Chaos Communication Congress

Hier geht es los.

The combination of the ongoing technological revolution, globalisation and what are usually called 'neo-liberal' economic policies has generated a global system of rentier capitalism in which property rights have supplanted free market principles and in which a new global class structure has taken shape. The 20th century income distribution system has broken down irretrievably, and a new mass class, the precariat has been growing dramatically fast in every part of the world. What are the deeper reasons for these developments? How does an ecologically sustainable strategy look like? Is it possible to restore a balanced market economy in which inequalities and insecurities will lessen and in which the drift to populist and even neo-fascist politics will be reversed? This talk will try to provide answers.

Since a few months we have a new version of TLS, the most important encryption protocol on the Internet. From the vulnerabilities that created the need of a new TLS version to the challenges of deploying it due to broken devices this talk will give an overview of the new TLS 1.3. In August the new version 1.3 of the Transport Layer Security (TLS) protocol was released. It‘s the result of a process that started over four years ago when it became increasingly clear that previous TLS versions suffered from some major weaknesses. In many ways TLS 1.3 is the biggest step ever done in the history of TLS and its predecessor SSL. While previous TLS versions always tried to retain compatibility and not change too many things, the new version radically removes problematic and insecure constructions like static RSA key exchanges, fragile CBC/HMAC constructions and broken hash functions like MD5 and SHA1. As a bonus TLS 1.3 comes with a reworked handshake that reduces the number of round-trips and thus provides not just more security, but also better performance. If that sounds too good to be true: An optional, even faster mode of TLS 1.3 – the zero round trip or 0RTT mode – makes some security researchers worried, because they fear it introduces new security risks due to replay attacks. Though the road to TLS 1.3 was complicated. The Internet is a buggy place and particularly Enterprise devices of all kinds – middleboxes, TLS-terminating servers and TLS-interception devices – slowed down the deployment and finalization of the new encryption protocol. Also some banks thought that TLS 1.3 is too secure for them. The talk will give an overview of the developments that led to TLS 1.3, the major changes it brings, the challenges it had to face and some practical advice for deployment.

Restricting access to knowledge and science is not beneficial for society. So why are scientific results still locked up behind paywalls? Even though the answer to this question is enlightening, the story is quickly told. Much more important is the knowledge on how to change this. Politics, research funders, libraries and scientists have to join forces and to push forward to flip scholarly communication from closed to open access. What has happened so far? What are the current developments? What can each of these parties contribute to the transformation of scholarly communication? Open access guidelines, repositories and the hashtag #ICanHazPDF are just a few examples of approaches that jointly undermine the paywalls. One that has been recognized even beyond the scientific community is Project DEAL which aims to achieve open access for scientific publications from German scientists with major academic publishers. Things are currently progressing very fast and a lot can happen in the weeks between now and the congress. The talk will start with a brief introduction to the most common way of scholarly communication, where science is still mainly locked up behind paywalls. In line with the most recent developments, the talk will then focus on different approaches to open up science and their political and practical consequences. Whatever happens, the transformation of scholarly communication is well underway and it will affect not only the scientific community but society as a whole. So let’s join forces!

When a electrical device needs to be a piece of art or used as a mechanical component, a printed circuit board is more than a piece of fiberglass with wires embedded in it. In chemical engineering applications internal holes which allow fluids to be transported through the PCB need to be placed in complex precise patterns. As art, holes can be used to create positive and negative space, allowing you to see a charlieplexed LED display as a snowflake. Creating complex shapes in PCB design software is difficult to impossible. However, it is easy in CAD software. In this talk I will present the project workflow I use to design and manufacture my PCBs. Additionally, I will discuss the problems I have run into during manufacturing and how these problems were resolved. Making electrical-artistic and electrical-mechanical PCBs adds steps and complications to the usual PCB fabrication process. In this talk I will go over my project workflow and discuss how and why I do each step. I will also discuss problems I have run into during both the design and the manufacturing process.

Neutrinos are “ghost-like” elementary particles that can literally go through walls. They can bring information from places that are impossible to observe through other means. This talk provides a glimpse behind the scenes of a next-generation neutrino detector called Hyper-Kamiokande – a cylindrical water tank the size of a high-rise building. I will describe some of the problems you encounter when planning a subterranean detector of this size, and explain how this detector helps us figure out why the sun shines and how giant stars explode. Neutrinos are tiny elementary particles that do not interact through the electromagnetic force. Almost like ghosts, they can literally go through walls and escape places that are inaccessible by other means, giving us a unique way of observing the interior of stars or nuclear reactors. Hyper-Kamiokande – a cylindrical water tank that is 62 m high and 76 m in diameter – is a next-generation neutrino detector, which will be built inside a mountain 250 km northwest of Tokyo starting in 2020. The talk will give an overview on the process of designing and building a subterranean detector of this size, starting from preparations for cavern construction and ending with the design of photodetectors, electronics and data analysis. In addition, the talk will cover selected areas of the physics programme of this detector. It will be explained how detecting neutrinos from our sun lets us figure out why the sun shines and how we can measure the temperature at its core to a precision of about 1%. Finally, I will explain how such a neutrino detector can help us watch, millisecond by millisecond, how giant stars explode in a supernova, creating many of the chemical elements that are necessary for life and computers to exist.

Die AfD-Bundestagsfraktion wird in der Öffentlichkeit vor allem mit ihren rassistischen Positionen wahrgenommen – mit ihren netzpolitischen Aktivitäten bleibt sie zumeist unter dem Radar. Dieser Talk zeigt, wie die AfD-Fraktion die Netzpolitik dennoch als vermeintlich neutrales Thema nutzt, um für ihre rechtsextreme Partei eine parlamentarische und gesellschaftliche Normalisierung herzustellen. Als Mitarbeiterin einer Bundestagsabgeordneten von den Grünen verfolge ich täglich das Verhalten der AfD in netzpolitischen Debatten im Bundestag: Im Plenarsaal, im Ausschuss Digitale Agenda, in der Enquête-Kommission Künstliche Intelligenz und bei Veranstaltungen und Diskussionen mit außerparlamentarischen Organisationen. Dabei ist mir aufgefallen, dass die netzpolitischen AfD-Abgeordneten in ihrem Verhalten eher einem kooperationsorientierten statt einem krawallorientierten Parlamentariertyp innerhalb ihrer Fraktion zuzuordnen sind. Die inhaltliche Positionierung der AfD wiederum folgt bei verschiedenen netzpolitischen Debatten zumeist einer von drei verschiedenen Strategien: Konsensorientiert, anti-europäisch oder Opfermythos-betonend. Diese Beobachtungen werden mit einer Reihe von Beispielen illustriert. Bei den netzpolitischen Diskussionen im Bundestag finden die zentralen Auseinandersetzungen zwischen der Großen Koalition und den demokratischen Oppositionsparteien statt. Was die AfD-Fraktion dazu sagt, wird häufig kaum wahrgenommen. Dieser Talk zeigt, wie die AfD-Fraktion die Netzpolitik dennoch als vermeintlich neutrales Thema nutzt, um für ihre rechtsextreme Partei eine parlamentarische und gesellschaftliche Normalisierung herzustellen. Er belegt dies anhand zahlreicher Beispiele aus dem parlamentarischen Alltag und zeigt auf, wo diese Strategie bereits aufgeht und wo nicht. Deswegen soll es auch darum gehen, wie zivilgesellschaftliche Organisationen und Akteure damit umgehen können, wenn AfD-Abgeordnete in der netzpolitischen Szene auftauch

Recent attacks against elections in the U.S. and Europe demonstrate that nation-state attackers are becoming more aggressive, even as campaigning and voting are becoming increasingly reliant on computers. How much has changed since 2016, when the U.S. experienced unprecedented attacks on its election infrastructure? What has to happen to ensure that the 2020 presidential election is secure? In this talk, I'll give a progress report on election security in the U.S. and around the world, informed by results from my own research and my work with legislators and election officials over the past two years. I'll also hold a mock election with a current U.S. voting machine to demonstrate how cyberattacks on election infrastructure could potentially change the results of national elections. Finally, I'll explain what everyone can do to get involved and help safeguard the foundations of democracy. Strengthening election cybersecurity is essential for safeguarding democracy. For over 15 years, I and other computer scientists have been warning about the vulnerable state of election security, but attacks against recent elections in the U.S. and Europe demonstrate that sophisticated attackers are becoming more aggressive, even as campaigning and voting become increasingly reliant on computers. Since 2016, I’ve been working with election officials and members of congress to strengthen election cybersecurity. In this talk, I’ll give a progress report about what’s happened since then and what still needs to happen to secure future elections. While many U.S. states have made progress at securing some aspects of their election infrastructure, and Congress provided $380M in new funding to the strengthen elections, significant vulnerabilities remain that put the integrity of future elections at risk. To demonstrate the ongoing threat, I’ll hold a mock election on stage with a real U.S. voting machine still used in 18 states, and show how remote attacks could potentially

The Chinese Social Credit System (SCS) has been discussed a lot in Western media. However, we do not know currently how the system that is supposed to take nationwide effect by 2020 will look like, as there are more than 70 pilot projects currently undertaken. These pilots rank from commercial royalty and rewards programs (Sesame Credit) to an Orwellian system, where each action has a predetermined associated score (Rongcheng). In-between, there’s nebulous algorithmic systems that basically act as a Black Box (Honesty Shanghai). This talk, therefore, looks at some of these pilots and their implementation details, and through an agent-based modeling framework, discusses the likely effects of different implementations. In doing so, it shows that most of the systems currently being tested are prone to manipulation by leaders from all levels of government, and that the ostensible goal of allocating scarce resources more efficiently is unlikely to be served by the new system(s). The author, Antonia Hmaidi, is a PhD candidate in East Asian Economics with a focus on China. She presented a talk on the impact of internet censorship at the 33C3. This talk’s goal is to provide those interested with a technically-grounded understanding of “the” Chinese social credit system and its possible impact on Chinese society and economy. In doing so, it seeks to provide a more nuanced picture than is usually presented in either Chinese or Western media. Working on data science and machine learning in her free time allows the author to better understand the algorithms comprising “the” social credit system.

While a lot of projects are currently developing their own processors, mostly as open source in Verilog, VHDL or even Chisel, we miss the free process that actually manufactures these chips. So we're developing the "Libre Silicon" project, a portable semiconductor manufacturing process and technology, using only free and open source tools: We would like to introduce the project, who we are, what we are doing and where we are now. The manufacturing is proprietary and has vendor lock-ins with triple NDAs – one for the process development kit (PDK), the technology itself; – one for the Standard Cell Library you can use to synthesize your RTL; – and even another one for the details of all purchase commitments. Our purpose is a free and open, community based silicon manufacturing process (GitHub link) without any NDAs, a Standard Cell Library (GitHub link) not only for that process as well as a suitable, refurbished, new-written open source tool chain QtFlow (GitHub link). During the last couple of months we already developed the first free 1µm process and are now close to manufacturing a first test wafer (GitHub link). Even though 1µm does not sounds very ambitious, this process node is still quite well documented in text books, robust and 5 Volt-tolerant. Once we get a hang on this, the machinery park in the clean room allows us to shrink down to 500nm and less.

UEFI rootkits have been researched and discussed heavily in the past few years, but sparse evidence has been presented of real campaigns actively trying to compromise systems at this level. Our talk will reveal such a campaign successfully executed by the Sednit group. We will detail the full infection chain showing how Sednit was able to install their custom UEFI module on key targets' computers. Additionally, we will provide an in-depth analysis of their UEFI module and the associated trojanized LoJack agent. UEFI rootkits have been researched and discussed heavily in the past few years, but sparse evidence has been presented of real campaigns actively trying to compromise systems at this level. Our talk will reveal such a campaign successfully executed by the Sednit group. This APT group, also known as Fancy Bear, Sofacy and APT28, has been linked to numerous high profile cyberattacks such as the 2016 Democratic National Committee email leak scandal. Earlier this year, there was a public report stating that the infamous Sednit/Sofacy/APT28 APT group successfully trojanized a userland LoJack agent and used it against their targets. LoJack, an embedded anti-theft application, was scrutinized by security researchers in the past because of its unusual persistence method: a module preinstalled in many computers' UEFI/BIOS software. Over the years, several security risks have been found in this product, but no significant in-the-wild activity was ever reported until the discovery of the Sednit group leveraging some of the vulnerabilities affecting the userland agent. However, through our research, we now know that Sednit did not stop there: they also tried to, and succeeded, in installing a custom UEFI module directly into a system's SPI flash memory. In this talk, we will detail the full infection chain showing how Sednit was able to install their custom UEFI module on key targets' computers. Additionally, we will provide an in-depth analysis of their UEFI mo

