#rC3 my Day Three

✍️ → Written on 2020-12-29 in 3205 words. Part of cs IT-security


I also joined the Chaos Communication Congress on Day Three. Sadly I missed “Better Justification for the Web” in the morning (why was it not on my list?). Because of this, I updated my personal “Fahrplan” with talks that have been rescheduled. During the day, I was interrupted for some time because my girlfriend visited me spontaneously.


Digitale Gewalt gegen Frauen

On franconion.net, the Pia Jäger and Mia Felder talked about textual violence against women (in German). They initiated the platform hassmelden.de to help victims in reporting hate in the internet. She illustrated that by many examples where sexualized violence is the main field. Then the talk continued to talk about legal aspects, platforms, and specific variants like dick pics. I did not take many notes during the talk, but the links stand for themselves:

Despite being short on notes, this talk was well-structured, well-delievered, and informative. However, legal topics are specific to Germany, of course.

When Lightning Strikes Thrice: Breaking Thunderbolt 3 Security

Bjorn Ruytenberg presented his master thesis which had a tremendous result: the Thunderspy attack, which is a new class of vulnerabilities breaking Thunderbolt security.

He introduced PCIe and talked about Thunderbolt 1 and 2. In the case of Thunderbolt 1, the user was allowed to read/write arbitrary data (thus no provided memory security). Thunderbolt 1 and 2 were rolled out almost exclusively to Macs. But Thunderbird 3 reached wider adoption and this version was the primary target of the attacks. He also talked about DMA attacks. Several attacks on Thunderbolt [including DMA-based ones] have been presented before (e.g. Inception by Maartmann-Moe 2014, PCILeech by Frisk 2016, Thunderclap by Markettos et al. 2019).

The threat model for such attacks in the evil maid attack (unattended device in a hotel room; or simply phrased “physical access”). Then the speaker continues to talk about the Thunderbird Security Architecture built upon 5 security levels. Five levels where SL0 corresponds to no security as in Thunderbird 1. And e.g. SL3 disables all Thunderbolt connectivity and restricts to USB and/or DisplayPort tunneling only. One additional level is called “Pre-boot protection” which enables PCIe tunneling only if the Thunderbolt device is authorized by the user.

Then the Thunderspy attacks are discussed encompassing 8 vulnerabilities and 9 practical exploitation scenarios. It is pointed out that Thunderbolt is a proprietary standard (little documentation), the JTAG interface does not work and thus analysis is difficult. However, they were able to collect some hardware data about Thunderbird. They looked into some actual controllers like Intel JHL6540 and the TPS65983 USB-PD controller from a hardware level. He started to focus on the firmware and on device ids (UUID).

Thunderspy Vulnerability 1

The firmware is authenticated when updating from host, but not adequately upon connecting device, during boot, or resuming from sleep

Thunderspy Vulnerability 2

A weak device authentication scheme is used. None of the identifiers linked to Thunderbolt PHY or each other, cryptographically or otherwise. Hence you can spoof arbitrary vendor ID that doesn’t match vendor name.

Thunderspy Vulnerability 3

This vulnerablity is the use of unauthenticated device metadata. The idea is that the DROM is not cryptographically verified. And when combined with vulnerabilities 1 and 2, this enables arbitrary identities and cloning user-authorized devices

Thunderspy Vulnerability 4

This attack is a downgrade attack. Due to backwards compatibility, you can simply downgrade your Thunderbolt 3 system to Thunderbolt 2 functionality and apply the attacks known for TB2 there.

He then visualized the Device Controller Firmware Outline. In this firmware, the secure key dictionary was not encrypted and the DROM device identity was not authenticated (IIRC). It was interesting to emphasize that UEFI enables users to set Thunderbolt Security Levels, which can also have some devastating effect. After this, he talked about write protection of the SPI flash which enables the 6th vulnerability.

Thunderspy Vulnerability 5

This is the use of unauthenticated controller configurations where we have two state machines (UEFI and host controller firmware maintains security level state). And the host controller firmware overrides the UEFI state, but the firmware signature does not cover the security configuration.

Thunderspy Vulnerability 6

SPI flash interface deficiencies in the sense that the Host controller firmware maintains the sec. level state (as in vuln. 5), but the SPI flash write protection allows to prevent users to change the sec. level

Then a demo was shown where the Windows login screen was bypassed by switching to Security Level 0: “Thunderspy PoC demo 1: Unlocking Windows PC in 5 minutes”. Sadly, on the CCC stream, the audio got lost every time a demo was shown. So the youtube link posted on IRC was helpful. They also built a tool SpyCheck which checks for vulnerabilities. Essentially all PCs released between 2011-2018 are vulnerable and all Macs running Windows and Linux (Boot Camp) too.

Finally, the speaker concludes with next steps to make Thunderpolt devices more secure (which issues were not addressed yet and mitigations were only applied partially).

Home automation for noobs and nerds

André Helwig talked about home automation. It was a very generic, shallow talk introducing hardware and software usable for home automation. In the following, you will find my notes:

Hardware to be automated:

  • Lights

  • Switches

  • Heating control (HomeMatic, TADO, AVM, …)

Useful software:

  • HomeAssistant (slim enough to run on a RaspPi, focus on security and control over data, easy to start with good documentation)

  • esphome.io

The talk was interrupted after 10min for a short period of time, because the bandwidth was too low.

