  • 2016-12-27T00:00:00Z
  • 1h
  • 6d 5h (149 episodes)
  • English
The Chaos Communication Congress is an annual meeting of the international hacker scene, organized by the Chaos Computer Club. The congress features a variety of lectures and workshops on technical and political issues. The event has taken place regularly at the end of the year since 1984, with the current date and duration (December 27–30) established in 2005.

Season Premiere

2016-12-27T00:00:00Z

33x01 33C3 Opening Ceremony

  • 2016-12-27T00:00:00Z
  • 1h

Speakers: anna, elisa

33x02 The Global Assassination Grid

  • 2016-12-27T00:00:00Z
  • 1h

Speaker: Cian Westmoreland

As they say in the Air Force, "No comms no bombs": A technician’s insight into the invisible networks governing military drones and the quest for accountability

Cian has spent a great deal of time thinking about the issues of responsibility in, and how communications technology has been used to distance people from the act of killing. Rising superpowers around the world are working day and night to build the next stealth drone that can penetrate air defense systems. The automation of target selection processes, navigation and control are incentivized by the vulnerability posed by the signals drones rely upon to operate.

A drone is merely a networked platform that moves across a grid, much like a mouse. Its "mind" is distributed among dozens of individuals located around the globe, controlling separate parts of the overall mission using data derived from surveillance, and processed using algorithms that may or may not reflect the reality on the ground. Cian challenges the common notion that drones are the most effective tool for combatting terrorism and seeks to explain why this is so, as well as how mistakes happen. The automation of these processes will further take the responsibility out of the hands of individuals and disperse it further. This calls for a new level of ethical considerations and accountability mechanisms to be developed.

33x03 Reverse engineering Outernet

  • 2016-12-27T00:00:00Z
  • 1h

Speaker: Daniel Estévez

Outernet is a company whose goal is to ease worldwide access to internet contents by broadcasting files through geostationary satellites. Most of the software used for Outernet is open source, but the key parts of their receiver are closed source and the protocols and specifications of the signal used are secret. I have been able to reverse engineer most of the protocols, and a functional open source receiver is now available.

Outernet is a company whose goal is to ease worldwide access to internet contents by broadcasting files through geostationary satellites. Currently, they broadcast an L-band signal from 3 Inmarsat satellites, giving them almost worldwide coverage. The bitrate of the signal is 2kbps (or 20MB of content per day), and they use the signal to broadcast Wikipedia pages, weather information and other information of public interest.

Most of the software used for Outernet is open source, but the key parts of their receiver are closed source and the protocols and specifications of the signal used are secret. I think this is contrary to the goal of providing free worldwide access to internet contents. Therefore, I have worked to reverse engineer the protocols and build an open source receiver. I have been able to reverse engineer most of the protocols, and a functional open source receiver is now available.

In this talk, I'll explain which modulation, coding and framing are used for the Outernet L-band signal, which ad-hoc network and transport layers are used, how the file broadcasting system works, and some of the tools and techniques I have used to do reverse engineering.

Speakers: Clémentine Maurice, Moritz Lipp

Hardware is often considered as an abstract layer that behaves correctly, just executing instructions and outputting a result. However, the internal state of the hardware leaks information about the programs that are executing. In this talk, we focus on how to extract information from the execution of simple x86 instructions that do not require any privileges. Beyond classical cache-based side-channel attacks, we demonstrate how to perform cache attacks without a single memory access, as well as how to bypass kernel ASLR. This talk does not require any knowledge about assembly. We promise.

When hunting for bugs, the focus is mostly on the software layer. On the other hand, hardware is often considered as an abstract layer that behaves correctly, just executing instructions and outputting a result. However, the internal state of the hardware leaks information about the programs that are running. Unlike software bugs, these bugs are not easy to patch on current hardware, and manufacturers are also reluctant to fix them in future generations, as they are tightly tied with performance optimizations.

In this talk, we focus on how to extract information from the execution of simple x86 instructions that do not require any privileges. The most studied microarchitectural attacks are beyond doubt cache attacks. Indeed, the timing of a memory access depends heavily on the state of the CPU cache. But beyond memory accesses that are the base of classical cache-based side-channel attacks, other x86 instructions leak information about the internal state of the hardware, and thus about running programs. First, we present side channels caused by the "clflush" instruction, that flushes all content of the cache. We will explain how it can be used to perform side-channel attacks that are faster and stealthier than their classical counterpart, without performing so much as a single memory access [1]. Second, we present side channels ca

Speaker: Martin Schmiedecker

Certificate transparency - what is it, and what can be done with it?

Certificate Transparency is the new kid on the block of TLS. Specified as RFC6962, it is designed to prevent fraudulently issued TLS certificates, and detect wrongdoing from Certificate Authorities.

This talk will present Certificate Transparency in full detail. Beginning from the attacks it prevents, key players and threat models, we will dive into the public data that is readily available and present ideas on how to enhance its ecosystem as a whole.

Speaker: Kurt Opsahl

Both strong end-to-end communications encryption and device encryption are legal in most jurisdictions today, and remain widely available. Yet software programmers and hardware producers are increasingly under pressure from law enforcement and policy makers around the world to include so-called backdoors in encryption products.

In this lecture, I will provide the state of the law as we move into 2017, detailing what happened in the fight between Apple and the FBI in San Bernardino and the current proposals to weaken or ban encryption, covering proposed and recently enacted laws. I will also discuss the extra-legal pressures placed upon companies, and the rise of government hacking and state-sponsored malware as an alternative or addition to weakening software. Finally, the presentation will discuss possible realistic outcomes, and give my predictions on what the state of the law will be as we head into 2017, and discuss how we can fight for a future that will allow for secure communications for everyone.

The discussion will include:
- The law and policy issues in the FBI v. Apple iPhone case,
- The FBI’s purchase of 0day access to the iPhone 5c, and Apple’s technical response,
- The rise in use of government malware to access encrypted devices,
- Proposed and enacted crypto laws in the United States, Australia, India, Russia, and the UK,
- Legal pressures on companies, like Brazil’s arrest of Facebook executives to pressure WhatsApp,
- Q&A with the audience.

Speaker: Chris Gerlinsky

Follow the steps taken to crack a conditional access and scrambling system used in millions of TV set-top-boxes across North America. From circuit board to chemical decapsulation, optical ROM extraction, glitching, and reverse engineering custom hardware cryptographic features. This talk describes the techniques used to breach the security of satellite and cable TV systems that have remained secure after 15+ years in use.
Analysis of, and low-cost attack techniques against, a conditional access and scrambling system used in tens of millions of TV set-top-boxes in North America. A case study of the low-cost techniques used by an individual hacker to successfully crack a major pay TV system.

Topics include:

- chemical decapsulation and delayering of ICs in acids,
- microphotography and optical bit extraction of ROM,
- binary analysis using IDA and homebrew CPU simulators,
- datalogging and injection of SPI and serial TS data,
- designing and using a voltage glitcher,
- extracting secret keys from RAM of a battery-backed IC,
- analyzing hardware-based crypto customizations,
- studying undocumented hardware peripherals,
- MPEG transport streams and non-DVB-standards,
- QPSK demodulation, interleaving, randomization, FEC of OOB (out-of-band) cable data.

The result is knowledge of the transport stream scrambling modes and knowledge of the conditional access system used to deliver keys. Strong and weak points are identified, advanced security features implemented nearly 20 years ago are compared to modern security designs. A softcam is designed and tested using free software, working for cable and satellite TV.

Speakers: Alexander Chemeris, Sergey Kostanbaev

Software Defined Radios (SDRs) became a mainstream tool for wireless engineers and security researchers and there are plenty of them available on the market. Most if not all SDRs in the affordable price range are using USB2/USB3 as a transport, because of implementation simplicity. While being so popular, USB has limited bandwidth, high latency and is not really suitable for embedded applications. PCIe/miniPCIe is the only widespread bus which is embedded friendly, low latency and high bandwidth at the same time. But implementing PCIe/miniPCIe is not for the faint of heart - you have to write your own FPGA code, write your own Linux kernel driver and ensure compatibility with different chipsets, each with its own quirks. In this talk we will look at the requirements for a high performance SDR like XTRX, how this leads to certain design decisions and share pitfalls and gotchas we encountered (and solved).

We've been working with SDRs since 2008 and building our own SDRs since 2011, focusing on embedded systems and mobile base stations. We created the ClockTamer configurable clock source and the UmTRX SDR and built a complete base station (UmSITE) to run OpenBTS and later Osmocom GSM stacks. This year we've started working on a new tiny high-performance SDR called XTRX which fits into the miniPCIe form-factor and uses PCIe for the I/Q samples transfer.

We will talk about when to use PCIe and when not to use PCIe and why we chose it for XTRX; FPGA implementation of PCIe with optimization for low latency and high throughput; Linux kernel driver for this PCIe device; integration with various SDR platforms; all the various issues we encountered and how you can avoid them.

33x09 Exploiting PHP7 unserialize

  • 2016-12-27T00:00:00Z
  • 1h

Speaker: Yannay Livneh

PHP-7 is a new version of the most prevalent server-side language in use today. Like previous versions, this version is also vulnerable to memory corruptions.
However, the language has gone through extensive changes and none of the previous exploitation techniques are relevant.
In this talk, we explore the new memory internals of the language from an exploiter's and vulnerability researcher's point of view. We will explain newly found vulnerabilities in the 'unserialize' mechanism of the language and present re-usable primitives for remote exploitation of these vulnerabilities.

PHP is the most prominent web server-side language used today. Although secure coding practices are used when developing in PHP, they can’t mitigate vulnerabilities in the language itself. Since PHP is written in C, it is exposed to vulnerabilities found in projects written in a low-level language, such as memory-corruption vulnerabilities, which are common when manipulating data formats. PHP-7 is a new implementation of the language, and while memory corruption bugs exist in this version as well, none of the exploitation primitives from the previous version are working (e.g. @i0n1c's presentation from BH2010).
In this talk, I will discuss the memory internals of PHP7 from an exploiter's and vulnerability researcher's perspective, explain newly found vulnerabilities in the unserialize mechanism and demonstrate how to exploit this class of bugs in PHP-7, presenting re-usable primitives.
The internals of the language implementation changed quite dramatically, and now it’s harder to find and exploit memory corruption bugs. The new zval system prefers embedding over pointing to members and the allocation mechanism has gone through a complete re-write, removing metadata. The overall result is fewer primitives and less control over crafted data. unserialize is a data manipulation and object instantiation mechanism in PHP which is prone to memory corruption vulnerabilities. For

Speaker: Trammell Hudson

Heads is an open source custom firmware and OS configuration for laptops and servers that aims to provide slightly better physical security and protection for data on the system. Unlike Tails, which aims to be a stateless OS that leaves no trace on the computer of its presence, Heads is intended for the case where you need to store data and state on the computer. It targets specific models of commodity hardware and takes advantage of lessons learned from several years of vulnerability research. This talk provides a high level overview of Heads, a demo of installing it on a Thinkpad and a tour of some of the attacks that it protects against.

Heads builds on several years of firmware security research focused on firmware vulnerabilities ("Thunderstrike: EFI bootkits for Apple Macbooks" and "Thunderstrike 2") as well as many other CCC talks ("Hardening hardware and choosing a #goodBIOS", "Beyond anti evil maid", "Towards (reasonably) trustworthy x86 laptops", etc.) and combines these ideas into a single system.

It is not just another Linux distribution - it combines physical hardening and flash security features with custom Coreboot firmware and a Linux boot loader in ROM. This moves the root of trust into the write-protected ROM and prevents further modifications to the bootup code. Controlling the first instruction the CPU executes allows Heads to measure every step of the boot process into the TPM, which makes it possible to attest to the user or a remote system that the firmware has not been tampered with. While modern Intel CPUs require binary blobs to boot, these non-Free components are included in the measurements and are at least guaranteed to be unchanging. Once the system is in a known good state, the TPM is used as a hardware key storage to decrypt the drive.

Additionally, the hypervisor, kernel and initrd images are signed by keys controlled by the user, and the OS uses a signed, immutable root filesystem so that any sof

2016-12-27T00:00:00Z

33x11 The DROWN Attack

  • 2016-12-27T00:00:00Z
  • 1h

Speaker: Sebastian Schinzel

We present DROWN, a novel cross-protocol attack on TLS that uses a server supporting SSLv2 as an oracle to decrypt modern TLS connections. Using Internet-wide scans, we find that 33% of all HTTPS servers are vulnerable to this protocol-level attack.

We present DROWN, a novel cross-protocol attack on TLS that uses a server supporting SSLv2 as an oracle to decrypt modern TLS connections. We introduce two versions of the attack. The more general form exploits multiple unnoticed protocol flaws in SSLv2 to develop a new and stronger variant of the Bleichenbacher RSA padding-oracle attack. The victim client never initiates SSLv2 connections. We implemented the attack and can decrypt a TLS 1.2 handshake using 2048-bit RSA in under 8 hours, at a cost of $440 on Amazon EC2. Using Internet-wide scans, we find that 33% of all HTTPS servers and 22% of those with browser-trusted certificates are vulnerable to this protocol-level attack due to widespread key and certificate reuse.

For an even cheaper attack, we apply our new techniques together with a newly discovered vulnerability in OpenSSL that was present in releases from 1998 to early 2015. Given an unpatched SSLv2 server to use as an oracle, we can decrypt a TLS ciphertext in one minute on a single CPU—fast enough to enable man-in-the-middle attacks against modern browsers. We find that 26% of HTTPS servers are vulnerable to this attack.

This talk gives an overview on the DROWN vulnerability for the hacker community with some background information that didn’t make it to the paper.

Speakers: benni, Dorina

The world in which children and teenagers live and the world of schools could hardly be more at odds when it comes to digitalization: pupils live and flourish enthusiastically in the digital world, but schools are barely able to answer pupils' pressing questions about the complex digital world. In our talk, drawing on our experience from the project "Chaos macht Schule", we would like to discuss, among other things, how to raise the rising generation's awareness of topics such as data protection and surveillance while at the same time fostering enthusiasm for technology among young people.

The world in which children and teenagers live and the world of schools could hardly be more at odds when it comes to digitalization. Pupils live and flourish enthusiastically in the digital world, while at the majority of schools the technology is not available, the teachers have not been trained for it, and the curricula do not leave enough room to answer pupils' pressing questions about the complex digital world. When Federal Minister of Education Johanna Wanka announced in October her plan to make five billion euros available in 2017 for digital equipment in schools, loud criticism immediately followed from the president of the teachers' association, Josef Kraus.

Against this background it is hardly surprising that Frank Rieger and Rop Gonggrijp lamented eleven years ago, in their much-noted talk "We lost the war", that we had not succeeded in anchoring our topics in society. Even today there are only isolated approaches to introducing young people to topics of media literacy, technology design and societal relevance.

As part of the project "Chaos macht Schule", members of the CCC have for about 10 years now been visiting educational institutions for workshops on technical topics (e.g. programming, soldering etc.) as well as on societal

Speaker: Mathy Vanhoef

Mathy Vanhoef is a postdoctoral researcher at KU Leuven (Belgium). He finished his PhD on the security of WPA-TKIP, TLS, and RC4, in July 2016. His research interest is in computer security with a focus on wireless security (Wi-Fi), network protocols in general, the RC4 stream cipher, and software security (discovering and exploiting vulnerabilities). Currently he is researching how to automatically detect logical flaws in network protocol implementations.

Mathy Vanhoef is a postdoctoral researcher at KU Leuven, where he performs research on stream ciphers, discovered a new attack on RC4 that made it possible to exploit RC4 as used in TLS in practice (the RC4 NOMORE attack), and found the HEIST attack against TLS. He also focuses on wireless security, where he turns commodity Wi-Fi cards into state-of-the-art jammers, defeats MAC address randomization, and breaks protocols like WPA-TKIP. He also did research on information flow security to assure cookies don't fall in the hands of malicious individuals. Currently he is researching how to automatically fuzz network protocols, and detect logical flaws in implementations (e.g. downgrade attacks). Apart from research, he also knows a thing or two about low-level security, reverse engineering, and binary exploitation. He regularly participates in CTFs with KU Leuven's Hacknamstyle CTF team.

Speaker: Joseph Cox

In early 2015, the Federal Bureau of Investigation hacked computers in Austria, Denmark, Chile, Colombia, Greece, and likely the United Kingdom and Turkey too. In all, the agency used a Tor Browser exploit to target over 4000 computers spread across the world based on a single, arguably illegal warrant.

But this is only one case in the growing trend of law enforcement agencies reaching outside of their own country and hacking criminal suspects abroad, bringing up urgent questions of legality, jurisdiction, and proportionality in the digital age.

For the past year, I have investigated law enforcement’s international use of hacking tools. As well as finding which countries the FBI remotely searched computers in, I uncovered another operation led by a local Australian police department, which targeted individuals in the United States – clearly outside of the agency’s jurisdiction.

Because many criminal suspects have moved onto the so-called dark web, law enforcement have no idea where the computers they are hacking are actually located. This worrying shoot-malware-ask-questions-later approach has seen only minimal attention from policy makers and legal experts, and is likely to become more widespread.

33x15 Check Your Police Record!

  • 2016-12-27T00:00:00Z
  • 1h

Speaker: RA Ulrich Kerner

Police authorities and intelligence services collect citizens' data, more than ever before. The stock of different databases has grown enormously and has become downright confusing. Under data protection regulations, citizens have a statutory right of access to information for quite a few of these databases.

The deadlines for deleting this data are also regulated by law. Practice shows, however, that the data is often only deleted once the affected citizen requests disclosure of their data. Reason enough, then, to do this en masse.

The tone at the traffic stop is friendly at first. But after the personal details have been checked against the police system, the previously friendly officers are suddenly quite gruff, the trunk is searched, and the stop drags on for quite a while longer for no apparent reason. So there must be some old entry in the police computer: resisting law enforcement officers, drug offences, or simply the person-related note (Personenbezogener Hinweis, PHW) "Straftäter linksmotiviert" (left-wing motivated offender)?

Who would not like to know what the police and other authorities have stored about them? You can find out, with a request for information about the data stored in POLIKS, POLAS, INPOL, the Schengen Information System (SIS) or the Mehrländer-Staatsanwaltschafts-Automation (MESTA), to name just a few databases. For this, however, you need an overview of which authority collects which data, where and how the request must be submitted, and which particularities need to be observed in each case. Since the authorities deploy enough staff to store data, but not to comply with the statutory deletion rules once the retention period has expired, deletion is often only carried out when a request for data disclosure is made.

Responsible citizens should therefore, as regards the data stored about them in the

33x16 Space making/space shaping

  • 2016-12-27T00:00:00Z
  • 1h

Speaker: Ulf Treger

What are the politics and aesthetics of mapping? An introduction to how cartography shapes cities and landscapes, creates borders and determines the perception of our environment. How will an evolving mix of high-resolution satellite imagery, algorithm-based mappings and the huge amount of data of digitized cities enhance these effects? And in contrast, how can maps be designed that question the “objectivity” and “correctness” of conventional cartography?

While digital communication gets ubiquitous, maps play an important role in the formation and mediation of physical space.

A view back to earlier stages of development, from the Da Vinci maps in the 15th century, the world-exploring and world-conquering by cartographic techniques in the era of colonialism in the late 19th, and the emergence of photorealistic mapping (aerial and satellite photography) in the 20th century, will provide some ideas of the power of maps and their impact on society.

With the Aspen Movie Map and its widespread successor Google Street View there is a decisive change of perspective going on (from bird's-eye view to street level) that will lead to new, more intense forms of immersion by the use of maps.

Maps shapeshift into navigational screens, we are using digital maps while our devices map our movements at the same time. With a view ahead, I'll try to find out which mapping algorithms are developed, which kind of images the latest satellites with high-resolution 3D capabilities will create and what maps the researchers of Silicon Valley and the automotive industry want to fabricate – and thus new aesthetics and politics of mappings.

In contrast to this I will follow the question of how other views can be created by antagonistic maps that question the brutal “objectivity” and shiny “correctness” of computer-generated maps and that tell different stories from the perspective of the inhabitants living in those mapped cities and landscapes.

2016-12-27T00:00:00Z

33x17 The Nibbletronic

  • 2016-12-27T00:00:00Z
  • 1h

Speaker: ctrapp

The NibbleTronic is a MIDI wind controller that features a novel user interface resulting in a unique tonal range. The standard configuration allows one to precisely play a bit more than four full octaves including semitones with only one hand.

In my talk I want to describe the individual stages of development from a barely usable electronic recorder to a useful and unique instrument that could come as a kit. The interface that puts four octaves at the fingertips of a single hand will be the second core topic.

33x18 Shut Up and Take My Money!