Die EU-Grenzagentur Frontex nimmt eine Reihe neuer Überwachungsmethoden im Mittelmeer in Betrieb. Die Fähigkeiten zur Beobachtung des sogenannten Grenzvorbereichs gehören zum Grenzüberwachungssystem EUROSUR, das die Europäische Union vor fünf Jahren gestartet hat. EUROSUR vernetzt die Zentrale von Frontex in Warschau mit den Grenzbehörden der 28 Mitgliedstaaten. Über deren nationale Koordinierungszentren wird Frontex über alle wichtigen Vorkommnisse an den Außengrenzen der Europäischen Union unterrichtet. Kern des EUROSUR-Systems ist die Satellitenaufklärung, über die Frontex auch selbst an den Grenzen beobachten kann. Die Bilder stammen von kommerziellen Satellitendiensten sowie von optischen und radarbasierten Satelliten des EU-Erdbeobachtungsprogramms „Copernicus“. Sie werden vom Satellitenzentrum der Europäischen Union (SatCen) erhoben, aufbereitet und an Frontex übermittelt. Zu den Bildlieferanten gehört der Rüstungskonzern Airbus, der Bilder seiner Radarsatelliten „TerraSar-X“ und „TanDEM-X“ mit einer Auflösung von 24 cm verkauft. Für die schnelle Kommunikation mit den Satelliten nutzt „Copernicus“ als erster Kunde die „Weltraumdatenautobahn“ des Airbus-Konzerns. Die Nutzung der Daten für die einzelnen AnwenderInnen wurde erst kürzlich mithilfe einer App vereinfacht, die ein Mitarbeiter der Abteilung „Informationshoheit“ als eine Art Instagram für Sicherheitsanwendungen beschreibt. Nun werden auch die technischen Fähigkeiten von „Copernicus“ ausgebaut. Das System soll „Unregelmäßigkeiten im Schiffsverhalten“ erkennen und melden. Dabei werden Informationen zum Standort, der Schiffsbezeichnung und zum abweichenden Verhalten übermittelt. Als verdächtig kann etwa gelten, wenn ein Schiff keine gewöhnlichen Routen fährt oder die Geschwindigkeit verlangsamt. Frontex hat im vergangenen Jahr einen „Mehrzweck-Flugdienst“ gestartet. Von Flugzeugen über dem Mittelmeer aufgenommene Videos werden in Echt

We rely on mainstream computer engineering every day, but it's insanely complex, poorly understood, unreliable, and, as CCC reminds us every year, chronically insecure. This talk will explain some ways that we can do better: taming parts of this this chaos with precise understanding - illustrated with disturbing facts and clean models for current architectures and the C language, from the REMS project, and principled but pragmatic new alternatives, that build in more hardware and software security protection,as developed in the CHERI project. Computing has been massively successful, and we routinely trust computer systems with our personal, financial, medical, commercial, and governmental information. But at the same time, these systems are pervasively prone to security flaws and subject to malicious attacks. We have to trust them, but they are not *trustworthy*. There are two root causes. First, the pan-industry computing infrastructure, of processors, programming languages, and operating systems, is based on designs from a more forgiving time, with simpler systems and little incentive to design-in strong security protection. Second, the conventional engineering techniques we use (prose specifications, manually written tests, and test-and-debug development) are good enough to make systems work in common cases, but cannot exclude all errors - and a single coding error can lead to a devastating exploit. Are we doomed? Perhaps not. This talk will highlight the sorry state of the art and then draw on cutting-edge research, from the University of Cambridge, SRI International, ARM, and other partners, to show some ways we can do better. First, we'll show how it's become possible to build and use rigorous models for key existing interfaces to improve engineering: for the ARMv8-A and RISC-V architectures, and the C language, in the REMS project. Then we'll describe a principled but pragmatic path to build in more hardware and software security protection to future

Six years ago the idea behind CensoredPlanet started, that is now launched at censoredplanet.org. We had a simple (yet essential) guiding principle: measurements that may be politically sensitive should be done without volunteer participation. In this talk, besides a detailed scientific overview of the techniques and the current state of CensoredPlanet, I plan to talk about my experience in developing the project from the ground up. Despite the pervasive nature of Internet censorship and the continuous evolution of how and where censorship is applied, measurements of censorship remain comparatively sparse. Current censorship projects, including OONI, depend on participants within countries to help them collect measurements. While these projects are valuable, we have empirically seen that there are issues relating to continuity in terms of measurement, coverage of the geographical area, and ethical dilemmas when user participation is a requirement. Censored Planet use tens of thousands of *remote infrastructural and organizational vantage points* from over 170 countries to conduct it’s measurements, thereby removing the need for user participation. This allows us to regularly measure Internet disruptions over a longer period of time in significantly more countries in a safer way. The research we conduct at Censored Planet provides unique insights and data points on Internet disruptions. This information is extremely valuable to researchers in diverse fields from political science to computer science as well as to activists and journalists living and operating in countries where Internet disruptions are prevalent. By making our data easily accessible to the public, we aim to encourage future research in the field. Link to our data: https://censoredplanet.org/data/raw.

Der Datenschutz ist als erst relativ frisch erkämpftes Abwehrrecht von Bürgern gegen Firmen und Staat ein wichtiges, aber häufig missverstandenes Rechtsgebiet. Zuletzt ist es durch die Grundverordnung auf europäischer Ebene in den Blick der Netzöffentlichkeit geraten. Dieser Vortrag soll einen niedrigschwelligen Einstieg in den Datenschutz geben und aus Perspektive einer Datenschützerin mit zehnjähriger Erfahrung im Gebiet die aufregenden Aspekte und Herausforderungen aufzeigen, dem Bürgerrecht Leben einzuhauchen.

Als Organisation für Menschenrechtsbeobachtungen geben wir Euch einen Überblick der aktuellen Entwicklungen an der EU-Außengrenze auf dem Mittelmeer. Mare Liberum betreibt ein Schiff auf dem Mittelmeer, um Menschenrechtsverletzungen zu dokumentieren. Dabei arbeiten wir zur Zeit in der Ägäis, der Seegrenze zwischen der Türkei und Griechenland. Hier flüchten noch immer tausende Menschen auf der Suche nach Schutz und Würde. Seit den Vorträgen von Sea-Watch und der Iuventa-Crew ist viel Zeit vergangen. Die zivilen Seenotrettungsorganisationen fahren nicht mehr raus – sind alle gerettet? Wie hat sich die Situation für die Flüchtenden und Helfer verändert? Wie werden Euch einen Überblick der aktuellen Entwicklungen an der EU-Außengrenze auf dem Mittelmeer geben. Warum schaffen es die europäischen Staaten nach fünf Jahren Katastrophe im Mittelmeer nicht, das Sterben zu beenden? Was ist eigentlich deren Agenda? Warum wollen alle ständig eine neue Flagge? Wie gut funktionert eigentlich der EU-Türkei-Deal? Welche staatlichen Akteure gibt es auf dem Wasser und was machen sie? Warum ist die Rolle der Menschenrechtsbeobachter, selbst in Europa, so wichtig?

Meet SiliVaccine – North Korea's national Anti-Virus solution. SiliVaccine is deployed widely and exclusively in the DPRK, and has been continuously in development by dedicated government teams for over fifteen years. When we heard of this strange software, we were immediately driven to investigate it: it's not every day that you can catch a glimpse of the malware landscape inside the closed garden of the DPRK's intranet. In this talk, we will describe how we were able to obtain a rare copy of SiliVaccine; how we reverse-engineered it, despite the hair-tearing obstacles; and what surprising discoveries we made about its program architecture – all the way down to the file scanning engine, the system level drivers, the user mode utilities, and the most bizarre and puzzling implementation details. As it turns out, there is plenty going on behind the scenes of this product, away from the public eye. How was SiliVaccine created? Who created it? What was the game plan? We will try to shed light on these questions, and on the sheer effort that must have gone into developing this product. If there is anything we learned from this research, it's that DPRK state-sponsored software is a secretive industry underlied by incredibly shady practices, and that if Kim Jong-Un sends you a free trial of his latest security solution, the correct answer is "thank you but no thank you". Disclaimer: No significant knowledge in reverse engineering is required to understand the talk. We break down our thought process and methodology to its very basics, so that this talk can relate to both technical and non-technical audiences. Another Disclaimer: We guarantee an entertaining talk. :)

Sigfox is an emerging low-power wide-area network (LP-WAN) technology for IoT devices, comparable to LoRa. This talk recounts my analysis of Sigfox's radio protocol and presents an open reference implementation of an alternative Sigfox protocol stack. It confirms that while Sigfox ensures authenticity and integrity, transmitted payloads are not confidential. This presentation is targeted at a technical audience with some basic knowledge of cryptography (security goals, AES), but no knowledge in RF technology (modulation, scrambling, error correction) is required. Sigfox can be compared to a cellular network, but for mostly battery-powered IoT devices that don't need to transmit much data. While some sparse details on Sigfox's architecture and its security have been published and some basic reverse engineering has been carried out, most of the protocol specifications remain proprietary and closed, so by now, no independent security audit was performed. Advertised use cases of Sigfox include air quality monitoring, weather stations, utilities metering and tracking farm animals. In this talk, I illustrate why these applications are fine, but why one might not want to track a money transporter with Sigfox or base a home alarm system on it. The Sigfox network is very atypical, with uplink and downlink based on different physical layers. After a short introduction, I begin the presentation by taking a deep dive into Sigfox's radio protocol with a focus on its Security. Basics of radio technology (SDRs, ultra-narrow band (UNB) modulation, SRD bands) and techniques for analyzing protocols are briefly summarized and the uplink's and downlink's frame structures are presented. Subsequently, I show how a radio sniffer that has captured Sigfox messages can extract the uplink's and downlink's contents. While the uplink's payload is already contained in plaintext, the downlink is scrambled, but I indicate how the downlink's pseudorandom whitening sequence used

This Foundations talk explains the systems and protocols that make up the Internet, starting from a laptop with a Wi-Fi connection. No particular technical knowledge required. Many consider "the Internet" a utility similar to electricity - and that's a great attitude! - but for most, "the Internet" only means access to a few centralized services offered by mega-corporations "for free", around which people build their entire social and professional lives. Come along for a look behind the scenes of all those fancy websites, let's go through what the Internet actually is! Knowing the difference between the network and services reachable through the network is perhaps more important than ever, because if we implicitly give service providers all the power by never asking for a public, utility-like network then that's the end of the Internet as we know it. Key word: Net neutrality. So in this talk we will discover the network. In simple terms and without too much technical detail we'll start out with the "atom" of networks the packet, then cover the fundamental Internet Protocol (IPv4-only for simplicity), we'll try to answer what is a network? - not obvious it turns out, we'll look at where do IP addresses come from? and then we'll move on to the Internet cornerstone that is routing. We'll approach routing from the perhaps most well-known router - the wireless home router - and then look at how similar or dissimilar routers on the Internet are to that home router, leading us to a look at the routing protocol which constantly determines how our packets flow throughout the world. Those are the basic building blocks of the Internet. Now for some delicious alphabet soup! We'll take a step toward applications and compare UDP, TCP and SCTP, which are all used together with IP for most if not all end-user Internet communication. Finally, we'll arrive at the most common applications, looking into how DNS (domain names), SMTP (sending email) and HTTP (web) wo

After launching a spacecraft into orbit the actual work for mission control starts. Besides taking care of the position and speed of the spacecraft this includes e.g. detailed modeling of the power usage, planning of ground station contacts, payload operations and dealing with unexpected anomalies. In this talk we will see many examples of problems particular to space crafts and how they influence the way space craft mission operations works. Suppose you built your own satellite and somehow managed to launch it into space, what are you going to do next? Can you just ssh into your onboard computer and try out a couple of things to take a picture of earth and download the file? Did you just lose contact with your satellite due to an empty battery, because it heated up too much or because it rotated in the wrong direction? What are other issues you might forget to account for? After understanding why in spacecraft operations nothing works the way one expects we will have some answers to these questions. Also we will see how these problems are nowadays tackled by mission control centers all over the world, what happens in emergencies, what FDS, GDS, LEOP and TTC stand for and why spacecraft operators worry so much about weird particularities of time systems. Everything will be illustrated by real-life examples. The only prerequisite for this talk is that you know that earth is not flat!

Von unerwünschten Nachrichten über Bedrohungen bis hin zum Intimizid. Allein im Jahr 2017 wurden rund 18.483 Fälle von Stalking polizeilich erfasst, die Dunkelziffer wird auf 600.000-800.000 Betroffene geschätzt. Unter dem Begriff Stalking wird allgemein das „wiederholte, widerrechtliche Verfolgen und Belästigen eines Menschen, so dass dessen Sicherheit bedroht und er/sie in seiner/ihrer Lebensgestaltung schwerwiegend beeinträchtig wird“ verstanden. Die Ausführungsformen und Intensität des Stalkings oder Cyberstalkings sind sehr heterogen, sodass sich oft die Frage nach der Grenze zur Strafbarkeit stellt. Neben einer kurzen Einführung in den Phänomenbereich werden die Ursachen und Typologien des Stalkings skizziert, sowie Internventionsmöglichkeiten präsentiert: Welche psychotherapeutischen Unterstützungsmaßnahmen gibt es für Betroffene und Ausführende? Welche juristischen Möglichkeiten gibt es? Da rund jeder zwölfte Mensch in Deutschland in seinem Leben von Stalking betroffen ist und der/die Ausführende zumeist aus dem Nahbereich der/des Betroffenen stammt, kann sich auch im eigenen Freundeskreis die Frage stellen: Wie kann ich einer/m Stalking-Betroffen/m unterstützen und helfen? Oder wie spreche ich eine/n vermutlichen Stalking-Ausführende/n auf sein/ihr Verhalten an?

