Chaos Computer Club - archive feed

14,494 episodes — Page 15 of 290

DENOG16 Closing (denog16)

Thank you for joining us for DENOG16. Join us for a quick review and some announcements before heading home! Licensed to the public under http://creativecommons.org/licenses/by/4.0. About this event: https://pretalx.com/denog16/talk/P8QBJW/

Nov 19, 2024 · 29 min

Carrier Scale DNS - DNS@DT (denog16)

This talk will give an overview of DT's DNS platform and the challenges arising from carrier-scale DNS deployments. It will cover the architecture and new requirements as well as scalability, and the implementation status and impact of encrypted DNS (e.g., DoH/DoT and DNS discovery). The presentation will also address shortcomings of the new discovery mechanisms which are currently being standardized within the IETF. Licensed to the public under http://creativecommons.org/licenses/by/4.0. About this event: https://pretalx.com/denog16/talk/GJGBFQ/

Nov 19, 2024 · 12 min

IXP Update (denog16)

News from IXPs in Germany. As introduced in 2021, we collect some parameters from all IXPs that are active in Germany. This talk aggregates the updates for all the IXPs in a common format and presents them in a neutral way. Licensed to the public under http://creativecommons.org/licenses/by/4.0. About this event: https://pretalx.com/denog16/talk/Y9RMD9/

Nov 19, 2024 · 29 min

VPP: A 1Tbps+ router with a single IPv4 address (denog16)

In this talk, we explore the changes needed to convert a set of fully open source amd64-based VPP routers running in AS8298 to use exactly one IPv4 and one IPv6 address in an OSPFv3 and iBGP configuration. The use of /30 or /31 IPv4 transit networks between routers is a thing of the past, paving the way to conserve IPv4 addresses! The talk discusses the changes made to VPP and to the popular routing suite Bird2 to enable both Babel and OSPFv3 to route traffic without using IPv4 transit networks, including operational notes on how the author rolled this out in AS8298. Finally, the author will make good on his promise from the previous DENOG, predicting a 1Tbps VPP machine. Licensed to the public under http://creativecommons.org/licenses/by/4.0. About this event: https://pretalx.com/denog16/talk/YGU3SW/

Nov 19, 2024 · 28 min

Modern Metro Networks: Everything, Everywhere, all at Once (denog16)

Metro networks are arguably one of the more challenging areas in carrier network engineering: feature creep, space constraints, harsh physical environments and the requirement to deliver all services everywhere, for cheap. At Wobcom AS9136 we _just_ wanted to modernize the transport network. Two years later we ended up redesigning just about everything: putting white box routers into outdoor shelters, moving subscriber services to the edge and rethinking business CPEs. This talk covers our journey and which design considerations led us to where we are. We will explore a wide range of linked topics:
- Environment (Power, Space, Temperature)
- Optical problems and solutions (OWDM, OpenZR+)
- Network ASICs
- Network Operating Systems
- Protocols (MPLS, SR, EVPN, etc.)
- Subscriber Management
- Full Automation
- CPEs and their management
Licensed to the public under http://creativecommons.org/licenses/by/4.0. About this event: https://pretalx.com/denog16/talk/ZDGXDY/

Nov 19, 2024 · 35 min

From shared broadcast domain into fully routed network without renumbering (denog16)

We had to move a couple of hundred machines from a big Layer 2 broadcast domain into a fully routed network. We also increased the bandwidth available for each server by mounting a new NIC into each server. To avoid synchronisation with service owners, we did not renumber hosts. In addition, there is connectivity to the large Layer 2 domain, which is still in place and still has a few thousand hosts in need of migration. In this talk you will learn how we engineered this migration, minimised downtime and ensured the documentation of our network is always up to date. Licensed to the public under http://creativecommons.org/licenses/by/4.0. About this event: https://pretalx.com/denog16/talk/WNS7MA/

Nov 19, 2024 · 26 min

Measuring the State of DNS Privacy: Past, Present and Future (denog16)

The Domain Name System (DNS) is a critical component of the Internet infrastructure, responsible for translating human-readable domain names into machine-readable IP addresses. However, the increasing centralization of DNS traffic through large content-delivery hyper-giants (such as Google), coupled with the fact that the majority of DNS communication traditionally runs over unencrypted transports (UDP/TCP), has led to increased security and privacy concerns. In this talk, I will present recent results on the resiliency and efficiency of DNS, the state of adoption of protocols that enable DNS privacy, and their performance implications. I will conclude with a future outlook on a protocol design whereby traditional communications no longer have to trade performance for privacy, but can achieve the best of both worlds: privacy-enhancing DNS plus secure communication on the Web. Licensed to the public under http://creativecommons.org/licenses/by/4.0. About this event: https://pretalx.com/denog16/talk/SLHTY7/

Nov 19, 2024 · 24 min

DDoS mitigation state-of-the-union (denog16)