This is Not A Game (de)

This talk by Arne Vogelgesang discusses QAnon in the gamification setting. First, the notion of LARPs, Live action role-playing games, is introduced. Then it is shown in many posts how conspiracy theories related to Trump, jews, and the Clintons emerged. Part of this story are the Clinton emails leaked by Wikileaks and Pizzagate. Then the rabbit hole/burrow theme is discussed which was adopted from the Matrix movie. Eventually, the conspiracy theories related to announced arrests resulted in sophiocratic questions over a long period of time signed by “Q”. This initiated the QAnon movement. In this context also the conspiracy theories related to Adrenochrome are mentioned where allegedly blood is collected to achieve rejuvenation for politians (the so-called elite). Then the speaker continued to talk about Augmented Reality Games (ARG). In this context, the game Majestic by EA games was mentioned as an early concept of this kind. Also lonelygirl15 can be seen as an augmented reality game, since this hoax created an alternate reality.

At this point, my girlfriend dropped by, but I continued to watch it later. Update 2021-01-02:

“Perception shapes reality”. ARGs are meant to be transmedial, interactive, immersive, and collective. “This Is Not A Game” (TINAG) is the title of a book by Dave Szulborski. Twitter account @THEWH17ERABB17 created a tweet series with questions creating a ARG. White Rabbit, at the same time, was a prior neonazi theme for white surpremacy and thus was adopted quickly in the far-right wing community. Tim Murdock created “White Rabbit Radio” in 2009. In the end, he concluded that the identity behind Q is unknown.

I think the presentation was extraordinarily good. At 36C3, Arne presented “Let’s play Infokrieg”, which covers a similar topic. The content sums up developments related to Q and looks at the status quo from a humanistic approach. In the Q&A, Arne pointed out that (even if it is cumbersome) you should not terminate contact to people who believe in these kinds of conspiracy theories.

Mehr als ein Tor zum Darknet: Tor-Exits an Universitäten

Christoph Döpmann and Matthias Marx explain in this German talk why universities should run Tor exit nodes and relays. First, they analyzed that less than 1% of the exit nodes are run by the university. Christoph explained by experience thats in 2 years his exit relay received 4 abuse complaints (TU Berlin), which were resolved without hazzle. Matthias explained that since 2019 his exit relay restricted to ports 80 and 443 had rarely any abuse notifications but one request for investigation by the federal police. His point was that port restrictions were important, because once they enabled port 22, they had one abuse notification per day. This was because DOS attack have been mounted through this port. And that is it.

The speakers were talking very slow, the content was too short (they could have given much more information about the configuration of they exit relays, etc) and during the Q&A audio was cut off. In the end, it was not worth my time since I learned almost nothing from this talk.

Hacking Google Maps

Simon Weckert and Moritz Ahlert are artists and look at Google Maps from an artistic point of view. The latter made a PhD on ‘Google Maps-Urbanism’. They developed an art illustration, which got quite some publicity. The talk started without sound, but once the pre-recorded talk introduced the artists, sound was working again.

The presentation style was distinct from other talks. Consider a user sitting in front of the computer and the talk is created by using the file explorer to open files, opening Google Maps, jumping around, then switching to the browser, scrolling on websites, and writing header titles into a text editor. The background music is running continuously making it occasionally difficult to understand the narrator, but matches the current storyline. In IRC, someone mentioned stilistic similarity with the art installation “How Not to Be Seen: A Fucking Didactic Educational .MOV File” by Hito Steyerl, but the video is only available on Youtube behind an age verification wall. As it turns out, some IRC users hated the presentation style and left immediately whereas some others praised the style. They themselves called the style “video essay”.

It was a fluent storyline with ever-new buzzwords, but I want to write down some mentioned concepts in my notes:

  • “Maps have always been instruments of power. They have always been a significant instrument of government abomination”

  • keyword: Critical Cartography

  • Google Maps (since 2005), Google Street View (since 2007), Google Earth (since 2005)

  • “… interactive, scrollable, searchable and zoomable. Google’s maps service has fundamentally changed our understanding of what a map is”

  • art project “Google Maps Borders” (IP address of different country might give a different Google Maps version with different country borders)

  • Simon Weckert: Data Cities Artist Talk · #DNL20

  • Mercator projection

  • keyword: Platformization

  • keyword: Dividual Map

  • Google Maps Hacks” by Simon Weckert (‘Fake-Stau durch 27 handys’)

  • GPS spoofing

  • “Pokemon Go turns the public space into an arena”

In the end, I liked their art installations, but the talk itself was not very informative.

