[35C3 intro music]
Herald: Welcome to the next talk, "You Can Hack Everything - Just Don't Get Caught". Quick survey: How many of you have found a security loophole and thought: "Oh shit, if I tell someone then I am in deep, that could cause problems?" Put your hands up. Who does that apply to?
Interjection from the audience: Camera off! [Laughter]
Herald: Another question: How many of you would like to find a security loophole? Hands up. [Laughter] Alright, I hereby declare you all concerned parties and this talk relevant for you, because many hackers are at some point in their career confronted with this problem or are in the situation where they have found something or got into something or ran into it and know that if the people affected in this architecture that they are inside get wind of it, then there will be trouble, it will really stir up discontent. And this talk is about which worst case scenarios could be in store for you, how to deal with it and, best of all, how to not let yourself get caught. And our speakers, Linus Neumann and Thorsten Schröder, are experts in IT security. You probably know them from the PC-Wahl hack. They found security vulnerabilities in the Bundestag voting software, it's a very recommendable episode. Alright, I'm talking rubbish, nevertheless I recommend the logbuch-netzpolitik.org episode. It's really worth a listen, especially number 228, "Interessierte Bürger". Now give a round of applause for Linus Neumann and Thorsten Schröder, have fun! [Applause]
Linus Neumann: Thank you all for being here. Thank you very much for the warm welcome. I also liked how a few of you have already done your first OpSec fail and outed yourself at the beginning. We have never hacked anything, we have nothing to do with it. Our short talk is about the topic everyone is talking about, hacking.
We're seeing over the years that many fine, young hackers are ending up in prison, and there are a lot of risks that come with hacking as a sport and spoil its enjoyment, for example something like house searches, broken-down doors, high legal fees. This doesn't have to be. It's worth maybe thinking about how you can continue as free agents. Because we know that hackers are free agents, like artists, that get up in the morning and, when they are in the mood, they sit down and paint their pictures. And we want you to be able to paint a lot more beautiful pictures. The key: OpSec. And that's what we want to talk to you about today. OpSec is actually easy to summarise, here by the way... beautiful, beautiful... beautiful teaching material again from Russia, it seems to be on their minds for some reason. Let's start with a perfectly normal, the first computer worm: Pride comes before a fall, that is one of the most important teachings in your operational security. Because showing off and cockiness will get you into trouble. And we have known this since computer worms have existed. The first big computer worm that became so international and incapacitated half of the internet was the Morris worm, that exploited weak points in Sendmail, Finger, Remote SH and a few weak passwords, in order to spread itself, so a computer worm. This led to the internet outage of 1988. And you're probably asking yourselves: Why is the worm called the Morris worm? Well, because the creator was very proud of his worm and liked telling everybody how it worked. At one point he was even at Harvard University, standing on the table, preaching about how his worm worked in full detail. It was also obvious that the original infection started there, he told everybody about it. At one point someone told a journalist and he had to admit it. He got the worm to be named after him to this day.
But also he got 3 years probation, 400 hours social work and a 10,000 dollar fine; without his need for admiration, he could have possibly been spared. But not only hackers have a small problem with operational security and a need for admiration, but also bank robbers. And here we have a young man, who has robbed a bank. And what do you do when you have experienced something exciting, and raked in a lot of money: a selfie of course. Yeah. If that's not enough, you can also take another selfie. [Laughter] Or the accomplice. And also food. And then you quickly go to Instajail. And you might think, that was a one off, no, you think: OK, nobody can actually be that stupid, but when you look on the internet, you really don't need long to find experts posting pictures like this. And it always ends the same way: Here is the young man with, he must have really awful teeth, they're already all gold, they were convicted, because they bragged about having money on Facebook. Now, if we look at the pioneers of car hacking, we have in principle the same phenomenon. It must be added that the first ventures in car hacking were more of an analogue nature and more brute force. And the pioneers in this area were also these two young men, who managed a really big hack, that is, breaking in the windscreen. They stole 5,000 dollars and an iPad from a truck. And what is the first thing you do, when you have an iPad: Well, first go to Burger King, because they have WiFi. And play around a bit with the iPad. And then they noticed: Hey, awesome, you can make videos with this.
[Video is played] ... This is my brother Dylan... This... good night's hustle
L: And because they had connected to the WiFi in Burger King with this stolen iPad, that happened, what had to happen... [Laughter]
L: And the owner of the vehicle then handed the video over to the police and the police said, they're actually already wanted. And they took care of the young men.
Thorsten Schröder: But let's get back to the computer hacking corner, that we actually wanted to talk about today, now we have taken a short trip to the analogue world. What could go wrong if you, as an interested surfer, played around on online shopping portals? Next you maybe want to acquire some wares, then you start clicking around in the online shop. Suddenly you slip and click the wrong thing, that happens sometimes, you accidentally somehow enter a wrong signal, and what's important here is: We are talking about a threat level for the hacker, so when you are on the online shopping portal and there your mouse accidentally slips, then you have a certain threat scenario. It of course increases if you have actually entered some strange symbols. You're there probably without an anonymisation service because you wanted to buy something. And now you think: Hmm, I like playing and am curious, I'll activate Tor or something, and will visit this website later with an anonymisation service. And yes, over time you might accidentally find cross-site scripting, the threat level grows gradually, but you've got Tor at the start. The threat level continues to grow, when perhaps you have found a somewhat more critical weakness like an SQL injection. And it continues to grow when you have perhaps also found a remote code execution, then we're already pretty high. So if you got caught now, it would be pretty bad, because you've already proved that you didn't directly go to the portal after having found an XSS exploit or another trivial weak point and told them about it. Well, what happens then, when you continue rummaging around? Depends what you're looking for. Maybe you also find a few credit cards. Now we're on a really high threat level, and it quickly sinks because... it becomes more relaxed. You don't need to be scared anymore about ever getting caught again for this hack. Yes, why would anyone get caught there? Because I thought of OpSec much too late.
At the moment where I slipped with the mouse, I should have basically already had an anonymisation service, some kind of Tor service or something, right at the start, because at the moment where the portal provider realises that something happened, they'll just look and see: Alright, we'll follow this back, it's a Tor session, bad, but at some point they come across this case where you said "oops". And then they will find you.
L: It actually happens quite a lot that people are like: Oh, look, I found something and now I'll go to Tor. No, guys, it's too late, you have to do it beforehand.
T: Sorry, if you notice something like that, you can of course think about what the data protection regulation looks like, then you can look at what kind of data protection guidelines they have, some companies tell you how long they keep your logfiles