
Chaos Computer Club - recent events feed
2,041 episodes — Page 26 of 41
TIC-80 byte jam (WHY2025)
TIC-80 fantasy console Byte Jam is a friendly competition to livecode a demo in a relaxed atmosphere. This can take an hour or more depending on the inspiration and time needed by the participants. You can follow the suggested randomly chosen topic or do your own thing. TIC-80 is a fantasy console with limited resources like a 240x136 pixel display, a 16 color palette, 256 8x8 color sprites, 4 channel sound, etc. This gives the TIC-80 a very retro look and feel. This byte jam is a good representation of the demoscene, where coders/hackers with very limited resources in hardware or software make stunning audio and visual effects. In Europe the demoscene has been granted cultural heritage status in Finland, Germany and Poland, and this status has been requested for the Netherlands and other countries. Want to join this ByteJam as a coder? Check with Dave / zeno4ever for the possibilities!! Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/ZRBZAC/
Afturmath - Synthesis, Lasers, and Soundscapes (WHY2025)
Afturmath closes the live music program with an immersive journey of sound and light. Combining modular synthesizers, lasers, and abstract video synthesis, Afturmath crafts dense, evolving sonic landscapes that invite you to lose yourself in the experience. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/7W9GTM/
WHY Lightupyourbanjo (WHY2025)
The Light and Music entertainment platform Lightupyourbanjo began in 2010 when “Cash-a-billy with a Bluegrass bite” band Ed and the Fretmen wanted to have better lights on their banjo. They developed banjo lights with addressable LEDs for indoor and outdoor mounting, showing interactive animations written in C++ that support the songs, and wrote songs to support the lights. In 2025 the Lightupyourbanjo bands will be fighting the darkness with the new O4 model built into their 3 banjos. In the WHY Lightupyourbanjo talk, we will look at the world of banjo lights, present the new O4 model and its features, apply the 5xWHY analysis to all of this to explore the greater meaning, and finally we hope to bring some Light and Music to WHY 2025. https://www.youtube.com/watch?v=_j19nTYNWv4 Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/9NQTEL/
Automate yourself out of supply chain hell (WHY2025)
Modern software development and operations rely heavily on third-party applications, libraries, containers etc. This presentation will showcase how dev, ops, but also security management can be transparent about dependency versioning and known vulnerabilities, while also staying on track with updates. It will show demos of open source standards like SBOM and frameworks like Dependency-Check, Dependency-Track and Renovate that can help automate away the sadness of today's supply chain issues. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/7C8XYS/
Getting Started: Reading Bosch Sensor Data on the Badge with MicroPython (WHY2025)
This talk introduces participants to the Bosch BMI270 (inertial sensor) and BME690 (environmental sensor) on the WHY2025 Hackathon Badge. After a brief overview of MEMS technology and how these tiny sensors are made and used, we’ll dive into a hands-on session showing how to read sensor data using MicroPython — so you can start experimenting right away. MEMS (Micro-Electro-Mechanical Systems) sensors are miniature, highly precise components that detect motion, position, and environmental conditions. They are widely used in smartphones, cars, wearables, and smart home devices and are manufactured in specialized cleanrooms using advanced semiconductor processes. This talk starts with a short introduction covering: What are MEMS? How are they made? What can the Bosch BMI270 (6-axis IMU) and BME690 (gas, humidity, temperature, and pressure sensor) do? After this overview, we’ll switch to a practical session: you’ll learn how to get started with MicroPython to access real-time sensor data on the WHY2025 Badge. By the end, you’ll be ready to experiment with your own ideas and prototypes based on the badge’s powerful sensing capabilities. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/9HUFEX/
Offworld Voyage: Can Training for Mars Exploration Also Address Human Adaptation to Climate Bio-devastation on Earth? (WHY2025)
This talk will present the design philosophy behind Offworld Voyage, a decentralized science initiative that develops ecologically sustainable training habitats for use in simulated Mars surface exploration missions - while also solving for adaptation to extreme climate change on Earth. The Offworld Voyage M.A.R.S. Tesseract Space Analog Simulation Habitats were designed with a zero waste ethos for minimal environmental impact by inventor Scott Beibin and visual wizard Michael Flood. The modular and portable structures of the habitats include: a bio-dome for cultivating organic vegan plant-based and fungi-based nutrition sources, autonomous power production, advanced waste reclamation, a science laboratory for experimentation and research, a space medicine bay, a fabrication lab for prototyping and repair, facilities for fitness and creativity as well as a kitchen and living quarters. Mission immersions incorporate a vision of the future when space has become accessible to all through the use of emerging ecologically sustainable appropriate technologies enabled by new types of egalitarian economic structures and coordination methods. Crew activities include EVA explorations in pressurized space suits outfitted with bio-sensors, 3D printed construction using regolith, utilization of open source communications tools, cooperative governance exercises and the practice of mutual aid and consensus decision making in mission planning, problem-solving and self-sufficiency challenges in the face of extreme resource scarcity, simulated time-delayed communications and experiments to analyze the effects of isolation on astronauts during offworld missions. The inaugural mission for the M.A.R.S. Tesseract habitats will occur in a remote desert location in the near future. 
