Chaos Computer Club - archive feed

14,359 episodes — Page 12 of 288

How Roaming Agreements Enable 5G MitM Attacks (38c3)

End-users in cellular networks are at risk of connecting to fake base stations, and we show that mitigations pushed in 5G are insufficient. Machine-in-the-Middle (MitM) attackers aim to overhear and manipulate network traffic. The MitM position can also be used as an entry point for baseband exploitation. Proceeding from there, attackers can gain full control of a user’s phone. Standardization bodies pushed many mitigations against MitM into the specification of cellular networks. However, roaming agreements still enable powerful attackers to perform seamless attacks – even in 5G! In this talk, you’ll learn about the complex nature of cellular roaming and how roaming is implemented in recent smartphones. The specification puts a lot of trust in network operators. This impedes security in real-world deployments. We show that the capabilities of network operators exceed the intended capabilities of lawful interception. If those are abused, end-users have no possibility of noticing the attacks. Attacks on roaming are challenging to prevent or even detect in practice. The specification needs a major update to make cellular roaming secure. Users at risk should be aware of the current state of the system. We discuss multiple mitigations, including solutions for end-user devices. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/how-roaming-agreements-enable-5g-mitm-attacks/

Dec 27, 2024 · 39 min

Clay PCB (38c3)

We built an Ethical Hardware Kit with a PCB microcontroller made of wild clay retrieved from the forest in Austria and fired on a bonfire. Our conductive tracks use urban-mined silver and all components are re-used from old electronic devices. The microcontroller can compute different inputs and outputs and is totally open source. It is an open secret that the hardware in our smart devices contains not only plastics but also ‘conflict minerals’ such as copper and gold. Technology is not neutral. We investigate alternative hardware from locally sourced materials from a feminist perspective, to develop and speculate upon renewable practices. We call it Feminist Hardware! Feminist Hardware is developed without mining in harmful ways, in an environmentally friendly way, under fair working conditions, and is manufactured from ubiquitously available materials, without generating e-waste, with consent, love and care. We researched fair-traded, ethical, biodegradable hardware for environmental justice, building circuits that use ancient community-centered crafts encouraging de-colonial thinking, market forces to be disobeyed, and future technologies to be imagined. Our artistic outcome is an Ethical Hardware Kit with a PCB microcontroller at its core. Our PCB is made of wild clay retrieved from the forest in Austria and fired on a bonfire. Our conductive tracks used urban-mined silver and all components are re-used from old electronic devices. The microcontroller can compute different inputs and outputs and is totally open source. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/clay-pcb/

Dec 27, 2024 · 39 min

CTF: WTF?! - Capture The Flag for Beginners (38c3)

Capture The Flag (CTF) for beginners: how to practice "hacking" legally, why you should do it, and where to start. "Hacking" has long since stopped being just a hobby. WTF? CTF! What is a "Capture The Flag", how does it fit into the current crop of security buzzwords, what can I gain from it, and how do I get started? A few simple platforms and events for getting started and practicing are shown. This is followed by game formats, ways of learning to "hack", and an outlook on career opportunities. The talk is aimed at beginners who are looking for new challenges and want to deepen their knowledge of IT security. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/ctf-wtf-capture-the-flag-fr-einsteiger/

Dec 27, 2024 · 38 min

Building Your First LoRa Mesh Network From Scratch (38c3)

In a world of centralized internet control, building your own mesh network isn't just a technical challenge—it's digital independence. This beginner-friendly guide walks through creating resilient mesh networks using accessible hardware like LoRa and ESP devices. From antenna selection to node placement strategy, learn how to build networks that operate independently of traditional infrastructure. Ever wondered how to create your own independent communication network? This practical introduction demonstrates how to build resilient mesh networks using affordable, readily available components. We'll demystify the process while emphasizing legal and responsible deployment. The talk breaks down into four key segments:

Hardware Selection & Setup
• Understanding LoRa, ESP, and other low-cost communication devices
• Choosing the right antennas for your environment
• Basic hardware configuration and initial setup
• Cost-effective shopping guide and alternatives

Network Planning 101
• Basic principles of mesh network topology
• Coverage planning and node placement strategy
• Utilizing existing structures (old TV antennas, tall buildings)
• Tools and software for network planning
• Range testing and optimization

Practical Deployment
• Weather-proofing your nodes
• Power considerations (solar, battery, mains)
• Legal considerations and responsible deployment
• Documentation and network monitoring
• Common pitfalls and how to avoid them

Advanced Topics & Future Expansion
• Adding encryption and security layers
• Integration with other network types
• Scaling strategies
• Community building and maintenance

Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/building-your-first-lora-mesh-network-from-scratch/

Dec 27, 2024 · 32 min

Liberating Wi-Fi on the ESP32 (38c3)

Reverse engineering the Wi-Fi peripheral of the ESP32 to build an open source Wi-Fi stack. During the 38c3, there are probably multiple thousands of ESP32s in the CCH, all of which run a closed source Wi-Fi stack. And while that stack works, it would be nicer to have an open source stack, which would grant us the ability to modify and audit the software, which carries potentially sensitive data. So we set to work, reverse engineering the proprietary stack and building a new open source one. We soon discovered just how versatile the ESP32 can be, both as a tool for research and IoT SoC, when its capabilities are fully unlocked. This includes using it as a pentesting tool, a B.A.T.M.A.N. mesh router or an AirDrop client. You'll learn something about Wi-Fi, the ESP32, reverse engineering in general and how to approach such a project. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/liberating-wi-fi-on-the-esp32/

Dec 27, 2024 · 38 min

Transparency? Not from the European Commission (38c3)

The European Commission is the executive branch of the European Union with the duty to uphold the law. The transparency of the Commission's actions and decisions ranges from questionable to abysmal. Attempts by the public to access information are often thwarted. This talk will cover the Commission's lack of transparency, challenges faced by the public in accessing information, the Commission's tactics and examples of the European Ombudsman's interventions to improve the situation. Whether you are interested in ChatControl, AI or public procurement, this talk will have you covered. ~~Redacted~~ Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/transparency-not-from-the-european-commission/

