The 36th Chaos Commnunication Congress (36c3) was held once again in Leipzig this year.
I have never documented my experiences at Congress, but I feel like this year is different. I did less ‘Angeling’ than I used to, and I feel like I should find ways to contribute back to this beautiful event.
Congress is a hacker gathering and then some. It's a place where the motto is “All Creatures Welcome”. In fact, there's a great documentary with that title. I recommend all those who can to watch it. You can find it on this media.ccc.de link.
Chaos Communication Congress (CCC) is where people go to learn, collaborate, share, educate, create, and communicate. It holds the heart of many a soul, and it's spirit can be found across all corners of this globe.
It is held close to the shortest, darkest days of the year in Germany; it holds some of the brightest minds and warmest hearts in a concentration I have ever yet to experience in any other congregation of our species.
It gives me hope for humanity, perhaps that is why I keep coming back–a glimmer of hope and a chance for growth amidst the chaos.
To begin to explain my experience at Congress, I must first confess that I am a geek and lover of all things that bring light to this world–blinkenlights among them, and Congress is full of blinkenlight!
I'll share with you the hardware I was given, the software I was exposed to, and some of the creatures that help shape my affection for Congress.
Hardware and Talks are in 36c3 - PART 2
- Session: YubiKey 101
- Communication Stack
- Chaotic Reflections
Session: YubiKey 101
This was my first Congress running a self-organized workshop.
I recruited the help of friends as well as received YubiKeys donated from Yubico and BitGo. (By the way, the thoughts, ideas, and anything else coming from this blog post are my own and do not reflect BitGo nor Yubico in any way, shape, or form). Also, there's something that should be said for the generosity of these companies for donating these devices to help educate and protect random strangers.
We spent the morning before the workshop updating hashbang/book personal-hsm section.
The first YubiKey workshop was in a room that could hold 80 people, and it was full to the point of people sitting on the floors and at the door.
A lot of people had interest in YubiKeys, and they did not know that YubiKeys would be freely distributed to those without one. We had 50 YubiKeys graciously donated by BitGo and Yubico–both companies believing in empowering individuals and organizations in digital protection, whether it be assets or identity.
- YubiKey usecases (why you should have one)
- YubiKey Distribution (how you might get one)
- Begin Instructions (Verify your YubiKey is authentic)
Best if done before workshop (if possible):
- Step 0: Install Required Software
Stretch Goals (Time permitting)
- Step 0: Setup an Airgap Machine
- Step 1: Advanced GPG Setup
- Step 2: Email setup
- Step 3: Share Your Knowledge!
We made sure everyone verified their YubiKey was actually from Yubico and many added Two-Factor Authorization to one of their online identities. We did not want to represent ourselves by any means as a ‘trustworthy source’. Although we did want to expess that education in this area of digital identity protection is very important, and that tools like YubiKeys can be very easy to integrate into your daily digital routine.
Our workshop had a broad array of people with various degress of technical expertise. We decided to have a second workshop for a more advanced subset of participants.
About 40 people showed to this workshop we did a walkthrough demonstration of the Simple GPG setup and then fielded questions as well as welcomed the presentation from the TIF-IT smartcard people.
Assembly::402 Payment Required - Securing Your (Crypto)Assets
Although not an official organized session, it was fun showing people interested in the lightning node beer dispenser at
402 Payment Required Bitcoin Assembly.
I gave them $5 which they received/confirmed fairly fast on their bitcoin wallet app, then they filled their lightning channel (with a small initial fee), and were ‘off to the races’, pouring me beer.
One minor annoyance is that there are no lightning apps that are hosted on F-Droid. Which means I could not convince my friends that refuse to install anything but opensource applications on their mobile devices. I have never put an app on F-Droid, but I liked my experience with the Phoenix App, and will be taking a look at putting this app up in an F-Droid repo sometime soon.
Explaining how this process and the setup of the two apps to naive users was pretty fun and was an exercise in explaining how things worked on a variety of levels. My knowledge in this area is only so deep though, and it was nice to have deeper-knowledge experts within an arms-length away when things started getting into the nitty-gritty details.
The BIP-39 and BIP-32 Bitcoin Improvement Proposals definitely came up in the more technical discussions when curious people came and asked questions about setting up a bitcoin wallet and why this secret key was so secret.
A more human-friendly interface for encoding entropy for a secret
This BIP describes the implementation of a mnemonic code or mnemonic sentence – a group of easy to remember words – for the generation of deterministic wallets. It consists of two parts: generating the mnemonic, and converting it into a binary seed. This seed can be later used to generate deterministic wallets using BIP-0032 or similar methods.
Hierarchical Deterministic Wallets (or “HD Wallets”)' spec implements the key derivation path and comes up when someone new to using a crypto wallet doesn't understand why the receive address might be different each time they try to receive funds, but that the previous receive address would still work.