In this talk @zelf invites to the world of Scuttlebutt, the decentralized P2P gossiping protocol, and how it can be transformative for society through decentralization of data and enabling local community development. Scuttlebutt is a fast growing decentralized social network. As an alternative to the large corporate social networks it enables autonomy for the users and a free zone from big data harvesting. It’s based on a protocol (referred to as SSB) which connects the users via a blockchain styled base with each user functioning as a node. Since the information is collected via a 2 or 3 step social connection it’s completely usable while offline and syncs when connected to a local network, a friend or wifi. Scuttlebutt has a large community of users who together develop the protocol and platforms. Completely open-source there are many initiatives of projects, maintenance and explorations as part of the Scuttlebutt ecosystem. Some of these projects range from local community on-boarding by @luandro in Quilombola - Brazil, git-ssb by @cel, and even a chess interface! As the Scuttlebutt interface is interchangeable, with the one most widely used being Patchwork, there is a possibility to utilize the same network with multiple applications. Perfect for local communities in rural areas or for environments which require offline workability or simply for user with integrity, the potentials are grand. As of today the estimate is that the user base is beyond 8000 individuals, yet there's no way to surely know. We will explore the Scuttleverse and beyond. What is Scuttlebutt now, and and importantly, what can it enable society to become?

This talk will teach you the fundamentals of machine learning and give you a sneak peek into the internals of the mystical black box. You'll see how crazy powerful neural networks can be and understand why they sometimes fail horribly. Computers that are able to learn on their own. It might have sounded like science-fiction just a decade ago, but we're getting closer and closer with recent advancements in Deep Learning. Or are we? In this talk, I'll explain the fundamentals of machine-learning in an understandable and entertaining way. I'll also introduce the basic concepts of deep learning. With the current hype of deep learning and giant tech companies spending billions on research, understanding how those methods works, knowing the challenges and limitations is key to seeing the facts behind the often exaggerated headlines. One of the most common applications of deep learning is the interpretation of images, a field that has been transformed significantly in recent years. Applying neural networks to image data helps visualising and understanding many of the faults as well as advantages of machine learning in general. As a research scientist in the field of automated analysis of bio-medical image data, I can give you some insights into these as well as some real-world applications.

Digitale Formen von Gewalt gegen Frauen sind keine eigenständigen Phänomene, sondern in der Regel Weiterführungen oder Ergänzungen von anderen Gewaltformen. Stalking, Kontrolle, Bedrohung, Erpressung, Beleidigung, Überwachung sind altbekannte Aspekte häuslicher Gewalt. Für alle diese Phänomene gibt es digitale Entsprechungen, allerdings ist wenig darüber bekannt, wie oft sie ausgeübt werden, wann und von wem. Das macht es für die Betroffenen schwer, sich zu wehren, auch weil Politik und Justiz hier genauso verständnislos reagieren wie bei anderen digitalen Entwicklungen. Warum ist Kinderpornographie ein Kernthema der deutschen und europäischen Innenpolitik, aber kaum jemand redet über Revenge-Porn? In diesem Talk geht es um die verschiedenen Formen digitaler Gewalt und darum, wie oft sie vorkommen und wer davon betroffen ist. Es gibt kaum aussagekräftige Zahlen und wenig Hilfe für Betroffene. Warum wissen wir sowenig und was gibt es für Möglichkeiten, sich gegen die verschiedenen Formen digitaler Gewalt zu wehren?

How to apply Shannon's information theory to biology. Cells, from bacteria to human cells, constantly take up, store, retrieve, communicate and make decisions based on information. How they realise all this computation using very unreliable components is still largely an open question. Instead of transistors they have to employ proteins, but proteins constantly degenerate and are re-built making their numbers fluctuate. If cellular signalling is impaired severe diseases can be the result, for instance cancer or epilepsy. As cellular communication is so pervasive and essential, researchers start to look into this information flow in biological systems in more detail. My research group at the BioQuant centre, Heidelberg University, is also active in this area, an area which I would call Information Biology — the study of how biological systems deal with information. I will show you how you can apply Shannon's information theory to biological systems. For this we need three ingredients, namely dynamic models of biological pathways, stochastic simulation algorithms (that take into account intrinsic fluctuations in molecular numbers), and, of course, Shannon's theory of information. I will give brief and user-friendly introductions to these three ingredients. After that I am going to talk about a number of use cases, such as: How much memory does a bacterium have? And how long can it remember things? How many bits per second can a liver cell process via its calcium signalling pathway? How must signalling pathways be constructed, structurally and dynamically, for certain stimuli to be decoded? and others… I will also give links to (open source) software that is being developed in my group, which you can use to simulate and play around with biochemical pathways, and also to estimate information flows and do information biology. FYI: The research I am talking about here is part of a research area which is called Computational Systems Bi

In this presentation we will take a look at how to break the most popular cryptocurrency hardware wallets. We will uncover architectural, physical, hardware, software and firmware vulnerabilities we found including issues that could allow a malicious attacker to gain access to the funds of the wallet. The attacks that we perform against the hardware wallets range from breaking the proprietary bootloader protection, to breaking the web interfaces used to interact with wallets, up to physical attacks including glitching to bypass the security implemented in the IC of the wallet. Our broad look into several wallets demonstrates systemic and recurring issues. We provide some insight into what needs to change to build more resilient hardware wallets. Hardware wallets are becoming increasingly popular and are used to store a significant percentage of the world’s cryptocurrency. Many traders, hedge funds, ICOs and blockchain projects store the entirety of their cryptocurrency on one or very few wallets. This means that users of hardware wallets store tens of millions of euros of cryptocurrency on small USB peripherals that costs only a few euros to manufacture. Moreover, many users that trade and speculate in cryptocurrency interact, update, and generate transactions using their hardware wallets on a daily basis. In this talk we look at the good, the bad and the ugly of hardware wallet security: We will walk through the different architectures of the wallets, look at the different attack vectors and talk about the challenges of building secure hardware before diving in deep finding vulnerabilities in the different wallets. The vulnerabilities we will present range from vulnerabilities that can be fixed in a firmware upgrade, to bugs that will require a new hardware revision, up to attacks on the microcontrollers themselves, requiring new silicon to be fixed. Some of the (most entertaining) vulnerabilities will be demonstrated live on stage. Classes of Vuln

Encoding or decoding random radio-waveforms doesn't need incredible expensive hardware anymore which offers new possibilities for building up over-the-air communication systems. There are Software Defined Radios providing affordable cellular radio to remote villages, Community Radios are using SDR to build up digital radio networks and other cool stuff. Some basic knowledge what is going on in SDR Hard/Software as the influence of the samplerate, I/Q-data of the math behind the waterfall-diagram is helpful to have fun with SDR. Some theory on modulation techniques helps you to decode or encode your waveforms. With a cheap DVB-T USB receiver used with some SDR-Software you can already have a look whats going on in the airwaves around you at certain frequencies. But what happens between the antenna and your computer display showing or decoding the signal? The talk should give basic information and background about SDR and some modulation theory. There will probably be a SDR Challenge at the Congress to practice you new skills.

Die Hackerethik ist die Grundlage für den Umgang mit den diversen ethischen Problemen, die sich beim schöpferisch-kritischen Umgang mit Technologie (auch "hacking" genannt) stellen. Die Hackerethik ist die Grundlage für den Umgang mit den diversen ethischen Problemen, die sich beim schöpferisch-kritischen Umgang mit Technologie (auch "hacking" genannt) stellen. Sie bietet Anhaltspunkte für die alltäglichen Fragestellungen und Probleme, die aufkommen, wenn man Technologie anders benutzt, als der Hersteller es sich gedacht hat, wenn man Lücken in Systemen findet und ausnutzt oder über Berge von persönlichen Daten stolpert. Dieser Talk gibt eine Einführung in die verschiedenen Aspekte der Hackerethik und regt zum Nachdenken über die ethischen Fragen an, die sich Menschen mit speziellen Fähigkeiten und Fertigkeiten stellen, wenn sie ihren Neigungen nachgehen.

Voicemail systems can be compromised by leveraging old weaknesses and top of current technology. The impact goes way beyond having your messages exposed. Voicemail systems have been with us since the 80s. They played a big role in the earlier hacking scene and re-reading those zines, articles and tutorials paints an interesting picture. Not much has changed. Not in the technology nor in some of the attack vectors. Can we leverage the last 30 years innovations to compromise voicemail systems? And what is the real impact today of pwning these? In this talk I will cover voicemail systems, it's security and how we can use oldskool techniques and new ones on top of current technology to compromise them. I will discuss the impact of gaining unauthorized access to voicemail systems and introduce a new tool that automates the process

Let's think "Beyond Slavery": Afroroutes is a one-of-a-kind VR experience conceived as a journey through 3 displaced African heritages, immersing users in Rituals and Ceremonies to experience that well-conserved memory form, but also to feel the power of Music as a strong anthropological tool. Connecting Afro-diasporic narratives: alterity and heritage transcendence within the digital era, Afroroutes is a trigger to open a crucial debate about diasporic identity. Afroroutes is a VR experience taking you to some burning key destinations where African culture has been displaced through slavery and then, rooted again. From Salvador to Bahia to Gujarat through Tangier, there is a common history. Based on this VR Experience, the debate should be extended around "Beyond Slavery".
 What happened with the millions of displaced African men and women? Where are their descendants living today? Did their original culture and language disappear? How did their heritage contribute to building their new countries? How did the assimilation or rejection process go? How has this memory subsisted, and how is it lived and celebrated today? But also, how to assimilate that chapter of history and transform it into a real global narrative - is there what we call a "diasporic identity"? And if it is the case, how to build this identity within a global, disrupted world? How can digital tools push this storytelling process? 
 The medium "Virtual Reality" takes all its sense in this project, allowing an immersive and almost physical experience of those paths of slavery. This experience is triggered by music and sounds. Music is much more than a simple way of being together: it is the oral legacy of our intertwined culture. Music is such a powerful tool to explain and tackle the cultural dynamics of displaced heritage, but also as a most trustful narrative connector.

Sieben Jahre lang musste den Behörden jedes Stück der versprochenen Aufklärung des NSU-Komplexes abgerungen werden. Das Urteil im ersten NSU-Prozess zeigt: Deutschland ist nur sehr eingeschränkt bereit, rechtem Terror entgegenzutreten und ihn aufzuarbeiten, den Betroffenen, Geschädigten und Überlebenden zuzuhören und ihnen Schutz zu garantieren. Das zu leisten ist unsere Aufgabe: die Aufgabe der Gesellschaft, die Aufgabe einer antifaschistischen und antirassistischen Linken. Am 4. November 2011 enttarnte sich der „Nationalsozialistische Untergrund“ (NSU) selbst. Fast sieben Jahre später, am 10. Juli 2018, wurde das Urteil im ersten NSU-Prozess gesprochen. Heute, fünf Monate nach der von Neonazis bejubelten mündlichen Urteilsverkündung, müssen wir mit einem Urteil umgehen, in dem sich viele gebrochene Aufklärungsversprechen zuspitzen. Das Gericht geht von der These aus, der NSU sei ein weitgehend isoliertes „Trio“ ohne Netzwerk und ohne Verstrickung der Behörden gewesen. Nach allem, was in den letzten Jahren – teilweise mühsam – über den NSU-Komplex ans Licht gezerrt werden konnte, ist die „Trio“-These aber nicht haltbar. Zum NSU-Komplex gehören ein Neonazinetzwerk, der gesamtgesellschaftliche Rassismus und das Handeln der Polizei sowie des Verfassungsschutzes. Gleichzeitig stellen sich die Angehörigen der vom NSU Ermordeten und die Überlebenden der Anschläge immer noch die gleichen Fragen wie 2011: Wer hat die Tatorte ausgewählt? Warum wurde gerade ihr Vater, Ehemann, Sohn, ihre Tochter ermordet? Wer ist Teil des Unterstützungsnetzwerks des NSU? Was wusste der Verfassungsschutz und was machte er warum mit seinem Wissen (nicht)? Klar ist: Die gesellschaftlichen Verhältnisse, die den NSU hervorgebracht haben, müssen abgeschafft werden. Das Urteil im ersten NSU-Prozess hat noch einmal unterstrichen: Deutschland ist nur in sehr eingeschränktem Maße bereit, rechtem Terror entgegenzutreten und ihn aufzuarbeiten, den Betroff

Technology is the solution: What is the problem? This seems to be the motto. Algorithms may be about to control our free speech while tracking technologies could control our bodies and communications. Will we react or stay quiet? Technology is the solution: What is the problem? This seems to be the motto. Whether it is about preventing the dissemination of terrorist content or to prevent copyright infringements the solution from the legislator is upload filters. While content is controlled by algorithms, devices need to be under scrutiny. That is why confidentiality of communications needs to be secured now too. We have little time to stop these threats from becoming a reality, but we have most citizens on our side and the EU elections near. We still can and have to win this battle. Otherwise, once filters are put for copyright or terrorist content, they will be used for anything else. And if software and hardware does not defend our privacy by design and by default, 24/7 surveillance will be the new "normal".

Die Venenerkennung ist eine der letzten Bastionen biometrischer Systeme, die sich bisher der Eroberung durch Hacker widersetzt hat. Dabei ist sie ein lohnendes Ziel, schützt sie doch Bankautomaten und Hochsicherheitsbereiche. In diesem Talk machen wir die Verteidigungsanlagen dem Erdboden gleich. Seit Jahrzehnten vor allem im asiatischen Raum eingesetzt sind bisher keine ernsthaften Versuche bekannt Venenerkennungssysteme zu üeberwinden. Neben dem Mythos der Hochsicherheit sind vor allem die, unsichtbar im Körper gelegenen Merkmale dafür verantwortlich. In diesem Talk werden wir zeigen, mit welch geringem Aufwand man an die "versteckten" Venenbilder gelangen kann und wie, auf Grundlage dieser, Attrappen gebaut werden können, welche die Systeme der beider grosser Hersteller überwinden.