  • 2016-12-27T00:00:00Z
  • 1h

Speaker: Vincent Haupert

FinTechs increasingly cut the ground from under long-established banks’ feet. With a "Mobile First" strategy, many set their sights on bringing all financial tasks—checking the account balance, making transactions, arranging investments, and ordering an overdraft—onto your smartphone. In a business area that was once entirely committed to security, FinTechs make a hip design and outstanding user experience their one and only priority. Even though this strategy is rewarded by rapidly increasing customer numbers, it also reveals a flawed understanding of security. With the example of the pan-European banking startup N26 (formerly Number26), we succeeded, independently of the device used, in leaking customer data, manipulating transactions, and entirely taking over accounts to ultimately issue arbitrary transactions—even without credit.
Over the last few years, smartphones have become an omnipresent device that almost everybody owns and carries around all the time. Although financial institutions usually react conservatively to new technologies and trends, most established banks today offer their customers banking apps and app-based second-factor authentication methods. Fintechs, technology startups in the financial sector, pressure the tried and trusted structure of established banks, as they highlight the customer’s smartphone as the hub of their financial life. This business model is especially appealing to younger customers. FinTechs, however, also play an important role in the advancing downfall of important conceptual security measures. While the latter can be understood as the next step in the decay process of second-factor authentication, which was started with the introduction of app-based legitimization methods, FinTechs also reveal limited insights into conceptual and technical security. We have encountered severe vulnerabilities at the Berlin-based FinTech N26, which offers their smartphone-only bank account to many countrie

Speaker: Aylin Caliskan

Artificial intelligence and machine learning are in a period of astounding growth. However, there are concerns that these technologies may be used, either with or without intention, to perpetuate the prejudice and unfairness that unfortunately characterizes many human institutions. We show for the first time that human-like semantic biases result from the application of standard machine learning to ordinary language—the same sort of language humans are exposed to every day. We replicate a spectrum of standard human biases as exposed by the Implicit Association Test and other well-known psychological studies. We replicate these using a widely used, purely statistical machine-learning model—namely, the GloVe word embedding—trained on a corpus of text from the Web. Our results indicate that language itself contains recoverable and accurate imprints of our historic biases, whether these are morally neutral as towards insects or flowers, problematic as towards race or gender, or even simply veridical, reflecting the status quo for the distribution of gender with respect to careers or first names. These regularities are captured by machine learning along with the rest of semantics. In addition to our empirical findings concerning language, we also contribute new methods for evaluating bias in text, the Word Embedding Association Test (WEAT) and the Word Embedding Factual Association Test (WEFAT). Our results have implications not only for AI and machine learning, but also for the fields of psychology, sociology, and human ethics, since they raise the possibility that mere exposure to everyday language can account for the biases we replicate here.
There is no Alice and Bob in this talk. This talk is intended for an audience that genuinely cares for humanity and believes in equality while supporting fairness and acts against discrimination. This talk might not be interesting for folks who promote exclusion while discouraging diversity. Many

2016-12-27T00:00:00Z

33x20 Kampf dem Abmahnunwesen

  • 2016-12-27T00:00:00Z
  • 1h

Speakers: Beata Hubrig, erdgeist

In the field of tension between the cutting edge of computer technology and a specialised area of copyright law, an industry has carved out a niche in which it has built up a lucrative business through high specialisation and automation. In doing so, it accepts as collateral damage that innocent people are pushed by the threatening backdrop into paying and into closing their open network. We describe what can be done about it and what we have already done about it.
Problems:
• The cease-and-desist letters (Abmahnungen) are finely balanced so that, at almost every step, the cost risk for one's own expenses stays with the recipient.
• The letters are technically and legally complex, and the only “manageable” path is the bank transfer form; in addition, the deadline is designed to intimidate.
• The senders can wait as long as they like, until shortly before the limitation period expires, to keep the case alive; until a ruling there is no certainty.
• The senders can rely on proven text modules, judges who are out of their depth on the subject matter and (until recently) the "flying" place of jurisdiction (fliegender Gerichtsstand) with judges well disposed to their cause.
• On top of that comes unsettling case law from the BGH (Federal Court of Justice) regarding Störerhaftung (liability as an interferer).
• The senders can count on there being virtually no solidarity among the recipients, and can still settle cases with a prospect of unfavourable precedents out of court. Practically no ordinary recipient feels like conclusively clarifying the proceedings through a negative declaratory action.
• But only the risk of having to bear the expenses themselves for a large number of cases, in which the recipients defend themselves with potentially costly strategies, can set limits on industrial-scale cease-and-desist operations.
• The problem here is that with a cease-and-desist letter the basic rule is “everyone bears their own costs”, which for the ordinary person not covered by legal

Speaker: Nika Dubrovsky

I would like to present my project called Anthropology for kids and a specific book, that I am working on in the larger framework of this project.
This book will look like an ordinary school notebook in which a teacher checks a student if the lesson had been learnt. But it is actually not! I gathered this collection of historical and anthropological notes, so that together with school kids we can think about how the very idea of privacy was developed in different countries and in different historical epochs. In ancient Babylon wealthy women were allowed to cover their faces and their bodies, but the poor ones were not. In the Soviet Union during Stalin times it was dangerous to tell a political joke even in the group of close friends. One of them may report a joke to the authorities. Punishment for a political joke could be a prison sentence.
Today more or less all our online communication is watched or recorded by authorities.
How does our present relate to other times in history, how is the western notion of privacy related to the ideas in other cultures?
About the speaker:
Her practice evolved from visual arts, journalism, internet culture and publishing. After an artistic career in Israel in the early Nineties, Dubrovsky was among the pioneers in Russia's new media start-up scene and specialized in social media and open source culture. Moving to New York in 2001 she became a significant voice in Russian blogging. Her critical position on educational regimes led to the development and publishing of doodle books for children. Her current project Anthropology For Kids aims at creating a publication series with a participatory approach. Reframing crucial aspects of human life – family, money, health, beauty, and alike – Anthropology For Kids seeks to deconstruct conditioned notions of how we (should) live, demonstrating the diversity of perspectives and possibilities that exist in different cultures.

33x22 Pegasus internals

  • 2016-12-27T00:00:00Z
  • 1h

Speaker: Max Bazaliy

This talk will take an in-depth look at the technical capabilities and vulnerabilities used by Pegasus. We will focus on Pegasus’s features and the exploit chain Pegasus used called Trident. Attendees will learn about Pegasus’s use of 0-days, obfuscation, encryption, function hooking, and its ability to go unnoticed. We will present our detailed technical analysis that covers each payload stage of Pegasus including its exploit chain and the various 0-day vulnerabilities that the toolkit was using to jailbreak a device. After this talk attendees will have learned all of the technical details about Pegasus and Trident and how the vulnerabilities we found were patched.
Presentation Outline:
1. Introduction
Introduction to the talk and the background of the speaker
2. Technical Analysis
In the technical analysis section we will cover in-depth the three stages of this attack including the exploits and the payloads used at each stage. We will detail the obfuscation and encryption techniques the developers used to hide the payloads. We will also examine the 0-day vulnerabilities, called Trident, that we found, which allow for a remote jailbreak on the latest versions of iOS (up to 9.3.4) via Safari.
* 0-days (responsibly disclosed to Apple)
* Malware techniques
* Obfuscation and encryption techniques
The technical analysis will continue and detail the software that gets installed including what it was designed to collect, which includes texts, emails, chats, calendars, and voice calls from apps including Viber, WhatsApp, Skype, SMS, iMessage, Facebook, WeChat, Viber, WhatsApp, Telegram, Vkontakte, Odnoklassniki, Line, Mail.Ru Agent, Tango, Pegasus, Kakao Talk, and more.
* Application Hooking
* Use of SIP for exfiltration
* Historical Analysis of jailbreaks
We will detail how the jailbreak techniques used by this software have changed and adapted to the changing security mechanisms added to iOS over the years.
4. Summary

Speaker: Erik

This talk presents the results of the technical analysis for the German Parliamentary Committee investigating the NSA spying scandal on geolocation methods in mobile networks.
Which data are required to localize a mobile device? Which methods can be applied to accurately assess the geolocation? How can a single drone with a flight altitude of a few kilometers determine the position of a mobile device? Which role have mobile network operators in geolocation?
In my talk I will provide solid answers to these and related questions.

Speaker: Max Mehl

After three years, the user-unfriendly practice of compulsory routers (Routerzwang) has finally been declared unlawful, and we are currently preoccupied with the EU Radio Lockdown Directive (Funkabschottung). What is it about? And what can we learn from it for other cases?
The talk will make clear why political activism is so important and that it is actually not that hard if you keep a few things in mind.
It took three years to finally have the user-unfriendly practice of compulsory routers declared invalid by law. This practice allows Internet providers to force on their customers a terminal device over which the customers have little control. Worse still: if you want to connect your own router, for example because you need certain technical services, prefer devices based on Free Software or want to use a more energy-efficient model, with many providers this is either not possible at all or you are discriminated against when making support requests. This behaviour by providers is highly problematic in many respects, as it poses high security risks for users, distorts fair competition and hampers technological progress.
And for several months the EU Radio Lockdown Directive has been on our agenda, which may soon severely restrict the use and development of Free Software on all devices that use radio waves in any way.
The Free Software Foundation Europe, for which the speaker Max Mehl works, has fought against compulsory routers since the first debates more than three years ago and has gained a lot of experience in the process. In cooperation with Free Software developers, organisations such as the Chaos Computer Club or Digitalcourage, as well as device manufacturers, associations and politicians, it succeeded in officially ending compulsory routers by law from summer 2016.
A major reason for

Speakers: Fritz Herzrasen, Lisa Tschorn

The dynamics of global agricultural markets have intensified in recent years and pose new challenges for farmers. As in other sectors, hopes rest on sensor and data-processing technology and the Internet: production processes control themselves, trailers are loaded semi-automatically using image recognition, machines communicate with machines, and vehicles already drive largely autonomously.
The dynamics of global agricultural markets have intensified in recent years and pose new challenges for farmers. Likewise, the widely held occupational image of the farmer is increasingly shifting towards that of an agricultural entrepreneur who is able to deploy the full spectrum of the current state of technology. Issues such as resource scarcity, changes in climate and the globally rising demand for food and renewable raw materials are forcing farmers and agricultural entrepreneurs in Germany, too, to think about new strategies and working techniques in order to increase productivity and efficiency.
The rapid development of sensor and data-processing technology in combination with the Internet is one of the keys that can help meet the current challenges of agriculture. Without a large part of the population suspecting it, great advances in workflows and in how work gets done have been made precisely in agriculture and in the agricultural municipal services sector. One may, in thoroughly modern and smart fashion, speak of Agriculture 4.0 (Landwirtschaft 4.0): production processes control themselves, trailers are loaded semi-automatically using image recognition, machines communicate with machines, and vehicles already drive largely autonomously.

33x26 What's It Doing Now?

  • 2016-12-27T00:00:00Z
  • 1h

Speaker: Bernd Sieker

Legend has it that most airline pilots will at one time have uttered the sentence "What's it Doing now?", whenever the autopilot or one of its related systems did something unexpected. I will be exploring some high-profile accidents in which wrong expectations of automation behaviour contributed to the outcome.
"Pilot Error" is often publicly reported as "the cause" of an accident whenever a member of the flight crew did something which had consequences for the chain of events. We maintain that there is never a single cause, and every mistake a pilot may make has causes, and other factors contributing to it. We use the notion of a "necessary causal factor" to investigate the causes of accidents, and almost invariably there is a combination of both technical and human causal factors.
I will look in some detail at accidents in which a combination of a technical problem, misleading or missing indications, and inappropriate (but often understandable) crew actions contributed to an accident, and also some in which unprecedented actions of the human crew turned a problem with potentially fatal consequences into a survivable accident.
Automation in modern airliners has become so reliable and useful that it may be argued that it leads to a deterioration of hand-flying skills and, perhaps more importantly, of decision-making skills.
Sample accident cases will include Asiana Flight 214, Spanair Flight 5022, Turkish Flight 1951, TAM Flight 3054 and others. I will also briefly touch on technical and ethical problems with self-driving vehicles highlighted by the recent Tesla crash as well as increasing automation in General Aviation and its consequences.
In conclusion I will look at ways to improve safety and maintain the very high standard currently achieved in commercial aviation.

Speakers: Thomas Lohninger, Christopher Talib

After three years the EU has for the first time new Net Neutrality rules. What do they mean in practice? Which commercial practices by ISPs are allowed and which have to be punished by the telecom regulator? We give an overview about three years of campaign and where we go from here.
As part of the Savetheinternet.eu coalition, we fought hard over three years in all stages of the legislative and regulatory process to make the new Net Neutrality protections as strong as possible. We explain our tactics and goals for this campaign of 32 NGOs from 14 countries that managed to submit half a million comments to the European Regulators, BEREC.
This talk focuses on the practical implications of the new rules and which types of potential network discrimination are prohibited, disputed or allowed. We explain how enforcement is working in different countries and what you can do to put these new rules into practice and extinguish Net Neutrality violations by your ISP.
A core component in this fight is the platform RespectMyNet.eu. Users can submit Net Neutrality violations on this website and thereby give them visibility and allow others to confirm, discuss and act upon them. As BEREC guidelines will be regularly reviewed this tool is of utmost importance to track the implementation of Net Neutrality rules as well as commercial practices by ISPs and mobile operators.
RespectMyNet lived different lives, one of our current tasks is to make the tool and the submissions fit the new BEREC Guidelines in order to provide an easy to use and efficient tool for net neutrality activists in Europe.
Let's protect the Internet as an open, free and neutral platform with the new rules the EU has given us.

33x28 Untrusting the CPU

  • 2016-12-27T00:00:00Z
  • 1h

Speaker: jaseg

It is a sad fact of reality that we can no longer trust our CPUs to only run the things we want and to not have exploitable flaws. I will provide a proposal for a system to restore (some) trust in communication secrecy and system security even in this day and age without compromising too much the benefits in usability and speed modern systems provide.
CPUs have not only massively grown in complexity in the last years, they have unfortunately also spawned a slew of proprietary vendor subsystems that execute unauditable code beyond our control (TrustZone, Intel ME etc.).
There are some projects attempting to mitigate this issue somewhat by running less unauditable code (Coreboot, Novena etc.), but in the long run even using those we are still at the whims of some very large corporations which can decide whether or not we still have control over the systems we own.
In this talk, I propose an alternative approach to regain privacy and security on our systems. Instead of trying to fix our CPUs by reverse-engineering large amounts of proprietary blobbiness, I propose we move as much sensitive data as possible out of these compromised systems.
In practice, the architecture I propose places a trusted interposer into the compromised system's display bus (LVDS, (e)DP or HDMI) that receives in-band control data containing intact ciphertext (read: PGP/OTR encoded into specially formatted RGB pixel data) and that transparently decrypts, verifies and renders the decrypted data into the pixel data stream.
The resulting system looks almost identical from a user-interface perspective, but guarantees plaintext message data is never handled on the compromised host CPU while all the juicy computational power and fancy visual effects that one provides remain intact.
I will outline the implementation problem areas of this approach and some possible solutions for them. I will also provide an analysis of this system from a privacy and security perspective.

33x29 A Data Point Walks Into a Bar

  • 2016-12-27T00:00:00Z
  • 1h

Speaker: Lisa Charlotte Rost

tl;dr: Mother Teresa said "If I look at the mass I will never act. If I look at the one, I will." I'll present ways that make us act when looking at the mass.
Remember when we thought that data would solve all our problems? Ah, the good old days. We thought we finally found all the important problems. And all the right answers. We just forgot one important thing: The audience of data is very often....people. Irrational people. People who didn't care if Trump lied or not in the Election Year of 2016. People who know that "millions of people starve in Africa", but who want to donate for that one hungry child in Norway they saw in a TV documentary. People who read about a portfolio company and then think the whole night about becoming a farmer in Chile, like the main character of their favourite book.
Stories stick, but data doesn't. Stories stick because they make us feel something; and we remember situations in which we felt intense feelings. Stories make us act; they change our beliefs. Stories make us feel warm and empathic and alive. Data doesn't make us feel anything on its own. Data is cold.
And still, I love data, and I love to work with it. Can we create feelings with data? Away from the beaten paths of company dashboards, scientific plots and newspaper graphics? I believe it's possible. In my talk, I will showcase some ways to present data so that it sticks and makes you feel things. We'll talk about the status quo of data presentation and where we still need to go. If you like data and want to look at more of it, you should come by.

33x30 Dieselgate – A year later

  • 2016-12-27T00:00:00Z
  • 1h

Speaker: Daniel Lange (DLange)

At 32C3 we gave an overview on the organizational and technical aspects of Dieselgate that had just broken public three months before. In the last year we have learned a lot and spoken to hundreds of people. Daniel gives an update on what is known and what is still to be revealed.
As predicted at 32C3 the last year showed basically every car manufacturer has been cheating with NOx emissions. The whole regulatory scene is a chaotic and over-complex mess of copy-and-paste legislation. The legal battle reveals more of the methods and organizations involved. The political scene tries to look busy and drive clientele agendas.
Daniel reports from the EU parliament, why Mayo fries VW lawyers in Ireland and how the Michigan Attorney General does the Braunschweig AGO’s job.

Speakers: fraulutz, NoAverageRobot

Since last February, Hoaxmap has been collecting rumours about refugees along with their refutations, sorting them and presenting them in map form. The topics are as varied as the narrative forms.
After almost a year of work on the map, we want to draw an interim conclusion and take a look at the rumours, those who spread them and their methods.
Since the number of refugees in Germany rose in the summer of last year, rumours and false reports about asylum seekers and migrants have increasingly been in circulation. Hoaxmap has taken on the phenomenon and displays collected rumours and their refutations on a map.
And their range is wide. The topics include alleged crime as well as supposed social benefits. Nor is their form limited to Facebook posts and classic pub talk, as a look at the collected data shows.
In the talk we also want to explore the question of who the actors are that spread rumours or even start them in the first place. Using examples, we will look at what political effect rumours can have, and possibly are intended to have.
But we also want to show how easy it is, at least on a technical level, to counter racist distortions with tools that the net provides.

33x32 Keys of Fury

  • 2016-12-27T00:00:00Z
  • 1h

Speaker: raquel meyers

Keys Of Fury is a brutalist storytelling about technology and keystrokes where text is used unadorned and roughcast, like concrete. I define my practice as KYBDslöjd (drawing by Type In) who uses the Commodore 64 computer, Teletext technologies and Typewriter. Brutalism has an unfortunate reputation of evoking a raw dystopia and KYBDslöjd evokes an “object of nostalgia”. But nostalgic, retro, obsolete or limited are rhetoric qualities earned by constant repetition. We live in a time where hardware and software become obsolete before most of the users have learned how to use them or disappear into pure functionality. The obedience to standards who made us passive observers and consumers.
KYBDslöjd is heavy, flat, brutal, and there is no CTRL-Z. You cannot make corrections, so any unintended strikes force you to start all over again. The screen is the canvas, use as rectilinear grid on which one keystroke at a time build a character by character animation. The remote control triggers the ghost on the television screen hiding in the vertical blanking interval (VBI) lines like REM (rapid eye movement) sleep intervals. A door to unlock the Imagination. The joy of Text-mode.
KYBDslöjd is not “dead media” of the past

33x33 Software Defined Emissions

  • 2016-12-27T00:00:00Z
  • 1h

Speaker: Felix „tmbinc“ Domke

A technical talk on how to reverse-engineer electronic control units in order to document what was left apparently intentionally undocumented by the vendor – including how Volkswagen tweaked their cycle detection code while already being investigated by the EPA, how different the Volkswagen approach is really to the rest of the industry, and of course some trivia on how the „acoustic function“ got its name.
A year ago, I showed how I pinpointed the cycle detection technique in the ECU software of a Volkswagen car. This talk will focus on the technical part of what has happened since then – how to reverse engineer an ECU, what other vendors do, what their reaction was, and putting the „isolated findings of a hacker“ into perspective.
I’ll talk about data collection over CAN, understanding EGR/SCR control strategies (and how to characterize them), and how to find the needle in a 17000-element haystack (and how to understand whether it’s indeed a needle or just a thin, cylindrical object with a sharp point at the end which legally does not represent a needle).

33x34 Nintendo Hacking 2016

  • 2016-12-27T00:00:00Z
  • 1h

Speakers: derrek, nedwill, naehrwert

This talk will give a unique insight of what happens when consoles have been hacked already, but not all secrets are busted yet.
This time we will not only focus on the Nintendo 3DS but also on the Wii U, talking about our experiences wrapping up the end of an era.
We will show how we managed to exploit them in novel ways and discuss why we think that Nintendo has lost the game.
As Nintendo's latest game consoles, the 3DS and Wii U were built with security in mind.
While both have since been the targets of many successful attacks, certain aspects have so far remained uncompromised, including critical hardware secrets.
During this talk, we will present our latest research, which includes exploits for achieving persistent code execution capabilities and the extraction of secrets from both Wii U and 3DS.
Basic knowledge of embedded systems, CPU architectures and cryptography is recommended, though we will do our best to make this talk accessible and enjoyable to all.
We also recommend watching the recording of last year's C3 talk called "Console Hacking - Breaking the 3DS".

33x35 Make Wi-Fi fast again

  • 2016-12-27T00:00:00Z
  • 1h

Speaker: Hendrik Lüth

With rising data volumes and an ever-growing number of devices, Wi-Fi has to grow too. Following "ur WiFi sucks!!1!", this talk is a short introduction to the new features that came with the 802.11ac standard and explains how they work.
Since the 802.11ac standard was published in 2013, manufacturers have produced many devices that support the new "gigabit" Wi-Fi. But what is it actually? Why is it so much faster? What is this "MultiUser-MIMO", and how does this beamforming actually work?
This talk addresses all these questions and conveys a basic understanding of how the standard functions and is structured. In addition, we look at the practical advantages for a Wi-Fi installation and at what a manufacturer can get wrong when developing access points.

