Chaos Computer Club - archive feed

14,494 episodes — Page 11 of 290

Dude, Where's My Crypto? - Real World Impact of Weak Cryptocurrency Keys (38c3)

We present Milksad, our research on a class of vulnerabilities that exposed over a billion dollars worth of cryptocurrency to anyone willing to 'crunch the numbers'. The fatal flaw? Not enough chaos. Learn how we found and disclosed issues in affected open source wallet software, brute-forced thousands of individual affected wallets on a budget, and traced over a billion US dollars worth of prior transactions through them. In July 2023, people in our circle of friends noticed a series of seemingly impossible cryptocurrency thefts, which added up to over one million US dollars. A common denominator was discovered across the set of victims we knew: the wallet software `libbitcoin-explorer`. Vulnerable versions used a weak pseudorandom number generator when creating cryptocurrency wallets. Within a short period of time, we disclosed the vulnerability, [CVE-2023-39910](https://milksad.info/disclosure.html). Using this weakness, attackers were able to compute private keys of victims, which is supposed to be impossible under normal circumstances. In this talk we

* 📜 - tell the story of uncovering a digital currency heist
* 🌐 - dive into similar vulnerabilities
* 🔍 - trace the movement of coins
* ⚖ - outline ethical challenges of cryptocurrency security research
* 🛡 - explore methods to defend and protect against this bug class

Our intention is to share the story of how little details can have big consequences and the importance of quality chaos. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/dude-where-s-my-crypto-real-world-impact-of-weak-cryptocurrency-keys/

Dec 30, 2024 · 39 min

Stadt.Land.Klima! - For Transparency in Municipal Climate Protection (38c3)

Municipal climate protection is often opaque, complex and bureaucratic, and we want to change that! As a joint, cross-movement project, "Stadt.Land.Klima!" makes (missing) municipal climate protection visible, measurable and understandable! With a uniform catalogue of measures, anyone interested in the climate can assess the progress of their city or municipality and make it visible in our ranking: https://www.stadt-land-klima.de/municipalities Beyond that, we want to bring together the many different local actors of the climate justice movement in the individual municipalities, foster cooperation and share individual groups' success stories across Germany! Municipal climate protection is often opaque, complex and bureaucratic, and we want to change that! Stadt.Land.Klima! is a joint, cross-movement portal for municipal climate protection that aims to make municipalities' progress on climate protection visible and measurable. At its heart is a clear ranking that shows how many climate protection measures a place has already implemented. Instead of complicated CO₂ balances, the catalogue of measures counts concrete steps towards climate neutrality, and at the same time serves as a roadmap for the municipality on its way to climate neutrality. The assessments come directly from climate activists on the ground, e.g. from ForFuture local groups, LocalZero local teams or local climate initiatives. But the plan goes beyond the ranking: we want to bring together the many initiatives, offerings and projects of the climate movement on the ground, foster cooperation between organizations and share individual groups' climate success stories across Germany! Stadt.Land.Klima! is run entirely by volunteers: the local teams, our social media team, our designers and developers, and a wide range of subject-matter experts. 
The application is open source and always welcomes contributions: https://github.com/StrategieLukas/stadt-land-klima Together, municipal climate protection becomes visible and effective. Join in and rate YOUR municipality! Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/stadt-land-klima-fr-transparenz-im-kommunalen-klimaschutz/

Dec 30, 2024 · 47 min

From Simulation to Tenant Takeover (38c3)

All I wanted was for Microsoft to deliver my phishing simulation. This journey took me from discovering trivial vulnerabilities in Microsoft's Attack Simulation platform, to a Chinese company to which Microsoft outsourced its support department that wanted all my access tokens. I finally ended up hijacking remote PowerShell sessions and obtaining all data from random Microsoft 365 tenants, all the while reeling in bug bounties along the way. This talk is the result of what happens when you ask a hacker to simply automate sending out a phishing simulation. My first attempt with Microsoft's new Attack Simulation platform resulted in three bug bounties for the most trivial vulnerabilities and no more faith in the product. Then I tried building a phishing simulation program myself and the last thing I needed was to allowlist my IP address in Exchange Online. I ended up in a rabbit hole where I discovered that Microsoft outsourced their support department to a Chinese company that wanted all my access tokens. I then tried intercepting client-side requests made by the Security & Compliance center with the goal of replaying these to a backend API, only to discover that by fiddling with some parameters I could now hijack remote PowerShell sessions and access Microsoft 365 tenants that were not mine. Tenants where I could now export everything, e-mail, files, etc. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/from-simulation-to-tenant-takeover/

Dec 30, 2024 · 29 min

Longtermism – the "Spirit" of Digital Capitalism (38c3)

The talk takes a social-science look at the ideology of longtermism. Its function in digital capitalism is analysed. With the help of classics of sociology, it shows why this ideology is developing in a fascist direction. Longtermism is the new hype ideology of Silicon Valley. Elon Musk and Sam Altman have outed themselves as adherents, and it is the official company policy of OpenAI. Longtermism postulates that we should not concern ourselves with the present or the near future, but should instead focus our main political attention on the development of a computer heaven in the distant future. Central to this are assumptions about the development potential of artificial intelligence that bear distinctly religious traits. The talk presents the results of sociological research on this new ideology. Because the whole thing is not so new after all. The "morality" of longtermism fits astonishingly well with the business goals of the digital corporations and turns them into a metaphysics. The social function of longtermism thus resembles the function that Max Weber identified for Protestantism as the "spirit" of capitalism in early capitalism. Like Protestantism before it, longtermism today serves on the one hand as a metaphysical justification of companies' business models and on the other as an individual morality intended to spur its adherents to greater performance. We are currently witnessing a shift to the right in longtermism, whose prominent representatives such as Elon Musk or Peter Thiel openly take a stand for Donald Trump. Here, too, the development of longtermism resembles that of comparable earlier ideologies. Classic analyses show why individualistic ideologies of achievement have the potential to tip in a fascist direction. The rightward shift of the Silicon Valley elites thus becomes understandable. 
Finally, the talk addresses the influence of Musk and Thiel on the US elections and attempts to assess how things will develop further. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/longtermismus-der-geist-des-digitalen-kapitalismus/

Dec 30, 2024 · 43 min

PC Abbreviations: A Reading (38c3)

I read aloud from an ancient work on computer abbreviations. Abbreviations can confuse anyone who has not been dealing with computers for long. But even veterans do not know every abbreviation, or did you know that IFE stands for intelligent front end, CAFS for Content Addressable File System, or that RUN is the command for executing programs in BASIC? This deplorable state of affairs must be remedied, and it will be, through a reading from a compendium of common PC abbreviations. So that there is something in it for connoisseurs too, the compendium dates from 1994. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/pc-abkrzungen-eine-lesung/

Dec 29, 2024 · 21 min

OMG WTF SSO - A beginner's guide to SSO (mis)configuration (38c3)

A couple years ago I knew basically nothing about Single Sign-On but now I'm talking at 38c3 about it! Come find out how you too can go from beginner to the question-asker who protects your hackerspace/company/etc. from bad SSO implementations. Single Sign-On (SSO) is sold as a way to

* centralize managing your organization’s users,
* make life easier for your colleagues, and
* enforce consistent security standards.