TCP/IP is the most widely used protocol on the Internet for transmitting data. But how does it work in detail? This talk will explain the TCP protocol, from handshake over established to teardown in detail - and elaborate a bit on protocol adjustments over time and congestion control. I will briefly explain how computers talk to each other via the Internet Protocol (IP), and explain the transport protocols UDP and TCP, and their interaction with ICMP (for error and control messages). UDP is the user datagram protocol, an unreliable packet-oriented protocol. TCP provides a reliable stream of data, and includes connection establishment, feature negotiation, window management, and teardown. Over the last years at University of Cambridge I contributed to a formal model of TCP/IP and the Unix sockets API, developed in HOL4. We validated our HOL4 model with the FreeBSD-12 stack using Dtrace (packets, system calls, internal TCP state). In this research, we formalised a more exact TCP state machine than in initial RFCs or common literature (Stevens).

This lecture tells the story of Internet infrastructure transformations in Crimea, the peninsula disputed between Russia and Ukraine between 2014 and 2018. It is based on an extensive year-long study involving network measurements and interviews with key players. Crimea has become a "laboratory" where we can observe, in just 4 years, a rapid and profound transition of infrastructure, that deeply impacted the Internet Service Provider market, routing trajectories, Internet censorship practices in the region. Annexation has transformed the way Crimea is plugged to the "outer world" - in terms of peering and transit relations between various autonomous systems, creating a much more centralized infrastructure and monopolized market. This, in its turn, had an important impact for Crimean end-users - in terms of quality, speed, price of Internet service, as well as in terms of Internet censorship and various traffic anomalies that they experience. Moreover, server-side geoblocking by online payment platforms, Google Play, Apple and other important services, is imposed on Crimean users, because of international sanctions that have a controversial impact, including a risk of overblocking, further isolation of Crimean civil society and reinforcing a more general trend towards "balkanization" of the Internet(s). [1] This talk is based on a one-year long research conducted at Citizen Lab [2], using a mixed methods approach. On the one hand, we conducted network measurements with OONI probe [3], testing a set of URLs from Crimean vantage points, and comparing results with mainland Russia and Ukraine. We have done an analysis of BGP routing history, and AS neighbouring history, using data from RIPE and CAIDA in collaboration with researchers behind the "Internet Health Report" initiative [4] using the recently deployed methodology of "AS Hegemony Index" [5]. On the other hand, we conducted an extensive qualitative study, including interviews with Crimean ISPs, Ukrainian and R

Der Vortrag behandelt die Klage des Internetknotens DE-CIX gegen die strategische Fernmeldeüberwachung des BND vor dem Bundesverwaltungsgericht in Leipzig, was wir aus dem Urteil über den Rechtsschutz der Bürger lernen können und wieso der Fall nun das Bundesverfassungsgericht in Karlsruhe beschäftigt.

We all know what FAX is, and for some strange reason most of us need to use it from time to time. Hard to believe its 2018, right? But can FAX be something more than a bureaucratic burden? Can it actually be a catastrophic security hole that may be used to compromise your entire network? Come watch our talk and find out … Unless you've been living under a rock for the past 30 years or so, you probably know what a fax machine is. For decades, fax machines were used worldwide as the main way of electronic document delivery. But this happened in the 1980s. Humanity has since developed far more advanced ways to send digital content, and fax machines are all in the past, right? After all, they should now be nothing more than a glorified museum item. Who on earth is still using fax machines? The answer, to our great horror, is EVERYONE. State authorities, banks, service providers and many others are still using fax machines, despite their debatable quality and almost non-existent security. In fact, using fax machines is often mandatory and considered a solid and trustworthy method of delivering information. What the Fax?! We embarked on a journey with the singular goal of disrupting this insane state of affairs. We went to work, determined to show that the common fax machine could be compromised via mere access to its fully exposed and unprotected telephone line – thus completely bypassing all perimeter security protections and shattering to pieces all modern-day security concepts. Join us as we take you through the strange world of embedded operating systems, 30-year-old protocols, museum grade compression algorithms, weird extensions and undebuggable environments. See for yourself first-hand as we give a live demonstration of the first ever full fax exploitation, leading to complete control over the entire device as well as the network, using nothing but a standard telephone line. This talk is intended to be the canary in the coal mine. The tech

Seit Juli 2016 darf ich – nominiert unter anderem vom CCC – den Bereich "Internet" im Fernsehrat des ZDF vertreten. Nach gut zwei Jahren ist es Zeit für eine Zwischenbilanz: Was macht ein Fernsehrat, was machen öffentlich-rechtliche Angebote im Netz, und was sollten sie eigentlich tun? Der Fernsehrat vertritt die Interessen der Allgemeinheit gegenüber dem ZDF. Deshalb ist er kein Expertengremium, sondern so vielfältig wie die Gesellschaft selbst. Seine Mitglieder werden von unterschiedlichen gesellschaftlichen Gruppen entsandt. Der Fernsehrat tagt öffentlich. Sowohl die Tagesordnung als auch die Zusammenfassungen der wesentlichen Ergebnisse der Sitzungen werden im Internet veröffentlicht. So beschreibt sich der ZDF-Fernsehrat auf seiner Webseite selbst. Nach einem Urteil des Bundesverfassungsgerichts im Jahr 2014 mussten die Länder den ZDF-Staatsvertrag neu formulieren, der Fernsehrat ist deshalb seit Juli 2016 neu zusammengesetzt. Nur noch maximal 20 von 60 Mitgliedern dürfen aktive Politiker sein, der Rest soll verschiedene gesellschaftliche Gruppen repräsentieren. Neu hinzu kamen im Zuge der Neuordnung Vertreter, die von den Ländern – in der Regel auf Vorschlag von Vereinen oder Verbänden – für Bereiche wie Minderheiten, Menschen mit Behinderung, Digitales oder LGBTQI nominiert werden. Während Bayern das Nominierungsrecht für den Bereich "Digitales" an den Branchenverband der Telekommunikationsindustrie BITKOM delegiert hat, wurde ich vom Land Berlin auf gemeinsamen Vorschlag der vier Vereine Chaos Computer Club (CCC), D64 – Zentrum für Digitalen Fortschritt e. V., eco – Verband der Internetwirtschaft und media.net berlinbrandenburg e. V. für den Bereich "Internet" nominiert. Nach etwas mehr als der Hälfte meiner vierjährigen Periode möchte ich im Rahmen des 35C3 von meinen Aktivitäten als und im Fernsehrat berichten – zumindest soweit das übertriebene Verschwiegenheitsklauseln zulassen – und skizzieren, welche (neue

This talk is about new challenges in exploiting kernel memory corruptions on brand new Microsoft Windows RedStone 5. Each new version of Windows OS Microsoft enhances security by adding security mitigation mechanisms - Kernel land vulnerabilities are getting more and more valuable these days. For example, the easy way to escape from a sandbox is by using a kernel vulnerability. That's why Microsoft struggles to enhance security of Windows kernel. Kernel pool allocator plays a significant role in security of whole kernel. Since Windows 7, Microsoft started to enhance the security of the Windows kernel pool allocator. In Windows 8, Microsoft has eliminated almost all reliable (previously published) techniques of exploiting kernel pool corruptions. Then Microsoft eliminated "0xBAD0B0B0" technique in Windows 8.1, and there was no easy technique to exploit Pool Overflows on Windows 8.1 Then DKOM/DKOHM technique was present that gave really nice primitives(arbitrary read/write/execute) for kernel exploitation. Following up Microsoft obfuscated TypeIndex in an object header leaving DKOM/DKOHM technique useless. But Microsoft left unprotected optional headers that gave born to DKOOHM technique. Sadly enough, Microsoft introduced brand new Kernel Memory Allocator on Windows 10 RS5 leaving current pool memory manipulation techniques useless. This talk presents new techniques of exploiting kernel memory corruptions on Windows 10 RS5.

Performance lecture by Cornelia Sollfrank that makes a (techno-)feminist comment on the entanglements of gender, technology and information politics exemplified by the case of Julian Assange and Wikileaks. The artist takes us in her text assemblage on an adventurous trip into the realm of zeros and ones, of data and pure information, of ciphers, signifiers and figures. On the other side of reality we encounter suspected heroes, leaks and phreaks, engineers of escape who control our secret desires. Rape can be performed in many ways. In a state of total transparency: what shall we eat, when society feeds upon the repressed? Knowing yourself means knowing what to look for. The performance is a technofeminist comment on the wikileaks case, in particular the fact that Julian Assange has spent more than five years in confinement following a rape accusation. Instead of making a moral judgement, however, the performance uses and combines sources from information science, psychoanalysis, cultural studies, feminist studies and activism to embed the case is a wide cultural landscape in which gendered structures becomes more than obvious. The performance is divided into 9 chapters with headers such as Information, Organisation, Zeroes&Ones, Binary Worlds, Pure Difference, Cyberfeminism, Gender&Technology, Naked Information and Transparency, and creates a captivating atmosphere by the use of sound and visuals.

CRISPR/Cas hat die Genforschung revolutioniert und könnte bald in großem Stil gentechnisch eingesetzt werden. Aber was ist CRISPR und wie funktioniert es? Kurz gesagt: Teile des adaptiven Immunsystems von Bakterien werden genutzt, um Gene zu verändern. Und das funktioniert präziser als mit jedem anderen Werkzeug zuvor und offenbar in allen Tier- und Pflanzenarten. Damit ist CRISPR anders als die herkömmlichen Methoden der Gentechnik. Es ist einfach anzuwenden, preiswert, schnell, extrem vielseitig und damit in jedem Biologielabor erhältlich. Bio-Hacker haben sogar begonnen, CRISPR zu Hause zu nutzen. CRISPR wird bereits eingesetzt, um mehr über Genfunktionen und -dysfunktionen zu erfahren. So könnte es realistischerweise zur Behandlung einiger Krankheiten eingesetzt werden. Aber welche Hürden gibt es noch und welche ethischen Fragen würden sie mit sich bringen? Wie kann (oder sollte?) CRISPR in der Landwirtschaft eingesetzt werden, wenn der Klimawandel die Erträge verringert und die Biodiversität gefährdet? Unser Vortrag gibt einen Überblick darüber, was mit dem CRISPR/Cas-System möglich ist. Wir möchten genügend Informationen liefern, um zwischen Pseudowissenschaften und dem, was tatsächlich möglich ist, unterscheiden zu können. André ist Physiker, Biochemiker und Wissenschaftskommunikator. Katrin studierte Biochemie, verpodcastete Wissenschaftsnachrichten und berät wissenschaftliche Softwareprojekte. Anna ist Biologin und hat während ihrer Doktorarbeit teilweise mit CRISPR gearbeitet. Obwohl wir aus verschiedenen Bereichen der Wissenschaft kommen, haben wir eine gemeinsame Leidenschaft: Themen aus der Wissenschaft verständlich darzustellen. Eine der vielversprechendsten neuen Technologien ist CRISPR/Cas. Dabei handelt es sich um eine Gentechnikmethode, die ein großes Potenzial für Mensch und Umwelt hat. Aber wie jedes Werkzeug kann CRISPR sowohl für Gutes als auch für Böses eingesetzt werden - und es ist nicht immer einfach

Plötzlich geht alles ganz schnell: Online-Behandlungen und elektronische Gesundheitsakten sind dieses Jahr für Millionen Krankenversicherte Wirklichkeit geworden. Zu einem hohen Preis: Bereits einfache Angriffe lassen das Sicherheitskonzept der Apps und Plattformen zusammenbrechen. Warum das so ist, welche kritischen Fehler Vivy & Co. gemacht haben und wie das möglicherweise verhindert werden kann, das soll dieser Vortrag zeigen - denn in spätestens drei Jahren sollen auch die Gesundheitsdaten aller übrigen Versicherten zentral gespeichert und online abrufbar sein. Die elektronische Gesundheitskarte ist gescheitert. Stattdessen kommt jetzt die elektronische Patientenakte: In spätestens drei Jahren sollen die Befunde, Diagnosen, Röntgenbilder und Rezepte aller gesetzlich Krankenversicherten online und zentral gespeichert verfügbar sein. Schon heute können Millionen Versicherte eine solche Lösung nutzen und, wie Gesundheitsminister Jens Spahn fordert, "auch auf Tablets und Smartphones auf ihre elektronische Patientenakte zugreifen". Zeitgleich zur elektronischen Patientenakte steht die Onlinebehandlung vor der Tür: Das Fernbehandlungsverbot wurde vor wenigen Monaten gekippt, und schon heute können sich Millionen Versicherte ausschließlich online behandeln lassen. Nach Jahren des Wartens geht dabei alles ganz schnell. "Diese Maßnahmen dulden keinen Aufschub", sagt Spahn. Und macht uns alle damit zu Beta-Testern in Sachen Gesundheit. Mit fatalen Folgen: Unsere streng vertraulichen Gesundheitsdaten liegen für alle sichtbar im Netz. In diesem Vortrag zeige ich an fünf konkreten Beispielen, welche fahrlässigen Entscheidungen die Online-Plattformen und Apps der Anbieter aus dem Bereich Gesundheitsakte und Telemedizin so angreifbar machen und demonstriere, wie einfach der massenhafte Zugriff auf unsere vertraulichen Gesundheitsdaten gelang. Zur Debatte steht, was angesichts dieser neuen alten Erkenntnisse zu tun ist - und was wir besser bleiben lass

An (almost) self-contained introduction to the basic ideas of quantum mechanics. The theory and important experimental results will be discussed. Quantum mechanics is one of the two paradigm-changing physical theories of the early twentieth century (the other being special and general relativity). Suddenly, one of the most fundamental physical theories was no longer deterministic: Measurement is a probabilistic process in quantum mechanics. This caused a controversy on how to interpret this and whether quantum mechanics is a complete theory that continues until today. This talk tries to counter a trend: Most people know the fundamentals of special relativity, while few know quantum mechanics beyond the Bohr model of hydrogen. On reason is that the presentation of quantum mechanics in schoolbooks is often dated, inaccurate and incomplete, and, as a consequence, quantum mechanical concepts are often used as a magical component in fringe science and esoteric theories. The talk will shortly discuss some of the experimental results that have lead to the formulation of quantum mechanics and then formulate the theory. The parts of quantum mechanics that often show up in quack theories will be examined and dissected. Allergy advice: This talk may contain mathematics. Some prior knowledge of linear algebra will help to understand this talk.