Speaker: Hakuna MaMate

An overview of the net-policy situation in Switzerland. We give a comprehensive review of the eventful year 2016, in which the Swiss population decided on no fewer than two mass-surveillance laws. The net-policy groups fought the laws with great commitment. We report on how we went about it, how it turned out and what we learned in the process.
We also look ahead to upcoming net-policy challenges.
A lot has happened in net policy in 2016, since our last talk on the topic.
Right at the beginning of 2016 came the news that the referendum on the NDG had succeeded. This gave the Swiss electorate the chance to vote on the intelligence service act (NDG). But with the referendum secured, only half the work was done.
The task now was to counter the state propaganda machinery that had been set in motion, as well as some parties, in particular centre-right ones. The net-policy groups were therefore called upon to take part in the referendum campaign actively, independently of party politics and with technical facts. On 25 September 2016 the Swiss electorate then decided on the new intelligence service act: 65% of the population accepted the law, only 35% shared our opinion.
In spring, parliament passed the next questionable law straight away: the revised Federal Act on the Surveillance of Post and Telecommunications (BÜPF). The Swiss net community, supported by a whole series of youth parties, immediately launched a referendum against this law as well. This time the collection of signatures was coordinated from the premises of CCC Zürich (CCCZH), since, apart from the Pirate Party with its strong net-policy roots, it was not a party-political initiative. Even though the referendum against the BÜPF unfortunately

33x37 Lockpicking in the IoT

  • 2016-12-27T00:00:00Z
  • 1h

Speaker: Ray

"Smart" devices using BTLE, a mobile phone and the Internet are becoming more and more popular. We will be using mechanical and electronic hardware attacks, TLS MitM, BTLE sniffing and App decompilation to show why those devices and their manufacturers aren't always that smart after all. And that even AES128 on top of the BTLE layer doesn't have to mean "unbreakable". Our main target will be electronic locks, but the methods shown apply to many other smart devices as well...
This talk will hand you all the tools you need to go deeply into hacking smart devices. And you should! The only reason a huge bunch of these products doesn't even implement the most basic security mechanisms, might be that we don't hack them enough!
We start by looking at the hardware layer, dissecting PCBs and showing which chips are usually used for building those devices. Even if the firmware is read protected they still can be used as nice devboards with unusual peripherals - if you can't flash it, you don't own it!
But you don't always have to get out your JTAG interfaces. The most simple part is intercepting an App's communication with its servers. We show an easy Man-in-the-middle setup, which on the fly breaks the TLS encryption and lets you read and manipulate the data flowing through. This was enough to completely defeat the restrictions on a lock's "share to a friend" feature and of course helps you recover your password...
Understanding the API also is the best way to actually OWN your device - giving you the option to replace the vendor's cloud service with an own backend. We show how this can be for example used to continue using your bike lock when the kickstarter you got it from goes bankrupt after a presentation about its bad crypto. Just kidding, they are already notified and working on a patch.
Also going for the wireless interface and sniffing BTLE isn't as difficult as it might sound. Turning a cheap 10 EUR devboard into a sniffer we show how to use Wir

Speakers: Filippo Valsorda, Nick Sullivan

Transport Layer Security (TLS) 1.3 is almost here. The protocol that protects most of the Internet secure connections is getting the biggest ever revamp, and is losing a round-trip. We will explore differences between TLS 1.3 and previous versions in detail, focusing on the security improvements of the new protocol as well as some of the challenges we face around securely implementing new features such as 0-RTT resumption. At Cloudflare we will be the first to deploy TLS 1.3 on a wide scale, and we’ll be able to discuss the insights we gained while implementing and deploying this protocol.
Version 1.3 is the latest Transport Layer Security (TLS) protocol, which allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. TLS is the S in HTTPS.
A lot has changed between 1.2 (2008) and 1.3. At a high level, 1.3 saves a round-trip, making most connections much faster to establish. We'll see how the 1.2 handshake worked, and what had to change to enable 1-RTT handshakes.
But even more importantly, the 1.3 design shifted towards putting robustness first. Anything that is not strictly necessary to the main function of TLS was removed (compression, renegotiation); choices of suboptimal security aren't offered at all (static RSA, CBC, RC4, SHA1, MD5); secure, easy to implement designs are introduced or privileged (RSA-PSS, AEAD implicit nonces, full handshake signatures, Curve25519, resumption forward secrecy). We will go into the why and how of all of these.
But two major trade-offs had to be made: first, 1-RTT handshakes inherently prevent the introduction of encrypted domain names (SNI). We'll see why and what can replace them to provide similar privacy.
Most interestingly, 1.3 comes with 0-RTT resumption. The catch there is that the protocol itself provides no complete protection against replay attacks. We'll unpack the proble

Speakers: Karsten Nohl, Nemanja Nikodijevic

Travel booking systems are among the oldest global IT infrastructures, and have changed surprisingly little since the 80s. The personal information contained in these systems is hence not well secured by today's standards. This talk shows real-world hacking risks from tracking travelers to stealing flights.
Airline reservation systems grew from mainframes with green-screen terminals to modern-looking XML/SOAP APIs to access those same mainframes.
The systems lack central concepts of IT security, in particular good authentication and proper access control.
We show how these weaknesses translate into disclosure of travelers' personal information and would allow several forms of fraud and theft, if left unfixed.

33x40 Netzpolitik in Österreich

  • 2016-12-27T00:00:00Z
  • 1h

Speakers: Thomas Lohninger, Alexander Czadilek

The Austrian federal government's net policy was no better in 2016 than in the years before: new surveillance laws, attempts (so far successfully thwarted) to introduce state spyware (Bundestrojaner), the eternal struggle for a transparency law, a hypocritical simulation of democratic participation and e-voting, which had been believed dead, are burning issues that require a broad public debate. In a net-policy review of the year, AKVorrat shows what we can do about it and that civil society has an effect.
Police State Protection Act (Polizeiliches Staatsschutzgesetz) passed, a bill to legalise surveillance software (Bundestrojaner) introduced, far-reaching surveillance measures now possible even for administrative offences, etc.: the list of data-protection and net-policy problem cases in Austria is long. The workload for activists in Austria is rising.
For civil-society initiatives, too, politics means the drilling of hard boards. With a well-dosed mixture of legal and technical expertise and activism, a few very deep holes were drilled into Austria's official, unbalanced net policy in 2016.
The centrepiece of the past year's activities was HEAT, the Handbook for the Evaluation of Anti-Terror Laws in Austria (Handbuch zur Evaluation der Anti-Terror-Gesetze in Österreich).
The extent of state intrusion into our privacy and informational self-determination can only be properly grasped by looking at the sum of all intrusions. This important insight, the need for an overall “surveillance accounting” (Überwachungs-Gesamtrechnung), was first formulated by the German Federal Constitutional Court in its March 2010 ruling striking down German data retention. HEAT lists all of Austria's surveillance laws, combines this with

33x41 Console Hacking 2016

  • 2016-12-27T00:00:00Z1h

Speaker: marcan

Last year, we demonstrated Linux running on the PS4 in a lightning talk - presented on the PS4 itself. But how did we do it? In a departure from previous Console Hacking talks focusing on security, this year we're going to focus on the PS4 hardware, what makes it different from a PC, and how we reverse engineered it enough to get a full-blown Linux distro running on it, complete with 3D acceleration.
So you have an exploit. You have code execution. Great! But what do you do now?
In the past, console homebrew usually focused on bringing up a development environment similar to the one used for commercial games. However, with the increasing complexity of console hardware, it's becoming impractical for a small team of hackers to create a full blown development SDK. Using leaked official SDKs is illegal. What can we do? Well, there's Linux.
The PS4 is particularly great for Linux, because it is based on a modified x86 platform and a modified Radeon GPU. That means that once the basic OS port is complete, it can run existing games - even Steam games and other commercial software. But just how similar is the PS4 to a PC? Can you just throw GRUB on it and boot an Ubuntu kernel? Not quite.
In this talk we'll cover the PS4 hardware and part of its software environment, and how we reverse engineered enough of it to write Linux drivers and kernel patches. We'll go over how we went from basic code execution to building a 'kexec' function that can boot into Linux from the PS4's FreeBSD-based kernel. We'll reverse engineer the PS4's special hardware, from special PCI interrupt management to the HDMI encoder. We'll dive deep into the Radeon-based GPU architecture, and we'll share some previously unreleased research and tools of interest to AMD Radeon driver developers and hackers.
If you're interested in the strange world of x86 hardware that isn't quite a PC, then this talk is for you.

Speaker: Tobias Fiebig

In this talk we will explore and present various IPv6 scanning techniques that allow attackers to peek into IPv6 networks. With the already known difference between IPv4 and IPv6 firewalling (the latter is worse...) we then demonstrate how these techniques can be combined and used to obtain a large-scale view on the state of IPv6 in infrastructures and data centers. To give the whole issue a somewhat more fun dimension, we will also look at some (security) sensitive applications of this technique. Complimentary code-snippets will be provided.
Scanning networks is a basic tool for security researchers. Software misconfigurations, such as unprotected key-value stores, and software bugs like Heartbleed are analyzed and investigated in the wild by scanning networks.
At least since the rise of ZMap, scanning the I---Pv4---nternet has become a rather simple endeavour. When one happens to be at a conference that tends to supply 1gE or 10gE ports on the access layer, scanning the Internet can be done in 60-10 minutes. Scanning the 2^32 possible addresses (with certain limitations) of IPv4 has become cheap.
However, the small search space of IPv4 that makes it so scannable is also what renders it increasingly obsolete. To overcome this issue, IPv6 was designed. Along with IPv6 we receive a theoretical maximum of 2^128 different addresses. Scanning this larger space is a challenge that, so far, has been mostly approached by researchers. Specifically, not security but network measurement researchers. Their works usually focus on having access to large datasets of IPv6 addresses, the most famous ones using the access logs of a large CDN.
With the average nerd lacking a small enterprise scale CDN in the basement, we set out to utilize other techniques for enumerating IPv6 that only utilize public data sources. Following RFC 7707, we found various interesting candidate techniques. Especially probing the PTR sets of IPv6 networks sounded promi

Speakers: Florian Grunow, Niklaus Schiess, Manuel Lubetzki

33x44 Visiting The Bear Den

  • 2016-12-27T00:00:00Z1h

Speaker: Jessy Campos

Sednit, a.k.a. Fancy Bear/APT28/Sofacy, is a group of attackers operating since at least 2004 and whose main objective is to steal confidential information from specific targets. Over the past two years, this group's activity increased significantly, in particular with numerous attacks against foreign affairs ministries and embassies all over the world. They are supposedly behind the DNC hack, and the WADA hack, which happened earlier this year. This talk presents the results of a two-year hunt after Sednit, during which we dug up and analyzed much of their software.
Technically speaking, Sednit is probably one of the best espionage groups out there. Not only have they created a complex software ecosystem, composed of tens of different components, but they also regularly come out with 0-day exploits. Also remarkable is their ability to very quickly integrate newly published techniques in their toolkit.
In particular, we will explain how they tend to operate and we will dive into technical details of their most impressive components:
- DOWNDELPH, a mysterious downloader deployed in very rare cases and with advanced persistence methods. In particular, we found a Windows bootkit dropping this component, and also a Windows rootkit, both never documented.
- XTUNNEL, a network proxy tool able to transform an infected machine into a pivot to contact computers normally unreachable from the Internet. Heavily obfuscated, and based on a custom encrypted protocol, XTUNNEL is a major asset in Sednit's post-infection toolkit.
- XAGENT, the flagship Sednit backdoor, for which Windows, Linux and iOS versions have been developed. Built as a modular framework around a so-called "kernel", it allows building flexible backdoors with, for example, the ability to switch between various network protocols.
- SEDKIT, a full-fledged exploit-kit, which depending on the target's configuration may drop 0-day exploits or revamped exploits.
And also, during

Ein Geheimdienst als Zeuge. Szenen aus dem NSA-Untersuchungsausschuss.

Speakers: anna, Kai Biermann, Felix Betzin, Elisabeth Pleß, Johannes Wolf, vieuxrenard

The NSA committee of inquiry in the Bundestag is supposed to clarify what the NSA does in Germany and how German intelligence services are involved in these activities. It is almost like a court hearing, but with one peculiarity: the witness is the BND, an intelligence service. And it does everything it can to reveal nothing.
The staging contains original scenes and quotes from the committee that show how laborious it is to question an intelligence service and how hard it makes it for parliament to oversee it. But they also prove that democratic inquiry is not in vain, even if it sometimes happens only by accident. Or when the investigators are presented with several truths on a topic instead of one.

Speaker: André Lampe

Everyone knows roughly what a microscope is, and perhaps you have also heard that research on it is still going on; keyword: super-resolution microscopy (2014 Nobel Prize in Chemistry). There are significantly more microscopes in professional research than there are telescopes, significantly more, and so one might ask: "Why do I see so many images of stars, but hardly any microscopy images from public institutions and agencies?". To answer this question, I want to give a brief introduction to the world of super-resolution microscopy and explain the techniques, talk a bit about the community, and try to make clear why openness is still somewhat lacking here. AND: there will also be some actual microscopy.
I have spent the last 6 years building a microscope. One that uses light to see things below the diffraction limit of light, in several colors, in 3D. The thing is finished, as finished as something can be that is called a doctoral thesis project. I do not want to sell it to anyone; the research is published and our software for it is open source. For me, working on it was an entry ticket into another world. I want to explain what super-resolution microscopy is, the three different approaches to it (PALM/STORM, STED, SIM), how they complement each other, and how the technological development of the 21st century made this possible in the first place. How techniques based on laser physics (STED), the stochastic blinking of molecules (PALM/STORM) or the fast Fourier transform (SIM) allow us to look deeper into cells, and how you suddenly have to think about how to depict something in an image that is not really an image at all, but a multi-layered measurement result. But the community in this field is interesting too. Slowly but surely the open science idea is spreading, more and more software is open source, there is even an annual

33x47 Der 33 Jahrerückblick

  • 2016-12-28T00:00:00Z1h

Speakers: maxigas, mel

The proper relationship of technology and politics has been the subject of an evergreen debate on the floor of the Chaos Communication Congress. Rather than taking a position in this debate, we are asking how the two have been co-articulated in practice so far by CCC participants?
The proper relationship of technology and politics and thereby the percentage each covers in the Congress schedule have been the subject of an evergreen debate at the floor and in the corridors of the Chaos Communication Congress. Rather than taking a position in this debate, we are asking how the two have been co-articulated in talks so far by CCC participants? In order to answer this question, we are analysing the available titles and abstracts of Congress talks from 1984 until now. This ongoing research seeks to identify changing trends, significant outliers, apparent patterns and common threads throughout the years. We also wonder if it is possible to identify turning points in the narrative. The empirical data is contextualised by reflections on the shifting ground of technology, politics and society in the world during the long history of the CCC, as well as by qualitative reflections of attendants. We are inviting the audience to help us with the latter by joining in a follow-up discussion after the presentation.

Speakers: Roland Schilling, Frieder Steinmetz

Most of us use mobile messaging every day. We use certain apps that we chose for a number of factors, like our friends using it, good press, privacy promises, or simply their feature sets. This talk aims to enable more of us to reason about the privacy and security of messaging apps. We will try to present simple analogies translating abstract security and privacy expectations into concrete feature sets. We will illustrate these features using the popular messaging app Threema. Our analysis of its protocol is based on our own reverse-engineering efforts and a re-implementation of the Threema protocol that we will release during the talk.
Despite its ubiquitous application and widespread acceptance, mobile instant messaging remains a complex matter and is often not understood by its users. Easy-to-use apps and security assurances by their developers suggest to users a safe and private environment for conversation. At the same time, more and more apps flood the market and it is becoming increasingly difficult, even for technically-educated users, to keep track of both technological development and their own security and privacy requirements. We want to present a talk that sheds some light on technical aspects of mobile instant messaging and presents an overview of techniques and design decisions by different mobile instant messaging app developers. We aim at both technically-educated and casual users alike, trying to present simple analogies and break down complex details into understandable components. After an introduction to the mobile instant messaging world, we will dissect one of the most popular mobile instant messaging apps in Germany: Threema. It is closed-source and only superficially documented, yet widely used. We picked it for a particular design decision in its protocol, the lack of which we consider the most important flaw in competitor protocols like Signal: the use of discardable IDs in favor of pho

Speaker: taxman

The Common Reporting Standard is a multinational agreement signed by more than 80 nations, including all EU member states. The signatories promised to exchange bank account information on foreigners.
PayPal, a Luxembourg company, is expected to report millions of accounts to German, French, Spanish etc. tax auditors. This lecture will give an overview of the technical and legal aspects of the exchange.
The Common Reporting Standard (CRS) and FATCA obligate banks to collect information from their customers and forward this information to the national tax authorities. The national tax authorities in turn forward this information to whatever country it is designated for.
It is estimated that PayPal Luxembourg will report 60 million accounts in Europe. These reports will land on the desks of tax auditors, who will then start asking taxpayers questions.
This talk will give an overview of who is affected, what type of information will be exchanged, and what you can do about it.

Speaker: Axel

Physicists are not computer scientists. But at CERN and worldwide, they need to analyze petabytes of data, efficiently. For more than 20 years now, ROOT has helped them with interactive development of analysis algorithms (in the context of the experiments' multi-gigabyte software libraries), serialization of virtually any C++ object, fast statistical and general math tools, and high quality graphics for publications. I.e. ROOT helps physicists transform data into knowledge.
The presentation will introduce the life of data, the role of computing for physicists and how physicists analyze data with ROOT. It will sketch out how some of us foresee the development of data analysis given that the rest of the world all of a sudden also has big data tools: where they fit, where they don't, and what's missing.

33x51 Syrian Archive

  • 2016-12-28T00:00:00Z1h

Speakers: Jeff Deutch, Hadi Al-Khatib

Journalists and human rights groups need to find and use verified visual evidence in order to accurately report about what’s happening in conflict zones. In the case of Syria, there are more hours of footage online than there have been hours of conflict.
There is currently no tool that supports finding, collecting, preserving and collaboratively verifying and curating visual evidence from social media platforms: The Syrian Archive is the first to do so.
In this talk, members of the Syrian Archive team will give an overview of the Syrian Archive project, explore the technical components and verification procedures, and review investigations completed using open source methodologies.
We have currently developed an open source tool in alpha stage in collaboration with developers from Tactical Tech which collects and preserves video evidence from YouTube. We have additionally developed a unique workflow in order to verify video documentation and to conduct our investigations. By aggregating, preserving, cataloging and securing digital documentation relating to human rights violations in Syria, the Syrian Archive project helps Syrian civil society, human rights activists, media offices, journalists and lawyers increase their capacity to respond to human rights violations through using documentation and investigations that adhere to international standards, and using better tools to demand accountability against perpetrators of those violations.
Findings from investigations have been used by Human Rights Watch, the United Nations Security Council and the Organisation for the Prevention of Chemical Weapons in their work investigating the Syrian conflict. Further, research has been cross-published by Bellingcat, an award-winning open source investigation platform an

33x52 The Clash of Digitalizations

  • 2016-12-28T00:00:00Z1h

Speaker: Saud Al-Zaid

This talk discusses the representation of Arab males in video games and the adverse effect it has on the collective political imagination. Anonymous military-aged Arab men become increasingly the exception to the laws of human rights, and become default targets for conventional and unmanned drone attacks. This devolution is seen through the lens of the changing nature of conflict through digitalization, the collapse of the nation state in Iraq and Syria, and the future of war.
In the popular video game series "Call of Duty: Modern Warfare", Arab men are consistently depicted as the mindless throngs of the indistinguishable enemy. The First Person Shooter (FPS) genre lends itself to killing enemies, usually many in the same round, but the evolution of the target went from Nazis in Wolfenstein 3D in 1992, to targets that become increasingly comparable to Arabs and Muslims in the following years. So besides historically oriented games that focus on the combatants of World War II, most games since the 1990s begin to shift their focus to another kind of enemy, one that suspiciously looks Arab or Islamic. Even in Sci-Fi epics like the Halo series, which take place many hundreds of years in the future, the enemies start taking on an exotified look and feel, and follow an obviously religious ideology that is inimical to universal peace. The smallest insignificant alien becomes a strategic risk as they become "suicide bombers" blowing themselves up before they die, expressing a sigh of cowardice before they die.
In "Modern Warfare 2", something surprising happens. The Arab characters are given a little more depth and backstory, and the Arabic dialogue is the most realistic of any of the other games. It also becomes the version of the game that is most modified by users (in so-called "mods"). Hacked and converted to other versions, there is significantly a version used by Al-Qaeda for recruitment purposes. The production company responsible, Infinity

33x53 Hacking the World

  • 2016-12-28T00:00:00Z1h

Speaker: Claudio "nex" Guarnieri

In this lecture I wish to reflect on the maturation of the security and hacking communities and their role in larger societal and political participation. We'll reflect on the predominant role that technology has been growing into our lives, and the responsibilities we have in nurturing it. After having spent the last years in researching, exposing, and preventing the electronic targeting of dissidents and journalists, I hope to synthesize my experience and suggest how to reconsider our tactics, the successes, and the failures, and hopefully draw some inspiration for a brighter future.
Computer systems were destined for a global cultural and economic revolution that the hacker community anticipated. We saw the potential, we saw it coming. And while we enjoyed the little time of reckless banditism, playing cowboys of the early interconnected age, we also soon welcomed the public realization that we were right all along, that information technology was going to change everything, and that information security was critical. Now, the Internet governs our lives.
Success always comes with strings attached.
The Internet morphed with us. Once an unexplored space we were wandering in solitude, now it has become a marketplace for goods, the vehicle for communication, as well as an instrument for control, and a field for battle.
We learned the many ways it was abused and broken. We learned the stories of those who were victims of the shortcomings of computer and network systems, and we realized how often and brutally they were turned into means of persecution against those who struggle for free speech and democracy around the world.