It will include the founders of the project, Scott Beibin and Elizabeth Jane Cole, who are both alumni of the Mars Desert Research Station (Mission 286) and core committee members of the Journal for Space Analog Research. Future plans for the project include the development of pressurized facilities and closed loop systems, as well as development of public goods including hardware and software for Space Analog Research and S.T.E.A.M based educational programs. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/ZDE7NN/
Using deployment diagrams to explain architecture and security to everybody (WHY2025)
This talk will enable you to lead architecture conversations and discuss their security options through an informal diagramming technique. I will use examples such as key/encryption architectures, DevOps, and even your home music system. Presentation at https://digitalinfrastructures.nl/why2025/ You have seen many diagrams of computer and information systems in your career. They have been around since the early days of computing. They can be useful, but there are a few typical problems with them: • They are drawn with obscure symbols that are only understood by architects • They are drawn in an inconsistent way • They are not used to their fullest potential. In my practice I have run into these problems often, and I have found ways to turn a certain type of diagram, a simplified version of deployment diagrams, into the cornerstone of explaining what goes on in cloud and cybersecurity. In the talk I will lead you through the basic principles and a few examples. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/PRV9UP/
Nerding out over silly machines (WHY2025)
You've maybe seen the raking robot that got a CEH (Certified Estetisch Harker) certificate, the Telex linked to Twitter/Telegram or the ASCII photo booth. They are all made by me. If this talk gets accepted I will do a deep dive on these three contraptions and what I learned building them. Besides Schuberg Philis, DIVD, attending the farm and keeping my bees I also build machines. It is an interesting process and I want to share it with you. Machines I will be talking about: * The (world's?) 1st 3D color printer from TNO * The raking robot * AI/Twitter/Telegram/Slack connected Telex * ASCII photo booth Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/FYPY7C/
Building Bitchat: Offline first protocols and E2E Encrypted Social Apps with Nostr, Noise, and MLS (WHY2025)
Learn how to build end-to-end encrypted social apps including the newly released Bitchat using Nostr and MLS (Messaging Layer Security). We'll go from Nostr basics through to encrypted groups, explore the open source libraries and apps already in production, and show how to build your own. Includes live coding demonstrating how to create secure, private social tools that actually scale. You'll leave knowing how to build real e2e apps using tested, working tools. Building truly private social applications isn't just about adding encryption - it's about rethinking how we build social spaces. By combining Nostr's decentralized protocol with MLS's efficient group encryption, we can create social apps that are both private and practical. The talk walks through: Technical Foundation: - How Nostr works: events, relays, and NIPs - Understanding MLS tree-based group key management - Implementing encrypted groups that actually scale - Real-world performance and security considerations Practical Building: - Tour of working libraries - Open source apps you can use today - Common implementation challenges and solutions - Live coding of a basic encrypted group chat Beyond the Code: - Why traditional platform encryption fails - How forking solves community governance - Building tools that empower rather than control - Real examples from nos.social and communities.nos.social You'll leave understanding not just the protocols, but how to build real applications that respect privacy and community autonomy. We'll look at actual code running in production, discuss practical challenges we've solved, and show how you can start building your own encrypted social tools today. This isn't just theory - everything shown is running in production now. Whether you're interested in cryptography, social protocols, or just want to build better tools for human communication, you'll get concrete knowledge you can use. 
Prerequisites: Basic familiarity with public key cryptography helpful but not required. Examples will use JavaScript/TypeScript but concepts apply to any language. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/3QQLRN/
How we stopped a € 50 million project from destroying a forest (and other ways to pick fights with corporations and governments) (WHY2025)
In 2017 a large corporation announced that they wanted to build a € 50 million theme park in a small forest that I had known from my childhood, thus replacing the future of our children with simple entertainment. An overwhelming feeling of injustice came over us. We created a plan, and we stuck to it. We drew a line in the sand. Fatalism can be your greatest enemy, but it doesn’t have to be. Welcome to the rebellion. In 2017 a large corporation announced that they wanted to build a water theme park in a small forest that I had known from my childhood. Immediately an overwhelming feeling of injustice came over me. Why would you sacrifice the future of our children for a theme park? It turned out a number of neighbours had the same feeling. We decided to draw a line in the sand. For seven years we fought a battle with the corporation and the government, and the whole time everybody was telling us this was a fight we could not win. In 2024 we won that fight. It turned out it wasn’t just luck. We created a plan, and we stuck to it. Since then we have been sharing our experiences with other organisations. Fatalism can be your greatest enemy, but it doesn’t have to be. Welcome to the rebellion. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/7EMW3A/
Caveat Emptor: Ratings and Reviews Can't Be Trusted (WHY2025)
It's hard for a platform to have meaningful, useful ratings/reviews without substantially Knowing Your Customer, engineering to detect manipulated reviews, and responding in a nuanced way -- to increase a fraudster's costs, and not just train them to hide better. There are lots of examples of diverse platforms not doing a very good job of this. (I'll also talk about how this knowledge sometimes leads platforms to try to manipulate their own customers to maximize their sales.) Ratings and reviews, although almost universally relied on by consumers, are, like much other online info, often manipulated to increase sales and pump up merchant reputation, but are sometimes used maliciously to slam a competitor. Even sites that only allow reviews from purchasers can be manipulated, particularly on platforms where low cost products are sold. Ebay harbors fraudulent sellers by combining buyer and seller reputation, and not weighting by sale price. (So a 5 star rating for a trivial purchase accrues equal reputation to a large value sale.) Many manipulations should be easily detectable by looking for some clear behavioral signatures, and then not training the adversaries by using adversary engineering rather than simply deactivating accounts. (I'll show you how to spot a lot of the red flags.) Examples range from pumped up restaurant listings (up to #1 in London), Amazon's and Ebay's problems, to a puppy sales site that had a rating system so bad by design that they were sued by an animal rights org for facilitating fraud by puppy mills. (There are a lot of sick puppies out there...) Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/CJQD7U/
Die Hardcoded: Unlocking Yealink's (weakest) secrets (WHY2025)
During this talk we look at hardware and firmware reverse engineering, but also at corporate intimidation tactics and how to respond ethically as a security researcher. Leveraging the hard-coded AES keys, outdated software, and lots and lots of custom code we found, we were able to install "custom code" on some phones and access global customer configuration data by exploiting Yealink's global cloud provisioning service (RPS). Communication is the cornerstone of human collaboration and vital to functional governments, flourishing businesses, and our personal lives. We take for granted that sensitive information we send through our digital communication infrastructure is only received by the intended recipient. This puts immense responsibility on communication equipment manufacturers and service providers to keep our communications safe from prying eyes. Surely we can trust a global, leading manufacturer of video conferencing, voice communication and collaboration solutions to keep our data safe, right? ...right? They may have shiny devices and their marketing slides might be impressive, but we care about what's on the inside. In this talk, we take a look at Yealink VoIP business phones and their cloud infrastructure. Come with us on a technical deep dive involving hardware hacking and firmware reverse engineering, but also listen to a story about corporate intimidation tactics and lessons on how not to treat security researchers. What we find is a security researcher's dream: hard-coded AES keys, outdated software, and lots and lots of custom C code (including cryptography!). We were not only able to run custom code on some phones, but were also able to access configuration data of their global cloud provisioning service while casually answering the age-old question: "Does it run DOOM?". 