Open Source firmware ist ein Begriff seit 1999 wo LinuxBIOS (coreboot) und u-boot als Projekt starteten. Heute nach fast 20 Jahren ist endlich Open Source firmware bei den Herstellern von Hardware angekommen: Google Chromebooks - coreboot Facebook Open Compute Hardware - coreboot / LinuxBoot Purism Laptops - coreboot Microsoft Olympus - TianoCore Microsoft Surface - TianoCore IBM Power 9 - Hostboot / Skiboot ARM Hardware - ARM Trusted Firmware Intel Minnowboard - TianoCore, coreboot A lot embedded hardware - u-boot In diesem Vortrag werden wir uns den Weg der Open Source firmware Entwicklung von der Vergangeheit bis in die Gegenwart anschauen. Dabei werden wir ein Schwerpunkt auf neue Technologien in der Firmware Entwicklung und eine Einführung in bestehende Konzepte legen. Teil des Vortrags werden auch Sicherheitstechnologien und Konzepte der Firmware sein. Zum Schluss werden wir einen Ausblick auf die Zukunft und damit verbundenen Ideen uns anschauen. Dies ist ein Einsteiger Vortrag der dazu dienen soll mehr Menschen von der Open Source Firmware Entwicklung zu begeistern.

During her talk “Tactical Embodiment,” artist and activist Angela Washko will present several different strategies for performing, participating in and transforming online environments that are especially hostile toward women. She will introduce her long-term performative intervention “The Council on Gender Sensitivity and Behavioral Awareness in World of Warcraft” alongside several interventions, interviews, performances, written works and video games works she has created with the manosphere and online men’s seduction communities. In addition to walking the audience through her research, Washko will screen excerpts from her interview with a seduction coach who has been dubbed “The Web’s Most Infamous Misogynist” and highlight instructional DVDs, books, and hidden-camera videos created by a community of pick-up artists who teach men how to interact with and seduce women. The talk will close with an audience-participation based performative play-through of her most recent project “The Game: The Game,” a dating simulator video game presenting the practices of several infamous pick-up artists. During her talk “Tactical Embodiment,” artist and activist Angela Washko will present several different strategies for performing, participating in and transforming online environments that are especially hostile toward women. She will introduce her long-term performative intervention “The Council on Gender Sensitivity and Behavioral Awareness in World of Warcraft” alongside several interventions, interviews, performances, written works and video games works she has created with the manosphere and online men’s seduction communities. In addition to walking the audience through her research, Washko will screen excerpts from her interview with a seduction coach who has been dubbed “The Web’s Most Infamous Misogynist” and highlight instructional DVDs, books, and hidden-camera videos created by a community of pick-up artists who teach men how

Hardware implants and supply chain attacks have been in the news recently, but how feasible are they and what can we do about them? In this talk we'll examine the design of a proof of concept SPI bus hardware implant that has similar capabilities to those described in the Bloomberg/Supermicro article as well as some countermeasures that we can use to try to detect these "modchips" and increase our trust in our systems. We don't know how much of the Bloomberg story about hardware implants installed in Supermicro servers shipped to Apple and Amazon is true, nor do we know the story behind the story and the reasons for the vehement denials by all the parties involved. However, a technical assessment of details of the describe implants reveals that a supply chain attack on the hardware is definitely possible, that the capabilities of the BMC can be used to bypass OS protections, and that there are means to access the BMC that would not necessarily generate readily identified network traffic. In this talk we'll examine the design of a proof of concept SPI bus hardware implant that has similar capabilities to those described in the Bloomberg/Supermicro article as well as some countermeasures that we can use to try to detect these "modchips" and increase our trust in our systems.

Heimatminister Horst Seehofer und seine Amtskollegen in den Ländern erweitern die Rechte der Polizeien und planen ein „Musterpolizeigesetz“. Damit handelten sie sich die größten Proteste gegen Überwachungsvorhaben seit Jahren ein. Wir geben nicht nur einen Überblick über die zahlreichen Neuregelungen der Polizeigesetze in den Bundesländern, sondern berichten auch aus den Anhörungen in den Landtagen und von den Stellungnahmen. Wir erklären, was in den neuen Gesetzen steht und welche rechtlichen und technischen Grenzüberschreitungen wir zu kritisieren haben. Und wir haben ein paar Forderungen.

This talk will discuss all about the Five Eyes, the espionage alliance between Australia, Canada, New Zealand, the United Kingdom and the United States. It is one of the largest intelligence operations in the world, which monitors billions of communications around the globe in the name of security. Yet the Five Eyes propose to weaken security, privacy and eroded the possibility of secure systems. This talk will go into details about the Five Eyes (FVEY), covering its origins in the aftermath of World War II, its expansion in the cold war, ECHELON, and further expansion in the the era of counter-terrorism, through today, where the Five Eyes have set their sights on enabling mass surveillance and stopping strong encryption. The discussion will include: - The history and background of the Five Eyes Origins Cold War (ECHELON) Terrorism - How the FVEY spying and intelligence sharing works - Malware - Backdoors - Routers - Internet exchanges - Domestic sharing: when one member spies on another’s citizens, and shares the information back to get around prohibitions on domestic surveillance. - More Eyes, More Problems. Proposals to expand the number of eyes, including many within the EU - Whistleblowers: What the documents shared by Edward Snowden revealed about the Five Eyes - The Five Eyes latest fight: Against strong encryption. FVEY member claim to aim to "thwart the encryption of terrorist messaging,” and the UK and Australia have taken steps through legislation to weaken security. - Why this matters - the legal and policy framework for communications surveillance and the application of human rights principles for surveillance.

As humans have a large negative impact on ecosystems all around the globe, we are approaching a major extinction event in which around 70% of all species will go extinct. This talk will give an introduction to a data-driven and system-based view of ecology. Since life emerged on this planet around 3 billion years ago, five global extinction events took place, that are characterized by over 60% of all species disappearing within a geologically short time interval. The last decades of environmental research, however, made it evidently clear that anthropogenic impacts on the global ecology could lead to a sixth global extinction. Being caused by the destabilization of ecosystems due to climate change, poaching, fragmenting of habitats, species invasions, pollution and other human activities, this extinction event would be the first induced by a species and not by natural catastrophes. Two general paths of action seem available to mitigate this threat or at least limit the damage: One consists of radically limiting anthropogenic influence on nature by restricting human habitats (to, as argued by E. O. Wilson among others, half of the earths surface), which, however, seems politically infeasible. A second strategy aims to effectively re-stabilize ecosystems by selective and specific intervention, but this would require a much deeper knowledge of ecosystem processes and how to modulate them. In this talk, I will provide an overview of the declining quality of ecosystems worldwide and argue that data-driven approaches as well as a hacker mindset will be essential to tackle open questions. I will support this argument by examples from my own research, in which I aim to identify important interactions between microbes in lake ecosystems. Finally, I will try to start a discussion on how to create citizen science projects that will help us understand our natural environment.

The software defined wide-area network is technology based on SDN approach applied to branch office connections in Enterprises. According to Gartner's predictions, more than 50% of routers will be replaced with SD-WAN Solutions by 2020. The SD-WAN can have firewalls and other perimeter security features on board which makes them attractive targets for attackers. Vendors promise "on-the-fly agility, security" and many other benefits. But what does "security" really mean from a hand-on perspective? Most of SD-WAN solutions are distributed as Linux-based Virtual Appliances or a Cloud-centric service which can make them low-hanging fruit even for script kiddie. Complexity of SDN creates additional security issues and cybersecurity pro should address it before an attack occurs. This presentation will introduce practical analysis of different SD-WAN solutions from the attacker perspective. Attack surface, threat model and real-world vulnerabilities in SD-WAN solutions will be presented.

Microcode runs in most modern CPUs and translates the outer instruction set (e.g. x86) into a simpler form (usually a RISC architecture). It is updatable to fix bugs in the silicon (see Meltdown/Spectre), but these updates are encrypted and signed, so no one knows how microcode works on conventional CPUs. We successfully reverse engineered part of the microde semantics of AMD CPUs and are able to write our own programs. We also recovered the mapping between the physical readout (electron microscope) and the "virtual" addresses used by microcode itself. In this talk we present background on microcode, our findings, our open source framework to write custom microcode and our custom defensive measures implemented in microcode. We build on our results presented on 34C3 to provide more insight into how microcode works and more details of the microcode ROM itself. tl;dr diff to last talk: - Mapped physical readout to virtual addresses, we can now read the microcode implementation of specfic instructions - More microcode semantics known, more stable programs - Opensource framework for creating, diassembling and testing microcode on AMD CPUs - Simple hardware setup to develop microcode programs - More practical examples of what you can do with microcode, focused on defense instead of offense this time Since 34C3 we worked on recovering the microcode ROM completely and used that knowledge to implement constructive microcode programs that add to or enhance functionality of the CPU. We also worked on our now open source framework to create and diassemble microcode for AMD CPUs up to 2013. We will give a short intro into how to use it to create custom microcode programs and test them on real hardware. We also provide guidelines on how to construct the test setup we used, which is essentially any old AMD mainboard (native serial port required), a RaspberryPi with a serial adapter and some wiring including a few basic electronic components. Using this you can r

Nico Semsrott hat in Zeiten des globalen Rechtsrucks den überflüssigsten Job der Welt: Er ist Demotivationstrainer. Mit Powerpointpräsentationen und viel Pessimismus schafft er es, komplexe Themen zu vereinfachen, ohne dabei auf alternative Fakten zurückgreifen zu müssen. Politisch gesehen ist zwar alles aussichtslos. Aber wenn man schon aufgibt, kann man man genauso gut auch das Resignieren aufgeben. Deswegen kandidiert Nico auf Platz 2 der Europaliste der Partei Die PARTEI. Um dann in Brüssel als Kommissionspräsident die Demokratie in Europa einzuführen. Notfalls gegen den Willen der Bürgerinnen und Bürger.

This talk investigates fake science factories; international twilight companies whose sole purpose is to give studies an air of scientific credibility while cashing in on millions of dollars in the process. We present the findings, outcomes and methodology from a team of investigative journalists, hackers and data scientists who delved into the parallel universe of fraudulent pseudo-academic conferences and journals. The story was published in Germany (ARD and Süddeutsche Zeitung Magazin) in mid of July and then went around the world. How did it begin? What did we learn in the process? And: What happened since the story got published? Until recently, fake science factories have remained relatively under the radar, with few outside of academia aware of their presence; but the highly profitable industry has been growing significantly in the last five years and with it, so are the implications. To the public, fake science is often indistinguishable from legitimate science, which is facing similar accusations itself. We expose the scale and value of two fake science operations: Well-known institutions and professors who abuse this route of publication for personal gain and the deadly consequences when the public believe in fake cures or weird discoveries that seem scientific at a very first glance. Beyond the pressure to publish, we find varying motivations from paid vacations and promotions to obtaining stipends and research grants. Our findings highlight the prevalence of the pseudo-academic conferences, journals and publications and the damage they can and are doing to society. For 35C3 we did some extra analytics and will publish new numbers, how pseudo-academic publishing has dropped since the story got out in several countries in July 2018.

Lightning Talks are short lectures (almost) any congress participant may give! Bring your infectious enthusiasm to an audience with a short attention span! Discuss a program, system or technique! Pitch your projects and ideas or try to rally a crew of people to your party or assembly! Whatever you bring, make it quick! Did you think that the thrill of sharing your ideas in front of a huge audience at a C3 was something you'd never experience? Do you work on a cool project and want to get the word out? Was your talk one of the hundreds that got rejected? Did you come up with an awesome hack that you need to share? Go ahead and enter your Lightning Talk now! The 35C3 Lightning Talks consist of three fast paced sessions which are perfect for pitching new software or hardware projects, exploits, creative pranks or strange ideas you need to get out to a global audience. Even if you don't have an awesome idea or project to share, a Lightning Talk is perfect for pitching your Assembly, your workshop or even a longer talk you'll give as a self-organized session. Your five minutes of fame!