33x54 Welcome to the Anthropocene?

  • 2016-12-28T00:00:00Z1h

Speaker: KaLeiMai

The Anthropocene is widely understood to mean the current "period of Earth's history during which humans have a decisive influence on the state, dynamics and future" of this planet. For several years, scientists in the Working Group on the 'Anthropocene' (AWG) have worked (and voted!) on defining the beginning of the Anthropocene in geochemical terms. The mid-20th century provides an obvious geochemical 'timestamp': fallout from nuclear weapons detonations. Which other chemicals and timestamps are being considered for marking the Anthropocene's start? How is 'define-by-committee' even working out for geological epochs? This talk boils the scientific background of the Anthropocene debate down for non-stratigraphers.

Stratigraphers are geologists who focus on sediment, rock or ice layers, etc. These 'strata' form by deposition of organic or inorganic material (such as microorganisms or volcanic ash) and provide a record of the history of our planet's surface. Because gas bubbles, isotopes, etc. are captured in the strata, scientists can analyse the geochemistry of the past, date certain events, and more. That kind of data ultimately underlies xkcd's recent 'Earth Temperature Timeline'. Direct measurements of geochemical signals such as atmospheric CO2 concentration and ocean pH started only in the mid-20th century.

Besides the Intergovernmental Panel on Climate Change, the AWG is possibly the most diverse scientific committee with most public attention currently. Therefore, defining the Anthropocene is a multi-disciplinary, collaborative scientific effort, as well as an inherently political statement. This talk will explain why.

33x55 Lightning Talks Day 2

  • 2016-12-28T00:00:00Z1h

33x56 Tapping into the core

  • 2016-12-28T00:00:00Z1h

Speakers: Maxim Goryachy, Mark Ermolov

Engaging universally available deep debug functionality of modern Intel cores, with zero software or hardware modifications required on the target side.
Our research team at Positive Technologies has discovered a way to engage the advanced debug machinery on modern Intel cores. This advanced machinery can be employed to exercise deep control of the running system across all execution modes using merely a USB port connection, with zero software or hardware modifications required on the target side.
It goes without saying that such functionality carries profound security implications.

33x57 Gone in 60 Milliseconds

  • 2016-12-28T00:00:00Z1h

Speaker: Rich Jones

More and more businesses are moving away from monolithic servers and turning to event-driven microservices powered by cloud function providers like AWS Lambda. So, how do we hack into a server that only exists for 60 milliseconds?

This talk will show novel attack vectors using cloud event sources, exploitabilities in common server-less patterns and frameworks, abuse of undocumented features in AWS Lambda for persistent malware injection, identifying valuable targets for pilfering, and, of course, how to exfiltrate juicy data out of a secure Virtual Private Cloud.

This talk will be the first public anatomy of an attack on a server-less application deployed to AWS Lambda and AWS API Gateway. It'll be useful for any application developer looking to build a server-less application, and for any hacker who's come up against this interesting new class of application.

First, we'll take a look at the current state of server-less architectures and show some common deployment patterns and how they're used in production, comparing the advantages and trade-offs against traditional monolithic servers.

Next, we'll explore the attack surface of a server-less application, showing that where Satan closes a door, he opens a window. Using exploitables in common server-less patterns, we'll use cloud event sources as a vector for delivering our obfuscated payload.

Then, we'll use some undocumented features in AWS Lambda to persist our malware, explore the Lambda environment looking for secret keys and other buried treasures, and pillage a remote database.

Finally, we'll use a few more tricks to sneak out of the VPC with our precious data in tow! And, of course, we'll tidy up after ourselves, leaving the DevOps team none the wiser.

Speaker: hanno

Applied IT security is largely a science-free field. The IT-Security industry is selling a range of products with often very questionable and sometimes outright ridiculous claims. Yet it's widely accepted practice among users and companies that protection with security appliances, antivirus products and firewalls is a necessity. There are no rigorous scientific studies that try to evaluate the effectiveness of most security products or strategies. Evidence-based IT security could provide a way out of the security nihilism that's often dominating the debate – however it doesn't exist yet.
From Next-Generation APT-Defense to Machine Learning and Artificial Intelligence: The promises of IT security product vendors are often bold. Some marketing promises are simply impossible, because they violate a fundamental theorem of computer science, the halting problem.
Many IT security professionals are skeptical of security appliances, antivirus software and other IT security products and call them snake oil. Furthermore security products often have security vulnerabilities themselves, which has lately been shown by the impressive work done by Tavis Ormandy from Google's Project Zero.
When there's disagreement about the effectiveness of an approach then rational people should ask for scientific evidence. However, surprisingly this evidence largely doesn't exist. While there obviously is a lot of scientific research in IT security it rarely tries to answer practical questions most relevant to users. Decisions are made in an ad-hoc way and are usually based on opinions rather than rigorous scientific evidence. It is quite ironic that given the medical analogies this field likes to use (viruses, infections etc.), nobody is looking how medicine solves these problems.
The gold standard of scientific evidence in medicine (and many other fields) is to do randomized controlled trials (RCTs) and meta-analyses of those trials. An RCT divides patients in groups and

33x59 Wheel of Fortune

  • 2016-12-28T00:00:00Z1h

Speakers: Jos Wetzels, Ali Abbasi

Secure random number generators play a crucial role in the wider security ecosystem. In the absence of a dedicated hardware True Random Number Generator (TRNG), computer systems have to resort to a software (cryptographically secure) Pseudo-Random Number Generator (CSPRNG). Since the (secure) design of a CSPRNG is an involved and complicated effort and since randomness is such a security-critical resource, many operating systems provide a CSPRNG as a core system service and many popular security software products assume their presence. The constraints imposed by the embedded world, however, pose a variety of unique challenges to proper OS (CS)PRNG design and implementation which have historically resulted in security failures. In this talk we will discuss these challenges, how they affect the quality of (CS)PRNGs in embedded operating systems and illustrate our arguments by means of the first public analysis of the OS random number generators of several popular embedded operating systems.
Randomness is a fundamental, security-critical resource in the wider security ecosystem utilized by everything from cryptographic software (e.g. key and nonce generation) to exploit mitigations (e.g. ASLR and stack canary generation). Ideally secure random number generation is done using a dedicated hardware True Random Number Generator (TRNG) collecting entropy from physical processes such as radioactive decay or shot noise. TRNGs, however, are both relatively slow in their provision of random data and often too expensive to integrate in a system which means computer systems have to resort to a software (cryptographically secure) Pseudo-Random Number Generator (CSPRNG). Such a CSPRNG is seeded (both initially and continuously) from a variety of sources of 'true' entropy which are effectively stretched into additional pseudo-random data using cryptographic methods. Since the design and implementation of such CSPRNGs is a complicated and involved

Speakers: Matt Bernhard, J. Alex Halderman

The 2016 U.S. presidential election was preceded by unprecedented cyberattacks and produced a result that surprised many people in the U.S. and abroad. Was it hacked? To find out, we teamed up with scientists and lawyers from around the country—and a presidential candidate—to initiate the first presidential election recounts motivated primarily by e-voting security concerns. In this talk, we will explain how the recounts took place, what we learned about the integrity of the election, and what needs to change to ensure that future U.S. elections are secure.

33x61 Haft für Whistleblower?

  • 2016-12-28T00:00:00Z1h

Speaker: RA Ulrich Kerner

The new criminal offence of handling stolen data (Datenhehlerei) under § 202d StGB criminalizes whistleblowers and threatens a prison sentence of up to three years or a fine. This weakens civil society and prevents important processes of democratic scrutiny.
In December 2015, along with the data retention law and initially unnoticed by the public, the Bundestag made „Datenhehlerei“ (handling stolen data) a punishable offence and enacted § 202d StGB. According to the legislature, the offence is meant to close a gap in the area of cybercrime and to cover the sale of unlawfully obtained data with which buyers typically commit crimes. This concerns, for example, the illegal trade in credit card data, bank account details and login data for online shops.
At first glance that is quite acceptable. However, criminal liability is not limited to these cases, because whistleblowers are also affected by the new provision. Anyone who passes on unlawfully obtained data whose publication is of very great interest to the general public is likewise liable to prosecution. That, however, harms the democratic polity and prevents social grievances from being brought to light.

Speaker: Michaela Vieser

From her book „Von Kaffeeriechern, Abtrittanbietern und Fischbeinreißern – Berufe aus vergangenen Zeiten“: it is about occupations that have simply disappeared and whose names have already sunk into insignificance. But what did a Kaffeeriecher (coffee sniffer), for example, do? He was no hipster barista, but an outgrowth of the policies of Friedrich II: because of the smuggling of coffee beans, Friedrich II felt compelled to send retired war veterans through Berlin. They were allowed to force their way into citizens' homes to find untaxed coffee. In doing so they violated privacy and literally sniffed out an offence. Unlike surveillance on the net today, they were loud and coarse and not invisible. Citizens hated them so much that they rose up against them. After only eight years the haunting was over; the coffee sniffers were retired by popular protest. If only it were that simple today.
Searching meticulously for facts, forms and connections also produced the commissioned work „Altes Handwerk“ for the Stiftung Preußischer Kulturbesitz: for a year Michaela Vieser rummaged through the archives of the BPK; some of the pictures were stored in an old bowling alley in an officers' mess in Charlottenburg. The photographs date from a time when the photographer himself was still a craftsman. The pictures clearly reveal the aesthetics and functionality of the new occupation. The book was presented on the radio in a joint interview with the Federal Minister of Labour, and for more than two years it was the most important book of the publisher Braun editions.
The follow-up work „Das Zeitalter der Maschinen – Von der Industrialisierung des Lebens“ deals with the transition into the Industrial Revolution:
„Die Zeit“ writes: „Since industrialization, machines have determined our everyday lives; back then they were made of iron and steel, and some were larger than life. Today we think about the tiny

33x63 Die Sprache der Populisten

  • 2016-12-28T00:00:00Z1h

Speaker: Martin Haase/maha

With the rise of right-wing populists (not only in Germany), populist positions are increasingly accepted, even though they are supposed "certainties" that turn out to be unacceptable on closer inspection. Such positions are not based on comprehensible argumentation but on linguistic and rhetorical tricks that are basically easy to see through, yet more and more people fall for them. This talk will show what these tricks are and how populists can be unmasked. It will become clear that more than one party is susceptible to populist slogans.
Populism consists of advocating simple political "certainties" that easily find supporters (that is, are popular). Instead of backing these positions with arguments, which is often impossible or at least not very convincing, populists often work with stereotyping and sham arguments. Populists often refer to the "right of the stronger" (the majority) and present this as "democratic", although the protection of minorities is an essential feature of democratic systems. At the same time, a minority is made the scapegoat. A populist demand is often reduced linguistically to a simple formula ("Obergrenze" (upper limit), "Kinder statt Inder" (children instead of Indians), "Flüchtlingswelle" (wave of refugees), "Leistung muss sich wieder lohnen" (performance must pay off again) etc.), often using particular tricks, e.g. insinuations (more precisely: presuppositions or implicatures) and framing (placement in a larger, possibly unsuitable context). Engaging with populist sham arguments is dangerous because untenable positions on which the argument rests (e.g. a particular framing) are then often unconsciously accepted and no longer questioned.

33x64 Copywrongs 2.0

  • 2016-12-28T00:00:00Z1h

Speaker: Julia Reda

EU copyright reform plans threaten freedom of expression: Commissioner Günther Oettinger wants to make sharing even the tiniest snippets of news content subject to costly licensing, and obligate internet platforms to monitor all user uploads. We can still stop these proposals – if you join the fight now.
Two years ago, I laid out the urgent need for EU copyright reform at 31c3. Now the reform proposal is finally on the table – but Commissioner Oettinger has let big business interests hijack it.
Instead of updating copyright law to better fit the digital age, he wants to try to use it to make the internet fit the established business models of analogue industry giants:
• The link is under attack: Extra copyright for news sites would make most ways of sharing even 20-year-old news articles illegal without a license. Website owners, news aggregators, social networks, curation/bookmarking apps, „read later“ services, etc. would need to pay news sites for linking to them with even the shortest of teaser snippets.
• Internet platforms would be obligated to scan all user uploads for copyright infringements – a huge burden on community projects like Wikipedia as well as EU startups. Because robots are bad at evaluating when copyright exceptions apply, lots of legal works would be taken down.
• The new copyright exception for text and data mining would restrict the freedom to do so to public institutions. Hackers and amateur scientists would be left out in the cold.
• The proposals leave discriminatory geoblocking and restrictions on the freedom of panorama here to stay.
We must stop these proposals from harming the internet. I’ll lay out how you can help.

33x65 No USB? No problem.

  • 2016-12-28T00:00:00Z1h

Speaker: Xobs

How to get USB running on an ARM microcontroller that has no built in USB hardware. We'll cover electrical requirements, pin assignments, and microcontroller considerations, then move all the way up the stack to creating a bidirectional USB HID communications layer entirely in software.
USB is amazing. It's hot-pluggable, auto-negotiating, and reasonably fast. It's robust, capable of supplying power, and works cross-platform. It lives up to the “Universal” claim: your PC definitely has USB, but it may not have TTL Serial, I2C, or SPI available. Hardware USB support is available in all manner of embedded microcontrollers. However it's not available on all microcontrollers, and integrating a hardware USB PHY can double the cost of a low-end microcontroller. This problem is particularly acute in the sub-$1 microcontrollers: a companion USB PHY chip would typically cost more than the microcontroller (example: the MAX3420E USB-to-SPI adapter costs around $5), so your only option for USB is to get your hands dirty and bit bang the missing protocol.
This talk describes the implementation of a new bitbanged USB stack, starting with a primer on the USB PHY layer and continuing up the stack, concluding with "Palawan", a feature-complete open-source bitbanged USB Low Speed stack available for use on microcontrollers priced for under a dollar. We'll go over requirements for getting USB to work, as well as talking about USB timing, packet order, and how to integrate everything together.
Unlike other bitbang USB implementations such as V-USB and LemcUSB, Palawan makes fewer assumptions about GPIO layout. With Palawan, USB's D+ and D- signals can be on different GPIO banks, and need not be consecutive. By doing so, more pins are available to the user, making it easier to use with devices that have special restrictions on what pins can do what. The only requirements are that both GPIO pins can be both inputs and push-pull outputs, and that at least one pin c

33x66 Hacking Reality

  • 2016-12-28T00:00:00Z1h

Speaker: Kate Genevieve

Inspired by a long history of bold reality hacks this talk considers the kinds of potentials opening up through emerging Virtual Reality (VR) and Mixed Reality technologies. In this current moment of climate crisis and structural metamorphosis how can we work with powerful immersive technologies to understand our own perceptual systems, to radically communicate and to innovate new ways of being together?
Our physical body and the spaces we inhabit seem very real, but what is this sense of reality – of presence in the world – and is it simply a story told to us by our brain, a neural fiction? Just over a decade ago, neuroscientists at Princeton discovered the ‘rubber hand illusion’, a way of persuading the brain to incorporate a fake hand into its internal body image, so that the fake hand became a felt part of the body. Since then, scientists and virtual reality experts have developed ‘full body’ illusions showing how our attachment to our whole body is somehow provisional and flexible.
The talk will consider these strange findings and what potentials are emerging through creative VR projects. I will discuss my own work with Virtual Reality, which investigates how immersive audio, visual, touch and haptic environments enable us to "slip our moorings" and experience transformed relationships to our environment, to other people and to our own bodies. I’ll describe the interdisciplinary experimentation undertaken in the Sackler Centre's Labs and the development of visual technologies and multi-sensory techniques that invite audiences to investigate the architecture of their own subjective experience for themselves.
Our understanding of what it is to be human is undergoing a dramatic seachange: a biological, embodied, emotional and fundamentally social understanding of human subjectivity is emerging across disciplines. These powerful immersive technologies and techniques for hacking the human sensory system have uses beyond

Speakers: anna, Andre Meister

Germany has a good reputation for strong data protection. It also features the only parliamentary inquiry committee investigating the Snowden revelations. But what are actual results of parliamentary, journalistic and public engagement?
What did we learn from 3 years of debate on secret service surveillance? What did the inquiry committee find out? What are political consequences?
Is Germany really a desirable role model in the anti-surveillance movement? Or at least efficiently controlling its own secret services?
We’ll provide answers. They might change your perception of how Germany deals with the fundamental right to privacy.
The speakers work for netzpolitik.org, the leading news outlet on digital rights in Germany. They have published many classified documents on surveillance, dodged treason-charges, and live-transcribe every hearing of the parliamentary inquiry committee on mass surveillance, totaling over 3.000 pages of text.

33x68 Einführung zu Blockchains

  • 2016-12-28T00:00:00Z1h

Speaker: vimja

Blockchain is the technology that makes modern cryptocurrencies possible. The talk explains how blockchains work in general. Using the Bitcoin blockchain, it also shows how these functions can be implemented in a real system.
Blockchain is the technology behind Bitcoin. It makes cryptocurrencies possible in the first place, and most processes in modern cryptocurrencies can be shown and explained using the respective blockchain.
The talk gives an introduction to blockchains. It shows what blockchains are meant to achieve and how they achieve it. The fundamental properties are explained using an abstract model:

How is consensus established

How do blockchains protect against double spending

How do blockchains protect against attacks on individual participants of the P2P network

What is a proof of work and what role does it play for security

How can the state be distributed efficiently to all participants

Using the Bitcoin blockchain, the talk also shows how these functions can be implemented in a real system. It also covers how light clients work. The structure of Bitcoin blocks and the protection of transactions by means of a Merkle tree play a particularly important role here.
The talk focuses on blockchain technology. Functions and implementation details of Bitcoin that are not directly related to the blockchain are not covered. The properties of public, POW-based blockchains are covered; private blockchains, such as those being developed in financial institutions, are not covered.

Speakers: Steini, Ruben Neugebauer, benthor

Refugees are dying in the Mediterranean Sea. Thousands of them.
We are building fixed wing drones, autonomously searching for refugee-vessels in a radius of 50km around a base-ship.
The association "Seawatch e.V." has bought two well equipped Ships to help and rescue those people. But to help them we first have to find them.
CCC-Berlin and "Sea Watch e.V." are working together to use high tech for humanitarian projects.
In this talk we will explain the situation in the Mediterranean Sea and show possibilities to help refugees in mortal danger with high tech.
We will present a smartphone app for organising the multidimensional chaos in the Mediterranean Sea and we explain in depth, how the development of the drones is proceeding, what already works and which challenges are still waiting.
After some deliberation, we reluctantly decided to give this talk in German since we have a lot to show and talk about within a constrained time window. However, live translation services should be available via streaming (or DECT) so our international guests can participate. Of course, questions asked in English are welcome as well.

Speaker: Clifford

Yosys is a free and open source Verilog synthesis tool and more. It gained prominence last year because of its role as synthesis tool in the Project IceStorm FOSS Verilog-to-bitstream flow for iCE40 FPGAs. This presentation however dives into the Yosys-SMTBMC formal verification flow that can be used for verifying formal properties using bounded model checks and/or temporal induction.
Unlike FPGA synthesis, there are no free-to-use formal verification tools available and licenses for commercial tools cost far more than most hobbyists or even small design companies can afford. While IceStorm was the first complete free-as-in-free-speech synthesis tool-chain, Yosys-SMTBMC is the first free Verilog verification flow for any definition of the word "free".
Because of the prohibitive pricing of commercial tools it can be expected that most audience members have never had a chance to work with formal verification tools. Therefore a large portion of the presentation is dedicated to introducing basic concepts related to formal verification of digital designs and discussing small code examples.

