[35C3 Intro music]

Herald: Welcome to the next talk "You Can Hack Everything - Just Don't Get Caught". Quick survey: How many of you have found a security loophole and thought: "Oh shit, if I tell someone then I am in deep that could cause problems?" Put your hands up. Who does that apply to?

Interjection from the audience: Camera off

[Laughter]

Herald: Another question: How many of you would like to find a security loophole, hands up. [Laughter] Alright, I hereby declare you all concerned parties and this talk relevant for you, because many hackers are at some point in their career confronted with this problem or are in the situation where they have found something or got into something or ran into it and know that if the people affected in this architecture that they are inside get wind of it, then there will be trouble, it will really stir up discontent. And this talk is about which worst case scenarios could be in store for you, how to deal with it and best of all, how to not let yourself get caught. And our speakers, Linus Neumann and Thorsten Schröder, are experts in IT security. You probably know them from the PC-Wahl hack. They found security vulnerabilities in the Bundestag voting software, it's a very recommendable episode. Alright, I'm talking rubbish, nevertheless I recommend the logbuch-netzpolitik.org episode. It's really worth a listen, especially number 228 "Interessierte Bürger". Now give a round of applause for Linus Neumann and Thorsten Schröder, have fun.

[Applause]

Linus Neumann: Thank you all for being here. Thank you very much for the warm welcome. I also liked how a few of you have already done your first OpSec fail and outed yourself at the beginning. We have never hacked anything, we have nothing to do with it. Our short talk is about the topic everyone is talking about, hacking.
We're seeing over the years that many fine, young hackers are ending up in prison and there are a lot of risks that come with hacking as a sport and spoil its enjoyment, for example something like house searches, broken down doors, high legal fees. This doesn't have to be. It's worth maybe thinking about how you can continue as free agents. Because we know that hackers are free agents, like artists, that get up in the morning and when they are in the mood, they sit down and paint their pictures. And we want you to be able to paint a lot more beautiful pictures. The key: OpSec. And that's what we want to talk to you about today. OpSec is actually easy to summarise, here by the way... beautiful, beautiful... beautiful teaching material again from Russia, it seems to be on their minds for some reason. Let's start with a perfectly normal, the first computer worm: Pride comes before a fall, that is one of the most important teachings in your operational security. Because showing off and cockiness will get you into trouble. And we have known this since computer worms have existed. The first big computer worm that became so international and incapacitated half of the internet was the Morris worm, that exploited weak points in Sendmail, Finger, Remote SH and a few weak passwords, in order to spread itself, so a computer worm. This led to the internet outage of 1988. And you're probably asking yourselves: Why is the worm called the Morris worm? Well, because the creator was very proud of his worm and liked telling everybody how it worked. At one point he was even at Harvard University, standing on the table, preaching about how his worm worked in full detail. It was also obvious that the original infection started there, he told everybody about it. At one point someone told a journalist and he had to admit it. He got the worm to be named after him to this day.
But also he got 3 years probation, 400 hours social work and a 10,000 dollar fine. Without his need for admiration, he could have possibly been spared. But not only hackers have a small problem with operational security and a need for admiration, but also bank robbers. And here we have a young man, who has robbed a bank. And what do you do when you have experienced something exciting, and raked in a lot of money: a selfie of course. Yeah. If that's not enough, you can also take another selfie. [Laughter] Or the accomplice. And also food. And then you quickly go to Instajail. And you might think, that was a one off, no, you think: OK, nobody can actually be that stupid, but when you look on the internet, you really don't need long to find experts posting pictures like this. And it always ends the same way: Here is the young man with, he must have really awful teeth, they're already all gold, they were convicted, because they bragged about having money on Facebook. Now, if we look at the pioneers of car hacking, we have in principle the same phenomenon. It must be added that the first ventures in car hacking were more of an analogue nature and more brute force. And the pioneers in this area were also these two young men, who managed a really big hack, that is, breaking in the windscreen. They stole 5,000 dollars and an iPad from a truck. And what is the first thing you do, when you have an iPad: Well, first go to Burger King, because they have WiFi. And play around a bit with the iPad. And then they noticed: Hey, awesome, you can make videos with this.

[Video is played] ... This is my brother Dylan... This... good night's hustle

L: And because they had connected to the WiFi in Burger King with this stolen iPad, that happened, what had to happen... [Laughter]

L: And the owner of the vehicle then handed the video over to the police and the police said, they're actually already wanted. And they took care of the young men.

Thorsten Schröder: But let's get back to the computer hacking corner, that we actually wanted to talk about today, now we have taken a short trip to the analogue world. What could go wrong if you, as an interested surfer, played around on online shopping portals?