Date: Tue, 14 Jan 92 12:15 MST
From: Moderators
Subject: File 4--Report: 8th Chaos Computer Congress

((For those who do not receive either RISKS-L or TELECOM Digest, we reprint the following from TELECOM Digest, Vol 13 #35 (14 Jan '92)).

***********************************************

Date: Tue, 14 Jan 1992 06:33:50 PST
From: Eric_Florack.Wbst311@xerox.com
Subject: Report: 8th Chaos Computer Congress

The following message was copied from RISKS-L. Of particular interest to TELECOM readers will be where the writer speaks of HACKTIC.

That such gatherings are becoming more sparsely populated is a positive step. But is it, perhaps, time for people such as the UN, or perhaps the ITU, to invoke sanctions against countries that allow such groups to thrive?

(Comments are my own ... I don't expect anyone else to have the guts to agree with me.) (Grin)

-=-=-=--=-=-=

Date: 9 Jan 92 16:37 +0100
From: Klaus Brunnstein
Subject: Chaos Congress 91 Report

Report: 8th Chaos Computer Congress

On occasion of the 10th anniversary of its foundation, Chaos Computer Club (CCC) organised its 8th Congress in Hamburg (Dec.27-29, 1991). To more than 400 participants (largest participation ever, with growing number of students rather than teen-age scholars), a rich diversity of PC and network related themes was offered, with significantly less sessions than before devoted to critical themes, such as phreaking, hacking or malware construction. Changes in the European hacker scene became evident as only few people from Netherlands (see: Hacktick) and Italy had come to this former hackers' Mecca. Consequently, Congress news are only documented in German. As CCC's founding members develop in age and experience, reflection of CCC's role and growing diversity (and sometimes visible alienity between leading members) of opinions indicates that teen-age CCC may produce less spectacular events than ever before.

This year's dominating theme covered presentations of communication techniques for PCs, Ataris, Amigas and Unix, the development of a local net (mousenet.txt: 6.9 kByte) as well as description of regional (e.g. CCC's ZERBERUS; zerberus.txt: 3.9 kByte) and international networks (internet.txt: 5.4 kBytes), including a survey (netzwerk.txt: 53.9 kByte). In comparison, CCC'90 documents are more detailed on architectures while sessions and demonstrations in CCC'91 (in "Hacker Center" and other rooms) were more concerned with practical navigation in such nets.

Phreaking was covered by the Dutch group HACKTIC which updated its CCC'90 presentation of how to "minimize expenditures for telephone conversations" by using "blue" boxes (simulating specific sounds used in phone systems to transmit switching commands) and "red" boxes (using telecom-internal commands for testing purposes), and describing available software and recent events. Detailed information on phreaking methods in specific countries and bugs in some telecom systems were discussed (phreaking.txt: 7.3 kByte). More information (in Dutch) was available, including charts of electronic circuits, in several volumes of Dutch "HACKTIC: Tijdschrift voor Techno-Anarchisten" (=news for techno-anarchists).

Remark #1: recent events (e.g. "Gulf hacks") and material presented on Chaos Congress '91 indicate that the Netherlands emerges as a new European center of malicious attacks on systems and networks. Among other potentially harmful information, HACKTIC #14/15 publishes code of computer viruses (a BAT-virus which does not work properly; "world's shortest virus" of 110 bytes, a primitive non-resident virus significantly longer than the shortest resident Bulgarian virus: 94 Bytes).
While many errors in the analysis show that the authors lack deeper insight into malware technologies (which may change), their criminal energy in publishing such code evidently is related to the fact that the Netherlands has no adequate computer crime legislation. In contrast, the advent of German computer crime legislation (1989) may be one reason for CCC's less devotion to potentially harmful themes.

Remark #2: While few Netherlands universities devote research and teaching to in/security, Delft university at least offers introductory courses into data protection (an issue of large public interest in NL) and security. Professors Herschberg and Aalders also analyse the "robustness" of networks and systems, in the sense that students may try to access connected systems if the addressed organisations agree. According to Prof. Aalders (in a recent telephone conversation), they never encourage students to attack systems but they also do not punish students who report on such attacks which they undertook on their own. (Herschberg and Alpers deliberately have no email connection.)

Different from recent years, a seminar on Computer viruses (presented by Morton Swimmer of Virus Test Center, Univ. Hamburg) was deliberately devoted to disseminate non-destructive information (avoiding any presentation of virus programming). A survey of legal aspects of inadequate software quality (including viruses and program errors) was presented by lawyer Freiherr von Gravenreuth (fehlvir.txt: 5.6 kByte).

Some public attention was drawn to the fact that the "city-call" telephone system radio-transmits information essentially as ASCII. A demonstration proved that such transmitted texts may easily be intercepted, analysed and even manipulated on a PC. CCC publicly warned that "profiles" of such texts (and those addressed) may easily be collected, and asked Telecom to inform users about this insecurity (radioarm.txt: 1.6 kByte); German Telecom did not follow this advice.

Besides discussions of emerging voice mailboxes (voicebox.txt: 2.8 kBytes), an interesting session presented a C64-based chipcard analysis system (chipcard.txt: 3.3 kBytes). Two students have built a simple mechanism to analyse (from systematic IO analysis) the protocol of a German telephone card communicating with the public telephone box; they described, in some detail (including an electron-microscopic photo) the architecture and the system behaviour, including 100 bytes of communication data stored (for each call, for 80 days!) in a central German Telecom computer. Asked for legal implications of their work, they argued that they just wanted to understand this technology, and they were not aware of any legal constraint. They have not analysed possibilities to reload the telephone account (which is generally possible, due to the architecture), and they did not analyse architectures or procedures of other chipcards (bank cards etc).

Following CCC's (10-year old charta), essential discussions were devoted to social themes. The "Feminine computer handling" workshop deliberately excluded men (about 25 women participating), to avoid last year's experience of male dominancy in related discussions (femin.txt: 4.2 kBytes). A session (mainly attended by informatics students) was devoted to "Informatics and Ethics" (ethik.txt: 3.7 kByte), introducing the international state-of-discussion, and discussing the value of professional standards in the German case.

A discussion about "techno-terrorism" became somewhat symptomatic for CCC's actual state. While external participants (von Gravenreuth, Brunnstein) were invited to this theme, CCC-internal controversies presented the panel discussion under the technical title "definition questions".
While one fraction (Wernery, Wieckmann/terror.txt: 7.2 kByte) wanted to discuss possibilities, examples and dangers of techno-terrorism openly, others (CCC "ol'man" Wau Holland) wanted to generally define "terrorism" somehow academically, and some undertook to describe "government repression" as some sort of terrorism. In the controversial debate (wau_ter.txt: 9.7 kByte), few examples of technoterrorism (WANK worm, development of virus techniques for economic competition and warfare) were given.

More texts are available on: new German games in Multi-User Domain/Cyberspace (mud.txt: 3.8 kByte), and Wernery's "Btx documentation" (btx.txt: 6.2 kByte); not all topics have been reported. All German texts are available from the author (in self-extracting file: ccc91.exe, about 90 kByte), or from CCC (e-mail: SYSOP@CHAOS-HH.ZER, fax: +49-40-4917689).