Dec 27, 2024 · 35 min

Genders to Those Who Hack Them: Self-Determination Act, Pink Lists, Surveillance State (38c3)

Self-determination is a fundamental principle of hacking, whether technological or gender-related. But what if self-determination can only be realized to a limited extent, at best, and with state repression as the default? Selbstbestimmung selbst gemacht is a trans, inter, nonbinary action group whose name says it all. We want to hack the system in order to be ourselves, free of surveillance and with (health) insurance. Whether it is the possible passing-on of information / disclosure requirement (Offenbarungsgebot), for all people, whether cis or TIN*, which was taken out of the deficient "Self-Determination" Act (SBSG) at the last minute in exchange for the payment card, or the sabotage and obstruction of gender-affirming healthcare: like migrant people, we are at the center of the state's love of surveillance and of fascist fantasies of eradication, yet go unnoticed in the Chaos. We want to change this: here, this year and for all time. We will explore the process of the SBSG, draw the connection between the (in)security package, surveillance measures and being trans, and, along the way, insure illegalized practices through the supplementary gender insurance. All that is needed is your stage and the keyboards of all our siblings. Trans*, inter*, non-binary (TIN*) rights and data security go hand in hand. In this contribution we want to make that concrete and advocate for more networking between the digital (fundamental) rights / data security scene and TIN* activism. In doing so, connections between the (in)security package, surveillance measures and trans gender identity are explored and answered with concrete legislative proposals and activist actions, and an insight into the sometimes strong parallels in the legislative processes is provided. Since 1 November 2024 the new Self-Determination Act (SBGG) has been in force in Germany, which is intended to make it easier for TIN* persons to change their name and gender entries.
Three days before the SBGG was passed on 12 April 2024, the so-called "disclosure requirement" (Offenbarungsgebot) was negotiated out of the law in exchange for the payment card for asylum seekers: the Federal Ministry of the Interior in particular wanted an automatic forwarding of personal data, including address and old and new gender entry, to eleven state institutions, including the BKA, the Verfassungsschutz, [what are they properly called again: the black-money department and illegal weapons]. The resulting "pink lists" did not come to pass. However, only on the assurance that the corresponding surveillance measure becomes mandatory for all changes of civil status, which includes marriages, adoption, etc. A corresponding declaration of intent was to be submitted to and adopted by the Bundestag in December, but was ultimately, and presumably, thwarted by the end of the "Ampel" (traffic-light) coalition. Whether, how and in what form this plan continues to exist is unclear at the present time. Data security and TIN* rights intersect directly here. TIN* persons are being instrumentalized against the privacy of all people. In this contribution we want to set out how this came about. We also want to discuss what is bad about it and what we can do. To that end we will present, among other things, the sections on and points of connection to data security from our self-written, community-produced Self-Determination Act 2.0. But we also want to make proposals for concrete activist actions. For that we need your stage, and the keyboards of all our siblings. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/die-geschlechter-denen-die-sie-hacken-selbstbestimmungsgesetz-pinke-listen-berwachungsstaat/

Dec 27, 2024 · 41 min

sixos: a nix os without systemd (38c3)

This talk announces the first public release of sixos, a two year project to create a nixpkgs-based operating system using skarnet's s6 supervisor instead of systemd.

The monolithic design of `systemd` is inconsistent with the UNIX userspace philosophy. Its our-way-or-fork-off policy attracts influence-seekers, and thereby encourages *platform decay* within the free software ecosystem. Systemd's failure to provide Linux-grade ABI stability („we don't break userspace“) creates a large and tempting attack surface for *enshittification*.

This talk announces the first public release of [sixos](https://codeberg.org/amjoseph/sixos), a two year project to create a nixpkgs-based operating system using [skarnet](https://skarnet.org/software/)'s [`s6`](https://skarnet.org/software/s6/) instead of `systemd`.

Sixos replaces NixOS modules with the simpler [`infuse`](https://codeberg.org/amjoseph/infuse.nix) combinator. This allows sixos to treat services the same way nixpkgs handles packages:

- A service (`svcs/by-name/.../service.nix`) in sixos is a Nix expression, just like an uninstantiated package (`pkgs/by-name/.../package.nix`) in nixpkgs.
- A sixos target is a derivation, just like an instantiated package in nixpkgs.
- The sixos target set (`targets`) is a scoped fixpoint, just like the nixpkgs instantiated-package set (`pkgs`).
- The `override`, `callPackage`, and `overrideAttrs` tools work on targets and services, just like they do on instantiated and uninstantiated packages.

Whenever possible, sixos retains good ideas pioneered by NixOS, like atomically-activated immutable configurations and the layout of `/run`. Sixos is not a fork of NixOS. It shares no code with `nixpkgs/nixos`, nor is any part of it derived from NixOS. Sixos and NixOS both depend on `nixpkgs/pkgs`.

On [ownerboot](https://codeberg.org/amjoseph/ownerboot) hardware all [mutable firmware](https://codeberg.org/amjoseph/ownerboot/src/branch/master/doc/owner-controlled.md#clarifications) -- all the way back to the reset vector -- is versioned, managed, and built as part of the sixos configuration. This *eliminates the artificial distinction between firmware software and non-firmware software*. On NixOS, either the initrd „secrets“ or the software that decrypts them ([ESP](https://en.wikipedia.org/wiki/EFI_system_partition), [initrd ssh keys](https://github.com/NixOS/nixpkgs/blob/6b88838224de5b86f449e9d01755eae4efe4a1e4/nixos/modules/system/boot/initrd-ssh.nix#L73-L76)) is stored unencrypted on writable media. Ownerbooted sixos closes this loophole without any „trusted computing“ voodoo, eliminating all unencrypted storage except for an eeprom whose hardware write-protect pin is connected to ground. The speaker runs ownerbooted sixos on his workstations, servers, twelve routers, stockpile of disposable laptops, and on his company's 24-server/768-core buildfarm. So far all of his attempts to run sixos on his snowboard have failed. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/sixos-a-nix-os-without-systemd/

