Chaos Computer Club - recent events feed

2,041 episodes — Page 13 of 41

Opening pAMDora's box and unleashing a thousand paths on the journey to play Beatsaber custom songs (39c3)

While trying to apply fault injection to the AMD Platform Security Processor with unusual (self-imposed) requirements/restrictions, it was software bugs that stopped initial glitching attempts. Once discovered, the software bug was used as an entry to explore the target, which in turn led to uncovering (and exploiting) more and more bugs, ending up in EL3 of the most secure core on the chip. This talk is about the story of trying to glitch the AMD Platform Security Processor, then accidentally discovering several bugs and getting a good look inside the target, before returning to trying to hammer it with novel physical strategies.

# BACKSTORY

So here is the backstory of how it all started:

- I bought a commercial gaming console
- Then bought a VR headset (for this console) because of an exclusive game
- But also wanted to play beatsaber
- I could, but the builtin song selection was very limited
- Custom songs exist (for example on steam), but not for this console
- I didn't want to buy a second headset for steam

That's when I decided I want to hack this console so that I can port community created custom songs to the console and play them there with the VR headset I already have. Initially starting with an approach similar to the usual "entrypoint through browser", then go for kernel and call it a day, but quickly annoying hurdles blocked my way. For one, the Hypervisor makes your life just miserable with its execute only kernel text blind exploitation. Other issues were that one needs to be on the latest version to download the game, which exists only as a digital purchase title, preventing me from sharing my efforts with others even if I can get it working on my console. Though, what finally put the nail in the coffin was when porting a kernel zeroday to the console failed because of heavy sandboxing, unreachable syscalls or even entirely stripped kernel functions. Some may call it "skill issue".

Anyways, that's when I was full of it and decided to bring this thing down for good. Everybody does glitching nowadays and according to rumors people did have success on this thing with glitching before, so how hard can it really be, right? So the question became: Is it possible to build a modchip, which glitches the board and lets me play beatsaber custom songs? Stuff like that has been done on other consoles before (minus the beatsaber part :P) Turns out that when manufacturing produces chips with broken GPUs, they are sold as spinoff desktop mainboards (with disabled GPU) rather than thrown away. Which is great, because those mainboards are much cheaper, especially if you buy broken spinoff mainboards on ebay. So on the journey to beatsaber custom songs, breaking this desktop mainboard became a huge chunk of the road. Because if I can glitch this and build a modchip for it, surely I can also do it for the console, right? I mean it's the exact same SoC after all! Back when I started I didn't know I would be about to open pAMDora's box and discover so many bugs and hacks.

# Actual talk description

**Disclaimer: This is not a console hacking talk!**

This talk is gonna be about breaking nearly every aspect of the AMD Platform Security Processor of the desktop mainboard with the same SoC as the console. While certainly useful for _several_ other AMD targets, unfortunately not every finding can directly be ported to the console. Still, it remains very useful nonetheless! Note: The final goal of custom songs on beatsaber has not been reached yet, this talk is presenting the current state of things. In this talk you'll be taken on a ride on how everything started and how almost every aspect of the chip was broken. How bugs were discovered, what strategies were used to move along.

Not only will several novel techniques be presented for applying existing physical attacks to targets where those couldn't really be applied before, but also completely new approaches are shared which bring a whole different perspective on glitching despite having lots of capacitors (which we don't really want to remove) and extremely powerful mosfets (which smooth out crowbar attempts in a blink of an eye). But that's not all! While trying to perform physical attacks on the hardware, the software would just start falling apart by itself. Which means, at least **6 unpatchable\* bugs** were discovered, which are gonna be presented in the talk alongside **5 zero-day exploits**. Getting EL3 code execution on the most secure core inside AMD's SoC? No Problem! Apart from just bugs and exploits, many useful techniques and discovery strategies are shared which will provide an excellent knowledge base and attack inspiration for following along or going for other targets. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/opening-pamdora-s-box-and-unleashing-a-thousand-paths-on-

Dec 27, 2025 · 44 min

KIM 1.5: Noch mehr Kaos In der Medizinischen Telematikinfrastruktur (TI) (39c3)

Two years after the first KIM talk at 37C3: the vulnerabilities shown there have since been closed. In addition, the current KIM 1.5+ can now transfer large files of up to 500 MB, and signature handling has been simplified for users in that the detailed information of the signature can no longer be viewed. But is the system secure now, or are there new problems? KIM has established itself as a service for medical e-mail: electronic certificates of incapacity for work (eAU), dental treatment and cost plans, laboratory information, and medication dosages are meant to be transmitted securely via KIM. Security is meant to be ensured unobtrusively and automatically in the background, without interaction with the users. To this end, encryption and decryption as well as the signing functionality are abstracted into separate software, the so-called client module (Clientmodul). This talk examines the design of this security abstraction and the vulnerabilities that result from it, such as forging or decrypting KIM messages. Continuation of 37C3: KIM: Kaos In der Medizinischen Telematikinfrastruktur (TI) [https://media.ccc.de/v/37c3-12030-kim_kaos_in_der_medizinischen_telematikinfrastruktur_ti] Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/kim-1-5-noch-mehr-kaos-in-der-medizinischen-telematikinfrastruktur-ti

Dec 27, 2025 · 54 min

Not an Impasse: Child Safety, Privacy, and Healing Together (39c3)

From the EU’s “Chat Control” to the UK’s age verification, there is a growing legislative momentum across jurisdictions to regulate the Internet in the name of protecting children. The monstrosity of child sexual abuse looms large in shaping how policymakers, advocates, and the public understand the problem area of and propose solutions for detecting, reporting, and removing harmful/illegal content. Children’s safety and adults’ privacy are thus pitted against each other, deadlocked into an impasse. As technologists deeply concerned with safety and privacy, where do we go from here? There is a path forward! Many, in fact. But the impasse framing seriously limits how policymakers, technologists, advocates, and our communities understand child sexual abuse (CSA). We need informed, principled, and bold alternatives to policing-driven tech solutions like client-side scanning and grooming classifiers. To effectively and humanely break the cycles of abuse that enable CSA in our communities, we have to think beyond criminalization. This talk will unpack how and why this impasse framing exists, how it constrains us from candidly engaging with the complexity of CSA. Drawing from scientific and clinical research and informed by transformative justice approaches, I detail what CSA is, how and why it happens offline and online, and why the status quo of detection and criminalization does not work. Ultimately, I argue that effective, humane, and collective interventions require protecting the safety and privacy of all those harmed by CSA, and that this creates a unique role for technologists to play. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/not-an-impasse-child-safety-privacy-and-healing-together

Dec 27, 2025 · 45 min

Developing New Medicines in the Age of AI and Personalized Medicine (39c3)

