
Chaos Computer Club - archive feed
Observability is just Contextualized Monitoring. Change my mind. (38c3)
The infrastructure industry has recently started co-opting a well-established software engineering practice and is doing so badly. Observability is being overhyped as something revolutionary that you can only practice using the latest new shiny tool. Real observability provides insight only when we take the time to understand what we’re monitoring, why it matters to our organization, and how each metric connects to our goals. This talk critiques the tool-centric approach that has taken over infrastructure monitoring, encouraging infrastructure teams to step out of their offices, touch grass, and talk with their organizations to answer the essential question: What is it you want monitored anyway and why? We’ll explore the power of applying observability as a practice, not just a product, and highlight F/L/OSS tools that offer powerful, adaptable solutions without the hype. If you’re tired of replacing one flashy dashboard with the next, or if you’ve ever wondered whether observability is really the game-changer it’s made out to be, this talk is for you. Let’s take a cue from our software engineering friends and approach observability as a collaborative, cross-functional practice that builds on strategy rather than the next tool. The term “observability” is everywhere, packaged as the next game-changer for infrastructure. But beneath the hype, it’s little more than contextualized monitoring—and the infrastructure industry has co-opted it badly. This talk takes a critical look at the tool-centric approach to observability that’s dominating the market and offers an alternative: an approach to observability based on strategy, not the latest tool. We’ll explore the origins of observability as a software engineering practice, where things went wrong as it moved into infrastructure, and how tool-driven marketing misses the point. 
From understanding why we’re monitoring to identifying what actually matters to our organizations, this session challenges infrastructure teams to rethink observability and ask essential questions that can transform monitoring into a true asset. Finally, we’ll dig into powerful F/L/OSS tools that already do the job well, without the hype or the hefty price tag, and consider how infrastructure teams can use and contribute to open-source observability practices that support genuine insight. Join me in side-stepping the hype, and discover how real observability could mean thinking like a hacker—using practical, adaptable, and community-driven solutions that prioritize understanding over just another flashy dashboard. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/observability-is-just-contextualized-monitoring-change-my-mind/
From Ions to Data: How (Quadrupole) Mass Spectrometers Work and Why They Matter (38c3)
Mass spectrometers are indispensable analytical tools in chemistry and, on top of that, highly interesting and astonishing instruments. This talk gives a vivid introduction to mass spectrometry with a focus on quadrupole mass spectrometers. Mass spectrometers from the hacker's perspective: Mass spectrometry may seem complicated at first glance, but with a basic understanding of physics and a bit of logical thinking you can find your way into this world surprisingly well. I have been working intensively with mass spectrometers for four years – a technology that fascinates me more and more and that I am diving deep into. This talk is aimed at everyone who so far knows little or nothing about mass spectrometry, and explains in an accessible way how (quadrupole) mass spectrometers work and why they are so crucial for chemical analysis. We look at how these devices work at the molecular level and which exciting applications exist that influence our everyday lives. The physical fundamentals are explained in an understandable way, so that everyone – even without prior knowledge – can follow how and why this technology is so important. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/von-ionen-zu-daten-die-funktionsweise-und-relevanz-von-quadrupol-massenspektrometern/
corebooting Intel-based systems (38c3)
Gaining a reasonable level of trust in the firmware that runs your everyday activities. Corebootable or not corebootable, that is the question. The nerdiest nerds already corebooted their old X230 ThinkPads... but what about your new ThinkPad, or even your gaming rig? Well, Intel has a trick called the "BootGuard" inside the Management Engine. It is supposed to protect the firmware and only allow updates from signed sources... somewhat like the Secure Boot. This means we can't coreboot our newer machines, right? ..right? Well, for that to work... it needs team-play between OEMs and Intel, which doesn't always work out. In this talk you will learn how to port coreboot to modern Intel systems - how we did it and even got to game on them. We'll go over coreboot development, tell you how to find ~~potential subjects~~ compatible mainboards and what it would take to boot on them! We'll explain what "payloads" are, which one is right for you, and what it takes to make such a system run mainline Linux. We'll also take a look at the current state of AMD systems and how they're doing with OpenSIL (which will replace AGESA in the coming years). Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/corebooting-intel-based-systems/
Rekordbox, give me my data! - An overview of data access in DJ software & hardware (38c3)
We hackers must be a great danger to our own data, if the manufacturers take the measures that I will, among other things, present to you in this talk. How do I get data out of DJ systems and perhaps back in again? When we as DJs enter data into DJ systems, we may want to read it out or modify it from the outside with our own software. This talk is an overview of the development and state of databases, reverse engineering, network protocol captures and encryption. Unfortunately, AlphaTheta, Serato and co. make this harder for us than it needs to be. Sometimes it is hard to believe how far they go to do so. Note: This talk may contain traces of SQL. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/en/event/rekordbox-gib-mir-meine-daten-berblick-von-datenzugriff-in-dj-software-hardware/
Everyone VS. MP3 - Audio file formats for DJs and co. (38c3)
This talk covers the fundamentals of sampling rate, bit depth and bitrate and explains the strengths and weaknesses of all audio file formats relevant to DJs and producers: MP3, AAC, FLAC, WAV, AIFF and maybe more. If you have ever had problems with some files on CDJs, this is the right talk for you. In addition to the fundamentals mentioned in the abstract, I explain what lossy and lossless mean, why lossless is not necessarily the best term, what interpolation is and what PCM is all about. I also look at different aspects of the file formats: quality, file size / compression, metadata support, compatibility with popular DJ hardware and more. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/en/event/everyone-vs-mp3-audio-datei-formate-fr-djs-und-co/
Small seeds - why funding new ideas matters (38c3)
More money for Free and Open Source Software - a never ending issue. In a tech world built on start-ups, venture capital and data-gathering apps, the fight for sustainable funding for ethical technology projects is a fierce one. After some big victories for FOSS funding in the last years, this talk is about the importance of not forgetting the small, underdog civil society projects. How do we fund technology in a sustainable way? Fund infrastructure, fund maintenance, fund that project some random person in Nebraska has been thanklessly maintaining since 2003. While infrastructure is extremely important (no questions asked), in this talk we want to explore why a diverse funding landscape that also allows for supporting new people and groups with fresh ideas can only be incredibly valuable to the field of FOSS. How can we use existing funding structures, bend and twist them to meet the real needs of communities? How can we make them more useful to projects and people who are not typically the recipients of their money? We want to talk about how to build support infrastructure that allows us to fund in ways that bring more diversity, more novel ideas and more inclusivity to our communities - and we want to talk about how to do this in a sustainable way. This talk is a call to government institutions, funders and other organisations with the power to distribute money to join forces, break down the barriers of their traditional funding models and create a broad and vibrant network of small, diverse and lightweight funds that meet the needs of different groups and communities. It is an invitation to communities to come together and share their needs in order to help build structures that can actually support their work. There is hope in FOSS projects, old and new, big and small. Let's hack all kinds of systems to give them the support they need. 
Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/small-seeds-why-funding-new-ideas-matters/
From Convenience to Contagion: The Libarchive Vulnerabilities Lurking in Windows 11 (38c3)
In the October 2023 update, Windows 11 introduced support for 11 additional compression formats, including RAR and 7z, allowing users to manage these types of files natively within File Explorer. The enhancement significantly improves convenience; however, it also introduces potential security risks. To support these various compression formats, Windows 11 utilizes the libarchive library, a well-established open-source library used across multiple operating systems like Linux, BSD, and macOS, and in major projects such as ClickHouse, Homebrew, and Osquery. The libarchive has been continuously fuzzed by Google’s OSS-Fuzz project, making it a time-tested library. However, its coverage in OSS-Fuzz has been less than ideal. In addition to the two remote code execution (RCE) vulnerabilities disclosed by Microsoft Offensive Research & Security Engineering (MORSE) in January, we have identified several vulnerabilities in libarchive through code review and fuzzing. These include a heap buffer overflow vulnerability in the RAR decompression and arbitrary file write and delete vulnerabilities due to insufficient checks of libarchive’s output on Windows. Additionally, in our presentation, we will reveal several interesting features that emerged from the integration of libarchive with Windows. And whenever vulnerabilities are discovered in widely-used libraries like libarchive, their risks often permeate every corner, making it difficult to estimate the potential hazards. Moreover, when Microsoft patches Windows, the corresponding fixes are not immediately merged into libarchive. This delay gives attackers the opportunity to exploit other projects using libarchive. For example, the vulnerabilities patched by Microsoft in January were not merged into libarchive until May, leaving countless applications exposed to risk for four months. The worst part is that the developers might not know the vulnerability details or even be aware of its existence. 
To illustrate this situation, we will use the vulnerabilities we reported to ClickHouse as an example to demonstrate how attackers can exploit the vulnerabilities while libarchive remains unpatched. We will introduce the new Compressed Archived folder feature in Windows 11 and review the vulnerabilities of the previous Compressed (zipped) folder. Next, we will explain how we analyzed the libarchive that Windows 11 introduced to support various compression formats. Despite extensive fuzz testing by OSS-Fuzz, we discovered several vulnerabilities in libarchive through code review and fuzzing, including an RCE (Remote Code Execution) vulnerability. Finally, we will use the ClickHouse case to explain how we triggered an RCE vulnerability in ClickHouse while the patch had not been merged upstream. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/from-convenience-to-contagion-the-libarchive-vulnerabilities-lurking-in-windows-11/
identity theft, credit card fraud and cloaking services – how state-sponsored propaganda makes use of the cyber criminal toolbox (38c3)
The Russian disinformation campaign Doppelgänger is considered to be technically highly sophisticated. Research by CORRECTIV and Qurium has revealed that the Russian state relies on the toolbox of internet fraudsters for the dissemination of propaganda and fakes. A talk on the state's possible alliance with the criminal world - and on possibilities and limitations of countering it. Its goal is to undermine the support for Ukraine and polarize Western states: For more than two years, the Russian disinformation campaign Doppelgänger has been running on social networks and its own portals. Despite sanctions, the affected countries have not been able to stop the campaign. This is also because the architects of the campaign employ methods tried and tested by cyber criminals: Identity theft, use of stolen credit cards, bulletproof hosting, cloaking services and multi-level forwarding mechanisms. Research by CORRECTIV and Qurium based on data provided by Antibot4Navalny has uncovered the technical infrastructure of the campaign. The talk guides the audience through details of the new potential alliance between the Russian state and the criminal world. It raises questions about the accountability of authorities and platforms and opens the discussion to the possibilities and limits of resistance against malign foreign influences in the digital sphere. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/identity-theft-credit-card-fraud-and-cloaking-services-how-state-sponsored-propaganda-makes-use-of-the-cyber-criminal-toolbox/
Microbes vs. Mars: A Hacker's Guide to Finding Alien Life (38c3)
Mars is famously the only planet (we know of) that is entirely inhabited by robots. And these robots are working hard on looking for something that would be one of the most significant discoveries in the history of science: Alien life. But how do you look for something that no one has ever seen? And would we recognize it if we find it? Join me on a journey through Mars’ ancient past and Earth’s most extreme environments, where scientists hunt for strange microbes that defy all our expectations: Organisms thriving in salt lakes, breathing metal, and building bizarre microbial ‘cities’ out of rock. Are they the blueprint of what alien life might look like? I will introduce you to the cutting-edge technology we use to analyse and understand them, and how we detect their “biological fingerprints” that might one day help us to find Martian life. This talk will not only give you a deep look behind the scenes of the search for life on Mars, but also a new appreciation for the strange and wonderful life on our own planet. I am a PhD student in astrobiology and planetary science at the University of Hong Kong and want to introduce you to the exciting research that is happening in the search for life on Mars. We will talk about what Earth and Mars looked like 3 billion years ago, you will get to know some truly weird microbes, learn about the instruments on Mars rovers and the exciting upcoming Mars sample return missions. I will also share highlights from my own research and fieldwork in Mars-like environments: From growing extremophiles in the lab to testing planetary rovers on Mount Etna, and research adventures in the remote deserts of the Atacama and western China. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/microbes-vs-mars-a-hacker-s-guide-to-finding-alien-life/
Basics of software publication (38c3)
You want to share your code with the world. That's great! But how? Just uploading it to Github? Or how do I do this? In this talk I want to give you an overview of the minimal steps you should take to prepare your code for publication. Covering what belongs in a repository, how to make your code sharable and which license to pick. This talk is based on the training [Foundations of Research Software Publication](https://codebase.helmholtz.cloud/hifis/software/education/hifis-workshops/foundations-of-research-software-publication/workshop-materials-data-pub). The target is to enable developers to create and publish sustainable software which can be used and built upon by others. While this talk is an introduction, even more experienced developers might take something home. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/basics-of-software-publication/
Going Long! Sending weird signals over long haul optical networks (38c3)
Computer network operators depend on optical transmission everywhere as it is what glues together our interconnected world. But most of the industry is running the same kinds of signals down the optical transceivers. As part of my need to "Trust, but verify" I wanted to check my assumptions on how the business end of modern optical modules worked, so join me in an adventure of sending weird signals many kilometres, and maybe set some records for the most wasteful bandwidth utilisation of optical spectrum in 2024! Computer network operators depend on optical stuff everywhere as it is what glues together our interconnected world. But most of the industry is running the same kinds of signals down the optical transceivers. As part of my need to "Trust, but verify" I wanted to check my assumptions on how the business end of modern optical modules worked, so join me in an adventure of sending weird signals many kilometres, and maybe set some records for the most wasteful bandwidth utilisation of optical spectrum in 2024! In this talk we will cover the basis of optical networks, how it fits in with networking, some of the weird things pluggable optics do, the perhaps odd industry de facto standards, and bending the intended use cases of existing tech to make signals that would deeply probably confuse a modest signals intelligence agency. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/going-long-sending-weird-signals-over-long-haul-optical-networks/
All Brains are Beautiful! – The Biology of Neurodiversity (38c3)
How do you think? People can experience thoughts, feelings, and sensory inputs very differently. While context and substances are known to promote changes in perception and thinking, the biological basis is very diverse, contrary to what is often assumed. Brain cells come in extraordinary varieties in size, shape, and complexity. Their synaptic connectivity provides the foundation of all our sensory input, motor output, cognitive functions, and thoughts. In short: They shape us. This talk gives an introduction about the extent of variability in neuronal patterns that underlies neurodiversity and critically discusses the idea of neurodivergence, diagnosis criteria in Autism and ADHD from a biological and first person-perspective. We find that biological variability of brains is an evolutionary feature that helps us to adapt to our environment but comes with certain risks and downsides in our modern society. While many things are still unknown, scientists have identified genes and environmental impacts that shape our network architecture during brain development and which help to explain why we think and experience the world so differently. This talk gives an introduction about the extent of variability in neuronal patterns that underlies neurodiversity and critically discusses the idea of neurodivergence, diagnosis criteria in Autism and ADHD from a biological and affected person-perspective. It aims to clear up stereotypes, dogmas that still stick in our society and provides latest insights from science and community about what makes our brains work so differently. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/all-brains-are-beautiful-the-biology-of-neurodiversity/
GLAM between LOD and ¯\_(ツ)_/¯. Museum critique for hackers (38c3)
Have you always wondered how museum collections get onto the net, why online collections mostly still look the way catalogues have since the 19th century, what strategies and funding programmes are behind it, which companies hold quasi-monopolies here, and why museums attach so many hopes (access! participation! democracy!) to digitisation? The talk is an invitation to hackers to take part in the critical further development, opening and reflection of museums. GLAM = abbreviation for collecting institutions: Galleries, Libraries, Archives, Museums LOD = buzzword in museums: Linked Open Data ¯\_(ツ)_/¯ = placeholder for: Let's do something with AI, Google Arts & Culture, Facebook Metaverse! When my research project on digitisation in museums started four years ago, I presented my first ideas at rC3 ("How can we stop the digital museum"). And now I would like to share the results of four years of research on the digitisation of museums. My sources are above all the annual reports of the Staatliche Museen zu Berlin since 1990, and the digital strategies of the German Federal Government, with their focus on artificial intelligence, virtual reality and linked data, which include, for example, the multi-million projects "museum4punkt0" and "Datenraum Kultur". I show larger developments and conflicts and many examples, all guided by the question: Which bridges can we build between museum critique and data politics? Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/glam-zwischen-lod-und----museumskritik-fr-hacker-innen/
Resource Consumption of AI - Degrow or Die (38c3)
Not only the energy consumption of AI is exploding. Less known is that other resources like water or metal are also affected. The talk gives an overview on the devastating impact of datacenters on our environment. Degrowth scenarios seem to be the only way to escape from this ecological nightmare. Summarizing the known facts and serious predictions the talk gives an overview on the upcoming possible and impossible scenarios of the energy and resource consumptions. Even if predictions are not easy, economic and ecological limits are discussed. Finally, degrowth will be discussed. Can we degrow datacenters without losing too much of our digital life? How much can be saved using alternative technologies? Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/resource-consumption-of-ai-degrow-or-die/
Computing Genomes & what that has to do with privacy (38c3)
What does it take to get a Genome into the computer? A slightly technical, political and personal dive into the field of genomics. This will be in the first part an introductory talk to Genomics, covering "How do you get a genome into your computer?". As I'm a bioinformaticist, I will briefly mention sequencing, but focus on the computation. Because it turns out that getting a human genome into your computer involves a lot of computation! In the second part I will outline where privacy comes in here, and why it is essential, if we want to do work with genomic data responsibly. Understanding privacy goes beyond the technical: economic incentives, legal policy and security need to be taken into consideration to protect genomic data adequately. In the third part I will tell of a University program which I organized in which we did our own Genomic Analysis with students, as privacy preserving and digitally sovereign as possible, and tell of the challenges we faced and the learnings we made. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/computing-genomes-what-that-has-to-do-with-privacy/
Is Green Methanol the missing piece for the Energy Transition? (38c3)
In an accelerating climate crisis, renewable energy and electrification are the most important tools to reduce greenhouse gas emissions. However, in sectors where electrification is infeasible or impossible, other solutions will be needed. While hydrogen gets a lot of attention, it suffers from challenges like being difficult to transport and store. While it does not receive nearly as much attention as hydrogen, another molecule, methanol, could play a crucial role in bringing down emissions in challenging sectors like shipping, aviation, or the chemical industry. Methanol is the simplest carbon-containing liquid and is currently almost exclusively made from fossil fuels. However, it could be made by utilizing renewable energy, green hydrogen, and carbon dioxide, and such green methanol could play an important role in a climate-neutral future - both as a fuel and as a chemical feedstock[1]. Methanol is relatively easy to store and transport. It could provide energy during times with little sun and wind and possibly even balance multi-year fluctuations [2][3]. It could also serve as a shipping fuel and, indirectly, help make aviation fuels. Furthermore, it could form the basis of a fossil-free production of chemical products like plastics [4][5]. That raises important questions about stranded assets in today's chemical industry, as the existing plastic production with steam crackers could become obsolete. Despite its prospects, methanol is no magic silver bullet. Making it from CO2 requires enormous amounts of energy. It should be used carefully and only where efficient direct electrification is infeasible (no methanol car, sorry). Alternative production pathways using climate-friendly biomass and waste have turned out to be challenging in the past, but they could lower some of the enormous energy needs. 
[1] [From Coal enabler to the Minimal Green Methanol Economy, Industry Decarbonization Newsletter, 2024](https://industrydecarbonization.com/news/from-coal-enabler-to-the-minimal-green-methanol-economy.html) [2] [Ultra-long-duration energy storage anywhere: Methanol with carbon cycling, Joule, Brown, Hampp, 2023](https://www.cell.com/joule/abstract/S2542-4351(23)00407-5) [3] [Should we burn Methanol when the Wind does not blow?, Industry Decarbonization Newsletter, 2023](https://industrydecarbonization.com/news/should-we-burn-methanol-when-the-wind-does-not-blow.html) [4] [Climate change mitigation potential of carbon capture and utilization in the chemical industry, PNAS, Kätelhön et al, 2019](https://www.pnas.org/doi/full/10.1073/pnas.1821029116) [5] [How to make Plastics without Fossil Fuels, Industry Decarbonization Newsletter, 2023](https://industrydecarbonization.com/news/how-to-make-plastics-without-fossil-fuels.html) Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/is-green-methanol-the-missing-piece-for-the-energy-transition/
Moving with feelings: Behind the scenes of a one man show mobile & fiber operator in Spain (38c3)
How to run an MVNO with values: What are the requirements? Do you need a government license, maybe a lot of investment? There are different types of MVNOs. We will talk about how to do business as an MVNO while respecting users' privacy, supporting free software, believing in the right to repair and making your customers technologically sovereign. The issues with data privacy are being discussed more than ever. However, from the end user perspective, it is difficult to understand the full extent of the impact on their privacy when using well known "free" services or maybe acquired hardware like a vacuum cleaner or a cooking robot. On the other side, there are projects that demonstrate that they can do business respecting their users. One way to start to take care of your privacy is by using free software, but this software needs to be high quality, easy to use for the end user, has to be documented in a clear way and has to resolve issues and bugs as fast as possible. This is very hard work for the developers, so their work has to be compensated. Last but not least, the right to repair plays a big role for being technologically sovereign. It's as important to be aware of your privacy when using online services as it is to know how repairable and privacy-respecting hardware is before you buy it. Can you fight for and support what you believe in while doing business? I think so! Let's talk about it. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/moving-with-feelings-behind-the-scenes-of-a-one-man-show-mobile-fiber-operator-in-spain/
Ten Years of Rowhammer: (38c3)
The density of memory cells in modern DRAM is so high that disturbance errors, like the Rowhammer effect, have become quite frequent. An attacker can exploit Rowhammer to flip bits in inaccessible memory locations by reading the contents of nearby accessible memory rows. Since its discovery in 2014, we have seen a cat-and-mouse security game with a continuous stream of new attacks and new defenses. Now, in 2024, exactly 10 years after Rowhammer was discovered, it is time to look back and reflect on the progress we have made and give an outlook on the future. Additionally, we will present an open-source framework to check if your system is vulnerable to Rowhammer. In 2014, Kim et al. reported a new disturbance effect in modern DRAM that they called Rowhammer. The Rowhammer effect flips bits in inaccessible memory locations just by reading the content of nearby memory locations that are attacker-accessible. They trigger the Rowhammer effect by accessing memory locations at a high frequency, using memory accesses and flushes. The root problem behind Rowhammer is the continuous increase in cell density in modern DRAM. In early 2015, Seaborn and Dullien were the first to demonstrate the security impact of this new disturbance effect. In two different exploit variants, they demonstrated privilege escalation from the Google Chrome NaCl sandbox to native code execution and from unprivileged native code execution to kernel privileges. Later, in 2015, Gruss et al. demonstrated that this effect can even be triggered from JavaScript, which they presented in their talk "Rowhammer.js: Root privileges for web apps?" at 32C3. Now, in 2024, it is precisely 10 years after Rowhammer was discovered. Thus, we believe it is time to look back and reflect on the progress we have made. We have seen a seemingly endless cat-and-mouse security game with a constant stream of new attacks and new defenses. 
We will discuss the milestone works throughout the last 10 years, including various mitigations (making certain instructions illegal, ECC, doubled-refresh rate, pTRR, TRR) and how they have been bypassed. We show that new Rowhammer attacks pushed the boundaries further with each defense and challenge. While initial attacks required native code on Intel x86 with DDR3 memory, subsequent attacks have also been demonstrated on DDR4 and, more recently, DDR5. Attacks have also been demonstrated on mobile Arm processors and AMD x86 desktop processors. Furthermore, instead of native code, attacks from sandboxed JavaScript or even remote attacks via network have been demonstrated as well. Furthermore, we will discuss how the Rowhammer effect can be used to leak memory directly, as well as related effects such as Rowpress. We will discuss these research results and show how they are connected. We will then talk about the lessons learned and derive areas around the Rowhammer effect that have not received sufficient attention yet. We will outline what the future of DRAM disturbance effects may look like, covering more recent effects and trends in computer systems and DRAM technology. Finally, an important aspect of our talk is that we invite everyone to contribute to solving one of the biggest unanswered questions about Rowhammer: What is the real-world prevalence of the Rowhammer effect? How many systems, in their current configurations, are vulnerable to Rowhammer? As large-scale studies with hundreds to thousands of systems are not easy to perform, such a study has not yet been performed. Therefore, we developed a new framework to check if your system is vulnerable to Rowhammer, incorporating the state-of-the-art Rowhammer techniques and tools. Thus, we invite everyone to participate in this unique opportunity at 38C3 to join forces and close this research gap together. 
Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/ten-years-of-rowhammer-a-retrospect-and-path-to-the-future/
Longtermism: The "Spirit" of Digital Capitalism (38c3)
The talk takes a social-science look at the ideology of longtermism. Its function in digital capitalism is analyzed. With the help of classics of sociology, it shows why this ideology is developing in a fascist direction. Longtermism is the new hype ideology of Silicon Valley. Elon Musk and Sam Altman have outed themselves as adherents, and it is the official company policy of OpenAI. Longtermism postulates that we should not concern ourselves with the present or the near future, but should instead direct our main political attention to the development of a computer heaven in the distant future. Central to this are assumptions about the development potential of artificial intelligence that bear distinctly religious traits. The talk presents the results of sociological research on this new ideology. Because none of this is really that new. The "morality" of longtermism fits astonishingly well with the business goals of the digital corporations and turns them into a metaphysics. The social function of longtermism thus resembles the function that Max Weber identified for Protestantism as the "spirit" of capitalism in early capitalism. Like Protestantism before it, longtermism today serves on the one hand as a metaphysical justification of companies' business models and on the other as an individual morality meant to spur its adherents to greater performance. We are currently witnessing a shift to the right within longtermism, whose prominent representatives such as Elon Musk or Peter Thiel openly position themselves in favor of Donald Trump. Here too, the development of longtermism resembles that of comparable earlier ideologies. Classic analyses show why individualistic ideologies of achievement have the potential to tip in a fascist direction. The rightward shift of the Silicon Valley elites thus becomes understandable.
Finally, the talk addresses the influence of Musk and Thiel on the US elections and attempts to assess further developments. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/longtermismus-der-geist-des-digitalen-kapitalismus/
From Simulation to Tenant Takeover (38c3)
All I wanted was for Microsoft to deliver my phishing simulation. This journey took me from discovering trivial vulnerabilities in Microsoft's Attack Simulation platform, to a Chinese company to which Microsoft outsourced its support department that wanted all my access tokens. I finally ended up hijacking remote PowerShell sessions and obtaining all data from random Microsoft 365 tenants, all the while reeling in bug bounties along the way. This talk is the result of what happens when you ask a hacker to simply automate sending out a phishing simulation. My first attempt with Microsoft's new Attack Simulation platform resulted in three bug bounties for the most trivial vulnerabilities and no more faith in the product. Then I tried building a phishing simulation program myself and the last thing I needed was to allowlist my IP address in Exchange Online. I ended up in a rabbit hole where I discovered that Microsoft outsourced their support department to a Chinese company that wanted all my access tokens. I then tried intercepting client-side requests made by the Security & Compliance center with the goal of replaying these to a backend API, only to discover that by fiddling with some parameters I could now hijack remote PowerShell sessions and access Microsoft 365 tenants that were not mine. Tenants where I could now export everything, e-mail, files, etc. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/from-simulation-to-tenant-takeover/
Stadt.Land.Klima! - For Transparency in Municipal Climate Protection (38c3)
Municipal climate protection is often opaque, complex and bureaucratic, and we want to change that! As the joint, cross-movement project "Stadt.Land.Klima!", we make (the lack of) municipal climate protection visible, measurable and understandable! With a uniform catalogue of measures, everyone interested in the climate can rate the progress of their city or municipality and make it visible in our ranking: https://www.stadt-land-klima.de/municipalities Beyond that, we want to bring together the many different local actors of the climate justice movement in the individual municipalities, foster cooperation, and share individual groups' success projects across Germany! Municipal climate protection is often opaque, complex and bureaucratic, and we want to change that! Stadt.Land.Klima! is a joint, cross-movement portal for municipal climate protection that aims to make municipalities' progress on climate protection visible and measurable. At its heart is a clear ranking that shows how many climate protection measures a place has already implemented. Instead of complicated CO₂ balances, the catalogue of measures counts concrete steps toward climate neutrality, and at the same time serves as a roadmap for the municipality on the way to climate neutrality. The ratings come directly from climate activists on the ground, e.g. from ForFuture local groups, LocalZero local teams or local climate initiatives. But the plan goes beyond the ranking: we want to bring together the many initiatives, offerings and projects of the climate movement on the ground, foster cooperation between organizations, and share individual groups' climate success projects across Germany! Stadt.Land.Klima! is run entirely by volunteers: the local teams, our social media team, our designers and developers, and a wide variety of subject-matter experts.
The application is open source and always welcomes contributions: https://github.com/StrategieLukas/stadt-land-klima Together, municipal climate protection becomes visible and effective. Join in and rate YOUR municipality! Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/stadt-land-klima-fr-transparenz-im-kommunalen-klimaschutz/
Dude, Where's My Crypto? - Real World Impact of Weak Cryptocurrency Keys (38c3)
We present Milksad, our research on a class of vulnerabilities that exposed over a billion dollars worth of cryptocurrency to anyone willing to 'crunch the numbers'. The fatal flaw? Not enough chaos. Learn how we found and disclosed issues in affected open source wallet software, brute-forced thousands of individual affected wallets on a budget, and traced over a billion US dollars worth of prior transactions through them. In July 2023, people in our circle of friends noticed a series of seemingly impossible cryptocurrency thefts, which added up to over one million US dollars. A common denominator was discovered across the set of victims we knew: the wallet software `libbitcoin-explorer`. Vulnerable versions used a weak pseudorandom number generator when creating cryptocurrency wallets. Within a short period of time, we disclosed the vulnerability, [CVE-2023-39910](https://milksad.info/disclosure.html). Using this weakness, attackers were able to compute private keys of victims, which is supposed to be impossible under normal circumstances. In this talk we

* 📜 - tell the story of uncovering a digital currency heist
* 🌐 - dive into similar vulnerabilities
* 🔍 - trace the movement of coins
* ⚖ - outline ethical challenges of cryptocurrency security research
* 🛡 - explore methods to defend and protect against this bug class

Our intention is to share the story of how little details can have big consequences and the importance of quality chaos. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/dude-where-s-my-crypto-real-world-impact-of-weak-cryptocurrency-keys/
PC Abbreviations: A Reading (38c3)
I read aloud from an antique work on computer abbreviations. Abbreviations can confuse anyone who has not been working with computers for long. But even veterans don't know every abbreviation, or do you know that IFE stands for intelligent front end, CAFS for Content Addressable File System, or that RUN is the command for executing programs in BASIC? This deplorable state of affairs must be remedied, and it will be, through a reading from a compendium of common PC abbreviations. So that there is something in it for connoisseurs too, the compendium dates from 1994. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/pc-abkrzungen-eine-lesung/
OMG WTF SSO - A beginner's guide to SSO (mis)configuration (38c3)
A couple years ago I knew basically nothing about Single Sign-On but now I'm talking at 38c3 about it! Come find out how you too can go from beginner to the question-asker who protects your hackerspace/company/etc. from bad SSO implementations. Single Sign-On (SSO) is sold as a way to • centralize managing your organization’s users, • make life easier for your colleagues, and • enforce consistent security standards. But SSO protocols are just ways for an identity provider to share information about an authenticated identity with another service. Me having a way to tell my vendor “yeah, that’s Bob” doesn’t tell me what the vendor does with this information, or if the vendor always asks me who’s coming in the door. A bad SSO implementation can make you think you’re safer, while hiding all the new and fun things that have gone wrong. To get the most out of implementing SSO, I need to know what I’m trying to accomplish and what steps I need to follow to get there. To illustrate why SSO needs to be set up carefully, for each of the things you need to do right, I’ll give you some fun examples of creative ways you and your vendor can do this wrong. We all learn from failure, right??? I’m sharing this info because this year I got deeply involved in the SSO setup for several vendors at work. It turns out that I’m good at asking weird questions, and it’s an extremely valuable thing to do. If you know how things should be, then you know where they could be broken, and you can ask your vendors (and your colleagues!) “weird questions” before an adversary does. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/omg-wtf-sso-a-beginner-s-guide-to-sso-mis-configuration/
Self-Defense Course: Meme Warfare (38c3)
You are not immune to propaganda and the only winning move is to first recognize you are forced to play The Game. Meme warfare: that means fast-moving, easily consumable propaganda on social media. Every day we are the target of deliberate opinion manipulation, all the more so when an election is coming up again. One of the most important aspects of media literacy is recognizing propaganda and so-called "fake news", dealing with it in an informed way, and protecting oneself from influence. But how? Few things confront us in everyday life today more often than advertising, propaganda and disinformation. As a society we no longer even realize that these things have measurable effects on the psyche, and that this is the only reason they can be so omnipresent. But in the election results and political scandals of the last 10 years we see again and again how public opinion is deliberately influenced, and we sense that something is tipping in our democracy. The talk is a short introduction to the topic and comprises three short and snappy blocks: What is propaganda anyway, and why should I care? What does propaganda look like in the age of the internet and social media? And how can I protect myself and those closest to me from being influenced? Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/selbstverteidigungskurs-meme-warfare/
Hacker Jeopardy (38c3)
The Hacker Jeopardy is a quiz show. The well known reversed quiz format, but of course hacker style. It once was entitled „number guessing for geeks“ by a German publisher, which of course is an unfair simplification. It’s also guessing of letters and special characters. ;) Three initial rounds will be played, the winners will compete with each other in the final. The event will be in German, we hope to have live translation again. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/hacker-jeopardy/
Something with Wood for a Change (38c3)
Illustrated talk on "sustainable interior furnishing", with items brought along to touch, plus tips and tricks on construction, design and execution. As a renewable raw material, wood is an environmentally friendly building material, but as a natural product it has its peculiarities. The talk covers the basics of woodworking, what to watch out for, and how stable joints can often be made entirely without glue or screws. The accompanying pictures follow two projects from the construction drawing through the raw planks to the finished product and give insights into a craft that can often get by without machines. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/mal-was-mit-holz/
Hacking Victorian Bodies: From Grid to Vector Space (38c3)
This performative lecture by SOLID FLESH Collective explores how generative AI can reshape historical body representations into tools for imagining new bodily futures. Drawing from Muybridge’s chronophotography, which fixed bodies into a rigid scientific grid, we investigate AI’s capacity for fluid, multidimensional embodiment. Using open-source AI models to ‘resurrect’ Muybridge’s subjects and defy commercial censorship, we reveal speculative possibilities for bodily motion and identity. Our work positions the ‘vector body’—a digitally-mediated form of self-imagination—within a broader conversation on identity fluidity, algorithmic embodiment, and liberating futures beyond conventional body ideals. In this performative lecture, the SOLID FLESH Collective reimagines how artistic practice can transform historical methods of body representation into tools for imagining radical new forms of embodiment. SOLID FLESH Collective, a hybrid space bridging the realms of gym, gallery, and think tank, examines how Muybridge’s chronophotography once ‘solidified’ bodies within a rigid grid, contrasting it with generative AI’s potential for unprecedented fluidity in self-reimagining. We present a series of experiments in ‘resurrecting’ Muybridge’s subjects, using open-source AI tools to transform scientific documentation into speculative fictions. When commercial AI flagged these Victorian images as ‘pornographic,’ this rejection spurred us to explore alternate approaches, resulting in the creation of wonderfully surreal, inhuman movements with animDiff—as if the AI, uninformed by human motion, were an animator imagining it for the first time. The lecture positions the AI-mediated body within a multidimensional vector space of possibilities, spanning dimensions of gender, age, class, and experience. 
Through our custom ComfyUI workflow and selected clips from our ongoing film project (solidflesh.com), we show how this ‘vector body’ allows for forms of self-imagination that break free from the solidifying gaze of the camera. Our technical explorations engage larger questions around identity fluidity, algorithmic embodiment, and the possibility of a new, digitally mediated somatic imagination. As mainstream AI development often reinforces conventional body ideals, we speculate on alternative futures, asking how these technologies might instead enable liberating bodily self-conceptions. Moving beyond Muybridge’s grid and current AI’s polished limitations, we explore what approaches to algorithmic embodiment might emerge when we embrace the glitches and ‘failures’ of these systems. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/hacking-victorian-bodies-from-grid-to-vector-space/
Release Keynote: ChaosGPT and the Large Congress Model (38c3)
ChaosGPT has revolutionized the way we think! The congress-proven technology is finally going _open source_; in this keynote, CEO Gitte Schmitz and CRO Deliria Tremenz celebrate the release of the Large Congress Model and explain what is really inside AI. At this year's congress, ChaosGPT successfully processed hundreds of requests and produced astonishingly accurate answers to every conceivable user request: and all of it analog! As a _community-sourced_ generative knowledge model, these sensational successes were achieved with an outstanding energy consumption of 0 kWh (in other words: extremely climate-neutral!). Has it been a black box so far? Yes! Will it become open source? Absolutely!* The leadership team is proud to finally be able to lift the veil on the entire code behind ChaosGPT and the Large Congress Model (L38C3M). After months of development, it is time to give the full potential of Analog Intelligence back to the community.** CEO Gitte Schmitz and CRO Deliria Tremenz give an exclusive look behind the scenes of the flourishing new-new-tech startup. With playful ease they connect the track **Queerness** with **compulsory digitalization**, and with their answers generate considerable added value for potential angel investors (and those who want to become one). Let us unveil the unrecognized potential of AI! *The open source definition used by Studio Gitte Schmitz also includes the _business models_ "Open Window" and "Freemium". ** Any usage fees will continue to be charged in accordance with the terms of use (NuOrG §283 Abs.15f). Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/release-keynote-chaosgpt-und-das-large-congress-model/
Attack Mining: How to use distributed sensors to identify and take down adversaries (38c3)
Ever wondered why your web server seems to be under constant attack from what feels like everyone on the internet? Me too! Join me in this session where we'll explore the data of millions of attacks from hundreds of sensors around the world, to identify who is attacking us from where and why. Additionally, we will have a look into how we can use that data to get abusive systems taken down, and how successful this approach actually is. Buckle up for a deep dive into the constant battle to protect systems on the internet against adversaries gaining access, and how you can help make the internet a safer place! Looking at the 2024 M-Trends report, brute force is still one of the main reasons for adversaries to gain access and compromise companies. In fact, 6% of all initial access is done via brute force. Knowing this, as well as that attackers are constantly trying all sorts of attacks against any internet-connected device, there seems to be a gap between what is currently mostly done (block the attack) versus what should be done (report and take down the attacker)! This talk will start with a short introduction on how to set up a system that is able to collect attacks from distributed sensors, enrich them at a central location, as well as use the data to reach out to ISPs and other governing bodies to report the abuse. The sensors are Docker containers with modified OpenSSH servers that will block any login attempt, no matter which username and password combination is used, as well as log the timestamp, source IP, username, and password to a central location. Using this, the so-called "attack pot" is indistinguishable from other Linux systems, ensuring that no suspicion on the attacker's side is raised. For the enrichment part, the ISP's contact data is identified, and abuse notifications are sent via multiple channels to initiate a take down. 
Furthermore, automated bots monitor if the take down was successful and how long it took, allowing us to share some information on how successful this approach is, which ISPs are more cooperative, and where it is nearly impossible to get any system taken down. Generally, lessons learned with what could be potentially done better will be discussed! The second part of the talk will focus on the analysis of the collected attacks. Across all of the attacks, multiple clusters, which likely are adversarial groups moving from one target to another, could be identified. Furthermore, by analyzing the used credentials, there seems to be some correlation between internet-identifiable information like DNS, region, or OS and the credentials used in an attack. This will allow defenders to get a better understanding of how to defend and even put out decoy information to quickly identify attacks. The closure of the presentation will be an outlook on what could be done better from an ISP or governing body side to speed up take downs of adversarial infrastructure, as well as what everyone can do to make the internet a safer place! Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/attack-mining-how-to-use-distributed-sensors-to-identify-and-take-down-adversaries/
How election software can fail (38c3)
Experiences from a hacker working at the Election Council of The Netherlands. After critically following the elections for 8 years from the outside, a hacker was employed as one of the functional administrators of the software supporting the elections. Sharing experiences of the use of election software during 7 elections (2020-2023), from local and national to European, in The Netherlands. A governmental software project with strict deadlines and high security expectations. The software project for elections in The Netherlands is built by an IT organization [owned by German local governments](https://www.regioit.de/unternehmen/zahlen-daten-fakten). More than 10.000 Java files, what can possibly go wrong? During this time multiple emergency patches were needed and incidents occurred. Although at first explicitly *not* hired as a coder, within 3 months a Java code contribution was made that was unexpectedly more crucial than anticipated. This talk will show some incidents with the election software in The Netherlands: how the software failed, and when/how it was discovered. It will also go over seeing the elections from the outside and give some history of voting computers and software, ending with some reflection on the future. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/how-election-software-can-fail/
Hacker's Guide to Meshtastic: Off-Grid, Encrypted LoRa Meshnets for Cheap! (38c3)
Beginners can now create off-grid, encrypted mesh networks for cheap, with applications in emergency communication, sensor monitoring, and more! These mesh networks have been popping up in cities all over the world, and this talk will go over everything a beginner needs to run or build their own nodes. If you've ever wanted to legally create off-grid, encrypted mesh networks that can span over a hundred miles, you can get started with Meshtastic for around $10. This talk will serve as a beginner user's guide to Meshtastic, covering everything from hardware basics to advanced software configuration. We will explore making custom Meshtastic hardware, real-world results from deploying Meshtastic in Los Angeles, and attacks against mesh networks. Attendees will learn about LoRa, Meshtastic node and antenna options, software setup and configuration to extend its functionality, and real-world deployments of remote nodes. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/hacker-s-guide-to-meshtastic-off-grid-encrypted-lora-meshnets-for-cheap/
5 Years After Ibiza (38c3)
How right-wing populists in Austria returned to their former strength within 5 years and even won the election. The Ibiza affair is considered one of the biggest political scandals in the history of Austria's Second Republic. The secretly recorded Ibiza video shows then FPÖ leader Heinz-Christian Strache and FPÖ politician Johann Gudenus in a villa with a supposed niece of a Russian oligarch. A lot has happened since then. Too little has changed for the better, but at least it has by now become clearer, if only superficially, how closely the individual scandals that have shaken the Alpine republic since then are interwoven. The upheavals of recent years, not only in Austria, make it possible to draw parallels across national borders as well. The affairs surrounding former Wirecard board member Jan Marsalek, who as it happens is also Austrian, can be conclusively linked with the overall picture of Ibiza. The geopolitical upheavals, as well as the political challenges they bring for Europe, should not serve merely as amusement when seen through the example of the Alpine republic. How quickly and how far one of the model countries of the EU can, under the right conditions and influences, turn into a pariah should be understood as a serious warning in Germany as well. When the pillars of democracy begin to totter, the emergency often arrives much faster than most want to tell themselves. Austria may be small, and sometimes peculiar too, but the factors that within a very short time turned a model pupil into a problem child should not be downplayed. Five years later, in September 2024, the FPÖ came first in a parliamentary election for the first time, with 29.2 percent. It now stands at over 35% in forecasts, and the general political discourse has shifted by miles. Caution is called for.
Not only in Austria. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/5-jahre-nach-ibiza/
Mushroom-DJs, Strong AI & Climate Change: Connecting the Dots with Artistic Research (38c3)
The exploratory nature of artistic research can aid in the production of knowledge. Sometimes, this takes a detour through music-making mushrooms and making moonshine, sometimes it deals with societal reverberations of AI usage or how lithium extraction affects the planet. This talk gives an insight into how we do technology-assisted artistic research at ZKM | Hertzlab, the artistic research & development department of the Center for Art and Media, Karlsruhe. Artistic research takes the exploratory impulse of art and combines it with the wish for knowing the world that characterizes scientific research. It is neither science communication, nor purely artistic practice - it is located somewhere in between. As a field of its own, artistic research is still relatively young; at ZKM | Center for Art and Media, Karlsruhe, we explore what this means in the context of one of Europe's oldest media art institutions. Our six themes - lifecycles, connect, a common(s) world, ai-lab, post-human world, fellow futures - guide us in what we hope is a contribution to larger discourses from the point of view of art. With examples and projects, this talk will illuminate artistic research practices, their benefits and challenges, and how having a hacker mindset is the first step into becoming an artistic researcher. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/mushroom-djs-strong-ai-climate-change-connecting-the-dots-with-artistic-research/
(Not) a Broken Leg - Data Processing at CERT (38c3)
The CERT, the well-known medical and fire protection service of the Congress, has grown like everything else. Part of that is that managing patients and operations on sticky notes is slowly but surely no longer scaling. Anyone at the Congress may need help from the CERT at some point. To manage, log and coordinate operations, the medical and fire protection service of CCC Veranstaltung GmbH has in the past relied mainly on whiteboards and paper. With the growth of recent years, however, that no longer scales, and clear software tailored to the special needs had to be developed. Enter THOT - Trouble Handling Operations Terminal, the CERT's new dispatch and patient management software, which is finally being released to the community as an open source project during the Congress. In this talk we want to make transparent which data is collected and how it is processed when there is a fire, when you get injured, or when something worse happens, answer questions, and give you the opportunity to examine the system yourselves afterwards. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/k-ein-beinbruch-datenverarbeitung-im-cert/
Climate-Damaging by Design - The Ecological Costs of the AI Hype (38c3)
So-called generative AI has high computing requirements and therefore automatically needs a lot of energy. We want to show what the AI bubble has cost all of us in resources so far. Who is getting filthy rich from it? And who bears the ecological and social costs? So-called "generative AI" is not only a hype topic in politics and society; with it, the required computing capacities are also skyrocketing. The energy demand is so high that in 2024 Google, Microsoft and Meta one after another walked back their climate goals and now want to switch to dubious nuclear power solutions. There is a system to this, because Big Tech not only develops and finances the hyped AI applications; the same corporations also offer the required cloud capacities. From Chile and Spain to Taiwan, protests are stirring worldwide against the infrastructure behind the AI boom, from new mining projects and chip factories to hyperscale data centers. The rising consumption of energy, water and resources fuels the climate crisis, threatens ecosystems and violates indigenous land rights, all for hoped-for billions in profits on the side of Big Tech. In this talk we look at the ecological and human rights costs of the AI boom. We gather the facts and provide critical analyses and arguments regarding the AI hype. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/klimaschdlich-by-design-die-kologischen-kosten-des-ki-hypes/
Postpartum Punk: make space for unfiltered creativity (38c3)
After years as a journalist and filmmaker covering topics like crypto, the Holocaust and showbiz, everything changed for me 3 years ago after the birth of my daughter. While I hadn't planned to be a mother, I decided to keep this pregnancy at 41; however, this grass turned out to be too high for the lawn mower – I was ready to go for a rave, not to be locked in a baby dark room for 3 years. I felt like my brain had been reprogrammed overnight. The analytical mindset I once relied on—quick to analyse, explore, and understand complex topics—seemed to vanish, replaced by a simpler, instinct-driven state that prioritized pure survival and nurturing yet mixed with unhinged chaos, au naturel psychedelic downloads plus no sense of inhibition or fear of being seen. Handcuffed to a rainbow, I was gazing at the black clouds. Despite the shock at this involuntary IQ transplant, I quickly realised this new mind-tool-set was all in all fulfilling and liberating. I became my own fire brigade with an alternative emergency strap-on. Without the pressure to think analytically, I began channelling this raw energy into my joke band PUShY PUShY PUShY, creating what I now call the postpartum punk movement. The idea caught on – this summer we have been featured in the Guardian and The New Yorker. This fuels my missionarism towards another level: how can we embrace this wild, intuitive mindset, not only as parents but as people? And could new technologies help us experience or even learn from this state? 
In this talk, I’ll share my story and propose some solutions to help people connect and utilise with this raw, abstract, flippant side of the mind, whether or not they’ve experienced parenthood: haptic births, transcranial nursering, chaos VR sessions, neurofeedback baths, quantum aerobics, algorithm jams, and 'Near-Birth-Experiences' Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/postpartum-punk-make-space-for-unfiltered-creativity/
Gala Be Need Inn - 38c3 Edition (38c3)
No Congress without "Gala Be Need Inn", the German-language quiz podcast whose name is an anagram of the original. We settle the truly important questions of life: What is an alarm chair, what is the puke curve, and why do train conductors in France carry bang snaps? Join in, on stage or in the audience! Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/gala-be-need-inn-38c3-ausgabe/
Woman in the Middle (38c3)
Is cybercrime the more attractive "workplace" for people who fall outside the stereotypical image of an IT person - in contrast to cybersecurity? We uncover it! "But we have long been living in an equal world!", some say. But honestly, who among you thinks of a female hacker when hearing about a man-in-the-middle attack? We talk about hurdles and challenges that people who do not match the stereotypical image of an IT person still face today. From absurdly high barriers to entry, to having their competence denied, to completely different standards for demeanor and appearance - we uncover mechanisms of disadvantage and discrimination. With vivid stories that we ourselves have experienced as women in cybersecurity, many interviews with FINTAs and current trend figures, we paint a clear picture of this reality. Beyond that, we tell corresponding stories from other professional fields. But the picture has two sides: the underestimation of competence can be an unexpected advantage, especially in the world of cybercrime. When non-stereotypical hackers operate in the digital underground, new, surprising perspectives emerge. We examine equality in cybercrime and ask ourselves: What can we learn from this and adopt for better working conditions in legal lines of work? To that end we have a hack that we would like to propose and that, from our perspective, would help ensure that all people are actually granted their right to free choice of profession, free development and other human rights - so that all beings of this universe can enjoy a life in peace and freedom. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/woman-in-the-middle/
Hacking Life: How to decode and manipulate biological cells with AI (38c3)
AI methods are advancing biological research in diverse directions. In this talk, you will learn how we decode the fundamental building blocks of life with AI, and how it will help us to hack cells to cure diseases and beyond. The cell is the fundamental building block of biological organisms, such as us humans. As such, technologies to understand and hack cells enable the cure of diseases and potentially even to expand our life span. In my talk, I provide an overview on how biologists and bioinformaticians use AI to understand and hack cells. Understanding the role of individual cells is a core aspect of biological research, given the extreme diversity of cellular states and functions. A common measurement method to characterize a given cell quantifies which of its genes are activated and how strongly. While this provides a rich high-dimensional readout, it is complex to interpret, given the challenge of deriving an intuition about the meaning of all the individual gene activation levels, as well as their combinatorial effects. In my research, I combine recent AI methods, most prominently multimodal large language models, to enable the analysis and interpretation of these measurements with the English language. I will present this work alongside a more general overview into the research landscape of “AI cell models”. Furthermore, I will provide preliminary insights into how these interpretations form the basis to “hack” cells, which is accomplished through the introduction of complex “illegal instructions” in the form of molecular agents, which alter the behavior of the cell's internal programs. With this talk, I aim to provide the Chaos community with a focused insight into the biological cell and the ways in which recent developments in AI help us understand and manipulate them. 
Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/hacking-life-how-to-decode-and-manipulate-biological-cells-with-ai/
Ultrawide archaeology on Android native libraries (38c3)
A bug in a scraper script led to us downloading every single native library in every single Android app ever published in any market (~8 million apps). Instead of deleting this massive dataset and starting again, we foolishly decided to run some binary similarity algos to check if libraries are outdated and still vulnerable to old CVEs. No one told us we were opening Pandora's box. A tragic story of scraping, IP-banning circumvention, love/hate relationships with machine learning, binary similarity party tricks, and an infinite sea of vulnerabilities. A rumor has been going around: Android developers are slow to update native dependencies, leaving vulnerabilities unpatched. In this talk we will show how *wrong* this rumor is: Android developers are not slow to patch - they never heard of the word patching. We conduct a massive study over every single app ever published on Android (more than 8 million!). We explore trendy topics like Play Store scraping, Androzoo scraping, Maven repository scraping, the state of the Android ecosystem, binary similarity state-of-the-art methods vs binary similarity pre-historic methods, and the consequences of thinking you know how databases work when you actually don't. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/ultrawide-archaeology-on-android-native-libraries/
The IFG Is Dead – Best of Freedom of Information, Prisoner Liberation & Takeovers of Power (38c3)
The promises were big: flourishing landscapes of transparency, participation, corruption prevention, de-mo-cra-cy! The Freedom of Information Act (Informationsfreiheitsgesetz, IFG) was supposed to make the German state better. After years of bad administrative practice, bad court rulings and bad politics, however, it has become useless in important parts. This shows above all when one imagines scenarios of an anti-democratic takeover of government - transparency would be the first thing to go, and the ground for it has already been prepared. What to do? If the IFG is dead, we should fight to revive it – perhaps as an undead? Numerous scandals that FragDenStaat uncovered this year show where the path should lead: - We need more leaks & illegal instructions for civil servants - It is time to infiltrate administrations With the best of freedom of information, FragDenStaat, prisoner liberation and takeovers of power. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/das-ifg-ist-tot-best-of-informationsfreiheit-gefangenenbefreiung-machtbernahmen/
Howto Digital Education Policy (38c3)
How does digital education policy work? What is happening at the state, federal or municipal level, and how can one get involved meaningfully so that schools become properly digital? cyber4EDU discuss this in this episode of the Digital Education Cyber Talks podcast with two experts from the education apparatus. https://dect42.de/ https://cyber4edu.org/ The digitalization of schools consists of a mosaic of requirements, and understanding how these actually fit together and who is responsible for what is anything but easy: infrastructure, device provisioning, digital administration, education apps, data protection, open educational resources (OER), digital skills, media literacy and now AI as well. Getting involved in the digital education context can be quite opaque and challenging. To better understand how it all fits together, in this podcast we want to discuss how digital education policy works, how federalism, the BMBF, the Kultusministerkonferenz and the Digitalpakt Schule relate to one another, and how one can get involved meaningfully as an activist or association. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/howto-digitale-bildungspolitik/
May the forest be with you – Planting Trees Against the Climate Crisis? (38c3)
The Harz has been eaten by bark beetles, only one in four trees in Germany is considered healthy, and in Russia and North America the forests are burning on an enormous scale. At the same time, forests are regarded as one of the solutions in the climate crisis, as a CO2 store and producer of sustainable, renewable raw materials. Are forests in danger due to drought, bark beetles and fire? And can we counter the climate crisis with reforestation? Kirsten Krüger researches disturbance dynamics in forests at the Technical University of Munich and explains in her talk what forests actually do for us, why disturbances are a natural part of forests, and why planting trees alone is not an accurate answer to the climate crisis. Disturbances in the forest caused by drought, bark beetles and fire increasingly shape the landscape and receive more attention from media and politics. The concern ranges from the scenario that we will lose all forests to the loss of a valuable CO2 store and producer of wood. Planting new trees globally seems to be an intuitive answer to this, but it does not solve the challenge of the climate crisis we are currently facing. In my talk I want to explain why disturbances in the forest are not a problem per se but a part of forest development, and how they affect the CO2 storage capacity and other capabilities of forests. Forests are not static constructs in the landscape but a dynamic system that provides us with many services. There are plenty of reasons to plant trees, but why, where and how are decisive questions that I want to shed light on. I will also report from current research on the state of forests, how above all we humans influence the forest, and possible approaches to making forests more resilient. 
Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/may-the-forest-be-with-you-bume-pflanzen-gegen-die-klimakrise/
Drawing with circuits – creating functional and artistic PCBs together (38c3)
We are a professional electronics designer and a professional artist. We'd like to share our experience of integrating an artist into the design workflow for EMF's 2022 and 2024 event badges, how we ensured that form and function grew together, and how you might make a board so fancy it crashes your PCB vendor’s CAM software. Circuit boards are increasingly being made to be seen. Whether they're personal or commercial, many projects show off their PCBs in an array of shapes, colours and sizes instead of hiding them in enclosures. While making an electronic design work correctly and making it look amazing are not conflicting goals, they do require very different skillsets. If you are not one of the rare people whose expertise spans both graphic and electronic design, it may feel very daunting to collaborate with someone who has a very different skillset. You must figure out what you don't know about each other's fields, what the other needs to know, and find the right language to bridge that divide. We will share our experience of working together as circuit designer and artist, and will talk about: - the possibilities and constraints of modern PCB technology as a medium for visual art - turning a functional electronic design into an artistic playground - our experience of communicating across fields of expertise, developing a common language and conveying essential ideas without getting in each other's way - some fantastic free software for art and electronic design - sample workflows for embellishing circuits - what PCB design software and manufacturers expect and how to get away with doing "weird" things - many examples of beautiful things we and others have made We hope this will inspire and encourage you to make your own beautiful collaborative designs a reality. 
Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/drawing-with-circuits-creating-functional-and-artistic-pcbs-together/
Hacking Prisons (38c3)
In Germany, more than 40,000 people are in prison. Largely without access to digital infrastructure - apart from a telephone. We take a look at the systems they are allowed to use and in which they are administered. Most people have never heard of HamSy or SoPart. Unless they have already had contact with German prisons. As a result, there is hardly any documentation about how digitalization works for people there and what consequences it may have in the future. Over the past year I looked into various systems in German prisons, and I would like to talk about data leaks and structural problems that prevent us from granting people there access to digital participation. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/knste-hacken/
Liebe Werte Stiften Alles (38c3)
The podcast foundation adventure begins & you can be there live at the birth at #38c3. Yes, the title 'Liebe Werte Stiften Alles' sounds at first like a crazy crossword puzzle, but we promise that in the end it will all make sense ;-) 🎭 Warning: This podcast could have serious side effects, such as: - Sudden attacks of generosity - Uncontrollable outbursts of meaningful action - Chronic do-gooder syndrome - Acute philanthropy euphoria It is the coincidences that give our chaos its magic & it was just such a *zenga*magic*coincidence that once again brought Maria Reimer and derPUPE together for a new adventure. For since his 50th birthday, derPUPE has been pondering a lot about values and the meaning of life. Specifically, he is toying with the idea of founding a foundation. To that end he is in exchange with people, in order to nerd his way into the topic and at the same time talk to Chaos beings who have wave-compatible values and also live by them. Suddenly Maria posts something on LinkedIn about exactly this topic - wow, the dear fate luck-dragon fairy was spot on once again, and on the spur of the moment they simply pinged each other by phone and briefly dumped and mirrored thoughts together. This joint conversation proved the wave compatibility between the two, and Maria's profession also fits this possible mission perfectly. Because the flow between them was simply harmonious and fruitful even in the first conversation, it was obvious to accompany the adventure of founding a foundation with a podcast. In this initial birth episode they bring along, among other things, answers to the following questions: What does one want to leave behind in a life that is probably more than half over? Can a foundation be a stylistic device in a world that needs to be patched better? And what does a cinema full of children have to do with derPUPE's plan? P.S.: The title is of course modeled on the great Liebe.Freiheit.Alles stickers. 
Who doesn't know and feel it? ;) Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/liebe-werte-stiften-alles/
Och Menno: Physics Says NO - Of Kickstarters and Sci-Fi Weapons (38c3)
What do Triton, Fontus and railguns have in common? Cool sales slides but possibly little grasp of physics. A small live podcast about projects where a basic grounding in physics would have prevented money from being wasted. The fail podcast live on stage: There are many projects that look wonderfully shiny. And the CEO even studied industrial design. And the slides are great. And there is a great 3D video. What could possibly go wrong? Why can't you breathe underwater with the Triton, or drink from the Fontus in the desert? I take you along on a little journey through Kickstarter fails / scams all the way to military projects that looked nice on paper but in the end just burned through a whole lot of money. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/och-menno-physik-sagt-nein-von-kickstartern-und-scifi-waffen/
TETRA Algorithm set B - Can glue mend the burst? (38c3)
In August 2023, we published the TETRA:BURST vulnerabilities - the result of the first public in-depth security analysis of TETRA (Terrestrial Trunked Radio): a European standard for trunked radio globally used by government agencies, police, military, and critical infrastructure. Authentication and encryption within TETRA were handled by proprietary cryptographic cipher-suites, which had remained secret for over two decades through restrictive NDAs until our reverse-engineering and publication. This talk is not TETRA:BURST, but dives into the latest TETRA revision introduced in 2022. Most notably, it contains a new suite of cryptographic ciphers. Of course the cipher available for critical infrastructure and civilian use (TEA7) is intentionally crippled, and of course these ciphers were to be kept secret, but this decision was overruled due to public backlash following our publication last year. In this talk we will present a practical attack on the TEA7 cipher, which while taking a 192-bit key, only offers 56 bits of security. Furthermore, we point out improvements and shortcomings of the new standard, and present an update on TEA3 cryptanalysis, where we previously found a suspicious feature, and draw a parallel with its successor TEA6. All in all, in this short and relatively crypto-forward talk, we assess with all-new material whether the new TETRA standard is fit for its intended purpose. This crucial technology seeks to once again take a very central role in our society for decades to come, and its cryptographic resilience is of fundamental importance - for emergency networks, but possibly even more for our critical infrastructure and associated processes. The new authentication suite (TAA2, as opposed to the old TAA1) features longer keys and completely new cryptographic primitives. The new Air Interface Encryption algorithms (TEA set B) consist of three new ciphers, for differing target audiences. 
TEA5 is intended for European emergency networks, and is the successor of TEA2. TEA6 is intended for friendly extra-European emergency and military networks, and replaces TEA3. Lastly, TEA7 is the only one available for use by critical infrastructure and other civil applications, and replaces TEA1. Initially, ETSI envisaged to keep the new algorithms secret again, once more eliminating the possibility of public scrutiny. However, following our publication, a promise was made to release the algorithms to the public for inspection. Additionally, a statement was made that TEA7 has a reduced effective strength of 56 bits. As mentioned, this algorithm is the successor to TEA1, which has an effective strength of only 32 bits, in a time where 40 bits was the maximum for freely exportable crypto. In TETRA:BURST, we presented several vulnerabilities found in the old standard. Obviously, the backdoored TEA1 algorithm is now replaced by a new cipher, and we will dive into how this works, how it can be attacked, and what the practical implications will be. Second, we previously presented a method of decrypting and injecting traffic on all network types, even those using the stronger TEA2 and TEA3 algorithms. This relies on the lack of cryptographic integrity guarantees on messages - something that is still unaddressed. We discuss how this leads to issues. Lastly, TETRA:BURST described a way of decrypting the pseudonymized identities of TETRA users (first demonstrated at the 37C3), allowing for a powerful intelligence capability. We will discuss how the new standard seeks to resolve this issue. Lastly, we previously recommended caution regarding TEA3, due to a suspicious feature in its design. While no full attack will be presented, progress in its cryptanalysis was made, which we will discuss during the talk. And, there is an interesting parallel to be drawn between the suspicious quirk in TEA3 and the design of its successor, TEA6. 
Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/tetra-algorithm-set-b-can-glue-mend-the-burst/
High energy physics aside the Large Hadron Collider (38c3)
What are we, and where do we come from? - Searching for flavour in beauty Nowadays the Large Hadron Collider (LHC) at CERN is the best known high energy physics research facility. However, there are other facilities around the world performing cutting edge high energy physics research. Some of these are the so called flavour factories which have a long tradition in high energy physics. Two of these are currently in operation: BES III in China and Belle II in Japan. Collecting huge amounts of data, the goal of these experiments is to measure free parameters of the standard model of particle physics with very high precision to find deviations from predictions by theory. Such deviations can hint at new physics, and physicists are still searching for the reasons of our very existence as by our best knowledge nothing but light should have remained after the big bang. But testing the standard model is challenging. Huge data sets in the order of terabytes need to be analysed requiring advanced analysis software and techniques. By now these analyses usually employ machine learning and artificial intelligence in various kinds, while using custom hardware and software, and a world spanning computing infrastructure. All of this is only possible with more than 1000 people working together in a collaboration. Part of the work in high energy physics nowadays would not be possible anymore without the groundbreaking research by this year's Nobel laureates for physics. In this talk I will present what flavour physics is, the reasons why flavour physics is interesting and why it matters, and which challenges we are facing, using the Belle II experiment as an example. Most of the challenges are not unique to Belle II but to high energy physics in general, so I will also set this into the bigger context and take a look to what is ahead of us in the field of high energy physics. Developed in the 1950s to 1960s, the standard model of particle physics has been a huge success. 
However, there are parts it cannot describe: * During the big bang the same amount of matter and anti-matter should have been produced, and they should have annihilated only leaving light. But here we are, so there must have been some sort of imbalance or asymmetry. With our current understanding of particle physics and the big bang we cannot explain the amount of asymmetry necessary to explain our existence. So why are we here? * We found that neutrinos do have mass, while the SM predicts them to be massless. So why do neutrinos have mass and where does it come from? * The orbital velocities of stars in distant galaxies show deviations from expectations if only visible matter is taken into account. These deviations in the galaxy rotational curves hint at additional matter which nowadays we call "dark matter". But what is its origin? * The universe seems to expand with an increasing rate, but what is the driver behind this rate? We now describe this as "dark energy" but do not really know what it is made of. * ... Cosmology, astrophysics, and high energy physics are working on solving these mysteries. While the first two require observations of space and simulations on earth, the last one can be fully conducted on earth. In high energy physics we currently are following two paths of finding physics beyond our current understanding called the "standard model" of particle physics: direct and indirect discoveries. This can be achieved by testing ever higher energies, or by probing known processes with improved precision. The discovery of the Higgs Boson in 2012 was of the first category, a direct discovery at high energies. Flavour factories work differently. They operate at much lower energies (about 1000 times lower than the Large Hadron collider), but are collecting huge amounts of data to precisely test the standard model to find hints for unknown physics effects. One of the current flavour physics experiments is Belle II in Japan. 
There physicists try to find hints explaining the asymmetry between matter and anti-matter seen at the big bang, and are searching for dark matter candidates, as well as other indications of deviations from the standard model. By precisely measuring the standard model processes it is possible to check for particles 10,000 times heavier than the energies used in Belle II, and 10 times heavier than what the LHC can achieve in direct searches. This talk focuses on the challenges that modern high energy physics experiments, as well as other experiments are facing, and how to tackle them, as well as the public relevance of the research fields. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/high-energy-physics-aside-the-large-hadron-collider/