| A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z | ||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 | Talk / Person | Laban | Alexander | Cjo | Artur | Robert | Joakim | Adrian | Jonas | Stigok | Konrad | David | Fnords | kfh | |||||||||||||
2 | The Rocky Road to TLS 1.3 and better Internet Encryption | 5/5 Very pedagogic, good introduction, nice English, funny speaker Short SSL/TLS history Padding Lucky Thirteen POODLE (padding oracle, in SSLv3 by design), version: POODLE-TLS Lucky Microseconds in s2n (2015) LuckyMinus20 in OpenSSL (2016) Bleichenbacher attacks (RSA encryption) ROBOT (2017) (Return of Bleichenbacher's Oracle Threat) TLS 1.2 and before: counter measures and more counter measures... TLS 1.3 deprecates a lot of things Formal verification One RT less in TLS 1.3 handshake before sending data 0-RTT only safe for idempotent actions "Do web developers know what idempotent means?" <-- big applause! 0-RTT does not have PFS 0-RTT is optional TLS versioning schema which is strange TLS 1.0 is "SSL 3.1" and so on TLS record layer inside TLS. "Meaningless" version number which is just kept "Enterprise Product is something that is expensive and buggy" <-- big applause! Downgrade attacks (block new versions and force browser to use SSLv3) "GREASE": Servers should ignore unknown versions in supported_versions *Reserved* GREASE bogus versions ChangeCipherSpec message in 1.2 to make 1.3 look more like 1.2 so middle boxes accept it Dual EC DRBG by NSA, convinced RSA Security to implement it, "extended random" proposal to TLS, which made the Dual EC DRBG backdoor easier to exploit. Canon Pixma printers implemented this which had a non-standard extension number colliding with TLS 1.3 Banking industry complained late in the TLS 1.3 draft process, "visibility mode" suggested | 4/5 nothing new | 5/5 | 4/5 Nothing new, good introduction to TLS. | ||||||||||||||||||||||
3 | Opening Event | German sucks | Always good with a GDPR joke. | ||||||||||||||||||||||||
4 | First Sednit UEFI Rootkit Unveiled | 4/5 Quite pedagogic, quite good introduction to subject, quite good English Sednit aka Fancy Bear, APT28 etc, active since early 2000s DNC, WADA, TV5 Monde LoJack also known as CompuTrace Configuration file vuln. Able to change which server is contacted Signed Windows kernel driver to talk to SPI flash memory UEFI layout in SPI flash memory BIOS Write Lock is vulnerable If changed, it will be changed back by a SMI handler -> race condition Note: Hacking Team's UEFI rootkit needed physical access The UEFI rootkit is a DXE driver "SecDXE" installs NTFS driver (from the Hacking Team leak), installs rpcnetp.exe, autoche.exe (instead of autochk.exe) NTFS driver is the way for UEFI to read and write NTFS file systems Prevention: UEFI update, Secure Boot, Hardware Root of Trust (e.g. Intel BootGuard, Apple T2), firmware security assessment (Intel CHIPSEC as example) Remediation: reflash UEFI firmware | 4/5 good information | 5/5, but didn't understand much of the UEFI dropper | |||||||||||||||||||||||
5 | Hunting the Sigfox: Wireless IoT Network Security | 5/5 Very pedagogic, great English, funny, good introduction No vulns found, but weaknesses UNB: Ultra Narrow Band Intro of SNR etc. Uplink: 0-12 bytes at 600 bps Downlink 8 bytes @ 600 bps, max 4 packets per day (GFSK) FTDMA Unlicensed 868 MHz Proprietary Sigfox uses phase modulation (D-BPSK) convolutional code (5, 7) Coding Gain == Uplink == First unencoded, then 5-encoded and last 7-encoded 4 byte device ID unencrypted payload CRC-16 CBC-MAC, AES: "secret key is stored in non-accessible memory" but plain text in flash memory Weaknesses: MAC too short (16 bits), SN too short MAC bruteforce possible within 4 hours on one channel (300 possible channels) Blacklist according to vendor (DoS possible) 12 bits serial number = 4096 possibilities = wraps in 30 days in worst scenario == Downlink == GFSK (freq mod) Scrambling algorithm based on SN + Device ID BCH(15,11,1) error correction Encrypted downlink available Sigfox' long term goal is to open source a device library jeija.net/sigfox | |||||||||||||||||||||||||
6 | wallet.fail | 5/5 New vulns, great entertainment, great English, funny, good presentation wallet.fail BIP32/BIP44 to derive key pairs for different wallets (seeded) BIP39 is a format for storing seed as words (mnemonic) Hologram seals are easy to take off and re-apply New version have a sticker on the USB-C port, but also easy to remove Easy to open enclosure They created an implant which is a RF controlled button (to sign stuff) supermicro.fun "Genuine device" check works on Windows but not Linux "f00dbabe" vuln Ledger Nano S has enabled programming pins STM32 + ST31 secure element Boots firmware if 0xf00dbabe is found at a specific address Prevents writes to that address, but allows it if it's mapped to another address Writes to address 0 allowed STM32 sends firmware to ST31 on boot LiveOverflow 20 min video on YouTube AI analyzing intercepted signals from display commands when entering PIN -> accuracy ~98 % == Glitching == STM32 read-out protection Not able to read flash but RAM in some circumstances STM32F2 Successful glitch in three months... RDP2 -> RDP1 downgrade Firmware upgrade procedure copies interesting data from flash to RAM Stopping in time will get the seed BIP39 mnemonic words found with "strings" in the RAM dump (!) FPGA to glitch. Bench built and design released (?) Protection: use pass phrase on the Trezor [something] | 4/5 entertaining, hardware glitching | ||||||||||||||||||||||||
7 | Lecture: Scuttlebutt | 1/5 no details | 2/5 no tech | 1/5 incoherent | |||||||||||||||||||||||
8 | Lecture: Information Biology - Investigating the information flow in living systems | 4/5 informative | |||||||||||||||||||||||||
9 | What The Fax?! | 4/5 Entertainment, new CVEs, fun to learn some FAX, quite good English @Eyalltkin, @ynvb Standard from 1980 Dissecting HP printer Firmware upgrade via PJL (Print Job Language) feature for upgrading NULL, TIFF, Delta Raw decoders Spidermonkey (Mozilla JavaScript implementation) in the firmware PAC: Proxy Auto Configuration uses JavaScript HP printers connect to fakedomain1234.com owned by the researchers :) ITU T.30 RCE in gSOAP -> printer vulnerable Need to send 2 GiB of data (takes about 7 minutes) Non-stable exploit Writing an own debugger "Scout" opening a TCP socket for debugging How FAX works: HDLC tunnel, send Called ID string, capability negotiation G.3/G.4 TIFF file Color Extension (JPEG file instead of TIFF) Stack overflow in JPEG Demo: EternalBlue on internal network | 5/5 great tempo | 4/5 extremely entertaining, not that exciting an exploit | 5/5 fun, good stuff | 4/5 Good pace, clearly well researched. | 4/5 fun fax hax | 5/5 entertaining and educational | |||||||||||||||||||
10 | Lecture: A farewell to soul-crushing code | 2/5 haskell masturbation | 3/5 haskell promotion | ||||||||||||||||||||||||
11 | Lecture: The nextpnr FOSS FPGA place-and-route tool | 3/5 informative | 3/5 informative | 4/5 Obviously only interesting if you care about FPGAs | |||||||||||||||||||||||
12 | Lecture: SymbiFlow - Finally the GCC of FPGAs! | 4/5 Nice update | |||||||||||||||||||||||||
13 | Jailbreaking iOS | 3/5 | 3/5 some interesting parts | 3/5 INFODUMP. Not very interesting unless you care a lot about this. Speaker had a lot of information but it's a bit monotone. | |||||||||||||||||||||||
14 | Lecture: Attacking end-to-end email encryption | 5/5 good speed and informative | 5/5 great content, great speaker | ||||||||||||||||||||||||
15 | The year in post-quantum crypto | 4/5 quite interesting but a bit boring | 4/5 Good stuff, general overview of what has been cooking. Nothing | ||||||||||||||||||||||||
16 | Lecture: The Layman's Guide to Zero-Day Engineering | 5/5 very nice to show non-security-focused people | |||||||||||||||||||||||||
17 | Lecture: Provable Security | 3/5 nice overview | |||||||||||||||||||||||||
18 | Memsad | 4/5 quite interesting, not very pedagogic, some new findings memset_s() crypto libs usually have their own functions for this -fno-builtin-memset #pragma GCC optimize ("O0") Weak symbols (ELF specific) Memory barriers A lot of software have memsets and the like which gets optimized out! 9 bugs | 5/5 knowledgeable, interesting details about compilers | ||||||||||||||||||||||||
19 | The Mars Rover On-board Computer | 5/5 Nice fairytale full of technology! | |||||||||||||||||||||||||
20 | Lecture: Viva la Vita Vida | 5/5 very good explanation of glitching | 5/5 well explained | 5/5 | |||||||||||||||||||||||
21 | Lecture: Truly cardless: Jackpotting an ATM using auxiliary devices. | 3/5 low on details | 4/5 fun exploits, few details | 3/5 Nothing really surprising here - using wireless keyboard usb sticks when you have physical access isn't really that interesting. | 3/5 Good content, need better presenting | ||||||||||||||||||||||
22 | Internet of Dongs | 4/5 Entertaining, several vulns | 3/5 was fun live but probably not that interesting to watch recorded | 5/5 Very entertaining. I had hoped for more interesting exploits, but it was interesting to see how bad companies can fail at securing their cms. | |||||||||||||||||||||||
23 | A WebPage in Three Acts: live coding performance | 5/5 Very entertaining | |||||||||||||||||||||||||
24 | "The" Social Credit System | 4/5 Demystifying | |||||||||||||||||||||||||
25 | Kernel Tracing With eBPF | 3/5 TOO MUCH TEXT and details on slides!!! Native English. Too fast. A few interesting findings. bcc: compile C to BPF (BPF Compiler Collection) The validator is apparently crappy and doesn't tell you what the problems are. eBPF bad for defensive security Offensive: "conjob" to spoof cron jobs glibcpwn github/nccgroup/ebpf | 4/5 good overview, need to read slides again afterwards | 4/5 unexpectedly interesting, focus on security aspects | |||||||||||||||||||||||
26 | Lecture: Dissecting Broadcom Bluetooth | 5/5 showed live exploits on the scene | 4/5 dropped a zero-day | ||||||||||||||||||||||||
27 | Lecture: 35C3 Infrastructure Review | 2/5 nothing special | 3/5 entertaining | 4/5 An impressive amount of work from the organizers | |||||||||||||||||||||||
28 | Modchips of the state | ||||||||||||||||||||||||||
29 | Exploring fraud in telephony networks | 2/5 a bit too much telco perspective, not that interesting | |||||||||||||||||||||||||
30 | Deep dive into the world of DOS viruses | 3/5 a cultural treasure, but skipped a lot of details | 4/5 Very simple introduction to the machine architecture. Good for DOS noobs like me. Cool to hear ideas to analyse large sets of programs. Custom DOS emulator. Native British | ||||||||||||||||||||||||
31 | From zero to zero-day | 3/5 good tech, not such a good talk, the subject (JIT exploit for MS Edge) not that interesting to me | |||||||||||||||||||||||||
32 | In soviet russia smart card hacks you | 5/5 interesting results, fuzzed smartcard drivers | 3/5 Good content, but perhaps a little bit boringly presented | ||||||||||||||||||||||||
33 | Lecture: MicroPython – Python for Microcontrollers | 3/5 Good if you don't know anything about MP. Shows possibilities and limitations of the tech. Easy to follow, but purely informational (~no code) | |||||||||||||||||||||||||
34 | Domain Name System | 4/5 Shows what DNS is from bottom up. Pretty quick walkthrough and some gotchas and exploits towards the end, including Q&A. Learned something new. | |||||||||||||||||||||||||
35 | Compromising online accounts by cracking voicemail systems | 5/5 phreaking 4ever | |||||||||||||||||||||||||
36 | Lecture: The good, the strange and the ugly in 2018 art &tech | 4/5 Strangest talk of the conference, but interesting stuff. Well performed. | |||||||||||||||||||||||||
37 | Film: All creatures welcome | 3/5: Very interesting overview of the culture around CCC, but a bit niche narrative which might make it hard for people outside hacker and popular culture to grasp | |||||||||||||||||||||||||
38 | Hebcon | 5/5: Watching junk robots fight is the best kind of late night entertainment | |||||||||||||||||||||||||
82 | votes: candidates a2;a3;a4;a5;a6;a7;a8;a9;a10;a11;a12;a13;a14;a15;a16;a17;a18;a19;a20;a21;a22;a23;a24;a25;a26;a27;a28;a29;a30;a31;a32;a33;a34 votes a2=a3=a4=a5=a6=a7=a8=a9=a10=a11=a12=a13=a14=a15=a16=a17=a18=a19=a20=a21=a22=a23=a24=a25=a26=a27=a28=a29=a30=a31=a32=a33=a34 laban a2=a5=a6=a19>a22=a18=a15=a9=a4>a13=a25 Alexander a9=a14=a16=a20=a26>a2=a4=a8=a25>a11=a17=a21>a10=a27>a7 cjo a2 arthur a2=a4=a5=a6=a7=a8=a9=a10=a11=a12=a13=a14=a15=a16=a17=a18=a19=a20=a21=a22=a23=a24=a25=a26=a27=a28=a29=a30=a31=a32=a33=a34>a3 robert a12 joakim a14=a20>a21>a10=a11>a7 adrian a23>a24>a13 jonas a4=a18=a32>a26=a25=a9=a6>a27=a30=a31>a29>a7 stigok a30=a34>a33 konrad a20=a9>a11=a15>a13=a21=a22 David a22>a9=a2 silje a35>a9=a27>a32=a21 | ||||||||||||||||||||||||||