This project concluded in a wide-ranging coordinated vulnerability disclosure involving the manufacturer, telecom providers, national cybersecurity agencies, and major customers, which we will also outline in this talk. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/CXVW7V/
The story and maths behind the Sferical lamps (WHY2025)
My experience of contributing to an open-source project for the first time and the juicy details (maths) of the geometry of the Sferical lamps (the ones that hang in Heaven / Silent Lounge). I'd like to take you with me on how I built a generator for spherical lampshades. I'll talk about how math slowly turns into magic. The math is mainly trigonometry, so we can reminisce about high school. But don't worry too much about it. It will be visualised, so everyone can follow along. The real magic happens when we introduce light into the equation, illuminating the creations in stunning ways. Plus, since this project is open source, you'll have the opportunity to craft your own unique lampshades! Or hack it into something else entirely... Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/Y9YKJF/
A Journey Through Boring Telco Data Leaks (WHY2025)
Over the past few years, I’ve been casually poking around and stumbling upon exposed data and insecure infrastructure all across the telco ecosystem. From unsecured debug portals to full backend access, the leaks themselves might seem technically boring. In this talk, I’ll walk through a handful of real-world cases, showing how misconfigurations, sloppy code, and forgotten interfaces can lead to serious exposures. These include: * an eSIM provisioning portal exposed via unauthenticated debug web interface * full backend access to a smartphone retail platform, including CRM data and hotline audio recordings * publicly accessible SIM inventory systems, Call Data Records (CDRs), and even passport scans * "open source" telco functions running in plain PHP, sometimes with hardcoded credentials * …and more strange eSIM-related findings This isn’t a high-end 0-day story. This is about minimal-effort, boring data leaks that still manage to have a surprisingly high impact. The talk will include examples, screenshots, and recurring patterns that keep coming up. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/7A7QJV/
From barking to Meow: mature pentesting (WHY2025)
In a world of relentless cyber-threats, MIAUW (Methodology for Information Security Assessment with Audit Value) turns every pentest into a high-impact, traceable mission. This session reveals how its storyline-driven playbook fuses technical exploitation, legal rigor and forensic reporting into a reusable blueprint that regulators love and attackers fear. Expect war-stories, live-demo snippets, and a roadmap to weaponize compliance while clawing back control over risk. This talk introduces MIAUW — Methodology for Information Security Assessment with Audit Value — a structured approach to penetration testing that goes beyond technical exploits to deliver legal defensibility, governance value, and repeatable insight. We begin with a familiar problem: many pentests are technically sound but fail to produce lasting impact. Reports are delivered, risks are noted — and then nothing changes. There’s little accountability, no alignment with organizational processes, and limited value for oversight. MIAUW changes that. It brings structure, traceability, and dual accountability by involving not just the pentester, but also a dedicated auditor. Every step — from planning and scenario definition to execution, reporting, and organizational learning — is part of a documented process. The auditor produces a formal protocol, providing legal and governance-grade assurance over the findings. In this session, we’ll cover: - How MIAUW works: from the first conversation to the final deliverables. Why including an auditor raises the bar for quality, traceability, and board-level trust. - Real-world stories of organizations that transformed their security posture through structured offensive testing. - How to get started with MIAUW, even when working with external testing partners. 
Whether you're a CISO, security consultant, internal auditor or board advisor, this talk will challenge the way you think about pentests — and show you how to make every test a reusable asset for control and improvement. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/NLDDV7/
Guardians of the Dutch healthcare part 2: NIS2 edition (WHY2025)
In 2017 (just before SHA2017) the Dutch healthcare sector came together to create Stichting Z-CERT, the Zorg Computer Emergency Response Team: a nonprofit to protect and advise the Dutch healthcare sector. What started as a small startup has now grown into a scaleup with the ambitions to match. A lot has changed in the 3 years since the last talk about Z-CERT. In this talk we will: - Tell who we are - Show what we do - Give a little peek behind the curtain at how we do that Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/KJEMMF/
Reviewing live-bootstrap (WHY2025)
live-bootstrap is a worthy attempt to provide a reproducible, automatic, complete end-to-end bootstrap from a minimal number of binary seeds to a supported, fully functioning operating system. Although it starts with a minimal binary seed of only 280 bytes, it also depends on a lot of other sources. What are those sources exactly, and how can we review them to make sure that live-bootstrap can be trusted? In the past two years I have spent time studying stage0 of the live-bootstrap project in order to understand how it works, to find out on what sources it depends, and to create interactive documentation that hopefully helps others to understand it and review the sources. In this process, I have written programs to interpret the kaem scripts, an emulator for stage0, and a program to analyze the strace output and generate a T-diagram. In the presentation, I will talk about the steps I have taken, present the results, and also discuss ways to simplify the stage0 sources, such as developing a C compiler targeted at compiling the Tiny C Compiler using a small stack based language as intermediate language. 'Slides' for the presentation: https://iwriteiam.nl/WHY2025_talk.html Links: - https://iwriteiam.nl/Software.html - https://iwriteiam.nl/livebootstrap.html - https://github.com/FransFaase/Emulator/ - https://fransfaase.github.io/Emulator/tdiagram.html - https://github.com/FransFaase/MES-replacement Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/33HD7W/
AiTM panels and sellers (WHY2025)