Dec 27, 2024 · 56 min

Police 2.0: Peaceful activism is terrorism and fakenews are facts (38c3)

On 23 October 2019 peaceful activist Frank van der Linde found out the Dutch Police was associating him with terrorism to other countries' law enforcement. This talk goes over the bizarre, worrying and, frankly, quite funny journey that Frank van der Linde has embarked on, hoping on a litigation frenzy to seek justice and fight back against the institutional intimidation of activists. In 2014 the Dutch police started monitoring Frank van der Linde after he demonstrated and publicly opposed racism, climate change, animal cruelty, homelessness, and other social injustices. By 2019 the Dutch law enforcement had put him on a terror list and shared his personal data with the German Federal Criminal Police Office, Europol and Interpol. Frank challenged the police for sharing his data and categorising him as "terrorist"; they responded "The term ‘terrorism’ is a broad term, and they don't really mean it." The Police maintained the categorisation. Last year, a Dutch police officer blew the whistle and spoke out in favor of Frank during a hearing in court. He told the court that the police file about Frank contained grossly mischaracterised and biased information. Overall it seems that wherever van der Linde's data is processed, data gets lost and accountability processes cave in. To quote Frank, “What do they have to hide?!” Speakers: Frank van der Linde; Lori Roussey, Director of Data Rights, who participates in supporting Frank's courageous journey. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/police-2-0-peaceful-activism-is-terrorism-and-fakenews-are-facts/

Dec 27, 2024 · 39 min

"Of course I'm 18!" - Age Verification Online from a Data Protection Perspective (38c3)

"To search for this term, to log in to this website or to watch this video, please have your ID card ready so that we can verify your age." We may encounter such requests more often in the future, because more and more websites want to know our age. But where does this interest come from, and is it actually permissible? Together we put on our data protection glasses and get to the bottom of the following questions: What methods of age verification exist and how do they work? Can or should age verification methods be used, and are there cases in which they even must be used? Are data protection and child protection really opposites, or do they have more in common than is often assumed? And what does the Federal Commissioner for Data Protection and Freedom of Information (BfDI) actually say about it? Hand on heart: before you were 18, did you visit websites that were intended only for adults? Which mechanisms tried to stop you? How often do you encounter these mechanisms today? Age verification is hotly debated, not least because of the provisions of the Digital Services Act (DSA) and the discussions about the age-appropriateness of social media. It has long since ceased to be only about 18+ content. The idea is simple: anyone who is too young may not enter certain areas of the internet, as in the video rental store in the old days, or anyone who is too old is not admitted, as on some playgrounds. But could you imagine handing in a copy of your ID card at the video rental store, together with the list of films you have rented? The important difference is: in order to be able to check a person's age in digital services, more data has to be processed than with a brief glance at the ID card, and that is not permissible without further ado!
How age verification methods are handled will contribute significantly to what the internet will look like in the future and how free it will be. It is not only about how child protection is implemented online, but also about how much participation is possible in the digital sphere, and not only for children. In this talk you can expect an overview of current (political) demands for age verification on the internet and of the various methods that are used. We take a short excursion into data protection law and explore the question of how age verification, child protection and data protection interact. Last but not least, you will get to hear the assessment of the Federal Commissioner for Data Protection and Freedom of Information. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/natrlich-bin-ich-18-altersprfungen-im-netz-aus-datenschutzperspektive/

Dec 27, 2024 · 38 min

ACE up the sleeve: (38c3)

With the iPhone 15 & iPhone 15 Pro, Apple switched their iPhone to USB-C and introduced a new USB-C controller: The ACE3, a powerful, very custom, TI manufactured chip. But the ACE3 does more than just handle USB power delivery: It's a full microcontroller running a full USB stack connected to some of the internal busses of the device, and is responsible for providing access to JTAG of the application processor, the internal SPMI bus, etc. We start by investigating the previous variant of the ACE3: The ACE2. It's based on a known chip, and using a combination of a hardware vulnerability in MacBooks and a custom macOS kernel module we managed to persistently backdoor it - even surviving full-system restores. On the ACE3 however, Apple upped their game: Firmware updates are personalized to the device, debug interfaces seem to be disabled, and the external flash is validated and does not contain all the firmware. However using a combination of reverse-engineering, RF side-channel analysis and electro-magnetic fault-injection it was possible to gain code-execution on the ACE3 - allowing dumping of the ROM, and analysis of the functionality. This talk will show how to use a combination of hardware, firmware, reverse-engineering, side-channel analysis and fault-injection to gain code-execution on a completely custom chip, enabling further security research on an under-explored but security-relevant part of Apple devices. It will also demonstrate attacks on the predecessor of the ACE3. The Lightning and USB-C ports on Apple devices have been well known to "hide" secrets beyond just exposing USB and charging functionality: For example last year at CCC, we showed how we can gain access to JTAG on the iPhone 15 using a custom-built PCB ("Tamarin-C").
All this is handled on new Apple devices using a chip called the ACE3: While previous Apple USB-C devices used a slightly modified Texas Instruments TPS65986, the ACE3 is significantly more custom - and significantly more powerful: It runs a full USB stack (implementing the "Port DFU" mode) and is connected to different internal busses of the phone, making it an interesting target for persistent firmware-implant style attacks. Imagine modifying/backdooring the USB-C controller in a way where it will automatically compromise the main operating-system - essentially making (potential) USB jailbreaks untethered. But how do we approach a custom chip without any documentation and which has its firmware in an internal ROM? With the ACE2 it was possible to dump the integrated ROM using JTAG/SWD, which allowed us to identify & exploit a hardware (on all MacBooks except the M3 Pro & Max) vulnerability to persistently modify the ACE2. However the ACE3 is different: We don't even have a pinout for the chip (which has 120 pins), JTAG seems disabled, and the external flash does not even contain the actual firmware, but only tiny patches for the actual firmware in the chip - and the contents are cryptographically validated! After attempting different software avenues of attacking the ACE3 (including building a small fuzzer and finding a timing side-channel attack to enumerate available commands) with no success, and seeing that the ACE3 implements firmware personalization, it was time for the ace up the sleeve: Hardware attacks. After reverse-engineering the external flash layout (including CRCs) and finding that the flash is cryptographically verified (and that a secure-boot bypass vulnerability we found on the ACE2 does not work on the ACE3), the idea was born to use electro-magnetic measurements to determine when during the startup of the chip the validation fails. 
And by triggering a software-defined radio on the activity of the external flash, it was possible to gather a very precise point in time where the check is being done - perfect to try some fault injection! Unfortunately no good isolated power-supply for the ACE3 could be found to use with voltage fault injection, and so instead I decided to try electro-magnetic fault injection: By "blasting" the chip with strong electro-magnetic fields at just the point in time determined during the EM measurement I was hoping to be able to bypass the check - and after hours of trying, debugging, moving the injection tip, more debugging, and more time, it eventually succeeded: A modified patchset could be booted into the CPU. But … How do we make sure our "patch" actually gets executed? How do we dump the ROM without having any IO? And how do we even know what (in the 32-bit address space of the processor) we should dump? And can we implement the attack without thousands of dollars of hardware? We will look at all of these things during the talk. Itemized progression draft: - Introduction - whoami - History of Lightning/USB-C secrets on Apple devices - A quick look at ACE2 - Technical details & usage - Dumping the ACE2 - Analyzing the MacBook hardware - Building

