Happy 2011!

From Berlin, Germany, a loud HAPPY NEW YEAR!

I wish a great 2011 to everyone, full of laughter, smiles and success!

Posted by Luca Longinotti on 31 Dec 2010 at 18:00
Categories: Longi

27C3: Day 4

Last day of 27C3 (but not last day in Berlin!), the weather is the usual: foggy and damn cold.
I thought to visit the Fernsehturm tomorrow, but that doesn't make much sense if the fog covers the city and you don't even see a mile in the distance...
I managed to get a 27C3 T-shirt, but no jacket, as those were all sold out right away, at least in my size, like no one could predict that people would buy jackets when it's -10 °C outside, and that IT guys mostly aren't an S or an M size. :(
Arrived at about 12:20 at the BCC, managed to get the same places as yesterday, and it seems to me that today there are fewer people around.

  • 12:45 "Cybernetics for the Masses", I didn't really know what to expect here, and it totally blew me away: that woman is a mix of awesomeness and total craziness (though she calls it curiosity, and I can kinda understand that :D). She presented a few projects she did on herself, concerning body modification through sub-dermal implants, though she kinda seems to disregard her own health doing them. Not something for me.
  • 13:45 "Hackers and Computer Science", I kinda started watching this as a filler, waiting for "Data Analysis in Terabit Ethernet Traffic" to start, but then this turned out to be an amazing talk about how Hacking is (or should be) considered its own discipline, and how it deeply connects to academic research and topics, and how the interaction between the two should be increased. In the end "Data Analysis in Terabit Ethernet Traffic" wasn't even transmitted over stream, so I didn't see it at all.
  • 16:00 "How the Internet sees you" promised to be a good talk, but I was disappointed, I mean, I already know that my ISP can look at my packets and can thus tell basic stuff like source IP, destination IP, size, etc. and that he can see the DNS queries I make (as he owns the DNS server usually), and so on...
    I hoped to see some special tools in action that actually give you precise user tracking, and maybe some real world cases from ISPs having to tap someone for law-enforcement, but this wasn't the case, there were just a few graphs about how the traffic was distributed at the Congress, and that was it. So I switched to "International Cyber Jurisdiction", which raised very interesting points about how jurisdiction matters in the Internet-Age and how it gets a lot more complicated.
  • 17:15 will bring "Security Nightmares", which usually is a very good talk about security problems, both in retrospective and in the future.

We'll go grab a bite at Las Malvinas, it's a steak-house near the hotel, and it looks like they have some really great meat. I'll probably not blog anything until after I return to Switzerland, because WLAN at the hotel is very expensive. By the way, it's offered by our very own Swisscom! Yeah, Swisscom does hotel WLAN in other countries, surprising!

Posted by Luca Longinotti on 30 Dec 2010 at 16:50
Categories: Longi, CCC

27C3: Day 3

Today we slept in even longer and arrived at the Congress past 12:30...
Found a nice place upstairs, facing Alexa. Ate lots of awesome Belgian butter waffles!

  • 14:00 "Cognitive Psychology for Hackers", awesome talk on psychological "hacks" on humans, biases and so on that influence our decision making, very well done, great examples, I'll probably buy the book he cited at the end, as I'm very interested in this too, and he even mentioned "Harry Potter and the Methods of Rationality", a fan-fiction I've been following, as being very much spot-on in its explanation of rational thinking.
  • 16:00 "Console Hacking 2010" was gearing up to be great, presenting results on hacking the PS3 now that you can't run Linux on it anymore by default, but I had massive problems with the stream, it continued to die on me (I'll have to download it later!), so I started playing with the LigHTTPD installation that powers this blog, setting up SSL (so now you can also use https:// to access it) correctly, with a real certificate (at least on Firefox), thanks to StartSSL, great service there. I also fixed redirection from other subdomains/domains, so now www.longitekk.com or test.longitekk.com automatically redirect you to the blog.
    I also now serve my Trac installation over HTTPS on dev.longitekk.com, thanks to mod_proxy.

Between exploring Lighty's configuration syntax, eating a very good curry&rice from the BCC's catering and getting more waffles from Alexa, I missed a few talks in the evening.