Did you ever wonder where all the drugs, which you can get at a pharmacy, come from? Who makes them, and how? Well, there is no easy answer, because the process of drug discovery and development is a very complex, expensive, and challenging journey, riddled with many risks and failures. This holds true for all types of drugs, from a simple pill to an mRNA vaccine or a gene therapy. Today, scientists support this process with a variety of AI applications, cutting-edge technologies, automation, and a huge amount of data. But can the race for new medicines and cures succeed only through more technology, or do we need to rethink the entire process? Let’s take a look at how the drug discovery and development process has worked so far, and how this entire process is changing – for better or worse. After presenting a high-level overview of the path from an idea to the medicine that you can buy at a pharmacy, this talk will present and discuss the following aspects of the drug discovery and development process: (1) The translation of an idea into a drug for a human patient faces many critical moments along the development process. This so-called “translational gap” is addressed through experiments in a test tube (or Petri dish), experimentation in lab animals, and eventually testing in humans. However, findings in a standard cell line or in a mouse do not necessarily reflect the complexity of biological processes in a human patient. Currently, there are many technological advancements under way to improve the current drug discovery and development process, and possibly even replace animal studies in the future (e.g., organs-on-chip). Nevertheless, the fundamental issues surrounding translational research remain, such as the lack of standardization, the limitations of model systems, and various underlying clinical biases. 
(2) Like in many industries today, AI applications are introduced at multiple levels and for various purposes within the drug discovery and development continuum. Often, a lot of hope is placed in AI-based technologies to accelerate the R&D process, increase efficiency and productivity, and identify new therapeutic approaches. Indeed, there are many highly useful examples, such as the automation of image analysis in research, which replaces repetitive tasks and hence frees up a lot of time for researchers to do meaningful research. However, there are also many applications that are likely misguided, because they still face fundamental problems in evaluating scientific knowledge. For instance, the use of LLMs to summarize huge amounts of very complex and heterogeneous scientific data relies on the accuracy, completeness, and reproducibility of the available scientific data, which is often not the case. In addition, AI is often employed in an IT environment with questionable data security and ownership practices, such as the storage of sensitive research data on third-party cloud platforms. (3) Until now, the overwhelming majority of drugs have been developed to treat large patient populations, which represent a considerable market and ultimately ensure a return on investment. Today, however, most common and homogeneous diseases can already be managed, often with several (generic) drugs. Slight improvements to current drugs do not justify a large profit margin anymore, so the focus of drug discovery and development is shifting toward more heterogeneous and rare diseases, for which no or only poor treatments are available. Novel medicines in those disease areas hold the promise of substantial improvement for patients; however, these new patient (sub)populations, and thus markets, are much smaller, leading to premium prices for individualized therapies in order to ensure a return on investment. 
This paradigm shift toward individualized therapy - referred to as precision and personalized medicine - is supported by the advent of novel technologies and the accumulation of large bodies of data. (4) The rise of precision and personalized medicine is challenging the current business model of today’s pharmaceutical industry, suggesting that the era of blockbuster drugs might be over. Moreover, many intellectual property rights for blockbuster drugs are going to expire in the next few years, ending the market dominance of a number of pharma companies and sending the current industry landscape into turmoil. These developments will likely alter the current modus operandi of the entire biopharmaceutical development process, and it is not clear what the next few years will look like. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/developing-new-medicines-in-the-age-of-ai-and-personalized-medicine

Dec 27, 2025 · 44 min

Chaos macht Küche (39c3)

Are you running an event for a lot of people? Then a lot of people will also be very hungry. Here you will be shown how to prepare food for many (more than 75) people. All it takes is some preparation and motivation! At many tent camps, summer festivals, ICMP, a village at the Chaos camp and the like, I have learned how to cook for many people, and how not to. So that you don't have to go through the same learning curve, I would like to show you the considerations with which you and 2-3 friends can prepare food for many people. Planning, shopping, logistics, preparation, cooking, hygiene, serving and cleaning up: anyone can do that. Doing it in a way that is fun, doesn't feel like work and, on top of that, tastes good to everyone is what I want to convey with this talk. If your space is planning a big event in the future and you are wondering whether you can and want to cook on site, then come by and let me show you what you need for it and how it works. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/chaos-macht-kuche

Dec 27, 2025 · 39 min

Liberating Bluetooth on the ESP32 (39c3)

Despite how widely used the ESP32 is, its Bluetooth stack remains closed source. Let’s dive into the low-level workings of a proprietary Bluetooth peripheral. Whether you are interested in reverse engineering, Bluetooth security, or just enjoy poking at undocumented hardware, this talk may inspire you to dig deeper. The ESP32 has become a ubiquitous platform in the hacker and maker communities, powering everything from badges and sensors to mesh networks and custom routers. While its Wi-Fi stack has been the subject of previous reverse engineering efforts, its Bluetooth subsystem remains largely undocumented and closed source despite being present in millions of devices. This talk presents a reverse engineering effort to document Espressif’s proprietary Bluetooth stack, with a focus on enabling low-level access for researchers, security analysts, and developers to improve existing affordable and open Bluetooth tooling. The presentation covers the reverse engineering process itself, techniques and the publication of tooling to simplify the process of peripheral mapping, navigating broken memory references and symbol name recovery. The core of the talk focuses on the internal workings of the Bluetooth peripheral. The reverse engineering effort led to the discovery of the peripheral architecture, its memory regions, interrupts and a little bit of information about other related peripherals. By publishing open tooling, SVD files and other documentation, this work aims to empower researchers, hackers, and developers to build custom Bluetooth stacks, audit existing ones, and repurpose the ESP32 for novel applications. This may interest you if you care about transparency, low-level access, and collaborative tooling. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/liberating-bluetooth-on-the-esp32

Dec 27, 2025 · 33 min

Endlich maschinenlesbare Urteile! (39c3)

To the surprise of many, lawyers are scientists who should work according to scientific standards and should also structure their briefs and judgments according to stringent scientific criteria and discuss them among themselves. But this works only in some areas of law. Like any science, jurisprudence is only as good as the source material it is based on; in this case that is mostly judgments. Empirical studies of this data are only possible if it is actually available to research. But scientific work in the legal field is currently not really possible, because very few judgments are published, since the courts mostly shy away from the work this would entail. We look at why this calls principles of the rule of law into question and why players from the private sector know more about German case law than our courts do, and how they turn that into money. It is in fact a serious and real scientific and societal problem when judgments are locked away behind the worm-eaten filing cabinets of government offices. We demonstrate this with some particularly outrageous quotes from current judgments from practice that can no longer be changed. We are currently working out strategies for how to power-cycle the legal system so that judgments in their entirety, and with them the law as actually pronounced in Germany, become accessible again. As a positive side effect of the availability of judgments, civil society and politics can also check for themselves, with sovereignty, whether our judges typically really apply the law in the way the legislature intended; nobody can currently know, we can only hope ... Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/endlich-maschinenlesbare-urteile-open-access-fur-juristen

Dec 27, 2025 · 38 min

Building hardware - easier than ever - harder than it should be (39c3)

Building electronics has never been easier, cheaper, or more accessible than the last few years. It's also becoming a precious skill in a world where commercially made electronics are the latest victim of enshittification and vibe coding. And yet, while removing technical and financial barriers to building things, we've not come as far as we should have in removing social barriers. The electronics and engineering industry and the cultures around them are hostile to newcomers and self-taught practitioners, for no good reason at all. I've been teaching advanced electronics manufacturing skills to absolute beginners for a decade now, and they've consistently succeeded at acquiring them. I'm here to tell you why it's not as hard as it seems, how to get into it, and why more people who think they can't should try. Electronics is easier and more fun to get into than it's ever been before. All the tools and resources are easily accessible and super cheap or free. There's an enormous amount of things to build from and build on. It's also never been more important to be able to build and understand electronics, as assholes running corporations are wasting their workers' unpaid overtime on making all the electronics in our lives shittier, more full of ads, slop, and spyware, and more frustrating to use. Encountering a device that works for you instead of against you is a breath of fresh air. Building one is an act of resistance and power. Not depending on the whims of corporate assholes is freedom. However, the culture around electronics and the electronics industry is one of exclusion and gatekeeping. It doesn't need to be. It would be stupidly easy to make things better, and we should. I've been teaching absolute beginners advanced electronics manufacturing skills for many years now. It's absolutely shocking how much more diverse the people who I teach are compared to the industry. 
The "hardware is hard" meme is true in some cases but toxic when worn as a badge of pride or a warning to people attempting it. I will tell you why designing and building electronics is not nearly as hard as it seems, how it's almost never been easier to get into it, and why it's very important that people who think or have been told they can't do it should be doing more of it. I'll tell you my experiences of what building devices is like, show and tell a few useful skills, and tell the story of how trying to prove someone wrong on the internet turned into a decade of teaching people with zero experience how to handle the most complex electronic components at all sorts of community events. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/building-hardware-easier-than-ever-harder-than-it-should-be

Dec 27, 2025 · 35 min

FeTAp 611 unplugged (39c3)

This project transforms a classic rotary phone into a mobile device. Previous talks have analyzed various aspects of analogue phone technology, such as rotary pulse detection or ringing voltage generation. Now this project helps you get rid of the cable: it equips the classic German FeTAp 611 with battery power and a flyback SMPS based ringing voltage generator - but still maintains the classical look and feel. The talk demonstrates the journey of bridging analog and digital worlds, explaining how careful design connects a vintage phone to today’s mobile environment - in a way that will make your grandparents happy. There are people who throw away old telephones - and then there are those who find them in the garbage and think, „How can a microcontroller actually read the digits from a rotary dial?“ This talk follows the journey of transforming a classic German FeTAp 611 rotary phone into a mobile device while keeping its vintage charm. Building on earlier retrofits, this project aims to combine the following design goals into a mobile version of the Fernsprechtischapparat:

- Grandparents-compatible – The phone shall be easy to use by non-technical people, showing the same look and feel as the original phones, including details such as a dial tone.
- easy phone switching – Switching between FeTAp and regular cellphone shall not require unscrewing the phone to switch SIM cards.
- standard components – PCB/PCBA suppliers shall be capable of manufacturing boards at a reasonable price.
- device-agnostic circuit design – Adapting to different phones (e.g. W48, FeTAp 791, FeTAp 611) shall minimize the need for changes in the schematic. This includes a ringing voltage generator that shall be powerful enough to drive an old W48 phone.

This talk will walk you through certain aspects of the German analog telephony standard 1TR110-1, and the challenges faced when implementing those on a battery-powered device with little space. It explains

- the state machine implemented on an STM32 microcontroller,
- how to connect old carbon microphones to modern audio electronics,
- designing (and avoiding mistakes in) a flyback based SMPS to generate 32V - 75V ringing voltage,
- how to generate 25 Hz AC using an H-bridge,
- and how to layout the PCB such that the ancient second handset connector can now be used for USB-C charging.

In the course of the development, I discovered that the project is not only a good way to get a glimpse into various aspects of ancient and modern types of electronics - but also into people’s reactions when such a phone suddenly starts ringing on a flea market… :-) Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/fetap-611-unplugged-taking-a-rotary-dial-phone-to-the-mobile-age

Dec 27, 2025 · 34 min

Who cares about the Baltic Jammer? (39c3)

Reports of GNSS interference in the Baltic Sea have become almost routine — airplanes losing GPS, ships drifting off course, and timing systems failing. But what happens when a group of engineers decides to build a navigation system that simply *doesn’t care* about the jammer? Since 2017, we’ve been developing **R-Mode**, a terrestrial navigation system that uses existing radio beacons and maritime infrastructure to provide independent positioning — no satellites needed. In this talk, we’ll share our journey from an obscure research project that “nobody needs” to a system now seen as crucial for resilience and sovereignty. Expect technical insights, field stories from ships in the Baltic, and reflections on what it means when a civilian backup system suddenly attracts military interest. Since 2017, our team at DLR and partners across Europe have been working on an alternative to satellite navigation: **R-Mode**, a backup system based on terrestrial transmitters. Our main testbed spans the Baltic Sea — a region now infamous for GNSS jamming and spoofing. We’ll start by showing what GNSS interference actually means in practice: aircraft losing navigation data, ships switching to manual control, and entire regions facing timing outages — such as the recent disruption of telecommunications in Gdańsk during Easter 2025. Then we’ll take you behind the scenes of building R-Mode: designing signals that can coexist with legacy systems, installing transmitters along the coast, and testing shipborne receivers in rough conditions. We’ll share personal moments — like the first time we received a stable position fix in the middle of the Baltic. Finally, we’ll talk about perception and politics: how a “research curiosity” became a critical infrastructure project, why ESA now wants to build a *satellite* backup (with the same vulnerabilities), and how it feels when your civilian open-source navigation system suddenly becomes strategically relevant. 
Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/who-cares-about-the-baltic-jammer-terrestrial-navigation-in-the-baltic-sea-region

Dec 27, 2025 · 36 min

Neuroexploitation by Design (39c3)

The legalization of online gambling in Germany in 2021 and the increasing normalization of gambling and sports betting in the media have created an environment in which gambling products are more easily accessible and more socially accepted than ever before. This widespread exposure poses considerable risks for vulnerable people, especially as the boundaries between gaming and gambling are increasingly blurred. For some time now, for example, there has been a marked increase in games that contain gambling-like items such as loot boxes. Complex design features in electronic gambling products, e.g. slot machines and online slots, are specifically aimed at motivating individuals to play extended sessions in order to maximize revenue. While gambling is a form of entertainment for many people, gambling behaviour can escalate for some and have serious consequences for the lives of those affected. This talk will shed light on mechanisms in gambling products and loot boxes and show why these features can promote addictive potential. Mechanisms of so-called reinforcement learning play a role here; they activate the human reward system, i.e. dopaminergic pathways that are involved in predicting rewards. Particular attention is paid to reinforcement learning, a framework for modelling learning through reward-based feedback, which is used both in psychology to describe human learning and decision-making behaviour and to optimize machine learning algorithms. The talk will also present results from our own research at the laboratory of the University of Cologne.
The aim is to explain mechanisms of gambling, to raise awareness of potential harms to individuals and society, and to discuss the need for regulation and responsible design practices. This talk examines how modern gambling products and gambling-like game mechanics, such as loot boxes, deliberately exploit psychological and neurobiological learning processes to generate revenue through longer play and stronger interaction. The focus is on mechanisms of reinforcement learning and their interplay with the dopaminergic reward system. Drawing on current research findings, design strategies are presented that can increase the addictive potential of gambling. The aim of the talk is to convey a scientifically grounded understanding of these dynamics, to point out risks for individuals and society, and to discuss the need for regulation and responsible design. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/neuroexploitation-by-design-wie-algorithmen-in-glucksspielprodukten-sich-wirkweisen-des-reinforcement-learning-und-dopaminergen-belohnungssystems-zunu

Dec 27, 2025 · 39 min

Zentrum für Politische Schönheit: (39c3)

It has been exactly one year since the Adenauer SRP+ stood in the hall of 38C3. Back then it was still a construction site, but it soon set off to make history. We take you on a journey: from blockade to protest, from summer interviews to police harassment, we look back on a year of Adenauer SRP+. This could get funny. Also: everything about the Walter Lübcke Memorial Park, which we have just built directly in front of the CDU headquarters. Oh dear, oh dear: that's going to be a lot for 40 minutes. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/zps-ein-jahr-adenauer-srp-und-mehr

Dec 27, 2025 · 42 min

ISDN + POTS Telephony at Congress and Camp (39c3)

Like 39C3, the last CCC camp (2023) and congress (38C3) have seen volunteer-driven deployments of legacy ISDN and POTS networks using a mixture of actual legacy telephone tech and custom open source software. This talk explains how this is achieved, and why this work plays an important role in preserving parts of our digital communications heritage. Just like at this very event (39C3), the last few years a small group of volunteers has deployed and operated legacy telephony networks for ISDN (digital) and POTS (analog) services at CCC-camp2023 and 38C3. Anyone on-site can obtain subscriber lines (POTS, ISDN BRI or PRI service) and use them for a variety of services, including telephony, fax machines, modem dial-up into BBSs as well as dial-up internet access and video telephony. These temporary event networks are not using soft-PBX or VoIP, but are built using actual de-commissioned hardware from telecom operators, including a Siemens EWSD digital telephone exchange, Nokia EKSOS V5 access multiplexers, an SDH ring for transporting E1 carriers and much more. While some may enjoy this for the mere hack value, others enjoy it to re-live the digital communication eras of their childhood or youth. However, there is a more serious aspect to this: The preservation and restoration of early digital communications infrastructure from the 1970s to 1990s, as well as how to operate such equipment. As part of this effort, we have already been able to help communications museums to fill gaps in their collections. The talk will cover

