#rC3 my Day Two

✍️ → Written on 2020-12-28 in 2603 words. Part of cs IT-security


I also joined the Chaos Communication Congress on Day Two.

Technical issues continued.

  • It was reported that some DDoS was ongoing (DDoS tweet 1 and 2).

  • For example, the talk “‘America First, Humanity Second’ Die extreme Rechte in den USA und die Präsidentschaft Donald Trumps” could not be held on BigBlueButton due to audio issues and was rescheduled to 2020-12-30.

  • I wanted to attend “youtube algorithm analysis”, but the links in the rc3.world lead to a loop. I assumed “assembly workshop” refers to the 2D rC3 world and I ran around in the world to find the “about:freedom & OIO” assembly, but could not. 1.5 hours later I discovered the link workshop.rc3.oio.social on twitter, which would have been the correct one.

  • The Assange and surveillance talks were swapped without reflecting this in r3c.world

  • The talk “But this politician said «xyz»!” had to be postponed.


Linux remixen - Ich back mir eine Linux-Distro

Even though the title is in German, this talk by “The one with the braid | Dфҿ mit dem Zopf” was held in English. The first interesting aspect was that the speaker claims the bare image contains 30 GB of data and squashfs allows it to be compressed to ~1 GB. He then continued with introducing casper and initramfs. Then we continued with installation frameworks like Ubiquity, Calamares, and Anaconda. A graphical tool called remastersys might also come in handy. Also Linux from Scratch is introduced which requires you to compile the kernel, compile the userland and requires you to configure everything manually.

In conclusion, this talk was very high-level and it would have been nice to provide a more hands-on guide accompanied with this talk.

Scientific Literacy 101

derJoram introduces the audience how to design scientific experiments in natural sciences.

His approach was to illustrate challenges and traps in designs. For example, the relativeness of the p-value based on the field was shown (Biology: 5% is fine, Particle physics: 0.0000003% is the way to go). Then the speaker points out that people are flawed. My favorite quote in this context is “Researchers are not people who poop wisdom”. Researchers themselves have biases and assumptions might be missed. Then careers are discussed. It is pointed out that only 1% become professors and the career might give an indication how experienced one is in the field. Then the publication process is illustrated (Scientific conference → pre-print → scientific paper). The debated order of names is mentioned. Figures in natural sciences are very important whereas in cryptography they are sometime negligible. Then the media exposure of a paper is discussed where journalism comes into play which continues into discussing the frame of reference to get a grasp of large numbers and data. Then sources are discussed where pre-print servers and sci-hub (libgen.rs was also mentioned in the IRC chat) come into play. Finally, he concludes “fact checking is tedious and so is science”.

This was an awesome talk about many aspects of science. The talk was done with great illustrations and a few jokes.

Wikidata for (Data) Journalists

“WikiData acts as a central storage repository for structured data” (TODO verify quote). With these words Elisabeth Giesemann introduced WikiData. She is an expert in this field which you will quickly recognize by her broad view on this topic.

After this introduction of the platform, she moves on by giving an overview of the technology. “You will want to learn (a bit) of SPARQL” is the central message and points out that expertise in R or python like a data scientist is not required. Then she mentions projects like “Ask me Anything” and “Scholia” which make WikiData more accessible. She gave an example of story-telling with WikiData which is “Women’s representation and voice in media coverage of the coronavirus crisis” (used data and evaluations of WikiData to show that coverage is below 20%). After less than 25min, this talk was already done. In the end, a high-level overview and I was missing more specific examples.

Why we need to reinvent media - and how

In this talk by Bitwäscherei Zürich, speaker Vardon Hamdiu raises the issues in current media business models. Essentially the advertising model and the paywall models are critized for fragmenting the web and promoting low-quality content.

Now the speaker has a vision. He introduces an alternative system called Butterfy with four content stages. The final stages 3 and 4 contain the high-quality content which is filtered by previous stages. At the same time, money must be paid to access the later stages and the money is distributed to content in stages 1–3, creators and the platform. So in some way all content is in the web, but if you want to have a democratic filter, you need to pay.

