The mad and beautiful landscape of the conference this year covers four floors of a Hamburg conference center like and electrical/human forest undergrowth. The topics range as wildly as technology itself. Sessions include the mathematics of factoring (cracking) RSA encryption, the state of the surveillance state in Russia, SCADA vulnerabilities, often in critical infrastructure, Romantic poets, and massively hacking tamagotchis. The halls and "assembly" areas for affinity groups all full of the interests of hacker culture: coding tables, hackerspaces, lockpicking, blinky lights, food hacking, etc. The undercurrents and background noise of the conference saturate in the hallway track. Legal crackdowns and the rising surveillance states crowd on in on us from outside, old fights over misogyny, sex and violence, and exclusion riddle the event from within. And through it, also the revitalization of friendships that are, in some cases, four days wide but decades deep. The starts and ends of countless projects, some of which will amuse us all, some fail, and others that will in time shape the world.

The hacker community that comes together at CCC is an extraordinary thing, physical and ethereal, a communion of wizards and fools, often trading roles through the day.

This year's theme is Not My Department, ominously lifted from Tom Lehrer's song about Wernher von Braun and the nuclear age. It's a self-conscious choice, a sign of growing awareness that this community is poised to sit in a position of strange power in the 21st century -- without yet knowing what kind of ethics should accompany that position. A nest of geeks whose real-world influence has grown out of all proportion in the last 30 years, these hackers, coders, and makers are struggling with the weird machine they have created in the heart of the world.

ONCE-THE.ROCKETS/ARE-UP..WHO>CARES-WHERE.THEY/COME-DOWN. THAT'S
N.O-T/MY-D/E.PA/R.T-ME-N-T.
2.9-C/3

Nearly all the talks are available on Youtube within a day of being completed -- follow along at home, and on Twitter at the #29c3 hashtag. But for the hallway track, there is only here.]]> http://boingboing.net/2012/12/30/the-led-dawn-at-29c3-the-29th.html/feed 2 http://boingboing.net/2012/12/29/your-cisco-phone-is-listening.html http://boingboing.net/2012/12/29/your-cisco-phone-is-listening.html#comments Sat, 29 Dec 2012 20:02:11 +0000 Cory Doctorow http://boingboing.net/?p=203159

Here's a video of Ang Cui and Michael Costello's Hacking Cisco Phones talk at the 29th Chaos Communications Congress in Berlin Hamburg. Cui gave a show-stealing talk last year on hacking HP printers, showing that he could turn your printer into a inside-the-firewall spy that systematically breaks vulnerable machines on your network, just by getting you to print out a document.

Cui's HP talk showed how HP had relied upon the idea that no one would ever want to hack a printer as its primary security. With Cisco, he's looking at a device that was designed with security in mind. The means by which he broke the phone's security is much more clever, and makes a fascinating case-study into the cat-and-mouse of system security.

Even more interesting is the discussion of what happened when Cui disclosed to Cisco, and how Cisco flubbed the patch they released to keep his exploit from working, and the social issues around convincing people that phones matter.

We discuss a set of 0-day kernel vulnerabilities in CNU (Cisco Native Unix), the operating system that powers all Cisco TNP IP phones. We demonstrate the reliable exploitation of all Cisco TNP phones via multiple vulnerabilities found in the CNU kernel. We demonstrate practical covert surveillance using constant, stealthy exfiltration of microphone data via a number of covert channels. We also demonstrate the worm-like propagation of our CNU malware, which can quickly compromise all vulnerable Cisco phones on the network. We discuss the feasibility of our attacks given physical access, internal network access and remote access across the internet. Lastly, we built on last year's presentation by discussing the feasibility of exploiting Cisco phones from compromised HP printers and vice versa.

We present the hardware and software reverse-engineering process which led to the discovery of the vulnerabilities described below. We also present methods of exploiting the following vulnerabilities remotely.

Hacking Cisco Phones [29C3] (Thanks, Ang!) ]]> http://boingboing.net/2012/12/29/your-cisco-phone-is-listening.html/feed 11 http://boingboing.net/2011/12/28/linguistics-turing-completene.html http://boingboing.net/2011/12/28/linguistics-turing-completene.html#comments Thu, 29 Dec 2011 07:35:10 +0000 Cory Doctorow http://boingboing.net/?p=136369

Yesterday's keynote at the 28th Chaos Computer Congress (28C3) by Meredith Patterson on "The Science of Insecurity" was a tour-de-force explanation of the formal linguistics and computer science that explain why software becomes insecure, and an explanation of how security can be dramatically increased. What's more, Patterson's slides were outstanding Rageface-meets-Occupy memeshopping. Both the video and the slides are online already.

Hard-to-parse protocols require complex parsers. Complex, buggy parsers become weird machines for exploits to run on. Help stop weird machines today: Make your protocol context-free or regular!

Protocols and file formats that are Turing-complete input languages are the worst offenders, because for them, recognizing valid or expected inputs is UNDECIDABLE: no amount of programming or testing will get it right.

A Turing-complete input language destroys security for generations of users. Avoid Turing-complete input languages!

Patterson's co-authors on the paper were her late husband, Len Sassaman (eulogized here) and Sergey Bratus.

LANGSEC explained in a few slogans ]]> http://boingboing.net/2011/12/28/linguistics-turing-completene.html/feed 49