* the equipment used,
* the network hierarchy we build,
* the services operated
* the lessons learnt
* newly-written open source software for interfacing retro telecommunications gear

Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/isdn-pots-telephony-at-congress-and-camp

Dec 27, 2025 · 35 min

Demystifying Fuzzer Behaviour (39c3)

Despite how it's often portrayed in blogs, scientific articles, or corporate test planning, fuzz testing isn't a magic bug printer; just saying "we fuzz our code" says nothing about how _effectively_ it was tested. Yet, how fuzzers and programs interact is deeply mythologised and poorly understood, even by seasoned professionals. This talk analyses a number of recent works and case studies that reveal the relationship between fuzzers, their inputs, and programs to explain _how_ fuzzers work. Fuzz testing (or, "fuzzing") is a testing technique that passes randomly-generated inputs to a subject under test (SUT). This term was first coined in 1988 by Miller to describe sending random byte sequences to Unix utilities (1), but was arguably preceded in 1971 by Breuer for fault detection in sequential circuits (2) and in 1972 by Purdom for parser testing by generating sentences from grammars (3). Curiously, they all exhibit different approaches for generating inputs based on knowledge about the SUT, though none of them use feedback from the SUT to make decisions about new inputs. Fuzzing wasn't yet popular, but industry was catching on. Between the late 90s and 2013, we see a number of strategies appear in industry (4). Some had success with constraint solvers, where they would observe runtime behavior or have knowledge about a target's structure to produce higher quality inputs. Others operated in a different way, by taking an existing input and tweaking it slightly ("mutating") to address the low likelihood of random generation to produce structured inputs. None was as successful, or as popular, as American Fuzzy Lop, or "AFL", released in 2013. This combined coverage observations for inputs (Ormandy, 2007) with concepts from evolutionary novelty search (5) into a tool which could, from very few initial inputs, _evolve_ over multiple mutations to find new, untested code. 
Despite its power, this advancement made it far more difficult to understand how fuzzers even worked. Now all you had to do was point this tool at a program and it would start testing, and the coverage would go up; users were now only responsible for writing "harnesses", code which processed fuzzer-produced inputs and sent them to the SUT. Though there have been a few real advances to fuzzing since (or, at least, strategies which combined previous methods more effectively), fuzzing research has mostly dead-ended, with new methods squeezing only minor improvements out of older ones. This, and inadequate harness writing, comes from this opaqueness in how fuzzers internally operate: without understanding what these tools do from first principles, there's no clear "right" and "wrong" way to do things because there is no mental model to test them against. This talk doesn't talk about new bugs, new fuzzers, or new harness generation tools. The purpose of this talk is to uncover mechanisms of fuzzer input production in the context of different classes of SUT and harnesses thereon, highlighting recent papers which have clarified our understanding of how fuzzers and SUTs interact. By the end, you will have a better understanding of _why_ modern fuzzers work, _what_ their limitations are, and _how_ you can write better fuzzers and harnesses yourself.

(1): https://pages.cs.wisc.edu/~bart/fuzz/CS736-Projects-f1988.pdf
(2): https://ieeexplore.ieee.org/document/1671733
(3): https://link.springer.com/article/10.1007/BF01932308
(4): https://afl-1.readthedocs.io/en/latest/about_afl.html
(5): https://www.academia.edu/download/25396037/0262287196chap43.pdf

Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/demystifying-fuzzer-behaviour

Dec 27, 2025 · 39 min

Burning Forests and Comment Sections (39c3)

The climate update from the FragDenStaat Climate Helpdesk. ChatGPT has (soon) more users than Wikipedia, and OpenAI wants to have the energy consumption of India in the future, with fossil fuels if necessary. The energy hunger of artificial intelligence and the global hunger for resources for chips and electric cars seem to be eating up the remaining hope for a climate-just world. In Germany, too, we find ourselves in the water struggles, while globally movements against water-hungry corporations and data centers have long been flowing together. All over the world, from Latin America to Portugal and Serbia, people are resisting the mining of the white gold lithium, which is needed for electric cars and chips. Along with forests, the comment sections are burning too, and state repression against climate activism is increasing. I want to give an overview of the state of our Earth and of the climate movement, of what hackers can do to save the planet, and of which tech billionaires we have to fight to do so. I am Joschi (they/them) from the FragDenStaat Climate Helpdesk. I bring 10 years of experience in the climate movement and expertise on various topics around sustainability and digitalization. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/brennende-walder-und-kommentarspalten-klimaupdate-mit-bits-baume-und-dem-fragdenstaat-climate-helpdesk

Dec 27, 2025 · 39 min

A Tale of Two Leaks: (39c3)

The Great Firewall of China (GFW) is one of, if not arguably the most advanced Internet censorship systems in the world. Because repressive governments generally do not simply publish their censorship rules, the task of determining exactly what is and isn’t allowed falls upon the censorship measurement community, who run experiments over censored networks. In this talk, we’ll discuss two ways censorship measurement has evolved from passive experimentation to active attacks against the Great Firewall. While probing the Great Firewall’s DNS injection system in 2021, we noticed something strange: Sometimes the injected responses contained weird garbage. After some investigation, we realized we’d stumbled onto a memory disclosure vulnerability that would give us an unprecedented window into the Great Firewall’s internals: Wallbleed. So we crafted probes that could leak up to 125 bytes per response and repeatedly sent them for two years. Five billion responses later, the picture that emerged was... concerning. Over 2 million HTTP cookies leaked. Nearly 27,000 URL parameters with passwords. SMTP commands exposing email addresses. We found traffic from RFC 1918 private addresses - suggesting we were seeing the Great Firewall’s own internal network. We saw x86_64 stack frames with ASLR-enabled pointers. We even sent our own tagged traffic into China and later recovered those exact bytes in Wallbleed responses, proving definitively that real user traffic was being exposed. In September 2023, the patching began. We watched in real-time as blocks of IP addresses stopped responding to our probes. But naturally the same developers that made this error in the first place made further mistakes. Within hours, we developed “Wallbleed v2” queries that still triggered the leak. The vulnerability persisted for another six months until March 2024. 
GFW measurement research went back to business as usual until September of this year when an anonymous source released 600GB of leaked source code, packages, and documentation via Enlace Hacktivista. This data came from Geedge Networks - a company closely connected to the GFW and the related MESA lab. Geedge Networks develops censorship software not only for the GFW but also for other repressive countries such as Pakistan, Myanmar, Kazakhstan, and Ethiopia. We will discuss some of our novel findings from the Geedge Networks leak, including new insights about how the leak relates to Wallbleed. Wallbleed and the Geedge Networks leak show that censorship measurement research can be about more than just actively probing censored networks. We hope this talk will be a call to arms for hackers against Internet censorship. More information about Wallbleed can be found at the GFW Report: https://gfw.report/publications/ndss25/en/ Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/a-tale-of-two-leaks-how-hackers-breached-the-great

Dec 27, 2025 · 31 min

All Sorted by Machines of Loving Grace? (39c3)

