27C3 - Version 1.6.3
27th Chaos Communication Congress
We come in peace
Schedule Day 1: 2010-12-27 (unofficial)
Saal 1
| Speakers | |
|---|---|
| Alien8 | |
| Astro | |
| Schedule | |
|---|---|
| Day | 1 |
| Room | Saal 1 |
| Start time | 00:15 |
| Duration | 01:00 |
| Info | |
| ID | 4253 |
| Event type | other |
| Track | Community |
| Language | |
Pentanews Game Show
Your opponents will be riddled as well
Out of the news section of the [C3D2](http://www.c3d2.de "CCC Dresden") [radio programme](http://www.pentamedia.org/pentaradio "Pentaradio24") we've compiled an entertaining game show, an Internet-based multiplayer "Who becomes millionaire?" challenge. The audience and folks on the peace missions are asked to help the players.
From the collected news items of our monthly radio show we've generated a game show somewhat inspired by "Who becomes millionaire?" but multiplayer. The questions cover all types of net-news we've found interesting to mention in our radio show.
An example question would be: "Who operates the biggest Cloud service?"
1. Google
2. Facebook
3. Amazon
4. Botnets
This game show was successfully beta tested at the [Datenspuren](http://www.datenspuren.de "Datenspuren") symposium this year but much improved since.
Honouring English as the language spoken by the most people at the congress we offer English and German depending on the audience.
| Speakers | |
|---|---|
| Rop Gonggrijp | |
| Schedule | |
|---|---|
| Day | 1 |
| Room | Saal 1 |
| Start time | 11:30 |
| Duration | 01:00 |
| Info | |
| ID | 4302 |
| Event type | lecture |
| Track | Society |
| Language | |
27C3 Keynote
We come in Peace
| Speakers | |
|---|---|
| Jérémie Zimmermann | |
| Schedule | |
|---|---|
| Day | 1 |
| Room | Saal 1 |
| Start time | 12:45 |
| Duration | 01:00 |
| Info | |
| ID | 4103 |
| Event type | lecture |
| Track | Society |
| Language | en |
Copyright Enforcement Vs. Freedoms
ACTA, IPRED3 and other upcoming battles of the crusade against sharing
ACTA, upcoming criminal enforcement directive, filtering of content... The entertainment industries go further and further into their crusade against sharing. They not only attack our fundamental freedoms, but also the very essence of the Internet.
This session is a panorama of the current and upcoming battles, campaigns and actions. Everyone can help defeat the motherf#§$ers!
The crusade against sharing the entertainment industries are waging against their customers is taking new directions.
Their obsession to apply models from the past to today's technologies leads these industries to turn copyright against their customers. Direct consequences would be damages to freedom of expression, privacy and the right to a fair trial, that would greatly serve the will of some politicians to control the Internet.
A number of extremely disturbing trends and upcoming legislative projects will be detailed in this session:
- ACTA. The "Anti-Counterfeiting Trade Agreement" is the flagship of the entertainment industries. It is a prototype of how to impose legislation while circumventing democratic process and public opinions. ACTA contains most of what the industries are dreaming about. By putting legal and monetary pressure over Internet technical intermediates, ACTA would force them to act as private copyright police and justice of the Net.
- IPRED2. The criminal enforcement directive was frozen in the Council of EU in 2006. It is about to be revived under the direction of the French commissioner Michel Barnier. It may contain sanctions for "inciting, aiding and abetting" infringement, which would blur the line between copyright infringement and political speech or the production of software and on-line services.
- "voluntary agreements", "extra-judicial measures", and "cooperation between rights-holders and Internet service providers" sound harmless, but they represent a growing trend in trying to force the ISPs into policing, through contracts, their networks and users. ISPs would be forced to use access restrictions ("three strikes") or even content filtering.
- Revision of the e-Commerce directive. The movie and music industries will use this occasion to attack the exoneration of liability for technical intermediates of the Net, with potential consequences on freedom of speech.
- Filtering of the Net. In the name of protecting the children or gamblers, it is being deployed all over Europe. These first steps will allow filtering mechanisms to be further expanded for the purpose of copyright enforcement, under the influence of the entertainment industries.
How are those policies put in place? What can a citizen do in order to help counter them? How can we better organize to gain momentum in protecting fundamental freedoms in the digital environment? What were the successful campaigns so far, and what will be the upcoming ones?
Join us in our effort!
| Speakers | |
|---|---|
| Alvar C. H. Freude | |
| Schedule | |
|---|---|
| Day | 1 |
| Room | Saal 1 |
| Start time | 14:00 |
| Duration | 01:00 |
| Info | |
| ID | 4252 |
| Event type | lecture |
| Track | Society |
| Language | de |
From Zensursula via Censilia to the Kindernet
A year in review of Internet blocking, broadcast-time restrictions on the Internet and supposed youth protection
After Zensursula came Censilia and the Kindernet: following the heated debates about Internet blocking and the Zugangserschwerungsgesetz (Access Impediment Act), 2010 brought several new developments, and the Broadcasting Commission of the Länder once again wanted to tackle youth protection on the Internet.
The talk reviews these topics once more and gives an outlook on what may still be in store for us in the coming months.
| Speakers | |
|---|---|
| Johannes Ludwig | |
| Whistleblower-Netzwerk | |
| Schedule | |
|---|---|
| Day | 1 |
| Room | Saal 1 |
| Start time | 16:00 |
| Duration | 01:00 |
| Info | |
| ID | 4185 |
| Event type | lecture |
| Track | Society |
| Language | |
Whistleblowing
Shedding light into the dark!
Whistleblowing as a universal concept for more transparency, or: on reclaiming the dark spaces in business and politics, even beyond Wikileaks.
The Wikileaks presentation was one of the highlights of 26C3. Through Wikileaks, many hackers heard of whistleblowing for the first time. However, some reduce whistleblowing to the anonymous publication of explosive documents on the net. Guido Strack and Johannes Ludwig of Whistleblower-Netzwerk Deutschland want to counter this with their talk and an accompanying exhibition.
Examples are shown of people who demonstrated civil courage at their workplace and drew attention to abuses, some openly, some anonymously. It is shown that these people are often left alone by their colleagues and by the legal system, and also where the limits of anonymous tips lie and what difficulties journalists face in dealing with whistleblowers.
The speakers explain how whistleblowing could become an Archimedean point for bringing light into the dark spaces of business and politics, exposing the methods of the people behind the powerful, and recognising risks to public interests in time.
Starting points for this are questioning the legitimacy and scope of (so-called security-relevant, or trade and business) secrets, networking civil society and critical media to organise counter-power, effective legal protection for whistleblowers, and a different cultural attitude towards those who until now have often been vilified as informers or as fouling their own nest.
Finally, insights into the work of Whistleblower-Netzwerk e.V. and its international cooperation partners show how some of these starting points are already being tackled concretely, but also where support is still needed and what the net community could contribute here.
| Speakers | |
|---|---|
| Collin Mulliner | |
| Nico Golde | |
| Schedule | |
|---|---|
| Day | 1 |
| Room | Saal 1 |
| Start time | 17:15 |
| Duration | 01:00 |
| Info | |
| ID | 4060 |
| Event type | lecture |
| Track | Hacking |
| Language | en |
SMS-o-Death
From analyzing to attacking mobile phones on a large scale.
Smart phones, everybody has a smart phone! No! Just about 16% of all mobile phones are smart phones! Feature phones are the most common type of mobile phone in the world. Some time ago we decided to investigate the security of feature phones. In this talk we show how we analyzed feature phones for SMS security issues. We show our results and the kind of attacks that are possible with our bugs.
This talk is about the security analysis of a class of mobile phones, the so-called "feature phones". We show how we analyzed this type of phone for SMS security issues and what kind of problems had to be overcome in the process. We show results for the major mobile phone manufacturers in the world. Every one of them has problems. Finally we show what kind of global-scale attacks one can carry out with this kind of bug. The attacks range from interrupting phone calls to disconnecting people from the network, and sometimes even bricking phones remotely.
The talk is structured in the following way:
- Introduction to the Topic
- Problem Description
- The Analysis (major part of the talk)
- Analysis Results
- A look at the Operator Network
- Attacks based on our Results
- Conclusions
| Speakers | |
|---|---|
| Andreas Bogk | |
| Falk Lüke | |
| scusi | |
| Uli Blumenthal | |
| Schedule | |
|---|---|
| Day | 1 |
| Room | Saal 1 |
| Start time | 18:30 |
| Duration | 01:30 |
| Info | |
| ID | 4094 |
| Event type | podium |
| Track | Society |
| Language | |
Net neutrality and QoS - a contradiction?
Facts on the table
Is net neutrality coming to an end? What arguments do we have to counter the lobbyists and PR people of the telecommunications companies? What are the facts, and what belongs in the realm of myths?
Tim Berners-Lee has found the following concise definition: "Net neutrality is this: If I pay to connect to the Net with a certain quality of service, and you pay to connect with that or greater quality of service, then we can communicate at that level."
Which of the legendary capacity bottlenecks really exist? And how is Quality of Service (QoS) to be handled in practice in the future? What is feasible, and what are the conditions for statutory regulation? Questions upon questions, to be discussed together with you.
| Speakers | |
|---|---|
| axel | |
| Katarzyna Szymielewicz | |
| Patrick Breyer | |
| Ralf Bendrath | |
| Schedule | |
|---|---|
| Day | 1 |
| Room | Saal 1 |
| Start time | 20:30 |
| Duration | 01:00 |
| Info | |
| ID | 4190 |
| Event type | lecture |
| Track | Society |
| Language | en |
Data Retention in the EU five years after the Directive
Why the time is now to get active
2011 will again be a crucial year in the battle against data retention and blanket surveillance. The EU Commission is planning to publish its review of the directive in December (right in time before 27C3), and the lobbying and PR battle has already begun. In six months from now, we will see the legislative proposal from the EU commission for the revision of data retention.
The talk will give a full picture of the legal state of play, what is going on in Brussels, what is already being done and of course where you can help. The speakers are closely involved in the process on the European and national level.
In December 2005, the European Parliament agreed to the data retention directive that introduced mandatory retention of the telecommunications behaviour of half a billion EU citizens and residents. That was a huge disappointment and perceived by many as the final opening of the floodgates. Frank Rieger and Rop Gonggrijp at 22C3 even declared that "we lost the war" over privacy. But things turned out differently than expected.
Now, five years later, a new privacy movement has risen in Germany and elsewhere, a number of constitutional courts all across Europe have declared national data retention laws illegal, a case against the whole directive is pending at the European Court of Justice, and the EU has a justice commissioner who openly said that she would not have suggested the whole thing in the first place, and a home affairs commissioner who voted against the directive when she was still a Member of Parliament.
The talk will give a full picture of the legal state of play, what is going on in Brussels, what is already being done and of course where you can help. The speakers are all active in European Digital Rights (EDRi.org) and are closely involved in the process on the European and national level.
| Speakers | |
|---|---|
| Dominik Oepen | |
| Frank Morgner | |
| Schedule | |
|---|---|
| Day | 1 |
| Room | Saal 1 |
| Start time | 21:45 |
| Duration | 01:00 |
| Info | |
| ID | 4297 |
| Event type | lecture |
| Track | Hacking |
| Language | |
"The entire technology is secure"
Possession and knowledge: relay attacks on the new German ID card (Personalausweis)
Three different reader classes are specified for the new electronic Personalausweis, of which the simplest has already attracted some criticism. After the debate about the security of the ID card, the question arises: can certified readers protect the new ID card?
Authentication with the new Personalausweis is based on the principle of two-factor authentication through possession and knowledge. Possession of the ID card and knowledge of a PIN are required. Possible attacks on these factors were presented even before the introduction of the new Personalausweis and were dismissed as unrealistic or incomplete.
We examine the feasibility and impact of relay attacks with regard to the various reader classes and application scenarios of the new Personalausweis. Under the current state of the specifications, such attacks can hardly be prevented. Some of the problems turn out to be unsolvable; for others there are possible solutions, ranging from simple but insufficient to complex but hardly implementable.
| Speakers | |
|---|---|
| Bruce Dang | |
| Peter Ferrie | |
| Schedule | |
|---|---|
| Day | 1 |
| Room | Saal 1 |
| Start time | 23:00 |
| Duration | 01:00 |
| Info | |
| ID | 4245 |
| Event type | lecture |
| Track | Hacking |
| Language | en |
Adventures in analyzing Stuxnet
There have been many publications on the topic of Stuxnet and its "sophistication" in the mainstream press. However, there is no complete publication which explains all of the technical vulnerability details and how they were discovered. In this talk, you will get a first-hand account of the entire story.
We will discuss various techniques used in analyzing Stuxnet. First, we will share several tricks that were used to quickly identify the vulnerabilities. Second, we describe the thought processes that went into debugging and triaging the vulnerabilities themselves. Finally, we show some tips that you can use if you feel like decompiling stuff for fun :).
Saal 2
| Speakers | |
|---|---|
| Branko Spasojevic | |
| Schedule | |
|---|---|
| Day | 1 |
| Room | Saal 2 |
| Start time | 12:45 |
| Duration | 01:00 |
| Info | |
| ID | 4096 |
| Event type | lecture |
| Track | Hacking |
| Language | |
Code deobfuscation by optimization
Optimization algorithms present an effective way for removing most obfuscations that are used today. Much of the compiler theory can be applied in removing obfuscations and building fast and reliable deobfuscation systems. By understanding traditional optimization problems and techniques it is possible to develop and customize compiler optimization algorithms for usage in binary deobfuscation/analysis.
Analysis of malware binaries is constantly becoming more difficult with introduction of many different types of code obfuscators. One common theme in all obfuscators is transformation of code into a complex representation. This process can be viewed as inverse of compiler optimization techniques and as such can be partially removed using optimization algorithms.
Optimization algorithms are especially successful in the following:
- Removal of no-operation instructions
- Simplifying complex instructions
- Removal of unconditional jumps
- Removal of conditional jumps
- Simplifying the control-flow graph
This presentation shows common obfuscation techniques and a process of adapting optimization algorithms for removing obfuscations.
Additionally, an open-source plug-in for the IDA Pro disassembler is presented that demonstrates the usability of the proposed optimization process, as well as a set of techniques to speed up the process of analyzing obfuscated code.
| Speakers | |
|---|---|
| Dominik Herrmann | |
| lexi | |
| Schedule | |
|---|---|
| Day | 1 |
| Room | Saal 2 |
| Start time | 14:00 |
| Duration | 01:00 |
| Info | |
| ID | 4140 |
| Event type | lecture |
| Track | Hacking |
| Language | en |
Contemporary Profiling of Web Users
On Using Anonymizers and Still Get Fucked
This talk will provide a summary of recently discovered methods which allow breaking the Internet's privacy and anonymity.
We will show, amongst others:
* ways of distinguishing bots from humans. We use this technique to provide crawlers with false data or lure them into tar pits.
  Other than CAPTCHAs, we introduce methods that profile the holistic behaviour within a single web session to distinguish users or bots within a longer timeframe, based on subtle characteristics in most bots' implementations.
* breaking filtering of JavaScript in web-based proxies.
  While next to all web proxies advertise the capability of filtering JavaScript, the ubiquity of XSS and CSRF attacks has proven that correct filtering of arbitrary HTML is extremely difficult.
* tracking and re-identifying users based upon their web profile.
  We show how a third-party observer (e. g. a proxy server or DNS server) can create a long-term profile of roaming web users using only statistical patterns mined from their web traffic. These patterns are used to track users by linking multiple surfing sessions. Our attack does not rely on cookies or other unique identifiers, but exploits characteristic patterns of frequently accessed hosts. We demonstrate that such statistical attacks are practicable, and we will also look into basic defense strategies.
* traffic analysis and fingerprinting attacks on users of anonymizing networks.
  Even if anonymizers like Tor are used, a local adversary can measure the volume of transferred data and timing characteristics to e. g. determine the retrieved websites. We will briefly sketch the current state of the art in traffic analysis, which has been improved significantly within the last year.
| Speakers | |
|---|---|
| Oliver "Unicorn" Knapp | |
| Schedule | |
|---|---|
| Day | 1 |
| Room | Saal 2 |
| Start time | 16:00 |
| Duration | 01:00 |
| Info | |
| ID | 4111 |
| Event type | lecture |
| Track | Society |
| Language | |
One, two, three - everyone takes part
From the census to the federal population register
Besides a short introduction to the problems of the 2011 census, the talk will also cover the CCC statements submitted to several state parliaments. It will further deal with the constitutional complaint by the AK Zensus, which has since been rejected, as well as further options for "doing something".
To prevent a civil-society movement against a renewed census, the official statistics bodies spent more than 10 years developing the alternative survey method now planned, called the "register-based census", in which only around 25% of the population still has to be sent personal questionnaires. In the first stage of the census, data is collected from a wide variety of sources and merged at the state statistical offices and the Federal Statistical Office into an unprecedented database. Only once this previously unimaginable mountain of data has been amassed do the federal states and their implementing laws come into play. As a result, the public debate to be expected will only take place once the child has already drowned in the well.
The talk attempts to give interested listeners an overview of the 2011 census that is as comprehensive as possible, but certainly not boring.
Of course, in such a talk it is also necessary to discuss why the constitutional complaint against the ZensG 2011, which after all had 13000 supporters, was rejected, and how things proceed from here.
| Speakers | |
|---|---|
| Jochim Selzer | |
| Schedule | |
|---|---|
| Day | 1 |
| Room | Saal 2 |
| Start time | 17:15 |
| Duration | 01:00 |
| Info | |
| ID | 4164 |
| Event type | lecture |
| Track | Society |
| Language | de |
Peace be with your data
A data-protection excursion into an ecclesiastical parallel universe
German federal and church data protection lead parallel existences. While the Federal Data Protection Act (BDSG) is noticed and critically followed by the public, very few people are even aware that there is also a data protection regime within the churches, detached from the BDSG, which differs from the state one in several important points. This talk aims to raise awareness of a body of law that affects sixty percent of Germans, often without their knowing it. Practical examples and tips included.
For almost fifty million people in Germany, the Federal Data Protection Act applies only to a limited extent. The reason: they are members of one of the two established churches. Since the Weimar era, these have preserved the privilege of a legal system partly decoupled from state law. This is most strikingly noticeable in the at times very idiosyncratic prosecution of child rape, but also, far less sensationally, in everyday life in the handling of personal data as it arises in religious education, in official church acts or quite simply when renting out rooms. The churches are doing the splits: on the one hand they have little to do with data protection, on the other they want to maintain absolute confidentiality in pastoral care. Beginning with a theoretical introduction, this talk uses several practical examples to describe similarities and differences between church and state data protection, shows where even non-members are affected by internal church law, names gaps where action is needed, and gives tips on how to ensure better data protection within these organisations and how, even as an outsider, to make sure that no mischief is done with one's own data. Both legal and technical aspects are addressed.
| Speakers | |
|---|---|
| Ilja van Sprundel | |
| Schedule | |
|---|---|
| Day | 1 |
| Room | Saal 2 |
| Start time | 18:30 |
| Duration | 01:00 |
| Info | |
| ID | 4265 |
| Event type | lecture |
| Track | Hacking |
| Language | en |
hacking smart phones
expanding the attack surface and then some
There's been a fair bit written and presented about smartphones, and yet, when it comes to the attack surface of the operating systems running on them, and the applications running on top of those, much still has to be explored. This talk will dive a bit deeper into that attack surface.
This talk will take a look at the smart phone attack surface, only from an end-to-end point of view. The baseband type stuff and things owned by the telcos will not be covered. Basically, it'll cover 5 major areas:
- identifying operating systems (through for example the user-agent with mms)
- identifying entrypoints
- identifying trust boundaries
- identifying bugs
- exploiting bugs
There has been a fair amount of cellphone and smartphone research done in the past, and yet, when it comes to attack surface, we've barely scratched the surface. SMS alone allows for a dozen or so different types of messages, there's mms, all sorts of media codecs are built into smart phones. The entrypoints can be roughly categorized as:
Primary entrypoints:
- zero-click remote attacks over default communication network (sms, mms, ...)
Secondary entrypoints:
- zero-click remote attacks over non-default communication network (email, ...)
Tertiary entrypoints:
- proximity attacks (wifi, bluetooth, irda, mitm wifi connection, ...)
- not-zero-click remote attacks (e.g. start application XYZ and connect to my evil server)
The main focus in this talk will be on the primary entrypoints; however, some of the secondary and tertiary entrypoints will be talked about as well, in particular irda, since unlike bluetooth and wifi, very little security research has ever been done with irda, which in itself is weird, since after less than a day of poking around it became quite clear most irda stacks are pretty weak (as a hilarious irda sidenote which got me started to look at irda, one should read the following microsoft bulletin http://www.microsoft.com/technet/security/bulletin/ms01-046.mspx).
Once the interesting entrypoints for various smartphones are explored, the talk will dive into some of the trust boundaries on different smartphones, things their sandboxes allow, things they don't, whether or not it's documented and whether or not the documentation is actually accurate.
In the spirit of keeping the best for last, some of the bugs discovered during the smartphone research will be discussed, both the details of them, as well as the pains the speaker had to go through to make exploits for them.
| Speakers | |
|---|---|
| datenwolf | |
| Schedule | |
|---|---|
| Day | 1 |
| Room | Saal 2 |
| Start time | 20:30 |
| Duration | 01:00 |
| Info | |
| ID | 4017 |
| Event type | lecture |
| Track | Community |
| Language | en |
Desktop on the Linux... (and BSD, of course)
you're doing it confused? weird? strange? wrong?
Time to take a look back and under the hood of the current state of FOSS based desktops: The Good, The Bad and The Ugly – Bloat, strange APIs, too much complexity.
The first decade of the 21st century brought huge progress in the development of FOSS Desktop systems. Users can now choose from a broad range of environments, which all adhere to a coherent set of standards. Not to forget that FOSS did even pioneer some GUI technologies which were later adopted by other (read: non free) systems.
There's one year left of this decade. Time to take a look back and under the hood of the current state of FOSS based desktops: The Good, The Bad and The Ugly.
- "Yo Dawg!" Stacking layers of redundancy. (Phonon -> GStreamer -> Pulseaudio)
- Do you really need a full blown desktop session for a login screen? (GDM >2.21)
- The graphics subsystem (X11) is network transparent and provides IPC. So let's build our own IPC system, that's not network transparent (DBus).
- I think the login process is not complicated enough yet. (ConsoleKit)
- Good ideas, poor implementation, abusive use. (PolicyKit)
- Making things happen automatically doesn't "make things just work!". (Network Manager, ivman, HAL based mount)
- Unified configuration madness. (gconf, XSettings)
- Zombies: Some things are so bad, that even their original creators now abandon them (HAL).
- What if special use cases require you to get rid of some or multiple of the above? Admin's Nightmares!
and last but not least
- Possible security flaws in each of the above.
And of course we'll also look at some of the pearls of strange API design in some of the above.
| Speakers | |
|---|---|
| vanHauser | |
| Schedule | |
|---|---|
| Day | 1 |
| Room | Saal 2 |
| Start time | 21:45 |
| Duration | 01:00 |
| Info | |
| ID | 3957 |
| Event type | lecture |
| Track | Hacking |
| Language | en |
Recent advances in IPv6 insecurities
New protocol features have been proposed and implemented in the last 5 years and ISPs are now slowly starting to deploy IPv6. This talk starts with a brief summary of the issues presented five years ago, and then expands on the new risks.
Discovered implementation security issues in Windows 7/2008, Linux and Cisco will be shown too. Comes with a GPL'ed toolkit: thc-ipv6
Five years have passed since my initial talk on IPv6 insecurities at the CCC Congress.
New protocol features have been proposed and implemented since then and ISPs are now slowly starting to deploy IPv6.
Few changes have led to a better security of the protocol; several increase the risk instead.
This talk starts with a brief summary of the issues presented 5 years ago, and then expands on the new risks, especially in multicast scenarios.
As an add-on, discovered implementation security issues in Windows 7/2008, Linux and Cisco will be shown too. Let's hope patches are out by the conference; if not, they had enough time.
All accompanied by GPL'ed tools and a library: the new thc-ipv6 package, rewritten, expanded, enhanced.
For those who could not attend: on the 29th at 12:00 at b(erlin)sides @ c-base I do the presentation again
| Speakers | |
|---|---|
| Betty | |
| Gismo C. | |
| Schedule | |
|---|---|
| Day | 1 |
| Room | Saal 2 |
| Start time | 23:00 |
| Duration | 01:00 |
| Info | |
| ID | 4125 |
| Event type | lecture |
| Track | Making |
| Language | de |
Spinning the electronic Wheel
Still the bicycles for the 21st century
Three and a half years after the talk '21st Century digital Bikes' at Camp 2007, a lot has happened in the world of electric mobility. The end of 2010 is a good time to take stock, present what is new, and talk about a future of electric mobility that is becoming more blurred rather than clearer.
1) Still vehicles for the 21st century, the freedom we mean.
The requirements imposed on conventional vehicles keep rising. Windscreens are increasingly taped over with official stickers, and the number of regulations and the amount of surveillance on congested motorways and in urban areas keep growing. In parallel, a small niche movement is turning into a fully functional alternative: e-bikes, currently probably the most pleasant form of individual transport.
2) E-bikes / pedelecs / LEVs in the EU
As an e-biker you take part in public road traffic. It will be clarified how electrically powered vehicles are legally defined in the EU, when an electrically powered bicycle requires a licence plate, and where the pitfalls and gaps of EU regulation lie.
3) Technology
After an overview of existing motor technology, the talk turns to brushless DC motors, which have certain advantages, to be demonstrated, for use in vehicles and which, as hub motors, are also particularly suitable for conversion and retrofit concepts.
With the microcontroller driving the motors and finally the current battery technology, the explanation of the drivetrain of a modern e-bike is completed.
4) Future
Not an oracle, but our wishes for the future. The 21st century still leaves us a bit of room to keep working on this; here is our call to interested people and the hacker community on how to keep the e-bike topic exciting.
Combined with the industry's current boom hype, the classic imbalance arises between marketing-driven mass-produced goods and freely documented or openly developed systems and concepts. Here we want to arouse curiosity and interest in order to make further progress with e-bikes too, within the framework of OpenEverything.
Saal 3
| Speakers | |
|---|---|
| Robert Spanton | |
| Schedule | |
|---|---|
| Day | 1 |
| Room | Saal 3 |
| Start time | 12:45 |
| Duration | 01:00 |
| Info | |
| ID | 4175 |
| Event type | lecture |
| Track | Society |
| Language | en |
From robot to robot
Restoring creativity in school pupils using robotics
Today, hacking is reserved for the microscopic fraction of the population who manage to shake themselves free of the suppressive education regime. Student Robotics is the beginning of the solution. By fostering creativity through competition to solve engineering challenges, we provide the inspiration society desperately needs. We develop an open platform for robotics and provide it to schools to open students' minds to the world of hacking.
Student Robotics pushes engineering into schools by running a robotics competition between 16- to 18-year-olds. We send university students into schools to mentor the participating teams. The organisation is run entirely by students, who also develop the hardware and software for the participants to use.
Student Robotics involves a whole range of software and hardware development, including microcontroller programming, computer vision, and web apps. This year we've started shipping the BeagleBoard as the robot's main computing device, providing us with a lot of scope for future hacking.
In this talk I will:
- Discuss the motivation behind Student Robotics
- Provide a technical overview of our current hardware and software
- Discuss the future of Student Robotics in Europe
Hey Teacher. Leave them hackers alone.
| Speakers | |
|---|---|
| Nathan Fain | |
| Vadik | |
| Schedule | |
|---|---|
| Day | 1 |
| Room | Saal 3 |
| Start time | 14:00 |
| Duration | 01:00 |
| Info | |
| ID | 4011 |
| Event type | lecture |
| Track | Hacking |
| Language | |
JTAG/Serial/FLASH/PCB Embedded Reverse Engineering Tools and Techniques
a dump of simple tools for embedded analysis at many layers
Bring your target. We will release a slew of simple tools that explore attack surfaces and explain how to use them: JTAG/serial scanners, a parallel flash dumper, and DePCB board routing analysis. So cross over from software RE and start hacking/improving like it's 1996 again. (Full documentation and reference at: http://events.ccc.de/congress/2010/wiki/Embedded_Analysis)
"All non-trivial abstractions, to some degree, are leaky." -- Joel on Software
This applies just as well to hardware. In the soft centre of embedded security are the human abstraction layers between embedded developers, PCB designers and ASIC designers, which expose attack surfaces that are often rudimentary and immovable.
Using a theoretical embedded target we walk through each surface, overcoming obfuscation to gain control. We will release a slew of embedded analysis tools, some lolarduino based, some not. These tools are based on frameworks that support Industrial Design students with electronics prototyping, meaning that with little technical background you can adapt them to your needs.
The audience is invited to bring their target: contributors will be clustered in the hack center and available to suggest means of protection or the application of analysis techniques in your project.
## Tools discussed
* [Serial Scanner] Arduino based, scans 30+ pins for a serial port at any baud rate. Includes stimulating lines with wake-up signals (\n, etc.).
* [JTAGenum] Arduino based, scans 30+ pins for a JTAG port. Once found, it can be used to scan for undocumented instructions and functionality.
* [Parallel FLASH Dumper] Arduino based, dumps FLASH memory. Flash programmers can be expensive or distribution restricted. Includes a discussion of how to dump FLASH where public documentation or a footprint cannot be found.
* [DePCB] (in progress) Given images of PCB layers, can be used to auto-route IC interconnects. Research in progress. Based on DeGate, which does the same at the transistor level of ICs.
## Topics covered
* Overview of debug surfaces
* Basic electrical analysis of pins to narrow target scans
* Using Serial and JTAG scanners
* Examining undocumented FLASH targets
* Dumping FLASH
* Discussion of clues that can be found in PCB design choices
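The JTAGenum scan described above works by trying every assignment of candidate header pins to TCK/TMS/TDI/TDO, forcing the TAP into BYPASS (an all-ones instruction register selects BYPASS on every IEEE 1149.1 part, whatever the IR length) and checking whether a pattern pushed into TDI comes back out of TDO. The following is an added, self-contained Python simulation of that procedure, not JTAGenum's Arduino code: the target is a constructed board with one TAP whose TAP controller follows the 1149.1 state diagram, with an assumed 4-bit IR, an arbitrary IDCODE and "unconnected pins read as 0" standing in for real pull-downs. The scanner half (`pulse`, `bypass_scan`, `read_idcode`, `find_jtag`) is the part that maps onto real hardware.

```python
from itertools import permutations

# IEEE 1149.1 TAP controller: state -> (next state if TMS=0, next state if TMS=1)
TAP = {
    "TLR": ("RTI", "TLR"),       "RTI": ("RTI", "SELDR"),
    "SELDR": ("CAPDR", "SELIR"), "CAPDR": ("SHDR", "EX1DR"),
    "SHDR": ("SHDR", "EX1DR"),   "EX1DR": ("PAUDR", "UPDR"),
    "PAUDR": ("PAUDR", "EX2DR"), "EX2DR": ("SHDR", "UPDR"),
    "UPDR": ("RTI", "SELDR"),    "SELIR": ("CAPIR", "TLR"),
    "CAPIR": ("SHIR", "EX1IR"),  "SHIR": ("SHIR", "EX1IR"),
    "EX1IR": ("PAUIR", "UPIR"),  "PAUIR": ("PAUIR", "EX2IR"),
    "EX2IR": ("SHIR", "UPIR"),   "UPIR": ("RTI", "SELDR"),
}
IR_LEN, IDCODE_OP = 4, 0b1110     # assumed: 4-bit IR, IDCODE selected after reset
PATTERN = "10010111001011000110101110010011"   # arbitrary 32-bit probe pattern

class SimBoard:
    """Constructed target: `npins` header pins and one TAP wired to four of them
    as (tck, tms, tdi, tdo); wiring=None means there is no JTAG at all.
    Any pin other than the TAP's TDO reads as 0, like a pulled-down test pad."""
    def __init__(self, npins, wiring=None, idcode=0x0A0B0C0D):
        self.levels = [0] * npins
        self.wiring, self.idcode = wiring, idcode
        self.state, self.ir, self.ir_shift = "TLR", IDCODE_OP, 0
        self.dr, self.dr_len, self.tdo = 0, 32, 0

    def write(self, pin, level):
        old, self.levels[pin] = self.levels[pin], level
        if self.wiring is None or pin != self.wiring[0] or old == level:
            return
        _, tms, tdi, _ = self.wiring
        if level:   # rising edge of TCK: sample TMS/TDI, shift, advance the state machine
            tms_bit, tdi_bit = self.levels[tms], self.levels[tdi]
            if self.state == "SHDR":
                self.dr = (self.dr >> 1) | (tdi_bit << (self.dr_len - 1))
            elif self.state == "SHIR":
                self.ir_shift = (self.ir_shift >> 1) | (tdi_bit << (IR_LEN - 1))
            self.state = TAP[self.state][tms_bit]
            if self.state == "TLR":
                self.ir = IDCODE_OP
            elif self.state == "CAPIR":
                self.ir_shift = 0b0001          # 1149.1: captured IR value ends in ...01
            elif self.state == "UPIR":
                self.ir = self.ir_shift
            elif self.state == "CAPDR":         # all-ones IR selects the 1-bit BYPASS register
                bypass = self.ir == (1 << IR_LEN) - 1
                self.dr_len, self.dr = (1, 0) if bypass else (32, self.idcode)
        else:       # falling edge of TCK: TDO presents the LSB of the register being shifted
            self.tdo = {"SHDR": self.dr, "SHIR": self.ir_shift}.get(self.state, 0) & 1

    def read(self, pin):
        return self.tdo if self.wiring and pin == self.wiring[3] else 0

def pulse(board, pins, tms_bit, tdi_bit):
    """One scanner step for the candidate (tck, tms, tdi, tdo) assignment:
    drive TMS and TDI, clock TCK high then low, sample TDO."""
    tck, tms, tdi, tdo = pins
    board.write(tms, tms_bit)
    board.write(tdi, tdi_bit)
    board.write(tck, 1)
    board.write(tck, 0)
    return board.read(tdo)

def bypass_scan(board, pins, pattern=PATTERN):
    """JTAGenum-style probe: reset the TAP, shift all ones into the IR (-> BYPASS),
    then push a pattern through Shift-DR and look for it coming back on TDO."""
    for b in (1, 1, 1, 1, 1, 0, 1, 1, 0, 0):   # reset, RTI, SelDR, SelIR, CapIR, ShIR
        pulse(board, pins, b, 0)
    for _ in range(31):                         # 32 ones covers any realistic IR length
        pulse(board, pins, 0, 1)
    pulse(board, pins, 1, 1)                    # last IR bit, TMS=1 -> Exit1-IR
    for b in (1, 1, 0, 0):                      # Update-IR, SelDR, CapDR, ShDR
        pulse(board, pins, b, 0)
    out = "".join(str(pulse(board, pins, 0, int(c))) for c in pattern + "0" * 64)
    return pattern in out     # BYPASS echoes with one clock of delay, a longer DR with more

def read_idcode(board, pins):
    """After a TAP reset the IDCODE register sits between TDI and TDO: read its 32 bits."""
    for b in (1, 1, 1, 1, 1, 0, 1, 0):          # reset, RTI, SelDR, CapDR
        pulse(board, pins, b, 0)
    bits = [pulse(board, pins, 0, 0) for _ in range(32)]   # first pulse enters ShDR and shows bit 0
    return sum(b << i for i, b in enumerate(bits))

def find_jtag(board, npins):
    """Try every ordered choice of four pins as (TCK, TMS, TDI, TDO); return the hits."""
    return [p for p in permutations(range(npins), 4) if bypass_scan(board, p)]

if __name__ == "__main__":
    board = SimBoard(6, wiring=(3, 1, 5, 0))    # constructed: TCK=pin3, TMS=pin1, TDI=pin5, TDO=pin0
    for pins in find_jtag(board, 6):
        print("candidate TCK/TMS/TDI/TDO =", pins, "IDCODE = 0x%08X" % read_idcode(board, pins))
    print("board without JTAG:", find_jtag(SimBoard(6), 6))
```

Note that the scanner drives three pins at a time, so a candidate assignment that happens to toggle the real TCK through the "TMS" or "TDI" line can still clock the device; on real hardware that is why JTAGenum's hits are candidates to be confirmed (for example by reading a plausible IDCODE, as `read_idcode` does here) rather than final answers.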
| Speakers | |
|---|---|
| Felix Gröbert | |
| Schedule | |
|---|---|
| Day | 1 |
| Room | Saal 3 |
| Start time | 16:00 |
| Duration | 01:00 |
| Info | |
| ID | 4160 |
| Event type | lecture |
| Track | Hacking |
| Language | |
Automatic Identification of Cryptographic Primitives in Software
In this talk I demonstrate our research and the implementation of methods to detect cryptographic algorithms and their parameters in software. Based on our observations of cryptographic code, I will point out several inherent characteristics that can be used to design signature-based and generic identification methods.
Using dynamic binary instrumentation, we record the instructions of a program during runtime and create a fine-grained trace. We implement a trace analysis tool, which also provides methods to reconstruct high-level information from a trace, for example control flow graphs or loops, to detect cryptographic algorithms and their parameters.
With the results of this work, encrypted data, sent by a malicious program for example, may be decrypted and used by an analyst to gain further insight into the behavior of the analyzed binary executable. Applications include de-DRM'ing, security auditing, and malware C&C analysis. After the talk we will demonstrate the functionality on a ransomware sample that uses cryptographic primitives and release the implementation to the public.
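The two families of methods the abstract names can be shown on a small scale. The following added Python example is not the talk's tool; it sketches both ideas on constructed input: a signature scan for well-known constants (AES S-box bytes, the SHA-1/MD5 initialisation vector, a SHA-1 round constant, the first SHA-256 and MD5 table words) in both byte orders over a memory dump, and a generic heuristic over an instruction trace that finds loop bodies (addresses executed repeatedly) and scores them by the share of bitwise and rotate instructions, which is high in hash rounds and block ciphers and low in ordinary copy loops. The trace format (`0xADDR mnemonic operands`) and the sample trace are constructed for this example.

```python
import re
import struct
from collections import Counter

# 32-bit words published in the respective standards; endianness is tried both ways
WORD_SIGS = {
    "SHA-1/MD5 IV": [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476],
    "SHA-1 K[0]": [0x5A827999],
    "SHA-256 H[0..1]": [0x6A09E667, 0xBB67AE85],
    "MD5 T[0..1]": [0xD76AA478, 0xE8C7B756],
}
BYTE_SIGS = {"AES S-box": bytes.fromhex("637c777bf26b6fc53001672bfed7ab76")}

def find_constants(blob):
    """Signature method: return (name, byte order, offset) for every known constant."""
    hits = []
    for name, words in WORD_SIGS.items():
        for endian in ("<", ">"):
            pat = struct.pack(endian + "%dI" % len(words), *words)
            pos = blob.find(pat)
            while pos != -1:
                hits.append((name, endian, pos))
                pos = blob.find(pat, pos + 1)
    for name, pat in BYTE_SIGS.items():
        pos = blob.find(pat)
        while pos != -1:
            hits.append((name, "bytes", pos))
            pos = blob.find(pat, pos + 1)
    return hits

def classify(hits):
    """SHA-1 and MD5 share their IV, so a second constant is needed to tell them apart."""
    names = {name for name, _, _ in hits}
    if "SHA-1/MD5 IV" in names:
        if "SHA-1 K[0]" in names:
            return "SHA-1"
        if "MD5 T[0..1]" in names:
            return "MD5"
        return "SHA-1 or MD5 (shared IV)"
    return ", ".join(sorted(names)) or "no known constants"

BITWISE = {"xor", "rol", "ror", "shl", "shr", "and", "or", "not", "pxor", "pshufb"}
TRACE_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\w+)")

def loop_bitwise_ratio(trace_lines, min_iters=4):
    """Generic method: group hot addresses into loop bodies and score each body by the
    fraction of executed instructions that are bitwise/rotate operations."""
    executed, mnemonic = Counter(), {}
    for line in trace_lines:
        m = TRACE_RE.match(line)
        if not m:
            continue
        addr, op = int(m.group(1), 16), m.group(2).lower()
        executed[addr] += 1
        mnemonic[addr] = op
    hot = sorted(a for a, n in executed.items() if n >= min_iters)
    loops = []                       # contiguous runs of hot addresses (gap <= 16 bytes)
    for a in hot:
        if loops and a - loops[-1][-1] <= 16:
            loops[-1].append(a)
        else:
            loops.append([a])
    scored = []
    for body in loops:
        total = sum(executed[a] for a in body)
        bitwise = sum(executed[a] for a in body if mnemonic[a] in BITWISE)
        scored.append((body[0], body[-1], round(bitwise / total, 2)))
    return scored

# Constructed sample data: a dump holding SHA-1 state plus K[0], and a trace of a
# hash-like round loop followed by a plain copy loop (each iterated 8 times).
SAMPLE_BLOB = (b"\x00" * 32
               + struct.pack("<5I", 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
               + b"\x90" * 16 + struct.pack("<I", 0x5A827999) + b"tail")
ROUND = [(0x401000, "mov"), (0x401003, "xor"), (0x401005, "rol"), (0x401008, "and"),
         (0x40100a, "xor"), (0x40100c, "add"), (0x40100e, "rol"), (0x401011, "add"),
         (0x401013, "dec"), (0x401014, "jnz")]
COPY = [(0x402000, "mov"), (0x402002, "mov"), (0x402004, "inc"), (0x402005, "cmp"), (0x402007, "jne")]
SAMPLE_TRACE = (["0x400f00 push ebp", "0x400f01 mov ebp, esp"]
                + ["0x%x %s eax, ebx" % (a, op) for _ in range(8) for a, op in ROUND]
                + ["0x%x %s eax, ebx" % (a, op) for _ in range(8) for a, op in COPY])

if __name__ == "__main__":
    hits = find_constants(SAMPLE_BLOB)
    print("constants:", hits, "->", classify(hits))
    print("loops (start, end, bitwise ratio):", loop_bitwise_ratio(SAMPLE_TRACE))
```

The constant scan is cheap but fails whenever the implementation computes its tables at runtime or the binary is packed, which is exactly the gap the trace-based heuristic covers: a loop executing many xor/rotate instructions is a strong hint regardless of which constants are visible.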
| Speakers | |
|---|---|
| Peter Stuge | |
| Schedule | |
|---|---|
| Day | 1 |
| Room | Saal 3 |
| Start time | 17:15 |
| Duration | 01:00 |
| Info | |
| ID | 4234 |
| Event type | lecture |
| Track | Making |
| Language | en |
USB and libusb
So much more than a serial port with power
Learn about the benefits and limitations of Universal Serial Bus, how communication works on the bus, how and why the right (and sometimes wrong?) driver can be loaded automatically by the operating system, and find out the easiest way to add USB to your washing machine, toaster, or other favorite appliance.
The talk goes under the hood of the ubiquitous standard and clarifies many concepts that are important to understand when developing either device firmware or host software for USB; host, device, hubs, low speed, full speed, high speed, super speed, bus power supply, cable lengths, transfer types, endpoints, descriptors and more. The choice between kernel mode or user mode drivers will also be discussed, and finally we'll take a look at libusb; a cross-platform (WinMacLinuxBSD) library for USB programming.
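Descriptors are where most of the concepts listed above meet: the device descriptor carries the VID/PID and device class the host uses to pick a driver, the configuration descriptor carries bus-power and wakeup attributes, and each interface lists endpoints with their transfer type, direction and maximum packet size. The following added Python example, not code from the talk or from libusb, parses a constructed descriptor set for a HID keyboard the way a host stack walks it (by `bLength`, skipping descriptor types it does not know, such as the HID class descriptor) and then applies a small constructed driver-binding table in which a VID/PID rule outranks a class rule and a device with `bDeviceClass` 0 is bound per interface. The byte layouts are the ones in the USB 2.0 specification (chapter 9); the binding rules and sample values are assumptions for the example.

```python
import struct

DEVICE_FMT = "<BBHBBBBHHHBBBB"            # 18-byte device descriptor
TRANSFER = {0: "control", 1: "isochronous", 2: "bulk", 3: "interrupt"}

def parse_device(desc):
    if len(desc) < 18 or desc[0] != 18 or desc[1] != 1:
        raise ValueError("not a device descriptor")
    f = struct.unpack(DEVICE_FMT, desc[:18])
    return {"bcdUSB": f[2], "class": f[3], "subclass": f[4], "protocol": f[5],
            "ep0_max": f[6], "vid": f[7], "pid": f[8], "bcdDevice": f[9],
            "num_configs": f[13]}

def parse_configuration(blob):
    """Walk the configuration bundle by bLength. Descriptor types this parser does
    not know (class-specific ones, e.g. HID 0x21) are skipped, as a host stack does."""
    total = struct.unpack_from("<H", blob, 2)[0]
    if total != len(blob):
        raise ValueError("wTotalLength %d does not match %d bytes" % (total, len(blob)))
    config, pos, cur = {"interfaces": []}, 0, None
    while pos < len(blob):
        blen, btype = blob[pos], blob[pos + 1]
        if blen < 2 or pos + blen > len(blob):
            raise ValueError("bad descriptor length at offset %d" % pos)
        d = blob[pos:pos + blen]
        if btype == 2:                                       # CONFIGURATION
            _, _, _, n_if, value, _, attrs, power = struct.unpack("<BBHBBBBB", d[:9])
            config.update(num_interfaces=n_if, value=value,
                          self_powered=bool(attrs & 0x40),
                          remote_wakeup=bool(attrs & 0x20),
                          max_power_mA=power * 2)            # bMaxPower is in 2 mA units
        elif btype == 4:                                     # INTERFACE
            _, _, num, alt, _, cls, sub, proto, _ = struct.unpack("<BBBBBBBBB", d[:9])
            cur = {"number": num, "alt": alt, "class": cls, "subclass": sub,
                   "protocol": proto, "endpoints": []}
            config["interfaces"].append(cur)
        elif btype == 5 and cur is not None:                 # ENDPOINT
            _, _, addr, attrs, mps, interval = struct.unpack("<BBBBHB", d[:7])
            cur["endpoints"].append({"number": addr & 0x0F,
                                     "dir": "IN" if addr & 0x80 else "OUT",
                                     "type": TRANSFER[attrs & 3],
                                     "max_packet": mps & 0x7FF, "interval": interval})
        pos += blen
    return config

def match_driver(dev, config, rules):
    """Assumed binding policy: rules are consulted in order, first match wins, a rule
    may name a VID/PID or a class; class 0 at device level defers to the interface."""
    bound = []
    for iface in config["interfaces"]:
        chosen = None
        for rule in rules:
            if "vid" in rule and (rule["vid"], rule["pid"]) != (dev["vid"], dev["pid"]):
                continue
            if "class" in rule and rule["class"] != (dev["class"] or iface["class"]):
                continue
            chosen = rule["driver"]
            break
        bound.append((iface["number"], chosen))
    return bound

# Constructed sample: USB 2.0 full-speed HID boot keyboard, bus powered, one IN interrupt endpoint
SAMPLE_DEVICE = struct.pack(DEVICE_FMT, 18, 1, 0x0200, 0, 0, 0, 8, 0x1234, 0x5678, 0x0100, 1, 2, 3, 1)
SAMPLE_CONFIG = (struct.pack("<BBHBBBBB", 9, 2, 34, 1, 1, 0, 0xA0, 50)
                 + struct.pack("<BBBBBBBBB", 9, 4, 0, 0, 1, 3, 1, 1, 0)
                 + bytes.fromhex("092111010001223f00")          # HID class descriptor, skipped
                 + struct.pack("<BBBBHB", 7, 5, 0x81, 0x03, 8, 10))
RULES = [{"vid": 0x1234, "pid": 0x9999, "driver": "vendor_blob"},   # wrong PID: does not bind
         {"class": 3, "driver": "usbhid"},
         {"class": 8, "driver": "usb-storage"}]

if __name__ == "__main__":
    dev, cfg = parse_device(SAMPLE_DEVICE), parse_configuration(SAMPLE_CONFIG)
    print(dev)
    print(cfg)
    print("bound drivers:", match_driver(dev, cfg, RULES))
```

The length checks matter beyond tidiness: descriptors are attacker-controlled input to the host, and a parser that trusts `bLength` or `wTotalLength` without bounding them against the bytes actually received is the classic weak spot in host USB stacks.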
There will be a workshop that builds on this talk. Check the workshop schedule if you would like to join in the building of a custom USB device on an ARM microcontroller!
| Speakers | |
|---|---|
| Franz Pletz | |
| lilafisch | |
| Schedule | |
|---|---|
| Day | 1 |
| Room | Saal 3 |
| Start time | 18:30 |
| Duration | 01:00 |
| Info | |
| ID | 4046 |
| Event type | lecture |
| Track | Community |
| Language | |
AllColoursAreBeautiful
interactive light installation inspired by blinkenlights
From the beginning of August 2010 until mid-November, the project AllColoursAreBeautiful by the Munich chapter of the Chaos Computer Club served as a platform for interested people around the world to illuminate, animate and interact with the front of a vacant department store in Munich.
The windows were illuminated by remotely controllable, networked RGB LEDs that colourfully lit the facade. A web editor was developed to ease the creation of animations at home or in front of the building with a laptop or mobile phone. Furthermore, animations could be put in a queue by sending a simple text message (SMS). Running animations could be viewed with a client program or via a webcam stream. Over 400 animations were created by the public. Next year another, bigger installation in Munich is planned.
The purpose of our talk is to outline the infrastructure we built for this project and to inspire other hackers to use it for rolling their own installation in their hometown. We will explain the open hardware and software design behind it, talk about the rationale behind our design decisions and comment on possible improvements in future iterations. We won't forget to include the biggest fails, fnords and pitfalls concerning funding, authorizations and communication.
At the Congress we will rebuild our installation using boxes. Interested hackers are very welcome to play with this colorful blinkenwall by writing animations and games.
| Speakers | |
|---|---|
| Christian Brandt | |
| Schedule | |
|---|---|
| Day | 1 |
| Room | Saal 3 |
| Start time | 20:30 |
| Duration | 01:00 |
| Info | |
| ID | 4176 |
| Event type | lecture |
| Track | Hacking |
| Language | de |
Hacking iButtons
iButtons are more widespread than they appear at first glance, particularly because they are comparatively simple and cheap to interface. Although the security risks are in some cases more than obvious, they are used in applications that really call for a cryptographically secured solution. The first part of the talk shows which general security problems exist and how they affect the security of the respective applications. Affected are guard tour systems, electronic door locking systems, cash register key systems / POS terminals, ticket vending machines and much more.
Besides iButtons that contain only a static serial number or RO/RW memory, there are also various crypto iButtons, e.g. with a SHA-1 MAC and a challenge-response scheme. These are used mainly in micropayment, where the systems are designed so that the monetary balance is stored only on the iButton itself. One example of such a system is Akbil in Istanbul, with more than 5 million participants. They are also used on RAID controllers for soft feature management (e.g. Supermicro).
The manufacturer relies on security by obscurity and withholds the datasheets and all other important details. These iButtons have several countermeasures intended to prevent extraction of the 64-bit keys. We have developed several attacks that allow the keys to be extracted, the best of which we will present in the talk. The best attack on the DS1963S can be carried out with minimal financial means in a few minutes, with the actual computational effort per 64-bit key being under 10 seconds.
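The difference between the two token families above, and what key extraction buys an attacker in the micropayment setting, can be made concrete. The following added Python example is a constructed model, not the DS1963S protocol: the MAC layout (SHA-1 over secret, ROM ID, page data and challenge) and the per-token key derivation from a reader master key are assumptions chosen for illustration, since the talk says the real message format is undocumented. It shows that a serial-only token is defeated by replaying its readable ID, that a SHA-1 token resists replay only while the reader issues fresh challenges, and that once the 64-bit secret is extracted the balance page can be rewritten and re-MACed so the reader accepts it.

```python
import hashlib
import os
import struct

def diversify(master, rom_id):
    """Assumed design: each token's 64-bit secret is derived from the reader's master key."""
    return hashlib.sha1(master + struct.pack("<Q", rom_id)).digest()[:8]

def token_mac(secret, rom_id, page, challenge):
    """Constructed MAC over secret || ROM ID || page data || challenge (not the DS1963S layout)."""
    return hashlib.sha1(secret + struct.pack("<Q", rom_id) + page + challenge).digest()

class SerialToken:
    """ROM-ID-only iButton: anything on the 1-Wire bus can read the 64-bit ID."""
    def __init__(self, rom_id):
        self.rom_id = rom_id
    def read_rom(self):
        return self.rom_id

class ShaToken:
    """SHA-1 MAC iButton: the secret never leaves the chip; the page (e.g. a balance) is readable."""
    def __init__(self, rom_id, secret, page):
        self.rom_id, self._secret, self.page = rom_id, secret, page
    def read_rom(self):
        return self.rom_id
    def read_page(self):
        return self.page
    def respond(self, challenge):
        return token_mac(self._secret, self.rom_id, self.page, challenge)

class ReplayClone:
    """Attacker device built from one sniffed session: replays ROM ID, page and the recorded MAC."""
    def __init__(self, rom_id, page, response):
        self.rom_id, self.page, self.response = rom_id, page, response
    def read_rom(self):
        return self.rom_id
    def read_page(self):
        return self.page
    def respond(self, challenge):
        return self.response

class SerialReader:
    def __init__(self, allowed_ids):
        self.allowed = set(allowed_ids)
    def authenticate(self, token):
        return token.read_rom() in self.allowed

class ShaReader:
    def __init__(self, master, fresh_challenges=True):
        self.master, self.fresh = master, fresh_challenges
    def pick_challenge(self):
        return os.urandom(8) if self.fresh else bytes(8)      # fixed challenge = replayable
    def authenticate(self, token):
        rom, page, challenge = token.read_rom(), token.read_page(), self.pick_challenge()
        expected = token_mac(diversify(self.master, rom), rom, page, challenge)
        return token.respond(challenge) == expected

def sniff_session(reader, token):
    """What a bus sniffer records while `token` authenticates to `reader`."""
    challenge = reader.pick_challenge()
    return token.read_rom(), token.read_page(), challenge, token.respond(challenge)

def demo():
    master = b"constructed-reader-master-key"
    rom = 0x1A00000012345678
    genuine = ShaToken(rom, diversify(master, rom), b"balance=0150")
    good_reader, lazy_reader = ShaReader(master), ShaReader(master, fresh_challenges=False)
    r, p, _, m = sniff_session(lazy_reader, genuine)
    clone = ReplayClone(r, p, m)
    extracted = diversify(master, rom)          # stands in for the talk's key extraction
    return {
        "serial token cloned by replaying its ID": SerialReader([rom]).authenticate(SerialToken(rom)),
        "replay clone vs fresh challenge": good_reader.authenticate(clone),
        "replay clone vs fixed challenge": lazy_reader.authenticate(clone),
        "forged balance with extracted key": good_reader.authenticate(ShaToken(rom, extracted, b"balance=9999")),
        "token with wrong key": good_reader.authenticate(ShaToken(rom, bytes(8), b"balance=0150")),
    }

if __name__ == "__main__":
    for outcome, accepted in demo().items():
        print("%-45s accepted=%s" % (outcome, accepted))
```

The last two results are the point of the talk: the MAC only binds the balance to a key, so extracting that key turns a "balance stored securely on the token" design into one where the holder of the key writes whatever balance they like. With per-token key diversification as modelled here, one extracted key clones one token; in a system that uses the same secret in every token, it clones them all.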
| Speakers | |
|---|---|
| Ertunga Arsal | |
| Schedule | |
|---|---|
| Day | 1 |
| Room | Saal 3 |
| Start time | 23:00 |
| Duration | 01:00 |
| Info | |
| ID | 4082 |
| Event type | lecture |
| Track | Hacking |
| Language | en |
Rootkits and Trojans on Your SAP Landscape
SAP Security and the Enterprise
SAP systems are the heart of many enterprises. Most critical business functions run on SAP Applications and the complexity of these systems makes it very difficult to protect against attackers. Default setups, forgotten/unimplemented security configurations, weak password management and change processes that apply to one ‘unimportant’ system can result in complete compromise of the SAP landscape.
The legal consequences and the lost or damaged business and reputation can be disastrous, depending on the type of attack. While companies invest a lot in securing SAP systems at the business process level, for example by designing authorization concepts, implementing separation of duties or using GRC (Governance, Risk and Compliance) tools, security at the technical level mostly lacks attention. In this paper, I present several attack paths that exploit configuration weaknesses at the technical level, leading to attacks on single systems, on whole SAP landscapes, and finally on the whole enterprise network. By demonstrating creative exploit variants of configuration weaknesses, I motivate the necessity of safeguarding an SAP system at the technical level.