Archive for December, 2008

DDDDDoS

Wednesday, December 31st, 2008

Another historic first from 25C3, the first-ever (confirmed) Dual Dunkin’ Donuts Distributed Denial of Service (DDDDDoS) attack.

Two Dunkin’ Donuts stores near the conference center in Alexanderplatz were simultaneously flashmobbed by hundreds of hackers, temporarily interrupting normal donut delivery. It would appear that the stores did not have adequate caching implemented, although local mirrors were available.

Happy New Year’s, everyone!

Photos and video courtesy the 25C3 wiki:




The Swedish Conspiracy

Tuesday, December 30th, 2008

There is no Swedish Conspiracy.

Club-Mate: The drink of champions

Monday, December 29th, 2008
Hacker fuel


One of the important elements of a subculture is its tendency to collectively select visible markers of membership in that culture: clothes, hairstyles, preferred products. Hackers as a culture are certainly not immune to this, but as a culture that prides itself on valuing accomplishment over image, the markers of membership in hacker culture tend to be functional outgrowths rather than stylistic flourishes.

Remember I said hackers aren’t just the guys who steal your credit card number?

Sunday, December 28th, 2008

Well, sometimes, they are really 1337 elitist Cambridge hackers who figure out how it’s possible to steal your credit card number when you use it at the cash register.

Then, occasionally, they go to German hacker conferences and explain how to do it. Hint for those of you playing along at home: it involves power drills, acid, and paperclips. Sometimes, they show off their method on a special BBC news report and leave a representative from the banking industry spluttering and making excuses.

Money quotes:
@15:15:
“I think the important thing to remember from this piece is that we’re not talking about a break of the chip & PIN security overall.”
“Well I think, according to that, we certainly are.”
@17:10:
“Let’s clarify, the system is not vulnerable. Chip & PIN is very secure. It’s not 100% guaranteed against fraud—”
“So it is vulnerable.”
“No, there’s no guarantee, 100% against fraud.”
“So it’s vulnerable! By definition. If it’s not 100% guaranteed, it’s vulnerable.”
@19:19:
“So despite the fact that new cards have enhanced security, the old cards don’t lack anything by not having it? Are you seriously saying that?”

Note to American newspeople: This is called a real interview. I realize it may look strange and unfamiliar to you. The person on the right is called a journalist. His job is to ask hard questions of his interview subject, and not let her get away with answers that are blatantly absurd or self-contradictory on their face.

25C3 Arrival

Friday, December 26th, 2008

I’ve arrived in Berlin at the 25th Chaos Computing Congress (25C3). I’ve only been here a couple hours, but so far it’s been really cool.

Things I’ve seen:

  1. A little toy RC flying saucer with blinking LEDs and a tendency to crash into (or “attack”) passersby.
  2. A guy with a multimeter working on repairing a cold-war era phone that looks like it could be the nuclear hotline.
  3. A pretty cool rig using a wiimote to spot points where green laser beams are broken. Imagine a harp with laser beams instead of strings.

There’s a strict no-photos-without-permission policy at the Congress, so I haven’t been taking a lot of photos so far. If I see some cool stuff tomorrow, and people are ok with pictures, I’ll try to post some.

I’m really tired right now; I stayed up late putting off packing, and I didn’t sleep much on the train. They’ve got a gym/flophouse thing where you can crash for €5, so I’ve been waiting for that to open.

Also I’ve been encrypting and tunneling like crazy. I normally err on the side of convenience when it comes to security. I figure I don’t deal with any data that’s really top secret or anything, so, for instance, I don’t encrypt my drives because I figure it’s far more likely that I’ll wind up locking myself out of my data than that I’ll foil a thief. However, the 25C3 website includes a “How to Survive” primer that really put the fear of God in me with regard to security.

Sample reassuring passages:

“Of course there is no reason to get paranoid, even though security and paranoia go hand in hand a bit. But be careful: Just because you’re paranoid, this doesn’t mean that nobody will break into your box or is after you.” [Translation: don’t be paranoid. Well, do be paranoid. Actually, being paranoid won’t save you anyway.]

“Another thing worth mentioning: Even when all consoles are locked and the passwords theoretically unguessable, most recent notebooks and desktops are equipped with Firewire, which can be quite a lot of fun as well: http://www.ccc.de/congress/2004/fahrplan/event/14.de.html (German only) And who knows, maybe somewhere in the RAM there’s a clear text copy of the necessary password…?” [Do everything right and you can still get pwn3d.]

“NO Social hacking (don’t trust anyone)” [And have fun!]