36C3 Day 1 – Highlights from the 36th Chaos Communication Congress



The Christmas rush is over and the New Year is already waiting to begin. But the last highlight of the decade has only just begun. From December 27th to 30th, the Chaos Computer Club (CCC) is hosting the Chaos Communication Congress for the 36th time (36C3), with this year’s theme “Resource Exhaustion”. Once again, thousands of hackers and IT enthusiasts have gathered at the Leipzig Messegelände (exhibition centre) to exchange thoughts on the latest topics of the scene. However, socio-critical and political presentations are also strongly represented. In addition to the wide range of talks, there are once again numerous workshops and self-organised sessions to choose from, offering visitors four days of pure entertainment.

I’ll summarize my personal experiences and absolute highlights of the individual Congress days in this series of blog posts.

Full House at 36C3

“Fairydust” at 36C3

The Chaos Communication Camp, which only takes place every four years, has already swallowed up many of the available resources this summer. That is why the unofficial motto of the Congress this time is rather “Copy & Paste”. Compared to last year, not much has changed and both the organization and the set-up are based on last year’s proven concepts – which should not be seen as criticism. On the contrary: it is remarkable that despite the short preparation time, such a spectacular event was once again successfully put together. During the summer there was still a discussion about whether it would not be more reasonable to skip the Congress this year completely. However, the sold-out ticket contingent and the 17,000 expected visitors demonstrate that the motivation of the hackers was greater at the end of the day.

Assange, Bugs and Cats

Right on the first day, many of the presentations made a big splash in the German media landscape. Andy Müller-Maguhn, former spokesperson of the CCC, explained in “Technical aspects of the surveillance in and around the Ecuadorian embassy in London” the technical background to the surveillance of Julian Assange in the Ecuadorian embassy. At that time, the company Undercover Global S.L. was contracted to provide security for Assange. But according to Müller-Maguhn, David Morales, the head of the company, took a bribe from the American security agency CIA in the form of a monthly salary of 200,000 US dollars. As a result, cameras throughout the embassy were equipped with additional microphones and bugs were installed. To bypass the noise generators used by Assange, laser microphones were also used in combination with special films in the window panes.

In the end, apart from a few clips of Assange’s cat, there isn’t much more left in the room than pessimism. In Müller-Maguhn’s view, the fight against the CIA’s budget is similar to David’s fight against Goliath. Even encrypted emails, noise generators and special crypto cell phones do not seem to offer a comprehensive solution.

No Patient is Safe

The day continued spectacularly with “Hacker hin oder her: Die elektronische Patientenakte kommt!” (Hacker or not: The electronic patient record is coming!). Martin Tschirsich, Christian Brodowski and the expert for identity management, André Zilch, demonstrated in their presentation that there are still massive data security problems ahead of the introduction of the electronic patient record planned for 2021. In the end, almost 170,000 doctors are expected to use the new telematics infrastructure. Any access to patient records will be secured by a cryptographic identity check. Brodowski, however, managed to obtain one of the necessary ID cards in an almost stupidly easy way. Using publicly available data and the doctor’s date of birth, he was able to have one of the cards for proof of identity delivered to his address. Afterwards, the new ID card provides unrestricted access to all patient data.

Similarly, the team were able to compromise the “Heilberufsausweise” (health professional cards). The security researchers also succeeded in identifying further serious vulnerabilities in the IT infrastructure surrounding the electronic patient records. Based on the current results, however, the CCC considers the mitigation of all problems by 2021 to be unrealistic. Germany’s national news agencies (e.g. Tagesschau) reported on this issue on the same evening.

I see smart People

In addition, my other personal highlights of the day were:

In the evening, my legs and back are already complaining like I’d run a half-marathon. For me the first day ended nicely with a cool Tschunk, the Hacker Jeopardy, and a cuddly and crowded ride with the tram to the hotel.