Speaker: Christopher Soghoian

We didn’t win the second crypto wars. Governments merely made a strategic retreat and they’ll be back. Although they will likely give up on trying to regulate or prohibit encryption, we should expect that malware and law enforcement hacking will play a starring role in the next battle in the crypto wars.
In a world where encryption is increasingly the norm, the cops aren’t going to give up and go home. No, they’ll target our scarily insecure mobile devices and computers. How did we get here, what's going on, and what can we do to stop it? Come to this talk to find out.
For more than fifteen years, the FBI has had a dedicated hacking team. Until recently, this team’s hacking operations were shrouded in near-complete secrecy. That is slowly starting to change. And while we still don’t know a lot, what we have learned is alarming. For example, in order to deliver malware, the FBI has impersonated journalists and engaged in bulk-hacking operations that targeted users of legitimate communications services (TorMail).
As the next crypto wars unfold in Washington, London and Brussels, we should expect to see law enforcement hacking play a central role in the debate. With the mass, default adoption of full disk encryption storage and end-to-end encryption for communications, law enforcement agencies will no doubt struggle to acquire data that has traditionally been easy for them to get. This will likely result in two significant policy shifts – first, it will force law enforcement hacking out of the shadows, and second, it will cause hacking tools to trickle down from elite, well-resourced federal law enforcement units to regional and local cops, who are most impacted by encryption, the least technically sophisticated and the most likely to abuse hacking tools.
If a world in which the FBI hacks is scary, just wait until local police departments are doing it too.
We must stop the spread of hacking as a law enforcement tool,

Speakers: Lena Rohrbach, Sönke Iwersen, Robert Tibbo

On June 9, 2013, Edward Snowden revealed massive civil rights abuses by the NSA. On June 10, Snowden didn’t know where to hide.
Snowden’s revelations had started the greatest intelligence man hunt in history. The entire US secret service apparatus was looking for the American Whistleblower. Every policeman in Hong Kong was on the lookout. And hundreds of journalists were flooding the city to find the man who shocked the world.
No one could find him. On June 23, Snowden boarded a plane to Moscow. In the two weeks before that, he had simply been invisible.
For three years, these two weeks have been unexplained. Then, investigative journalist Sönke Iwersen from the German newspaper Handelsblatt filled in the gaps.
Today, Sönke will present the people who kept Snowden alive: rights lawyer Robert Tibbo, who is coming from Hong Kong to Hamburg to join us on stage. Ajith, a former soldier from Sri Lanka. Vanessa, a domestic helper from the Philippines. And Nadeeka and Supun, a refugee couple in Hong Kong.
Without any preparations, these five men and women were given an almost impossible task: Hide the most wanted man alive. This hour at 33c3 will tell how they succeeded. You will learn about Snowden’s days in hiding, the human rights situation for refugees in Hong Kong, and how you can help both Snowden and the refugees who saved his life. Also, you will hear the latest news on Edward Snowden himself. Lena Rohrbach from Amnesty International will tell you about the Pardon Snowden Campaign and how you can participate. Time is running out!

Speakers: Guido Schmitz (gtrs), dfett

Many web sites allow users to log in with their Facebook or Google account. This so-called Web single sign-on (SSO) often uses the standard protocols OAuth and OpenID Connect. How secure are these protocols? What can go wrong?

OAuth and OpenID Connect do not protect your privacy at all, i.e., your identity provider (e.g., Facebook or Google) can always track where you log in. Mozilla tried to create an authentication protocol that aimed to prevent tracking: BrowserID (a.k.a. Persona). Did their proposition really solve the privacy issue? What are the lessons learned and can we do better?

Most ordinary web users have accounts at (at least) one of the big players in the web: Facebook, Google, Microsoft (Hotmail, Live), or even Yahoo. Also, many of these users are always logged in at some web sites of these companies. For web sites by other parties, it seems convenient to just re-use this already established authentication: They do not need to annoy the user with registration and login, and these web sites also do not need to maintain and protect an authentication database on their own. This is where SSO protocols come into play -- most often OAuth 2.0 or OpenID Connect. Both protocols have in common that they even require that the identity providers track where users log in. The only attempt so far to better protect the user's privacy is Mozilla's BrowserID (a.k.a. Persona).

We have analyzed these SSO protocols and discovered various critical attacks that break the security of all three protocols and also break the privacy promise of BrowserID. In our research, however, we aim to get positive security proofs for such SSO systems: We will discuss fixes and redesigns and whether it is possible to create a secure and privacy-respecting SSO.

Contents of the talk:

How do OAuth, OpenID Connect, and BrowserID protocols work?

Attacks on these protocols!

Can we make SSO great again?

33x74 A world without blockchain

  • 2016-12-28T00:00:00Z1h

Speaker: Mark van Cuijk

Instant money transfer, globally without borders and 24/7. That’s one of the promises of Bitcoin. But how does national and international money transfer work in the world of banks?

I moved from the world of Bitcoin and blockchain to the world of domestic and international payments at banks. I had a lot of questions and managed to get my job moving in the place where I can learn how those things work and to get answers. In this presentation, I’m going to share what I’ve learned and I’ll help you understand something about the current payment systems that exist in the world.

The topics I’ll bring are going to present some answers to the following questions:

How do banks communicate?

Why does a payment between two banks take longer than a payment within a single bank?

Where is the money when it’s debited from my account, but not yet in the beneficiary account?

Why are international payments so expensive?

We can do instant payments with credit cards, how come normal bank transfers aren’t instant?

!!! This event is not going to be recorded !!!

The bereaved families' fight for the truth

Five years after the "Nationalsozialistischer Untergrund" (National Socialist Underground) became known, the NSU-Monologe (NSU Monologues) tell of the years-long struggles of three families of victims of the NSU, those of Elif Kubaşık, Adile Şimşek and İsmail Yozgat: of their courage to stand in the front row of a funeral march, of the strength of will to demand the renaming of a street, and of the attempt to defend their own memory of the person they loved against the supposed truth of the authorities.

Event in German with Turkish and English surtitles

Audience discussion afterwards with:
Nissar Gardi,
adviser at the project "Empower. Beratungsstelle für Betroffene rechter, antisemitischer und rassistischer Gewalt"
& Andreas Kienzle,
lawyer representing the Yozgat family as joint plaintiff.

33x76 Build your own NSA

  • 2016-12-28T00:00:00Z1h

Speakers: Andreas Dewes, @sveckert

When thinking about surveillance, everyone worries about government agencies like the NSA and big corporations like Google and Facebook. But actually there are hundreds of companies that have also discovered data collection as a revenue source. We decided to do an experiment: Using simple social engineering techniques, we tried to get the most personal you may have in your possession.
When thinking about surveillance, everyone worries about government agencies like the NSA and big corporations like Google and Facebook. But actually there are hundreds of companies that have also discovered data collection as a revenue source. Companies which are quite big, with thousands of employees but names you maybe never heard of. They all try to get their hands on your personal data, often with illegal methods. Most of them keep their data to themselves, some exchange it, but a few sell it to anyone who's willing to pay.
We decided to do an experiment: Using simple social engineering techniques, we tried to get the most personal you may have in your possession. Your “click-stream data”, every URL you have been visiting while browsing the web.
After a couple of weeks and some phone calls we were able to acquire the personal data of millions of German Internet users - from banking, over communication with insurance companies to porn. Including several public figures from politics, media and society. In the talk, we'll explain how we got our hands on this data, what can be found inside and what this could mean for your own privacy and safety now and in the future.
* Introduction & background
* Who collects data and for which purposes
* How we got our hands on a large data sample
* What's in it? Detailed analysis of the data set
* How does it work? Analysis of the collection methods
* Outlook: Can we still save our privacy?

Speakers: Will Scott, Philipp Winter

2016 has been marked by major shifts in political policy towards the Internet in Turkey and Thailand, a renegotiation of the responsibilities of content platforms in the west, and a continued struggle for control over the Internet around the world. Turbulent times, indeed. In this session, we'll survey what's changed in Internet surveillance and censorship in the last year, and provide context for the major changes affecting the net today.
The good news is that the community's ability to monitor and act as a watchdog on policy changes is continuing to develop. The Open Observatory effort has set its sights on monitoring country policy, the US Department of State has called for proposals in the area, infusing additional money, and groups like Access Now and Great Fire are working on regular measurement of services and access technologies.
As we move from an Internet regulated by DPI and technical controls to one dominated by mobile applications and legal regulations on companies, our ability to argue for policy change from an accurate factual basis is critical for advocacy and our continued right to expression. This session will arm you with an updated set of facts for your discussions in the coming year.

Speaker: tihmstar

This talk is about the iOS secure boot chain and how it changed throughout different iOS versions, while focusing on downgrading despite countermeasures.
It will explain basics like what SHSH blobs and APTickets are and how IMG3 and IMG4 file format works.
Also a new technique called "prometheus" will be introduced which allows for the first time downgrading 64bit devices.
This talk shows how Apple's secure boot chain works and what changes were made with new software and hardware updates.
It explains how the boot/restore process works, what SHSH blobs and APTickets are and how they are structured.
Each time a new feature is introduced to improve the secure boot chain, a technique is shown how it can be bypassed in order to downgrade.
This talk recaps how it was possible to downgrade with TinyUmbrella and limera1n back in the old days and presents a new approach by showing how a technique called odysseus is able to downgrade newer 32bit devices.
It is pointed out why Basebands are such a pain when trying to downgrade, as well as why odysseusOTA is able to downgrade Basebands anyways.
Components new to 64bit devices like IMG4 file format and SEPOS are introduced and embedded into the context of downgrading.
At the end a new technique called "prometheus" is presented, which is the first one to be able to downgrade 64bit devices and also the first method since the introduction of APTickets which can work without a Jailbreak or Bootrom/iBoot exploits.

Speaker: David Kriesel

Since mid-2014, David has systematically stored almost 100,000 articles from Spiegel-Online. He will present and explore this mass of data in a colourful talk.
The talk gives deep and surprising insights into the behaviour of perhaps Germany's biggest opinion maker. Afterwards you will read Spiegel-Online with different eyes.
He also gives a generally understandable overview of what is possible with today's data analysis. So you may also pay more attention to what data about yourselves you let onto the Internet.
The talk has three common threads:
1) We reverse engineer Spiegel-Online. We really take the data set apart and look at Spiegel-Online from many completely new angles. All of this will be colourful, entertaining and vivid, so that it is accessible to techies and non-techies alike. Why are some articles long and some short? Can you tell from articles whether the editors really stand behind them or not? Which editors are more closely connected with each other than others? Which content does Der Spiegel itself consider politically incorrect?
Can you really measure something like that from the outside, just like that? Believe it: you can. Some of the analyses may "only" yield what you could already have guessed. Others will give us surprising results. And sometimes you discover patterns where you did not expect any at all. In short: we will be creative. We will learn something, and so will Spiegel-Online.
2) An overview of "data science". We look not only at the approach but also at the possibilities and societal dangers of the mania for collecting and analysing data. Throughout the talk, David will illustrate various methods of data analysis using the Spiegel-Online data set, in a relaxed and non-mathematical way. Not with formulas, but with colourful graphics. After the talk

33x80 Intercoms Hacking

  • 2016-12-28T00:00:00Z1h

Speaker: Sebastien Dudek

To break into a building, several methods have already been discussed, such as trying to find the code
paths of a digicode, clone RFID cards, use some social engineering attacks, or the use of archaic methods
like lockpicking a door lock or breaking a window.

New methods are now possible with recent intercoms.
Indeed, these intercoms are used to call the tenants to access the building. But little study has been
performed on how these boxes communicate to request and grant access to the building.

In the past, they were connected with wires directly to apartments. Now, these are more practical and
allow residents to open doors not only from their classic door phone, but to forward calls to their home
or mobile phone. Private houses are now equipped with these new devices and it's common to find these
“connected” intercoms on recent and renovated buildings.

In this short paper we introduce the intercoms and focus on one particular device that is commonly
installed in buildings today. Then we present our analysis of an interesting attack vector, which already
has its own history. After this analysis, we present our environment to test the intercoms, and show some
practical attacks that could be performed on these devices. During this talk, the evolution of our mobile lab and some advances in attacks on 3G intercoms and M2M intercoms will also be presented.

Speaker: Dolu1990

For too long we have used VHDL and Verilog to describe hardware. SpinalHDL is an alternative language which does its best to prove that it is time for a paradigm shift in hardware description.
SpinalHDL is a Scala library which allows RTL to be described using object-oriented programming and functional programming.
This talk will present the basics of SpinalHDL and then show how this alternative approach offers a huge benefit in code clarity, genericity and reusability.

33x82 Durchmarsch von Rechts

  • 2016-12-28T00:00:00Z1h

Speaker: Friedrich Burschel

For some years, new racist, völkisch-nationalist and openly Nazi currents, groups and parties have been forming explosively on the right-wing fringe of society. The new brown clamour finds a frightening amplifier in social media, and its resonance now reaches far into the middle of society.
Part of the problem is institutional racism in the authorities and uncontrollable intelligence services that let the mob have its way: the NSU complex offers a shocking example of this. The left and the bourgeois centre stand rather bewildered and helpless before the new, very loud, but also tendentially violent and terrorist phenomenon of right-wing formation.
Now it is important to overcome this helplessness, to analyse what is happening and to come up with counter-strategies. That is "our" job.
When did it begin? When did the right-wing landslide start moving? Was it at the end of the 2000s with Eva Hermann? Was it Thilo Sarrazin's bestseller „Deutschland schafft sich ab“? Since then things have come thick and fast, and at the latest since the arrival of hundreds of thousands of refugees from global crisis regions there has been a permanent presence of racist protests such as Pegida on the streets and an alarming wave of open violence against refugees, migrants and leftists. According to the Federal Ministry of the Interior, around 2500 attacks and assaults on refugee accommodation, some of it inhabited, took place from 2014 to mid-2016; in spring 2016 even the Federal Criminal Police Office (Bundeskriminalamt) warned of the emergence of new right-wing terror groups à la NSU that feel encouraged to act by racist protests.

As if tens of thousands had only been waiting for the cue, sheer hatred is currently erupting in social networks against the establishment, against "filthy left-wing do-gooders", against "non-Germans" and refugees, progressive p

Speaker: hunz

This talk will explore the hard- and software of the Amazon Dash button.
While the old hardware-revision of the button has already been analyzed and can be repurposed easily, the new hardware-revision is locked more tightly to prevent tinkering.
In this talk a detailed teardown of the dash button hardware will be given. The talk will also have a closer look at the software running on the device and how communication with the server works.
Although the new hardware-revision of the button makes use of the controller lockbits to prevent the user from reprogramming the device, a method for running custom code on the device and extracting stored secret keys will be presented.

Speakers: Olga Kochetova, Alexey Osipov

How to stop ATM fraud? How to protect ATMs from attacks such as black box jackpotting? How to prevent network hijacking such as a rogue processing center or MiTM? Some of these issues can be fixed by configuration, some by compensating measures, but many only by the vendor. We will tell you what a bank can do now and what we, as a community of security specialists, should force vendors to do.
Guys with malicious intentions never sleep; they do their bad deeds all day and all night.
While you have your five-o'clock beer, they open the service zone of an ATM and connect a "magic box" that empties the ATM. Alternatively, sometimes the bank's security guys may watch video surveillance footage of a man in a hoodie doing something in a nearby corner of the ATM. Sure enough, the ATM is empty again! On the other hand, a bank may not have any video monitoring, so it cannot work out how the ATM became empty without any forensic evidence.
We have collected a huge number of cases of how ATMs can be hacked during our research, incident response and security assessments. A lot of malware infects ATMs through the network or locally. There are black boxes, which connect directly to the communication ports of devices. There are also network attacks, such as a rogue processing center or MiTM.
Previously we spoke about vulnerabilities and fraud methods used by criminals. Now we would like to combine our expertise to help the financial and security community with more direct advice on how to implement security measures or approaches to make ATMs more secure.

2016-12-28T00:00:00Z

33x85 Code BROWN in the Air

  • 2016-12-28T00:00:00Z1h

Speaker: miaoski

The talk is about the paging system, an old technology from the 90's used in healthcare, ICS and government, and presents a systematic review of the security impact it brings in the age of SDR, covering the United States, Canada, England and Japan. By sniffing known pager frequencies in the general vicinity of hospitals, factories and public facilities with a $20 DVB-T, we discovered that not only is pager technology alive and kicking, but much of the traffic is not encrypted, resulting in violations of privacy laws and, more importantly, leaks of sensitive information. The talk is not about the protocol or the hardware device.

Pagers were once very popular in the 90's. They did not disappear from the world as cellular technology phased in, but found a niche market in hospitals, industry control systems, public services and defense industries where low transmitting power or uni-directional transmission is mandatory. Just as with other old technologies, systematic risk can emerge as new technology, for example SDR, becomes affordable.

It has been well known since as early as 2013 that one can decode POCSAG and FLEX messages with SDR. After four months of observation, prudent metadata collection and data analysis, however, the researchers believe that the extensive use of email-to-pager and SMS-to-pager gateways, along with the unencrypted nature of the paging system, has a huge security impact on users and companies. Workflow software integrated with pagers can cause a huge leak of personal information. We can fix it only after people are fully aware of the status quo.

The talk is a summary of data analysis and a demonstration of how far passive intelligence using pagers can go, with scenarios including:
- Workflow systems in hospitals
- Patient tracking
- Pharmacy and prescription
- Nuclear plants
- Power stations
- ICS and HVAC in chemical and semiconductor companies
- Automation and intelligence in defense sector
- SNMP

Speakers: Joachim Schautenbach, Pia Fortunata

The talk gives an outline of the history of the parliamentary brawl, places it politically and geographically, and then shows the different types and forms using video material and analyses them together with the audience.
The two speakers have jointly run the world's only specialist blog on parliamentary brawls since 2010.
Do you find parliamentary debates deadly boring? Do you fall asleep watching Phoenix TV? Does political struggle sound like nothing but history books to you? Do unlikeable members of parliament trigger fantasies of violence in you?
We have the solution to all these problems: international parliamentary brawls!
The two speakers take great pleasure in running a specialist blog on this form of hands-on parliamentary dispute. In seven years they have collected over 100 videos of members of parliament scuffling, punching, kicking, and turning quite a few pieces of furniture into weapons.
In this entertaining evening talk they give a short outline of the history of the parliamentary brawl, show different types and forms, award prizes for extraordinary achievements, and even present the latest scientific findings on the subject. But don't worry: it stays entertaining.

2016-12-29T00:00:00Z

33x87 Fnord-Jahresrückblick

  • 2016-12-29T00:00:00Z1h

Speakers: Fefe, frank

When the censor has once again gone off for a pee, when NOBODY could possibly have seen THAT coming, when it is about democratically legitimised construction management or about steel balls, then it is once again time for a relaxed evening show with the highlights and lowlights of the year.
Lean back, get the bubble wrap into position, apply the callus cream to the facepalm bruises on your forehead, open the popcorn and enjoy the relaxed evening revue of the year 2016!

Speakers: Bill Marczak, John Scott-Railton

In August 2016, Apple issued updates to iOS and macOS that patched three zero-day vulnerabilities that were being exploited in the wild to remotely install persistent malcode on a target’s device if they tapped on a specially crafted link. We linked the vulnerabilities and malcode to US-owned, Israel-based NSO Group, a government-exclusive surveillance vendor described by one of its founders as “a complete ghost”.
Apple’s updates were the latest chapter in a yearlong investigation by Citizen Lab into a UAE-based threat actor targeting critics of the UAE at home and around the world. In this talk, we will explain how Citizen Lab discovered and tracked this threat actor, and uncovered the first publicly-reported iOS remote jailbreak used in the wild for mobile espionage. Using the NSO case, we will detail some of the tools and techniques we use to track these groups, and how they try to avoid detection and scrutiny. This investigation is Citizen Lab’s latest expose into the abuse of commercial “lawful intercept” malcode.
We will begin the presentation with our discovery and investigation of a UAE-based threat actor we call Stealth Falcon, and explain how a small error in the operators’ operational security led us to a mobile attack infrastructure consisting of hundreds of servers, which we determined was associated with NSO’s Pegasus product. We will detail the Internet scanning we undertook to enumerate this infrastructure, and some techniques we used to try and find “live” exploit links.
It was through these techniques that we identified suspicious links sent via SMS to UAE human rights defender Ahmed Mansoor. We will describe how we caused the exploit server to “fire”, and how we determined that it served us a one-click zero-day iPhone remote jailbreak to deliver NSO’s Pegasus, a powerful and sophisticated piece of government-exclusive malcode.
We will outline the functionality of the ex

2016-12-29T00:00:00Z

33x89 radare demystified

  • 2016-12-29T00:00:00Z1h

Speakers: pancake

radare is a libre framework and a set of tools to ease several tasks related to reverse engineering, exploiting, forensics, binary patching, and more. This year, the project turns 10 years old.
In the process, the design evolved and several new functionalities have appeared, defining better development rules, improving code reviews and introducing RDD and fuzzing as part of the development process. Constant refactoring, writing usage examples and documentation, and giving talks to enlarge the community have been key elements in reaching the great user base and health the project enjoys nowadays.
This year, in order to celebrate the 10th anniversary, the author organized the first r2con, a congress around the tool that aims to be an excuse for sharing knowledge, tools and scripts about what different parties and people are doing with it.
The congress was pretty successful and made it possible to meet developers, users and other interested parties to learn more about the future of the tool and understand its capabilities.
This talk will show the evolution and structure of the project, its roots and some of its most notable capabilities, with several usage examples to show attendees the power in functionality and extensibility the tool provides.
The target for this talk is everyone, from beginners to experts, from curious to skeptics.

Pseudo-random number generators (PRNGs) are critical pieces of security
infrastructure. Yet, PRNGs are surprisingly difficult to design,
implement, and debug. The PRNG vulnerability that we recently found in
GnuPG/Libgcrypt (CVE-2016-6313) survived 18 years of service and several
expert audits. In this presentation, we not only describe the details of
the flaw but, based on our research, explain why the current state of
PRNG implementation and quality assurance downright provokes incidents.
We also present a PRNG analysis method that we developed and give
specific recommendations to implementors of software producing or
consuming pseudo-random numbers to ensure correctness.