Dec 27, 2024 · 40 min

libobscura: Cameras are difficult (38c3)

I'm not big-brained enough to use cameras on Linux, so I decided to write my own camera stack (based on a real story). The libobscura experiment exists to find out what a point-and-shoot API abstracting Video4Linux should look like. It has its roots on one hand in the Librem 5 project, where I wrote some 70% of the camera stack, and on the other hand in libcamera, which I found too difficult to use. You think controlling a modern camera is easy? Think again. Between pixel formats, depths, media entities, pads and links, sensitivity, denoising, phase detection, shutter lengths, DMAbuf, OpenGL, feedback loops, requests, and statistics, there's enough opportunities to get lost in the detail. Thankfully, Prototype Fund thinks I'm up for the challenge, so they are funding me through libobscura in order to get lost, and maybe find something in the process. Project repo: https://codeberg.org/libobscura/libobscura Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/libobscura-cameras-are-difficult/

Dec 27, 2024 · 41 min

Correctiv Investigation "Secret Plan Against Germany" (38c3)

A year ago, Correctiv published the investigation "Secret Plan Against Germany", which exposed a secret meeting of right-wing extremists, AfD officials and CDU members. This revelation led to massive demonstrations, while right-wing extremist groups tried to play down what had happened. The political reaction, however, remained muted, and the AfD continued to put pressure on the democratic parties. In this talk Jean Peters, lead reporter of the investigation, gives an overview of the research methods, analyzes the media discourse and points out future perspectives for reporting on right-wing extremism. A year ago, in the investigative report "Secret Plan Against Germany", Correctiv exposed an explosive meeting in Potsdam attended by right-wing extremists, AfD officials, lower-ranking CDU members and major financial backers. This publication made big waves among the German public and led to the largest demonstrations the Federal Republic has seen since its founding. People all over Germany took to the streets to protest against the right-wing extremist threat and the growing political influence of these circles. The right-wing extremists, on the other hand, tried to play down the significance of this meeting and to portray the revelations as exaggerated. They endeavored to relativize their plans. At the same time, the AfD continued to drive the democratic parties before it in the state elections in the new federal states and was able to celebrate considerable electoral successes in several federal states. The reactions at the federal level were disappointing in the eyes of many: instead of taking the warnings from civil society and the demonstrations seriously, federal politics seemed in part to rely on AfD-friendly measures. Jean Peters, the lead reporter of the investigation, will give detailed insights into the approach and methodology of the exposé in his talk.
He will explain how Correctiv uncovered the connections between the right-wing extremist actors and the financial backers, what challenges arose after the investigation, and how the team dealt with the enormous public response. He will also critically assess the media discourse: What role did the media play in disseminating and contextualizing the information? How did the public react to the reporting? And what consequences did this have for the political debate in Germany? Finally, Peters will outline possible next steps and approaches for further reporting on right-wing extremism and the state of the debate around a potential AfD ban. He will set out how investigative journalism can continue to help expose these networks, and which hacks democracy offers to fight authoritarianism. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/correctiv-recherche-geheimplan-gegen-deutschland-1-jahr-danach/

Dec 27, 2024 · 44 min

Typing Culture with Keyboard: Okinawa - Reviving the Japanese Ryukyu-Language through the Art and Precision of Digital Input (38c3)

In a world dominated by digital communication and the drive toward linguistic unification, the simple act of 'typing' varies significantly across languages and writing systems. For European languages like English and German, typing typically involves a set of about 100 letters and symbols. In contrast, Japanese—and by extension, Okinawan—requires three distinct scripts: hiragana, katakana, and kanji. Each of these adds layers of complexity and cultural depth to written expression. This presentation delves into the development of an input method engine (IME) for Okinawan, an endangered language spoken in Japan's Ryukyuan archipelago. Moving beyond technical challenges, this project reveals how modern digital ‘calligraphy’ intersects with language preservation. Every keystroke becomes a deliberate cultural choice, as the IME reflects the aesthetic and linguistic essence of Okinawan language. Highlighting linguistic expression, cultural significance, and the urgent need for language preservation, this talk presents a model for future digital tools that empower endangered languages and cultures to thrive in the digital realm. This presentation begins by illustrating how different languages transliterate speech globally and then shifts focus to the Ryukyu-Japonic language family, showcasing how over 10,000 characters can be input on a QWERTY keyboard. The Input Method Engine (IME) has played a unique role in facilitating character input for Chinese, Japanese, and Korean (CJK) languages. This talk explores expanding the CJK family to include Okinawan, addressing how phonologically distinct sounds are recorded and encoded. This addition lays the groundwork for other Okinawan speakers to express themselves and document their lives in today’s interconnected, digital world. 
Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/typing-culture-with-keyboard-okinawa-reviving-the-japanese-ryukyu-language-through-the-art-and-precision-of-digital-input/

