32th Chaos Communication Congress, part 1
Never underestimate the bandwidth of a van full of cypherpunks hurling down the highway. Never mind that the van originally wouldn't start and that we had to get off and push it until it finally started. Now we were hurling along the Autobahn towards Berlin, praying silently to Eris that we wouldn't get an engine failure right there, with BMW's and Porsche's being shot from a cannon behind us.
Hours later we ended up in a fairly up-scale collective, or as the inhabitants called it, a “Wohnungsgemeinschaft”, in Kreuzberg. There was beer cooling in the snow on the balcony, fair wifi and plans for a vegan buffet for New Year's Eve.
The real treat of the trip was of course the ~4000 hackers that were noisily gathering close to Alexanderplatz for the annual Chaos Communication Congress.
This was the start of my first ever C3 conference, a wonderful gathering of hackers and makers that I for a long time had mistakenly thought was just about computer security. I was so wrong. The conference is very much about technology and politics and how they interact and far from being just about computer (in)security.
Now, many years later, the many C3s I've been to have been the best conferences of my life. The organizers and the many volunteers continue to impress me, for example by having their own phone networks (one GSM, one DECT), a working pneumatic tube system covering the entire congress, and one of the best conference networks ever made: this year 4 * 10 Gigabit/s upstream and a wifi with a peak of 8150 clients.
They also offer a temporary co-location facility for your own servers for the duration of the conference.
All talks are streamed in real-time, now without Flash, on some talks including real-time interpretation and subtitling to English and/or German, as well recording everything and offering it to the public.
The talks, workshops and, perhaps best of all, the chance meetings with interesting individuals is why I keep going back year after year.
The 2015 version of the C3 had increased to about 14000 attendees with ~170 talks spread over four days from 11:30 to midnight every day.
If you just watch one of the talks, you should watch Shopshifting, where Karsten Nohl et al breaks commonly used payment protocols by... reading the manual! This includes attacks both against the customer and against the merchant.
If you have time for more, you should watch Alex Halderman's & Nadia Heninger's great talk about logjam: Diffie-Hellman, discrete logs, the NSA, and you. See, especially, the web page they have set up for helping mitigate the logjam:
A natural extension of the logjam talk is a talk about what happens if your adversary has a quantum computer (pro tip: they don't, yet) and how you might be able to mitigate that with post-quantum cryptography: PQCHacks with Daniel “djb” Bernstein and Tanja Lange.
Every year at least one of the talks at the C3 gets picked up by mainstream press. This year I would have guessed that the Shopshifting talk would get all the press. I was surprised to note that the thing the Swedish tabloids picked up was a closer look on a North Korean Linux distribution, Lifting the Fog on Red Star OS! I didn't even go to that talk, mostly because it seemed to mirror a similar talk on an earlier conference.
Below are some of my notes from the talks I attended and some that I watched later.
All talks are available at:
The congress main page is kept up at:
The schedule or, as the C3 people call it, die Fahrplan:
The keynote was held by a newcomer (as she called refugees), Fatuma Musa Afrah. I confess I didn't quite understand her talk or why she was at C3. Not quite as embarassing as Alec from Atari Teenage Riot was last year, though.
Towards (reasonably) trustworthy x86 laptops
Joanna Rutkowska is perhaps mostly known for the Qubes operating system. This talk was about all the state that is kept in a modern x86 computer and some of the components you have to trust, for instance the mysterious Intel Management Engine, that can do just about anything, runs it own OS, can access RAM, and continues to run even in sleep mode.
Memorable quote: “Trusted doesn't mean secure” and “The war is lost on x86”.
She suggested to keep most of the state outside of the laptop to keep it safer — have a trusted stick with all firmware code and everything else you need to bring up your laptop.
The talk has a corresponding paper: State considered harmful A proposal for a stateless laptop but see also her, in my opinion more interesting, Intel x86 considered harmful.
A Free and Open Source Verilog-to-Bitstream Flow for iCE40 FPGAs
The talk introduced three projects:
Project IceStorm - an almost complete reverse engineering of Lattice iCE40 FPGAs! 7680 4-input LUTs. Comes in reasonable packages that can be soldered by hand. Cheapest dev stick, Lattice ICE stick < 25USD!
Arachne-pnr - an FPGA place-and-route tool for these FPGAs. Works with Berkely Logic Interchange Format (BLIF) and outputs Icestorm's ASCII .txt format. Can use extra files for physical constraints.
Yosys - a Verilog synthesis suite to netlists. Reads Verilog, BLIF, Liberty cell libraries. Writes Verilog, BLIF, EDIF, SPICE decks, SMT2. Performs RTL synthesis and log optimizations, maps designs to FPGA and ASIC cell libraries. “LLVM for hardware”!
The workflow presented was: Verilog -> yosys -> Berkeley BLIF file -> arachne-pr -> icestorm .txt file -> icepack -> FPGA bitstream.
Multiple succesful tape-outs with these tools. People make silicon with this!
An interesting development board, IcoBoard was mentioned — an FPGA development board for Raspberry Pi HAT.
Clifford showed a Demo SoC built with his workflow. He used his own RISC-V compatible CPU, PicoRV32.