...stuff I do and things I like...

Once again I attended Black Hat USA and Defcon. This year I was actually speaking at Black Hat again. My talk Probing Mobile Operator Networks was received well as what I understood from the feedback. The slides can be downloaded from my project web page. I'm planning a follow up project to extend my work for an academic research paper.

Some personal comments.

Black Hat: 1. I really liked the track idea, putting related talks into one room. I basically staid in my room "Mobile" for the whole day. 2. The new room layout of Black Hat was good and bad. Moving the vendor area into the back was an good move. Also for some reason the new layout made it impossible to meet people randomly (as confirmed by some people I actually met). 3. The "vendor talk" aka the iOS security talk: I didn't like the talk since it only listed iOS security features. Also the speaker didn't take questions. 4. All in all a good event.

Defcon: 1. too many people! 2. I saw three talks by accident, the one I liked was Eddie's NFC Credit Card talk, nice work. 3. too many people!

Both events where to crowed with people I know and like that I didn't get the chance to hangout with everyone. I even missed a few people entirely, could even say hi :-(

Best thing this year was playing at HackCup with the good guys from the Intrepidus Group.

Finally, NinjaTel! How cool is this! See here

I'm quite busy these days which is good and bad at the same time. My travel schedule is packed for my opinion.

June 1 : Bochum @ RUB to give a talk (that was last week)

June 18 : BSides/NinjaCon @ Vienna to give a talk on NFC security.

June 26-28 : I'm doing a talk on NFC security at RFIDsec 11 in Amherst, MA, USA.

Last week I attended Troopers11 in Heidelberg Germany. Troopers is a nice and small IT security conference. One of two that exist in Germany as far as I know (IT-Defense being the other one). I'm not counting CCC congress and similar events this they are not security focused (which is good!).

Troopers was well organized, very nice location, good break times, good food, and a nice evening program. The conference badges where totally awesome.

The conference included a nice challenge that was based on their badges. You had to fulfil a number of tasks in order to get the number one your badge increased by the staff. Since this was a security con our SecT team took it in to our own hands and hacked the badges to show the maximum score.

Get an impression by checking the Twitter search for #troopers11.

I had a great time and hope to make it again next year.

CanSec was a blast. I had a real good time. Meeting people I only knew by email and seeing people I only see at cons :-)

Pwn2Own was quite interesting for mobile security folks like me. First, finally BlackBerry was pwnd and this was really hard work since there is no SDK and/or debugger available for BlackBerry (the Java stuff does not count). ZDNet has a longer article on the case. Second, no body was able to pwn Android and Windows Phone 7 - which is quite interesting to. Third, the iPhone (pre 4.3) was pwnd once again.



All in all the talks were quite good and mostly interesting. A collection of reviews on the various talks are here: day I day II day III by talk

So this is my first time at the MobileWorldCongress somehow I expected more but it feels like CeBIT just for mobile communications. Well it is just CeBIT for mobile phones only :-)

One thing that you notice is that Android is every where here. Its like no other smart phone OS exists. Okay I saw the WindowsPhone 7 booth but everything else is non existent. Apple of course does not need to come here, Symbian is dead. MeeGo has a tiny tiny booth when compared with the Android area. Interestingly no Google logos anywhere.

The only hardware I looked at so far was the Galaxy Tab 10.1. A real nice Android tablet. I could actually imagine to buy this thing. Probably very expensive for a toy.

Lets see what the other days bring.

the 27th Chaos Communication Congress (27c3) was awesome altogether. I met all my buddies from around the world and had a great time. This year -- due to the ticketing system -- the congress seemed less crowded, very nice! Talks were still packed but not crazy packed.

Talks:

The keynote by Rob was very nice -- I even saw it again as recording.

Karsten and Sylvain's talk on Wideband GSM sniffing was quite nice - as they combined "Karsten's" A5/1 project with Sylvain's awesome sniffer :)

DJB's talk on High-speed high-security cryptography: encrypting and authenticating the whole Internet was quite entertaining but certainly not new. I saw more or less the same talk at USENIX WOOT'09. Still very awesome of him to come to 27c3!.

Renaud Lifchiz did a great presentation on Android geolocation using GSM network. He explained the whole Android geolocation system in great detail and showed how to recover previous locations of a phone. For me this talk was the best in terms of expectations to delivery!

Ilja van Sprundel gave a talk on hacking smart phones. I must sadly say this was not very good -- sorry Ilja. Many previously known stuff (without citing them).

Bruce Dang and Peter Ferrie did a nice job with their talk Adventures in analyzing Stuxnet.

Thanks again CCC for this nice congress!

Sadly I totally missed out going to berlinsides. I registered and everything but I just didn't make it :-( I especially wanted to see Travis' talk on the IM-ME (I just bought it for that reason).

On Monday I will travel to Nancy, France to attend MALWARE 2010 and present my paper Rise of the iBots: 0wning a telco network on smartphone botnet design.

First day of ICIN 2010 was quite interesting. I presented my paper: Privacy Leaks in Mobile Phone Internet Access which was quite well received. Also ICIN is really telco biased rather than security (the kind of conferences I normally go to) I meat some interesting people.

next week I'm going to attend ISSE GI-SICHERHEIT 2010 here in Berlin. Ping me via twitter if you're coming and want to chat.

In a couple of days I'm travelling to Darmstadt to attend the CAST-Workshop on Embedded Security to talk about our embedded systems security lab.

So I survived Black Hat and Defcon, it was great fun, f**ing expensive and totally exhausting but totally worth it. Saw a bunch of talks at Black Hat some of which where cool stuff but others sadly where not worth it. Defcon was way too crowded. 12K people I was told. Therefore I couldn't attend any talk :-( Talking to cool (new) people made up for it.

Now I'm at Stanford for a couple of days. Many things planed but ping me if you want to chat.

Today Tobias Engel presented his SMS exploit for Symbian S60. The exploit basically prevents the attacked phone from receiving any SMS. F-Secure has a nice writeup on their blog over here: Curse of Silence, a Symbian S60 SMS Exploit

Update: get the advisory and demo video from: http://berlin.ccc.de/~tobias/cos/

Day three was really hard core, many good talks such as howto run your own GSM network, RFID Security, DECT In-Security, Cisco exploits and attacks using office documents. Of course I couldn't see all of them but the videos of most talks are already available.

My NFC talk went quite nice I think. Also I kind of went overtime (+20 minutes), since I didn't get thrown of the stage I just continued :-)

Day four was very short for me since we already left at 2 o'clock to catch our flight. I only attended the Debian RNG talk which was very nice, good demos and fun slides.

All in all the congress was just awesome. Also it was way to crowed the first two days.

Happy new year everybody!

I saw Harald's talk on smartphone hardware which was quite interesting. I also saw Ben's talk since we had nice seats in Saal 1 the talk was nice too :-)

I got some nice feedback for my talk, thanks everybody!. Also I think I spent too much time on the boring introduction. Next time I will remove some slides instead of planning to skip them.

the first day of 25C3 has been great fun. I attended 3 talks: PLC (the power line stuff), 202c, iPhone dev-team, and SS7. I must say the SS7 talk was the best. The iPhone talk was boring (maybe they showed something interesting in the last 10 minutes but I left before the end).

The congress is really packed with people, they sold all tickets on the first day (3800).

Good night.

the conference was in Frankfurt at a nice hotel. The food was good and the event seemed to be organized quite well. But unfortunately the conference was not technical enough in my opinion. The organizers actually said that this is going to be the German OWASP theme: not be too technical and focus more on management/organizational aspects. This is rather sad in my opinion - since I'm just starting with the whole web security stuff now. (Of course I've played with web security many years ago but this was really just for fun and not professional.)

Lets see if there is going to be a OWASP Germany conference in 2009 and how technical it will be.

the Fahrplan (schedule) finally got published tonight, also it is not complete yet but this is normal. After having to cancel my talk last year (for time reasons) I'm going to do two talks this year. I'll do my Symbian talk from BlackHat Japan and my NFC talk from EuSecWest. Both talks will be updated of course.

So far I'm pretty happy with the time slots I got. Also being selected for speaking in Saal1 (the really big room) is awesome.

BlackHat Japan was a lot of fun, I met many new people who do really cool security stuff. I had the chance to hangout with Jeroen van Beek and he got to clone my German ePassport. He made a copy (on to a smart card - he didn't make me a new passport) for myself that doesn't contain the fingerprint record. Really awesome. I also had the chance to talk to Charlie Miller about iPhone security. All in all I had a really good time.

later today I'll board a plane to Tokyo for BlackHat. This time I'm really traveling light. I only take my MSI Wind netbook, my Nokia N810, my Nokia 6131 NFC, and my iPhone. It may sound a lot to you but all the stuff combined is just slightly over 2KG. In comparison my old T42p alone is heavier (not including the power supply).

For those of you who use Twitter can follow me there.

today I visited FrOSCon for the first time. My impression is very mixed. The location is quite nice, the admission fee is low (5 Euros) and the talks are mixed.

I visited the OpenVZ talk which was OK but not great. The iPhone talk was garbage or worse. The guy didn't have a clue. He didn't talk about free/open software he did a 35 minute iPhone tour. I wished he would have covered the free SDK that exists since the first iPhone was released. ARG I'm pissed about this what a waste of time. The OpenMoko talk was interesting, I saw many talks about OpenMoko and the Neo device and every time they tell you a little more.

The actual reason for me going to FrOSCon was the keynote by Andrew Tannenbaum (the MINIX guy). His talk about MINIX 3 was interesting and funny.

All in all a nice day - also we only stayed until 4pm.

I'm going to do a talk on my InfoPanel project.

Event website is at: MRMCD111

at the Cast Workshop SmartCards und Bezahlsysteme here in Darmstadt. Looking forward to visit my employer of my undergrad days (Fraunhofer IGD).

I'll be at ph-neutral this weekend ;-]

nothing more to say :-)

Yesterday I spent the day at Embedded World in Nuernbeg. Embedded World is quite small (no comparison with CeBIT) so it was not very crowed and therefore not too stressful. I really like small computers so I had a good time looking at stuff you only know from catalogues or web-shops. Some of the designs were even smaller then I thought. Since yesterday was the last day of the exhibition the exhibitors seem to be more generous with giveaways so I got some cool stuff for free. Maybe it is like this on every day of Embedded World.