DDoS attacks and attackers are out there today, and likely won't go away. This talk will outline some currently available technologies and developments in the area of DDoS countermeasures, which are designed to make DDoS detection faster, provide better information and decision criteria on what is currently going on in a network, and show what is required to mitigate attacks with as few unwanted side effects as possible. Licensed to the public under http://creativecommons.org/licenses/by/4.0. About this event: https://pretalx.com/denog16/talk/TG9GBD/

Nov 19, 2024 · 31 min

Return loss problems associated with faster optical networks (denog16)

As communication speeds increase, a new problem of communication errors caused by "return loss" has become apparent in optical connector connections. Licensed to the public under http://creativecommons.org/licenses/by/4.0. About this event: https://pretalx.com/denog16/talk/LYC7PW/

Nov 19, 2024 · 24 min

SIP Interworking between voice carriers (denog16)

Everything uses IP nowadays, but some stuff is special: telephony. The connection between customers and their provider is well known, but the interconnections between providers themselves are something different. This talk covers the German market; other countries work totally differently (some examples might be given). Licensed to the public under http://creativecommons.org/licenses/by/4.0. About this event: https://pretalx.com/denog16/talk/HSQJC7/

Nov 19, 2024 · 28 min

NIS2 Implementing Act for Digital Services – EU regulation maze revisited (denog16)

Following up on last year's introductory talk about NIS2 and the cybersecurity regulations, we'll look at the technical and methodological requirements specifically for digital service providers. Licensed to the public under http://creativecommons.org/licenses/by/4.0. About this event: https://pretalx.com/denog16/talk/Y88EBE/

Nov 19, 2024 · 31 min

End of Day 1 (denog16)

That's a wrap for day 1. We'll share all details about the social and how to get there! Licensed to the public under http://creativecommons.org/licenses/by/4.0. About this event: https://pretalx.com/denog16/talk/38JPGU/

Nov 18, 2024 · 5 min

Analyzing network reliability up to 800G - Impact of SNR thresholds on BER for Coherent (16QAM) and Non-Coherent (PAM4) high speed transceivers under environmental variations (denog16)

This presentation investigates the proximity to a low Signal-to-Noise Ratio (SNR) threshold that can still maintain a tolerable Bit Error Rate (BER) in 100G / 400G / 800G network links. Additionally, we account for factors such as temperature and cable length to predict the duration for which a reliable network connection can be sustained between transceivers. The analysis, based on data retrieved using a Flexbox, focuses on comparing the reliability of coherent (16QAM) and non-coherent (PAM4) transceivers, with a detailed discussion on the implications of these technologies for network performance. For a better understanding of the correlation between these factors, Machine Learning techniques were used. Licensed to the public under http://creativecommons.org/licenses/by/4.0. About this event: https://pretalx.com/denog16/talk/KBFMT3/

Nov 18, 2024 · 30 min

Certification of Network Products for Application in German Public Mobile Networks (denog16)

Starting on 1 January 2026, operators of public mobile networks in Germany are obliged to employ certified network products within their networks. The obligation affects all network products that are newly introduced into public mobile networks and provide functions for which a security assessment document has been approved by the BSI. This also includes network products that provide 3GPP-specified functionalities and are listed in the list of critical functions by the Federal Office for Information Security (BSI) and the Bundesnetzagentur (BNetzA). The talk will address the necessary steps for operators of public mobile networks to successfully include certification of network products in their procurement and onboarding processes. To that end, the talk will showcase the technical approaches taken in the certification process and how they are intended to interplay with provider processes. Licensed to the public under http://creativecommons.org/licenses/by/4.0. About this event: https://pretalx.com/denog16/talk/BHTKAJ/

Nov 18, 2024 · 27 min

What could possibly go wrong with FTTH - ask the Swiss! (denog16)

The so-called 'Glasfaserstreit' (fibre optic dispute), an antitrust case, successfully prevented the incumbent from monopolising the Swiss fibre optic network. As a result, >2 million households can currently subscribe to a symmetrical 25 Gigabit FTTH connection for ~€70 per month. Licensed to the public under http://creativecommons.org/licenses/by/4.0. About this event: https://pretalx.com/denog16/talk/DJAA3V/

Nov 18, 2024 · 27 min

Instant Overflow Injection - Shifting traffic to overflow providers at a moment's notice (denog16)

Single peering interfaces can get overloaded during peak usage and/or failure scenarios while the network as a whole still has spare capacity. As a remedy, we can use upstream capacity via our so-called overflow providers. In normal operation we prefer direct peerings and only use overflow providers as a fallback. For events like the European Football Championship we want to be able to shift traffic to those fallback routes with low effort, low wait times, high granularity and high confidence. We have implemented a service that injects on-demand copies of the existing fallback routes with the preferences tuned so that they are preferred over the "normal" peering routes. The routes are advertised via BGP sessions to our routers and are not distributed any further. The service uses GoBGP and runs in Kubernetes. Licensed to the public under http://creativecommons.org/licenses/by/4.0. About this event: https://pretalx.com/denog16/talk/NCYK9Q/

Nov 18, 2024 · 12 min

IPv4 over IPv6 networks (denog16)