Open-Source-Initiativen der deutschen und europäischen Regierungen

Thomas Fricke explained in German which Open Source initiatives were taking place in governmental settings. In 2001–2003 SuSE was presented in the German Bundestag. Eventually, the project was stopped in 2003 by intervention of a lobbyist (this is revealed in this talk for the first time). Then economical properties were discussed. Captial Accumulation and Politics of Interest are the keywords discussed (privatizing profits and socializing losses and interest is economically framed). Then Thomas discusses which open source projects have been (successfully or unsuccessfully) acquired by businesses and that open source projects are necessarily quantified by other businesses. Then the political context is discussed raising the question: Is investment good or bad? For example, Curevac was on the brink of bankruptcy and got a huge investment by the government. Investments into road constructions are given as bad example.

Thomas shows the Linuxfoundation survey which drew the conclusion that 35% of developers are EU based (12% from Germany) and 80–95% of products in use are Open Source. Rafael de Laguna de la Vera is mentioned as a pacifist at heart, 2018 became CEO of Open-Xchange (web-based office suite) and 2019 he became the first director of “Agentur für Sprunginnovation” (agency for disruption) promoting Open Source. It was unusual to see a [CDU] politician promoting Open Source. However, Thomas points out that economical interests were framed as values. Günther Oettinger as EU commissioner is mentioned as well. Artifical Intelligence and Big Data are sectors which currently receive a lot of political attention. This often leads to bad developments related to questions like who owns the code and the data. Here copyright, remixing, patents, and Creative Commons come into play (e.g. Kraftwerk vs Moses Pelham, Mickey Mouse Laws). When people start talking about costs of Open Source solutions, then you need to balance it with the costs of proprietary solutions. Peter Ganten is mentioned who provides a definition for digital sovereignity.

Then project GAIA-X is discussed, initiated by German minister Altmaier. Recently it was published that Palantir joined. Marco-Alexander Breit pointed out that it is only “a so-called Gaia-X Day 1 membership”. But what is GAIA-X? It is advertized as Sovereignity Stack which basically seems to be a huge Kubernetes cluster managed in several security zones. So essentially, GAIA-X basically uses Open Source in central components, but is intransparent at the same time and it can be expected that little money goes back to the FLOSS projects themselves. The issue with Palantir (this was added in the Q&A) that if Palantir Technologies has influence on the design of GAIA-X, it will likely not lead to the desired digital sovereignity, GAIA-X could be closed immediately and data could be put into the American cloud right away.

Other smaller projects include the Corona Warn App, the Governmental Code Repo (basically a git hoster) and the “Zentrum für Digital Souveränität” which also surround Open Source. In some way, it is also acknowledged that the Intel architecture has issues and RISC-V is presented as an alternative.

Thomas concludes that Open Source is Big Business. In the Q&A, it was pointed out that digital sovereignity is a term used by right-wing communities in the US and needs to be defined properly to put it in proper context. In total, I think Thomas has an in-depth view in this field and gave a wonderful talk for the German-specific setting.

DevOps Disasters 3.11

Stefan Walluhn revisits in this German talk DevOps Disasters.

Docker vs. Cron

Periodic tasks in Docker. AsyncWorker frameworks: sidekiq, celery beat, … issue: docker logs stdout but cronD logs by sending mail. “logging is a solved problem”. Use the logging library of your programming language (with log-levels and log-output). Via IRC: How to redirect cron job output to stdout and supercronic to dump to sentry

Config Handling

docker uses environment variables (→ but no booleans & no complex data types), never put config into database (like mattermost, Sensu Go, InfluxDB2 ⇒ fail!), config is not code!

High Availability

distributed state machine across servers and clients introduced by Apache ZooKeeper ⇒ fail

Packaging & Installer

Ansible drops pypi and introduces “collections”, Poetry with “poetry export” to export a requirements.txt for pip, anaconda modifies $PATH, minio does not flag security-relevant releases, “packaging & installers are a solved problem – don’t reinvent the wheel!”


“containers are a standardized unit of software that allows developers to isolate their app from its environment”, recognize that it is not only the app running but also the runtime, monitor for security releases of the Docker base images (!), you are responsible for the security updates of your runtime and thus need to build Docker base images every 2 days, Ubuntu 18.04 base image has 58 vulnerabilities, Debian 10 base image has 81 vulnerabilities, CentOS 8 base image has 133 vulnerabilities, Alpine base images publishes only data to already fixes vulnerabilities, base image security is a big issue

Docker node:stretch

“FROM buildpack-deps:stretch”, node+npm curl pre-compiled, in yarn curl is pre-packaged Javascript and thus impossible to check for security issues, … thus compilation is intransparent


sentry as example, tianon/exim4 + memcached:1.5-alpine + confluentic/cp-zookeeper:5.5.0 + yankex/clickhouse-server: + … with the open question whether these services with root access are trustworthy


issues like php base image applies “chmod 777 /var/www/html”, “In 2020, I had no docker setup which didn’t such upon first look”, issues are regular not exception, look into Dockerfiles, build your containers yourself, use only minial and trustworthy containers, use packages from package manager of OS

  • TIL: Nepal uses UTC+05:45

  • Detecting the use of "curl | bash" server side

  • oasis is a small linux system completely statically linked with 100% reproducible builds, minimal bootstrap dependencies, BearSSL as system TLS and crypto library, and no package manager

Security scanner:

I learned some data about Docker base image security, which was nice to get a sense of the actual threat.


My recommendations for today are: