The State of the Network: 31st Chaos Communication Congress
Unless a geomagnetic storm throws us back into the pre-electronic age, communication networks will play an ever larger role in humanity's development. Yet too few people possess knowledge about how information technology works and the political impact these technological systems have on our societies, eroding one of the primary conditions for a well-functioning democracy: a well-informed people.
The Chaos Communication Congress, the annual hacker get-together in Germany organized by the Chaos Computer Club, is an antidote to that knowledge gap. In those odd couple of days between Christmas and New Year's, 13,000 people gathered in Hamburg for the 31st edition, 31C3, to discuss, learn about, build upon, hack and improve the state of our networks.
The previous Congress in 2013 took place under the shadows of the Snowden documents, which revealed that the beloved nets had been infiltrated, deliberately weakened, and turned into a global surveillance system. For the first time in its history going back to 1984, the Congress did not have a motto. Speechless. This year's motto is A New Dawn, a call to rise up after the initial shock and reclaim the networks.
Thanks to the amazingly well-organized CCC Video Operation Center every talk of the four main tracks is available in HD to those who couldn't make it.
Security holes in the global phone system
In his talk "Locate. Track. Manipulate.", Tobias Engel discusses the vulnerabilities in SS7, Signaling System #7, an ancient protocol suite that enables communication between separate telephone networks.
Because SS7 was designed in a time when there were only landline phones and a few major (mostly) state-owned telecom operators which trusted each other, authentication requirements weren't built into the system and still aren't in place today. Engel demonstrates how easy it is to access the system and retrieve information about a user, including their location. Needing only their phone number, Engel tracked a couple of his friends for two weeks. A map depicting the hourly location updates traces their movements quite accurately until they all mysteriously converge in Hamburg.
Besides location tracking, attackers can also exploit SS7 to record phone calls, reroute data to an alternate destination and deplete prepaid credits. Engel demonstrates some of the exploits live on the stage.
That SS7 vulnerabilities are actively exploited is proven by advertising brochures of companies offering tracking as a service. Engel explains how SS7 security can be upgraded quite easily and some operators have done so. But many haven't, leaving extremely private data of their customers up for grabs.
Hacking cyber-physical systems
Moving beyond traditional communication network hacking, researcher Marmusha talks about hacking networked industrial control systems, a.k.a. cyber-physical systems, in her talk "Damn Vulnerable Chemical Process". She explains what kind of tools are available, the types of attacks that can be staged, how to prepare them and what knowledge is required. She warns that the importance of cyber-physical security is underestimated because attacks often aren't made public for fear of bad publicity. The high cost of testing the security of these highly specialized systems is another obstacle to making them more resilient against cyberattacks.
Heartbleed bug
Society has become more sensitive to security issues, though, where the internet is concerned. The Heartbleed vulnerability in OpenSSL got a lot of attention in mainstream media. In the talk "The Matter of Heartbleed", Zakir Durumeric discussed the measures that were taken in the aftermath of the disclosure. He is part of a research team at the University of Michigan that started making massive scans of the internet to track the reactions to the Heartbleed bug. Their findings contain both good and bad news. The bug affected between 24 and 55% of all HTTPS sites on the web. The good news is that through collaboration and communication the vast majority of affected sites were patched. This goes to show that the internet, a complex system of systems operated and maintained by a countless number of people, can respond quite comprehensively to a security threat.
However, the Heartbleed bug made servers vulnerable to their cryptographic keys being stolen. So in addition to patching it was also necessary to change cryptographic keys. The bad news is that this advice was followed far less often: only 10% of vulnerable sites replaced their certificates. This goes to show that the internet, a complex system of systems operated and maintained by a countless number of people, can respond quite dismally to a security threat.
Trackography
It's not just governments that revel in their newfound capabilities of mapping out the lives of individuals in minute detail; companies enjoy this power as well. During their talk "Trackography. You Never Read Alone", Claudio Agosti of Globaleaks and Maria Xynou of Tactical Tech launched a tool that tracks the third-party URLs and trackers on media sites. It shows which other parties get access to your data while you are reading the news, as well as the countries the data travels through. The live demo showed, for instance, that when someone connects to the Wall Street Journal, in actuality they are connecting to 37 different parties.
"A world without privacy is a world without freedom"
What life becomes when subjected to all these elements of electronic tracking and surveillance was addressed by Hans de Zwart, director of Bits of Freedom. In his talk "Ai Weiwei Is Living In Our Future" he describes the surveillance the Chinese artist Ai Weiwei is undergoing.
De Zwart was not on one of the main stages. At least as much of the information sharing and connecting during Congress takes place in ad hoc workshops and self-organized sessions. It means there is no video of this talk, but De Zwart wrote it down: “Ai Weiwei has been living in our future. His movements are restricted and he is structurally being watched by the government. He lives in a world without privacy. A world without privacy is a world without freedom.”
De Zwart points out that it is not only those under surveillance who are dehumanized by the extensive system of control, but the guards and agents who carry it out as well. “They are actually being used as a small piece of human cognitive processing inside a giant automated surveillance system”, writes De Zwart.
A New Dawn
Admittedly, most of the talks described here do not exactly paint a picture of hope concerning the state of our networks. But awareness is growing, and the Chaos Communication Congress and what it represents is drawing more participants each year. A new dawn does not mean we're done; it means it's time to start working with renewed energy.