35C3 Intro music
Herald:
Welcome to the next talk
"You Can Hack Everything -
Just Don't Get Caught".
Quick survey:
How many of you
have found a security loophole
and thought:
"Oh shit, if I tell someone
then I am in deep
that could cause problems?"
Put your hands up
Who does that apply to?
Interjection from the audience: Camera off
Laughter
Herald: Another question: How many of you
would like to find a security
loophole, hands up
Laughter
Alright, I hereby declare you all
concerned parties and this talk
relevant for you, because many hackers
are at some point in their career
confronted with this problem or
are in the situation where they
have found something or got into
something or ran into it
and know that if the people affected
in this architecture that they are inside
get wind of it, then there will be trouble
it will really stir up discontent.
And this talk is about
which worst case scenarios could be
in store for you, how to deal with it and
best of all, how to not let yourself
get caught. And our speakers,
Linus Neumann and Thorsten Schröder, are
experts in IT security. You probably
know them from the PC-Wahl hack.
They found security vulnerabilities
in the Bundestag voting software,
it's a very recommendable episode.
Alright, I'm talking rubbish,
nevertheless I recommend the
logbuch-netzpolitik.org episode.
It's really worth a listen,
especially number 228
"Interessierte Bürger". Now give
a round of applause for Linus
Neumann and Thorsten Schröder, have fun
Applause
Linus Neumann: Thank you all
for being here. Thank you very much for
the warm welcome. I also liked how
a few of you have already done your
first OpSec fail and outed yourself
at the beginning. We have never
hacked anything, we have nothing
to do with it. Our short talk is about
the topic everyone is talking about,
hacking. We're seeing over the years that
many fine, young hackers are ending up
in prison and there are a lot of risks
that come with hacking as a sport
and spoil its enjoyment
for example something like house searches
broken down doors, high legal fees,
this doesn't have to be. It's worth maybe
thinking about how you can continue
as free agents.
Because we know that hackers are
free agents, like artists, that get up
in the morning and when they
are in the mood, they sit down
and paint their pictures. And we want
you to be able to paint a lot more
beautiful pictures. The key: OpSec
And that's what we want to
talk to you about today.
Opsec is actually
easy to summarise,
here by the way...
beautiful, beautiful...
beautiful teaching material again
from Russia, it seems to be on their minds
for some reason. Let's start with a
perfectly normal, the first computer worm:
Pride comes before a fall,
that is one of the most important
teachings in your operational security
Because showing off and cockiness
will get you into trouble. And we have
known this since computer worms have
existed. The first big computer worm
that became so international
and incapacitated half of the internet
was the Morris worm,
that exploited weak points in
Sendmail, Finger, Remote SH and a few
weak passwords, in order to
spread itself, so a computer worm.
This led to the internet outage
of 1988. And you're probably asking
yourselves: Why is the worm called
the Morris worm? Well, because the
creator was very proud of his worm
and liked telling everybody how it worked.
At one point he was even
at Harvard University, standing on the
table, preaching about how his worm
worked in full detail.
It was also obvious that
the original infection started there,
he told everybody about it.
At one point someone told a journalist
and he had to admit it. He got the
worm to be named after him to this day.
But also he got
3 years probation, 400 hours social work
and a 10,000 dollar fine, without
his need for admiration, he could have
possibly been spared. But
not only hackers have a small problem
with operational security and
a need for admiration, but also
bank robbers. And here we have a
young man, who has robbed a bank.
And what do you do when you have
experienced something exciting, and raked
in a lot of money: a selfie of course.
Yeah. If that's not enough, you can also
take another selfie.
Laughter
Or the accomplice. And also food. And then
you quickly go to Instajail. And
you might think, that was a one off,
no, you think: OK, nobody can actually
be that stupid, but when you
look on the internet, you really don't
need long to find experts
posting pictures like this. And
it always ends the same way: Here is
the young man with, he must have
really awful teeth, they're already
all gold, they were convicted,
because they bragged about
having money on Facebook.
Now, if we look at the pioneers
of car hacking, we have in principle
the same phenomenon. It must be added
that the first ventures in car hacking
were more of an analogue nature
and more brute force. And the pioneers in
this area were also these two
young men, who managed a really big hack,
that is breaking in the windscreen.
They stole 5,000 dollars and an iPad
from a truck.
And what is the first thing you do, when
you have an iPad: Well, first go to
Burger King, because they have WiFi.
And play around a bit with the iPad.
And then they noticed: Hey, awesome
you can make videos with this.
[Video is played]
... This is my brother Dylan... This...
good night's hustle
L: And because they had connected
to the WiFi in Burger King with this
stolen iPad, that happened,
what had to happen...
Laughter
L: And the owner of the vehicle then
handed the video over to the police
and the police said, they're
actually already wanted.
And they took care of the young men.
Thorsten Schröder:
But let's get back
to the computer hacking corner, that
we actually wanted to talk about today,
now we have taken a short trip to
the analogue world. What could
go wrong if you, as
an interested surfer, played around
on online shopping portals.