Chaos Computer Club - archive feed

Ole Tange har startet en krig mod sin fjernaflæste elmåler. I dette oplæg går vi dybere ned i sagen - både teknisk og juridisk. Sagen handler om fjernaflæste elmålere, men perspektiverne er langt større: Hvis vi kan bruge GDPR til at tvinge firmater til at respektere vores privatliv - selv det koster dem penge, så er der mange andre situationer, hvor det er relevant. Datatilsynet har endnu ikke afgjort sagen, så vi ved ikke, hvor vi står. about this event: https://c3voc.de

Bad software is everywhere. We have all experienced programs crashing, hanging, or doing the wrong thing. Software has become so unreliable that we almost expect it to fail. But it doesn't have to be this way. There are simple principles that we can follow in our code to eliminate virtually all bugs. Leading to happier users and easier maintenance. In this talk, I present six principles that in object-oriented codebases lead to bug-free code, even without testing. about this event: https://c3voc.de

Flutter is a software development kit based on the Dart language enabling developers to create performant cross-platform applications. We'll have an introduction for people with some basic knowledge of Flutter or other cross-platform toolkits and later on a view on advanced topics. In this talk, we will have a look on performance-tuning, useful features as well as some background information on the Flutter framework, it's engine and the Dart runtime. In particular, the following topics will be addressed: - What's this fluttery Flutter? - Animations - example of animations - performance-tuning - UX patterns in Flutter - responsive layouts - routing - hight-quality Widgets - the Flutter Framework - under the hood of Flutter's rendering - Flutter Web, dart2js and what Flutter has (not) to do with JavaScript about this event: https://c3voc.de

European governments are proposing vague legislation that would likely require that messages be scanned for objectionable content before the message is sent (client-side scanning). This is bad. The legislation has been promoted under names like "fighting child sexual abuse", by lobbyists promoting a proprietary screening service. We don't have good reason to think such scanning would in fact prevent child sexual abuse. Moreover, to scan messages this way would in practice require that we forego end-to-end encryption. Client-side scanning would be terrible for information security, data protection, privacy, freedom, &c. It happens only I am presenting, but the idea for this talk came from discussions at Cryptohagen. about this event: https://c3voc.de

In this presentation, we will take a look at this years badge and give some hints and ideas as to how it can be hacked about this event: https://c3voc.de

The BornHack 2022 team would like to welcome you to this year's BornHack event. We will walk over changes to the venue, schedule, and other information about the event itself. This is also an excellent opportunity to meet the teams behind BornHack. about this event: https://c3voc.de

3D Modellierung ist zu aufwändig? Und auf Thingiverse nichts passendes gefunden? In diesem Petit Foo zeige ich anhand eines Beispieles wie man einfach und schnell 3D Projekte umsetzt indem man Modelle von Thingiverse remixt und daraus eine passende Lösung kreiert. about this event: https://www.chaospott.de

It's over before you know it... this talk looks back at the event, explains how the tear-down works, highlights next years camps and gives a tanks to all the organizers on stage. What more can i say? Except that i need to enter at least 250 characters. I'll just blabber on and fill up th 🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈🌈 about this event: https://program.mch2022.org/mch2022/talk/DZAUQA/

The traditional talk by most or all operational teams about the infrastructure built for MCH2022. While the site has some infrastructure in place, a lot of it has to be built for this event. On the other hand there's also teams that just make things go away. MCH2022 can not be organised without a lot of temporary infrastructure. Join the operational teams and discover the new, the unexpected or the surprising technologies that were necessary to make MCH2022 a success. Expect graphs, pictures of bodges, perhaps a few hacks but definitely a lot of hard work behind the scenes. Think fiber, LEDs, DatenKlos, trusses, waste bags, Terabytes, angels, vouchers, simultaneous viewers, amps, volts, golf carts etc. Please smile (or laugh) at our bad jokes, we're all running on fumes and in desperate need of a proper sleep. about this event: https://program.mch2022.org/mch2022/talk/ZLALJT/

The MCH2022 design speaks for itself, but we would still nerd about it for a while. It is beautiful, colorful, generative, and has some physics ideas behind it. Some of it is obvious, but if you want to know all the hidden depths, this is the talk to visit. The triangulair MCH2022 design is a colourfull generative kaleidoscope with some hidden depths. In that way it reflects the hacker community. It is in some ways a spiritual successor to the SHA2017 design, but it has its own look and feel. You can find it all around the field, on prints and stickers, on the website and on the event shirts. Do you want to know the nitty gritty details of the optical physics, the generative basis and symmetric math ideas behind it? Some of it is obvious, but we would like to talk about it, and go deeper in on the concepts. about this event: https://program.mch2022.org/mch2022/talk/KBP937/

Using cryptography can give you easy assurances, keep data confidential and keep prying eyes from stuff where they should not be. However it's not magic. This talk is intended for programmers, users and software designers. This talk is about hardcore mathematics while you should not have to understand what the mathematics are but what they do. What does cryptography do: encrypt, decrypt, sign and verify. How are certificates used in cryptogaphy and why are they totally not a magical thing. It covers what cool hardware is available, open design and open source, hardware tokens and how to use TPM for cool features. And last but not least: it contains best practices and warnings. After this talk you might be able to see what's snakeoil and what is real. == NFT's are a scam. If you are into crypto-bullshit please stay away. == Cryptography seems like magic anytime you at first look at it. In the past years I have been helping a lot of projects and customers with my more-than-basic knowledge about applied cryptography. I'll talk about: * What is cryptography (basic math) - encryption - decryption - digital signatures - digital signature verification * What can it do for you? - Deliver security - Deliver privacy - Deliver dataloss * When to use encryption - what cryptography do you want to build (hint: none) - what cryptography do you want to use (a- or symetrical encryption). - how do you do key management - where to find the best practices * About hardware - Provide security - Provide speed - HSM, TPM, processor and other acceleration * Standards - The good, the bad, the ugly - Old ones - New ones - Very special ones * Limitations and workarounds * Software - How to avoid OpenSSL * This all in random() order. Random = 4 about this event: https://program.mch2022.org/mch2022/talk/S7GEZF/

Data keeps flowing! In Android, we have the concept of permissions, users feel confident that only if they turn on the permission, their data is shared. But what about an app silently sitting on your device with no permission whatsoever! What can that app know about you? In this talk, I'll talk about the Privacy Posture of Android! What kind of data is being collected, and how is it channelled and used? How does advertising work on mobile? Can your device be fingerprinted? What kind of privacy threats exists on Android? We will learn about the permission model of Android and how permissions operate at the kernel level! This shall be followed by a demo of an Android app, which needs no permission from the user. We will see what all information can be retrieved from your device, without any permission! about this event: https://program.mch2022.org/mch2022/talk/DWWQAN/

Lightning talks are a 5 to 10 minute quick talk on an interesting subject. They can be with or without slides, and with or without proper preparation. if you weren't accepted in the main CfP, this is also a great opportunity to give an abridged version of your talk. These sessions will be available to sign up to later on, with details on the wiki: https://wiki.mch2022.org/Static:Lightning_Talks Lightning talks are a 5 to 10 minute quick talk on an interesting subject. They can be with or without slides, and with or without proper preparation. if you weren't accepted in the main CfP, this is also a great opportunity to give an abridged version of your talk. These sessions will be available to sign up to later on, with details on the wiki.Lightning talks are a 5 to 10 minute quick talk on an interesting subject. They can be with or without slides, and with or without proper preparation. if you weren't accepted in the main CfP, this is also a great opportunity to give an abridged version of your talk. These sessions will be available to sign up to later on, with details on the wiki: https://wiki.mch2022.org/Static:Lightning_Talks about this event: https://program.mch2022.org/mch2022/talk/78PVXQ/

The whole world depends on Global Navigation Satellite Systems like GPS, Galileo, BeiDou and GLONASS. The technology behind these systems is fascinating and far more interested than generally presented. Although GNSS is super important, up to recently no good monitoring was publicly available. The "galmon.eu" project changed this. In this talk I cover: * How your phone really figures out where it is (so it can sell more expensive ads) * How the "satellite ephemeris" is broadcast, what it means * What is really in this 'assisted GPS'? * The extensive ground infrastructure that is active 24/7 to determine the satellite orbits so GNSS is precise enough to tell which store you are in, or which side of the road you are driving on * How GNSS are monitored in public by 100 Galmon.eu volunteers, running open source receivers all over the world * And the research we enable * Discussion of suitable hardware and GNSS-SDR that allows hackers to see each and every bit coming from the satellites * A brief part on how GNSS can be spoofed and jammed, and the odd cryptography used to help detect or prevent this The goal of this presentation is to expose the fascinating reality behind that little circle on your maps app, but also to explain how vulnerable this system is, which is why we need to monitor it closely. The whole world depends on Global Navigation Satellite Systems like GPS, Galileo, BeiDou and GLONASS. The technology behind these systems is fascinating and far more interested than generally presented. Although GNSS is super important, up to recently no good monitoring was publicly available. The "galmon.eu" project changed this. In this talk I cover: * How your phone really figures out where it is (so it can sell more expensive ads) * How the "satellite ephemeris" is broadcast, what it means * What is really in this 'assisted GPS'? * The extensive ground infrastructure that is active 24/7 to determine the satellite orbits so GNSS is precise enough to tell which store you are in, or which side of the road you are driving on * How GNSS are monitored in public by 100 Galmon.eu volunteers, running open source receivers all over the world * And the research we enable * Discussion of suitable hardware and GNSS-SDR that allows hackers to see each and every bit coming from the satellites * A brief part on how GNSS can be spoofed and jammed, and the odd cryptography used to help detect or prevent this The goal of this presentation is to expose the fascinating reality behind that little circle on your maps app, but also to explain how vulnerable this system is, which is why we need to monitor it closely. about this event: https://program.mch2022.org/mch2022/talk/QTUAXG/

A high bar set by earlier creations, a pandemic, a postponed event and chip shortages made for a great challenge and a wild adventure creating the MCH2022 badge. This talk explains how we pulled off our most advanced creation yet. We will tell you about the process of converting a vague idea into a piece of electronics, including the prototyping process and the difficulties we encountered. Bodging badges in a time where the pandemic and the chip shortage makes creating a cool gadget near impossible. This talk explains how we pulled off our most advanced creation yet (or not, depending on how things go...). We will tell you about the process of converting a vague idea into a piece of electronics, including the prototyping process and the difficulties we encountered. about this event: https://program.mch2022.org/mch2022/talk/HVGFKB/

In 2017 (just before SHA2017) the Dutch healthcare sector came together to create Stichting Z-CERT, the Zorg Computer Emergency Response Team. A nonprofit to protect and advise the Dutch Healthcare sector. What started as a small startup has now grown into a scaleup with the ambitions to match. The COVID-19 pandemic restarted the discussion about whether or not healthcare is vital infrastructure. With NIS2 the role and importance of Z-CERT will only grow from here on. This talk is not to intended to be a corporate “Look how great we are and what kind of sexy products we have. BUY OUR STUFF.” No, we want to simply show what we do and what we learned in 5 years of being a CERT. This might help our (future) fellow CERT’s and the community. This talk is not to intended to be a corporate “Look how great we are and what kind of sexy products we have. BUY OUR STUFF.” No, we want to simply show what we do and what we learned in 5 years of being a CERT. These lessons include: - how to startup a sectoral CERT - How to build a community of members of your constituency - Connecting with fellow CERT organizations - Tools of the trade This might help our (future) fellow CERT’s and the community. about this event: https://program.mch2022.org/mch2022/talk/RHXDFR/

The LIMITS workshop concerns the role of computing in human societies affected by real-world limits*. As an interdisciplinary group of researchers, practitioners, and scholars, we seek to reshape the computing research agenda, grounded by an awareness that contemporary computing research is intertwined with ecological limits in general and climate- and climate justice-related limits in particular. LIMITS 2022 solicits submissions that move us closer towards computing systems that support diverse human and non-human lifeforms within thriving biospheres. For example, limits of extractive logics, limits to a biosphere's ability to recover, limits to our knowledge, or limits to technological "solutions". The LIMITS workshop concerns the role of computing in human societies affected by real-world limits*. As an interdisciplinary group of researchers, practitioners, and scholars, we seek to reshape the computing research agenda, grounded by an awareness that contemporary computing research is intertwined with ecological limits in general and climate- and climate justice-related limits in particular. LIMITS 2022 solicits submissions that move us closer towards computing systems that support diverse human and non-human lifeforms within thriving biospheres. For example, limits of extractive logics, limits to a biosphere's ability to recover, limits to our knowledge, or limits to technological "solutions". The LIMITS workshop concerns the role of computing in human societies affected by real-world limits*. As an interdisciplinary group of researchers, practitioners, and scholars, we seek to reshape the computing research agenda, grounded by an awareness that contemporary computing research is intertwined with ecological limits in general and climate- and climate justice-related limits in particular. LIMITS 2022 solicits submissions that move us closer towards computing systems that support diverse human and non-human lifeforms within thriving biospheres. * For example, limits of extractive logics, limits to a biosphere's ability to recover, limits to our knowledge, or limits to technological "solutions". https://computingwithinlimits.org/2022/ about this event: https://program.mch2022.org/mch2022/talk/FSYNES/

So, you know how to "use" the ssh command line? You enter connection parameters like username, hostname or private key every time you need to connect? You manually log into the jump/bastion host when connecting to your target host? Then come to this session and learn how you can make your life easier and your work more efficient by using custom config files and a tiny little bit of preparation. So, you know how to "use" the ssh command line? You enter connection parameters like username, hostname or private key every time you need to connect? You manually log into the jump/bastion host when connecting to your target host? Then come to this session and learn how you can make your life easier and your work more efficient by using custom config files and a tiny little bit of preparation. In addition, we will also cover common best practices and improvements to your current SSH setup. You will benefit the most from this talk, if you have used SSH before. SSH novices are welcome as well, SSH experts may drop by for the bad jokes. The target audience for this talk is people with a beginner/intermediate understanding of SSH. about this event: https://program.mch2022.org/mch2022/talk/KHWLR9/

My son Jurre and I got involved in helping less Tech-Savvy people find answers and recover precious data after someone close to them took their own life. This lecture describes our challenging and emotional journey as we hope to inspire others to follow our path. <a href="https://www.flickr.com/photos/dvanzuijlekom/24004514008/in/album-72157687649725580/">Picture of Jurre and Jilles</a> by <a href="https://www.flickr.com/photos/dvanzuijlekom/">Dennis van Zuijlekom</a> is licensed under <a href="https://creativecommons.org/licenses/by-sa/2.0/">CC BY SA 2.0</a> After several talks about Hardware Hacking this talk will be one on a more serious matter. After someone takes their life and the police closes their case, the next of kin may still have questions that are left unanswered. This talk is about our journey from being nerds helping out with computer problems to specialists trying to help the next of kin find answers to questions they might still have. And as this talk will be hosted for computer specialist who spend quite some effort making sure they are protected from external threat ask yourself this question; Will your loved ones be able to control the infrastructure or even have access to the family photo's when you pass away? about this event: https://program.mch2022.org/mch2022/talk/7PZANM/

HowNormalAmI.eu is an interactive documentary that showcases how algorithms judge your beauty, age, gender, weight, life expectancy and emotions by simply looking at your face. The project not only shows how face recognition technology is entering our everyday lives, but it lets you experience these judgements yourself in a safe and privacy friendly way. This talk will zoom in on one algorithm that tries to deduce your Body Mass Index (BMI). The 'making of' will discuss the ethical questions it raised, the dubious science behind it, the dodgy data sources, and the surprising companies that are playing around with this technology. HowNormalAmI.eu is an interactive documentary that showcases how algorithms judge your beauty, age, gender, weight, life expectancy and emotions by simply looking at your face. The project not only shows how face recognition technology is entering our everyday lives, but it lets you experience these judgements yourself in a safe and privacy friendly way. Dutch artist Tijmen Schep has created this interactive experience to reveal how we are increasingly being judged on our face. For example, dating websites like Tinder uses beauty scoring algorithms to match people who are about equally attractive. Services like HireVue claims to find the optimal job applicants based on their 'micro expressions'. This talk will zoom in on one algorithm that tries to deduce your Body Mass Index (BMI) from your face. The 'making of' will discuss the ethical questions it raised, the dubious science behind it, the dodgy data sources, and the surprising companies that are playing around with this technology. Since its launch in september of 2020 the project has been viewed over 185.000 times. If you want to find out if you're more attractive than the Spice girls, make sure you visit www.hownormalami.eu about this event: https://program.mch2022.org/mch2022/talk/TKPHQJ/

A demonstration of the power of MQTT in combination with Node-RED. We'll also take a look at the "universal" Tasmota firmware for ESP8266 and ESP32-based devices. This all to hopefully make you enthusiastic to start building your own projects with these building blocks. A demonstration of the power of MQTT in combination with Node-RED. We'll also take a look at the "universal" Tasmota firmware for ESP8266 and ESP32-based devices. This all to hopefully make you enthusiastic to start building your own projects with these building blocks. MQTT is a very light message transport mechanism that uses a standard network connection and a subscribe-publish protocol to get messages from one device to one or more others in the network in a structured manner. Node-RED is a programming tool for wiring together hardware devices, APIs and online services very suited for working with MQTT messages. Tasmota started as a universal firmware for ESP8266/8285 IoT-devices, now with added support for the ESP32 and it comes with MQTT-support out of the box. With these tools, a raspberry pi and a few lines of script, we can start building home automation or whatever you want. about this event: https://program.mch2022.org/mch2022/talk/B3REPR/

Since early 2021, it has been impossible to buy most integrated circuits and various other components. I'll explain how and why this happened, why it's going to keep happening, and where the fragility of the electronics manufacturing ecosystem comes from. A terrible miscalculation by one unrelated industry (car manufacturing) caused the entire electronics market to fall apart in a spectacular way, meaning that for over a year now it's been impossible to buy many important electronic components, including most ICs. I'll talk about how the electronics component ecosystem is structured, why it's inherently fragile, and how everyone acting in their own best interest has made the problem worse. I'll also share some stories about working around supply issues at various companies and projects I've been involved with during this period. Come hear a fireside chat about how car companies are trash, how you can build a world economy on shortsightedness, and how two conference calls can bring down the entire world's supply of essential parts. about this event: https://program.mch2022.org/mch2022/talk/QKKTTH/

Sensor.Community - Global platform for Open Environmental Data We invite you to become part of Sensor.Community. The worldwide largest Air Quality sensor network run by contributors generating Open Data. Build a sensor, collect Open Data, share it in a continuous stream with the global network and join forces in local Sensor.Community groups. Sensor.Community is the global platform for environmental open data. We provide the software and assembly guide for the DIY sensor kits for citizen empowerment. Mission Statement: Sensor.Community is a contributors driven global sensor network that creates Open Environmental Data. Our mission is to inspire and enrich people’s lives by offering a platform for the collective curiosity in nature that is genuine, joyful and positive. Sensor.Community started 2015 in Stuttgart / South Germany as a local project. The goal then was the deployment of 300 low cost Air-Quality sensors in Stuttgart. These devices should be easy to build for everyone. Until now the platform has grown to more than 14.000 sensors in over 70 countries (January 2022). These sensors are measuring environmental data as Air-Quality, temperature, pressure and relative humidity. You can see the live values on the live map at Maps.Sensor.Community. Everything ever measured is available as Open Environmental Data. You can download all historical Open Data. To participate you can join a local group which you can discover on the community layer of the map where live values are displayed. -> https://maps.sensor.community/#2/0.0/0.0 We invite you to become part of the community. Build a sensor, generate Open Data, share it in a continuous stream with the network and join forces in local Sensor.Community groups to analyse it. Find like-minded people which care about the environment and the implications on our health. Stay informed and exchange with your neighbours. Once the sensor tube is connected to the network its measured values are available live on the map at Sensor.Community. These values are refreshed every 2 ½ minutes and enable all citizens to see how the situation is around them. The available historical Open Data of all ever measured values enable other projects to serve citizens with other specific services and functionality. Sensor.Community is here to serve citizens on a global layer with environmental Open Data. Our focus is to add further sensor methods, collaborate with institutions as RIVM.nl on data standards and better integrations in their daily work. One great example here is the integration of the Open Data from Sensor.Community into the Data-portal of the National Institute for Public Health and the Environment in the Netherlands at RIVM.nl about this event: https://program.mch2022.org/mch2022/talk/GNVPXC/

Food affects your body, food affects your mind. This talk describes how the performance of my brain has decreased over time and has returned by changing my diet. Basic food is not enough for your brain to deliver exceptional performance. Come with us and open your mind. Let your remedies be your food and your food be your remedies. Just think about it, I'm eating all day and losing weight. To be wide awake and in your right mind without "Club Mate" or coffee. Great recipes with three ingredients in a blender in seconds. Step by step with food to healing. Can you imagine a tasty gourmet cleansing cure? Results are better appearance, feel reborn, more powerful, mentally more stable, stress-resistant. Hack your food. A report of personal experience and feelings. about this event: https://program.mch2022.org/mch2022/talk/ZZVHAL/

Open source code makes up 90% of most codebases. How do you know if you can trust your open source dependencies? Do you know what’s really going on in your node_modules folder? It is critical to manage your dependencies effectively to reduce risk but most teams have an ad-hoc process where any developer can introduce dependencies. Software supply chain attacks have exploded over the past 12 months and they’re only accelerating in 2022. We’ll dive into examples of recent supply chain attacks targeting the JavaScript, Node.js, and npm ecosystems, as well as concrete steps you can take to protect your apps, projects, and teams from this emerging threat. Open source code makes up 90% of most codebases. How do you know if you can trust your open source dependencies? Do you know what’s really going on in your node_modules folder? It is critical to manage your dependencies effectively to reduce risk but most teams have an ad-hoc process where any developer can introduce dependencies. Software supply chain attacks have exploded over the past 12 months and they’re only accelerating in 2022. We’ll dive into examples of recent supply chain attacks targeting the Node.js, JavaScript, and npm ecosystems, as well as concrete steps you can take to protect your apps, projects, and teams from this emerging threat. Takeaways for this talk: 1. Understand the scope of the supply chain threats against the open source ecosystem, specifically with a focus on JavaScript, Node.js, and npm. 2. Review of our work to audit every open source package on npm to detect the following types of attacks: malware, typo-squats, hidden code, misleading packages, permission creep 3. Specific examples and code walk-throughs of actual malware that was found on npm 4. Discussion of existing methods and tools for detecting supply chain attacks against open source, including limitations 5. Introduction of new open source tool which helps detect supply chain attacks in real-time about this event: https://program.mch2022.org/mch2022/talk/VWGMEH/

Smart lights have become pervasive in many homes, but they are often designed in such a way that makes them completely reliant on the manufacturer's servers and connectivity to the Internet. However, we would much rather be fully in control of our own devices. As a target, we took on the cheap and popular Tuya white-label smart lights, which can be commonly found under many different brand names. In this talk, we'll take you on a trip through our 1-year journey of hacking these devices, including the details of finding and remotely exploiting a vulnerability in the firmware for devices based on the custom BK7231 SoC. Smart lights have become pervasive in many homes, but they are often designed in such a way that makes them completely reliant on the manufacturer's servers and connectivity to the Internet. However, for people who want full control of their own devices, there weren't many affordable and easily usable options. One such option became available near the end of 2018 when a vulnerability was discovered in the firmware of smart devices manufactured by Tuya Smart. Shortly after the discovery of said vulnerability, a project by the name of tuya-convert popped up. It allowed its users to remotely flash Tuya devices with custom firmware by exploiting the - at the time - new vulnerability. By 2020, however, tuya-convert stopped working for an increasing number of new devices. The manufacturer had patched the vulnerability, and unexploitable devices have begun showing up on the market. That's when we decided to look for the next vulnerability for Tuya's smart devices in order to allow remote custom firmware flashing once more. We spent some time hacking on early devices which were based on the ESP8266 platform, and a while later switched to the newer devices based on the custom BK7231 SoC. During the course of our research, we found issues in firmware on both platforms and rediscovered some helpful reversing techniques. In this talk, we'll cover our research journey with its ups and downs on both platforms, as well as the details of a memory corruption vulnerability which we exploited on the BK7231-based devices. about this event: https://program.mch2022.org/mch2022/talk/WKJKEY/

Reproducible Builds is a technique that can be used to secure the software delivery pipeline. For open source software, they even allow independently auditing published binaries, removing a single point of trust from the distribution process. This can be used by individual projects or even complete Linux distributions. The software delivery pipeline is an increasingly popular attack vector: even when your project source code is known-good (audited), an attacker can inject malware by gaining access to the machine used to build (and sign) the binaries. Reproducible Builds provides a mechanism to counter such attacks: by building the same source code on independently-administered machines and comparing their outcome. Several Linux distributions (Debian, Arch, openSUSE, NixOS, OpenWrt, ...) are working towards using Reproducible Builds to make their binary packages independently verifiable, but also individual projects use it to verify their deliverables. This talk will give an overview of progress, results and next steps. about this event: https://program.mch2022.org/mch2022/talk/E33B8K/

What is inside a Verifone VX820 payment terminal and how can we run our own code (i.e. Doom) on it? This is a story of a software guy messing around with an interesting embedded device. It includes some reverse engineering, *interesting* security practices, proprietary executable formats, and a game of bootloader hopscotch. Starting with an overview of the Verifone VX820 payment terminal's hardware and software, we will follow my curious exploration with the final goal of arbitrary code execution. We will see how such seemingly single-purpose devices actually allow for general purpose computing under the hood, and even contain all the peripherals needed for a fun (retro-)gaming experience. I will show the struggles and practicalities of turning a (previously found and published) bootloader vulnerability into a practical exploit. This includes some reverse-engineering of bootloaders, kernel code, communication protocols and file headers. Following this I will cover the "engineering" part: how to construct a minimum viable "toolchain" to be able to port a codebase like Doom. There will be demos of the exploit and some programs that have been ported :) about this event: https://program.mch2022.org/mch2022/talk/PBTBJG/

Overview of **SmartOS** - an illumos based distribution with **focus of virtualization**. Must be named technologies used by SmartOS: ZFS, Crossbow, Zones, DTrace, Bhyve. The talk will show you the benefits of SmartOS; Configuration and management of SmartOS virtualization technologies; Tooling on top of SmartOS. SmartOS is a specialized Type 1 Hypervisor platform based on illumos. It supports two types of virtualization: - OS Virtual Machines (Zones): A light-weight virtualization solution offering a complete and secure userland environment on a single global kernel, offering true bare metal performance and all the features illumos has, namely dynamic introspection via DTrace - Hardware Virtual Machines (KVM, Bhyve): A full virtualization solution for running a variety of guest OS's including Linux, Windows, *BSD, Plan9 and more Virtualization in SmartOS builds on top of the foundational illumos technologies inherited from OpenSolaris, namely: - ZFS for storage virtualization - Crossbow (dladm) for network virtualization - Zones for virtualization and containment - DTrace for introspection - SMF for service management - RBAC/BSM for auditing and role based security - And more about this event: https://program.mch2022.org/mch2022/talk/SNNLNX/

The Dutch Institute for Vulnerability disclosure goes international. We’re building a community of enthusiasts to help stop the downward spiral of the internet, we’re calling it CSIRT.global. It’s aimed at international collaboration. Trust and communication, balanced with a sense of reality about the sensitive information we deal with, are key. Here’s how you can help, one vulnerability at a time. The internet is wonderful. It is also broken and spiralling downward. Governments and big tech often don’t serve the interests of internet enthusiasts. Some people decided to “be the change”. In 2019, The Dutch Institute for Vulnerability was founded, and now it has over 70 volunteers. You have likely heard of our work, like Citrix and Kaseya. Communication is key in disclosing and informing organizations. Internationally, this can pose a real challenge. Therefore, we are building an international community, and we’re calling it CSIRT.global. Trust and communication are key. In this talk, you will learn why we’re expanding, what our challenges are, how we deal with sensitive information, and why it’s logical a volunteer organisation takes the lead. Finally, you’ll learn how you can help. about this event: https://program.mch2022.org/mch2022/talk/ZY39UT/

One of the most used video entry systems is analysed for this talk. Severe security implications that range from passive, information gathering, attacks to active attacks where unauthorised access to buildings can be gained. During the talk the technical details of the bus system will be discussed and multiple attackvectors will be demonstrated. At the end of the talk the disclosure procedure to high value targets and the manufacturer are also discussed. Feeling safe at home and at work is one of the most basic requirements for living. Part of being, and feeling, safe is the physical access system of the building. For this talk the video intercom system designed and manufactured by one of the most used brands in building access control and video entry technology is… evaluated. In order to paint a picture of the magnitude of the security implications it is good to mention that this system is not just used in apartment buildings but also in government offices such as the probation office in The Netherlands. The talk will discuss the technical aspects of the bus system and how and why this has major security implications. Not only passive attacks will be shown but also more active attacks that can compromise physical security in the buildings where the system is used. The talk will also include how disclosure to some potential targets was done. The reaction from the manufacturer will also be discussed in the talk. about this event: https://program.mch2022.org/mch2022/talk/NV9RBY/

We will walk through the basics of sound field control systems and what you would need to build your own Wave Field Synthesis and Beamforming enabled system. We will unveil some of the challenges we faced at HOLOPLOT and what solutions power our tech stack. Most of us are very familiar with multiple ways of manipulating or creating audio content; filters, effects, synthesizers, etc., and most certainly don’t think about where the audio content is going to be reproduced. What if I told you your creativity could go further, and you can also control how sound is being reproduced? In this talk, we will learn about sound field generation and control systems, their benefits, and everything you need to build your own Wave Field Synthesis and Beamforming system. Additionally, we will unveil some of the implementation and infrastructure challenges we faced and solved at HOLOPLOT and then let you hear what a HOLOPLOT Matrix Array can actually do. about this event: https://program.mch2022.org/mch2022/talk/JN39DH/

In recent times, internet censorship has increased throughout the world. With governments realising the potential of the internet in spreading information as well as misinformation. To curb or rather control this, governments around the globe have taken to censoring parts of the internet by directing major ISPs to block access to those websites. The ISPs around the globe have used different methods to block the access. Some resulting in DNS filtering to others doing SNI ( Server Name Information ) inspection. There have been ways to bypass these restrictions, like DoH ( DNS over HTTPS ) and eSNI ( encrypted SNI ), now ECH ( Encrypted Client Hello ), supported by TLS 1.3. To counter these, some authoritarian regimes ( like China ) have blocked eSNI traffic altogether, to be able to sniff the traffic and block the websites accordingly on their ‘Great Firewall’. I will be talking about how these different mechanisms of blocking user traffic works, by doing a live demo of packet analysis using wireshark. Later on in the talk, I will show a comparative study of the different ISPs around the globe and what their approaches are at blocking the internet ( if any ). After understanding how the technologies work, I will show ways to bypass the censorship by some open source tools, DIY solutions and finally some paid/managed alternatives. What are the things that one should look for when choosing one such paid solution. Towards the end, I will announce the open source repo for the tool used to conduct this project, where people can contribute and use it for their own research purposes. I am analysing some of the major ISPs 'around the globe' and how they’re blocking websites and easy + cost-effective ways to bypass them. There has been some previous research into this, but that has included some limited dataset, back in 2020. From then to now a few things have changed including the way ISPs are blocking websites. With this project, I am trying to : 1. Analyse the global censorship of internet 1. Globally, how different ISPs block the network traffic 2. Distribute the client globally and ask volunteers to run this at least once 2. Release the client and server code as open source 3. Publish all the data, country wise on a github repo for everyone to consume The talk would be in two parts : - First : Where I talk about the technical nitty-gritties as to how censoring in modern times work. - Second : After understanding how the technologies work, we will try to bypass those by some open source tools, some DIY solutions and finally some paid/managed alternatives, what are the things to look for when choosing one such provider. Hence, even for folks who aren't much into the technical details of censorship, would have some arsenal of tools to bypass it, by the end of the talk. Starting with the famous question : “What happens when you type a (https) URL in your browser and press enter ?” I will cover all the aspects, starting with 1. DNS lookup 2. TLS Handshake - ClientHello,TLS negotiation, ServerHello etc 3. Encrypted Data Transfer All of these would be shown a live demo of in wireshark, alongwith decrypting the traffic using certificates. Explaining these stages are important because each of these involve ISPs tampering with to censor the internet. Once we know how it’s done, we will figure out how to resolve this privacy issue. Like : Stage How ISPs censorConfirmation TestBypass DNS Lookup Their own DNS as default DNS filtering Check on dnsleaktest.com Use DoH ( DNS over HTTPS ) dnscrypt TLS Handshake SNI Inspection Use the tool Check on wireshark Use VPN eCH Further move on to ECH ( Encrypted Client Hello ) and why China hates it . Show a comparative analysis of the different ISPs I’ve tested using the tool. Towards the end talk about the open source tool, the client and server code themselves. The tool, client app : 1. Sends request to alexa top 1M domains 2. Records packet response and to find what kind of filtering is in place ( if any ) 3. Sends data to central dashboard server for generating heatmaps and graphs The tool, server app : 1. Will consume all the JSON data and validate its findings. 2. Generate heat maps for all the ISPs and different websites that are blocked. Talk about solutions to bypassing the censorship : 1. Open source tools & solutions - DoH, changing default DNS etc 2. DIY things - self hosted 1-click VPN, ephemeral on-demand sshtunnel etc 3. Paid solutions - Things to look for when choosing one such paid solution about this event: https://program.mch2022.org/mch2022/talk/VYSFLR/

This talk gives an introduction in how single sign-on protocols (such as SAML, OAuth 2, and Open ID Connect) work. Subsequently, I will talk about the most commonly found vulnerabilities in these protocols. Finally, I will show various ways to resolve these vulnerabilities. Single sign-on remains a hot topic in 2022. Many organisations are in the process of moving identity management and authentication out of of their application, and offload it to an identity provider. By doing so, application owners hope to avoid the challenges that come with identity management. However, the application will still needs to obtain the user’s identity from the identity provider, which is done using a single sign-on protocol. Unfortunately (or fortunately?), single sign-on protocols are difficult to get right. Flaws in the implementation of single sign-on protocols can have serious consequences. In the worst case, such flaws allow hackers to log into the application as an arbitrary user. And this is not just a theoretical risk, but something I encounter in my work as ethical hacker on a regular basis. I will start this talk by giving an introduction to some of the protocols that are commonly used to achieve single-sign on. Such protocols include SAML, OAuth 2, and Open ID Connect. Subsequently, I will talk about the state of single-sign on applications as I encounter them as an ethical hacker. I will demonstrate which vulnerabilities I encounter in the real world, and what the consequences of such vulnerabilities could be. At the end of this talk, you should have a good overview of how single sign-on protocols work, what types of vulnerabilities typically occur in them, and how to protect against such vulnerabilities. about this event: https://program.mch2022.org/mch2022/talk/MTTAXV/

The web is a mess, bloated with data-gathering trackers, predatory UX, massive resource loads, and it is absorbing everything it touches. The Small Internet is a counter-cultural movement to wrangle things back under control via minimalism, hands-on participation, and good old fashioned conversation. At its heart are technologies like the venerable Gopher protocol or the new Gemini protocol offering a refuge and a place to dream of a better future. Join me and be reintroduced to Gopher in 2021 and learn what this old friend has to offer us in a world full of web services and advertising bombardment. We will also explore the new Gemini protocol and how it differs from Gopher and HTTP. We will explore the protocols themselves, their history, and what the modern ecosystems are like. I will briefly review the technical details of implementing servers or clients of your own, and how to author content as a user. Discussion will cover limitations, grey-areas, and trade-offs in exchange for speed and simplicity. Through these alternative protocols we'll see the small internet in action. about this event: https://program.mch2022.org/mch2022/talk/RPVQD8/

During crises – like COVID19 – software is made under immense pressure in a volatile environment. Security should focus on anything that makes one vulnerable. OpenKAT does this with real forensic proof, with the right context and useful in real life. The COVID19-crisis forced to build dozens of software solutions rapidly with too few people under immense pressure. Meanwhile the threat level as well as the stakes are high. Failure is not an option yet guaranteed. You can no longer afford vague questions like are we secure? You need to find what makes you vulnerabilities before that hit you as well as soon as they hit you. With dozens COVID-testing organizations to monitor, three countries to help, 17 projects to help come to life and to guard during operation security is an impossible job with the tools and people available. The options are simple: drown or find a trick to survive.The COVID19-crisis forced to build dozens of software solutions rapidly with too few people under immense pressure. Meanwhile the threat level as well as the stakes are high. Failure is not an option yet guaranteed. You can no longer afford vague questions like are we secure? You need to find what makes you vulnerabilities before that hit you as well as soon as they hit you. With dozens COVID-testing organizations to monitor, three countries to help, 17 projects to help come to life and to guard during operation security is an impossible job with the tools and people available. The options are simple: drown or find a trick to survive. The OpenKAT-project was started to fill in that gap to take a radical different approach on security while not discarding what we have already. KAT (cat in Dutch) delivers information on vulnerabilities in a forensic accurate manners, monitors environments and more over proves how things change over time. The OpenKAT-project was started to fill in that gap to take a radical different approach on security while not discarding what we have already. Just like a cat you see more while looking at the same information just by interpreting it differently. KAT (cat in Dutch) delivers information on vulnerabilities in a forensic accurate manners, monitors environments and more over proves how things change over time. about this event: https://program.mch2022.org/mch2022/talk/UB3SGY/

The Dutch Institute for Vulnerability Disclosure scans the internet for vulnerabilities and reports these to the people who can fix them. Our researchers will go into some of our recent cases, our board members will describe how we professionalise vulnerability disclosure and why we are allowed to somewhat break laws on computer crime and privacy. The Dutch Institute for Vulnerability Disclosure scans the internet from our own AS (50.559) for vulnerabilities and reports these to the people who can fix them. In this session our board members will describe how we professionalise vulnerability disclosure with an independent foundation, a Code of Conduct, a common identity, a collaboration platform for independent researchers and a CSIRT to report vulnerabilities to owners of vulnerable systems. Our researchers will go into some of our more known cases, ranging from Citrix 2020, to KaseyaVSA and Log4j in 2021 and others which commenced between filing this proposal and the conference. They will demonstrate how to scan, validate data, report to users and how they responded. By doing this, we kind of break several laws on computer crime and privacy protection. Still, we are allowed to as we serve to make the internet more secure. Moreover, we also guide young security researchers to the responsible path of vulnerability disclosure. And we do it Dutch style: open, direct and for free. Chris and Astrid will go into the way we work, Frank and Lennaert will do the cases. about this event: https://program.mch2022.org/mch2022/talk/9LMTLA/

The use of data is accelerating, not only owing to increasing technical possibilities like AI and earth observation, but also as a result of crises such as COVID-19 and climate change which accelerate the deployment of data and technology. This is happening on a small and local scale, as well as on a large and global one. Precisely because these data are potentially personal, and its use is becoming commonplace, it is urgent to internalize shared principles for the responsible use of data to achieve greater common value, better data and better products. These are preferably intrinsic principles that guarantee the safety and privacy of people, our social values and human dignity. In this talk we discuss an ethical framework for the use of location data. Together with the crowd we will investigate several dilemma's in which location data play an important role. How far can you go? Which values are more important? These are the kind of questions we will present and discuss. The ethical framework is designed for the use of (personal) location data. How do we ensure that the technology we develop is at the service of society? How do we respect shared public values and the individual rights when developing applications made possible by location data? With the discussions that have erupted around apps for monitoring the COVID-19 pandemic, it is clear that the answers to these questions are not crystal clear. The purpose of the ethical reference is to inspire data users, but also policy makers and decision makers to help them collect, use and apply personal location data responsibly. Location data are all data that show where people are located and how they move, whether or not they can be traced. This data can, for example, be collected via mobile apps. In this talk we discuss the different values that are conflicting in the use of location data. We present several dilemma's and cases and will involve the public actively in discussing these dilemma's. You can find a concept of the ethical framework at https://www.geonovum.nl/themas/geo4covid/ethical-framework In our work looking for responsible use of spatial data we are working together with W3C: https://w3c.github.io/sdw/responsible-use/ about this event: https://program.mch2022.org/mch2022/talk/VJVH9E/

"SomeApp would like to access files in your Documents folder." Anyone who has used macOS recently will be familiar with these prompts. But how do they work? What happens if you deny the access? Are they an effective defense against malware? This talk will give an up to date overview of the local security measures of macOS and describe some ways they can be defeated in practice. Sandboxing on macOS was introduced 13 years ago, but Apple didn't leave it at that. Starting with the release of macOS Catalina in 2019, even non-sandboxed apps need to deal with sandbox-like restrictions for files: all apps now need to ask permission to access sensitive files, like those in the user's documents or desktop folder. Features such as the camera and geolocation already needed user approval from a permission prompt. This system of user controlled permissions is known as Transparency, Consent, and Control (TCC). Any new security measure like this will also mean the introduction of new security boundaries, with new classes of vulnerabilities. Many parts of the system have to be re-examined to check for these vulnerabilities. For example, apps can now try to attack other apps in order to "steal" the permissions granted by the user to those apps. Apple has taken steps to allow apps to defend themselves against this, such as the hardened runtime. Ultimately, however, it is up to the developer of an app to safeguard its permissions. Many developers are not aware of this new responsibility or do not take it seriously. Developers who are used to the security model of Windows or Linux often do not know that these boundaries even exist. To make matters worse, Apple's documentation and APIs for these features are not as clear and easy to use as they should be. This talk will start with an overview of local security restrictions on the latest version of macOS, Mojave. Then, it will cover some ways these protections might be bypassed in third-party applications. Finally, we will show some vulnerabilities we found in software that allowed escaping the macOS sandbox, stealing TCC permissions and privilege escalation, such as CVE-2021-30688, CVE-2020-10009 and CVE-2020-24428. about this event: https://program.mch2022.org/mch2022/talk/WEBRZC/

Pentesting can provide vital information to organisations about their security. However, many reports end up never being used or not being used to their full potential. That is partly due to the pentesters and their writing skills. But in large part is also to be attributed to CISO's lack of guidance and involvement. I am not a spokesperson for all CISOs, but I do have quite a bit of experience in the pentesting field as a CISO. As such; I would like to share my thoughts about how a CISO can lead the pentesting process as effectively as possible, as well as what I as a CISO like to see in my pentesting reports. I will also highlight why some reports don't get used and why I think we struggle with this as much as we sometimes do. I think this information is usefull for pentesters and CISO's alike, because it shows both sides how the other one works and thinks. Many pentesting reports are never followed up on, which is a shame, because a lot of hard work goes into them a lot of the time. In this talk I will try to explain why this happens and will try to clarify how we can make some changes to the practice, reporting and follow up to make pentests more effective. I will also talk about some of the things that have gone wrong during pentests I've been involved in. Scoping is important y'all! If you're interested in what managers generally think certain jargon means (what's a checksum?), come check out the talk and you'll find out ;). p.s. I can't find where to edit my personal profile, but I'm currently no longer CISO for DIVD. Since the beginning of this year I've joined the Board instead. about this event: https://program.mch2022.org/mch2022/talk/QXRYJH/

In his 1948 [scientific article](https://en.wikipedia.org/wiki/A_Mathematical_Theory_of_Communication) entitled ["A mathematical theory of communication"](https://people.math.harvard.edu/~ctm/home/text/others/shannon/entropy/entropy.pdf), Claude E. Shannon introduced the word “bit”. The article laid down the foundations for the field of information theory which in turn opened up the way to digital information processing. In this overview talk, I will present in an accessible way three nuggets from Shannon information theory: 1. Shannon entropy, a mathematical quantification of uncertainty of a probability distribution. 2. Information Compression: Shannon entropy provides a fundamental lower bound on how much information from a source can be compressed so that it can later be recovered. 3. Error correction: when digital information is transmitted over a noisy channel, the methods of error-correction provide ways to protect this information from noise. Yet again, Shannon entropy provides the fundamental quantity of how much information can be transmitted over a noisy channel. While the content of this talk is of mathematical nature, I will try my best to make it accessible to anybody with (very) basic knowledge of probabilities and programming. **All material (including presentation, Jupyter notebooks etc.) for this talk are available at https://github.com/cschaffner/ITNuggets** Since 2014, I have been teaching a yearly master course about information theory at the University of Amsterdam. Together with my PhD student Yfke Dulek, we have written [lecture notes](https://github.com/cschaffner/InformationTheory/blob/master/Script/InfTheory3.pdf) on the topic and developed some additional learning tools based on these notes. I love the mathematical beauty of Shannon’s information theory, and I believe that the three concepts above can be appreciated by a much wider audience that does not regularly read scientific papers of the mathematical kind. While I will focus on making the fundamental theoretical aspects accessible to the audience, all of these concepts also have some interesting (and challenging) programming aspects to them that can be explored further after my talk. about this event: https://program.mch2022.org/mch2022/talk/8DFDSE/

Your organization suffers from a serious system compromise from a cyber-crime ring, state-actor or both. The cyber inferno is raging through your organisation. In this talk I’d like to walk you through a situation which escalated quickly. The talk is intended to inspire people to take preventative measures, keep their heads as cool as possible, and keep a grip on the situation. Your organisation suffers from a serious system compromise from a cyber-crime ring, state-actor or both. The cyber inferno is raging through your organisation. The problems are countless. A neighbouring organisation is looking at your problems and wondering about the potential of spillovers. What if these spillovers escalate beyond your grasp? How and what do you communicate internally and externally? In this talk I’d like to walk you through a situation which escalated quickly. The talk is intended to inspire people to take preventative measures, keep their heads as cool as possible, and keep a grip on the situation regardless of the size of the challenge. about this event: https://program.mch2022.org/mch2022/talk/CVGHG9/

The security of Tesla's cars has been a hot topic in recent months. In addition to being one of the safest cars on the road, it is also well-protected from hacks and attacks. But how does Tesla make sure their vehicles are safe and secure? This case study sheds light on the inner workings of Tesla's Passive Entry System and core VCSEC protocol, and reveals possible attack vectors. The security of Tesla's cars has been a hot topic in recent months. In addition to being one of the safest cars on the road, it is also well-protected from hacks and attacks. But how does Tesla make sure their vehicles are safe and secure? Tesla is a company that has been innovating in the automobile industry for many years. They have been designing and manufacturing electric vehicles which are environmentally friendly and sustainable. Tesla has also been pioneering and implementing new technologies in the automotive industry. One of these innovations is their Bluetooth interface which is used for locking and unlocking vehicles and can be used to uniquely identify cars, as well as to track them in real-time with apps like "Tesla Radar". The introduction of Tesla's Bluetooth passive entry system, previously only used by model 3 and model y, into new product lines like the Tesla 2021 Model S/X facelift variant, shows the strategic importance of this technology for Tesla in the years to come. This case study sheds light on the inner workings of Tesla's Passive Entry System and core VCSEC protocol, and reveals possible attack vectors. about this event: https://program.mch2022.org/mch2022/talk/DCTJDE/

Lightning talks are a 5 to 10 minute quick talk on an interesting subject. They can be with or without slides, and with or without proper preparation. if you weren't accepted in the main CfP, this is also a great opportunity to give an abridged version of your talk. These sessions will be available to sign up to later on, with details on the wiki: https://wiki.mch2022.org/Static:Lightning_Talks Lightning talks are a 5 to 10 minute quick talk on an interesting subject. They can be with or without slides, and with or without proper preparation. if you weren't accepted in the main CfP, this is also a great opportunity to give an abridged version of your talk. These sessions will be available to sign up to later on, with details on the wiki.Lightning talks are a 5 to 10 minute quick talk on an interesting subject. They can be with or without slides, and with or without proper preparation. if you weren't accepted in the main CfP, this is also a great opportunity to give an abridged version of your talk. These sessions will be available to sign up to later on, with details on the wiki: https://wiki.mch2022.org/Static:Lightning_Talks about this event: https://program.mch2022.org/mch2022/talk/LGUFFZ/

We know that we are in trouble as a human society, so what are we going to do about it? Showcase projects that do good things What can you do? Tension between system-level problems and the massive powers that be and the scope of individual impact. How do you leverage your privilege? imagining yourself in 2050 narratives. We know that we are in trouble as a human society, so what are we going to do about it? Showcase projects that do good things What can you do? Tension between system-level problems and the massive powers that be and the scope of individual impact. How do you leverage your privilege? imagining yourself in 2050 narratives. about this event: https://program.mch2022.org/mch2022/talk/KFEEZ7/

TASBot has appeared at multiple charity events raising more than $1.3M to date by hacking classic video game consoles through controller ports. In this talk, dwangoAC will show how TASBot, with help from a human speedrunner, can use a Stale Reference Manipulation exploit in the N64 game Legend of Zelda: Ocarina of Time to achieve persistent Arbitrary Code Execution to obtain the Triforce and many other surprising outcomes that have to be seen to be believed. The TASBot community, led by dwangoAC, has exploited glitches in a variety of creative ways leading to Twitch chat streamed through a Super Game Boy, Super Mario Bros. being played inside Super Mario World, and many more. Most of these exploits were on older NES and SNES consoles, but what could be done if Arbitrary Code Execution could be achieved on an N64? This talk aims to show the beautiful results that can ensue after taking complete control of Legend of Zelda: Ocarina of Time, including obtaining the Triforce itself! The talk will cover controller protocol evil maid attacks, Stale Reference Manipulation (Use After Free) exploitation, a four stage bootstrap chain to attain high speed data transfer, and more with audiovisual elements that are sure to be a surprise. about this event: https://program.mch2022.org/mch2022/talk/CNYE7A/

Only three years ago you wouldn't have had a chance to get this so-called reality past any decent editor. Now, plotting a book or movie has become increasingly hard and the next years in publishing will be interesting, since our standards in what is scary or believable or how dumb can one be to do XY as a book character, to get into whatever problems, have tremendously changed. I'm an author, writing crime novels and scifi and during the last three years, some collegues and I have often said the phrase "if this was a book, you wouldn't get that past an editor". But it seems, our standards on what is real, believable or doable have changed somewhat over the pandemic. This does not only afflict society itself (fake news, mobs, conspiracy myths etc.), but also (pop) culture and the its creators like authors of books or movie scripts. I have no forecast, on where we might end up or if movies and books will return to story worlds of our old believes, but I can share musings about society, tech and humanity's deepest desire in stories and authors who have to face a different kind of basic understanding of the world to start from when writing stories. about this event: https://program.mch2022.org/mch2022/talk/CPT3CD/

PolyCoin - A distributed game across MCH. The history at EMF Camp 2018 and 2022, and how it was made and works. See what is on the inside of the PolyCoin crypto miner devices, and why they were designed the way they were and what had to be compromised along the way, what can be improved, and plans for future versions. PolyCoin - is a game being deployed at MCH 2022, you'll see the PolyCoin crypto miner units installed throughout the site. This game involves "capturing" the crypto miners using an RFID card to collect the fictional crypto currency PolyCoin. Each player selects one of four fictional global corporations to support, and captures the crypto miners for their chosen company producing PolyCoins for them. The company with the most PolyCoins wins! Delving in to the brief history of the game at EMF Camp 2018 and 2022, and then explaining how it works and the various bits hang together to create the overall game. Covering PICmicro, ESP8285 (micropython), DFR0299, RC522 RFID, MQTT, Python on Raspberry Pi, and the hidden features of the game waiting to be discovered. I'll cover the problems with the original game deployed in EMF 2018 and how they were addressed with the PolyCoin game in 2022. Then the problems encountered in 2022 at EMF camp (far less issues!). This would ideally be suited to having this presentation followed by a hands-on session to see the parts that make the game. I should have enough bits to run a workshop as well to build a PolyCoin crypto miner unit, including surface mount and hand soldering all the parts and assembling the units themselves. about this event: https://program.mch2022.org/mch2022/talk/CRHHCU/

When the pandemic was declared over, Europe went into a war. This was the first major conflict in Europe where an important part of the war was waged online. Anonymous, disBalancer, IT ARMY, and the western governments. These are stories from the cyber front lines. Welcome to a panel of speakers from Ukraine and EU. We will discuss what happened on the front, how it helped to turn the war in Ukraine's favor, the international cooperation, the cyber offensive, and the how and why of it. We will discuss, DDoS, information disclosures, backdooring, psyops, and propaganda. Chris Kubecka, CEO and Founder of HypaSec, Anastasiia Voitova, security software engineer at Cossack Labs, and Peter van den Heuvel, Security analyst from Saxion, are joining us to share their stories. https://twitter.com/SecEvangelism https://twitter.com/vixentael https://twitter.com/pvdheuvel_ https://twitter.com/KirilsSolovjovs about this event: https://program.mch2022.org/mch2022/talk/PL3FTM/

Mechanical locks are everywhere and come in all shapes and flavors. But choosing the right lock can be rather difficult. For example, what is better? A lock that is hard to pick, or a lock with hard to duplicate keys. This talk will not give you the answers, but it will help you understand the trade-offs. Furthermore, we will have fun threat modeling our locks. Is lockpicking a threat you should be concerned about, or is the brick the tool you should care for? Jan-Willem, from The Open Organization of Lockpickers (Toool), will share his ideas on mechanical security and threat modeling. We will make it fun and use several case studies, starting with defining a lock, threat modeling mechanical puzzles, and use several case studies where the threat was overrated. Simply put, attacks against locks range from the trivial to mastery. I'll share multiple failed attempts of attacks that should be trivial, but were not in practice, and we will analyze them together. about this event: https://program.mch2022.org/mch2022/talk/T8MCQW/