
Chaos Computer Club - archive feed
Introduction to Embedded Systems: From Machine Code to Rust (ulm)
Motivational talk about various microcontrollers and the abstraction made possible by higher-level programming languages: Assembler->C->Rust, Arduino, STM32, ESP32 https://www.ulm.ccc.de/ccc/chaosseminar/2025_02_embedded-software-entwicklung/ https://wieerwill.dev/ about this event: https://www.ulm.ccc.de/ccc/chaosseminar/2025_02_embedded-software-entwicklung/
DG111: Open Source Political Intelligence - What is it and why does it matter? (datengarten)
🇬🇧 English Version Open Politics – Collaborative Tools for Open Political Data. Politics is complex, and making sense of it requires access to good information. The Open Politics Project is working on and operationalising open-source tools that help analyse political structures, decisions, and developments—so that journalists, researchers, activists, and engaged citizens can better understand and interpret them. Our goal is to make political data more accessible and useful. We bring together existing methods from data analysis, political science, and AI, while also experimenting with new approaches—always in the open, documented, and improved through collaboration. From user-friendly visualisations to structured databases, we explore ways to work with political data in a way that’s practical and meaningful. We call it: Open Source Political Intelligence. At Datengarten on February 5, 2025, we’ll share our latest progress, discuss challenges, and give a behind-the-scenes look at our work. 📍Chaos Computer Club Berlin (CCCB), Marienstraße 11, 10117 Berlin Let’s talk about how we can make political information more open and useful for everyone. 🔗 Open Politics Project: https://open-politics.org/about, https://github.com/open-politics/open-politics, https://github.com/open-politics/opol
🇩🇪 German Version (translated) Open Politics: Open Tools for Political Data. Politics is often hard to see through, but with the right tools, structures, decisions, and developments can be understood better. The Open Politics Project develops and operationalises open-source methods for analysing political data, to make access to political information easier for journalists, researchers, activists, and interested citizens. Our goal is to make political data understandable and usable. We combine existing approaches from data analysis, political science, and AI, try out new methods, and document everything openly so that it can be developed further together. From interactive visualisations to structured data collections, we experiment with ways to make political information more suitable for everyday use. We call it: Open Source Political Intelligence. At Datengarten on 5 February 2025 we will talk about our current status, discuss challenges, and give an insight into our work. 📍Chaos Computer Club Berlin (CCCB), Marienstraße 11, 10117 Berlin Let's think together about how political information can become more open and accessible. 🔗 Open Politics Project: https://open-politics.org/about, https://github.com/open-politics/open-politics, https://github.com/open-politics/opol Licensed to the public under http://creativecommons.org/licenses/by-sa/3.0/ about this event: https://c3voc.de
Don't Panic! (cmc2025)
Your organisation has been using Puppet to manage its infrastructure, but it's grown organically over time with best practices and the long-term implications of decisions never really being thought about. A new Puppet administrator has just been handed responsibility for the Puppet infrastructure; we need to help them out. This is a common scenario: the Puppet admin has left an organisation and a new Puppet admin has been assigned but doesn't have any real experience of Puppet, just like their predecessor. We need to teach them what Puppet is, help them understand what they've taken on and use Puppet best practices such as roles and profiles, and Hiera to organize their configuration management into a clear and robust structure that will give them confidence to make the required changes as and when they are needed as the infrastructure grows. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://cfp.cfgmgmtcamp.org/ghent2025/talk/NPG9HP/
Progressive Infrastructure Delivery using Kargo and Argo CD (cmc2025)
Since the day Kargo was released, I have been exploring the idea of using it not only to deliver and promote applications but also to deliver infrastructure through its progressive delivery capabilities. Using Kubernetes-based tools like Crossplane or Pulumi, we can define infrastructure as code and deliver it progressively to our management clusters and then promote this infrastructure through different stages without the need for extra CD script magic. Let me show you how Kargo helps platform engineering streamline and automate the progressive rollout of infrastructure changes to all stages. This talk will cover the basics of Kargo and how to use it with Infrastructure as Code tools. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://cfp.cfgmgmtcamp.org/ghent2025/talk/DGYEV7/
Creating Immutable Infrastructures with Kairos (cmc2025)
In this talk, we will introduce Kairos, an open-source project that aims to create immutable Operating Systems designed for Kubernetes. This includes a toolset that simplifies operations at the edge in a cloud-native way. Edge computing has become increasingly popular due to its ability to save costs by processing information closer to the data before sending filtered and computed information to a centralized application or data warehouse hosted in the cloud. Kubernetes is an ideal solution for edge computing because it natively builds components that facilitate the lifecycle management of modern edge applications. However, as we scale the number of edge locations, we face operational challenges, such as interacting with cluster configurations at scale without creating unique configurations for each location, ensuring security for remote clusters and applications, upgrading Kubernetes clusters without specific domain knowledge, and minimizing disruptions during maintenance windows for smaller form factor hardware. Kairos acts as an engine delivering immutable Kubernetes-enabled Linux OS from OCI conformant container images. It provides unique capabilities such as VPN peer-to-peer mesh, a distributed ledger to automate Kubernetes cluster bootstrapping and coordination, and zero-touch provisioning with a QR code scan. But more importantly, it uses a declarative model backed by Kubernetes CRDs. It manages distributed Kubernetes operations at the edge from a centralized Kubernetes cluster. In this presentation, we will explain the foundations and concepts of Kairos and demonstrate its capabilities. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://cfp.cfgmgmtcamp.org/ghent2025/talk/3BSKZB/
Upgrading to Puppet 8: The Good, The Bad and The Ruby (cmc2025)
We use Puppet for about 1200 Linux machines. This talk will recount our journey in upgrading from Puppet 7 to Puppet 8. I will talk about the incompatible changes to be aware of, how we handled them, and general strategy for handling Puppet major upgrades. The talk will cover: - our Puppetserver architecture - changes in Puppet 8 like legacy facts and Ruby 3.2 - how to prepare for any Puppet major upgrade - how to prepare for the Puppet 8 changes specifically - things that the ecosystem could do better Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://cfp.cfgmgmtcamp.org/ghent2025/talk/T97UPU/
Turning Cloud Nightmares into Cost-Saving Dreams (cmc2025)
