The Valhalla team just got back from our trip to Hamburg to visit the 31st annual Chaos Communications Congress (dubbed 31c3), Europe's largest security/hacking conference. In this article we would like to give a summary of our experience and an overall explanation of the congress to help others who may be interested in attending in the future.
When we first arrived at the conference we were a bit lost. We were expecting to see the usual stands where you can talk to representatives from businesses or to individuals demonstrating their devices or software and handing out free pens, as you typically see at such conferences, but these were nowhere to be found aside from a few activist groups (possibly due to the CCC's no-corporate-sponsoring policy). As we walked around we were initially worried we would end up pretty bored, since we soon discovered that most of the conference was really a big meet-up for the various hackerspaces around Germany. We also began to worry that we stood out from the crowd, as so many of the participants were black-clad and poorly groomed, dressed in the stereotypical hacker style. There were also quite a few extreme-looking people wearing very unusual costumes. I have to admit I've never had so much difficulty determining the gender of people until now (e.g. a "probably guy" wearing a goth maid costume).
Once the talks began our outlook started to improve, since there were quite a few excellent speakers, most of whom were highly qualified, being professors and scholars. Most of the talks we saw were very well prepared and well presented, covering complex and interesting topics. There were of course a few bad ones, but overall the talks were the main draw for us.
The four-day conference took place from the 26th through the 30th of December. On each day, the events began around 11 in the morning and went until somewhere between midnight and 2 in the morning. Here are some additional facts and figures about the conference:
- 202 speakers (including lightning talks)
- 186 talks
- 8,500 preordered tickets
- 10,000 total attendees
- 400 kids
- 122.5 hours of program
- 1,152 volunteers (referred to as "angels")
- 14,000 man hours of work
- 228 assemblies
There were many talks on a variety of topics and in a variety of formats, ranging from short talks, long talks and lightning talks (explained later) to comedy shows and even a theatrical play. One of the talks was even widely reported in the news.
In the next sections we'll outline some of the best and worst of the talks. We of course did not attend every talk, so we cannot say much about the ones we didn't see. This list also does not mention every talk we attended, since for some there isn't much to say. We'll also include links to the videos of the talks for those interested in watching them.
Revisiting SSL/TLS Implementations
This talk explained the Bleichenbacher attack on SSL/TLS and how it still works against some implementations (Java for instance), which can also be vulnerable to a timing variant of the attack. The speaker was excellent and spoke extremely clearly. The whole thing was very well explained despite the high complexity of the topic.
SS7 Locate. Track. Manipulate
This was a very interesting topic about hijacking mobile signals and manipulating them, and the talk even included a live demo. The talk was very well-explained. It was a pity though that childish members of the audience decided to repeatedly call the demo phone while the speaker was trying to show his techniques.
From Computation to Consciousness
This talk had a really good speaker who presented an interesting combination of IT, neurology and philosophy, centred on a discussion of consciousness and what it really is.
Mining for Bugs with Graph Database Queries
A very interesting topic about parsing code into a Neo4j graph database and then constructing Cypher queries to search for vulnerabilities in the code. The speaker showed numerous real examples of 0day vulnerabilities he found using this technique.
Net neutrality: days of future past?
This talk had a pair of good speakers who gave an interesting summary of where the world's governments currently stand in the net neutrality debate.
The Matter of Heartbleed / Heartache and Heartbleed: The Insider's perspective on the aftermath of Heartbleed
These were two half-hour talks back to back. The first gave a very clear summary of what happened and how Heartbleed works. The second speaker was from the large CDN CloudFlare and explained the aftermath of the vulnerability, including the rate at which implementations were patched and the impact of revoking over 100,000 certificates in one day.
Security Analysis of a Full-Body X-Ray Scanner
This one was a really great talk; it was both informative and extremely entertaining. It gave an interesting look into the safety, security and effectiveness of the TSA body scanners and demonstrated how poorly they actually prevent weapons from being smuggled past security checkpoints.
What Ever Happened to Nuclear Weapons?
This talk was a very informative history lesson about nuclear weapons, how they work, and their development and regulation over the last 60 years.
The Perl Jam: Exploiting a 20 Year-old Vulnerability
Just as a disclaimer, if you absolutely love the Perl programming language then you might not enjoy this talk. It was a very entertaining critique of Perl, including an interesting walkthrough of surprisingly easy vulnerabilities in many pieces of Perl code which have existed undetected for the last 20 years.
Ich sehe, also bin ich ... du
This was a very interesting talk and is worth a view if you can understand German. This was the talk which was mentioned widely in the news. The speaker demonstrates how weak the security provided by biometrics really is, and even goes as far as capturing a fingerprint of the German Defense Minister from a photograph.
Just as a foreword to the worst talks, one interesting pattern we noticed is that the talks in the room "Saal 6" on the ground floor were fairly consistently of lower quality than the others. This may be a detail worth keeping in mind for future congresses.
This was the talk which directly followed the opening speech of the CCC. It was given by one of the members of the band Atari Teenage Riot. He said a few interesting and smart things, but it took an extremely long time before it even became clear how the talk was at all related to the theme of the CCC. Basically the topic was civil disobedience and hacktivism. The talk included quite a lot of shameless self-promotion.
The Lightning Talks
These weren't really bad, just very disappointing. We were expecting interesting 15-20 minute talks (like TED talks), but they were actually 5 minute talks which were mostly just a quick sales pitch for an idea or a summary of a project.
Long War Tactics
It was difficult to see what the actual main topic of this talk was. It seemed like a random collection of statements and complaints about politics.
Open-BCI DIY - Neuroscience Maker-Art Mind-Hacking
This talk was pretty ridiculous, although at least somewhat entertaining. Basically it was a talk about brain-computer interfaces which use EEG. There was even some mention of how they can be used to send electrical signals to certain parts of the brain as positive reinforcement, which the main speaker appears to have done possibly a bit too often (watch and you'll get what I mean). The main speaker began by doing some sort of tai chi towards the audience, and at one point while one of his partners was speaking he sat down in the centre of the stage and meditated. I also recall some mention of the military possessing technology which can read your dreams...
Paypals War on Terror
This talk was infuriating. It was basically a couple of punks claiming "the government is so bad for prosecuting us for causing millions of dollars in damage and committing a crime". Basically, they and other members of Anonymous were upset because financial institutions such as PayPal refused to process transfers to Wikileaks. They then apparently DDoS'd PayPal and cost it money by other means such as sending "black faxes" (sending a black piece of paper to a fax machine). The pair on the stage ended up receiving very large fines from the government and wanted donations from the audience to help pay them off (which people seemed eager to give for some reason). It was ridiculous that they were actually treated as heroes. At this point we felt very much that we did not fit in with this group.
Overall, we had a good time at the conference even though we found many aspects of it somewhat disappointing and felt we didn't really fit into the demographic. If you're an active member of the CCC, a fan of hackerspaces in general, or have strong anti-government / hacktivist / civil disobedience feelings, then the Chaos Communications Congress is probably perfect for you. However, we would not recommend it as a professional or business conference. For those who are primarily interested in the talks, it may or may not be worth attending depending on whether or not you're comfortable streaming them rather than seeing them in person.
For those interested, here are a few more photos from the conference: