Chaos Computer Club - archive feed

CubeSats are small satellites comprised of 10x10x10cm "units" and range in size from very small 1U or smaller PocketQubes to 24U beasts. What can be done with such a platform and why? CubeSats are small satellites comprised of 10x10x10cm "units" and range in size from very small 1U or smaller PocketQubes to 24U beasts. What can be done with such a platform and why? I will go in to a brief history as well as some applications with examples. The goal is to keep this talk TLP:Clear Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.hackerhotel.nl/2025/talk/QTVJFY/

The total number of vulnerabilities continues to rise. If we had to rely on just CVSS for prioritizing those vulnerabilities, we have an enormous hard time to remediate all of them. In this talk, we’ll explore the critical gaps in CVSS-based prioritization and discuss why factors like exploitability, asset criticality, and real-time threat intelligence are way more important. Expect real-world examples, a touch of humor, and actionable insights to help you move beyond the CVSS score and toward a smarter, risk-based approach to vulnerability management. Because let’s face it: a CVSS 7 can be way more critical to your organization then a CVSS 9! Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.hackerhotel.nl/2025/talk/DHNUWQ/

With the support of the Dutch embassy in Tokyo, I have researched Coordinated Vulnerability Disclosure (CVD) in Japan for DIVD. Japan’s governmental policy on CVD dates back to 2004. Although Japanese criminal law and jurisprudence do not allow for large-scale intrusive vulnerability research and disclosure, Japanese institutes help citizens disclose zero days to vendors and report vulnerabilities to website operators. Also, the Nation Institute for Information Communication Technology scans and notifies vulnerable IoT, and the Japanese government has adjusted laws to allow this. With the support of the Dutch embassy in Tokyo, I have researched Coordinated Vulnerability Disclosure (CVD) in Japan for the Dutch Institute for Vulnerability Disclosure. Key findings: Japan’s governmental policy on CVD dates back to 2004. The Japanese Computer Emergency Response Team Coordination Center (JPCERT/CC) is an independent institute founded in 1996 and currently funded by METI. The center handles incidents, analyses and shares information on online threats, monitors internet traffic, and has published Vulnerability Notes with Advisories since 2004. Japanese criminal law and jurisprudence do not allow for large-scale intrusive vulnerability research and disclosure as Dutch case law does. In Japan, doing CVD on a broader scope and without informed consent is perceived as very rare. Security researchers generally fear prosecution as they may violate cyber security and privacy laws. A common statement at hacker events was: “I only report if they provide a bug bounty.” Japanese institutes help citizens disclose zero days to vendors and report vulnerabilities to website operators. Organizations like IPA and JPCERT/CC provide structured processes for reporting vulnerabilities, focusing primarily on zero days affecting software or websites widely used in Japan. These reports are forwarded to vendors and operators, though researchers must navigate strict conditions. The Nation institute for Information Communition Technology scans and notifies vulnerable IoT, and the Japanese government has adjusted laws to allow this. The NOTICE project aims to prevent cyber-attacks by scanning IoT devices on weak passwords by attempting to log in. These activities run parallel to the Handling Regulations for Information Related to Vulnerabilities in Software Products and clearly violate cyber security laws. In order to proceed on this endeavor, the Cabinet overruled the Act on Prohibition of Unauthorized Computer Access by a special law, which provided NICT the mandate. To my knowledge, this is unique in the world. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.hackerhotel.nl/2025/talk/GEVFSR/

This workshop is especially for all attendants who are not Dutch natives. In an exact and logical manner I will guide you through the syntax and semantics of the Dutch language, from sounds (the famous 'ggh' and vowel inventory) to gender of nouns and word order. There will be simple illustrations to help you get a grip on the language and bluff your way into pub talk with locals. Please bring pen and paper for the old school school experience! I am a Dutch native teacher <i>Dutch as a second language</i>, with experience teaching expats. My background in general linguistics and artificial intelligence as well as participating in the hackers' community enables me to present a language workshop tailored for hackers. In fact, as a teacher for a a general audience I must refrain myself from being too "logical, analytical or just plain geeky" to keep all students happy. In this workshop I will focus on: * providing structure of the Dutch language, similar to how you would explain a programming language, showing the regularities that are present * giving small examples of words as well as expressions and grammatical rules to show a more specific idea of Dutch * interaction: exercises, individually and in groups, puzzle-like, but also speaking exercises (this is always a tough one, so we'll try) * concrete focus will be on gender of nouns: the article "the" in English can be "de" or "het" in Dutch, depending on the gender. Some grammar (demonstratives, adjectives) depends on this gender, following small yet counterintuitive rules * have fun: I will present weird exceptions, false friends and we will also listen to and analyze a Dutch song Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.hackerhotel.nl/2025/talk/NZZUQV/

This talk describes the computer and its interfaces the DSKY (DiSplay-KeYboard) on board the Apollo missions that got us to the moon and back. I will point out several modern sources of information about this historical project and how it entertains lots of people to this day, including several emulation projects. Back in the period 1962 to 1969 the US went on a mission to get people on the moon. This talk describes the computer and its interfaces the DSKY (DiSplay-KeYboard) that were used during that time on board the Apollo missions that got us to the moon and back. I will point out several modern sources of information about this historical project and how it entertains lots of people to this day, including several emulation projects. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.hackerhotel.nl/2025/talk/B7GZJY/

The Election Council is working on Abacus, the tabulation software for the elections. Come to this workshop to try your hands on the software in a production-like setting and learn more about the choices and concepts behind it. The Election Council is working on Abacus, the tabulation software for the elections. This workshop will show you how it works, in a production style setting involving test data. After all the counting we take a tour through the GitHub repo (https://github.com/kiesraad/abacus), explain the architecture and choices behind the project so far. Come to this workshop if you are interested in the Dutch Elections and want to understand the actual process, learn about the software development that is being done and ask everything you always wanted to know. Do visit the presentation by Fleur van Leusden, our CISO. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.hackerhotel.nl/2025/talk/7YBMR3/

"AiTM: Lessons Learned" dives into the evolving threat of AiTM attacks. Our presentation highlights the transition from basic phishing tactics to sophisticated methods that compromise organizational security. The presentation outlines the journey from oldschool phishing attacks, to phishing framework like UADMIN, and the introduction of tools like Evilginx. And now the SaaS providers allowing anyone to buy access to an AiTM platform. We give an insight into a popular AiTM SaaS platform and the revenue stream hosting such software creates. The session ends by outlining common techniques to prevent these types of attacks. Most organizations use M365 and experience attacks using AITM to bypass MFA. At the same time SaaS providers are building AITM services that allow targeteted attacks allowing for supply chain attacks (AITM targeted against admin sites for: pypi, npmjs and rubygems). At the same time used for very specific scams for example against booking.com. Attackers use the booking.com hotel login to extract creditcard information for upcomming hotel guests. There's been an uprising in the amount of AITM based attacks. BEC fraud operators use it as MFA is more and more common. But the apearance of SaaS providers in the AITM space make these attacks easier to perform and therefore making them more common. Booking.com has been a popular target allowing attackers to use the hotel operator login to phish creditcards by sending upcomming guests reminders to pay. The fact that these reminders are sent via the booking.com app makes them super trustworthy. At the same time environments such as M365/EntraID are popular targets for other operators. This past year we've been trying to prevent and detect these types of attacks. The goal of the presentation is make attendees aware of the risks, the different operators and types of attacks happening today. outline: 1) What is AiTM/BITB 1.1) Phishing history 1.2) Old school phish 1.3) Introduction of commong framework (UADMIN, opwelk, haiku) 1.4) Evilginx 1.5) AiTM SaaS providers 2) How to detect phishes 2.1) The concept 2.2) What we have built - didsomeoneclone.me 2.3) Then came the Microsoft idea 2.4) Gaining insight into the amount of phishes 3) Fingerprint tool 3.1) The goal 3.2) How does it work? 3.3) Adding certificate transparency to preempt attacks 3.4) Outcome and statistics 4) What we see 4.1) How often does it actually occur? 4.2) Different actors. Example.com. Evilginx Rick Roll, MSPHP 4.3) Microsoft sandbox also visits the URLs and they come in 4.4) How quickly is Evilginx taken down 5) actors 5.1) various offers 5.2) actor revenue 6) Future work 6.1) automatically finding victims in our EDR tooling 6.2) Attempts at improvement - CSS exfil. 6.3) Roadmap Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.hackerhotel.nl/2025/talk/WYLJK3/

I have been struggling with my weight for over 25 years. After reading the book : The Obesity Code" everything clicked. Since I have lost 13 kg within 6 months. The great thing about this is that it is effortless. In this workshop we start with the theory of gaining and loosing weight. After that we are going to look at recipes for individual participants. What works, what doesn't. In the end you will know what should work for you, and how you can loose weight effortlessly. I have been struggling with my weight for over 25 years. After reading the book : The Obesity Code" everything clicked. Since I have lost 13 lg within 6 months. The great thing about this is that it is effortless. In this workshop we start with the theory of gaining and loosing weight. After that we are going to look at recipes for individual participants. What works, what doesn't. In the end you will know what should work for you, and how you can loose weight effortlessly. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.hackerhotel.nl/2025/talk/HPGGPC/

How to use screenreaders to scan the operatingsystem, building blocks of an application or web-enviroment. How to use screenreaders to scan the operatingsystem, building blocks of an application or web-enviroment. Other topics are: * Reading and analysing logging * Capture a scrolling text * Query of classes etc Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.hackerhotel.nl/2025/talk/AXL9WT/

De opkomst van geavanceerde technologie en kunstmatige intelligentie heeft ongekende mogelijkheden gecreëerd, maar ook een sluimerend probleem blootgelegd: de validatiecrisis. In deze lezing neemt Brenno de Winter, gerenommeerd cybersecurity-expert en auteur van De Validatiecrisis, u mee in de wereld van misleidende aannames, ongeteste technologie, en de gevaren van een gebrek aan kritische evaluatie. Hij toont aan hoe deze crisis niet alleen technologie, maar ook maatschappelijke besluitvorming ondermijnt. Een belangrijk deel van de lezing is gewijd aan de MIAUW-methodiek (Methodiek voor Informatiebeveiligingsonderzoek met Auditwaarde). Dit gestructureerde framework biedt een oplossing voor de validatiecrisis in informatiebeveiliging door de nadruk te leggen op reproduceerbaarheid, transparantie en auditwaarde. MIAUW stelt organisaties in staat om kwetsbaarheden niet alleen te identificeren, maar ook te documenteren op een manier die zowel controleerbaar als bruikbaar is voor bredere compliance- en risicomanagementstrategieën. Tijdens de lezing bespreekt Brenno de Winter praktische voorbeelden, biedt hij concrete handvatten om kritisch denken te bevorderen, en illustreert hij hoe MIAUW organisaties kan helpen de kloof tussen complexe technologie en verantwoorde toepassing te overbruggen. Technologie en kunstmatige intelligentie hebben onze samenleving fundamenteel veranderd, maar brengen ook een diepe uitdaging met zich mee: de validatiecrisis. In deze lezing onthult Brenno de Winter, cybersecurity-expert en auteur van De Validatiecrisis, hoe een gebrek aan kritische controle en grondige evaluatie van data en technologieën leidt tot risico’s op het gebied van veiligheid, ethiek en besluitvorming. De validatiecrisis is een fenomeen dat zich niet alleen in de echte wereld afspeelt, maar zelfs in fictieve experimenten fascinerende en leerzame inzichten biedt. De Validatiecrisis: Wat Gaat Er Mis? De validatiecrisis is een fundamenteel probleem waarbij aannames en technologieën zonder grondige controle worden geaccepteerd. Dit leidt tot mislukte projecten, gebrekkige AI-systemen en besluitvorming gebaseerd op onjuiste gegevens. De Winter illustreert dit met praktijkvoorbeelden, waaronder AI-modellen die falen in het herkennen van nuance, en situaties waarin vertrouwen in onbewezen technologie desastreuze gevolgen heeft. Hij legt de nadruk op het belang van kritische evaluatie en hoe een gebrek daaraan leidt tot blinde vlekken in onze technologische ontwikkeling. Een Lessenpakket van de Maan Een belangrijk onderdeel van de lezing zijn de fictieve experimenten op de maan, waarin menselijke en technologische interacties werden onderzocht in een context waar katten een sleutelrol spelen. In deze hypothetische samenleving, waar katten niet alleen huisdieren maar politieke actoren zijn, faalden AI-systemen in het begrijpen van de complexe hiërarchieën en sociale dynamiek. Dit leidde tot een fictieve oorlog met de planeet Bananie, die volledig had kunnen worden voorkomen als technologie op een grondigere manier gevalideerd was. De experimenten fungeren als een metafoor voor de gevaren van slecht gevalideerde technologieën. Ze tonen hoe kleine fouten in de basis van systemen kunnen leiden tot grote gevolgen, of het nu gaat om ethische kwesties, veiligheid of zelfs internationale relaties. Dit fictieve voorbeeld onderstreept de bredere boodschap: technologie moet niet blind worden vertrouwd, maar moet voortdurend worden getest en gecontroleerd. De MIAUW-methodiek: Een Gestructureerde Aanpak Als antwoord op de validatiecrisis presenteert De Winter de MIAUW-methodiek (Methodiek voor Informatiebeveiligingsonderzoek met Auditwaarde). Dit framework biedt een gestructureerde aanpak voor penetratietesten die niet alleen technische kwetsbaarheden identificeert, maar deze ook documenteert op een manier die reproduceerbaar en controleerbaar is. MIAUW stelt organisaties in staat om niet alleen inzicht te krijgen in risico’s, maar ook om deze te verbinden aan bredere compliance- en risicomanagementstrategieën. Met concrete voorbeelden laat De Winter zien hoe MIAUW organisaties helpt om niet alleen veiliger te worden, maar ook om transparant en verantwoord om te gaan met hun technologie. Door reproduceerbare resultaten en sterke auditwaarde mogelijk te maken, biedt MIAUW een praktische oplossing voor de uitdagingen van moderne technologie. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.hackerhotel.nl/2025/talk/7VXSPZ/

This you really want to know. Huib has been responsibly disclosing the Secret Services, criminals and hackers. Now we turn it around: ask Huib anything. Chris van ‘t Hof will guide the conversation. Books: 2024 “Dit wil je echt niet weten”, 2019 “Het is oorlog en niemand die het ziet”, “There's a War Going On But No One Can See It” - Its war and everyone can see it now. “Der digitale Weltkrieg, den keiner bemerkt” Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.hackerhotel.nl/2025/talk/NBZPQZ/

Openingstalk by Dimitri opening Hackerhotel 2025 In this openingstalk i will open Hackerhotel 2025 and thank all people that helped me and explain about how this Hackerhotel 2025 organisation went. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.hackerhotel.nl/2025/talk/EMVMAX/

You've maybee seen the raking robot that got a CEH (Certified Estetisch Harker) certificate, the Telex linked to Twitter/Telegram or the ASCII foto booth. They are all made by me. If this talk gets accepted I will do a deep dive on these three contraptions and what I learned building them. Beside Schuberg Philis, DIVD, attending the farm and keeping my bees I als build machines. It is an interesting process and I want to share it with you. Machiens I will be talking about: * The (worlds?) 1st 3d color printer from TNO * The raking robot * AI/Twitter/Telegram/Slack connected Telex * ASCII photo booth Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.hackerhotel.nl/2025/talk/XSSZ9J/

How to make an Android App for Android Auto, a demo of the MapLibre sample app, and stories about Flitsmeister. FrankkieNL has worked on the Android Auto (and Automotive) version of the Flitsmeister app. This navigation app uses MapLibre to render a map on the Car screen. During this talk, we will discuss how this works and how you can create your own Android Auto-based app. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.hackerhotel.nl/2025/talk/ZQ3RYV/

In today's rapidly evolving digital landscape, the increasing frequency and the scale of security incidents pose significant challenges for incident response teams. The traditional approach, rooted in digital forensics, is no longer sufficient nor is it efficient enough. It's time for a shift towards an automated incident response strategy that combines the investigative prowess of a digital detective with a DevOps mindset. In this talk, we will present how the incident response process of acquiring data, processing data, and analyzing information can be automated. Based on how we have built our incident response lab using open-source software packages developed by Microsoft (AVML), Google (Timesketch, WinPmem), Rapid7 (Velociraptor), Fox-IT (Dissect), Elastic, KROLL (KAPE) and HashiCorp (Terraform, Vault). We will guide you from using tools manually to using these tools automatically and magically. Well not really magically, but we will emphasise the application of a DevOps mindset to the process that most incident responders execute on a daily basis including ourselves, combined with examples that can be put into practice. In today's rapidly evolving digital landscape, the increasing frequency and the scale of security incidents pose significant challenges for incident response teams. The traditional approach, rooted in the perspective of digital forensics, is no longer sufficient. It's time for a shift towards an automated incident response strategy that combines the investigative prowess of a digital detective with a DevOps mindset. In this talk, we will present how the incident response process of acquiring data, processing data, and analyzing information can be automated. We will guide you from using tools manually to using these tools automatically and magically . Well not really magically, but we will emphasize the application of a DevOps mindset to the process that most incident responders execute on a daily basis including ourselves, combined with examples that can be put into practice. An example of this is that the human knowledge of an incident responder should feed into the repeatable methods and should not stay in the mind of the best incident responder in the team. By using feedback loops, the knowledge that is gained during a case can be transformed into methods that can be re-used during new cases. In setting up our incident response service, we had the benefit that we could start from scratch, without any legacy, in a cloud native world and with a significant number of lessons learned in the past, we have built an innovative incident response lab using open-source software packages developed by Microsoft, Google, Rapid7, Fox-IT, Elastic, KROLL and HashiCorp. By using Infrastructure as Code (IaC) we can automatically provision the lab on the Google Cloud Platform, acquire and process data and perform analysis using various methods within two hours, without the intervention of an incident responder. We still need humans, but we should focus on doing the creative and research part of an incident response case. Besides that, there is no silver bullet, humans cannot fully trust the automated analysis. This is where the investigative prowess of a digital detective comes into play, ensuring the validation of results and the reproducibility of findings throughout the entire incident response process, from data acquisition to analysis of information. References https://hackernoon.com/the-devops-mindset-a-step-by-step-plan-to-implement-devops-s03p35rr https://nluug.nl/bestanden/presentaties/2022-11-29-francisco-dominguez-en-zawadi-done-automating-incident-response-should-be-the-default.pdf https://zawadidone.nl/automating-dfir-using-cloud-services/ https://www.huntandhackett.com/blog/scalable-forensics-timeline-analysis-using-dissect-and-timesketch Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.hackerhotel.nl/2025/talk/ARDG3T/

A short introduction to cryptography, its past, present and future for the not yet fully initiated. Many talks mentioned cryptography somewhere along the presentation and everybody just nods. But how many people actually know the insights of cryptography? Why some things work and some things don't? During this talk I will explain the difference between encoding and encryption, the most common uses of cryptography, the difference between synchronous and asynchronous encryption, hashes. I will include some history and some future developments like quantum and why wel call cryptocoin cryptocoin. In a slow pace, scratching the surface for uninitiated, but the scratches will go deep enough for more initiated to get some more background. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.hackerhotel.nl/2025/talk/KPBZKG/

Lockpicking is a sport where you open locks without force and mostly without keys. While doing this activity nothing much can be seen of the actual process. In stead you need to rely on sound and feel (tactile feedback from the lock). Therefor a lot of people (including us) think a visual impaired person could be rather good at this (as they are more trained to use the "other" senses) The firsts steps into locksport however are VERY visually heavy (video's, pictures, diagrams) which makes it rather hard for a visual impaired person to get started. We believe we fixed that now. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.hackerhotel.nl/2025/talk/WBSRED/

A year later, we are back at the wonderful company Acme where nice people make beautiful things. This time we will follow up on that and tell you how the company can improve their own maturity and security levels as explained in the standard. A year later, we are back at the wonderful company Acme where nice people make beautiful things. How did they fare, and what steps can they take now to protect their beautiful company from unwanted incidents. Last time we explained the challenges the company faces and how they could start their OT cybersecurity journey. This time we will follow up on that and tell you how the company can improve their own maturity and security levels as explained in the standard. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.hackerhotel.nl/2025/talk/J33HDT/

Motivationsvortrag über verschiedene Microcontroller und Abstraktionsfähigkeit durch höhere Prorgammiersprachen Assembler->C->Rust, Arduino, STM32, ESP32 https://www.ulm.ccc.de/ccc/chaosseminar/2025_02_embedded-software-entwicklung/ https://wieerwill.dev/ about this event: https://www.ulm.ccc.de/ccc/chaosseminar/2025_02_embedded-software-entwicklung/

🇬🇧 English Version Open Politics – Collaborative Tools for Open Political Data Politics is complex, and making sense of it requires access to good information. The Open Politics Project is working on and operationalising open-source tools that help analyse political structures, decisions, and developments—so that journalists, researchers, activists, and engaged citizens can better understand and interpret them. Our goal is to make political data more accessible and useful. We bring together existing methods from data analysis, political science, and AI, while also experimenting with new approaches—always in the open, documented, and improved through collaboration. From user-friendly visualisations to structured databases, we explore ways to work with political data in a way that’s practical and meaningful. We call it: Open Source Political Intelligence At Datengarten on February 5, 2025, we’ll share our latest progress, discuss challenges, and give a behind-the-scenes look at our work. 📍Chaos Computer Club Berlin (CCCB), Marienstraße 11, 10117 Berlin Let’s talk about how we can make political information more open and useful for everyone. 🔗 Open Politics Project: https://open-politics.org/about, https://github.com/open-politics/open-politics, https://github.com/open-politics/opol 🇧🇪 German Version Open Politics – Offene Werkzeuge für politische Daten Politik ist oft schwer durchschaubar – aber mit den richtigen Werkzeugen lassen sich Strukturen, Entscheidungen und Entwicklungen besser verstehen. Das Open Politics Project entwickelt und operationalisiert Open-Source-Methoden zur Analyse politischer Daten, um Journalist:innen, Forschenden, Aktivist:innen und interessierten Bürger:innen den Zugang zu politischen Informationen zu erleichtern. Unser Ziel ist es, politische Daten verständlich und nutzbar zu machen. Wir verbinden bestehende Ansätze aus Datenanalyse, Politikwissenschaft und KI, probieren neue Methoden aus und dokumentieren alles offen, um es gemeinsam weiterzuentwickeln. Von interaktiven Visualisierungen bis zu strukturierten Datensammlungen – wir experimentieren mit Wegen, politische Informationen alltagstauglicher zu gestalten. We call it: Open Source Political Intelligence Beim Datengarten am 05. Februar 2025 sprechen wir über unseren aktuellen Stand, diskutieren Herausforderungen und geben einen Einblick in unsere Arbeit. 📍Chaos Computer Club Berlin (CCCB), Marienstraße 11, 10117 Berlin Lasst uns gemeinsam überlegen, wie politische Informationen offener und zugänglicher werden können. 🔗 Open Politics Project: https://open-politics.org/about, https://github.com/open-politics/open-politics, https://github.com/open-politics/opol Licensed to the public under http://creativecommons.org/licenses/by-sa/3.0/ about this event: https://c3voc.de

