All right, good morning, welcome to the lightning talks. I apologize for being late. So this is what we're going to do today. Hit pause real quickly. This lightning talk session is the most ambitious lightning talk session ever attempted: we're going to try to do 32 talks in two hours and 15 minutes. We have the three-minute express lightning round that'll be coming up shortly, but we're going to start off with some five-minute talks. Go ahead and hit play. And can everybody see this unit right here? Okay, you see how it's going from yellow and the green is going away?
Open your eyes then. Okay, well, once the timer... this is a timing unit right here, and you can see, some perhaps not that closely, but there's red coming up from that. When it hits that yellow amber color, that means the speaker has 30 seconds left, and right about now... we have...
Under normal circumstances I would have asked for another practice round for that, but we're already running behind and it's my fault, so I'm just going to have Momo kick it off. Give him a round of applause for the first lightning talk today.
Good morning everyone. I also have to kind of hurry, because I have to check out by the reception at one and there is a huge queue, mainly the... you just... you have ever seen at any hotel ever, and it's all your fault. So I'll just start ahead. My talk has kind of a cryptic title and I don't have my slides on a beamer, but if you put some color into it I think you can imagine: so it's a mix of DHCP and XSS, so cross-site scripting, but we'll get to that in the meantime with the talk. First off, I'm Momo, you might have seen me at the info desk, I'm one of the shackspace members. You can find me on Twitter, and also, if you are ever interested in the trademark hackathon [ __ ], I am the guy owning hackathon.de, so maybe it's interesting. First off, I'd like to invite you to somewhat my event as it happened. I was sitting at my hackerspace, was getting laid, I was a bit drunk, and I was thinking okay, let's go home, let's go catch the last train. And as always, if you're in a hurry you don't get the last train and public transport stops. So I was going back to the hackerspace, because home is where Wi-Fi is, and yeah, but something was different at my hackerspace that day. There was not only Wi-Fi, there were new enterprise Wi-Fi access points, and I think I'm not the only hacker who, if he sees the words Wi-Fi and enterprise, has the natural attempt to break it. So...
Thanks. So anyway, I was sitting at the hackerspace and trying to break this goddamn wireless, so I was thinking, what could I do? I know I'm not the hardcore Linux guy or hardcore protocol guy, so I was thinking of boring web security [ __ ]. And, thanks, so I was thinking: it has a web interface, we could look for cross-site scripting in the web interface, I don't know, some static XSS or something, cross-site request forgery, SQL injections or whatever, or we could test the underlying OS. But that's all boring, it's all been done a thousand times. So yeah, let's think about something new. I was browsing around this web interface, mainly being stupid, clicking around, and I found this beautiful screen. First off, it also has a comment field; I put in script alert one and I got a beautiful stored XSS, but that's quite boring. On the other hand, you were seeing here the DHCP hostname of the client along with its IP address, the assigned access point, the assigned SSID and some other metadata. So we have a DHCP hostname. What happens if we do this?
Is there anyone who doesn't get it? Or whatever, I'll just explain it. We're setting our DHCP hostname to an illegal string, being script alert one, so basically our hostname shouldn't even get through the RFC, but our DHCP client allows us to, and we have a payload in it. And guess what, it worked. We just have a beautiful XSS in the web interface, and we don't even have to be authenticated.
Or even better, we don't even have to be in the [ __ ] management network, because we're a client; it has to display the client's MAC address, that's all. So if you're ever going to attempt this, there are a few things to make your life way easier than I had, because I know script alert one is nice, but there's no payload in it. If you might want to, you know, have a payload including a dot, maybe an IP address to get your scripts from, try to use the dword. If you google dword and IP address you'll find a neat converter, basically converting the dots in your IP to some weird string. It's all math and all browsers support it, which is quite nice, and I didn't know of it before. So use dword if you don't want any dots in your IP addresses. And if you're fuzzing around or pentesting those weird things, just always, on every attempt, change your MAC address; those things tend to try to be smart, to display your hostname and whatever, but really it's not worth it. So, 30 seconds, okay. Yeah, and now what I've got: 15 vendors affected. First off was Ubiquiti, that's their nice CVE; you can't scan the QR code because there's this nice thing, but whatever. I can't get my hands on every shitty web interface that's out there, so please, all of you, go out and pentest all web interfaces. If you find something, please, please disclose responsibly; I think every security researcher knows how to do that. Let me know, because I'm interested in this stuff, and you still owe me a chunk if you find something. Yeah, if there are any further questions, mail to me at hackathon.de, write me on Twitter or find me at the info desk, and I'm done.
Oh actually, one... two quick reminders to all of our presenters, who are hopefully sitting in the front row and know which talks are happening before and after theirs: your slides appear on the screen down here, so you don't need to go look up at the screen to see what's going on, which then cuts off your microphone. Also, please be sure to talk in the direction of the microphone and adjust the microphone so it's pointed at your mouth. You don't need to eat the microphone like this; if you stand back at about this distance or even further from the podium mic, the audio angels will figure it out. So thank you for that, and you're good, go.
Okay, hi everyone, my name is Arne. I'm a PhD student studying usable encryption and I'd like to tell you something about some of the problems and possible solutions. So currently most email is unencrypted; well, maybe some of it is encrypted, but what we want to have is for the GCHQ to go dark. So three problems and three solutions. I'll start with the problem of motivation: users are generally not too motivated to actually encrypt their emails, and they don't have a lot of understanding of all the actors in the game. So what might we do? I think we should raise awareness by maybe having a crypto hour. There's something called Earth Hour where everything goes dark, is supposed to go dark, it doesn't; maybe we should also have a crypto hour where we also go dark, where we try to convince lay people to go dark for just one hour. Then also co-design, working with actual users, and having more crypto parties. Then the problem of feedback: how do we actually know that stuff is encrypted? So these are two screenshots of Enigmail; actually the left is clear text, the right one is encrypted. You don't really know, except for a small little icon right bottom. Also, even worse is Outlook and PGP: if PGP crashes it just sends your email unencrypted and doesn't actually tell you. So yeah, very fun stuff. So, better feedback: this is a screenshot of Mailpile. I think the feedback there is a lot better, but it could be even better, because if we blur it then we don't really see whether there's encryption happening or not. Then a solution to this is indicators, which should be visible, and we can build that on the principles of Gestalt psychology. Also we need to look at both positive and negative indicators, so on the left maybe we can have something like a green background for encryption and a red background for plain text. And also we should make sure that we don't cry wolf; we don't just scare people for threats that aren't real, because yeah, otherwise they'll just ignore our advice. Then there's also teaching: it can be quite difficult to teach people the basics of cryptography. So these are two drawings that people did in a study of mine that I did about a month ago. This is someone who actually kind of understands email encryption and, well, actually how the email system works, and then here's someone who has absolutely no clue; so yeah, mail just goes from one point to the other and it's all magic. Then there's also lots of jargon: on the left of course there's GnuPG and on the right there's PGP, both lots of jargon, and I think the only place where I've seen normal English being used is in the word list of PGP.
Now there's also missing consistency. On the left there's the interface for Adium OTR and on the right there's overloop, and what the lock icon actually does is not too clear; it's clear, but it's different in both cases: on the one hand it starts a key exchange, in the other you actually select whether to encrypt or not. But even within applications there can be inconsistency; for example GPGTools, on the left: we encrypt, we send an email, the lock is actually closed, and then when you receive something it says encrypted and the lock is open, and that's a bit confusing. And what it actually means is that stuff has been decrypted. So how to solve this? I think we should have an interaction language, with one idea being a common iconography. On the left there's Isotype, which was started somewhere in the 1930s if I'm correct, and on the right there's the visual language of Mailpile, which I think is a very good start. Then maybe we can also have something like the OSI trademark to deal with all the various software that we have, and also building interaction patterns, and maybe we can also have physical... 30 seconds... so something like a handshake built on contactless devices. Now, also I think we need to have an interaction architecture, because, well, we used to have rudders for cars, but then we didn't really have lots of useful stuff. So, well, what now? If you want to join the conversation there's the hashtag. I'd like to thank these people, and that's it.
All right, do we have a representative for the Nimrites talk?
No. In that case, free software song.
Are you gonna need your guitar mic or no? I don't think so, I think it's loud enough. Okay, be sure to stand behind the podium so the people watching the streams can at least hear you. Okay, so I guess I'm gonna have to drive these slides, aren't I? Yeah, okay, all right, I could run over there. And now we're in the three-minute round, so we're going to reset the timer for three minutes and I'm going to try to follow along as best I can.
Has it started already? Well, I guess we'll start it when you start singing, how about that. Okay, so hi, I'm Marios and I'm going to play this song, the Free Software Song, which was written in the 90s by Richard M. Stallman, when I was five, and it has inspired me much. So the first round is humming and then we'll sing together.
Join us now and share the software, you'll be free. Join us now and share the software, you'll be free, hackers, you'll be free. And now, two slides please. Hoarders can get piles of money, that is true. But they cannot help their neighbors, that's not good, hackers, that's not good. When we have enough free software at our call, hackers,
we'll kick out those dirty licenses.
So join us now and share the software, you'll be free, hackers, you'll be free. Join us now and share the software, you'll be free, hackers, you'll be free. Thank you.
You ready? Yes, go. Okay, hi everybody, I'm Jalen, I'm from the Linux User Group of Novi Sad from Serbia, and we are organizing the Balkan Computer Congress, it's named BalCCon, you can see there. The Balkan Computer Congress has been conceptualized as a two-day gathering of the hacker community, international and focused on this part of Europe, on the Balkans. So what we are trying to do is make the first part of the program like a concept of a set of presentations, workshops, lecturing on current topics of ideas, technology, privacy, software development, free software and everything else. And the second part of the program will be organized for the hacker communities. So LUGoNS is the oldest hacker community in Serbia; for more than one decade we are working together. So our goal is to call communities in the region to put them on one spot, on one place, to get to know each other, to meet, to exchange knowledge together. So why Novi Sad? Because Novi Sad is the center of the south province of Serbia, it is a multicultural town, and there is a very active artistic and technology scene; for example the music festival Exit is happening in Novi Sad every year for more than a decade. So that's why we chose Novi Sad, and we are all from Novi Sad, so we are all inviting you to come to BalCCon, because last year it was our first congress, that's happening in that part of Europe, a hacker congress, the big one; we had more than two, three thousand participants, more than 30 lectures. So everybody who is interested to join us, work with us, have fun, play at a lot of parties and everything else is more than welcome. We will publish our CFP at the end of June... end of January, so if you are interested, you have something to tell us for the next year. So the dates are 5th, 6th and 17th September next year; we'll be in Novi Sad having fun and having parties.
Okay, can you hear me? Okay, hello, my name is Najib. I want to talk... I just need to fix the display for a quick moment, but that's okay. Sorry, I won't take it out of your time, I promise. Thank you.
I hate all you guys.
Well, while waiting, could you maybe tell us something about yourself? Who are you? Yes, my name is Najib, I'm a biochemist, but I'm involved in the...
resistance.
I promise to finish after three minutes.
All right, we'll fix it at the break. I'm sorry about that. Okay, thank you very much. Okay, go ahead. Thanks. So my name is Najib, I'm involved in the resistance against surveillance in Hamburg, and I want to talk today about the concept of total control and getting freedom through total control. Actually, "experience freedom of total control" was a marketing slogan introduced by Sony when they tried to market the VCR in the 80s, and the idea behind this is quite simple and obvious, because by gaining control over the content you have the freedom to see what you want, independent from the broadcaster. But this is not the concept I want to talk about. In the 80s, sociologists investigated the relationships between the consumer, the media, the broadcaster and the technology, and they found something very interesting, because control technologies instrumentalize the freedom of choice as a governing strategy. And this is very important, because personal freedom is in this respect a tool which can be disciplined, and which can also be disciplined by influencing and disciplining the media and the broadcaster and the content provider, very important. And as a result, new social arrangements emerge out of the situation that lead to a self-governing of ourselves through technologies, and this is something that is linked to our present time, because if we look at how people behave with their smartphones and the internet, we see these patterns already that have been investigated in the past. And what is the consequence out of this? And I think this is the most important part of my talk: we have to be aware that providing the people with information about the surveillance is not enough, because we can reach their minds but not their gut feelings, and this is something that marketing specialists already know, and we have to approach this also, because desires and needs are directed, and are not created by convincing the minds but by the emotions. And we are in a battle which is quite unfair, because the other side can address very strong feelings like fear and a desire for security... 30 seconds... and I fear that they also address the desire for freedom, and we need to understand this, because people have the perception that they are free when they give some other people the control over their lives. We see this ancient principle when we look at the Catholic church: the Catholic church gets all the sins and gets a level of control by this. And I want to discuss this further with you. Thank you very much.
And it's at this point that I think a very big round of applause is owed, especially to the angels working the video, for dealing with my dumb ass, yeah, give them a round of applause, and for figuring out at the very last minute a way to make both the timer unit and the slides display at the same time. So thank you very much to them. And give the clicker a quick test, 'cause I think it's all good. Okay, great. Now don't forget you have three minutes, adjust the microphone, you know your slides are down there, and I will buzz you. These guys have had two practice rounds and they're ready. Okay, three minutes is yours.
Okay, hi, my name is Obelix and I do a lot of 3D printing, and I think, like every other person, when I started using a 3D printer I used software on my computer. And last summer at the local hackerspace I went to sleep and I shut down my computer and the print was still running, so it crashed. I talked to somebody and he told me, yeah, use a web server, use a Raspberry Pi and control your 3D printer with it. So he told me about OctoPrint, and it's really nice because you can control your printer over the internet. So what are the features? It runs with Python, so you can use it principally everywhere, but the most cool thing to do is use it on the Pi, and you get a nice web interface where you can control speed, you have a webcam, you can upload files and everything, and you even have a user management, so you can use it in your hackerspace: you can create users that can only look, or you have users that can even change parameters.
Sorry. So here you see a screenshot. One cool thing is that you can upload files to the Pi, or you can even upload them to the SD card in the 3D printer for later use without the Pi. Really cool is the webcam feature: so if you have your 3D printer at work and you go home and, lying in bed, you want to see how the print is going, or if you are too lazy to get up to look inside, on the couch you can take a tablet and watch it. And it has a live G-code viewer, so you can see what it is supposed to do and check if it's doing the right thing. What is under the hood? It's written with Python and JavaScript. Yeah, I can't say any more than this, because I didn't write it, it's from someone else, I just wanted to present it. So it has a REST API, this is a work in progress, to communicate with it, and it has a nice framework, so even mobile use is possible. To get more information I can send you to the website octoprint.org. The developer is foosel, she wrote it, and so you can get more information on the website about it. If you want to see it in action, I have it running in the 3D assembly, and if you have any more questions, or how to set it up or stuff like this, just come and see me and I can help you, or just write; there's a Google Plus page and every social stuff, so you can ask questions. I don't need it, well, someone else will.
And three minutes is yours. Thank you. Because I was a lazy ass I only have one slide, I apologize for this, so I'll make it very dramatic. It all started in a toilet one year ago in Finland. A colleague of mine who happens to teach electronics had the idea that, since it really took a long time to write a book but it wasn't that difficult, he called his friends along and called me, and I called my friends along, and then we had 30 mathematics enthusiasts working in the same room over one weekend. That was a book sprint that had never ever been seen, at least in Finland, before. And we all decided, hey, let's do it all in Creative Commons Attribution; that was an even better idea. So what we did: we had researchers, we had teachers, we had students, my personal pupils along, and we used one weekend and we managed to make an open, I could call it open source, mathematics textbook for the Finnish upper secondaries, all for free, all up for modification, use and even purchasing and selling them by themselves. We used LaTeX and GitHub to do that.
What we learned was pretty important, because we had our problems: LaTeX wasn't that easy after all for everyone, sadly, although it's superior.
So if you're going to make a book sprint, I strongly urge you: get your tech side done way early, get it pre-configured, because you can't spend half of your weekend configuring all that stuff if you want to make a book in a weekend. That's an important thing. Also, it can be done, but you need a lot of people; we had 30 working on a single book at the same time, that was pretty much a feat. And what I want to leave you with is, let's say, the most important thing I learned: now that we did a book in one weekend, then we took another weekend and we did the next book, and we've been keeping this up for a year. We've been writing weekends and weekends and weekends, and we got fancy and famous, we got donations and people are sending us books, hey, publish this because a big publisher didn't. And we found out that we can print 2,000 books with fancy color covers and it costs less than two euros per book. And what are the big publishers doing? They're gonna sell it for 30 euros; that's not fair. Anyways, my name is on the wiki because I couldn't have it here. I am Jonas from Finland, Berkeley, and let me also list that for you in case you won't find it yourselves. Thank you.
You've got the clicker up there.
Okay, three minutes is yours. Thank you. Hi, my name is Sree Harsha, I'm from TUM and I'm a developer of the GNUnet project. A problem we face every day is while testing our peer-to-peer applications. Oh, thanks. So what we try to do is we try to test our application, our P2P software, with as many peers as possible, so that we can learn as much as possible from the test case scenario, or any bugs which can happen when we try to run with thousands of peers. And so what we... sorry.
So we have this idea of testing with thousands of peers, but we don't really have the compute power to do that on our local hardware, so we try to use some of the high performance computing systems at our university. But sadly there we had some restrictions, like SSH was not available for us to run our software. But what we can do around is that we can run MPI programs; but we really don't have MPI software, we just want to run some peers after all, which are just plain C binaries compiled from C programs. So that's why I started writing this little hack project called MPI shell, I call it msh. So you can use it as a remote shell within an HPC system where SSH is not available. It uses the MPI communications layer instead of doing a direct network protocol, because this is the only allowed path where the system administrator can guarantee access to you to use the HPC system. And yeah, it resolves the allocated hosts, because if you have an application which is using SSH and you try to use SSH with an IP address or a hostname, here at the HPC system you will often have... one minute... hosts allocated dynamically, so beforehand you will not know what IP address you get, and that's going to be solved by this MPI shell. Yeah, other than that it also includes PDA support, and this is quickly... this is an architecture which I will just explain quickly. The scheduler is something which spawns your job; the execution wrapper is something like the mpiexec, and then you have these mshd daemon services started on each host... 30 seconds... and the master daemon will start the application; the application starts the msh, this is a substitute: if you have SSH you can use it there, but if you don't, you have to use msh, and you do the handshake at six, eight, seven and nine, and then the output and input streams are multiplexed. And that's it, thank you.
Okay, good to go? Yes, three minutes is yours. Yes, hi everybody, my name is Jen Stomber, I'm a member of the international coordination team of the German Pirate Party, and today I'd like to speak about the foundation of the European Pirate Party.
Okay, just clicking, oh, it's the side button, okay. So the European Pirate Party is simply an umbrella organization that tries to get all European pirate parties under one hood, and basically its purpose is to act in the interest of its members. That means that it's coordinating efforts between the pirate parties in Europe in a common election campaign in the upcoming European elections, that it promotes the pirate party across Europe, and also helps you to found maybe a pirate party in your country if there does not exist one today. And of course we are also focused on being a link between members of the European Parliament, like Amelia Andersdotter, and the European pirate movement. So we are doing a lot of coordination and being a platform for people that need information on what's going on in the environment, and of course we're also doing conferences and stuff like that. So let me now talk about the program. So what is the program? It's simply the core values of the pirate movement: this is of course civil rights, citizen participation, open government, transparency, we want transparent politics, and of course copyright reform, patent system reform, and of course net neutrality, which is a topic that is right now discussed in Brussels, and free and libre culture. So now let me explain to you about the foundation process. Since April 2012 at the PPI conference in Prague we've been negotiating for about 18 months with all pirate parties across Europe... one minute... right now we are already in the national ratification process, so we are done until step number three, so what we are doing right now is step number four: the German Pirate Party and, for example, the Swedish Pirate Party and the pirate party in Switzerland and others have already ratified the PPEU statutes. And what's upcoming next is the foundation conference in Brussels, which will be in March, so at the 21st and 22nd of March... 30 seconds... we will have the foundation ceremony in Brussels, and yeah, everybody who's interested in that is of course invited to come around, and if you have any questions, go to ppu.net where you find all the information. Thank you very much for your attention.
Hi, I'm riot of the Hackerfleet. Can we start? I'll be presenting Cape, which is our middleware for the various tasks which we are doing. Cape is a component-based framework with flow-based components. We do this because we have a lot of machine-to-machine control systems and lots of sensors; we still interact with humans and we're distributed. We have this mesh capability because the Hackerfleet is aiming to connect ships together and reinvent the conventional navigation systems which you usually have on board a ship. The concept of flow-based systems is pretty old, but it's been forgotten a little bit; I haven't seen any books about it in German universities, so we are still conquering new land which is 30 years old. And it has a lot of advantages over conventional programming systems, because you have reusability of components, you have a strong
graphical development: for example, you can actually visualize what you're doing and work from that visual perspective to really solve your problems, and you can easily integrate other systems. And the whole concept is geared toward or aimed for flowing data, so you can really have some ship system, for example, and have the data flow and convert and merge it with some other data and transmit it to other ships; that's very comfy to do. So the project is an open development but very young; I'm right now one of very few developers developing it, so we're looking for more Python coders. A lot of the groundwork has already been done: we have a very strong component system, so you can install components from other sources, for example it's tightly integrated with Mercurial, but still there's a lot of stuff to do. The next milestone in January will embrace the flow-based system, so we are actually implementing it by the book, which is from J. Paul Morrison, Flow-Based Programming; it's available online. And there are other flow-based projects going on, like NoFlo, which is in JavaScript; if you like JavaScript, have a look at it, you can do lots of magic browser things with it, we're probably going to use it as user interface. If you have some questions you can ask me viadect or IRC, we'll have a channel and stuff. Hackerfleet is an open source organization and we're trying to conquer the seven seas and reconnect all the ships and vessels, so we will build probably the greatest mesh network on the planet if everything goes to plan. Thank you.
Okay, can you just go to the first one?
Yep, it was there, crap, okay, all good, yep. Okay, three minutes is yours. Hi, my name is Tobias. I guess you all have been using the toilets here; is there anyone who did not use the toilet? Oh, two, okay, that's good. Did you like it? I mean, was it clean? And it was awesome, that's good. So have you been waiting for other people? I mean, a lot? No, that's good. Okay, this is about a project called [ __ ] Happens, and I started this on another conference years ago; it's unfinished, it's not really started, and it's about tracking restrooms, and it's like those, and lots of those, but...
Sometimes it's quite easy to go there and do whatever you do, but it sucks: I mean, it's occupied all the time and you don't know; I mean, you get off your couch and you walk there, maybe it's a long distance, and then you don't know. So it would be cool to know what's going on. And if there's a lot of toilets like there, then that's not a problem, but sometimes it's like this, or it's more open, so you can guess what's going on, but yeah, I mean, that's probably occupied, but you don't know what's going on in the toilet, but maybe you want to know. But what's the benefit? I mean, I want visualizations; there are so many use cases, you can get like graphs of how many people go there, how often, how long do they stay, and I want you to participate in that, and we can really benefit from that, and you can build a community, and then maybe you find out that you have a [ __ ] buddy that is always using the same toilet as you, and we can have awards.
And if you did not realize this, this is a serious project, and please bookmark this URL and just contact me if you're interested. Thank you.
Wait, jokes during the lightning talks? No.
Do we have the clicker upside down? First slide please. You're halfway through.
Okay.
Yep, three minutes is yours. Thank you. My name is Charlie. A few months ago I changed my car and it came with this really boring old stereo, but the most interesting thing about the stereo is that it can send the currently playing, like, radio station or track information or whatever to this LCD in the middle of the dashboard clocks. But when you take the radio out that information goes away, fair enough. So when I changed the radio I spent a lot of time looking at the pinouts; it's a horrible mess, really complicated pinouts, but this is the most interesting thing in the pinouts: pins eight, nine and ten here are clock, data and enable, and it doesn't say what they're for. So I was wondering what this was for, and I figured out it was probably, you know, this missing segment of the display. So hooking up to an oscilloscope and logic analyzer, we're trying to figure out, you know, what is the protocol here, what's it doing, and is this really for this component. This logic analyzer was really hard to use, it was really old, there was no manual; it had a button on it that said "don't care", it's the best thing about this logic analyzer. So I moved to recording it with a sound card, just so I can get this data and I can start playing with it, and with the help of my girlfriend we figured out the format for this data. So it looks a little bit like this: there's a bunch of payload bytes, there's a command byte, there's a checksum; it's really simple, it's SPI in only one direction. These messages are 18 bytes long and the last byte is a checksum. So I wrote a bunch of Python that will listen to the microphone, the stereo microphone on your sound card, will identify these messages, decode them, validate the checksums and tell you about them. So this was generated from me pressing buttons on the radio and having them all turn up in the terminal, so that really helped with understanding it. But the next stage,
of course, is to generate these messages. I was using a Raspberry Pi, and I had to buy a logic analyzer; the sound card method was just not good enough anymore. So this is the first picture of replaying the radio's data back through the Raspberry Pi, but doing all of the generation and the checksum calculation myself. This was the first arbitrary text that we got in there.
Thank you. So there's, yes, this is some alignment issues, but for a first message, not too bad. This is how much data we have to play with; I don't know why it's only 15 and not 16, there's a bunch more work we need to do with this. This one I took a few days ago, but also note the difference between these two: this is lowercase, uppercase, lowercase, so the lowercase characters are all used for the special characters, so there's clearly not much, you know, memory available for this, so I haven't mapped out the character space yet, it's more work to do. The next most sensible thing to do is clearly to make a kernel module for this... 30 seconds... there's a bunch of shell scripts and Python for the camera system and all that running on this Raspberry Pi that's hidden under the dashboard, and all of these things just send text, they just echo it into proc and it turns up on the dashboard. All of this code is out there, and this should work on any modern, like, Audi, Skoda, Volkswagen or whatever from the last 10 years or so; mine's 12 years old, so it should work on yours. Thank you very much.
Okay, that last talk just reminded me that all of the lightning talks are being translated, or at least they were up until that presentation, so could we have a huge round of applause for the translators. All right, three minutes is yours. Okay. Hello, my name is
Just a quick reminder: as a speaker, please look at the screen below you, don't turn back towards the projector. Thank you.
Ready? Yeah, three minutes is yours. Hi, my name is Cooper Orwell. For the last two years I've been in Iceland doing a lot of things, and this is an update to a talk that happened last year, which was "What is up in Iceland 1". This is Ísland; I've learned a little bit of Icelandic since then. Where we left off last time, we were about to run the Pirates in the elections in Iceland. Oh sorry, I'm skipping: where is Iceland? Iceland is located in the middle of the North Atlantic Ocean; it's a little bit larger than Ireland. Why should you care what's going on in Iceland? Because a lot of the things that are happening in Iceland affect everything that we're doing out in the world. How do I even slide here, on the slide side? Okay, cool. So the elections went well: we got 5.2% of the vote, we needed five percent even to get people into parliament, and we got three people in the parliament. This is young thought oversight.
We have city elections in April; we are polling currently at 10 or 11%, which is quite good. There was a lightning talk yesterday by Pedro from open press, and that hit the news feeds over in Iceland, I believe, last night, and that's probably going to help as well. We'll see. City elections are a lot different; the mayor that was famous in Iceland is not running this year, so that may affect the elections there. Other developments in Iceland that I talked about last time: the very fast, low-latency cable to North America is happening, it got funded. Vodafone is a major player that bought in on that cable. It will be five times, ten times as fast as the fastest cable we have going to Europe right now. IMMI is still alive and kicking; there are projects that are planned for IMMI. Smári McCarthy is very involved in IMMI and started IMMI, and now a lot of the people that are along with the Pirate group are interested in seeing IMMI's completion. The new constitution, unfortunately, in Iceland is pretty much sunk unless there's a massive vote by a large percentage of the population. There's a small but growing IT startup scene in Iceland; that means a lot of money is coming into the country and a lot of interesting people are showing up in the country, like the Mailpile team that's in Iceland, and they're floating around the conference here. There have been some interesting developments with low-cost electricity and Bitcoin mining that just happened about a week ago in the New York Times, so that should be a very interesting development, because Iceland's already got currency controls going on and Bitcoin is pretty frictionless between currencies and countries. This is my contact info, and if you have questions just hit me up. Thanks a lot.
The general rule of the lightning talks, if you've been following this program for the last couple of years, is that I'm generally pretty strict about the rules, unless I somehow screw up, and this is one of those examples where I realized maybe five minutes before I took the stage that I couldn't get this presenter's presentation to work on my hardware. So we're going to make an exception to the rule that says that all slides are pre-loaded and run off of one machine in advance, and I'm going to do my best to try to kill time while they bring up the presentation on the video display that's coming out of the podium.
Wait, where were the funny noises coming from? Can I make any funny noises? Where were you guys at, like, 5:30 this morning?
There were a lot of funny noises going on then. I'm not so sure that I'm in the disposition to be able to do that, but yes, if we could possibly... Do I have the what on that? I'm so sorry. The question was, do I have the app for funny noises on my phone?
And I just got some updates for apps that I don't remember installing, so...
And yeah, do I need to give the video over to her, or are they going to... You give it away? Oh, then let me switch. Is it their switch here to the video?
Do you have the... I can give it to you, but it's not going to be long enough.
Something. Ah.
Again, a huge round of applause for all the pros that end up working in this room, making up for my last-minute screw-ups. Yeah, okay, the mic is working. Hi. Three minutes is not a lot. I'm Linda Simon and I'm working for Commons Machinery. We want to support open licenses. If you are using free licenses you might have encountered some problems with proper attribution. So, for example, if our photographer Joey puts his pictures under a free license, we can all profit from his work, but if Emma, for example, really wants to do that, she can put the picture on her blog, and of course she's a good girl, she attributes according to the license, but she has to do that manually. We think that the more we attribute, the more creators will be encouraged to share their work, but attribution is really exhausting and drudging. Everything is very complicated; it's too complicated to keep track of all the different licenses and information, and as private users we usually don't have our personal legal department at home to make sure that everything is right. Today almost no CC license is attributed correctly, and of course that's because it's very confusing. But why bother thinking about that? This is work that could easily be done by software. So imagine you have a catalog with all the information about the images, textures and so on that you ever used and reused and created. This catalog could be integrated into your creative tools, making it easy to find, use, attribute and create new works.
This could work like an automatic inclusion of the accurate credits into your work. We would be using metadata for this, and with that it would be easier to find your work and to attribute it, and you could even get a notification that your work has been used. That's what Commons Machinery wants to do: we want to make sure that the context of a work is persistently associated with the work itself. Let's bring licensing into the 21st century and make it usable for everyone instead of worsening copyright law. If you're interested, we have a mailing list which is about licensing with metadata; you can write me an email to sign up for that, or you can visit our website commonsmachinery.se and sign up for our newsletter. Thank you very much.
Don't forget, the slides are, you can see them down there. You adjusted your mic, and three minutes is yours. Hi, I'm Brennan, I'm the UX designer guy from the Mailpile team, and my goal is to try to make PGP and sending encrypted emails really, really easy, so normal people like my mom can start sending private messages with me. The problem with this is that good UX design is: the fewer the number of steps required, the better. It's not really about making a button that looks really pretty and straightforward, because a lot of times the problem is steps. How many steps does it take to do this, this and this? There's no magic button that's going to solve it and make PGP easy. So the problem really is: how do we transmit a user's public key in a way that is easy, requires few steps, and is verifiable? That's the part that is really like, how do you do this in a way that's actually secure and actually easy? And I kind of came up with this idea the other day and I was like, oh cool, I want to lightning talk about it. So PGP keys, as most of you know, are huge blobs of cumbersome text. In Mailpile we're going to start attaching PGP keys by default to outgoing mail, so that's going to help with proliferating keys throughout the general public. There'll be all these keys everywhere, all over the place, and that's a really good thing, but a lot of those keys, most of them in fact, are going to be unverified. So there are some solutions for this, such as receiving a fingerprint in real life, which some people do: they put them on business cards. I received probably like 10 here at the conference, and that's great, because I know what that is and I know where to navigate through my program to figure out how to add that and verify it. Okay, great, now I've got a verified PGP key. But as soon as you start telling a normal person to do that, it's like five steps later: what program are they going to use, what box? You can't exactly tell, because you don't know what hardware or software they're on. Sure, you're using GPG for Mac Mail or an email client or whatever. And it requires reading and transcribing a bunch of little numbers between two screens, and it's very mathy, all right, not mathy but techy. So a better solution might be to put a QR code on a business card. In this QR code we could get about 311 characters at the most optimal setting, and if you can read it from a card, why not on a screen such as laptops? You're at a conference, you show somebody your screen such as this, it has your info, they take a picture of the QR code; you can even go phone to phone. In that QR code there'll be your name, email address, PGP fingerprint, or a key server URL and fingerprint if the length of the data is too long, and then that QR code data is transmitted securely back to your user's address book on your mail node or any other application. This isn't something that is specific to Mailpile; it's a user interaction flow that could be adopted and used by many different applications, and it could make the idea of a key signing party extremely easy, because with anybody that a friend of yours knows and trusts, you could scan multiple things, swoop up the fingerprints and call it good. It's a three-step flow: meet person, scan QR code, save contact.
Hello, I'm David. So you want to write a Tor pluggable transport. What is a Tor pluggable transport, and why do I want one? Let me show you an example. This is what the beginning of your traffic looks like when you connect to normal Tor. As you can see, it's actually TLS; it's a TLS client hello. You can see in here some distinguishing characteristics, for example a list of cipher suites and this kind of characteristic randomly generated server name. Unfortunately, these distinguishing characteristics also make it easy for censors to find out that you're using Tor and block all your traffic, and censors do in fact block Tor in exactly this way in a lot of places in the world today. On the other hand, let's look at what your Tor traffic looks like when you turn on something called obfsproxy. At this point all the censor sees is a bunch of random bytes; there are no byte patterns to look for and identify that you're using Tor. obfsproxy is in fact the way that many people in the world right now are accessing the Tor network in places where it would otherwise be impossible, so this may literally be a lifesaver in some cases for some people. obfsproxy is wonderful, but it doesn't do all the things that we want, and this is where you come in.
Here we have a block diagram of the Tor pluggable transports infrastructure, slightly simplified but not much. You can see that the Tor client talks to some code that you wrote, your code does something magical, and then your code again talks to a Tor relay. That "something magical": the sky's the limit, it's only limited by your imagination. We have proposals right now to send Tor over SSH, or send Tor over Git, send Tor over HTTP, UDP, all sorts of things that we think will make it hard for censors to block Tor. We also need transports that do clever things like randomized packet lengths and randomized packet timings, because these are also things that are characteristic of Tor and make it easy to block. Right now we have all the infrastructure in place to do these pluggable transports, and we're looking for creative ideas, and we need your help. (One minute.) To make pluggable transports work there is a little protocol that you use to talk to Tor, but you don't have to worry about that too much; we have libraries for you to use. If you're interested, google these words and you can find out more about it. We have libraries right now for Python and Go and C. To find out a little bit more, download the slides, because these are hyperlinks and they'll take you to some more information. We have a wiki page that tells you the current state of the art of pluggable transports, there's a specification, write to the mailing list if you want some more help and you want to get in touch with developers like me and others, and every two weeks on Friday we have a meeting just for pluggable transports on the tor-dev IRC channel. We're looking for a few good hackers, so come hack with us.
And three minutes is yours. Thanks. Hey there, my name is Tobias; I look like the guy who did the abs, but that's another talk. So this is about the Umweltzone, the low emission zone. I guess there are people here from Hamburg and they don't know a heck about the Umweltzone because they don't have it, and there might be people riding a bicycle, but if you want to leave, stop, because there are always relatives and friends who visit the town and they will ask you where this Umweltzone is, and that happened to me. So if you want to download the app, it's an Android app, it's free, it's open source, and a friend of mine and I set that up within one month. It's on the Play Store, you can download it, and there's also a repository where you can have a look at the code or work on it, send pull requests, whatever. The app is quite basic. It's just a screen, a map that shows the Umweltzone of a city, and you can pick a city, then additional information whether this regulation is going to change in the future, and of course the FAQs where you can look up this whole topic, whether your car is affected or restricted from entering a certain area.
And we kind of looked for data that is officially published, and you have those wonderful PDF files where they scan old map data and draw the zone on it, and it's low resolution, so you kind of have to guess where the zone is. I also asked for official information at the government, but they said it's meant for orientation but not so this way. So this is another one, and yeah, thanks to OpenStreetMap we have some more cities that people put in there, and there are wonderful tools where you can grab the data with. So that's it. Tell your friends; I mean, if there's anybody visiting you, you might have a problem finding the zone. Thanks.
Cad note, going once, going twice.
And seven.
No, no, no, no.
He asked if there was any problem with two of them being on stage at the same time, and as long as you can share the microphone, which means you're going to have to cuddle at the podium a little bit, or swap off. Hey, do you hear me okay? Three minutes. If Cuddy Cat wasn't there, does it mean we have six minutes or not? No. All right, never mind, two minutes. Okay, you give up easily; I was about ready to let you have it. So five minutes.
Let's stick to three minutes, because we might actually catch up. So go ahead. All right, so if you're ready: hey, my name is Slavamir and here's Justine. We are the guys who are organizing the CONFidence conference, a conference which is held in Krakow. If I can use the pointer, all right. So CONFidence has been organized for almost 10 years already; we've already had 11 editions, and this year in May we're going to have the 12th edition. To sum up what CONFidence is about: it's an IT security conference for about 400 people. We've been doing it for the last couple of years, and every year we're increasing the number of technical presentations during the conference. We organized the first CONFidence in 2005. It's been organized in Krakow, and as you may see there was one edition in Prague and one in Warsaw as well, but we try to stay in Krakow every May, which is basically the switch between the seasons.
It's almost as hot as during summer time, so it's a really good time to go to Poland, and by the way, if somebody doesn't recall, Poland is the country next to this one. Why did I say that? Because it's super easy to get, for example, from Berlin or from Hamburg to Krakow. It actually takes six hours, because we eventually made it, we have highways in Poland, so we can really go pretty fast to Krakow and visit us at CONFidence. So what is the conference about? The conference lasts two days, usually we have one or two tracks, most of the presentations are held in English, and all of them are super technical. Basically the topics we cover start from the really low hardware layer and end at secure architectures and web services, and in between we always have some exploits presented at the conference. So the technical parts are really awesome; you would have to see it. And what can you see here? We always try to pick a really interesting place for the conference. For the last two years we've been doing it in the water pumping station, you may see the pictures; this year we're going to use an abandoned hotel for that. And there's something we've been doing for the last two years; we call it the Extraction Point. Together with the core group guys from the US we are organizing a game, a spying live game, where you can sneak, you can use ASG guns, you have to shoot the live targets, which are like calculating points, every minute, then you have to use your lock picking skills, then you have to at some point phreak the phone so that you can contact the base. You are doing the games in teams of two, and you have the guy who is walking around as a spy and the cooperation person who sits at the office, then you have to break into surveillance systems. So if you're lucky, we're going to run it for the third time this year. And the contact: right now we have a call for papers open and the registration is open, so if you're up for visiting Krakow just hit it up, the 2720 fmi, and the contacts are over there. Thank you.
And, oh no, actually we've been at this for a little more than an hour, so we're just going to take a quick break, but we will be back here and go straight on until three. So come back in about six minutes and we'll hear Stitch's great presentation about Awesome Retro. Thank you.
after what you did yesterday this is a cakewalk this
All right, ladies and gentlemen, if you could please take your seats.
Before we get back to the Awesome Retro talk, just as a reminder, we're going back into five-minute lightning talks this time. The three-minute express round was an experiment this year, and I think it went off pretty well, so could you get a round of applause for all of the great,
all of the really awesome talks. And I believe that except for a couple of submissions which came in at 2am, some of which were obviously not serious, we managed to get everybody who wanted to give a lightning talk in this year, and that's a first for the full lightning talks, so a huge round of applause for that.
Just a couple of quick reminders: the lightning talks are being translated. I really hope that we have the audio from that, because I can't wait to hear what they did with some of them. There's also a declaration: John Perry Barlow at the 20C3 issued a declaration of independence for the internet, and we decided that we're going to try to update it this year, so if you would please check out the pad at that address right there. And finally,
because the lightning talks have so much content in a relatively small space, to help the people who are going to work on the video afterwards, and to make sure that you can find the lightning talk content that you want to find, please check out this pad at this address right here. If you're on your laptop and you can help out, just describe what's going on with the talks, give some keywords and things like that; it's on the pad right now. Could we get a huge round of applause for the three people who worked on that for the first session of the lightning talks.
And without any further ado, Stitch, you ready to go?
Okay, and I prepared for three minutes, so it's two or three minutes for me. I sent you an email saying that you had five. Oh, and just so that we do a quick review of the other things that I mentioned in the email: you've got the clicker, everybody figured that out. And actually a huge round of applause for the video guys who figured out how to put the timing unit on the screen full size so that you can see it; another round of applause for those guys. I just love how awesome these guys are and how they make every effort to make this really, really awesome despite everything that I do to prevent them from doing so. So with that, you have five minutes. Stitch, are you ready to go? Yeah, I'm ready. Go. Thanks. Hi, I'm Stitch, I'm one of the guys from Awesome Retro. We are a non-profit organization dedicated to bringing retro gaming to all kinds of events. You might have seen some projectors and Segas and Nintendos, and seen the world's leading security experts playing video games.
Well, we're an organization that's based in the Netherlands. We have currently 50 volunteers, we just had our first anniversary, we made these awesome 3D-printed 2D objects, Space Invaders, very nice, and I want to show a few things that we do and
say what we are currently doing, and beg for your donations, because we are a non-profit and we are working very, very hard to make awesome things possible. So, as I have little time, these are some slides of the crew at another large dance event. You see those Tetris blocks; we made six of them, one by one by one cubes. A lot of engineering went into that; it's really nerdy, you can have the same clothes, same sizes, same frames, and make all six shapes of them, so that was really nice. You see a large Nintendo controller on the roof of the tent, and you see lots of cool people. We visit about 15 to 16 events every year, and furthermore we lend all kinds of retro gaming gear: if you have an event and you want to do something with retro gaming and you're also a non-profit, just drop by and send an email, and you can pick it up and use it at your events. So we have this mission: retro gaming for everyone, and everyone is a lot of people. We're also here, as I told you; you see these projectors, they are starting to die slowly after four days, but they're still usable. And in the front you see this Nintendo table, and this thing works: you can play with two players, the game is Mario Brothers 3 this time, and you can see a lot of people fail at this game. It's really nice to see the coordination, and I didn't see anyone beat the game yet, so there's a challenge for you. The third level? Ah, no one? Oh, I'm disappointed. The current record is at the first castle, but nobody beat that yet. So some slides: we currently have 49 consoles that were donated, and those are complete with all controllers and all cables, preferably original stuff. We have partial consoles, so maybe one cable or one controller of something, and we have a database with 433 items. We try to have as many statistics as possible, but due to the time frame I'll make it a little bit shorter. The oldest console is from 1973; it's, I think, a Philips Videopac, a nice great, or I think it's a Pong console, yes, it's a Pong console. The newest is screwing up our statistics, but we bought it just because it should be hacked; it's a kids' video game and it should have other, more violent games on it. So currently we have this donation rally called Donation December. I encourage everybody in this room and watching this stream to check your attic and see if you have got some retro gaming stuff that you didn't touch or see for years. That's the stuff we give a second life, and everybody can use that. (30 seconds.) These are some pictures; we even got a donation from Finland, all kinds of Dreamcast gear, old school audio cards, a stack of Xboxes and everything. So send an email right now if you have some stuff lying around; you really help everybody. And, well, thank you very much.
Okay, hello, I'm Last Fisher. During my days I work at the university in Siegen, and I'm talking about a project that is more or less night and day for me sometimes, because it's a little bit too cool. I'm here on vacation, that's why there are no icons on the slide that state where I'm coming from. The project is called Physical Objects and Sneaker Transport and was conceived, I think, three years ago. That doesn't mean it's too far gone now; it means we're still developing it. The thing I want to do there and here is to make all of you into postmen and postwomen, meaning I want you to transport physical objects; that's the title, obviously. What's the thing here? Ah, thank you. Okay, a little bit about the idea. The idea was conceived when Aram Bartholl introduced dead drops; you probably all know these USB sticks. The idea was that you can somehow store data on it and so anonymously, completely anonymously, exchange data. That means you're storing data there, taking data with you, meaning making these things and yourself into mobile store-and-forward devices transporting data. That is actually not a really new idea, but we thought we can do this with physical objects, and that is not a new idea again, because every one of you is transporting physical objects from one place to another. What we want you to do is hand them over in between, so that they can reach beyond your transportation range, being transported by somebody else. And that again is nothing new; it's called co-presence networks and is researched, well, kind of thoroughly, not too much. There's another guy from the university in Darmstadt here who's working on something similar; if he's here, I'm interested in meeting you just after the talk, probably. Okay, the main advantage of this idea is not only that it is a completely distributed network that we're building here, and that we're building something that is censorship hardened and so on, and
is by that quite cool. The cool thing too is that it opens up a lot of problems that are not only interesting for transporting physical objects but are also interesting for, well, anything else, if you like. So if you want to have distributed networks, you have to provide some kind of transport security; for some kind of transport security you need some kind of authenticity; if you want to stay distributed, then you have some kind of distributed authentication schemes; if you are dealing with other people and you're dealing with locations, you have a huge location problem, because you always have to disclose your location to everybody else, which is probably not what you want to do. And those are problems that we are trying to solve on the way. We already have created some kind of a demo to just check the basic feasibility; that is also not really that new, we just use the random waypoint simulation. We have green dots, that is you moving stuff around, we have red dots being stuff, and the lines are just somehow showing off the destinations of people and of objects, and the purple objects are objects. And we found out that, well, stuff can be moved, but at a really strange cost: you have something like a path dilation of factor 20 or something.
Yeah, good, I'm here. So, to provide at least some structural basic security and basic privacy on the way, the core idea is the negotiation protocol. If we do routing in a way, we always have a routing protocol; what we are doing here, and what is new, is that we negotiate routes. We don't have some router who is, for himself, just stating something like "all right, I have a packet, I have these ports and those ports and I just can run them there". We have two people, and they have to negotiate the routes, and you see some kind of circular structures with "maybe", and "yes", "no", should we hand over the goods or not. The idea in itself, if at some point in time we will be able to provide this, and we won't provide it via this small cell phone that you're carrying around, because it's kind of tedious to talk to everybody else about where you go and "I'm going there", and if we finally can have it, you have some kind of automated transportation system that is somehow usable in infrastructure-poor areas and, well, usable to somehow transport contraband. You might realize that this experiment is... I'm too slow, okay... is in the making. Please contact me if you want to know more.
go yep it rotis and see what is that where's the clicker okay wait we're going to need to do over on that one uh pause reset the time all right all right good now you can go iteration c what is that
are we go
is this going off my time no no you keep you telling all right well
the fail just never ends
all right that i think that's a very appropriate title for what's just happened in the last two two minutes
Okay, can we reset the clock again? Okay, fingers crossed, third time's a charm. Five minutes is yours, try again.

All right, iteratees in C. So, what iteratees are: an API aimed at input processing. It has its origins in functional programming, and as such it makes heavy use of first-class functions, so it was a little bit of a challenge to transfer the concept to C.

But the motivation is to provide a high-level and formal way to describe in code the behavior of IO, what input to accept and what to do with it, and to do this for the code that is still, for better or worse, being written in C. So as an example, here's the main part of a program to count the number of words on standard in. These highlighted things would be low-level iteratees defined elsewhere: drop_ws would drop any whitespace from the beginning of input, drop_word would drop any non-whitespace, and count will simply take all its input and return the number of elements in the stream. So these entities each have a result; this can be null, as would be the case with drop_ws, drop_word and, by extension, also word_, which you can see there. Now, these highlighted things would be standard functions provided by the library: bind_ simply runs its two arguments one after the other; decode runs its argument repeatedly and passes, via wrap, the stream of results to, in this case, count. So count receives, for each word on the input, one value of null, and counting those gives you the number of words. Right, so going on: enumf will enumerate, as it is called, the file standard in and pass it as a stream, again via apply, to the iteratee we just defined. So this is where all the actual work happens. And finally, finish signals the end of input and extracts the result. Now, as a benchmark, I ran this against a list of about 14 million passwords. Compared to wc -w: wc -w takes 3.8 seconds, my initial naive version took 9 seconds, and I got that down with some easy optimization to actually 3.7 seconds, which is pretty cool. Memory allocation peaks out at 3 megabytes at a time.

So the proof-of-concept code consists of about 1500 lines of stuff. This includes basic iteratee construction, combinators and several examples. The memory management happens transparently by a bespoke garbage collector, and in fact adapting the memory management to hard-constraint environments such as device drivers, embedded systems etc. is one of the things for the future. Also high on the to-do list is a larger case study before the PoC can be turned into a proper library.

Finally, you can find all this stuff at this address. That includes all the code, the slides of this talk, some docs I hope to add today, as well as the slides to a longer version of this talk that was given a few weeks ago. And finally, if you have any feedback, if anybody has any suggestions or thinks this is a great or stupid idea, please do send it to me at this email address. And I'm a bit fast, I suppose,

because that's it. Thank you.

Hiya.
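To make the composition the talk describes concrete, here is an added illustration in Python of the same word-count pipeline; it is not the speaker's C code. The names drop_ws, drop_word, word_, bind_, decode, count and finish follow the talk, but their Python signatures, the Done/Cont state objects, the EOF sentinel and the string enumerator enum_str (standing in for the talk's enumeration of stdin) are assumptions made here. One deliberate adaptation: the drop_* iteratees return how many characters they dropped instead of null, so that a run of word_ that consumed nothing (trailing whitespace before end of input) is not counted as a word.

```python
"""Iteratee-style word count (added example; names follow the talk, details assumed)."""
from dataclasses import dataclass
from typing import Any, Callable, Optional

EOF = None  # the enumerator pushes this instead of a chunk to signal end of input


@dataclass
class Done:
    """The iteratee has finished; `rest` is input it did not consume."""
    result: Any
    rest: str


@dataclass
class Cont:
    """The iteratee wants more input; `step` consumes one chunk (or EOF)."""
    step: Callable[[Optional[str]], Any]


def feed(it: Any, chunk: Optional[str]) -> Any:
    """Push one chunk (or EOF) into an iteratee; a Done iteratee ignores it."""
    return it.step(chunk) if isinstance(it, Cont) else it


def drop_while(pred: Callable[[str], bool]) -> Any:
    """Drop leading characters satisfying pred; the result is how many were dropped."""
    def make(dropped: int) -> Cont:
        def step(chunk: Optional[str]) -> Any:
            if chunk is EOF:
                return Done(dropped, "")
            i = 0
            while i < len(chunk) and pred(chunk[i]):
                i += 1
            if i == len(chunk):                # chunk exhausted: ask for more input
                return make(dropped + i)
            return Done(dropped + i, chunk[i:])
        return Cont(step)
    return make(0)


def drop_ws() -> Any:
    return drop_while(str.isspace)


def drop_word() -> Any:
    return drop_while(lambda c: not c.isspace())


def bind_(first: Any, second: Callable[[], Any]) -> Any:
    """Run `first`; once it is Done, run `second()` on the leftover input."""
    def step(chunk: Optional[str]) -> Any:
        nxt = feed(first, chunk)
        if isinstance(nxt, Cont):
            return bind_(nxt, second)
        sec = second()
        if nxt.rest:
            sec = feed(sec, nxt.rest)
        if chunk is EOF:                       # end of input also reaches the second iteratee
            sec = feed(sec, EOF)
        return sec
    return Cont(step)


def word_() -> Any:
    """Skip whitespace, then one word; result > 0 iff a word was consumed."""
    return bind_(drop_ws(), drop_word)


def count() -> Any:
    """Sink: count the non-zero results it is fed; EOF yields the total."""
    def make(n: int) -> Cont:
        def step(x: Any) -> Any:
            return Done(n, "") if x is EOF else make(n + (1 if x else 0))
        return Cont(step)
    return make(0)


def decode(inner: Callable[[], Any], sink: Any, cur: Any = None) -> Any:
    """Run `inner()` repeatedly over the input, streaming each result into `sink`."""
    def step(chunk: Optional[str]) -> Any:
        it, snk, data = (cur if cur is not None else inner()), sink, chunk
        while True:
            it = feed(it, data)
            if isinstance(it, Cont):           # inner needs the next chunk
                return decode(inner, snk, it)
            snk = feed(snk, it.result)         # one result produced: hand it to the sink
            if chunk is EOF:
                return feed(snk, EOF)
            it, data = inner(), it.rest        # restart inner on the unconsumed remainder
    return Cont(step)


def enum_str(text: str, it: Any, chunk_size: int = 4) -> Any:
    """Enumerator: feed `text` in fixed-size chunks, then EOF."""
    for i in range(0, len(text), chunk_size):
        it = feed(it, text[i:i + chunk_size])
    return feed(it, EOF)


def finish(it: Any) -> Any:
    """Extract the result of a finished iteratee."""
    if isinstance(it, Done):
        return it.result
    raise ValueError("iteratee is still waiting for input")


def count_words(text: str, chunk_size: int = 4) -> int:
    """The talk's program: decode(word_) streamed into count, then finish."""
    return finish(enum_str(text, decode(word_, count()), chunk_size))
```

The small chunk size is deliberate: words are regularly split across chunk boundaries, which is exactly the case a stream-oriented design has to get right, and the iteratee state (a Cont holding its partial count) carries the word across the boundary without any buffering by the caller.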
Hi there, I'm Michael, I'm from Metalab in Vienna, and this talk is going to be about an arbitrary TCP connection from the clearnet to a hidden service. So I hope you're all familiar with Tor hidden services; if you're not: Tor2web is a way to connect to a location-anonymous service, which basically enables the people that provide some content, or some website anyway, to stay anonymous, in contrast to the user. Or sorry, Tor2web doesn't really secure the user from being deanonymized when looking at certain content. So I was interested in basically having a clearnet connection, a transparent proxy to an arbitrary hidden service, say for example to do TLS handshakes with an onion from the clearnet, enabling safe transport and storage, as it can read. And the way that I wanted to do it is to have a very tiny virtual private server with, I don't know, 128 megabytes of RAM, that doesn't have anything on it except for configuration files and maybe public SSH keys. So how about doing a proof of concept? HTTPS servers are so easy to set up, that would be boring, but I actually have a use case: I want to store my email in an anonymous location, because hey, you never know when law enforcement drops by and forces your provider to hand over the machine, and in certain jurisdictions you are also obliged to provide the password for the full disk encryption. So throw your hands up in the air for SMTP! Yeah, I hate it too. But anyway, the actual configuration is awkwardly simple. For the Tor configuration on the transparent proxy side it's three lines, and it's only two if you don't use Tor2web mode, which drops three nodes, like half of the circuit, for a hidden service connection, which basically makes it faster. And if you want more ports and more services on the same connection, you can just, oops, use that with iptables rerouting to the same port. So here we go, that works: I have a localhost connection from an actual clearnet server; it's all ECDHE, so ephemeral and perfect forward secret. So it's "such dark, very hackathon, much hide, location anonymous". Saving for email, that's great, but I also would like to have outgoing connections, but we don't want to be spam. So what we're actually trying to do is send our email out of the same machine that we use as a transparent proxy. So we're going to use SSH for Tor's SOCKS proxy, and there is this wonderful little application, which I'm not quite sure how to trust, but redsocks enables transparent proxying over SOCKS. So that's fun. But wait, [ __ ], Tor doesn't support MX records, and Postfix [ __ ] up if it doesn't get UDP requests for DNS, and we also don't want the hidden service that we're running to leak DNS records. So there's this, I don't know how dodgy it is, it's from jtripper on GitHub, but it's enabling basically a DNS SOCKS proxy, with which you can then place regular UDP DNS requests over a SOCKS proxy. Well, that's great. So let's do some more iptables fun, and all of a sudden, there, I fixed it.
36. Yeah, fun, I have an outgoing connection from my hidden service,

transport secured. And hello there from the dark net: "many locations, anonymous, such secure, very spam workaround, wow".

So there's some issues, there's some future, and that's it.
And five minutes is yours. Thanks.

Hi, my name is Falca Grace, and I want to present to you a small tool that I wrote some time ago. It's called Bitcoin Proof; it's a kind of digital notary, so I think I have to explain what this means.

The idea is to use, or misuse, the Bitcoin network as a way to timestamp your data, so that you can prove afterwards that this piece of data existed at a certain point in time.

For example, you have a new flat, you make some pictures, and there was some damage, and afterwards you want to prove that this damage existed when you moved into this flat. And you can simply do this if you can prove that this picture had this time and was not created afterwards. And this is not so surprising, because the whole Bitcoin network exists to ensure this kind of timestamping; the only difference is that they timestamp transactions and not other kinds of data. But it's still possible to plug other data into the Bitcoin network, and this is what this tool is about. So this allows you to save some money for a notary that you would have to hire otherwise. The tool is quite simple: you can put in your data. Note that everything is calculated on JavaScript's side, so nothing is uploaded; but if you don't trust me, just calculate your SHA-256 checksum offline and then copy this in there, it will work too. And from this one, a Bitcoin address is calculated, to which you can put any amount of money, as little as possible of course, because you almost certainly won't get it back. If you put in some new data, you will get an address and it will tell you "oh, this is not known, so you can create this timestamp"; this is a simple link to this Bitcoin address where you can put some minimum amount of money. And in the other case, it shows you "yeah, I found this in the Bitcoin network, there was a transaction to that account with that number at that point in time", so no need to put any more money on it, this is your proof. And of course this is just a convenience feature; you can calculate everything on your own if you want to prove it.
Yeah, there's also another tool that isn't mentioned in the slides; it's a nice Android app by some different person, he called his tool Satoshi Proof, which is compatible with this one. And the basic idea is that this SHA checksum normally is the checksum of the public key of your Bitcoin account, but the network doesn't make any assumptions on the structure of this public key, so it can be the checksum of any kind of data, and that's what I'm using here. If you want to do this little hack with a real bank account, of course you can use the purpose field and put in any text you want, but you can't do this in Bitcoin, so I have to misuse the Bitcoin address for that. There's also a nice idea for an extension that isn't implemented yet: to not use this checksum to create the fake public key, but to create a private key, which would allow you to get this money back after this fake transaction. Of course the question is whether two times the transaction fee is worth the trouble of moving this minimum amount of money, so you would still have to decide on your own. Yeah, and that's it. Please have a look at it, and I'm happy to get any feedback or help, or tell me if it was useful for you. Thank you.

All right. Oh, and you see your slides there too, in front, right? Yeah, okay, five minutes is yours.

Okay, hi. So let me introduce myself to you first: I'm Nik, I am 23 years old, and on paper I am a student in linguistics and information science, but this is a bit vacant because of the several projects I am doing in the area of open source projects and such things. But this is not all too important, because what I want to present today is an organization that we founded only this year, and this is Teckids. So the first question I want to answer is what this Teckids thing is. First of all, we are a German non-profit organization, and we have consolidated several projects in the area of youth work. So we started out with a... why doesn't this... oh, I'm a bit confused. Okay. So we started out with the holiday camp we ran at FrOSCon, which is a FOSS event in Sankt Augustin near Bonn, and after that we picked up the work on several other projects. One of these things is a partner network: the core of our project is a strong network of projects and people and also companies that share our goals. And one thing is, for example, when we are building a network between companies and, for example, students, then maybe we can get these students into internships that are a bit more exciting than the average stuff you get when you're a school kid. Okay, I already mentioned the holiday camp we ran; this is a short impression of this event. The idea is that we integrate the kids into the whole of this event: not only do they attend it, but they also run it. And the reason is that we want, as a central goal, to build up a community among youngsters, just as we did through many years among us hackers; we also want to port this community to youngsters. I will go into detail about this in a few seconds. Okay.
There are a few projects we plan to run in the near future. One of these is: we want to build a communication platform. Nothing really new, we just want to put together all that stuff that is already there. But we have found that most free alternatives and most free software are not as attractive for school kids as they should be, and we do not blame this on the open source projects, because they have different things to do. So we want to be some kind of glue between the young community and the open source projects, to help them make their software and their services more attractive for the young members of the community.

Okay, and there's also another point where we need to network, because we do some negotiation with parents and teachers and all this. There are two worlds that clash a bit, because one thing is, of course, parents have an obligation to care; they need to know what their kids do on the internet, of course. But this does not mean that basic civil rights like telecommunications secrecy (one minute) do not exist for minors. We need to care about this to get these two things under one hat.

Okay, why do children need an open source community? This is fairly easy: you all know why we need an open source community, because we need to get together on topics that matter, both technical and social. So we need to help youngsters to build up such a community as well, because they do not have the possibilities to do this on their own like we did or are doing. Okay, I need to hurry a bit.

Acceptance of free software in education must grow. This is... yeah, okay. Okay, if you really feel the urge to support us, drop by at our booth; we are on ground one in the corner. Thank you.
Oh, um...

I think, Frantisek, did you want to come talk for a second? Okay, yeah, sure. Do you mind letting Frantisek come in, because he just baked us a whole bunch of chocolate chip cookies.

Oh well, explain which cookies you had. Let's... and can I have two minutes?

You brought cookies; I think that's a pretty good bribe for the audience, no one's ever done better than that in the history of the lightning talks. So we'll start handing out these cookies, and your time lasts as long as the cookies do, how about that?

Go for it. Thank you very much. My name is Frantisek Algoldor Apfelbeck, and I am a food hacker and biotechnologist, "capacitor" if you like. I am interested in things which support the hacker movement in a way which is sustainable and connected to food and beverages. You may know the food hacking base project, which I have been involved in for the last few years, and which actually Nik helped to start a long time ago, in a way, in a camp in Finowfurt. We move on from camp to camp, from congress to congress; at this moment we have several crowdsourcing campaigns behind us, we managed to grow our community, build up portals online and work on projects which we think should happen. Our belief is that combining the ancient knowledge of fermentation and today's scientific understanding and technology is a very good idea, and it's important. Most of the people here know a lot about technology and science; many of you unfortunately forgot a bit about the connection with nature, with life and things like that. So we are trying to be together, so the community is around the table together, enjoying. At the moment, we for the first time managed to actually build the food hacking base here at the congress, where you could come and take a workshop, all based on donation, no one turned away for lack of funds: the image tube, experimental kitchen, running water, expert incubator, experimental fridge and many other things. I hope that you managed to talk to us and take some of our lessons; if not, you have a chance at the next congress, where we are very likely to grow, and we hope to provide a better and better environment, not just here but, through our activities, build up a scheme which could be applied for activities of this type: DIY bio, food hacking, beverage hacking at conferences and hacker communities all around the world. I would like to thank you for your time. I think the cookies are nearly gone, so it'll be tough; this is your last call for cookies, I think they're about done. Yes, thank you very much for your attention, please keep in touch. And last announcement: we are just starting another crowdsourcing campaign and a tour around Europe for the next six weeks around hackerspaces all around. Thank you very much, and thank you very much, Nik, for your... thank you, bye.
All right, thank you. So what did you guys think of the cookies? All right, so thank you for letting us have that. And five minutes is yours.

Hello, my name's MacLemon, I'm with the Metalab in Vienna. We've heard a lot about crypto and hardening services, the cryptoparty movement teaching the crypto tools to everyone, how well-implemented TLS can thwart a lot of sneaky three-letter-acronym organizations from eavesdropping on our traffic. So there's the BetterCrypto project, and all these things are based around a simple idea, which is: no more plaintext. We encrypt everything; all the traffic has to be encrypted. So we've created the definitive guide to applied crypto hardening for your servers, and we're targeting system administration. So if you're administering a server or a cloud or something like that, this guide is for you. So if you go to bettercrypto.org, what can you find there? The scope of the document currently covers testing, so you can see how good or bad your server actually is at this moment, with easy ratings as well. We cover web servers like Apache, lighttpd, nginx, of course. We cover mail servers: you're running Postfix, Exim, Dovecot, Cyrus, we've got you covered. We're talking about key lengths: what is the minimum key length you should use today, what shouldn't you use anymore, and if you have a high-security application, where should you move on to. We're covering algorithms, which cryptographic algorithms you should not use anymore; we've heard a lot about RC4 being broken, don't use that anymore; we tell you what's best to use at this moment. Random number generators: all your crypto can go pretty much down if you have bad random numbers, and not every dice roll should give you a four. We hope you're using VPNs; we're giving advice on L2TP, IPsec, OpenVPN; the PPTP section is very short, it's basically "don't". Also proprietary stuff like Cisco; yeah, not only open source, we even care for commercial products. Yeah, you're using SSH to administer your server, and you never can know enough about SSH, so here's how to harden your SSH servers. Of course GPG is a well-known and respected tool. We all use instant messaging, it happens; you can do a lot in improving instant messaging security. Databases: encryption of databases. And when you go there, you find tested configurations; you can just copy-paste them from the document into your server configuration. This is what it looks like; probably you don't need to photograph that now, it's in the document. We want you to participate in this project: you can help us with reviewing the contents if you're doing cryptography, cryptanalysis; if you're a sysadmin, test these things. We have done a lot of testing, but we cannot cover every aspect and every situation that is in the field.

Some parts are missing; we have a huge wish list of topics we would like to cover in this document, please help us write them. And most importantly, deploy the hard crypto. If you have seen Jacob Appelbaum's talk about the packet injection, he said TLS can mitigate this threat and also the eavesdropping. Deploy this, it's not that hard, it's usually a few lines to copy to improve your crypto. So go to the website, you can fork us on GitHub of course, join the mailing list for all the discussions and reviewing; each addition to the document gets a review, this is how we do quality control. We have a repository you can clone, so you can see the complete creation of the document from the first creation of an empty file, including every typo we made; the whole process is transparent from the beginning on, and we want to keep it that way. Yeah, download my PDF, go to bettercrypto.org, and if you have questions, we're around here; we're on Twitter as bettercrypto as well as on App.net. Join us, deploy hard crypto, and come to us. Thanks.
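The talk's core advice for a server operator is "no RC4, ephemeral key exchange, current protocol versions, and test what you actually offer". The following is an added example of those points applied to a Python TLS server context, together with a small audit of the cipher list OpenSSL reports for it; it is not the bettercrypto.org guide's configuration, and the cipher string, the TLS 1.2 floor and the weakness rules (the WEAK_MARKERS and PFS_PREFIXES tables) are my own assumptions chosen to match the talk's points, not the guide's recommendations.

```python
"""Hardened TLS server context and a cipher-list audit (added example, not bettercrypto's)."""
import ssl
from typing import Iterable, List, Tuple

# Substrings that mark a cipher suite as unacceptable (assumed rule set, not the guide's).
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH")
# Suites with forward secrecy: ephemeral (EC)DH, or the TLS 1.3 suites, which
# OpenSSL names TLS_... and which always negotiate ephemeral keys.
PFS_PREFIXES = ("ECDHE-", "DHE-", "TLS_")


def audit_cipher_names(names: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (cipher, reason) for every suite a hardened server should not offer."""
    findings = []
    for name in names:
        hits = [m for m in WEAK_MARKERS if m in name.upper()]
        if hits:
            findings.append((name, "weak primitive: " + ",".join(hits)))
        elif not name.startswith(PFS_PREFIXES):
            findings.append((name, "no forward secrecy (static RSA key exchange)"))
    return findings


def hardened_server_context() -> ssl.SSLContext:
    """Server context limited to TLS 1.2+ with AEAD, ECDHE-only suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2        # refuses SSLv3, TLS 1.0 and 1.1
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    ctx.options |= ssl.OP_NO_COMPRESSION               # TLS-level compression off
    # ctx.load_cert_chain("/path/to/fullchain.pem", "/path/to/key.pem")  # placeholder paths
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[Tuple[str, str]]:
    """Audit the suites the context would actually offer, as OpenSSL reports them."""
    return audit_cipher_names(c["name"] for c in ctx.get_ciphers())
```

The audit deliberately runs on `ctx.get_ciphers()`, the list OpenSSL resolved from the cipher string, rather than on the string itself: a cipher string can look strict and still expand to suites you did not intend, and checking the resolved list is the "test it" step the talk asks for.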
Oh, don't bring your microphone down, a little, just up, just a tiny bit. Okay, okay. And five minutes is yours; the slide is down there. Five minutes is yours.

Okay, hi. I'm going to talk about something that happened during the Tunisian revolution that wasn't very widely publicized, and I feel that it deserves more attention, because GCHQ and NSA are not the only surveillance organizations that we have to worry about. Basically, during the Ben Ali dictatorship, the Tunisian government was actively harvesting the usernames and passwords of Gmail and Facebook users by injecting malicious JavaScript into login pages. So basically, in Tunisia there's one big ISP that's run by the state, and for quite a while now they've used this software made by a San Francisco company called SmartFilter, which essentially allows them to censor and monitor all the internet traffic that goes through this ISP. So this is the actual code that they were injecting, through a man-in-the-middle attack, into the Facebook login page, and if you look carefully you'll actually see that for some reason they're using leetspeak in their JavaScript functions and variables. So basically, what this code does is when you hit the login button, it sends your username and password over plaintext to a URL at Facebook, so that way they can intercept it and get your username and password. Now, the reason why they can't just use a tool like sslstrip to replace HTTPS with HTTP is because Facebook actually doesn't allow logins through HTTP, so they have to do it like this. So this was a very simple browser add-on that I released that a Tunisian could install to basically strip out those JavaScript functions in the Facebook login page, and it was downloaded over 4000 times, so hopefully someone found that helpful. So I think the lesson here is that I really don't think that right now the way browsers are implementing HTTPS is secure at all; I think it makes HTTPS almost useless. I would propose that if a browser knows that a website is using HTTPS, or has HTTPS enabled, then it should completely disable and block all HTTP connections to that website, so a man-in-the-middle attack wouldn't be possible, because right now the user doesn't really have a choice to use HTTP or HTTPS.

Thanks.
Hi, I'm Tim, and I have written a piece of code you might care for or not, let's see. It's called Sharing Secrets, and it's a networked password manager. What does networked mean? It can store passwords, of course, but you can share passwords. Yeah, it's a bad idea, it's insecure, but many people practice sharing passwords, and these passwords get sent from one person to another, and that's really bad. So Sharing Secrets can share passwords with a right click, and if any person who has access to the password changes the password, every person connected gets the update, and everybody has the newest password. It can also be used for encrypted password distribution with read-only accounts. And of course, since it is a client-server model, you can have multiple instances on as many computers as you like, and it doesn't run into synchronization issues. Another thing is you can make digital testimonies: for example, if you have a root account for your server, and it's an important server with important services, and you get run over by a car and you die, your server cannot be accessed and cannot be maintained. With the digital testimonies you can encrypt your password with the keys of multiple people, and these people combined can access your password, but not a single person alone.

Another thing is, if a password gets changed, it doesn't get overwritten; you always can view the old status, so you don't lose anything. And you don't have to decide which server you use: you can set up your own and use any other server you want. So how does it work? Well, this...

So what does sharing passwords really mean? Every user can have partners, which is a bit like a trusted user group, and there's an invite system where you can invite other people to be your partner, and if they say it's okay, you're partners. If you're partners, you can share your password with a right click, and on a change of the password, every one of the partners gets a notification and stores the new password. A big thing is that every item, a password, a key or something, can be shared individually; so if you have ten passwords you can share only one password and leave the other nine private. This means that there are no big crypto containers with passwords stored in them, so there are also almost no synchronization issues.

There are several different kinds of sharing supported. The normal sharing is read-write sharing, but you can also say let's make a read share, so people can only read the password but not change it, or a write-only share, for example for external applications; this means an external application can write into your password manager but not read anything.

So how does it work in principle? Everything you do, really everything you do, like saving a password, is a message, and each message is encrypted by GPG, so it should be safe on the crypto level. And these messages are sent to a server, which then relays and stores these messages. Since these messages are completely encrypted by GPG, the server doesn't know anything about the user state. (one minute)

And since it's server-based, it doesn't matter if your partner is online or not.

The messages can be requested from the server again, so if you [ __ ] up and delete your passwords, you can just ask your server "hey, send me everything again". You know, the testimonial passwords were mentioned. (30 seconds) So where can you help? I need code, I need testing, I need ideas and security advice, and you can reach the project page, and with Sharing Secrets you can reach me with this email address. Yeah, so, done.
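The "digital testimony" requirement in Tim's talk, that several partners combined can recover a password but no single one of them can, is the threshold property. As an added example (not the Sharing Secrets project's code, which the talk says works by encrypting to the partners' GPG keys), here is Shamir's secret sharing over a prime field, so that any k of n shares reconstruct the password and fewer than k reveal nothing. The function names, the share format and the `make_testimony` helper are my own; the shares still have to be delivered to each partner confidentially, for instance encrypted to that partner's key as the project does for its messages.

```python
"""k-of-n threshold sharing of a password (added example, not the project's code)."""
import secrets
from typing import Dict, List, Tuple

# Mersenne prime 2^521 - 1: a secret of up to 64 bytes fits as one field element.
P = (1 << 521) - 1


def _poly_eval(coeffs: List[int], x: int) -> int:
    """Evaluate a polynomial (coeffs[0] is the constant term) at x, modulo P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: bytes, k: int, n: int) -> List[Tuple[int, int]]:
    """Split `secret` into n shares (x, f(x)); any k of them recover it."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    if len(secret) > 64:
        raise ValueError("secret too long for this field")
    # A fixed 0x01 prefix keeps leading zero bytes of the secret through the round trip.
    s = int.from_bytes(b"\x01" + secret, "big")
    coeffs = [s] + [secrets.randbelow(P) for _ in range(k - 1)]   # random f with f(0) = s
    return [(x, _poly_eval(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares: List[Tuple[int, int]], k: int) -> bytes:
    """Lagrange-interpolate f(0) from k distinct shares; fewer than k is refused."""
    if len(shares) < k:
        raise ValueError(f"need at least {k} shares, got {len(shares)}")
    pts = shares[:k]
    if len({x for x, _ in pts}) != k:
        raise ValueError("duplicate share")
    total = 0
    for i, (xi, yi) in enumerate(pts):
        num = den = 1
        for j, (xj, _) in enumerate(pts):
            if i != j:
                num = num * (-xj) % P            # product of (0 - x_j)
                den = den * (xi - xj) % P        # product of (x_i - x_j)
        total = (total + yi * num * pow(den, -1, P)) % P
    raw = total.to_bytes((total.bit_length() + 7) // 8, "big")
    # A wrong or tampered share set yields an essentially random field element,
    # which almost never carries the 0x01 prefix; treat that as a failure.
    if not raw or raw[0] != 0x01:
        raise ValueError("reconstruction failed (wrong or tampered shares)")
    return raw[1:]


def make_testimony(password: bytes, partners: List[str], k: int) -> Dict[str, Tuple[int, int]]:
    """One share per partner; any k partners together can rebuild the password."""
    shares = split_secret(password, k, len(partners))
    return dict(zip(partners, shares))
```

With k = 2 and three partners, any two of them can rebuild the root password after the owner is gone, while the server relaying the (encrypted) shares and each partner on their own hold nothing usable.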
Hi, my name is Ben, I'm from a hackerspace called Magrathea Laboratories in Fulda, and together with Dustin, who's in the audience here, we wrote a tool called ddserver that we are running at our hackerspace. ddserver is a tool used for dynamic DNS management. What does that mean? DNS allows you to have dynamic zones where you have subdomains or hostname records that you can update dynamically. Why would you need this? Because you're sitting on a DSL uplink changing your IP address frequently; for example at Telekom every night you get a new IP address, and you still want to have hostnames or domain names that you can use as a static name for your home server, for example. Such services are available by now, called DynDNS for example, or No-IP. So why did we implement a new one? Because maybe many of you know what happened with DynDNS: they started with a number of hostnames, then they reduced the number of hostnames you can use, then they got to "you have to log in every now and then or we kill your account", and now they are a paid service. And mcfly from Dumpster gave a great talk on how to run your own [ __ ] infrastructure to get rid of such happenings. So we started that own service, and when we started there was no such thing; now we know that there is another service called nsupdate.info, the guys are sitting in the hack center as we do. We both implemented the same idea, but we did it in different ways. What we did is we wrote a Python program (the other project is also written in Python) called ddserver. It consists of three parts. The ddserver interface, which is in the middle here, is a nice-looking web interface where you have some basic user management; you can define DNS zones where the hostnames go in, and users can add their hostnames. We have the ddserver updater, which is in the middle top, which is the REST interface that implements the DynDNS2 protocol; this is the protocol that's also used by DynDNS or No-IP for updating the IP address of your host. So as it's the DynDNS protocol, every FritzBox, every DD-WRT or OpenWrt router can use this, or a tool called ddclient if you are on a Linux machine can also send updates to that tool. And we have the ddserver recursor, which is a small Python program that is executed by the PowerDNS server using the pipe backend of PowerDNS; it gets the IP address of some hostname back and allows PowerDNS to give out the IP address of the hostname you're asking for. The whole thing can run in a redundant setup, so you can just mirror the database and run the ddserver recursor on the second server with the replicated database to have a backup DNS server. All the tools can be installed on different servers, or you can just run it as a whole thing, the whole thing on the right side, on one server. This is how the web interface looks; it's implemented with the Bootstrap layout that's very common. The project homepage is ddserver.crx80.io. There is some basic documentation; we have to do further documentation of the project, I guess. The project is on GitHub; there is an email address where you can reach us. I would be happy to get some feedback, maybe feature requests or bug reports; tell us what you think about the tool. And again, the nsupdate project is also on GitHub, and I think they will also be happy to get any feedback you have. Thank you very much.

All right, and now we have our final lightning talk. I hope that's the correct version. We have our final lightning talk of the 30C3. So...
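The DynDNS2 update endpoint Ben's talk describes is the one piece of a dynamic DNS service that the whole internet can reach, so the checks it performs (who is asking, do they own that hostname, what address do they want to publish) are what keep one customer from overwriting another's records. As an added example, not ddserver's code, here is a minimal handler for such a request. The request shape (GET /nic/update?hostname=...&myip=... with HTTP Basic authentication) and the one-line replies good, nochg, badauth, nohost and notfqdn are the dyndns2 protocol the talk names; the account and host tables, the password hashing and the function names are constructed here for illustration, and the fallback to the client's own address for a missing or unparsable myip is a design choice of this example, not part of the protocol.

```python
"""Minimal dyndns2-style update handler with ownership and auth checks (added example)."""
import base64
import binascii
import hashlib
import hmac
import ipaddress
import os
from typing import Dict, Optional, Tuple


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 so the account table never holds plaintext passwords."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


# Constructed sample state: one account, one hostname it owns (example zone).
USERS: Dict[str, Tuple[bytes, bytes]] = {"alice": hash_password("correct horse")}
HOSTS: Dict[str, Dict[str, str]] = {
    "home.dyn.example.org": {"owner": "alice", "ip": "203.0.113.5"},
}


def authenticate(authorization: Optional[str], users=USERS) -> Optional[str]:
    """Return the user name for a valid Basic auth header, else None."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    if user not in users:
        return None
    salt, expected = users[user]
    _, got = hash_password(password, salt)
    return user if hmac.compare_digest(got, expected) else None   # constant-time compare


def handle_update(headers: Dict[str, str], params: Dict[str, str], remote_addr: str,
                  hosts=HOSTS, users=USERS) -> str:
    """Process one dyndns2 update and return the protocol's one-line reply."""
    user = authenticate(headers.get("Authorization"), users)
    if user is None:
        return "badauth"
    hostname = params.get("hostname", "").strip().lower().rstrip(".")
    if "." not in hostname:
        return "notfqdn"
    record = hosts.get(hostname)
    if record is None or record["owner"] != user:
        return "nohost"        # same reply for unknown and foreign hosts: no ownership leak
    # Design choice of this example: a missing or unparsable myip falls back to
    # the address the request came from, which is what the client usually wants.
    try:
        ip = str(ipaddress.ip_address(params.get("myip", "")))
    except ValueError:
        ip = str(ipaddress.ip_address(remote_addr))
    if record["ip"] == ip:
        return f"nochg {ip}"
    record["ip"] = ip
    return f"good {ip}"


def basic_auth_header(user: str, password: str) -> str:
    """Build the header a client such as ddclient sends (helper for demos)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

Two details carry the security weight: the ownership test is done against the authenticated user, never against anything the client sent, and the address is parsed with `ipaddress` before it is stored, so only a syntactically valid IP ever reaches the zone that the PowerDNS backend serves.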
Next to the mic, yeah, there you go. Okay, so we have our final lightning talk of the 30C3, and you know, we're only gonna end up half an hour over time. So, huge round of applause for everybody who was involved in this process: all of the speakers, the angels, the...

Yep.

It's a lot of fun for me, and we're just gonna clear the stage right after Christine's talk. So thank you for showing up, and think about giving a lightning talk for next year. So without any further ado, you've got 15 minutes, go.

Okay, hi. When I submitted this talk, I had a very different mindset. First of all, the talk was originally intended to be an hour long and they didn't accept it, so I'm here... "Closer to the microphone, please." Oh, sorry, yeah, tying down to a microphone. So what I'm really focusing on is the legislative process. I tried to change the law as an individual, as a hacker, because hackers change things; and I'm in Silicon Valley, and what you do is you come up with great ideas and you buy yourself and build steam, you implement them. Well, government doesn't work that way. So I spent a lot of time figuring out how you would go about changing the law, and I learned a whole lot along the way; it was pretty interesting. A lot of Washington insiders, a lot of Brussels insiders, and I imagine some insiders in Berlin, are aware of some of these issues, but I think it's useful to think about for hackers, because once you understand a system you can figure out ways to get around it, and this is a system that needs to be gotten around. So why legislation? I started this project to change the law, but what needs to happen... it's an important democratic process that's kind of gotten subverted. We all talk about voting when we talk about democracy, but voting isn't what changes your life; voting gets people in, and those people you get in are supposed to change your life, but that's not happening. Elections and lawmaking: they're not the same thing. Most voters don't really consider the breadth of all the issues that will come before the legislator when they elect them, and voting just doesn't get you any laws; it just puts somebody in there that you have to place some faith in that they'll do what you want, and that's not happening. Legislators don't have money, they don't have... I've been talking to people in the last month in the EU about the situation here, thinking that you guys were much more together, and it's like, no, we're in the same boat. It's worse in the United States, but it's about the same worldwide; the same things are happening, the same failures are going about. So you have a bubble forming around your centers of power, because people who want power want power for power's sake, not because they want to serve. There are a few people who want to serve, who have ideologies that they're forwarding, but there's this quest for power that we cannot ignore, and it clouds, it obfuscates getting the real technical good people in for advice; it hides the ball, basically, when you're trying to get good answers. So I've identified some of the reasons why. So what it takes to change the law: you need a dedicated full-time presence at the site of the legislator; in the US, DC, or in California, Sacramento; Berlin; even if you want your own directives at the EU, in Brussels. So you have to be there, you have to have feet on the ground all the time. Lobbyists are paid a tremendous amount of money because they can bring home the bacon for the big companies; they're paid seven figures to schmooze congressmen; most of them are former congressmen or former MPs or other agency or ministry heads. So it takes quite a bit to get there. But more than anything else, more than feet on the ground, more than the real glad-handing, it takes patience and dedication, which is something I'll get to a little later; but it's something that is really hard for this community, for most ordinary day-to-day people, to do: these long-term (10 minutes, thanks) two-, three-, four-, five-year programs that other organizations do. So this is how corporations succeed: they hire the MPs, they hire the former congressmen, and they write their own bills. That's what we were trying to do, we were trying to write our own bill, and part of that is there's a lot of overhead. In the United States you have to know all the case law, you have to know all the interpretations, all the opinions on that particular piece of legislation and its history, and who's edited it before and why, and what was wrong with it before, why did they edit it, and all these other things. So there's a lot of knowledge behind that, and all this knowledge is kind of locked away in this highly legalistic language that even law people can't always wrap their head around. So they have the expertise to do that, and they have the long-term vision; they commit three-, six-year programs to change legislation in their favor. You can't imagine how long the, say, motion picture industry has been working on copyright law and just really seriously focusing on that. Telecommunications companies are also big lobbyers.

Big government. In the United States, again, this is really a bad problem, mostly because our central federal government has a lot of money. I've been talking to a lot of people and trying to figure out why Brussels is the place where you send politicians to die and Washington is a place politicians aspire to, and a lot of that probably has to do with money. But all that money goes to pay agencies and specialists and professionals, and these professionals are going to be anticipating challenges that their agency could potentially face, and so when a crisis occurs they slap down legislation that gives them everything they ever wanted. And so by being ready, by being knowledgeable and by being in touch with Congress and trusted by Congress, or parliament, they have the ability to come in and propose legislation that can get moved through fairly quickly. You might notice, I didn't mention it before, but both these scenarios involve the proposer, or the interested party, proposing their own legislation. Legislators don't write legislation; this is true in the United States, this is true here in Europe, and different people... there are more permanent government employees writing legislation in Europe than there are in the United States; this is something I was surprised to discover. But lobbying for corporate interests is huge in the United States, and I see it trickling in in Europe as well, where you have professional lobbyists, you have everybody coming in and doing that. So, yeah, nobody ever questions the authority of the government officials, so they can usually get a lot of stuff through even if their tech is bad.

So, public interest: the EFF. In the United States there's all sorts of different grassroots political organizations that purport to represent the people, and they exist, I'm sure, here too; but you guys are much better organized, having spoken with them. And a lot of these organizations are really directed at the people, not at the parliamentarians, not at the members of Congress or parliament; they are focused on keeping the people interested, excited and donating money. It's not that their goal is to donate money, but it's to keep people and the cause alive, and they're not necessarily so good at actually achieving results. So...
they they tend to be more reactive than proactive like the last two the long term planning of the corporate um and the anticipatory preparation of the governments so so public interest is is failing mostly because people have shifting goals and desires we're responding every week to a new snowden revelation and every week there's a different interest in changing the law and it might be something different and it's um and it's it's good that the snowden revelations have been spaced out so at least that interest has stuck with us for a while but we we we live in atlanta sound bites and it are what what is important to us changes from week to week so um it's very difficult to have the long-term persistence that will be required to actually see laws all the way through to completion it's a process that takes anywhere from six months to two years very rarely can you get legislation in place in less than a month anywhere so yeah can we do better what can we do um what i want to see is um i want to see an opportunity for individuals who are passionate about a single issue to be able to come together and build something build support build long-term support because they're passionate about this issue and hold on to it and continue to work on it week after week after month after year and and protect their interests it takes a lot there are there's a lot of legislation going on there's a lot of um a tremendous amount of laws being enacted every day
so um it has to be an individual interest thing um advocacy groups are great at really general stuff and you're yeah i support pretty much everything this group does but no one thing are you especially passionate about um i'd like to uh or maybe you are one thing and and the rest is okay um i'd like to to uh enable people to to do to roll their own to not have to rely on a a pre-set organization to to create the change that you're looking to create so um as a result i am trying to build this um website social network organization um something um called fork the law to um to enable people to come together to research the background on the law to um
figure out and and translate it into plain english and and get all the information together so that experts in a specific field that are trusted experts by everybody else in their field not just the washington insiders or the insiders to get everybody involved and to get to get something built that say we can change the computer fraud and abuse act we can change any particular piece of legislation one minute that you want to have changed so i think i am finishing early um if you would like to see uh if you would like to talk more with me about this if you're passionate about changing the law and enabling individuals to pursue their goals i like to get people together for a kind of workshop ething downstairs at the milliways table in the back room so you can come see me there and i would like to talk to you later you