Once you start going down key derivation paths though it's very handy to have something to draw with, at least for me, it was nice to explain the structure of this system and the ‘flow’ of creating children keys visually.
Session::Kritical Kubernetes - Thomas Frick from Endocode
This workshop was more of a discussion about the best practices for securing kubernetes.
Various Links Shared during the Discussion/Workshop
- Establsishing Zero Trust for Kubernetes
- kelefstis – Thomas Fricke wants support for his project
- NIST Security Guidelines
This workshop was based on a lot of his previous work. See his talk from CCCamp 2019 Hacking Containers and Kubernetes.
Do not trust other people's images! Esepcially the
latest tagged images. It is best to always build the images yourselves
and store in a private repository.
In one of the slides presented, there was an interesting ‘challenge’ to demonstrate why
kubectl apply -f https://random-website-here might not be the best idea.
I decided to implement a demo of why this would be the case, changing the yaml file retrieved based on the User-Agent used.
The code for that is at jnaulty/kubectl-apply-demo.
Why Does Kubernetes not use Linux Namespacing??
It's a feature that's been in Docker for quite some time.
Yet it is an enhancement request in kubernetes currently. Support node-level user namespace remapping
It was disabled when Docker became ‘secure by default’ See the following links for the historical context in the codebase, and a nice reflection from Jess Frazelle on this particular issue:
- Kubernetes Issues #20870
- PR to ‘Fix’ #20870
- Jess Frazelle Blog Post “Containers, Security, and Echo Chambers”
Why this is Important
The best way to prevent privilege-escalation attacks from within a container is to configure your container’s applications to run as unprivileged users. For containers whose processes must run as the root user within the container, you can re-map this user to a less-privileged user on the Docker host. The mapped user is assigned a range of UIDs which function within the namespace as normal UIDs from 0 to 65536, but have no privileges on the host machine itself.
If container (think: pod) that is running as root escapes onto the host node, the container then has root on the host node.
See runc-and-cve-2019-5736 for more info on this happening in the wild
Longer Thoughts on this
In order to run Pods with software which expects to run as root or with elevated privileges while still containing the processes and protecting both the Nodes and other Pods, Linux kernel mechanism of user namespaces can be used make the processes in the Pods view their environment as having the privileges, while on the host (Node) level these processes appear as without privileges or with privileges only affecting processes in the same Pods The purpose of using user namespaces in Kubernetes is to let the processes in Pods think they run as one uid set when in fact they run as different “real” uids on the Nodes.
Thomas talked about how most helm charts could be improved from a security perspective. I found this snyk blog on public helm chart state of security and thought it was very relevant and illustrated some of the common issues helm charts have with security issues in the images they use. However, I was unable to find a tool that does a proper audit and report of helm charts, Open Policy Agent can fill that role, but requires learning Rego.
My friends and I try to stick to a FOSS stack.
If you haven't used Matrix, it's feature rich, and easy to install:
- e2e encrypted
- does not require a phone number
Every Congress has been different in it's own unique way. For this Congress, I wanted a big part of it to be educating others on things I've learned from the last couple of years. Things that help protect digital identity and privacy.
The YubiKey workshop was one way to do that and I cannot thank the help I had from @dgrove, @lrvick, @stinethebean, @toybomb, @jonf3n, @tingwai, and @maxammann. They have as much (if not more) knowledge about YubiKeys than me. I would have never had the courage to host a Session at CCC without their help in planning, coordinating, and content creating.
Next year, I plan on continuing with this desire to spend more time educating those interested in topics I've become acquainted and proficient in.
I think I have piqued the interest of others as well–specifically those in the
#! (Hashbang) group.
Hashbang plans to have an assembly at 37c3. A space where people can come and learn why a lot of us align with @lrvick's sentiment, “the best gifts to loved ones or yourself are security and privacy.”
Next year, we will organize workshops at our assembly where anyone can come learn the following and more:
- Setup YubiKeys and hardware wallets
- Install QubesOS or AOSP
- Try apps from F-Droid
- Ditch VPNs for Tor
- Move contacts to Riot
- Migrate to password-store or Mooltipass
- Buy with cash or Bitcoin
- Use DuckDuckGo instead of Google
This is the kind of endeavour I look forward to in 2020 (as well as the next Chaos Communication Congress)!
I also look forward to seeing my Chaos Creatures Family. The people I met through CCC. The people who I bonded with over discussions of privacy, security, or blinkenlights. The people I bonded with while picking up bottles and doing teardown after the Closing Ceremony. These people become my friends so easily it seems like magic. And they are everywhere. Curiousity is pervasive and contagious. Conversations are warm and rich. The atmosphere is alive with questions and laughter and club mate carts whizzing by on wheels using a Wii remote.
It is absolute chaos, and I love it.
Thank you to everyone who made it so.