More #rC3 talk notes

Written on 2021-01-18 in 1840 words ✍️.
Part of cs IT-security

Motivation

I continued watching rC3 talks and wanted to share my notes here.

Talks

CIA vs. Wikileaks

Andy Müller-Maguhn starts with a disclaimer. This is a talk about how the CIA targeted WikiLeaks collaborators and shows some evidence of how Andy himself was surveilled. The talk is necessarily biased, and he tries to stay as objective as possible.

First, Andy reviews the CCC’s involvement with WikiLeaks (the Wau Holland Foundation collects donations) and the ideology regarding freedom of information that CCC members share. Andy himself visited Julian Assange in the embassy several times. Then he explains the position towards WikiLeaks that Mike Pompeo publicly voiced (Mike Pompeo was CIA director at the time): “WikiLeaks walks like a hostile intelligence service and talks like a hostile intelligence service” and “It is time to call out WikiLeaks for what it really is – a non-state hostile intelligence service”.

  • He started to observe IT incidents in his daily life. For example, LTE-to-3G downgrade attacks followed by attacks at the IP level, attacks on the GPG/PGP keys of communication partners, certificate errors when enabling a VPN, …

  • From at least 2017-06 on, the questions and treatment at the UK border changed. They asked simple questions again and again. The suspicion is that they were only waiting for a surveillance team to be ready (a delay tactic). Unlike German surveillance teams (which he was familiar with), the UK team did not care if he took photos of them, and they even drove against the direction of a one-way street, which Andy started to consider an intimidation tactic rather than surveillance. He also mentions “homeless looking people on the street with cheap plastic bags hiding digital cameras with zoom”. He considers this pure overt intimidation creating a “state of distress”.

  • Incident 2018-03-23: found a physical bug in his cryptophone (a modified Snom 870): a modified keyboard PCB with an integrated module (FPGA-based design, hardware crypto, 16 GB, flash ROM, 800 MHz antenna). The surveillance time frame is unclear (some time after 2013-04).

  • Incident 2020-11-03: tampering with his apartment door while he was away for about 30 minutes. The key no longer fit into the cylinder; an object had been inserted. Questions raised:

    • Was the cylinder maybe opened in a destructive way and replaced?

    • Was it a trap to make him replace the tampered cylinder with one easier to open?

    • How much of my time did the incident eat up, preventing me from noticing other potential events in that time frame?

  • Incident 2011-02 (shipped) to 2011-04 (arrived): a legal document shipped from Berlin to Madrid by DHL in the context of the case against UC Global (suspected of having worked for the CIA). The document, sealed by German customs (at the outer layer), arrived completely opened. Under German law, this is a breach of attorney-client privilege (German: “Anwaltsgeheimnis”).

    • Were German customs involved, or was just their tape opened?

    • Why did the email with my report to my lawyer get deleted and end up in my lawyer’s trash?

    • Why does DHL refuse to name entity and legal grounds?

    • Is it, potentially, again just about stealing Andy’s time and attention?

When reflecting on these events, he started to attribute even a missing sock to Pompeo. He concluded that he had become hypersensitive and that the ongoing situational awareness is stressful. The situation also seems to be infectious, as his friends have started to become more sensitive as well. He wonders what options there are for the future and weighs in on an audience member’s suggestion to become a farmer or maintain a vineyard.

How to fuzz an FPGA

Pepijn de Vos had the opportunity to work as an intern at Symbiotic EDA. First, he explains generically how a hardware specification ends up on an FPGA. With Verilog, SystemVerilog, or VHDL as the frontend, a tool like Yosys, ODIN-II, or Quartus performs synthesis. You end up with a JSON, EDIF, or (E)BLIF file. The next step is placement and routing, followed by generating the FPGA bitstream. Either you use Vivado, ISE, or Quartus to generate the bitstream, or your tooling splits these steps up: first run the “Verilog to Routing” flow or “nextpnr” to get fasm or fazm files, then an open or closed FPGA assembler generates the bitstream.

To get started with an FPGA, the following recommendations are given:

  1. Read the manual thoroughly

  2. Synthesize some designs

  3. Study all options and outputs/reports

  4. Goal: automate low-level bitstream generation and information extraction

The fuzzing strategy he developed is to …

  1. Generate bitstream

  2. Modify code minimally

  3. Generate bitstream

  4. Compare

  5. Repeat
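The compare step is where the information comes from: with exactly one minimal design change per run, every bit that differs between the two bitstreams is a candidate for the configuration bit that the change controls, while bits that differ across several unrelated changes cannot be attributed to any one of them. Below is an added example of that differential comparison, written for these notes and not code from the talk or from Symbiotic EDA’s tooling. The bitstreams are constructed byte strings standing in for real toolchain output, and the variant names (`lut0_init_bit3` and so on) are assumptions for illustration.

```python
"""Differential bitstream comparison: the "compare" step of the loop
generate -> modify minimally -> generate -> compare -> repeat.

Added example, not code from the talk or from any FPGA toolchain.
The bitstreams are constructed stand-ins for real toolchain output.
"""
from __future__ import annotations

from collections import defaultdict


def bit_diff(base: bytes, other: bytes) -> set[int]:
    """Return the global bit indices (MSB-first within each byte) at which
    the two bitstreams differ.

    A length mismatch is an error rather than a diff: if a one-line design
    change grew or shrank the bitstream, the change was not minimal (or the
    format has variable-length sections) and a positional XOR would
    misattribute every bit after the first shift.
    """
    if len(base) != len(other):
        raise ValueError(f"length mismatch: {len(base)} vs {len(other)} bytes")
    flipped: set[int] = set()
    for offset, (x, y) in enumerate(zip(base, other)):
        xor = x ^ y
        for bit in range(8):
            if xor & (0x80 >> bit):
                flipped.add(offset * 8 + bit)
    return flipped


def attribute_bits(baseline: bytes, variants: dict[str, bytes]) -> dict[str, set[int]]:
    """Map each single-change variant to the bits that only it flips.

    A bit that flips in more than one variant is filed under "ambiguous":
    two unrelated minimal changes cannot both own it, so it needs another
    round of fuzzing with a different pair of designs.
    """
    per_variant = {name: bit_diff(baseline, bs) for name, bs in variants.items()}
    owners: dict[int, list[str]] = defaultdict(list)
    for name, bits in per_variant.items():
        for b in bits:
            owners[b].append(name)
    result: dict[str, set[int]] = {name: set() for name in variants}
    result["ambiguous"] = set()
    for b, names in owners.items():
        if len(names) == 1:
            result[names[0]].add(b)
        else:
            result["ambiguous"].add(b)
    return result


def describe(bit: int) -> str:
    """Human-readable location of a global bit index."""
    return f"byte {bit // 8} bit {bit % 8}"


# Constructed sample data (not real bitstreams): a baseline plus three
# variants, each supposedly produced from a one-line change to the design.
BASELINE = bytes.fromhex("00 00 ff 0f")
VARIANTS = {
    "lut0_init_bit3": bytes.fromhex("08 00 ff 0f"),  # flips one bit in byte 0
    "lut1_init_bit0": bytes.fromhex("00 01 ff 0f"),  # flips one bit in byte 1
    "route_a_to_b":   bytes.fromhex("00 01 fd 0f"),  # flips byte 1 (shared!) and byte 2
}

if __name__ == "__main__":
    for name, bits in attribute_bits(BASELINE, VARIANTS).items():
        locations = ", ".join(describe(b) for b in sorted(bits)) or "(none)"
        print(f"{name:16s} -> {locations}")
```

On real output, replace the constructed bytes with the files from two toolchain runs. The interesting line in the report is “ambiguous”: in the sample data, the routing change and the LUT change both touch the same bit, so neither run alone tells you what that bit means, which is exactly the manual-intervention case the talk describes for routing.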

He continues to explain a “Binary trick” and a “Balanced constant-weight code”, which I don’t get (the latter only considers bitstrings with constant Hamming weight, the former I don’t know), but they seem to be heuristic approaches to reduce the number of possible bits to flip. He then points out that fuzzing LUT bits is trivial, whereas routing was his major goal and a challenge (manual intervention required). IO buffers, on the other hand, are useless (they are very complex). He proceeds to explain the clock tree, which is also part of each [good] design, and then shows the final tile format: 4 LUT rows at the bottom and about 80% MUXes above (80%? that is really a lot).

Berg-Karabakh zwischen Krieg und Frieden

Larissa Willamowski discusses the ongoing conflict between Armenia and Azerbaijan. Nagorno-Karabakh is a South Caucasus region that was not widely known as a conflict region in previous years, but this changed in 2020-09. According to Larissa, it is a territorial conflict with an ethnic dimension. The region is recognized as part of Azerbaijan under international law.

  • 1991–1993 First war

  • Larissa points out that Armenia and Azerbaijan are politically vastly different.

  • e.g. Press Freedom Index (via Reporters Without Borders): Armenia 60th place, Azerbaijan 168th place

  • Russia was the primary mediator in the first war, has two military bases in Armenia, and supplies weaponry to both nations

  • Since 2016, Turkey has played a role in the conflict; Turkey supports Azerbaijan militarily

  • Europe uses Azerbaijan’s gas pipeline

  • Both countries rank among the highest in military expenditure

  • Russia placed troops in the Lachin corridor, which is also used for the exchange of prisoners of war.

In conclusion, this talk was a good overview of the conflict. However, the speaker sometimes built long, complex sentences, and the loud breathing noises made it more difficult to follow.

Drogenhandel 3.0

Anika talks (in German) about drug trading in its third version. She investigated in Berlin (Germany). What does the versioning scheme mean? Anika considers 1.0 to be trading on the street. Version 2.0 was trading via the darknet with anonymous payments in Bitcoin. Finally, version 3.0 refers to the use of messenger services. She starts by discussing the (dis)advantages of each distribution form:

1.0

you know your dealer; little or no scamming (compare exit scams); no currency fluctuation; no usability issues with the currency; no risks from postal delivery; the dealer does not have to write down your contact details; little or no waiting time for delivery; but more intermediaries mean lower drug quality

2.0

simple interface similar to Amazon; an arbitrary number of dealers; payment only via digital currencies; better quality of drugs; better prices; anonymous; ratings of payer and payee; distribution via post is actually very reliable

Drugs are actually only a small fraction of the overall dark web, but account for the largest trading volume. Anika proceeds to explain cocaine taxis (cocaine because it had the highest profit margin). These taxis could be ordered 24/7 and were advertised via business cards spread around in clubs. The customer enters the taxi, the deal happens, and the customer leaves again. The organization resembled an actual company, with drivers working in shifts. This was mainly in the context of organized Arab clans.

Anika illustrates with screenshots how deals actually work on messaging platforms. Here, Telegram is the most important one. Usability is high, a phone is almost always at hand, and E2E encryption is theoretically possible. Telegram offers two forms of distribution (groups and channels), which gives a broad overview of many dealers. Delivery happens by car (similar to the cocaine taxis), but it is typically organized by smaller operators and is usually faster than pizza delivery. Payment is made locally and in cash. On this platform, customers can also ask for offers. Disadvantages include minimum order prices (typically 50€), higher prices (cannabis typically costs 10€ per gram, but that does not hold for other substances), scammers (who deliver white powder rather than drugs), contact between payer and payee (you even enter the car), incomplete anonymity, groups and dealers that vanish or change quickly, and the fact that anyone can “become” a dealer.

On Instagram, the structure looks a bit different. Dealers contact customers and organize themselves through hashtags. There is a particular focus on a younger audience.

What about consequences? Instagram and Facebook do not act. Telegram actively positions itself against censorship and control (and has thus become a new home for right-wing extremists, drug dealers, and conspiracy theorists). Why doesn’t the police simply place orders and catch the drivers of the delivery services? Because the police focuses on finding the people in management, not small fish like local distributors. The most popular substances are cannabis, followed by cocaine and party drugs. She concludes:

  • consumers have easy access to a broad range of substances

  • young consumers get easy access

  • classical marketing techniques applied

  • fast access 24/7

  • minimum prices

  • contact with other illegal products

  • career as dealer looks easy and lucrative

Conclusion

“CIA vs. Wikileaks” got quite some media attention. I don’t want to push it further and recommend it only if you have never asked yourself which psychological effects surveillance can have on a person. But I do recommend “Drogenhandel 3.0”; it opened my eyes to a world I wasn’t aware of. I was aware of offers on the dark web, but the societal effects of encrypted chats were interesting for me to see.