33C3 notes & keywords part 2

posted Feb 25, 2017, 11:15 PM by Sami Lehtinen   [ updated Feb 25, 2017, 11:16 PM ]
Watched more talks...

So much bad 'secure' code. You shouldn't expect much from normal programs, hehe.
Bootstrapping a slightly more secure laptop - Amazing talk about how deep exploits and malware go in the hardware. As expected, current systems are littered with different serious attack vectors.
Law Enforcement Are Hacking the Planet - Yep, USA can 'legally' hack any computer, anywhere. Let's watch the World Police again! As well as they can decoy sites, while committing actual serious crimes while doing it. It also makes it very clear that there's no "cyber virtual world", it's actually very real and physical.
Shut Up and Take My Money! - This pretty much proves the point I've been raising repeatedly. As long as user authentication sucks, there's no way to make things secure. Almost all 2FA schemes I've seen are more or less bad. Good ones are extremely rare. It's not ok to give a generic authentication token. It's just as stupid as using a static password. The token should naturally be 'command / action' specific at a specific time. Aka a cryptographic signature for that particular transaction now. Otherwise the user can 'authorize' anything at all, without even knowing it. Most 2FA schemes are just like 'signing a blank contract'. Fill in whatever you want to later. - Real-time Transaction Manipulation and user / automation system misleading is very real and works great. Awesome talk, no hammering protection, trivial brute force attacks in minutes etc. Totally laughably fun talk, I mean in terms of security fails. But the truth is that security is usually totally amazingly bad. "Banking by design", laughable security. Hahaha. I'm clapping too, great! N26 Security. The only amazing thing is that when the issues were reported, they seemed to understand that there is a problem. Often they don't. Which makes it even more fun. This was an absolutely great talk.
Pegasus internals - Neat espionage software payload, vulnerabilities and exploits. Kernel exploit on each boot.
A Data Point Walks Into a Bar - Wonderful talk about data visualizations. Data driven design.
Make the Internet Neutral Again - EU net neutrality rules and laws. Hmm, I don't know if zero rating is a real problem. I can see many benefits for it too. These are complex questions. European commission regulation.
Untrusting the CPU - Secure Access Module (SAM) -
What's It Doing Now? - The Role of Automation Dependency in Aviation Accidents - Interesting talk, how systems can confuse, disinform and mislead users.
Dieselgate – A year later - Interesting talk about Volkswagen and court cases & differences between American (US) and European (EU, Germany) justice systems. Europe lacks class action lawsuits.
Make Wi-Fi fast again - Nice talk, 802.11n comparison included. Beam forming, QAM, BPSK, QPSK. Multi-User MIMO (MU-MIMO). Beam forming. Phased Array Antenna. Multiple data streams. Measuring Radio Channel. Limited WiFi / WLAN bandwidth. 80 & 160 MHz channel widths basically unavailable.
Lockpicking in the IoT - Bluetooth Low-Energy (BLE / BTLE) might be dangerous. - Security hardware & software is ridiculous. So full of absolutely laughable fails. I love talks which really make you laugh. Because security is just so laughable. Nothing new. But the BTLE button pusher made me laugh. It's an "IoT" kit for any device with button(s) to make it IoT and Internet compatible. Decompiling applications. Downloading firmware. Modifying firmware, hacking locks. Totally awesome talk. Hard coded fixed encryption keys. That 8 months to fix simple issues, typical. Laugh! And the final magnet part, omfg and lulz rotfl. Great, that's just great. Really loved this talk. The NDA comments were really true too. Why do they want to ship shitty vulnerable products? How about fixing those and not worrying about someone spilling the secret sauce?
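
The 'signing a blank contract' point from the Shut Up and Take My Money! notes above, as an added example (not from the talk or from any bank's code): a time-only code is accepted no matter what transfer it ends up attached to, while a code computed over payee, amount and time window fails when the transfer is altered. A shared-key HMAC stands in for the signature; the key, account labels, amounts, 30-second window and all function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per validity window (assumed value)


def generic_code(key: bytes, now: int) -> str:
    """Time-only code: carries no information about what is being approved."""
    msg = struct.pack(">Q", now // STEP)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def transaction_code(key: bytes, now: int, payee: str, cents: int) -> str:
    """Code bound to payee, amount and the current time window."""
    p = payee.encode()
    # Length-prefix the payee so field boundaries cannot be shifted.
    msg = struct.pack(">QI", now // STEP, len(p)) + p + struct.pack(">Q", cents)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def server_accepts_generic(key: bytes, now: int, code: str) -> bool:
    # The server can only check "some valid code for this window".
    return hmac.compare_digest(generic_code(key, now), code)


def server_accepts_bound(key: bytes, now: int, payee: str, cents: int,
                         code: str) -> bool:
    # The server recomputes over the transfer it actually received.
    expected = transaction_code(key, now, payee, cents)
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    key = b"constructed-demo-key"      # constructed sample secret
    now = 1_488_000_000                # constructed timestamp
    shown = ("ACCOUNT-A", 5_000)       # what the user saw and approved
    received = ("ACCOUNT-B", 950_000)  # what reached the server after tampering
    g = generic_code(key, now)
    t = transaction_code(key, now, *shown)
    return {
        "generic_accepts_tampered": server_accepts_generic(key, now, g),
        "bound_accepts_tampered": server_accepts_bound(key, now, *received, t),
        "bound_accepts_intended": server_accepts_bound(key, now, *shown, t),
        "bound_accepts_replay": server_accepts_bound(key, now + STEP, *shown, t),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The binding only helps if the device that computes the code also shows the payee and amount on its own display, independent of the channel that may have been manipulated.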

There will be more stuff later, on subsequent posts.