Dec 27, 2024 · 30 min

Breaking the Mirror – A Look at Apple’s New iPhone Remote Control Feature (38c3)

Exploring the security of the new iPhone Mirroring feature as well as the current threat model of the iOS ecosystem. The tight integration between devices is something you only get in Apple’s Continuity ecosystem. It enables seamless interaction between devices, such as using your iPhone as a webcam for your Mac and even letting an iPad act as a second screen with stylus input. All of this relies on Apple’s Continuity framework, a system that builds on local wireless protocols such as Bluetooth and Wi-Fi to communicate among a user’s devices. The interactions enabled between the devices result in a complex threat model that researchers have started to explore over the past years. This summer, Apple newly introduced iPhone Mirroring, a feature that allows users to remote control their locked iPhone wirelessly from their Mac, further blurring the security boundaries in the ecosystem. How does this new feature work? Are the security and privacy checks introduced for iPhone Mirroring sufficient or is it possible to trick the system? What do they protect against and how might this differ from how iOS devices are used in practice? In this talk, you will get demos and explanations of bypasses found in early versions of the iOS 18 beta along with an explanation of why and how they work. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/breaking-the-mirror-a-look-at-apple-s-new-iphone-remote-control-feature/

Dec 27, 2024 · 30 min

38C3: Opening Ceremony (38c3)

Glad you could make it! Take a seat and buckle up for a ride through four days of chaotic adventures. This ceremony will prepare you for the 38C3 in all its glory, underground and above, hacks and trolls, art and radical ideas. Let's kick this thing off together! Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/38c3-opening-ceremony/

Dec 27, 2024 · 28 min

Team Updates @ Orga Meet Dec 2024 (WHY2025)

Team Leads give a short update about the current status of their planning. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://c3voc.de

Dec 14, 2024 · 29 min

Data Ethics in Switzerland (dgna)

Every day we unknowingly leave behind vast amounts of data traces. This data is continuously collected, evaluated and analysed by various parties, often without our knowledge. We benefit directly or indirectly from many of these evaluations. At the same time, such data practices also carry the potential to negatively influence people or societies. Ethics is accordingly increasingly concerned with the field of data ethics. What makes the use of data fair? How do data practices relate to the right to privacy? What do we expect of organisations? How can each individual handle data ethically and contribute to data ethics? Nicole Pauli discusses these and other questions with Cornelia Diethelm (expert in digital ethics) and Veronika Ludwig (Swiss Data Alliance). Cornelia Diethelm is an expert in digital ethics and mediates between business and the expectations of society. She engages with strategic trends and also passes on her knowledge as head of degree programme and lecturer in digital ethics at the Hochschule für Wirtschaft Zürich. She is also a member of three boards of directors. Veronika Ludwig is a lawyer specialising in European and Swiss data protection and in data governance. She brings more than 17 years of professional experience as in-house counsel in corporate environments in the logistics sector and in banking. As a board member of the Swiss Data Privacy Community and an active contributor and data protection adviser at Swiss Data Alliance, she is committed to a forward-looking and ethical data policy. Her particular interest lies in the development of legal frameworks that promote the use of health data while safeguarding patients' rights. about this event: https://www.digitale-gesellschaft.ch/event/netzpolitischer-abend-zu-datenethik-in-der-schweiz/

Nov 21, 2024 · 1h 2m

DENOG16 Closing (denog16)

Thank you for joining us for DENOG16, join us for a quick review and some announcements before heading home! Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.com/denog16/talk/P8QBJW/

Nov 19, 2024 · 29 min

Carrier Scale DNS - DNS@DT (denog16)

This talk will give an overview of DT's DNS platform and the challenges arising from carrier scale DNS deployments. It will cover the architecture and new requirements as well as scalability and the implementation status and impact of encrypted DNS (e.g., DoH/DoT and DNS discovery). The presentation will also address shortcomings of the new discovery mechanisms which are currently being standardized within IETF. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.com/denog16/talk/GJGBFQ/

Nov 19, 2024 · 12 min

IXP Update (denog16)

News from IXPs in Germany. As introduced in 2021, we collect some parameters from all IXPs that are active in Germany. This talk aggregates the updates for all the IXPs in a common format and will be presented in a neutral way. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.com/denog16/talk/Y9RMD9/

Nov 19, 2024 · 29 min

VPP: A 1Tbps+ router with a single IPv4 address (denog16)

In this talk, we explore the changes needed to convert a set of fully open source amd64 based VPP routers running in AS8298 to be able to use exactly one IPv4 and IPv6 address in an OSPFv3 and iBGP configuration. The use of /30 or /31 IPv4 transit networks between routers is a thing of the past, paving the way to conserve IPv4 addresses! The talk discusses the changes made to VPP and a popular routing suite Bird2, to enable both Babel and OSPFv3 to route traffic without using IPv4 transit networks, including operational notes how the author rolled this out in AS8298. Finally, the author will make good on his promise from previous DENOG, predicting a 1Tbps VPP machine. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.com/denog16/talk/YGU3SW/

Nov 19, 2024 · 28 min

Modern Metro Networks: Everything, Everywhere, all at Once (denog16)

Metro networks are arguably one of the more challenging areas in carrier network engineering: Feature creep, space constraints, harsh physical environments and the requirement to deliver all services everywhere, for cheap. At Wobcom AS9136 we _just_ wanted to modernize the transport network. Two years later we ended up redesigning just about everything: Putting white box routers into outdoor shelters, moving subscriber services to the edge and rethinking business CPEs. This talk covers our journey and what design considerations led us to where we are. We will explore a wide range of linked topics:
- Environment (Power, Space, Temperature)
- Optical problems and solutions (OWDM, OpenZR+)
- Network ASICs
- Network Operating Systems
- Protocols (MPLS, SR, EVPN, etc.)
- Subscriber Management
- Full Automation
- CPEs and their management
Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.com/denog16/talk/ZDGXDY/

