==Phrack Magazine==

Volume Five, Issue Forty-Five, File 13 of 28

****************************************************************************

The 10th Chaos Computer Congress

by Manny E. Farber

Armed only with an invitation in English addressed to the "global
community" and a small pile of German Marks, I arrived at the
Eidelstedter Buergerhaus about an hour or so before the beginning of
the 10th Chaos Communication Congress (subtitled "Ten years after
Orwell"), sponsored by the (in)famous Chaos Computer Club. The
Buergerhaus (literally, "citizens' house") turned out to be a modest
community hall; needless to say, not all invited showed up. The
Congress took place between the 27th and the 29th of December. As the
title implies, social as well as technical issues were on the docket.

After forking over 30 DM (about $20) for a pass for the first two
days of the Congress, I sort of felt like asking for a schedule, but
refrained, thinking that asking for scheduled chaos might seem a bit
odd. I went to the cafeteria for breakfast. An organizer started out
announcing, "Anyone who wants to eat breakfast pays 5 Marks, and gets a
stamp, which--no, rather, anyone who wants breakfast pays 5 Marks and
eats breakfast."

The atmosphere was quite collegial and informal, with little more
order than was absolutely necessary. The approximately 150 attendees
were predominantly German (a few from Switzerland and Holland, at least
-- and probably only -- one from the United States, namely myself),
male, and technically oriented. (During an explanation of the
mathematical algorithm underlying electronic cash, a non-techie
objected, "But I don't want to have to think up a 200-digit random
number every time I buy something!" It was explained to him that this
was done by software in the chip-card ...)

Although not mentioned in the invitation, not a word of English was to
be heard; all the events were conducted in German. Some were conducted
in a "talk show" format, with a host asking questions, simplifying
answers, making jokes. A television network carried the video from the
auditorium to other rooms throughout the building (albeit without
sound) along with up-to-the-minute event schedules.

The tone of the discussions of how electronic cash could be
embezzled, or chip cards abused, digital signatures forged, etc., was
constructive rather than destructive. And it was balanced, i.e. not
only "how could a malicious individual embezzle money?" was discussed,
but also "how could the government use chip cards to reduce people's
privacy?" Here, the "hackers" were hackers in the positive sense of
understanding a technology, not in the negative sense of wreaking
havoc. It was, however, noted that trying out a potential weakness of
the "EuroScheck" cash cards was quite easy: it would require buying a
card reader for 1,500 DM and maybe a week of time.

The question of technical solutions to "big brother" did come up in
the presentations about chip cards. The danger is that a pile of cards
is eliminated in favor of a card containing someone's driver's license,
driving record (maybe), employee information, credit information, etc.
etc. A chip card could theoretically be programmed to give out *only*
the information absolutely necessary, e.g. telling a policeman only
that someone is allowed to drive, without disclosing his identity.
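
The selective-disclosure idea in that paragraph, worked through as an
added example (it is not from the original report and not any scheme
presented at the Congress): the issuer commits to each card attribute
separately with a salted hash, signs the set of commitments, and the card
releases only the attribute and salt the verifier asks for. The issuer
key, the attribute names and the sample holder are assumptions, and an
HMAC stands in for the issuer's public-key signature so that the example
runs on the Python standard library alone.

```python
"""Selective disclosure from a multi-attribute card: the card releases only
the attribute a verifier asks for, yet the verifier can still check that
the issuer vouched for it.  Constructed example; the issuer key, attribute
names and commitment layout are assumptions, not any real card scheme."""
import hashlib
import hmac
import json
import secrets

# Hypothetical issuer key shared with verifiers.  A deployed scheme would
# use a public-key signature so verifiers hold no secret; HMAC keeps this
# example stdlib-only.
ISSUER_KEY = b"constructed-issuer-key-for-illustration"


def commit(name: str, value: str, salt: bytes) -> str:
    """Salted hash commitment to one attribute.  The salt is what stops a
    verifier from recovering an undisclosed low-entropy value by guessing."""
    data = salt + name.encode() + b"\x00" + value.encode()
    return hashlib.sha256(data).hexdigest()


def sign_commitments(commitments: dict) -> str:
    """Issuer's signature over the whole commitment set (HMAC stand-in)."""
    payload = json.dumps(commitments, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()


def issue_card(attributes: dict, salt_bytes: int = 16) -> dict:
    """Issuer side: commit to every attribute separately, sign the set.
    salt_bytes=0 models an unsalted (broken) variant used below."""
    salts = {k: secrets.token_bytes(salt_bytes) for k in attributes}
    commitments = {k: commit(k, v, salts[k]) for k, v in attributes.items()}
    return {
        "attributes": dict(attributes),
        "salts": salts,
        "commitments": commitments,
        "signature": sign_commitments(commitments),
    }


def present(card: dict, disclose: list) -> dict:
    """Card side: hand over only the requested attributes and their salts,
    plus the full commitment set and the issuer's signature over it."""
    return {
        "disclosed": {k: (card["attributes"][k], card["salts"][k].hex())
                      for k in disclose},
        "commitments": dict(card["commitments"]),
        "signature": card["signature"],
    }


def verify(presentation: dict, require: list):
    """Verifier side: check the issuer's signature over the commitment set,
    then open each required commitment.  Returns the verified attribute
    values, or None if anything is missing, forged or tampered with."""
    expected = sign_commitments(presentation["commitments"])
    if not hmac.compare_digest(expected, presentation["signature"]):
        return None
    verified = {}
    for name in require:
        if name not in presentation["disclosed"]:
            return None
        value, salt_hex = presentation["disclosed"][name]
        recomputed = commit(name, value, bytes.fromhex(salt_hex))
        if recomputed != presentation["commitments"].get(name):
            return None
        verified[name] = value
    return verified


def guess_hidden(presentation: dict, name: str, candidates: list):
    """Curious verifier: try to learn an undisclosed attribute by guessing.
    Without the salt it can only test unsalted commitments, so this succeeds
    exactly when the issuer skipped the salt."""
    target = presentation["commitments"].get(name)
    for candidate in candidates:
        if commit(name, candidate, b"") == target:
            return candidate
    return None


# Constructed sample: one card, a roadside check that needs only "may_drive".
SAMPLE = {"name": "M. Mustermann", "birth_year": "1961",
          "licence_class": "B", "may_drive": "yes"}

if __name__ == "__main__":
    card = issue_card(SAMPLE)
    roadside = present(card, ["may_drive"])
    print(verify(roadside, ["may_drive"]))      # {'may_drive': 'yes'}
    print(verify(roadside, ["name"]))           # None: name was not disclosed
    print(guess_hidden(roadside, "licence_class", ["A", "B", "C"]))  # None
    unsalted = present(issue_card(SAMPLE, salt_bytes=0), ["may_drive"])
    print(guess_hidden(unsalted, "licence_class", ["A", "B", "C"]))  # B
```

Run as a script it prints the roadside check result and the two guessing
attempts. The unsalted variant (salt_bytes=0) is the caveat: a bare hash
of a low-entropy attribute such as a licence class hides nothing, a
curious verifier recovers it with three guesses, so it is the salt, not
the hash, that keeps the undisclosed fields private. Because the
signature covers the whole commitment set, a holder cannot swap in a
commitment to a value the issuer never certified.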

The "Hackzentrum" (Hacking Center) turned out to be a room filled
with networked computers and people hacking on them. It seemed mostly
harmless. (I nevertheless did not try a remote login -- I had no
reason to doubt good intentions, but on the other hand, who knows who
wrote or replaced the keyboard driver and what sort of supplemental
functionality it might have?) The packet radio room had a "Digi"
repeating station and, true to the ham radio tradition, where the
conversation centers on who is talking to whom and how well they hear
each other and on what other frequency they might hear each other
better, the computers attached were mostly displaying maps of the
packet radio network itself. I didn't delve very deeply into the
"Chaos Archive," but noticed a collection of maintenance sheets for
telephone equipment among CCC newsletters and other paraphernalia.

Some "signs of the Congress":

- Bumper sticker: "I (heart) your computer"
- Telephone stickers: "Achtung, Abhoergefahr" ("Attention,
  Eavesdropping danger"); and the German PTT logo transformed into a
  pirate insignia, with the words "Telefun - Mobilpunk" (derived from
  "Telefon - Mobilfunk")
- T-shirt: "Watching them (eye-ball) watching us"
- Post-It Note pad (for sale for DM 1.50): a pad of about 50,
  pre-printed with a hand-written note: "Vorsicht, Stoerung.
  Automat macht Karte ungueltig" ("Careful--Defect. Machine makes
  card invalid")
- Word coinage: "Gopher-space"
- Stamp: "ORIGINALE KOPIE" ("ORIGINAL COPY")

The press were told not to take pictures of anyone without their
explicit permission.

Schedules were distributed throughout the Congress. By the evening
of the 27th, a schedule for the 28th, "Fahrplan 28.12 Version 2.0," was
already available ("Fahrplan" means a bus/train schedule; this is
presumably an "in" joke). By 17:30 on the 28th, "Fahrplan 28.12
Version 2.7" was being distributed. (I missed most of the intervening
versions; presumably they were neatly filed away in the Chaos Archive
by then ...)

The scheduled events (in translation) were as follows; a "*" means
that I have included some comments later in this report:

December 27, 1993

- Welcoming/opening
- How does a computer work?
- ISDN: Everything over one network
- Internet and multimedia applications: MIME/Mosaik/Gopher
- Data transport for beginners
- Chip-cards: Technology
* Media and information structures: How much truth remains? Direct
  democracy: information needs of the citizen
- Encryption for beginners, the practical application of PGP
* Alternative networks: ZAMIRNET, APS+Hacktic, Green-Net, Knoopunt,
  Z-Netz and CL

December 28, 1993

- Encryption: Principles, Systems, and Visions
- Modacom "wireless modem"
- Electronic Cash
- Bulletin board protocols: Functional comparison and social form, with the
  example of citizen participation
- Discussion with journalist Eva Weber
- Net groups for students, Jan Ulbrich, DFN
* What's left after the eavesdropping attack? Forbidding encryption?
  Panel: Mitglied des Bundestags (Member of Parliament) Peter Paterna,
  Datenschutz Beauftragter Hamburg (Data privacy official) Peter Schar,
  a journalist from Die Zeit, a representative from the German PTT, a
  student writing a book about related issues, and a few members of the
  Chaos Computer Club
- Cyber Bla: Info-cram
* How does an intelligence service work? Training videos from the
  "Stasi" (Ministerium fuer STAatsSIcherheit, Ministry for State Security)
- System theory and Info-policies with Thomas Barth
- Science Fiction video session: Krieg der Eispiraten
  ("War of the ice pirates")

December 29, 1993

- Thoughts about organization ("Urheben")
- Computer recycling
- Dumbness in the nets: Electronic warfare
- Lockpicking: About opening locks
- The Arbeitsgemeinschaft freier Mailboxen introduces itself
- In year 10 after Orwell ... Visions of the hacker scene

-------------------------------------------------------------------------------
THE EAVESDROPPING ATTACK

This has to do with a proposed law making its way through the German
Parliament. The invitation describes this as "a proposed law reform
allowing state authorities to listen in, even in private rooms, in
order to fight organized crime." This session was the centerpiece of
the Congress. Bayerischer Rundfunk, the Bavarian broadcaster, sent a
reporter (or at least a big microphone with their logo on it). The
panel consisted of:

MdB - Mitglied des Bundestags (Member of Parliament) Peter Paterna
DsB - Datenschutz Beauftragter Hamburg (Data privacy official) Peter Schar
Journalist - from Die Zeit
PTT - a representative from the German PTT
Student - writing a book about related issues
CCC - a few members of the Chaos Computer Club

My notes are significantly less than a word-for-word transcript. In
the following, I have not only excerpted and translated, but
reorganized comments to make the threads easier to follow.

IS IT JUSTIFIED?

MdB - There is massive concern ("Beunruhigung") in Germany: 7 million
crimes last year. Using the US as comparison for effectiveness of
eavesdropping, it's only applicable in about 10-20 cases: this has
nothing to do with the 7 million. The congress is nevertheless
reacting to the 7 million, not to the specifics. In principle, I am
opposed and have concerns about opening a Pandora's box.

CCC #1 - The 7 million crimes do not surprise me in the least. I am
convinced that there is a clear relationship between the number of laws
and the number of crimes. When you make more laws, you have more
crimes. Every second action in this country is illegal.

Journalist - Laws/crimes correlation is an over-simplification. There
are more murders, even though there are no more laws against it.

MdB - There is a conflict between internal security, protecting the
constitution, and civil rights. How dangerous is 6 billion Marks of
washed drug money to the nation? Taking the US as an example, the
corrosion may have gone so far that it's too late to undo it. I hope
that this point hasn't been reached yet in Germany.

DsB - I am worried about a slippery slope. There is a tradeoff between
freedom and security, and this is the wrong place to make it; other
more effective measures aren't being taken up.

EFFECTIVENESS OF CONTROLS ON EAVESDROPPING

MdB - Supposedly federal controls are effective. Although there are
very few eavesdropping cases, even if you look at those that are
court-approved, it's increasing exponentially. No proper brakes are
built into the system. As for controls for eavesdropping by the
intelligence service, there is a committee of three members of
parliament, to whom all cases must be presented. They have final say,
and I know one of the three, and have relatively much trust in him.
They are also allowed to go into any PTT facility anytime, unannounced,
to see whether or not something is being tapped.

MdB - Policies for eavesdropping: if no trace of an applicable
conversation is heard within the first "n" minutes, they must terminate
the eavesdropping [...] The question is, at which point the most
effective brakes and regulations should be applied: in the
constitution? in the practice?

PTT - True, but often the actual words spoken are not important, rather
who spoke with whom, and when.

DsB - There is no catalog of crimes, saying what measures can be
applied in investigating which crimes. It's quite possible to use them
for simple crimes, e.g. speeding. There is no law saying that the PTT
*has to* store data; they *may*. They can choose technical and
organizational solutions that don't require it.

MdB - This is a valid point, I don't waive responsibility for such
details. The PTT could be required to wipe out detailed information as
soon as it is no longer needed, e.g. after the customer has been billed
for a call.

TECHNICAL TRENDS

Journalist - Digital network techniques make it easy to keep trails,
and there is an electronic trail produced as waste product, which can
be used for billing as well as for other purposes. Load measurements
are allowable, but it can also be used for tracking movements.

DsB - The PTT claims they need detailed network data to better plan the
network. The government says they need details in order to be able to
govern us better.

DsB - In the past, the trend has always been to increasingly
identifiable phone cards. There is economic pressure on the customer
to use a billing card instead of a cash card, since a telephone unit
costs less. With "picocells," your movement profile is getting more
and more visible.

PTT - As for the trend towards less-anonymous billing-cards: with the
new ISDN networks, this is necessary. Billing is a major cost, and
this is just a technical priority.

Student - As for techniques to reduce potential for eavesdropping, it
is for example technically possible to address a mobile phone without
the network operator needing to know its position. Why aren't such
things being pursued?

PTT - UMTS is quite preliminary and not necessarily economically
feasible. [Comments about debit cards]. We have more interest in
customer trust than anything else. But when something is according to
the law, we have no option other than to carry it out. But we don't do
it gladly.

THE BIG CONSPIRACY?

CCC #2 - I don't give a shit about these phone conversations being
overheard. I want to know why there is such a big controversy. Who
wants what? Why is this so important? Why so much effort? Why are so
many Mafia films being shown on TV when the eavesdropping law is being
discussed? What's up? Why, and who are the people?

Student - I am writing a book about this, and I haven't figured this
out myself. My best theory: there are some politicians who have lost
their detailed outlook ("Feinbild"), and they should be done away with
("abgeschaffen").

PTT - We're in a difficult position, with immense investments needed to
be able to overhear phone conversations [in digital networks (?)]. We
have no interest in a cover-up.

MdB - As for the earlier question about what NATO countries may do.
During the occupation of Berlin, they did what they wanted on the
networks. In western Germany, it has always been debated. Funny
business has never been proved, nor has suspicion been cleared up.

CCC #2 - After further thought, I have another theory. American
companies are interested in spying on German companies in order to get
a jump on their product offerings.

MdB - That's clear, but there are more benign explanations. Government
offices tend towards creating work. Individuals are promoted if their
offices expand, and they look for new fields to be busy in. In Bonn,
we've gone from 4,000 people to 24,000 since the 50's.

CCC #1 (to MdB) - Honestly, I don't see why you people in Bonn are
anything other than one of these impenetrable bureaucracies like you
described, inaccessible, out of touch with reality, and interested only
in justifying their own existence.

MdB - Well, *my* federal government isn't that.

CLIPPER CHIP CONTROVERSY

Student - Observation/concern: in the US, AT&T's encryption system is
cheap and weak. If this becomes a de facto standard, it is much harder
to introduce a better one later.

Journalist - In the US, the Clipper chip controversy has centered more
on the lost business opportunities for encryption technology, not on
principles. There every suggestion for forbidding encryption has
encountered stiff opposition.

Student - As for the Clipper algorithm, it's quite easy to invite
three experts to cursorily examine an algorithm (they weren't allowed
to take documents home to study it) and then sign off that they have no
complaints.

Journalist - As for the cursory rubber-stamping by the three experts
who certified the Clipper algorithm, my information is that they had
multiple days of computing time on a supercomputer available. I don't
see a problem with the algorithm. The problem lies in the "trust
centers" that manage the keys. I personally don't see why the whole
question of cryptology is at all open ("zugaenglich") for the
government.

CONCLUDING REMARKS

DsB - The question is not only whether or not politicians are separated
from what the citizens want, but also of what the citizens want.
Germans have a tendency to value security. Different tradition in
the US, and less eavesdropping. I can imagine how the basic law
("Grundgesetz") could be eliminated in favor of regulations designed to
reduce eavesdropping, the trade-off you (MdB) mentioned earlier. The
headlines would look like "fewer cases of eavesdropping", "checks built
in to the system," etc., everyone would be happy, and then once the law
has been abolished, it would creep back up, and then there's no limit.

MdB - (Nods agreement)

CCC #2 - There are things that must be administered centrally (like the
PTT), and the government is the natural choice, but I suggest that we
don't speak of the "government," but rather of "coordination." This
reduces the perceived "required power" aspect ... As a closing remark,
I would like to suggest that we take a broader perspective, assume that
a person may commit e.g. 5,000 DM more of theft in his lifetime, live
with that, and save e.g. 100,000 DM in taxes trying to prevent this
degree of theft.

-------------------------------------------------------------------------------
MEDIA AND INFORMATION STRUCTURES

In this session, a lot of time was wasted in pointless philosophical
discussion of what is meant by Truth, although once this topic was
forcefully ignored, some interesting points came up (I don't
necessarily agree or disagree with these):

- In electronic media, the receiver has more responsibility for judging
  truth placed on his shoulders. He can no longer assume that the sender
  is accountable. With "Network Trust," you would know someone who knows
  what's worthwhile, rather than filtering the deluge yourself. A
  primitive form of this already exists in the form of Usenet "kill" files.

- A large portion of Usenet blather is due to people who just got their
  accounts cross-posting to the entire world. The actual posting is not
  the problem, rather that others follow it up with a few dozen messages
  debating whether or not it's really mis-posted, or argue that they
  should stop discussing it, etc. People are beginning to learn however,
  and the ripple effect is diminishing.

- Companies such as Microsoft are afraid of the Internet, because its
  distributed form of software development means they are no longer the
  only ones able to marshal 100 or 1,000 people for a windowing system
  like X-Windows or Microsoft Windows.

- If someone is trying to be nasty and knows what he's doing, a Usenet
  posting can be made to cost $500,000 in network bandwidth, disk space, etc.

- At a Dutch university, about 50% of the network bandwidth could have
  been saved if copies of Playboy were placed in the terminal rooms.
  Such technical refinements as Gopher caching daemons pale in comparison.

- All e-mail into or out of China goes through one node. Suspicious,
  isn't it?

-------------------------------------------------------------------------------
ALTERNATIVE NETWORKS

Several people reported about computer networks they set up and are
operating. A sampling:

APS+Hacktic - Rop Gonggrijp reported about networking services for the
masses, namely Unix and Internet for about $15 per month, in Holland.
There are currently 1,000 subscribers, and the funding is sufficient to
break even and to expand to keep up with exponential demand.

A German reported about efforts to provide e-mail to regions of
ex-Yugoslavia that are severed from one another, either due to
destroyed telephone lines or to phone lines being shut off by the
government. A foundation provided them with the funds to use London
(later Vienna), which is reachable from both regions, as a common node.

The original author of the Zerberus mail system used on many private
German networks complained about the degree of meta-discussion and how
his program was being used for people to complain about who is paying
what for networking services and so forth. He said he did not create
it for such non-substantial blather. The difference between now and
several years ago is that now there are networks that work,
technically, and the problem is how to use them in a worthwhile manner.

A German of Turkish origin is trying to allow Turks in Turkey to
participate in relevant discussions on German networks (in German) and
is providing translating services (if I heard right, some of this
was being done in Sweden). This killed the rest of the session,
which degenerated into a discussion of which languages were/are/should
be used on which networks.

-------------------------------------------------------------------------------
HOW AN INTELLIGENCE SERVICE WORKS: STASI TRAINING VIDEOS

The person introducing the videos sat on the stage, the room
darkened. The camera blotted out his upper body and face; all that was
to see on the video, projected behind him, was a pair of hands moving
around.

It apparently didn't take much to earn a file in the Stasi archives.
And once you were in there, the "10 W's: Wo/wann/warum/mit wem/..."
("where/when/why/with whom/...") ensured that the file, as well as
those of your acquaintances, grew.

The videos reported the following "case studies":

- The tale of "Eva," whose materialistic lifestyle, contacts with
  Western capitalists, and "Abenteuerromantik" (adventure-romanticism)
  tendencies made her a clear danger to the state, as well as a valuable
  operative. She swore allegiance to the Stasi and was recruited.
  Eventually the good working relationship deteriorated, and the Stasi
  had to prevent her from trying to escape to the West. The video showed
  how the different parts of the intelligence service worked together.

- A member of the military made a call to the consulate of West
  Germany in Hungary. The list of 10,000 possible travellers to Hungary
  in the relevant time frame was narrowed down to 6,000 on the basis of a
  determination of age and accent from the recorded conversation, then
  down to 80 by who would have any secrets to sell, then down to three
  (by hunch? I don't remember now).

One video showed how a subversive was discreetly arrested. Cameras
throughout the city were used to track his movements. When he arrived
at his home, a few workers were "fixing" the door, which they claimed
couldn't be opened at the moment. They walked him over to the next
building to show him the entrance, and arrested him there. A dinky
little East German car comes up, six people pile into it. Two
uniformed police stand on the sidewalk pretending nothing is happening.