33x91 CCC-Jahresrückblick 2016

  • 2016-12-29T00:00:00Z1h

Speakers: frank, Linus Neumann, Constanze Kurz, nexus

We will give an overview of the topics that occupied the Chaos Computer Club in 2016. In addition to the summary and the look back at the past year, we want to venture a look into the future.

Speaker: Netanel Rubin

Smart City is an abstract concept everyone talks about but no one knows what it actually means. No one, except Energy utilities.
In this talk we will explore the vast world of Smart Energy, and see how energy providers used the "Smart City" concept to get better control over our energy consumption, all while almost completely ignoring security aspects along the way.
Join me and see how Smart Energy is making our lives a little bit better, but also dangerously insecure.
While "Smart Cities" are starting to pop up all over the world, no city has ever standardized what that term actually means. Smart Energy, on the other hand, has been standardized both by governments and by large private utilities.
This positive regulation made the Smart Energy market one of the largest IoT industries today, with over 100,000,000 smart devices currently implemented at consumer premises by utilities all over the world.
In this talk we will dive into the Smart Grid, exploring security issues both in the utility infrastructure and in the Smart Meters present at consumers' premises. We will explore the magical world called ZigBee, the confusing world of incomplete RFCs, and the hazardous world of insecure wireless devices that control your electricity grid.
You will leave this talk with a much better understanding of what's going on in your city, your energy provider, and, surprisingly, your home. And trust me, it won't make you feel any better.

2016-12-29T00:00:00Z

33x93 Lightning Talks Day 3

  • 2016-12-29T00:00:00Z1h

Speakers: Ben Gras, Kaveh Razavi, brainsmoke, Antonio Barresi

We are 4 security researchers who have collectively worked on 3 different attack techniques that all (ab)use memory deduplication in one way or another. There is a cross-VM data leak attack, a cross-VM data write attack, and an in-sandbox (MS Edge) JavaScript data leak + full memory read/write attack based in MS Edge.
In this talk we detail how memory deduplication works and the many different ways it is exploited in our attacks.
Memory deduplication is a widely applied technique to reduce memory consumption in servers, VM hosts, desktop systems and even mobile devices. Deduplication maps multiple identical copies of a physical page onto a single shared copy with copy-on-write semantics. As a result, a write to such a shared page triggers a page fault and is thus measurably slower than a write to an unshared page. Prior work has shown that an attacker able to craft pages on the target system can use this timing difference as a simple single-bit side channel to discover that certain pages exist in the system.
In this talk, we show that the security implications of using memory deduplication are much more severe than initially assumed. We show that by maliciously programming memory deduplication, an attacker can build primitives to read arbitrary data from memory and even write to memory in a limited but powerful way. We exemplify these primitives using three attacks that we have recently developed.
The first attack, CAIN, uses memory deduplication to brute-force ASLR’s entropy bits from a co-hosted victim VM. The second attack, Dedup Est Machina, extends CAIN in order to leak arbitrary data such as ASLR heap/code pointers and password hashes in a victim’s browser from JavaScript. Using the leaked pointers, Dedup Est Machina uses a Rowhammer exploit to own Microsoft Edge without relying on a single software vulnerability. The third attack, Flip Feng Shui, uses memory deduplication to control the p

Speakers: LaForge, holger

Let's have a detailed look at some modern 3G/4G cellular modems and see what we can find out about their internals using undocumented debug interfaces and software or hardware based hacking techniques.
Cellular modems are not only present in smartphones, tablets and laptops, but these days also in many M2M and internet-of-toilets (IoT) applications. Long gone are the days when those modules were GSM/GPRS/EDGE only with ancient ARM7TDMI or ARM926EJS cores and a relatively small-sized firmware in the range of kilobytes to very few megabytes, like on the famous OsmocomBB supported phones.
Modern cellular modems re-use the cellular chipsets of smartphones of one or two generations ago, like the MDM9615 used in the iPhone 5. As those chipsets contain plenty of processors and are quite sophisticated SoCs on their own, one can even find (undocumented) Linux or Android in some modems, which of course makes them a very attractive target for further exploration or running your own code inside the modem.
We will give a short overview of the current market of cellular modems, the major chipset suppliers and chipset families and then pick one or two examples and show the methods used for reverse engineering them to a point where they can be used for much more than the AT command or QMI interface officially documented/supported by the manufacturer. This includes the execution of custom code inside modems, as well as protocol tracing of the air-interface. We'll also look at the FOTA (Firmware Update Over The Air) features, and perform a security analysis of our findings.
This talk sees itself as following the tradition of various baseband processor related talks at many CCC events of the past decade, including 25C3: Anatomy of smartphone hardware and 28C3: Reverse-engineering a Qualcomm baseband.
Both speakers (Harald Welte and Holger Freyther) have been working on Free Software related to cellular telephony for more than a decade, including

Speakers: Agnes, Christopher Talib

France has been under a state of emergency since November 2015. Several laws and a more intrusive surveillance framework, infringing rights and freedoms, have been adopted in recent years in the name of the fight against terrorism.
Privacy, freedom of expression… these words could soon disappear from the French vocabulary as the number of measures increases at the same time as their intensity. We will show how it happened and what actions we are taking to try to defend everyone's rights to privacy and freedom of speech.
The next French presidential elections will take place in spring 2017 under the state of emergency, while all the recently adopted laws are making our national motto „liberté, égalité, fraternité“ out of date. Furthermore, the growing drift toward surveillance is undermining privacy, even though it is a fundamental right and a sine qua non for freedom.
We are looking back on the three-year span of laws adopted on surveillance in France as well as the more than one-year-old state of emergency. What does that mean for our rights? What is at stake? Toward which model of society are we heading?
What can we learn from the French experience? Let’s find out.

Speaker: bunnie

The participation of women in computer education is low; undergraduate classrooms in Germany were only 10% female in 2000[1]. The picture at the primary school level is fuzzier, as students do not declare majors at that level, but evidence indicates the trend starts from a young age. Can we make computer education more gender-inclusive? Presenting technology in familiar, non-threatening contexts can lead to more balanced gender participation. For example, Chibitronics uses the context of papercraft to present electronics to beginners; the familiarity of papercraft improves the participation of women of all ages in the creation of electronics. Based on these learnings, we have devised the “Love to Code” platform, an open source hardware-to-cloud stack which combines the familiarity of paper craft with a web-based, driver-free embedded firmware development environment based on FSK audio provisioning via a headphone jack. In this talk, we will dive into the novel open source technical contributions of this platform, which includes the audio-based provisioning protocol and the unique rigid-flex design of the circuitry enabling papercraft integration, as well as the multi-threaded client OS and cloud infrastructure required to complete the picture. This combination of new technology with familiar interfaces aims to lower the barrier to computer education, thus making coding a more accessible and inclusive activity.
Computer technology tends to be a male-dominated field. One study from 2002 placed female participation in undergraduate computer education classrooms around 10% for Germany, and 26% for the US[1]. The picture is fuzzier at the primary school level, because students do not declare majors at such a young age, but evidence indicates that this strong gender bias has roots extending to primary school. Can we make computer education more inclusive? There is evidence that presenting technology in familiar, non-threatening contexts can lead to

2016-12-29T00:00:00Z

33x98 Machine Dreams

  • 2016-12-29T00:00:00Z1h

Speaker: Joscha

Artificial Intelligence provides a conceptual framework to understand mind and universe in new ways, clearing the obstacles that hindered the progress of philosophy and psychology. Let us see how AI can help us to understand how our minds create the experience of a universe.
Unlike the machine learning systems of the past, minds are not just classifiers or policy optimizers. Minds are not accumulators of knowledge about the world. Minds are generative systems: they actively produce the world that we subjectively experience. Ordinary day-time experiences are in fact dreams constrained by sensory data. This simple insight of contemporary cognitive science turns realist notions of embodiment on their head. The idea of the brain as a dreaming machine opens a way to understand the nature of our experiences.
This is the proposed fourth installment of a series of presentations about using AI perspectives to understand minds and their relationship to the universe. "How to build a mind" (30c3) suggested specifications for an architecture of cognition; "From computation to consciousness" (31c3) explored the mind's computational foundations; "Computational metapsychology" (32c3) discussed the individual and social construction of meaning. "Machine dreams" sketches how the computational machinery of our brains leads to our experience of a subjective world. We will look at the conductor theory of consciousness, some of the mental structures contributing to our models of self and world, and the unreasonable effectiveness of neural processes in modeling physics.

Speaker: jab

How do you build a pinball machine? We introduce you to all the basics and explain the different options for hardware and software. As an example, we show images of our own custom pinball machine.
This talk gives an overview of all the components in a pinball machine, which includes software and a lot of hardware. Afterwards, we go over all the steps of designing and building a pinball machine. We start with basic design rules, physical limits and best practices. Then, we focus on the mechanical and electronic components. After that, we talk about software and display (DMD vs LCD) options. At the end, we explain how to build or manufacture certain parts for your machine.
For the hardware, we talk about:
- EM, WPC and modern machines
- Coils and Switches
- Sources for mechanical elements
- Gi/Lamps
- RGB LEDs
- Display options (DMDs, LED-DMDs, LCDs) and how to control them
Electronics:
- Open Pinball Project (Open Hardware)
- Multimorphic P-Roc and P3-Roc
- FAST Pinball Boards
- Full custom options
- Fadecandy/Openpixel
- I2C and ServoControllers
Software options:
- Mission Pinball Framework (Disclaimer: I'm one of the authors)
- pypinprocgame/pypinprocgameHD
Building/Manufacturing Parts:
- Playfields (including printing)
- Cabinet
- Metal ramps
- Wire ramps
- Plastic ramps
- Plastics/Decals
- Inserts
- Mechanics

Speakers: Ali Abbasi, Majid

Input/Output is the mechanism through which embedded systems interact with and control the outside world. Particularly when employed in mission critical systems, the I/O of embedded systems has to be both reliable and secure. An embedded system’s I/O is controlled by a pin based approach. In this work, we investigate the security implications of embedded systems’ pin control. In particular, we show how an attacker can tamper with the integrity and availability of an embedded system’s I/O by exploiting certain pin control operations and the lack of hardware interrupts associated with them.
Embedded systems are widely used today in a variety of applications, such as consumer, industrial, automotive, medical, commercial and military. As such, they are often employed in mission critical systems that have to be both reliable and secure. In particular, it is important that their I/O (Input/Output) be stable and secure, as this is the way they interact with the outside world.
Digging into their architecture, we know that the I/O interfaces of embedded systems (e.g., GPIO, SCI, USB, etc.), are usually controlled by a so-called System on a Chip (SoC), an integrated circuit that combines multiple I/O interfaces. In turn, the pins in a SoC are managed by a pin controller, a subsystem of SoC, through which one can configure pin multiplexing or the input or output mode of pins. One of the most peculiar aspects of a pin controller is that its behavior is determined by a set of registers: by altering these registers one can change the behavior of the chip in a dramatic way. This feature is exploitable by attackers, who can tamper with the integrity or the availability of legitimate I/O operations, factually changing how an embedded system interacts with the outside world. Based on these observations, in this research, we introduce a novel attack technique against embedded systems, which we call pin control attack. As we will demonstrate in the work,

2016-12-29T00:00:00Z

33x101 Dissecting HDMI

  • 2016-12-29T00:00:00Z1h

Speaker: Tim 'mithro' Ansell

Ever wondered what is actually happening when a speaker can't get their laptop to project? While developing the FPGA-based HDMI2USB.tv open hardware for recording conferences, we discovered just how convoluted the HDMI protocol can be. Come hear all the horrible details!

The TimVideos.us group aims to make it easy for anyone to create high quality recordings of conferences and user groups. To achieve this goal we have developed the HDMI2USB.tv project, an FPGA based, fully open (hardware and firmware) solution for capturing HDMI video signals. The solution has been in use since late 2015 and used at numerous conferences such as Linux.conf.au, DebConf and many PyCon conferences around the world.

To be truly FOSS has however meant developing code for doing HDMI receiving and sending. Come hear about all the issues we have run into and the nitty gritty details about how it works (or doesn't!). By the end of the talk you will know more than you ever wanted to about the HDMI protocol!

This talk will cover:

- The HDMI video standard, including:
  - An overview of the many protocols and standards required.
  - A high level description of the low speed protocols needed such as DDC (EDID) and CEC.
  - An in-depth dive into the high speed TMDS protocol and encoding.
- How to build an HDMI receiver and transmitter to run on an FPGA.
- War stories from trying to use the HDMI2USB capture device for recording FOSS conferences, including:
  - Why your HDMI cable can actually matter.
  - Some of the reasons why plugging in a screen doesn't always "just work".
  - Doing error correction on a protocol which doesn't have any.

Speakers: ruedi, vgrass, Prof. Stefan Lucks

''Technologies for and against Digital Sovereignty''
Worldwide networking is the most profound change since the industrial revolution. In a time of excessive mass surveillance, digital sovereignty seems to make the use of privacy-friendly technologies imperative as an indispensable component of society's attempts at solutions.
In our contribution we would like to present hacker-relevant aspects and methods from a study for the Federal Ministry of Justice and Consumer Protection. These include cryptographic protocols (e.g. blind signatures, zero-knowledge protocols) and methods for the statistical analysis of confidential data (e.g. k-anonymity, differential privacy).

2016-12-29T00:00:00Z

33x103 A New Dark Age

  • 2016-12-29T00:00:00Z1h

Speaker: James Bridle

James Bridle is a British writer and artist living in Greece. His work explores the impact of technology on society, law, geography, politics, and culture. His Drone Shadow installations have appeared on city streets worldwide; he has mapped deportation centres with CGI, designed new kinds of citizenship based on online behaviour, and used neural networks and satellite images to predict election results. A New Dark Age is an exploration of what we can no longer know about the world, and what we can do about it.
The history of computation and the history of the weather are deeply intertwined. The possibilities of mathematical prediction have driven a belief in our ability to model and control the world. Today, the pervasive metaphor of "the Cloud" shapes how we think about the world - but not always in useful or democratic ways. James Bridle's Cloud Index explores this history and sets out a new model for thinking about the world with the cloud at its heart: a nebulous, ever-changing set of possibilities, founded on unknowing.
The Cloud Index (http://cloudindx.com, 2016) is an online artwork using neural networks to generate new weather patterns corresponding to differing electoral outcomes. The work challenges our ability to predict and thus control the future, and questions our intentions and ethics when it comes to the things we build.
Using the Cloud Index as a starting point, Bridle's lecture explores the military and political histories of computation, networking, and weather control. As the processes of computational thinking - the belief that the gathering of ever-increasing volumes of data and the application of vast engines of computing power - fail to produce coherence or agency in the world, Bridle suggests that we should take the Cloud at its word. Cloud thinking is the acknowledgement that we cannot know or predict everything, and our technology is trying to teach us a different way of seeing and understanding the world.

33x104 Talking Behind Your Back

  • 2016-12-29T00:00:00Z1h

Speakers: Vasilios Mavroudis, Federico Maggi

In the last two years, the marketing industry started to show a fast increasing interest in technologies for user cross-device tracking, proximity tracking, and their derivative monetization schemes. To meet these demands, a new ultrasound-based technology has recently emerged and is already utilized in a number of different real-world applications. Ultrasound tracking comes with a number of desirable features (e.g., easy to deploy, inaudible to humans), but alarmingly until now no comprehensive security analysis of the technology has been conducted. In this talk, we will publish the results of our security analysis of the ultrasound tracking ecosystem, and demonstrate the practical security and privacy risks that arise with its adoption. Subsequently, we will introduce some immediately deployable defense mechanisms for practitioners, researchers, and everyday users. Finally, we will initiate the discussion for the standardization of ultrasound beacons, and outline our proposed OS-level API that enables both secure and effortless deployment for ultrasound-enabled applications.
This talk will present the outcomes of the first comprehensive security study on the ultrasound tracking ecosystem.

This ecosystem remained almost unknown to the general public until recently, when a newly-founded company faced the nemesis of the security community and the regulators (e.g., the Federal Trade Commission) for its controversial tracking techniques. However, there are many more “traditional players” using ultrasound tracking techniques for various purposes, raising a number of levels of security and privacy issues with different security and privacy models.

In general, the main advantage of the ultrasound technology compared to already existing solutions is that it does not require any specialized equipment (unlike wifi and bluetooth), while it remains inaudible to humans. For this reason, the technology is already utili

2016-12-29T00:00:00Z

33x105 No Love for the US Gov.

  • 2016-12-29T00:00:00Z1h

Speakers: Jake Davis, Lauri Love, Mustafa Al-Bassam

Lauri Love has never set foot in the United States, yet he is facing a potential century in jail if extradited for his alleged involvement in #OpLastResort, an Anonymous-related protest action that occurred in response to the death of Aaron Swartz.
The case against Love, a Finnish and UK citizen, has profound implications for United States claims of global jurisdiction over the internet, for the treatment of neurodivergent individuals under the law, and for privacy rights in the UK and beyond.
Lauri has been involved in two important legal cases this year. In May, Lauri scored a rare victory for digital rights in the UK, ensuring the National Crime Agency did not establish a dangerous new precedent to compel the decryption of stored data. Then this summer, during his extradition hearings, a significant portion of defense testimony related to Love’s diagnosis with Asperger’s syndrome, his depression and long-term health symptoms for which he is under medical observation. Expert testimony reinforced the inadequacy, violence and injustice of the U.S. prison system for dealing with these concerns.
This September, a judge agreed that Lauri was at serious risk of self-harm, yet she approved his extradition nonetheless, reopening a debate in the UK over how to protect vulnerable individuals that was ostensibly resolved after Gary McKinnon’s extradition was blocked by Theresa May in 2012.
Ex-Lulzsec member Jake Davis, who was indicted in the United States but prosecuted in the UK, will give his take on Lauri’s case and its broader ramifications. Lauri himself will also participate via video link.
How does the possibility of Lauri’s extradition change the threat landscape for digital activists? Is there any way to prevent extradition being used as a tool of US global jurisdiction over the internet? Where has the law on both sides of the Atlantic failed Lauri, and what are the changes we

Speaker: Markus Landgraf

Why is it so hard to go to the Moon? The curse of Newtonian Mechanics and Tsiolkovsky's Rocket Equation force us to build huge rockets to achieve any meaningful activity on the Moon. There are two strategies to hack the laws of celestial mechanics: making fuel on the Moon and using cables to climb out of the gravity well. Here we focus on the latter, which is the Moon version of the famous space elevator. The difference from an Earth elevator is that an elevator to the Moon's surface is realistic with today's materials. The talk gives an introduction to the general problem and a starting point for a discussion that can easily lead to sustainable access to the Moon if there is demand for it.

Speakers: Michael Weiner, RFguy

The availability of inexpensive machinery and open-source CAD software has significantly lowered the effort of producing your own mechanical keys that we still called “secure” ten years ago.
Classic cylinder locks have already been analyzed extensively in the past, but what is the situation with more sophisticated mechanical locking systems?
We show how to determine the master key of a high-precision, high-priced master-key system. We also present our software and mechanical workflow, with which blanks and keys of a high-security system can be made on a “low cost” CNC mill. Compared with 3D printing, this gives us significantly higher precision and mechanical stability, and all for under 2 euros per key.
The availability of inexpensive machinery and open-source CAD software has significantly lowered the effort of producing your own mechanical keys that we still called “secure” ten years ago. For example, CAD data of TSA keys has been published and reproduced with 3D printers; at 32C3, tools for the automated creation of key blanks were shown. Classic cylinder locks have already been analyzed extensively in the past, as has the decoding of a master-key system, up to the 3D printing of protected key blanks from a simple photo.
But how can this knowledge be adapted and extended so that it can also be applied to more sophisticated systems? We show how to determine the master key of a complex master-key system. EVVA 3KS and KESO serve as examples. We explain how to use keys and locks as a source of information.
We also present our software and mechanical workflow, with which blanks and keys of a high-security

2016-12-29T00:00:00Z

33x108 Decoding the LoRa PHY


  • 2016-12-29T00:00:00Z1h

Speaker: Matt Knight

LoRa is an emerging Low Power Wide Area Network, a new class of wireless technology designed to connect everything from streetlights to intelligent mousetraps. I will discuss the design and security implications of LPWANs, dive deep into the LoRa PHY, and demonstrate sniffing and injection with an open source LoRa transceiver built on commodity Software Defined Radio tools.
This talk will demonstrate techniques for decoding the LoRa PHY layer and will introduce gr-lora, an open source implementation of the protocol. LoRa is a Low Power Wide Area Network (LPWAN), an emerging class of wireless technology optimized for embedded and Internet of Things focused applications. LoRa is unique because it uses a chirp spread spectrum modulation that encodes data into RF features more commonly encountered in RADAR systems. LoRa is also designed to operate in unlicensed ISM frequency bands, both avoiding costly spectrum licensing requirements and democratizing long-range network infrastructure to consumers and new commercial operators alike. After briefly introducing the audience to LPWANs, I will walk through the SDR and DSP techniques required to demodulate and decode LoRa packets. In addition I will discuss gr-lora, an open-source implementation of the PHY that can be leveraged to design LoRa security test tools and drive future research.

Speaker: Jan Wörner

Since the early successes of moon missions in the Sixties, mankind has moved on to the earth orbit and other deep space missions. But interest in the moon as a target has intensified recently as the strategies for future missions are evolving.