Sadly, the moderator combined questions from IRC which are IMHO not related. The speaker appeared very young to me, but his train of thought was easy to follow. Little mishaps like mixing internet and WWW occured, but I liked his positive vibe. Overall, it was a good talk and I like the general idea (even though it cannot solve issues like promoting news where speed is crucial).

BBB-Admin-Stammtisch beim rC3

I wanted to attend “Porting Linux to your favorite obscure Arm SoC”, but somehow the stream did not connect. After some minutes, I decided to jump to “BBB-Admin-Stammtisch”. chris and waschtl answered questions about BigBlueButton. They have experiences from educational settings (i.e. schools). Of course, this was helpful for our planning of GLT, but I was not prepared to ask specific questions. So I only asked about scaling, load balancing, and stress tests. I took a few notes:

  • 20 audio+video users in same room (with default settings) usually just works. With pagination it scales to about 50 video users in one room

  • One experience: 30 audio-only users: minimal hardware requirements: 4 pinned CPUs, 8GB RAM

  • One experience: only the maximum number of users in one room matters, 20 users in one room is good baseline to communicate

  • One experience: 4 cores, 8GB RAM for about 250 users (finetuning + educated users available? much more possible)

  • Scaling depends heavily on TURN instance. Use your own TURN instance! Per 1000 users, 1 core and 1 GBit bandwidth (w/o redundancy, less than 2 cores not recommended)

  • Number of video streams is square of number of users (20 users = 400 streams)

  • Grafana for visualizing metrics

  • BBB requires a lot of attention

  • Testing and Metrics

  • Notes taken by watschl (thank you!)

  • Automated setup with ansible: ansible-bigbluebutton-tiny and ansible-role-bigbluebutton (the former is based on the latter)

  • Automated setup with docker: bigbluebutton-docker

  • Scripts for stress tests will be released on gitlab

  • nixOS setup exists, but one user reports that meteor is currently not buildable

  • Security tips:

    • fix file permissions in systemd units

    • fix owner of the executing applications

    • don’t run services as root

    • disable recordings

    • modify nginx configs (rate limits for APIs, improve regexes for paths)

    • separate users for systemd services

    • use new BBB VM after every update, don’t upgrade

  • Official community on BBB Matrix channel: #bigbluebutton-de:matrix.org

Pagination settings
  enabled: false
    - threshold: 8
      profile: low-u8
    - threshold: 12
      profile: low-u12
    - threshold: 15
      profile: low-u15
    - threshold: 20
      profile: low-u20
    - threshold: 25
      profile: low-u25
    - threshold: 30
      profile: low-u30
  enabled: true
  pageChangeDebounceTime: 2500
    moderator: 0
    viewer: 5
    moderator: 2
    viewer: 2

Google’s quantum supremacy – is China about to break cryptocurrency?

Victoria Hanna Eva Riess talked about Google’s quantum supremacy result.

Even before the talk, there was some bold claim on twitter and the Q&A board in use. Little Detritus (at 17:43) on the Q&A etherpad wrote “long story short, der Talk für 18 Uhr von Frau Riess ist grober Unsinn” (engl. “long story short, the talk at 18:00 by Riess is mumpitz”) and he repeated the same claim on twitter “Der talk wurde mehrfach abgelehnt, die Aussagen von Frau Riess zum Thema Quantum Supreamcy sind grober Unsinn.” (engl. “The talk has been rejected multiple times. The statements by Riess regarding Quantum Supremacy are mumpitz”). I was trying to get some context for the claim and looked into the background of the people involved. LittleDetritus on twitter uses the name “Gregor Bransky” as well. The twitter biography mentions “Quantuminfo guy”, but I could not find more information about Gregor. I only found some twitter thread where some handwavy connection between lattice-based crypto and the Travelling Salesman Problem is made. On the other hand Riess' background (@RiessVictoria on twitter) seems to be AWS Cloud DevOps. Later, LittleDetritus mentioned that Riess continued her “selfpromotion”. Some user asked him to stop his bullying actions. xhain intervened in the Etherpad chat and I asked for justification of his claims. He replied:

  • “Given current understanding superposition and entangelment are necessary to make quantumcomputers work. Superposition alone is not sufficient.”