Adversary-in-the-Middle (AiTM) phishing kits have matured into full-service SaaS platforms. This talk dives into the infrastructure, control panels, and sellers behind modern AiTM attacks. From Dockerized environments to Telegram bot-based UIs, we unpack how these platforms operate, scale, and monetize. We also highlight how this SaaS model is spreading. Expect a technical walkthrough of the ecosystem fueling today’s phishing economy. This talk offers a deep dive into the infrastructure and operational models behind modern Adversary-in-the-Middle (AiTM) phishing attacks. These aren't hobbyist scripts—they are mature, productized platforms that resemble legitimate SaaS offerings. We explore how these platforms work under the hood: - How attackers deploy dockerized phishing kits - The use of CDNs, Telegram bots and proxy networks - Panel features like token capture, mailers, and multi-user support - Revenue models, actor branding, and upsells We will showcase real examples of AiTM panels (including EvilProxy, Tycoon, Mamba2FA, and Raccoon), backed by original research and detection data gathered from over 2,000 incidents across hundreds of Microsoft 365 tenants. Attendees will walk away with an understanding of how these platforms scale, how attackers manage their infrastructure, and how defenders can detect and preempt them using techniques like pixel beacons and certificate transparency. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/SKKCEM/
WHY2025 Infrastructure Review (WHY2025)
Placeholder for WHY2025 Infrastructure Review... various *OC teams will present about the infrastructure they have built for WHY2025. At least Team:NOC will join; previously also Team:Nuts (Power), Team:POC and Team:VOC have joined. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/FY8CXY/
🛡️ Linux Permissions and Hardening (WHY2025)
You want to learn more about Linux permissions? This is the talk for you. Let's learn about the basic UID/GID concepts in Linux and expand into more complex ACLs. Then we build on the "everything-is-a-file" concept and apply the learned security logic to program behavior using SELinux or AppArmor. The first point at which a "normal" user encounters Linux permissions is often when they want to execute a downloaded file (from the internet), requiring them to set the executable bit... But this one bit is just a part of a much larger world of Linux permissions, starting with the usual umask-reduced "drwxrwxr-x" and including access control lists for more complex scenarios. The learned concepts can then be applied not only to files, but also to devices (e.g. using udev)... Most users also know how to bypass "Permission Denied" trouble (by just using "sudo"), but how does that actually work? Managing access to files and devices from the user's perspective is just one side of Linux security, as one can also apply this filtering logic to the system calls programs make: for this we will take a quick look at SELinux and AppArmor, two of the more popular hardening frameworks, and how their rulesets work. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/QNH3VU/
WHY and how would somebody cycle over 500km to a hacker conference? (WHY2025)
I (hopefully) will have cycled from my home city of Mannheim all the way to the WHY camping grounds (>500km) in one go. I will report how I approached the whole endeavour, how I prepared, what the challenges were and what the hard part was. If I happen to not make it, I will describe how, why and what I should have done better. Planning and executing a plan like that, cycling more than 500km in one go, demands equal parts preparation and lack of sanity. I want to share the story in an attempt to inspire people to explore their limits and achieve things that they did not think they would be able to do. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/FQNMBE/
Reverse Engineering Life: Afterparty (WHY2025)
Afterparty for "Reverse Engineering Life: A teardown of the DNA source code of a whole bacterium". Q&A and some bonus content. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/A8LMHV/
Containing the Horror — A Critique on Docker & Co (WHY2025)
For a good decade now, containerisation has been a popular solution: Addressing issues such as security, fault tolerance, and scalability, it has turned into a mainstay in IT. Though with a technology that ubiquitous, it does deserve investigation whether it has been put to good use or rather pressed into service. This talk includes a brief history of container solutions while challenging a number of common assumptions. While geared at a more seasoned audience, the presentation is very much from the perspective of the ‘plumbing layers,’ which comes with the discussion of many core concepts of Docker/OCI. Hence this should be beginner-friendly to a degree. Mild audience participation is to be expected; may contain traces of DevOps. **Keywords:** *containers; cloud; linux; docker; oci; kubernetes* Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/MREBV9/
The WHY, the How, the What. An assessment of TETRA End-to-end (WHY2025)
TETRA is a European standard for trunked radio used globally by police, military and civilian parties alike. In the past, we already published the hitherto secret inner workings of TETRA and on several of its severe security issues. We're now back to discuss the last crucial part of TETRA security - its optional (and costly) end-to-end encryption, reserved for the most sensitive use cases. We'll discuss in detail how we obtained and analyzed those elusive algorithms, and what we found. TETRA is a European standard for trunked radio used globally by police and military operators. Additionally, TETRA is widely deployed in industrial environments such as harbors and airports, as well as critical infrastructure such as SCADA telecontrol of pipelines, transportation and electric and water utilities. In previous research, we published [TETRA:BURST](https://www.midnightblue.nl/tetraburst), revealing vulnerabilities in the TETRA air interface encryption, and publishing the secret cryptographic primitives for public scrutiny. We now present all-new material, assessing the optional and often expensive end-to-end encryption, which adds an additional layer of encryption on top of the air interface encryption, a layer that can only be decrypted by the traffic's recipient, and not by the infrastructure. These solutions enjoy significant end-user trust and are intended for the most sensitive of use cases. While the ETSI standard on TETRA does facilitate integration of some E2EE solution, the solutions themselves are vendor-proprietary, and proved quite hard to obtain. The opaque nature of this solution and TETRA's history of offering significantly less security than advertised (including backdoored ciphers) is worrying enough, but given our previous TETRA:BURST research, E2EE is frequently mentioned as a potential mitigation. In order to shed light on its suitability, we decided to undertake the effort of reverse-engineering a TETRA E2EE solution. 
We'll discuss how we investigated the E2EE landscape, and how we (after being scammed on a Motorola device) managed to extract an implementation from a popular Sepura radio. We'll then discuss the E2EE design (that we have published on GitHub) along with a security analysis, identifying several severe shortcomings ranging from the ability to inject voice traffic into E2EE channels and replay SDS (short text) messages to an intentionally weakened E2EE variant, which reduces its 128-bit key to only 56 bits. In addition, we will discuss new findings related to multi-algorithm networks and official patches, relevant for asset owners mitigating the TETRA:BURST vulnerabilities previously uncovered by us. Finally, we will demonstrate the E2EE voice injection attack as well as the previously theoretical TETRA packet injection attack on SCADA networks. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/WSM3XV/
Komm in die Gruppe: Gaytor (c3voc)
Join the group, be part of it, become a real maker. about this event: https://c3voc.de
Hacking the Aeotec Smart Hub: The little hub that could (WHY2025)
Pwn2Own Ireland added a new target in the smarthome category: the Aeotec Smart Hub. We assumed this target would be an easy win. However, getting the firmware of this device turned out to be a lot harder than anticipated. First, we had to modify the board to dump the encrypted flash. Then, we abused a secure boot flaw to get the decryption key. This process took so long, we had no time left to look for vulnerabilities, but our approach may be interesting for others looking at similar targets. Usually extracting the firmware of an IoT device is easy. The firmware is often not encrypted on flash and debug interfaces such as UART are often exposed and left open. This was our assumption when we started investigating the Aeotec. However, we turned out to be very wrong in our assumptions. The Aeotec firmware is actually encrypted on flash, with a key that is stored in OTP. Furthermore, all debug interfaces such as UART were closed down. This meant we needed to go to great lengths, first doing in-circuit dumping of the flash, then breaking the encryption configuration in order to get code execution on the APCPU. Our goal was to do vulnerability research, but we ran out of time for that. By sharing our process, we hope to help others who are interested in this or other devices with a similar configuration. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/DJKYA7/
Guerrilla Security Awareness Done Right; Hacking Your CISO's Phishing Simulation (WHY2025)
Ever received a phishing simulation so painfully obvious it offended your intelligence? This talk is for you. Join us as we turn the tables on corporate security theater and show how you can phish back, with humor, skill, and plausible deniability. Learn how to fingerprint your company’s phishing campaigns, spoof the spoofers, and maybe even get your CISO to click a link labeled “Definitely Not Malware.exe.” This talk is part satire, part technical walkthrough, and all rebellion. Corporate phishing simulations are broken. You know it, I know it. And yet, every quarter, some overfunded awareness campaign lands in your inbox with all the subtlety of a Nigerian prince. The goal? To test whether you're “cyber aware.” The result? A war of attrition between InfoSec and the click-happy masses. But what if we made visible what these simulations actually prove? In this talk, we explore how to recognize and hack your organization's phishing simulations. Without getting fired (probably, no guarantees). From fingerprinting CISO-run campaigns using SPF records, consistent sender patterns and timing, to launching your own “counter-phishing” emails that prove how absurd the entire exercise is. We’ll walk through real-world tactics for flipping the script: phishing the phishers, automating chaos, and pushing back against checkbox security culture. All with a healthy dose of satire, social engineering, and plausible deniability. If you’ve ever wanted to troll your security team for a good cause, this one’s for you. Just don’t click the link in the description. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/QX3G3G/
Komm in die Gruppe: Director's Cut (c3voc)
Join the group, be part of it, become a real maker. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://c3voc.de
How (not) to configure your domainname [internet.nl] (WHY2025)
The most common configurations seen in scanning domain names with [Internet.nl](https://internet.nl), e.g. those found in [biannual governmental measurements](https://www.forumstandaardisatie.nl/metingen/informatieveiligheidstandaarden). This talk will explain how to configure modern security standards on your domain name with the help of [the open source](https://github.com/internetstandards/Internet.nl/) [Internet.nl](https://internet.nl). It will show common misconfigurations in DNS and security headers, teach you why you should probably want to avoid `www CNAME @` and why you want to enable IPv6, and share other observations from the [biannual measurements](https://www.forumstandaardisatie.nl/metingen/informatieveiligheidstandaarden) of scanning more than 10,000 governmental host names in The Netherlands. After this talk you'll know at least one DNS or security header improvement for your own or your organization's domain. This presentation will touch on:
- why enable DNSSEC ([RFC 4033](https://datatracker.ietf.org/doc/html/rfc4033) and many more), and some common failures (e.g. CNAMEs)
- why enable IPv6 (not talking about 'IPv4-mapped IPv6 addresses' here), and the issues if you're still not supporting IPv6 (almost 30 years after [RFC 1883](https://datatracker.ietf.org/doc/html/rfc1883))
- why not CNAME to your apex domain (if you have an MX record)
- why use Null MX ([RFC 7505](https://datatracker.ietf.org/doc/html/rfc7505))
- why configure SPF ([RFC 7208](https://datatracker.ietf.org/doc/html/rfc7208)) on all hostnames
- why there are more reasons to avoid CNAMEs
- why enable DANE ([RFC 6698](https://datatracker.ietf.org/doc/html/rfc6698)) and TLSRPT ([RFC 8460](https://datatracker.ietf.org/doc/html/rfc8460)), why DANE is superior to MTA-STS ([RFC 8461](https://datatracker.ietf.org/doc/html/rfc8461)), and how to rotate DANE
- why monitoring matters
- why first do an `https://` redirect before a domain redirect
- why a strict Content-Security-Policy ([CSP v3](https://www.w3.org/TR/CSP3/)) will save you
- why configure `ssl_reject_handshake` (nginx only)
- why have an accessible security.txt (with a special allow rule if you have basic auth!) that contains at least one email address
- why start cookie names with `__Host-` or `__Secure-` ([MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#cookie-namecookie-value))
Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/XVET7C/
Komm in die Gruppe: Backstagepass (c3voc)
Join the group, be part of it, become a real maker. about this event: https://c3voc.de
The Menopause Gap: How Silence and Stigma Are Putting Women at Risk (WHY2025)
By 2025, an estimated 1.1 billion women globally will enter menopause, a natural, but misunderstood phase of life. This talk will address the stigma, myths, and misinformation surrounding menopause, focusing on the mental, physical, social, and economic challenges women face. It will also explore the struggles of LGBTQ+ individuals, often overlooked in discussions. The goal is to close the knowledge gap, empower women to advocate for their health, and foster a culture of support and inclusivity. Disclaimer: For the sake of simplicity, throughout this talk the term ‘women’ will be used when referring to individuals suffering the effects of menopause, however this information is relevant for all individuals born with female reproductive organs. Menopause remains shrouded in stigma, silence, and common misinformation, leaving many women unsupported and uninformed. Myths and a lack of understanding about menopause contribute to confusion, fear, and inadequate care. It will go beyond the well-known symptoms to uncover the diverse range of life changing symptoms women face during menopause. By openly discussing menopause and moving beyond the idea of 'fixing' women the focus can instead be on building a culture that recognizes and respects the diverse challenges for all women at every stage of life. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/9C7CHJ/