But SSO protocols are just ways for an identity provider to share information about an authenticated identity with another service. Me having a way to tell my vendor “yeah, that’s Bob” doesn’t tell me what the vendor does with this information, or if the vendor always asks me who’s coming in the door. A bad SSO implementation can make you think you’re safer, while hiding all the new and fun things that have gone wrong. To get the most out of implementing SSO, I need to know what I’m trying to accomplish and what steps I need to follow to get there. To illustrate why SSO needs to be set up carefully, for each of the things you need to do right, I’ll give you some fun examples of creative ways you and your vendor can do this wrong. We all learn from failure, right??? I’m sharing this info because this year I got deeply involved in the SSO setup for several vendors at work. It turns out that I’m good at asking weird questions, and it’s an extremely valuable thing to do. If you know how things should be, then you know where they could be broken, and you can ask your vendors (and your colleagues!) “weird questions” before an adversary does. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/omg-wtf-sso-a-beginner-s-guide-to-sso-mis-configuration/

Dec 29, 2024 · 42 min

Self-Defense Course: Meme Warfare (38c3)

You are not immune to propaganda and the only winning move is to first recognize you are forced to play The Game. Meme warfare means fast-moving, easily consumable propaganda on social media. Every day we are the target of deliberate manipulation of opinion, even more so when an election is coming up again. One of the most important aspects of media literacy is recognizing propaganda and so-called "fake news", dealing with it in an informed way and protecting yourself from being influenced. But how? Few things confront us more often in everyday life today than advertising, propaganda and disinformation. As a society, we no longer even realise that these things have measurable effects on the psyche and can only be so omnipresent for that reason. But again and again, in the election results and political scandals of the last 10 years, we see how public opinion is deliberately influenced, and we sense that something is tipping in our democracy. The talk is a short introduction to the topic and comprises three short and snappy blocks: What is propaganda in the first place, and why should I care? What does propaganda look like in the age of the internet and social media? And how can I protect myself and those closest to me from being influenced? Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/selbstverteidigungskurs-meme-warfare/

Dec 29, 2024 · 20 min

Hacking Victorian Bodies: From Grid to Vector Space (38c3)

This performative lecture by SOLID FLESH Collective explores how generative AI can reshape historical body representations into tools for imagining new bodily futures. Drawing from Muybridge’s chronophotography, which fixed bodies into a rigid scientific grid, we investigate AI’s capacity for fluid, multidimensional embodiment. Using open-source AI models to ‘resurrect’ Muybridge’s subjects and defy commercial censorship, we reveal speculative possibilities for bodily motion and identity. Our work positions the ‘vector body’—a digitally-mediated form of self-imagination—within a broader conversation on identity fluidity, algorithmic embodiment, and liberating futures beyond conventional body ideals. In this performative lecture, the SOLID FLESH Collective reimagines how artistic practice can transform historical methods of body representation into tools for imagining radical new forms of embodiment. SOLID FLESH Collective, a hybrid space bridging the realms of gym, gallery, and think tank, examines how Muybridge’s chronophotography once ‘solidified’ bodies within a rigid grid, contrasting it with generative AI’s potential for unprecedented fluidity in self-reimagining. We present a series of experiments in ‘resurrecting’ Muybridge’s subjects, using open-source AI tools to transform scientific documentation into speculative fictions. When commercial AI flagged these Victorian images as ‘pornographic,’ this rejection spurred us to explore alternate approaches, resulting in the creation of wonderfully surreal, inhuman movements with animDiff—as if the AI, uninformed by human motion, were an animator imagining it for the first time. The lecture positions the AI-mediated body within a multidimensional vector space of possibilities, spanning dimensions of gender, age, class, and experience. 
Through our custom ComfyUI workflow and selected clips from our ongoing film project (solidflesh.com), we show how this ‘vector body’ allows for forms of self-imagination that break free from the solidifying gaze of the camera. Our technical explorations engage larger questions around identity fluidity, algorithmic embodiment, and the possibility of a new, digitally mediated somatic imagination. As mainstream AI development often reinforces conventional body ideals, we speculate on alternative futures, asking how these technologies might instead enable liberating bodily self-conceptions. Moving beyond Muybridge’s grid and current AI’s polished limitations, we explore what approaches to algorithmic embodiment might emerge when we embrace the glitches and ‘failures’ of these systems. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/hacking-victorian-bodies-from-grid-to-vector-space/

Dec 29, 2024 · 36 min

Something with Wood for a Change (38c3)

Slide talk on "sustainable interior furnishing" with items brought along to touch, plus tips and tricks on construction, design and execution. As a renewable raw material, wood is an environmentally friendly building material, but as a natural product it has its peculiarities. The talk covers the basics of woodworking, what to watch out for, and how stable joints can often be made entirely without glue or screws. The accompanying pictures follow two projects from the construction drawing through the raw planks to the finished product and give insights into a craft that can often manage without machines. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/mal-was-mit-holz/

Dec 29, 2024 · 43 min

Hacker Jeopardy (38c3)

The Hacker Jeopardy is a quiz show. The well known reversed quiz format, but of course hacker style. It once was entitled „number guessing for geeks“ by a German publisher, which of course is an unfair simplification. It’s also guessing of letters and special characters. ;) Three initial rounds will be played, the winners will compete with each other in the final. The event will be in German, we hope to have live translation again. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/hacker-jeopardy/

Dec 29, 2024 · 1h 45m

Release Keynote: ChaosGPT and the Large Congress Model (38c3)

ChaosGPT has revolutionised the way we think! The congress-proven technology is finally going _open source_; in this keynote, CEO Gitte Schmitz and CRO Deliria Tremenz celebrate the release of the Large Congress Model and explain what is really inside AI. At this year's congress, ChaosGPT successfully processed hundreds of requests and produced astonishingly accurate answers to every conceivable user query: and all of it analogue! As a _community-sourced_ generative knowledge model, these sensational successes were achieved with an outstanding energy consumption of 0 kWh (in other words: extremely climate-neutral!). Has it been a black box so far? Yes! Will it become open source? Absolutely!* The management team is proud to finally be able to lift the veil on the entire code behind ChaosGPT and the Large Congress Model (L38C3M). After months of development, it is time to give the full potential of Analogue Intelligence back to the community.** Exclusively, CEO Gitte Schmitz and CRO Deliria Tremenz give a look behind the scenes of the flourishing new-new-tech startup. With playful ease they connect the track **Queerness** with **Digitalzwang**, and with their answers generate considerable added value for potential angel investors (and those who want to become one). Let us unveil the unrecognised potential of AI! *The open source definition used by Studio Gitte Schmitz also covers the _business models_ "Open Window" and "Freemium". ** Any usage fees will continue to be charged in accordance with the terms of use (NuOrG §283 Abs.15f). Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/release-keynote-chaosgpt-und-das-large-congress-model/

Dec 29, 2024 · 27 min

Attack Mining: How to use distributed sensors to identify and take down adversaries (38c3)

Ever wondered why your web server seems to be under constant attack from what feels like everyone on the internet? Me too! Join me in this session where we'll explore the data of millions of attacks from hundreds of sensors around the world, to identify who is attacking us from where and why. Additionally, we will have a look into how we can use that data to get abusive systems taken down, and how successful this approach actually is. Buckle up for a deep dive into the constant battle to protect systems on the internet against adversaries gaining access, and how you can help make the internet a safer place! Looking at the 2024 M-Trends report, brute force is still one of the main reasons for adversaries to gain access and compromise companies. In fact, 6% of all initial access is done via brute force. Knowing this, as well as that attackers are constantly trying all sorts of attacks against any internet-connected device, there seems to be a gap between what is currently mostly done (block the attack) versus what should be done (report and take down the attacker)! This talk will start with a short introduction on how to set up a system that is able to collect attacks from distributed sensors, enrich them at a central location, as well as use the data to reach out to ISPs and other governing bodies to report the abuse. The sensors are Docker containers with modified OpenSSH servers that will block any login attempt, no matter which username and password combination is used, as well as log the timestamp, source IP, username, and password to a central location. Using this, the so-called "attack pot" is indistinguishable from other Linux systems, ensuring that no suspicion on the attacker's side is raised. For the enrichment part, the ISP's contact data is identified, and abuse notifications are sent via multiple channels to initiate a take down. 
Furthermore, automated bots monitor if the take down was successful and how long it took, allowing us to share some information on how successful this approach is, which ISPs are more cooperative, and where it is nearly impossible to get any system taken down. Generally, lessons learned with what could be potentially done better will be discussed! The second part of the talk will focus on the analysis of the collected attacks. Across all of the attacks, multiple clusters, which likely are adversarial groups moving from one target to another, could be identified. Furthermore, by analyzing the used credentials, there seems to be some correlation between internet-identifiable information like DNS, region, or OS and the credentials used in an attack. This will allow defenders to get a better understanding of how to defend and even put out decoy information to quickly identify attacks. The closure of the presentation will be an outlook on what could be done better from an ISP or governing body side to speed up take downs of adversarial infrastructure, as well as what everyone can do to make the internet a safer place! Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/attack-mining-how-to-use-distributed-sensors-to-identify-and-take-down-adversaries/

Dec 29, 2024 · 1h 1m

How election software can fail (38c3)