33x110 The woman behind your WiFi

  • 2016-12-29T00:00:00Z1h

Speaker: Anja Drephal

Used in cell phone technology, bluetooth devices, and WiFi, Frequency Hopping Spread Spectrum (FHSS) is often said to have been invented in the early 1940s by none other than Hollywood actress and sex symbol Hedy Lamarr. This talk will present the undeniably entertaining history of a well-known actress moonlighting as a military inventor as well as give an overview of the 100-year-old history of frequency hopping and its past and present uses.
Imagine no WiFi, no cell phones, no bluetooth. (Everything’s better with bluetooth!)
It is often said that we owe the convenience of all these modern technologies to Hollywood actress Hedy Lamarr and her invention of Frequency Hopping Spread Spectrum (FHSS) in the early 1940s. Do we?
Born Hedwig Eva Maria Kiesler on November 9, 1914, the daughter of an affluent Viennese family became famous at age 18 for starring naked and faking the first onscreen orgasm in history in the Czech-Austrian film “Ekstase” – fame which led to a successful Hollywood career after Hedwig Kiesler emigrated to the USA and renamed herself Hedy Lamarr. “The most beautiful woman in the world”, as director Max Reinhardt called her, starred in more than two dozen Hollywood movies over the course of twenty years, all the while being bored by the intellectual limitations her job offered. On the subject of what it takes to be a Hollywood sex symbol, she is quoted to have said “Any girl can look glamorous. All you have to do is stand still and look stupid.”
Lamarr had always been interested in science and technology and wanted to help the United States' war effort during World War II by doing more than just using her fame and physical beauty to sell war bonds and entertaining the troops at the Hollywood Canteen. In her spare time, she thought about torpedoes: powerful, yet hard to control weapons which might hit their targets more precisely when guided by radio signals. Lamarr knew that the problem with radio signal

2016-12-29T00:00:00Z

33x111 Berechnete Welt


  • 2016-12-29T00:00:00Z1h

Speaker: Karl Urban

Anyone who evaluates all our present-day data with self-learning algorithms will be able to roughly predict the near future. The instruments for this are ready, and many serious researchers are working on individual pieces. The consequences for society appear to be dire. Orwell is approaching fast.
Predictions long had a dubious reputation: from the ancient oracles with their own agenda to the opinion polls of the present. Serious researchers have always considered society too complex for the future to be reliably calculated in advance. But that is changing today: self-learning algorithms are finding out more and more about all of us in the exponentially growing mountains of data. The collective behavior of many people is becoming predictable within a small time frame. The Facebook and Twitter data from the Arab Spring were an excellent training data set.
This talk begins with the ingredients needed for a real world simulator. And it ends with the question of what democratic and less democratic rulers could do with it. If they are not already using such instruments.

Speakers: Maria Reimer, Daniel Seitz, Paula Glaser, Robert Alisch

How do different tech communities recognize the volunteer work of their members? How can desired learning processes be reinforced? What are our experiences at Jugend hackt? And what do badges have to do with it?
We want to shed light on different ways of recognizing volunteer work and share our own experiences with Jugend hackt, a four-year-old tech community of young people and their mentors. The aim of the talk is to help you better support learning processes around motivational factors in your own tech/FOSS communities, to gather a wide range of experiences and to develop existing ideas further.
Communities, especially in the FOSS world, can hardly survive without volunteer work. Yet recognition and appreciation of this work often fall short. At the same time, open-source projects on which our technical and civil-society infrastructure is built keep grinding to a halt. But what if the problem cannot be solved with money?
In our talk we pursue the thesis that a culture of recognition arises not only from primarily technical solutions (such as money or meritocratic approaches) but also from social solutions. At Jugend hackt we have had the opportunity for four years to try out a wide variety of forms of recognition and appreciation. We would like to share these experiences with you and compare them with the forms of recognition used by other communities, making success factors and obstacles visible.
We will also answer the following questions: How far does intrinsic motivation reach? What forms of recognition are there besides money? How do learning and mutual motivation work in such communities? And what do (Open) Badges have to do with it?

33x113 Interplanetary Colonization

  • 2016-12-29T00:00:00Z1h

Speakers: Liz George, Peter Buschkamp

The long term survival of the human species requires that we become an interplanetary species. But we must answer two big questions: where are we going, and how do we get there? We explore what scientists know (and don’t know) about humanity’s potential future homes both inside and outside the solar system, and then we’ll dive into the technological challenges of (and potential solutions for) getting humans to and colonizing a new planet.
Long the realm of science fiction, interplanetary colonization is now taken more and more seriously by scientists and space agencies alike as technologies come within reach. We will evaluate obstacles and solutions by looking at two topics: Where to go? and How to get there?
Part 1 explores the options that humans have in expanding to new planets. There are now 3,439 exoplanets in 2,569 planetary systems confirmed. We’ll discuss how astronomers find planets, and how they learn about the conditions there. How do we pick a colonization target based on the data we can gather when there is no way of sending probes there and getting information back in reasonable time like we do in our solar system?
Part 2 gives an overview of technologies currently available to get humans to other planets, and what that means in terms of humanity’s expansion. We'll also talk about the technology advancements necessary for truly interstellar colonization.

2016-12-29T00:00:00Z

33x114 Irren ist staatlich


  • 2016-12-29T00:00:00Z1h

Speakers: Arne Semsrott

This year the Informationsfreiheitsgesetz (IFG, the German freedom of information act) celebrates its tenth birthday, and nobody is celebrating with it. Time for a reckoning. FOIA frei!
It has been ten years since the Informationsfreiheitsgesetz (IFG) came into force and was presented at the Congress for the first time. In the USA the Freedom of Information Act (FOIA) turns 50 this year, and in Sweden it even turns 250. Nevertheless, the law at the federal level has not become better in recent years, only worse.
Time for us to take the improvement into our own hands: with our campaign “FragDenBundestag” we forced the Research Services of the Bundestag this year to release thousands of expert reports. At whom do we point the accompanying campaign tool next?
In addition to several lawsuits, we have also filed a constitutional complaint. We show how we want to make suing suitable for the masses.
FOIA frei!

Speaker: Benjamin Rupert

Describing the science behind new high tech vegan foods which will replace animal agriculture. I will also discuss the potential impact to lessen the severity of climate change and give an update on the Real Vegan Cheese biohacker project.
Climate change is the most pressing issue ever faced by humans. While many people are aware of the need for renewable energy, electric vehicles and more efficient homes and manufacturing, fewer people are aware that animal agriculture is a major issue which must be addressed. In fact animal agriculture is one of the highest impact human activities, producing greenhouse gas emissions and environmental damage on par with worldwide transportation and industrial manufacturing.
Rather than convincing people to give up animal products, some groups (academic, industrial and biohackers) are using science to produce near-identical, or in some cases identical, replacements for these products. Replacing animal products will greatly reduce the environmental impact of our diets, without making people give up the food they desire.
I will discuss various approaches including plant protein databases used for engineering realistic animal product replacement, production of proteins in genetically modified microorganisms, and culturing of animal cells without the growing of a whole animal. The science behind these approaches, potential impact, and progress by various players in these fields will be presented. Finally I give a progress update on the Real Vegan Cheese project, which is run out of biohacker spaces in the SF bay area and aims to produce real cheese from engineered yeast.

Speaker: Ingrid Burrington

Early digital computers were the size of rooms. While the devices have gotten smaller, because of the increasingly networked nature of technology the room has gotten bigger--it's ceased having walls and started to cover the ocean floor and ascend into low earth orbit. While Neal Stephenson may have cornered this living-inside-a-computer narrative in 1996 with "Mother Earth, Mother Board", in the past twenty years the seams of the network have become even more opaque, subsumed into The Cloud and other problematic abstractions. This talk will mostly be about different approaches to documenting, comprehending, and thinking about network infrastructure and the ways that the visual vernacular of technologies shape their history and politics.

Speaker: Peter Buschkamp

At 32C3 we shot lasers into space... now it's lasers in space!
We look at space- and airborne laser platforms and what practical uses people have come up with (hint: mostly more or less secret communication and military use). We'll also recap the basic physics and boundaries and check if 'pew pew pew' is really gonna cut it (hint: mostly no). To close, we'll have a look at laser based propulsion for space travel and other speculative applications off the beaten path.
Today lasers are routinely flown on space and airborne platforms for scientific, military and telecommunication applications. While they make nice special effects in action and sci-fi movies, there are physical boundaries that guide the use of lasers in space and in surface to air/space scenarios. 'SDI' might not be straightforward, but intercepting airborne vehicles or laser based communication to submerged submarines is no longer science fiction. But can we use it for space travel? Let's see.

Speaker: Sascha Friesike

For the past three years we studied the world’s largest 3D printing community “Thingiverse”. We explored the remix-relationships—accessible due to the community’s use of open licenses—of more than 200.000 individual designs, tracked an entire week’s new designs for half a year, interviewed more than 80 creators and surveyed over 200 more. This allowed us to develop a deep understanding of the creative processes that take place on the platform.
In this talk we would like to present our findings. This is of interest to people who care about 3D printing as we can give sort of a behind the scenes view on how ideas come to life here. But it is also interesting to people who care about creativity in general, as what we have found has merit outside of 3D printing, too. In this talk we would like to cover the following: (1) Introduce our research setting and explain why it is useful to study this, (2) provide a consolidated overview on our most interesting findings, and (3) give real life examples for how these findings are transferable to other settings.
We have presented primary results of the studies at various academic conferences and have a comprehensive paper on the project currently under revision at the Journal of Information Technology (see attached file). We are a group of three university professors and a Ph.D. student. We work on the intersection of information systems, innovation management, product development, and creativity. We believe that many of the people we studied either attend 33C3 or watch talks online and we therefore think that our results would be of interest to this community. Further, we feel that a well structured talk is better and more entertaining than mailing around our academic journal publications to those who are interested. And lastly, we are eager to receive feedback from a more hands-on audience (than what we deal with at academic conferences). It would be especially useful for us to hear of

Speakers: DI, JO

Joan Heemskerk and Dirk Paesmans, collectively known as JODI, are rightfully venerated for their countless contributions to art and technology, working as an artistic duo since the mid-90’s.
Generally referred to as pioneers of “net.art,” that oft-misunderstood “movement” combining the efforts of artists using the internet as a medium circa 1994, JODI is revered not only for their artistic meditations on the increasing presence of new technology in our daily lives, but also for their fuck-if-I-care attitude toward both the establishments of the technology and art worlds. JODI’s famous five-word “acceptance” speech—if you could call it that—for their 1999 Webby Award in art, simply read, “Ugly commercial sons of bitches.”

Speaker: Ezi

The talk presents findings from a sociological investigation of hacking collectives. I will try to answer the question whether hacking collectives are laboratories, as seen by the sociology of science. I will also show some peculiar traits of hacking collectives, beneficial both for sciences and societies. Perhaps academia needs hackers more than it’s willing to admit?
Someone said: “Give me the laboratory and I will raise the world!” and sociologists of science are still more easily found in laboratories than in libraries. Laboratories discover or co-create almost every part of modern lives: starting from material issues, through health, energy and computers.
The first part of the talk will review some findings from studies of laboratories conducted by sociologists. We will see how certain elements of the hacking ethos could be reprised in CERN or an energy lab. I will also show some findings about well recognized effects in science, which are also valid in the open-source communities. Perhaps the actual details of science resemble hacking more than hackers suspect?
The second part will focus on comparisons between knowledge about laboratories and results from my study of hacking communities. I will try to compare hacking and scientific roles of fact, error and humour. We will see how sociology uses the term “black box” and how the social history of sexual diseases might help us to untangle some discussions in IT security.
The third part will briefly focus on the possible futures of formal laboratories, hacking collectives and other social institutions. I will discuss how ethical stances on hacking knowledge might rescue academic knowledge from itself. I will show how hacking collectives fit into some frameworks shaping the near future of science. How are hackers necessary in the coming data revolution? Why do we need instabilities?

Speaker: Simon Barke

Imagine, there is this huge data center but your user privileges allow you to access only 5% of the data. That is the exact same situation physicists face when trying to study the cosmos. 95% of our universe is made out of something that cannot be seen or touched. We generally call this unknown substance "dark matter" / "dark energy". The recent discovery of gravitational waves gives us a handle on the dark cosmos. We can now listen to invisible events in our universe. But there may also be other methods to shed light on the dark side.
There is (much) more than meets the eye: 95% of everything there is in the universe does not interact with normal matter. It is completely transparent. Does not emit light. Reflects no light waves. Can be neither seen nor touched. The only reason we know it exists is the fact that this unknown substance curves spacetime: it interacts gravitationally. Hence gravitational wave astronomy can target the entire universe while conventional telescopes are fundamentally limited to only 5% of the cosmos. After the initial direct detection of gravitational waves by the Laser Interferometer Gravitational-Wave Observatory (LIGO) last year, many more observatories on ground and in space are under construction that will create a wideband gravitational wave detector network. We will be able to listen to stars falling into black holes, colliding galaxies, maybe even artificial sources of gravitational waves, and will find as yet completely unknown objects in the universe.
But gravitational waves are not the only handle we have on the dark side of the cosmos. Many other research teams aim to directly detect dark matter. The Any Light Particle Search (ALPS) even tries to artificially generate dark matter particles in a controlled laboratory environment. It is under construction at the German Electron Synchrotron (DESY) in Hamburg, Germany. First results are expected as early as 2019.
This lecture will give you a brief and fu

Speaker: Pol Van Aubel

A physically unclonable function, or PUF, is some physical structure with properties that are easy to verify, hard to predict, and practically impossible to clone. Ideally, this means it's a device-unique unchanging identifier, which can be used for improving security. However, it can be at odds with privacy and anonymity. This talk will give you an overview of the thirty years of history behind PUFs, and will include the most recent advances in research. The functions, structure, and design will be discussed, as well as devices and materials that have properties to base PUFs on.
What do CPU registers, sticks of RAM, shared memory in GPUs, and paper have in common? They all have unique properties that are impossible[1] to reproduce, even when using the same manufacturing process. These properties can be turned into physically unclonable functions, or PUFs for short, yielding an object-bound unique identifier. This makes you trackable, but since you're being tracked anyway, you might as well put some of this to good use.
The idea of PUFs is not new, and can be traced back several decades to anti-counterfeiting measures in currency. Since then, several formalizations have been proposed, new types of PUFs have been invented, implemented, attacked, and scrutinized. PUFs can be used to identify and authenticate devices. They can be used to secure your boot process. Some PUF constructions can be used to enhance your random number generation. You might be using devices right now that have properties that can be turned into PUFs, provided you have the tools and want to do some programming.
This talk will take you on a brief tour of the history of PUFs. Along the way, it will show you how a PUF is constructed, what its properties should be, what it can be used for, what materials and devices are known to be suitable for building one, and how you might go about searching for them in your own devices.
[1] For certain definitions of impossible.

2016-12-29T00:00:00Z

33x123 Edible Soft Robotics


  • 2016-12-29T00:00:00Z1h

Speaker: Kari Love

As a soft roboticist I am constantly searching for inspiration for novel soft actuators, and as a home cook and artist I consider eating an object to be a high-level form of interactivity. Having noted the similarities between cast silicone and gummi candies it was natural to combine these interests. I will share my experiments in assessing different candies for their engineering potential, and show my work-in-progress for sweet soft robots.
As a soft roboticist I am constantly searching for inspiration for novel soft actuators, and as a home cook and artist I consider eating an object to be a high-level form of interactivity. Having noted the similarities between cast silicone and gummi candies it was natural to combine these interests.
Part of this analysis is developing testing metrics for candy recipes for performance characteristics, and looking to an ever-increasing set of candy-making techniques to potentially use to design and iterate/innovate.
I will share my experiments in assessing different candies for their engineering potential, and show my work-in-progress for sweet soft robots. I will also share a few ideas for future design plans.

33x124 The 12 Networking Truths

  • 2016-12-29T00:00:00Z1h

Speaker: Jonas Lund

In The 12 Networking Truths Swedish artist Jonas Lund will discuss how he has attempted to subvert the contemporary art world system by using different types of exploits to gain an upper hand against the competition.
From designing an algorithm for art production to data mining art world personalities, the artist will describe how he has incorporated a classic programming mindset in an otherwise logic-free environment.
The 12 Networking Truths refers to RFC 1925 - The Twelve Networking Truths, a memo posted on the 1st of April 1996, positioned as revealing the fundamental truths underlying all network protocol designs. The truths include statements such as ‘It Has To Work.’ and ‘Good, Fast, Cheap: Pick any two (you can’t have all three).’. This memo will be the underlying story line throughout the talk, as each truth has a corresponding position within the artist’s artistic practice.
Some of the works that will be addressed and talked about in this talk:
The Fear Of Missing Out
http://jonaslund.biz/works/the-fear-of-missing-out/
Showroom MAMA presents The Fear Of Missing Out, the latest exhibition by Swedish artist Jonas Lund (SE, 1984). The title derives from a social network induced anxiety condition. One brought on by trying to keep up with a rapidly moving world. A fear of constantly being one-step behind, in the wrong place, and missing out on the most exciting events. The Fear Of Missing Out proposes that it is possible to be one step ahead of the art world by using well-crafted algorithms and computational logic.
The works in the show are the result of a computer algorithm written by Lund. By analysing and categorizing a wide range of artworks, by the most successful contemporary artists, a set of instructions were generated explaining, step by step, how to make the most successful works of art. The artist then simply made the work following the instructions. In The Fear of Missing Out, important categories from

Speaker: Michael Büker

Astronomers struggle to accurately measure distances in the vastness of the known universe. Get an insight into the sophisticated techniques and dirty tricks of today's astrophysics and cosmology. No physics background required, featuring lots of pretty space pictures.
On Earth, distances are commonly given in meters and kilometers, and can be measured comfortably with measuring sticks, odometers or optical instruments. But how does that work in space, where machines take years to arrive at other bodies, and distant stars are utterly out of reach?
From precise calculations to daring guesstimates, many different techniques and approaches are combined to form what's called the "cosmic distance ladder", giving more or less reasonable estimates of the distances between planets, stars and galaxies.
Climb the distance ladder and get to know our place in Space from kilometers to Astronomical Units and light years, all the way to gigaparsecs and the reaches of the known universe.

Speaker: pesco

Zcash is the third iteration of an extension to the Bitcoin protocol that provides true untraceability, i.e. fully anonymous transactions. It is arguably the first serious attempt to establish this extension, in the form of its own blockchain, beyond the form of an academic proposal. The talk provides an introduction to the magic that makes it work.
Despite everything, the Bitcoin cryptocurrency has not imploded or destroyed itself; it might be here to stay after all. That would presently include, however, its biggest flaw: The utter lack of anonymity. In fact, the famed Bitcoin blockchain is the world's most robust, transparent, and public financial accounting system ever.
The above means that Bitcoin's potential widespread adoption is nothing short of a privacy horror scenario straight out of Orwell. Every toilet paper purchase publicly recorded, verified, stamped, and approved. This should not be news to anyone.
In 2013, a few reputable cryptographers came up with some mathematical magic that would, if integrated into Bitcoin, enable anonymous transactions. This proposal has been described in an academic paper under the name Zerocoin and a year later improved in another paper under the name Zerocash. The plan had then shifted to establishing the system as an anonymous altcoin rather than to push for integration into Bitcoin itself. Zcash is the name of a company formed by the authors of Zerocash to develop and launch this altcoin; launch occurred as planned on 28 October 2016.
This talk will introduce the audience to the mathematical and technical background of Zcash, and report on the state of the currency two months after its launch. A degree in mathematics is not required.
Note: The presenter is not affiliated with the Zcash company.

2016-12-29T00:00:00Z

33x127 Hebocon


  • 2016-12-29T00:00:00Z1h

Speaker: Konfusius

Join with your derpy bot to fight your nemesis! Push it off the table or knock the enemy over. No weapons. No advanced controllers. No tears. Don't take it seriously.
Hebocon is a robot sumo-wrestling competition for those who are not technically gifted. It is a competition where crappy robots that can just barely move gather and somehow manage to engage in odd, awkward battles. This kind of robot battle was invented to enable people to participate without much knowledge and financial resources. Robots should be built to be able to move (sometimes they don't), must be lighter than 1kg and smaller than 50x50 cm. The battlefield will be 100x50 cm. Don't use weapons, advanced self-built controls or autonomous mechanisms. Winners will be determined by knockout, points and audience.

33x128 Ethics in the data society

  • 2016-12-29T00:00:00Z1h

Speaker: mayameme

This talk presents the idea that ethics as logic that can be programmed into machines doesn’t seem to work; perhaps, ethics is something else. This talk is about what that something else may be – power. (This talk is not about the Trolley Problem! But it will mention why it shouldn’t apply to the driverless car.)
No one is quite sure what ethics in big data really means, so it’s important that we have conversations about what it is and is not. Ethics is thought of as something that can be programmed into machines because our notions of ethics are often based on logical reasoning. (What if ethics were about natural language processing?)
Based on ongoing research about the development of artificial intelligence in the driverless car, this talk describes how „ethics“ is being deployed to shape the idea of accountability in the context of the law and insurance; it is presented as a problem to be solved by software; it is an imagined space of „cybernetic success“; and it is a proxy vocabulary for the relationship between humans and machines working together. This talk is about how the emergence of this new technology is reshaping what ethics means in a data society.

