
Chaos Computer Club - SHA2017: Still Hacking Anyway (mp3)
153 episodes — Page 2 of 4
Race For Root: The Analysis Of The Linux Kernel Race Condition Exploit (SHA2017)
CVE-2017-2636 is a 7-year-old race condition in the Linux kernel that was fixed by Alexander Popov in March 2017. This vulnerability affected all major Linux distributions. It can be exploited to gain a local privilege escalation. In this presentation Alexander will describe the PoC exploit for CVE-2017-2636. He will explain the effective method of hitting the race condition and show the following exploitation techniques: turning double-free into use-after-free, heap spraying and stabilization, SMEP bypass. #DeviceSecurity about this event: https://c3voc.de
Off Grid: Disclosing your 0days in a videogame mod (SHA2017)
Off Grid is a different kind of hacking game, and it is fully moddable. The game logic runs on Lua under the hood, and all the computers you hack, whether desktop PCs or IoT devices, are their own Lua VMs, allowing modders and hackers to create their own Lua-hackable devices, hacking tools, and data types. This flexibility allows anyone to model real-life or cutting-edge hacks in the game, so next time you find a bleeding-edge exploit, why write a white paper when you could model it in a mod and pass it on for people to play? #Games #DeviceSecurity about this event: https://c3voc.de
The art of creating an escape room (SHA2017)
At the moment of submitting this talk there are 500+ escape rooms in The Netherlands alone. By the time SHA takes place there might be over 600. However, not all rooms are equal, and there is a vast difference in escape room experiences and quality. This talk, presented by an experienced escape room designer, will go into all the facets of designing and building an escape room. It will show how to create the best experience for the players, the pitfalls, and how to design the puzzles and puzzle flows. It will further give an insight into the techniques used behind the sound, lighting and puzzle interactions. #PhysicalSecurity #Making about this event: https://c3voc.de
Nerd-Wrangling 101 (SHA2017)
Neurodiversity is the concept that neurological conditions are variations in the human genome. Therefore Autism, ADHD, and mood and personality disorders are considered social categories intersecting with other social categories. While "Nerd" is very broadly defined, the number of neurodiverse people within our social group is much higher than in the general population. Our social circles, our hackerspaces, our coworkers are assembled from this group. And due to these differences our groups behave differently and encounter different problems that cannot be solved with standard management 101. Working together with a team of amazing people, nearly all of whom have distinctive cognitive needs, we found that classical management and strict structures are impediments rather than support. So we hacked around them. Like you do. In this talk we introduce the concept of cognitive empathy: being able to think into the brain of your peers even though you might lack affective ("classical") empathy. We will share how we came to new solutions in managing our team by figuring out each other's needs. This talk will be about superpowers and super weaknesses: how to manage them, utilize them, and create an interdependent band of superheroes for which the sum is greater than the parts. #Society #Community about this event: https://c3voc.de
Blockchains for a Better World (SHA2017)
The blockchain invention allows us to take our freedom back and save the planet. This talk explains the fundamentals of blockchains, no fluffy talk and no unnecessary details. At the end of the talk you should be able to build your own stateful P2P network. We also demonstrate the Statebox system and some applications. #BlockchainTech about this event: https://c3voc.de
Legacy Crypto Never Dies (SHA2017)
In 2012 I released a DES cracking service with Moxie Marlinspike for cracking MSCHAPv2 and quickly started seeing it being used for cracking other things besides MSCHAPv2. In this presentation we'll take a look at some of the research we've done into other widely used protocols and services that still rely on DES for security and provide a quick intro into the https://crack.sh API so you too can use this service for your own projects. #NetworkSecurity about this event: https://c3voc.de
Playing defence is complicated (SHA2017)
What kind of work goes into implementing secure services? Service providers have to comply with the law, protect their users, worry about reputation, deal with vulnerability management and patch management, and above all: business continuity. Researchers and attackers target the infrastructure for their own gain, and suppliers have their own go-to-market drive which limits the amount of QA on their products. Various services are built upon existing or new foundations. They have to comply with the same company-wide policies, like the security policy. In this talk I will give an insight into what goes into the technical analyses and generic preventative measures, and provide examples of how to use a technically oriented company-wide policy to your advantage. #DeviceSecurity #NetworkSecurity #Politics about this event: https://c3voc.de
In The Eye of the Beholder (SHA2017)
Capitalist underpinnings of advanced technology development threaten individual agency and the notion of self-defined identity. As we are seen by an increasing number of image capture systems, this session will discuss the degree of control we can exert over digital representations of our bodies as vision technology becomes more ubiquitous. #Privacy #SurveillanceState about this event: https://c3voc.de
Certbot & Let's Encrypt Office Hours (SHA2017)
You’re trying to turn on https for your site for the first time. You have a certificate, but are sick of renewing it. You’ve set it up before, but now you’ve grown and want a more advanced setup. Or, you don’t need help but want to understand some of the finer points of certificate theory, use, and management. Come to Certbot & Let's Encrypt office hours to talk with Certbot developers and fellow users. No question too small or silly, no person too experienced or inexperienced to be worthy of our time. #NetworkSecurity about this event: https://c3voc.de
A look at TR-06FAIL and other CPE Configuration Management Disasters (SHA2017)
In late 2016 a TR-064 (LAN-side CPE management) misconfiguration in a wide range of CPE devices was disclosed that allowed for remote device takeover. Within days, botnets began exploiting a related command injection issue, leading to widespread internet outages for customers of certain ISPs in the UK and abroad. This talk will explore the impacts of these issues, along with taking a look at some other related vulnerabilities in TR-069 (WAN-side CPE management) protocol implementations that could allow for remote takeover of routers en masse. #NetworkSecurity #DeviceSecurity about this event: https://c3voc.de
Smart, safe & happy (SHA2017)
Privacy-minded charities have a hard time going up against Silicon Valley's army of corporate lawyers. Digital rights are becoming increasingly important in society, but politicians fail to come up with answers. Across the world law after law is being passed, eroding our civil liberties. Ancilla has been fighting to keep our digital rights for the past 5 years. At SHA she will share her lessons and thoughts on what comes next. #Politics #Society #Privacy about this event: https://c3voc.de
Rooting the MikroTik routers (SHA2017)
In this talk I describe my journey into reverse engineering parts of the MikroTik system to gain access to hardware features and the shell behind RouterOS that has no "ls". #NetworkSecurity #DeviceSecurity about this event: https://c3voc.de
Developments in Coordinated Vulnerability Disclosure (SHA2017)
There has been much development in recent years on vulnerability disclosure. The Netherlands has taken the lead in 2013 by publishing an official guideline for "Responsible Disclosure". Since then much has happened, other countries have shown an interest and there is even a (free!) ISO standard on Coordinated Vulnerability Disclosure. In this talk I'll summarise the global developments and explain how and why things have gone as they are. At the end of this talk I'd also like to have an open discussion and collect feedback on how the Dutch government has handled this and can possibly improve this. #NetworkSecurity #PhysicalSecurity #DeviceSecurity #Politics about this event: https://c3voc.de
Network Traffic Analysis using Deep Packet Inspection and Data Visualization (SHA2017)
For the protection of (critical) infrastructures against complex virus attacks, deep packet inspection is unavoidable. In our project SpySpot we are developing new tools and techniques to assist analysts in gaining insight into and reverse engineering Wireshark PCAP files. In this talk we present and demo a new data visualization system, Eventpad, to study PCAP traffic by visualizing patterns according to user-defined rules. We illustrate the effectiveness of the system on real-world traffic including VoIP communication and ransomware activity in file systems. #NetworkSecurity #DeviceSecurity about this event: https://c3voc.de
Lightning talks day 3 (SHA2017)
about this event: https://c3voc.de
Because "use urandom" isn't everything: a deep dive into CSPRNGs in Operating Systems & Programming Languages (SHA2017)
Over the past year multiple people have been engaging language maintainers and designers to change their use of CSPRNGs (mainly relying on user-land RNGs like the one from OpenSSL, and sometimes suggesting "adding entropy" by various means from user-land daemons like haveged). In this short presentation we'll survey the struggle of cryptographers, developers and security engineers to change the path various high-profile languages have taken to provide randomness to their userbase. Affected languages include but are not limited to: Ruby, node.js and Erlang. We outline better approaches for language maintainers and implementers as well as coming changes within the Linux kernel crypto subsystem (i.e. /dev/random and /dev/urandom) w.r.t. security and performance. Recently these changes were merged into mainline Linux (4); problems with language implementations however remain. We'll also discuss operating-system-provided randomness testing, and attacks/mitigations in embedded and virtualized environments. #Software #Security about this event: https://c3voc.de
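The abstract above contrasts user-land RNGs with the kernel CSPRNG without spelling out one of the concrete failure modes: a user-land generator that is seeded once and never reseeded hands the same output to both sides of a fork() (and, by the same mechanism, to every clone of a restored VM snapshot). The block below is an added example written for this page; it is not code from the talk, from OpenSSL or from any of the named languages. It uses a hypothetical toy HMAC-SHA256 counter DRBG as the stand-in user-land RNG and assumes a POSIX platform where os.fork() is available.

```python
import hashlib
import hmac
import os


class UserlandDrbg:
    """Toy HMAC-SHA256 counter DRBG seeded once from the OS and never
    reseeded. It stands in for the user-land RNG pattern the talk
    criticises; it is NOT OpenSSL's or any language's real RNG."""

    def __init__(self) -> None:
        self.key = os.urandom(32)   # one-time seed taken from the kernel
        self.counter = 0

    def random_bytes(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            block = self.counter.to_bytes(8, "big")
            out += hmac.new(self.key, block, hashlib.sha256).digest()
            self.counter += 1
        return out[:n]


def outputs_after_fork(draw):
    """Fork, call draw() once in the child and once in the parent after
    the fork, and return (parent_output, child_output). POSIX only."""
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:                      # child: inherits the RNG state verbatim
        os.close(rfd)
        os.write(wfd, draw())
        os._exit(0)
    os.close(wfd)
    child_out = b""
    while True:
        chunk = os.read(rfd, 4096)
        if not chunk:
            break
        child_out += chunk
    os.close(rfd)
    os.waitpid(pid, 0)
    return draw(), child_out


def fork_collisions():
    """Return (userland_repeats, kernel_repeats): whether parent and child
    drew identical bytes from the toy user-land DRBG and from os.urandom.
    The kernel-backed draw goes through getrandom(2) or /dev/urandom,
    so each process gets independent output."""
    drbg = UserlandDrbg()
    parent, child = outputs_after_fork(lambda: drbg.random_bytes(32))
    userland_repeats = parent == child
    parent, child = outputs_after_fork(lambda: os.urandom(32))
    kernel_repeats = parent == child
    return userland_repeats, kernel_repeats


if __name__ == "__main__":
    print(fork_collisions())   # (True, False)
```

The point is not that HMAC-DRBG is weak; it is that state living in process memory is duplicated by fork() and snapshots, while the kernel pool is not. Languages that wrap the OS interface directly (getrandom(2), /dev/urandom) avoid this class of bug without any reseed-on-fork plumbing.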
The law and leaky abstractions (SHA2017)
In this talk I will show positive and negative examples of how laws can influence the security of infrastructures and society for the good and the bad. Without proper attention from lawmakers, security teams, service providers and security researchers could be positively or negatively influenced in their work. #Legal #Politics about this event: https://c3voc.de
Data Exploitation (SHA2017)
In the world of the "internet of shit" - where it's not just our computers and phones that gather data about you but also your cars, your pacemaker, the toys your children play with and your fridge among many others - the dramatic growth in data collection has led to a loss of control over data. Who owns the data? How is it processed and collected? And more importantly, how is it used to make decisions about you? Those are some of the questions Privacy International has been trying to address in order to help all of us reclaim control over our devices. This talk will aim at explaining how data exploitation works and how it has already started affecting our lives, so we can be prepared for and start resisting the exploitation. #Privacy #IoT about this event: https://c3voc.de
Cut by the free and open edge (SHA2017)
FLOSS seems to be a natural choice for NGOs and non-formalized entities (groups of activists, etc.) -- evading vendor lock-in, harder to place a back-door, community support, and no licensing costs. And yet many NGOs continue to use closed-source software, even in areas where FLOSS tools are available and considered stable. Reasons are many; one of them can be traced to papercuts -- small, annoying quirks and imperfections making FLOSS awkward, hard, or impossible to use in a given setting. #Society #Community about this event: https://c3voc.de
Olmogo - because it's your data! (SHA2017)
We present “olmogo”, a novel cryptographic, distributed data storage system and end user application that could – within a single platform – replace today’s cloud storage, messaging / chat and social networks with a cryptographically secure alternative in which users can trustfully share their data while the infrastructure itself has no access to the content. #Privacy #NetworkSecurity about this event: https://c3voc.de
We don’t need no security! (SHA2017)
Of course we will need security - but maybe not in the way we've 'always' done it. In this session we will explore whether a lot of what we consider to be part of security’s tasks, actually requires a separate organisation. #NetworkSecurity #PhysicalSecurity #DeviceSecurity about this event: https://c3voc.de
DNA: More Greatest Hits (SHA2017)
Part 2 of the presentation "DNA: The Code of Life" at SHA2017. This recording was made by Bart Smit and post-processed to compensate for the bad lighting conditions for the projector. The sound improves after the first few minutes. Part one of the presentation is at https://media.ccc.de/v/SHA2017-31-dna_the_code_of_life - slides and more can be found on https://ds9a.nl/dna/ about this event: https://c3voc.de
Ethics in Computing (SHA2017)
Developments in the last few years have shown that computing can no longer be considered neutral or without morals. Most kinds of programs or services have some hidden or implicit morals in them. Especially when things are published at Internet scale, you see clashes in what is considered morally acceptable. There have been several examples of this in the past few years: Facebook and its emotional contagion study, where they tried to influence the emotions of their users without telling them. Or academic researchers trying to measure censorship by tricking users into attempting to load censored webpages. There are many more of these examples. Fortunately many academic researchers have realised that this is happening and are calling for action: more ethics education in computer and data science. This is more easily said than done, however, but things are moving in the right direction. This talk will discuss some recent cases to explain how computing and ethics are related. I will also describe developments in the academic and professional field on how to deal with these issues. #Society about this event: https://c3voc.de
Zanshin Tech: the digital martial art (SHA2017)
What do you get when you cross cybersecurity themes with the mindset and the discipline of martial arts? You get Zanshin Tech. Zanshin Tech is a digital martial art focusing on digital aggression and teaching how to use mind and technology to avoid, solve or stop the conflict. Through continuous practice, both youth and adults learn how to identify and manage cyberbullying, child enticement, cyberstalking and much more. The lecture is intended to introduce the discipline of Zanshin Tech, describing the activities, the educational method and the structure of the art itself. #PhysicalSecurity #Sharing #Kids #Training about this event: https://c3voc.de
Demolish the web with the Firefox Dev Tools! (SHA2017)
Firefox has amazing dev tools that support the latest technologies, and they can also be used with other browsers and Node.js. #Software about this event: https://c3voc.de
How I made my diesel motorcycle (SHA2017)
I have made several diesel powered motorcycles and this is a simple talk or walk through of all the things I had to consider and things I had to do to complete the project. #Making about this event: https://c3voc.de
SHOULD I STAY OR SHOULD I GO? (SHA2017)
Today’s tech companies have enormous power over what we can access and share, and the input we—as users and citizens—have the ability to provide is minimal. Increasingly, algorithms are being deployed to control how information is delivered to us, as well as for the purpose of moderating user-generated content. These algorithms are proprietary, created by human beings at companies that fail on nearly all measures of diversity, and accountable to few. As user-generated content platforms like Facebook and Twitter reach monopolistic proportions, it has become more difficult to “vote with our feet” (or, more accurately, our data) than ever before. This talk will examine the state of the networked public sphere, the actors determining our destinies online and, most importantly, what we can do about it. #Society #Privacy #SurveillanceState about this event: https://c3voc.de
The World in 24 Hours Revisited (SHA2017)
In this talk we look at The World in 24 Hours, an early computer network art performance from 1982, which took place between 13 different cities around the world in the messaging system of the computer time-sharing, consulting and services firm IP Sharp. Canadian artist and initiator Robert Adrian wanted to explore the way culture can live in computer networks. The recent interest in saving and restoring digital heritage has created the opportunity to re-evaluate this work and to look for ways to re-enact or interpret it in the present day network landscape. A description of the work is presented, along with information about the technical circumstances and the artistic intent behind the work. The audience is invited to join a discussion about what would be the best way to re-enact this event in today's post-Snowden era as close to the original optimistic spirit of the work as possible. #Making #Society about this event: https://c3voc.de
Let's hack words (SHA2017)
Within the framework of the "Hacking Words" writing workshop, interested participants will deal with this year's theme of SHA2017: resilience. The creative writing principle: write for 30 minutes. There is only one motto: do not think of rules, readers, quality or your inner censor. Instead, it is about putting first ideas to paper and getting into the writing flow. #Making about this event: https://c3voc.de
Social Enterprises as a Tool for Activism (SHA2017)
We have entered the era of President Trump. Activists, NGOs, and charities thus need to reexamine the stability of (and motives behind) their funding sources. Surprisingly, business is an excellent tool that one can leverage to change the system. While business is not perceived as sexy by most activist-types, this talk will explain why social enterprises are tactical, lightweight, independent, effective, and why they are now more important than ever. #Society about this event: https://c3voc.de
How hackers could have hacked all Dutch elections since 2009 (SHA2017)
In this talk I'll present my findings when researching the security of the Dutch voting system. I quickly found various important security mistakes which would have made it very easy to tamper with the results. Based on my research the Dutch government dumped the voting software. #NetworkSecurity #DeviceSecurity about this event: https://c3voc.de
Malware: From your text editor, to the United States Government's Lab (SHA2017)
Ever wonder where your malware ends up after you deploy it? Are you curious how the United States Government researches Cyber Security on the backs of students? First, this is not a technical talk. This is an informative talk on the inner workings of an Information Security Lab at one of the top technical universities in the United States and how it works with its government to provide insights into the world of, as the feds like to call it, "CyberSecurity". (All Americans apologize for Trump. We're sorry.) #Politics #SurveillanceState about this event: https://c3voc.de
Hands up, don't shoot. Unless with a bodycam. (SHA2017)
Dutch police officially started using bodycams eight years ago – although the oldest sightings of Dutch police officers outfitted with a 'bobbycam' date back twenty years. Such cameras are another tool of surveillance, unless there is a solid policy governing their use. Of course, at the time of writing this summary, this policy is lacking. In this talk I'll give an overview of the use of bodycams by the Dutch police in the last twenty years, explain the upsides and downsides for you and me, and provide a summary of my policy recommendations. #Politics #SurveillanceState about this event: https://c3voc.de
Exploiting The North American Railways (SHA2017)
From 2005 to 2010 I spent my time hopping freight trains all over the United States and Canada. With over 250,000 km of railways in the U.S. and Canada, security is a huge task. With so much space to cover there are many opportunities to enter and ride the trains that move along the North American railways. This talk will cover some of the basics of doing so as well as the legal implications of these actions. #PhysicalSecurity about this event: https://c3voc.de
How to develop PyQt software (SHA2017)
Qt meets Python and allows you to create a GUI in a few minutes. We will show how this works while live coding. #Software about this event: https://c3voc.de
Decentralize! Self-hosting in your own home using Sovereign (SHA2017)
Centralized services enable mass surveillance, control and censorship. Decentralization on the other hand can be laborious. The Sovereign project makes it easy to run your own dirt-cheap dedicated server for mail and many other services. #Making about this event: https://c3voc.de
GNU Taler (SHA2017)
GNU Taler is an online payment system that uses Chaum's blind signatures to provide robust, unbreakable privacy for customers along with accountability for merchants. Taler avoids the performance issues that plague Byzantine fault-tolerant consensus-based solutions, and is developed entirely as free software. The talk will cover everything about GNU Taler, including the cryptography, the system architecture and a demonstration. #Privacy #NetworkSecurity about this event: https://c3voc.de
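The abstract names Chaum's blind signatures as the mechanism behind customer privacy but does not show how a blind signature yields an unlinkable yet verifiable coin. The block below is an added worked example of textbook RSA blind signing, written for this page; it is not GNU Taler's code, and Taler's real protocol (key sizes, coin encoding, denomination handling, refresh) differs. The RSA key is constructed from two small Mersenne primes for readability, the "coin" is just a SHA-256 digest of a serial reduced into Z_N, and the Exchange class is a hypothetical minimal model of the issuing/deposit party.

```python
import hashlib
import secrets
from math import gcd

# Constructed demo RSA key for the exchange. Two Mersenne primes give a
# ~150-bit modulus: fine for a worked example, useless for real money.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # gcd(E, phi(N)) == 1 for these primes


def coin_digest(serial: bytes) -> int:
    """The customer's fresh coin: a random serial hashed into Z_N."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


def blind(m: int):
    """Customer hides m by multiplying with r^E for a secret r coprime to N.
    Returns (blinded_message, r); r must be kept until unblinding."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (m * pow(r, E, N)) % N, r


def unblind(blinded_sig: int, r: int) -> int:
    """(m * r^E)^D = m^D * r (mod N), so dividing by r leaves m^D."""
    return (blinded_sig * pow(r, -1, N)) % N


def verify(m: int, sig: int) -> bool:
    return pow(sig, E, N) == m


class Exchange:
    """Signs blinded coins at withdrawal and accepts each coin exactly once
    at deposit, which is where double spending is caught."""

    def __init__(self) -> None:
        self.spent = set()

    def sign_blinded(self, blinded: int) -> int:
        # The exchange only ever sees the blinded value, never m or m^D.
        return pow(blinded, D, N)

    def deposit(self, m: int, sig: int) -> bool:
        if not verify(m, sig) or m in self.spent:
            return False
        self.spent.add(m)
        return True


def withdraw_and_spend(exchange: Exchange, serial: bytes) -> dict:
    """Full round trip: withdraw a blinded coin, unblind it, deposit it
    twice (second must fail) and try to deposit a forged coin."""
    m = coin_digest(serial)
    blinded, r = blind(m)
    blinded_sig = exchange.sign_blinded(blinded)
    sig = unblind(blinded_sig, r)
    return {
        "valid": verify(m, sig),
        # What the exchange saw at withdrawal differs from what the
        # merchant deposits, so the two events cannot be linked.
        "unlinkable": blinded != m and blinded_sig != sig,
        "first_deposit": exchange.deposit(m, sig),
        "second_deposit": exchange.deposit(m, sig),
        "forged_deposit": exchange.deposit(coin_digest(b"forged"), sig),
    }


if __name__ == "__main__":
    print(withdraw_and_spend(Exchange(), b"coin-serial-0001"))
```

The unlinkability comes entirely from the customer's secret r: the exchange signs (m * r^E) and later sees (m, m^D), and without r it cannot match the two. Accountability comes from the deposit side: the exchange records every coin digest it has redeemed, so a coin can be verified offline by anyone holding the public key but only cashed once.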
Digital personal locker (SHA2017)
Most of our data is held in a fuzzy, uncontrollable manner. We propose a totally different solution, a new paradigm in thinking about your data. In this paradigm you know where your data is, you are in control and data losses are a thing of the past. This presentation will introduce the personal locker: a technical reference (and device) that allows you to actually own and control your data. Big data can have many benefits. But until now you had to store your data somewhere in the cloud instead of at home. This idea will show how to combine different open source software and hardware solutions to build a device which complies with regulations but where you own and control the data. Think blockchain, distributed file systems, encryption, PKI and Open mHealth. #NetworkSecurity #BlockchainTech about this event: https://c3voc.de
Anonymous, secure and easy. You can have them all. (SHA2017)
All the pieces to make encryption easy, secure and anonymous are in widespread use. Only we're not using them properly, making it difficult for the users. In this talk, Guido will show what benefits can be gained by using existing cryptographic protocols in a slightly different configuration. Doing so makes authentication easy, community building possible and truly private messaging between strangers a reality. All without requiring the users to think about cryptography. It just works. #Privacy #NetworkSecurity about this event: https://c3voc.de
Bypassing Secure Boot using Fault Injection (SHA2017)
More and more (secure) embedded systems implement a feature to assure the integrity and confidentiality of all software executed after power-on reset, commonly referred to as secure boot. When not logically flawed, other attack techniques must be used to bypass the provided security. Such an attack technique is fault injection. #DeviceSecurity about this event: https://c3voc.de
My Safe In Your House (SHA2017)
All those shiny cloud services sound tempting, but unfortunately they might mean giving up your private information to someone else. But with modern hardware and crypto, you can have your cake and eat it, too. How does searchable encryption work? What can oblivious RAM protect you from? Where do secure enclaves like Intel SGX shine, and where do they fail? We'll give an overview of how the latest research and products work, how experimental they are, and what they might be used for. #DeviceSecurity #NetworkSecurity about this event: https://c3voc.de
Building Businesses that we can Buy Into and Believe In (SHA2017)
In the age of corporate surveillance, invasive ad-driven business models and lucrative zero-days, it is no surprise that the words “profitable business” can sound destructive to internet freedom and human rights. However, if we want to change this trend and have a lasting impact, we need to make sure we can build profitable businesses on privacy-friendly and open source technologies, that respect all humans, without bias. #Society #Privacy about this event: https://c3voc.de
Human body as an electric IO system (SHA2017)
A lecture about the brain as an electrical input/output system (the What the Hack logo would fit nicely). But other body parts such as eyes and muscles will also pass in review. Debunking some myths on the way. This would be for all hackers that dream about connecting computer processing power to themselves. For most of them this dream will be joyfully shattered, but some might become enthusiastic. #Making #Experimental about this event: https://c3voc.de
Time Stretching BpmDj (SHA2017)
How to modify the speed of audio without altering its pitch? #Making about this event: https://c3voc.de
The state of the pretty Easy privacy (p≡p) project and what to expect next (SHA2017)
The pretty Easy privacy (p≡p) project has the primary goal to make encryption accessible to the masses. By experience, the initiators know from CryptoParties that regular users -- even after getting everything explained (e.g., basics of public key cryptography) -- continue to be unable to communicate in private on a regular basis in practice. That's where p≡p jumps in: instead of just providing good privacy, privacy must also be easy to achieve. p≡p automates all steps necessary to engage in end-to-end encryption without hassling the users involved or asking questions. The p≡p project started by providing easy-to-use OpenPGP-compatible encryption for as many platforms as possible, with the ultimate goal of transferring all written digital communications to the GNUnet, thus not just protecting contents, but also metadata. In this talk, the basic ideas and technological foundations of p≡p are presented. Furthermore, it is shown in which cases p≡p is already operational and what's to be expected next. #NetworkSecurity #DeviceSecurity #Privacy about this event: https://c3voc.de
Hormones and Hysteria - what every person should know (SHA2017)
I'd like to discuss with you my experience with hormones and perceived hysteric behaviour and moments one feels extra vulnerable. I have researched this topic for several years and would like to share my experience with you, including the most recent scientific research. One time I asked the internet "Why am I such a Bitch?" .. so my quest started.. Because depression, mega reactions, feeling-the-whole-world-is-bad, witch-hunts, suicides, community drama and fears are sometimes more hormone related than we think. I also found out what works for me: understanding and hacking your body, sometimes tuning small things like eating broccoli makes a difference. I would like to share our ideas. #Society #Hormones #Drama #Community #Biohacking #Bio #Biology #Suicides #Suicide #Women #Mensplaining #Science #Chemistry #Prisons #Psychiatry #SelfHacking #BioPunk #Self #Relationships #Love #Food about this event: https://c3voc.de
Off<>zz Code and Piano Concert (SHA2017)
For SHA2017, Off<>zz will present a two part music concert of piano and live coding. In the first part, we will present “Code Our Glance”: a 30min musical journey where the audience influences the performance through an interactive web-application. The second part will feature the beta version of the CodeKlavier: a new project in which a pianist is able to code through playing the piano. #Making about this event: https://c3voc.de
Fermentation Mobile (SHA2017)
This talk is about setting up mobile fermentation education centers for experimental fermentation as well as means of legal production and vending points of fermented and other products at a variety of events and places. After a decade of fermenting around the world I have come to the conclusion that having mobile bases, where kvasirs (brewers, fermentors) can do what they love and legally make their living by carrying out their activities, is a sustainable way to promote the fermentation art and science long term. Being able to meet your needs by choosing and later on keeping working in your profession is one of the founding principles of human society. You can build up experience and knowledge of the persons and groups achieving progress in your field. Establishing fermentation communities guarantees more stable conditions for fermentation related projects, which take time, energy, and resources. A mobile approach to fermentation helps to reduce efforts and resources to a minimum. This is crucial especially at the first phases of community build up, when least resources are available. Importantly it also allows promotion, exchange, and resource generation by collaboration with other communities and participation at events when the “home community” is not “fermentized”, or strong enough, to support the project fully yet. Fermentation mobile therefore aims to build up stable, local fermentation communities by helping them to achieve their sustainability and self reliance faster and more efficiently, integrating them into a legal framework, and combining collaboration and exchange of resources with other communities and projects. #Making about this event: https://c3voc.de
Hardware games (SHA2017)
Making physical games requires a unique knack for creating robust systems. In this talk, Phoenix Perry will share some common strategies for developing DIY artist-driven systems which can last through thousands of users and interactions in a museum and installation context. #gaming #hardwarehacking about this event: https://c3voc.de
Build Usable Tools (SHA2017)
You’ve designed and implemented the perfect protocol to keep your target users private and secure. Come make sure that it will be used effectively by real users. In this workshop, you’ll learn the basics of evaluating and improving usability. You’ll gain practical skills in applying usability guidelines, and in designing and carrying out user studies. Your project will become more intuitive and protected from user mishap. If you have a project that users interact with, bring it or printouts of its interface - we’ll be conducting small user studies during the workshop. This is intended for anyone involved in creating tools or products. #Software about this event: https://c3voc.de