  • “Google has not reached quantum supremacy. The term is not well defined, this was clarified by Scott Aaronson.”

  • “Grovers Algorithm: The way the algorithm was discussed was misleading at best”

This sounds like valid criticism. Anyhow, let us skip the formalization and let us get to the content.

She covered fundamentals in a broad manner by explaining the notion of qubits, mentioning the Bloch sphere and then showing some pictures of Google’s quantum processor. I found the figures non-informative and purely promotional. She then continued to mention Grover’s search algorithm (mainly affecting symmetric cryptography) and Shor’s algorithm (affecting asymmetric cryptography). She implied familiarity with many cryptographical concepts, but I could not spot any major errors. Then she continued with PQCRYPTO, where she mixed up some minor things.

I would love to continue explaining the content and discuss the criticized parts, but I got a call by someone who needed help with some Linux system. I will update this section accordingly, once I have rewatched her talk.

Regarding the quantum supremacy result, the article by Scott Aaronson is mentioned often.

Crypto Wars 2.0 (de)

Erich Moechel (DE Wikipedia) is a well known journalist in the IT security world. In this talk, he revisited historical development related to sharing the master key with governmental institutions (a current EU initiative). He started with Snowden’s revelations and pointed out how TLS was adopting and encrypted traffic in the WWW doubled post-snowden. Then he covered political decisions such as the request by the CIA to Apple to hand out the secret key to decrypt the iPhone of a terrorist. Another topic was the eTLS standard. Then the language of politicians is discussed where backdoors are reframed as frontdoors.

I feel like Erich has a good understanding of the context in this field and observed the historical developments. But I think his presentation style is lurid (e.g. intonation and wording used to emphasize the point of view he wants to convey but neglecting the politician’s point of view). I think reading and reflecting on the articles is more pleasant than watching the talk.

Das Assange-Auslieferungsverfahren

I followed the link to “Spot the Surveillance”, but ended up in the talk “Das Assange-Auslieferungsverfahren” which started 10 minutes earlier. I thought this was a technical malfunction, but I later recognized that I could have changed to the other room where the surveillance talk just started. I stayed in this room. It was not easy to always follow since audio was lost multiple times.

First, Dustin Hoffman (@dhbln on twitter) talked about the lawsuit itself. All I understood is that my aspects are susceptible and was somehow awkward (for example that he was behind glass during the questioning). Then he continued with political background. In the context, Trumps “War on journalism” and Trumps “Head on a Spike” was mentioned. Links were made to cases like Khalid El-Masri. The it was emphasized that extradition must be avoided at all costs. Assange is very afraid of this since he does not expect a fair trial. Dustin finished with Julian’s health concerns:

  • Julian was diagnosed with Asperger’s

  • Julian was diagnosed to suffer from depressions

  • It is claimed that Julian has previously prepared for suicide with razor blades and in case of extradition, there is an eminent danger of execution (all possible countermeasures have been put in place though)

He concluded that many surveillance techniques have been applied, e.g.

  • Unrecognized exchange of surveillance cam to support audio recording to collect audio samples

  • Microphones in fire extinguishers in conference rooms and microphone in bathrooms

… and as such Julian remains to be a high-profile target for the US. I think the presentation of the facts was great and the lawsuit reporter discussed both perspectives of the story. Audio issues made it difficult to follow, but user linked to a previous interview with Dustin.


The day was meant to finish with Lisa Becker’s talk about GANs to create deepfakes. It started with audio issues which could not be fixed. The moderator did a great job engaging in small talk to keep the audience and the speaker entertained which technicians were trying to fix the issues. As he said, “our director is running around in circles and screaming”. In the end, it was cancelled.

On this day, technical issues continued. What is my recommendation of the day?