Cloud costs can feel like a nightmare, creeping up on your Kubernetes infrastructure. But with the right tools, you can be the hero your budget deserves! In this talk, we’ll dive into OpenCost, an open-source solution that can help you track and optimize your cloud spending in real time. You’ll discover how OpenCost works, why it matters, and how you can use it to become the cost-saving champion of your cloud environment. Get ready to conquer Kubernetes costs and take back control of your cloud! Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://cfp.cfgmgmtcamp.org/ghent2025/talk/PVN3XX/
Running Kubernetes on small scale - lessons learned on operating "small scale" clusters (cmc2025)
This talk will walk through and provide examples and war stories on how Kubernetes can be used not only in large scale environments but also in small and small-ish scale environments. Kubernetes is often considered as the tool to tackle large scale traffic, which is supposed to be used by a big team of engineers. This talk presents an opposite approach which shows how Kubernetes can be used in a very small team with limited resources. It will explore the benefits of running k8s in a small scale and also what pitfalls come with it. It will walk through the steps of provisioning a self-hosted Kubernetes cluster - kOps - challenges of keeping clusters upgraded without downtime. It will discuss issues encountered in daily operations, applications taking too long to start up anyone, and then how it was tuned with tools like Goldilocks. It will delve into CI/CD on Kubernetes (using Jenkins and ArgoCD). Keeping an eye on operational costs is essential in a small environment and this talk will discuss how kOps can utilize spot instances everywhere and benefits/challenges with spot instances. The idea of downscaling on schedule with the py-kube-downscaler project and mutating pods with Kyverno will be discussed. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://cfp.cfgmgmtcamp.org/ghent2025/talk/A3QEP7/
Puppet, what future? (cmc2025)
Puppet is a mature tool; the company behind it has changed over the years and most of the people who developed it are no longer working there. For some people Puppet is old, solving problems that are no longer current. Yet Puppet is still around, and as long as there are systems to manage over time, there will be the need for such a tool. The question is whether the tool of choice is going to be Puppet or not. What's its present and future? We will analyse the current Puppet situation, market demand and perception, and spend our two cents on what could be done to improve perception, usage and adoption. We will also try to raise the topic with the people in the audience, when the presentation turns into a discussion, possibly stirring ideas and suggestions. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://cfp.cfgmgmtcamp.org/ghent2025/talk/VQUFXW/
Embracing Karpenter to scale, optimize & upgrade Kubernetes (cmc2025)
Kubernetes is still quite a popular choice with wide community adoption to run containerised workloads in the Cloud, but it doesn’t come with batteries included. And some of that is intentional to allow freedom to make different choices or extend its functionality as needed. For example, scaling compute nodes is one of the things which is not built-in. Making sure you’re doing it in the most efficient and cost-efficient way is paramount. But it’s not just efficiency that separates Karpenter (an open-source node lifecycle management) from other options, but also how it can help you stay on top of compliance, patching and drift. The project has come a long way in the last couple of years and it was also adopted by CNCF/SIG Autoscaling, making it an alternative approach compared to the de-facto Cluster Autoscaler project. In this talk I’ll show how to set it up, different use cases and demonstrate hands-on what to expect in a real-world scenario. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://cfp.cfgmgmtcamp.org/ghent2025/talk/P7CTWQ/
1001 ways of assigning a class to a node (cmc2025)
Overview of possibilities to assign classes to nodes. The Puppet tutorial assembles configuration from snippets in manifests/site.pp: `node default { include apache }`. There are more possibilities than advertised by Puppet: * External Node Classifier * Roles and Profiles * Hiera Chainloading as Array or Hash * Puppet Enterprise Console/Foreman Host Groups We will get a quick intro to each of them, an explanation on how to shoot yourself in the knee with these and a field report of ways that have proven to cause less pain. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://cfp.cfgmgmtcamp.org/ghent2025/talk/TCKR7P/
HDM Release 3 (cmc2025)
What is new in HDM Release 3? Hiera Data Manager (HDM) is a web UI, which provides insight into your Hiera Data. One can easily check, which values are set in which layer and recognize, why a node receives which configuration data. With the newest release we added some new features, which I would like to present. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://cfp.cfgmgmtcamp.org/ghent2025/talk/FCSFJP/
Continuous Delivery on multi-architecture Kubernetes clusters with ArgoCD (cmc2025)
Kubernetes is the most popular container orchestration platform out there, and for anyone who wants to do GitOps on Kubernetes, ArgoCD is a leading open source project in this space. This presentation will walk you through the management of multi-architecture applications for Kubernetes with ArgoCD. In this presentation, we will run through the process of managing container applications on hybrid arm64 and x86 Kubernetes clusters using ArgoCD for GitOps, including: * Why add arm64 compute nodes to your Kubernetes clusters? * Tooling to build and manage multi-arch containers * Continuous integration and delivery patterns * Workload placement and orchestration in Kubernetes Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://cfp.cfgmgmtcamp.org/ghent2025/talk/L7WJRN/
Compliance as Code: Building an Open Source Compliance Backend for Puppet (cmc2025)
Managing compliance in infrastructure as code environments is essential but can be daunting. Enter `compliance_engine`, a new open-source Ruby gem designed to streamline the mapping of compliance standards to Puppet code. Building on the foundation of SIMP's `compliance_markup`, this reimagined backend prioritizes performance, flexibility, and maintainability. In this session, we’ll explore the evolution from `compliance_markup` to `compliance_engine`, highlighting the architectural improvements that make it faster and easier to use. We’ll dive into real-world examples, demonstrating how the gem simplifies the enforcement of compliance policies, reduces complexity, and supports emerging standards. Attendees will gain insights into the challenges of implementing compliance as code and learn how `compliance_engine` can transform their approach to regulatory compliance in Puppet environments. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://cfp.cfgmgmtcamp.org/ghent2025/talk/NXJTDG/
How we use Choria orchestration in an enterprise setting (cmc2025)
A real life view into how an enterprise company uses Choria for orchestration and what we had to build around it. This talk gives the basics of Choria along with infrastructure considerations such as running only from Jenkins and code considerations including control repo organization, org specific stdlib and interacting with other teams. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://cfp.cfgmgmtcamp.org/ghent2025/talk/W7WAZG/
Got a Secret, Can You Keep It? - Mastering Secret Management in Kubernetes (cmc2025)
Managing secrets in Kubernetes can be a complex and overwhelming process, especially with the wide range of available options. This talk, designed for intermediate users, aims to demystify the process by providing a practical roadmap drawn from my own journey. I will explore common challenges and share insights from transitioning through various approaches, from Kubernetes' built-in secrets to external tools like Sealed Secrets, CSI Secrets Store, and External Secrets. Through real-world examples and lessons learned, attendees will leave with actionable strategies to manage secrets more securely and efficiently in their Kubernetes environments, while contributing to stronger community practices and more resilient applications. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://cfp.cfgmgmtcamp.org/ghent2025/talk/HS8ELE/
Simplifying Kubernetes Monitoring with Icinga (cmc2025)
Monitoring Kubernetes doesn’t have to be complicated. In this talk, I’ll introduce a new module we’re developing for Icinga, currently in beta, that simplifies Kubernetes monitoring in the same way Icinga has for traditional infrastructure. We’ll explore how this module makes it easier to monitor your clusters’ health and performance, allowing you to identify issues early. Whether you’re new to Kubernetes or managing large-scale clusters, this session will provide a preview of what’s to come and how it can streamline your monitoring processes. Feedback and insights are welcome as we refine the tool. Kubernetes offers powerful orchestration capabilities, but monitoring its dynamic environment can be tricky. In this session, we’ll dive into the development of a new module for Icinga that simplifies Kubernetes monitoring, making it more accessible for users who are familiar with traditional IT infrastructure setups. While the module is still in the beta phase, I’ll walk through its current features, show how it integrates with your existing Icinga setup, and discuss future enhancements. We’ll look at practical examples of monitoring critical aspects like node health, pod status, and resource utilization, all through Icinga’s familiar interface. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://cfp.cfgmgmtcamp.org/ghent2025/talk/AH78JZ/
Doing mass Puppet Enterprise upgrades in highly restricted environments (cmc2025)
How do you upgrade 3000 individual PE environments? 3000 environments that you don't manage and others own. 3000 environments without SSH access. Come with me on a "funny" journey and learn how we made this possible and how the PE upgrade process differs from Open Source. Let's do a deep dive into PE 2019->2021->2023 Upgrades and our open source tooling that made this possible. You can also watch the slides online at: https://bastelfreak.de/cfgmgmtcamp2025/pe.html#1 Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://cfp.cfgmgmtcamp.org/ghent2025/talk/9NUL9E/
Overview of the new OpenVox build pipeline (cmc2025)
Description: Most of us remember how long it took for Puppet to get Debian 12 packages. The build pipeline was long and complex and used a lot of internal tooling that had to be updated manually. In current news though, the new OpenVox build pipeline has been totally revamped and simplified and adding support for RHEL 10 took about 10 minutes. Most of that was spent waiting for the build to complete. Nick would like to explain how it works and what we still have left to do. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://cfp.cfgmgmtcamp.org/ghent2025/talk/7HXT7V/
Bolt dynamic inventory making puppet easy (cmc2025)
It is very common now for developers to code and test their applications on VMs, either locally hosted or on the cloud. Just as individuals have editor preferences (nvim, vscode, etc.), so they have hypervisor preferences. Once you create a bolt inventory file listing the server or servers, then bolt can easily configure those servers using custom puppet code. Instead of manually creating the bolt inventory, it is easy to create a dynamic inventory plugin--if it doesn't already exist--to suit your particular use case. This talk illustrates how we set up our own local dynamic inventory plugins to help with our automated development and testing. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://cfp.cfgmgmtcamp.org/ghent2025/talk/GYKK3P/
Testing Puppet code with voxbox (cmc2025)
Testing Puppet code can be a hassle, but voxbox is here to save the day! Voxbox is a complete testing environment in a container, with all the good gems from Vox Pupuli. Actively maintained and ready to run locally or in your CI. It also has jq and yamllint on board. I will showcase how it is built, how it is used and how it can be integrated into gitlab-ci. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://cfp.cfgmgmtcamp.org/ghent2025/talk/WHTKEC/
State of Puppet (cmc2025)
In this talk we'll discuss what's happened in the open source product releases from Puppet to developer tools recently and what direction we're thinking... did anyone say Puppet 9? We will also look at an overview of the state of community and where we think we can focus working better together. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://cfp.cfgmgmtcamp.org/ghent2025/talk/3BC7QX/
Kubernetes from Scratch, The Hard Way (cmc2025)
To understand the inner workings of Kubernetes and to prepare for the K8s certification exams, I decided to create a K8s cluster from scratch, the hard way, on premises (“de meterkast”) on virtual machines all using Alpine Linux. This talk is how I tried to do it, how I succeeded, failed and added a CEPH cluster and ETCD cluster along the way. It includes a lot of technical details, but if there is one thing that you should learn during this talk, it’s not about K8s at all: Containers are not VMs! Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://cfp.cfgmgmtcamp.org/ghent2025/talk/CR8UGL/
Tandem-Free Operation (TFO) in GSM and 3G (osmodevcall)
about this event: https://c3voc.de
38C3: Return to legal constructions (38c3)
Let's join in a quiet moment to bid farewell to the chaotic wonderland that has been 38C3 and prepare ourselves for the harsh reality outside. Gather round and take a deep breath and enjoy the unique atmosphere before you will feel the spirit again at the next hacker event close to you. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/38c3-return-to-legal-constructions/
How to Get Disaster Warnings with FOSS, Too (38c3)
Being able to receive weather and emergency warnings can save lives. Users who do not want to hand their privacy over to Google or Apple should not be at a disadvantage here. We report on the current state of FOSS development and assorted observations around emergency warnings. The flood disaster of July 2021 made it painfully clear how important the effective distribution of disaster warnings is. The introduction of cell broadcast in Germany brought a clear improvement in this respect, but that does not make other distribution channels any less relevant. Apps such as NINA or KATWARN provide more information than can be transmitted in a cell broadcast message, and also make it possible to watch regions where you are not located yourself. However, these apps are only available for the Google and Apple platforms; users of free platforms are left out. Not a satisfactory state of affairs. What do you do in a case like that? Well, what you always do in a case like that: we just build the warning apps and the infrastructure they need ourselves. The basis is the Common Alerting Protocol (CAP), which has been in use worldwide for many years, and UnifiedPush as a free alternative to proprietary push notifications. The result is an aggregation server that collects warnings from currently 100 countries and informs clients about events in areas relevant to them. In this talk we explain how CAP works, how it is used around the world, and which strange observations we made during development. From the developers of FOSSWarn and the FOSS Public Alert Server. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/wie-man-auch-mit-foss-katastrophen-warnungen-bekommt/
38C3: Infrastructure Review (38c3)
This talk gives a behind-the-scenes look at how the infrastructure side of the event is done. A lot of teams help to make this event happen. This talk gives them the opportunity to show you what they do and how they do it. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/38c3-infrastructure-review/
Security Nightmares (38c3)
The IT security nightmare retrospective: sometimes amusing, at times unsettling, but with an outlook. Another year has passed and nobody has been strangled by a smart meter: did anything worth reporting happen at all? And if not, will it at least get worse next year? We look at the past year, try to recognise patterns and to guess how things must continue, because forewarned is forearmed. Even if only with popcorn and "In accordance with the prophecy!" signs. Interjections from the audience welcome. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/security-nightmares/
Local News Mining (38c3)
Have you always wanted to know what the "Morgenthau Plan" has to do with roundabouts and "fair-weather leisure sports equipment"? Then let me take you into the wondrous, obscure and humorously valuable depths of a local news portal. What can the interested observer learn about the system from the outside? Which tools do we need for this expedition? Which creatures of the night crawl through the depths of the anonymous comment function? And can you actually make something nice out of the data that gets dumped onto the net there every day? Like many places in Germany, Lübeck has one of those slightly odd local news sites that look as if they were stuck in time. And yet they are somehow important for life in the region. The mundane weather report, complaints about construction sites, felting workshops and event announcements for the LAN party of the local CDU branch: you can come across anything here. Garnished, of course, with comments from the whole spectrum of madness. For more than a year I have been collecting the data that this obscure site blows into the internet, analysing it and tinkering useful or at least funny things out of it. I would like to tell you about all these adventures of my hobby project "hl-lol". Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/lokalnews-mining/
Philosophical, Ethical and Legal Aspects of Brain-Computer Interfaces (38c3)
This talk examines philosophical, legal, and ethical questions of the merging of human minds with intelligent machines through Brain-Computer-Interfaces, provides an overview of current debates and international regulatory development - and what might be at stake when technologies increasingly access the human brain. Human minds and machines, or organic and artificial intelligence (AI), are increasingly merging through neurotechnologies such as Brain-Computer-Interfaces (BCIs) that may record or alter brain activity. While most current devices are developed and used for rehabilitative purposes, more and more consumer devices are about to come on the market, and some stakeholders such as Elon Musk and his company Neuralink pursue more transhumanist objectives. This merging of minds and machines raises multiple intriguing philosophical, ethical, and legal questions: Do these devices become part of the person, even more, might the AI operating these devices become part of her? (I argue that it does under certain conditions, creating the most intimate conceivable connection between AI and persons). Are there ethical boundaries, and what is the legal situation, especially with respect to human rights? (I call for a renaissance of the right to freedom of thought to provide at least some principled protection for privacy of thought). Moreover, the topic has received the attention of international organizations, which will negotiate the first international treaty on the ethics of neurotechnology under the auspices of UNESCO in the beginning of 2025 (expected to be concluded in late 2025). This will set the standards for the future trajectory of the technology, but whether agreement can be found is to be seen. The EU, US, and China have different regulatory approaches with different visions for the future. 
This talk addresses these political, philosophical, legal and ethical questions and presents results of an international research cooperation on the topic, HYBRID MIND, that is funded in Germany by the Federal Ministry of Education and Research and comes to its official conclusion during the days of the 38C3. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/philosophical-ethical-and-legal-aspects-of-brain-computer-interfaces/
corebooting Intel-based systems (38c3)
Gaining a reasonable level of trust in the firmware that runs your everyday activities. Corebootable or not corebootable, that is the question. The nerdiest nerds already corebooted their old X230 ThinkPads... but what about your new ThinkPad, or even your gaming rig? Well, Intel has a trick called the "BootGuard" inside the Management Engine. It is supposed to protect the firmware and only allow updates from signed sources... somewhat like the Secure Boot. This means we can't coreboot our newer machines, right? ..right? Well, for that to work... it needs team-play between OEMs and Intel, which doesn't always work out. In this talk you will learn how to port coreboot to modern Intel systems - how we did it and even got to game on them. We'll go over coreboot development, tell you how to find ~~potential subjects~~ compatible mainboards and what it would take to boot on them! We'll explain what "payloads" are, which one is right for you, and what it takes to make such a system run mainline Linux. We'll also take a look at the current state of AMD systems and how they're doing with OpenSIL (which will replace AGESA in the coming years). Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/corebooting-intel-based-systems/
Observability is just Contextualized Monitoring. Change my mind. (38c3)
The infrastructure industry has recently started co-opting a well-established software engineering practice and is doing so badly. Observability is being overhyped as something revolutionary that you can only practice using the latest new shiny tool. Real observability provides insight only when we take the time to understand what we’re monitoring, why it matters to our organization, and how each metric connects to our goals. This talk critiques the tool-centric approach that has taken over infrastructure monitoring, encouraging infrastructure teams to step out of their offices, touch grass, and talk with their organizations to answer the essential question: What is it you want monitored anyway and why? We’ll explore the power of applying observability as a practice, not just a product, and highlight F/L/OSS tools that offer powerful, adaptable solutions without the hype. If you’re tired of replacing one flashy dashboard with the next, or if you’ve ever wondered whether observability is really the game-changer it’s made out to be, this talk is for you. Let’s take a cue from our software engineering friends and approach observability as a collaborative, cross-functional practice that builds on strategy rather than the next tool. The term “observability” is everywhere, packaged as the next game-changer for infrastructure. But beneath the hype, it’s little more than contextualized monitoring—and the infrastructure industry has co-opted it badly. This talk takes a critical look at the tool-centric approach to observability that’s dominating the market and offers an alternative: an approach to observability based on strategy, not the latest tool. We’ll explore the origins of observability as a software engineering practice, where things went wrong as it moved into infrastructure, and how tool-driven marketing misses the point. 
From understanding why we’re monitoring to identifying what actually matters to our organizations, this session challenges infrastructure teams to rethink observability and ask essential questions that can transform monitoring into a true asset. Finally, we’ll dig into powerful F/L/OSS tools that already do the job well, without the hype or the hefty price tag, and consider how infrastructure teams can use and contribute to open-source observability practices that support genuine insight. Join me in side-stepping the hype, and discover how real observability could mean thinking like a hacker—using practical, adaptable, and community-driven solutions that prioritize understanding over just another flashy dashboard. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/observability-is-just-contextualized-monitoring-change-my-mind/
Find My * 101 (38c3)
I'll introduce the technology underlying Bluetooth trackers from Apple and Google, and will describe and show what can actually be seen on the air (using a hackrf/rad1o for example). This is part demonstration of what is possible right now, part explanation of the underlying principles, and part invitation to would-be hackers to make creative use of this technology. Apple's "Find My" network has been online for more than 5 years. Google has launched its own variant "Find My Device" this year. The Apple protocol has been previously reverse-engineered, while Google's specs are publicly available. Both take part in Detecting Unwanted Location Trackers (DULT), an IETF draft. Underlying this is standard Bluetooth Low Energy (BLE) which can be analyzed, and toyed with, with all the standard BLE research tools. I'll show how to sniff and interact with these trackers using tools that many hackers might already have available. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/find-my-101/
From Ions to Data: The Workings and Relevance of (Quadrupole) Mass Spectrometers (38c3)
Mass spectrometers are indispensable analytical tools in chemistry and, moreover, highly interesting and astonishing instruments. This talk gives a vivid introduction to mass spectrometry with a focus on quadrupole mass spectrometers. Mass spectrometers from the hacker's perspective: mass spectrometry may seem complicated at first glance, but with a basic understanding of the physics and a bit of logical thinking you can find your way into this world surprisingly well. I have been working intensively with mass spectrometers for four years, a technology that fascinates me more and more and that I am diving deep into. This talk is aimed at everyone who so far knows little to nothing about mass spectrometry and explains in an accessible way how (quadrupole) mass spectrometers work and why they are so crucial for chemical analysis. We look at how these devices work at the molecular level and which exciting applications exist that influence our everyday lives. The physical fundamentals are explained clearly, so that everyone, even without prior knowledge, can follow how and why this technology is so important. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/von-ionen-zu-daten-die-funktionsweise-und-relevanz-von-quadrupol-massenspektrometern/
What's inside my train ticket? (38c3)
Ever wondered what data is stored inside DB print-at-home train tickets or those in your local transport association's app? Join me for the deep dive into digital railway ticketing you didn't know you needed. After getting my shiny new Deutschlandsemesterticket from University I was so annoyed with the quality of the SaarVV app that I set out to put my train tickets into Apple Wallet - whether the train companies wanted me to or not. What followed was several weeks of banging my head against the wall and googling various terms with "filetype:pdf" until I understood how they're encoded. This talk is a highly condensed executive summary of the most interesting parts of that journey - from the surprising to the downright weird. Finally, I'll cover how you can issue your own train tickets - for fun and absolutely no profit! Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/what-s-inside-my-train-ticket/
Rekordbox, give me my data! - An overview of data access in DJ software & hardware (38c3)
We hackers must be a great danger to our own data, given the measures manufacturers take, some of which I will present in this talk. How do I get data out of DJ systems, and maybe back in again? When we as DJs enter data into DJ systems, we may want to read it out or modify it from the outside with our own software. This talk is an overview of the development and current state of databases, reverse engineering, network protocol captures and encryption. Unfortunately, AlphaTheta, Serato and co. make this harder for us than it needs to be. Sometimes it is hard to believe how far they go to do so. Note: this talk may contain traces of SQL. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/en/event/rekordbox-gib-mir-meine-daten-berblick-von-datenzugriff-in-dj-software-hardware/
Everyone VS. MP3 - Audio file formats for DJs and co. (38c3)
This talk covers the fundamentals of sampling rate, bit depth and bitrate and explains the strengths and weaknesses of all audio file formats relevant to DJs and producers: MP3, AAC, FLAC, WAV, AIFF and maybe more. If you have ever had problems with some files on CDJs, this is the right talk for you. Besides the fundamentals named in the abstract, I explain what lossy and lossless mean, why lossless is not necessarily the best term, what interpolation is, and what PCM is all about. I also shed light on different aspects of the file formats: quality, file size / compression, metadata support, compatibility with popular DJ hardware, and more. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/en/event/everyone-vs-mp3-audio-datei-formate-fr-djs-und-co/
From Convenience to Contagion: The Libarchive Vulnerabilities Lurking in Windows 11 (38c3)
In the October 2023 update, Windows 11 introduced support for 11 additional compression formats, including RAR and 7z, allowing users to manage these types of files natively within File Explorer. The enhancement significantly improves convenience; however, it also introduces potential security risks. To support these various compression formats, Windows 11 utilizes the libarchive library, a well-established open-source library used across multiple operating systems like Linux, BSD, and macOS, and in major projects such as ClickHouse, Homebrew, and Osquery. The libarchive has been continuously fuzzed by Google’s OSS-Fuzz project, making it a time-tested library. However, its coverage in OSS-Fuzz has been less than ideal. In addition to the two remote code execution (RCE) vulnerabilities disclosed by Microsoft Offensive Research & Security Engineering (MORSE) in January, we have identified several vulnerabilities in libarchive through code review and fuzzing. These include a heap buffer overflow vulnerability in the RAR decompression and arbitrary file write and delete vulnerabilities due to insufficient checks of libarchive’s output on Windows. Additionally, in our presentation, we will reveal several interesting features that emerged from the integration of libarchive with Windows. And whenever vulnerabilities are discovered in widely-used libraries like libarchive, their risks often permeate every corner, making it difficult to estimate the potential hazards. Moreover, when Microsoft patches Windows, the corresponding fixes are not immediately merged into libarchive. This delay gives attackers the opportunity to exploit other projects using libarchive. For example, the vulnerabilities patched by Microsoft in January were not merged into libarchive until May, leaving countless applications exposed to risk for four months. The worst part is that the developers might not know the vulnerability details or even be aware of its existence. 
To illustrate this situation, we will use the vulnerabilities we reported to ClickHouse as an example to demonstrate how attackers can exploit the vulnerabilities while libarchive remains unpatched. We will introduce the new Compressed Archived folder feature in Windows 11 and review the vulnerabilities of the previous Compressed (zipped) folder. Next, we will explain how we analyzed the libarchive that Windows 11 introduced to support various compression formats. Despite extensive fuzz testing by OSS-Fuzz, we discovered several vulnerabilities in libarchive through code review and fuzzing, including an RCE (Remote Code Execution) vulnerability. Finally, we will use the ClickHouse case to explain how we triggered an RCE vulnerability in ClickHouse while the patch had not been merged upstream. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/from-convenience-to-contagion-the-libarchive-vulnerabilities-lurking-in-windows-11/
Microbes vs. Mars: A Hacker's Guide to Finding Alien Life (38c3)
Mars is famously the only planet (we know of) that is entirely inhabited by robots. And these robots are working hard on looking for something that would be one of the most significant discoveries in the history of science: Alien life. But how do you look for something that no one has ever seen? And would we recognize it if we find it? Join me on a journey through Mars’ ancient past and Earth’s most extreme environments, where scientists hunt for strange microbes that defy all our expectations: Organisms thriving in salt lakes, breathing metal, and building bizarre microbial ‘cities’ out of rock. Are they the blueprint of what alien life might look like? I will introduce you to the cutting-edge technology we use to analyse and understand them, and how we detect their “biological fingerprints” that might one day help us to find Martian life. This talk will not only give you a deep look behind the scenes of the search for life on Mars, but also a new appreciation for the strange and wonderful life on our own planet. I am a PhD student in astrobiology and planetary science at the University of Hong Kong and want to introduce you to the exciting research that is happening in the search for life on Mars. We will talk about what Earth and Mars looked like 3 billion years ago, you will get to know some truly weird microbes, learn about the instruments on Mars rovers and the exciting upcoming Mars sample return missions. I will also share highlights from my own research and fieldwork in Mars-like environments: From growing extremophiles in the lab to testing planetary rovers on Mount Etna, and research adventures in the remote deserts of the Atacama and western China. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/microbes-vs-mars-a-hacker-s-guide-to-finding-alien-life/
identity theft, credit card fraud and cloaking services – how state-sponsored propaganda makes use of the cyber criminal toolbox (38c3)
The Russian disinformation campaign Doppelgänger is considered to be technically highly sophisticated. Research by CORRECTIV and Qurium has revealed that the Russian state relies on the toolbox of internet fraudsters for the dissemination of propaganda and fakes. A talk on the state's possible alliance with the criminal world - and on possibilities and limitations of countering it. Its goal is to undermine the support for Ukraine and polarize Western states: For more than two years, the Russian disinformation campaign Doppelgänger has been running on social networks and its own portals. Despite sanctions, the affected countries have not been able to stop the campaign. This is also because the architects of the campaign employ methods tried and tested by cyber criminals: Identity theft, use of stolen credit cards, bulletproof hosting, cloaking services and multi-level forwarding mechanisms. Research by CORRECTIV and Qurium based on data provided by Antibot4Navalny has uncovered the technical infrastructure of the campaign. The talk guides the audience through details of the new potential alliance between the Russian state and the criminal world. It raises questions about the accountability of authorities and platforms and opens the discussion to the possibilities and limits of resistance against malign foreign influences in the digital sphere. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/identity-theft-credit-card-fraud-and-cloaking-services-how-state-sponsored-propaganda-makes-use-of-the-cyber-criminal-toolbox/
Small seeds - why funding new ideas matters (38c3)
More money for Free and Open Source Software - a never ending issue. In a tech world built on start-ups, venture capital and data-gathering apps, the fight for sustainable funding for ethical technology projects is a fierce one. After some big victories for FOSS funding in the last years, this talk is about the importance of not forgetting the small, underdog civil society projects. How do we fund technology in a sustainable way? Fund infrastructure, fund maintenance, fund that project some random person in Nebraska has been thanklessly maintaining since 2003. While infrastructure is extremely important (no questions asked), in this talk we want to explore why a diverse funding landscape that also allows for supporting new people and groups with fresh ideas can only be incredibly valuable to the field of FOSS. How can we use existing funding structures, bend and twist them to meet the real needs of communities? How can we make them more useful to projects and people who are not typically the recipients of their money? We want to talk about how to build support infrastructure that allows us to fund in ways that bring more diversity, more novel ideas and more inclusivity to our communities - and we want to talk about how to do this in a sustainable way. This talk is a call to government institutions, funders and other organisations with the power to distribute money to join forces, break down the barriers of their traditional funding models and create a broad and vibrant network of small, diverse and lightweight funds that meet the needs of different groups and communities. It is an invitation to communities to come together and share their needs in order to help build structures that can actually support their work. There is hope in FOSS projects, old and new, big and small. Let's hack all kinds of systems to give them the support they need. 
Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/small-seeds-why-funding-new-ideas-matters/
Basics of software publication (38c3)
You want to share your code with the world. That's great! But how? Just uploading it to GitHub? Or how do I do this? In this talk I want to give you an overview of the minimal steps you should take to prepare your code for publication, covering what belongs in a repository, how to make your code sharable and which license to pick. This talk is based on the training [Foundations of Research Software Publication](https://codebase.helmholtz.cloud/hifis/software/education/hifis-workshops/foundations-of-research-software-publication/workshop-materials-data-pub). The target is to enable developers to create and publish sustainable software which can be used and built upon by others. While this talk is an introduction, even more experienced developers might take something home. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/basics-of-software-publication/
GLAM between LOD and ¯\_(ツ)_/¯. Museum critique for hackers (38c3)
Have you always wondered how museum collections get onto the net, why online collections mostly still look the way catalogues have since the 19th century, what strategies and funding programmes are behind them, which companies hold quasi-monopolies here, and why museums attach so many hopes (access! participation! democracy!) to digitisation? The talk is an invitation to hackers to take part in the critical further development, opening and reflection of museums. GLAM = abbreviation for collecting institutions: Galleries, Libraries, Archives, Museums LOD = buzzword in museums: Linked Open Data ¯\_(ツ)_/¯ = placeholder for: let's do something with AI, Google Arts & Culture, Facebook Metaverse! When my research project on digitisation in museums started four years ago, I presented my first ideas at rC3 ("Wie können wir das digitale Museum aufhalten"). And now I would like to share the results of four years of research on the digitisation of museums. My sources are above all the annual reports of the Staatliche Museen zu Berlin since 1990, and the digital strategies of the German federal government, with their focus on artificial intelligence, virtual reality and linked data, which include, for example, the multi-million projects "museum4punkt0" and "Datenraum Kultur". I show major developments and conflicts and many examples, all guided by the question: what bridges can we build between museum critique and data politics? Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/glam-zwischen-lod-und----museumskritik-fr-hacker-innen/
Resource Consumption of AI - Degrow or Die (38c3)
Not only the energy consumption of AI is exploding. Less known is that other resources like water or metal are also affected. The talk gives an overview of the devastating impact of datacenters on our environment. Degrowth scenarios seem to be the only way to escape from this ecological nightmare. Summarizing the known facts and serious predictions, the talk gives an overview of the upcoming possible and impossible scenarios of energy and resource consumption. Even if predictions are not easy, economic and ecological limits are discussed. Finally, degrowth will be discussed. Can we degrow datacenters without losing too much of our digital life? How much can be saved using alternative technologies? Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/resource-consumption-of-ai-degrow-or-die/
Going Long! Sending weird signals over long haul optical networks (38c3)
Computer network operators depend on optical transmission everywhere as it is what glues together our interconnected world. But most of the industry is running the same kinds of signals down the optical transceivers. As part of my need to "Trust, but verify" I wanted to check my assumptions on how the business end of modern optical modules worked, so join me in an adventure of sending weird signals many kilometres, and maybe set some records for the most wasteful bandwidth utilisation of optical spectrum in 2024! Computer network operators depend on optical stuff everywhere as it is what glues together our interconnected world. But most of the industry is running the same kinds of signals down the optical transceivers. As part of my need to "Trust, but verify" I wanted to check my assumptions on how the business end of modern optical modules worked, so join me in an adventure of sending weird signals many kilometres, and maybe set some records for the most wasteful bandwidth utilisation of optical spectrum in 2024! In this talk we will cover the basics of optical networks, how they fit in with networking, some of the weird things pluggable optics do, the perhaps odd industry de facto standards, and bending the intended use cases of existing tech to make signals that would probably deeply confuse a modest signals intelligence agency. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/going-long-sending-weird-signals-over-long-haul-optical-networks/
All Brains are Beautiful! – The Biology of Neurodiversity (38c3)
How do you think? People can experience thoughts, feelings, and sensory inputs very differently. While context and substances are known to promote changes in perception and thinking, the biological basis is very diverse, contrary to what is often assumed. Brain cells come in extraordinary varieties in size, shape, and complexity. Their synaptic connectivity provides the foundation of all our sensory input, motor output, cognitive functions, and thoughts. In short: They shape us. This talk gives an introduction about the extent of variability in neuronal patterns that underlies neurodiversity and critically discusses the idea of neurodivergence, diagnosis criteria in Autism and ADHD from a biological and first person-perspective. We find that biological variability of brains is an evolutionary feature that helps us to adapt to our environment but comes with certain risks and downsides in our modern society. While many things are still unknown, scientists have identified genes and environmental impacts that shape our network architecture during brain development and which help to explain why we think and experience the world so differently. This talk gives an introduction about the extent of variability in neuronal patterns that underlies neurodiversity and critically discusses the idea of neurodivergence, diagnosis criteria in Autism and ADHD from a biological and affected person-perspective. It aims to clear up stereotypes, dogmas that still stick in our society and provides latest insights from science and community about what makes our brains work so differently. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/all-brains-are-beautiful-the-biology-of-neurodiversity/
Computing Genomes & what that has to do with privacy (38c3)
What does it take to get a Genome into the computer? A slightly technical, political and personal dive into the field of genomics. The first part will be an introductory talk on Genomics, covering "How do you get a genome into your computer?". As I'm a bioinformaticist, I will briefly mention sequencing, but focus on the computation. Because it turns out that getting a human genome into your computer involves a lot of computation! In the second part I will outline where privacy comes in here, and why it is essential if we want to work with genomic data responsibly. Understanding privacy goes beyond the technical: economic incentives, legal policy and security need to be taken into consideration to protect genomic data adequately. In the third part I will tell of a University program which I organized in which we did our own Genomic Analysis with students, as privacy preserving and digitally sovereign as possible, and tell of the challenges we faced and the learnings we made. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/computing-genomes-what-that-has-to-do-with-privacy/
Moving with feelings: Behind the scenes of a one man show mobile & fiber operator in Spain (38c3)
How to run an MVNO with values: What are the requirements? Do you need a government license, maybe a lot of investment? There are different types of MVNOs. We will talk about how to do business as an MVNO while respecting users' privacy, supporting free software, believing in the right to repair and making your customers technologically sovereign. The issues with data privacy are being discussed more than ever. However, from the end user perspective, it is difficult to understand the full extent of the impact on their privacy when using well known "free" services or maybe acquired hardware like a vacuum cleaner or a cooking robot. On the other side, there are projects that demonstrate that they can do business respecting their users. One way to start to take care of your privacy is by using free software, but this software needs to be high quality, easy to use for the end user, has to be documented in a clear way and has to resolve issues and bugs as fast as possible. This is very hard work for the developers, so their work has to be compensated. Last but not least, the right to repair plays a big role for being technologically sovereign. It's as important to be aware of your privacy when using online services as it is to know how repairable and privacy-respecting hardware is before you buy it. Can you fight for and support what you believe in while doing business? I think so! Let's talk about it. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/moving-with-feelings-behind-the-scenes-of-a-one-man-show-mobile-fiber-operator-in-spain/
Is Green Methanol the missing piece for the Energy Transition? (38c3)
In an accelerating climate crisis, renewable energy and electrification are the most important tools to reduce greenhouse gas emissions. However, in sectors where electrification is infeasible or impossible, other solutions will be needed. While hydrogen gets a lot of attention, it suffers from challenges like being difficult to transport and store. While it does not receive nearly as much attention as hydrogen, another molecule, methanol, could play a crucial role in bringing down emissions in challenging sectors like shipping, aviation, or the chemical industry. Methanol is the simplest carbon-containing liquid and is currently almost exclusively made from fossil fuels. However, it could be made by utilizing renewable energy, green hydrogen, and carbon dioxide, and such green methanol could play an important role in a climate-neutral future - both as a fuel and as a chemical feedstock[1]. Methanol is relatively easy to store and transport. It could provide energy during times with little sun and wind and possibly even balance multi-year fluctuations [2][3]. It could also serve as a shipping fuel and, indirectly, help make aviation fuels. Furthermore, it could form the basis of a fossil-free production of chemical products like plastics [4][5]. That raises important questions about stranded assets in today's chemical industry, as the existing plastic production with steam crackers could become obsolete. Despite its prospects, methanol is no magic silver bullet. Making it from CO2 requires enormous amounts of energy. It should be used carefully and only where efficient direct electrification is infeasible (no methanol car, sorry). Alternative production pathways using climate-friendly biomass and waste have turned out to be challenging in the past, but they could lower some of the enormous energy needs. 
[1] [From Coal enabler to the Minimal Green Methanol Economy, Industry Decarbonization Newsletter, 2024](https://industrydecarbonization.com/news/from-coal-enabler-to-the-minimal-green-methanol-economy.html) [2] [Ultra-long-duration energy storage anywhere: Methanol with carbon cycling, Joule, Brown, Hampp, 2023](https://www.cell.com/joule/abstract/S2542-4351(23)00407-5) [3] [Should we burn Methanol when the Wind does not blow?, Industry Decarbonization Newsletter, 2023](https://industrydecarbonization.com/news/should-we-burn-methanol-when-the-wind-does-not-blow.html) [4] [Climate change mitigation potential of carbon capture and utilization in the chemical industry, PNAS, Kätelhön et al, 2019](https://www.pnas.org/doi/full/10.1073/pnas.1821029116) [5] [How to make Plastics without Fossil Fuels, Industry Decarbonization Newsletter, 2023](https://industrydecarbonization.com/news/how-to-make-plastics-without-fossil-fuels.html) Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/is-green-methanol-the-missing-piece-for-the-energy-transition/
Ten Years of Rowhammer: (38c3)
The density of memory cells in modern DRAM is so high that disturbance errors, like the Rowhammer effect, have become quite frequent. An attacker can exploit Rowhammer to flip bits in inaccessible memory locations by reading the contents of nearby accessible memory rows. Since its discovery in 2014, we have seen a cat-and-mouse security game with a continuous stream of new attacks and new defenses. Now, in 2024, exactly 10 years after Rowhammer was discovered, it is time to look back and reflect on the progress we have made and give an outlook on the future. Additionally, we will present an open-source framework to check if your system is vulnerable to Rowhammer. In 2014, Kim et al. reported a new disturbance effect in modern DRAM that they called Rowhammer. The Rowhammer effect flips bits in inaccessible memory locations just by reading the content of nearby memory locations that are attacker-accessible. They trigger the Rowhammer effect by accessing memory locations at a high frequency, using memory accesses and flushes. The root problem behind Rowhammer is the continuous increase in cell density in modern DRAM. In early 2015, Seaborn and Dullien were the first to demonstrate the security impact of this new disturbance effect. In two different exploit variants, they demonstrated privilege escalation from the Google Chrome NaCl sandbox to native code execution and from unprivileged native code execution to kernel privileges. Later, in 2015, Gruss et al. demonstrated that this effect can even be triggered from JavaScript, which they presented in their talk "Rowhammer.js: Root privileges for web apps?" at 32C3. Now, in 2024, it is precisely 10 years after Rowhammer was discovered. Thus, we believe it is time to look back and reflect on the progress we have made. We have seen a seemingly endless cat-and-mouse security game with a constant stream of new attacks and new defenses. 
We will discuss the milestone works throughout the last 10 years, including various mitigations (making certain instructions illegal, ECC, doubled-refresh rate, pTRR, TRR) and how they have been bypassed. We show that new Rowhammer attacks pushed the boundaries further with each defense and challenge. While initial attacks required native code on Intel x86 with DDR3 memory, subsequent attacks have also been demonstrated on DDR4 and, more recently, DDR5. Attacks have also been demonstrated on mobile Arm processors and AMD x86 desktop processors. Furthermore, instead of native code, attacks from sandboxed JavaScript or even remote attacks via network have been demonstrated as well. Furthermore, we will discuss how the Rowhammer effect can be used to leak memory directly, as well as related effects such as Rowpress. We will discuss these research results and show how they are connected. We will then talk about the lessons learned and derive areas around the Rowhammer effect that have not received sufficient attention yet. We will outline what the future of DRAM disturbance effects may look like, covering more recent effects and trends in computer systems and DRAM technology. Finally, an important aspect of our talk is that we invite everyone to contribute to solving one of the biggest unanswered questions about Rowhammer: What is the real-world prevalence of the Rowhammer effect? How many systems, in their current configurations, are vulnerable to Rowhammer? As large-scale studies with hundreds to thousands of systems are not easy to perform, such a study has not yet been performed. Therefore, we developed a new framework to check if your system is vulnerable to Rowhammer, incorporating the state-of-the-art Rowhammer techniques and tools. Thus, we invite everyone to participate in this unique opportunity at 38C3 to join forces and close this research gap together. 
Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/ten-years-of-rowhammer-a-retrospect-and-path-to-the-future/