While the extreme right is on the rise in many countries and climate change is unrolling, a promising future seems to be written: According to Elon Musk, Sam Altman, and some other “tech bros” it is to leave the dying planet to go to space. With the help of something called “A(G)I”. But what kind of future is the one that is promised? And what is the connection between power cycles of tech company owners and people whose beliefs can be called fascist? As we moved power through data into the hands of very few, it is important to examine what ideas these few have in their heads. This talk will explore the roots of today's tech fascism and its love for tech. From the early thoughts and movements in the US and Europe to Futurism and the Holocaust, organised with Hollerith punching cards. It will dive into its blooming relationship with cybernetics, and take a look at the future the “tech bros” want to lure us into. This talk will address the often overlooked topic of how and when people get comfy with diving into movements of hate and how to stop a white supremacy future where we will be sorted by machines. And, taking a look at past movements opposing authoritarianism, it will examine mindsets and possibilities of resistance as well as the possibility of restarting everything. Because we have a planet and loved ones to lose. Wear your safety cat-ears, buckle up, it will be a wild, but entertaining ride. The idea of the Super-Human is not a new one, neither is the idea of a charismatic “good” leader nor to sort humans into classes, races, abilities. The idea of a few controlling many by force and ideas that justify their rulership and cruelties is an old one, as is the opposing idea of a free society and humans as equals. A central aspect is how people involved see the human nature and according to that what society they want to build. And what role is intended for technology. 
In the 19th century the beliefs of both the opposing sides dripped into science, as well as individuals’ heads, and social movements around the world. While some wanted to form a world society of equals others wanted to breed a master race to control everything. The love of industrial leaders for authoritarianism has played an important role since the beginning in funding and providing access to powerful networks. Industrialists like Henry Ford loved and promoted ideas at least close to fascism. German, Italian, and Austrian counterparts funded Hitler and Mussolini. And it is not that they did it because they did not understand the fascist leaders’ yearning – it was because they shared and loved their aims and violence. In Futurism, one of the often overlooked roots of fascism, and its Manifesto the enemies and societal goals are proclaimed crystal clear: “We will glorify war — the only true hygiene of the world — militarism, patriotism, the destructive gesture of anarchist, the beautiful Ideas which kill, and the scorn of woman.” After WWII most of the people believing in dominating others by force and eugenics lived on, they and their cronies had slaughtered millions and destroyed whole social movements that were opposing them. These people warning us about authoritarian prophets of doom and concentration camps are still missing. In the post-war time ideas of authoritarianism met a new player: Cybernetics, the belief in a future, where all problems will be solved through technology and we are “All Watched Over by Machines of Loving Grace” (Richard Brautigan, 1967). The ideas split, merged, and melted into new beliefs and quasi-religions. Into something that is called “Cyber-Libertarianism” by David Golumbia or “TESCREAL” by Émile P. Torres and Timnit Gebru. This talk will address an aspect that is often missing in analyses: What kind of breeding ground is it where ideas of fascism hatch best? And how can we stop iFascism instead of participating in it? 
Furthermore, as being sorted by machines is not everyone's secret dream, ways to stop iFascism will be provided. Because we are more, we care for people in need – and we are the chaos! Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/all-sorted-by-machines-of-loving-grace-ai-cybernetics-and-fascism-and-how-to-intervene

Dec 27, 2025 · 38 min

The art of text (rendering) (39c3)

Typography is the art of arranging type to make written language legible, readable, and appealing when displayed. However, for the neophyte, typography is mostly apprehended as the juxtaposition of characters displayed on the screen while for the expert, typography means typeface, scripts, unicode, glyphs, ascender, descender, tracking, hinting, kerning, shaping, weight, slant, etc. Typography is actually much more than the mere rendering of glyphs and involves many different concepts. If glyph rendering is an important part of the rendering pipeline, it is nonetheless important to have a basic understanding of typography or there’s a known risk of rendering garbage on screen, as it has been seen many times in games, software and operating systems. Text is everywhere in our modern digital life and yet, no one really pays attention to how it is rendered on a screen. Maybe this is a sign that the problem has been solved. But it isn't. A few people are still looking at the best way to display text on any devices & any languages. This talk is based on a lesson I gave at SIGGRAPH a few years ago (https://www.slideshare.net/slideshow/siggraph-2018-digital-typography/110385070) to explain rendering techniques and concepts. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/the-art-of-text-rendering

Dec 27, 2025 · 38 min

Opening Ceremony (39c3)

Power On! Let us arrive together at this magical place and get everything ready to spend the next four days in a cheerfully creative, fantastic wonderland and recharge our batteries. The opening gives you the most important information for the Congress, gets you in the mood and ... uh ... see you at the Späti! Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/opening-ceremony

Dec 27, 2025 · 21 min

Accessibility: The Internet Is for Everyone (dgna)

Digital services and offerings have become an indispensable part of everyday life. From pure information delivery to AI interaction: the web is our constant companion. But what about all those people who, because of physical or mental impairments, can take part in the net only to a limited extent or, in the worst case, not at all? The foundation «Zugang für Alle» has been dealing with exactly this question for 25 years and is regarded as a competence center for questions of accessibility and inclusion on the net. At the Netzpolitischer Abend, Dr. Andreas Uebelbacher and Mo Sherif give us an insight into this diverse field and the manifold digital challenges that people with impairments master every day. about this event: https://www.digitale-gesellschaft.ch/event/netzpolitischer-abend-zu-barrierefreiheit-das-internet-ist-fuer-alle-da/

Nov 27, 2025 · 1h 17m

The Authoritarian High-Tech Complex and the Infiltration of Democracy (oc)

In the USA, it can currently be observed how institutions and processes that were once democratically controlled are being outsourced to private high-tech companies such as Palantir, Anduril or SpaceX. These companies take over state functions and translate laws and decisions into algorithms without being subject to democratic oversight. A development that also threatens Europe. In the past, the libertarian tech oligarchs of Silicon Valley could be seen looking for ways to escape the authority of the democratic state. With the second Trump administration, however, a change of strategy can be observed that aims to take over the democratic institutions instead of building parallel structures of their own (such as cryptocurrencies and high-seas habitats). This strategy rests on technology, venture-capital investment in potential state projects, and the targeted placement of personnel in key positions. The goal: the privatization of democratically legitimized state sovereignty. In the USA, this plan can be seen being implemented successfully, with the tech billionaires from Silicon Valley gaining ever more influence over central government agencies. The talk aims to examine this strategy, the concrete methods and effects, and the resulting entanglement of private corporations and democratic institutions, in order to better assess the projects planned and already implemented in Europe. In England, the health system (NHS) was newly implemented with Palantir's Gotham, Italy plans to firmly integrate Starlink into military communications, and in Germany (alongside the use of Palantir by the police) the strategic partnership between Palmer Luckey's defense company Anduril and Rheinmetall was recently announced, in which an autonomous drone system for the Bundeswehr is to be developed jointly. 
These decisions were made without much public attention, without transparent procurement processes or serious parliamentary debate. What does it mean for democracies when their institutions, such as public administration, social and health services and the military, are taken over by private companies whose primary interest is the profit of their shareholders rather than the well-being of citizens? And how can these developments be reconciled with the simultaneous European efforts toward digital sovereignty? Since Peter Thiel, the so-called PayPal Mafia and the ideology of the Silicon Valley tech entrepreneurs have a major influence on these developments, we refer here to the previous Open Chaos on Palantir and Dark Enlightenment: https://media.ccc.de/v/c4.openchaos.2025.10.palantir-dark-enlightenment-deutsche-polizei Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de

Nov 27, 2025 · 1h 0m

Closing (god2025)

Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de

Nov 26, 2025 · 4 min

News from the Juice Shop ecosystem (god2025)

OWASP Juice Shop went through some significant renovation and enhancements over the last year in order to keep current with the underlying Node.js and Angular frameworks. MultiJuicer was entirely rewritten in GoLang and is now faster and more reliable than ever before. All Juice Shop side-projects have been migrated to TypeScript and brought to a common stack for testing and code linting. But the team did not only clean up and refactor behind the scenes. There are also lots of exciting new features and enhancements available, such as:
* Several new hacking challenges, e.g. a YAML memory bomb attack and an API key leakage
* Enhancing MultiJuicer's team score board to deliver a more holistic CTF experience
* Reimagining the hint system for all challenges, integrating now even better with CTF servers and making the use of hints more explicit for users

Of course the popular Juice Shop Success Pyramid™ will be back with beyond-crazy Docker image download stats and other usage figures! Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de

Nov 26, 2025 · 22 min

OWASP Top 10:2025: Current Information and Insights on the Project (god2025)

This short talk presents the current state of the OWASP Top 10:2025; with a bit of luck we will already have more by then... Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de

Nov 26, 2025 · 11 min

The Cyber Resilience Act: How OWASP Can Play a Decisive Role for Software Manufacturers (god2025)

