Chaos Computer Club - recent events feed

2,041 episodes — Page 27 of 41

Reverse Engineering Life: A teardown of the DNA source code of a whole bacterium (WHY2025)

Love reverse engineering? You'd be right since you always find something interesting! In this talk we're going to study absolutely every byte of the DNA source of a real bacterium. And in doing so, we'll find bootstrapping code, genes, duplicate genes, anti-viral defense mechanisms, idiomatic/non-idiomatic/borrowed code & much more. It helps if you've also visited the companion talk on DNA, but this presentation is broadly accessible even without prior knowledge. A typical bacterium has around one megabyte of DNA as its source code. And with our digital reverse engineering hat on, it turns out we can analyse this code and quickly learn things. Where do genes begin and end? What is the stuff between genes? How do bacteria bootstrap themselves? And, where do microbes store their immune system? Using digital skills, all this can be found just by looking at the DNA letters. And that is what we'll be doing in this talk. Licensed to the public under https://creativecommons.org/licenses/by/4.0/. About this event: https://program.why2025.org/why2025/talk/LUXFSP/

Aug 10, 2025 · 52 min

GNU Taler: beyond digital money (WHY2025)

Digital money everywhere, all the time, all at once... isn't it getting a little boring? In this talk you will learn how [GNU Taler](https://taler.net/), a privacy-focused payment system, leverages the properties of digital tokens and blind signatures to enable a wide array of use cases such as discount coupons, subscriptions, and tax-deductible donation receipts; all while preserving untraceability in customer-to-merchant transactions. Licensed to the public under https://creativecommons.org/licenses/by/4.0/. About this event: https://program.why2025.org/why2025/talk/PHGSJC/

Aug 10, 2025 · 40 min

Pentesting Passkeys (WHY2025)

Passkeys are a new way to log in without passwords. They solve a lot of the traditional security risks associated with passwords. But passkeys are only secure if implemented well. When implemented incorrectly, they lead to new attack vectors that hackers can exploit. In this talk, we will first study the protocol behind passkeys, called WebAuthn. We will then look at some common implementation mistakes, and how we can exploit them. Next, we will present a methodology to carry out pentests on WebAuthn implementations, and finally we discuss some vulnerabilities that we detected (and disclosed!) in various web applications. This talk is based on joint research with Peizhou Chen (University of Twente). Licensed to the public under https://creativecommons.org/licenses/by/4.0/. About this event: https://program.why2025.org/why2025/talk/WD99DB/

Aug 10, 2025 · 34 min

Packets Over Any Wire: Alternative Networking Mediums for Hackers (WHY2025)

Why limit yourself to Ethernet and Wi-Fi when every wire in your house can carry packets? This talk explores alternative physical networking technologies that exist but are often overlooked. From Powerline Networking (HomePlug AV/AV2) to MoCA over coaxial cables, we’ll dive into how these systems work, their encryption and security models, known exploits, and the inherent risks of non-switched cable mediums. Beyond the theoretical, we’ll examine real-world applications, including whole-home audio and video distribution, network segmentation strategies, and the unexpected advantages of leveraging existing infrastructure. You’ll see how HDMI matrices, IP-based video distribution, and networked audio solutions like SONOS Net can integrate seamlessly over alternative backbones. We’ll cover segmentation techniques to isolate security cameras, IoT devices, and AV distribution, ensuring efficiency and security. Expect deep technical insights, practical lessons from years of experimentation, and a fresh perspective on what’s possible when you stop thinking of cables as just power or TV lines—and start treating them as network highways. Whether you're looking to expand connectivity in a complex environment or just want to push the limits of home networking, this talk will leave you with new tools, techniques, and ideas to explore. Licensed to the public under https://creativecommons.org/licenses/by/4.0/. About this event: https://program.why2025.org/why2025/talk/DJ7NXK/

Aug 10, 2025 · 52 min

Low Energy to High Energy: Hacking nearby EV-chargers over Bluetooth (WHY2025)

During the first Pwn2Own Automotive, organised by ZDI in Tokyo in January 2024, Computest Sector 7 successfully demonstrated exploits for vulnerabilities in three different EV-chargers. All three could be exploited to execute arbitrary code on the charger, with the only prerequisite being to be close enough to connect over Bluetooth. As electric vehicles become increasingly integrated into our transportation infrastructure, the security of their charging systems is becoming paramount. A threat actor hacking EV chargers at scale could have a real-life impact on the continuity of our power grid and the transportation sector. Therefore, it is important that manufacturers and operators are well aware of their role in protecting our power grid. During this talk we'll discuss the details of how we extracted the firmware, the vulnerabilities we found and the story of one drunk night of hacking till 07:00 AM in Tokyo that resulted in some vulnerabilities with much higher impact than were needed for the competition... Licensed to the public under https://creativecommons.org/licenses/by/4.0/. About this event: https://program.why2025.org/why2025/talk/AGVUVM/

Aug 10, 2025 · 44 min

Repair for Future (WHY2025)

A brief retrospective over the past 16 years of organized voluntary repair initiatives and a look at the breakthroughs for the right to repair movement. When Martine Postma organized her first Repair-Café in Amsterdam, would she have imagined the kind of traction that her initiative would gain worldwide? With rampant enshittification of services, but also of products ("planned obsolescence"), comes resistance from consumers and politics. I'll show a few blatant examples and outline the recent progress in EU legislation. Licensed to the public under https://creativecommons.org/licenses/by/4.0/. About this event: https://program.why2025.org/why2025/talk/BDQESV/

Aug 10, 2025 · 50 min

A Guided Tour to UNIX Shells (WHY2025)

Any even remotely advanced task on unixoid systems will inevitably lead to an encounter with one of the system's oldest components: the shell. An ancient artefact that is in equal parts feared, mystified, or possibly even glorified. In an effort to demystify the origins, development, and current role of shells, this talk tells a tale deeply rooted in the earliest days of UNIX development. In the process, several (historic as well as current) shells will be introduced along with their notable features and impact on contemporary systems. To finish off, the talk discusses the legacy of historic shells and their influence on modern operating systems with or without UNIX heritage. While technical in parts, this is first and foremost a historical presentation with a bit of an outlook. Less tech-savvy audience members should thus still be able to enjoy it. In fact, newcomers to the shell may find some useful hints. **Keywords:** *computing history; unix; multics; posix; linux*. Licensed to the public under https://creativecommons.org/licenses/by/4.0/. About this event: https://program.why2025.org/why2025/talk/CB7A9V/

Aug 10, 2025 · 42 min

How we made the Netherlands more secure and accessible using transparency (WHY2025)

It started with a simple idea in 2016: make the state of security of our government transparent/public. The simple idea has become national government policy. Using transparency we've helped fix tons of security issues, reduce costs and increase control over IT. This year we've rolled out in Belgium and started measuring accessibility of websites in the same fashion. Learn how we've achieved extreme impact with a minimal budget and keep on doing so. Security and accessibility must be commodities. (We're planning a couple of nice surprises during this talk exclusive for WHY2025. As always: it will make some people nervous, yet it will make society better.) A transparent and accountable society creates trust. We're currently monitoring all important organizations in the Netherlands on about 25 security, privacy and sovereignty metrics. You can see openly where organizations are doing great or where they are even (unknowingly) breaking the law. With the EU requiring accessibility in multiple sectors this year, we've also started measuring accessibility in the same fashion. You can clearly distinguish organizations with and without an accessibility policy. We'll show what it looks like, the impact it has, the awesome cyber tokens and certificates we make and the sets of open data we create. The project is at its peak right now. If you want to make an impact on society: this is where it's at. Licensed to the public under https://creativecommons.org/licenses/by/4.0/. About this event: https://program.why2025.org/why2025/talk/3ZMKFQ/

Aug 10, 2025 · 48 min

Why Proprietary Tooling Hurts Your FOSS Project (WHY2025)

You’ve released your code under a free license, but your project runs on proprietary platforms like Slack, GitHub, Notion, or Zoom. What’s the harm? In this talk, we’ll explore how relying on closed tools contradicts open source values, excludes contributors, locks your community into corporate ecosystems, and drives away idealistic contributors who care deeply about freedom. We’ll also tackle common justifications, like convenience or popularity, and show how they often mask deeper trade-offs. My goal with this talk is to spark reflection and conversation about the tools we use to build open source projects, not just the code we write. I hope it encourages both new and experienced maintainers to think critically about how proprietary tools may be limiting their communities and values, even unintentionally. The audience will leave with a better understanding of the trade-offs involved, practical alternatives they can explore, and the motivation to make small changes that lead to more open, inclusive, and resilient projects. If more projects switch to even one open alternative, it strengthens the entire open source ecosystem by reducing dependency on tech giants and supporting community-owned infrastructure. Whether you're starting a new project or maintaining a mature one, this talk will challenge you to think critically about the tools you use and advocate for open, community-controlled alternatives that align with the spirit of FOSS. Licensed to the public under https://creativecommons.org/licenses/by/4.0/. About this event: https://program.why2025.org/why2025/talk/WPGMJU/

Aug 10, 2025 · 22 min

The state of IPv6 (WHY2025)

IPv6 has been talked about a lot for a very long time. It never really caught on... or did it? Where are we right now? Where are we heading and what can you do about it? What is the matter with IPv6? How did we go from something that was supposed to be the future of the internet to where we are today? Is it still like that? What plans are currently unfolding? Licensed to the public under https://creativecommons.org/licenses/by/4.0/. About this event: https://program.why2025.org/why2025/talk/VBR7DQ/

Aug 10, 2025 · 44 min

How to make a Domain-Specific Language for non-devs (so they don't need AI) (WHY2025)

A Domain-Specific Language is a computer language that’s made for and suitable for a specific domain — *dûh*. But what happens when that domain is inhabited and operated by people that are – **gasp**! – not developers?! This is when a DSL has the opportunity to shine, and even outshine generic AI. The field of Domain-Specific Languages has been going through a quasi-perpetual, reincarnating Gartner hype cycle for decades. Nevertheless, there are many DSLs out there, with many aimed squarely at software devs, and some at non-devs. In this talk, I’ll explain what a DSL is and is made up of, and why you’d want to make one – especially for non-devs! –, why and how to do that using something called “projectional editing”, why and how DSLs are better than AI, and why DSLs should be a standard tool in our dev-toolbox. Licensed to the public under https://creativecommons.org/licenses/by/4.0/. About this event: https://program.why2025.org/why2025/talk/LXNXVK/

Aug 10, 2025 · 51 min

Embrace Chaos! How Game Randomizers Work (WHY2025)

Game randomizers can breathe fresh air into your favorite video games by changing where things are, what enemies you fight, or even what the win conditions are. But how do they work? Let's embrace chaos and learn about them! In this talk, I'll share my experience building a randomizer for the Game Boy Advance version of Final Fantasy 1. I'll tell you about the stumbling blocks I hit, and how I solved them. I'll also share the lessons I learned building my project, and how I'd do it better next time. Licensed to the public under https://creativecommons.org/licenses/by/4.0/. About this event: https://program.why2025.org/why2025/talk/YXDFYP/

Aug 10, 2025 · 26 min

Knock knock who's there 2.0, the subtle art of (physical) port knocking (WHY2025)

Building entrance systems for prisons, hospitals and TV studios should be secure. But is this really the case? After "Knock knock who's there 1.0" at MCH2022, we will again look at some high-tech lockpicking, this time at more sensitive locations. The responsible disclosure is a tale of its own! And why exactly is a 3-letter agency in the US interested in the disclosure? Feeling safe at home and at work is one of the most basic requirements for living. Part of being, and feeling, safe is the physical access system of the building. Since the last talk at MCH2022 more building entrance systems have been researched. The findings will be presented in this talk. And these findings have led to multiple CVEs and the discovery of single DES encryption and MIFARE Classic access card systems. One manufacturer who makes building entrance systems used at very sensitive sites such as TV studios and airports managed to leak the private key of a CA they use to manage the building access. In another case we were able to generate license key files under the name of a very well known person. In all cases we will look at the vulnerability disclosure and how to make sure you do not end up in prison (although with these locks....) Licensed to the public under https://creativecommons.org/licenses/by/4.0/. About this event: https://program.why2025.org/why2025/talk/VZDSF3/

Aug 10, 2025 · 26 min

The Flipper Blackhat (WHY2025)

I developed a 100% open-source (quad-core A7, 512MB RAM) Linux-enabled Flipper module for WiFi pentesting and ethical hacking! This talk covers how and why I developed the Flipper Blackhat: starting at the hardware level through the bootloader, kernel and up to user space. On the hardware side, I'll detail the power supplies, the DDR3 routing, radios, and the A33 processor itself. I'll show the build system, device trees, Python scripts and the pentesting suite I ship with it. I'll provide an overview of the exploits I've written for it and how to control them from the Flipper app. I will also do a live demo of the device in honeypot mode, RAT driving, AP scanning, embedded exploit etc... Licensed to the public under https://creativecommons.org/licenses/by/4.0/. About this event: https://program.why2025.org/why2025/talk/TQTUTQ/

Aug 10, 2025 · 29 min

Dries Depoorter (WHY2025)

Belgian creative technologist and artist Dries Depoorter, based in Ghent, creates thought-provoking work about technology, surveillance, AI and social media in a playful way that makes people laugh while delivering serious messages in an accessible way. His projects explore digital culture that can inspire marketers: privacy challenges, artificial intelligence applications, surveillance and authentic social media projects. With his unique background in electronics and digital innovation, Dries has become a voice for forward-thinking brands and marketing professionals looking to navigate today's complex digital landscape. His artistic approach can directly inspire brands to think differently and develop original marketing concepts that stand out. Through his work, Dries demonstrates how combining creativity with technological insight creates viral moments. His award-winning "Die With Me" app, accessible only when a user's phone battery drops below 5%, demonstrates how scarcity and unique user experiences can create powerful engagement. On Black Friday, he doubles the price of his app instead of offering discounts, showing brands how breaking marketing rules can create attention. In his viral project "The Follower," Dries leverages open cameras and AI to reveal the reality behind curated Instagram moments—offering marketers an unfiltered look at consumer behavior and content creation. Meanwhile, "The Flemish Scrollers" uses AI to automatically identify politicians using smartphones during parliamentary sessions, highlighting how technology can create accountability and transparency in public spaces. Dries has exhibited at prestigious venues including the Barbican in London, Art Basel, Mutek Festival in Montreal, ZKM, Bozar, WIRED and Ars Electronica. As a speaker, he's shared insights with innovative organizations including TEDx, MoMA, SXSW, Chanel, Adidas, Samsung, Deloitte, KBC and Adobe. Licensed to the public under https://creativecommons.org/licenses/by/4.0/. About this event: https://program.why2025.org/why2025/talk/XMMXBC/

Aug 10, 2025 · 48 min

Race conditions, transactions and free parking (WHY2025)

ORMs and/or developers don't understand databases, transactions, or concurrency. After the [Air France-KLM data leak](https://media.ccc.de/v/37c3-lightningtalks-58027-air-france-klm-6-char-short-code) I kept repeating this was not a real hack, and confessed I always wanted to hack a system based on triggering race conditions because of the lack of proper transactions. This was way easier than expected. In this talk I will show how just adding `$ seq 0 9 | xargs -I@ -P10 ..` can break some systems, and how to write safe database transactions that prevent abuse. In this talk I will explain what race conditions are, give many examples of how and why code will fail, show how to properly create a database transaction, and present the result of abusing this in real life (e.g. free parking). Licensed to the public under https://creativecommons.org/licenses/by/4.0/. About this event: https://program.why2025.org/why2025/talk/EYKRPS/

Aug 10, 2025 · 18 min

Kubernetes from Scratch, The Hard Way (WHY2025)

To understand the inner workings of Kubernetes and to prepare for the K8s certification exams, I decided to create a K8s cluster from scratch, the hard way, on premises (“de meterkast”) on virtual machines all using Alpine Linux. This talk is about how I tried to do it, how I succeeded, failed and added a Ceph cluster and etcd cluster along the way. It includes a lot of technical details, but if there is one thing that you should learn during this talk, it’s not about K8s at all: containers are not VMs. Licensed to the public under https://creativecommons.org/licenses/by/4.0/. About this event: https://program.why2025.org/why2025/talk/TQXDPD/

Aug 10, 2025 · 43 min

Bare metal programming from the ground up (WHY2025)

So you have a new microcontroller, how do you get started programming it? This is going to be the talk I wished already existed when I first got into microcontroller programming. Getting started with a new microcontroller can be daunting. They do come with datasheets, but these are often hundreds if not thousands of pages long and assume you already know the basics. So that's what I will be explaining: how to get started programming these things, from `Reset_Handler` to blinking LED. This talk will cover the following things:

* How to read datasheets
* How to write a simple linker script
* How to do basic initialization of a chip, enough to get an LED blinking
* How to get the binary you created onto a microcontroller

I will assume you have some programming experience, but experience with embedded software is not required. Licensed to the public under https://creativecommons.org/licenses/by/4.0/. About this event: https://program.why2025.org/why2025/talk/HBMWXL/

Aug 10, 2025 · 27 min

Hack the Grid. Disclosing vulnerabilities to help prevent blackouts (WHY2025)

The European electricity network has become a ‘smart grid.’ This offers many opportunities for sustainability but also makes our energy system more vulnerable to digital attacks. DIVD has been conducting research into vulnerabilities in charging stations, solar panel inverters, home batteries, and Energy Management Systems. In this talk, we will demonstrate how we could have generated power outages using these zero-days and how we prevent this by disclosing them responsibly. In a time of increasing threat of hybrid warfare, the government and the energy sector realize that we as a society must prepare for possible disruption of the energy system and do everything we can to prevent it. Various institutions test smart devices, set safety standards, and monitor compliance with these standards. However, parties such as our grid operators only have control over the energy grid equipment up to the front door. They are not allowed to look beyond the electricity meter, where most smart equipment is located. DIVD is allowed to do this because we are volunteers and a nonprofit. By identifying devices that can form a botnet, DIVD helps to make the smart grid more secure. DIVD has been conducting research into vulnerabilities in equipment of the energy system, such as charging stations, solar panel inverters, home batteries, and (Home) Energy Management Systems. Previous findings have led to several parliamentary questions and follow-up actions by authorities such as RDI, the Dutch Authority on Digital Infrastructure. With the CVD in the Energy Sector program, DIVD conducts research at its own hardware hacking lab in collaboration with the energy sector to reduce the digital vulnerability of our energy system. We also organise hack events. During WHY2025 we also give demos at the Vulnerability Disclosure Village. In this talk, we will demonstrate how we could have generated power outages using zero-days we found in solar converters, electric car chargers and energy management systems. Still, we also did it with just one user-password combination… Licensed to the public under https://creativecommons.org/licenses/by/4.0/. About this event: https://program.why2025.org/why2025/talk/AREWXH/

Aug 10, 2025 · 47 min

Challenge the Cyber (WHY2025)

Challenge the Cyber is a foundation that actively fosters security skills in young hackers (under 25). In this talk a couple of our (former) participants will share their experience and talk about the variety of events that the foundation runs throughout the year and how you can prepare and participate. This includes the yearly CTF, a Cyber bootcamp, recurring training events with CTF team Superflat and the participation in the European Cybersecurity Challenge. There's an overall shortage of cyber security experts. Challenge the Cyber (CTC) is the foundation that actively fosters security skills in young people and works on closing the gap between the need for experts in companies and talented young people who want to become these experts. CTC runs a national hacking competition (CTF) with roughly 120 participants each year. The best (30-40) performers are then invited to a week-long bootcamp in the summer in which highly technical workshops are given, a lot of attention is spent on team building and eventually a team of 10 players is selected for the European Cyber Security Challenge (ECSC). At the ECSC, team NL is supported again by CTC. Next to the competition there are side events where anyone can participate, such as playing CTFs with team Superflat. All in all, young people develop and progress through the years to our absolute elite in cyber security. (No, I'm not exaggerating here. We've got zero days as proof :D ) The presentation will tell all that and more, but the story will be told with anecdotes by active participants and volunteers of the foundation. They will give an inspiring insight into the world of the young star hackers and their journeys throughout CTC. Licensed to the public under https://creativecommons.org/licenses/by/4.0/. About this event: https://program.why2025.org/why2025/talk/8VF3QU/

Aug 10, 2025 · 25 min

Synology Disk Station Manager (DSM) - the good, the bad and the ugly (WHY2025)

In this WHY2025 session, Mischa van Geelen from Anovum will walk through his recent dive into Synology’s Disk Station Manager. After months inside the software, he surfaced with a mix of intriguing discoveries and a few findings that raise eyebrows. Without getting lost in technical weeds, the talk sketches DSM’s inner logic, hints at overlooked traces, and shows how a sharper view of the platform can flip a “nothing here” scenario into a solid lead. Expect a pragmatic tour of what’s possible, what’s recoverable, and where things get murky—plus takeaways to sharpen your own incident-response playbook. Licensed to the public under https://creativecommons.org/licenses/by/4.0/. About this event: https://program.why2025.org/why2025/talk/KRG3AP/

Aug 10, 2025 · 29 min

Het Grote Cyber Debat (WHY2025)

The Dutch parliamentary (Tweede Kamer) elections are coming up and the digital questions are on the table. What should the next cabinet do in the areas of cybersecurity, AI, privacy and digital autonomy? Which choices are really necessary, and who dares to make them? During WHY2025 we are organising Het Grote Cyber Debat, where politicians enter into conversation with the people who are at the controls every day: ethical hackers, open source developers, security professionals and AI tinkerers. Sharp questions and honest answers, by and for an audience that knows what it is talking about. The current cabinet recently presented the renewed Nederlandse Digitaliseringsstrategie (Dutch Digitalisation Strategy). But the future? That will soon be written in party manifestos. That is why, right now, we are inviting members of parliament, administrators and policymakers to listen, learn and debate with the tech community before election fever breaks out. **Astrid Oosenbrug (GroenLinks/PvdA)** Former member of the Tweede Kamer for the PvdA (2012–2017); focus areas cybersecurity and LGBTI rights, subsequently founder of the Dutch Institute for Vulnerability Disclosure, and still working in cybersecurity. **Erik Kemp (Volt)** Group leader of Volt in the Enschede city council. Is doing a master's degree in Cybersecurity at the University of Twente. **Haitske van de Linde (VVD)** VVD council member in Hilversum, programme manager Legislation, Data and Information at the Waterschap Rijn en IJssel water board. And in the distant past briefly lead candidate of Leefbaar Nederland. **Janarthanan Sundaram (D66)** Director of fibre provider Bright Access and member of the Landelijke Verkiezingscommissie (national election committee) of D66. **Sebastiaan van ’t Erve (GroenLinks)** According to his LinkedIn “resident of the municipality of Lochem”, but he was also once its mayor, was IT politician of the year, and is now doing a PhD on cyber-crisis management in municipalities. And more! Licensed to the public under https://creativecommons.org/licenses/by/4.0/. About this event: https://program.why2025.org/why2025/talk/CJZV8J/

Aug 10, 2025 · 1h 25m

Fruit machines: How people steal from them and manufacturer mistakes. (WHY2025)

Fruit machines are everywhere... and they contain cash. This is a talk about the efforts people go to in order to steal cash from the machines, and what can go wrong when the engineers creating them make mistakes. I've been working with fruit machines as a software engineer for over 30 years, primarily on system platforms and machine security. This talk gives an insight into some of the physical techniques thieves have developed over the years to steal cash from machines, and the catastrophic consequences of poor software. Licensed to the public under https://creativecommons.org/licenses/by/4.0/. About this event: https://program.why2025.org/why2025/talk/A9ZQBL/

Aug 10, 2025 · 40 min

Is AI for the birds? The beauty of backyard birdsong data (WHY2025)

Birdsong is all around us, but is there a deeper meaning? Can computer analysis help us decipher these hidden patterns in our own backyards? This talk charts my journey exploring the world of open source projects for bird (and bat!) audio identification, some of the systems I've operated, and the data art pieces I've created from the results. From the science of birdsong, to machine learning models and data visualization, there's something for every hacker to be inspired by.

- How birds sing, spectrograms and analysis
- Neural networks for identifying animal sounds
- Feature pre-processing for sound ID
- Open source projects you can build yourself
- Data art and visualizations
- The psychology of shifting baselines and why the data matters

Licensed to the public under https://creativecommons.org/licenses/by/4.0/. About this event: https://program.why2025.org/why2025/talk/L79ASB/

Aug 10, 2025 · 25 min

PLOT4AI 2.0: Open source Threat Modeling for Trustworthy AI (WHY2025)

PLOT4AI 2.0 is a pioneering open source AI threat modeling tool that provides a structured, lifecycle-based approach to AI risk identification. With over 100 AI-specific risk sources across eight categories, it aligns with the EU AI Act and supports trustworthy AI development and deployment. In this talk, the author will present the story of this internationally recognized tool, first published in 2022, and will introduce its new, expanded 2.0 version. More info @ https://plot4.ai/ After three years of research, in 2022 the first version of PLOT4AI launched with 86 AI-related threats. At that time AI security was still a niche topic discussed mainly by a few and AI safety was barely recognized beyond robotics and reinforcement learning. Then, just seven months later, ChatGPT launched, and the AI landscape changed overnight. Suddenly, AI became a central topic in public discourse, governance, and policy. The EU AI Act entered the scene, putting fundamental rights at the heart of AI product regulation. What was once a niche technical concern had become a global geopolitical issue, influencing regulatory and economic agendas around the world. It became clear: PLOT4AI needed a major update. In this talk, the author of PLOT4AI will take you behind the scenes of the tool’s creation and introduce PLOT4AI 2.0: a major new release of this open source AI threat modeling framework. The updated version includes over 138 AI-related threats, including threats related to Generative AI, Agentic AI, and complex deployment environments. PLOT4AI isn’t just a tool, it’s a collaborative effort to make AI safer for everyone! As an open source initiative, it's built on feedback, shared experience, and contributions. Whether you’ve spotted a missing threat, devised a new mitigation, or have real-world examples to add, your input is welcome and encouraged! This talk is both a deep dive into the evolution of AI threat modeling and a call to action for the AI open source communities to shape safer, more accountable AI together. Licensed to the public under https://creativecommons.org/licenses/by/4.0/. About this event: https://program.why2025.org/why2025/talk/KB7ATS/

Aug 10, 202550 min

Securing AI requires life cycle thinking and reducing unintended consequences (WHY2025)

AI is everywhere and where it isn't today, it most likely will be tomorrow. But jumping on the hype train and adding AI often does not sufficiently consider security. This talk walks you through cases of AI failures, how they've come about, and how they could have been avoided. We're also going over some projections of spectacular AI failures we're likely to see going forward. AI is everywhere and where it isn't today, it most likely will be tomorrow. But hype does not sufficiently consider security and AI has the ability to cause errors and failures the developers haven't considered. As was stated in the first Jurassic Park "they were so busy thinking if they could, they didn't stop to think if they should". So we're seeing more examples of failures than are needed for this talk that walks you through a few cases of AI failures, how they've come about, and how they could have been avoided. We're also going over some projections of what we're most likely going to see when you combine AI alignment issues, the ability of AI agents to take action, and the overconfidence of developers focused on whether they could. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/UXXZMU/

Aug 10, 202549 min

Open Source Imaging & Open Source Standard Hardware (WHY2025)

We developed an open-source low-field MRI and got the clinical certification started! The aim is to create a reference technology for healthcare – which comes with its own complex questions. The Open Source Imaging Initiative has developed an open-source low-field MRI – and is now working on the clinical certification for it (+will open-source it as far as legally possible)! This started raising some discussions around the costs and patenting-schemes in public healthcare. But what about the rest of the public infrastructure? And who keeps control of what? This talk will give an overview of the current state of the project, a bit of historic context (how could this happen??) and will explore the current discussions around governance and property models – and the idea of Open-Source Standard Hardware. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/T9JW9Z/

Aug 10, 202525 min

Quantum cryptography and its certification against attacks (WHY2025)

I briefly explain quantum cryptography. It is unbreakable in principle, but its real implementations have vulnerabilities arising from equipment imperfections. Certification standards [1] and accredited labs are being established that can test commercial products for these flaws. I explain how we have analysed a commercial quantum key distribution system for loopholes, patched them, and designed tests for the certification lab [2]. [1] ISO/IEC 23837-2:2023(en) international standard. [2] V. Makarov et al., Phys. Rev. Appl. 22, 044076 (2024), https://arxiv.org/abs/2310.20107 Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/DFCBQD/

Aug 10, 202552 min

Flattening the Curve: Rediscovering Web UI Through Historic Geometric Constructions (WHY2025)

Modern UI/UX design is rooted in centuries-old geometry. This talk explores how historic tools—from Greek constructions to Bézier curves—are still broadly used to solve real problems today. Through demos and visual examples, we’ll uncover practical, eye-opening methods that blend math, art, and design. No technical background needed—just curiosity. Prepare to rethink how we build and understand the visual world. Modern UI/UX design is built upon concepts much older than computers. This talk uncovers how ideas from the history of geometry continue to shape the ways we define and render interfaces today—while also revealing a deeper story: how practical mathematical problems, from antiquity to today, have been approached not with algebra, but with the elegance of geometric construction. We’ll explore geometric throughlines, from Greek straightedge-and-compass methods, through innovations of the Islamic Golden Age, to Renaissance engineers and their mechanical drawing tools, all the way to Bézier curves of the 1960s—now foundational to every smooth SVG path on the web. Alongside interactive demos and visual examples, we’ll dive into surprisingly current problems that are solved through construction alone, in ways that are both rigorous and astonishingly intuitive. This talk is for anyone with a curious mind—no technical background required. While code snippets will appear, the real goal is to spark insight and wonder. Join us to discover how a blend of math, history, and art can transform the way we see both digital and physical space—and how centuries-old ideas continue to solve problems in ways that are as beautiful as they are practical. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/VRMZEG/

Aug 10, 202548 min

Ctrl+Alt+Delete Anxiety; a guide to mental wellness (WHY2025)

From (political) climate change to people marrying AI chatbots. The world can be a scary place. This talk will be a comprehensive guide to anxiety. We’ll go through the basics of neuroscience and **causes of anxiety**, look at **the effects of the neurodivergent brain on anxiety** and you will be provided with **tools backed by science to implement directly into your daily life!** You might feel tension in your chest when preparing a presentation, or a funny feeling in your stomach when you know you'll have to take public transport. Almost everyone feels anxious every once in a while, and about 15% of adults in the Netherlands have or have had an anxiety disorder. An explanation about what causes these feelings, and good applicable solutions on managing these feelings are sadly not always easy to find. This talk will first provide you with a basic understanding of the (neuro)science behind anxiety. After we have a clear picture of **the causes of anxiety** we’ll look at neurodivergent brains, as many of us are blessed with one of those, and how that can influence anxiety. Last, but definitely not least, we’ll look at current research on anxiety interventions. And I'll provide you with **practical tips**, applicable **long term changes** that might help with daily well-being and **what to do when stressing about the existence of blockchains!** (Ps. don’t worry, I won't tell you to just go for a run) Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/3NHUZB/

Aug 10, 202542 min

Dutch fun! (damentals) (WHY2025)

This is an English-spoken talk about the Dutch language, from a Dutch linguist's point of view. Some grammar and quirks of the language are illustrated using theory and examples, as well as a small "bluff your way into Dutch". The inspiration for this talk comes from my background as a general linguist and current work as a teacher of Dutch as a foreign language. Everybody with an interest in the Dutch language is welcome to join. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/3MF3N3/

Aug 10, 202548 min

Robotics Hello World, a.k.a build your own hexapod (WHY2025)

As a tinkerer and software geek, robotics is a brilliant field. Finally a field that combines the beautiful creations coming out of your FDM printer and the results of multiple cups of coffee turned into (almost) working software. However, where do you get started and how does it actually work? This talk is about all these questions and the corresponding answers that I found during my journey to build my first hexapod robot. From designs to simulation, custom PCBs to finally a walking robot. I'm by no means a roboticist, I'm just an average tinkerer with a 3D printer and an IDE. This is about my journey to build a hexapod and everything I encountered along the way. From mechanical design and custom PCBs to math and software simulation, I'll take you along for the ride. And hopefully help you along on your journey. If you want to get some insight into the inner workings of a hexapod robot, are not afraid of some math equations and are interested in Gazebo simulators, this is a good place to be. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/DHCFRP/

Aug 10, 202550 min

FreeSewing: sewing patterns in the open source world (WHY2025)

FreeSewing is the leading open-source library for parametric sewing patterns and combines sewing patterns with code; instead of drafting patterns on paper (hardly an easy task!), you can now enter the measurements of your body into the platform to get a sewing pattern that fits YOU. In this talk, I will introduce you to FreeSewing, the sewing world as a whole and FreeSewing's role in it, and I will show a peek under the hood of a FreeSewing pattern. If you want to learn how to sew, you must first have a sewing pattern. You are left to either buy (or find) sewing patterns, which are commonly graded (resized) up and down (often based on some "ideal" body shape, which does not take variations into account well), or you have to learn a whole new skill of pattern drafting. Although that skill has become more accessible through the internet, it is still difficult to learn the more complex you go. With FreeSewing, sewing patterns are parametric: they adapt to the measurements you put in, which is a lot more comprehensive than the grading-up-and-down system, and more inclusive of "different" body types too. (We don't believe in an "average body type".) Plus, it's available for free to anyone with access to an internet browser. FreeSewing also includes documentation for both sewing and programming. FreeSewing is a baby born out of spite, as the founder Joost was (and still is) too tall for what clothing stores have to offer. The talk will not be given by him, but by an enthusiastic contributor (who is too short for what clothing stores have to offer ;)). Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/TYQMAS/

Aug 10, 202529 min

Sensible Money: Designing a Sustainable Economy (WHY2025)

Economic models are increasingly challenged for destroying our planet. But it is not easy to design a sustainable alternative. In a follow-up on my OHM talk "hacking for bankers", I would like to present a few realistic currencies that we can use to move away from the unsustainable path that we are currently walking. We could build a profitable yet sustainable grassroots movement. At OHM2013 I gave a talk entitled _Hacking for Bankers_ where I explained the perverse motives in the present monetary system. This talk presents solutions. They are grassroots systems, that redefine money by choosing another basis for it. A humane basis. * **Sensible Bullion.** Founded on precious metals such as gold and silver, stored safely in a vault, with (title of) ownership claimable by the one who presents the corresponding digital coins. While the coins exist, they can circulate for online trading. Great for long-term savings, neutral for spending, but difficult to handle for investors. * **Sensible Energy.** Trading in sustainable energy at zero cost at a parallel energy market. In the Netherlands, we have rolled out so much sustainable energy that the energy market is giving a push-back instead of handling it with storage systems. Bypassing this market allows at least wind and solar energy to give each other mutual support, expressing that these are dependent elements in our country's sustainable future, and that they need to evolve together. * **Sensible Focus.** Economic theory teaches us that human attention is the most valuable asset overall. But since money expresses something else, it makes _business sense_ to optimise humans (and humanity) out of products and services. Were money to express the actual focus of a human being, then the world would be a different place. * **Sensible Dinosaur.** What if we put a (monetary) value on unexcavated fossil fuels? Would we then be able to resist digging it up and burning it? 
If we created such a money, could it pay for climate debt? Perhaps to correct the inequalities caused by climate change? Or maybe to pay for CO₂ recovery measures? Essential to all these currencies are a few guiding principles, with details in the [Book of Sensible Taler](http://book.sensible-taler.org/): 1. Currencies must be **fully backed** by an underlying value; this leaves no room for inflation 2. The underlying value cannot be borrowed, so **no interest** can be charged. Deep **participation with profit-sharing** offers a substitute investment mechanism. 3. Digital money entitles the owner to **claim the underlying value**. Payment systems must have **legal structures** to maintain this property even after bankruptcy. 4. Expenses are out in the open, there are **no concealed fees** or indirect costs. Different underlying rules about the workings of money trigger people to make different choices. This is how these monetary system designs can focus on sustainability, rather than mindlessly chasing short-term profit. Such a system can co-exist with the fiat money issued by governments. And because the digital form of the money is founded on [GNU Taler](https://www.taler.net/en/), it is fit for secure and private online payment at least as easily as fiat money. This project is kindly supported by [NLnet Foundation](https://nlnet.nl). Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/UHHGZT/

Aug 10, 202550 min

Green WiFi: how regulation sort of works (WHY2025)

This talk is based on my experience working for Comcast/Sky Group in WLAN (802.11) standardisation. It follows the trajectory from environmental laws through to technical regulations and finally into technical standards, patents and technologies. The talk argues that well-enforced norms and regulations remain a good way of incentivising socially and globally desirable outcomes, while explaining how technical regulations and standardisation work in practice from the industry insider perspective. A version of this presentation was previously given at the SICT Summer School at ULB in Brussels. It will also be presented at Bornhack and BalcCon in 2025. I feel like such a talk is especially important now that Europe is no longer under an American security umbrella. Europe consistently fails in pushing a rules-based world order, while, in fact, it is difficult to see any other form of world order work either for Europe or indeed the vast majority of countries. We have many parallel examples from privacy, security and data protection law where Europe, again, fails to understand and identify its own critical interests. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/YUAA7M/

Aug 10, 202543 min

Reinventing woodwind instruments (WHY2025)

Experimental archeology to understand the development of woodwind instruments. What I learned about woodwind instruments by using a spoon drill to make a bore and a whip lathe to reinvent medieval woodturning. I will discuss cylindrical and conical bores, why they are different in a musical sense and why the technology of the times favours one over the other. I will also link some peculiar instruments to the medieval education system of the guilds. The famous leather archeologist Olaf Goubitz once said "You can only understand a historical shoe after you have made it". After following a hobby course in instrument building and a year working as a medieval woodworker in the historical theme park Archeon, I wanted to go back to the roots and build instruments with the tools of the time. I basically want to become a medieval instrument builder's apprentice, even though all masters have been gone for centuries. With this talk I want to share what I have learned so far. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/V3ANNV/

Aug 10, 202538 min

All about BadgeHub (WHY2025)

BadgeHub is a Badge Application Website that enables Badge Enthusiasts to share Badge Apps. In this talk, we first explain what BadgeHub is and what you can do with it. After that, we go into all the technical details and difficult decisions that went into building BadgeHub with PostgreSQL, Node.js and Vite. We will talk about Infra, Frameworks, Databases, Backend and Frontend. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/CMMUH8/

Aug 9, 202523 min

Capture flags and secret tokens at WHY2025 (WHY2025)

WHY2025 contains a lot of activities and entertainment for the attendees. This presentation focuses on two of these activities, namely the CTF (Capture The Flag) and Secret Token Game. These activities focus on a wide range of visitors, including seasoned hackers, inspired newcomers and even the youngest generation. Want to try the CTF or search for some Secret Tokens? Join this talk for an introduction and background information. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/TJJR3W/

Aug 9, 202518 min

Safeguarding Research & Culture: Save public data from the digital bookburnings! (WHY2025)

Archives are vulnerable. Modern archival methods are robust, but no archive or institute alone can withstand the threats we are currently facing. Safeguarding Research & Culture (SRC) is creating an alternative infrastructure for archiving and disseminating of cultural heritage & scientific knowledge. We focus on publicly available material under threat of being deleted or altered. We preserve this data using open standards, open-source software, distributed storage and your help! No single archive is permanent, nor large enough to store all of our cultures at risk. Modern archival methods are robust, but no archive or institute alone can withstand the threats we are currently facing. The destruction of knowledge and cultural heritage has happened, and is happening again, whether it is caused by human action [1] or natural causes [2]. Without our archives we lose knowledge and culture, which has a negative impact on our ability to learn, study and innovate. However, digital information can be copied easily and quickly. Safeguarding Research & Culture (SRC) is creating an alternative infrastructure for archiving and disseminating of cultural heritage and scientific knowledge. We seek to preserve cultural memory in a way that traditional archives cannot. Together, we can ensure that our cultural, intellectual and scientific heritage exists in multiple copies, in multiple places, and that no single entity or group of entities can make it all disappear. In this session, we will present why we are doing this, what our approach is and why we need your help. 
After attending this session, participants will: * Have gained an insight into the importance of data to support culture preservation & research purposes * Understand how this project relates to and supplements more “traditional” archiving & preservation infrastructure * Feel empowered to contribute to the project in various ways, including seeding existing datasets, identifying at-risk datasets, downloading & adding at-risk datasets to the swarm and supporting this project in other ways References 1. See for example [NYT: *Health Resources Vanish Following D.E.I. and Gender Orders*](https://www.nytimes.com/2025/01/31/health/trump-cdc-dei-gender.html), [Atlantic: *Why Is the Trump Administration Deleting a Paper on Suicide Risk?*](https://www.theatlantic.com/ideas/archive/2025/02/heath-science-data-trump/681631/), [Boston Globe: *CDC removal of databases on sexual orientation, gender identity sparks alarm*](https://www.bostonglobe.com/2025/01/31/metro/cdc-removes-databases-sexual-orientation-gender-identity/), and [404media: *GitHub Is Showing the Trump Administration Scrubbing Government Web Pages in Real Time*](https://www.404media.co/github-is-showing-the-trump-administration-scrubbing-government-web-pages-in-real-time/). 2. See for example [Smithsonian: *Why Brazil’s National Museum Fire Was a Devastating Blow to South America’s Cultural Heritage*](https://www.smithsonianmag.com/smart-news/artifacts-destroyed-brazil-devastating-national-museum-fire-180970194/) and [UN: *Destruction of cultural heritage is an attack on people and their fundamental rights*](https://news.un.org/en/story/2016/10/543912). Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/B8DANE/

Aug 9, 202527 min

Reverse-Engineering Government Transparency (WHY2025)

The hacker ethic teaches us that information should be free. So why do governments still keep so much of it inaccessible and out of reach? In this talk, we'll break down the barriers to digital transparency, show how hackers can help open up the government, and lay out a vision for a more democratic, accountable and open state. Governments should be radically more transparent, because public information and open data allow researchers, businesses, and voters to make better decisions. But too often, public data is fragmented, incomplete, hard to access, or never published at all. At [Open State Foundation](https://openstate.eu/), we’ve spent more than a decade working to unlock that information. In this talk, we’ll share how we use a hacker's mindset to reverse-engineer transparency: - from tracking how long ministries take to answer Access to Information requests (the answer will surprise you), - to scraping hundreds of document portals into one search engine, - to building public calendars of ministerial meetings that anyone can subscribe to. But above all, we’ll ask: how can hackers help open up the government? Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/3BFFLY/

Aug 9, 202527 min

23 Years of Security Advisories: Past, Present, and Future at the Dutch NCSC (WHY2025)

For over 23 years, the Dutch National Cyber Security Centre (NCSC) and its predecessors - GOVCERT.NL and CERT-RO - have been publishing security advisories to help protect Dutch digital infrastructure. Over the decades, this advisory service has evolved significantly in scope, scale, and approach. From the tooling and processes used, to the volume of vulnerabilities handled, the format of our advisories, and our audience - nearly every aspect of our work has changed and keeps changing. This presentation will explore the history and development of the NCSC-NL security advisory service, reflecting on key milestones and lessons learned along the way. We will then look forward, discussing how the service is adapting to current challenges and future demands, most notably automation. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/G8AJKY/

Aug 9, 202529 min

Shenanigans with Web of Things (WHY2025)

A showcase of creative Web of Things use cases – fun prototypes that are nothing like light bulbs. The W3C seeks to counter fragmentation of the Internet of Things, finding common ground and enabling long-term support. That's the goal of the Web of Things (WoT) ecosystem. Alongside an introduction to Web of Things, I'll show off my collection of WoT prototypes that cover unusual use cases – like note taking or browsing maps. As a hobbyist, I've been implementing the Web of Things standards for many years. I've developed a server and a client which power the prototypes. About Web of Things: https://www.w3.org/WoT/ My server: https://gitlab.com/jaller94/wot-anything My client: https://gitlab.com/jaller94/wot-wrench Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/CBRZPX/

Aug 9, 202539 min

How to rig elections (WHY2025)

Enter the fascinating world of corruption, chicanery, low-tech fraud, and forensic tools that uncover it. The story is told through the eyes of a Russian election official who has participated in campaigns of all levels in the past 4 years and fought for justice (mostly unsuccessfully). Watch a demo how to tamper with a security bag and learn how to use statistics to detect ballot stuffing [1]. See the obstacles faced by Russians wanting a change. See how the government “wins” the elections. [1] A. Podlazov and V. Makarov, Dual approach to proving electoral fraud via statistics and forensics, https://arxiv.org/abs/2412.04535 Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/U7HBTJ/

Aug 9, 202551 min

May Contain Hardware Acceleration: Building a 3D Graphics Accelerator in FPGA for the MCH2022 Badge (WHY2025)

The MCH2022 Badge is a wonderful piece of hardware, with a great screen, a dual-core ESP32 CPU, and a Lattice FPGA to act as a co-processor. What if we could use the power of the FPGA to render 3D graphics? In this talk I'll take you through the basics of 3D rendering, the challenges of doing this on the Badge, and how I made the little Lattice produce pretty polygons. I don't know about you, but when I get my hands on a piece of hardware with a lovely screen and a bit of processing power, my first thought is "Can I make this produce 3D graphics?" (Well, the *real* first question is "Can it run Doom?" but that was already answered by the wonderful Sylvain Lefebvre.) So when the MCH2022 Badge was announced to come with an FPGA to play around with, well I knew where my free time would end up for a while. The FPGA on the MCH2022 badge is, to put it mildly, *petite* at just 5K LUTs. And while it has plenty of memory space, memory bandwidth is limited. A traditional framebuffer-based 3D renderer wasn't going to work. So I had to get creative and instead render in vertical strips, while using as few operations per pixel as possible. In this talk I'll explain how rasterization (the process of turning triangles into pixels) typically works, why this is challenging to do on the Badge hardware, and what I did instead. I'll talk about texturing and I'll add some crunchy digital details like memory bandwidth. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/PR3VHT/

Aug 9, 202522 min

A Big Bad App: Welcome to Corporatocracy (WHY2025)

We all live in a fair democracy 🎶 ... or do we? No, we live in a world where the major corporations decide how we interact with digital systems and digital systems govern the world. That's corporatocracy - a system in which corporations, rather than elected officials, have major influence over decision-making, laws, and societal direction. And they are not on our side. This talk is about what happens when the system isn't built for you — because it never was. - If something goes wrong and you're not the 1,000th person to report it, it's your problem. Customer service? That's just a chatbot pretending to care. - A mobile operator refused to sign a contract with me because they couldn't remove “I agree to receive ads.” - My orders get randomly cancelled because I refuse to have a phone number. - My industry certifications? Gone. Because I stood up for my privacy rights. We'll go through these experiences and dissect why things are this way. Why must we adapt to their systems, but they won't adapt to ours? Why does a company's "official support channel" usually mean "no support at all"? Why do startups optimize for growth at the cost of basic usability? This isn't just a rant (though there will be rants). It's a call to stop playing by their rules. We'll discuss examples of where people have pushed back and won, and where we've completely failed. If you're building an app or website, and intend to respect your users, this talk is for you. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/993NXA/

Aug 9, 202551 min

Reporting vulnerabilities in Belgium (WHY2025)

How noticing a vulnerability in a website has led to a foreign government threatening to revoke my permission to publicly discuss the existence of an abstract vulnerability class. Belgium has laws regulating the reporting and public disclosure of vulnerabilities. While the goal is to protect both organisations and reporters of vulnerabilities, the assumptions behind it conflict with the practice of coordinated vulnerability disclosure. I will discuss the parts of my experience I’m allowed to tell. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/3R8JLD/

Aug 9, 202547 min

0click Enterprise compromise – thank you, AI! (WHY2025)

Compromising a well-protected enterprise used to require careful planning, proper resources, and ability to execute. Not anymore! Enter AI. From Initial Access to Impact and Exfiltration. AI is happy to oblige the attacker. In this talk we will demonstrate access-to-impact AI vulnerability chains in most flagship enterprise AI assistants: ChatGPT, Gemini, Copilot, Einstein, and their custom agents. Some require one bad click by the victim, others work with no user interaction – 0click attacks. Compromising a well-protected enterprise used to require careful planning, proper resources, and ability to execute. Not anymore! Enter AI. Initial access? AI is happy to let you operate on its users’ behalf. Persistence? Self-replicate through corp docs. Data harvesting? AI is the ultimate data hoarder. Exfil? Just render an image. Impact? So many tools at your disposal. There's more. You can do all this as an external attacker. No credentials required, no phishing, no social engineering, no human-in-the-loop. In-and-out with a single prompt. Last year at BHUSA we demonstrated the first real-world exploitation of AI vulnerabilities impacting enterprises, living off Microsoft Copilot. A lot has changed in the AI space since... for the worse. AI assistants have morphed into agents. They read your search history, emails and chat messages. They wield tools that can manipulate the enterprise environment on behalf of users – or a malicious attacker once hijacked. We will demonstrate access-to-impact AI vulnerability chains in most flagship enterprise AI assistants: ChatGPT, Gemini, Copilot, Einstein, and their custom agents. Some require one bad click by the victim, others work with no user interaction – 0click attacks. The industry has no real solution for fixing this. Prompt injection is not another bug we can fix. It is a security problem we can manage! We will offer a security framework to help you protect your organization – the GenAI Attack Matrix. 
We will compare mitigations set forth by AI vendors, and share which ones successfully prevent the worst 0click attacks. Finally, we’ll dissect our own attacks, breaking them down into basic TTPs, and showcase how they can be detected and mitigated. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/SELH79/

Aug 9, 2025 · 51 min

Phrack 40th Anniversary Release (WHY2025)

Celebrate 40 years of legendary hacking with Phrack! We’re dropping a special anniversary release packed with cutting-edge research, underground insights, and tributes to decades of digital rebellion. Don’t miss this milestone issue—crafted by hackers, for hackers. Grab your copy, meet the crew, and honor the zine that defined an era. #Phrack72 #WHY2025 #HackThePlanet Meet us later at the release party by the Milliways village for some beer (while it lasts) & snacks! Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/B9EYZF/

Aug 9, 2025 · 45 min

Gosling: Build Anonymous, Secure, and Metadata-Resistant Peer-to-Peer Applications using Tor Onion Services (WHY2025)

Gosling is a Tor onion-service-based protocol and Rust reference implementation which allows developers to build privacy-preserving p2p applications with the following properties:
- persistent authenticated peer identity
- end-to-end encrypted
- anonymity
- metadata resistance
- decentralisation
- real-time communication
This talk will go over the complexities involved in combining all of these properties (with a focus on metadata resistance) and describe how Gosling solves these problems. Project Website: https://gosling.technology Github Page: https://github.com/blueprint-freespeech/gosling Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/TMS3DC/

Aug 9, 2025 · 39 min

Stealth Web Scraping Techniques for OSINT (WHY2025)

Web scraping continues to be a cornerstone of OSINT operations, particularly during Red Team engagements and external attack surface reconnaissance. Yet, as anti-bot technologies grow more sophisticated, traditional scraping methods based on direct HTTP requests are increasingly ineffective. This talk takes a technical dive into browser-based scraping techniques that closely mimic real user behavior to evade detection, inspired by real-world mechanisms observed across major web platforms.
In Red Team operations and external attack surface assessments, open-source intelligence (OSINT) is a critical step for identifying internet-exposed assets and assessing the associated risks. One of the most common techniques in this phase is web scraping, which automates the collection of publicly available data—often without relying on official APIs that are frequently rate-limited, monitored, or entirely unavailable. In previous conferences, such as Fabien Vauchelles's talk "Cracking the Code: Decoding Anti-Bot Systems", the focus was on detecting scraping activities at the network layer using TCP/IP fingerprinting and IP intelligence. This presentation builds on that work by shifting the focus to client-side techniques—specifically, browser-based approaches that mimic legitimate user behavior to evade detection. The objective of this session is to explore modern strategies for conducting stealthy web scraping by avoiding API usage and minimizing anomalies detectable at both the network and application layers. Based on real-world use cases, the talk aims to provide actionable insights for security professionals involved in scraping—whether performing it or defending against it.
The talk will present concrete methods for data collection, including:
- Making direct HTTP/HTTPS requests to web servers—such as websites or HTTP-based services—using libraries that handle protocol-level communication. This method allows efficient data retrieval by bypassing the need to render the page or load additional resources like images, videos, stylesheets, or scripts. It's fast and lightweight, especially suited for static or partially dynamic content.
- Leveraging headless browsers to simulate real browser behavior without a graphical interface. These tools embed full HTML, CSS, and JavaScript engines, enabling interaction with modern, dynamic web applications. This technique is essential when scraping content that relies on client-side rendering or asynchronous JavaScript operations.
- Using browser-side scripting tools, such as TamperMonkey, within standard browsers. These tools allow custom JavaScript code to be injected and executed directly on the page, offering a practical and discreet way to automate data collection from within the browsing environment itself. This technique has been successfully applied in large-scale scraping operations, including on major social networks where traditional approaches are often ineffective due to advanced client-side defenses.
Beyond the scraping techniques themselves, the presentation will also cover the current detection methods employed by websites to identify automated behavior and how these can be bypassed, including:
- Detection of automation environments via specific JavaScript variables (e.g., navigator.webdriver) or discrepancies in the DOM.
- Behavioral detection mechanisms such as mouse movements, keyboard activity, or interaction timing.
- Identification of scraping-specific browser extensions or content injection tools.
- Detection of headless execution environments using debugging interfaces or timing-based heuristics.
This talk will provide a technically grounded exploration of the current capabilities and limitations of stealth web scraping from both offensive and defensive perspectives.
Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/7DMBVR/
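The detection methods listed in this abstract (navigator.webdriver, environment discrepancies, headless markers, interaction timing) are the signals a site-side probe scores. The following is an added example, not code from the talk or its speaker: a small probe that scores those signals and a timing heuristic over interaction timestamps. It takes `navigator`- and `window`-like objects as parameters so it runs under Node against constructed fixtures; in a browser you would pass the real `navigator` and `window`. The signal list, the thresholds and the fixtures are assumptions for the demo, not a catalogue of what any real anti-bot product checks.

```javascript
// Added example (not from the talk): a site-side automation probe scoring the
// client-side signals the abstract names, plus a behavioral timing heuristic.
// Operates on plain objects; in a browser call scoreAutomationSignals(navigator, window).

// User-agent markers of headless or scripted browsers (assumption: a short list).
const HEADLESS_UA = /HeadlessChrome|PhantomJS|Puppeteer/i;

// Returns a score (number of suspicious signals) plus the reasons, so the caller
// can treat it as evidence rather than a verdict.
function scoreAutomationSignals(nav, win) {
  const reasons = [];
  const ua = nav.userAgent || '';
  // 1. Explicit automation flag set by WebDriver-controlled browsers.
  if (nav.webdriver === true) reasons.push('navigator.webdriver is true');
  // 2. Headless builds announce themselves in the user agent.
  if (HEADLESS_UA.test(ua)) reasons.push('headless user agent');
  // 3. Environment discrepancies: a UA claiming Chrome without window.chrome,
  //    no plugins, no languages, or a window with zero outer size.
  if (/Chrome\//.test(ua) && !win.chrome) reasons.push('Chrome UA without window.chrome');
  if ((nav.plugins ? nav.plugins.length : 0) === 0) reasons.push('no plugins');
  if (!Array.isArray(nav.languages) || nav.languages.length === 0) reasons.push('empty navigator.languages');
  if (win.outerWidth === 0 || win.outerHeight === 0) reasons.push('zero outer window size');
  return { score: reasons.length, reasons };
}

// Behavioral heuristic: human clicks and keystrokes have jittery inter-event
// gaps; a scripted loop fires at near-constant intervals. Flags a sequence
// whose coefficient of variation of gaps is below minCv (threshold is an assumption).
function looksScripted(eventTimestampsMs, minCv = 0.15) {
  if (eventTimestampsMs.length < 3) return false;
  const gaps = [];
  for (let i = 1; i < eventTimestampsMs.length; i++) {
    gaps.push(eventTimestampsMs[i] - eventTimestampsMs[i - 1]);
  }
  const mean = gaps.reduce((a, b) => a + b, 0) / gaps.length;
  if (mean === 0) return true; // all events in the same instant: not a human
  const variance = gaps.reduce((a, g) => a + (g - mean) ** 2, 0) / gaps.length;
  return Math.sqrt(variance) / mean < minCv;
}

// Constructed fixtures (not captured from real browsers).
const headlessFixture = {
  nav: { webdriver: true, userAgent: 'Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/126.0 Safari/537.36',
         plugins: [], languages: [] },
  win: { chrome: undefined, outerWidth: 0, outerHeight: 0 },
};
const realFixture = {
  nav: { webdriver: false, userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/126.0 Safari/537.36',
         plugins: [{ name: 'PDF Viewer' }], languages: ['en-US', 'en'] },
  win: { chrome: {}, outerWidth: 1440, outerHeight: 900 },
};
const scriptedClicks = [0, 100, 200, 300, 400];      // constant 100 ms cadence
const humanClicks = [0, 130, 290, 410, 640];         // jittery cadence
```

Every one of these signals can be spoofed from the client, which is exactly the evasion the talk is about: a TamperMonkey script running in a real browser presents a real `navigator`, and Puppeteer-style stealth patches overwrite `navigator.webdriver` and `window.chrome`. That is why a defender should combine the score with the network-layer fingerprinting the abstract references rather than gate on any single check.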

Aug 9, 2025 · 52 min