#rC3 talk notes continued

✍️ Written on 2021-03-21 in 3199 words.
Part of cs IT-security


I continued watching rC3 talks and wanted to share my notes here.


The Elephant in the background: Empowering users against browser fingerprinting

Julian Fietkau delivered a wonderful talk on their research which started one year ago. They want to evaluate the spread of fingerprinting technology on websites. The first step was evaluating the functionalities used for fingerprinting. They take a quantative approach, where they observe which kind of functionalities are requested in-order. If many features are requested one after another, it is considered as fingerprinting technology.

Their result is that they identified 115 Javascript functions and classified them into 40 fingerprinting features. They implemented the quantitative fingerprinting model in a Google Chrome browser extension called “FPMON”. Then they looked at the data fetched from websites. For example, wikileaks.org uses 0 features but metacafe.com uses 95 of 115 JS functions, 38 of 40 features, and 17 of 18 aggressive features have been used. A 50% score was identified as an estimated baseline. They continued to evaluate the alexa.com 10,000 most popular websites (by visiting the landing page for 60sec). 500 pages don’t use any features and 38 of 40 features have been the maximum attained by {breitbart.com, foursquare.com, and politifact.com}. 57% of pages use 11 plus/minus 4 features. Part of their research was to identify the major networks used. Here, Moatads is pointed out as particularly aggressive.

They conclude that in 7 years, the growth of font fingerprinting has grown by a factor of 10. The tools EFF Privacy Badger, DuckDuckGo PE, Firefox Strict, and Apple Safari were looked at as well. The first three simply use blacklisting strategies to block fingerprinting networks. However, this might break some website functionality. In contrast, Safari uses a different approach with unification and herd immunity. They unified the values of those features and thus users cannot be easily distinguished. The Safari was presented as much more effective than the others.

I expected this talk to be a boring talk about fingerprinting theory. But it was well-delivered, the browser extension is very useful for research and the research output is very interesting to me.

Kein Filter für Rechts

keinfilterfuerrechts.de is a journalist project by collectiv to evaluate the network of right-wing users on social platforms. Specifically, instagram was analyzed such that users and posts are taken into account, but user stories are only stored for 24h and thus have not been accessible to the journalists. First of all, they evaluated four dimensions that contributed data points per user:

  1. metadata & profile information

  2. connection data

  3. text data

  4. qualitative observations

Then they tried to find a proper sampling method for their purpose (because just following all followers of some person would yield unmanagable exponential growth quickly). They used a variant of exponential discriminative snowball sampling. They created a fake account which followed other right-wing accounts to build up a network. 86 non-right-wing complementary accounts were followed too. 281 origin accounts established the network analyzed:

  1. This network follows >58,000 accounts (“origin set”). Thus a methodology to reduce this number must be defined.

  2. Follower remains in list only if the account follows at least 3 accounts in the origin set ⇒ 4532 accounts

  3. Then an additional point-based system with web science criteria filters >58,000 into 10,805 accounts

  4. Then manual categorization of accounts into topic clusters have been performed

  5. And private accounts are filtered, because their content is inaccessible

  6. finally 4,501 accounts are left (with 331,956 connections and 838,505 posts)

Then, they analyzed the distribution of topics and generated nice colorful images of the network.

Furthermore they wanted to visualize the network by defining accounts as vertices and edges as interactions. The edge weights are defined by {mutually following, following the same accounts, mutually used hashtags, tagging in images, comments in posts of other accounts}. Two web science features, they looked at, are:

  1. Eigenvector centrality (measure for social relevance of a vertex) is high for AFD accounts and representatives.

  2. Betweeness centrality (measure for connection relevance of a vertex) is high for meme accounts and right-wing singers.

gephi was used for data analysis. In general, the images of the journalistic work summarize the goal of this work. It allows you to get a rough idea how the right-wing network works and which topics relate to each other in which way.

How to digitale Barrierefreiheit

Carola and Robert Köpferl discuss accessibility in German in Germany and in documents.

  • 12.77 mio. people have any disabilities

  • 7.5 mio. people have severe disabilities

  • about 18 mio. people are over the age of 65

First, Carola defines digital participation:

  • fair, safe, secure access to digital infrastructure, and

  • access to technology like computer/smartphone

  • cheap or free internet access

  • use of technologies

  • across all groups of the population

  • comprehensible due to user-specific offers

There are many norms including EN 301 549, DIN EN ISO 9241 and Web Accessibility guidelines 2016/2012. In the end, it would be a good approach to once use a device like a screenreader. A Braille keyboard is of interest as well as the Jabbla Zingui plus as a speech generating device.