Experiences from a hacker working at the Election Council of The Netherlands. After critically following the elections for 8 years from the outside, a hacker was employed as one of the functional administrators of the software supporting the elections. Sharing experiences of the use of election software during 7 elections (2020-2023), from local, national to European in The Netherlands. A governmental software project with strict deadlines, and high security expectations. The software project for elections in The Netherlands is built by an IT organization [owned by German local governments](https://www.regioit.de/unternehmen/zahlen-daten-fakten). More than 10.000 Java files, what can possibly go wrong? During this time multiple emergency patches were needed and incidents occurred. Although at first explicitly *not* hired as a coder, within 3 months a Java code contribution was made that was unexpectedly more crucial than anticipated. This talk will show some incidents with the election software in The Netherlands: how the software failed, and when/how it was discovered. It will also go over seeing the elections from the outside and give some history of voting computers and software, ending with some reflections on the future. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/how-election-software-can-fail/

Dec 29, 2024 · 57 min

Hacker's Guide to Meshtastic: Off-Grid, Encrypted LoRa Meshnets for Cheap! (38c3)

Beginners can now create off-grid, encrypted mesh networks for cheap, with applications in emergency communication, sensor monitoring, and more! These mesh networks have been popping up in cities all over the world, and this talk will go over everything a beginner needs to run or build their own nodes. If you've ever wanted to legally create off-grid, encrypted mesh networks that can span over a hundred miles, you can get started with Meshtastic for around $10. This talk will serve as a beginner user's guide to Meshtastic, covering everything from hardware basics to advanced software configuration. We will explore making custom Meshtastic hardware, real-world results from deploying Meshtastic in Los Angeles, and attacks against mesh networks. Attendees will learn about LoRa, Meshtastic node and antenna options, software setup and configuration to extend its functionality, and real-world deployments of remote nodes. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/hacker-s-guide-to-meshtastic-off-grid-encrypted-lora-meshnets-for-cheap/

Dec 29, 2024 · 42 min

5 Years After Ibiza (38c3)

How right-wing populists in Austria returned to their former strength within 5 years and even won the election. The Ibiza affair is considered one of the biggest political scandals in the history of Austria's Second Republic. The secretly recorded Ibiza video shows then FPÖ leader Heinz-Christian Strache and FPÖ politician Johann Gudenus in a villa with a supposed niece of a Russian oligarch. A lot has happened since then. Too little has changed for the better, but at least it has by now become clearer, at least superficially, how closely the individual scandals that have shaken the Alpine republic since then are interwoven. The upheavals of recent years, not only in Austria, make it possible to draw parallels across national borders as well. The affairs surrounding former Wirecard board member Jan Marsalek, who happens to be Austrian too, can be conclusively linked with the overall picture of Ibiza. The geopolitical upheavals, as well as the political challenges they bring for Europe, should serve as more than just amusement when seen through the example of the Alpine republic. How quickly and how far one of the EU's model countries can turn into a pariah under the right circumstances and influences should be taken as a serious warning in Germany as well. When the pillars of democracy begin to shake, the emergency often arrives much faster than most people want to admit to themselves. Austria may be small, and sometimes peculiar, but the factors that turned a model pupil into a problem child within a very short time should not be played down. Five years later, in September 2024, the FPÖ won a parliamentary election for the first time, with 29.2 percent. It now stands at over 35% in forecasts, and the general political discourse has shifted by miles. Caution is called for. 
Not only in Austria. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/5-jahre-nach-ibiza/

Dec 29, 2024 · 40 min

Mushroom-DJs, Strong AI & Climate Change: Connecting the Dots with Artistic Research (38c3)

The exploratory nature of artistic research can aid in the production of knowledge. Sometimes, this takes a detour through music-making mushrooms and making moonshine, sometimes it deals with societal reverberations of AI usage or how lithium extraction affects the planet. This talk gives an insight on how we do technology-assisted artistic research at ZKM | Hertzlab, the artistic research & development department of the Center for Art and Media, Karlsruhe. Artistic research takes the exploratory impulse of art and combines it with the wish for knowing the world that characterizes scientific research. It is neither science communication, nor purely artistic practice - it is located somewhere in between. As a field of its own, artistic research is still relatively young; at ZKM | Center for Art and Media, Karlsruhe, we explore what this means in the context of one of Europe's oldest media art institutions. Our six themes - lifecycles, connect, a common(s) world, ai-lab, post-human world, fellow futures - guide us in what we hope is a contribution to larger discourses from the point of view of art. With examples and projects, this talk will illuminate artistic research practices, its benefits and challenges and how having a hacker mindset is the first step into becoming an artistic researcher. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/mushroom-djs-strong-ai-climate-change-connecting-the-dots-with-artistic-research/

Dec 29, 2024 · 37 min

(Not) a Broken Leg - Data Processing at the CERT (38c3)

The CERT, the congress's well-known medical and fire protection service, has grown like everything else. Part of that is that managing patients and operations on sticky notes is slowly but surely no longer scaling. Anyone at the congress may need help from the CERT at some point. To manage, log and coordinate operations, the medical and fire protection service of CCC Veranstaltung GmbH has in the past relied mainly on whiteboards and paper. Due to the growth of recent years, however, that no longer scales, and a clear piece of software tailored to the special requirements had to be developed. Enter: THOT - Trouble Handling Operations Terminal, the CERT's new operations control and patient management software, which is finally being released to the community as an open source project during the congress. In this talk we want to make transparent which data is collected and how it is processed when there is a fire, you get injured or something worse happens, answer questions, and give you the opportunity to examine the system yourselves afterwards. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/k-ein-beinbruch-datenverarbeitung-im-cert/

Dec 29, 2024 · 54 min

Postpartum Punk: make space for unfiltered creativity (38c3)

After years as a journalist and filmmaker covering topics like crypto, Holocaust and showbiz, everything changed for me 3 years ago after the birth of my daughter. While I hadn't planned to be a mother, I decided to keep this pregnancy at 41, however this grass turned out to be too high for the lawn mower – I was ready to go for a rave, not to be locked in a baby dark room for 3 years. I felt like my brain had been reprogrammed overnight. The analytical mindset I once relied on—quick to analyse, explore, and understand complex topics—seemed to vanish, replaced by a simpler, instinct-driven state that prioritized pure survival and nurturing yet mixed with unhinged chaos, au naturel psychedelic downloads plus no sense of inhibition or fear of being seen. Handcuffed to a rainbow I was gazing at the black clouds. Despite the shock at this involuntary IQ transplant, I quickly realised this new mind-tool-set was all in all fulfilling and liberating. I became my own fire brigade with an alternative emergency strap-on. Without the pressure to think analytically, I began channelling this raw energy into my joke band PUShY PUShY PUShY, creating what I now call postpartum punk movement. The idea caught on – this summer we have been featured in the Guardian and The New Yorker. This fuels my missionarism towards another level: how can we embrace this wild, intuitive mindset, not only as parents but as people? And could new technologies help us experience or even learn from this state? 
In this talk, I’ll share my story and propose some solutions to help people connect with and utilise this raw, abstract, flippant side of the mind, whether or not they’ve experienced parenthood: haptic births, transcranial nursering, chaos VR sessions, neurofeedback baths, quantum aerobics, algorithm jams, and 'Near-Birth-Experiences'. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/postpartum-punk-make-space-for-unfiltered-creativity/

Dec 29, 2024 · 37 min

Klimaschädlich by Design – die ökologischen Kosten des KI-Hypes (38c3)

Sogenannte Generative KI hat einen hohen Rechenbedarf und braucht damit automatisch viel Energie. Wir wollen zeigen, was die AI-Bubble uns alle bisher an Ressourcen gekostet hat. Wer verdient sich daran dumm und dusslig? Und wer trägt die ökologischen und sozialen Kosten? Sogenannte „Generative KI“ ist nicht nur ein Hype-Thema in Politik und Gesellschaft, mit ihr schießen auch die benötigten Rechenkapazitäten in die Höhe. Der Energiebedarf ist so hoch, dass Google, Microsoft und Meta 2024 nacheinander ihre Klima-Ziele zurücknahmen und nun auf dubiose Kernkraft-Lösungen umsteigen wollen. Das hat System, denn Big Tech entwickelt und finanziert nicht nur die gehypten KI-Anwendungen, die gleichen Konzerne bieten auch die benötigten Cloud-Kapazitäten an. Von Chile, Spanien bis nach Taiwan – weltweit regen sich Proteste gegen die Infrastruktur hinter dem KI-Boom, von neuen Bergbauprojekten, Chipfabriken bis zu Hyperscale-Rechenzentren. Der steigende Energie-, Wasser- und Ressourcenverbrauch feuert die Klimakrise an, bedroht Ökosysteme und verletzt indigene Landrechte – für erhoffte Milliardengewinne auf der Seite von Big Tech. In diesem Vortrag schauen wir auf die ökologischen und menschenrechtlichen Kosten des KI-Booms. Wir tragen die Fakten zusammen und liefern kritische Analysen und Argumentationshilfen zum KI-Hype. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/klimaschdlich-by-design-die-kologischen-kosten-des-ki-hypes/