Postmortem: XS4ALL (WHY2025)
An insight into and analysis of the events leading up to and during the fight to preserve XS4ALL in 2019, as well as an exploration of the underlying issues that ultimately led to its demise. In 2019 it was announced that XS4ALL as a brand and company would be integrated into KPN. What followed was a stormy year of customers rising up, employees resisting and frequent media coverage, culminating in a court case which ultimately failed to preserve XS4ALL as an independent entity. How did the once happy union of XS4ALL and KPN turn sour, what events led to the decision to integrate XS4ALL, and what did the fight to preserve XS4ALL look like from the inside? This talk will explore these topics from the perspective of history, the relationship of XS4ALL and KPN, and the wider system into which they were embedded. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/GRPAX8/
Decoding RFID: A comprehensive overview of security, attacks, and the latest innovations (WHY2025)
RFID reverse engineering has seen significant advancements, yet a comprehensive overview of the field remains scattered across research and practitioner communities. Here the authors present a structured survey of existing RFID technologies, encryption protocols, and known attack methodologies. Take the opportunity to listen to both Kirils' practical experiences and the deep insights of Iceman when it comes to RFID hacking. The talk will cover: 1) An overview of RFID types, including both low-frequency (LF) and high-frequency (HF) cards, briefly touching upon ultra-high-frequency (UHF) systems as well. 2) A breakdown of encryption protocols used in RFID security, highlighting their strengths and weaknesses. 3) A review of documented attacks, including cloning, sniffing, relay, cryptographic, and side-channel techniques. Additionally, an analysis of the latest developments in magic RFID cards will be presented. Findings are based on an aggregation of academic research, industry reports, and hands-on testing of RFID systems in real-world environments. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/MWLGZB/
Solar Sailing Serendiep (WHY2025)
Serendiep is a 42m inland cargo barge with a theatre, a fablab and an art/science labyrinth on board. It's being converted to electric propulsion using second hand EV parts and hardware from openinverter. The ultimate goal is to harvest all the energy needed from solar panels mounted on the hatches covering the cargo hold. Sailing is among the most efficient modes of cargo transport. Yet in the much needed transition away from fossil it seems to be falling behind other sectors. We set ourselves the challenge to be sailing electrically, to harvest the energy needed on the ship itself, and to do all this with open tech and second hand parts, taking advantage of an upcoming category of e-waste and achieving a minimal budget as a result. In this talk we'll present a rundown of all the hurdles on the way, how they were overcome or which consequences they have for thoroughly low impact transport. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/JALJPD/
Crypto(graphy) 101 (WHY2025)
Everybody talks about cryptography, but only a few understand what it means. This interactive session will explain the very basics of cryptography and will leave the attendees with more confidence about why to use cryptography. Many talks mention cryptography somewhere along the presentation and everybody just nods. But how many people actually know the insights of cryptography? Why some things work and some things don't? During this talk I will explain the difference between encoding and encryption, the most common uses of cryptography, the difference between synchronous and asynchronous encryption, and hashes. I will include some history and some future developments like quantum, and why we call cryptocoin cryptocoin. At a slow pace, scratching the surface for the uninitiated, but the scratches will go deep enough for the more initiated to get some more background. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/7P3ZYV/
Digital sovereignty with open source software in the public sector (WHY2025)
ZenDiS, the Zentrum Digitale Souveränität in Germany, is at the forefront of loosening the grip the US tech industry (and, via the CLOUD Act, the US government) has over the European governments by providing open source solutions for the public sector. Do we do it alone? No! The French and the Dutch governments are also on board and we welcome more countries into our fold! An overview of ZenDiS' projects such as openDesk and the 100 day challenges together with our open source accomplices DINUM of France and the Ministerie van Binnenlandse Zaken en Koninkrijksrelaties of the Netherlands. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/EHZBQB/
Passive and active RADAR using Software Defined Radio (WHY2025)
RAdio-frequency Detection And Ranging (RADAR) aims at using electromagnetic signals for detecting target location and motion. We demonstrate in this talk various RADAR architectures using dual-channel coherent Software Defined Radio (SDR) receivers and the associated signal processing techniques relying heavily on cross-correlations. Embedded systems are tackled, with a Raspberry Pi providing enough computational power for recording and post-processing. Being constantly illuminated with electromagnetic smog, we can benefit from existing radiofrequency emitters meeting RADAR requirements -- strong power and wide bandwidth -- for passive RADAR measurements where no active emitter is needed, using only coherent passive dual-channel Software Defined Radio (SDR) receivers for passive recording of existing signals. If existing signals are unsuitable, we can use the same principle with non-cooperative emitters such as a Wi-Fi dongle in an active RADAR setup. All processing flowcharts are implemented using GNU Radio for real time acquisition, and GNU/Octave or Python for post-processing: generic principles will be demonstrated, applicable to all sorts of receiver hardware. We will conclude with Synthetic Aperture RADAR (SAR) where antenna motion is used to simulate wide aperture receiving antennas, adding azimuth resolution to range resolution. Supporting documents are found at https://github.com/jmfriedt/SDR-GB-SAR, https://github.com/jmfriedt/passive_radar or https://github.com/jmfriedt/sentinel1_pbr
Addendum following feedback on the presentation:
1/ I should have made it clear that the first part of the presentation (pulse, FMCW, FSCW) involved emitting a signal, which is often not legal, while the subsequent part involves PASSIVE radar using existing emitters, and hence becomes legal.
2/ the core parameter determining maximum target range is NOT emitted power but isolation between emitter and receiver (especially on a monostatic setup). Increasing TX power, if it saturates the RX and hence forces reducing the RX gain, does not help: this is especially true in the VNA implementation when selecting between an S11 measurement (limited by the circulator isolation) and S21 (limited by emitting/receiving antenna coupling).
3/ the rail system presented in the SAR part of the discussion uses a WiFi dongle broadcasting random signals as the illuminating signal, halfway between passive (a WiFi signal can be many other things than for RADAR measurements) and active (we are controlling the WiFi emission).
