade
Speakers: Alexa O'Brien
Fri, 27 Dec 2013 at 16:00
At Fort George "Orwell" Meade, home of the NSA and the US Defense Information School, managing the message of Chelsea Manning's trial was facilitated by a lack of public access to most of the court filings and rulings until 18 months into her legal proceeding.
While Manning disclosed approximately 750,000 documents to WikiLeaks, only 226 of those documents were charged against her under the Espionage and Computer Fraud and Abuse Acts. Only now, three months after being sentenced to thirty-five years in prison on twenty counts (including seven containing the Espionage Act language), do we know the identity of most of those 226 charged documents. Do you want to know what put Manning away for 35 years? The truth is stranger than fiction.

Electronic Bank Robberies
Speakers: tw, sb
Fri, 27 Dec 2013 at 16:00
This talk will discuss a case in which criminals compromised and robbed an ATM by infecting it with specially crafted malware. The successful compromise of an ATM can easily result in the loss of several hundred thousand dollars.
Most automated teller machines (ATMs) run regular Windows systems and can be controlled like any other computer. The first public demonstration of an ATM hack was given in 2010 - but how bad is this threat really? It turns out there is a multi-million dollar business behind ATM hacks. This talk reveals how these criminal gangs operate by disclosing information obtained through forensic analysis of a real compromise. In the analyzed case, malware written specifically for the targeted ATM brand was used to control the hacked machine. By reverse-engineering this malware, we gained unique insights into the technologies used by the intruders. The malicious features range from balance monitoring and cash-out commands to the wiping of the machine to cover up traces of the attack. They can be accessed through special number codes that are entered directly via the machine's number pad. Hooking techniques and overlay windows are used to display the status of the system on the ATM monitor. We will further discuss that operations of this scale can only be performed by professional crime groups that not only have the technical capabilities to develop such special malware, but also have access to insider information about the design of ATMs and know how the targeted banks operate.

Deutschlandfunk Live
Speakers: Deutschlandfunk
Fri, 27 Dec 2013 at 16:35

lasers in space
Speakers: anja
Fri, 27 Dec 2013 at 16:45
This talk will give an introduction to lasers and space and will show the huge diversity of applications for lasers in space.
For various fields, like fundamental physics, inertial navigation, geophysics, and precision time keeping, a deployment of experiments in outer space is highly desirable or even necessary in order to meet the stringent requirements on stability and precision. One approach to building ultra-stable and precise measurement setups includes the use of optical systems, as in quantum optical sensors or optical clocks. In addition, optical circuitry is also used in communication systems in space. However, optical systems on the ground used to be bulky and sensitive to environmental changes like vibration and increasing temperature. This talk will outline the challenges of converting an optical ground experiment into an experiment operated in space. It will name some specifications of different ways of reaching "space", approaches to meeting these specifications, and will show tests to be performed in order to qualify a system. As an example, the development of very robust, energy-efficient, micro-integrated laser modules for the deployment of cold-atom-based quantum sensors in space is shown. These laser modules fit on micro optical benches not larger than 80 x 25 mm² and make use of either already space-qualified or space-qualifiable components and integration technologies.

Mobile network attack evolution
Speakers: Karsten Nohl, Luca Melette
Fri, 27 Dec 2013 at 17:15
Mobile networks should protect users on several fronts: Calls need to be encrypted, customer data protected, and SIM cards shielded from malware. Many networks are still reluctant to implement appropriate protection measures in legacy systems. But even those who add mitigations often fail to fully capture attacks: They target symptoms instead of solving the core issue. This talk discusses mobile network and SIM card attacks that circumvent common protection techniques to illustrate the ongoing mobile attack evolution.
The evolution is exemplified by new advanced attack vectors against mobile communication and SIM cards: Mobile calls and identities are known to be weakly protected, but networks have progressively rolled out patches to defeat hacking tools. We will discuss — and release — tools to measure whether these changes are effective. SIM cards were identified as a remote exploitation risk this year: Unnoticed by the victim, an attacker can take control over a card by sending a few binary SMS. Network operators started filtering binary SMS and patched some of their weak SIM card configurations in response to vulnerability research. The talk looks at filtering evasion techniques and discloses new configuration vulnerabilities present in many cards world-wide.

Kryptographie nach Snowden (Cryptography after Snowden)
Speakers: ruedi
Fri, 27 Dec 2013 at 17:15
The use of mediocre cryptography appears to have failed completely against attackers with a budget in the billions. Specifically, RC4, MD5 and SHA1 appear to be breakable in practice.
The talk describes the current threat situation, gives practical advice for secure cryptography, and ventures an outlook on two coming crypto disasters, particularly in the area of "Trusted Computing".

Basics of Digital Wireless Communication
Speakers: Clemens Hopfer
Fri, 27 Dec 2013 at 17:15
The aim of this talk is to give an understandable insight into wireless communication, using existing systems as examples of why there are different communication systems for different uses.
Although wireless communication systems like Wifi, GSM, UMTS, Bluetooth or DECT are always surrounding us, radio transmission is often seen as "Black Magic". Digital wireless communication systems differ significantly from analog system designs, although the actual transmission is still analog. Digital modulations, coding, filtering etc. enable highly scalable and adaptive wireless systems, making it possible to design quad-band LTE/UMTS/CDMA/GSM radios on a single chip. The talk briefly describes system concepts, modulation and coding basics, along with the challenges of mobile communication systems. This will include the following topics:
- System concepts
- Digital modulations
- Shannon–Hartley theorem
- Channel coding principles
- Channel access
- High frequency basics
- Radio propagation

Policing the Romantic Crowd
Speakers: MaTu
Fri, 27 Dec 2013 at 17:30
This talk considers the use of new technology to police large crowds in the Romantic period. We examine ethical aspects of modern surveillance technologies by looking at debates around crowd control and face recognition in the age that first imagined, and reflected on, the surveillance state.
1819 saw a craze in Britain for German mechanic Karl von Drais's Laufmaschine – a two-wheeled, pedalless wooden precursor of the bicycle dubbed "velocipede" or "dandy charger". As well as recreational uses, military and police applications were quickly proposed for this futuristic technology. On 1 September 1819, The Tickler magazine imagined squadrons of "Dandy Dragoons" being used to police "public spectacles". There was a serious point beneath the humour. Just two weeks earlier, brutal policing by soldiers on horseback led to the deaths of protestors at a public meeting that became known as the Peterloo Massacre. We consider the Drais-maschine as a "hacked horse", but one that caused public anxiety as well as fashionable interest. We consider Romantic debates around the proposed use of velocipedes for "home service", since they strikingly anticipate contemporary discussions about drone deployment in homeland security contexts. We ask what light these early debates throw on our own misgivings about the "teching-up" of surveillance agencies. We look at two "public spectacles" in the Romantic period. The first is the "Triumphant Entry into London" on 13 September 1819 of popular radical politician Henry Hunt to answer treason charges following his participation at Peterloo. The poet John Keats was among the 30,000-strong crowd who lined the streets to welcome him, and from his letters we have an eyewitness account. The second – related – "public spectacle" is imagined in a painting entitled "Christ's Triumphant Entry into Jerusalem" by Keats's friend B. R. Haydon. Haydon included Keats's face in the crowd, as well as those of other poets and philosophers, including Voltaire and Newton. Critics of the painting referred to the "gross anachronism" of their presence – in another sense, though, they are merely in the wrong place, at the wrong time (Zur falschen Zeit am falschen Ort).
Both spectacles offer a bridge to a consideration of ethical aspects of C21 surveillance technology. The final part of our talk focuses on Romanticism's understanding of the interpretive role of face recognition. Modern software promises to turn facial features into objective, mathematical space, though arguably fails to move beyond the subjective heuristic space into which viewers of Haydon's canvas were invited two hundred years ago. Modern face-tracking software's act of recognition is always an act of imagining the subject's relation to wrong-doing. The identified face in the crowd summons his or her "unenrolled" Doppelgänger, where individuals occupy a quantum-like state of uncertainty until a measurement is made against a crime – a problem to which Haydon's painting seems supremely attuned. The talk as a whole builds on our previous exploration at 29C3 of ways in which post-Enlightenment art, poetry and political philosophy are relevant to C21 discussions about surveillance culture.
Professor Richard Marggraf Turley is Professor of Engagement with the Public Imagination at Aberystwyth University. He is author of three books on Romanticism. Blog: http://richardmarggrafturley.weebly.com/blog.html @RMarggrafTurley
Anne Marggraf-Turley is Lecturer in Information Computer Technology at Coleg Ceredigion. @matusound
Both live 20k north of Aberporth, Wales, UK, where Europe's only test facility for civilian and military drones is situated. This talk will be in English. We're happy to take questions in either English or German.

Workshop "Hacking Radio"
Speakers: Deutschlandfunk
Fri, 27 Dec 2013 at 18:00
with Manfred Kloiber, Jan Rähm and Peter Welchering
🎤
Hardening hardware and choosing a #goodBIOS
Speakers:
👤
Peter Stuge
📅 Fri, 27 Dec 2013 at 18:30
A commodity laptop is analyzed to identify exposed attack surfaces and is then secured on both the hardware and the firmware level against permanent modifications by malicious software as well as quick drive-by hardware attacks by evil maids, ensuring that the machine always powers up to a known good state and significantly raising the bar for an attacker who wants to use the machine against its owner.
Commodity computers by design include attack vectors that allow malicious software and attackers who gain brief physical access, so-called evil maids, to take full control over the machine without the owner ever noticing. The presentation briefly enumerates well-known attacks such as remote DMA over IEEE 1394/FireWire, BIOS bootkits, AMT and closed source operating system updates to arrive at a problem statement, and moves on in search of solutions which can block the attacks completely or at least hinder them from becoming persistent, starting a layer below them all, with the schematic of a laptop mainboard. A few relatively simple hardware modifications are identified, which together with the coreboot #goodBIOS firmware prevent two entire classes of attacks. The result is a machine which always powers up in a known good state and which must be under attacker control for 20 minutes in order to be compromised, rather than just 20 seconds. In closing, the presentation starts a discussion about what we can do to address this problem, which exists in every single computer on the market, on a larger scale.
🎤
Long Distance Quantum Communication
Speakers:
👤
C B
📅 Fri, 27 Dec 2013 at 18:30
This talk introduces the general 30c3 participant to several components of long distance quantum communication.
Quantum key distribution, popularized under the name quantum cryptography, is the most widely known branch of quantum communication. It describes the secure exchange of a secret key in public, protected by physical laws. Several components, which are actively being researched, are necessary to extend it over long distances. An introduction will be given to the theoretical and experimental requirements for quantum communication. The concept of the quantum repeater, with its components, quantum memory and entanglement swapping, will be discussed in detail.
🎤
Bug class genocide
Speakers:
👤
Andreas Bogk
📅 Fri, 27 Dec 2013 at 18:30
Violation of memory safety is still a major source of vulnerabilities in everyday systems. This talk presents the state of the art in compiler instrumentation to completely eliminate such vulnerabilities in C/C++ software.
The hacker community has a lot of words for situations in which access to the wrong part of memory leads to an exploitable vulnerability: buffer overflow, integer overflows, stack smashing, heap overflow, use-after-free, double free and so on. Different words are used because the techniques to trigger the faulty memory access and to subsequently use that to gain code execution vary, but they all share a common root cause: violation of spatial and temporal memory safety.
If one looks at the C/C++ standard, the situations that tend to be exploitable are "unspecified". Usually, compiler writers take that as an excuse to cut corners, to gain that extra bit of performance in the benchmarks. Because, you know, who cares you're exploitable when you make a mistake, look how fast it is!
However, the standards also allow the compiler to introduce safety checks, to see whether access to a pointer actually touches the inside of an allocated object instead of the outside (spatial memory safety), and to make sure that the pointer being accessed actually points to an object that has been allocated, but not yet been freed again (temporal memory safety). Such compilers do exist, in the form of LLVM with specialized optimizer passes that introduce runtime safety checks.
This talk will look into the details of the implementation, the performance impact, practical handling, and of course, whether it really delivers the promised 100% protection against buffer overflows.
🎤
Monitoring the Spectrum: Building Your Own Distributed RF Scanner Array
Speakers:
👤
Andrew Reiter (arr,awr)
📅 Fri, 27 Dec 2013 at 19:00
Software-Defined Radio (SDR) has increased in popularity in recent years due to the decrease in hardware costs and increase in processing power. One example of such a class of devices is the RTL-SDR USB dongles based on the Realtek RTL2832U demodulator. This talk will discuss my experience in building a distributed RF scanner array for monitoring and spectrum mapping using such cheap SDR devices. The goal is to help the audience understand the what, why, and how of building their own RF monitoring array so that they will be able to do it themselves. In this era of increasingly being "watched", we must be prepared to do our own "watching".
Software-Defined Radio (SDR) has increased in popularity in recent years due to the decrease in hardware costs and increase in processing power. One example of such a class of devices is the RTL-SDR USB dongles based on the Realtek RTL2832U demodulator. This work investigates building and running an RF scanner array for monitoring and spectrum mapping using cheap SDR devices. The array allows both RF sampling and power analysis to be split over multiple systems in order to increase capture and spectrum analysis capabilities. The system allows for "strong signal capture" as well as, simply, signal modeling with "strong signal alerting". Also discussed will be using the array versus USRPs and the issue of antennae for all of the devices. I will explain the mistakes I made in building the array and what I did to attempt to overcome such pitfalls. The code for running the array will be introduced and released for public consumption. In addition, while we target the RTL-SDR devices, we will discuss the feasibility of including non-traditional SDR hardware in the array, including non-Realtek tuner cards and inclusion of HackRF devices.
🎤
30c3 Keynote
Speakers:
👤
Glenn Greenwald
👤
frank
📅 Fri, 27 Dec 2013 at 19:30
via videolink.
🎤
"Smartes Heim - Glück allein"
Speakers:
👤
Deutschlandfunk
📅 Fri, 27 Dec 2013 at 20:00
Discussion with Micha Borrmann (SySS GmbH), Marco Ghiglieri (TU Darmstadt), Eric Thews (TU Darmstadt), nnB. Moderation: Peter Welchering. Live broadcast on Deutschlandradio Dokumente und Debatten (DAB+).
🎤
Toward a Cognitive "Quantified Self"
Speakers:
👤
Kai
📅 Fri, 27 Dec 2013 at 20:30
The talk gives an overview about our work of quantifying knowledge acquisition tasks in real-life environments, focusing on reading. We combine several pervasive sensing approaches (computer vision, motion-based activity recognition etc.) to tackle the problem of recognizing and classifying knowledge acquisition tasks with a special focus on reading. We discuss which sensing modalities can be used for digital and offline reading recognition, as well as how to combine them dynamically.
People increasingly track their physical fitness, from step counting and recording sports exercises to monitoring their food intake (e.g. Fitbit, Runkeeper, LoseIt). Being more aware of their routine lets people improve their physical life, fostering better eating and exercise habits, decreasing the risk of obesity related diseases and increasing the quality of life. Physical activity recognition is becoming mainstream. Traditionally, research in activity recognition has focused on identifying physical tasks performed by the user through setting up elaborate, dedicated sensors in the lab. Yet, in recent years, physical activity recognition has become more mainstream. As industry begins to apply advances suggested by activity recognition research, we see more and more commercial products that help people track their physical fitness, from simple step counting (e.g., Fitbit One, Misfit Shine, Nike Fuelband, Withings Pulse) and sports expertise tracking (e.g. Runkeeper, Strava) to sleep monitoring. We also see the first smartphone applications giving users an overview of their activities, for example "Human" and "Move", just to name two. Their tracking abilities are still limited by the battery power of today's smart phones. Yet, with the just announced M7 chip in the new iPhone 5s (making it easy to aggregate and interpret sensor data in a power efficient manner), we can expect that physical activity tracking will sooner or later be integrated into our smart phones and other everyday appliances. While people have explored the problem of physical activity recognition thoroughly, the ability to detect cognitive activities is an area with many challenges. This exciting new research field, Cognitive Quantified Self, opens up new opportunities at the intersection of wearable computing, machine learning, psychology, and cognitive science.
In this talk I focus on tracking reading (the cognitive process of decoding letters, words, and sentences) in a mobile setting using optical eye tracking and occasionally first person vision (a camera worn on the user's head). We want to establish long-term tracking of many mental processes, suggesting strategies to optimize mental fitness and cognitive well-being. Imagine educators getting real-time feedback about the attention level and learning progress of their students, giving them a good grasp of already understood and potentially difficult concepts. Learning material can be redesigned and tailored towards the needs of the individual student, given their reading/learning history, their preferences and life-style. Content creators can use the quantified mind logs as a basis for improving their works. In which part of the movie are users most attentive? What feelings does a particular paragraph in a book convey? In case you are a researcher, wouldn't you like to know at what sentence a reader loses interest in your grant proposal? And finally we can tackle lifestyle issues that are more difficult to analyze, given a large enough user group and good enough sensing, e.g. how do sleep and eating habits influence our attention and learning?
🎤
The Tor Network
Speakers:
👤
Jacob
👤
arma
📅 Fri, 27 Dec 2013 at 20:30
Roger Dingledine and Jacob Appelbaum will discuss contemporary Tor Network issues related to censorship, security, privacy and anonymity online.
The last several years have included major cryptographic upgrades in the Tor network, interesting academic papers in attacking the Tor network, major high profile users breaking news about the network itself, discussions about funding, FBI/NSA exploitation of Tor Browser users, botnet related load on the Tor network and other important topics. This talk will clarify many important topics for the Tor community and for the world at large.
🎤
Console Hacking 2013
Speakers:
👤
sven
👤
marcan
👤
Nicholas Allegra (comex)
📅 Fri, 27 Dec 2013 at 20:30
About a year ago Nintendo released their latest video gaming console, the Wii U. Since 2006, the Wii has led to one of the most active homebrew scenes after its security system was completely bypassed. This talk will discuss the improvements made in Wii U's architecture and explain how it was broken in less than 31 days. The talk is targeted at those who hack (or design) embedded system security, but gamers might also find it interesting.
The talk will consist of several parts. First, we will discuss the Wii U: what it is, what makes it tick, and how it compares to its predecessor, the Wii. Next, we will cover two different approaches that we used to attack the Wii U system. The focus will be on how our results were achieved instead of on what those results are, so you can reproduce the attacks at home. Along the way we'll describe the Wii U's security architecture. The third and final part of the talk will cover where to go from here: What is broken, what is yet to be broken, things that still have to be done to create a viable homebrew ecosystem, the balance between the effort required and the reward for users and hackers, and the potential upsides and downsides of different approaches. Basic knowledge of embedded systems and CPU architectures is recommended for attendees, although we will try to explain required concepts as we go along. Before and after the talk we will also be available in the hackcenter for those who would like to discuss further details or embedded security in general.
🎤
Life Without Life
Speakers:
👤
Raja Oueis
📅 Fri, 27 Dec 2013 at 20:30
From the mind of a teenager, this short story briefly recounts the tale of an alien race and how their pride led to their downfall. However, with death comes rebirth, and the end of their story may just be the beginning of ours...
🎤
Forbidden Fruit
Speakers:
👤
Joe Davis
📅 Fri, 27 Dec 2013 at 20:30
Various dietary restrictions are historically associated with human culture and civilization. In addition, millions suffer from eating disorders that have both pathological and cultural origins.
Widespread concern about food safety has been exacerbated by the introduction of genetically modified crops and questionable practices of world agro-business. Meanwhile, many common organic foods are naturally poisonous and can cause illness and death if handled or prepared improperly. The most poisonous food imaginable is, of course, the forbidden fruit of the "Tree of Knowledge of Good and Evil". The ongoing catastrophic and bloody conflict between wisdom and knowledge has decimated humanity and many of its intellectual and cultural treasures. As a project in art and science, an international consortium has been organized to sequence the genome of Malus sieversii, a wild apple from central Asia recently shown to be the ancestor of all domestic cultivars. A project to modify the Malus sieversii genome with a compressed version of Wikipedia is now underway. Malus ecclesia (Wikipedia-modified M. sieversii) will be planted in herpetaria and several other sculptural/architectural contexts internationally.
🎤
Der Kampf um Netzneutralität
Speakers:
👤
Markus Beckedahl
👤
Thomas Lohninger
📅 Fri, 27 Dec 2013 at 21:45
Discussed for years only in expert circles, the debate on net neutrality had its breakthrough in 2013. With Deutsche Telekom's announcement in spring that it would switch to volume-based tariffs in future and let partner services through with priority, net neutrality became one of the most discussed net-policy debates of the year. At national level the Federal Ministry of Economics started a discussion about a regulation, and at EU level the Commission presented a proposal for a regulation.
What is this debate about, and who are the stakeholders and what are their interests? What are the arguments, and what do the concrete political processes at national and EU level look like? How will the debate continue, and what can you do yourself?
🎤
Baseband Exploitation in 2013
Speakers:
👤
RPW, esizkur
📅 Fri, 27 Dec 2013 at 21:45
Exploitation of baseband vulnerabilities has become significantly harder on average. With Qualcomm having grabbed 97% of the market share of shipped LTE chipsets in 1Q2013, you see their chipset in every single top-of-the-line smartphone, whether it is an Android, an iPhone, a Windows Phone or a Blackberry.
While almost all other current baseband CPUs are ARM-based, Qualcomm has transitioned their entire modem software stack to their own DSP-based architecture, the Hexagon architecture. The architecture switch together with recent hardening of the baseband stack introduces significant challenges for exploit development which we will explore in this talk.
🎤
World War II Hackers
Speakers:
👤
Anja Drephal
📅 Fri, 27 Dec 2013 at 21:45
The use of encryption to secure sensitive data from unauthorized eyes is as old as human communication itself. Before the relatively new method of computerized encryption software converting data into a format unintelligible to anyone lacking the necessary key for its decryption, for a long time there was pen and paper and the human brain doing quite a bit of work. Up until the 20th century encryption had to be done literally by hand, to then be transmitted in paper form, via telegraphy or radio. In this context, encryption of data has always been of special importance during times of political conflict and war; subsequently, it saw its major developments during those times in history. This talk will examine and explain common hand encryption methods still employed today using the example of one very successful Soviet espionage group operating in Japan in the 1930s and 1940s: the spy ring centered around Richard Sorge, codenamed “Ramsay”.
In the summer of 1938, the Japanese Secret Police started to notice mysterious radio transmissions emanating from somewhere in the Tokyo area. These transmissions, consisting of seemingly meaningless groups of digits, seemed to be directed towards the Asian mainland; neither the Secret Police nor the Japanese Communications Ministry and the Communications Bureau of the Governor General of Korea were able to pinpoint their origin more precisely. It wasn't until 1941 that Japanese authorities uncovered the full scope and meaning of these messages – by accident and at first disbelieving what they had unearthed. The seemingly gibberish radio transmissions did indeed emanate from the heart of Tokyo and, as it turned out, were received in Vladivostok and passed on to Moscow, to be presented to Stalin himself. Decrypted, they contained vital information about secret German and Japanese plans, even the date of the German invasion of the Soviet Union. This information had been gathered by Richard Sorge, a German citizen with a colorful personality who had infiltrated the small German community in Japan under the guise of a journalist and even gained the friendship and trust of the German ambassador, giving him access to any information available inside the embassy of Japan's ally. In Japan since 1933, Sorge had built a spy ring around a small group of confidantes: a Japanese journalist with connections to powerful Japanese political circles, a French-Yugoslav communist, and a German radio technician, Max Clausen. Clausen's technical knowledge proved vital for the group's success: he was able to build a transmitter and receiver capable of reaching up to 4,000 km from scratch, using parts available in Tokyo shops without raising suspicion. His radio station was fully portable in a large briefcase and could be assembled in under 10 minutes.
The dispatches transmitted to the Soviet Union by Sorge's group were written in English and then converted into digits using a straddling checkerboard and, to scramble the content even more, a book cipher, using pages from a statistical yearbook as the key. The Japanese authorities were not able to decipher the messages; Sorge's encryption method remained unbroken until Max Clausen explained it himself after his arrest in 1941. The historical importance of Sorge's espionage material remains a controversial issue among historians; some call him the greatest spy of all time, some argue that since Stalin did not trust his information, Sorge had little influence on the outcome of World War II. Instead of trying to settle this argument, my talk will examine the technical aspects of Sorge's work in Japan: I will describe the DIY radio station used to wirelessly transmit his dispatches over thousands of kilometers and show how these dispatches were manually encrypted using nothing but a pen, paper, and a book – suggesting that this method is still valid today, offering low-tech ways of concealing information, be it private or politically delicate material.
🎤
The GNU Name System
Speakers:
👤
grothoff
📅 Fri, 27 Dec 2013 at 21:45
DNS, DNSSEC and the X.509 CA system leak private information about users to server operators and fail to provide adequate security against modern adversaries. The fully decentralized GNU Name System provides a privacy-enhancing and censorship-resistant alternative.
The Domain Name System (DNS) is vital for access to information on the Web. It is thus a target for attackers trying to suppress free access to information. This talk introduces the design and implementation of the GNU Name System (GNS), a fully decentralized and censorship-resistant name system. GNS provides a privacy-enhancing alternative to DNS and existing public key infrastructures (such as X.509 certificate authorities), while giving users the desirable property of memorable names. The design of GNS incorporates the possibility of integration and coexistence with DNS. GNS builds on ideas from the Simple Distributed Security Infrastructure (SDSI), addressing a central issue with the decentralized mapping of secure identifiers to memorable names: namely the impossibility of providing a global, secure and memorable mapping without a trusted authority, also known as Zooko's triangle. GNS uses the transitivity in the SDSI design to replace the trusted root with secure delegation of authority, thus making petnames useful to other users while operating under the strong adversary model assumed by Zooko. In addition to describing the GNS design, this talk also discusses some of the mechanisms that are needed to smoothly integrate GNS with existing processes and procedures in Web browsers. Specifically, we show how GNS is able to transparently support many assumptions that the existing HTTP(S) infrastructure makes about globally unique names.
🎤
No Neutral Ground in a Burning World
Speakers:
👤
Quinn Norton
👤
Eleanor Saitta
📅 Fri, 27 Dec 2013 at 23:00
The news of the past few years is one small ripple in what is a great wave of culture and history, a generational clash of civilizations. If you want to understand why governments are acting and reacting the way they are, and as importantly, how to shift their course, you need to understand what they're reacting to, how they see and fail to see the world, and how power, money, and idea of rule of law actually interact.
Our relationships with work and property and with the notion of national identity are changing rapidly. We're becoming more polarized in our political opinions, and even in what we consider to be existential threats. This terrain determines our world, even as we deal with our more individual relationships with authority, the ethics imposed by our positions in the world, and the psychological impact of learning that our paranoia was real. The idea of the Internet and the politics it brings with it have changed the world, but that change is neither unopposed nor detached from larger currents. From the battles over global surveillance and the culture of government secrecy to the Arab Spring and the winter of its discontent, these things are part of this moment's tapestry and they tell us about the futures we can choose. The world is on fire, and there is nowhere to hide and no way to stay neutral.
🎤
HbbTV Security
Speakers:
👤
Martin Herfurt
📅 Fri, 27 Dec 2013 at 23:00
HbbTV (Hybrid broadband broadcast TV) is an emerging standard that is implemented in a growing number of smart TV devices. The idea is to bundle broadcast media content with online content which can be retrieved by the TV set through an Internet connection. Mechanisms that allow the online content to be accessed by the TV set can be attacked and might put the TV user’s privacy at stake. The presentation highlights possible attack vectors of HbbTV-capable TV sets and introduces possible mitigations.
The Hybrid Broadcast Broadband TV consortium aims to define a standardized way on how content from so-called entertainment providers (e.g. broadcast stations, online media providers) is delivered on connected TVs. Starting as a Pan-European effort, the HbbTV consortium wants to create a globally adopted standard for hybrid entertainment services. Especially within the so-called Declarative Application Environment (DAE) – the HbbTV browser – another standard for connected TVs is being adopted: The Open IPTV Forum standard for Internet protocol TVs (IPTV). This standard seems to cover the device-specific part for Internet functionality. This new standard in the entertainment industry is currently rolled out in an increasing number of countries in- and outside of Europe. Besides concerns about privacy, this technology also raises concerns about security. Possible attack vectors and possible mitigations are introduced in this presentation.
🎤
Firmware Fat Camp
Speakers:
👤
angcui
📅 Fri, 27 Dec 2013 at 23:00
We present a collection of techniques which aim to automagically remove significant (and unnecessary) portions of firmware binaries from common embedded devices to drastically reduce the attack surface of these devices. We present a brief theoretical explanation of Firmware Fat Camp, a collection of "before" and "after" photos of graduates of FFC, along with a set of live demonstrations of FFC in action on common embedded devices. Modern embedded systems such as VoIP phones, network printers and routers typically ship with all available features compiled into their firmware image. A small subset of these features is activated at any given time on an individual device based on its specific configuration. An even smaller subset of features is actually used, as some unused and insecure features are typically enabled by default and cannot be disabled. Consequently, all embedded devices still contain a large amount of code and data that should never be executed or read according to their current configuration. This unnecessary binary is not simply a waste of memory; it contains vulnerable code and data that can be used by an attacker to exploit the system. This "dead code" provides an ideal attack surface. Automated minimization of this attack surface will significantly improve the security of the device without any impact on the device's functionality.
We propose a set of methods for hardening existing embedded systems against attack by employing Binary Autotomy, the automated removal of unnecessary binaries from each embedded device according to its current configuration. The configuration of the embedded device to be protected is analyzed. The firmware binary corresponding to the features enabled in the configuration is kept. The firmware corresponding to features not enabled in the configuration is removed from the firmware image. The firmware to be removed is determined by applying static and dynamic binary code analysis to the original firmware image. This analysis maps each configurable feature to a set of binary executable code within the firmware image. When a particular configuration is analyzed, a list of enabled features is built from that file. Using the feature-to-code mapping created from the original dynamic and static analysis, autotomic binary reduction simply removes all code that belongs to features that are not enabled, or should not be used, in the particular configuration file in question. We present a quantitative analysis of the effectiveness of Binary Autotomy algorithms on a collection of common embedded devices along with several live demonstrations of embedded devices running post-FFC firmware images. How much unnecessary binary can be ripped out of XYZ*? Come and find out! * XYZ = {Home routers | Enterprise routers | VoIP phones | Printers | Web Cams}
🎤
Breaking Baryons
Speakers:
👤
Michael Büker
📅 Fri, 27 Dec 2013 at 23:00
A light-hearted presentation about many aspects of particle accelerators like the LHC and their particle collision experiments. Aimed at technically interested non-scientists and physics buffs alike.
When the Large Hadron Collider went into operation in 2008, many people around the world (re)discovered an interest in particle physics and collision experiments. If you are reading this, particle accelerators have not destroyed the world yet, giving us a chance to talk about them. Particle accelerators and collision experiments touch on many fascinating aspects of technology and physics that are far removed from our usual experiences: vast machines, high precision, huge energies, enormous volumes of data, tiny lifetimes and ultra-rare occurrences. This talk wants to entertain and surprise with insights into the workings of particle accelerators, the instruments used to make discoveries and the techniques used for learning from their results. The talk is supposed to be enjoyable for the scientifically versed as well as the technically inclined or the interested observer. No physics background necessary!
🎤
Perfect Paul
Speakers:
👤
artelse
📅 Sat, 28 Dec 2013 at 00:00
The facial hacking research presented in this lecture/performance exploits a well known vulnerability of the human nervous system: it can be easily accessed and controlled by electrodes mounted on the body's exterior. External digital facial control allows for an unprecedented exploration of human facial expressiveness and has unveiled an unknown expressive potential of the human facial hardware.
Perfect Paul is a sequel to my (in)famous Huge Harry lecture/performance in which a digital persona lectures on computer to human communication. This new lecture/performance, in a highly condensed fashion, will present the results of my recently completed doctoral artistic research entitled: "Facial Hacking: The Twisted Logic of Electro-Facial Choreography." Perfect Paul will demonstrate in a live computer versus human showdown the superior qualities of digital versus neural facial control. Perfect Paul, when performed for the first time in Bilbao, Spain, won the Technarte 2012 Best Speaker Award.
- Perfect Paul: http://artifacial.org/perfect_paul
- Transcript: http://artifacial.org/perfect_paul_transcript
- Website: http://artifacial.org
- Vimeo channel: http://vimeo.com/artelse
🎤
Jahresrückblick des CCC
Speakers:
👤
Constanze Kurz
👤
frank
👤
Linus Neumann
📅 Sat, 28 Dec 2013 at 00:00
The year 2013 will come to an end at some point, too. So we look back at the topics that were particularly relevant to us and try to estimate what might come our way in 2014.
🎤
Googlequiz
Speakers:
👤
Jöran Muuß-Merholz
👤
Gestatten
👤
it4n6
📅 Sat, 28 Dec 2013 at 00:00
The average user uses only five percent of his Google capabilities. The Googlequiz helps to expand that. A certain competitive situation and cold drinks can be helpful.
The model is the British pub quiz: competing teams each sit at a table and drink cold drinks. At the front, a quizmaster poses questions/tasks, which the teams answer on paper (without the Internet!). Then the answers are compared at the front and points are awarded. There are several rounds with different kinds of tasks. At the end the points are added up. The Googlequiz is about tasks concerning Google queries and results. Important: participants may not use the Internet during the quiz! The game takes place in the head and on paper. Google provides the solution, which is why only the quizmaster may use Google. The Googlequiz is a decidedly fun-oriented event. A team should consist of 6 to 8 people. A maximum of 7 teams can take part. PS: a helpful aid you can bring along: an old newspaper.
🎤
The Gospel of IRMA
Speakers:
👤
Jaap-Henk Hoepman
📅 Sat, 28 Dec 2013 at 11:30
show details
Attribute Based Credentials (ABC) allow users to prove certain properties about themselves (e.g. age, race, license, etc.) without revealing their full identity. ABC are therefore important to protect the privacy of the user. The IRMA (I Reveal My Attributes) project of the Radboud University Nijmegen has created the first full and efficient implementation of this technology on smart cards. This allows ABC technology to be used in practice both on the Internet as well as in the physical world. We will discuss ABCs in general, the IRMA system, its advantages and pitfalls, and future work.
Attribute Based Credentials (ABC) allow users to prove certain properties about themselves (e.g. age, race, license, etc.) without revealing their full identity. They provide unlinkability, both between issuance of the credential and subsequently proving ownership of the credential, as well as between subsequent ownership proofs at a service provider. This makes it impossible to track a user as she uses her credentials on the web. This makes ABCs a powerful privacy enhancing technology. Smart cards are an appealing container to store such credentials: they are secure, and can be carried by the user in an ordinary wallet. However, ABCs use complex cryptography to achieve their privacy preserving properties, thus far evading efficient implementations on such smart cards. The IRMA (I Reveal My Attributes) project of the Radboud University Nijmegen (together with SURFnet and TNO) has created the first full and efficient implementation of this technology on smart cards. The implementation is based on the Idemix technology originally developed by IBM. The smart card is contactless, to allow NFC enabled smart phones and tablets as readers. This makes it easy to use IRMA cards on the web, or to prove credentials in a small shop on the tablet owned by the shopkeeper. We will discuss ABCs in general, the IRMA system and its implementation in particular, and give a demo of how an IRMA card can be used in practice (using a smart phone as the card reader). More importantly though, we will discuss the advantages and disadvantages of ABC technology compared to other identity management approaches. We will especially discuss the risk of having a ubiquitous authentication infrastructure that ABCs would provide when implemented on national identity cards, and outline ways to mitigate these risks.
🎤
We only have one earth
Speakers:
👤
Drahflow
📅 Sat, 28 Dec 2013 at 11:30
show details
An abundant number of existential risks threatens humanity, many of them planetary in nature. Current science already enables us to colonize nearby space, yet nobody bothers to supply the modest financial resources. Hence this call to action.
Numerous existential risks currently threaten humanity: nuclear war, resource depletion, antibiotic-resistant bacteria, meteor impacts, an unfriendly singularity, just to list a few. Various groups try to reduce these risks; a real effect is yet to be seen, though. As those risks are never going to be eliminated entirely, a safer (and rather obvious) strategy would be to distribute humanity a little more redundantly throughout space. The financial resources allocated to this task, however, are ridiculously small. This talk is going to highlight
🎤
Hello World!
Speakers:
👤
Aram Bartholl
📅 Sat, 28 Dec 2013 at 11:30
show details
USB DeadDrops, IRL map marker in public, FUCK 3D glasses or How to vacuum form a guy fawkes mask. I will present an extensive overview of my art projects from over the last 10 years including the Fake Google car by F.A.T. and moar!! It all started here at the CCC congress! :)) For more info see link --->
Curator blabla...: The versatile communication channels are taken for granted these days, but how do they influence us? Following the paradigm shift in media research, Bartholl asks not just what man is doing with the media, but what media does with man. The tension between public and private, online and offline, technology infatuation and everyday life forms the core of his production. In public interventions and public installations Bartholl examines which parts of the digital world can reach back into reality, and how. Aram Bartholl is a member of the Internet based artist group Free, Art & Technology Lab - F.A.T. Lab. Net politics, the DIY movement and the Internet development in general play an important role in his work. Besides numerous lectures, workshops and performances he has exhibited at MoMA Museum of Modern Art NY, The Pace Gallery NY, DAM Gallery Berlin and XPO Gallery Paris. Aram Bartholl lives and works in Berlin.
🎤
BREACH in Agda
Speakers:
👤
Nicolas Pouillard
📅 Sat, 28 Dec 2013 at 11:30
show details
Software engineering is in an unsustainable state: software is mainly developed in a trial and error fashion, which always leads to vulnerable systems. Several decades ago the correspondence between logics and programming (Curry-Howard) was found. This correspondence is now being used in modern programming languages using dependent types, such as Agda, Coq, and Idris. In this talk I show our development of attacks and security notions within Agda, using the recent BREACH exploit as an example. Our development is a constructive step towards verified software and bridges a gap between theory and practice. I will explain the details of the Curry-Howard correspondence. The target audience are interested people with some programming experience.
Using the recent BREACH exploit as an example, I will present how to represent attacks and security notions within the Type Theory of Agda.
Using security notions such as semantic security (IND-CPA, IND-CCA), it is intuitive to show how the use of compression leads to an encryption that is not semantically secure, and thus to potential issues. Indeed, the length of the ciphertext can now be controlled by the adversary who can control the plaintext. I will show how this intuitive result can be formalized using Agda.
A note on Agda: it is both a programming language and a proof system. The programming language features pure, exhaustive, and terminating functions over rich user defined data types (inductive and co-inductive). This powerful λ-calculus is equipped with a rich type system featuring dependent types. Through the Curry-Howard correspondence this programming language can also be used as a proof system. With such a combined system it becomes possible to write programs and proofs about these programs in a unified way. Additionally, using this approach, one can start proving properties with only programming skills and gradually learn more proof techniques by exploring the type system.
I claim that functional programming and dependent types can be of great help to formalize cryptography and thus privacy enhancing tools. I will present how functions are convenient for describing these games and adversaries. I will also give an overview of the crypto-agda project: how type isomorphisms can ease probabilistic reasoning; how circuits can help capture the requirements on the complexity bounds; and how all of these aspects can fit together thanks to polymorphism!
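The length leak the abstract describes, as an added worked example that is not code from the talk or from the crypto-agda project (and in Python rather than Agda): a constructed HTTP response containing a secret CSRF token and a reflected, attacker-chosen string is compressed with DEFLATE, and the token is recovered one character at a time from nothing but the compressed length, which is what an adversary who controls part of the plaintext observes through TLS. The page layout, token value, alphabet and the filler trick are assumptions of the example, not details from the talk.

```python
import zlib

ALPHABET = "0123456789abcdef"
SECRET_TOKEN = "3f9a2c1e"   # constructed secret; a CSRF token in a real page
KNOWN_PREFIX = "value='"    # the attacker knows how the page frames the token


def response_body(reflected: bytes) -> bytes:
    """Hypothetical HTTP response: a secret token plus a reflected query string.

    The attacker chooses `reflected` (for example through a search parameter)
    but cannot read the body; she only observes its compressed length.
    """
    return (b"<input type=hidden name=csrf " + KNOWN_PREFIX.encode()
            + SECRET_TOKEN.encode() + b"'><p>You searched for: "
            + reflected + b"</p>")


def length_oracle(reflected: bytes) -> int:
    """What a network attacker sees: the DEFLATE-compressed length.

    Encryption is omitted on purpose: a stream cipher or TLS record adds a
    constant and preserves exactly the length differences the attack uses.
    """
    return len(zlib.compress(response_body(reflected), 9))


def score(guess: str) -> int:
    """Total observed length for one candidate over eight bit alignments.

    The alphabet characters not being guessed are appended, so every candidate
    sends the same set of characters and only the LZ77 match length against
    the real token differs.  Each trial is repeated with 0..7 distinct,
    incompressible filler bytes in front so that a saving of a few bits shows
    up as a whole byte at least once; the lowest total wins.
    """
    tail = b"~" + "".join(c for c in ALPHABET if c != guess[-1]).encode()
    total = 0
    for k in range(8):
        filler = bytes(range(0x90, 0x90 + k))
        total += length_oracle(filler + (KNOWN_PREFIX + guess).encode() + tail)
    return total


def recover_token(length: int = len(SECRET_TOKEN)) -> str:
    """Recover the token character by character from the length oracle alone."""
    known = ""
    for _ in range(length):
        best = min(ALPHABET, key=lambda c: score(known + c))
        known += best
    return known


if __name__ == "__main__":
    print("recovered:", recover_token())
```

The point the abstract makes is visible in `score`: the adversary never decrypts anything, she only needs the ciphertext length to depend on plaintext she partly controls, which is why compress-then-encrypt cannot be IND-CPA secure.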
🎤
Extracting keys from FPGAs, OTP Tokens and Door Locks
Speakers:
👤
David
📅 Sat, 28 Dec 2013 at 12:45
show details
Side-channel analysis (SCA) and related methods exploit physical characteristics of (cryptographic) implementations to bypass security mechanisms and extract secret keys. Yet, SCA is often considered a purely academic exercise with no impact on real systems. In this talk, we show that this is not the case: Using the example of several wide-spread real-world devices, we demonstrate that even seemingly secure systems can be attacked by means of SCA with limited effort.
This talk briefly introduces implementation attacks and side-channel analysis (SCA) in particular. Typical side channels like the power consumption and the EM emanation are introduced. The main focus is then on three case studies that have been conducted as part of the SCA research of the Chair for Embedded Security (Ruhr-Uni Bochum) since 2008: The first example is FPGAs, which can be protected against reverse engineering and product counterfeiting with a feature called "bitstream encryption". Although the major vendors (Xilinx and Altera) use secure ciphers like AES, no countermeasures against SCA were implemented. As a second example, a wide-spread electronic locking system based on proprietary cryptography is analyzed. The target of the third case study is a popular one-time password token for two-factor authentication, the Yubikey 2. In all three cases, the cryptographic secrets could be recovered within a few minutes to a few hours of measurements, allowing an adversary to decrypt FPGA bitstreams, to clone Yubikeys, and to open all locks in an entire installation, respectively. In conclusion, we summarize possible countermeasures against the presented attacks and describe the communication with the respective vendors as part of a responsible disclosure process.
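The attack class the abstract describes, as an added worked example that is not code from the talk or from the Bochum group: correlation power analysis (CPA) against the first AES round on constructed traces. The leakage model (Hamming weight of the S-box output plus Gaussian noise), the key byte, the trace count and the noise level are assumptions chosen for the demonstration; on real hardware the traces come from an oscilloscope or EM probe and trace alignment and model selection are the hard part. The S-box is computed rather than typed in, so no table has to be trusted.

```python
import random


def _build_sbox() -> list:
    """AES S-box from GF(2^8) inversion plus the affine map (generator 3 walk)."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = p ^ ((p << 1) & 0xFF) ^ (0x1B if p & 0x80 else 0)   # p *= 3
        q ^= (q << 1) & 0xFF                                     # q /= 3
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        x = (q ^ ((q << 1) | (q >> 7)) ^ ((q << 2) | (q >> 6))
             ^ ((q << 3) | (q >> 5)) ^ ((q << 4) | (q >> 4)))
        sbox[p] = (x ^ 0x63) & 0xFF                              # p * q == 1
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()


def hamming_weight(x: int) -> int:
    return bin(x).count("1")


def simulate_traces(key_byte: int, n: int, noise_sigma: float, rng: random.Random):
    """Constructed measurements: one sample per encryption, the Hamming weight
    of the first-round S-box output (what a power or EM probe tends to see on
    an unprotected implementation) plus Gaussian noise."""
    plaintexts = [rng.randrange(256) for _ in range(n)]
    traces = [hamming_weight(SBOX[p ^ key_byte]) + rng.gauss(0.0, noise_sigma)
              for p in plaintexts]
    return plaintexts, traces


def pearson(xs, ys) -> float:
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5


def cpa_rank(plaintexts, traces) -> list:
    """Predict the leakage under each of the 256 key hypotheses and rank them
    by |correlation| with the measured traces, best first."""
    scores = {}
    for k in range(256):
        model = [hamming_weight(SBOX[p ^ k]) for p in plaintexts]
        scores[k] = abs(pearson(model, traces))
    return sorted(range(256), key=lambda k: -scores[k])


def recover_key_byte(plaintexts, traces) -> int:
    return cpa_rank(plaintexts, traces)[0]


def demo(key_byte: int = 0x2B, n: int = 500, noise_sigma: float = 1.5, seed: int = 1) -> int:
    """Run the attack on constructed traces; returns the recovered key byte."""
    pts, trs = simulate_traces(key_byte, n, noise_sigma, random.Random(seed))
    return recover_key_byte(pts, trs)


if __name__ == "__main__":
    print("recovered key byte: 0x%02x" % demo())
```

Each key byte is attacked independently, so the full 128-bit key costs 16 runs of a few hundred traces rather than 2^128 work; the countermeasures the abstract refers to (masking, hiding, key rolling) all aim at breaking the correlation that `cpa_rank` relies on.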
🎤
Lightning Talks, Day 2
Speakers:
👤
nickfarr
📅 Sat, 28 Dec 2013 at 12:45
show details
🎤
Fast Internet-wide Scanning and its Security Applications
Speakers:
👤
J. Alex Halderman
📅 Sat, 28 Dec 2013 at 12:45
show details
Internet-wide network scanning has powerful security applications, including exposing new vulnerabilities, tracking their mitigation, and exposing hidden services. Unfortunately, probing the entire public address space with standard tools like Nmap requires either months of time or large clusters of machines. In this talk, I'll demonstrate ZMap, an open-source network scanner developed by my research group that is designed from the ground up to perform Internet-wide scans efficiently. We've used ZMap with a gigabit Ethernet uplink to survey the entire IPv4 address space in under 45 minutes from a single machine, more than 1300 times faster than Nmap. I'll explain how ZMap's architecture enables such high performance. We'll then work through a series of practical examples that explore the security applications of very fast Internet-scale scanning, both offensive and defensive. I'll talk about results and experiences from conducting more than 300 Internet-wide scans over the past 18 months, including new revelations about the state of the HTTPS CA ecosystem. I'll discuss the reactions our scans have generated--on one occasion we were mistaken for an Iranian attack against U.S. banks and we received a visit from the FBI--and I'll suggest guidelines and best practices for good Internet citizenship while scanning.
Internet-scale network surveys collect data by probing large subsets of the public IP address space. While such scanning behavior is often associated with botnets and worms, it also has proved to be a powerful methodology for security research. Recent studies, beginning with the EFF's SSL Observatory, have demonstrated that Internet-wide scanning can help reveal new kinds of vulnerabilities, monitor deployment of mitigations, and shed light on previously opaque distributed ecosystems. Unfortunately, this methodology has been more accessible to attackers than to researchers without access to botnets or willingness to spread self-replicating code. Comprehensively scanning the public address space with off-the-shelf tools like Nmap requires weeks of time or many machines. To make Internet-wide scanning more accessible, my research team recently introduced ZMap, an open-source network scanner that is designed from the ground up to perform Internet-scale port scans. In our tests using a gigabit Ethernet uplink, ZMap scans the entire IPv4 address space in under 45 minutes from a single machine, more than 1300 times faster than Nmap. By the time of the talk, we'll have switched to a 10 gigE uplink, which should theoretically support scanning the entire address space in under 5 minutes. I'll explain how ZMap's architecture enables such high performance by taking advantage of fast modern hardware and recent improvements to the Linux kernel. We'll work through a series of practical examples that explore the security applications of very fast Internet-scale scanning, both offensive and defensive, and I'll share experiences from conducting more than 300 Internet-wide scans over the past 18 months, totaling well over 1 trillion probes. 
I'll describe how we completed hundreds of scans targeting every public HTTPS server (each scan larger than the entire SSL Observatory) in order to shed light on the growth of HTTPS deployments and expose security problems within the HTTPS ecosystem, such as misissued CA certs and widespread server misconfiguration. I'll show how high-speed scanning can be used to expose vulnerable hosts, using IPMI and UPnP vulnerabilities as recent examples. Malicious attackers could abuse this capability to exploit 0day vulnerabilities affecting millions of hosts within hours of a problem's discovery, and better defenses are badly needed. Finally, I'll discuss applications to Internet freedom, including discovering unadvertised services such as hidden Tor bridges (used for censorship resistance) and Bluecoat devices (used for state-sponsored censorship). High-speed scanning can be a powerful tool in the hands of security researchers, but users must be careful not to cause harm by inadvertently overloading networks or causing unnecessary work for network administrators. I'll discuss the complaints and other reactions my group's scanning has generated--on one occasion we were mistaken for an Iranian DoS attack on U.S. banks, and we received a visit from the FBI--and I'll suggest several guidelines and best practices for good Internet citizenship while scanning. We are living in a unique period in the history of the Internet: widely available networks are becoming fast enough to quickly and exhaustively scan the IPv4 address space, yet IPv6 (with its much larger address space) has not yet been widely deployed. I hope this talk will help researchers make the most of this window of opportunity.
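Two of the design choices behind the performance the abstract refers to, as an added example that is not ZMap's code: the choices themselves (iterating the address space as a cyclic multiplicative group modulo the prime 2^32+15, and validating replies without a state table by deriving the probe's TCP sequence number from a keyed hash of its addressing) are taken from the published ZMap design and are not stated on this page. The per-scan secret, seed, ports and target addresses are constructed for the demonstration, and the small prime 257 stands in for the real modulus so the whole permutation can be checked.

```python
import hashlib
import hmac
import ipaddress
import random

ZMAP_PRIME = 2**32 + 15                         # smallest prime above 2^32
SCAN_SECRET = b"constructed per-scan secret"    # assumption: fresh random key per scan


def prime_factors(n: int) -> set:
    """Distinct prime factors by trial division; fast enough for n around 2^32."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def is_generator(g: int, p: int, factors=None) -> bool:
    """g generates the multiplicative group mod prime p iff g^((p-1)/q) != 1
    for every prime q dividing p-1."""
    factors = factors or prime_factors(p - 1)
    return all(pow(g, (p - 1) // q, p) != 1 for q in factors)


def pick_generator(p: int, rng: random.Random) -> int:
    factors = prime_factors(p - 1)
    while True:
        g = rng.randrange(2, p - 1)
        if is_generator(g, p, factors):
            return g


def scan_order(p: int, space: int, generator: int, start: int):
    """Visit every address in [0, space) exactly once in pseudorandom order.

    Walking x -> x*g mod p from a random start traverses the whole group
    {1, .., p-1}; element x stands for address x-1 and elements beyond the
    address space are skipped.  Only the current x is stored, so there is no
    per-target state and consecutive probes land in unrelated networks.
    """
    x = start
    while True:
        if x - 1 < space:
            yield x - 1
        x = x * generator % p
        if x == start:
            return


def first_ipv4_targets(n: int, seed: int = 2013) -> list:
    """The first n targets of a full IPv4-space permutation."""
    rng = random.Random(seed)
    g = pick_generator(ZMAP_PRIME, rng)
    order = scan_order(ZMAP_PRIME, 2**32, g, rng.randrange(1, ZMAP_PRIME))
    return [str(ipaddress.IPv4Address(next(order))) for _ in range(n)]


def probe_seq(dst_ip: str, dst_port: int, src_port: int, secret: bytes = SCAN_SECRET) -> int:
    """Sequence number for a SYN probe: a keyed hash of the probe's addressing,
    so a reply can be validated by recomputation instead of a lookup table."""
    msg = f"{dst_ip}:{dst_port}:{src_port}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


def reply_is_valid(reply: dict, secret: bytes = SCAN_SECRET) -> bool:
    """Accept a SYN-ACK only if it acknowledges our seq+1 for that exact
    (target, port, source port); backscatter and spoofed packets fail this."""
    expected = (probe_seq(reply["src"], reply["sport"], reply["dport"], secret) + 1) & 0xFFFFFFFF
    return reply["ack"] == expected


def demo_slash24(seed: int = 2013) -> list:
    """Same construction on a /24-sized space with p = 257: a full permutation."""
    rng = random.Random(seed)
    p, space = 257, 256
    return list(scan_order(p, space, pick_generator(p, rng), rng.randrange(1, p)))


if __name__ == "__main__":
    print(demo_slash24()[:8], first_ipv4_targets(3))
```

Because the permutation and the reply check need no memory of what was sent, the sending and receiving halves can run as independent processes at line rate, which is where the speed-up over a stateful scanner comes from; the random order is also what keeps any single network from seeing a burst of probes, part of the "good citizenship" the abstract asks for.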
🎤
Glass Hacks
Speakers:
👤
Stephen Balaban
📅 Sat, 28 Dec 2013 at 12:45
show details
A one hour technical lecture that covers everything from machine learning and AI to hardware design and manufacture. Includes demonstrations of applications enabled by an always-on image capturing wearable computer. You'll leave with a clear understanding of the field's status quo, how we got here, and insight into what's around the corner.
Always-on camera enabled wearable computers, like Google Glass and Lambda Hat, enable a variety of slightly creepy, but undeniably useful applications. For the past few months, I've worn a computing device that takes pictures every few seconds. I run facial detection over the image stream, pulling out every face I have seen. Soon, we'll be able to conduct mass facial recognition using this data. Other applications include detecting license plates and automatically uploading them to a public GPS tagged website. This talk will cover the history, state of the art, and future of wearable computing, machine learning, and the privacy implication of this technology.
🎤
Deutschlandfunk - Das 30C3-Interview mit ...
Speakers:
👤
Deutschlandfunk
📅 Sat, 28 Dec 2013 at 14:00
show details
Listen and watch again at www.deutschlandfunk.de/hackerkongress
🎤
EUDataP: State of the Union
Speakers:
👤
Jan Philipp Albrecht
📅 Sat, 28 Dec 2013 at 14:00
show details
Jan Philipp Albrecht is rapporteur of the European Parliament for the EU's General Data Protection Regulation as well as for the EU-US data protection framework agreement.
The European data protection reform will replace the existing 27 data protection laws in EU member states to form a homogeneous legislation regarding data privacy online as well as offline. As the profits of many data collecting corporations are at stake, the European parliament is subject to a storm of lobbyists trying to dismantle citizens' fundamental privacy rights.
🎤
Hillbilly Tracking of Low Earth Orbit
Speakers:
👤
Travis Goodspeed
📅 Sat, 28 Dec 2013 at 14:00
show details
Satellites in Low Earth Orbit have tons of nifty signals, but they move quickly through the sky and are difficult to track with fine accuracy. This lecture describes a remotely operable satellite tracking system that the author built from a Navy-surplus Inmarsat dish in Southern Appalachia.
Satellites in Low Earth Orbit have tons of nifty signals, but they move quickly through the sky and are difficult to track with fine accuracy. This lecture describes a remotely operable satellite tracking system that the author built from a Navy-surplus Inmarsat dish in Southern Appalachia. The entire system is controlled through a Postgres database, fed by various daemons spread across multiple machines. So when I click on a satellite on my laptop or cellphone, it runs "UPDATE target SET name='Voyager 1';" and the motor daemon then begins to track the new target while the prediction daemon maintains accurate estimates of its position in the sky. Additional daemons take spectral prints or software-defined radio recordings of the targeted object for later review.
🎤
Magic Lantern
Speakers:
👤
Michael Zöller
📅 Sat, 28 Dec 2013 at 14:00
show details
We present Magic Lantern, a free open software add-on for Canon DSLR cameras, that offers increased functionality aimed mainly at DSLR pro and power users. It runs alongside Canon's own firmware and introduces to consumer-grade DSLRs features usually only found in professional high-end digital (cinema) cameras.
With downloads in excess of half a million and tens of thousands of registered users, Magic Lantern has become one of the largest examples of collaborative efforts of users hoping to get the most out of their devices... by hacking them. Being a free, open source non-commercial project developed by enthusiasts, Magic Lantern is not endorsed by Canon in any way. Apart from giving an introduction to the project and its collaborative structure, the talk will present a live demonstration of Magic Lantern, focusing mainly on DSLR video work, its challenges, and practical day-to-day use of the unique functionality offered by Magic Lantern, like RAW 2.5k 14 bit video recording and workflow, live audio monitoring, as well as display enhancements like focus peaking, zebras, histogram and waveform assist tools. Although the talk will focus on compatible Canon cameras, it will present a solid, practical overview for any user interested in both the positive and negative aspects of using modern DSLR cameras for professional video and cinematography work. WORKSHOP: There will be a hands-on workshop on Dec. 29 at 15:00. We will meet at "Speaker's Corner" and find our way from there. See you there!
🎤
Deutschlandfunk - Das 30C3-Interview mit ...
Speakers:
👤
Deutschlandfunk
📅 Sat, 28 Dec 2013 at 15:00
show details
Listen and watch again at www.deutschlandfunk.de/hackerkongress
🎤
Die Bundesrepublik – das am meisten überwachte Land in Europa
Speakers:
👤
Josef Foschepoth
📅 Sat, 28 Dec 2013 at 16:00
show details
For months the NSA affair has kept us in suspense. Ever new surveillance measures and intelligence practices are being revealed. A gigantic extent of surveillance by the United States of America is coming to light, worldwide. In Europe, the Federal Republic of Germany is the most surveilled country.
A look at history shows: the affair is by no means a singular event. Rather, it is the culmination so far of a more than sixty-year history of the surveillance of Germany. Since the end of the Second World War this country has been systematically surveilled. The Federal Republic is an important target, but also an important partner of the American intelligence services. The Verfassungsschutz and the Bundesnachrichtendienst are foster children of the American and British occupying powers, obligated to this day to the closest cooperation and to the exchange of all intelligence, including personal data. Without a look at history, the current affair is hard to understand. With his book "Überwachtes Deutschland", published nine months before the NSA affair began, the Freiburg historian Josef Foschepoth broke new historical and political ground. For the first time it becomes clear how strongly the Western powers influenced the internal development of the Federal Republic in order to permanently secure their claim to surveillance in Germany and from Germany. To make this possible, in 1968 the fundamental right to the privacy of post and telecommunications was severely restricted, the separation of powers suspended and recourse to the courts excluded. Thus arose an enormous German-Allied intelligence complex that evades all control. The key to understanding the sixty-year history of surveillance lies in the strict secrecy requirement to which both sides repeatedly committed themselves. What consequences did all this have for the rule of law and the sovereignty of the second German republic? What consequences follow from the continued attacks on the free democratic order of the Federal Republic? Why does the Federal Government remain silent about the elementary threats to constitutionally guaranteed basic freedoms and rights? Why is it working on an "anti-espionage agreement" while at the same time permitting the construction of a state-of-the-art espionage centre for the American intelligence services on German soil in Wiesbaden-Erbenheim? How much rule of law and how much sovereignty does the most surveilled country in Europe have? In his talk, Josef Foschepoth discusses the historical foundations and the necessary consequences that arise from these and many other questions.
🎤
My journey into FM-RDS
Speakers:
👤
Oona Räisänen
📅 Sat, 28 Dec 2013 at 16:00
show details
How I discovered mysterious hidden signals on a public radio channel and eventually found out their meaning through hardware hacking, reverse engineering and a little cryptanalysis.
A story about my experiences with FM-RDS (Radio Data System), a digital subcarrier embedded in FM broadcast transmissions, and also cryptanalysis of the weakly encrypted TMC traffic messages contained therein. I originally found out about the existence of such transmissions in a roundabout way, by using a spectrum analyzer program to examine intermodulation distortion in my radio's Line Out audio. As it turned out, the inaudibly quiet distortion, probably caused by the radio's stereo demuxer circuitry, contained all the information needed to decode all RDS data present in the transmission. I will demonstrate the journey I took and give a short introduction to how the data is actually encoded. Live acquisition of local RDS data, depending on signal conditions on the premises. As a bonus, I'm introducing yet another little-known FM subcarrier called DARC, and my recent reverse engineering of the bus stop display radio protocol used in Helsinki.
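The block coding behind "how the data is actually encoded", as an added example that is not code from the talk: the generator polynomial and the offset words that distinguish blocks A, B, C, C' and D are the ones defined in the public RDS standard (IEC 62106), not details taken from this page; the PI code, group word and payload words are constructed. The example encodes one four-block group, then finds and checks the blocks again by sliding a 26-bit window over the bit stream, which is how a decoder acquires block synchronisation from a raw demodulated bit stream.

```python
RDS_POLY = 0x5B9   # g(x) = x^10 + x^8 + x^7 + x^5 + x^4 + x^3 + 1
OFFSET_WORDS = {"A": 0x0FC, "B": 0x198, "C": 0x168, "C'": 0x350, "D": 0x1B4}


def checkword(info: int) -> int:
    """10-bit CRC of a 16-bit information word: info(x) * x^10 mod g(x)."""
    reg = (info & 0xFFFF) << 10
    for bit in range(25, 9, -1):           # long division, top bit first
        if (reg >> bit) & 1:
            reg ^= RDS_POLY << (bit - 10)
    return reg & 0x3FF


def encode_block(info: int, block: str) -> int:
    """26-bit RDS block: info word, then CRC XOR the offset word naming the block."""
    return (info << 10) | (checkword(info) ^ OFFSET_WORDS[block])


def decode_block(bits: int):
    """Return (info, block letter); the letter is None when no offset word fits,
    which is how a receiver both finds the block boundary and rejects errors."""
    info, check = bits >> 10, bits & 0x3FF
    syndrome = checkword(info) ^ check
    for name, offset in OFFSET_WORDS.items():
        if syndrome == offset:
            return info, name
    return info, None


def group_type(block_b_info: int) -> str:
    """Group type and version from block B, e.g. '0A' (basic tuning), '8A' (TMC)."""
    return f"{block_b_info >> 12}{'B' if (block_b_info >> 11) & 1 else 'A'}"


def find_blocks(bitstream: int, nbits: int) -> list:
    """Slide a 26-bit window over a bit string and report every position that
    decodes as a valid block, as a decoder does on the raw 1187.5 bit/s stream.
    A real receiver demands several consecutive hits before declaring sync,
    because a random window matches one of the five offsets about 0.5% of the time."""
    found = []
    for shift in range(nbits - 26, -1, -1):
        info, name = decode_block((bitstream >> shift) & 0x3FFFFFF)
        if name:
            found.append((nbits - 26 - shift, name, info))
    return found


def demo() -> list:
    """Constructed group: PI code, block B for group 8A (TMC), two payload words."""
    stream = 0
    for word, name in [(0xD3C1, "A"), (0x8408, "B"), (0x1234, "C"), (0x5678, "D")]:
        stream = (stream << 26) | encode_block(word, name)
    return find_blocks(stream, 104)


if __name__ == "__main__":
    for position, name, info in demo():
        print(f"bit {position:3d}: block {name:2s} info 0x{info:04X}")
```

The offset word is why a decoder needs no separate framing: block A always carries the PI code, so once two or three blocks in a row decode with the expected A, B, C/C', D sequence the receiver is synchronised, and any later window whose syndrome matches no offset word is a corrupted block to be discarded.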
🎤
Against Metadata
Speakers:
👤
Robert M Ochshorn
📅 Sat, 28 Dec 2013 at 16:00
show details
Using case studies of documentary film, Freedom of Information Law document dumps, soundbanks, and a hacker conference, I will demonstrate experiments and results of several years developing open source tools to reorient the idea of documentary around its documents. This is in opposition to a tendency towards textual and machine-readable metadata, which unduly constrain our wonder, perception, and ability to navigate ambiguous and unknown material.
Snapping a photo captures more than just image data. Information about the camera and its lens, shutter speed and aperture, date and time, &c, have been bundled into the JPEG since the early days of digital photography. By now, that photo is likely to include a GPS trace as well, and as soon as it leaves your camera, computers are hard at work assisting you in identifying and tagging people and places, with auto-completing textual clarity and database precision. Meanwhile NSA spooks try to reassure us that they are only interested in the metadata of our communications--the who and the when, and maybe some keywords. Without denying a power and efficacy to machine-readable metadata, I argue that for humans to navigate and find meaning in unknown and unsorted material, this search will require multi-media tools that immerse us and augment our powers of perception, rather than reduce all navigation to textfields, transcripts, and tags. For temporal media (sound and video), codecs have given us greater and greater instantaneous fidelity, but leave us with few techniques to skim, seek, and survey. Using case studies of documentary film, Freedom of Information Law document dumps, soundbanks, and a hacker conference, I will demonstrate experiments and results of several years developing open source tools to reorient the idea of documentary around its documents.
🎤
Script Your Car!
Speakers:
👤
Felix "tmbinc" Domke
📅 Sat, 28 Dec 2013 at 16:00
show details
Almost all higher-end cars come with very beefy in-car entertainment hardware. In this talk, I'll describe how to take advantage of an existing hands-free kit to connect your car to the internet and script your dashboard in python.
The German company "novero" builds a range of hands-free kits that are used in most modern Volkswagen Group cars. They handle the Bluetooth Hands-Free Profile and A2DP (audio streaming), but also support rSAP (Remote SIM Access Profile), which means that they have their own 3G modem, separate from the mobile phone. Some of these kits use this to provide an integrated WiFi access point to share an internet connection into the car. It was found that some of these devices are Linux-based, with pretty decent hardware specs, running on modern ARM processors. A very flexible software architecture, based on GLib and D-Bus, makes it easy to replace or extend the existing functionality with simple user-space programs, which means that you can interact with the in-dashboard screens and buttons, get access to various data sources like GPS, and have an internet connection. This talk will show how to get root access on this hardware and run your own software, and will present a Python-based framework for scripting your car, with full dashboard integration. With a CAN adapter, the module can be run stand-alone with a PC simulating the car, to simplify development.
🎤
Deutschlandfunk Live
Speakers:
👤
Deutschlandfunk
📅 Sat, 28 Dec 2013 at 16:30
show details
🎤
The Pirate Cinema
Speakers:
👤
Nicolas Maigret
👤
Brendan Howell
📅 Sat, 28 Dec 2013 at 16:45
show details
"The Pirate Cinema" reveals Peer-to-Peer information flows. It is a composition generated by the activity on file sharing networks. "The Pirate Cinema" immerses the viewer in network flows.
In the context of omnipresent telecommunications surveillance, “The Pirate Cinema” makes the hidden activity and geography of Peer-to-Peer file sharing visible. The project is presented as a monitoring room, which shows Peer-to-Peer transfers happening in real time on networks using the BitTorrent protocol. The installation produces an arbitrary cut-up of the files currently being exchanged. This immediate and fragmentary rendering of digital activity, with information concerning its source and destination, thus depicts the topology of digital media consumption and uncontrolled content dissemination in a connected world.
🎤
Hardware Attacks, Advanced ARM Exploitation, and Android Hacking
Speakers:
👤
Stephen A. Ridley
📅 Sat, 28 Dec 2013 at 17:15
show details
In this talk (which in part was delivered at Infiltrate 2013 and NoSuchCon 2013) we will discuss our recent research that is being rolled into our Practical ARM Exploitation course (sold out at Blackhat this year and last) on Linux and Android (for embedded applications and mobile devices). We will also demonstrate these techniques and discuss how we were able to discover them using several ARM hardware development platforms that we custom built. Where relevant we will also discuss ARM exploitation as it relates to Android, as we wrote about in the "Android Hacker's Handbook", which we co-authored and which will be released in October 2013.
Lastly, we will also discuss some of our most recent related hardware research (to facilitate the above), which will include bus protocol eavesdropping/reverse engineering, demystifying hardware debugging, and surreptitiously obtaining embedded software (firmware) using hardware techniques. We will demonstrate and show the supportive tools used and techniques developed to perform this work and deploy them against Apple MFI iAP devices, and multimedia devices using OEM implemented USB stacks. (This will briefly include our experiences around starting http://int3.cc where we sell a fully assembled modified version of a hardware USB fuzzer.) Along the way we will inevitably share some of the lessons we also learned while completely designing the hardware (from scratch), writing the firmware, and writing mobile apps for an embedded security device called Osprey, which we hold the patent for and have spoken about publicly as a hardware vulnerability assessment Swiss-army-knife for researchers.
🎤
FPGA 101
Speakers:
👤
Karsten Becker
📅 Sat, 28 Dec 2013 at 17:15
show details
In this talk I want to show you around the mysterious world of Field Programmable Gate Arrays, or FPGAs for short. The aim is to enable you to get a rough understanding of what FPGAs are good at and how they can be used in areas where conventional CPUs and microcontrollers are failing us. FPGAs open up the world of high-speed serial interconnects, nanosecond event reactions and hardware fuzzing.
In this lecture I will present the basics of how FPGAs work and how to program them. I will also showcase some tasks where FPGAs really shine. As an example I will show how a 200 MHz FPGA can perform a discrete wavelet transform twice as fast as a 2.6 GHz i7. I will also show other applications where FPGAs are almost unbeatable compared to a CPU. At the end I will give you an overview of the market: what the hacker-friendly boards are, which vendor's toolchain sucks the least, etc. After this lecture you should be able to decide whether a CPU, a GPU or an FPGA could solve your problem most efficiently.
🎤
Deutschlandfunk - Das 30C3-Interview mit ...
Speakers:
👤
Deutschlandfunk
📅 Sat, 28 Dec 2013 at 17:30
show details
Listen and watch again at www.deutschlandfunk.de/hackerkongress
🎤
Turing Complete User
Speakers:
👤
olia lialina
📅 Sat, 28 Dec 2013 at 17:30
show details
With the disappearance of the computer, something else is silently becoming invisible as well — the User. Users are disappearing as both phenomena and term, and this development is either unnoticed or accepted as progress — an evolutionary step. Though the Invisible User is more of an issue than an Invisible Computer.
🎤
"Datenschutz aus Brüssel - Wer will denn das?"
Speakers:
👤
Deutschlandfunk
📅 Sat, 28 Dec 2013 at 18:00
show details
🎤
Open source experimental incubator build up
Speakers:
👤
Frantisek Algoldor Apfelbeck
📅 Sat, 28 Dec 2013 at 18:15
show details
This is a call for participation in a project aimed at building an open source based experimental incubator which can be used for a variety of food, beverage and bio-hacking projects, allowing easy control and monitoring of internal conditions like temperature and humidity. Working groups will be established to develop prototypes which can be easily and relatively cheaply assembled. Securing funding and establishing a portal to effectively share news and knowledge within the groups and the wider community will be a major part of the first phase.
One of the basic devices needed for experimenting with growing a variety of microbes for many different purposes, ranging from bioluminescence art and magic mushrooms to the more frequently pursued food and beverage fermentation, is an incubator. From the field of extreme hard-core bio-hacking to traditional home experimentation, a device is needed where one can easily control some of its internal conditions, for example temperature or humidity, and record the corresponding data. A decently priced, well established and supported open source version is not available yet. The aim of this project is to establish a product which is developed by the people and groups interested in the subject, which is shared by the community based on the open source paradigm and, importantly, is continuously developed, so that upgrades and updates of future generations are secured. The long-term goal is the development of easy-to-assemble kits and complete devices which interested people can buy (from a variety of entities, open source). This talk will be "officially" launching this project, announcing it to the wider community and calling for participation. The basic goals, budgeting and concepts for the first year or so will already be established, anticipating the participation of interested people and of course leaving some space for changes because of new people being involved. The short-term goal will be to establish several working groups participating more intensively in the design of the first prototypes, securing funding for this effort and also building a proper portal to share news on development. For more details check our pages; this project will be developed quite intensively in the next few months, after a few years of relative hibernation.
🎤
The Year in Crypto
Speakers:
👤
Nadia Heninger
👤
djb
👤
Tanja Lange
📅 Sat, 28 Dec 2013 at 18:30
This was a busy year for crypto. TLS was broken. And then broken again. Discrete logs were computed. And then computed again. Is the cryptopocalypse nigh? Has the NSA backdoored everything in sight? Also, answers to last year's exercises will be given.
🎤
V wie Verfassungsschutz
Speakers:
👤
Talke Blase
👤
Asta Nechajute
👤
Felix Höfner
👤
Mona Mucke
📅 Sat, 28 Dec 2013 at 18:30
Who actually is this "Verfassungsschutz" (Germany's domestic intelligence service), what does it do, and do we need it at all? According to the Verfassungsschutz's own figures, three quarters of German citizens answer this question with "Yes." The nö-theater Köln, however, counters with a clear "NÖ!". On the basis of intensive interviews, observations and research they developed the political satire "V wie Verfassungsschutz". It sheds light on the entanglements of the German domestic intelligence service with the NSU and stages the "five most embarrassing cases for the Verfassungsschutz" alongside the blunders of its prostitution-like informant (V-Mann) practices. In between, Leo Lupix, the mascot of the Verfassungsschutz, dances merrily. The Cologne theatre troupe raises its index finger for us and says: V wie... Vertuschung (cover-up), V wie... Verzweiflung (despair), V wie... Versagen (failure).
🎤
Introduction to Processor Design
Speakers:
👤
byterazor
📅 Sat, 28 Dec 2013 at 18:30
This lecture gives an introduction to processor design. It is mostly interesting for people new to processor design and does not cover high-performance pipelined structures. Some knowledge of VHDL programming would be great but is not essential. A very small processor core will be described here. Demo: create a backdoor in the VHDL code of a processor core and exploit this backdoor to get a root shell in the Linux operating system.
Processors are getting more and more complex. Only a small part of the hacker community really understands what is going on in them. This lecture introduces processor design for the normal C/assembler programmer. During the lecture a very small self-written processor core is introduced. Subjects covered: why build your own processor core; instruction set architecture; finite state machines; compiler; register file; arithmetic logic unit; fetch unit; decode unit; main memory; processors and security. Demo: create a backdoor in the VHDL code of a processor core and exploit this backdoor to get a root shell in the Linux operating system.
🎤
Hacking as Artistic Practice
Speakers:
👤
!Mediengruppe Bitnik
📅 Sat, 28 Dec 2013 at 19:00
!Mediengruppe Bitnik are contemporary artists. In their talk they will show two examples of their work, illustrating the translation of hacking from the computer field into an artistic practice. Bitnik will show how to hack the opera in ten easy steps and what happens when you send a parcel with a hidden live webcam to Julian Assange at the Ecuadorian Embassy in London. Using the strategies of hacking, !Mediengruppe Bitnik intervenes in settings with the aim of opening them up to re-evaluation and new perspectives.
«Opera Calling» was an artistic intervention into the cultural system of the Zurich Opera. From March 9th to May 26th 2007, audio bugs hidden in the auditorium transmitted the performances of the Zurich Opera to randomly selected telephone landlines in the city of Zurich. In the proper style of a home-delivery service, anyone who picked up their telephone was able to listen to the ongoing opera performance for as long as s/he wanted through a live connection to the audio bug signal. The Zurich Opera launched a search for the bugs and, in a first reaction, threatened to take legal action if the transmissions were not stopped and the bugs not removed. «Delivery for Mr. Assange» is a live mail art piece. In January 2013 !Mediengruppe Bitnik sent Wikileaks founder Julian Assange a parcel containing a camera. Julian Assange has been living at the center of a diplomatic crisis at the Ecuadorian embassy in London since June 2012. Through a hole in the parcel, the camera documented and live-tweeted its journey through the postal system, letting anyone online follow the parcel's status in real time. !Mediengruppe Bitnik regard this work as a SYSTEM_TEST. Would the parcel reach its intended destination? Or would it be removed from the postal system?
🎤
Caayari
Speakers:
👤
oinfiltrado23@googlemail.com
📅 Sat, 28 Dec 2013 at 19:30
A Butoh dance rising from the raw material, portraying the mythology of Mate!
Since our first Mate harvest in 2009, we have been performing the indigenous Guarani mythology of the Mate Goddess Caayari in a Butoh context. This performance has been readapted for the context of the Congress, reinforcing how the connecting and communication aspects of Mate help hackers on the data highway to focus and make synergies. Once upon a time an ailing Guarani Indian left behind by his tribe discovered a plant that rejuvenated him and made him feel young again. This magical drink that he made from the leaves of the Mate Tree took on the spirit of the Goddess Caayari who kept him company in his solitude and gave him strength and inspiration. From flashing back to the mate mythology, forward to 30C3, Mate today plays a different role, captured in a bottle and beloved by hackers who drink mate to concentrate and connect on the Net. Just as the Guarani tribes used to drink Mate together a long time ago around the fire and exchange information, and South American communities come together to pass a mate cuia around; today Mate plays a vital role in the social aspect of gatherings such as the Congress. Raven and Fabricio do Canto have performed the Caayari mythology for audiences in India and Lebanon, and more recently, Fabricio has integrated parts from the performance into his Mate lectures. Their expressionistic interpretation of the origins of the Caayari Mate Mythology will be followed by a Mate Circle.
🎤
Bullshit made in Germany
Speakers:
👤
Linus Neumann
📅 Sat, 28 Dec 2013 at 20:30
The technical problems of De-Mail were solved legally, and for e-mail, too, German providers will soon be implementing the security standards of the nineties. For "the cloud" the BSI also has a fine standard at the ready, naturally without encryption. What would we need that for in the Schlandnet anyway?
German companies are using the media attention on the NSA leaks for PR campaigns meant to establish "made in Germany" as a seal of quality for IT security. From a security perspective, a brief look suffices to see that the concepts are mostly at least negligently insecure, if not deliberate shams. The talk presents the design weaknesses and examines the roles of the authorities and corporations acting in the background. [Logo: CC-BY-SA MathiasM]
🎤
Revisiting "Trusting Trust" for binary toolchains
Speakers:
👤
sergeybratus
👤
Julian Bangert
👤
bx
📅 Sat, 28 Dec 2013 at 20:30
Ken Thompson's classic "Reflections on Trusting Trust" examined the impacts of planted build chain bugs, from an example of a compiler Trojan to a hypothetical "well-placed microcode bug". Once theoretical & remote, such scenarios have lately been revealed as a stark reality. But what if we could have every individual piece of software or firmware in the binary toolchain bug-free, performing just as their programmers intended? Would we be safe from run-away computation if only well-formed inputs to each of the individual tools were allowed? Not so. Potential for malicious computation lurks in a variety of input formats along all steps of the binary runtime process construction and execution. Until the "glue" data of an ABI and the binary toolchains in general is reduced to predictable, statically analyzable power, plenty of room for bug-less Trojans remains. We will discuss our latest work in constructing Turing-complete computation out of different levels of metadata, present tools to normalize and disambiguate these metadata, and conclude with proposals for criteria to trust binary toolchains beyond "Trusting trust" compilers and planted bugs.
This talk develops on our previous "weird machines" work published at WOOT 2013, https://www.usenix.org/system/files/conference/woot13/woot13-shapiro.pdf and https://www.usenix.org/system/files/conference/woot13/woot13-bangert.pdf (video & slides at https://www.usenix.org/conference/woot13/tech-schedule/workshop-program). We will look at the elements of the runtime that are typically overlooked as "mere engineering", and show that without restricting these to statically predictable computing power no trust in the toolchain is possible, i.e., a computation can be hijacked from a "signed" image even before it starts executing. In particular, we will show how parser differentials between an image as verified and as loaded, or as seen by the kernel and by the RTLD, can result in a completely different view of the loadable segments (and, as a result, of the runtime address space).
🎤
Desperately Seeking Susy
Speakers:
👤
atdotde
📅 Sat, 28 Dec 2013 at 20:30
Supersymmetry has been particle theorists' favorite toy for several decades. It predicts a yet unobserved symmetry of nature and implies that for each known type of elementary particle there exists a partner particle, none of which has been detected to date. I will explain why it is an attractive idea nevertheless and what the current situation is after the Large Hadron Collider (LHC) at CERN has looked in many places where supersymmetric partners were expected and did not find them. Is it time to give up hope that susy is a property of nature?
The speaker is a theoretical physics researcher at Munich university. His research focuses mainly on superstring theory (an extension of supersymmetry) and quantum gravity.
🎤
25 Jahre Chipkarten-Angriffe
Speakers:
👤
Peter Laackmann
👤
Marcus Janke
📅 Sat, 28 Dec 2013 at 20:30
An entertaining, exciting and instructive journey through 25 years of smart card attacks, with deep insights into amateur and professional hacker labs, including an outlook on the newest methods and future approaches.
Dr. Peter Laackmann and Marcus Janke open their private archive and explain the development of smart card attacks of yesterday and today. The talk combines a retrospective of the last 25 years with a modern systematic approach to attack classification in an entertaining and instructive way. Professional attacks are always considered in relation to inventive amateur approaches and low-cost methods. Dubious promises from industry are put to the test, and approaches are shown for how warning signs can be recognized at this early stage. The authors look back on more than 25 years of private and almost 20 years of professional experience in the field of smart card attack methods and pick up here from their very first smart card talks and workshops in 1991-93 at the CCC congresses in the Eidelstädter Bürgerhaus.
🎤
Programming FPGAs with PSHDL
Speakers:
👤
Karsten Becker
📅 Sat, 28 Dec 2013 at 21:45
Learning to program an FPGA is time consuming. Not only do you need to download and install 20 GB of vendor tools, but you also need to wrap your brain around the strange ideas of hardware description languages like VHDL. PSHDL aims to ease the learning curve significantly and provide more people with the ability to program FPGAs.
At the 29C3 I gave two 6-hour workshops on programming FPGAs in VHDL. This was not an extensive course with plenty of extra features. It was a crash course that got you barely started, in an "I will throw you out of a plane and during the fall I will not just explain to you how to attach the parachute to your body, but maybe before we splash on the ground you might actually be able to open it as well" way. Some of the problems in learning to program an FPGA are certainly caused by the complexity that is involved in thinking HW vs. SW. The other problems, however, can easily be addressed, such as providing an IDE that is actually pleasant to use AND guides the user towards solving his problem with meaningful error messages and helpful documentation. You can't do that with VHDL because the language is too fucked up. So in this lecture I want to propose a new language that has a much better syntax, similar to C, so that most developers will easily understand it. Yet at the same time it is powerful enough to get even complicated jobs done. Additionally, you will not need to install anything to start playing with it. The big picture here is that I want to create the Arduino for FPGAs and I need your help to get there.
🎤
Security of the IC Backside
Speakers:
👤
nedos
📅 Sat, 28 Dec 2013 at 21:45
In the chain of trust of most secure schemes there is an electronic chip that holds secret information. These schemes often employ cryptographically secure protocols. The weakest link of such a scheme is the chip itself. By attacking the chip directly an attacker can gain access to the secret data in its unencrypted form. In this presentation we demonstrate the attack class of the future: backside attacks. This class of attack bypasses all device countermeasures and can access all signals of the device. As opposed to the attacks of today, these attacks can also be applied to complex systems such as the ARM SoCs of modern smartphones.
Over recent years hackers and chip manufacturers have been deadlocked in the field of integrated circuit security. From reverse engineering proprietary cryptographic algorithms and microprobing bus lines to fault injection and side channel attacks, every class of attack has ushered in new preventative countermeasures. Most attacks to date are performed from the frontside, where all the active areas and circuit nodes are accessible. Hence, all countermeasures, such as shields and meshes, also focus on mitigating attacks from the frontside. Security-relevant signals are buried under many layers of metallization to make them inaccessible to frontside attackers. The direct consequence is that backside attacks become significantly more appealing. With comparably little effort, many old-school attacks are once again possible. Setting or resetting fuses, probing wires or even single transistors is possible, not only with needles but with electron beams or lasers. More exotic attacks are feasible from the backside as well. For example, in switching transistors some of the electrons emit photons that can be seen with an infrared camera during execution. The opposite, i.e. injecting laser light, can also result in successful glitching attacks. Currently, there is little IC vendors can do to prevent such attacks.
🎤
Art of the Exploit: An Introduction to Critical Engineering
Speakers:
👤
Julian Oliver
📅 Sat, 28 Dec 2013 at 21:45
In this lecture Julian will introduce projects and interventions made by himself and others that foreground Engineering, rather than Art, in the creative and critical frame, offering highly public insights into the hidden mechanisms and power struggles within our technical environment. Projects such as the Transparency Grenade, Packetbruecke and Newstweek will be covered in detail.
Art has long been celebrated as an important frame for critical reflection upon contemporary life. In the post-industrial era, however, complex tools, formal languages and hidden infrastructure increasingly influence how we communicate, move and remember; they are now an inextricable part of our environment.
So it follows that to ignore the languages and ideas that comprise engineering - from computer networking and programming to biotechnology and electronics - is to become unable to describe, and thus critically engage with, the world we live in. While this presents a challenge for the traditional artist, it is one that an engineer not working in service to science and industry - a Critical Engineer - is able to meet.
In this lecture Julian will introduce projects and interventions made by himself and others that foreground Engineering, rather than Art, in the creative and critical frame, offering highly public insights into the hidden mechanisms and power struggles within our technical environment. Projects such as the invasive Transparency Grenade, Packetbruecke (a location-distorting tree of 802.11 radios) and Newstweek (a wall plug that allows the owner to manipulate news headlines read on wireless hotspots) will be introduced in detail.
🎤
The good, the bad, and the ugly - Linux Kernel patches
Speakers:
👤
wsa
📅 Sat, 28 Dec 2013 at 22:00
Companies are often blamed for not working upstream. Surprisingly, the situation is not per se better with community projects. To change the latter for the better, Wolfram will show some examples regarding the Linux kernel and present ideas to create win-win-win situations.
In this talk, some examples will be given of how Linux kernel patches are handled in a few great-for-hacking projects. There is great creativity to be found and there are interesting lessons to be learned, especially when it comes to upstreaming. The idea is to create or encourage situations where everyone wins. Ultimately, the kernel will be improved, the project doesn't need to carry a local patch, the submitter gains knowledge and experience, and the development effort won't be forgotten but shared amongst all. And there are already helpful in-between states on the way. Wolfram will share his experiences wearing the hats of a kernel maintainer, a commercial developer, and a passionate hacker. And while kernel-focused, the ideas applied here are pretty generic.
🎤
Plants & Machines
Speakers:
👤
mrv
👤
bbuegler
📅 Sat, 28 Dec 2013 at 22:45
Did you ever feel the need to be in charge of your environment? We did. A detailed story of our experience playing with 220 VAC and water to build an automated, digitally controlled ecosystem. A place where you can be the climate change. Double the temperature, triple the floods, let it storm or rain. A Tamagotchi that generates food from electricity. All done with Arduino, Raspberry Pi and Node.js.
Show and tell of our food replicator project, filled with experiences and lessons learned about Node.js-controlled Arduinos on a Raspberry Pi. From a web app down to controlling environmental conditions in an ecosystem, by talking JSON. A quantified environment that automatically adapts itself to the needs of its flora and fauna, driven by machine learning. Aquaponics in combination with robotics. Fish and plants inside a machine and the implications for future food production. For more information, visit www.plantsandmachines.com
🎤
Seeing The Secret State: Six Landscapes
Speakers:
👤
Trevor Paglen
📅 Sat, 28 Dec 2013 at 23:00
Although people around the world are becoming increasingly aware of the United States' global geography of surveillance, covert action, and other secret programs, much of this landscape is invisible in our everyday lives.
The drone war, for example, seems to happen “somewhere else” while surveillance programs take place among the (largely) invisible infrastructures and digital protocols of the internet and other communications networks. Moreover, the state agencies responsible for secret programs strive to make them as invisible as possible. In this talk, artist Trevor Paglen discusses his work attempting to “see” the various aspects of the secret state. In examples ranging from tracking spy satellites to foraging through the bureaucratic refuse of CIA front companies, Paglen will discuss methods used to identify and exploit structural contradictions in classified programs which render them visible, and comment on the aesthetics and politics of attempting to “see” secrecy.
🎤
Disclosure DOs, Disclosure DON'Ts
Speakers:
👤
Nate Cardozo
📅 Sat, 28 Dec 2013 at 23:00
This talk will focus on responsible disclosure best and worst practices from both legal and practical perspectives. I'll also focus on usable advice, both positive and negative, and answer any questions the audience has on best practices.
You've found a security vulnerability in someone else's product. What now? You want to report your finding so users can protect themselves, or so the vendor can repair their product, or so you as a researcher can give your talk or publish your paper. But how? You don't want to get sued! You don't want to go to jail! You don't want your talk cancelled! You don't want to lose your job! In my role as a lawyer at the EFF on the Coders' Rights Project, I advise security researchers, students, developers, and hackers of all varieties on how to report vulnerabilities. In this talk, I'll share some practical advice that will help the audience navigate the legal, ethical, and practical waters that surround the disclosure of security vulnerabilities. There is no one-size-fits-all approach to responsible disclosure; every situation is different. I'll discuss how to make an offer of delayed publication not sound like a blackmail threat, and how to draw the right kind of attention to your talk without bringing too much of the wrong kind of attention with it. Finally, I'll talk about the different kinds of risk that disclosure entails, including the types of legal issues often faced by researchers. Instead of announcing rules that you must follow, I'll focus on a number of practical DOs and DON'Ts to help you minimize the risks involved.
🎤
SCADA StrangeLove 2
Speakers:
👤
repdet
👤
sgordey
📅 Sat, 28 Dec 2013 at 23:00
The SCADA StrangeLove team will present their research on ICS systems for the second time at CCC. Last year we showed the current state of security in the industrial world and disclosed a large number of vulnerabilities found in Siemens ICS solutions. Some of the vulnerabilities, arguably the most notable ones, were not disclosed because of responsible disclosure. This time we already know. We will talk about several industrial protocols and their weaknesses. During this year we played with new industrial hardware and software, which partially brings new "We don't know yet" vulnerability details. Moreover, we'll mention the creepiest bugs left undisclosed from last year, tell you about new ones and build attack vectors from them. Finally, we will share our experience in pentesting ICS environments. Speakers: Gleb Gritsai and Sergey Gordeychik
1. Introduction
1.a. About SCADA StrangeLove
1.b. We were here before
1.c. Why we eat what we eat
2. ICS on the internet: piece of cake
2.a. Masscan, zmap, sonar, etc.
2.b. One-time scan isn't sexy today: continuous monitoring
2.c. Pizza Owens on the internets now
3. More protocols, more fun
3.a. Profinet/DCP
3.b. IEC104: the bad and the bad
3.c. MMS: from reflash to tag
3.d. S7 saga continued
3.e. Every self-respecting ICS vendor must have its own buggy protocol
4. "Darwin" bugs in ICS
4.a. Statistics and detailed analysis of vulnerabilities discovered by the SCADASL team
5. Don't try it at home: pentesting ICS environments
5.a. Listen to the turbines
5.b. Sit in hardened rooms
5.c. Remember the exit paths
6. What we already know: fixes and releases in 2013
7. Things we don't know yet
7.a. Old friends: Siemens
7.a.i. New S7-1500 PLC
7.a.ii. Cookie monster to own all PLCs
7.b. New friends
7.b.i. Invensys vulnerabilities
7.b.ii. ABB vulnerabilities and exploit demo
7.b.iii. Emerson vulnerabilities
8. Special 30C3 releases
🎤
Technomonopolies
Speakers:
👤
rysiek
📅 Sat, 28 Dec 2013 at 23:30
We all know monopolies are bad. We even have laws against them that sometimes get enforced. However, today we have new kinds of monopolies that affect us without us even noticing them for what they truly are. And technology plays a central role.
When we look at social networks we usually see them as a single market, maybe divided between full-blown ones and microblogs. Thus we see Facebook and Google+ competing on a single market that seems to be divided between many players, including a small slice for Diaspora, for example. Competition only works where there is a real possibility to choose a product or service. For example, competition between family car makers works because customers can actually choose different family cars and yet be able to travel to the same places on the same roads, using the same kinds of fuel. Similarly, competition among web browsers and e-mail providers works because regardless of which web browser you choose or with which e-mail provider you set up your account, you will be able to access the whole web and to contact users of all other providers. This, however, is not the case with closed social networks. Facebook users cannot contact Google+ users and vice versa. Technically, from the users' perspective, Facebook and Google+ are actually separate markets, each with a single monopolist provider (Facebook and Google, respectively). Once we start seeing technomonopolies for what they are, we can start exploring their consequences, in the same terms in which we consider the consequences of any other kind of monopoly on any other market.
🎤
Decoder
Speakers:
👤
Klaus Maeck
📅 Sun, 29 Dec 2013 at 00:00
DATE TBC! DECODER is a legendary German film from 1984, based on the themes of William S. Burroughs. Burroughs himself acts in a key scene in the film, along with F.M. Einheit, Christiane F., Genesis P. Orridge a.o.
The story of urban chaos and intrigue focuses on the sonic experiments of the disillusioned 'noise-freak' FM, who is experimenting with music and infrasound. In search of new and extreme sounds he stumbles into a kind of black mass being celebrated by urban pirates. He is able to convince them to join him in his search for an antidote to muzak, as he discovers that the musical tranquilizer can become a brain poison. After distributing multiple copies of their anti-tape, the urban pirates successfully induce nausea in H-Burger restaurants, not to the liking of the multinational headquarters, who promptly dispatch a special agent to stop the tape-terrorism, which spreads rapidly, leading to mass civil disobedience and street fighting.
🎤
Fnord News Show
Speakers:
👤
Fefe
👤
frank
📅 Sun, 29 Dec 2013 at 00:00
In the format of a relaxed evening show we will present the highlights of the year: the news between the news, the subtle sensations behind the headlines. Come, listen, see! Let yourself be swept away!
🎤
Europe, the USA and Identity Ecosystems
Speakers:
👤
Christoph Engemann
📅 Sun, 29 Dec 2013 at 11:30
Talk introducing NSTIC and COM 238, i.e. the current digital identity policy proposals in the USA and Europe, discussing their similarities, differences and possible conflicts.
In the past two years both the US Government and the European Commission have declared their intent to create "Identity Ecosystems" and are actively pursuing the creation of regulatory and technical frameworks for the digital authentication of their citizens. Both the USA and the European Union expect the implementation of state-recognized digital identities in the coming three to five years. The American initiative is called "National Strategy for Trusted Identities in Cyberspace" (NSTIC), its European counterpart "electronic identification and trust services for electronic transactions in the internal market" (COM(2012) 238). Given the scope of these programs, the number of people affected and the fact that identity technologies necessarily have to negotiate the conflicting values of individual liberty and social control, it is reasonable to expect that the developments around NSTIC and COM(2012) 238 will become dominant in the debate on the future of the Internet. In my talk I will introduce the basics of the White House's NSTIC initiative and the European Union's COM(2012) 238, explaining the common traits as well as the conflicting aspects of the electronic identity programs of two of the world's largest and most influential state entities. I will outline how both programs share the assumption that providing "secure" and "trusted" identities is essential for the future development of the Internet, is necessary to fully realize citizenship status on the Net and fosters further economic growth. I will also scrutinize the importance and function of the term "transaction", which is prominent in both NSTIC and COM(2012) 238. Subsequently I will show that NSTIC and COM(2012) 238 differ fundamentally in their view of the role of the state, of the private sector and of civil society in providing and controlling the standards, protocols and infrastructures of digital identities.
Here I will outline how the NSTIC employs a neoliberal market rhetoric, declaring that "the Identity Ecosystem should be market-driven", while the European Union follows an étatist vision of governmental identity provision. In this context I will show the importance of the different approaches of Europe and the USA concerning the relation between existing offline and online identity solutions. The goal of the talk is to raise awareness of the importance of these programs and to enable an understanding of the paradoxes of digital identity provision and its function in both enabling and sustaining statehood and capitalism. The talk will close with a statement locating the differences between the European and the United States approach in the larger conflict over the means and legitimacy of intervening in and regulating capitalism. Duration 40 min + 20 min discussion; presentation style will be slides and accompanying talk, discussion afterwards.
🎤
Making machines that make
Speakers:
👤
Nadya Peek
📅 Sun, 29 Dec 2013 at 11:30
Making a new control system for a machine is often a slow and tedious task. Maybe you already have a 3-axis stage, and you already know how to move it around. But what if you want to add a camera and use it for position feedback? You'd have to redesign the whole hardware layer. I'll talk about some ways I've built modularity into control systems for machines so that you can quickly iterate on different kinds of machine systems without getting stuck in hardware land forever. This includes connecting synchronized nodes across a network and importing legacy nodes for things like, say, an old pressure box you found in the trash that has RS-232 in. Down with G-code! Long live machine control.
🎤
India's Surveillance State
Speakers:
👤
Maria Xynou
📅 Sun, 29 Dec 2013 at 11:30
India is currently implementing some of the scariest surveillance schemes in the world. This lecture will shed light on India's surveillance industry, its UID scheme which aims at the collection of all biometric data and on various controversial surveillance schemes, such as the Central Monitoring System (CMS).
When it comes to surveillance, the most mainstream argument is that the majority of India's population lives below the poverty line and that surveillance is an elitist issue - and not a "real" issue which affects the masses. Given that the majority of India's population has mobile phones and that the Indian government is currently implementing the Central Monitoring System (CMS) which aims at intercepting all telecommunications (and Internet communications), surveillance does not appear to be an elitist issue. Given that the UID scheme aims at collecting the biometric data of all citizens residing in India and that most BPL cash programmes require UID registration, surveillance appears to be an issue which (unfortunately) affects the 1.2 billion people currently living in India. And this is to say the least. As part of the Privacy Project, the Centre for Internet and Society (CIS) in Bangalore, India, is investigating surveillance within the country. The project is funded by Privacy International and aims to map out various forms of surveillance in India, ranging from drones, CCTV cameras and GPS tracking equipment to phone and Internet monitoring gear. This lecture aims to present the research that Maria Xynou has undertaken at the CIS so far, which includes data on the various surveillance technology companies operating in India and the type of spy gear they sell to Indian law enforcement agencies. This research also includes the presentation of India's various controversial surveillance schemes, with an emphasis on the Central Monitoring System (CMS) which unlawfully enables the interception of all telecommunications and Internet communications. India is currently implementing the world's largest biometric data collection and interception of communications schemes. The aim of this lecture is to present India's scary mass surveillance and to discuss its implications on the right to privacy and other human rights.
🎤
Y U NO ISP, taking back the Net
Speakers:
👤
taziden
📅 Sun, 29 Dec 2013 at 11:30
Building and running an ISP is not that difficult. It's hard to say how many people are connected to the Internet by such weird structures, but we know that they are more and more each day. What is at stake is taking back the control of the Internet infrastructure and showing that a neutral Internet access is natural.
Providing access to the Internet seems complicated but it's actually quite simple. You have to roll up your sleeves and dig a lot into legal, commercial and administrative stuff. Surprisingly, the technical part is usually not a problem. Despite what you might think, there is no need for a big infrastructure, a lot of money, or that sort of thing. Benjamin Bayart is at the head of the non-profit organization FDN, the oldest ISP still in activity in France. In 2010, he called for the swarming of the concepts behind FDN. The idea was to copy locally what FDN was doing at a country scale and spread the word about self-hosting, Net neutrality and the stakes for society. The call was followed by the creation of several non-profit organizations, quickly federated in a meta-structure called FFDN, for Federation FDN. Two years later, FFDN is much bigger. From 7 orgs, there are now 21, counting around 1,400 members. A human network on top of the machines' one. From the beginning, we knew that we were not alone, and in the meantime we met with similar organizations around the world, like the Free Network Foundation in the USA or Guifi in Spain. We launched an international mailing list to spread the recipes for building open and neutral access to the Internet in many situations. During OHM, this talk helped federate energies around a Belgian project, and we hope 30C3 will be the occasion to spread the word even more, maybe to give some ideas and plant some seeds for building a better Internet. After all, Y U NO TRY?
🎤
Building a safe NFC ticketing system
Speakers:
👤
bughardy
👤
Eagle1753
📅 Sun, 29 Dec 2013 at 12:15
NFC technology is becoming more and more relevant in our lives. One of its major uses is in ticketing solutions. However, most companies use poor implementations of NFC technology. In this talk we will explain a complete solution, analyzing security challenges and outlining best practices and implementation choices.
Most NFC ticketing solutions are based on MIFARE ULTRALIGHT chips. The main topic of our talk is why and how these implementations are vulnerable. The talk is divided into two main sections. The first deals with the vulnerabilities that may occur if you do not pay enough attention to security topics. We focus on three areas in which fraud is possible:
I. Bad use of GPS and Internet protocols to apply fees.
II. Correct use of the OTP sector in ULTRALIGHT chips.
III. Correct data stamping on tickets.
In the second part we will show a proof of concept of a validation machine which validates tickets in a secure way. The machine is based on an Arduino Uno, and we use MIFARE ULTRALIGHT as the NFC chip type to keep the whole solution low cost. All source code will be released as open source right after the talk so that everyone can use it to create secure solutions.
🎤
ID Cards in China: Your Worst Nightmare
Speakers:
👤
Kate Krauss
📅 Sun, 29 Dec 2013 at 12:45
Imagine getting pulled over for running a stop sign and learning for the first time – from the cop – that you are HIV-positive. People in China are required to carry electronic, swipeable ID cards that hold their political views, their HIV status, their mental health situation, and much more.
We'll examine the history of these cards, where the data is housed, who can access it, what vulnerabilities might exist in this system, what can be done about it, and what it means for human rights.
🎤
Drones
Speakers:
👤
Piotr Esden-Tempski
📅 Sun, 29 Dec 2013 at 12:45
During the last 10 years, technology that was formerly only available to the military reached the hands of thousands. Researchers, hackers, enthusiasts and hobbyists helped drive the technology further and higher than anyone had imagined just a few years ago. We will recap what the civilian airborne robot community has achieved in the last decade and what the next frontiers are that need to be addressed.
Over the last decade, projects and companies like Paparazzi, Microdrone, AscTec, Mikrokopter, UAVP-NG and others have made small unmanned vehicles (a.k.a. drones) what they are today. Through innovation and hard work, autonomous drones are now affordable and accessible enough that most of us can build one at home. While the companies inspired, the Open-Source projects advanced and shared these multidisciplinary technologies with many engineers and hackers, thereby building a collaborative community of innovators from the ground up. Though many challenges have been overcome, we are only at the very beginning of the private UAV revolution. Consider a comparison with the personal computer, which has evolved in ways that could not be foreseen in the beginning. Those working on this platform need space and time to discover the beneficial possibilities. There are many challenges that we are still facing, and they are as exciting and basic as the technology itself. Let me take you through a brief history of the developments and advances in Open-Source UAV and try to envision what is still in front of us.
🎤
Lightning Talks, Day 3
Speakers:
👤
nickfarr
📅 Sun, 29 Dec 2013 at 12:45
🎤
Structuring open hardware projects
Speakers:
👤
Bram de Vries
👤
Morris Winkler
📅 Sun, 29 Dec 2013 at 13:00
Every successful open hardware project needs a solid organization structure at some point in time, especially when you plan to produce and sell your project. In our “i3 Berlin” 3D printer project, we took some elements of the PLM (Product Lifecycle Management) concept and implemented them with open source tools like Github and Blender.
Product Lifecycle Management is the process of managing the entire lifecycle of a product from its conception, through design and manufacture, to service and disposal. PLM is about how to handle versions, communication with users, etc. Every PLM has to be tailor-made to the project and the team working on it. PLM is vital to organize open hardware projects to be more focused and efficient, yet open and adaptive at the same time. Building a PLM is time-consuming but will make your projects more and more efficient.
Our project is the i3 Berlin 3D printer, a remix of the Prusa i3.
- It is an electromechanical project that is mainly built from printed parts and standardized sourced parts.
- We don't develop electronics, but we do design mechanical parts and make adjustments to the firmware.
- We also sell our design as a kit, which needs a manual and a bill of materials that is always up to date.
- Furthermore, we have to track issues and we want to be open to cooperation with other people.
We used Blender to design the entire machine.
- Blender is a 3D mesh modeler, whereas the industry uses solely parametric CAD software when it comes to electromechanical engineering.
- Parametric 3D models are smart, whereas mesh models are dumb models you modify with smart tools.
- Mesh modeling is a very suitable method when 3D printing is the main manufacturing method. Design files are much easier to share among people and programs.
- Cables are an intricate part of a moving machine and can be modeled well within Blender.
- We wrote a plug-in to generate a bill of materials and developed a method to make a step-by-step visual manual with animation frames. Both BOM and manual are part of the design file and therefore will always be up to date. The rendered pictures from Blenders
For communication we use Github.
- The core ideas and design requirements grow over time in the wiki.
- The commit structure of Github automatically takes care of version control.
- Git issues work as a support ticket system to track and solve problems.
- Design guidelines make sure that everyone cooperating organizes their work coherently with the project.
- Make Blender more accessible by making tutorials directly focused on mechanical design.
- Connect the BOM with a database for logistics, price calculations, demand estimation and supply chain.
- Continue work on the OHM (open hardware management) toolbox.
🎤
calc.pw
Speakers:
👤
Kenneth Newwood
📅 Sun, 29 Dec 2013 at 13:45
calc.pw is DIY hardware that generates passwords from a master password and easily remembered information (e.g. "ebay", "amazon", etc.). The talk will cover the problems of existing password approaches (password schemes, password databases). It will explain the theory behind the password computation and present a practical implementation of that computation.
The talk is about my latest project, "calc.pw", open-source hardware for generating passwords. A master password and a piece of service-specific information are combined using cryptographic methods (Arc4 and SHA-1) to derive a service password. The whole thing has been built on Arduino hardware and can be rebuilt using the published build instructions and the source code, which is licensed under GPLv3. The talk will explain the idea behind calc.pw and the reasons for releasing it as open source. It will also explain the particularities of the individual components (keywords: the RC4 key schedule, memory management on the ATMEL, etc.). I have already given similar talks on this topic as a lightning talk at #SIGINT13 and as a lecture at #MRMCD2013.
🎤
Deutschlandfunk - The 30C3 Interview with ...
Speakers:
👤
Deutschlandfunk
📅 Sun, 29 Dec 2013 at 14:00
Listen and watch again at www.deutschlandfunk.de/hackerkongress
🎤
The Exploration and Exploitation of an SD Memory Card
Speakers:
👤
bunnie
👤
Xobs
📅 Sun, 29 Dec 2013 at 14:00
All “managed FLASH” devices, such as SD, microSD, and SSD, contain an embedded controller to assist with the complex tasks necessary to create an abstraction of reliable, contiguous storage out of FLASH silicon that is fundamentally unreliable and unpredictably fragmented. This controller is an attack surface of interest. First, the ability to modify the block allocation and erasure algorithms introduces the opportunity to perform various MITM attacks in a virtually undetectable fashion. Second, the controller itself is typically powerful, with performance around 50 MIPS, yet with a cost of mere pennies, making it an interesting and possibly useful development target for other non-storage related purposes. Finally, understanding the inner workings of the controller enables opportunities for data recovery in cards that are thought to have been erased, or have been partially damaged. This talk demonstrates a method for reverse engineering and loading code into the microcontroller within an SD memory card.
TECHNICAL APPROACH
Publicly available documentation on SD card controllers is scarce. However, based upon tear-down and decap analysis as well as a survey of the publicly available product briefs, most controllers are believed to be either an enhanced 8051 or an ARM derivative. A further challenge to overcome is the fact that SD card manufacturers typically reserve the right to change the controller IC within a card without updating the external markings to reflect the change. This policy favors the SD card manufacturers, as it allows them to swap out existing controllers for lower-cost devices as new controllers are introduced. However, it is problematic for users, as it means that two otherwise identical-looking cards can have different performance and/or bugs with which to contend. To kick off the effort, a survey of available cards was made at an SD card gray market in Shenzhen, China. Each card was dissected and visually inspected for cues, such as the layout of the traces going to the controller glob-top, that would indicate the type of controller within. About a dozen different controller types were identified, of which one was picked for further investigation due to its use of SLC FLASH memory. SLC is a good starting point for reverse engineering because no storage-level scrambling is required to prevent the read- and write-disturb issues typical of MLC and TLC FLASH. A simple binary dump of the FLASH memory within the card revealed structure within the first erase block consistent with what we might expect for code storage. Since FLASH memory is inherently unreliable, four CRC + ECC protected copies of the code are located within the first sector. This crude duplication scheme allows the card to boot even if bit errors creep into the code storage sector. We also noted the existence of the string “BUILDWIN” within the code storage sector, which indicates that the controller is likely from a series made by a company called Appotech.
Product briefs from the Appotech/Buildwin websites indicated that the architecture of the code is likely an 8051 derivative, and the model of the controller is probably an AX211. At this point, our effort to reverse engineer the controller split into two paths. One path was static analysis, where extracted binaries and manufacturing-related tools were analyzed with IDA to determine key entry points, storage locations, and most importantly a method for injecting code into the card via the SD interface. The other path was dynamic analysis, where the signals going to the SD card bus and to the NAND FLASH were instrumented with logging and stimulus facilities, and the controller's operation could be observed with exquisite resolution, enabling a broad class of fuzzing and other brute-force analysis attacks, as well as the rapid confirmation or rejection of hypotheses generated by static analysis. Dynamic analysis was key in determining features such as the location of the GPIO control registers and the function and format of otherwise undocumented extended instruction opcodes. The static analysis path was assisted by the availability of official firmware burning routines, scavenged from Chinese-language file-sharing websites. These are tools normally used during the production of SD cards, but made available on the gray market to enable (and correct) card capacity expansion fraud. Typically, these tools are used to flash an incorrect version of the firmware onto the SD cards, which would identify the card as having a much higher capacity than the physically available storage. This would allow unscrupulous dealers to sell, for example, aging 128MiB silicon as devices identifying themselves with 2GiB capacity. These bootleg tools would come with a collection of firmware blobs for loading onto the card, as well as a routine that communicates with a proprietary USB-based burning device.
We did not have access to the burner, but static analysis of the communication protocol via code reverse engineering revealed that firmware loading is initiated through the application of a specific “secret knock” sequence during card boot. The dynamic analysis path was implemented using an embedded platform of our making, known publicly as Novena. It is a quad-core ARM CPU running Linux mated to a Spartan 6 FPGA with a high-speed expansion port. The FPGA also has a 256 MiB DDR3 buffer attached to it. This buffer + FPGA was used to implement a combination logic analyzer + ROM emulator used to wrap the controller on the SD card. The ROM emulator presents a virtual, dual-ported NAND FLASH device to the SD card controller. The dual-port design allows us to modify and read the contents of the NAND FLASH on the fly, thereby allowing us to stimulate the controller IC with various fault conditions or code loops and measure their effect on the FLASH device. This tight coupling enabled us to rapidly discover, for example, which SFRs (Special Function Registers) are responsible for reading or writing to the Flash controller hardware. Furthermore, each port of the SD card controller is connected to a virtual logic analyzer within the FPGA that can store up to a 16MiB trace of transactions going to and from the controller on both the SD and FLASH buses. This very deep buffer allowed us to observe behavior of the device from power-on to full operation, as well as observe stimulus-response loops to compound SD bus commands.
SD INTERFACE OVERVIEW
Before diving into the details of our approach, we review a few important aspects of the SD protocol. When an SD card first boots, it is running in SD/MMC mode.
This is a 9-wire protocol, using the following pinout (note: pin 9 is located below and to the side of pin 1):
    12345678 9
    |||||||| \- DAT1
    |||||||\-- DAT0
    ||||||\--- GND
    |||||\---- Clock
    ||||\----- VDD +3.3V
    |||\------ GND
    ||\------- Command
    |\-------- DAT3
    \--------- DAT2
SD commands consist of a start bit of 0, a sync bit of 1, a 6-bit command number (referred to as CMDn, where n is between 0 and 63), four 8-bit arguments, a CRC7 checksum, and a stop bit of 1. This yields a total of 48 bits (or 6 bytes) per command. While the card is processing the request, it will keep the Command line high, and will begin its communication with a start bit by bringing the Command line low, indicating "0". This will be followed by 38 bits of data, 7 bits of CRC7, and a stop bit of "1", for a total of 48 bits. Bit values are sampled when the clock line is high, and may change when the clock line is low. Bytes are sent from high bit to low bit. For example, the hex value 0x80 would be written out as 0b10000000. CMD0 must be sent before any other commands are processed. To send such a command, transmit the following six bytes:
    {0x40 0x00 0x00 0x00 0x00 0x95}
      |    |    |    |    |    \----- (CRC7 of ({0x40, 0x00, 0x00, 0x00}))<<1 | 1
      |    \----\----\----\---------- Four arguments of "0"
      \------------------------------ Start bit of 0, cmd bit of 1, CMD0
Then, continue to wiggle the clock, and look for the 48-bit response. Data is transmitted either on the DAT0 line (for 1-bit mode), or striped in parallel across DAT0-DAT3. As with the Command line, bit 7 is sent first, and bit 0 is sent last. In four-bit mode, DAT3 will send bit 7, DAT2 will send bit 6, DAT1 will send bit 5, and DAT0 will send bit 4. Bits 3-0 will be sent using DAT3-DAT0 on the next clock cycle. Data is transmitted with a start bit of 0, followed by the data (almost always 512 bytes), followed by a CRC16 of the data, and then a stop bit of 1.
In the case of 4-bit mode, all four DAT lines send a start bit of 0, and each individual line sends its own CRC16 of the transmitted data. All four lines send a stop bit of 1 as well.
CONTROLLER-SPECIFIC NOTES
The AX211 is based on the 8051 architecture, an eight-bit processor core that is very common among embedded parts. The original 8051 ran at around 1 MIPS, but improvements in architecture and clock speed allow the 8051 present in the AX211 to run at 50 MIPS. The 8051 instruction set had a single undefined opcode, 0xa5, which is used by Appotech to implement 32-bit instruction set extensions. The hardware SD protocol engine only handles transferring bytes (OSI layers 1 & 2). The higher-level details of the SD protocol are implemented entirely in software, making for a compelling attack surface. When the processor first starts up, it attempts to load a valid flash image off of the NAND. While it is in this state, it can respond to a limited set of SD commands, including "RESET", "Set CRC7 required", and "Set voltage". It will not respond to the "Go Ready" command until it has loaded its firmware. There are four copies of the AX211 firmware, located at NAND offsets 0x0000, 0x10000, 0x20000, and 0x30000. Each copy is protected with its own error correcting code. If all four copies are sufficiently damaged, or if the NAND is missing or blank, then the card will never fully boot and will never be able to go ready.
FACTORY PROGRAMMER
As noted previously, we had found a copy of the Windows-based AX211 factory programming tool on Chinese-language file sharing websites. The full AX211 factory programming suite is a combination of this software and a proprietary (and unknown to us) hardware tool. We suspect the hardware is based on the AppoTech AX2002 processor, which also uses an 8051-compatible instruction set. The device connects to the main PC through USB, and has the USB ID string of "appotechcksd".
This allows the software to identify the programmer regardless of its product/vendor ID. We believe the device may have a small display, or else it prints debugging information over a serial port. The programming software is almost entirely in Chinese. It does not contain a codepage identifier, so a system must be set to run non-Unicode programs as "Chinese (PRC)", which selects an encoding of GB-18030. If you do not do this, the software will display gibberish in place of Chinese text. The programmer control software appears to be fully automated. Without the programmer hardware, we can only configure the software and see where, presumably, individual hardware programmers would appear in the user interface. Therefore, we must resort to disassembling the binary to determine how it works. Code flow analysis indicates that when the software initially detects the attachment of factory programming hardware via USB, it opens the device and sends a binary file called "2005FM.BIN". 2005FM.BIN is a raw opcode stream that is loaded into the programmer hardware's 8051 (not the SD target) at address 0. The program begins running from address 0, and begins doing some initialization. It then displays the string "RUN" through the putative logging interface on the programming hardware. After this, it awaits further control instructions from the host. The microcontroller used in the programmer hardware does not contain an SD/MMC host controller. This is fortunate for us, as it means the SD programming interface is implemented entirely using GPIOs. This makes it easy to trace all signal changes through static code analysis. When programming begins, the programmer places the SD card into a special mode where it will accept and execute programs. It does this by sending SD CMD0 (card reset) followed within 20 msec by CMD63 with the arguments 'A' 'P' 'P' 'O' and the appropriate CRC7 checksum.
The card then responds with the following sequence:
    {0x3f 0x00 0x9d 0x20 0x0b 0x35}
      |    |    |    |    |    \-- CRC7 checksum, plus stop bit
      |    \----\----\----\------- Unknown values
      \---------------------------- The command we sent (CMD63)
The program to be executed on the SD card is then loaded to offset 0x2900, and will begin executing immediately from within an interrupt context. Therefore, the first thing the routine should do is escape the context by changing the return value, then issuing a "reti" instruction. When the host software detects a new card to be programmed, it informs the programmer to put the card into this special factory mode, and then begins uploading firmware and communicating with the card. The first program to get loaded is a small piece of test code called TestBoot.bin. The program performs a few sanity checks, then returns pass or fail by sending the result out the Command line. Once the program finishes, control returns to the AX211 ROM. After TestBoot.bin runs, the programmer loads a file called communication.bin. This program contains a full interrupt vector table, and is therefore able to replace functions such as SD communication and NAND access. It uses this to load a new, expanded set of communication options, including the ability to load and execute another program at memory offset 0x800. Because it has its own interrupt vector table, it loads at offset 0 and takes control of the entire card. Once the communications program is loaded, the programmer uses it to load more advanced programs that actually deal with the NAND flash component. Programs are loaded at offset 0x800 in order to allow the communications program (and its interrupt vector table) to stay resident. The first program loaded is FLASH_SCAN.BIN, which is responsible for scanning the flash to determine its properties. This can be useful when operators are not familiar with the type of NAND they're working with.
This program is able to inform the host of properties such as the page size, flash size, and ECC data. The host can then use this information to construct a Card ID block. It's important to note that the host controller can choose to ignore the information coming from the flash, and can program invalid flash sizes. This can occur either deliberately or accidentally. Thus, some "counterfeit" cards may simply be a result of an operator forgetting to change the settings when programming a new batch of NAND. After the flash has been scanned, a program called FLASH_PRO.BIN is loaded. This is responsible for the actual programming of the NAND with the requisite firmware file. With FLASH_PRO.BIN running, the programmer must feed the card a firmware file. A wide variety of firmwares are bundled with the programming software, and vary between the vendor, page size, block size, number of planes, and the number of chip enables. The host picks an appropriate firmware file to send, and writes it out to the card. After programming is complete, the programmer resets the card and formats it. Depending on the size of the card, the programmer places either a FAT16 or a FAT32 header on the card, and creates the actual file allocation table. It is interesting to note that there are two DOS MBRs stored in the 2005FM.BIN programmer firmware, complete with an NTLDR boot sector. This gets placed at the head of the card, with the actual file allocation table following shortly after. The upshot of reversing the factory programmer binaries is the development of our own routine, which is capable of knocking the AX211 and loading our own code onto the device.
AX211 FIRMWARE REVERSING
The contents of the programs run on the AX211 have also been analyzed. In addition to confirming the host-side initialization protocols documented above, the firmware reversing effort has revealed more details on the allocation of instruction set enhancements and the Function Specific Registers (FSRs).
FSRs are memory-mapped registers that are used to control and configure the state of the hardware. For example, the controls required to turn NAND I/Os into GPIOs and toggle their values are contained in the FSR region; therefore, discovering the FSR map is an important component of achieving maximum utility from the SD card controller. Opcode extensions on the 8051 are accomplished by using the escape opcode 0xA5. This is the only opcode in the 8051 which doesn't have a pre-defined function. Typically, the escape opcode is followed by one or more bytes that specify which escape sequence to use. In our investigation of the firmware, we have only seen one- and two-byte escape sequences. Two-byte sequences require the lower nibble of the first escape byte to be all 1s. We have modified the 8051 processor module in IDA to handle these escape sequences gracefully. Our current theory is that the opcode extensions are used to trigger various NAND interface functions, such as transmitting a command cycle or computing ECC on a loaded page of memory. The FSR map was determined in part through static binary code analysis in IDA, and in part through a dynamic fuzzing infrastructure. For example, to determine which FSR was used as a GPIO, we wrote a small assembly stub that would set a pseudo-random (based upon a seed value, so we could reproduce experiments later on) selection of four FSR registers within the 128-byte window of valid FSRs to 0xFF, then 0x00, with a few microseconds' delay between. We had connected an oscilloscope to one of the NAND I/Os on the AX211, and monitored for changes in I/O status while running this code. We decided to write four bytes at once under the theory that we had to configure not only a data register, but also direction & configuration registers, as outputs for us to measure a change using the oscilloscope.
With some luck, we were able to discover very quickly an FSR which, when written to, would cause some of the NAND I/O pins to flip on and off. Through this combination of static and dynamic analysis, we have confirmed the function of much of the FSR table, which looks like this:
         |   0   |   1   |   2   |   3   |   4   |   5   |   6   |   7   |
         |   8   |   9   |   A   |   B   |   C   |   D   |   E   |   F   |
    -----+-------+-------+-------+-------+-------+-------+-------+-------+
    80   | SDMOD |  SP   |  DPL  |  DPH  |       |       |       |       |
    -----+-------+-------+-------+-------+-------+-------+-------+-------+
    88   | SDOS  | SDI4  | SDI3  | SDI2  | SDI1  | SDCMD | IACK  |       |
    -----+-------+-------+-------+-------+-------+-------+-------+-------+
    90   | SDSM  |       |       | SDBL  | SDBH  |       | SDDL  | SDDH  |
    -----+-------+-------+-------+-------+-------+-------+-------+-------+
    98   |       |       |       |       |       |       |       |       |
    -----+-------+-------+-------+-------+-------+-------+-------+-------+
    A0   | NTYPE | NCMD  | NRAML | NRAMH |       |       |       |       |
    -----+-------+-------+-------+-------+-------+-------+-------+-------+
    A8   |  IE   | NCMD1 | NCMD2 | NADD0 | NADD1 | NADD2 | NADD3 | NADD4 |
    -----+-------+-------+-------+-------+-------+-------+-------+-------+
    B0   |       | RAND  |       |       |       |       |       |       |
    -----+-------+-------+-------+-------+-------+-------+-------+-------+
    B8   |  ER8  |       |       |       |       |       |       |       |
    -----+-------+-------+-------+-------+-------+-------+-------+-------+
    C0   | ER00  | ER01  | ER02  | ER03  |       |       |       |       |
    -----+-------+-------+-------+-------+-------+-------+-------+-------+
    C8   | ER10  | ER11  | ER12  | ER13  |       |       |       |       |
    -----+-------+-------+-------+-------+-------+-------+-------+-------+
    D0   |       |       |       |       |       |       |       |       |
    -----+-------+-------+-------+-------+-------+-------+-------+-------+
    D8   | ER20  | ER21  | ER22  | ER23  |       |       |       |       |
    -----+-------+-------+-------+-------+-------+-------+-------+-------+
    E0   |  ACC  |       |       |       |       |       |       |       |
    -----+-------+-------+-------+-------+-------+-------+-------+-------+
    E8   |       |       | NFMT  | SDDIR |       |       |       |       |
    -----+-------+-------+-------+-------+-------+-------+-------+-------+
    F0   |   B   |       | NPRE1 | NPRE2 |       |       | PORT1 |       |
    -----+-------+-------+-------+-------+-------+-------+-------+-------+
    F8   | ER30  | ER31  | ER32  | ER33  |       |       |       |       |
    -----+-------+-------+-------+-------+-------+-------+-------+-------+
Our presumption is that many of the spots reading back as 00 are probably unused FSRs, so we have probably uncovered the function of most of the implemented FSRs.
WORKING IT: A REPL DEBUGGER
In investigating the actual runtime firmware of the AX211 card, it has become apparent that the entire SD engine at the protocol level is implemented in 8051 code. Only the SD physical layer (including both SPI and MMC mode) is handled in hardware. When the host controller sends a command such as CMD0, the card's firmware actually treats the command as an offset in a jump table. Application commands are also handled in a separate jump table. This means that it is a trivial matter to add an additional command: all one needs to do is co-opt one of the unused commands, which currently point to a default handler. There is plenty of space at the end of the firmware to add any additional commands. Now that the SD controller's functions are well known, we were able to implement a REPL-mode debugger firmware for the SD controller:
    root@bunnie-novena:~/ax211-code# ./ax211 -d debugger.bin
    FPGA hardware v1.26
    Debug mode
    APPO response [6]: {0x3f 0x00 0xc1 0x04 0x17 0xab}
    Result of factory mode: 0
    00000000  0f 41 1f 0f 0f 0f ff ff  |.A......|
    Expected 0x00 0x00, got 0x0f 0x41
    Loaded debugger
    Locating fixup hooks... Done
    AX211> help
    List of available commands:
        hello     Make sure the card is there
        peek      Read an area of memory
        poke      Write to an area of memory
        jump      Jump to an area of memory
        dumprom   Dump all of ROM to a file
        memset    Set a range of memory to a single value
        null      Do nothing and return all zeroes
        disasm    Disassemble an area of memory
        ram       Manipulate internal RAM
        sfr       Manipulate special function registers
        nand      Operate on the NAND in some fashion
        extop     Execute an extended opcode on the chip
        reset     Reset the AX211 card
        help      Print this help
    For more information on a specific command, type 'help [command]'
    AX211>
As one can see, the features of the debugger include generic options such as memory manipulation (peek/poke), but also more powerful features such as disassembly, and chip-specific features such as NAND manipulation via the internal SFRs.
DEBUGGER IMPLEMENTATION
The debugger relies upon two key mechanisms that were reverse-engineered in the course of this study: (1) the ability to load small stubs of arbitrary code to bootstrap the system and (2) the ability to pass messages back and forth from the AX211 using the SD PHY layer. The footprint of the native 8051 code for the debugger is limited to 512 bytes; this is the stub size afforded by the mask ROM bootloader on the AX211. Therefore, in order to implement a rich command feature set, the debugger functions are partitioned between a host CPU (the ARM i.MX6) and the target 8051-based CPU. For example, disassembling a particular region of memory breaks down to a script executed on the host side that drives the native AX211 stub code to dump the requested portion of memory, followed by the disassembly algorithm running on the host ARM CPU. The only way to talk to the AX211 is via the SD interface. Therefore, the interactive REPL environment must run on the host ARM system, which is equipped with the requisite terminal interface features such as an ssh console.
The REPL environment then translates the user's requests into bundles of SD commands. We take advantage of the command/response token protocol built into the SD-PHY spec (see page 8 of SD Card Physical Layer Simplified Specification v2.00 for more information). The command/response protocol runs bidirectionally on a single wire, the CMD line of the SD-PHY interface, and is timed by the CLK line. Command tokens are 48-bits long, and contain a CRC along with some static header bits. Response tokens are also 48 bits long, and similarly feature CRC protection along with different static header bits. The SD commands originating from the REPL environment are transmitted to the AX211 via the FPGA built into the host system. The FPGA presents a “gpio-like” API for the SD host PHY: one register for data output, one register for data input, and one register to bit-wise set the data direction. The SD commands are received on the AX211 and processed by the hardware SD engine attached to the embedded 8051 CPU. The state machine handles receiving the data and computing/checking the CRC. Once a complete packet is received by the state machine, the 8051 is notified of the packet's arrival via an interrupt. 
Therefore, the 512 bytes of native 8051 code for our debugger contains the following routines: * An entry sequence that resets the execution environment and redirects ongoing code execution into the debug.bin patch * An interrupt handler for receiving SD command packets * Code to set the ISR handler to our new interrupt handler * A jump table to parse incoming SD commands * Helper routines, such as the response transmission and wait loops * Implementation of all the basic stub commands: * hello - inform the host we're running * echo - loop back the request * peek - request contents of XRAM * poke - set contents of XRAM * jump - run code at an address * nand - manipulate the NAND hardware registers * SFR/IRAM get/set routines - more on this below * extended opcode - execute an extended opcode * error - return an error code CROSS-MEMORY AREA ACCESS The 8051 has two different kinds of memory, each of which is further subdivided: IRAM - located on-chip. 256 bytes in total. Accessed using "mov" instruction. The IRAM map is as follows: * IRAM address 0-7 corresponds to CPU registers R0-R7 * IRAM address 8-0x7f are on-chip RAM * IRAM address 0x80-0xff are Special Function Registers (SFRs). SFRs are locations that are mapped to hardware functions, such as the NAND command engine or GPIO XRAM - 16 kilobytes of "External" RAM (this memory was a physically separate chip in the original non-embedded 8051 implementation). Accessed by storing an address in DPTR (which is really made up of SFR 0x82 and 0x83, called DPL and DPH respectively) and either loading to the accumulator using "movx A, @DPTR" or storing from the accumulator using "movx @DPTR, A". The XRAM map is as follows: * 0x0000 - 0x0006 is reserved. Contains 0x51 0x00 0x00 0x00 ... * 0x0007 - 0x01ff is protected and returns 0xff. The CPU and NAND block can't read this range, but the SD block can. 
* 0x0200 - 0x0202 is interrupt vector 0 (SPI) * 0x0203 - 0x0205 is interrupt vector 1 (other SPI) * 0x0206 - 0x0208 is interrupt vector 2 (NAND) * 0x0209 - 0x020b is interrupt vector 3 (unknown) * 0x020c - 0x02af is general-purpose RAM * Code execution for APPO factory mode begins at offset 0x2900 * 0x2ba0 - 0x2bff contains something interesting, and I'm not sure what * 0x2c00 - 0x3fff is read-only and contains zeroes * 0x0000 - 0x3fff is mirrored at 0x4000, 0x8000, and 0xc000 The division of 8051 memory space into IRAM and XRAM presents a unique challenge for debugger implementation. Not being able to index into IRAM means that one cannot dereference a variable pointer into IRAM. In the 8051 ISA, only constant values can be dereferenced into IRAM. This pseudo code draws a loose analogy of the situation in C-like syntax: iram_vaule = *iram_pointer; // ERROR: variable values not allowed iram_value = *(0x42); // ACCEPTABLE: only hard-coded constant values allowed This limitation of the 8051 architecture present a challenge in implementing a key feature of the debugger, namely enabling the dynamic exploration of the IRAM and associated SFR space. Fortunately, on the AX211, the debugger code is loaded into XRAM, which can be indexed via the DPTR register using the MOVX instruction. This allows the debugger to manipulate its own code, thereby allowing us to change, for example, the offset constant to a MOV instruction inside the debugger. Therefore, in order to implement peek and poke in the IRAM space (and likewise enable convenient exploration of the SFRs), we reserve three-byte slots in debug.bin using a sentinel sequence of invalid opcodes that are unique and searchable. Once debug.bin is loaded, one of the first tasks the host program does is scan the loaded program for the unique sequences and records their offsets. 
These sequences are then replaced on-demand with the appropriate instructions to implement the required MOV opcodes to explore arbitrary locations in IRAM. Below is a concrete example of this technique as implemented in the debugger. The following code snippet is from debugger.asm: cmd_sfr_get: ; This will get replaced by "mov 0x20, [SFR]" at runtime .db 0xa5, 0x60, 0x61 mov 0x21, #0 mov 0x22, #0 mov 0x23, #0 sjmp xmit_response Here, we are looking at the “SFR get” stub. The arguments to return to the host are loaded into IRAM locations 0x20-0x23. For example, mov 0x21, #0 puts the constant value 0 into IRAM 0x21; so in this stub, locations 0x21-0x23 are set to 0, and 0x20 is intended to have the value of the queried SFR. A sequence of three bytes, “0xA5 0x60 0x61” is used as a placeholder for a different “mov” instruction that will be slotted in. 0xA5 is the sole invalid opcode in the 8051 instruction set, and therefore it is an “almost safe” opcode (bar collisions with other opcode extensions) to use as the starting marker for a sentinel sequence. The remaining bytes “0x60 0x61” are simply chosen to be unique and non-colliding with other opcode extensions. When the user requests the value of an SFR via the REPL interface on the host by typing, for example, sfr -r 0xA0 the host issues a command to poke the cached location of the sentinel sequence “0xA5 0x60 0x61” with the sequence “0x85 0x20 0xA0” which represents the instruction mov 0x20 0xA0 Recall that the only difference between IRAM and SFR is that SFRs have an address greater than 0x80; and furthermore all arguments to the mov are constant, therefore this is a valid 8051 instruction that implements the requested command via the REPL interface. Now that the correct instruction has been installed in the cmd_sfr_get routine, the actual command to run this callback is issued on the SD interface and the requested SFR is returned to the host. 
This enhanced ability to interrogate the SFR space dynamically allowed us to greatly expand our map of the special function registers.

EXTENDED OPCODES

A similar method was used to explore the extended opcode space of the 8051. As noted in the previous section, "0xA5" is the sole illegal instruction in the native 8051 instruction set, and in enhancements such as the one found in the AX211, it is used as an escape sequence to specify an extended instruction set. As an (entertaining) side-note, the sparse literature available on the AX211 claims that the on-board 8051 is a 32-bit processor. We originally thought this was an amusing "lost in translation" moment, but in fact the AX211 implements a set of instructions that operate on 32-bit data types using extended opcodes, thereby lending credibility to the "32-bit" label. SFR locations 0xC0-3, 0xC8-B, 0xD8-B, and 0xF8-B were identified as functioning 32-bit registers, and opcodes were discovered that could reverse the order of bits in these registers, invert the contents of these registers, and clear the contents of these registers to zero. There may be other opcodes present as well; code has been found implementing CRC16 checksums using these 32-bit enhancements, and most likely these enhancements also enable the implementation of MLC/TLC scrambling algorithms. The BCH ECC computations, however, are handled by a dedicated hardware coprocessor.

SUMMARY

An approach has been disclosed for the exploration and exploitation of the embedded controller found within a particular type of SD card. The approach consists of a combination of static code analysis and dynamic fuzzing analysis. A "secret knock" for uploading code into the controller was found, and through this mechanism we explored the register map and extended opcodes of the microcontroller. Significantly, in this particular device all of the SD protocol-layer commands are implemented in software. This allowed us to redefine the SD protocol set and implement, as a demonstration, a REPL-mode debugger for the SD card.
🎤
RFID Treehouse of Horror
Speakers:
👤
Adrian Dabrowski
📅 Sun, 29 Dec 2013 at 14:00
show details
In this lecture, we present a black-box analysis of an electronic contact-less system that has been steadily replacing a conventional mechanical key on multi-party houses in a big European city. So far, there are est. 10.000 installations of the electronic system. The mechanical key was introduced about 40 years ago to allow mail delivery services to access multi-party houses, but it has since accumulated many additional users, such as garbage collection, police, fire brigade and other emergency services. Over 92% of residential buildings in this city are equipped with such a solution.
We have found several vulnerabilities in the new system caused by its design, the technology used, its organization, and its implementation. We have further shown that the new system can be circumvented at little cost (no higher than the price the old key sells for under the counter). To acquire key samples we packed an active mid-range RFID reader with a battery pack into a parcel and sent it via post. On its way, the reader wirelessly collected the key(s) of the handling personnel. As a side project, we also present security shortcomings in other access control systems and electronic purse solutions.
🎤
The ArduGuitar
Speakers:
👤
gratefulfrog
📅 Sun, 29 Dec 2013 at 14:30
show details
The ArduGuitar is an electric guitar with no physical controls, i.e. no buttons or knobs to adjust volume, tone or to select the pickups. All of these functions are performed remotely via a bluetooth device such as an Android phone, or via a dedicated Arduino powered bluetooth footpedal. The musician still plucks the strings, of course! This talk will give an overview of the technology and particularly the voyage that took me from nearly no knowledge about anything electronic to enough know-how to make it all work. I will explain what I learned by collaborating on forums, with Hackerspaces and with component providers: "How to ask the right questions." The guitar with its Arduino powered circuit and an Android tablet will be available for demo; the code is all available on the github arduguitar repo with the associated Arduino footpedal libraries.
🎤
Deutschlandfunk - Das 30C3-Interview mit ...
Speakers:
👤
Deutschlandfunk
📅 Sun, 29 Dec 2013 at 15:00
show details
Listen and watch again at www.deutschlandfunk.de/hackerkongress
🎤
#SOPA, #NSA, and the New Internet "Lobby"
Speakers:
👤
Elizabeth Stark
📅 Sun, 29 Dec 2013 at 16:00
show details
The movement against SOPA in the US was the largest protest in online history, and as one of the core organizers, we learned a lot of lessons on how to build a grassroots movement for internet freedom.
How can these lessons learned be applied to the anti-surveillance movement both in the US and globally? Can millions of internet users really counter millions of dollars and entrenched interests on the other side? And how can we continue to have our voices heard on these issues?
🎤
Deutschlandfunk - Das 30C3-Interview mit ...
Speakers:
👤
Deutschlandfunk
📅 Sun, 29 Dec 2013 at 16:00
show details
Listen and watch again at www.deutschlandfunk.de/hackerkongress
🎤
Towards an affordable brain-computer-interface
Speakers:
👤
Dominic
👤
Anne
📅 Sun, 29 Dec 2013 at 16:00
show details
The brain can be understood as a highly specialized information processing device. Because computers basically do the same thing, it's not too absurd to try to link these two together. The result is a brain-computer-interface. This talk explains the core functionality of our brain and how to access the stored data from the outside. Software and hardware have already reached a somewhat hacker-friendly state, and we want to show you how we got there. We're also here to answer all your questions about the brain.
Communication between humans and computers has a great tradition, but also suffers from several disadvantages. Interfaces like mice, keyboards or microphones essentially link the user's body parts to a computer. When creating new content, these interfaces prove to be relatively inefficient, inaccurate and limited by the user's skill. A good brain-computer-interface would take body movements out of the process. Less required skill and a higher information flow density are only the most obvious benefits. It is a potential replacement for dozens of today's specialized devices. And, just as a microphone does for voice, it would also allow the transfer of visual imaginations. Before we explain how to create the most advanced brain-computer-interface possible today, Dominic dives quite deeply into the signal processing structure in the brain. He presents the most recent findings in cognitive science and explains what happens, step by step, when we imagine the image of a red ball. At the end of this first section, he arrives at the level of electrical signals. Anne then takes over with the groundwork necessary to capture and process these electrical signals. She isn't afraid to use proper math for a deeper understanding, but she made sure that her talk is easy to follow for non-tech majors too. The foundation for a contemporary brain-computer-interface consists of several core algorithms, which are used in lab settings today and by enthusiasts tomorrow. She calls out the pitfalls when dealing with signals from live brains, and covers the technical limitations of crunching the data. We finish with a real-world perspective. The power of today's available hardware and software is still limited, but our understanding of information inside and outside the brain has improved drastically. We've come a long way since electrode-level pattern matching, and we'd be excited to show you some examples of what's possible today.
🎤
Android DDI
Speakers:
👤
Collin Mulliner
📅 Sun, 29 Dec 2013 at 16:00
show details
As application security becomes more important on Android we need better tools to analyze and understand applications. Android applications are written in Java and run in the Dalvik VM. Until now most analysis is done via disassembling and monitored execution in an emulator. This talk presents a new technique to instrument Android applications executed in the DVM. The talk will introduce the new technique in great detail including many small examples and a whole attack based on it. We will go step by step to show you what can be achieved using this technique.
As application security becomes more important on Android we need better tools to analyze and understand applications. Android applications are written in Java and run in the Dalvik VM. Until now most analysis is done via disassembling and monitored execution in an emulator. This talk presents a new technique to instrument Android applications executed in the DVM. The talk will introduce the new technique in great detail including many small examples and a whole attack based on it. We will go step by step to show you what can be achieved using this technique.
Outline:
General Introduction
Background
Introduction to Android and Dalvik Applications
Introduction to Dynamic Instrumentation Basics (Native Code)
Introducing: Android DDI
Details
Tools
Examples
Real World Attack Example
Conclusions
Take Away: This talk is highly technical; you will learn about new techniques for analyzing and modifying Android applications. You will want to try out what you saw in this talk.
🎤
How to Build a Mind
Speakers:
👤
Joscha
📅 Sun, 29 Dec 2013 at 16:00
show details
A foray into the present, future and ideas of Artificial Intelligence. Are we going to build (beyond) human-level artificial intelligence one day? Very likely. When? Nobody knows, because the specs are not fully done yet. But let me give you some of those we already know, just to get you started.
While large factions within the philosophy of mind still seem to struggle over the relationship between mind, world, meaning, intentionality, subjectivity, phenomenal experience, personhood and autonomy, Artificial Intelligence (AI) offers a clear and concise set of answers to these basic questions, as well as avenues of pursuing their eventual understanding. In the view of AI, minds are computational machines, whereby computationalism is best understood as the most contemporary version of the mechanist world view. In the lecture, I will briefly address some of the basic ideas that will underlie a unified computational model of the mind, and especially focus on a computational understanding of motivation and autonomy, representation and grounding, associative thinking, reason and creativity.
🎤
Nerds in the news
Speakers:
👤
Friedrich Lindenberg
📅 Sun, 29 Dec 2013 at 16:45
show details
Knight-Mozilla OpenNews sends coders into news organisations on a ten-month fellowship to make new tools for reporting and measuring the news. We believe that to remain relevant, journalism has to smarten up about tech and data. As a global community, we develop tools to datamine public data, news apps to make information accessible, and visualisations to break down complex stories. In my talk, I want to present the lessons about tech that I've learned in a newsroom and the things that still need to be built.
The internet is destroying the business of news. Not only does the web make it harder to sell advertising on dead trees, it also changes what it means to investigate and tell a good news story. Scoops aren't just researched on the phone anymore, but in scraped databases or leaked data dumps. Yet most journalists are missing the skills to access such information effectively. This means two things: we need training for journos and collaborations between hacks and hackers. Some news organisations are waking up to this fact: the New York Times has an interactive team that employs some of the best web developers, and the non-profit ProPublica has its own nerd team working as data-driven reporters. Working in a news organisation requires coders to change the way they do things and to focus on telling a good story, rather than building a beautiful application. After coding on open data applications for a few years, I applied to join OpenNews and to try and build data-driven news applications from inside a news organisation. After a year at Spiegel Online and visiting news orgs around the world, I've explored not just the weird space of online news, but also the kinds of systems that we need to build to enable journalists to run their investigations deeper, and to keep track of the knowledge they collect.
🎤
Deutschlandfunk - Das 30C3-Interview mit ...
Speakers:
👤
Deutschlandfunk
📅 Sun, 29 Dec 2013 at 17:00
show details
Listen and watch again at www.deutschlandfunk.de/hackerkongress
🎤
Recht auf Remix
Speakers:
👤
Leonhard Dobusch
📅 Sun, 29 Dec 2013 at 17:15
show details
We live in an age of remix. Creativity and culture have always built on what already exists. But the internet and digital technologies make the creative use of existing works possible in entirely new dimensions: never before has it been possible for so many people to alter works in so many different ways and to make them so easily accessible to others. To the extent that the creative copy becomes part of the everyday communication of broad sections of the population, a right to remix is a fundamental prerequisite for a society's artistic freedom and freedom of expression. The present, however, is shaped by restrictive rights management and boundless rights enforcement. The "Recht auf Remix" initiative wants to change that.
The talk on "Recht auf Remix" attempts three things: first, to illustrate the significance of remix for artistic freedom and freedom of expression in the digital society. Second, to present the legal situation and its collateral damage in the form of private rights enforcement, shackled creativity and obstruction of innovation. Third, to present possible solutions and, in this context, the current status of the "Recht auf Remix" initiative of Digitale Gesellschaft e. V.
🎤
White-Box Cryptography
Speakers:
👤
Dmitry Khovratovich
📅 Sun, 29 Dec 2013 at 17:15
show details
The goal of white-box cryptography is to protect cryptographic keys in a public implementation of encryption algorithms, primarily in the context of Pay-TV and tamper-resistant software. I present an overview of the white-box cryptography concept along with the most common applications and proposed designs. I discuss the subtle difference between white-box cryptography, public-key cryptography, and obfuscation.
The informal notion of white-box cryptography was coined by Chow et al. in 2002 as a method to protect cryptographic keys in a public implementation of encryption algorithms, which is fully accessible to an adversary. White-box implementations of the AES and DES ciphers were presented, but they were all badly broken. Subsequent attempts were no better. Whereas some theoretical foundations of white-box cryptography have been given recently in Wyseur's PhD thesis, so far they have not led to any practical scheme. I present an overview of the white-box cryptography concept along with the most common applications and proposed designs. I discuss the subtle difference between white-box cryptography, public-key cryptography, and obfuscation. I try to answer the question whether the security of a white-box scheme can rely on public scrutiny, in contrast to the hardness assumptions behind RSA and other public-key schemes. Alongside the theoretical results, I present some well-known attempts to construct a white-box cryptographic scheme from the AES and DES ciphers, and show their inherent weaknesses. Finally, I discuss some potential methods to construct a secure white-box cipher from scratch using results from finite field theory and public-key cryptography.
🎤
Even More Tamagotchis Were Harmed in the Making of this Presentation
Speakers:
👤
Natalie Silvanovich
📅 Sun, 29 Dec 2013 at 17:15
show details
You might remember Tamagotchi virtual pets from the 1990's. These toys are still around and just as demanding as ever! At 29C3, I talked about my attempts to reverse engineer the latest Tamagotchis, and this presentation covers my progress since then. It includes methods for executing code on and dumping code from a Tamagotchi, an analysis of the Tamagotchi code dump and a demonstration of Tamagotchi development tools that make use of these capabilities.
Recent Tamagotchis are more than just pets. They can talk to their friends over IR, support games on external ROMs and store generations worth of information about their ancestors. This talk goes through the different ways Tamagotchis can be tampered with through these channels. It describes a method of achieving code execution on a Tamagotchi through a flash accessory, using this to dump the Tamagotchi's internal ROM, and the internal Tamagotchi 'secrets' it revealed. It also covers the development tools I've written for the Tamagotchi and includes some demonstrations of modified Tamagotchis.
🎤
Data Mining for Good
Speakers:
👤
Patrick
📅 Sun, 29 Dec 2013 at 17:30
show details
For over thirty years, human rights groups in Guatemala have carefully documented the killing and disappearance of many people in the early 1980s. There are tens of thousands of records in many databases, and over 80 million paper pages of police records available in the Archives of the National Police. Most of the prosecutions of the former military and police officials who committed the atrocities depends on eyewitnesses, specific documents, and forensic anthropologists' examination of exhumed bones. However, data analysis helps to see the big patterns in the violence.
This talk will explain how data analysis illuminated the selective patterns among mass killings in the prosecution for genocide of former de facto President General José Efraín Ríos Montt. The talk will also explain how looking at the communications metadata from over 20,000 randomly sampled paper memos helped illuminate command patterns in a disappearance case.
🎤
Workshop "Hacking Radio"
Speakers:
👤
Deutschlandfunk
📅 Sun, 29 Dec 2013 at 18:00
show details
with Manfred Kloiber, Jan Rähm and Peter Welchering
🎤
2 Takte später
Speakers:
👤
m.eik
👤
bruder
📅 Sun, 29 Dec 2013 at 18:15
show details
At 29C3 we introduced you to the Cultural Commons Collecting Society (C3S) as an initiative to found an alternative to GEMA. A great deal has happened since then: among other things, a European cooperative has now been founded, which goes into 2014 with six-figure capital from a crowdfunding campaign. On GEMA's side, the first signs of a change of course are already noticeable in view of the emerging competitor.
This talk picks up where we left off last year: we present the highlights of the project chronicle and our favourite anecdotes from 2013, and take a look at what we have set out to do in the near future.
🎤
X Security
Speakers:
👤
Ilja van Sprundel
📅 Sun, 29 Dec 2013 at 18:30
show details
For the past year, I've been looking at the implementation of X.org code, both client and server. During this presentation, I'll give an overview of the good, the bad and the ugly.
Since late 2012 I've been looking for security bugs in X.org code, both server and client code. In this talk I will give an architectural overview of all the discovered attack surfaces, which include:
- client network protocol parser
- server network protocol parser
- data passed on from server to extensions
- shared memory
- parsers
- ACLs
- ...
I will also discuss security issues found therein. I will also discuss interaction with various developers and how that process went.
🎤
Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware
Speakers:
👤
Patrick Stewin
📅 Sun, 29 Dec 2013 at 18:30
show details
In this work we present a stealthy malware that exploits dedicated hardware on the target system and remains persistent across boot cycles. The malware is capable of gathering valuable information such as passwords. Because the infected hardware can perform arbitrary main memory accesses, the malware can modify kernel data structures and escalate privileges of processes executed on the system. The malware itself is a DMA malware implementation referred to as DAGGER. DAGGER exploits Intel's Manageability Engine (ME), which executes firmware code such as Intel's Active Management Technology (iAMT), as well as its OOB network channel. We have recently improved DAGGER's capabilities to include support for 64-bit operating systems and a stealthy update mechanism to download new attack code.
Dedicated hardware such as network interface cards and video controllers can be exploited to conduct a direct memory access (DMA) attack. Direct access means main memory access without the involvement of the host CPU, which in turn means that existing host security software cannot detect or prevent the attack. Our presentation covers a DMA malware that benefits from an isolated network channel to update the attack code and to exfiltrate captured data. To be more precise, we show how to conduct a DMA attack using Intel's Manageability Engine (ME). Our attack environment is dedicated hardware based on a 32-bit RISC processor called ARCtangent-A4 (ARC4, x86-incompatible) implemented in the chipset of modern Intel platforms. Intel's ME executes special firmware such as Intel's Active Management Technology (iAMT). The ME/iAMT environment provides an administrator with an Out-of-Band (OOB) network channel to maintain the computer platform remotely. A prominent iAMT feature is the capability to remotely reinstall an operating system that got corrupted and does not boot anymore. iAMT is also available when the platform is in a standby or powered-off state. This can be exploited to implement persistent DMA malware. It is needless to say that such a powerful environment must be well protected. Hence, Intel enforces strong isolation of the ME execution environment, which makes it perfect to hide malware. The ME is not only implemented in business platforms, but also in consumer platforms. Our work not only shows that an arbitrary attacker is able to perform one of the most dangerous attacks against an iAMT-featured platform, but also that the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker. Our presentation consists of three parts. The first part addresses how to find valuable data in the main memory of the host. 
The second part exploits the ME's OOB network channel to exfiltrate captured data to an external platform and to inject new attack code to target other interesting data structures available in the host runtime memory. The last part deals with the implementation of a covert network channel based on JitterBug. In the first part of our presentation we exploit the DMA engine of Intel's ME to find valuable data in the host runtime memory. We have two memory targets. Our first target is the keyboard buffer. We demonstrate how to find the buffer on a Linux as well as on a Windows operating system. Our implementation is called DAGGER - DmA based keyloGGER. We implemented different search strategies for the operating system targets. On Windows we need to find the corresponding CR3 processor register value to get the page directory entries that are needed to map virtual memory addresses into physical ones. We also had to take address randomization into account. The search strategy for the Windows keyboard buffer is mainly based on finding and traversing the so called Object Manager Namespace Directory (OMND). On Linux we implemented a different search strategy. On Linux we have a different starting point for the search phase than on Windows. The implementation to map virtual memory addresses into physical ones is also different. On Linux we can go without page tables. Due to the availability of the Linux source code it was easier to derive a signature for our target structure used by the USB HID driver. We can permanently monitor the keyboard buffer on both operating system targets. Hence, we can capture all user input (passwords, instant messenger sessions, etc.) done via the associated keyboard. Our second memory target concerns the privilege data of an arbitrary process. Again, we use the DMA engine of the ME to find the appropriate data structure. Then we overwrite the existing privileges with root privileges via DMA. 
The privilege escalation attack actually belongs to the second part of our attack scenario. The implementation is based on an updated version of DAGGER that is able to attack 64-bit operating systems. We demonstrate how to remotely load new attack code (to escalate privileges) to be executed on Intel's ME using the isolated OOB channel. Figuring out how to exploit the DMA engine to read from the host runtime memory was comparatively easy due to previous work. Figuring out how to exploit the ME OOB feature was more challenging. We had to find the ring buffers that iAMT uses to send and receive network packets and the corresponding ring buffer pointers. We also had to find the code that is responsible for sending data to an external platform in the 16MB iAMT firmware runtime memory. To get the OOB channel under our control we implemented a breakpoint helper tool. That tool disassembles and displays iAMT code present in the iAMT runtime memory on the fly. This enables us to set breakpoints (based on hooks) to check the register contents of the ARC4 processor. We were able to identify all necessary OOB channel parts by setting breakpoints and by triggering network events. The last part of our presentation deals with a covert network channel based on JitterBug. The OOB channel is perfect to hide malicious network packets from the host, but not from other monitors present in the network. The aim of the JitterBug-based covert network channel is to demonstrate how far an attacker can go with stealthy data exfiltration when using Intel's ME as the attack environment. Using the JitterBug technique the attacker exfiltrates information by introducing seemingly random delays to some outgoing network packets. The delay pattern can be decoded by an external platform that is under the control of the attacker. Since timing is very important to implement a JitterBug, we had to figure out how to measure time exactly in the ME execution environment. 
Furthermore, we had to determine which network packets are "delayable" and how to delay them. To learn how to use the required ME/iAMT components for a JitterBug implementation we developed a more advanced debug tool. This debug tool is based on ARC4 code emulation, and it enabled us to collect a huge amount of firmware trace logs that eventually revealed the required parts of the ME/iAMT inner workings. In our talk we will present important runtime memory areas and ARC4 disassemblies of the firmware code. Furthermore, we will present demo videos of our attack scenarios. Please note that we do not present a new security vulnerability to exploit Intel's ME.
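The timing channel described in the two paragraphs above, as an added simulation (not the talk's ME implementation, and with constructed timestamps): the sender delays each delayable packet by less than one timing window so that the gap to the previous packet, taken modulo the window, is 0 for a 0 bit and half a window for a 1 bit; the receiver needs nothing but arrival times. The function names, the 20 ms window, the nine keystroke-triggered packet times and the deterministic jitter pattern are this example's own assumptions; it treats every packet as delayable, which the talk says is not true in the ME and had to be worked out per packet.

```c
/* Added example: JitterBug-style timing covert channel, simulated with
 * microsecond timestamps. Illustrative code, not the talk's ME code. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Delay packets so that (send[i] - send[i-1]) mod window is 0 for a 0 bit and
 * window/2 for a 1 bit. Each added delay is in [0, window), so on the wire it
 * looks like ordinary jitter. Returns the number of bits encoded (<= n-1). */
size_t jitterbug_encode(const uint64_t *orig, size_t n,
                        const uint8_t *bits, size_t nbits,
                        uint64_t window, uint64_t *send)
{
    size_t b = 0;
    if (n == 0) return 0;
    send[0] = orig[0];                              /* first packet is the reference */
    for (size_t i = 1; i < n; i++) {
        /* never reorder: a delayed predecessor bounds the earliest send time */
        uint64_t t = orig[i] > send[i - 1] ? orig[i] : send[i - 1];
        if (b < nbits) {
            uint64_t target = bits[b++] ? window / 2 : 0;
            uint64_t rem = (t - send[i - 1]) % window;
            t += (target + window - rem) % window;  /* added delay in [0, window) */
        }
        send[i] = t;
    }
    return b;
}

/* Recover bits from arrival times. Residuals within window/4 of window/2
 * decode as 1, everything else as 0, so network jitter below window/4 per
 * gap is tolerated. Returns the number of bits decoded. */
size_t jitterbug_decode(const uint64_t *arrive, size_t n, uint64_t window,
                        uint8_t *bits, size_t max_bits)
{
    size_t b = 0;
    int64_t w = (int64_t)window;
    for (size_t i = 1; i < n && b < max_bits; i++) {
        int64_t d = (int64_t)arrive[i] - (int64_t)arrive[i - 1];
        uint64_t rem = (uint64_t)(((d % w) + w) % w);   /* safe if jitter reorders */
        bits[b++] = (rem > window / 4 && rem < 3 * window / 4) ? 1 : 0;
    }
    return b;
}

/* Constructed sample: nine keystroke-triggered packets (us) and the byte 0xA5
 * to exfiltrate, MSB first, over a 20 ms window. */
#define WINDOW_US 20000ULL
static const uint64_t sample_orig[9] = {
    0, 120000, 250500, 300001, 480777, 500123, 700000, 900444, 1000000 };
static const uint8_t sample_bits[8] = { 1, 0, 1, 0, 0, 1, 0, 1 };

/* Encode, "transmit" with 50 ms propagation and optional deterministic
 * +-2 ms jitter, decode. Returns the number of bit errors. */
int sample_roundtrip(int with_jitter)
{
    uint64_t send[9], arrive[9];
    uint8_t out[8];
    int errors = 0;
    jitterbug_encode(sample_orig, 9, sample_bits, 8, WINDOW_US, send);
    for (size_t i = 0; i < 9; i++) {
        int64_t jitter = with_jitter ? ((int64_t)(i * 7 % 5) - 2) * 1000 : 0;
        arrive[i] = (uint64_t)((int64_t)send[i] + 50000 + jitter);
    }
    size_t got = jitterbug_decode(arrive, 9, WINDOW_US, out, 8);
    for (size_t b = 0; b < 8; b++)
        if (b >= got || out[b] != sample_bits[b])
            errors++;
    return errors;
}

/* Largest delay the encoder added to any packet; must stay below the window. */
uint64_t sample_max_delay(void)
{
    uint64_t send[9], max = 0;
    jitterbug_encode(sample_orig, 9, sample_bits, 8, WINDOW_US, send);
    for (size_t i = 0; i < 9; i++)
        if (send[i] - sample_orig[i] > max)
            max = send[i] - sample_orig[i];
    return max;
}

int main(void)
{
    printf("bit errors: %d (clean), %d (jittered); max added delay: %llu us\n",
           sample_roundtrip(0), sample_roundtrip(1),
           (unsigned long long)sample_max_delay());
    return 0;
}
```

The defender's view follows from the same arithmetic: a monitor that sees the packets can histogram inter-packet gaps modulo candidate windows, and a channel like this shows up as two sharp peaks where a clean host's keystroke timing would be spread out. That is why the talk treats the OOB channel as hidden from the host but not from other monitors on the network.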
🎤
Calafou, postcapitalist ecoindustrial community
Speakers:
👤
acracia
📅 Sun, 29 Dec 2013 at 18:30
show details
Calafou – the Ecoindustrial Postcapitalist Colony – is a settlement of around three dozen people in the Catalonian countryside. Concrete pylons standing 20 meters high hold a highway passing above the wild forest valley, where hall after dilapidated hall of industrial ruins stretch along the banks of a contaminated stream nurturing a twisted yet lively ecosystem. Echoes of unseen, passing cars blend into the organic static of wildlife, punctuated by beats booming from the hacklab speakers.
Dubbed The Hacker Monastery by some, this three-year-old effort aims to create a node in a self-sustaining network of cooperatives called Cooperativa Integral Catalana, developed at the site of a 13th century factory which was itself an industrial experiment, and builds on the local traditions of self-organisation and autonomy. Not to be confused with ecovillages, Calafou has a strong technological focus, ranging from software and hardware development through permaculture to crafts based on recycling and local materials. While we are concentrating on creating and strengthening local infrastructures, Calafou is not a self-enclosed entity but a constructive and sometimes combative participant in an extensive array of compatible projects, a mutated plague infecting even the mainstream society which is already ridden with oppressive institutions. Projects/infrastructures/initiatives include:
🎤
Anonymity and Privacy in Public Space and on the Internet
Speakers:
👤
aluburka
📅 Sun, 29 Dec 2013 at 19:00
show details
How is it possible to participate in a social event anonymously? How can we hide from surveillance in public space? How can we communicate anonymously in real life? How can we be private in public? This talk will give an overview about existing hacks and techniques that allow to be private in public, and compare privacy technologies from the web to anonymity techniques that can be used in real life.
How is it possible to participate in a social event anonymously? How can we hide from surveillance in public space? How can we communicate anonymously in real life? How can we be private in public? This talk will give an overview about tools that allow anonymity in real life, and compare privacy technologies from the web to anonymity techniques that can be used in real life. It will also deal with the challenges that anonymity can pose, such as questions of responsibility, both in real life and on the net.
🎤
"Big Data and Dual Use"
Speakers:
👤
Deutschlandfunk
📅 Sun, 29 Dec 2013 at 20:00
show details
Discussion with Karl-Heinz Land (Neuland) and Prof. Rolf Schwartmann (University of Cologne), nnB. Moderation: Peter Welchering. Live broadcast on Deutschlandradio Dokumente und Debatten (DAB+)
🎤
The Four Wars
Speakers:
👤
Annie Machon
📅 Sun, 29 Dec 2013 at 20:30
show details
Based on her own experiences as an Intelligence Officer for MI5 (the UK domestic security service) and a whistleblower, Annie Machon will talk about the relationships between the wars on 'terror', drugs, whistleblowers, and the internet, and suggest some ideas about what we can do.
Drawing on her experiences as an MI5 intelligence officer-turned-whistleblower who had to go on the run around Europe, as well as her current work as a writer, commentator, and a Director of Law Enforcement Against Prohibition, Annie will be discussing the four current global wars: on terror, drugs, whistleblowers and the internet, and suggesting ways that we, as concerned citizens, can resist. After World War 2 the peoples of the world, collectively reeling from the violence and barbarity, drew up the Universal Declaration of Human Rights. This is a high water mark in civilisation. Since then, at least in the west, we have enjoyed an unprecedented degree of freedom and prosperity. In the subsequent decades further victories were won around equal rights on issues of race, gender, or sexuality. By the 1990s peace appeared to be breaking out around the world, the Cold War was over, and we all lived in an increasingly connected, globalised village. Or did we.... President Eisenhower coined the phrase "the military-industrial complex". He recognised that conflict was good for business, and this had implications for future security. He was prescient. After the racial war was won in the USA, they announced the "war on drugs" which has disproportionately hit ethnic communities in America; as the Soviet threat receded, so the Islamist threat came to prominence; and as the free flow of information spread over the internet, so the fight-back began with the copyright wars, surveillance, and the crackdown on whistleblowers and organisations such as Wikileaks. We are now facing the "military-security complex" and an unending, if nebulous, war on concepts. What can we do about it?
🎤
Reverse engineering the Wii U Gamepad
Speakers:
👤
delroth
👤
shuffle2
📅 Sun, 29 Dec 2013 at 20:30
show details
A year ago, in November 2012, Nintendo released their latest home video game console: the Wii U. While most video game consoles use controllers that are very basic, the Wii U took the opposite route with a very featureful gamepad: wireless with a fairly high range, touch screen, speakers, accelerometer, video camera, and even NFC are supported by the Wii U gamepad. However, as of today, this interesting piece of hardware can only be used in conjunction with a Wii U: wireless communications are encrypted and obfuscated, and there is no documentation about the protocols used for data exchange between the console and its controller. Around December 2012, I started working with two other hackers in order to reverse engineer, document and implement the Wii U gamepad communication protocols on a PC. This talk will present our findings and show the current state of our reverse engineering efforts.
When the Wii U was released, a few console hackers and I were talking about potential uses for the Wii U gamepad. However, before being able to use a Wii U gamepad as a remote controller for a robot or a quadcopter, the first step was to understand how it worked and how to communicate with it. This started our long journey of soldering wires onto Flash chips, reading the H.264 specification and complaining about the lack of features in most Wi-Fi drivers and devices (on all platforms, Linux and ath9k devices being the least horrible). While some "journalists" reported that the Wii U gamepad uses the Miracast™ technology, a Wi-Fi standard, it turned out that this was never the case. Instead, Nintendo decided to reinvent four different protocols (video streaming, audio streaming, input streaming as well as a light request-reply RPC protocol), and embed them in a slightly obfuscated version of WPA2, sent over the air using 5 GHz 802.11n Wi-Fi. A small ARM CPU embedded in the Wii U Gamepad (codenamed DRC) runs a realtime operating system to handle network communication. In the Wii U, another ARM CPU (codenamed DRH) does the same thing. In this presentation, we will go into the details of how we went from a 32 MB binary blob to a proof of concept of Wii U gamepad "emulation" on a PC, including full documentation of the wireless communications obfuscation layer and partial documentation of the four data exchange protocols used on the gamepad.
🎤
WarGames in memory
Speakers:
👤
gannimo
📅 Sun, 29 Dec 2013 at 20:30
show details
Memory corruption has been around forever but is still one of the most exploited problems on current systems. This talk looks at the past 30 years of memory corruption and systematizes the different existing exploit and defense techniques in a streamlined way. We evaluate (i) how the different attacks evolved, (ii) how researchers came up with defense mechanisms as an answer to new threats, and (iii) what we will have to expect in the future.
Memory corruption (e.g., buffer overflows, random writes, memory allocation bugs, or uncontrolled format strings) is one of the oldest and most exploited problems in computer science. These problems are here to stay as low-level languages like C or C++ continue to trade safety for potential performance. A small set of all proposed solutions (e.g., Address Space Layout Randomization, Data Execution Prevention, and stack canaries) is applied in practice, but real exploits show that all currently deployed protections can be defeated. In this talk we systematize the existing knowledge about (i) attack vectors and specific techniques to exploit running software and (ii) defense mechanisms that protect against the attack vectors. Many of these techniques have been developed hand in hand. We take a methodological approach and cover the complete design space for control-flow based and data-flow based attacks for low-level languages. The problems of current protection mechanisms call for novel approaches towards software protection that adhere to the three laws of software defenses: low overhead for high security guarantees, no changes to the original source code, and compatibility with existing libraries and binaries (including a partial migration strategy).
🎤
ENKI's Forgotten Children
Speakers:
👤
monoxyd
📅 Sun, 29 Dec 2013 at 20:30
show details
The Enki is a spaceship that holds roughly 15,000 people and is searching for a new planet on which these people can live. The Enki has been underway for generations; nobody knows whether or when it will reach the destination of its journey. Meanwhile, generation after generation of people live on the Enki without ever having seen anything other than the inside of the spaceship. But even though we find ourselves here in a distant future on a journey through space, some things never change. People die, practically always. But why? Why did Fabu have to die? And who beat him up so badly?
🎤
The Internet (Doesn't) Need Another Security Guide
Speakers:
👤
evacide
📅 Sun, 29 Dec 2013 at 20:30
show details
As Internet privacy/security professionals and amateur enthusiasts, we are often asked to give advice about best practices in this field. Sometimes this takes the form of one-on-one advice to our friends, sometimes it's training a room full of people, and sometimes you may be asked to write a blog post or a brief guide or an entire curriculum. This talk will survey the current Internet privacy guide landscape and discuss the perils and pitfalls of creating this type of resource, using the Electronic Frontier Foundation's Surveillance Self Defense project as a case study.
As a result of the Snowden leaks, we are learning more and more about the capabilities of potential adversaries such as the NSA, GCHQ, and agencies within China, Russia, and Israel with every passing day. With each new revelation, there is greater uncertainty about privacy and security best practices, especially if your threat model includes a state-level adversary. This talk will discuss the following points: What resources already exist? How should best practices change in light of the Snowden leaks? What makes a good security/privacy resource? How did the Electronic Frontier Foundation confront these questions while rewriting their Internet privacy guide?
🎤
To Protect And Infect
Speakers:
👤
Claudio Guarnieri
👤
Morgan Marquis-Boire
📅 Sun, 29 Dec 2013 at 21:05
show details
2013 will be remembered as the year that the Internet lost its innocence for nearly everyone, as light was shed on the widespread use of dragnet surveillance by the NSA and intelligence agencies globally. With the uprisings of the Arab Spring, where people raided the offices of their regimes to bring evidence to light, we've seen a tremendous phenomenon: a large number of whistleblowers have taken action to inform the public about important details. The WikiLeaks SpyFiles series also shows us important details to corroborate these claims. There is ample evidence about the use and abuses of a multi-billion dollar industry that has now come to light. This evidence includes increasing use of targeted attacks to establish even more invasive control over corporate, government or other so-called legitimate targets.
Everything transiting our network connections is under surveillance to some degree. It is also common for law enforcement and intelligence agencies to use exploits and malware to infect and monitor computers and mobile devices and to spy on networks. They are able to bug our rooms with our own telephones, read encrypted emails and log keystrokes; they invade the most personal spaces at the very core of a person's life with minimal impact on their budget. In this talk we'll discuss the nature of targeted and untargeted surveillance, exploitation and intelligence gathering. This active surveillance is produced and operated not only by governments but by corporations and mercenaries that provide their intrusion services to the highest bidders, who often have the lowest respect for human rights. We'll introduce you to the players in the business of active, passive, tactical and strategic surveillance and the products they provide. We'll also discuss examples of specific attacks on journalists and human rights activists worldwide in the last couple of years. Surprises won't be missing.
🎤
Virtually Impossible: The Reality Of Virtualization Security
Speakers:
👤
Gal Diskin
📅 Sun, 29 Dec 2013 at 21:45
show details
This talk will demonstrate why it is virtually impossible to secure virtual machine implementations properly. In the talk I will try to give an overview of the basics of hardware virtualization technology and the existing attack techniques against virtualization, and also explain why it is such a complex problem to create a secure hypervisor. The talk will focus on the low-level interfaces and how they affect all aspects of computer platform security. I will also try to review a few interesting errata at the end of the talk.
When you leave this talk I hope you will reconsider your trust in virtualized cloud platforms and VMM implementations such as Xen, KVM and VMware, as well as in virtualization-based sandboxing solutions. The talk will touch on the following subjects, attack methods and virtualization failures (among others):
• PCIe
• SMM as a shared component between VMs and why it is dangerous
• STM (aka Dual Monitor): why is it never implemented?
• Shared MSRs and their dangers
• ISA implementation challenges
• VT-d / IOMMU challenges
• Memory configuration, views and the complexity of memory management (re-mappings, PEG, System, IGD, …)
• MMIO
Finally the talk will also cover virtualization attack vectors and interesting errata. For those less familiar with some computer architecture details: don't worry. During this talk I will provide a brief introduction to the subjects required to understand the technical challenges presented. Additional details and materials may be found on my company website later (see included link).
🎤
Mind-Hacking with Psychedelics
Speakers:
👤
Julia Aksënova
📅 Sun, 29 Dec 2013 at 21:45
show details
Substances such as MDMA, psilocybin, LSD and ketamine have considerable therapeutic potential, and research into their mechanisms of action gives insight into how the human psyche works. Their relatively easy availability despite being illegal is matched by a lack of education about risks, effects and pharmacology, which this introduction aims to address.
The stigmatisation of psychedelic substances in the "Western world" and the simultaneous acceptance of intoxicants such as alcohol and tobacco appear to be contradictory. While the latter have a high potential for dependence and cause considerable harm both to the user and to those around them, in the case of psychedelics this is set against the possibility of triggering psychotic states as well as (for certain substances) possible neurotoxicity. The millennia-old tradition of therapeutic and recreational use of psychedelic plants (and animals), by contrast, is blanked out in the modern "War on Drugs". As the results of the psychedelic research of the 1950s/60s and of the rare academic studies today show, substances such as LSD, psilocybin, MDMA and ketamine are potentially powerful tools for making lasting changes to the human psyche. This talk attempts to speak about some psychedelics from as neutral a position as possible. After a short systematic summary we go into the mechanisms of action and explain the connections between their pharmacodynamics and the intended therapeutic/recreational effect. Example session procedures are described (as they take place in current clinical studies), and possible long-term harm as well as unwanted side effects are explained. The talk is by no means to be understood as a plea for the use of illegal substances; its aim is rather to convey the knowledge necessary for a conscious and responsible handling of psychedelics.
🎤
Backdoors, Government Hacking and The Next Crypto Wars
Speakers:
👤
Christopher Soghoian
📅 Sun, 29 Dec 2013 at 21:45
show details
Law enforcement agencies claim they are "going dark". Encryption technologies have finally been deployed by software companies, and critically, enabled by default, such that emails are flowing over HTTPS, and disk encryption is now frequently used. Friendly telcos, who were once a one-stop-shop for surveillance can no longer meet the needs of our government. What are the FBI and other law enforcement agencies doing to preserve their spying capabilities?
The FBI is rallying political support in Washington, DC for legislation that will give it the ability to fine Internet companies unwilling to build surveillance backdoors into their products. Even without such legislation, the US government has started to wage war against companies that offer secure communications services to their users. As the FBI's top lawyer said in 2010, "[Companies] can promise strong encryption. They just need to figure out how they can provide us plain text." At the same time, law enforcement agencies in the United States and elsewhere are acquiring the tools to hack into the computers of their own citizens. The FBI has purchased custom-built software, while other law enforcement agencies in the US and elsewhere use off-the-shelf spyware from companies like Gamma and Hacking Team. Regardless of the software they use, the capabilities are generally similar: They can enable a computer's webcam and microphone; collect real-time location data; and copy emails, web browsing records, and other documents.
🎤
Trezor: Bitcoin hardware wallet
Speakers:
👤
Pavol "stick" Rusnak
📅 Sun, 29 Dec 2013 at 22:00
show details
TREZOR is a hardware wallet for Bitcoin. We identified security of the end users' computer as one of the main problems that block Bitcoin mass adoption.
In order to fix this issue we designed a small easy-to-use device, which isolates the whole process from the computer which is prone to viruses and malware. In this talk we describe the main ideas and concepts we implemented and various challenges we had to cope with in the process.
🎤
Sysadmins of the world, unite!
Speakers:
👤
Julian Assange
👤
Jacob
📅 Sun, 29 Dec 2013 at 22:45
show details
Finally, the world is aware of the threat of mass surveillance and control, but we still have a fight on our hands, and that fight is both technical and political. Global democracy is not going to protect itself. There has never been a higher demand for a politically-engaged hackerdom. Jacob Appelbaum and Julian Assange discuss what needs to be done if we are going to win.
The first part of this talk will discuss the WHAT? and the WHY?: the historical challenge we face, and how we are called to resistance.
We are living in a defining historical moment. In recent years, the network has created an unprecedented capacity for parallel communication and action. This has changed the world. For decades hackers have known of the growth of a surveillance state at the heart of Western democracies. Now, everyone knows, and we are left with a single question, how do we stop this? Hackers, sysadmins, developers and people of a technical persuasion are neither neutral parties nor spectators to this. We built the internet and we keep it running. We live there. We write the code. We manage the networks. Communications hegemony is impossible without the obedience of the people who build and run the system. Our network has become the nervous system of the world. We must wake up to this. We must realize the power and responsibility we hold for the great structural problems of our time. This year, Edward Snowden showed that we are not powerless. We all face a moral choice whether to collude or to resist. We say, resist! Sysadmins of the world, unite!
In the second half of this talk we will discuss the HOW?: the medium term and long term modes of action around which we must organize, if we are to see meaningful resistance against the global counterintelligence state, and meaningful progress towards emancipation.
🎤
The FlipDot Project
Speakers:
👤
RFguy
📅 Sun, 29 Dec 2013 at 23:00
show details
Bringing old flip-dot display modules from a motorway parking guidance system back into service as an interactive display. Reverse engineering of the protocol and development of a controller board based on the Raspberry Pi.
The MuCCC was given the innards of a parking guidance sign by the Munich motorway maintenance authority. This yielded 192 modules of 24 x 32 cm with 16 x 20 pixels each, waiting for a new use. In cooperation with other hackerspaces the control protocol was worked out. After first experiments with the Net-I/O board, a new control system was developed from this, comprising 24 V and 5 V power supplies, SPI port expanders and a Raspberry Pi. The system can drive up to 4 module columns simultaneously and can be chained with further module boards into one large display. Presentation of the hardware and protocol, details of the driver used and of the control software on the Raspberry Pi, live demo with the flip-dot display we bring along. Various retro games such as Tetris or Snake have already been implemented. Discussion of further projects with the modules is expressly welcome.
🎤
Between super-secure encryption and plaintext lies only one wrong bit
Speakers:
👤
qbi
📅 Sun, 29 Dec 2013 at 23:00
show details
"Long keys are more secure than short ones." "RSA and/or AES are easy to implement." "For random numbers, java.util.Random is good enough." Statements like these come up again and again. But what is there to them? Which mistakes are commonly made when using and implementing cryptography?
Cryptography often gives the impression of being a mathematically secured procedure: if you implement the algorithm as specified in the standard, nothing can go wrong. In practice it turns out that cryptographic products break easily, and when that happens the damage is extreme. Single bits that are set wrongly, or specifics of the architecture, are enough. The talk shows some mistakes in the use or implementation of crypto. The examples range from simple, frequently made mistakes to exotic ones. It is meant to open your eyes so that you do not blindly trust an implementation. As always: "Use the source, Luke." :-)
🎤
The Drone Wars
Speakers:
👤
Norbert Schepers
📅 Sun, 29 Dec 2013 at 23:00
show details
The drone wars are the expression of a rapid development: from the "war on terror" after 9/11 to the warfare of the future. A future that at times seems to come from the science fiction of the late eighties, in which robots fight humanity's dirty wars and finally rise up against their creators. The latter is far from being within the realm of the possible, but paths towards the creation of autonomous combat robots are already being taken. The talk aims to place the phenomenon of drone warfare in its political context and to attempt an outlook.
The drone wars recently (early November 2012) had their tenth anniversary. The term "drone war" has become a popular catchphrase over the last two years and summarises a series of global political and military developments. Particularly well known are the targeted-killing missions of British and US remotely piloted Predator and Reaper combat drones, which fire on ground targets mainly with Hellfire (air-to-ground) missiles. These missions (currently above all in Pakistan and Afghanistan, Somalia and Yemen) have become an essential manifestation of the worldwide "war on terror", if not its most striking form of all, and serve to kill suspected members of terrorist groups. But this form of "hunting terrorists" is anything but precise and clean: the explosions with which terror suspects are executed again and again also kill many bystanders and civilians, for example through strikes on residential buildings or other civilian targets. The legal and political problems of this form of warfare are grave and manifold; after all, it is a form of extrajudicial state execution, of killing on the basis of suspicion, and a covert, worldwide "dirty" war. Dangers lie in the rapid escalation dynamic the drone wars bring with them: the world stands at the beginning of a new arms race. The face of modern warfare is changing fundamentally; largely autonomous killer robots are already under development. Norbert Schepers, political scientist and head of the Bremen office of the Rosa-Luxemburg-Stiftung, gives an introduction to the phenomenon of drone warfare and an outlook on possible developments, and puts his assessments up for debate.
🎤
When Words Dance
Speakers:
👤
Sara Sibai
📅 Sun, 29 Dec 2013 at 23:00
show details
Held at the end of the conference, this performance will embody my personal experience of the conference and with the participants. I bring into the poem the people, topics and interactions from the conference, diffuse them into words, and let them explode on stage for others to relate to.
I make sense of the people and world around me through art, particularly poetry. It humanises our interactions and experiences. It turns ideas back into thoughts and actions back into intentions. After days of discussing important and serious issues around different themes, I seek to create closure and a summary through poetry at the closing ceremony.
🎤
CounterStrike
Speakers:
👤
FX
📅 Sun, 29 Dec 2013 at 23:15
show details
Lawful Interception is a monitoring access for law enforcement agencies, but also one of the primary data sources of many surveillance programs. (Almost?) every Internet service provider needs to provide LI functionality in its routers. However, LI exposes a larger attack surface to the one being surveilled than any router should. Could this be a mistake?
This short talk will cover the standards, devices and implementation of a mandatory part of our western Internet infrastructure. The central question is whether an overarching interception functionality might actually put national Internet infrastructure at a higher risk of being attacked successfully. The question is approached in this talk from a purely technical point of view, looking at how LI functionality is implemented by a major vendor and what issues arise from that implementation. Routers and other devices may get hurt in the process.
🎤
To Protect And Infect, Part 2
Speakers:
👤
Jacob
📅 Mon, 30 Dec 2013 at 11:30
show details
🎤
Hacking the Czech Parliament via SMS
Speakers:
👤
Ztohoven
📅 Mon, 30 Dec 2013 at 11:30
show details
The Czech art collective Ztohoven's project "Moral Reform" was accomplished in collaboration with web security experts. Together they created the unique art concept of a mobile phone mass-hack.
"Am I the only one who sees all the bad things we do? It's impossible to govern in a decent way anymore. Let's finish it once and for all. I am ready to overtake the responsibility. I am ready to reveal the full truth." Messages like these were received by Ministers from their government fellows.
🎤
Beyond the Tech: Building Internet Freedom Tools for Real People
Speakers:
👤
Michael Brennan
📅 Mon, 30 Dec 2013 at 11:30
show details
Few hackers will disagree that users are not given enough consideration when building Internet Freedom Tools designed to circumvent censorship and surveillance. But how do we do it? This talk will outline a framework for a user-focused approach to the Development and Impact of Internet Freedom Tools through using ethnography, human-centered design, and the practice of research-based product definition. This talk is intended for developers, researchers, and journalists who seek to understand how better tools can be developed to protect anonymity and provide unfettered access to the Internet.
Internet Freedom Tools (IFTs) are developed to solve the technical challenges of anonymity, privacy, security and information access. Focus on these technical challenges rather than on the user of an IFT can lead to overlooking the motivations, needs and usability issues faced by user communities. Further, IFTs may solve a technical challenge for users and yet fall short when it comes to user experience. There is a disconnect that must be remedied for IFTs and the people who use them to realize their full potential. This talk seeks to provide new insights to developers and users in need of knowledge on how they can better address relevant problems, create appropriate solutions and help users with IFTs. This talk will explain to the audience what tools are available for user-focused design. It will also walk through a framework to guide the development of IFTs that is grounded in ethnographic methods and human-centered design, and show how this framework is being used to study an IFT user community. This work is currently being conducted by SecondMuse and Radio Free Asia through the Open Technology Fund (www.opentechfund.org). ADDENDUM: But what is "Ethnography"? What are "User Communities"? Ethnography is defined as the study of culture and human motivation through qualitative research. Ethnographic practices complement usability studies by tapping into the needs and motivations of people and users to give the "why" behind actions observed solely through usability research. This method includes interviews, observing specific behaviors and understanding the material culture and surroundings of a target group. A community is defined as a group of users that can be defined by geography, culture, shared experiences, or shared challenges.
User is defined as someone who is currently utilizing a particular IFTs such as Tor, RedPhone, CryptoCat, and/or other privacy, security, anonymity and access enhancing technologies and methodologies created by developers or users themselves. A user may also be defined as a potential user of such technologies and tools.
🎤
Workshop "Hacking Radio"
Speakers:
👤
Deutschlandfunk
📅 Mon, 30 Dec 2013 at 12:00
with Manfred Kloiber, Jan Rähm and Peter Welchering
🎤
Coding your body
Speakers:
👤
Sophie Hiltner
📅 Mon, 30 Dec 2013 at 12:15
The average movement habits of a cliché hacker are legendary. Cowering for days in front of unergonomic hardware setups, stoic ignorance of hardly decodable signs of the body like hunger, eye and back pain. Probably due to a general disinterest in non-digitally engineered systems. Shouldn't a true hacker know at least bits and pieces about the codes and signs of the body? We all know bits and pieces... but are they the correct and helpful ones? We will discuss some technical and biological details of slipped discs, posture disservice and pain. I will show fundamental "red flags" which have to be serviced by a medical geek. But not all medical geeks have a good idea about the body's code, therefore I will also suggest some helpful therapies for the most common cases. Bottom line: how to code your body to prevent pain without relying on a smattering of knowledge.
I am a trained physical therapist and have treated many patients with different back problems, which were mostly caused by the same habits: ignorance of warning signs, bad hardware setup and cluelessness about how the body functions. My talk will include basic models of the important body structures and how basic maintenance should look. I will focus on the vertebral setup with bone and connective tissues: how they are built and what their function is. I will also present some worst case scenarios of the consequences when slipped discs cut off nerves; numbness in arms or legs is among the milder problems you might encounter. Small changes in posture and daily habits will be presented, because you have to know why and how you should do it.
🎤
Lightning Talks, Day 4
Speakers:
👤
nickfarr
📅 Mon, 30 Dec 2013 at 12:45
🎤
Thwarting Evil Maid Attacks
Speakers:
👤
Eric Michaud
👤
Ryan Lackey
📅 Mon, 30 Dec 2013 at 12:45
Increasingly, users and their computing hardware are exposed to a range of software and hardware attacks, ranging from disk imaging to hardware keylogger installation and beyond. Existing methods are inadequate to fully protect users, particularly from covert physical hardware modifications in the "evil maid" scenario, and yet are very inconvenient. Victims include governments and corporations traveling internationally (e.g. to China), anti-government activists in places like Syria, and anyone who is the target of a motivated attacker who can gain physical access. Physically Unclonable Functions, combined with a trusted mobile device and a network service, can be used to mitigate these risks. We present a novel open-source mobile client and network service which can protect arbitrary hardware from many forms of covert modification and attack, and which, when integrated with software, firmware, and policy defenses, can provide greater protection to users and limit the potential attack surface. We'll also be showing video of a tool used by surveillance teams that has not yet been released to the public.
Additional notes for our talk:
1) The attack addressed is an entire class of hardware, firmware, and software attacks in which the attacker gains surreptitious access and modifies hardware, firmware or software on one or more occasions, followed by the authorized user making normal use of the device after these modifications. A software-only attack can be addressed through "trusted boot" or "measured boot" systems (e.g. what the TCG does). Firmware attacks are generally not addressed by most measured boot processes, but that's just an implementation problem. The most novel category of attack is the addition or modification of hardware components, which becomes a desirable attack once software and firmware are locked down.
One scenario is that an investor flies to China with a laptop and a cellphone and intends to remain in the country for several weeks, conducting business online as well as in person. On several occasions, the investor leaves his laptop in his hotel room, while taking his cellphone with him at all times. Adversary agents, posing as hotel staff, enter the room and make modifications to the hardware, with the intent of circumventing local software protections (cloning drives, capturing pass phrases, etc.) or subverting network resources accessed later, either while the investor remains in China or after he returns to the home office with the laptop. In-depth physical analysis of the hardware, conducted at home base, can often discover hardware modifications. Best current practice is to quarantine "travel" machines and never allow them back on high security networks. Unfortunately, this leaves the user exposed for the entire duration of a single trip -- in some situations the entire transaction happens during a trip, so all sensitive information must be protected for that trip.
PUFs and our network verification can be used to effectively "sign" hardware in the field in a way which can be verified automatically and interactively with a "home base" network service. This lets network resources be protected continuously: before every access, the client device's integrity can be checked and attested. An interesting strategy is to not travel with any sensitive hardware (beyond the cellphone), buy random laptops at the destination, enroll them in the service while at the destination, provision them with services, and ensure that no subsequent unauthorized hardware/firmware/software changes can be made, using the same system.
2) PUFs. PUFs are functions which can't be (tractably) cloned. Unfortunately, virtually none of them can be inspected, verified or attested directly by an unaided human -- anything which is a simple serial number, seal or other human-verifiable thing can be fairly trivially counterfeited. PUFs make use of large amounts of random and changing data, created through physically random processes which are impossible to (tractably) reproduce. The innovation is to use the user's cellphone and a network service as the verifier: the phone can remain in the user's physical custody at all times, and by splitting the verification between the phone (on site with the user) and a network service acting as gatekeeper to protected network resources, the system can be protected from various attacks. The PUFs that we take advantage of are those of the physical systems themselves. When a device is created during manufacture, a multitude of processes are used to produce the computing device. As it turns out, reproducing identical components such as a laptop case at the sub-millimetre scale is excessively difficult, so they cannot be cloned, counterfeited or interacted with without disturbing the previous state.
We take advantage of these flaws to aid the user in detecting modification to their computing devices through photography and other standard low-cost tamper-evidencing devices which an untrained user can deploy in the field. Clear technical documentation with photos explains why it is incredibly difficult with current attack methods to perfectly clone manufactured parts which on the surface are indistinguishable from another manufactured assembly.
🎤
Why the digital revolution of learning has failed.
Speakers:
👤
Jöran Muuß-Merholz
📅 Mon, 30 Dec 2013 at 12:45
The digital transformation has brought us magnificent opportunities for self-directed, creative, collaborative, critical and democratic learning. We have not used them.
On the morning after the invention of the Internet, the first person got up to proclaim the revolution of learning. Decades later we have all the technology that seemed necessary for the revolution. And we have spectacularly missed every goal. The promises never materialized. We got e-learning instead of self-directed learning, take-it-or-leave-it apps instead of tools for (de)construction, multimedia vocabulary trainers instead of boundless communities, elitist edu-circles instead of a democratization of learning. Instead we have colourful YouTube videos that copy the educational television of the 1970s. We attend the massive online course instead of the massive lecture hall, Google instead of the library. In practice we can do less with digital textbooks than with their analogue predecessors. You can now write into the encyclopedia, but nobody does. Count von Count is now called Salman Khan. Mario Sixtus is our Jean Pütz. Time for disillusionment. Or is it?
🎤
The philosophy of hacking
Speakers:
👤
groente
📅 Mon, 30 Dec 2013 at 13:00
Modern society's use of technology as an instrument for domination is deeply problematic. Are instrumentality and domination inherent to the essence of technology? Can hacking provide an alternative approach to technology which can overcome this? How do art and beauty fit into this approach?
In order to understand the essence of hacking, it is important to first critically examine the essence of (modern) technology and the rationalization of technological development. For all the wonderful things technology has given us, it has also brought us a vast array of instruments for domination, ranging from nuclear warheads to the panoptic surveillance state. As a community that is so deeply involved with technology, it is imperative for us to comprehend that these developments did not come out of thin air and that we have the choice to follow a different path. Understanding Heidegger's notion of enframing as the product of historical rationalization gives us an insight into the relation between the objective, scientific approach to technology and its instrumentalization as a means for domination. Yet it also highlights the subversive potential of hacker cultures. The hackers' playful curiosity and desire to express creativity within the computer-imposed frameworks of formal logic has the potential to transcend code into poetry, reconnecting techne with poiesis and mapping the road towards the revealing nature of technology. Hacking has the potential to elevate abstract technological mechanisms and relations, dissociated from individuality, to the plane of the utmost concrete and subjective images. As the creative output of the hacker both adheres to the formal methods of boolean logic and at the same time challenges them by voiding them of their rational finalities, the positivist rationale of what we hold to be most objective can be turned into an expression of the subject. I will argue that this repositioning of the subject provides the basis for transforming the technological rationale into one that is aimed at liberation.
🎤
Human Rights and Technology
Speakers:
👤
Seb
📅 Mon, 30 Dec 2013 at 13:45
This talk aims to shed some light on recent human rights violations in the context of the use of digital information and communications technology, particularly considering the latest disclosures about the surveillance programmes of Western intelligence services. At the same time, it shall provide information about Amnesty International's positions and activities in this field and invite anybody interested in our work to get involved.
In the past 20 years, digital technologies have become widely used in data processing and transmission. This phenomenon, often labelled the "digital revolution", has brought about great improvements in efficiency in the daily lives of many and for society as a whole. The fight for better protection of human rights has also benefited vastly from these developments: it is hard to imagine that the "Arab Spring" movement could have gained the same momentum without the widespread use of modern information and communications media. Classified documents (the leaks by Chelsea Manning and Edward Snowden being only the most spectacular ones) bearing witness, for the first time, to human rights violations by a number of states wouldn't have seen the same spread and publicity without anonymous online whistleblower platforms like WikiLeaks. Today, numerous projects interconnect human rights defenders all around the world through blogs, social networks, short messaging services and smartphone apps. As networks and bandwidths evolve, these technologies more and more enable activists in all parts of the world to compare notes on a global basis, exchange information and experiences, upload evidence of human rights violations and protect themselves more effectively. On the other hand, governments also use these technologies to spy on, track down and detain people that they believe could jeopardise their power. In many cases, these measures affect people who have merely exercised their human rights. States use their capabilities to suppress actions or opinions they do not deem suitable. They covertly eavesdrop on electronic communications on a large scale, thus undermining the anonymity of communication and the privacy of people. They block content or services on the Internet, break into private email accounts, censor opinions through gigantic word filters, or even shut down communications networks in times of civil unrest and political protests.
The revelations of the last months concerning the NSA's and GCHQ's surveillance activities by far exceed the dimensions of global communications interception known to the public so far. At the same time, whistleblowers disclosing classified information about human rights violations face severe persecution by state authorities. The EU Directive on blanket telecommunications data retention and dubious EU research projects like INDECT add to the evolving picture that it is not just states with a well-known record of extensive communications interception, filtering and censoring, like China, Iran or Saudi Arabia, that seem to attach little value to human rights in digital networks. These are but a few examples of the ambivalent impact of digitisation on human rights. While modern information and communications technologies have yielded new opportunities for individuals to exercise their rights, they have also given rise to new ways for governments to prevent, obstruct or control these activities effectively. Current developments show that the excessive use of government power in this environment imperils the full enjoyment of human rights, in particular the right to privacy and the freedom of expression and information. In fact, governments all over the world these days seem to engage in what could be described as a repressive backlash against the new possibilities that modern information and communications technologies have brought about for the exercise of human rights. Amnesty International's German section is currently setting up a new task force (preliminarily known as Digital@Amnesty) that focuses on human rights violations in the context of the use of digital information and communications technology. Our mission is to keep a critical eye on the further development of these technologies and to assist in finding a position on the issues arising from them, with a view to the future protection of human rights in a digital environment.
This talk will present some aspects of our work, the position Amnesty takes on recent incidents in this field (including a legal assessment from a human rights perspective), and ways to get involved.
🎤
THE DATABASE NATION, a.k.a THE STATE OF SURVEILLANCE
Speakers:
👤
Kaustubh Srikanth
📅 Mon, 30 Dec 2013 at 14:00
The 23rd of December 2008 was a sad day for civil liberties in India. On this day, the Indian Parliament passed "The Information Technology (Amendment) Act" with no debate in the House, which effectively means that the government of India now has the power to monitor all digital communications in the country without a court order or a warrant. The "world's largest democracy" strongly leaning towards becoming a surveillance state raises many questions and poses severe challenges for free speech and economic justice in India and globally. This talk will map and review the current political, socio-cultural and legal landscape of mass surveillance, data protection and censorship in India and analyse how it ties in to the global landscape of surveillance and censorship. It will also aim to create a discussion space to investigate the deeper effects of these so-called "welfare" projects and how citizen-led movements can drive the state towards stronger data protection and privacy laws.
Section 69 of the act states, "Section 69 empowers the Central Government/State Government/ its authorized agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource if it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence or for investigation of any offence". What this effectively means is that the government of India now has the power to monitor all digital communications in the country without a court order or a warrant. Since then, India has gone on to set up several projects which leverage technology to freely collect, mine, share and commoditize citizen data, resulting in a massive intelligence network. These include the world's largest biometric ID scheme (Aadhaar/UID), the Central Monitoring System (CMS), the Telephone Call Interception System (TCIS), a DNA data bank and the National Intelligence Grid (NATGRID). The "world's largest democracy" strongly leaning towards becoming a surveillance state raises many questions and poses severe challenges for free speech and economic justice, not just in India but globally. This talk will map and review the current political, socio-cultural and legal landscape of mass surveillance, data protection and censorship in India and analyse how it ties in to the global landscape of surveillance and censorship. It will also aim to create a discussion space to investigate the deeper effects of these so-called "welfare" projects and how citizen-led movements can drive the state towards stronger data protection and privacy laws.
About the speaker: Kaustubh Srikanth is a hacktivist, technologist and researcher based between Berlin and Bangalore. He is one of the lead organisers of the annual Open Data Camp in India and currently works as the Head of Technology at Tactical Tech (https://tacticaltech.org), an international NGO working to enable the effective use of information for progressive social change.
🎤
Through a PRISM, Darkly
Speakers:
👤
Kurt Opsahl
📅 Mon, 30 Dec 2013 at 14:00
From Stellar Wind to PRISM, Boundless Informant to EvilOlive, the NSA spying programs are shrouded in secrecy and rubber-stamped by secret opinions from a court that meets in a Faraday cage. The Electronic Frontier Foundation's Kurt Opsahl explains the known facts about how the programs operate and the laws and regulations the U.S. government asserts allow the NSA to spy on you.
The Electronic Frontier Foundation, a non-profit civil society organization, has been litigating against the NSA spying program for the better part of a decade. EFF has collected and reviewed dozens of documents, from the original NY Times stories in 2005 and the first AT&T whistleblower in 2006, through the latest documents released in the Guardian or obtained through EFF's Freedom of Information (government transparency) litigation. EFF attorney Kurt Opsahl's lecture will describe how the NSA spying program works, the underlying technologies, the targeting procedures (how they decide who to focus on), the minimization procedures (how they decide which information to discard), and help you make sense of the many code names and acronyms in the news. He will also discuss the legal and policy ramifications that have become part of the public debate following the recent disclosures, and what you can do about it. After summarizing the programs, technologies, and legal/policy framework in the lecture, the audience can ask questions.
🎤
"Does computer science need hackers?"
Speakers:
👤
Deutschlandfunk
📅 Mon, 30 Dec 2013 at 14:00
Discussion with Prof. Dr. Oliver Günther, UNI Potsdam, GI; Peter Schaar; nnB. Moderation: Peter Welchering
🎤
Infrastructure Review
Speakers:
👤
kay
👤
Peter Stuge
👤
florolf
👤
Sebastian
👤
*m
👤
Andi
📅 Mon, 30 Dec 2013 at 14:30
🎤
Deutschlandfunk - Das 30C3-Interview mit ...
Speakers:
👤
Deutschlandfunk
📅 Mon, 30 Dec 2013 at 15:30
Listen and watch again at www.deutschlandfunk.de/hackerkongress/
🎤
Concepts for global TSCM
Speakers:
👤
andy
📅 Mon, 30 Dec 2013 at 16:00
After studying the various levels of activities that come together in BuggedPlanet and realizing the scope and level of implementation of the NSA's SIGINT theatre, it's probably time to step back, summarize the big picture and ask how we handle it properly.
The talk will be structured in three parts:
Part 1: Technical Abilities & Affected Areas. Technologies of surveillance, telecommunication interception and SIGINT, cryptanalysis, crypto-circumvention, and which areas of data processing must be considered practically targeted and compromised.
Part 2: What this means for governments, societies, citizens. How the theory of democratic governments, human rights, justice and legal frameworks is affected by the interception, and how this practically affects the processes of governments and their players. I will give examples of how SIGINT material is used in the form of Kompromat and intelligence operations to influence decisions and decision makers from different countries and continents, to show the principles and methods and how this impacts governmental and other business.
Part 3: Concepts for global TSCM (Technical Surveillance Counter Measures). What are the necessary steps to "de-bug" our countries, and how to immunize ourselves against intelligence propaganda in order to achieve data. This part shall be a framework showing some ideas and principles to act on, as well as necessary relationships to understand. The idea is to invite the audience to participate in this part and come up with ideas to create a broader concept and agree on the next steps.
🎤
Dead Man Edition
Speakers:
👤
Sebastian Jekutsch
📅 Mon, 30 Dec 2013 at 16:00
The alarming conditions in the mining of the raw materials contained in the components of a computer (e.g. the tantalum electrolytic capacitor) have human rights activists up in arms. In 2010 the U.S.A. succeeded in implementing a controversial law intended to regulate the financing of warring parties through the ore trade. Something similar is now to happen in the EU. The talk explains the history, names the consequences and formulates demands.
"Dead Tree Edition" is the ironic name for printed matter that is also available electronically. This ignores the fact that for the online infrastructure and all the computers, not only trees are cleared but whole mountains on which they stood are dug away. And people come to harm, too. Around the turn of the millennium the UN revealed that the trade in metal ores, as used in the manufacture of electronic components, finances the conflict parties in the D.R. Congo and thus keeps the civil war alive. The term "conflict minerals" was born. Ten years later a committed coalition of non-governmental organizations managed to get a provision into a US stock exchange law (the Dodd-Frank Act) that obliges manufacturers to disclose the purchase of certain raw materials from the Congo. The consequences were at first devastating, later trend-setting. Conflict-free minerals from the region are now available thanks to a few manufacturers; capacitors are made from them, solder is produced, the FairPhone makes a product out of them, and Intel a processor by the end of the year. Now the EU wants to follow suit and likewise mandate transparency in the purchase of raw materials from conflict and high-risk areas. That could have a large effect on our electronic products. We should influence the wording, because what looms is a merely voluntary, sanction-free, limited regulation in the industry's interest. What we need, however, is a regulation that effectively helps the mine workers. Only with strong legislation can we succeed in making IT production fairer.
🎤
Attacking HomeMatic
Speakers:
👤
sathya
👤
Malli
📅 Mon, 30 Dec 2013 at 16:00
HomeMatic is a well-functioning, inexpensive and quickly spreading home automation system supporting wired as well as (partly AES handshake protected) wireless communication. The first part of our talk deals with security issues of HomeMatic devices and their wireless communication protocol called BidCoS (Bidirectional Communication Standard). In the second part we introduce Homegear, our own interface software to control HomeMatic devices.
In the past few years wireless home automation systems have become increasingly available as a good alternative to wired systems. Since wireless devices can be installed without ripping open walls, it is now possible to easily integrate them into an existing building infrastructure. We chose to work with HomeMatic because we think that through its affordable prices, its good quality and its fast growing portfolio it will become the most widespread wireless home automation system in Germany. In this live hacking presentation we will introduce different mechanisms to attack a HomeMatic system. We will show how to sniff BidCoS packets and how to send arbitrary packets in order to emulate a device (e.g. a HomeMatic central) and to control devices. Some devices use an AES handshake to verify the sender of a command. But not all devices support the handshake, and for many devices it is disabled by default. We will demonstrate several attacks making use of this security issue. After the live hacking part we will give a short introduction to Homegear. Homegear is an interface software which communicates directly with BidCoS devices and is controllable through XML-RPC (XML Remote Procedure Call). It is possible to fully control most HomeMatic devices. We developed it to add features which are not integrated into the official system, like controlling valve drives directly to implement custom room temperature control algorithms.
🎤
Official data protection commissioners: watchdogs or paper tigers?
Speakers:
👤
Peter Schaar
📅 Mon, 30 Dec 2013 at 16:00
In this talk the former Federal Commissioner for Data Protection examines the role of data protection commissioners: What enforcement options do they have? What is their relationship to civil society? What influence can they exert at the European and international level?
🎤
Deutschlandfunk Live
Speakers:
👤
Deutschlandfunk
📅 Mon, 30 Dec 2013 at 16:35
🎤
Security Nightmares
Speakers:
👤
frank
👤
Ron
📅 Mon, 30 Dec 2013 at 17:15
What has happened in the field of IT security over the past year? What new developments have emerged? What new buzzwords and trends were to be seen?
As always, we dare to give our IT security nightmare outlook for the year 2014 and beyond. Because what we really want to know is, after all: What will crawl, creep and fly toward us in the future, and around inside our digital implants? In the course of even more transparency, criticism & self-criticism and continuous sustainable optimization of all processes, we will also review earlier predictions with regard to whether our prophecies have come true.
🎤
Closing Event
Speakers:
👤
ths
📅 Mon, 30 Dec 2013 at 18:30