2016-12-30T00:00:00Z

33x129 Methodisch inkorrekt!

  • 2016-12-30T00:00:00Z1h

Speakers: Nicolas Wöhrl, @ReinhardRemfort

Who let these guys back in?! Nicolas Wöhrl and Reinhard Remfort are a danger to life and limb. Under the guise of science communication, they do on stage everything they would never have dared to do at university.
They also talk about current scientific topics. Boooring! Who wants to see that? Unstructured, rambling, hopelessly subjective and always guaranteed to be methodically incorrect.
Actually a podcast that comes out every 14 days. After the great success at the Congress last year, this time an even bigger show is being put on: experiments that are sometimes interesting, sometimes questionable. Scientists who are sometimes lecturing and sometimes of unsound mind. Scientific studies that are sometimes Nobel Prize material and sometimes dubious. Science on the show stage. It works, bitches!

Speaker: Toni

Internet censorship today is widespread, both by governments and by private entities. Much of the discussion so far has focused on political and social effects of this censorship. However, censorship also has a clear effect on the economic structure of society that has not been explored.
When censorship increases the cost of information, it also increases the cost of doing business as a whole. At the same time, however, censorship can also serve as protectionism. How large and pervasive the impact on an economic system is, is difficult to gauge. Even more so, getting reliable information about censorship and its economic effects is a real challenge.
This talk seeks to establish a link between censorship and economic performance and is based on my PhD project in Economics at the University of Duisburg-Essen.
Censorship is “the control of the information and ideas circulated within a society”. Governments have tried to control information for as long as they have existed, but new technologies have changed censorship significantly. Internet censorship today is widespread. Governments and companies differ in both the extent of their censorship and the technical implementation. I conceptualize censorship as falling on a continuum between the theoretical ideal state of “no censorship”, most closely approximated by Iceland (Freedom on the Net 2014) and pervasive censorship and isolation, like in North Korea.
In the series of papers I am currently writing as part of my PhD in Economics, I focus on both theoretical arguments on the possible costs (and benefits?) of censorship for economies, and try to construct a reliable estimate. Having a background in China was a main motivation for this project, as censorship is so widespread there. The US has recently dubbed “The Great Firewall” protectionism, but did not further elucidate what is meant by this.
The economic effects of internet censorship have not been studied comprehensively yet.

2016-12-30T00:00:00Z

33x131 Community

  • 2016-12-30T00:00:00Z1h

Speaker: Mitch

Mitch Altman (born December 22, 1956) is a San Francisco-based hacker and inventor, best known for inventing TV-B-Gone, as featured speaker at hacker conferences, as international expert on the hackerspace movement, and for teaching introductory electronics workshops. He is also Chief Scientist and CEO of Cornfield Electronics.

Speaker: catchthewhistle

The High Priests of the Digital Age Are Working Behind Your Back to Make You Confess, and Repent.
Just as 18th century priests enforced total surveillance measures on masturbators, the new priests of the digital age are listening to your confessions and forcing you into puritanical repentance.
Who doesn’t have a relative, a friend, a colleague, who broke up because of an iMessage showing up on the wrong device, fooled by the iCloud, by a suspicious Facebook like, or a Pokemon caught in the wrong neighborhood?
I want to make the claim that a new system of surveillance, organized by the new priests of our digital age, is slyly acting behind our backs to make us conform to a new form of puritan morality.
At the beginning of the 18th century, masturbation suddenly became a topic of intense reflection. In the Enlightenment Encyclopedia it is described as the new disease of a wounded conscience and a heinous sin. Surprisingly, the Christian Church was not responsible. It had, until then, never regarded masturbation as anything other than a marginal problem for adult men (and especially monks).
The people responsible for making masturbation a sin were economists, who worried about the consequences of masturbation for productivity in an economy that depended on the endless desire for more. The condemnation of masturbation spread, and in no time, doctors were making scientific claims to prove the dangers of masturbation, while priests made it their new obsession.
In the confessional, the sinners had to avow everything, not only their reprehensible actions, but their reprehensible dreams, the languorous images that crossed their consciousness, the birth of desire in their troubled mind. The priests demanded to know it all, the most inner thoughts of the masturbators. The sinner was meant to keep his own mind under surveillance.
Today, we believe that we have overcome this obscure period. Masturbation is widely accepted as a healthy sexu

Speaker: Kai Kunze

With recent developments in capture technology, preserving one's daily experiences and one's knowledge becomes richer and more comprehensive. Furthermore, new recording technologies beyond simple audio/video recordings are becoming available: 360° videos, tactile recorders and even odor recorders. The new recording technology and the massive amounts of data require new means for selecting, displaying and sharing experiences.
Sharing experiences and knowledge has always been essential for human development. It enables skill transfer and empathy. Over history, mankind developed from oral traditions to cultures of writing. With the ongoing digital revolution, the hurdles to sharing knowledge and experiences vanish. Already today it is, for example, technically feasible to take and store 24/7 video recordings of one's life. While this example creates massive collections of data, it makes it even more challenging to share experiences and knowledge with others in meaningful ways.
A recurring theme in science fiction literature is the download of the abilities of another human to one's mind. Although current cognitive science and neuroscience strongly suggest that this is impossible, as our minds are embodied; we believe that skill transfer and effective learning will accelerate tremendously given recent technological trends; just to name a few of the enabling technologies, human augmentation using virtual/augmented reality, new sensing modalities (e.g. affective computing) and actuation (e.g. haptics), advances in immersive storytelling (increasing empathy, immersion, communication) etc.
The talk starts with sensing and actuation technology, giving an overview about them and discussing how they can be used.
I’m discussing several novel upcoming sensing modalities for VR and AR, first of all eye movement analysis for interaction and activity recognition, introducing the pupil eye tracker (open source eye tracker fr

Speaker: Adora_Belle

The genome – the final frontier – or just a complex mess of letters? Somewhere in there, our eye or skin color is hidden. But also, diseases can be diagnosed or predicted by analyzing the genome. More and more research is committed to finding clues for diseases in our genes. The opportunity is clear: If I know about a disease I might get ahead of time, I could possibly intervene before it starts. Yet: How accurate are these predictions and how meaningful are they? And more importantly: What happens to my genetic data once it has been decoded?
Genetic data is quite valuable, not just for researchers but also for health insurers, other insurers, law enforcement and employers. However, genomic data can always be re-identified, since it is a unique pattern. Therefore, genomic data needs to be secured.
In my talk, I would like to point out the possibilities which have arisen from whole genome sequencing, that is, the complete decoding and analysis of one person’s genome. This milestone of biological research is important for medical advances such as personalized medicine. But it is also subject to commercialization. At ever-decreasing prices, one person can easily sequence their own genome and get access to information on heritage and possible risks of genetic diseases. This means that private companies are accumulating massive amounts of whole genome data. Additionally, third parties could send in samples of other people, which they can get quite easily. But how do we interpret the data? Even though people tend to believe that the genome holds many answers to diseases and risks, this has been a misconception. For most diseases, the environment, lifestyle and maybe even just bad luck play a much more important role.
Still, many researchers are trying to analyze more and more genomes, especially in cancer research. Genetic predispositions for cancer are usually quite small probabilities, so a large sample size is needed t

Speaker: Adam Harvey

From geo-magnetic tracking for smartphones to facial recognition for email marketing, from physical shopping cart fingerprinting to computer vision algorithms that use your clothing as metadata, this talk will explore the emerging landscape of hyper-competitive retail surveillance. Instead of dramatizing these technologies which can lead to calcification and normalization, the aim of this talk is to energize discourse around building creative solutions to counter, adapt to, or rethink emerging surveillance technologies.

Retail surveillance technologies are often overshadowed by more threatening government surveillance technologies, but retail surveillance presents a different kind of threat. It forms the foundation for bottom-up surveillance of personal data that would otherwise be too difficult for a government surveillance program to collect. Data including your most personal photos, messages, and movements are routinely collected and sold by commercial services. Retail surveillance also poses risks for data breaches and leaks and enables new forms of psychological and behavioral monitoring that aim to influence and control the behaviors of "consumers".

The biggest concern today, said Phil Zimmermann (2015), is not software backdoors, but the petabytes of information being hoarded by the likes of Google and Facebook. Silent Circle co-founder Mike Janke has also voiced concern over this type of surveillance and data collection, warning that "the data companies of the world have more data on you than GCHQ does, absolutely."

This talk will survey current and emerging trends and technologies used in retail surveillance with the goal of enabling others to create a more informed retail-surveillance threat model, countersurveillance workarounds, and knowledge for protest/democratic participation.

2016-12-30T00:00:00Z

33x136 Lightning Talks Day 4

  • 2016-12-30T00:00:00Z1h

Speaker: derPUPE

The aim of the talk is to give an overview of the new rights of data subjects (that is, you, my young Jedi) arising from the General Data Protection Regulation, and to show where there may be something in it for us.
The starting point: in May 2018 the General Data Protection Regulation will come into force, and by then institutions and companies have to implement the corresponding measures. The GDPR brings all of us some new or extended rights vis-à-vis institutions and organizations, which should be actively used. On the thesis that the significant increase in penalties and fines for data protection violations will raise companies' "willingness to comply with data protection", exciting opportunities arise for activists on the playing field to use the sword of transparency to positively influence the gross national data protection level by building up pressure through increased penalty risk.
The GDPR is meant not only to replace the aging Data Protection Directive 95/46/EC but finally to bring about the long-sought full harmonization. To that end, it lays down law that is directly applicable in all member states.
On 14 April 2016, the compromise version of the previous draft texts, worked out by the Commission, the Council and the Parliament, was adopted. The key innovations accordingly include comprehensive transparency obligations, the right to be forgotten, the right to data portability, the establishment of the principles of data protection "by design" and "by default", and a decidedly drastic sanctions regime.

Data subjects' rights are claims and powers that entitled persons have by virtue of their status as data subjects and that have a sufficiently concrete, ideally enforceable content. The intended strengthening of data subjects' rights is not limited solely

2016-12-30T00:00:00Z

33x138 Rebel Cities

  • 2016-12-30T00:00:00Z1h

Speaker: renataavila

Cities are emerging as a space for local action and local change but also as dangerous spaces where social engineering, exclusion by design and privatised policing take place rapidly, without adequate frames to catch up and assure fundamental rights. Is the city the answer to a new digital ecosystem, with effective mechanisms to enforce it, in the local government powers?
Sophisticated surveillance systems are approved by, funded by and deployed by local authorities. Cities are emerging as the spaces where everything is controlled by invisible technology, almost imperceptible in daily life. Those surveillance cameras now visible on street corners are replaced by systems of constant monitoring integrated in the landscape. Cities of sensors collecting our data all day long, where each movement is registered and stored, where decisions are automated and dehumanised. Monetised to optimise consumption, predict behaviour. Control people and the local and micro local level.
But cities are also the spaces where a different form of politics is emerging, from Rome to Barcelona, from Madrid to Paris, citizens are taking back the domestic infrastructure. Is there the answer for digital sovereignty?
Today, cities of sensors collecting our data all day long, where each movement is registered and stored, where decisions are automated and dehumanised. Monetised to optimise consumption, predict behaviour. Control people. The benefits of not knowing who decides and why, stand to be gained by the same conglomerate who bets on this vision. A few companies developing software, hardware and capacities in countries that can be counted on one hand. A market of US$8 billion, which is expected to grow tenfold by the year 2020.
Although discourses keep feeding the imaginary, descriptions of cameras detecting pickpockets, this is something radically different. Matrices that combine lots of data in real-time. This vision for the city of the future, promoted by a sm

33x139 The Transhumanist Paradox

  • 2016-12-30T00:00:00Z1h

Speaker: Xavier Flory

How does a pluralist society – a society built to accommodate our irreconcilable differences – make a choice about the technological future of mankind? How can a liberal state dedicated to upholding individual liberty interfere in technological progress, and why should it?
Do we really want to leave our technological futures in the hands of the major AI researchers – Google, Facebook, and the US Defense Department?
I argue that our political system is designed not to deal with the questions raised by the transhumanist movement, and that without a major overhaul of political liberalism, technological progress will escape democratic oversight.
For the first time in history we have the ability to choose what it means to be human, and yet our liberal pluralist societies preclude substantive debate about our collective future. Modern liberal states are based upon the assumption that there is no single best way to live, and that for the state to endorse a substantive vision of the good life is to open the door to totalitarianism. On matters of personal conviction – human nature, our place in the cosmos, and our ultimate goals – liberal states want us to agree to disagree.
However, we cannot simply agree to disagree about transhumanism because our individual choices will affect the entire species. If you decide to upload your brain onto a computer and abandon your biological body, you are choosing what is essential to humanity: you are defining human nature. If, on the other hand, the government bans technological enhancement, it is also imposing a vision of humanity. Thus, only once liberalism abandons the pretense of neutrality can we start imagining alternative technological futures and debating the underlying vision of the good life that will orient our choice.
I’m a political theory researcher at Sciences Po, and this talk draws on modern political theories of liberalism, the latest transhumanist literature, and ancient Gre

Speaker: Klaus Landefeld

The talk presents the internet traffic surveillance measures permitted in Germany from a legal and operational perspective and attempts to apply the questions arising from the findings of the NSA inquiry committee to actual practice.
The talk sheds light on the background to DE-CIX's lawsuit against the G10 orders used today and the changes to domestic surveillance resulting from the new law on foreign-to-foreign telecommunications intelligence (Ausland-Ausland-Fernmeldeaufklärung). The problems of protecting fundamental rights in a "bulk collection" environment are discussed, as are the technical possibilities for filtering and the resulting figures and volumes for surveillance.

Speaker: Markus Beckedahl

In 2016 the fight against terror in the EU ramped up. It was not only in the context of the Anti-Terrorism Directive that new ways of bringing the net more firmly under control were discussed.
In the Internet Forum, EU representatives have been meeting with representatives of the major US platforms for a year to negotiate voluntary cooperation. The aim is to circumvent the rule of law and partially privatize counter-terrorism without the necessary democratic oversight.
The approach is familiar from copyright enforcement and failed trade agreements such as ACTA. And with the hate speech debate, government representatives also have the right tool of extortion to get the platforms to cooperate: if they don't play along, they are simply held liable.
The talk aims to explain the current developments and report on the parallels between the fight against terror, copyright enforcement and the hate speech debate.

Speaker: Hendrik Obelöer

The ‚Investigative Powers Bill‘ is about to become law in the UK. Its provisions, from looking up Internet connection records without a warrant to forcing communication service providers to assist with interception and decryption of data, have caused an outcry in the Western world. But how and why did British politics get here? And, most importantly of all: How could we fight back?
Roughly a year ago then home secretary Theresa May presented the ‚Investigative Powers Bill‘ or the so-called Snooper’s Charter. Law enforcement and intelligence agencies will enjoy new powers like bulk hacking while having reinforced their existing rights of mass surveillance. At the same time, a proper form of oversight is all but missing. Other countries such as China have even defended their own terrorism bills pointing at this very piece of legislation.
Amid loud privacy and civil rights concerns, the Bill has already passed the House of Commons where only 5 % of cast votes opposed it.
But does this reflect the will of the electorate? Is this the lesson from the Snowden revelations, that we are going to see more, not fewer, infringements on civil rights?
The talk will also answer the question of how the bill’s provisions compare to other initiatives like the new BND law in Germany or the Patriot Act in the USA.

33x143 The Ultimate Game Boy Talk

  • 2016-12-30T00:00:00Z1h

Speaker: Michael Steil

The 8-bit Game Boy was sold between 1989 and 2003, but its architecture more closely resembles machines from the early 1980s, like the Commodore 64 or the NES. This talk attempts to communicate "everything about the Game Boy" to the listener, including its internals and quirks, as well as the tricks that have been used by games and modern demos, reviving once more the spirit of times when programmers counted clock cycles and hardware limitations were seen as a challenge.
The Nintendo Game Boy was an 8-bit handheld gaming console that competed with the SEGA Game Gear and the Atari Lynx. Compared to its competition, it had very little RAM (8 KB) and no color support (4 shades of gray at 160x144). It was succeeded by the Game Boy Color, which fixed this main shortcoming, but shared the same architecture. During the 14 year life span of the 8 bit Game Boy platform, game programmers kept understanding the hardware better and better, and continued finding new tricks for better graphics effects, such as sprite multiplexing, parallax and palette effects. This talk explains all the hardware details of the Game Boy: The programming model of the 8080/Z80-like LR35902 CPU, the system's sound, timer and I/O functionality, and programming details as well as common tricks involving the graphics processor ("PPU"), which was specifically designed for LCD output. The listener will get a good understanding of 8 bit programming and creative programming on extremely limited hardware, as well as common tricks that can be generalized to other systems.

33x144 33C3 Infrastructure Review

  • 2016-12-30T00:00:00Z1h

Speaker: Leon

NOC, POC, VOC and QOC show interesting facts and figures as an excuse to present all the mischief they’ve been up to this year.

2016-12-30T00:00:00Z

33x145 Virtual Secure Boot

  • 2016-12-30T00:00:00Z1h

Speaker: Gerd Hoffmann

Over the last two years secure boot support for virtual machines was added to qemu, kvm (linux kernel) and ovmf (edk2/tianocore). This talk covers the implementation details and the issues we had to deal with along the way.
Well, to be exact, ovmf (open virtual machine firmware, part of tianocore) has supported the secure boot interfaces for a long time already. But it used to not provide any actual security: the guest os could easily tamper with the secure boot variable storage by simply writing to the (virtual) firmware flash.
This is no longer the case.
Making secure boot actually secure was a bigger effort than we initially expected, and it required changes in three software projects: kvm got smm emulation support. qemu got smm emulation support, and the q35 chipset emulation needed some fixes and improvements too. ovmf now makes use of the smm lockbox as tamper-resistant storage for secure boot variables (and some other bits).

33x146 Security Nightmares 0x11

  • 2016-12-30T00:00:00Z1h

Speakers: frank, Ron

What has happened in the field of IT security over the past year? What new developments have emerged? Which new buzzwords and trends were to be seen?
As always, we venture the IT security nightmare outlook for 2017 and beyond. After all, what we really want to know is: what will be creeping, crawling and flying toward us, and around in our digital implants, in the future?
In the course of even more transparency, criticism and self-criticism, and continuous sustainable optimization of all processes, we will also review earlier predictions with regard to whether our prophecies have come true.

33x147 Surveilling the surveillers

  • 2016-12-30T00:00:00Z1h

Speaker: mare

In the last years, technology-savvy artists and technologists have taken over the art world with works addressing current societal and political issues. Their works are located at the intersection between art, technology and activism and are dealing with a variety of problems like free speech, freedom of movement, military and governmental power, corporate and governmental surveillance to name just a few. This talk will present relevant works in this field and will draw connections between critical art and regulatory power, warfare, surveillance, electronic waste, electronic self-defense and the re-appropriation of architectural and technological artifacts in militant ways.
In the first part of this presentation, I will talk about critical technological art in general and its connections to (defensive) architecture, electronic and physical warfare and international power relations, with a special focus on surveillance, borders, and international contracts.
In the latter part I am going to exemplify these concepts by showing important works in their fields, like artistic counter-surveillance installations, passive reconnaissance walks through metropolitan cities, forensic analysis of HDDs discarded as electronic waste and so on. I will also show some of my personal works in this field, ranging from passive radio antenna stations to universal modems that transform existing conductive architecture into a computer network.
As a hybrid between computer scientist and media artist, I am creating works at the intersection of engineering, sculpture and formal aesthetics, which investigate power relations between citizens and technology, and often also the relations between citizens and the state. In my latest works, I am pondering how technology can be capable of re-democratizing public space, and how the issues surrounding the creation of private spaces through technological means can be artistically addressed. As a computer scientist, I have worked i

Speaker: Wolfie Christl

Today virtually everything we do is monitored in some way. The collection, analysis and utilization of digital information about our clicks, swipes, likes, purchases, movements, behaviors and interests have become part of everyday life. While individuals become increasingly transparent, companies take control of the recorded data.

In his talk, Wolfie Christl will outline how today’s online platforms, data brokers, credit reporting agencies, insurers, mobile app developers and tech companies are collecting, analyzing, sharing and making use of vast amounts of data about our everyday lives – across platforms, devices and life contexts. In October 2016, his book „Networks of Control“ was published, a comprehensive report about privacy in times of corporate surveillance, digital tracking and big data. The report was co-authored by Sarah Spiekermann, a renowned privacy scholar, and not only exposes the full degree and scale of today’s personal data industry, but also shows how algorithmic decisions on people lead to discrimination, exclusion and other harms.

Based on many examples, Wolfie Christl will give an overview of his research: Who are the players in today's surveillance economy? How do networks of online platforms, tech companies and data brokers really collect, analyze, trade and make use of personal data? What can be inferred from our purchases, web searches and likes? How is analytics based on personal information already used in fields such as insurance, finance, healthcare and employment to treat people differently? And, what are the societal implications and risks of ubiquitous corporate surveillance?

2016-12-30T00:00:00Z

33x149 33C3 Closing Ceremony

  • 2016-12-30T00:00:00Z1h

Speakers: Nicolas Wöhrl, @ReinhardRemfort
