First of all: We wish all our readers a happy new year! A special writeup about Internetwache in 2014 and other projects will be published in about a week.
To be honest we planed to publish an article every day of the #31c3, but as you might have read in the other posts: We were very busy meeting cool people, hearing awesome talks and finally being tired as hell :) So we decided to postpone the blogposts after the #31c3. Finally we got some time after New Year’s Eve (without internet) to write down the experiences of the last two days.
Day 3:
Day 3 was quite cool. The first talk was about X-Ray scanners and how to bypass them to smuggle weapons (pistols/c4) into an aircraft. We were not sure if one can say that this is ‘hacking’ and the technical aspects came very short. It was more like a How-To for terrorists, but at the same time intresting and shocking how easy it seems to be.
Security Analysis of a Full-Body X-Ray Scanner
After that we learned about how quantum computers work. This was a small introduction into Qubits and their superposition state which would allow us to easily attack cryptographic algorithms.
Let’s build a quantum computer!
In Sebastians opinion, one of the most interesting talks of this day was about “Polyglots” and other tricky file-in-file combinations. The speaker showed awesome demos with up to 6-in-1 files. You can really have a lot of fun with file formats and maybe it isn’t that uninteresting from the security perspective.
If you’re lurking around in some of the darker corners of the internet, you probably want to know that your style of writing can be used to identify you. Regarding to the speakers that is not limited to normal text, but includes obfuscated source code, too. So if you’ll ever be interviewed by law enforcement and they ask you to write a small essay, you should remember this talk and immediately change your style of writing - in order not to get identified. The speakers also mentioned that this could be used to indentify the infamous Mr. Satoshi who developed the Bitcoin protocol - if only enough test data was available. All in all, this seems to be very interesting for law enforcement and for you to protect yourself and your privacy.
Source Code and Cross-Domain Authorship Attribution
Perl is quite old and has some ‘funny’ ‘features’, especially lists and hash maps seem to broken. Abusing those leads to some critical vulnerabilities in software like for example Bugzilla. During the Q&A people pointed out that the showed vulnerabilties would only arise due to bad programming style, but you can’t always blame the developer. We advice all people who write in perl to watch this talk and then review their code!
The Perl Jam: Exploiting a 20 Year-old Vulnerability
Last, but not least a talk about advanced password kracking using patterns. Using the tool Unhash which is developed by the speaker @kisasondi can increase the password cracking success rate by 25%. This tool uses context-based wordlists and generic/adaptive patterns to crack more complex passwords with > 12 characters.
You can view the slides on: Google Presentation: Unhash
UNHash - Methods for better password cracking
Day 4:
On day 4, we missed the first set of talks, because we had to pack our stuff and bring it to the train station.
We arrived at about 12:30 a.m at the CCH (#31c3 conference hall) and enjoyed some really interesting lightning talks. Lightning talks are short talks (max 5 minutes) and thus the information is dense.
Sebastian is supporting the TOR network with about 20 TB traffic per month. So he was interested in the current state of the tor network. Jacob Applebaum and ‘arma’ did a good job on giving a nice overview of the current situation. Result: We need more exit nodes and relays, but Tor still seems to be NSA resistant.
During lunch time, we met @redshark1802 and {0x41}. Both are cool guys to talk to :) It’s always cool to meet new people.
The show went on with Anonymous/WikiLeaks and Paypal. We all know that Paypal doesn’t like the other parties. The talk highlighted details and consequences, but wasn’t that interesting (Sebastian’s opinion).
We’re excited about the ‘Security nightmares’ talk, but this year’s wasn’t that cool like last year.
The very last “talk” during the #31C3 was the closing event including some keyfacts and a small review by the CCC. Again, the closing event of the #30C3 was much better than this year.
All in all, the #31C3 was awesome and we’re looking forward to the #32C3 - maybe some of you guys out there will also attend it next year?
The team of internetwache.org