  • 21:45 "Zero-sized heap allocations vulnerability analysis" gave an interesting introduction to a problem not every programmer is aware of, and then went off into verification land, so I switched to "Fnord-Jahresrückblick 2010", which was hilarious, as usual.
  • Around 23:15 "Hacker Jeopardy" started, which is disputing its final round as I'm writing this, it's a cool game to play with your colleagues, some incredibly tricky and funny questions in there.

Posted by Luca Longinotti on 30 Dec 2010 at 01:25
Categories: Website, Longi, CCC

27C3: Day 2

Day 2 of Congress started late, sleeping is important!
At around 11:00 we were there again, and again upstairs, which I personally prefer: it's much more open, there's a better view of outside (I know it's strange, but I kinda like those things called windows :D ) and better lighting. Network seems to work better than yesterday, LAN works fine, WLAN on the phone too, and the streams are mostly stable.

  • 12:30, I started by following the "Lying To The Neighbors" talk about tracker-less BitTorrent, but, while it was interesting and well done, I don't use tracker-less BitTorrent, and it couldn't hold my attention, so I switched over to the "Reverse Engineering the MOS 6502 CPU" talk, which I found more enjoyable.
  • 14:00, "I Control Your Code" was a very well done overview of the main flaws in programs that allow for compromise of your system, how they work, and how user-space virtualization (basically another layer of indirection that translates code and adds lots of checks, both static and dynamic, to prevent problems) could mitigate/block them.
    It was a very informative talk, providing examples, and both explaining basic as well as more advanced attacks and techniques.
  • 16:00, "Is the SSLiverse a safe place?" provided an overview on how SSL is deployed worldwide (courtesy of the EFF's SSL Observatory project) and what problems there are in the current SSL infrastructure (mostly related to trusting too many CAs, that can't really be verified as being trustworthy).
  • 17:15, the talk I wanted to watch about "Data Analysis in Terabit Ethernet Traffic" by Lars Weiler got moved to Day 4, so I watched part of FX's talk on "Building Custom Disassemblers", very interesting, but also very specialized, I don't think I'll ever have to analyze the binary code from some PLC or other obscure embedded device in the near future myself.
  • 18:30 brought "Defense is not dead", a talk on how today's computers still rely on security models from the 70/80s, and how there actually are programming languages, techniques and so on that were developed in the last 20 years that can prevent many of the security problems we encounter constantly, along with formal verification of code (or parts of it at least), and how using those can lead to more secure computers.

We then went to get some food at Alexa (hmm Nordsee, fish, yeah!), to be ready for the expected highlight of the day:

  • 20:00, "High-speed high-security cryptography: encrypting and authenticating the whole Internet", by Daniel J. Bernstein, a very interesting talk on why DNSSEC and HTTPS are incomplete (and sometimes faulty) solutions to fully securing the Internet, and how to deploy new protocols he developed (CurveCP and DNSCurve) to fix that. While it sounds great and seems to be deployable easily and without breaking compatibility too much, I don't really see this taking over HTTPS/DNSSEC's market share easily, but we'll see.

After that, we went back to the Hotel, where we watched four episodes of "Two and a Half Men" on the television (awesome, I hadn't seen those yet!), and coded a little; I managed to finish the Rig stack and queue and write much better documentation for them.

Posted by Luca Longinotti on 29 Dec 2010 at 15:00
Categories: Longi, CCC

27C3: Day 1

Hello from Berlin, where we arrived after a good 8:40 travel time on Sunday evening, 1:30 behind schedule... At least ICE trains are very comfortable and have power outlets. ;)
The first day of congress was a mixed experience... On one side the new ticket-presale system had the pleasant effect of eliminating the usual Monday morning queue to get tickets, on the other hand I'm not so sure it managed to reach the goal of keeping the participants to a manageable level, every conference room is routinely full, every table in the hackcenter and upstairs too, and lots of people have to sit on the floors just to get some kind of place (especially in the evening)... I really hoped that if they actually limited the number of tickets with the presale system, they also would have based the number of them on the sum of real, available chairs in the building (or just a little more), seems that was wishful thinking.
I also can't really support the table reservation system for groups in the HackCenter, you get entire tables reserved by projects that no one ever heard of, and which are not there most of the time, but leave an incredible mess of hardware and junk to occupy the table. Which brings me to another point: looking at HackCenter tables, one can come to only one conclusion: hackers are freaking messy! There's bottles, caps, paper, junk, half-eaten food and everything in between lying around, people just leave it there when they go away, and it's not like there isn't a trashcan every 10 meters or even less... Use them? If you don't find one, organize one? Just keep the place tidy, please.
Also the first day was plagued by infrastructure problems, LAN works well, WLAN was mostly unusable (either you got no IP or it was so slow as to be unusable, things seem to be better now), the streams initially didn't really work (sound just disappeared at random, even over DVB-T at times), in the evening they actually worked very well over DVB-T, over LAN I couldn't (and still can't) watch 10 minutes without it dying and me having to restart it.
So let's come to the talks, which are the main reason I'm here:

