Channel: CodeSection,代码区,网络安全 - CodeSec
Viewing all articles
Browse latest Browse all 12749

33rd Chaos Communication Congress


I spent the time between Christmas and New Year in Hamburg, Germany, at the Chaos Communication Congress, 33rd edition (33C3 in short). 33C3’s motto was “Works for Me”, a phrase that everyone working in IT/engineering will hear at some point during their career. It quickly became a meme in the congress, showing up every time a presenter had a laptop issue for example.

I used some of the time between talks to update a bit my personal infrastructure to include Owncloud in addition to the existing Gitlab instance. This is still a work in progress, and I may write about it in the future.

I also had a lot of project ideas that I will leave here, in case I need some ways to lose my time soon!

WhatsApp-b-gone, an idea that was created after @SyrianSpock and I realized that social gatherings were annoyingly filled with people glaring at their phone. The easiest way to implement this is probably to add some rules in the firewall to block WhatsApp traffic. The rules should be easy to turn on and off (webapp for example). Learning how to use radare2. Radare2 is a reverse engineering framework like IDA pro, but libre and commandline. It seems powerful but the learning curve is rather steep, so I must stick to it. Related to the previous one: reverse engineer the Xiaomi Band fitness device. This is a small connected device that is still complete enough to be interesting to reverse engineer. Gaining code execution on it would be nice, as it is a small wearable device with a lot of autonomy. Modifying the CVRA’s USB to CAN adapter to use SocketCAN. It would allow us to plug it into linux and use Wireshark to analyze traffic. A “smart” time tracker, which works by detecting what is your current working directory and guessing on which project I am working.

Anyway: aslast year , I took some notes about the talk I went to and also the talk I had to miss, so that I can watch them later. This year marks the introduction of French translation for streams, which are included in the recording if you want to. Kudos to the translation team!

The Global Assassination Grid

As they say in the Air Force, No comms no bombs‘, A technician’s insight into the invisible networks governing military drones and the quest for accountability

It was impressive to hear him talk about his experience as a drone pilot and why he switched to alert the public about the drone program. I don’t think it is technical but some military acronyms slipped in without being explained.

Shut Up and Take My Money!

FinTechs increasingly cut the ground from under long-established banks’ feet. With a “Mobile First” strategy, many set their sights on bringing all financial tasks―checking the account balance, making transactions, arranging investments, and ordering an overdraft―on your smartphone. In a business area that was once entirely committed to security, Fintechs make a hip design and outstanding user experience their one and only priority. Even though this strategy is rewarded by rapidly increasing customer numbers, it also reveals a flawed understanding of security. With the example of the pan-European banking startup N26 (formerly Number26), we succeeded independently from the used device to leak customer data, manipulate transactions, and to entirely take over accounts to ultimately issue arbitrary transactions―even without credit.

Good talk showing the issues in a banking startup. The exploits were not complicated but are a good example of what not to do when you are developing an application. Not very technical.

What’s It Doing Now?

Legend has it that most airline pilots will at one time have uttered the sentence “What’s it Doing now?”, whenever the autopilot or one of its related systems did something unexpected. I will be exploring some high-profile accidents in which wrong expectations of automation behavior contributed to the outcome.

This talk was trying to see how we could transpose the lessons learnt from plane autopilots to self-driving car, especially regarding to what to do when it fails. Not very technical.

Dieselgate A year later

At 32C3 we gave an overview on the organizational and technical aspects of Dieselgate that had just broken public three months before. In the last year we have learned a lot and spoken to hundreds of people. Daniel gives an update on what is known and what is still to be revealed.

Awesome talk! Daniel was one of the two presenters on the 32C3 Dieselgate talk. This year they decided to split their talk in one about politics/law (this one) and one about hacking methods used (I could not watch it). I recommend it to anyone interested in the Dieselgate scandal. Not technical.

Nintendo Hacking 2016

This talk will give a unique insight of what happens when consoles have been hacked already, but not all secrets are busted yet. This time we will not only focus on the Nintendo 3DS but also on the Wii U, talking about our experiences wrapping up the end of an era. We will show how we managed to exploit them in novel ways and discuss why we think that Nintendo has lost the game.

I like talks about console hacking: Since console systems are exotic, they usually start with an overview of the platform, which allows you to understand the exploits part without too much specific knowledge (unlike say, talks about PC systems). A good talk, with three passionate hackers showing us how they owned the Wii U and the 3DS. However, the attacks presented are highly technical, and might be hard to understand if you are not familiar with ROP and Use-after-free.

How physicists analyze massive data: LHC + brain + ROOT = Higgs

Physicists are not computer scientists. But at CERN and worldwide, they need to analyze petabytes of data, efficiently. Since more than 20 years now, ROOT helps them with interactive development of analysis algorithms (in the context of the experiments’ multi-gigabyte software libraries), serialization of virtually any C++ object, fast statistical and general math tools, and high quality graphics for publications. I.e. ROOT helps physicists transform data into knowledge.

The presentation will introduce the life of data, the role of computing for physicists and how physicists analyze data with ROOT. It will sketch out how some of us foresee the development of data analysis given that the rest of the world all of a sudden also has big data tools: where they fit, where they don’t, and what’s missing.

Fun thing about this talk: the topics were chosen by the audience, based on the amount of cheering for a given topic. However, I did not learn much in this talk, especially on ROOT, which was supposed to be the theme of the talk. Somewhat technical.

No USB? No problem.

How to get USB running on an ARM microcontroller that has no built in USB hardware. We’ll cover electrical requirements, pin assignments, and microcontroller considerations, then move all the way up the stack to creating a bidirectional USB HID communications layer entirely in software.

xobs is the co-creator of the Novena open source laptop. I highly recommend reading his blog , if you are into hardware hacking or manufacturing. About the talk itself, I enjoyed it, as it was a nice introduction to USB and debugging, and I worked on those two topics before. However, if you are not planning to implement USB soon, or don’t like firmware hacking, this talk might not be your cup of tea.

Formal Verification of Verilog HDL with Yosys-SMTBMC Yosys is a free and open source Verilog synthesis tool and more. It gained promi

Viewing all articles
Browse latest Browse all 12749
click here for Latest and Popular articles on SAP ERP