Your organisation has been using Puppet to manage its infrastructure, but it's grown organically over time with best practices and the long-term implications of decisions never really being thought about. A new Puppet administrator has just been handed responsibility for the Puppet infrastructure, we need to help them out. This is a common scenario, the Puppet admin has left an organisation and a new Puppet admin has been assigned but doesn't have any real experience of Puppet, just like their predecessor. We need to teach them what Puppet is, help them understand what they've taken on and use Puppet best practices such as roles and profiles, and Hiera to organize their configuration management into a clear and robust structure that will give them confidence to make the required changes as and when they are needed as the infrastructure grows. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://cfp.cfgmgmtcamp.org/ghent2025/talk/NPG9HP/

Since the day Kargo was released, I have been exploring the idea of using it not only to deliver and promote applications but also to deliver infrastructure through its progressive delivery capabilities. Using Kubernetes-based tools like Crossplane or Pulumi, we can define infrastructure as code and deliver it progressively to our management clusters and then promote this infrastructure through different stages without the need for extra CD script magic. Let me show you how Kargo helps platform engineering streamline and automate the progressive rollout of infrastructure changes to all stages. This talk will cover the basics of Kargo and how to use it with Infrastructure as Code tools. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://cfp.cfgmgmtcamp.org/ghent2025/talk/DGYEV7/

In this talk, we will introduce Kairos, an open-source project that aims to create immutable Operating Systems designed for Kubernetes. This includes a toolset that simplifies operations at the edge in a cloud-native way. Edge computing has become increasingly popular due to its ability to save costs by processing information closer to the data before sending filtered and computed information to a centralized application or data warehouse hosted in the cloud. Kubernetes is an ideal solution for edge computing because it natively builds components that facilitate the lifecycle management of modern edge applications. However, as we scale the number of edge locations, we face operational challenges, such as interacting with cluster configurations at scale without creating unique configurations for each location, ensuring security for remote clusters and applications, upgrading Kubernetes clusters without specific domain knowledge, and minimizing disruptions during maintenance windows for smaller form factor hardware. Kairos acts as an engine delivering immutable Kubernetes-enabled Linux OS from OCI conformant container images. It provides unique capabilities such as VPN peer-to-peer mesh, a distributed ledger to automate Kubernetes cluster bootstrapping and coordination, and zero-touch provisioning with a QR code scan. But more importantly, it uses a declarative model backed by Kubernetes CRDs. It manages distributed Kubernetes operations at the edge from a centralized Kubernetes cluster. In this presentation, we will explain the foundations and concepts of Kairos and demonstrate its capabilities. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://cfp.cfgmgmtcamp.org/ghent2025/talk/3BSKZB/

We use Puppet for about 1200 Linux machines. This talk will recount our journey in upgrading from Puppet 7 to Puppet 8. I will talk about the incompatible changes to be aware of, how we handled them, and general strategy for handling Puppet major upgrades. The talk will cover: - our Puppetserver architecture - changes in Puppet 8 like legacy facts and Ruby 3.2 - how to prepare for any Puppet major upgrade - how to prepare for the Puppet 8 changes specifically - things that the ecosystem could do better Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://cfp.cfgmgmtcamp.org/ghent2025/talk/T97UPU/

cloud costs can feel like a nightmare, creeping up on your Kubernetes infrastructure. But with the right tools, you can be the hero your budget deserves! In this talk, we’ll dive into OpenCost, an open-source solution that can help you track and optimize your cloud spending in real time.You’ll discover how OpenCost works, why it matters, and how you can use it to become the cost-saving champion of your cloud environment. Get ready to conquer Kubernetes costs and take back control of your cloud! Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://cfp.cfgmgmtcamp.org/ghent2025/talk/PVN3XX/

This talk will walk through and provide examples and war stories on how kubernetes can be used not only in large scale environments but also in small and small-ish scale environments. Kubernetes is often considered as the tool to tackle large scale traffic, which is supposed to be used by a big team of engineers. This talk presents an opposite approach which shows how Kubernetes can be used in a very small team with limited resources. It will explore the benefits of running k8s in a small scale and also what pitfalls come with it. It will walk through the steps of provisioning self hosted Kubernetes cluster - kOps - challenges of keeping clusters upgraded without downtime. It will discuss issues encountered in daily operations, applications taking too long to start up anyone, and then how it was tuned with tools like Goldilocks. It will delve into CI/CD on Kubernetes (using Jenkins and ArgoCD). Keeping an eye on operational costs is essential in a small environment and this talk will discuss how kOps can utlize spot instances everywhere and benefits/challenges with spot instances. The idea of downscaling on schedule with py-kube-downscaler project, mutating pods with kyverno will be discussed. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://cfp.cfgmgmtcamp.org/ghent2025/talk/A3QEP7/

Kubernetes is still quite a popular choice with wide community adoption to run containerised workloads in the Cloud, but it doesn’t come with batteries included. And some of that is intentional to allow freedom to make different choices or extend its functionality as needed. For example scaling compute nodes is one of the things which is not built-in. Making sure you’re doing it in most efficient and cost-efficient way is paramount. But it’s not just efficienty than separates Karpenter (an open-source node lifecycle management) from other options, but also how it can help you stay on top with compliance, patching and drift. The project has come a long way in the last couple of year and it was also adopted by CNCF/SIG Autoscaling making it alternative approach compared to de-facto Cluster Autoscaler project. I this talk I’ll show how to set it up, different use cases and demonstrate hands-on what to expect in the real world scenario. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://cfp.cfgmgmtcamp.org/ghent2025/talk/P7CTWQ/

Puppet is a mature tool, the company behind it has changed over the years and most of the people who developed it, are no more working there. For somebody Puppet is old, solving problems that are no more current. Yet, Puppet is still around , and as long as there'll be systems to manage over time, there'll be the need of such a tool. The question is if the tool of choice is going to be Puppet or not. What's its present and future? We will analyse the current Puppet situation, market demand and perception, and spend our two cents on what could be done to improve perception, usage and adoption. We will also try to raise the topic with the people in the audience, when the presentation will turn into a discussion, possibly stirring ideas and suggestions. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://cfp.cfgmgmtcamp.org/ghent2025/talk/VQUFXW/

Overview of possibilities to assign classes to nodes The Puppet tutorial assembles configuration aus snippets in manifests/site.pp node default { include apache } . There are more possibilities than advertised by Puppet: * External Node Classifier * Roles und Profiles * Hiera Chainloading as Array or Hash * Puppet Enterprise Console/Foreman Host Groups We will get a quick intro to each of them, an explanation on how to shoot yourself in the knee with these and a field report of ways that have proven to cause less pain. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://cfp.cfgmgmtcamp.org/ghent2025/talk/TCKR7P/

Kubernetes is the most popular container orchestration platform out there, and for anyone who wants to do GitOps on Kubernetes, ArgoCD is a leading open source project in this space. This presentation will walk you through the management of multi-architecture applications for Kubernetes with ArgoCD. In this presentation, we will run through the process of managing container applications on hybrid arm64 and x86 Kubernetes clusters using ArgoCD for GitOps, including: * Why add arm64 compute nodes to your Kubernetes clusters? * Tooling to build and manage multi-arch containers * Continuous integration and delivery patterns * Workload placement and orchestration in Kubernetes Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://cfp.cfgmgmtcamp.org/ghent2025/talk/L7WJRN/

What is new in HDM Release 3? Hiera Data Manager (HDM) is a web UI, which provides insight into your Hiera Data. One can easily check, which values are set in which layer and recognize, why a node receives which configuration data. With the newest release we added some new features, which I would like to present. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://cfp.cfgmgmtcamp.org/ghent2025/talk/FCSFJP/

Managing compliance in infrastructure as code environments is essential but can be daunting. Enter `compliance_engine`, a new open-source Ruby gem designed to streamline the mapping of compliance standards to Puppet code. Building on the foundation of SIMP's `compliance_markup`, this reimagined backend prioritizes performance, flexibility, and maintainability. In this session, we’ll explore the evolution from `compliance_markup` to `compliance_engine`, highlighting the architectural improvements that make it faster and easier to use. We’ll dive into real-world examples, demonstrating how the gem simplifies the enforcement of compliance policies, reduces complexity, and supports emerging standards. Attendees will gain insights into the challenges of implementing compliance as code and learn how `compliance_engine` can transform their approach to regulatory compliance in Puppet environments. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://cfp.cfgmgmtcamp.org/ghent2025/talk/NXJTDG/

Managing secrets in Kubernetes can be a complex and overwhelming process, especially with the wide range of available options. This talk, designed for intermediate users, aims to demystify the process by providing a practical roadmap drawn from my own journey. I will explore common challenges and share insights from transitioning through various approaches, from Kubernetes' built-in secrets to external tools like Sealed Secrets, CSI Secrets Store, and External Secrets. Through real-world examples and lessons learned, attendees will leave with actionable strategies to manage secrets more securely and efficiently in their Kubernetes environments, while contributing to stronger community practices and more resilient applications. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://cfp.cfgmgmtcamp.org/ghent2025/talk/HS8ELE/

A real life view into how an enterprise company uses Choria for orchestration and what we had to build around it. This talk gives the basics of Choria along with infrastructure considerations such as running only from Jenkins and code considerations including control repo organization, org specific stdlib and interacting with other teams. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://cfp.cfgmgmtcamp.org/ghent2025/talk/W7WAZG/

How do you upgrade 3000 individual PE environments? 3000 environments that you don't manage and others own. 3000 environments without SSH access. Come with me on a "funny" journey and learn how we made this possible and how the PE upgrade process differs from Open Source. Lets do a deep dive into PE 2019->2021->2023 Upgrades and our open source tooling that made this possible. You can also watch the slides online at: https://bastelfreak.de/cfgmgmtcamp2025/pe.html#1 Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://cfp.cfgmgmtcamp.org/ghent2025/talk/9NUL9E/

Monitoring Kubernetes doesn’t have to be complicated. In this talk, I’ll introduce a new module we’re developing for Icinga, currently in beta, that simplifies Kubernetes monitoring in the same way Icinga has for traditional infrastructure. We’ll explore how this module makes it easier to monitor your clusters’ health and performance, allowing you to identify issues early. Whether you’re new to Kubernetes or managing large-scale clusters, this session will provide a preview of what’s to come and how it can streamline your monitoring processes. Feedback and insights are welcome as we refine the tool. Kubernetes offers powerful orchestration capabilities, but monitoring its dynamic environment can be tricky. In this session, we’ll dive into the development of a new module for Icinga that simplifies Kubernetes monitoring, making it more accessible for users who are familiar with traditional IT infrastructure setups. While the module is still in the beta phase, I’ll walk through its current features, show how it integrates with your existing Icinga setup, and discuss future enhancements. We’ll look at practical examples of monitoring critical aspects like node health, pod status, and resource utilization, all through Icinga’s familiar interface. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://cfp.cfgmgmtcamp.org/ghent2025/talk/AH78JZ/