Telephone networks form the oldest large scale network that has grown to touch over 7 billion people. Telephony is now merging many complex technologies (PSTN, cellular and IP networks) and enabling numerous services that can be easily monetized. However, security challenges for telephony are often neither well understood, nor well addressed. As a result, telephone networks attract a lot of fraud. In this talk, we will systematically explore the fraud in telephone networks, focusing on voice telephony. We will present a taxonomy of fraud, and analyze two prevalent fraud schemes in more detail: looking into the ecosystem of International Revenue Share Fraud (IRSF), and discussing a new countermeasure to the well-known problem of voice spam. This talk aims to improve the understanding of the fraud ecosystem in telephony networks. We first provide a clear taxonomy that differentiates between the root causes, the vulnerabilities, the exploitation techniques, the fraud types and finally the way fraud benefits fraudsters. As concrete examples, we first look into International Revenue Share Fraud (IRSF), where phone calls to certain destinations are hijacked by fraudulent operators and diverted to the so-called ‘international premium rate services’. This fraud often involves multiple parties who collect and share the call revenue, and is usually combined with other techniques (such as voice scam, mobile malware, PBX hacking) to generate call traffic without payment. We will further explore the IRSF ecosystem by analyzing more than 1 million `premium rate' phone numbers that we collected from several online service providers over the past 3 years. In the second part, we will look into voice spam, a prevalent fraud in many countries. After giving an overview of various types of unwanted phone calls, we will focus on a recent countermeasure which involves connecting the phone spammer with a phone bot (“robocallee”) that mimic

A major part of software development is maintenance, i.e. tinkering with software that should already be completed but still somehow does not work as it should. Software developed by tinkering is the antithesis to resilient technology, and a growing threat to our profession and our lives. Working on this kind of software crushes the soul. Yet this is exactly how most IoT devices (and computers in general) are programmed these days. We need to replace the dead technology-oriented objects of the past with supple models enriching our domains and our souls. This talk shows how it is done. So how do we gain autonomy over the software of the future, which is currently spiralling out of control? Not with object-oriented programming, as it turns out: Mutable state, the absence of uniform abstraction mechanisms and the complexity introduced by inheritance make it hard for humans to develop correct and robust software. While "agile" has given developers autonomy over the soul-crushing processes of the past, the prevalent technology - object-orientation - is a fundamental part of the problem, not of the solution. It is time to say goodbye; we must start to teach the principles of systematic construction of correct software instead. At the core of this revolution is the consistent application of functional programming, i.e. of immutable data structures, systematic abstraction and data modelling. The talk illustrates the problems of the programming techniques of the past, and shows how to build robust models that lead to useful software.

From Cyberfeminism to XenoFeminism - a short history of radical appropriations of media. This discussion will question how media is made (for whom and for what) and how meaning is produced through different contexts. it will feature media hacks and productions spanning a century and three continents. Sci-Hub, film excerpts, Red Planet and more will be referenced. It will also address how and where media matter, comparing different technologies, commenting on CCC projects and what is more/less relevant in different African and European contexts. We will also explore how media and technical developments are informed by their social, economic and political environments.

Biometrische Videoüberwachung, Hausdurchsuchungen, Polizeiaufgabengesetze, Staatstrojaner und ganz viel Cyber: Wir geben einen Überblick über die Themen, die den Chaos Computer Club 2018 beschäftigt haben. Neben der Zusammenfassung und der Rückschau auf das vergangene Jahr wollen wir aber auch über zukünftige Projekte und anstehende Diskussionen reden.

The SymbiFlow project aims to be the "GCC of FPGAs" - a fully open source toolchain supporting, multiple FPGAs from different vendors. Allowing compilation from Verilog to bitstream without touching vendor provided tools, it includes support for large modern FPGAs like the Lattice ECP5 and Xilinx 7 series. These FPGAs can be used for things previously out of reach of FOSS tools, things like high resolution video and many gigabit networking. We have also documented the FPGA bitstreams to allow other new tools and a process for replicating this effort on new types of FPGAs!

In this talk we will go through the different mitigations in Windows 10 and see how they affect modern userspace exploitation. We will explain the primary ones and the different ways to bypass them. Finally, we will demo a cool exploit that achieves code execution.

This talk will engage the practises and protocols of hacking in the context of Hong Kong, drawing parallels from the stigmergic responses of the city (consensus network organisation) and the peer-production (or attempt) of the hackerspace, Dim Sum Labs. Perspectives on this will also draw from the publication, The Field Guide to Hacking (_TFGTH), a collection of (project and essay) snapshots generated from the hackerspace and its surrounding community.

Over the summer Facebook, Google, and Twitter have started making transparent United States political ads shown on their platforms. We have been collecting and analyzing these political ads to understand how candidates, elected officials, PACs, non-profits, for-profit companies, and individual citizens are disseminating U.S. political content using these advertising platforms.

Project IceStorm provides the first end-to-end open source FPGA toolchain, was originally presented at 32c3, and only targetted Lattice iCE40 FPGAs. nextpnr is the next big step for open source FPGA tools, providing a retargetable open source FPGA place-and-route tool that will enable open source flows for many different FPGAs from many different vendors.

Learn to see the world without your eyes. Wonder what it's like to navigate while blind? Want to learn to use your everyday senses in ways you don't know you don't know? In this talk, I hack you with permanently enhanced sensory perceptions. This is very participatory, not just "sit and listen", and workshops are even more hands-on (blindfolded w/ cane in hand).

This talk will share the experience of a leading African extended reality lab - Imisi 3D. It will highlight this African journey to adopt augmented and virtual reality, the challenges and lessons learned and will then focus on some of the arts and culture use cases that have emerged so far. In particular we will explore the collaboration with the IAF Basel festival (organisers of the Contemporary Africa Photography prize) that resulted in Reality Check, a simultaneous virtual reality tour of Lagos and Basel.

An update on the circumstances of the Snowden Refugees will be provided at the 35C3 event and venue in December 2018. There have been many significant events and incidents during 2018, and some of these will be disclosed at the talk. Updates will provided on the Snowden Refugees appeals in Hong Kong and their refugee claims with Canada. There will also be disclosures on continued surveillance and harassment by the Hong Kong authorities.

Es ist 6 Uhr und ein Trupp uniformierter Polizisten steht vor deiner Wohnungstür. Was solltest du bis dahin getan haben und was solltest du jetzt tun?

Men with osteoporosis or depression, women with heart attacks - these are examples of diseases where medicine still shows a gender bias. Assuming that men and women have the same bodies, except when it comes to the reproductive organs still causes maltreatment up to death. In the past few years sex- and gender-sensitive medicine has discovered that the assumption of the same body has lead to the unnecessary death of patients and needs to be challenged. This is a brief introduction into the paradigm shifting realm of sex- and gender-sensitive medicine showing how and where the sexes differ, that there are actually more than two sexes and that your gender also plays a role in how you are being treated by medical professionals.

Seit 2010 ist die Sehnsucht des Schauspiel Dortmund, ein gegenwärtiges und wagemutiges Schauspiel für ein Publikum des 21. Jahrhunderts zu schaffen, ein Volkstheater für die Digitale Moderne. Intendant Kay Voges, Videokünstler Mario Simon und Engineer Lucas Pleß berichten über Dortmunder Theaterarbeiten zum Menschsein im Digitalen Zeitalter, speziell über die Stückentwicklung "Die Parallelwelt", die im September 2018 am Berliner Ensemble und am Schauspiel Dortmund gleichzeitig Premiere hatte, sowie über die "Akademie für Digitalität und Theater", die 2020 in Dortmund gegründet werden soll.

The internet has become essential services, and offline methods of sharing data are rapidly disappearing. Other possible networks are often better suited when connectivity is not available or affordable. Radios, sensors, and computing are available in the cheapest of smartphones and routers. Wind is integrating nearby/offline data exchange with the internet services that we all rely on.

More than 10,000 different device manufacturers from all over the world use the basic platform (WIFI module, cloud, app) of a single company to technically implement their smart home products. The analysis of this base shows considerable security deficiencies, also of a conceptual nature, and thus various points of attack, which affects millions of smart devices. The lecture will present the functionality of smart devices in relation with the above-mentioned basic platform, show the extent of the security gaps using various attack scenarios and offer the community a solution for the secure use of the affected devices.

Teaching beginners how to program is often hard. We love building programs, and seeing our loved ones struggle with this is painful. Showing them how to copy-paste a few example programs and change a few parameters is easy, but bridging from there to building substantial programs is a different game entirely. This talk is about how to teach programming successfully, through comprehensible design recipes, which anyone can follow, using languages and tools designed for beginners. This approach is probably different from how you learned how to program, or how you're used to teaching. It is more effective, however, as it teaches more material successfully to a broader spectrum of people. It is also more enjoyable.

What's been good, exciting, spooky and challenging in art and science/technology over this past year. With a short incursion into the ugly because even artists have the right to be awful.

Never Forgetti is a didactic live gaming lecture about the deaths of female video game characters and how their normative framing prevents them from developing agency to avert their fatal destiny. The performance investigates on power relationships between lecturer and audience to reflect on how models of subjugation are established in media and our current social realities. Taking on the persona of Jenny Vorfahrt, a mysterious character that exists both outside and inside the gaming realm, I provide attendees with showcase of gameplay and theoretical knowledge about life and death of popular heroines, as well as the symbolism of classical game design. In reality, however, Jenny is pursuing her own secretive agenda...

Um das Entwickeln von eigenen Laufrobotern zu erleichtern, brauchen wir offene Alternativen zu bestehenden Plattformen. Am Beispiel unseres Projektes "Hannah" stellen wir euch Möglichkeiten vor, wie Open Source in Robotik-Hardware praktisch eingesetzt werden kann.

A variety of initiatives aims at encouraging female engagement in the hacker and maker scene. We present there some promising approaches and key learnings in a joint panel discussion.

The Enemy brings you face-to-face with combatants from three conflict zones: with the Maras in Salvador, in the Democratic Republic of the Congo, and in Israel and Palestine. Their testimonies and confessions about their lives, experiences, and perspectives on war will allow you to better understand their motivations… and their humanity.

Welchen Dialekt spricht eine Geflüchtete aus Syrien? Was verrät das Handy eines Asylsuchenden aus dem Irak darüber, wo er herkommt? Und ist der Name Wasef eigentlich typisch für Afghanistan? Über diese Fragen entscheiden im Bundesamt für Migration und Flüchtlinge (BAMF) zunehmend Computer. Sie spucken Wahrscheinlichkeiten für Herkunftsländer aus, die entscheidend dafür sind, ob Geflüchtete Asyl bekommen - oder nicht. Kurz: Menschliche Schicksale hängen von Maschinen ab. Diese Maschinen wissen nichts darüber, ob einem Menschen in seiner alten Heimat Verfolgung, Folter und Tod drohen. Mitarbeiter des BAMF verlassen sich auf diese Ergebnisse, auch wenn sie falsch sein können. Recherchen und bisher unveröffentlichte Dokumente zeigen, warum das schiefgehen muss und welche schweren Folgen für Schutzsuchende das haben kann.

Facebook monopoly is an issue, but looking for replacements it is not enough. We want to develop critical judgment on algorithms, on why data politics matter and educate, raise awareness for a broad audience. With our tool, we enable an individual to collect evidence and see how Facebook's algorithm truly shares their data. Not data about themselves, but the bias of facebook treats data, re-shares certain content over other content. Collectively we can analyze the algorithm, understand Facebooks agendas and show how little agency users have.

Beim Datenschutz geht es mitnichten um Privatsphäre, um das eigene Schlafzimmer oder um das Teilen privater Daten bei Facebook. Es geht gleichermaßen um den Erhalt einer demokratischen Gesellschaftsordnung wie um den Erhalt individueller Handlungsalternativen im digitalen Zeitalter. Wir dürfen also nicht so sehr über Einzelpersonen und ihre höchst subjektiven Privatheitswünsche sprechen, sondern viel mehr von Machtasymmetrien, Durchsetzungsmacht, sowie „starken“ und „schwachen“ Akteuren.

In this talk, I’ll present several attacks that leak the plaintext of OpenPGP or S/MIME encrypted emails to an attacker. Some of the attacks are technically interesting, i.e. the two different efail attacks, some are somewhat silly, yet effective. Some abuse HTML emails, some also work with plain ASCII emails. Furthermore, I’ll discuss our lessons learned and describe the efail-related changes to mail clients and the OpenPGP and S/MIME standards.

This talk will present a historical narrative of the background behind how the NeTV + Milkymist inspire the HDMI2USB then helped the NeTV2 projects and how they all became interlinked through events like Congress! From the study of this history, we will attempt to distill a few core lessons learned that can hopefully be applied to other open hardware projects.

With the beginning of last year, two major security vulnerabilities have been disclosed: Meltdown and Spectre. While mitigations in software and hardware have been rolled out right away, new variants have been continuously released in the following months. With all those confusing names, how can you possibly still have a clear overview of all those vulnerabilities (SpectreV1, SpectreV2, Meltdown, Spectre-NG, SpectreRSB, L1TF, Foreshadow, ...)? With this talk, we present a novel classification that will ease the naming complexity of the current jungle of variants. Along with all different attacks, we will give an overview of all proposed mitigations and show how an attacker still can mount an attack despite the presence of implemented countermeasures. Furthermore, we will present new variants of the Meltdown attack, exploiting different parts of the CPU.

This talk aims to give a general overview of iOS Jailbreaking by starting at what jailbreaking was back in the days and how it evolved up until today, while also taking a quick look at how it might evolve in future. Therefore the following topics are covered: - Jailbreaking goals (technical) - Types of jailbreak and it's origins (tethered, untethered, semi-tethered, semi-untethered) - Exploit mitigations (ASLR, iBoot-level AES, KPP, KTRR, PAC) - Kernel patches (h3lix) - Kppless jailbreaks The goal is to give an insight into the jailbreak terminology, exploit mitigations and how these are dealt with in past and modern jailbreaks.