In this session we are going to cover the usage of RFC8950 (IPv4 NLRIs with IPv6 Next Hop). Licensed to the public under http://creativecommons.org/licenses/by/4.0. About this event: https://pretalx.com/denog16/talk/BWWEJ7/

Nov 18, 2024 · 11 min

SCION: Secure Path-Aware Internet Routing (denog16)

SCION is a secure path-aware Internet architecture, designed to achieve high resilience to routing attacks and to offer path selection for Internet users and operators with safety-critical traffic, such as in the financial and healthcare sectors. RPKI/ROV is useful for origin validation but does not validate paths; ASPA is still an evolving technology, whilst BGPsec has yet to be widely deployed and needs explicit router support along a path to achieve its full benefits. SCION has commercial and open-source implementations and is in production use by the financial services and healthcare industries in Switzerland and internationally. This includes the SCION Research & Education Network (SCIERA), which includes connections to OVGU Magdeburg. It is also currently being evaluated for use in government, power utility, aviation, military and other applications, with a number of vendors interested in implementing it in their products. This talk will discuss the SCION design and architecture, its trust model, how it can be deployed, as well as some deployment experiences to date. It will also discuss the IETF/IRTF work, and the community efforts supported by the SCION Association to encourage further deployment and development. Licensed to the public under http://creativecommons.org/licenses/by/4.0. About this event: https://pretalx.com/denog16/talk/GZAQ7E/

Nov 18, 2024 · 14 min

“Subsea internet cables could help detect earthquakes” (denog16)

There are plenty of seismic stations on land helping to detect and record earthquakes, but very few are deployed in our seas and oceans. Marine seismic detectors have traditionally been expensive, unreliable and not widely deployed. In recent years, research has shown that new and existing submarine cables can be used to detect seismic activity. Given that two thirds of our planet is covered by oceans, this new development provides a great opportunity to improve our knowledge of the geological activity of our planet. Additionally, an early warning of an imminent tsunami can save thousands of lives. This presentation will introduce the recent developments in sensing on submarine fibre optic cables and introduce the key sensing technologies employed. Licensed to the public under http://creativecommons.org/licenses/by/4.0. About this event: https://pretalx.com/denog16/talk/SVMJWM/

Nov 18, 2024 · 12 min

Submarine cables - lifelines of countries and continents (denog16)

In recent years, we've heard a bit more about submarine cables, mostly related to fiber cuts. Given that they're lifelines of countries or even continents, they are important, yet we know little about them. So, what's the rationale behind the large selection of submarine cables, often on the same route? Is it just about resiliency and shorter routes, or are there other differentiators? This talk will provide insight into the construction, operation, maintenance, and selection of submarine cables, using the connections between the United Kingdom and Continental Europe as an example. We will dive into what it takes to construct a submarine cable, discover why and how it breaks, and provide guidance on what to consider when purchasing. Licensed to the public under http://creativecommons.org/licenses/by/4.0. About this event: https://pretalx.com/denog16/talk/CKRBRG/

Nov 18, 2024 · 21 min

Deployment of a multi vendor EVPN based data center fabric using Netbox and Ansible (denog16)

This year we deployed a new data center fabric from scratch. A requirement was to use different vendors with different NOS (network operating systems). In addition, we use Ansible for the whole configuration. This talk is about:
- how to efficiently use Netbox with Ansible
- using Ansible with multi-vendor equipment
- challenges building a multi-vendor EVPN fabric from scratch
Licensed to the public under http://creativecommons.org/licenses/by/4.0. About this event: https://pretalx.com/denog16/talk/DSWSHD/

Nov 18, 2024 · 29 min

Creating a Sustainable Supply Chain in the Network Industry (denog16)

In response to increasing regulatory pressures, major telecommunications providers have begun to measure and report their carbon footprints. However, this initial step is just the beginning of a complex journey toward achieving sustainability. One of the most significant challenges these companies face is addressing Scope 3 emissions, which are generated by their supply chains and lie outside their direct control. In this presentation, I will discuss the current state of sustainability efforts within the telecom industry, with a particular focus on the intricacies of reducing Scope 3 emissions. Rather than offering quick fixes, I will explore practical approaches companies can consider, such as switching to more sustainable suppliers, collaborating closely with existing suppliers, and gradually introducing contractual clauses that emphasize sustainability. Attendees will gain a realistic understanding of the challenges involved and will be introduced to strategies that can help their organizations begin the process of reducing their supply chain's carbon footprint. This discussion aims to provide a balanced view, emphasizing that while these steps are crucial, they require time, commitment, and a willingness to engage in long-term efforts. Licensed to the public under http://creativecommons.org/licenses/by/4.0. About this event: https://pretalx.com/denog16/talk/7VPLSK/

Nov 18, 2024 · 24 min

Introduction of RPKI at the Deutsche Telekom global Network AS 3320 (denog16)