The Cyber Resilience Act, CRA for short, is a new EU regulation and comes fully into force in December 2027. The core element of the regulation is software security for all so-called "products with digital elements" that are offered commercially on the EU market. These include networked hardware products that run firmware as well as pure software products. The requirements for software manufacturers range from fundamental "Security by Design" and "Secure by Default", through threat analyses of the software, to mandatory patching and vulnerability management. Do these topics sound somehow familiar? No wonder, because a whole range of projects from the OWASP ecosystem are practically predestined for use in the context of the CRA. Not only did CycloneDX, one of the two de facto SBOM standards, originate from OWASP - frameworks such as OWASP SAMM or tools such as Dependency-Track can also play quite decisive roles in implementing supply chain security and SDLC processes. In this talk we take a closer look at the requirements of the regulation and then look at the interfaces to OWASP projects. In the end, this should help both to give manufacturers a better picture of OWASP and to let OWASP approach those obligated under the CRA in a more targeted way. The more people recognize themselves in these topics and the more collaboration can arise, the better. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de

Nov 26, 2025 · 21 min

YuraScanner: Leveraging LLMs for Task-driven Web App Scanning (god2025)

Web application scanners are popular and effective black-box testing tools, automating the detection of vulnerabilities by exploring and interacting with user interfaces. Despite their effectiveness, these scanners struggle with discovering deeper states in modern web applications due to their limited understanding of workflows. This study addresses this limitation by introducing YuraScanner, a task-driven web application scanner that leverages large-language models (LLMs) to autonomously execute tasks and workflows. YuraScanner operates as a goal-based agent, suggesting actions to achieve predefined objectives by processing webpages to extract semantic information. Unlike traditional methods that rely on user-provided traces, YuraScanner uses LLMs to bridge the semantic gap, making it web application-agnostic. Using the XSS engine of Black Widow, YuraScanner tests discovered input points for vulnerabilities, enhancing the scanning process's comprehensiveness and accuracy. We evaluated YuraScanner on 20 diverse web applications, focusing on task extraction, execution accuracy, and vulnerability detection. The results demonstrate YuraScanner's superiority in discovering new attack surfaces and deeper states, significantly improving vulnerability detection. Notably, YuraScanner identified 12 unique zero-day XSS vulnerabilities, compared to three by Black Widow. This study highlights YuraScanner's potential to revolutionize web application scanning with its automated, task-driven approach. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de

Nov 26, 2025 · 22 min

A CISO's Adventures in AI Wonderland (god2025)

As a CISO (or any other security expert) in the area of AI, you can find yourself in increasingly challenging and sometimes bizarre AI-related situations not unlike Alice's adventures in Wonderland. Depending on whom you speak to, people either have high (inflated?) expectations about the (magic?) benefits of AI for security efforts, or try to explain why "AI security Armageddon" is looming... and that is just the security part of the story. All other areas in your organization are heavily using or experimenting with AI (e.g., vibe coding, automation, decision making, etc.), challenging (or ignoring) established security practices. This talk tells the story of the daily experience of dealing with AI as a CISO in a cloud-application startup. Which experiments failed or were successful, which advice is helpful, what is difficult to apply in practice, which questions are still open... The motivation for this talk is to start a conversation among security experts on how we can shape a secure AI future and not get pushed into the role of being seen as "hindering" AI progress. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de

Nov 26, 2025 · 42 min

The Trust Trap - Security of Coding Assistants (god2025)

Coding assistants such as GitHub Copilot, Cursor or Claude promise an efficiency boost for software development. But what influence does the use of these tools have on software security? This talk analyzes the advantages and disadvantages of coding assistants with regard to the security of the resulting code. It gives an overview of the current state of research and the benchmarks for the various models and discusses the results. Besides the significance of vulnerabilities introduced in the code itself, risks such as slopsquatting, model poisoning and rules file backdoors are explained. Finally, the talk gives recommendations on best practices for the use of coding assistants: from correct configuration and use to guidelines for reviewing and testing such code. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de

Nov 26, 2025 · 43 min

How we hacked Y Combinator companies' AI agents (god2025)

We hacked 7 of the 16 publicly-accessible YC X25 AI agents. This allowed us to leak user data, execute code remotely, and take over databases. All within 30 minutes each. In this session, we'll walk through the common mistakes these companies made and how you can mitigate these security concerns before your agents put your business at risk. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de

Nov 26, 2025 · 24 min

"I have no idea how to make it safer": Security and Privacy Mindsets of Browser Extension Developers (god2025)

Browser extensions are a powerful part of the Web ecosystem as they extend browser functionality and let users personalize their online experience. But with higher privileges than regular web apps, extensions bring unique security and privacy risks. Much like web applications, vulnerabilities often creep in, not just through poor implementation, but also through gaps in developer awareness and ecosystem support. In this talk, we share insights from a recent study in which we interviewed and observed 21 extension developers across the world [1] as they worked on security and privacy-related tasks that we designed based on our prior works and observations [2, 3]. Their live decision-making revealed common misconceptions, unexpected pain points, and ecosystemic obstacles in the extension development lifecycle. Extending beyond our published results, we plan to highlight some of the untold anecdotes, insecure development practices, their threat perception, the design-level challenges, as well as the misconceptions around them. The audience will take away the following items from the presentation/discussion:
* Common insecure practices in extension development.
* Why security ≠ privacy ≠ store compliance, as often perceived by extension developers!
* Hidden design gaps and loopholes in extension architecture that developers can't spot or comprehend.
* Anecdotes on the course of extension development in the era of LLMs.
* Developers, regulations (GDPR/CCPA/CRA), and a few “interesting” opinions.
* And, most importantly, why you should NOT give up on them just yet! :)

References:
[1] Agarwal, Shubham, et al. “I have no idea how to make it safer”: Studying Security and Privacy Mindsets of Browser Extension Developers. Proceedings of the 34th USENIX Security Symposium 2025.
[2] Agarwal, Shubham, Aurore Fass, and Ben Stock. Peeking through the window: Fingerprinting Browser Extensions through Page-Visible Execution Traces and Interactions. Proceedings of the 31st ACM SIGSAC Conference on Computer and Communications Security. 2024.
[3] Agarwal, Shubham. Helping or hindering? How browser extensions undermine security. Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. 2022.

Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de

Nov 26, 2025 · 24 min

MCP security hot potato: how to stay secure integrating external tools to your LLM (god2025)

Model Context Protocol (MCP) is the latest hot topic in cybersecurity. Business wants it (AI is the new mantra), developers are excited (new toys, new code), and security teams are left to make it safe—often with already packed schedules. Let's treat it like just another Tuesday. Like many shiny new technologies (remember the early days of cloud?), MCP is being built with a “features first, security later” mindset. As a fresh piece of tech, it blends novel vulnerabilities with familiar, well-known ones. If you're an early adopter, it's important to accept that MCP and its current implementations are imperfect—and to be ready for that. In this talk, we'll dive into the real-world challenges companies are facing with MCP and equip you with practical remediations. We'll cover topics such as:
* An introduction to the MCP protocol and its security considerations, including authentication
* Emerging vulnerabilities like prompt injections, tool poisoning, rug pull attacks, and cross-server tool shadowing
* Classic vulnerabilities that may resurface around MCP, based on recent CVEs
* Remediation strategies and available tooling

Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de

Nov 26, 2025 · 24 min

Extract: A PHP Foot-Gun Case Study (god2025)

Do you always read the documentation before using a function in your language's standard library? This talk explores the attack surface of a special feature in PHP which is easy to misuse with unforeseen consequences. The `extract` function allows replacing the value of local variables named after the keys in an array. Calling it with user-controlled input allows the attacker to change arbitrary variables in the program. The documentation warns against the dangers of using it with untrusted data, but our large-scale analysis on 28.325 PHP projects from GitHub shows that this warning is ignored. The talk walks through the process of identifying `extract`-based vulnerabilities and how they might have ended up the way they are by looking at the surrounding code. After introducing different levels of attacker-control guided by concrete exploits, listeners gain an intuition on what to look out for while reviewing code. Attending this talk, the audience will learn:
* Rich ways users have control over input in PHP.
* How to exploit insecure calls to `extract` given multiple real-world case-studies from the dataset of open source projects from GitHub.
* Tips on how to avoid this and similar threats in new and legacy code.
* Possible changes to PHP itself for risk reduction.

Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de

Nov 26, 2025 · 24 min

The Automation Illusion? What Machines Can't Do in Threat Modeling (god2025)

Threat modeling stands at a critical juncture. While essential for creating secure systems, it remains mostly manual, handcrafted, and often too slow for today's development cycles. At the same time, automation and AI offer new levels of speed and scalability— but how much can we rely on them? This talk explores the tension between automation and human expertise in threat modeling. We'll dissect the traditional threat modeling process—scoping, modeling, threat identification, risk analysis, and mitigation—and perform a step-by-step gap analysis to identify what can realistically be automated today, what cannot, and why. We'll dive into: Current tooling: Review the AI threat modeling tools that handle diagram-based automation, template-driven modeling, risk scoring, and pattern matching. Emerging AI use cases: automatically generating threat models from architecture diagrams, user stories, or use case descriptions; providing AI-assisted mitigation suggestions; and conducting NLP-driven threat analysis. Limitations and risks: False confidence, hallucinations, model bias, ethical accountability, and the challenge of modeling new or context-specific threats. We will ground this analysis with examples from organizations and academic research that aim to scale threat modeling without compromising depth or quality, drawing parallels to how other activities, such as SAST and DAST scanning, evolved. Attendees will walk away with a practical roadmap for integrating automation without undermining the human insight threat modeling still requires. This talk isn't a tool pitch. It's a candid, experience-based view of where automation can meaningfully accelerate threat modeling—and where the human must remain firmly in the loop. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de

Nov 26, 2025 · 39 min

Pwn My Ride: Jailbreaking Cars with CarPlay (god2025)

Apple CarPlay is a widely known protocol that connects smartphones to car multimedia systems. Based on AirPlay, CarPlay is installed in millions of cars, as it is supported by hundreds of car models from dozens of different manufacturers across the globe. In our talk, we will share how we managed to exploit all devices running CarPlay using a single vulnerability we discovered in the AirPlay SDK. We'll take you through our entire exploit development process from identifying the vulnerability, to testing it on a custom device emulator, and finally, executing the exploit on actual devices. The session will include a demonstration of our RCE exploit on a well known third-party CarPlay device to show how an attacker can run arbitrary code while in physical proximity to a target car. We will also share how we managed to blindly exploit CarPlay without a debugger, knowing the vulnerable code is present on the system. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de

Nov 26, 2025 · 40 min

OWASP Cumulus: Threat Modeling the Ops of DevOps (god2025)

In this presentation, we will highlight how threat modeling, as a proactive measure, can increase security in DevOps projects. We will introduce OWASP Cumulus, a threat modeling card game designed for threat modeling the Ops part of DevOps processes. This game (in combination with similar games like Elevation of Privilege or OWASP Cornucopia) enables DevOps teams to take the security responsibility for their project in a lightweight and engaging way. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de

Nov 26, 2025 · 26 min

Phishing for Passkeys: An Analysis of WebAuthn and CTAP (god2025)

WebAuthn was supposed to replace passwords on the web: uniform, secure, manageable authentication for everyone! One of its unique selling points was supposed to be the impossibility of phishing attacks. When passkeys were introduced, some of WebAuthn's security principles were watered down in order to achieve some usability improvements and thus reach more widespread adoption. This presentation discusses the security of passkeys against phishing attacks. It explains the possibilities for an attacker to gain access to accounts secured with passkeys using spear phishing, and what conditions must be met for this to happen. It also practically demonstrates such an attack and discusses countermeasures. Participants will learn which WebAuthn security principles still apply to passkeys and which do not. They will learn why passkeys are no longer completely phishing-proof and how they can evaluate this consideration for their own use of passkeys. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de

Nov 26, 2025 · 19 min

Continuous Vulnerability Scanning with OWASP secureCodeBox (god2025)

The OWASP secureCodeBox project aims to provide a unified way to run and automate open-source scanning tools like nmap, nuclei, zap, ssh-audit, and sslyze to continuously scan the code and infrastructure of entire organizations. This allows setting up automated scans that will regularly scan internal networks and internet-facing systems for vulnerabilities. The SCB also allows defining rules to automatically start more in-depth scans based on previous findings, e.g., to start a specialized SSH scan if a port scan discovers an open SSH port. Scan results can be uniformly handled with prebuilt hooks, e.g. to send out alerts via messaging tools, or to ingest the findings into vulnerability management systems like OWASP DefectDojo. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de

Nov 26, 2025 · 24 min

Introducing Passkeys - Strategies and Challenges for Developers (god2025)

The future of authentication is passwordless - Passkeys are the key technology. This talk supports developers in implementing Passkeys in their organizations and helps with the decision between in-house development, SDK, or Passkey-as-a-Service solutions. You will learn how to design recovery flows and fallback mechanisms in a user-friendly way, how Passkeys can be securely shared across devices and platforms, and what level of security they offer compared to traditional methods. Practical user stories and concrete examples highlight common pitfalls and help you optimally communicate the benefits of Passkeys. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de

Nov 26, 2025 · 22 min

All the WAF power to the devs - why it reduces friction… and where it backfires (god2025)

Web application firewalls are often seen as a hindrance when going live, as perimeter WAFs can clash with GitOps-driven platforms. Empowering development teams with an application-centric WAF setup allows them to run and tune the WAF throughout the entire development lifecycle. It also enables full integration into any CI/CD pipeline or GitOps approach, reducing late surprises during deployment. In this talk, we demonstrate the application-centric approach with Envoy Proxy, OWASP Coraza, and the OWASP Core Rule Set (components are examples and interchangeable; focus is on principles and selection criteria), and take you along our real-world journey - highlighting the challenges and lessons learned. What you'll take away: We show where this reusable reference design reduces friction and where it backfires, and we outline the governance and guardrails needed to make it work in practice. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de

Nov 26, 2025 · 34 min

LangSec for AppSec folks (god2025)

The fundamental security principles described by LangSec explain the root causes of many security vulnerabilities and how to fix them. LangSec views the ongoing vulnerability epidemic in software as a consequence of the ad hoc development of code that processes inputs and outputs. According to LangSec, the key to developing trustworthy software that correctly handles potentially malicious input is to treat all valid or expected inputs and outputs as a formal language. Accordingly, the routines that process inputs and outputs must be treated as parsers and unparsers, respectively, for that language, and must be developed as such. In this talk I want to introduce LangSec and its implications for our daily work in AppSec without drifting into the depths of theoretical computer science and compiler construction. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de

Nov 26, 2025 · 29 min

From Startup to Scale: Choosing the Right AppSec Path (god2025)

Security teams often inherit their organisation's structure - for better or worse. The way you design your AppSec programme and choose your team topology can determine whether security becomes a trusted enabler or a frustrating bottleneck. In this story-driven session, we follow Alex, who begins as the only security person in a 50-person startup. At first, Alex builds a centralised AppSec team, finding it effective for control but slow to scale. As the company grows to hundreds of employees, bottlenecks appear, and burnout looms. Alex experiments with embedded security engineers, Security as a Platform, and a Security Champions network, learning the trade-offs of each approach along the way. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de

Nov 26, 2025 · 21 min

How the EU created Electronic Invoices without considering Security (god2025)