  • 12:30, "Code deobfuscation by optimization": didn't see it as the room was overloaded and the streams broken, will have to download a recording when they're available...
  • I managed to follow some of the "Copyright Enforcement Vs. Freedoms" and "Von Zensursula über Censilia ..." talks on a big screen upstairs outside of the conference room, they both made some great points on why censorship and too tight copyright enforcement are bad and not helpful at all.
  • 16:00, "Automatic Identification of Cryptographic Primitives in Software": this time I managed to find a place in the conference room, but I might not have bothered, while the talk wasn't bad, I couldn't see anything exciting or groundbreaking in it, it all boiled down to using some heuristics and signatures to find if a program was using crypto code and what kind of crypto code, it's an interesting, kinda specialized way to analyze binaries, using more or less reliable techniques to do it.

After that we went to eat, got a really great pizza at an Italian place on the Fernsehturm square, right beside the Rathaus. Food really costs less here.
After we were back at the BCC the real fun began:

  • 20:30, "Desktop on the Linux": it was just a big ROFL, the speaker (while he made some very good points about avoiding complexity and putting lots of stuff together, which I agree with) had not really researched every issue in-depth, and sitting in the audience was Lennart Poettering, who pretty much trashed him on every point he was trying to make by explaining why those decisions were made, how the implementation really works in-depth, and so on. It was almost sad to watch, while the speaker had some good points, he didn't manage to really bring any of them across without trashing and laughter ensuing.

And then the good stuff came:

  • 21:30, "Recent advances in IPv6 insecurities": really great talk, the speaker was very good, you saw right away this guy is used to giving talks. Very interesting and understandable explanations of the security problems he found in the IPv6 protocol, lots of images, very good English accent. All in all a very enjoyable and informative talk!
  • 23:00, "Adventures in analyzing Stuxnet": like the speaker would say it: "Hey dude, this was fucking awesome!", really. The talk by Microsoft's Bruce Dang was incredibly interesting, he explained how they handled finding the various zero-day bugs Stuxnet used to infect a Windows system, how they used various debugging techniques, binary analysis, team work with other Windows subsystem teams and so on to understand how Stuxnet actually got onto a Windows system and how to fix those flaws. Very informative stuff, and presented in a very relaxed and funny, down-to-earth way. As one spectator said at the end: "I never expected to enjoy a Microsoft talk so much!".
  • Last but not least, 00:15 brought the "Pentanews Game Show", a new multi-player game show they introduced this year, based on "Who wants to be a millionaire?" but with IT-news related questions, quite enjoyable and funny. I personally like this game much more than "Hacker Jeopardy" (which will be on Day 3).

Posted by Luca Longinotti on 28 Dec 2010 at 12:12
Categories: Longi, CCC

Merry Christmas!

I wish everyone an awesome and merry Christmas, have lots of fun (and presents)!

On another note, exams finally ended, I'm pretty confident about most of them, so, yay!

Posted by Luca Longinotti on 24 Dec 2010 at 17:45
Categories: Longi

27C3, we're definitely coming!

Yeah, me and a friend will be present at this year's Chaos Communication Congress.
I'm keeping up my "every-two-years" schedule, went to the 23rd, 25th, and now 27th Congress.
I managed to get tickets at the last sales window, thankfully, since we already got the rooms and train reserved and paid for before we even knew that they changed the ticket selling system this year...
So I missed the first two pre-sales, but managed to get two tickets on the last one... It would not have been fun to go to Berlin and just watch the Congress from outside!
We'll be in Berlin from the evening of the 26th to the morning of the 2nd, which means we'll also be celebrating New Year's Eve in the big city of Berlin, that ought to be lots of fun! ;)
Let me know if you'll be there too, see you there!

Posted by Luca Longinotti on 11 Dec 2010 at 00:29
Categories: Longi, CCC