The introduction of RPKI at the Deutsche Telekom global network AS3320 was finalized in February 2024; since 22 February 2024, AS 3320 has rejected RPKI-invalid prefixes. This presentation covers the project phases, the implementation and the experiences we gained during the introduction of RPKI on a global Tier-1 ISP network. This includes some technical details and an organizational view of continuous RPKI operation. Licensed to the public under http://creativecommons.org/licenses/by/4.0. About this event: https://pretalx.com/denog16/talk/ACGCDS/

Nov 18, 2024 · 34 min

The Elephant on an Adventure: A Custom-Built Shelter for Network Devices (denog16)

We take you along on our adventurous journey through the design and implementation phases of a custom-built outdoor cabinet, from conception to completion, sharing what we've learned in the process. While building a new fiber network from scratch, Eurofiber faced a dilemma: we needed to install network devices in the great outdoors of Berlin's heating power plant sites, but your typical data center devices wouldn't fit in the standard telco cabinets available on the market. For our purposes, we require full-depth racks, access from both sides, and active cooling. So we could either go for smaller, hardened outdoor equipment, which limits the choice of devices, or we'd have to buy concrete data center containers the size of a garage, which are larger than we need, take more bureaucracy to build, and are also expensive. To bridge this gap and keep the costs reasonable, we designed our own micro-datacenter, basically a larger street cabinet tailored specifically to our requirements: it provides active cooling, front and rear access, and fits full-depth devices while providing redundant power and sufficient protection from the elements. This adventure took us deep into the engineering world of the infrastructure required for operating network devices. Have you ever had to consider cooling capacities, battery temperatures, air-flow velocities, or noise emission laws? We take you through the design process as well as the lessons we learned on the construction site and the operational experiences after finally taking the network into production. Licensed to the public under http://creativecommons.org/licenses/by/4.0. About this event: https://pretalx.com/denog16/talk/8GNVX9/

Nov 18, 2024 · 27 min

DENOG16 Opening (denog16)

Welcome to Berlin, welcome to DENOG16. Licensed to the public under http://creativecommons.org/licenses/by/4.0. About this event: https://pretalx.com/denog16/talk/AYJDAW/

Nov 18, 2024 · 36 min

Newcomer Session (denog16)

Welcome to DENOG! If this is your first event, feel free to join us to learn everything about the event, the community and more! Licensed to the public under http://creativecommons.org/licenses/by/4.0. About this event: https://pretalx.com/denog16/talk/VWX3FM/

Nov 18, 2024 · 18 min

Closing (god2024)

Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/. About this event: https://c3voc.de

Nov 13, 2024 · 4 min

Modern solutions against Cross-Site Attacks (god2024)

Web security is increasingly an opt-in approach, leaving developers with both the opportunity and the responsibility to protect their applications. This talk will explore why and how developers can secure their sites against evolving threats. We'll delve into the nuances of cross-site leaks (xs-leaks) and discuss the Cross-Origin Resource Policy (CORP) as well as the abstractions provided by. Learn how these tools can empower you to build custom defenses and proactively safeguard your web applications. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/. About this event: https://c3voc.de

Nov 13, 2024 · 27 min

Double-Edged Crime: How Browser Extension Fingerprinting Might Endanger Users and Extensions Alike (god2024)

Browser extensions are powerful tools that enhance the web browsing experience, offering their users a wide range of functionalities. However, these features can also introduce security and privacy issues for their users, mainly through a technique known as extension fingerprinting, where malicious websites track users based on the extensions they have installed. This is particularly interesting since many websites rely on advertising-based revenue for their existence, and cookie-less forms of tracking are increasingly gaining traction on the Web. Popular libraries such as FingerprintJS and Castle have already incorporated extensions as identifiable sources in their armor. In this talk, we will present the growing threat of browser extension fingerprinting, shedding light on how extensions can inadvertently expose both users and the extension itself to certain risks. Our recent research uncovers that over 3,000 Chrome and Firefox extensions are vulnerable to fingerprinting through techniques such as JavaScript namespace pollution and other observable side effects, despite existing defense mechanisms [1]. The audience will take away the following:
- some of the ways by which browser extensions can be fingerprinted;
- the risks for both user privacy and extensions' behavior;
- insights from recent research on vulnerable extensions;
- potential strategies to mitigate fingerprinting risks;
- and, of course, how to keep your extensions from being the "most wanted" on the Web!
[1] Agarwal, Shubham, Aurore Fass, and Ben Stock. "Peeking through the window: Fingerprinting Browser Extensions through Page-Visible Execution Traces and Interactions." (To appear at) Proceedings of the 31st ACM SIGSAC Conference on Computer and Communications Security. 2024.
Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/. About this event: https://c3voc.de

Nov 13, 2024 · 23 min

Protecting Web Applications with Project Foxhound (god2024)