Companies within the European Union are increasingly required to be able to issue and process electronic invoices according to EU standards. For example, since January 2025, companies in Germany have been required to support electronic invoices in B2B contexts. While it is desirable to standardize invoice data formats, the EU standards have severe problems. They are overly and needlessly complicated, and security was not given much consideration. An unfortunate design choice to use a problematic "standard" (XSLT 2/3) only supported by a single implementation with inherent security problems makes security vulnerabilities in electronic invoicing software even more likely. The EU standard allows multiple redundant XML data formats to encode electronic invoices. XML processing has several well-known, inherent security problems, most notably file exfiltration via XML eXternal Entity (XXE) attacks. It appears that XML security was not considered during the creation of these standards. Neither the standardization documents nor the information found on various government and EU web pages contain any information about avoiding XML security flaws. Therefore, unsurprisingly, security vulnerabilities in software processing these electronic invoices are very common. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de

Nov 26, 2025 · 27 min

The Surprising Complexity of Finding Known Vulnerabilities (god2025)

With the increasing reliance on third-party software components, ensuring their security against known vulnerabilities has become a daily challenge for individuals and organizations. Despite the availability of a variety of tools and databases, we found all of them fall short when applied to real-world scenarios - raising questions about their effectiveness, generalizability, and practical utility. Starting from our perspective as penetration testers, we identified three main problems with existing solutions in vulnerability identification: Accuracy and completeness of results - Many tools exhibit limited precision and recall, often depending on a single data source (e.g. NVD) and overlooking critical indicators such as known exploits or patch history. Rigid input requirements - Most solutions enforce strict formatting constraints (e.g., requiring exact CPEs), creating usability and reliability issues when dealing with diverse or incomplete data. Lack of usable outputs - The inability to meaningfully export or integrate results into broader workflows hampers both manual and automated security processes. In order to solve these challenges, we developed the open-source tool search_vulns. It leverages information from multiple data sources and uses text comparison techniques and CPEs in combination to increase accuracy in software identification. Due to this approach, it can even automatically generate CPEs that have yet to be published. Together with its custom logic for version comparison, this further enhances the quality of results. Finally, search_vulns provides a fine-granular export of results in different formats. In conclusion, this talk aims to simplify the surprising complexity of finding known vulnerabilities in software. To do so, we discuss common challenges in mapping software names to CPEs, e.g. for product rebrandings, single-version vulnerabilities and yet to be published software versions. 
In addition, we present an approach using multiple data sources in combination to enrich CVE data with information on known exploits, likelihood of exploitability (EPSS) and other data sources. Finally, we present search_vulns as an open-source tool. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de

Nov 26, 2025 · 23 min

Keynote: Code Dark Age (god2025)

Generative AI is supposed to make our lives easier. But what if it's really just coding us straight into a new Dark Age? We hand over our systems to AI agents, only to watch them invent backdoors nobody asked for. Developers are left with the glamorous job of bug janitors, while attackers get new exploits. It's hard not to feel like we are front-row spectators to the collapse of digital civilization. This talk shows how these risks are multiplying, and how the public debate around security often misses the point, making it even harder to fix what is broken. Maybe what we are really witnessing is the world's biggest live demo of the digital apocalypse. But sometimes you have to watch everything burn down before you can rebuild it better. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de

Nov 26, 2025 · 39 min

Welcome (god2025)

Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de

Nov 26, 2025 · 9 min

Gateway to Adventure (nook25)

Pen-and-paper role-playing games have many facets that can support a person's development. Be it social skills, acquiring problem-solving strategies, or breaking out of traditional role stereotypes, all of this can be conveyed in a pen-and-paper session. And the participants have fun doing it, too. This seminar briefly explains the basics of pen-and-paper role-playing games and then turns to the positive aspects of a PnP session. There will be plenty of room for questions and exchange. At the booth accompanying this talk, there are insights into the world of pen-and-paper role-playing games and material to try out even before the talk. Correction: "The quote mentioned in the video, 'I learned to drive in the mountains of Sweden, so I can surely reverse down the jetty', comes from Marcus' youngest child, not his eldest." The Nights of Open Knowledge (Nook) in Lübeck is an open lecture event that offers a broad audience insights into the various areas of computer science as well as non-technical topics. The NooK is organized by Chaotikum e.V. from Lübeck and the student body of the University of Lübeck. https://nook-luebeck.de/ This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License (CC BY NC ND 4.0). https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY-NC-ND 4.0 about this event: https://2025.nook-luebeck.de/talks/gateway-to-adventure/

Nov 15, 2025 · 28 min

City, Country, Parking Lot (nook25)

German transport policy has for decades been shaped by a car-centric perspective that is deeply anchored in society and normalized by the media. While science has long pointed to the limits of this model (ecological, health-related, economic), the public debate, here in Lübeck too, is often conducted in an emotional, ideological or distorted way. The talk examines widespread myths, structural diffusion of responsibility, and the systematic disregard of evidence-based findings. The aim is to understand mobility as a system that concerns society as a whole and to discuss solutions that go beyond mere technicism (electric cars, autonomous driving). The Nights of Open Knowledge (Nook) in Lübeck is an open lecture event that offers a broad audience insights into the various areas of computer science as well as non-technical topics. The NooK is organized by Chaotikum e.V. from Lübeck and the student body of the University of Lübeck. https://nook-luebeck.de/ This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License (CC BY NC ND 4.0). https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY-NC-ND 4.0 about this event: https://2025.nook-luebeck.de/talks/stadt-land-parkplatz/

Nov 15, 2025 · 51 min

Level Up! Gamifying Math (nook25)

In the Magic Sword Academy, MSA preparation becomes a fantasy role-playing game: the students collect XP, solve quests in guilds, and compete in boss fights in different areas. This turns exam stress into motivation, and math into a game. My goal is for the students to learn with more joy and commitment as a result and to be prepared as well as possible for their final exam. Anyone with playful ideas: bring them on! The Nights of Open Knowledge (Nook) in Lübeck is an open lecture event that offers a broad audience insights into the various areas of computer science as well as non-technical topics. The NooK is organized by Chaotikum e.V. from Lübeck and the student body of the University of Lübeck. https://nook-luebeck.de/ This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License (CC BY NC ND 4.0). https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY-NC-ND 4.0 about this event: https://2025.nook-luebeck.de/talks/lightning-talks-samstag/#level-up-mathe-gamifiziert

Nov 15, 2025 · 10 min

The Closest Lattice Points in Space (nook25)

You know how it is: you have a lattice in space, and the lattice is somehow kind of skewed. And then you ask yourself, for every point in space, which lattice point is actually the nearest. You do this in the evening while out for a walk, lost in thought, and then you suddenly fall into the pot of linear combinations, and there is a pretty trick with matrix multiplication that you still find yourself thinking about every now and then a year later. The Nights of Open Knowledge (Nook) in Lübeck is an open lecture event that offers a broad audience insights into the various areas of computer science as well as non-technical topics. The NooK is organized by Chaotikum e.V. from Lübeck and the student body of the University of Lübeck. https://nook-luebeck.de/ This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License (CC BY NC ND 4.0). https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY-NC-ND 4.0 about this event: https://2025.nook-luebeck.de/talks/lightning-talks-samstag/#die-dichtesten-gitterpunkte-im-raum

Nov 15, 2025 · 8 min

Billionaire Tax: A Tax for the Ultra-Rich (nook25)

A global minimum tax for billionaires is being discussed internationally. Gabriel Zucman's proposal for the G20 is intended to ensure that the super-rich make a fair tax contribution regardless of where they reside. The talk gives an overview of the problem, proposed solutions, implementation and criticism. The Nights of Open Knowledge (Nook) in Lübeck is an open lecture event that offers a broad audience insights into the various areas of computer science as well as non-technical topics. The NooK is organized by Chaotikum e.V. from Lübeck and the student body of the University of Lübeck. https://nook-luebeck.de/ This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License (CC BY NC ND 4.0). https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY-NC-ND 4.0 about this event: https://2025.nook-luebeck.de/talks/lightning-talks-samstag/#milliardärssteuer-steuer-für-überreiche

Nov 15, 2025 · 10 min