Dec 29, 2024 · 38 min

Gala Be Need Inn - 38c3 edition (38c3)

No Congress without "Gala Be Need Inn", the German-language quiz podcast whose name is an anagram of the original. We settle the truly important questions of life: What is an alarm chair, what is the puke curve, and why do train conductors in France carry bang snaps? Join us, on stage or in the audience! Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/gala-be-need-inn-38c3-ausgabe/

Dec 29, 2024 · 1h 31m

Woman in the Middle (38c3)

Is cybercrime the more attractive “workplace” for people who fall outside the stereotypical image of an IT person - in contrast to cybersecurity? We uncover it! "But we have long been living in an equal world!", some say. But honestly, which of you thinks of a female hacker when hearing about a man-in-the-middle attack? We talk about the hurdles and challenges that people who do not match the stereotypical image of an IT person still face today. From absurdly high barriers to entry, to having their competence denied, to entirely different standards for demeanor and appearance - we uncover mechanisms of disadvantage and discrimination. With vivid stories that we ourselves have experienced as women in cybersecurity, many interviews with FINTAs, and current trend figures, we paint a clear picture of this reality. We also tell corresponding stories from other professional fields. But the picture has two sides: the underestimation of competence can be an unexpected advantage, especially in the world of cybercrime. When non-stereotypical hackers operate in the digital underground, new and surprising perspectives emerge. We shed light on equality in cybercrime and ask ourselves: what can we learn from this and adopt for better working conditions in legal lines of work? To that end we have a hack that we would like to propose and that, from our perspective, would help ensure that all people are actually granted their right to free choice of profession, free development and other human rights - so that all beings of this universe can enjoy a life in peace and freedom. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/woman-in-the-middle/

Dec 29, 2024 · 59 min

Ultrawide archaeology on Android native libraries (38c3)

A bug in a scraper script led to us downloading every single native library in every single Android app ever published in any market (~8 million apps). Instead of deleting this massive dataset and starting again, we foolishly decided to run some binary similarity algos to check if libraries are outdated and still vulnerable to old CVEs. No one told us we were opening Pandora's box. A tragic story of scraping, IP-banning circumvention, love/hate relationships with machine learning, binary similarity party tricks, and an infinite sea of vulnerabilities. A rumor has been going around: Android developers are slow to update native dependencies, leaving vulnerabilities unpatched. In this talk we will show how *wrong* this rumor is: Android developers are not slow to patch - they never heard of the word patching. We conduct a massive study over every single app ever published on Android (more than 8 million!). We explore trendy topics like Play Store scraping, Androzoo scraping, Maven repository scraping, the state of the Android ecosystem, binary similarity state-of-the-art methods vs binary similarity pre-historic methods, and the consequences of thinking you know how databases work when you actually don't. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/ultrawide-archaeology-on-android-native-libraries/

Dec 29, 2024 · 39 min

The IFG is dead – Best of freedom of information, prisoner liberation & takeovers of power (38c3)

The promises were big: blossoming landscapes of transparency, participation, corruption prevention, de-mo-cra-cy! The Freedom of Information Act (Informationsfreiheitsgesetz, IFG) was supposed to make the German state better. After years of bad administrative practice, bad court rulings and bad politics, however, it has become useless in important parts. This shows above all when one imagines scenarios of an anti-democratic takeover of government - transparency would be the first thing to go, and the ground for that has already been prepared. What to do? If the IFG is dead, we should fight to revive it – perhaps as an undead? Numerous scandals that FragDenStaat uncovered this year show where the path should lead:
- We need more leaks & illegal instructions for civil servants
- It is time to infiltrate administrations
With the best of freedom of information, FragDenStaat, prisoner liberation and takeovers of power. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/das-ifg-ist-tot-best-of-informationsfreiheit-gefangenenbefreiung-machtbernahmen/

Dec 29, 2024 · 41 min

Hacking Life: How to decode and manipulate biological cells with AI (38c3)

AI methods are advancing biological research in diverse directions. In this talk, you will learn how we decode the fundamental building blocks of life with AI, and how it will help us to hack cells to cure diseases and beyond. The cell is the fundamental building block of biological organisms, such as us humans. As such, technologies to understand and hack cells enable the cure of diseases and potentially even to expand our life span. In my talk, I provide an overview of how biologists and bioinformaticians use AI to understand and hack cells. Understanding the role of individual cells is a core aspect of biological research, given the extreme diversity of cellular states and functions. A common measurement method to characterize a given cell quantifies which of its genes are activated and how strongly. While this provides a rich high-dimensional readout, it is complex to interpret, given the challenge of deriving an intuition about the meaning of all the individual gene activation levels, as well as their combinatorial effects. In my research, I combine recent AI methods, most prominently multimodal large language models, to enable the analysis and interpretation of these measurements with the English language. I will present this work alongside a more general overview of the research landscape of “AI cell models”. Furthermore, I will provide preliminary insights into how these interpretations form the basis to “hack” cells, which is accomplished through the introduction of complex “illegal instructions” in the form of molecular agents, which alter the behavior of the cell's internal programs. With this talk, I aim to provide the Chaos community with a focused insight into the biological cell and the ways in which recent developments in AI help us understand and manipulate them. 
Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/hacking-life-how-to-decode-and-manipulate-biological-cells-with-ai/

Dec 29, 2024 · 41 min

Howto digital education policy (38c3)

How does digital education policy work? What is happening at the state, federal or municipal level, and how can you get involved meaningfully so that schools become properly digital? cyber4EDU discusses this in this episode of the Digital Education Cyber Talks podcast with two experts from the education system. https://dect42.de/ https://cyber4edu.org/ The digitalization of schools consists of a mosaic of requirements, and understanding how they actually relate to each other and who is responsible for what is anything but easy: infrastructure, device provisioning, digital administration, education apps, data protection, open educational resources (OER), digital skills, media education and now AI as well. Getting involved in the context of digital education can be quite opaque and challenging. To better understand how it all fits together, we want to discuss in this podcast how digital education policy works, how federalism, the BMBF, the Kultusministerkonferenz and the Digitalpakt Schule are connected, and how you can get involved meaningfully as an activist or association. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/howto-digitale-bildungspolitik/

Dec 29, 2024 · 46 min

Drawing with circuits – creating functional and artistic PCBs together (38c3)

We are a professional electronics designer and a professional artist. We'd like to share our experience of integrating an artist into the design workflow for EMF's 2022 and 2024 event badges, how we ensured that form and function grew together, and how you might make a board so fancy it crashes your PCB vendor’s CAM software. Circuit boards are increasingly being made to be seen. Whether they're personal or commercial, many projects show off their PCBs in an array of shapes, colours and sizes instead of hiding them in enclosures. While making an electronic design work correctly and making it look amazing are not conflicting goals, they do require very different skillsets. If you are not one of the rare people whose expertise spans both graphic and electronic design, it may feel very daunting to collaborate with someone who has a very different skillset. You must figure out what you don't know about each other's fields, what the other needs to know, and find the right language to bridge that divide. We will share our experience of working together as circuit designer and artist, and will talk about:
- the possibilities and constraints of modern PCB technology as a medium for visual art
- turning a functional electronic design into an artistic playground
- our experience of communicating across fields of expertise, developing a common language and conveying essential ideas without getting in each other's way
- some fantastic free software for art and electronic design
- sample workflows for embellishing circuits
- what PCB design software and manufacturers expect and how to get away with doing "weird" things
- many examples of beautiful things we and others have made
We hope this will inspire and encourage you to make your own beautiful collaborative designs a reality. 
Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/drawing-with-circuits-creating-functional-and-artistic-pcbs-together/

Dec 29, 2024 · 38 min

Hacking prisons (38c3)