Recent developments in web technologies have seen a paradigm shift from monolithic server-based applications to REST-based microservices with feature-rich browser-based frontends. This progression has brought with it novel classes of security flaws. In this talk we review how client-side variants of injection vulnerabilities such as cross-site scripting (XSS), cross-site request forgery (CSRF) and the recently discovered client-side request hijacking arise, and why traditional defense mechanisms are ineffective against them. We summarize recent research in this area which shows that such issues are widespread and can have a diverse range of consequences. We go on to show how dynamic taint-tracking has proved to be an effective technique for the discovery of vulnerabilities in client-side JavaScript. The initial overhead in implementing tainting is, however, extremely high, as it typically involves delving into the inner workings of modern web browsers and JavaScript interpreters. We show how Project Foxhound (https://github.com/SAP/project-foxhound/) can help to reduce this burden by providing a flexible, open-source tool which can be fully integrated into browser automation frameworks such as Playwright. Foxhound is gaining traction in the community as the go-to tool for client-side vulnerability studies. We finish the talk by showing how Foxhound can also be used in privacy studies, giving an update on upcoming features, and explaining how the community uses and contributes to the project to help build a safer web! Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/. About this event: https://c3voc.de

Nov 13, 2024 · 11 min

SSRF: Attacks, Defense and Status Quo (god2024)

Web apps use Server-Side Requests to request data from other servers, e.g., for link previews. However, they are exploited by attackers who might request internal resources or non-public services. This attack is called Server-Side Request Forgery (SSRF). The talk explains what SSRF is, how it can be used to exploit servers, and how to defend against it, which is surprisingly complex. Finally, we will discuss our research on the prevalence of countermeasures in the wild. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/. About this event: https://c3voc.de

Nov 13, 2024 · 10 min

"Well, What Would You Say if I Said That You Could?" – Scanning for Vulnerabilities Without Getting Into Trouble (god2024)

The need for comprehensive measurements of security and privacy risks on the Web is undeniable, as it helps developers focus on emerging trends in security. However, large-scale scans for server-side vulnerabilities remain a sensitive topic, due to their potential to harm servers, disrupt services, and incur financial losses. Even smaller, singular tests can be controversial, as demonstrated by incidents like the CSU scandal around Lilith Wittmann in 2021 or the Modern Solution case in 2023. The gray area surrounding the legality, ethics, and industry perspectives on server-side scanning has led to hesitancy among researchers and ethical hackers, creating a critical gap in our understanding of how to conduct such scans responsibly. In this talk, we investigate and interactively discuss the murky boundaries of vulnerability scanning by exploring five typical scanning scenarios that researchers face on the Web. We give insights from 23 in-depth interviews we conducted with legal experts, research ethics committee members, and website/server operators to identify what types of scanning practices are acceptable and where the red lines are drawn. We further substantiate these insights with findings from an online survey conducted with 119 server operators. Attendees will gain insights into the current state of Web scanning, including the lack of judicial clarity and the ethical dilemmas researchers and ethical hackers face. This interactive session also offers a platform for audience members to challenge their own understanding of ethics, share opinions, and contribute to shaping the future of responsible Web security scans. In this talk, the audience will:
- get an in-depth understanding of the legal and ethical challenges associated with large-scale server-side scanning research;
- learn current best practices for conducting responsible Web security scans (at scale);
- see firsthand insights from legal experts, ethics committees, and operators on acceptable security research practices;
- get an opportunity to engage in an interactive discussion to voice opinions and help influence future research.
Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/. About this event: https://c3voc.de

Nov 13, 2024 · 27 min

SAP from an Attacker's Perspective – Common Vulnerabilities and Pitfalls (god2024)

As organizations increasingly rely on SAP systems to manage critical business processes, the security of these environments is an increasing challenge for companies and has also been recognized by the OWASP Core Business Application Security (CBAS) project. This talk will explore the security of SAP systems from an attacker's perspective, uncovering common vulnerabilities and pitfalls and their respective impact. Drawing from extensive penetration testing experience, this presentation will provide a deep dive into how attackers might exploit SAP vulnerabilities and offer practical guidance on mitigating these threats. We will begin by highlighting prevalent SAP vulnerabilities discovered during real-world pentesting engagements, covering key attack techniques used against SAP systems that exploit misconfigurations, insecure coding practices, and authentication flaws. As an example, we will illustrate the configuration options of SNC, the proprietary protocol for transport layer encryption in SAP environments. Using the open-source tool sncscan, security professionals and administrators alike can assess the encryption and signing settings of SAP systems, ensuring the confidentiality and integrity of sensitive data. The session will also provide actionable guidance on mitigating these vulnerabilities, focusing on best practices and tools that can significantly enhance the security posture of SAP systems. By raising awareness of common vulnerabilities and pitfalls, we aim to empower security professionals and SAP administrators to better protect their systems against potential exploitation. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/. About this event: https://c3voc.de

Nov 13, 2024 · 22 min

Network Fingerprinting for Securing User Accounts - Opportunities and Challenges (god2024)

Network fingerprinting has existed for a while, and some methods such as JA3 have achieved wide adoption across the industry. Introducing network fingerprinting into login flows can help you stave off attackers. However, there are various challenges that you need to overcome: technical, organizational and regulatory. In this talk we will take a look at the opportunities that network fingerprinting provides us. We will go through the various challenges that can arise and discuss possible ways of tackling them. I will draw from insights gathered at 1&1 Mail & Media, the company behind web.de, GMX and mail.com. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/. About this event: https://c3voc.de