Nov 19, 2024 · 35 min

From shared broadcast domain into fully routed network without renumbering (denog16)

We had to move a couple of hundred machines from a big Layer 2 broadcast domain into a fully routed network. We also increased the bandwidth available for each server by mounting a new NIC into each server. To avoid synchronisation with service owners, we did not renumber hosts. In addition, there is connectivity to the large Layer 2 domain that is still in place and still has a few thousand hosts in need of migration. In this talk you will learn how we engineered this migration, minimised downtime and ensured the documentation of our network is always up to date. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.com/denog16/talk/WNS7MA/

Nov 19, 2024 · 26 min

Measuring the State of DNS Privacy: Past, Present and Future (denog16)

The Domain Name System (DNS) is a critical component of the Internet infrastructure, responsible for translating human-readable domain names into machine-readable IP addresses. However, the increasing centralization of DNS traffic through large content-delivery hyper-giants (such as Google), coupled with the fact that the majority of DNS communication traditionally runs over unencrypted transports (UDP/TCP), has led to increased security and privacy concerns. In this talk, I will present recent results on the resiliency and efficiency of DNS, the state of adoption of protocols that enable DNS privacy and their performance implications. I will conclude with a future outlook of a protocol design whereby traditional communications no longer have to trade performance for privacy, but can achieve the best of both worlds: privacy-enhancing DNS + secure communication on the Web. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.com/denog16/talk/SLHTY7/

Nov 19, 2024 · 24 min

DDoS mitigation state-of-the-union (denog16)

DDoS attacks and attackers are out there today, and likely won't go away anymore. This talk will outline some current available technologies and developments in the area of DDoS countermeasures, which are designed to make DDoS detection faster, provide better information and decision criteria on what is currently going on in a network, and what is required to mitigate attacks with as few as possible unwanted side effects. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.com/denog16/talk/TG9GBD/

Nov 19, 2024 · 31 min

Return loss problems associated with faster optical networks (denog16)

As communication speeds increase, a new problem of communication errors caused by "return loss" has become apparent in optical connector connections. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.com/denog16/talk/LYC7PW/

Nov 19, 2024 · 24 min

SIP Interworking between voice carriers (denog16)

Everything uses IP nowadays but some stuff is special: Telephony. The connection between customers and their provider is well known but the interconnections of providers themselves are something different. This talk covers the German market; other countries work totally differently (some examples might be given). Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.com/denog16/talk/HSQJC7/

Nov 19, 2024 · 28 min

NIS2 Implementing Act for Digital Services – EU regulation maze revisited (denog16)

Following up on last year's introductory talk about NIS2 and the cybersecurity regulations, we'll look at the technical and methodological requirements specifically for digital service providers. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.com/denog16/talk/Y88EBE/

Nov 19, 2024 · 31 min

End of Day 1 (denog16)

That's a wrap for day 1, we'll share all details about the social and how to get there! Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.com/denog16/talk/38JPGU/

Nov 18, 2024 · 5 min

Analyzing network reliability up to 800G - Impact of SNR thresholds on BER for Coherent (16QAM) and Non-Coherent (PAM4) high speed transceivers under environmental variations (denog16)

This presentation investigates the proximity to a low Signal-to-Noise Ratio (SNR) threshold that can still maintain a tolerable Bit Error Rate (BER) in 100G / 400G / 800G network links. Additionally, we account for factors such as temperature and cable length to predict the duration for which a reliable network connection can be sustained between transceivers. The analysis, based on data retrieved using a Flexbox, focuses on comparing the reliability of coherent (16QAM) and non-coherent (PAM4) transceivers, with a detailed discussion on the implications of these technologies on network performance. For a better understanding of the correlation between these factors, Machine Learning techniques were used. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.com/denog16/talk/KBFMT3/

Nov 18, 2024 · 30 min

Certification of Network Products for Application in German Public Mobile Networks (denog16)

Starting with 1st of January, 2026, operators of public mobile networks in Germany are obliged to employ certified network products within their networks. The obligation affects all network products, which are newly introduced into public mobile networks and provide functions, for which a security assessment document has been approved by the BSI. This also includes network products, which provide 3GPP-specified functionalities and are listed in the list of critical functions by the Federal Office for Information Security (BSI) and the Bundesnetzagentur (BNetzA). The talk will address the necessary steps by operators of public mobile networks to successfully include certification of network products into their procurement and onboarding processes. Therefore, the talk will showcase the technical approaches taken in the certification process and how they are intended to interplay with provider processes. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.com/denog16/talk/BHTKAJ/

Nov 18, 2024 · 27 min

What could possibly go wrong with FTTH - ask the Swiss! (denog16)

The so-called ‘Glasfaserstreit’ (fibre optic dispute), an antitrust case, successfully prevented the intention of the incumbent to monopolise the Swiss fibre optic network. As a result, >2 million households can currently subscribe to a symmetrical 25 Gigabit FTTH connection for ~€70 per month. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.com/denog16/talk/DJAA3V/

Nov 18, 2024 · 27 min

Instant Overflow Injection - Shifting traffic to overflow providers in a moment's notice (denog16)

Single peering interfaces can get loaded during peak usage and/or failure scenarios while the network as a whole still has spare capacity. As a remedy we can use upstream via our so-called overflow providers. In normal operation mode we will prefer direct peerings and only use overflow providers as fallback. For events like the European Football Championship we want to be able to shift traffic to those fallback routes with low effort, low wait times, high granularity and high confidence. We have implemented a service that injects on-demand copies of the existing fallback routes with the preferences tuned to let them be preferred over the "normal" peering routes. The routes are advertised via BGP sessions to our routers and are not distributed any further. The service is using GoBGP and running in Kubernetes. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.com/denog16/talk/NCYK9Q/

Nov 18, 2024 · 12 min

IPv4 over IPv6 networks (denog16)

In this session we are going to cover usage of RFC8950 (IPv4 NLRIs with IPv6 Next Hop). Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.com/denog16/talk/BWWEJ7/

Nov 18, 2024 · 11 min

SCION: Secure Path-Aware Internet Routing (denog16)

SCION is a secure path-aware Internet architecture, designed to achieve high resilience to routing attacks and path selection for Internet users and operators with safety critical traffic such as in financial and healthcare sectors. RPKI/ROV is useful for origin validation but does not validate paths, ASPA is still an evolving technology, whilst BGPSEC has yet to be widely deployed and needs explicit router support along a path to achieve the full benefits. SCION has commercial and open-source implementations and is in production use by the financial services and healthcare industry in Switzerland and internationally. This includes the SCION Research & Education Network (SCIERA) which includes connections to OVGU Magdeburg. It is also currently being evaluated for use in government, power utility, aviation, military and other applications, with a number of vendors interested in implementing it in their products. This talk will discuss the SCION design and architecture, its trust model, how it can be deployed, as well as some deployment experiences to-date. It will also discuss the IETF/IRTF work, and the community efforts supported by the SCION Association to encourage further deployment and development. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.com/denog16/talk/GZAQ7E/

Nov 18, 2024 · 14 min

“Subsea internet cables could help detect earthquakes” (denog16)

There are plenty of seismic stations on land helping detect and record earthquakes but very few deployed in our seas and oceans. Marine seismic detectors have traditionally been expensive, unreliable and not widely deployed. In recent years, research has shown that new and existing submarine cables can be used to detect seismic activity. Given that two thirds of our planet is covered by oceans, this new development provides a great opportunity to improve our knowledge of the geological activity of our planet. Additionally, an early warning of an imminent tsunami can save thousands of lives. This presentation will introduce the recent developments in sensing on Submarine Fibre Optic Cables and introduce the key sensing technologies employed. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.com/denog16/talk/SVMJWM/

Nov 18, 2024 · 12 min

Submarine cables - lifelines of countries and continents (denog16)

In recent years, we’ve heard a bit more about submarine cables, mostly related to fiber cuts. Given that they’re lifelines of countries or even continents, they are important, yet we know little about them. So, what’s the rationale behind the large selection of submarine cables, often on the same route? Is it just about resiliency and shorter routes, or are there other differentiators? This talk will provide insight into the construction, operation, maintenance, and selection of submarine cables, using the connections between the United Kingdom and Continental Europe as an example. We will dive into what it takes to construct a submarine cable, discover why and how it breaks, and provide guidance on what to consider when purchasing. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.com/denog16/talk/CKRBRG/

Nov 18, 2024 · 21 min

Deployment of a multi vendor EVPN based data center fabric using Netbox and Ansible (denog16)

This year we deployed a new data center fabric from scratch. A requirement was to use different vendors with different NOS. In addition we use Ansible for the whole configuration. This talk is about:
- how to efficiently use Netbox with Ansible
- using Ansible with multi vendor equipment
- challenges building a multi vendor EVPN fabric from scratch
Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.com/denog16/talk/DSWSHD/

Nov 18, 2024 · 29 min

Creating a Sustainable Supply Chain in the Network Industry (denog16)

In response to increasing regulatory pressures, major telecommunications providers have begun to measure and report their carbon footprints. However, this initial step is just the beginning of a complex journey toward achieving sustainability. One of the most significant challenges these companies face is addressing Scope 3 emissions, which are generated by their supply chains and lie outside their direct control. In this presentation, I will discuss the current state of sustainability efforts within the telecom industry, with a particular focus on the intricacies of reducing Scope 3 emissions. Rather than offering quick fixes, I will explore practical approaches companies can consider, such as switching to more sustainable suppliers, collaborating closely with existing suppliers, and gradually introducing contractual clauses that emphasize sustainability. Attendees will gain a realistic understanding of the challenges involved and will be introduced to strategies that can help their organizations begin the process of reducing their supply chain's carbon footprint. This discussion aims to provide a balanced view, emphasizing that while these steps are crucial, they require time, commitment, and a willingness to engage in long-term efforts. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.com/denog16/talk/7VPLSK/

Nov 18, 2024 · 24 min

Introduction of RPKI at the Deutsche Telekom global Network AS 3320 (denog16)

Introduction of RPKI at the Deutsche Telekom global Network AS 3320 was finalized in February 2024; since 22nd February 2024, AS 3320 rejects RPKI-invalid prefixes. This presentation talks about the project phases, the implementation and the experiences we made during the introduction of RPKI on a global Tier-1 ISP network. This includes some technical details and an organizational view of continuous RPKI operation. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.com/denog16/talk/ACGCDS/

Nov 18, 2024 · 34 min

The Elephant on an Adventure: A Custom-Built Shelter for Network Devices (denog16)

We take you along on our adventurous journey through the design and implementation phases of a custom-built outdoor cabinet, from conception to completion, sharing what we’ve learned in the process. While building a new fiber network from scratch, Eurofiber faced a dilemma: We needed to install network devices in the great outdoors of Berlin’s heating power plant sites, but your typical data center devices wouldn’t fit in the standard telco cabinets available on the market. For our purposes, we require full-depth racks, access from both sides, and active cooling. So we could either go for smaller, hardened outdoor equipment, which limits the choice of devices. Or we’d have to buy concrete data center containers the size of a garage, which are larger than we need, take more bureaucracy to build, and are also expensive. To bridge this gap and keep the costs reasonable, we designed our own micro-datacenter, basically a larger street cabinet tailored specifically to our requirements: It provides active cooling, front and rear access, and fits full-depth devices while providing redundant power and sufficient protection from the elements. This adventure took us deep into the engineering world of the infrastructure required for operating network devices. Have you ever had to consider cooling capacities, battery temperatures, air-flow velocities, or noise emission laws? We take you through the design process as well as the lessons we learned on the construction site and the operational experiences after finally taking the network into production. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.com/denog16/talk/8GNVX9/