In Germany, more than 40,000 people are in prison. Largely without access to digital infrastructure - apart from a telephone. We look at the systems they are allowed to use and in which they are administered. Most people have never heard of HamSy or SoPart. Unless they have already had contact with German prisons. As a result, there is hardly any documentation of how digitalization works for people there and what consequences it may have in the future. Over the past year I have dealt with various systems in German prisons, and I would like to talk about data leaks and structural problems that prevent us from granting people there access to digital participation. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/knste-hacken/

Dec 29, 2024 · 39 min

May the forest be with you – Planting trees against the climate crisis? (38c3)

The Harz has been eaten by bark beetles, only one in four trees in Germany is considered healthy, and in Russia and North America forests are burning on an enormous scale. At the same time, forests are regarded as one of the solutions to the climate crisis, as a CO2 store and a producer of sustainable, renewable raw materials. Are forests in danger because of drought, bark beetles and fire? And can we counter the climate crisis with reforestation? Kirsten Krüger researches disturbance dynamics in forests at the Technical University of Munich and explains in her talk what forests actually do for us, why disturbances are a natural part of forests, and why planting trees alone is not an adequate answer to the climate crisis. Disturbances in forests caused by drought, bark beetles and fire increasingly shape the landscape and are receiving more attention from media and politics. The concerns range from the scenario that we will lose all forests to the loss of a valuable CO2 store and producer of wood. Planting new trees globally seems an intuitive answer to this, but it does not solve the challenge of the climate crisis we are currently facing. In my talk I want to explain why disturbances in forests are not a problem per se but a part of forest development, and how they affect the CO2 storage capacity and other capabilities of forests. Forests are not static constructs in the landscape but a dynamic system that provides us with many services. There are plenty of reasons to plant trees, but why, where and how are decisive questions that I want to shed light on. I will also report from current research on the state of forests, on how we humans above all influence the forest, and on possible approaches to making forests more resilient. 
Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/may-the-forest-be-with-you-bume-pflanzen-gegen-die-klimakrise/

Dec 29, 2024 · 40 min

Liebe Werte Stiften Alles (38c3)

The podcast foundation adventure begins & you can be there live at its birth at #38c3. Yes, the title 'Liebe Werte Stiften Alles' at first sounds like a crazy crossword puzzle, but we promise that in the end it will all make sense ;-) 🎭 Warning: This podcast may have serious side effects, such as:
- Sudden fits of generosity
- Uncontrollable outbursts of meaningful action
- Chronic world-improver syndrome
- Acute philanthropy euphoria
It is the coincidences that give our chaos its magic & it was just such a *zenga*magic*coincidence that once again brought Maria Reimer and derPUPE together for a new adventure. For since his 50th birthday, derPUPE has been musing a lot about values and the meaning of life. Specifically, he is toying with the idea of setting up a foundation. To that end he is in exchange with people, in order to nerd his way into the topic and at the same time talk to chaos beings who have wave-compatible values and also live by them. Suddenly Maria posts something on exactly this topic on LinkedIn - wow, once again the dear fate-luck-dragon fairy fit perfectly, and without further ado he simply pinged her by phone, and together they briefly dumped and mirrored their thoughts. This joint conversation proved the wave compatibility between the two, and Maria's profession also fits this possible mission perfectly. Because the flow between them was simply harmonious and fruitful from the very first conversation, the obvious thing to do was to accompany the adventure of founding a foundation with a podcast. In this initial birth episode they bring, among other things, answers to the following questions: What does one want to leave behind in a life that is probably more than half over? Can a foundation be a stylistic device in a world that needs better patching? And what does a cinema full of children have to do with derPUPE's plan? P.S.: The title is of course modeled on the great Liebe.Freiheit.Alles stickers. 
Who doesn't know and feel it? ;) Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/liebe-werte-stiften-alles/

Dec 29, 2024 · 40 min

Och Menno: Physics says NO - Of Kickstarters and sci-fi weapons (38c3)

What do Triton, Fontus and railguns have in common? Cool sales slides but possibly little grasp of physics. A small live podcast about projects where a grounding in physics would have prevented a waste of money. The fail podcast live on stage: There are many projects that look beautifully shiny. And the CEO even studied industrial design. And the slides are great. And there is a great 3D video. What could possibly go wrong? Why can't you breathe underwater with the Triton, or drink from the Fontus in the desert? I will take you on a small journey through Kickstarter fails / scams all the way to military projects that looked good on paper but in the end blew through a whole lot of money. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/och-menno-physik-sagt-nein-von-kickstartern-und-scifi-waffen/

Dec 29, 2024 · 44 min

AI after capitalism: Does ChatGPT have a place in the better new world? (38c3)

Our world only works if new areas keep being found in which profits can be captured. After blockchain, the metaverse and Web3, "artificial intelligence" is the tech investors' latest bet on hefty profits. Whether "AI" actually has any societal value is entirely beside the point. So what do we do with "AI" after capitalism? Do we need large language models at all in a world that is radically based on cooperation instead of competition, on fulfilling needs instead of profit, and on solidarity instead of private property? In this talk we discuss what present-day "AI" is, how economic power shows itself in "AI", and how "AI" fits into the broader debate on the critique of technology. We ask ourselves what one would even want to do with pattern recognition, deep learning and language models in the better world after the revolution, and whether a technology like "AI" can help us on the way there or rather hinders us. The talk is given in equal parts by Malte Engeler and Sandra Sieron. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/ki-nach-dem-kapitalismus-hat-chatgpt-in-der-besseren-neuen-welt-einen-platz/

Dec 29, 2024 · 32 min

High energy physics aside the Large Hadron Collider (38c3)

What are we, and where do we come from? - Searching for flavour in beauty Nowadays the Large Hadron Collider (LHC) at CERN is the best known high energy physics research facility. However, there are other facilities around the world performing cutting edge high energy physics research. Some of these are the so called flavour factories which have a long tradition in high energy physics. Two of these are currently in operation: BES III in China and Belle II in Japan. Collecting huge amounts of data, the goal of these experiments is to measure free parameters of the standard model of particle physics with very high precision to find deviations from predictions by theory. Such deviations can hint at new physics, and physicists are still searching for the reasons for our very existence, as to the best of our knowledge nothing but light should have remained after the big bang. But testing the standard model is challenging. Huge data sets on the order of terabytes need to be analysed, requiring advanced analysis software and techniques. By now these analyses usually employ machine learning and artificial intelligence of various kinds, while using custom hardware and software, and a world-spanning computing infrastructure. All of this is only possible with more than 1000 people working together in a collaboration. Part of the work in high energy physics nowadays would not be possible anymore without the groundbreaking research by this year's Nobel laureates for physics. In this talk I will present what flavour physics is, the reasons why flavour physics is interesting and why it matters, and which challenges we are facing, using the Belle II experiment as an example. Most of the challenges are not unique to Belle II but to high energy physics in general, so I will also set this into the bigger context and take a look at what is ahead of us in the field of high energy physics. Developed in the 1950s to 1960s, the standard model of particle physics has been a huge success. However, there are parts it cannot describe:
* During the big bang the same amount of matter and anti-matter should have been produced, and they should have annihilated only leaving light. But here we are, so there must have been some sort of imbalance or asymmetry. With our current understanding of particle physics and the big bang we cannot explain the amount of asymmetry necessary to explain our existence. So why are we here?
* We found that neutrinos do have mass, while the SM predicts them to be massless. So why do neutrinos have mass and where does it come from?
* The orbital velocities of stars in distant galaxies show deviations from expectations if only visible matter is taken into account. These deviations in the galaxy rotational curves hint at additional matter which nowadays we call "dark matter". But what is its origin?
* The universe seems to expand at an increasing rate, but what is the driver behind this rate? We now describe this as "dark energy" but do not really know what it is made of.
* ...
Cosmology, astrophysics, and high energy physics are working on solving these mysteries. While the first two require observations of space and simulations on earth, the last one can be fully conducted on earth. In high energy physics we currently are following two paths of finding physics beyond our current understanding called the "standard model" of particle physics: direct and indirect discoveries. This can be achieved by testing ever higher energies, or by probing known processes with improved precision. The discovery of the Higgs Boson in 2012 was of the first category, a direct discovery at high energies. Flavour factories work differently. They operate at much lower energies (about 1000 times lower than the Large Hadron collider), but are collecting huge amounts of data to precisely test the standard model to find hints for unknown physics effects. One of the current flavour physics experiments is Belle II in Japan. There physicists try to find hints explaining the asymmetry between matter and anti-matter seen at the big bang, and are searching for dark matter candidates, as well as other indications of deviations from the standard model. By precisely measuring the standard model processes it is possible to check for particles 10,000 times heavier than the energies used in Belle II, and 10 times heavier than what the LHC can achieve in direct searches. This talk focuses on the challenges that modern high energy physics experiments, as well as other experiments are facing, and how to tackle them, as well as the public relevance of the research fields. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/high-energy-physics-aside-the-large-hadron-collider/

