#rC3 my Day Three

✍️ Written on 2020-12-29 in 3205 words. Part of cs IT-security

Motivation

I also joined the Chaos Communication Congress on Day Three. Sadly I missed “Better Justification for the Web” in the morning (why was it not on my list?). Because of this, I updated my personal “Fahrplan” with talks that have been rescheduled. During the day, I was interrupted for some time because my girlfriend visited me spontaneously.

Talks

Digitale Gewalt gegen Frauen

On franconion.net, Pia Jäger and Mia Felder talked about textual violence against women (in German). They initiated the platform hassmelden.de to help victims report hate on the internet. They illustrated this with many examples, in which sexualized violence is the main field. The talk then covered legal aspects, platforms, and specific variants like dick pics. I did not take many notes during the talk, but the links speak for themselves:

Despite being short on notes, this talk was well-structured, well-delivered, and informative. However, the legal topics are specific to Germany, of course.

When Lightning Strikes Thrice: Breaking Thunderbolt 3 Security

Bjorn Ruytenberg presented his master's thesis, which had a tremendous result: the Thunderspy attack, a new class of vulnerabilities breaking Thunderbolt security.

He introduced PCIe and talked about Thunderbolt 1 and 2. In the case of Thunderbolt 1, the user was allowed to read/write arbitrary data (thus no memory protection was provided). Thunderbolt 1 and 2 were rolled out almost exclusively to Macs. But Thunderbolt 3 reached wider adoption, and this version was the primary target of the attacks. He also talked about DMA attacks. Several attacks on Thunderbolt [including DMA-based ones] have been presented before (e.g. Inception by Maartmann-Moe 2014, PCILeech by Frisk 2016, Thunderclap by Markettos et al. 2019).

The threat model for such attacks is the evil maid attack (an unattended device in a hotel room, or simply phrased, “physical access”). The speaker then continued with the Thunderbolt security architecture, which is built upon five security levels. SL0 corresponds to no security, as in Thunderbolt 1, whereas e.g. SL3 disables all Thunderbolt connectivity and restricts the port to USB and/or DisplayPort tunneling only. One additional level is called “pre-boot protection”, which enables PCIe tunneling only if the Thunderbolt device has been authorized by the user.

Then the Thunderspy attacks are discussed, encompassing 8 vulnerabilities and 9 practical exploitation scenarios. It is pointed out that Thunderbolt is a proprietary standard (little documentation) and that the JTAG interface does not work, so analysis is difficult. However, they were able to collect some hardware data about Thunderbolt. They looked at actual controllers like the Intel JHL6540 and the TPS65983 USB-PD controller at the hardware level. He then focused on the firmware and on device IDs (UUIDs).

Thunderspy Vulnerability 1

The firmware is authenticated when updating from the host, but not adequately when a device is connected, during boot, or when resuming from sleep.

Thunderspy Vulnerability 2

A weak device authentication scheme is used: none of the identifiers are linked to the Thunderbolt PHY or to each other, cryptographically or otherwise. Hence one can spoof an arbitrary vendor ID that does not match the vendor name.

Thunderspy Vulnerability 3

This vulnerability is the use of unauthenticated device metadata: the DROM is not cryptographically verified. Combined with vulnerabilities 1 and 2, this enables arbitrary identities and the cloning of user-authorized devices.

Thunderspy Vulnerability 4

This is a downgrade attack. Due to backwards compatibility, one can simply downgrade a Thunderbolt 3 system to Thunderbolt 2 functionality and apply the attacks known for TB2 there.

He then visualized the device controller firmware outline. In this firmware, the secure key dictionary is not encrypted and the DROM device identity is not authenticated (IIRC). It was interesting to note that UEFI lets users set the Thunderbolt security level, which can also have a devastating effect. After this, he talked about the write protection of the SPI flash, which underlies the sixth vulnerability.

Thunderspy Vulnerability 5

This is the use of unauthenticated controller configurations: there are two state machines, as both UEFI and the host controller firmware maintain the security level state. The host controller firmware overrides the UEFI state, but the firmware signature does not cover the security configuration.

Thunderspy Vulnerability 6

SPI flash interface deficiencies, in the sense that the host controller firmware maintains the security level state (as in vulnerability 5), but only the SPI flash write protection prevents users from changing the security level.

Then a demo was shown in which the Windows login screen was bypassed by switching to Security Level 0: “Thunderspy PoC demo 1: Unlocking Windows PC in 5 minutes”. Sadly, on the CCC stream, the audio got lost every time a demo was shown, so the YouTube link posted on IRC was helpful. They also built a tool, SpyCheck, which checks for the vulnerabilities. Essentially all PCs released between 2011 and 2018 are vulnerable, and all Macs running Windows or Linux (Boot Camp) too.

Finally, the speaker concluded with the next steps to make Thunderbolt devices more secure (which issues have not been addressed yet, and that mitigations have only been applied partially).
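As an added example (my own code, not from the talk or the Thunderspy project), here is the defender's side of the security levels discussed above: a POSIX shell audit that reads the security level and the DMA-protection flag Linux exposes for each Thunderbolt domain in sysfs and lists the authorized devices. The sysfs attribute names are the kernel's (`/sys/bus/thunderbolt/devices`); the function names and the constructed sample tree are mine.

```shell
#!/bin/sh
# Added example, not code from the talk or the Thunderspy project: audit the
# Thunderbolt security level as Linux exposes it in sysfs. On a real system the
# tree is /sys/bus/thunderbolt/devices; domainN/security holds one of none,
# user, secure, dponly, usbonly, and domainN/iommu_dma_protection is 1 when the
# kernel enforces IOMMU-based DMA protection for that port. The tree is a
# parameter so the audit can also run on a constructed copy.
set -eu

# Map one security level string to a verdict (echoed).
tb_level_verdict() {
    case "$1" in
        none)           echo "WEAK: SL0, every device gets PCIe tunneling" ;;
        user|secure)    echo "OK: user authorization required before PCIe" ;;
        dponly|usbonly) echo "OK: PCIe tunneling disabled" ;;
        *)              echo "UNKNOWN: level '$1'" ;;
    esac
}

# Audit every domain below $1 and list connected devices.
# Returns 0 only if no domain is at level none and all report DMA protection.
tb_audit() {
    devdir="$1"; status=0
    for dom in "$devdir"/domain*; do
        [ -f "$dom/security" ] || continue
        level=$(cat "$dom/security")
        dma=$(cat "$dom/iommu_dma_protection" 2>/dev/null || echo 0)
        echo "$(basename "$dom"): $(tb_level_verdict "$level"), iommu_dma_protection=$dma"
        [ "$level" != "none" ] && [ "$dma" = "1" ] || status=1
    done
    # Vendor, name and UUID come from the device's DROM, which the talk showed
    # is not authenticated, so this listing is informational only: it cannot
    # prove that a device is the one the user originally authorized.
    for dev in "$devdir"/*-*; do
        [ -f "$dev/authorized" ] || continue
        echo "  device $(basename "$dev"): $(cat "$dev/vendor_name") $(cat "$dev/device_name")" \
             "uuid=$(cat "$dev/unique_id") authorized=$(cat "$dev/authorized")"
    done
    return $status
}

# Constructed sysfs tree for the demo: SL0, no DMA protection, one device.
make_sample_tree() {
    mkdir -p "$1/domain0" "$1/0-1"
    echo none > "$1/domain0/security"
    echo 0 > "$1/domain0/iommu_dma_protection"
    echo "Example Vendor" > "$1/0-1/vendor_name"
    echo "Example Dock" > "$1/0-1/device_name"
    echo "00000000-0000-0000-0000-000000000000" > "$1/0-1/unique_id"
    echo 1 > "$1/0-1/authorized"
}

# On a live system: tb_audit /sys/bus/thunderbolt/devices
```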

Home automation for noobs and nerds

André Helwig talked about home automation. It was a very generic, shallow talk introducing hardware and software usable for home automation. In the following, you will find my notes:

Hardware to be automated:

  • Lights

  • Switches

  • Heating control (HomeMatic, TADO, AVM, …)

Useful software:

  • HomeAssistant (slim enough to run on a Raspberry Pi, focus on security and control over data, easy to start with, good documentation)

  • esphome.io

The talk was interrupted after 10 min for a short period of time because the bandwidth was too low.

This is Not A Game (de)

This talk by Arne Vogelgesang discusses QAnon in the gamification setting. First, the notion of LARPs, live action role-playing games, is introduced. Then it is shown in many posts how conspiracy theories related to Trump, Jews, and the Clintons emerged. Part of this story are the Clinton emails leaked by Wikileaks and Pizzagate. Then the rabbit hole/burrow theme is discussed, which was adopted from the Matrix movie. Eventually, the conspiracy theories related to announced arrests resulted in Socratic questions signed by “Q” over a long period of time. This initiated the QAnon movement. In this context, the conspiracy theories related to Adrenochrome are also mentioned, where blood is allegedly collected to achieve rejuvenation for politicians (the so-called elite). Then the speaker continued to talk about Augmented Reality Games (ARG). In this context, the game Majestic by EA Games was mentioned as an early concept of this kind. Also lonelygirl15 can be seen as an augmented reality game, since this hoax created an alternate reality.

At this point, my girlfriend dropped by, but I continued to watch it later. Update 2021-01-02:

“Perception shapes reality.” ARGs are meant to be transmedial, interactive, immersive, and collective. “This Is Not A Game” (TINAG) is the title of a book by Dave Szulborski. The Twitter account @THEWH17ERABB17 created a tweet series of questions forming an ARG. At the same time, the white rabbit was a prior neo-Nazi theme of white supremacy and was thus adopted quickly in the far-right community. Tim Murdock created “White Rabbit Radio” in 2009. In the end, he concluded that the identity behind Q is unknown.

I think the presentation was extraordinarily good. At 36C3, Arne presented “Let’s play Infokrieg”, which covers a similar topic. The content sums up developments related to Q and looks at the status quo from a humanistic approach. In the Q&A, Arne pointed out that (even if it is cumbersome) you should not cut contact with people who believe in these kinds of conspiracy theories.

Mehr als ein Tor zum Darknet: Tor-Exits an Universitäten

Christoph Döpmann and Matthias Marx explain in this German talk why universities should run Tor exit nodes and relays. First, they found that less than 1% of the exit nodes are run by universities. Christoph explained from experience that in 2 years his exit relay (TU Berlin) received 4 abuse complaints, which were resolved without hassle. Matthias explained that since 2019 his exit relay, restricted to ports 80 and 443, has rarely had any abuse notifications, but one request for investigation by the federal police. His point was that port restrictions are important, because once they enabled port 22, they had one abuse notification per day, since DoS attacks were mounted through this port. And that is it.

The speakers were talking very slowly, the content was too short (they could have given much more information about the configuration of their exit relays, etc.), and during the Q&A the audio was cut off. In the end, it was not worth my time since I learned almost nothing from this talk.

Hacking Google Maps

Simon Weckert and Moritz Ahlert are artists and look at Google Maps from an artistic point of view. The latter did a PhD on ‘Google Maps-Urbanism’. They developed an art installation which got quite some publicity. The talk started without sound, but once the pre-recorded talk introduced the artists, the sound was working again.

The presentation style was distinct from other talks. Imagine a user sitting in front of the computer: the talk is created by using the file explorer to open files, opening Google Maps, jumping around, then switching to the browser, scrolling on websites, and writing header titles into a text editor. The background music runs continuously, making it occasionally difficult to understand the narrator, but it matches the current storyline. On IRC, someone mentioned the stylistic similarity with the art installation “How Not to Be Seen: A Fucking Didactic Educational .MOV File” by Hito Steyerl, but the video is only available on YouTube behind an age verification wall. As it turns out, some IRC users hated the presentation style and left immediately, whereas others praised it. They themselves called the style a “video essay”.

It was a fluent storyline with ever-new buzzwords, but I want to write down some of the mentioned concepts in my notes:

  • “Maps have always been instruments of power. They have always been a significant instrument of government abomination”

  • keyword: Critical Cartography

  • Google Maps (since 2005), Google Street View (since 2007), Google Earth (since 2005)

  • “… interactive, scrollable, searchable and zoomable. Google’s maps service has fundamentally changed our understanding of what a map is”

  • art project “Google Maps Borders” (an IP address from a different country may yield a different Google Maps version with different country borders)

  • Simon Weckert: Data Cities Artist Talk · #DNL20

  • Mercator projection

  • keyword: Platformization

  • keyword: Dividual Map

  • “Google Maps Hacks” by Simon Weckert (‘Fake-Stau durch 27 Handys’: a fake traffic jam caused by 27 phones)

  • GPS spoofing

  • “Pokemon Go turns the public space into an arena”

In the end, I liked their art installations, but the talk itself was not very informative.

Open-Source-Initiativen der deutschen und europäischen Regierungen

Thomas Fricke explained in German which Open Source initiatives have been taking place in governmental settings. In 2001–2003, SuSE was presented in the German Bundestag. Eventually, the project was stopped in 2003 by the intervention of a lobbyist (this is revealed in this talk for the first time). Then economic properties were discussed. Capital accumulation and politics of interest are the keywords discussed (privatizing profits and socializing losses, and interest is economically framed). Then Thomas discusses which open source projects have been (successfully or unsuccessfully) acquired by businesses, and that open source projects are necessarily quantified by other businesses. Then the political context is discussed, raising the question: is investment good or bad? For example, Curevac was on the brink of bankruptcy and got a huge investment by the government. Investments in road construction are given as a bad example.

Thomas shows the Linux Foundation survey, which concluded that 35% of developers are EU-based (12% from Germany) and that 80–95% of products in use are Open Source. Rafael de Laguna de la Vera is mentioned as a pacifist at heart; in 2018 he became CEO of Open-Xchange (a web-based office suite) and in 2019 he became the first director of the “Agentur für Sprunginnovation” (agency for disruption) promoting Open Source. It was unusual to see a [CDU] politician promoting Open Source. However, Thomas points out that economic interests were framed as values. Günther Oettinger as EU commissioner is mentioned as well. Artificial Intelligence and Big Data are sectors which currently receive a lot of political attention. This often leads to bad developments related to questions like who owns the code and the data. Here copyright, remixing, patents, and Creative Commons come into play (e.g. Kraftwerk vs Moses Pelham, Mickey Mouse laws). When people start talking about the costs of Open Source solutions, you need to balance them against the costs of proprietary solutions. Peter Ganten is mentioned, who provides a definition of digital sovereignty.

Then the project GAIA-X is discussed, initiated by German minister Altmaier. Recently it was published that Palantir joined. Marco-Alexander Breit pointed out that it is only “a so-called Gaia-X Day 1 membership”. But what is GAIA-X? It is advertised as a Sovereignty Stack, which basically seems to be a huge Kubernetes cluster managed in several security zones. So essentially, GAIA-X uses Open Source in central components but is opaque at the same time, and it can be expected that little money goes back to the FLOSS projects themselves. The issue with Palantir (this was added in the Q&A) is that if Palantir Technologies has influence on the design of GAIA-X, it will likely not lead to the desired digital sovereignty: GAIA-X could be closed immediately and data could be put into the American cloud right away.

Other smaller projects include the Corona Warn App, the governmental code repo (basically a git hoster) and the “Zentrum für Digitale Souveränität”, which also revolve around Open Source. In some way, it is also acknowledged that the Intel architecture has issues, and RISC-V is presented as an alternative.

Thomas concludes that Open Source is big business. In the Q&A, it was pointed out that digital sovereignty is a term used by right-wing communities in the US and needs to be defined properly to put it in the proper context. In total, I think Thomas has an in-depth view of this field and gave a wonderful talk for the German-specific setting.

DevOps Disasters 3.11

In this German talk, Stefan Walluhn revisits DevOps disasters.

Docker vs. Cron

Periodic tasks in Docker: async worker frameworks such as sidekiq, celery beat, … Issue: Docker logs stdout, but crond logs by sending mail. “Logging is a solved problem”: use the logging library of your programming language (with log levels and log outputs). Via IRC: how to redirect cron job output to stdout, and supercronic to dump to Sentry.

Config Handling

Docker uses environment variables (→ but these offer no booleans and no complex data types); never put config into the database (as Mattermost, Sensu Go, and InfluxDB2 do ⇒ fail!); config is not code!

High Availability

A distributed state machine across servers and clients, as introduced by Apache ZooKeeper ⇒ fail.

Packaging & Installer

Ansible drops PyPI and introduces “collections”; Poetry offers “poetry export” to export a requirements.txt for pip; Anaconda modifies $PATH; MinIO does not flag security-relevant releases; “packaging & installers are a solved problem – don’t reinvent the wheel!”

Docker

“Containers are a standardized unit of software that allows developers to isolate their app from its environment.” Recognize that it is not only the app that is running but also the runtime; monitor for security releases of the Docker base images (!); you are responsible for the security updates of your runtime and thus need to rebuild your Docker base images every 2 days. The Ubuntu 18.04 base image has 58 vulnerabilities, the Debian 10 base image has 81, the CentOS 8 base image has 133; Alpine base images publish data only for already-fixed vulnerabilities. Base image security is a big issue.

Docker node:stretch

“FROM buildpack-deps:stretch”: node and npm are curled pre-compiled; yarn is curled as pre-packaged JavaScript and is thus impossible to check for security issues; … the build is thus opaque.

docker-compose

Sentry as an example: tianon/exim4 + memcached:1.5-alpine + confluentic/cp-zookeeper:5.5.0 + yankex/clickhouse-server:20.3.9.70 + …, with the open question whether these services, running with root access, are trustworthy.

docker

Issues like the php base image applying “chmod 777 /var/www/html”; “In 2020, I had no Docker setup which didn’t suck upon first look”; issues are the rule, not the exception; look into Dockerfiles, build your containers yourself, use only minimal and trustworthy containers, use packages from the package manager of the OS.

  • TIL: Nepal uses UTC+05:45

  • Detecting the use of "curl | bash" server side

  • oasis is a small Linux system, completely statically linked, with 100% reproducible builds, minimal bootstrap dependencies, BearSSL as the system TLS and crypto library, and no package manager
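Added example, not code from the talk: a POSIX shell lint for the Dockerfile anti-patterns collected in the “docker” notes above (the php image's chmod 777, a “curl | bash” install, no USER instruction so the app runs as root), plus one check that goes beyond the notes, an unpinned or :latest base image. The regexes, the function names and both sample Dockerfiles are my own construction; the hardened variant shows the intended shape.

```shell
#!/bin/sh
# Added example, not code from the talk: a small Dockerfile lint for the
# anti-patterns named in the notes (world-writable chmod on the served
# directory, piping a downloaded script into a shell, no USER instruction)
# and for an unpinned or :latest base image. Both Dockerfiles below are
# constructed for the demo.
set -eu

# Emit one finding for every line of $joined matching the ERE $2, tagged $1.
check() {
    hits=$(printf '%s\n' "$joined" | grep -E "$2" || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed "s/^/$1: /"
        found=1
    fi
}

# Lint the Dockerfile at $1; print findings and return 1 if there are any.
lint_dockerfile() {
    found=0
    # Join backslash-continued lines so a multi-line RUN is checked as one.
    joined=$(sed -e ':a' -e '/\\$/N; s/\\\n//; ta' "$1")
    check "world-writable chmod" '^RUN .*chmod[[:space:]]+(-R[[:space:]]+)?[0-7]?777'
    check "piped remote script"  '^RUN .*(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(ba)?sh'
    check "unpinned base image"  '^FROM[[:space:]]+([^:@[:space:]]+|[^@[:space:]]+:latest)([[:space:]]|$)'
    if ! printf '%s\n' "$joined" | grep -qE '^USER[[:space:]]'; then
        echo "runs as root: no USER instruction"
        found=1
    fi
    return $found
}

# Constructed samples: the patterns from the talk next to a hardened variant.
write_samples() {
    cat > "$1/Dockerfile.bad" <<'EOF'
FROM php:latest
RUN curl -sSL https://example.invalid/install.sh | bash
RUN mkdir -p /var/www/html \
    && chmod -R 777 /var/www/html
COPY . /var/www/html
EOF
    cat > "$1/Dockerfile.good" <<'EOF'
FROM php:8.2-apache
COPY --chown=www-data:www-data . /var/www/html
RUN chmod -R u=rwX,go=rX /var/www/html
USER www-data
EOF
}
```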

Security scanner:

I learned some data about Docker base image security, which was nice to get a sense of the actual threat.

Conclusion

My recommendations for today are: