Infrastructure of a migratory bird (video)
A talk about the rewilding project of the Northern bald ibis (Waldrapp). Waldrapp became extinct (see also: Threatened species) north of the Alps in 1621; however, wild populations still exist in Morocco, Syria, and Turkey (source).
What immediately stands out to me is its interdisciplinary aspect. To build a tracker that has as minimal an impact as possible on the individuals, obviously the domain expertise of an ornithologist is needed, and I suppose that’s just one example I could think of off the top of my head. Coming from a very tech-first bubble, I’ve long been fascinated by how interdisciplinary projects, where tech plays just a small part of the larger project, work and how domain experts from different fields collaborate. Sadly this remains unanswered; someone in the answer asked this question and the speakers didn’t really give a satisfactory answer.
The speakers put a lot of emphasis on mundane tech and maintainability for long-term projects. This is a concept I’m interested in exploring further.
A question I wanted to ask, but didn’t get a chance to, was about external dependencies and contingency plans. Switzerland cutting off G2/GSM was an external factor that is out of the team’s control, and there was nothing they could do about it. But I wonder if there are examples of other external dependencies and what their contingency plans/recovery plans are, if any. Implementing mundane tech, as opposed to cutting-edge tech, might be considered one, but I see it as more of a preventive measure.
Notes:
- Goal: rewilding. Self-sustaining population
-
= 357: a minimum number for migratory individuals to sustain catastrophes
- Infrastructure will be downsized once it reaches this point, but will not go away.
- Why can’t we leave nature alone? Humans already intervened too much - we’re at a point of The Sixth Extinction (related: The Sixth Extinction by Elizabeth Kolbert). This is a repair effort.
- Challenges:
  - No elders to learn from, so humans have to teach.
  - Bonding - need humans as foster mothers.
  - Aerodynamics of the individuals are affected by the device. So the tracking device is optimized to make the least aerodynamical impact.
    - They experimented with homemade wind tunnels. Related paper: A low-cost wind tunnel for bird flight experiments
- External dependencies
  - For example: Switzerland cut off G2/GSM early this year. This affected old trackers that are still using GSM.
- Mundane tech, instead of cutting-edge tech
  - For long-term projects like this, we need to think about the long-term aspect. Once deployed it’s difficult to upgrade hardware / update it.
  - Stability and reliability
  - Frugality
- Criticism - isn’t this surveillance tech?
  - Depends on the objective
Predator Files: How European spyware threatens civil society around the world (video)
There is probably not a lot of new information for those already familiar with the Predator spyware. Admittedly, I completely missed out on this so I learned a lot of new things from this talk.
One part of the talk that stood out to me was about the advent of zero-click attacks. We may be familiar with one-click attacks, which require targets to interact with a malicious link that triggers the exploitation. This is the kind of attack that phishing trainings warn us about. However, we are now seeing an increase in zero-click attacks and, as you may have guessed, unlike one-click attacks, zero-click attacks do not require targets to interact with anything. Another tricky thing is that, because zero-click attacks do not leave a trace the way one-click attacks do (the malicious link itself), detection and investigation of these attacks are more difficult.
Another shocker to me is that these surveillance tools literally have a user-friendly UI. I always thought of these spywares as a jumbled mess of code running in a terminal that only certain people can understand. To my surprise, one of the slides actually showed the example of the UI, which literally has a WhatsApp icon in it (as I expressed to my friend once we exited the conference hall: “are they saying that there is literally a designer who goes to Figma to drag and drop colorful boxes while thinking to themselves, ‘ho ho ho, I’m going to make the user-friendliest surveillance tool for these governments!’!?”). And the answer is yes, there is. That’s why, at the end of the talk, there is one call-to-action from the speaker to the audience: don’t work for mercenary spyware companies.
Related links:
- Technical Deep Dive into Intellexa Alliance Surveillance Products by Amnesty International
- Darknet Diaries, Episode 137: Predator
Notes:
- Entrypoint: malicious links being spread across social media
- Zero-day exploits
- 1-click attacks can be expensive:
  - People don’t click
  - People share with researchers
- 0-click attacks do not require user actions
- How to turn 1-click attacks to 0-click attacks?
- Route traffic to malicious network
- Q: how can we as a user know if our traffic has been redirected or not?
- Make users click on links that are http only
- Route traffic to malicious network
- Getting around https
- Network injection on the hosting provider network
- Request a new TLS cert, e.g. LetsEncrypt. Redirect their verification request (bc the host is injected)
- Tactical network injection
- e.g. deployed at a protest with drones/portable tools
- Defending against Predator
  - Lockdown Mode for iOS
  - Enable HTTPS only mode in browsers
  - Always on VPNs
  - … and don’t work for mercenary spyware companies!
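The "Getting around https" item in the notes relies on a new certificate being issued for the victim's hostname. Publicly trusted CAs such as Let's Encrypt log every certificate to Certificate Transparency, so a site operator can detect this by comparing CT entries against the certificates they actually requested. The following is an added example, not from the talk or the original post; the record layout is assumed to follow crt.sh JSON output, and the domain, issuer and serial numbers are constructed.

```python
import json

# Serials of certificates the operator really requested (constructed values;
# in practice exported from the ACME client or the CA account).
KNOWN_SERIALS = {"03a1b2c3d4e5f607", "04FFEEDDCCBBAA99"}

# Constructed records shaped like crt.sh JSON output; not real certificates.
SAMPLE_CT = json.loads(r"""[
 {"serial_number": "03a1b2c3d4e5f607", "issuer_name": "O=Example CA, CN=E1",
  "not_before": "2023-09-01T00:00:00", "name_value": "example.org\nwww.example.org"},
 {"serial_number": "04ffeeddccbbaa99", "issuer_name": "O=Example CA, CN=E1",
  "not_before": "2023-09-01T00:00:00", "name_value": "*.example.org"},
 {"serial_number": "0500112233445566", "issuer_name": "O=Example CA, CN=E1",
  "not_before": "2023-10-14T03:12:00", "name_value": "chat.example.org"},
 {"serial_number": "0500112233445566", "issuer_name": "O=Example CA, CN=E1",
  "not_before": "2023-10-14T03:12:00", "name_value": "chat.example.org"},
 {"serial_number": "0677889900aabbcc", "issuer_name": "O=Example CA, CN=E1",
  "not_before": "2023-10-15T00:00:00", "name_value": "notexample.org"}
]""")

def covers(name, domain):
    """True if a certificate name is the domain itself or one of its subdomains."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):          # a wildcard covers names under its base
        name = name[2:]
    return name == domain or name.endswith("." + domain)

def unexpected_certs(entries, domain, known_serials):
    """Return CT entries for `domain` whose serial is not in the inventory."""
    known = {s.strip().lower() for s in known_serials}
    seen, findings = set(), []
    for entry in entries:
        serial = entry["serial_number"].strip().lower()
        if serial in known or serial in seen:
            continue                   # expected, or pre-cert/final-cert duplicate
        names = entry["name_value"].splitlines()
        if any(covers(n, domain) for n in names):
            seen.add(serial)
            findings.append({"serial": serial, "names": names,
                             "issuer": entry["issuer_name"],
                             "not_before": entry["not_before"]})
    return findings

if __name__ == "__main__":
    for f in unexpected_certs(SAMPLE_CT, "example.org", KNOWN_SERIALS):
        print("certificate not in inventory:", f)
```

Any finding means a certificate exists that the operator did not request, which is the visible trace this kind of network injection leaves on the server side.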
Tractors, Rockets and the Internet in Belarus (video)
An overview of what a technological authoritarian regime looks like. I didn’t take any notes because I was too busy thinking if this is what it will be like in my country if it ever comes down to it again. My country is no stranger to a dictatorship, and I have some faint idea of how the flow of information was tightly controlled by the government, which pretty much revolved around TVs and radios. But it’s a different world now: people’s lives are more intertwined with technology than ever, social media is how a lot of people get their information and organize these days, attacks are no longer limited to physical*, and thus resistance will look wildly different from how it was twenty years ago. I wonder what tech-savvy people in my country can do if it ever comes down to it again.
- Physical attacks still exist, though. Authorities still use classic torture tactics to force activists to give up their password, for example. How to resist? The moment an authority approaches you, the suggestion is to break the encrypted device immediately. If there is no device to decrypt, then there is no use torturing.
Rust binary analysis, feature by feature (video)
Turning Chromebooks into regular laptops (video)
Tor censorship attempts in Russia, Iran, Turkmenistan (video)
A talk by the cofounder of Tor himself. The cyber arms race is not necessarily about hackers exchanging malicious scripts to each other. Instead, this is what is happening at this moment: regular citizens trying to exercise their rights to access information, government officials manually inputting Tor relays to be blocklisted into an Excel spreadsheet, and the Tor community being actively engaged in running and maintaining bridges, relays, and Snowflakes to circumvent censorship.
Notes:
- Tor runs on 8000 relays, listed publicly. Transparency is key for Tor
- Govts used this list to block relays
- Bridge: unlisted relays with additional configuration to circumvent censorship
- Pluggable transports:
  - Snowflake: makes your traffic look like WebRTC
  - domain fronting/meek: meek-azure, looks like you browse from an MS website
  - obfs4: traffic looks random
  - webtunnel: looks like you’re accessing website via HTTPS
- Censorship attempts:
  - Russia: public tor relays, meek-azure, obfs4, Snowflake
  - Iran
  - Turkmenistan: blocks cloud by IP address - can’t solve this with technical tricks
- Takeaway: heavy burden on users (users need to switch to bridges, try out different pluggable transports, etc). Need to find ways to reduce that burden otherwise users will stop caring.
- CTAs: run snowflakes (they can be run by volunteers using an extension), relays, bridges