Dec 29, 2024 · 40 min

Found a security vulnerability... now what? (38c3)

The CCC supports the reporting of security vulnerabilities following the responsible disclosure or coordinated vulnerability disclosure process. Using various vulnerabilities that we have reported in recent months as examples, we show how disclosures can unfold. No legal advice is given. In applied security research, the so-called hacker paragraphs still cause great uncertainty. People who report security vulnerabilities have to fear being reported to the police and sued. That is why the CCC supports the reporting of security vulnerabilities. How does such a disclosure process actually work? In this talk we give insights into the practice and explain, based on current examples from recent months, how we have reported security vulnerabilities. In doing so we highlight typical challenges and possible conflicts. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/sicherheitslcke-gefunden-und-nun/

Dec 29, 2024 · 49 min

TETRA Algorithm set B - Can glue mend the burst? (38c3)

In August 2023, we published the TETRA:BURST vulnerabilities - the result of the first public in-depth security analysis of TETRA (Terrestrial Trunked Radio): a European standard for trunked radio globally used by government agencies, police, military, and critical infrastructure. Authentication and encryption within TETRA were handled by proprietary cryptographic cipher-suites, which had remained secret for over two decades through restrictive NDAs until our reverse-engineering and publication. This talk is not TETRA:BURST, but dives into the latest TETRA revision introduced in 2022. Most notably, it contains a new suite of cryptographic ciphers. Of course the cipher available for critical infrastructure and civilian use (TEA7) is intentionally crippled, and of course these ciphers were to be kept secret, but this decision was overruled due to public backlash following our publication last year. In this talk we will present a practical attack on the TEA7 cipher, which while taking a 192-bit key, only offers 56 bits of security. Furthermore, we point out improvements and shortcomings of the new standard, and present an update on TEA3 cryptanalysis, where we previously found a suspicious feature, and draw a parallel with its successor TEA6. All in all, in this short and relatively crypto-forward talk, we assess with all-new material whether the new TETRA standard is fit for its intended purpose. This crucial technology seeks to once again take a very central role in our society for decades to come, and its cryptographic resilience is of fundamental importance - for emergency networks, but possibly even more for our critical infrastructure and associated processes. The new authentication suite (TAA2, as opposed to the old TAA1) features longer keys and completely new cryptographic primitives. The new Air Interface Encryption algorithms (TEA set B) consist of three new ciphers, for differing target audiences. 
TEA5 is intended for European emergency networks, and is the successor of TEA2. TEA6 is intended for friendly extra-European emergency and military networks, and replaces TEA3. Lastly, TEA7 is the only one available for use by critical infrastructure and other civil applications, and replaces TEA1. Initially, ETSI envisaged keeping the new algorithms secret again, once more eliminating the possibility of public scrutiny. However, following our publication, a promise was made to release the algorithms to the public for inspection. Additionally, a statement was made that TEA7 has a reduced effective strength of 56 bits. As mentioned, this algorithm is the successor to TEA1, which has an effective strength of only 32 bits, in a time where 40 bits was the maximum for freely exportable crypto. In TETRA:BURST, we presented several vulnerabilities found in the old standard. Obviously, the backdoored TEA1 algorithm is now replaced by a new cipher, and we will dive into how this works, how it can be attacked, and what the practical implications will be. Second, we previously presented a method of decrypting and injecting traffic on all network types, even those using the stronger TEA2 and TEA3 algorithms. This relies on the lack of cryptographic integrity guarantees on messages - something that is still unaddressed. We discuss how this leads to issues. Lastly, TETRA:BURST described a way of decrypting the pseudonymized identities of TETRA users (first demonstrated at the 37C3), allowing for a powerful intelligence capability. We will discuss how the new standard seeks to resolve this issue. Lastly, we previously recommended caution regarding TEA3, due to a suspicious feature in its design. While no full attack will be presented, progress in its cryptanalysis was made, which we will discuss during the talk. And, there is an interesting parallel to be drawn between the suspicious quirk in TEA3 and the design of its successor, TEA6. 
Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/tetra-algorithm-set-b-can-glue-mend-the-burst/

Dec 29, 2024 · 40 min

The ongoing (silent) storm in the medical devices industry and since when cybersecurity is a thing (38c3)

Medical technology is a heavily regulated industry and while there are very big name companies with deep pockets, small to medium manufacturers are struggling to keep up with the sheer amount of cybersecurity requirements. On top of all this, the requirements are many, qualified people are rare, and essential dependencies have shown not to be always stable.
- Intro and giving a tangible sense of how heavily regulated the medical device industry is
- Dates and ongoing movements in the industry (eStar evolution, regulatory bodies, manufacturers, notified bodies, security companies, pentest providers)
- How the new aspects are affecting new products and product updates: SBOM, threat modeling, security risk management
- The long list of challenges, pitfalls and other fun aspects: legacy, embedded, certifications, SBOMs, CPEs, NVD chaos, risk management, etc.
Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/the-ongoing-silent-storm-in-the-medical-devices-industry-and-since-when-cybersecurity-is-a-thing/

Dec 29, 2024 · 1h 0m

Biological evolution: writing, rewriting and breaking the program of life (38c3)

Biological evolution is a great inventor. Over 4 billion years, it has generated an astonishing diversity of lifeforms, from the tiniest bacteria to the tallest trees. Each new organism inherits a genetic program from its parents - a set of instructions to “build” the organism itself. Random mutations in this program can alter the organism’s traits, affecting its ability to survive in its environment. But how do these small changes combine over thousands of generations to yield the vast complexity we see in present-day lifeforms? In this talk, we discuss examples from our research, using computer simulations to model the early evolution of animals, from single-celled microbes to complex multicellular organisms. We show that evolution behaves a bit like a hacker, repurposing the programs it previously built in unexpected ways to create new functions and structures. Understanding how evolution continually innovates is one of biology’s grand challenges. We also hope that uncovering these processes in biological systems will provide new perspectives on current debates about the generative and creative capabilities of AI. The history of life abounds with examples of how biological evolution repurposes old tools for new functions. Feathers, indispensable for bird flight, first appeared in dinosaurs, where they served an entirely different purpose: to stay warm in the Jurassic winter. Analogously, the proteins that focus light in the lens of our eyes originally functioned as metabolic enzymes. One of evolution’s most transformative repurposing events is the emergence of multicellularity — a transition that laid the groundwork for complex life as we know it. Before multicellularity evolved, single cells lived autonomously, each with their own genetic program to find food and survive harsh environments. 
Evolution repurposed these cellular programs, to organise self-sufficient cells into cooperative multicellular groups, with surprising new capabilities and collective survival strategies. For example, cells in the group can divide tasks among each other and share resources, paving the way for the extreme specialisation we find in the organs of modern animals. Our computational models simulate this evolutionary transition to explore how the rewriting of cellular programs sets the stage for further biological innovations. One striking insight from our computational approach is that it requires little input data to generate novel solutions to evolutionary problems, revealing an inherent efficiency in biological systems that stands in contrast to modern generative AI. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/biological-evolution-writing-rewriting-and-breaking-the-program-of-life/

Dec 29, 2024 · 41 min

Vulnerability management with DefectDojo (38c3)

DefectDojo is an open source tool for vulnerability management. I will give an introduction to vulnerability management and show how it is implemented with DefectDojo. Vulnerability management is an attempt to integrate the finding, managing and mitigating of vulnerabilities in code into your workflow. It usually starts with some tools to find vulnerabilities in different areas, be it image scanning with Trivy and Clair, classical vulnerability scanning with Nessus, static code analysis with Sonar or dependency management with the OWASP dependency tracker. DefectDojo takes all those reports, deduplicates findings, manages the handling of false positives and gives a Product Owner a tool for moving findings on into your development tracking software, such as Jira or others. I will show how all of that works and what advantages this has. Also some insight into how it's used in a medium-size critical infrastructure company. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/vulnerability-management-with-defectdojo/

