36C3 Resource Exhaustion Talks

All talks @ 36C3: Resource Exhaustion can be found here.

Following talks I did choose to listen and watch:

• What's left for private messaging? - A really great talk - kw: Secure Messaging, Identity Adversaries & Threats, Existing Mechanisms, Remaining Challenges, Encryption, Message Expiry, Isolation, Models: [ Centralized, Federated, Decentralized ], Ricochet and Tox.chat mentioned, Encryption: [ Unencrypted (cleartext), Transport Encryption (TLS), End to End Encryption (E2EE, Signal Protocol (Double Ratchet Algorithm (previously Axolotl Ratchet), Off-The-Record (OTR), OMEMO) ], Connecting, Keybase, Trust-On-First-Use (TOFU), Pond / Password-authenticated key agreement, Deniability, Forward Secrecy, Tinfoil Chat, Traffic Obfuscation (Domain Fronting, DNS tunnels), Padding, Phonotactic Reconstruction, Metadata attacks (timing, activity, confirmation, intersection attacks), Server Hardening, Link-ability, Mix Network, Katzenpost, Tor (low latency), Private Information Retrieval, Multiparty, Leaked Correlation, Cwtch, Riot, Identity Management - After all good stuff, but nothing new, let's hope the OTR4 talk is deeper. - But yeah, great talker Will Scott as well. - Thank you!
• What the World can learn from Hong Kong - Nice talk, lot's of nice privacy, organizing and protesting tips.
• PSD2 - Sounds like typical IT project. As expected, it's a really complex mess. kw: FinAPI, API, integration, banking, EU
• Security Nightmaers 0x14 - Responsible Encryption, smile. Review of security issues in 2019 and previous years.
• Boeing 737MAX: Automated Crashes - Nice talk, even if this subject has been covered in so many tech nerd articles. kw: 737 MAX, MCAS, engineering, software, fail
• SIM card technology from A-Z - kw: ISO7816, APDU, TPDU, ADF, IMS, SIM, UICC, USIM, ISOM, eSIM, Secure Core, SIM Card OS, Java, STK / CAT, OTA, MVNOs
• Energy storage of today for the energy of tomorrow - kw: Li-ion, Battery technology, Hydrogen, Renewable Energy, etc
• The KGB Hack: 30 Years Later - Some classic hacking history...
• How (not) to build autonomous robots - This is hopefully going to be entertaining. Robot thief was fun stuff. Hardware manufacturing in China part was interesting. Yet, noting special after all.
• Open Source is Insufficient to Solve Trust Problems in Hardware - TOCTOU problem, Supply Chain, Chip-on-Chip implants, Wirebonded Implants, Through-Silicon Via, WLCSP, Chip modification attacks, IC Fab Attack Surfaces. Brings me to the classic question: Do you trust this computer? Can it keep a secret? Verifiable Hardware. User-generated keys that are hard to extract. Secrets in hardware can be extracted. Using layer seals and inspectable tamper barriers.
• The Internet of rubbish things and bodies - Nothing really worth of mentioning.
• Technical aspects of the surveillance in and around the Ecuadorian embassy in London - This should be super interesting, if they've done good job. Countering counter measures <3, inspecting and photographing everything, checking all items for cavities for extra items, using white noise generators. It was interesting. So if you talk secrets next to your coffee mug, don't wonder if agents rush in. Intimidation, targetting, we're watching you and other basic concepts. Paranoia or just good situational awareness.
• All wireless communication stacks are equally broken - Not watched yet, watch next. kw: NFC, Bluetooth, connection forwarding, NFCGate, Fuzzing, Frankenstain, Wi-Fi.
• SELECT code_execution FROM * USING SQLite; - SQLite3 exploits, CTF, query hijacking, WebSQL attacks, FTS (Full Text Search), Virtual tables, Query Oriented Programming (QOP), Libsqlite leak, Heap leak, Creating pointers, Pointer packing, Faking objects, Ceating tokenizer function, Heap spray, QOP chaining, "QOP.py", iOS persistency, Whoa, this talk was really awesome. - Thank you @GullOmer
• Harry Potter and the Not-So-Smart Proxy War - This talk wasn't so interesting after all.
• 36C6 infrastructure review - Lot's of fun and geeky stuff. 2.4 GHz RIP, 26 GHz 802.11ay would be perfect for situations like 36C3. DECT and mobile networks were great. Seems that nerds can consume some power. Ah, sustainability discussion, ok. Great.
• The Large Hadron Collider Infrastructure Talk - Engineering talk, Circular Particle Collider 101, Proton Synchrotron Booster (PSB) (I guess I would like to have one), CCC CERN Control Center (using Linux, All software is open source). This is great talk. I love it. Focusing using magnets, Superdocuctivity, Cryogenics, 1.4 degree tilt, that's interesting. Haven't seen that mentioned earlier. Klystrons, Timing and timing distribution, Turbomolecular pumps, Cryopumping, Synchrotron radiation, Collimation and halo particles, position monitoring per beam and bunch tracking, Beam profile measurement (Transversal, Longitudinal), Beam loss monitoring, ionization chambers, beam dump. Haha, Q&A section was great, "do you often use the big red master shutdown button", and "is it's possible to use particle beam as a weapon".
• Infrastructure of Wikipedia - All software is open source. 2 data centers, 3 caching points and 100k-200k reqs/sec. MediaWiki. Application Layer caches (Redis, Memcached, Parsercache, mcrouter, nutcracker, OPCACHE, APCu, Casandra). Services: Thumbor, Mathoid, ORES, Mobile Content Service (MCS), and many more they said. Queueing using Apache Kafka. Databases using MariaDB, master and several replicas, Elasticsearch used for search and used by Search Platform team. Media storage using Swift. LVS Linux loadbalancer and managed using LVS. Own CDN using NGINX- for TLS termination, two layers of Varnish frontend + Varnish backend in front of the application layer. Soon going to replace NGINX with ATS. Cache invalidation complexity. Wikimedia Cloud Services (what?!?), OpenStack and Toolforge using Kubernets. See: - WikiTech - https://wikitech.wikimedia.org/wiki/Main_Page -.
• Ref: 36C6 talks

2020-04-12