The Turkey Curse
fukamis terror chatroom

re:publica, Bluehat and PH-Neutral

Sweetmorn, 13th Discord, 3174.

The next couple of weeks I’m going to speak at some interesting and completely different events. Next week I will be at re:publica in Berlin doing a tunneling workshop. Last year there was a screen at the entrance of re:publica showing the output of dsniff. Some people got very pissed because their passwords turned up in full HD quality. So Markus had the idea of this workshop and asked me to do it in order to give the attendees a possibility to protect themselves. The re:publica is going to be very big this year (800 attendees all together as far as I know) and a lot of old friends I haven’t seen in a while will show up.

The next event I’m going to visit is Bluehat v7 in Seattle. I’ve never been to the States before, so I’m really excited about going there, especially because Microsoft is the reason for it, which I still find very weird. I’ll give a presentation together with Manuel Caballero about Silverlight and how it compares to Adobe Flash security-wise. Only a few of the Bluehat speakers are already known to me. Besides Lieutenant Dan and kuza55 I’m looking forward to getting to know Sowhat. We tried to invite him to one of the past Chaos Communication Congresses but it was far more complicated than we thought because of visa problems. I’m also looking forward to getting to know Billy Rios. I guess he and Nitesh will talk about phishing.

In May I’ll be at PH-Neutral and give a presentation together with BeF entitled “SWF and the Malware Tragedy”. The talk is about static analysis of SWF bytecode, and we hopefully have some more time to look into less known SWF bytecode obfuscation techniques. BeF and I also wrote a paper with the same title, mainly about using erlswf, which is written in Erlang, for SWF bytecode analysis.

---

Controlling access to Local Shared Objects aka Flash Cookies

Setting Orange, 48th The Aftermath, 3173.

LSOs, also known as Flash Cookies or Flash Shared Objects, are somewhat nasty: they are persistent across browsers, don’t get deleted on browser exit, and there is no obvious way to view and manage them. One possibility is to use NoScript; disabling Flash entirely or revoking read/write access to the directories where they get stored are others. But I personally find it interesting to see which sites are actually using those cookies for tracking. So a good solution for this specific issue would be something that takes back control and gives an overview of those sites without giving them access to LSOs.

There is one simple solution and it is even supplied by Adobe itself: The Flash Player Settings Manager. It’s actually a Flash movie which is able to access the file system and store the settings.

I know, it is weird that it resides on Adobe’s website, and it is far from perfect since it would be much nicer to have a real interface to it.
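For the overview part, here is an added example, not code from this post or from Adobe: a small Python reader for the .sol files in which the Flash Player stores LSOs, plus a walker that lists which domains have shared objects on disk and which keys they persist. The file layout (00 BF magic, length, “TCSO”, name, AMF0 body) and the directory layout under ~/.macromedia/Flash_Player/#SharedObjects are assumptions taken from third-party documentation of the format, not from this post; only AMF0 bodies are decoded (AMF3 files are reported as unparsed), and the sample blob is constructed, not a cookie from any real site.

```python
import os
import struct
from typing import Any

# AMF0 type markers used in .sol bodies (from third-party format notes, assumed).
NUMBER, BOOL, STRING, OBJECT, NULL, UNDEFINED, OBJECT_END = 0, 1, 2, 3, 5, 6, 9


class SolError(ValueError):
    pass


def _u16(buf: bytes, pos: int) -> int:
    return struct.unpack_from(">H", buf, pos)[0]


def _read_value(buf: bytes, pos: int) -> tuple[Any, int]:
    """Decode one AMF0 value starting at buf[pos]; return (value, next_pos)."""
    marker, pos = buf[pos], pos + 1
    if marker == NUMBER:                       # big-endian IEEE double
        return struct.unpack_from(">d", buf, pos)[0], pos + 8
    if marker == BOOL:
        return buf[pos] != 0, pos + 1
    if marker == STRING:                       # u16 length + UTF-8 bytes
        n, pos = _u16(buf, pos), pos + 2
        return buf[pos:pos + n].decode("utf-8", "replace"), pos + n
    if marker in (NULL, UNDEFINED):
        return None, pos
    if marker == OBJECT:                       # key/value pairs until "" + 0x09
        obj: dict[str, Any] = {}
        while True:
            n, pos = _u16(buf, pos), pos + 2
            key, pos = buf[pos:pos + n].decode("utf-8", "replace"), pos + n
            if n == 0 and buf[pos] == OBJECT_END:
                return obj, pos + 1
            obj[key], pos = _read_value(buf, pos)
    raise SolError(f"unsupported AMF0 marker 0x{marker:02x} at offset {pos - 1}")


def parse_sol(data: bytes) -> tuple[str, dict[str, Any]]:
    """Return (shared object name, {key: value}) for an AMF0 .sol blob."""
    # 00 BF | u32 length of the rest | "TCSO" | 00 04 00 00 00 00 | u16 name
    # length | name | u32 AMF version (0 = AMF0) | repeated items, each being
    # u16 key length | key | AMF0 value | 00 pad byte.
    if data[:2] != b"\x00\xbf" or data[6:10] != b"TCSO":
        raise SolError("missing .sol magic")
    if struct.unpack_from(">I", data, 2)[0] != len(data) - 6:
        raise SolError("length field does not match blob size")
    try:
        n, pos = _u16(data, 16), 18
        name, pos = data[pos:pos + n].decode("utf-8", "replace"), pos + n
        version, pos = struct.unpack_from(">I", data, pos)[0], pos + 4
        if version != 0:
            raise SolError("only AMF0 bodies are handled")
        items: dict[str, Any] = {}
        while pos < len(data):
            n, pos = _u16(data, pos), pos + 2
            key, pos = data[pos:pos + n].decode("utf-8", "replace"), pos + n
            items[key], pos = _read_value(data, pos)
            pos += 1                           # pad byte after each item
    except (struct.error, IndexError) as exc:
        raise SolError("truncated .sol data") from exc
    return name, items


def list_shared_objects(root: str) -> list[tuple[str, str, list[str]]]:
    """Walk a #SharedObjects tree; return (domain, path, sorted keys) per .sol."""
    # Assumed layout: <root>/<random id>/<domain>/<path...>/<name>.sol, as the
    # Linux Flash Player keeps it under ~/.macromedia/Flash_Player/#SharedObjects.
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in sorted(files):
            if not fn.endswith(".sol"):
                continue
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root).split(os.sep)
            domain = rel[1] if len(rel) > 2 else rel[0]
            try:
                with open(path, "rb") as fh:
                    found.append((domain, path, sorted(parse_sol(fh.read())[1])))
            except SolError as exc:            # e.g. AMF3 body or truncated file
                found.append((domain, path, [f"<unparsed: {exc}>"]))
    return found


# Constructed sample: name "visitor", items uid="a1b2c3", visits=7.0, optout=False.
SAMPLE = (b"\x00\xbf\x00\x00\x00\x43TCSO\x00\x04\x00\x00\x00\x00\x00\x07visitor\x00\x00\x00\x00"
          b"\x00\x03uid\x02\x00\x06a1b2c3\x00"
          b"\x00\x06visits\x00\x40\x1c\x00\x00\x00\x00\x00\x00\x00"
          b"\x00\x06optout\x01\x00\x00")

if __name__ == "__main__":
    print(parse_sol(SAMPLE))
    for row in list_shared_objects(os.path.expanduser("~/.macromedia/Flash_Player/#SharedObjects")):
        print(*row)
```

The reader only tells you who stores what; to actually stop a site from writing, you still need the Settings Manager or the directory permissions mentioned above. The length check and the SolError wrapping are there so a corrupt or AMF3 file shows up as one unparsed entry instead of aborting the whole listing.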

---

Deepsec in Vienna

Pungenday, 31st The Aftermath, 3173.

This week my workmate Stefan and I are going to join Deepsec, an “in-depth security conference” in Vienna. Deepsec looks very promising to me since there are a lot of talks I’d like to attend, like those by Halvar Flake, Dave Aitel, Martin Johns, Alexander Kornbrust, David Litchfield or Melanie Rieback. I will also give a talk, once again on Adobe Flash Security.

Besides the conference there will be another great event in Vienna called Roböxotica, a festival for cocktail robotics. I am also looking forward to visiting Metalab and meeting some friends.

Last but not least we will visit Figlmüller to eat Wiener Schnitzel :)

---

Reminder: 24C3 CFP ends in 3 days

Boomtime, 63rd Bureaucracy, 3173.

I just want to remind you guys to submit your lecture proposal for the upcoming 24C3 within the next 3 days :)

---

202c: BSI charged for distributing John with BOSS

Setting Orange, 41st Bureaucracy, 3173.

TecChannel filed a criminal complaint against the German BSI. BSI stands for “Bundesamt für Sicherheit in der Informationstechnik” (Federal Office for Information Security), and they are the central IT security service provider for the German government. The reason for the complaint is the BSI’s distribution of BOSS (BSI OSS Security Suite), which is basically a Live CD containing Open Source security tools such as Nessus and John the Ripper.

It will be interesting to see what happens.

---

(Non-)use of IT and racism

Boomtime, 38th Bureaucracy, 3173.

A couple of days ago we had a nice discussion at Netzladen about all the politicians deciding on IT-related topics without using computers themselves. Thomas from the FAU came up with this little analogy:

Those politicians are just like racists: They fear what they don’t know.

Very good point!

---

Self-denunciation for offences under §202c StGB (German criminal code)

Boomtime, 38th Bureaucracy, 3173.

A while ago Michael Kubert offered to host so-called “hacker tools” and to file a self-denunciation for offences under 202c StGB to see what happens. He posted his offer in the comments of Stefan’s article about taking down the MOPB exploits. Now he has prepared a simple password brute-forcing tool himself and offered it for download. His self-denunciation happened at the beginning of this week at the public prosecutor’s office in Mannheim. He is very confident that nothing will happen.

Although I think it’s one way to get some information regarding that shitty paragraph, I don’t think it will really help very much. In my opinion the worst thing is not 202c itself but its connection to 303b, “computer sabotage”, which in turn points to 129a, “forming a terrorist organization”. As I mentioned several times, I’m quite sure that no one will ever go to jail for 202c. It’s more likely that 202c will be used as an easier way to justify house searches, in the hope of finding something interesting.

129a for example is another such weird paragraph: no one was ever convicted under it, but it was (and still is) heavily used for starting investigations against groups and individuals. The “benefit” is mainly that a different police force does the investigation, so it’s much more intensive than the usual investigation of “normal” criminals.

Anyways, we’ll see what will happen.

A “funny” side note: the German Minister of the Interior, Wolfgang Schäuble, gave an interview to the newspaper Tagesspiegel, in which he talks about the internet as “the universal platform of the holy war against the western world” and says the internet “is not only for communication but also advertising, university, training camp and think tank for terrorists”. The most interesting part is that the German government is preparing a law to prosecute people who have been trained in terrorist training camps. So it seems that everybody using the internet obviously participated in such a camp in one way or another.

This could be really funny, but, well, in fact it’s not.

---

202c: THC’s next

Boomtime, 28th Bureaucracy, 3173.

After Phenoelit, Stefan Esser and KisMAC, THC surrenders as well. I doubt that this was the last group moving their resources away from Germany.

By the way: Jan Münther of n.runs clarified things in a post on Full-Disclosure regarding the discussion about the Sophos Anti-Virus UPX parsing vulnerability. He also stated very clearly what most security people in Germany think:

As of the recent German “anti-hacking-tool laws” - these really bug everyone around here. The biggest problem is the fuzziness of the actual punishable acts: The law implies that the “criminal energy” is basically contained within the tools themselves, which of course is an absurd thought that only someone with zero contact with the actual subject matter can come up with. However, due to these new rules nobody around here knows what the real deal is - is having nmap on your box dangerous now? Is having ping and telnet dangerous? What about metasploit, CANVAS or CORE Impact, or god beware, own exploits, possibly 0days?

202c just sucks balls.

---

n.runs, Sophos, German laws, and customer safety

Setting Orange, 21st Bureaucracy, 3173.

Steven M. Christey from MITRE gave a good example on the Bugtraq mailing list of how the new “anti-hacker laws” in Germany regarding the publishing of exploits are backfiring badly. Here’s his full posting:

Subject: n.runs, Sophos, German laws, and customer safety

The n.runs-SA-2007.027 advisory claims code execution through a UPX file. This claim is inconsistent with the vendor’s statement that it’s only a “theoretical” DoS:

   http://www.sophos.com/support/knowledgebase/article/28407.html

   “A corrupt UPX file causes the virus engine to crash and Sophos
   Anti-Virus to return ‘unrecoverable error. leading to scanning being
   terminated. It should not be a security threat although repeated
   files could cause a denial of service.”


It is unfortunate that Germany’s legal landscape prevents n.runs from providing conclusive evidence of their claim. This directly affects Sophos customers who want to know whether it’s “just a DoS” or not. Many in the research community know about n.runs and might believe their claim, but the typical customer does not know who they are (which is one reason why I think the Pwnies were a good idea). So, many customers would be more likely to believe the vendor. If the n.runs claim is true, then many customers might be less protected than they would be if German laws did not have the chilling effect they are demonstrating.

It should be noted that in 2000, a veritable Who’s Who of computer security - including Bruce Schneier, Gene Spafford, Matt Bishop, Elias Levy, Alan Paller, and other well-known security professionals - published a statement of concern about the Council of Europe draft treaty on Crime in Cyberspace, which I believe was the predecessor to the legal changes that have been happening in Germany:

http://homes.cerias.purdue.edu/~spaf/coe/TREATY_LETTER.html

Amongst many other things, this letter said:

   “Signatory states passing legislation to implement the treaty may
   endanger the security of their computer systems, because computer
   users in those countries will not be able to adequately protect
   their computer systems… legislation that criminalizes security
   software development, distribution, and use is counter to that goal,
   as it would adversely impact security practitioners, researchers,
   and educators.”


If I recall correctly, we were assured by representatives that such an outcome would not occur.

- Steve

Thanks to Steve for pointing it out.

---

blog.fukami.io

Setting Orange, 21st Bureaucracy, 3173.

The new location of “The Turkey Curse” is http://blog.fukami.io. All requests to the old location are redirected.

---

H.264 and AAC support for Flash and Open Source Media Server

Setting Orange, 21st Bureaucracy, 3173.

Tinic Uro, an engineer at Adobe working on the Flash Player, blogged about the announcement that Adobe will support H.264 and AAC with the Flash Player.

Reading the blog post, I was very upset by this part at the end of the article:

I am not in a position to explain to you why we will not allow 3rd party streaming servers to stream H.264 video or AAC audio into the Flash Player. What I can tell you is that we do not allow this without proper licensing. Refer to Adobe’s friendly Flash Media Server sales staff for more information.

Someone on the OSFlash mailing list brought up the Wikipedia entry on H.264:

Conversely, shipping a product in the U.S. which includes an LGPL H. 264 decoder/encoder would be in violation of the software license of the codec implementation. In simple terms, the LGPL and GPL licenses require that any rights held in conjunction with distributing and using the code also apply to anyone receiving the code, and no further restrictions are put on distribution or use. If there is a requirement for a patent license to be sought, this is a clear violation of both the GPL and LGPL terms. Thus, the right to distribute patent-encumbered code under those licenses as part of the product is revoked per the terms of the GPL and LGPL.

But a server isn’t encoding/decoding anything, just streaming. More interestingly, there is an announcement by the MPEG LA from 2003:

Decoder-Encoder Royalties
  • Royalties to be paid by end product manufacturers for an encoder, a decoder or both (“unit”) begin at US $0.20 per unit after the first 100,000 units each year. There are no royalties on the first 100,000 units each year. Above 5 million units per year, the royalty is US $0.10 per unit.
  • The maximum royalty for these rights payable by an Enterprise (company and greater than 50% owned subsidiaries) is $3.5 million per year in 2005-2006, $4.25 million per year in 2007-08 and $5 million per year in 2009-10.
  • In addition, in recognition of existing distribution channels, under certain circumstances an Enterprise selling decoders or encoders both (i) as end products under its own brand name to end users for use in personal computers and (ii) for incorporation under its brand name into personal computers sold to end users by other licensees, also may pay royalties on behalf of the other licensees for the decoder and encoder products incorporated in (ii) limited to $10.5 million per year in 2005-2006, $11 million per year in 2007-2008 and $11.5 million per year in 2009-2010.
  • The initial term of the license is through December 31, 2010. To encourage early market adoption and start-up, the License will provide a grace period in which no royalties will be payable on decoders and encoders sold before January 1, 2005.
Participation Fees
  • Title-by-Title – For AVC video (either on physical media or ordered and paid for on title-by-title basis, e.g., PPV, VOD, or digital download, where viewer determines titles to be viewed or number of viewable titles are otherwise limited), there are no royalties up to 12 minutes in length. For AVC video greater than 12 minutes in length, royalties are the lower of (a) 2% of the price paid to the licensee from licensee’s first arms length sale or (b) $0.02 per title. Categories of licensees include (i) replicators of physical media, and (ii) service/content providers (e.g., cable, satellite, video DSL, internet and mobile) of VOD, PPV and electronic downloads to end users.
  • Subscription – For AVC video provided on a subscription basis (not ordered title-by-title), no royalties are payable by a system (satellite, internet, local mobile or local cable franchise) consisting of 100,000 or fewer subscribers in a year. For systems with greater than 100,000 AVC video subscribers, the annual participation fee is $25,000 per year up to 250,000 subscribers, $50,000 per year for greater than 250,000 AVC video subscribers up to 500,000 subscribers, $75,000 per year for greater than 500,000 AVC video subscribers up to 1,000,000 subscribers, and $100,000 per year for greater than 1,000,000 AVC video subscribers.
  • Over-the-air free broadcast – There are no royalties for over-the-air free broadcast AVC video to markets of 100,000 or fewer households. For over-the-air free broadcast AVC video to markets of greater than 100,000 households, royalties are $10,000 per year per local market service (by a transmitter or transmitter simultaneously with repeaters, e.g., multiple transmitters serving one station).
  • Internet broadcast (non-subscription, not title-by-title) – Since this market is still developing, no royalties will be payable for internet broadcast services (non-subscription, not title-by-title) during the initial term of the license (which runs through December 31, 2010) and then shall not exceed the over-the-air free broadcast TV encoding fee during the renewal term.
  • The maximum royalty for Participation rights payable by an Enterprise (company and greater than 50% owned subsidiaries) is $3.5 million per year in 2006-2007, $4.25 million in 2008-09 and $5 million in 2010.
  • As noted above, the initial term of the license is through December 31, 2010. To encourage early marketplace adoption and start-up, the License will provide for a grace period in which no Participation Fees will be payable for products or services sold before January 1, 2006.

So I don’t get why Adobe cares about open source media servers. Isn’t that the content providers’ problem?

The only thing I can think: Patents suck!

---

24C3 CfP

Sweetmorn, 17th Bureaucracy, 3173.

The Chaos Communication Camp is over, so it’s time to announce the Call for Participation of the 24th Chaos Communication Congress 2007 (24C3). The Chaos Communication Congress is the annual four-day conference organized by the Chaos Computer Club (CCC) and taking place in Berlin, Germany. The 24C3’s slogan is “Volldampf voraus!”, the German equivalent of “full steam ahead”, a particular request for talks and projects featuring forward-looking hands-on topics. The Chaos Computer Club has always encouraged creative and unorthodox interaction with technology and society, in the good tradition of the real meaning of “hacking”.

This year’s congress introduces a new category for talks called “Making”. This category is all about making and breaking things and the wonderful stuff you can build in your basement or garage. Most welcome are submissions dealing with the latest in electronics, 3D-fabbing, climate-change survival technology, robots and drones, steam machines, alternative transportation tools and guerilla-style knitting.

As always, the date of this event is December 27th to 30th.

---

Chaos Communication Camp Roundup

Setting Orange, 11th Bureaucracy, 3173.

Lenin wore a hula skirt and a flower garland — do I have to say more? The Chaos Communication Camp 2007 of the Chaos Computer Club at Finowfurt Airport was a totally outstanding event. The whole crew, especially Julia and fh, did a great job organizing it. In the first place the setting was awesome. Camping on the historic Russian airport somewhere in Brandenburg, sitting next to old planes and listening to interesting talks in bunkers were unique experiences. It was fun for me to spend the first hours and days just walking around and discovering the area.

When at night the whole place changed into an illuminated party zone, I wondered once again how an event like that was possible at all. The two thousand attendees had quite fast and mostly working internet in the middle of nowhere. Everybody around was helpful and even the short rainstorms couldn’t spoil the fun.

There were a lot of interesting talks — shame on me that I only listened to a few of them: Lisa’s talk on finding and exploiting concurrency issues in software, Seth Hardy’s excellent talk “A Crash Course In The Math of Public Key Cryptography”, Dan’s Black Ops 2007, Fefe’s “Know your compiler” and Gil’s talk about ZERT and binary patches. Unfortunately, I missed the talk about the A5 Cracking Project — well, all the talks have been recorded, so I will see it online in a few weeks. Update: kuza55 notified me that the recording is already online :)

It was so much fun hanging around with all the Italians (especially ascii, Alessio and Fabio), the guys from Leiwandville, the Illuminats from Entropia, the crowd from Berlin, Dresden and Cologne, the Americans at Camp Anaconda and all the other dudes from all over Europe. I had some great conversations, for example with Dan Kaminsky regarding attacks using DNS rebinding with a very cool private presentation of his “Suckets” and I talked with FX regarding so-called Security 2.0 and other funny things.

I was somewhat unsatisfied with my own talk entitled “Testing and Exploiting Flash Applications”. Since I’m not a native speaker, I was extremely nervous in the beginning. The funny thing is that especially the German listeners were upset about my poor language skills and some even claimed that I should have given the presentation in German. But in the aftermath I had quite a few interesting conversations, e.g. with Rob (the maintainer of Gnash, a free and open Flash Player alternative) about Flash security models. I would not have had this chance if I had given my lecture in German.

Well, I guess badly spoken English is one of the most spoken languages in the world =)

Since one hour is a short period of time, I only explained the basics and demonstrated some funny but harmless example exploits of XML.load calls, like CNN’s “v0te teh l33t”, Nokia’s OpenMoko support and RTL’s feature on the camp talks (Update: fixed by RTL. Update 2: they didn’t get it right: it’s only fixed if the variable ‘xmldata’ starts with “http://”). I also explained a flaw in AS3 socket handling, mainly discovered by David Neu after a discussion we had a while ago. Adobe has already acknowledged the problem and told us they will patch it by the end of October. We decided to release the info to the public before then, since it is less dangerous than buffer overflows in their player or media server.

During my talk I introduced a Flash Security Project called FlashSec. This project aims at developing testing methods and tools for Flash/AIR security auditing and documentation.

I found it very funny to get applause after showing how one can use simple LocalConnections to let Flash movies talk to each other cross-domain. For attackers this is especially useful to build Flash-based attack back channels. By the way: in this context I’d also like to mention Thai Duong, who notified me about his lecture at VNSECON07, where he demonstrated how to zombify a browser with Flash just a couple of days before.

Nonetheless, both the positive and the negative feedback I got was very useful for preparing and extending my talk for FrOSCON next week.

---

DevHouse Cologne

Prickle-Prickle, 58th Confusion, 3173.

This weekend the first DevHouse in Germany happened in Cologne. The idea behind it is a bit like a BarCamp, but the main difference is the strong focus on development and security. The host for this event was people interactive. This company drew some attention by winning a Multimedia Award this year for an impressive interactive tablet made for T-Com. I gave two presentations, one about Flash Security Basics and one about Performance Testing using DTrace.

The only session where I personally learned something new was a talk called “Flash without Flash” by David Neu. Since he’s using Flash in a professional production workflow without Adobe’s IDE, it was interesting for me to see how those Open Source Flash tools are used from a developer’s perspective. I had an insightful talk with him afterwards about the direction in which the player/plugin will evolve. He also showed me a couple of things he has done with his company (people interactive) in the past, and a funny buffer overflow in a piece of popular ATM hardware.

All in all I liked the event a lot. It was a bit chaotic and sometimes a bit noisy during the sessions. Nonetheless I found it much more fun than the usual BarCamps, where it’s more about VC bull crap than about interesting developments and methodologies.

---

Rant by FX: Security 2.0 and Ethics 0.2 Beta

Prickle-Prickle, 53rd Confusion, 3173.

FX of Phenoelit wrote an interesting rant about Web2.0 security FUD titled Security 2.0 and Ethics 0.2 Beta:

The Web 2.0 has all the potential for the next big wave of FUD in security. First of all, it’s not done yet. We are seeing new players on the Web but the general direction of developments is sketchy at best. One of the more solid observations is that the Web 2.0 is a work of composition from known technologies at a higher abstraction level than before. Most components are not reinvented but rearranged and adjusted. This leads to some of the lesser-known components and especially patterns [6] to be considered new, revolutionary developments [4].

The new Web primarily teaches us lessons we should already know. Basics like the fact that perimeter security cannot work in networked environments, since they wouldn’t be networked if it did - think mesh-ups. Basics like: defence in depth is one of the few paradigms that actually have a chance to work in the wild and keep complex systems alive. But we knew that before, didn’t we?

There is a little discussion about this article at Slackers.

I think FX is just plain right!

---

The Turkey Curse is powered by WordPress, template idea by Priss