Then they provide a table:

disability devices


screenreaderm, tab order

deaf & blind

refreshable braille display, tab order


audio transcription to sign language

visual impairment

higher contrast, magnification, cursor aids

red/green blindness

avoid red & green combination

light sensitivity

dark mode


sensor input, joystick

Screen readers are very popular. As a result, tab orders and proper declaration of the navigation menu is required. One important aspect is also that in talks the content of a slide is also recognizable without video channel. One example is that the main parts of a figure need to be explained orally in order to support people with visual impairments. Norm “Barrierefreie Informationstechnik-Verordnung 2.0” lists the following desirable aspects:

  • searchable texts

  • easy navigability

  • keyboard accessibility

  • well-defined reading order

  • textual/alternative description of an image

  • automatic recognition of the document language

  • adjustment of fonts

  • adjustment of colors (foreground and background)

PDF has a separate PDF standard PDF/UA (ISO 14289-1) which covers:

  • navigability of document

  • logical reading order, semantic elements must occur in structure tree

  • alternative texts for images

See also WAI standard by W3C:

In order to implement the guidelines, a persona concept of design thinking, interviews, and reflection on your own assumptions is useful. Robert points out the significance of the accessibility tree. The accessibility tree of GUI toolkits allows navigation for many people. The continues to discuss HTML as exemplary topic. The ARIA standard still exists, but lost significance in HTML5, because many aspects got integrated into the new HTML5 elements. Input validation should done as early as possible and illustration by red color might now suffice for blind people. Also <label> is important for input field.

Some (sadly many German) links are provided:

In conclusion, a quite good talk about accessibility, but rather introductory.

Alexa, who else is listening?

sveckert is a journalist talking about Amazon’s Alexa. She installed the device for half a year until April 2020. Then she asked Amazon for the data (as part of the GDPR). She described access/download as smooth and easy. She showed several samples which random situations were recorded which happened due to accidental triggers (i.e. not just “Alexa”). Then she included the research of a German research team in her talk.

Lea Schönherr, Maximilian Golla, Thorsten Eisenhofer, Jan Wiele, Dorothea Kolossa, Thorsten Holz: “Unacceptable, where is my privacy? Exploring Accidental Triggers of Smart Speakers.” CoRR abs/2008.00508 (2020).

The research team faked some living room and put some Alexa device inside. Then they played famous TV series like “Game of Thrones” the entire day. Followingly they downloaded (due to GDPR it is possible to fetch all data easily) all recordings and looked into the accidential triggers. As pointed out on their research webpage, Alexa reacts to the words “unacceptable” and “election”, while Google often triggers to "OK, cool”. Siri can be fooled by "a city", Cortana by “Montana”, Computer by “Peter”, Amazon by "and the zone" and Echo by "tobacco".

Some interesting implementation detail: The LED indicator shows when Alexa is uploading data, but without user’s knowledge Alexa also submits metadata. For example, Alexa has a fingerprint database such that Alexa is not triggered by an Alexa commercial on TV. The database is updated once a week and uploads information how many times a fingerprint matched. So in theory, Amazon could collect information how often you have watched a certain commercial.

In conclusion, Alexa is presented as a surveillance tool recording your daily life with justified arguments. It has some fundamental privacy issues which it shares with other speech assistants.

Datenkanal: IT bei der Polizei

At Datenkanal, this German podcast with moderator Jens Kubieziel discusses the IT at the German police.

“Good police work requires good IT” is a statement published by Polizei Thüringen on Twitter and Andreas Ufert replied. Then Jens contacted Andreas and asked him about the German police in the Datenkanal podcast. Andreas worked at the Thüringer LKA between 2002 and 2013. He maintained the systems and Oracle databases to run the INPOL-neu and INPOL-Land information systems. Thus, the system handled the entire information infrastructure of Thüringen. Essentially, these systems store all data about people and their crimes. As a result, you can make queries like asking for warrants of a person.

This podcast lasts for 2 hours 15 minutes and goes into depth of the technologies involved. He explains the system architecture, formal procedures and the work environment. I don’t think it is particular interesting for people outside the law enforcement field or that particular area of Germany.

