While the year 2014 comes to an end, two very interesting conferences have taken place in Hamburg. The annual Chaos Communication Congress 31C3 occupied the Congress Center of Hamburg (CCH) for 4 days and the first BSidesHH was held in the heart of the city.
Luckily, I was able to attend both and like to recap my experiences and outline their really different strengths in terms of their concepts and their talks.
31C3 - Oldschool and full of craziness!
The 31st Chaos Communication Congress was held for the third time in a row now in Hamburg!
This annual event is the biggest of its kind with over 12.000 visitors (roughly estimated) in Germany and (probably?) Europe, where people interested in Security, Hacking, Ethics and Politics from all over the world come together to exchange their ideas and views.
Like every year, the talks are a very important part of this event, but as there are so many interesting talks and even more different topics, I’d like to outline only the two most interesting talks, which affect my next year’s researching focuses.
The talk “EMET 5.1 - armor or curtain” by Rene Freingruber from SEC Consult was by far the most inspiring one. He exploited a previously known vulnerability in Mozilla’s Firefox, which was protected by a fully-enabled EMET 5.1. Really amazing work, although he went through a lot of slides quite quickly, but since this topic is too complex to cover it in just one hour, it is really understandable! I can absolutely recommend to watch this talk!
So bypassing EMET will be one of my focuses for the next year, because I have actually a lot of ideas how to do more evil stuff with it ;-)…
The second interesting talk “Thunderstrike: EFI Firmware Rootkits for Apple MacBooks” by Trammel Hudson was real hardware hacking and reverse engineering stuff about placing a custom and persistent bootloader onto MacBooks via the Thunderbold interface. Although I don’t own a MacBook (and probably won’t ever), it represents my second focus for the next year: Hardware Reversing. Really interesting stuff :-)!
And I’d also like to mention the funniest talk! This years award goes to Netanel Rubin, who presented his talk “The Perl Jam”. He uncovered some basic language concept flaws of the scripting language Perl, which may lead to SQLi and even RCE in some cases. The funny thing about this talk, was Netanel’s style, which could best be shown using his following (funny) slide:
But since there were really a lot of interesting talks - you have to watch these as soon as they’re online on the CCC TV repository!
From idea to Con in just under a month (or how to BSides)!
This was amazing! As I have read about BSidesHH for the first time on the 29th November in a tweet by its father f1nux, I was just like: “nah, i don’t think they can organize a security conference in just under a month of time. Well, but good luck with that.”. But I was astonished by hearing about its rapid process in planning, so I decided to give it a try by recruiting some sponsors, which was unluckily unsuccessful, because of some stupid ROI discussions with potential sponsors (!). Anyways I’ve reserved my free ticket for the 28th December (in parallel to the 2nd day of the 31C3) and headed there on this day.
And I was really impressed of what the orga team of f1nux, Daniel and Caroline have managed to create in such a short time frame: An amazing, community-close and individual conference (with a lot of Club Mate for free!) !
In my opinion this is a very big advance in comparison to the 31C3, which is a huge event, where thousands of people come together. You have time to talk closely with your security fellows about things and everything is a bit more individual.
Although the time frame was such short, there have been a couple of great talks, the best one (in my opinion) was held by Stefan Frei:
“The Known Unknowns in Cyber Security & Outbidding Cyber Criminals” was about security vulnerability disclosure principles and the speaker discussed the theory of what happens if someone buys every single vulnerability report for “just” 150.000 USD. A crazy idea, but in comparison to GDPs and revenues, it really starts to make sense and additionally: It is above the black market prices! We definitely have to work on this ;-)
Another really interesting talk “The wrong side of history - everything that is old is new again” was held by f1nux himself, where he tried to compare the current Snowden world with all its NSA disclosures to one major event in the past: the Manhatten project. You don’t believe that there is connection? Well f1nux proved otherwise, with a really great conclusion at the end, which is such meaningful!
All in all it was a really great time, and I’d like to thank the team for creating such an amazing conference:
I’m looking forward to next year’s BSidesHH and probably prepare a talk by myself about some crazy stuff ;-)!
Thanks for reading my blog for another year :-)!