                          ==Phrack Magazine==

             Volume Five, Issue Forty-Five, File 13 of 28

The 10th Chaos Computer Congress

by Manny E. Farber

Armed only with an invitation in English addressed to the "global community" and a small pile of German Marks, I arrived at the Eidelstedter Buergerhaus about an hour or so before the beginning of the 10th Chaos Communication Congress (subtitled "Ten years after Orwell"), sponsored by the (in)famous Chaos Computer Club. The Buergerhaus (literally, "citizen's house") turned out to be a modest community hall; needless to say, not all invited showed up. The Congress took place between the 27th and the 29th of December. As the title implies, social as well as technical issues were on the docket.

After forking over 30 DM (about $20) for a pass for the first two days of the Congress, I sort of felt like asking for a schedule, but refrained, thinking that asking for scheduled chaos might seem a bit odd. I went to the cafeteria for breakfast. An organizer started out announcing, "Anyone who wants to eat breakfast pays 5 Marks, and gets a stamp, which--no, rather, anyone who wants breakfast pays 5 Marks and eats breakfast."

The atmosphere was quite collegial and informal, with little more order than was absolutely necessary. The approximately 150 attendees were predominantly German (a few from Switzerland and Holland, at least -- and probably only -- one from the United States, namely myself), male, and technically oriented. (During an explanation of the mathematical algorithm underlying electronic cash, a non-techie objected, "But I don't want to have to think up a 200-digit random number every time I buy something!" It was explained to him that this was done by software in the chip-card ...).

Although not mentioned in the invitation, not a word of English was to be heard; all the events were conducted in German. Some were conducted in a "talk show" format, with a host asking questions, simplifying answers, making jokes. A television network carried the video from the auditorium to other rooms throughout the building (albeit without sound) along with up-to-the-minute event schedules.

The tone of the discussions of how electronic cash could be embezzled, or chip cards abused, digital signatures forged, etc., was constructive rather than destructive. And it was balanced, i.e. not only "how could a malicious individual embezzle money?" was discussed, but also "how could the government use chip cards to reduce people's privacy?" Here, the "hackers" were hackers in the positive sense of understanding a technology, not in the negative sense of wreaking havoc. It was, however, noted that trying out a potential weakness of the "EuroScheck" cash cards was quite easy: it would require buying a card reader for 1,500 DM and maybe a week of time.

The question of technical solutions to "big brother" did come up in the presentations about chip cards. The danger is that a pile of cards is eliminated in favor of a card containing someone's driver's license, driving record (maybe), employee information, credit information, etc. etc. A chip card could theoretically be programmed to give out only the information absolutely necessary, e.g. telling a policeman only that someone is allowed to drive, without disclosing his identity.

The "Hackzentrum" (Hacking Center) turned out to be a room filled with networked computers and people hacking on them. It seemed mostly harmless. (I nevertheless did not try a remote login -- I had no reason to doubt good intentions, but on the other hand, who knows who wrote or replaced the keyboard driver and what sort of supplemental functionality it might have?) The packet radio room had a "Digi" repeating station and, true to the ham radio tradition, where the conversation centers on who is talking to whom and how well they hear each other and on what other frequency they might hear each other better, the computers attached were mostly displaying maps of the packet radio network itself. I didn't delve very deeply into the "Chaos Archive," but noticed a collection of maintenance sheets for telephone equipment among CCC newsletters and other paraphernalia.

Some "signs of the Congress":

- Bumper sticker:  "I (heart) your computer"
- Telephone stickers:  "Achtung, Abhoergefahr" ("Attention,
  Eavesdropping danger"); and the German PTT logo transformed into a
  pirate insignia, with the words "Telefun - Mobilpunk" (derived from
  "Telefon - Mobilfunk")
- T-shirt:  "Watching them (eye-ball) watching us"
- Post-It Note pad (for sale for DM 1.50):  a pad of about 50,
  pre-printed with a hand-written note:  "Vorsicht, Stoerung.
  Automat macht Karte ungueltig" ("Careful--Defect. Machine makes
  card invalid")
- Word coinage:  "Gopher-space"
- Stamp:  "ORIGINALE KOPIE" ("ORIGINAL COPY")

The press were told not to take pictures of anyone without their explicit permission.

Schedules were distributed throughout the Congress. By the evening of the 27th, a schedule for the 28th, "Fahrplan 28.12 Version 2.0," was already available ("Fahrplan" means a bus/train schedule; this is presumably an "in" joke). By 17:30 on the 28th, "Fahrplan 28.12 Version 2.7" was being distributed. (I missed most of the intervening versions; presumably they were neatly filed away in the Chaos Archive by then ...)

The scheduled events (in translation) were as follows; a "*" means that I have included some comments later in this report:

December 27, 1993

December 28, 1993

December 29, 1993


THE EAVESDROPPING ATTACK

This has to do with a proposed law making its way through the German Parliament. The invitation describes this as "a proposed law reform allowing state authorities to listen in, even in private rooms, in order to fight organized crime." This session was the centerpiece of the Congress. Bayerische Rundfunk, the Bavarian broadcaster, sent a reporter (or at least a big microphone with their logo on it). The panel consisted of:

MdB        - Mitglied des Bundestags (Member of Parliament) Peter Paterna
DsB        - Datenschutz Beauftragter Hamburg (Data privacy official) Peter Schar
Journalist - from Die Zeit
PTT        - a representative from the German PTT
Student    - writing a book about related issues
CCC        - a few members of the Chaos Computer Club

My notes are significantly less than a word-for-word transcript. In the following, I have not only excerpted and translated, but reorganized comments to make the threads easier to follow.

IS IT JUSTIFIED?

MdB - There is massive concern ("Beunruhigung") in Germany: 7 million crimes last year. Using the US as comparison for effectiveness of eavesdropping, it's only applicable in about 10-20 cases: this has nothing to do with the 7 million. The congress is nevertheless reacting to the 7 million, not to the specifics. In principle, I am opposed and have concerns about opening a Pandora's box.

CCC #1 - The 7 million crimes does not surprise me in the least. I am convinced that there is a clear relationship between the number of laws and the number of crimes. When you make more laws, you have more crimes. Every second action in this country is illegal.

Journalist - Laws/crimes correlation is an over-simplification. There are more murders, even though there are no more laws against it.

MdB - There is a conflict between internal security, protecting the constitution, and civil rights. How dangerous is 6 billion Marks of washed drug money to the nation? Taking the US as an example, the corrosion may have gone so far that it's too late to undo it. I hope that this point hasn't been reached yet in Germany.

DsB - I am worried about a slippery slope. There is a tradeoff between freedom and security, and this is the wrong place to make it; other more effective measures aren't being taken up.

EFFECTIVENESS OF CONTROLS ON EAVESDROPPING

MdB - Supposedly federal controls are effective. Although there are very few eavesdropping cases, even if you look at those that are court-approved, it's increasing exponentially. No proper brakes are built into the system. As for controls for eavesdropping by the intelligence service, there is a committee of three members of parliament, to whom all cases must be presented. They have final say, and I know one of the three, and have relatively much trust in him. They are also allowed to go into any PTT facility anytime, unannounced, to see whether or not something is being tapped or not.

MdB - Policies for eavesdropping: if no trace of an applicable conversation is heard within the first "n" minutes, they must terminate the eavesdropping [...] The question is, at which point the most effective brakes and regulations should be applied: in the constitution? in the practice?

PTT - True, but often the actual words spoken are not important, rather who spoke with whom, and when.

DsB - There is no catalog for crimes, saying what measures can be applied in investigating which crimes. It's quite possible to use them for simple crimes, e.g. speeding. There is no law saying that the PTT has to store data; they may. They can choose technical and organizational solutions that don't require it.

MdB - This is a valid point, I don't waive responsibility for such details. The PTT could be required to wipe out detailed information as soon as it is no longer needed, e.g. after the customer has been billed for a call.

TECHNICAL TRENDS

Journalist - Digital network techniques make it easy to keep trails, and there is an electronic trail produced as waste product, which can be used for billing as well as for other purposes. Load measurements are allowable, but it can also be used for tracking movements.

DsB - The PTT claims they need detailed network data to better plan the network. The government says they need details in order to be able to govern us better.

DsB - In the past, the trend has always been to increasingly identifiable phone cards. There is economic pressure on the customer to use a billing card instead of a cash card, since a telephone unit costs less. With "picocells," your movement profile is getting more and more visible.

PTT - As for the trend towards less-anonymous billing-cards: with the new ISDN networks, this is necessary. Billing is a major cost, and this is just a technical priority.

Student - As for techniques to reduce potential for eavesdropping, it is for example technically possible to address a mobile phone without the network operator needing to know its position. Why aren't such things being pursued?

PTT - UMTS is quite preliminary and not necessarily economically feasible. [Comments about debit cards]. We have more interest in customer trust than anything else. But when something is according to the law, we have no option other than to carry it out. But we don't do it gladly.

THE BIG CONSPIRACY?

CCC #2 - I don't give a shit about these phone conversations being overheard. I want to know why there is such a big controversy. Who wants what? Why is this so important? Why so much effort? Why are so many Mafia films being shown on TV when the eavesdropping law is being discussed? What's up? Why, and who are the people?

Student - I am writing a book about this, and I haven't figured this out myself. My best theory: there are some politicians who have lost their detailed outlook ("Feinbild"), and they should be done away with ("abgeschaffen").

PTT - We're in a difficult position, with immense investments needed to be able to overhear phone conversations [in digital networks (?)]. We have no interest in a cover-up.

MdB - As for the earlier question about what NATO countries may do. During the occupation of Berlin, they did what they wanted on the networks. In western Germany, it has always been debated. Funny business has never been proved, nor has suspicion been cleared up.

CCC #2 - After further thought, I have another theory. American companies are interested in spying on German companies in order to get a jump on their product offerings.

MdB - That's clear, but there are more benign explanations. Government offices tend towards creating work. Individuals are promoted if their offices expand, and they look for new fields to be busy in. In Bonn, we've gone from 4,000 people to 24,000 since the 50's.

CCC #1 (to MdB) - Honestly, I don't see why you people in Bonn are anything other than one of these impenetrable bureaucracies like you described, inaccessible, out of touch with reality, and interested only in justifying their own existence.

MdB - Well, my federal government isn't that.

CLIPPER CHIP CONTROVERSY

Student - Observation/concern: in the US, AT&T's encryption system is cheap and weak. If this becomes a de facto standard, it is much harder to introduce a better one later.

Journalist - In the US, the Clipper chip controversy has centered more on the lost business opportunities for encryption technology, not on principles. There every suggestion for forbidding encryption has encountered stiff opposition.

Student - As for the Clipper algorithm, it's quite easy to invite three experts to cursorily examine an algorithm (they weren't allowed to take documents home to study it) and then sign-off that they have no complaints.

Journalist - As for the cursory rubber-stamping by the three experts who certified the Clipper algorithm, my information is that they had multiple days of computing time on a supercomputer available. I don't see a problem with the algorithm. The problem lies in the "trust centers" that manage the keys. I personally don't see why the whole question of cryptology is at all open ("zugaenglich") for the government.

CONCLUDING REMARKS

DsB - The question is not only whether or not politicians are separated from what the citizens want, but also of what the citizens want. Germans have a tendency to value security. Different tradition in the US, and less eavesdropping. I can imagine how the basic law ("Grundgesetz") could be eliminated in favor of regulations designed to reduce eavesdropping, the trade-off you (MdB) mentioned earlier. The headlines would look like "fewer cases of eavesdropping", "checks built in to the system," etc., everyone would be happy, and then once the law has been abolished, it would creep back up, and then there's no limit.

MdB - (Nods agreement)

CCC #2 - There are things that must be administered centrally (like the PTT), and the government is the natural choice, but I suggest that we don't speak of the "government," but rather of "coordination." This reduces the perceived "required power" aspect ... As a closing remark, I would like to suggest that we take a broader perspective, assume that a person may commit e.g. 5,000 DM more of theft in his lifetime, live with that, and save e.g. 100,000 DM in taxes trying to prevent this degree of theft.


MEDIA AND INFORMATION STRUCTURES

In this session, a lot of time was wasted in pointless philosophical discussion of what is meant by Truth, although once this topic was forcefully ignored, some interesting points came up (I don't necessarily agree or disagree with these):


ALTERNATIVE NETWORKS

Several people reported about computer networks they set up and are operating. A sampling:

APS+Hacktic - Rop Gonggrijp reported about networking services for the masses, namely Unix and Internet for about $15 per month, in Holland. There are currently 1,000 subscribers, and the funding is sufficient to break even and to expand to keep up with exponential demand.

A German reported about efforts to provide e-mail to regions of ex-Yugoslavia that are severed from one another, either due to destroyed telephone lines or to phone lines being shut off by the government. A foundation provided them with the funds to use London (later Vienna), which is reachable from both regions, as a common node.

The original author of the Zerberus mail system used on many private German networks complained about the degree of meta-discussion and how his program was being used for people to complain about who is paying what for networking services and so forth. He said he did not create it for such non-substantial blather. The difference between now and several years ago is that now there are networks that work, technically, and the problem is how to use them in a worthwhile manner.

A German of Turkish origin is trying to allow Turks in Turkey to participate in relevant discussions on German networks (in German) and is providing translating services (if I heard right, some of this was being done in Sweden). This killed the rest of the session, which degenerated into a discussion of which languages were/are/should be used on which networks.


HOW AN INTELLIGENCE SERVICE WORKS: STASI TRAINING VIDEOS

The person introducing the videos sat on the stage, the room darkened. The camera blotted out his upper body and face; all that was to be seen on the video, projected behind him, was a pair of hands moving around.

It apparently didn't take much to earn a file in the Stasi archives. And once you were in there, the "10 W's: Wo/wann/warum/mit wem/..." ("where/when/why/with whom/...") ensured that the file, as well as those of your acquaintances, grew.

The videos reported the following "case studies":