„Elektromobilität“ und warum sie so, wie sie derzeit vorgeschlagen wird, nicht funktionieren kann

André Igler, Philipp Schaumann, and telegnom looked into the topic of electric mobility. André started with a few facts, I want to translate/recite his first slide:

  • global warming is the major problem (not Covid19)

  • EU tightens policies

  • EU budgets 35・109 € on electric mobility

  • Individual mobility is important (public transport does not suffice on the countryside)

  • No nationwide autonomous driving within next 10 years

Then André talks about the cars. An electric car is a different product. It contains more software and can be updated. At the same time, more electronics also means there are more security incidents. For example, Jeep Cherokee was taken over in 2015 via a GSM module.

telegnom then covers the current situation in Germany. There are 47.7 mio. cars and in average, cars cover 13 602 km per year. Now, telegnom estimates that 130 TWh per year are required (assuming 20 kWh per 100 km) to run all cars in an electric manner. With respect to charging, the assumption is that charging can be done at night and your personal charging wire can be connected by an electrician in your home. However, it becomes increasingly more difficult if there are more parties in one large house.

Philipp Schaumann (CCC Wien) talks about opinions which he considers incomplete/impractical. Philipp argues in favor of multi-modality, because issues with mobility won’t be solved by the electric car.

In conclusion, the talk summed up some generic arguments pro/contra electric mobility. In the end, they pointed out that their main message was “there is no single solution for the mobility problem in opposition what some politicians claim”. They somehow succeeded, but the arguments were very rough. They did not follow a scientific approach and just collected some arguments which can be found at your next regular’s table. I think it is worth watching, if you are not into the topic, but neglectible if you follow the debate in recent years more carefully.

Nazis in Games: Depiction, Normalization, Consequences

In this English talk, “Manuel (EEL) Manhard” explains how games are used to push fascist ideology. Essentially, including Nazism content must be done very careful for moral & ethical reasons. In particular, Shoah is difficult to integrate into game play. Awareness itself is not enough. He explains the concept in general first: more people, who play Assassin’s Creed, believed the Boston Tea Party was a violent event (which it wasn’t). As such, the game defines the perception of historical facts.

In general, he discussed the following games:

  • Wolfenstein: A WWII video game series. Those developed by MachineGames are set in an alternate history in which Axis powers won World War II.

  • Attentat 1942: a Czech point-and-click adventure game

  • Through the Darkest of Times: Advertised as “historical resistance strategy game”. You are the leader of a small resistance group in 1933’s Berlin trying to spread awareness undercover about Nazi acitivities.

  • Caves of Qud: A roguelike role-playing video game in an open world inspired by D&D.

  • Shadowrun: Dragonfall: turn-based tactical role-playing video game.

Then, he shifted the discussion towards community topics:

  • Where does Nazi content occur?

  • What is the effect of just removing symbols of Nazi ideology?

  • What is the definition of nazism/facism? Appearance is often subtle. Neo-nazis don’t look like nazis during WWII.

  • the question of granularity: how much Nazi content do you allow? If you allow any kind of customization and have a few more users than one hundred, you will probably find Nazi content.

In the end, you can find profiles in Nazi style on Steam. Also, you can find Nazi symbols whenever people can customize cars or flowers on a field.

Manuel gives the general advice to game developers that one can prevent glorification of Nazi Germany. For example, one can remove potential trophies for Nazis. One can build a storyline around WWII shooters, but remove achievements that might be abused for glorification. One interesting and specific ruleset in the one by CoQ on Discord:

A note on the Putus Templar: of the various antagonistic factions that populate Qud, the Templar are particularly relevant in the present day. Their goals are eugenics and genocide, and their means are extermination and subjugation. We do not wish to quell discussion or speculation on them, but be conscious that discussion can easily veer into the code of conduct breaches described above. Facetious support of the Templar’s fascist and genocidal behavior is prohibited. At best, it reads as callousness to the reality of these things. At worst, it reads as actual support. Be sensitive when your audience includes many of those who have suffered from the historical or present consequences of genocide or eugenics. Jokes have consequences.

— from Caves of Qud Discord server #code-of-conduct

In the end, one needs to take care of community management:

  • build an inclusive community

  • remember the paradoxon of tolerance

  • start early

A quite good talk. I didn’t like the fact that the questions “in which ways does Nazi content occur in games?” and “what is Nazi content” is kept under such vague terms. I would love to see a more rigorous approach. In the end, I think the talk addresses people in the gaming community (developers and players) who need to deal with community content and can/should reflect about the story line.


  • I recommend “The Elephant in the background: Empowering users against browser fingerprinting” as a technical talk with elements which affect every webbrowser user.

  • “Kein Filter für Rechts” shows neat images, but the webscience part might not be for everyone.

  • “How to digitale Barrierefreiheit” sheds some light on accessibility requirements, but rather introductory content in this field was presented.

  • I do not recommend the last three talks as they are too biased towards an opinion or too specific.