Thank you for attending or looking at this followup. Reach me (email on the front slide) for more information or corrections. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/YMLNME/
Escaping a misleading "sandbox": breaking the WebAssembly-JavaScript barrier (WHY2025)
When embedded into JavaScript, WebAssembly modules can be "sandboxed" by defining a limited set of _imports_. It turns out that an obscure "feature" allows us to craft an exploit which bypasses this barrier, enabling us to run arbitrary JavaScript code (pop an alert) from within a malicious WASM module. All within spec... by accident? (Also released as a write-up in Phrack #72) When talking about WebAssembly, the word "sandbox" comes up often: modules are isolated from each other, and from the host runtime. Hence, it is perfectly safe to run untrusted WASM modules (e.g. plugins) in a web-app: the module's interfaces can be limited, making it such that any malicious code has no way of escaping. ... is what I thought. In this talk I will show how a sneaky specification detail allows us to program a JavaScript version of a _weird machine_, to eventually escape from WebAssembly into running arbitrary JavaScript code. This trick is fully in-spec and requires no actual browser exploitation (we don't break _that_ sandbox). Hence, this talk should be accessible for anyone with a basic JavaScript understanding. No WebAssembly experience is required: I will cover everything required to understand the exploit. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/NK7YTF/
Digital sovereignty and the FOSS-stack at school. (WHY2025)
The need for digital sovereignty has always been great, but now there is an autocrat in the White House that is fighting everything he deems “Woke”. This renders USA Big Tech that is run by billionaires that have sworn loyalty to this new King unsuitable for use in education. Schools are yearning for a more fair digital environment, but most schools don’t have the funding, knowledge or capacity to create a public-values-by-design school IT environment with all the fantastic free and open source software that is out there. That is why we started the coalition for fair digital education, so we can bring together the knowledge of free and open source with the needs of the educational sector. In this presentation we'll present the WHY for the FOSS stack for schools, our plan for how to get there, and the progress we have made so far on our pilot schools. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/XZBREW/
USB: the most successful interface that also brings power (WHY2025)
We use it every day, but how does it really work? USB has been around for almost 30 years and it evolved into a really universal interface that even extended from the world of computers into the world of extra low voltage electric distribution. In this talk, I will present the basic ideas of the interface with a focus on the physical layer. We will cover:
- how the world of computer peripherals looked before USB
- how USB evolved
- how USB became the universal interface for delivering extra low voltage
- how the Type-C connector changed everything
Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/8MWKCY/
Autarkie - Instant grammar fuzzing using Rust macros (WHY2025)
Fuzzing is one of the most effective ways to find elusive software vulnerabilities. Despite years of research, general purpose fuzzers such as AFL++ and libFuzzer struggle to mutate complex data structures effectively, preventing them from exploring deep functionality. Grammar fuzzing, an alternative fuzzing strategy, is much more effective but complex to set up and run. Autarkie abstracts away all complexity and surpasses all other grammar fuzzers in performance while offering novel features. Gone are the days of finding bugs in the parser or on the surface of applications. The bugs now lie in the core application logic, well beyond the parser. Fuzzing complex targets such as interpreters, databases or network protocols has always been difficult due to their strict input structures. Autarkie was born out of the need to fuzz complex and evolving data structures with the convenience of fuzzers such as AFL++. Autarkie leverages a simple insight: the target needs to parse the input, so it must define the structure internally. Macros can be used to gain insight into the structure and build a grammar fuzzer. Autarkie does not just outperform all other grammar fuzzers, but also offers novel features such as removing grammar derivation and maintenance, the ability to learn from other fuzzers, constraint solving and resumable fuzzing campaigns. Join me for this talk where I go through Autarkie's internals, features, and its development journey. I will also talk about my journey hunting for bugs with Autarkie and hopefully convince you to use it on yours. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/BNTTXU/
Normsetting revisited (WHY2025)
I want to talk about how we are setting the standards for our digital world and society. Now that our whole world and everything in it seems to have become a business case for for-profit digitalisation, we are purposefully driven to use off-the-shelf, inflexible, data-absorbing and exploitative products marketed to us by big companies. Can standards help change that? And how do we do that? Here at WHY we are all curious about everything technical and, on average, also pretty adept at working with digital nails and hammers. But even so, these big companies drive out many grassroots alternatives, making it harder and harder to set your own course. And not just that. It is not everybody’s forte to ‘do digitalisation’. If not, you still deserve a decent quality product. Maybe you should not be tricked into handing over all your data to marketing companies, including pretty private information. And with promises of big profits come the investors, the people that don’t care about the product but instead focus on profit margins and return on investment - with varying levels of appreciation of trivialities like workers' rights or environmental protection. (/s) Europe, and the Netherlands, has something to protect though, like the right not to be surveilled by big tech and employers, to have a high quality education system and medical devices that are catered to finding ailments rather than to selling medical interventions, for instance. It also has a responsibility to ensure people outside of Europe are not abused and exploited for the products we use to enlighten our lives, and to avoid further climate catastrophe because we all want to make our own individually generated film of Will Smith slurping spaghetti. In the past decade(s), the EU has worked with the New Legislative Framework, the idea that standards organisations develop the ‘how to comply’ options that industry can use to make a product that is presumed to be in accordance with the European rules.