Nov 13, 2024 · 25 min

The Debian OpenSSL bug and other Public Private Keys (god2024)

In early 2024, hundreds of DKIM setups still used cryptographic keys vulnerable to a bug from 2008 in Debian's OpenSSL package. Vulnerable hosts included prominent names like Cisco, Oracle, Skype, and GitHub. In 2022, it was discovered that printers generated TLS keys that could be trivially broken with an over 300-year-old algorithm by Pierre de Fermat. Vulnerabilities in public/private key generation are amongst the most severe ones in cryptographic software. The speaker has developed the open-source tool badkeys, which checks cryptographic keys for known vulnerabilities. The talk will cover some of the findings and plans for future improvements in badkeys. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/. About this event: https://c3voc.de

Nov 13, 2024 · 21 min

GenAI in Threat Modeling (god2024)

Many teams face the challenge of identifying relevant threats during threat modeling, especially when little security expertise is available. Selecting and assessing potential risks can be difficult for non-experts. This lightning talk shows how Generative AI (GenAI) can support this by suggesting threat scenarios based on existing data and models and helping to make initial decisions. The talk gives a brief overview of how GenAI, as an aid, can make the threat modeling process more efficient and more accessible, and which limitations there are. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/. About this event: https://c3voc.de

Nov 13, 2024 · 9 min

GenAI in the Battle of Security: Attacks, Defenses, and the Laws Shaping AI's Future (god2024)

The presentation explores the security challenges and opportunities posed by Generative AI (GenAI). While GenAI offers tremendous potential, it also has a darker side, such as its use in creating deepfakes that can spread misinformation, manipulate political events, or facilitate fraud, as demonstrated in a live deepfake example. Malicious variants of GenAI are used in phishing attacks, social engineering schemes, and the creation of malware. Additionally, GenAI enables more intelligent network attacks through autonomous botnets that decrease the risk of exposure. Despite these risks, GenAI also provides defensive advantages by enhancing security measures, such as improving threat detection, strengthening access control, and identifying code vulnerabilities. This is exemplified in a live demo showcasing deepfake and AI-based content detection. The presentation also examines the different types of attacks that AI models, including GenAI, are susceptible to, across any task, model, or modality. This includes adversarial attacks, where inputs are specifically crafted to deceive AI systems. Additionally, attacks such as Prompt Injection and Visual Prompt Injection manipulate inputs to mislead models. However, navigating the complex landscape of AI compliance is essential. Organizations must adhere to regulations like the EU AI Act and standards such as ISO 27090, while also following guidelines from bodies like OWASP to ensure the security, transparency, and ethical use of AI systems. The OWASP AI Exchange plays a key role in modeling threats to GenAI, addressing risks and pointing out solutions. To defend against these threats, various detection and mitigation techniques have been developed and will be briefly presented. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de

Nov 13, 2024 · 28 min

Overview of OWASP AI Exchange: A Comprehensive Guide to AI Security (god2024)

The OWASP AI Exchange provides a comprehensive framework to address the evolving security challenges presented by AI systems. As artificial intelligence continues to transform industries, securing these systems against emerging threats has become a top priority. This presentation will offer an in-depth overview of the OWASP AI Exchange, focusing on its mission to foster collaboration and align AI security standards across various industries. Attendees will explore the major security risks in AI, such as model poisoning, data theft, adversarial attacks, and vulnerabilities in machine learning algorithms. The session will also delve into the controls and countermeasures highlighted in the OWASP AI Exchange, offering ways of mitigating risks throughout the AI lifecycle. Additionally, the session will address how organizations can use the AI Exchange to improve governance, implement best practices, and protect the confidentiality, integrity, and availability of AI systems. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de

Nov 13, 2024 · 21 min

NIS2 Demystified - What Companies Must Do Now (god2024)

The European Union's NIS2 Directive (Network and Information Security Directive) is an evolution of the existing cybersecurity requirements and aims to strengthen the resilience and security of critical infrastructure in the EU. In Germany, a government draft of the NIS2UmsuCG (NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz) currently lays out its concrete form at the national level. Compared with the original NIS Directive, NIS2 broadens the scope and obliges more companies and sectors to implement strict cybersecurity measures. Companies must now prepare for more comprehensive risk management requirements, reporting obligations for security incidents, and sanctions for non-compliance. But what does this mean concretely for companies, for the bodies responsible for security, and for developers within companies? The talk demystifies the essential changes introduced by NIS2 and shows which concrete steps companies must take now to achieve compliance. These include, among other things, establishing robust cybersecurity strategies, adapting internal processes, and introducing effective reporting procedures. Given stricter requirements and increased oversight, it will be crucial for companies to implement the right measures in time to avoid fines and reputational damage. The talk focuses in particular, from a practical perspective, on the current state of the legislative process and the relevant obligations for companies. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de

Nov 13, 2024 · 23 min

The Crucial Role of Web Protocols and Standards in Digital Wallet Ecosystems (god2024)

In the coming years, all EU member states will be required to provide their citizens with a digital identity wallet, as mandated by the European Union. The EU Digital Identity Wallet (EUDI Wallet) represents the largest implementation of its kind to date and brings with it significant challenges, particularly in terms of security, privacy, and interoperability. To address these challenges, the EU has chosen to leverage open standards widely adopted in the web ecosystem, such as OpenID for Verifiable Presentations (OpenID4VP), based on the widely used web standard OAuth 2.0, and Selective Disclosure JWT (SD-JWT), built on the JSON Web Token (JWT) framework. However, wallet ecosystems operate quite differently from the traditional web, requiring adaptations to these protocols to meet the unique demands of secure, decentralized identity management. This talk will provide a comprehensive overview of the EUDI Wallet's architecture and the key challenges posed by adapting native web protocols for wallet ecosystems. It will also explore the crucial role browser vendors will play in ensuring the security and smooth functioning of this new digital identity landscape. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de

Nov 13, 2024 · 31 min

How (Not) to Use OAuth in 2024 (god2024)

OAuth 2.0 has become the backbone of secure delegated authorization on the web, enabling users to grant third-party applications access to their data without revealing their credentials. It's also foundational for federated authentication via OpenID Connect and plays a critical role in emerging technologies like wallet ecosystems. However, despite its wide adoption, OAuth implementations are fraught with risks — many of which can lead to serious security breaches. The challenges arise from OAuth's use in contexts far more dynamic and high-stakes than what was originally envisioned. Today, OAuth protects sensitive financial APIs, powers identity verification systems, and secures modern app ecosystems — yet, many implementations remain vulnerable to attack. Even with the guidance from RFC6749 and RFC6819, subtle misconfigurations and outdated practices are still common, often due to the complexities of real-world deployments. To address these evolving security needs, the IETF is finalizing the OAuth 2.0 Security Best Current Practice (BCP), an updated set of recommendations designed to mitigate common vulnerabilities and improve OAuth implementations across industries. This new RFC introduces stronger security measures and deprecates insecure approaches like the Implicit Grant, while also tackling new threats such as the Authorization Server Mix-Up Attack. In this talk, we will dive into the core challenges of securing OAuth in today's dynamic and high-stakes environments. Attendees will learn about the most critical updates from the Security BCP, including the MUSTs, MUST NOTs, and SHOULDs that are essential for robust OAuth implementations. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de

Nov 13, 2024 · 36 min

OWASP Juice Shop 10th anniversary: Is it still fresh? (god2024)

Once upon a time, developers and security experts relied on mostly server-side rendered vulnerable applications to train their web hacking skills. In 2014 the Juice Shop entered the stage as one of the first Rich Internet Application representatives. What started as a personal pet project with two dozen hacking challenges became an OWASP Flagship project shortly after and grew significantly in size, scope and use case coverage over the years. Join us on a 10th anniversary tour through the origins, history and evolution of OWASP Juice Shop from 2014 to 2024, including new juicy hacking delicacies as well as some crazy shenanigans happening in and around the project. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de

Nov 13, 2024 · 31 min

Welcome (god2024)

Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de

Nov 13, 2024 · 4 min

HL-lol 2: "not pretty, but ..." (nook24)

HL-Live turned 20 years old this year! Malicious tongues claim that the same goes for the technology behind it. In any case, we wish it all the best, but still have a few things to talk about. What has actually happened since last year? Are there trends? Further developments? At the last NooK we mainly looked at crazy comments, but what about the articles (which attract such commenters)? Okay, new crazy comments will show up too. And games. And the future. And everything in general. Don't worry: knowledge of part 1 is not required. But it doesn't hurt either. The Nights of Open Knowledge (NooK) in Lübeck is an open lecture event that offers a broad audience insights into the various areas of computer science, but also into non-technical topics. NooK is organised by Chaotikum e.V. from Lübeck and the student body of the University of Lübeck. https://nook-luebeck.de/ This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License (CC BY NC ND 4.0). https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY NC ND 4.0 about this event: https://2024.nook-luebeck.de/talks/hl-lol-2-zwar-nicht-schoen-aber-/

Nov 9, 2024 · 41 min

Shut up, do research and take our money! (nook24)

Welcome to the Chaotisches Catalysator Stipendium (Chaotic Catalyst Scholarship)! For two years we have been funding master's theses that make the world a little bit better. What have we actually thrown our money at over the past years, and why? Time for a look back and a look ahead. Get to know our scholarship holders and look forward to exciting insights into the theses we have funded. chaos-stipendien.de This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License (CC BY NC ND 4.0). https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY NC ND 4.0 about this event: https://2024.nook-luebeck.de/talks/shut-up-do-research-and-take-our-money/

Nov 9, 2024 · 42 min

Mobile in Everyday Life – Environment.Time.Money.Life (nook24)

