Behind enemy lines: reporting from the CCC 28C3 Congress

For the past 28 years, the Chaos Computer Club has organized its Congress – covering ‘technology, society and utopia’ – between Christmas and New Year. For the past nine years, the Congress has been held in the Berlin Congress Center, right in the heart of Berlin on Alexanderplatz. The large, glass-walled building strikes one immediately as being rather inappropriate for a meeting of hackers – or perhaps appropriate for the transparency that many of the delegates wish to promote. (It is certainly a welcome departure from many conference venues that might as well be deep underground for all one could tell.)

The four-day Congress has grown over the years to attract far more international participants than the 3,000 that is the venue’s capacity. For that reason, the last two years have seen the introduction of pre-paid tickets and an elaborate system that has been put in place to make it easier for would-be delegates to order tickets anonymously in advance (the system itself does not provide any anonymity, it just tries to facilitate it). As such, there were no four-day passes available at the door as these had sold out within minutes of the three separate ticket allotments coming online. Day passes could be obtained, with a bit of luck, for all days except the first.

One consequence of this new ticket regime was that the Congress had a different feel from previous years. While the rooms were not as ridiculously overpacked, it felt as if the usual spontaneity was lacking. In an attempt to accommodate the vast interest in the Congress, numerous parallel conferences and meetings were organized – for instance, BerlinSides_0x2, the cBase Sidebar and satellite events around the world – from which ‘virtual’ delegates could watch the live stream and pose questions via IRC.

The live streams themselves were excellent this year and the FeM team from the Technical University of Ilmenau was able to get most of the talks online for download within a day, allowing particularly obsessed delegates to watch parallel tracks (sometimes at the same time).

The topics of the talks and workshops ranged from information society politics through technologies to arts and crafts. This year I (and others) lamented the lack of interesting arts projects and even the crafts (a.k.a. ‘makers’) were not as prominent this year – though there were an alarming number of workshops on hacking food technology and Geiger counters. There were quite a few talks about German information society politics and a few more general political ones as well.

One of these ‘political’ talks was by Cory Doctorow, who departed a little from his core topic of copyright issues to remind us of copyright’s evil twin: the DRM (Digital Rights Management) technologies that are eroding our control over the devices we believe we own. Of course, DRM technologies are already in place on the iPhone, iPad and many Android devices, but Doctorow believes this will extend to laptops and PCs in the future and he decried the death of general computing that has benefited society so much. It was apt that, shortly after his talk, government-mandated backdoors were discovered in iPhone devices.

Once again, the Congress sported its own GSM base station that one could register with (sporting an SMS to Telex gateway), and there was a continuation of the talks given at previous Congresses about GSM security. GSM security is still largely broken, but many providers have at least pledged to upgrade their networks. Karten Nohl and Luca Melette introduced an instrumented phone that can determine whether the GSM provider has updated their security in a particular area. Using this, they were able to document the roll-out of the security updates. They also mentioned that conversation eavesdropping devices for GSM were far cheaper and more pervasive than expected.

Dan Kaminski gave his usual Black-Ops of TCP/IP talk, in which he broached many subjects that he has worked on over the past year. Bitcoin was one of these and, together with Travis Goodspeed, he demonstrated the use of Bitcoin as a form of permanent information storage. But he also explained that Bitcoin suffers from scalability and anonymity issues, though there are no known security issues in the core code, despite being very opaque indeed. The uPNP protocol is always a bundle of trouble on the LAN side, but now it turns out that some routers also listen to the uPNP protocol on the WAN side. Oh, joy. Dan also talked at BerlinSides_0x2, where he predicted that IPv6 is coming, and will probably be important for P2P voice communication on smartphones. SOPA came up in the context of DNSSEC, which will break if arbitrary domains are blocked. On that subject he also believed that Certificate Authorities are on the way out, and a possible replacement may be the Electronic Frontier Foundation (EFF) Sovereign Keys proposal.

Back at the Congress, the EFF’s Peter Eckersley explained this alternative to the current hierarchical CA infrastructure. Users are now so used to clicking through certificate warnings that they are not much use. The EFF’s proposed alternative, Sovereign Keys, removes the need for CAs and allows domain owners to deploy their TLS keys directly. While this sounds promising, there are still many issues to be worked out.

There were a few talks about Tor and similar traffic anonymizing systems. Much was made of the fact that many governments are trying to block Tor nodes. Eric Filiol’s team claimed to have broken the Tor security by demonstrating that a Tor node could be compromised and then traffic directed through it. By engineering a weak key, that traffic could then be sniffed. The Tor team, who were present, countered that the vulnerability he described was already patched, and that the routing mechanisms would actively try to prevent such traffic redirection.

DC+ was presented as an alternative to Tor. This peer-to-peer system, where all participants receive all messages but can only decrypt the ones intended for them, turns out to be an incredibly slow anonymizing overlay network. Given that the performance of such a system is very poor, it is a fair way from being ready for prime time.

There was much hallway chatter about alternatives to the DNS system as a response to government censorship and initiatives like SOPA/PIPA. Tor, for instance, has the Tor2Web services for accessing anonymous sites. In general, it is far from clear whether any DNS alternative could possibly scale as well as DNS – a point that was confirmed by Dan Kaminsky.

Perhaps the best session (in my opinion) was Travis Goodspeed’s talk entitled ‘Packets in Packets’. He debunked the myth that the ISO network layers completely encapsulate each other by demonstrating a Layer 1 packet insertion from a Layer 7 protocol. In this way, data sent by HTTP could attack an unrelated machine on a local network. He first showed this on the Zigbee Layer 1 (802.15.4) and then on the more sophisticated 802.11B protocol. The trick is to realize that radio (or wire) signals look for certain patterns to mark the beginning of network frames and can be fooled by specially crafted contents being sent in a larger packet than they match on.

Artur Janc of Google demonstrated techniques that can be used to create backdoors in a browser session using a method he calls ‘resident XSS’. The premise is that an exploit can take up residence in the client-side storage or cache and persist over multiple sessions, creating a backdoor into the user’s web client. Mitigating this is hard for the web application developer as it is really a web client problem. Also, HTML5 will make these attacks easier as it has more elaborate storage methods.

Mathias Payer, from ETH Zürich, introduced a framework for crafting format string attacks, which he calls string-oriented programming. While it’s nice to see that DEP, ASLR and ProPolice have made code injection a lot harder, he showed that it is still possible to insert malicious code through other means. Given that there is a market for exploits, people will be motivated to create them, despite the complexity.

Taking a cue from other hacking conferences, this year, the Congress organizers produced an electronic badge. It wasn’t the official access badge: that still consisted of a wrist band crimped onto the wearer’s wrist. The ‘R0cket’, as it was called, featured a little backlit LCD matrix display, a wireless mesh network transceiver, two buses (one for shields and one for lower-level hacking), a five-way mini joystick, a USB connector for programming and power, a light sensor and probably other features I missed. All this for EUR 30 if you were willing to stand hours in line for it.

As usual, there was also a hack centre in the basement where undisclosed stuff probably happened, but it had a less interesting feel than in previous years.

As usual, there was far too much to report on and I’ve left a lot out here. The complete schedule is available at: http://events.ccc.de/congress/2011/Fahrplan/ and this includes some links to slides and other material. The videos from some of the conference sessions are available at: http://events.ccc.de/congress/2011/wiki/Documentation. Next year, the organizers are debating moving to a different venue to accommodate the growing number of delegates. In any case, the CCC event will likely remain the premier hacker event in Europe for many years to come.