This takes time, and in AI we see the backlash of trying to do this for an area where there really isn’t a ‘state of the art’ yet. Much of it is still just experiments, and rules need to be in place before evaluation of experiments has even started. And hardly anyone is daring enough to address the question of sustainability with regards to the enormous demands of generative AI models, and the words copyright and creator are nowhere to be found. I actually have few answers at all; I wish I knew. I do however have a desire to ask: why are we not talking about this? Why are we not demanding the return on investment results of extremely demanding and expensive tools for our society? And why are we avoiding reminding the very few enormous companies (and their owners) making all the money that they need to pay for the costs of the resources they are ruthlessly seizing from our public domain? Why do we leave this depletion to individuals to solve - to the individual creator to go to court, to the tiny village where the water is being depleted; where is the support of those we need to help to stand up to this exhaustion? **Can we please ask ourselves where ALL THIS will be addressed *before* it is too late?** Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/TFRMSB/
EntrySign: create your own x86 microcode for fun and profit (WHY2025)
We present EntrySign, a cryptographic flaw in AMD’s microcode patch verification logic, including how we discovered the bug and how you can extend our results. EntrySign lets us execute arbitrary microcode on all AMD CPUs from Zen to Zen 5 and modify the behavior of x86 instructions. We will delve into the format of AMD microcode, how their patches are verified, how we were able to reverse engineer this process, and how we were able to access the key information required to defeat it. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/9WTQU3/
Quantum computers: the ultimate hacking machines (WHY2025)
This is a first introduction to quantum computers: no prior background needed. We will discuss how quantum mechanics, a theory of microscopic particles, contains counter-intuitive effects like superposition and entanglement. Schrödinger’s cat is an iconic example, where the poor animal is both dead and alive at the same time. Interestingly, the same laws of nature make it possible to build an extended set of algorithms, with speedups beyond what we can achieve ‘classically’. I’ll show how we can program today’s quantum computers and show a short live demonstration of the Python package Qiskit. We will learn how to write code that creates something equivalent to Schrödinger’s cat. Then, we will look at one of the most impactful applications. Quantum computers turn out to be incredible hacking machines, making it straightforward to crack widely-used encryption schemes such as RSA and Elliptic Curve Cryptography. We will discuss how long it will take until we have sufficiently large devices, and what alternative cryptography we can fall back to. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/CDGWTU/
I donated a kidney (and maybe you can too) (WHY2025)
*WHY* did I donate a kidney? *H*ow did I donate a kidney? *Y*ou might want to donate a kidney! Donating a kidney is quite a thing. But it also isn't. But mostly, it is. I will talk about all the aspects (personal, technical, logistical, ethical) of the process. Lots of related but entirely different things. How does it affect me? How long did it take? What does everything look like? What do the numbers mean? What does it feel like? Can you do the same? Should you do the same? Who shouldn't do it? WHY? Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/WJQNXZ/
Lockpicking in CTFs (WHY2025)
The WHY2025 Capture the Flag competition (CTF) has multiple lockpicking challenges as part of the CTF. Successfully picking these locks gives you one of the flags. To be able to create a solid CTF challenge out of an ordinary lock we had to come up with some kind of solution. We used our past experiences in CTFs as inspiration to see how we could do it better. This talk shows the concepts we came up with and which are currently used in the WHY2025 CTF. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/8VGLJQ/
How to bluff your way into Zero Trust (WHY2025)
Zero Trust (ZT) is a security paradigm gaining traction and popularity, especially in the US defense community. The underlying idea is to reduce implicit trust as much as possible. This makes great sense from a security perspective. Its implementation is daunting though, because it is not about dropping a new product into the security landscape. Instead, it is more an approach and a process. It is still hard to prioritize ZT and to retrofit it to existing system architectures. In the talk I will show how ZT is the progression of many security ideas that you may already be familiar with, and how you can rebrand and review what you are already doing to show that you are making progress. Outline: As a contributor to the Cloud Security Alliance's Zero Trust cert (CCZT), and an experienced instructor, I intend to borrow from the (public) body of knowledge and my experiences in teaching that. This will give the audience a good insight into Zero Trust content and trends. This will include:
- the core idea (never trust, always verify)
- the major use cases
- business value of ZT
- steps in implementing
- publicly available maturity models
- example implementations and status thereof (e.g. US Air Force)
- link to earlier principles
- retrofitting ZT on an existing application
- experiences
Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/BVSMJZ/
Who Gave the Toaster Root Access to the Physical World? (WHY2025)
Smart devices are deeply embedded in the physical world: they can see, hear, and control things around us, often with zero real limits. When they’re hacked, it’s not just your data on the line; it’s your safety, privacy, and environment. In this talk, I’ll share some new ideas for putting a layer of access control between these devices and the real world, so we stop giving them a blank check. These days, “smart” devices aren’t just watching and listening: they can act on the physical world, often with zero meaningful limits. They unlock doors, adjust thermostats, steer vacuums, and record what’s going on around us 24/7. When these devices get compromised, and many do, it’s not just boring data on the line. It’s your safety, privacy, and physical space. The problem? We’ve handed out root access to the physical world like candy. Any device can sense or actuate whenever it wants. There's no layered control, no boundaries between software and the real world. If malware gets in, it gets full access to your home, office, or anything else the device is wired into. In this talk, I’ll show how we can fix that by treating _sensing and actuation as privileges_, not defaults. Instead of giving every device free rein over what it can hear or control, we can build mechanisms that require software to explicitly request, and be granted, access to the physical world. That access can be temporary, conditional, or denied altogether. We'll look at how to physically separate sensors and actuators from the software stack so that even if a device is compromised, it can’t automatically reach into your environment. We'll also explore approaches that enforce forgetfulness: ensuring that standby devices like smart speakers can’t quietly hoard data or leak it when compromised. If nothing relevant to the device's task happened, nothing should be remembered.
The goal is simple: to take back control from black-box devices and start designing systems where physical-world access isn’t assumed, it’s earned. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/AUF93C/
Prins S. en De Geit - Dutch Electro-Pop Mischief (WHY2025)
Prins S. en De Geit is one of the most exciting acts in the Dutch music scene today. This trio from The Hague — fronted by Scott Beekhuizen, with Marne Miesen on bass and Daniel Ortgiess producing — creates infectious electro-punk-pop with sharp lyrics and unrestrained energy. Their bold sound and theatrical performances have electrified festivals like Lowlands, Rock Werchter, Pinkpop, and Appelpop. Their WHY2025 show promises to be equally wild and unpredictable. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/S8WQTC/
📧 Your own Mailserver - 2025 Edition (WHY2025)
So, it is 2025 and mailservers are increasingly being replaced by cloud-based solutions, which promise to be easy and secure... But what if you can just do it yourself? Host your private mail server and apply common modern mailserver security practices on your own? This talk introduces a few common software solutions and multiple techniques from an operator's toolbox. It covers the typical pitfalls you encounter when you try to host your own mailserver: often, those issues are only noticed when users are unable to send emails successfully, so let's learn about them beforehand. We start with the basics of secure mail transmission using (START)SSL on top of SMTP and advance into DKIM and SPF for authenticated mailserver origins. Then we mention a few nice-to-have tools for delivery monitoring like DMARC and Postmark, and take care with DNS configuration and easily overlooked RFC restrictions. Furthermore, we take a look at TLSA for SMTP, BIMI, and complex setups with satellite delivery systems. Finally, we discuss user-based security with locked-down IMAP, PGP signatures and encryption, and enforcing secure connections. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/HXDAMY/