Datenreichtum, E-Voting, Massenüberwachung und andere netzpolitische Schauplätze in der Schweiz Der Kampf um die Freiheit im digitalen Raum wird auch in der Schweiz intensiver. Wir blicken auf das netzpolitische Jahr 2018 in der Schweiz zwischen Bodensee und Matterhorn zurück. Wir behandeln jene Themen, die relevant waren und relevant bleiben. Weiter zeigen wir, was von der Digitalen Gesellschaft in der Schweiz im neuen Jahr zu erwarten ist.

There are multiple different ways to store cryptocurrency secret keys. This talk will investigate advantages and disadvantages of different methods with regards to cryptographic backdoors known as kleptograms.

Artificial Intelligence gives us a uniquely fascinating and clear perspective at the nature of our minds and our relationship to reality. We will discuss perception, mental representation, agency, consciousness, selfhood, and how they can arise in a computational system, like our brain.

There's a certain allure to zero-day exploits. At the apex of the security industry, these elusive technologies are engineered by a persistent few to open doors of software systems that were never meant to exist. We go behind-the-scenes to provide an inside look at the zero-day development lifecycle, breaking common misconceptions regarding this increasingly difficult tradecraft.

Der nationale Höchstleistungsrechner SuperMUC-NG unterstützt die öffentliche Wissenschaft in Deutschland. Wie ist er aufgebaut, was kann man damit tun, und wo steht er im Vergleich mit den schnellsten Supercomputern der Welt?

In this talk I want to present the computational undertakings in the field of cosmological structure formation and galaxy formation. Here, sometimes gigantic simulations help us to unravel the processes that led to the Universe that we can see today. I will give a short overview of our current understanding of the evolution of the Universe, the history and techniques of the simulations and their current state and future.

Through the hacking of surveillance techniques, machine learning, and big-data analytics, DISNOVATION.ORG’s trilogy of internet bots is uncovering and repurposing some of the influential and opaque operating systems of our online environment.

It is now 27 years since MS-DOS 5.0 was released. During its day there was the threat of viruses breaking your system or making it act in unpredictable ways. Due to its age and near total lack of consumer use it is safe to assume that all of the viruses for MS-DOS have been written. Using community archives and modern analysis methods we can uncover how they worked and reflect on how things have changed.

The last years, we all have felt the impact of applying technologies like machine learning, social networks and data-driven decision making on a massive scale to our societies. Yet all that technology has been developed by engineers like us. It's become clear that we have to do more than chase the ever evolving technological challenges and start to assume responsibility for our creations - or we too will wake up one day to the realization that technology we helped develop has done more harm than good. We want to present practical, every day guidelines and principles that can help engineers and organizations to build technology that not only serves the application and business purpose, but also minimizes negative long-term effects on society and the people that use it.

The world is finally catching on to the urgency of deploying post-quantum cryptography: cryptography designed to survive attacks by quantum computers. NIST's post-quantum competition is in full swing, and network protocols are exploring post-quantum extensions. This talk will take the audience on a journey through selected recent highlights from the post-quantum world.

"Mondnacht" von Stanislav Lem. Das berühmte SF Rundfunk-Hörspiel als Lesung mit analogen und digitalen Mitteln.

Ein kurzer Grundlagenabriss über die Institution der Europäischen Union, insbesondere zur Funktionsweise und Zusammenarbeit

This event is not going to be recorded Bei der Europawahl 2014 wurde ich als Spitzenkandidat der Partei für Arbeit, Rechtsstaat, Tierschutz, Elitenförderung und basisdemokratische Initiative in das Europäische Parlament gewählt.

"All Creatures Welcome sketches a utopian image of society in the digital era. Accompanied by the appeal to “use hacking as a mindset,” the viewers immerse themselves, together with the filmmaker, in a documentary adventure game and explore the world of digital communities at the events held by the Chaos Computer Club; a real-world reflection of the virtual spectrum." – after the rough cut screening at the 34c3 we will show now the final version. Join us and be part of the moment when we put the movie online and make it freely available under a creative commons license at the beginning of the screening!

Kann man empirischen Studien trauen oder nicht? Wie kann ich gute Studien von schlechten unterscheiden? Und was mache ich, wenn es zu einem Thema Studien mit gegensätzlichen Befunden gibt? Der Vortrag soll helfen, Antworten auf diese Fragen zu finden und empirische Studien besser zu verstehen.

Lightning Talks are short lectures (almost) any congress participant may give! Bring your infectious enthusiasm to an audience with a short attention span! Discuss a program, system or technique! Pitch your projects and ideas or try to rally a crew of people to your party or assembly! Whatever you bring, make it quick!

In this talk I will share my story of how in a little over a year, a high school student with almost zero knowledge in security research found his first RCE in Edge.

Modern cryptography is based on security-proofs. We will demonstrate how these work, why they are desirable and what their limitations are.

Net neutrality, a big buzzword in the last years. It is not only a buzzword? There are economic reasons why it is a stake. This talk tries to give an overview and explain how money is made in the "internet" and how it is related to net neutrality.

Der Vortrag beleuchtet die Einflüsse auf den geheimnisvollen Teil des Mobilfunks – Störquellen im Uplink und deren Auswirkungen auf die Mobilfunk-Kommunikation sowie Praktiken zum Aufspüren von HF-Störquellen. Die Feldstärke-Balkenanzeige eines Smartphones (die Downlink-Empfangsfeldstärke) ist nur die Hälfte der Wahrheit zur Bewertung einer Mobilfunkversorgung. Die andere Hälfte ist der weithin unsichtbare aber gegen Störeinflüsse hochempfindliche Uplink, die Richtung vom Endgerät zu den Basisstationen. In diesem Vortrag werden Uplink-Störquellen, deren Auswirkungen sowie Mess- und Analysemöglichkeiten erläutert.

Vor 5.7 Milliarden Jahren emittierte der Blazar TXS0506+056 eine große Menge schwach wechselwirkender Neutrinos. Von dem durch ein supermassives schwarzes Loch im Zentrum seiner Galaxie angetriebenen kosmischen Teilchenbeschleuniger fand eines dieser Teilchen seinen Weg zur Erde und interagierte mit Wassermolekülen im antarktischen Eis. Durch einen glücklichen Zufall konnte das IceCube Neutrino Observatory, ein Kubikkilometer großer Detektor aus instrumentiertem Eis, am 22. September 2017 eine Lichtspur aufzeichnen, die direkt zur Quelle zurück zeigte. Damit konnte erstmals ein bekanntes astrophysikalisches Objekt mit dem Ursprung eines kosmischen Neutrinos assoziert werden und das Ereignis IceCube-170922A schrieb Geschichte. Ein näherer Blick auf die während 2014-2015 gesammelten Daten zeigte, dass die Neutrino-Emission von TXS0506+056 phasenweise erhöht ist. Dies unterstützt die These, dass das Ereignis von 2017 tatsächlich dem Blazar zugeordnet werden kann und die Entdeckung wurde zu einem großer Erfolg für die Multi-Messenger Astrophysik.

Drivers are usually written in C for historical reasons, this can be bad if you want your driver to be safe and secure. We show that it is possible to write low-level drivers for PCIe devices in modern high-level languages. We are working on super-fast user space network drivers for the Intel 82599ES (ixgbe) 10 Gbit/s NICs in different high-level languages. We've got fully working implementations in Rust, C#, go, OCaml, Haskell, and Swift. All of them are written from scratch and require no kernel code.

The meeting point of art and science as a place of inspiration, exchange of knowledge and creation is the main focal point of the talk. Together with Prof. Oliver Deussen, the PhD candidate Marvin Guelzow, and Liat Grayver we will discuss both the technical challenges and innovation aspects in the development of the e-David robot, alongside the the social and artistic practice its offers. Topics as such “paradigms of creativity” under the title “New Materialism / Anthropocentrism / Posthumanism” will be presented with the goal to position and understand machine-assisted creative interfaces within the broader field of media art and painting traditions.

Was für die Breitbandversorgung in Deutschland gilt, gilt auch für Transparenz: Überall Demokratie-Funklöcher, die man stopfen muss, am besten mit Klagen. Wir erzählen, was das Informationsfreiheitsgesetz in diesem Jahr für die Demokratie-Infrastruktur getan hat, welche Rolle dabei Klagen gespielt haben und was die IFG-Meisterschaften damit zu tun haben.

Critical Thinking + Making = Critical Making. Around the world, academics and grassroots communities alike are engaging in critical making. With roots in critical design and critical engineering, etc., the point is to re-politicise making, help people understand that it needs to be more than printing cheap plastic knickknacks and can be used for activism and social innovation to improve peoples' lives.

MicroPython is a lean and efficient implementation of the Python 3 programming language that includes a small subset of the Python standard library and is optimised to run on microcontrollers and in constrained environments. This talk will give an overview about the MicroPython hard- and software and introduces the community.

We have analyzed the hardware full-disk encryption implementation of several Self-Encrypting Drives (SEDs) from Samsung and Crucial (Micron) by reverse engineering their firmwares. The vendors combined cover a majority of the market share of SEDs sold today.

The death rate at Europes seaborder reached a historical record: One out of five trying for Europe drowned this September: Main reason is the crackdown on sea rescue by European authorithies who barely pass any information on distress cases to competent rescue workers. The hope of those trying to escape torture, slavery hunger and other forms of violence therefore soleyly lies on the efforts of the civil rescue fleet. In the future, a civil society run maritime rescue coordination center could help to significantly reduce the death rate at sea. This talk will focus on the software and hardware components used on the aerial and nautical assets of the civil rescue fleet. We´ll talk about the difficulties installing sat com on a moving ship or even an aircraft, how the camera system of the Sea-Watch 3 recorded the evidence that is now challenging the Italian state at the European Court of human rights, how important data is secured if the state challenges you as in the case of the LIFELINE and about a software that will help to join forces in the near future to coordinate rescues in an efficient way. Help is still needed to tear down Europes wall.

Jeder Nutzer hat das Recht bei seinen Dienstanbietern eine Kopie seiner Daten anzufordern. Doch wer macht das schon? Wir haben genau das getan. Das Ergebnis war nicht nur eine intensive und emotionale Brieffreundschaften mit der Datenschutz-Abteilung von Amazon. Das Ganze hat auch sehr viel Datenmüll zu Tage befördert.

Since its release in 2012, the PlayStation Vita has remained one of the most secure consumer devices on the market. We will describe the defenses and mitigations that it got right as well as insights into how we finally defeated it. The talk will be broken into two segments: software and hardware. First, we will give some background on the proprietary security co-processor we deem F00D, how it works, and what we had to do to reverse an architecture with minimal public information. Next, we will talk about hardware attacks on a real world secure hardware and detail the setup process and the attacks we were able to carry out. This talk assumes no prior knowledge in hardware and a basic background in system software. Focus will be on the methods and techniques we've developed along the way.

The classic spy movie hacking sequence: The spy inserts a magic smart card provided by the agency technicians into the enemy's computer, … the screen unlocks … What we all laughed about is possible!

Matrix is an open standard for communication over the Internet. I will talk about the matrix standard, both the technical implementation and the reasons for its creation. We will focus on the changes and progress that has been made in the previous year, particularly getting the specification out of beta, and the growth of the ecosystem. Finally, the Matrix environment continues to develop, and we’ll look at the roadmap for the future.

We are presenting an innovative technology, which allows verifying the authenticity, integrity and/or the physical state of an item by employing the propagation behaviour of electromagnetic waves. In particular, it enables to check for any tamper attempts for larger structures, such as off-the-shelf computers and their periphery. The technology extends existing tamper proof approaches from the chip/PCB to a system level and is easily retrofittable. In this presentation, we are demonstrating exemplary tamper proofing in order to protect secret information without an attack-detection or data-deletion circuit (!), which is a known difficult problem and an imperfect undertaking. Therefore, we demonstrate the simplicity and effectiveness using a very cheap self-made testbed (using alumium foil) to protect standard hardware against invasive attacks, such as needle probing through the case.

Pursuit of “good customers’ experience“ not only leads to new customers, but also attract criminals of all sorts. Presentation will give overview of current security situation of ATMs with different auxiliary devices allowing cardless transactions. Cardless is new sexy for criminals.

Whenever you enter a name into your computer, it resolves it to a numerical IP address. This resolution uses the Domain Name System (DNS), which is a hierarchical decentralised naming system used on the Internet. DNS is organised in a way that top-level domain (e.g. .com, .org) are delegated to registrars, which delegate subdomains (e.g. foo.com). This delegation is done as well via the DNS protocol via nameserver (NS) records. Since different types of data are kept in DNS, it can as well be seen as a distributed (and cached!) key-value store - which is fault-tolerant. I will explain the basic usage of DNS, including stub and recursive resolver, server, various protocol extensions (zone transfer, dynamic updates, authentication, notifications, ...), privacy extensions (query path minimisation, DNS-over-TLS), provisioning let's encrypt certificates. I will talk about attacks (poisoning, amplification, ...) and implementation pitfalls (not get stuck in the recursive resolver). I implemented DNS with above mentioned extensions as minimized MirageOS unikernels over past years.

Wir wenden uns gegen Gentrifizierung, Luxussanierung und Spekulation mit Häusern. Das Mietshäuser Syndikat ist ein bundesweiter Verbund linker, selbstverwalteter Hausprojekte mit dem Ziel der Initiierung und dauerhaften Erhaltung von gemeinschaftlich genutztem und bezahlbarem Wohn- und Gewerberaum. Der Grundgedanke: Gemeineigentum wird geschaffen und dauerhaft dem Markt entzogen. Die Mieter*innen sind zugleich Besitzer*innen ohne private Gewinnerzielungsabsichten, sie transferieren Knowhow und oft auch Direktkredite an andere Hausprojekte.

