Third day started with Herald Welte's talk about running your own GSM network (He also had a talk the previous day about the state-of-the-art in smart phone architectures). He bought an old Siemens Base Transceiver Station, connected it to a PC (simulating a Base Station Controller) and basically setup a one cell GSM network using freely accessible GSM specs. The source for his OpenBSC software should be available shortly.
The interesting part was where he was able to get phones of random visitors to connect to his network, recording their IMSI and IMEI numbers and intercepting their SMS messages. They used this to create some statistics of where the congress visitors were from and found at least one telephone with a spoofed IMEI. Herald also announced that he bought all of the remaining stock of this hardware and that he is offering to resell pieces to any interested developers for 300€. The idea was that perhaps in August on HAR there will be an experimental GSM network running (provided somebody manages to solve all the legal problems - transmitting on the GSM band with any significant power requires a license).
In the science track there was Tor E. Bjørstad's guide to new stream cipher designs. He presented eSTREAM, an European project meant to develop new standardized ciphers to software and hardware implementations. The idea is that while AES has been widely deployed and tested it also means that it's the target of most attacks and the goal of the project was to develop alternatives. The project has come up with some promising new ciphers that endured the 4-year long testing period. But as Tor warned, the confidence in a cipher's strength can only increases with time, so AES is still the recommended choice for new software.
Back on the hacking track there was a presentation about breaking into the infamous Storm botnet. A small team managed to reverse engineer the Storm and found out how to present their computer as a controlling node of the P2P command & control structure. With this they could do practically everything they wanted with the computers in the network, from triggering DDOS to recursively disinfect nodes in the network. I wonder when they'll receive a friendly knock on the door from whoever created the botnet in the first place.
The same people also shared some of their experience in building honeypots. The most amusing part: how you can get most attackers to break into their own computer by simply mirroring their connections to your honeypot and recording everything.
Continuing on the same topic, there were also a talk about how to find exploits in Microsoft Office documents (Bruce Dang's ability to read assembly code from an executable written out in ASCII was a bit scary there). Later FX from Phenoelit showed the latest development in Cisco IOS attacks, like how to get stable code execution after a buffer overflow despite the large number of different OS images that are deployed in the wild.
The day ended with Hacker Jeopardy, some kind of a quiz with questions from various topics discussed at the congress. This year the quiz was in German, but was simultaneously translated from German into English for the rest of us.