Dec 29, 2024 · 39 min

The Multi-Billion Tax Heist Cum/Ex (38c3)

After a brief explanation of what Cum/Ex actually is, the talk first turns to the question of how this internationally organised case of serious tax evasion could be uncovered at all, and what remains to be done. Who are the players on the side of the financial industry, and how do the perpetrators think? The talk then describes how the state deals with white-collar crime in general and develops possible solutions. It also addresses what each individual can do and why the NGO Finanzwende can be an important place for bringing about political change on financial policy issues. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/der-milliarden-steuerraub-cum-ex-wie-schdlich-ist-wirtschaftskriminalitt-fr-unsere-gesellschaft/

Dec 29, 2024 · 43 min

The Tech Year 2024 - AI, Climate, Crypto (mspr0 & Ali Hackalife) Auch-interessant! (38c3)

Ali Hackalife (Auch-interessant!) and Michael Seemann (wmr) talk about the past year in technology. The Auch-interessant! podcast (https://auch-interessant.de) is a podcast that deals with both technology and social topics. The computer philosopher Michael Seemann (mspr0) has been a frequent guest. At 38c3, Ali and mspr0 meet to look back on the past year in technology. How is Ali's tech optimism doing after this year? And what turned out differently than expected? Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/das-technikjahr-2024-ki-klima-crypto-mspr0-ali-hackalife-auch-interessant/

Dec 29, 2024 · 1h 13m

UX for Hackers: Why It Matters and What Can You Do (38c3)

The hacker community is great at making brilliant tools and solving fascinating problems, but we often suck at making the tools and solutions available to the rest of humanity - sometimes even to ourselves. UX and usability are frequently dismissed or misunderstood as the superficial art of adding unnecessary whitespace to perfectly usable things. The assumption is that the prospective users should just "get better" at using computers. That's all quite bad - but what's even worse, we often forget that the user - their human brain and their human perception - is often the biggest attack surface, and as we harden our solutions against all technical threats, we prefer to ignore this one. Over the last couple of years, I have been working on making Qubes OS - a secure operating system - more usable for both hackers and the less technically brilliant users. It has been a very interesting journey that has taught me a lot about clever hackers, so-called normal people and the way you can make security and usability work together, not against each other. In this talk, I will share those insights, show how UX and usability are in fact part of security, discuss some common human interface mistakes open source developers and hackers make - and tell you how you can improve the UX of your projects without dying inside. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/ux-for-hackers-why-it-matters-and-what-can-you-do/

Dec 29, 2024 · 1h 2m

Beyond BLE: Cracking Open the Black-Box of RF Microcontrollers (38c3)

Despite the recent popularity and breadth of offerings of low-cost RF microcontrollers, there is a shared absence of documentation for the internal workings of their RF hardware. Vendors might provide an API for their supported protocols, such as BLE, but their documentation will only provide as much detail as necessary to use these libraries. For practically every BLE MCU available to hobbyists, interfacing with the on-chip radio is limited to secret ROMs or binary blobs. In this talk, we will finally peel back the curtain on one of these RF MCUs, giving the ability to understand and unlock the full potential of the hardware to operate in new modes. The TI SimpleLink family of BLE and Sub-GHz RF MCUs present a general-purpose Cortex-M4F platform with extensive documentation for developing custom embedded/IoT devices. With a reference manual filled with countless diagrams and register maps for all its peripherals, the Radio section is surprisingly sparse, only mentioning a high-level API for exchanging commands between an RF coprocessor core. This secondary undocumented CPU is what handles the actual RF communication, running from an inaccessible ROM. There’s no mention of what peripherals lie beyond the coprocessor aside from generic “DSP Modem” and “RF Engine” modules. This talk serves to be the unofficial “Radio Reference Manual” of the SimpleLink MCUs, opening the black box of the RF subsystem and painting the full picture on how the radio operates - from the stack to the antenna. As part of this effort to fully understand these chips, we reverse engineered TI’s proprietary RF patch format, which enables SDK updates to introduce support for newer protocols on existing chips. We show how these patches allow you to modify the behavior of almost every part of the RF subsystem, control the RF subsystem in ways not intended, or even replace the ROM firmware entirely.
Additionally, we investigate the hidden DSP Modem cores, and decode their proprietary ISA to disassemble and craft new firmware patches for them as well, potentially opening up the door for a cheap single-chip SDR. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/beyond-ble-cracking-open-the-black-box-of-rf-microcontrollers/

Dec 29, 2024 · 40 min

Let's build dodos! How generative AI is upturning the world of synthetic biology and hopelessly overwhelming traditional governance instruments. (38c3)

Have you always wanted to build an egg-laying woolly milk sow or bring the legendary dodo back to life? The dream of some biologists to not only understand organisms, but also to redesign, build or bring living beings back to life is accelerating towards reality with the convergence of synthetic biology and generative AI in ‘generative biology’. For example, large language models are now being used to write genes and proteins, while complex laboratory tests are being replaced by machine vision and automation. The pace of these developments is so fast that they are barely noticed by the public, politicians or related experts such as environmental scientists. Questions about the reliability and safety of these new biodigital methods and applications are not yet being asked and research into risk assessment methods is not keeping pace. At the same time, this shift of generative AI systems from generating text and images to generating protein, bacteria, viruses and organisms could transform many areas of life, from medicine and the environment to bioweapons. So let's talk about it and discuss it. This is what the talk will be about: - What is the science behind synthetic biology? What is genome editing, CRISPR/cas, RNAi or off-target effects etc.? - And how does generative AI and generative biology come into play? What is actually happening in laboratories and corporate R&D around the world, including in the USA and China? I will report on AI platforms that generate designs for novel viruses and proteins to experiments ranging from medical drug development and attempts to bring extinct species back to life. I will also present current scenarios in the field of bioweapons. - How big tech is moving to get into bioeconomy – Titans such as Google, Microsoft, Nvidia, Alibaba, Meta, Amazon and Salesforce, with no specific experience in life sciences, are now the leaders in a new ‘generative biology’ run. 
- I will then continue with our own research on risk and technology assessment of genetically modified organisms and synthetic biology. This includes experiments and method development on biosafety, but also poses more fundamental questions such as investigating if the AI/biodigital design of nature is in line with nature conservation concepts or asking if democratization of biotech research (garage biology) relates to “dual use” risks. We also work on instruments to better understand impacts on society and improved social participation. - Finally, I would like to report on the very controversial negotiations on this topic at the UN Convention on Biological Diversity in Colombia in November – among parties, with perspectives from developing countries, indigenous peoples and local communities, scientists and others – and discuss ways forward for fair, multidisciplinary assessment and oversight that is urgently needed. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/let-s-build-dodos-how-generative-ai-is-upturning-the-world-of-synthetic-biology-and-hopelessly-overwhelming-traditional-governance-instruments/

Dec 29, 2024 · 44 min

Can We Find Beauty in Tax Fraud? (38c3)

What do Olaf Scholz, blue ikea bags, Moldova, Deutsche Bank, fine art, and Butyrka Prison have in common? Join us for a brief stroll through the hidden, shady world of large-scale tax fraud, cross-border financial crime, money laundering, and corruption. We’ll examine both common and lesser-known financial exploits, drawing on revelations from journalists, activists, and investigators over the last few decades. Can there be beauty in abstraction? And are dividend stripping or VAT fraud diagrams really as dull as they seem? But most importantly: Is defrauding the public of 64 billion euros considered science, engineering, or art? And what does this have to do with you—and why should you care? Using real-world case studies, we’ll explore how corporations and individuals defraud populations and how these schemes—though sometimes confusing or complex on the surface—rely on surprisingly simple, chained tactics, much like exploits in information systems. We’ll break down the roles of various actors, service providers, fraudsters, and corrupt officials, as well as their playbooks, exploring how these crimes work or how they break and fail. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/can-we-find-beauty-in-tax-fraud/

Dec 29, 2024 · 34 min

we made a globally distributed DNS network for shits and giggles (38c3)