Description: Most of us remember how long it took for Puppet to get Debian 12 packages. The build pipeline was long and complex and used a lot of internal tooling that had to be updated manually. In current news though, the new OpenVox build pipeline has been totally revamped and simplified and adding support for RHEL 10 took about 10 minutes. Most of that was spent waiting for the build to complete. Nick would like to explain how it works and what we still have left to do. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://cfp.cfgmgmtcamp.org/ghent2025/talk/7HXT7V/

It is very common now for developers to code and test their applications on VMs, either locally hosted or on the cloud. As individuals have editor preferences (nvim, vscode, etc), so they have hypervisor. Once you create a bolt inventory file listing the server or servers, then bolt can easily configure those servers using custom puppet code. Instead of manually creating the bolt inventory, it is easy to create a dynamic inventory plugin--if it doesn't already exist--to suit your particular use case. This talk illustrates how we setup our own local dynamic inventory plugins to help with our automated development and testing. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://cfp.cfgmgmtcamp.org/ghent2025/talk/GYKK3P/

Testing Puppet code can be a hassle, but voxbox is here to save the day! Testing Puppet code can be a hassle, but voxbox is here to save the day! Voxbox is a complete testing environment in a container, with all the good gems from Vox Pupuli. Active maintained and ready to run locally or in your CI. It also has jq and yamllint on board. I will showcase how it is build, how it is used and how it can be integrated into gitlab-ci. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://cfp.cfgmgmtcamp.org/ghent2025/talk/WHTKEC/

To understand the inner workings of Kubernetes and to prepare for the K8s certification exams, I decided to create a K8s cluster from scratch, the hard way, on premises (“de meterkast”) on virtual machines all using Alpine Linux. This talk is how I tried to do it, how I succeeded, failed and added a CEPH cluster and ETCD cluster along the way. It includes a lot of technical details, but if there is one thing that you should learn during this talk, it’s not about K8s at all: Containers are not VMs! Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://cfp.cfgmgmtcamp.org/ghent2025/talk/CR8UGL/

In this talk well discuss what's happened in the open source product releases from Puppet to developer tools recently and what direction we're thinking.. did anyone say Puppet 9? We will also look at an overview of the state of community and where we think we can focus working better together. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://cfp.cfgmgmtcamp.org/ghent2025/talk/3BC7QX/

about this event: https://c3voc.de

Let's join in a quiet moment to bid farewell to the chaotic wonderland that has been 38C3 and prepare ourselves for the harsh reality outside. Gather round and take a deep breath and enjoy the unique atmosphere before you will feel the spirit again at the next hacker event close to you. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/38c3-return-to-legal-constructions/

Der IT-Sicherheitsalptraum-Rück­blick: Manchmal belustigend, zuweilen beunruhigend, aber mit Ausblick. Es ist wieder ein Jahr vergangen und niemand ist von einem Smartmeter erwürgt worden: Ist überhaupt etwas Berichtenswertes passiert? Und wenn nein, wird es denn nächstes Jahr wenigstens schlimmer? Wir betrachten das vergangene Jahr, versuchen Muster zu erkennen und zu ahnen, wie es weitergehen muss, denn vorgewarnt zu sein, heißt gewappnet zu sein. Und sei es nur mit Popcorn und „In Übereinstimmung mit der Prophezeihung!“-Schildern. Publikumseinwürfe willkommen. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/security-nightmares/

This talks gives a behind the scenes on how the infrastructure side of the event is done. A lot of teams help to make this event happen. This talk gives them the opportunity to show you what they do and how they do it. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/38c3-infrastructure-review/

Wetter- und Notfallwarnungen empfangen zu können kann Leben retten. Nutzende, die ihre Privatsphäre nicht Google oder Apple ausliefern möchten sollten dabei nicht im Nachteil sein. Wir berichten über den aktuellen Stand der FOSS Entwicklung und allerlei Beobachtungen rund um Notfallwarnungen. Die Flutkatastrophe vom Juli 2021 hat schmerzlich bewusst gemacht, wie wichtig die effektive Verteilung von Katastrophenwarnungen ist. Mit der Einführung von Cell-Broadcast in Deutschland gab es diesbezüglich eine deutliche Verbesserung, andere Verbreitungswege werden dadurch aber nicht weniger relevant. Apps wie NINA oder KATWARN stellen mehr Informationen zur Verfügung als in einer Cell Broadcast Nachricht übermittelt werden kann, und ermöglichen es auch, Regionen zu beobachten, in denen man sich nicht selbst aufhält. Diese Apps sind allerdings nur für die Plattformen von Google und Apple verfügbar, Nutzende freier Plattformen sind außen vor. Kein befriedigender Zustand. Was macht man in so einem Fall? Na, das, was man in so einem Fall immer macht: Wir bauen uns die Warn-Apps und die dazu nötige Infrastruktur halt selbst. Basis dafür bildet das Common Alerting Protocol (CAP) was seit vielen Jahren weltweit im Einsatz ist, und UnifiedPush als freie Alternative zu proprietären Push-Benachrichtigungen. Daraus ergibt sich ein Aggregations-Server der Warnmeldungen aus derzeit 100 Ländern einsammelt und Clients über Ereignisse in für sie relevanten Gebieten informiert. In diesem Talk erklären wir, wie CAP funktioniert, wie das in der Welt eingesetzt wird und welche merkwürdige Beobachtungen wir während der Entwicklung gemacht haben. Von den Entwicklern von FOSSWarn und dem FOSS Public Alert Server. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/wie-man-auch-mit-foss-katastrophen-warnungen-bekommt/

Ihr wolltet schon immer wissen was der „Morgenthau-Plan“ mit Kreisverkehren und „Schönwetterfreizeitsportgeräten“ zu tun hat? Dann lasst mich euch mitnehmen in die wundersamen, obskuren und humoristisch wertvollen Untiefen eines lokalen Nachrichtenportals. Was kann die interessierte Beobachterin von außen über das System lernen? Welche Werkzeuge brauchen wir für diese Expedition? Welche Kreaturen der Nacht kriechen durch die Untiefen der anonymen Kommentarfunktion? Und kann man eigentlich auch etwas Schönes aus den Daten machen, die da täglich ins Netz gekippt werden? Wie viele Orte in Deutschland hat Lübeck eine von diesen etwas schrägen Lokalnews-Seiten, die wirken, als wären sie in der Zeit stecken geblieben. Aber dennoch sind sie irgendwie wichtig sind für das Leben in der Region. Der schnöde Wetterbericht, Beschwerden über Baustellen, Filz-Workshops und Veranstaltungsankündigungen für die LAN-Party des CDU-Ortsverbandes - alles kann einem hier begegnen. Natürlich garniert von Kommentaren aus dem ganzen Spektrum des Wahnsinns. Seit über einem Jahr sammle ich die Daten, die diese obskure Seite ins Internet bläst, werte sie aus und bastele daraus nützliche oder wenigstens lustige Dinge. Von all diesen Abenteuern meines Hobby-Projekts „hl-lol“ möchte ich euch berichten. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/lokalnews-mining/

This talk examines philosophical, legal, and ethical questions of the merging of human minds with intelligent machines through Brain-Computer-Interfaces, provides an overview of current debates and international regulatory development - and what might be at stake when technologies increasingly access the human brain. Human minds and machines, or organic and artificial intelligence (AI), are increasingly merging through neurotechnologies such as Brain-Computer-Interfaces (BCIs) that may record or alter brain activity. While most current devices are developed and used for rehabilitative purposes, more and more consumer devices are about to come on the market, and some stakeholders such as Elon Musk and his company Neuralink pursue more transhumanist objectives. This merging of minds and machines raises multiple intriguing philosophical, ethical, and legal questions: Do these devices become part of the person, even more, might the AI operating these devices become part of her? (I argue that it does under certain conditions, creating the most intimate conceivable connection between AI and persons). Are there ethical boundaries, and what is the legal situation, especially with respect to human rights? (I call for a renaissance of the right to freedom of thought to provide at least some principled protection for privacy of thought). Moreover, the topic has received the attention of international organizations, which will negotiate the first international treaty on the ethics of neurotechnology under the auspices of UNESCO in the beginning of 2025 (expected to be concluded in late 2025). This will set the standards for the future trajectory of the technology, but whether agreement can be found is to be seen. The EU, US, and China have different regulatory approaches with different visions for the future. This talk addresses these political, philosophical, legal and ethical questions and presents results of an international research cooperation on the topic, HYBRID MIND, that is funded in Germany by the Federal Ministry of Education and Research and comes to its official conclusion during the days of the 38C3. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/philosophical-ethical-and-legal-aspects-of-brain-computer-interfaces/

Ever wondered what data is stored inside DB print-at-home train tickets or those in your local transport association's app? Join me for the deep dive into digital railway ticketing you didn't know you needed. After getting my shiny new Deutschlandsemesterticket from University I was so annoyed with the quality of the SaarVV app that I set out to put my train tickets into Apple Wallet - whether the train companies wanted me to or not. What followed was several weeks of banging my head against the wall and googling various terms with "filetype:pdf" until I understood how they're encoded. This talk is a highly condensed executive summary of the most interesting parts of that journey - from the surprising to the downright weird. Finally, I'll cover how you can issue your own train tickets - for fun and absolutely no profit! Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/what-s-inside-my-train-ticket/

The infrastructure industry has recently started co-opting a well-established software engineering practice and is doing so badly. Observability is being overhyped as something revolutionary that you can only practice using the latest new shiny tool. Real observability provides insight only when we take the time to understand what we’re monitoring, why it matters to our organization, and how each metric connects to our goals. This talk critiques the tool-centric approach that has taken over infrastructure monitoring, encouraging infrastructure teams to step out of their offices, touch grass, and talk with their organizations to answer the essential question: What is it you want monitored anyway and why? We’ll explore the power of applying observability as a practice, not just a product, and highlight F/L/OSS tools that offer powerful, adaptable solutions without the hype. If you’re tired of replacing one flashy dashboard with the next, or if you’ve ever wondered whether observability is really the game-changer it’s made out to be, this talk is for you. Let’s take a cue from our software engineering friends and approach observability as a collaborative, cross-functional practice that builds on strategy rather than the next tool. The term “observability” is everywhere, packaged as the next game-changer for infrastructure. But beneath the hype, it’s little more than contextualized monitoring—and the infrastructure industry has co-opted it badly. This talk takes a critical look at the tool-centric approach to observability that’s dominating the market and offers an alternative: an approach to observability based on strategy, not the latest tool. We’ll explore the origins of observability as a software engineering practice, where things went wrong as it moved into infrastructure, and how tool-driven marketing misses the point. From understanding why we’re monitoring to identifying what actually matters to our organizations, this session challenges infrastructure teams to rethink observability and ask essential questions that can transform monitoring into a true asset. Finally, we’ll dig into powerful F/L/OSS tools that already do the job well, without the hype or the hefty price tag, and consider how infrastructure teams can use and contribute to open-source observability practices that support genuine insight. Join me in side-stepping the hype, and discover how real observability could mean thinking like a hacker—using practical, adaptable, and community-driven solutions that prioritize understanding over just another flashy dashboard. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/observability-is-just-contextualized-monitoring-change-my-mind/