[Intro Music] Engel: Good morning, Linus! Linus: Good morning, Sebastian! [Applause] I'm glad you showed up in such numbers and fell for this baiting title! I want to talk about human factors in IT security and chose "Hacking Brains" as the title. The background to this is the fact that when you talk about "hackers", most people think of demigods in black. Nobody really knows what they are doing, but those hackers get into my device somehow, and I don't know what they want from me or how they did it. And the reality out there is typically pretty different from what most people imagine. I stand firm in the belief that basically all relevant problems in IT security have been solved in theory. So we don't... we don't lack the knowledge of solutions for particular problems, but we still can't make it work. Even though we've solved everything theoretically, actual IT security is a disaster. And that's most likely because we build some fascinating IT mechanisms and we test them. As we can see, this pole encloses some animal now, but if we observe it in reality, it looks more like this... [audience laughing] [someone singing "Einzug der Gladiatoren"] That's only a small threat, and somehow we imagine that it will be different with bigger threats. Let's have a look: we read about Emotet everywhere. Hackers compromise PCs, encrypt all the data, demand a lot of ransom, and Heise covered it a lot, until they got hit by it themselves. [laughter] That means even those who really should have known better are still affected by it, and I think that's pretty interesting. And if we have a look at what happens in IT security research, even here at this congress, which is why I submitted this talk: the research has to be avant-garde. It's like big applause and voodoo, and another exploit there and whatever, and remote code execution, while the reality on the other hand, what actually happens out there, is actually more like this. Am I in already?
This means we basically live... because we as hackers and nerds find it interesting, we live like in this world, while the real crime that happens outside looks more like this! Sleight of hand. And these sleights of hand are not addressed or solved! And I think that's kind of counterproductive or bad, that we don't care about those problem fields which prevail and are seen everywhere, even at the "Heise" publishing company, that we don't address them. And we haven't made any progress on that front for years. I want to talk a bit about easy scams, a bit about password issues, a little about malware.

A scam that amused even us at the CCC is the scam by the Chaos-Hacking-Group. They sent e-mails that said: "Yeah, I have compromised your system with a trojan and we are aware of your adventures on the internet. We know that you love adult sites and know about your sex addiction." And they try to blackmail those people. Provide a Bitcoin wallet and, yeah, try to blackmail people. Interestingly, there are people that are really concerned. They deny everything! Obviously this isn't true at all and there's just no truth to any of it. When you're practiced in blackmailing, you know: don't pay anything until proof is provided. When people then try to inform themselves and google it, they land here immediately. When you google "Chaos-CC group", then some random websites explain that it's a trojan and you should download the next malware. Basically, how to remove this damage. That means people are getting out of the frying pan into the fire. "Haha, you want to get fooled? There, I've got another one for you." That means the world outside is relatively dangerous for our unknowing users. Let's have a look at how this looks when done by experienced folks. The Linux kernel mailing list is known to a bunch of you. There recently was an e-mail on the 31st of October, so a while ago.
They even provided the password, yeah, that's the next-level scam: you just include some password leak with it and folks will get their pulses racing, because their password is written in the mail, and as before they wanted Bitcoins, amongst other things, from the kernel devs themselves. Bitcoin is pretty nice: you can have a look in the blockchain and see how much the devs paid. In this wallet are 2.98 Bitcoin, which was about 19000€ some days ago. There are still people out there claiming you can't make a profit on Linux. [laughter] [applause] This e-mail was sent to many, many more people outside the kernel list, but I think you get my point, and ask yourself: why do we even do all the stuff we do, when we could easily get people to send us their money with some spam mails?

But there's more: transfer money, the classic! The CEO fraud. Big topic. This is one of the big scenarios that mid-size and big companies are exposed to. You get a mail where it states: "Hey, we need to pay those bills! It has to happen TODAY." Most of the time it's small amounts that get overlooked, but it can also be a lot worse. It has actually happened pretty often already, with a story like: "Yeah, the big deal with the Chinese is almost through and you mustn't talk to anybody about it, but you have to transfer 2 million to the Seychelles", and then folks do that. Those mails work a little with authority, trust, haste and pressure, and guide people to do what they shouldn't. This might sound funny at first, but when you talk to someone who fell for it, they are really rattled, because they know that it wasn't smart and was damaging for the company. And that's not that entertaining anymore. :(

Let's get back to entertaining stuff: authentication. A thing that many folks have problems with is their password, and the problem is that they only have one, and it lingers in such a collection. You and everyone has them, and you can look up your passwords, i.e.
23bonobo42, Tim Pritlove, and so on. The beauty of these lists: even WE, who should know better, are in those lists. When you enter my e-mail address in "haveibeenpwned", a website where you can check if you've been included in a leak, you can also find ME. So, I will explain how that might have happened. The thing that makes me furious about this is that since there have been computers, we have never really done anything against this password problem. We tell people: OK, your password shouldn't be guessable, best case random, without any system. It should be as long as possible, best case not a word. And it should be different everywhere. And NOBODY does that. Recently I went to the dentist, and when you talk with him, he's always like: "Yeah, floss morning, lunch, evening, and every time," and so on. "Yeah, yeah, first you change all your passwords and then we can talk about that." [laughter] [applause] And yeah, I've done that.