Nov 18, 2024 · 27 min

DENOG16 Opening (denog16)

Welcome to Berlin, welcome to DENOG16. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.com/denog16/talk/AYJDAW/

Nov 18, 2024 · 36 min

Newcomer Session (denog16)

Welcome to DENOG, if this is your first event, feel free to join us to learn everything about the event, the community and more! Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.com/denog16/talk/VWX3FM/

Nov 18, 2024 · 18 min

Closing (god2024)

Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de

Nov 13, 2024 · 4 min

Modern solutions against Cross-Site Attacks (god2024)

Web security is increasingly an opt-in approach, leaving developers with both the opportunity and the responsibility to protect their applications. This talk will explore why and how developers can secure their sites against evolving threats. We'll delve into the nuances of cross-site leaks (xs-leaks) and discuss the Cross-Origin Resource Policy (CORP) as well as the abstractions provided by. Learn how these tools can empower you to build custom defenses and proactively safeguard your web applications. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de

Nov 13, 2024 · 27 min

Double-Edged Crime: How Browser Extension Fingerprinting Might Endanger Users and Extensions Alike (god2024)

Browser extensions are powerful tools that enhance the web browsing experience, offering their users a wide range of functionalities. However, these features can also introduce security and privacy issues for their users, mainly through a technique known as extension fingerprinting — where malicious websites track users based on the extensions they have installed. This is particularly interesting since many websites rely on advertising-based revenue for their existence, and the cookie-less form of tracking is also increasingly getting traction on the Web. Popular libraries such as FingerprintJS and Castle have already incorporated extensions as identifiable sources in their armor. In this talk, we will present the growing threat of browser extension fingerprinting, shedding light on how extensions can inadvertently expose both users and the extension to certain risks. Our recent research uncovers that over 3,000 Chrome and Firefox extensions are vulnerable to fingerprinting through techniques such as JavaScript namespace pollution and other observable side effects despite existing defense mechanisms [1]. The audience will take away the following: What are some of the ways by which browser extensions can be fingerprinted. The risks for both user privacy and extensions' behavior. Insights from recent research on vulnerable extensions. Potential strategies to mitigate fingerprinting risks. And, of course, how to keep your extensions from being the "most wanted" on the Web! [1] Agarwal, Shubham, Aurore Fass, and Ben Stock. "Peeking through the window: Fingerprinting Browser Extensions through Page-Visible Execution Traces and Interactions." (To appear at) Proceedings of the 31st ACM SIGSAC Conference on Computer and Communications Security. 2024. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de

Nov 13, 2024 · 23 min

Protecting Web Applications with Project Foxhound (god2024)

Recent developments in web technologies have seen a paradigm shift from monolithic server-based applications to REST-based microservices with feature-rich browser-based frontends. This progression has brought with it novel classes of security flaws. In this talk we review how client-side variants of injection vulnerabilities such as cross-site scripting (XSS), cross-site request forgery (CSRF) and the recently discovered client-side request hijacking, arise and how traditional defense mechanisms are ineffective. We summarize recent research in this area which shows that such issues are widespread and can have a diverse range of consequences. We go on to show how dynamic taint-tracking has proved to be an effective technique for the discovery of vulnerabilities in client-side JavaScript. The initial overhead in implementing tainting is, however, extremely high, as it typically involves delving into the inner workings of modern web browsers and JavaScript interpreters. We show how Project Foxhound (https://github.com/SAP/project-foxhound/) can help to reduce this burden by providing a flexible, open-source tool which can be fully integrated into browser automation frameworks such as Playwright. Foxhound is gaining traction in the community as the go-to tool for client-side vulnerability studies. We finish the talk by showing how Foxhound can also be used in privacy studies, an update on upcoming features, and how the community use and contribute to the project to help build a safer web! Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de

Nov 13, 2024 · 11 min

SSRF: Attacks, Defense and Status Quo (god2024)

Web apps use Server-Side Requests to request data from other servers, e.g., for link previews. However, they are exploited by attackers who might request internal resources or non-public services. This attack is called Server-Side Request Forgery (SSRF). The talk explains what SSRF is, how it can be used to exploit servers, and how to defend against it, which is surprisingly complex. Finally, we will discuss our research on the prevalence of countermeasures in the wild. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de

Nov 13, 2024 · 10 min

„Well, What Would You Say if I Said That You Could?” – Scanning for Vulnerabilities Without Getting Into Trouble (god2024)

The need for comprehensive measurements of security and privacy risks on the Web is undeniable as it helps developers in focusing on emerging trends in security. However, large-scale scans for server-side vulnerabilities remain a sensitive topic, due to their potential to harm servers, disrupt services, and incur financial losses. Even smaller, singular tests can be controversial, as demonstrated by incidents like the CSU scandal around Lilith Wittmann in 2021 or the Modern Solution case in 2023. The gray area surrounding the legality, ethics, and industry perspectives on server-side scanning has led to hesitancy among researchers and ethical hackers, creating a critical gap in our understanding of how to conduct such scans responsibly. In this talk, we investigate and interactively discuss the murky boundaries of vulnerability scanning by exploring five typical scanning scenarios that researchers face on the Web. Drawing from We give insights into 23 in-depth interviews we conducted with legal experts, research ethics committee members, and website/server operators to identify what types of scanning practices are acceptable and where the red lines are drawn. We further substantiate these insights with findings from an online survey conducted with 119 server operators. Attendees will gain great insights into the current state of Web scanning, including the lack of judicial clarity and the ethical dilemmas researchers and ethical hackers face. This interactive session also offers a platform for audience members to challenge their own understanding of ethics, share opinions, and contribute to shaping the future of responsible Web security scans. In this talk, the audience will: Get an in-depth understanding of the legal and ethical challenges associated with large-scale server-side scanning research. Learn current best practices for conducting responsible Web security scans (at scale). See firsthand insights from legal experts, ethics committees, and operators on acceptable security research practices. Get an opportunity to engage in an interactive discussion to voice opinions and help influence future research. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de

Nov 13, 2024 · 27 min