DNS infrastructure is a bespoke pile of interconnected "standards", and its management is often treated as an afterthought. With Project SERVFAIL we aim to change that perception, providing both general docs and a community-run alternative to commercial nameservers - all of this while staying exceedingly *silly*. What started as a joke shitpost on fedi ended up with us spending multiple weeks hacking on everything DNS: from infra setups, through automating DNSSEC deployments, up to writing a fully custom zone edit website. With [Project SERVFAIL](https://beta.servfail.network), we set out to discover what we could do better than the status quo. With barely any progress in the past 15 years, the NS provider field has seemingly stagnated. We set out to change that - and while SERVFAIL is still a Work in Progress, we're already at a point where we have a lot to share: stories of horror, upstream negligence, but also of hope and wonder for the future. All of this while still bringing a vibe that wouldn't let you mistake us for an enterprise - and for free, OSS, of course. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/we-made-a-globally-distributed-dns-network-for-shits-and-giggles/

Dec 29, 2024 · 43 min

Aufräumen Podcast (38c3)

Udo is on site and will try to bring Johannes in remotely. Then the two of us will tidy up. And you can listen and watch! A guest may also take part! Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/aufrumen-podcast/

Dec 29, 2024 · 42 min

The whois protocol for internet routing policy, or how plaintext retrieved over TCP/43 ends up in router configurations (38c3)

Whois is one of the historic internet protocols. There are two types of whois databases on the Internet: domain names, and internet numbers (IP addresses, autonomous system numbers). In this talk, we introduce the history of the whois databases for Internet numbers and explain how they are used (and what is ongoing to replace this way of accessing this information). Spoiler: yes, people still use MD5 to authenticate updates, and still put policy derived from data retrieved over unauthenticated protocols in their router configurations. Whois is one of the older protocols still in use on the Internet, playing a critical role in managing and distributing information about domain names and Internet numbers, such as IP addresses and autonomous system numbers (ASNs). This talk focuses on using whois for internet routing information, aka an internet routing registry. It's well known that BGP is a trust-based protocol for distributing internet routes. When network operators configure a BGP link with a peer [another network], they often want to restrict the routes accepted from that peer; a small customer is very unlikely to be the upstream network of a hyperscaler. But how do you gather information about what prefixes and networks are likely announced by that network? The session will start by exploring what whois databases contain ("RPSL - Routing Policy Specification Language"), and how they have a role as a database for internet routing registry (IRR) information. We explain the various (authoritative and non-authoritative) IRR databases and how they differ. We then continue by describing the routing policy present in these databases. After introducing the information present, we will explain how this policy is applied to routers... as well as the surprisingly fragile aspects of this mechanism (unauthenticated retrieval channels, updates via email with plaintext passwords).
Finally, we introduce the more modern alternatives under development; not only for access to the same IRR information (Registration Data Access Protocol) but also the Routing Public Key Infrastructure, that is currently actively being deployed. We will gloss over the RPKI architecture, and explain that it stores part of the information available in the IRR (and how policy from this distributed system is fed into routers), including the trade-off (centralisation). Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/the-whois-protocol-for-internet-routing-policy-or-how-plaintext-retrieved-over-tcp-43-ends-up-in-router-configurations/

Dec 29, 2024 · 54 min

The Design Decisions behind the first Open-Everything FABulous FPGA (38c3)

With the availability of robust silicon-proven open-source tools, IPs, and process design kits (PDKs), it is now possible to build complex chips without industry tools. This is exactly what we did to design our first open-everything FABulous FPGA, which is an example of open silicon that is designed and programmed entirely with open tools. Produced in the Skywater 130nm process node, our chip features 672 LUTs (each with 4 inputs and a flop), 6 DSP blocks (8x8 bit multipliers with 20-bit accumulators), 8 BRAMs (with 1KB each), and 12 register file primitives (each having 32 4-bit words with 1 write and 2 read ports). The resources are sufficient to run, for instance, a small RISC-V system on the fabric. The FPGA comes with a small board that is designed to fit into an audio cassette case and that can be programmed directly via a USB interface. Moreover, the FPGA supports partial reconfiguration, which allows us to swap the logic of parts of the FPGA while continuing operation in the rest of the chip. The chip was designed with the help of the versatile FABulous framework, which integrates several further open-source projects, including Yosys, nextpnr, the Verilator, OpenRAM, and the OpenLane tool suite. FABulous was used for various embedded FPGAs, including multiple designs manufactured in the TSMC 28nm process node. The talk will discuss and analyze differences and similarities with industry FPGAs and dive into design decisions taken and optimizations applied to deliver good quality of results (with respect to area cost and performance). The talk will highlight state-of-the-art in open-source FPGA chip design and provide a deeper than usual discussion on the design principles of these devices. The talk will target both FPGA novices and experts and discuss the technology from two angles: 1) the capabilities of open tools to build an entire FPGA ecosystem and 2) FPGA technology insights.
Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/the-design-decisions-behind-the-first-open-everything-fabulous-fpga/

Dec 29, 2024 · 41 min

Open Accessibility - Making (Not Only) F/OSS More Accessible! (38c3)

Accessibility for everyone, always and everywhere, at least in F/OSS software and communities, has so far been wishful thinking. Why is that, and how can it be changed fundamentally? So far, accessibility in Germany matters, if at all, only for websites. Desktop software, online communication and IT systems in general, by contrast, are unusable or usable only with major restrictions for most people with disabilities. So far, people have mostly tried to remedy these shortcomings with individual workarounds, only for everything to be undone again with the next upgrade. There are technical, social, societal and legal reasons, or rather deficits, behind this predicament. I will present them. Building on that, I argue for fundamental improvements and show possible approaches, among others in the areas of standards, individual engagement, processes and the organisation of communities. Questions, discussion and your own suggestions are welcome! Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/open-accessibility-nicht-nur-f-oss-barrierermer-gestalten/

Dec 29, 2024 · 40 min

Dialing into the Past: RCE via the Fax Machine – Because Why Not? (38c3)

Remember the days when faxes were the pinnacle of office tech, and the sound of a paper getting pulled in was as satisfying as a fresh cup of coffee? Well, it's time to dust off those memories and reintroduce ourselves to the quirky world of printers and their forgotten fax interfaces – yes, those relics that make us all feel like we're in an '80s sci-fi movie – and specifically, how they can unlock a new frontier in printer security exploits! In this talk, we'll show you how we leveraged a printer bug that we found at Pwn2Own Ireland this year to gain remote code execution. Over its fax interface. You might think, "Who cares about faxes?" – but what if I told you that lurking within this vintage feature is a potential pathway for remote code execution? That's right, while everyone else is busy patching the latest vulnerabilities in trendy software and half the world is obsessed with cloud security, we'll be having a blast with tech that should've been retired to the attic long ago, exploiting a feature that's older than some of the attendees! We'll explore how this vintage tech can be the gateway to some serious mischief. Think of the possibilities: municipalities, banks, courts, you pick your favorite bureaucracy. Unfortunately, we can't do any of those things -- that'd be naughty -- so we're restricted to doing the stupidest things we can think of in our live demos. In case you're wondering: of course we'll be running doom on this thing, proving that even the most outdated tech can still pack a punch, as we take control over this device in style. Expect a mix of technical insights and many moments of "why would you do that?". So join us in this wild ride through simpler times -- who knew the key to world domination lies in a dusty fax machine? Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/dialing-into-the-past-rce-via-the-fax-machine-because-why-not/

Dec 29, 2024 · 38 min

Eat the Rich! People Want Social Security but Get "Germany for the Germans". Take the Money from the Rich! (38c3)

Payment cards soon for Bürgergeld recipients too, tougher sanctions, a flat rate for housing costs, a lower standard rate, forced relocation, stricter rules on which job offers count as reasonable, and total surveillance: the debate about the Bürgergeld (citizen's income) has gone completely off the rails. What else is coming our way? And how do we get out of the spiral of incitement? The Union has picked the Bürgergeld as its most important campaign issue for 2025 and would prefer to abolish it immediately. Social and technical methods of dehumanisation are being tested on people who receive social benefits. The talk looks at what life on the Bürgergeld is like, how it differs from Hartz IV, what effects the job centres' surveillance methods have, and what function the Bürgergeld serves in society. Is all of this really legal? Does that perhaps not even matter? And above all: what can we do about it? Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/eat-the-rich-die-menschen-wollen-soziale-sicherheit-aber-kriegen-deutschland-den-deutschen-holt-das-geld-bei-den-reichen/

Dec 29, 2024 · 45 min