Lenin wore a hula skirt and a flower garland — do I have to say more? The Chaos Communication Camp 2007 of the Chaos Computer Club at Finowfurt Airport was a totally outstanding event. The whole crew, especially Julia and fh, did a great job organizing it. In the first place the setting was awesome. Camping on the historic Russian airport somewhere in Brandenburg, sitting next to old planes and listening to interesting talks in bunkers were unique experiences. It was fun for me to spend the first hours and days just walking around and discovering the area.
When at night the whole place changed into an illuminated party zone, I wondered once again how an event like that was possible at all. The two thousand attendees had a quite fast and mostly working internet in the middle of nowhere. Everybody around was helpful and even the short rainstorms couldn’t spoil the fun.
There were a lot of interesting talks — shame on me that I only listened to a few of them: Lisa’s talk on finding and exploiting concurrency issues in software, Seth Hardy’s excellent talk “A Crash Course In The Math of Public Key Cryptography”, Dan’s Black Ops 2007, Fefe’s “Know your compiler” and Gil’s talk about ZERT and binary patches. Unfortunately, I missed the talk about the A5 Cracking Project — well, all the talks have been recorded, so I will see it online in a few weeks. Update: kuza55 notified me that the recording is already online :)
It was so much fun hanging around with all the Italians (especially ascii, Alessio and Fabio), the guys from Leiwandville, the Illuminats from Entropia, the crowd from Berlin, Dresden and Cologne, the Americans at Camp Anaconda and all the other dudes from all over Europe. I had some great conversations, for example with Dan Kaminsky regarding attacks using DNS rebinding with a very cool private presentation of his “Suckets” and I talked with FX regarding so-called Security 2.0 and other funny things.
I was somewhat unsatisfied by my own talk entitled “Testing and Exploiting Flash Applications”. Since I’m not a native speaker, I was extremely nervous in the beginning. Funny thing is that especially the German listeners were upset about my poor language skills and some even claimed that I should have held the presentation in German. But in the aftermath I had quite a few interesting conversations, e.g. with Rob (the maintainer of Gnash, a free and open Flash Player alternative) about Flash security models. I would not have had this chance if I had held my lecture in German.
Well, I guess badly spoken English is one of the most spoken languages in the world =)
Since one hour is a short period of time, I only explained the basics and demonstrated some funny but harmless example exploits with XML.load functions like CNN’s v0te teh l33t, Nokia’s OpenMoko support and RTL’s feature of the camp talks (Update: fixed by RTL. Update 2: They didn’t get it right: It’s only fixed if variable ‘xmldata’ starts with “http://”). I also explained a flaw in AS3 socket handling, mainly discovered by David Neu after a discussion we had a while ago. Adobe has already acknowledged the problem and told us they will patch it by the end of October. We decided to release the info to the public before then, since it is less dangerous than buffer overflows in their player or media server.
During my talk I introduced a Flash Security Project called FlashSec. This project aims at developing testing methods and tools for Flash/AIR security auditing and documentation.
I found it very funny to get applause after showing how one can use simple LocalConnections to let Flash movies talk to each other cross-domain. For attackers it is especially useful to build Flash-based attack back channels. By the way: In this context I’d also like to mention Thai Duong, who notified me about his lecture at VNSECON07 where he demonstrated how to zombify a browser with Flash just a couple of days before.
Nonetheless, both the positive and the negative feedback I got was very useful for preparing and extending my talk for FrOSCON next week.