From December 27 to 30 the 35c3 took place in Leipzig. 35c3 stands for the 35th Chaos Communication Congress organized by the Chaos Computer Club (CCC), one of the oldest and most famous organisations of computer enthusiasts and security experts. During four days (and nights!), hackers and makers from across the world gathered in the cold but beautiful city of Leipzig. Check the 35c3 blog for more!
This con was the fourth one I attended since I started my PhD and I must say I was very impressed! Impressed by the thorough and precise organisation that made it possible to welcome more than 16’000 persons, but also impressed by how “chaotic” it was at the same time – chaotic in terms of openness, dynamism and unpredictability. I was also very much impressed by the boiling atmosphere even though I, as an outsider, might have experienced just a very little aspect of this constant improvisation!
I also deeply appreciated how inclusive and open-minded the event was, not only for economical aspects (you can choose yourself the price of your tickets and this ticket was also a 4-day pass for public transportation in Leipzig), but also and especially regarding people, knowledge and ideas. I did not have the feeling that it was a place for experts and experts only. Rather, anyone interested was welcome to participate to the discussions. I am a living piece of evidence of this: I found very easy to get in touch with people, from eminent professors to deeply engaged hacktivists – and even another fellow anthropologist!
In addition to the four main conference rooms, there were a dozen of smaller ones – sometimes even improvised – in the two main halls where hackerspaces and other organisations had installed their stuff. There were a lot of events not planned on the initial programme on a wide bunch of topics, from the presentation of new linux distributions to alternatives to commercial softwares and lock picking workshops. There was also the “freedom passage” where you would find the booths of many organizations such as Amnesty International, Edri (for European Digital Rights), the Free Software Foundation Europe, or the Swiss Digitale Gesellschaft. There were places to party, places to rest in a hammock, places to eat and drink, places for children to play with blocs (lego) and sandbox (among others), even a sauna! As you can see, the 35c3 was not solely about computers, it was about meeting others, creating stuff, learning from one another, and above all, as the moto says, being excellent with each other.
Finally, I have to say that I was really impressed by the quality of the presentations, the diversity of topics and the performances of the speakers – and almost all were translated live into English, German and French by polyglot angels! You could learn about so many different topics, from hardware and making to scientific experiments and space operations, from security issues to resilience, from politics to ethics and society. Check media.ccc.de, you’ll be very surprised!
What did I get from these presentations? Well, I appreciated the fact that there were general presentations that helped me to understand for example what were the most relevant security issues of 2018, how the Internet or DNS work, or how I could possibly retain some of my privacy. These talks were targeted to people with no specifically deep technical knowledge and were both pedagogical and somehow engaged. Just to give an example, here’s a quotation from the very informative presentation of Peter Stuge:
Peter Stuge, How does the Internet work?
“We don’t experience the network itself very much, right? We experience services that we use […]. I think it is dangerous to not talk a little bit about the network and to think about the network, and to actually fight for a public network, that is available to all and equal also, neutral. If we focus on the service providers alone, then they are going to be deciding what we can do with the network.”
But there were also great, in-depth and nevertheless not less pedagogical presentations about some big and frightened vulnerabilities. For example, Thomas Roth, Dmitry Nedospasov and Josh Datko publicly disclosed how they hacked popular cryptocurrency hardware wallets which were supposedly the most secure way to store cryptographic keys. I also enjoyed the performance with unique staging and scenario of Daniel Gruss and his team about Spectre and Meltdown, a series of serious vulnerabilities in Intel processors. I was also very impressed by the presentation of Sebastian Schinzel about eFail, a vulnerability in the email encryption protocols OpenPGP and S/MIME. Besides his findings, he also discussed the issues his team faced during the responsible disclosure process and why it went so badly, which was quite relevant for our project.
In the three cases, I find very interesting to think about how security is presented and experienced: in the first instance, the speakers apologized several times while saying that we must stop holding on to the belief that hardware wallets are secure. You might have thought that you were doing well with these hardware wallets, but you were not: they broke them. In other words, the speakers proved that the discourses of the vendors and the community were not true by showing concretely why. In the case of the Spectre and Meltdown vulnerabilities, the construction of insecurity seems to be slightly more complex since the flip side of security is not insecurity, but performance: performance undermines security but there is a fix: rethinking the trade-off between speed and security. The last example shows another aspect of insecurity. Showing a demo of a S/MIME attack in a recent Thunderbird client, Sebastian Schinzel said:
We require a little bit of user interaction, but we can basically change an S/MIME cyphertext in a way that it will contain links and when you click on a single link, you will loose your plain text. It’s just a single click on it. And the thing here is, … this is not a zero-day in a mail client, you just can do anything about it! That’s the problem.
Sebastian Schinzel, Attacking end-to-end email encryption
What can you do when there is no solution except avoiding using email at all? Well, being aware of these flaws, and use a very systematic (and tedious) approach to PGP email by not decrypting in a mail client, as advised by Edward Snowden.
So, what does exactly security mean? A beginning of an answer was given by FJW and Lukas in their great but quite technical (at least for me) presentation on provable security. They described three security levels where they distinguished computational security (where brute-force is possible), statistical security (where bad luck can break the scheme) and perfect security (which obviously won’t break) and said that backdoor could possibly be the solution to reach perfect security. I know – and apologize to them for that – that I am not honoring their very well developed argument by just saying this, but my point is that security is definitely paradoxical.