The choice of mobility pattern has serious consequences for the individual, the general public, and the environment. These effects are well researched, but outside the scientific community they are only partially known. This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License (CC BY NC ND 4.0). https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY NC ND 4.0 about this event: https://2024.nook-luebeck.de/talks/mobil-im-alltag---umweltzeitgeldleben/

Nov 9, 2024 · 1h 32m

The Fishermen's War - Research Questions (nook24)

Time: the 1910s. Place: the Trave. Fisherman Heinz hauls in his nets. Nothing in them again. Sullenly he looks at the orange-yellow waves of the river, stinking and smeared with a film of oil. Last week they had once again found hundreds of dead fish in the reeds: young bream, herring, all gone. That's enough! Something has to be done! That is how it could have begun, or something like it, or something entirely different. A few years earlier, in a small village called Herrenwyk, an industrial plant had arisen unlike anything else in all of Schleswig-Holstein at that time, or later: a blast furnace. Hundreds of tonnes of coal were processed into coke, ores were ground and formed into small pellets, and the hellish glow of the first blast furnace (there would later be three of them) was stoked day and night. Copper, zinc and even gold were recovered from the slag, and blast furnace gas was fed into the municipal grid. And every single one of these processes produced not only exhaust gases that darkened the sky over today's Kücknitz, but also toxic wastewater laden with heavy metals. And where did that end up? On the other hand, there were also the large fish factories in Schlutup… Directly opposite the bleating, rumbling industrial plant lay, then as now, Schlutup, and a little further upstream, Gothmund. Both are fishing villages rich in tradition that contributed to Lübeck's rise to a very significant fishing location. Fishing villages whose catches collapsed massively. They did not put up with that and took the blast furnace works to court. In the archive of the Geschichtswerkstatt Herrenwyk lies a bundle of files covering this series of lawsuits, which stretched into the 1950s. Court records, expert opinions, newspaper articles and correspondence fill three Leitz binders.
The Verein für Lübecker Industrie- und Arbeiterkultur e.V., the friends' association of the Geschichtswerkstatt, now wants to catalogue and research this bundle of files for the first time and to develop an exhibition on the subject. We want to present the project and the current state of research. We want to make the project, whose initial goal is to research an exemplary piece of regional history, transparent and public, and to report regularly on the current state of research. This will be the first event on the subject. This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License (CC BY NC ND 4.0). https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY NC ND 4.0 about this event: https://2024.nook-luebeck.de/talks/der-fischerkrieg---forschungsfragen/

Nov 9, 2024 · 1h 2m

Negative Beliefs & Their Effect (nook24)

Glaubenssatz (belief) – a word used ever more frequently in everyday language and on social media. In recent years it has been established in particular by the psychotherapist and author Stefanie Stahl with her book "Das Kind in dir muss Heimat finden". But what exactly are beliefs? How do they arise in the first place? How can they change our brain? Why is our childhood so strongly responsible for our behaviour in adulthood? And how do I manage to treat myself with kindness? Questions upon questions that I would like to answer. This talk is about understanding why it is so important for our society to know one's own (and especially the negative) beliefs and not to give them credence. I also want to explain "first aid measures" for how dealing with negative beliefs can succeed and thereby enable a better life. This talk is suitable for everyone. That is, it is aimed at people who have no idea about psychology, but also at those with therapy experience who want to expand their knowledge. Therapists are of course also warmly invited. This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License (CC BY NC ND 4.0). https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY NC ND 4.0 about this event: https://2024.nook-luebeck.de/talks/negative-glaubenssaetze-ihre-wirkung/

Nov 9, 2024 · 1h 14m

Everyone an Artist (nook24)

No artist is always creative. Perhaps an artist walks, cooks or writes uncreatively: arbitrarily, repetitively, selfishly. With the three criteria for artistic perception, thinking and action presented here, everyone can recognise their own artistic practice and thus also develop it. In addition, six possible levels of creative development are presented and explained. This talk arises from current action research and from artistic practice. Finally, the "Unborn Sights of Lübeck" (Ungeborene Sehenswürdigkeiten Lübecks) found so far are presented. This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License (CC BY NC ND 4.0). https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY NC ND 4.0 about this event: https://2024.nook-luebeck.de/talks/lightning-talks-samstag/

Nov 9, 2024 · 8 min

AlekSIS® – Free School Information (nook24)

AlekSIS® offers useful and practical features for school organisation and administration. But besides master data management, timetables and the class register, one feature stands out in particular: the ability to participate in shaping it. Pupils can learn instead of merely consuming. They can actively shape their school day instead of programming throwaway projects. And those who don't need that yet can turn to service providers for hosting and support, vendor-independent of course, thanks to free software. This talk shows the current state of the project, both organisationally with regard to the project's collaborations and technically with regard to the software. This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License (CC BY NC ND 4.0). https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY NC ND 4.0 about this event: https://2024.nook-luebeck.de/talks/lightning-talks-samstag/

Nov 9, 2024 · 10 min