The thirty-second annual Chaos Communication Congress carried the tagline "Gated Communities". CCC is probably the oldest hacker conference and "Gated communities" worked very well as a theme for this year. From Orwellian-looking modern gates and doors with huge walls and cameras, cold-blue lights, to a discrete entrance to an integrated party place created from discarded RVs and huge propeller resembling the Burning Man festival, all suggest that the organizers filled their roles perfectly. There was not much to criticize at the Congress and the same holds true with the participation of the Czech Republic and Slovakia. The CZSK community organized a surreal disco-party with triangular flags, luminous 3D-printed dildo, and a cheering crowd hailing - at a toilet. The trending hashtag #toiletparty caused that this great achievement has been mentioned by many speakers the next day and even deserved the first slide of the closing lecture.
One of my favorite topics at the Congress is lectures about the universe. Excellent representation of this type of hacking was a presentation by students who participated in REXUS and BEXUS university programs. R in REXUS is a Rocket; B in BEXUS is a Balloon. It is a program that allows student teams to create an experiment, which flies either on the rocket to high altitudes or finds itself on a meteorological balloon. One of the students explained how you can get involved with their projects and described their experiments (an accelerometer based on fiber-optics in REXUS project and a radio receiver for aircraft beacons in the case of BEXUS).
Daniel Lange and Felix Domke in their lecture on "Dieselgate" talked about the scandal of the Volkswagen group. Thanks to the fact that the standard for measuring the emissions is so precise and specific (it requires exact speeds and timing), it is very easy to find out whether the car is in emissions testing laboratory or it is just an ordinarily used on the motorway. The presenters explained the background of the car industry and the fact that these tests are almost of no informative value. They test the car emissions in a situation that is artificial and thus has no real relation to how the car operates in real world scenarios. It's as if you wanted to measure the load on the webserver, so you measure the behavior of your users once and then tune the servers to this pre-recorded behavior forever. If you are interested in cars and the background of automotive industry, I recommend you see this lecture.
Let’s stay with transportation industry for a while. In the lecture "The Great Train Cyber Robbery ", we have learnt about how modern trains operate, to which systems is the train connected and how safe or unsafe they are. An interesting finding for me was that most of the people responsible for train safety refer to the "air-gap" principle, i.e. the physical separation of networks. In this case, they claim that the security does not need to be addressed. And then we learn that the equipment on trains (at least in Germany) is using a wireless network standard called GSM-R. This standard is based on GSM, but it is served by specific network providers. How many of the vulnerabilities that people like Karsten Nohl or LaForge found in the GSM standard are applicable to GSM-R? And how many of them are patched in GSM-R, when there are almost no customers that are actually interested in security of this network? Another interesting fact that we need to understand is that train security (or security of industrial and transportation systems) is not about a small financial loss or an embarrassing skull and crossbones logo on your hacked hompage. Sergey Gordeychik showed us how a collision and crash of trains really look like. Not nice.
LaForge showed us the results of his efforts to operate his own 3G / 3.5G mobile network. He is the co-author of the Osmocom project that brings open-source implementation of common protocols used in mobile networks. The last few months he has been playing with the implementation of some protocols of 3G and 3.5G protocol stacks. I cannot help it, but seeing how the protocols are design makes me feel a little bit dizzy and uncomfortable. There's an enormous amount of unnecessary protocols that are translated one to another with no apparent sense - except that it is a protocol used historically somewhere.
Karsten Nohl and his team performed several attacks at the standard POS (Point of Sale) terminals in Germany. They managed to create attacks that can rob you both if you are the customer and the merchant that accepts payment cards. Payment card systems have long-term security issues - their actual implementation often adds even more problems. If you are interested in payment systems, I recommend watching the recording of this lecture.
DJB and Tanja Lange explained to us that although they do not believe that there currently is a functional quantum computer on this planet, we have to prepare for it’s arrival. Hah, that sounds like a religion – “The coming of quantum computer”! Almost all industries view quantum computers as a positive thing which will help them in better and faster calculations in some cases - except cryptography, where ultimately faster calculations can have catastrophic consequences. Conventional ciphers that we use when shopping, communication and so on can be broken using one of these quantum computers thanks to the Shor’s algorithm. This algorithm does not work on conventional computers though, so it’s unusable right now. Many people attribute magical capabilities to quantum computers, but it is not quite so. It does not solve all fundamental problems of computation or speed up any algorithm. The fact remains that the problem of factoring numbers (i.e. finding of the prime numbers that produce a particular number) is a simple task for a quantum computer - unlike classical computers. And several encryption algorithms like RSA depend on the fact that number factorization is a computationally difficult problem. Algorithms can be based on other asymmetric problems too, including algorithms based on elliptic curves (used in TLS or Bitcoin network) or the discrete logarithm problem, which is used in the first asymmetric cryptosystem - Diffie-Hellman. DJB and Tanja Lange scared us a little and began to speak openly about the need to start working intensively on Post-quantum cryptography. They introduced some digital signature algorithms and asymmetric encryption algorithms that are immune to Shor’s algorithm and hopefully won’t be broken easily by quantum computers. Now it is time to test their safety, create implementations and include support for these ciphers to standards like SSH, TLS, and the like.
The fact that this may be the right way forward was reinforced by J. Alex Halderman and Nadia Heringer, who told us about the issue in Diffie-Helman key exchange. The complexity of the algorithm that breaks down the problem is known. The problem comes with the fact that it is not necessary to do all the calculations for each key exchange - a large part of the calculations can be pre-computed for one of the parameters that is usually constant in different implementations of Diffie-Helman key exchange. In this way, it is possible to relatively quickly compute the individual keys. Recommendation - do not use Diffie Hellman key exchange with known and frequently used parameters and instead use a minimum 2048-bit keys (for RSA and DH) and as quickly as possible move to an elliptical curve based ciphers.
Electronic Frontier Foundation presented their project "Let's Encrypt". It is a publicly accessible certificate authority that browsers accept and trust for domain-validated TLS certificates. If you want to set-up https on your servers (or IMAPS, or other services) without the ugly “self-signed certificate” or “unknown certificate authority” notices, Let's Encrypt is currently probably the easiest way to obtain a working and trusted certificate. As the Electronic Frontier Foundation has no employees in customer support, certification and validation processes are fully automated. Let's Encrypt certificates are issued for a maximum of 90 days and for this reason that people have implemented automated renewal of certificates. I encourage all operators of any websites to use this certificate authority. It even supports multiple domain names in one certificate (currently there is a maximum of one hundred names on one certificate).
Art projects and lectures at this year's congress were really interesting. Darsha created “20 oscillators in 20 minutes”. If you like electronic music, keep in mind that the only true electronic music is analog! (http://bit.ly/oscilators). Peng! Collective presented their project Intelexit – a site and a marketing campaign for the employees of intelligence agencies to quit their jobs. In addition to explanatory videos, which can be found at intelexit.org, they created a billboard campaign in front of the buildings of the secret services. The campaign ended by a drone flight over Dagger Complex that belongs to NSA where they dropped leaflets on how to quit the NSA.
My favorite art lecturer was Constant Dullaart, who told us the story of the first "photoshopped" photograph called "Jennifer in Paradise" and his journey to search for the truth about this famous photo. He then used steganography to insert a secret encrypted message into the JPEG and distribute his version. Then he talked about the fact that many artists compare with others - and not by their achievements, but they compare how many "followers" on social networks they have. Constant decided to institute socialism in social capital – all shall be equal. He bought a “robotic army” of followers for some colleagues, so that each of the artists had exactly one hundred thousand followers. How can they compare, if the number of the followers is the same?