This presentation will start off with a simple problem (how do you clear memory that holds sensitive content). It explores numerous possible solutions, and presents real live facts and figures. bugs in common applications will be shown.

Highly compartmentalized network segmentation is a long-held goal of most blue teams, but it's notoriously hard to deploy once a system has already been built. We leveraged an existing service discovery framework to deploy a large-scale TLS-based segmentation model that enforces access control while automatically learning authorization rules and staying out of the way of developers. We also did it without scheduling downtime or putting a halt to development. This talk covers how we engineered this, and shares lessons learned throughout the process.

It's time to highlight facts and epic fails that were observed on the wire during attempts to block Telegram in Russia.

A cryptojacking website abuses the computing resources of its visitors to covertly mine for cryptocurrencies in the browser. In this talk, we explore this phenomenon and answer, amongst others, the following questions: How does the mining script work under the hood? How common is this attack? How much money do the attackers earn? And how can I defend myself against such attacks?

Reverse Engineering zum Aufspüren von Schwachstellen ist gängige Praxis. Umso überraschender kam für 2 Forschungsteams die Abmahnung durch Rechtsanwälte eines Herstellers. Sie hatten Schwachstellen aufgedeckt und damit, so der Hersteller, seine Rechte verletzt. Vorwurf? Vom Verstoß gegen das Urheberrecht bis zum Verrat von Geschäftsgeheimnissen war alles dabei. Nach hunderten Seiten an Schriftsätzen, einem zurückgehaltenen Paper sowie 7 Stunden Marathon-Prozess konnte ein Vergleich geschlossen werden, bei dem wir mit einer Verpflichtung zum Responsible Disclosure davon kamen - die Kernfragen bleiben jedoch offen: Welche Teile des Reverse Engineering sind rechtswidrig? Verstößt Reversing auch zum Zwecke der IT-Sicherheitsforschung gegen das Urheberrechtsgesetz? Was schützt in Zukunft Sicherheitsforscher vor rechtlichen Schritten des Herstellers? Wie können sich Unternehmen verhalten und welche Abwägungen müssen vor der Veröffentlichung getroffen werden? Wir berichten vom Ablauf eines solchen Prozesses inklusive Anekdoten, weisen auf die Unklarheiten in geltendem Recht hin und schaffen ein Bewusstsein für die Problematik.

Der Talk gibt einen Überblick über die Arbeit der Gesellschaft für Freiheitsrechte (GFF): Wir klagen, um Grund- und Menschenrechte vor Gesetzgebern und Behörden zu schützen.

In this talk, I discuss how to reliably find bugs in the Chrome IPC system with the goal of escaping the sandbox. I show how to enumerate the attack surface, how to identify the weak areas, and how to fuzz those areas efficiently to consistently produce bugs.

Mars Rover Curiosity is one of the most sophisticated pieces of hardware ever launched into space. Because of the communication delay from Earth to Mars, it needs to accomplish most of its tasks completely autonomously: landing, navigation, exploration and singing birthday songs to itself. To do all this, it only has one central onboard computer. Let's look at that computer and the software it runs in detail.

This is a foundations talk about modeling and simulation as tools for development, testing and debugging systems. It requires very little previous knowledge to address all makers and hobbyists interested in creating or modifying hardware that physically interacts with its environment (e.g. robots, drones, etc.). It explains the purpose of modeling and simulation, basic principles, and tips and tricks on a practical level.

Where is the blockchain, how long is it, and what does it have to do with cryptography? And is it really something completely new? I spent a lot of time in pubs explaining to people what this blockchain hype is all about. It turns out that the best way to do that is to use images - literally. The idea behind this talk is to give you a rough understanding of the scientific background behind the Blockchain technology.

Schon Wladimir Wladimirowitsch Putin wusste: "Hacker, das sind freie Menschen, so wie Künstler." Wie wollen dafür sorgen, dass es so bleibt.

We are going to outline the ingredients necessary to perform measurements at the LHC, starting from an ordinary bottle of hydrogen. Let us take you on a journey following the path of the protons from this bottle to being ready for collisions in one of the detectors. Once the collisions are recorded we show the approaches and tools on how to extract the metaphorical needle in the haystack.

Moderne Medizintechnik ist teuer und wenn sie kaputt geht, dann kann man sie normalerweise nur durch Servicetechnikerinnen austauschen lassen. Designkriterien orientieren sich an den Gesundheitsversorgung reicher Länder. Wir stellen ein System zur Messung der wichtigsten Vitalparameter vor, das nicht nur open source und frei, sondern auch für den off-road Einsatz ausgelegt ist, wenn die Servicehotline nicht erreichbar ist.

Ich möchte euch zeigen, wie ich mir aus einem Raspberry PI ein Smartphone baue. Auf welche Probleme und Schwierigkeiten ich dabei gestoßen bin und welche Lösungen ich gefunden habe. Das Projekt ist noch nicht abgeschlossen, es fehlen noch ein paar Kleinigkeiten. Trotzdem will ich euch schon mal mein Smartphone in der praktischen Butterbrotdose zeigen und euch erzählen wie es entstanden ist.

A Web Page in Three Acts is a live coding performance which combines principles of choreography within the formal structures of coding. An assemblage of semi-improvised visuals and composition experiments in web environments. The screen becomes an open stage for the hybrid code which links choreography and web programming as well as body and language.

OTRv4 is the newest version of the Off-The-Record protocol. It is a protocol where the newest academic research intertwines with real-world implementations. It is also one of the first protocols that comes from the global south which makes the political discussion around protocols an urgency. This newest versions also asks us to revisit our definitions around deniability (online and offline) and how important is it to the world. In this talk we will try to start a discussion around the importance of protocols, its political/moral foundations, the real-world implementation of academic ideas, the importance of securely implementing them, the definition of deniability in the current world and the design of OTRv4.

The human microbiome is a diverse community of bacteria that lives inside us. Their contribution towards our personal well-being or sickness is controversially discussed within the scientific world and, likewise, in our society. First attempts to rationally (reverse-)engineer the human microbiome are hyped in medicine and within the DIY biohacking scene. The implications of these endeavours potentially concern several aspects of our life: eating habits, fitness state, susceptibility for infections, aging, and cancer. But what about ethical aspects of hacking the human microbiome? How can biosafety be maintained? Are there any data security issues? I will seriously discuss the state-of-the-art and future directions of the research to show whether actual hacking of the human microbiome is rather science or fiction.

Visual culture dominates our societies, every day encouraging and rewarding corporations and their users to create more visual content to populate their digital spaces and build their digital lives. But what if there was an unseen method of disruption to these powers? What can we learn from the blind and their increased awareness of sound and vibration to disrupt and circumvent these powers without detection?

The lecture will give an introduction into the "EC Proposal for a Regulation on European Production and Preservation Orders for Electronic Evidence in Criminal Matters (COM (2018) 225 final)" and . the impact to civil liberties of the users as well as the challenges for service providers of the diverse range of services covered by the proposal. Urgent action is required now by diverse groups to fight the existing proposal and prevent it from becoming binding law throughout the EU..

Polizei und Geheimdienste sammeln per "Funkzellenabfrage" Tag für Tag Millionen von Standort-Daten. Netzbetreiber liefern den Behörden regelmäßig Datensätze aller Mobilfunknummern, die zu einem bestimmten Zeitpunkt in bestimmten Funkzellen waren. Entgegen den gesetzlichen Bestimmungen erfahren Betroffene nicht davon.

With great pleasure comes great responsibility. A responsibility, which is not taken enough into consideration by the smart sex toy manufacturers as they should, while handling extremely sensitive data. As long as there is no serious breach, there is no problem, right? This was the basis for a research project (Master Thesis) called “Internet of Dildos, a long way to a vibrant future”, dealing with the assessment of smart sex toys and identification of vulnerabilities in those products, including mobile apps, backends and the actual hardware. After the assessment of a selection of multiple smart sex toys an abyss of vulnerabilities was revealed. The identified vulnerabilities range from technically interesting vulnerabilities to vulnerabilities which affect the privacy of the users in extreme and explicit ways.

Video identification is the process of establishing the identity of a person via video chat. The person to be identified has to show his face as well as her official ID card to the camera. This lecture gives a step-by-step tutorial on how such video streams can be augmented with computer-generated official ID cards, including all visible watermarks.

When you're fighting for a cause, you need tools that reflect your values. While venture capital-backed tools are seductive, especially at the beginning of your movement, they can be harmful in the long-term. This session shows how co-operatively owned, non-hierarchically built Free and Open Source Software (FOSS) provides a more sustainable, and equitable, solution.

Für Journalisten bieten soziale Netzwerke eine Vielzahl von Quellen und Informationen, in einem Ausmaß, das vor Jahren unvorstellbar war. Doch damit steigt auch das Risiko immer weiter, auf Manipulationen und „Fake News“ hereinzufallen. In Zeiten von „Lügenpresse“-Rufen stellt das Journalisten vor neue Herausforderungen. Der Vortrag zeigt, wie die Verifizierung von Bildmaterial bei großen Medienhäusern abläuft – und warum auch normale Nutzer diese Möglichkeiten kennen und benutzen sollten.

Im Mai 2018 initiierte Reclaim Club Culture (RCC) in Berlin einen Protest gegen einen Aufmarsch der AfD und die AFDsierung der Gesellschaft. Zusammen mit mehr als 170 Techno Clubs, Festivals und Veranstalter*innen organisierten wir innerhalb von zwei Wochen drei Demozüge, auf denen sich mehr als 60.000 Demonstrant*innen versammelten. Dies ereignete sich in einem politischen Klima, in dem die Linke von den Erfolgen der Faschist*innen wie gelähmt schien und ein großer Teil der Gesellschaft immer weiter nach rechts abdriftete. Ausgehend von einer selbstkritischen Praxis werden wir der Frage nachgehen, wie und warum dies (scheinbar) plötzlich gelang.

In this talk, we’re looking at third party tracking on Android. We’ve captured and decrypted data in transit between our own devices and Facebook servers. It turns out that some apps routinely send Facebook information about your device and usage patterns - the second the app is opened. We’ll walk you through the technical part of our analysis and end with a call to action: We believe that both Facebook and developers can do more to avoid oversharing, profiling and damaging the privacy of their users.

In Österreich regiert seit einem Jahr eine Koalition aus der rechtskonservativen ÖVP und der rechtsextremen FPÖ. Eine ihrer ersten Maßnahmen war eine vollkommen überzogene Verschärfung von Überwachungsbefugnissen: Bundestrojaner, Anlassdatenspeicherung, verstärkte Videoüberwachung, Straßenüberwachung. Registrierungspflicht für SIM-Karten, etc. Zugleich wurde versucht, die Datenschutzgrundverordnung (DSGVO) zu untergraben. Betroffenenrechte wurden ausgeschlossen, weite Ausnahmen geschaffen und Strafen sollen am besten gleich gar nicht angewendet werden. In diesem Talk geben wir ein Update über die netzpolitische Lage in Österreich.

Die Repaircafé-Bewegung rollt über unser Land herein. Wie können wir uns daran beteiligen und Synergien nutzen?

We let the technically ungifted build robots and to fight each other for the laughs.

Chaos meets Poetry Slam. Der humoristische Dichterwettstreit mit Informatikhintergrund. Mitmachen ausdrücklich erwünscht.

Every year since 2011 on the 28C3 we organize a Capture the Flag contest for people on the Congress and from all over the world. This year we want to give you an overview about what a CTF is, the challenges, the players, the community and how much fun it is to play (not only our) CTF.

Lightning Talks are short lectures (almost) any congress participant may give! Bring your infectious enthusiasm to an audience with a short attention span! Discuss a program, system or technique! Pitch your projects and ideas or try to rally a crew of people to your party or assembly! Whatever you bring, make it quick!

We mostly see with the mind, and the mind is flexible. For the four hundred million people with amblyopia (lazy eye), their brain encountered an installation error when linking both eyes as babies. As a "Plan B", their brain switched one eye off. I'll talk a bit about how the visual system works, and how our open-source virtual reality software (backed by social impact lab Leipzig and the prototypefund.de) can hack through that suppression and provide a chance to "re-install" full sight with two eyes.

Why do navigation systems have feminine voices? We know Tay, Eliza, Siri not only as female names, but also as chatbots and software, which directly interact with humans. Although computer programs are per se genderless, gender seems not to be cancelled out in human-machine interaction, but why?

Radical Digital Painting groups and presents several ideas and artifacts related to contemporary painting and contextualizes its connection to historical processes and digital technology. It is inspired by and is a continuation of Radical Computer Music.

Die Möglichkeiten des Microtargetings, aber auch der Desinformation mit Hilfe von Werbeplattformen wie Facebook sind vielfältiger, als man vor dem Cambridge-Analytica-Skandal vielleicht vermutet hätte. Darauf wollen wir auch angesichts der anstehenden Wahlen in Europa einen Blick werfen.

Private Unternehmen müssen nicht so transparent sein wie Behörden - selbst wenn sie sich wie Behörden benehmen. Welche Mittel können wir nutzen, um trotzdem Lichts ins Dunkel der Konzerne zu bringen? Wir stellen zwei Projekte mit unterschiedlichen Herangehensweise vor: Zum einen OpenSchufa, das das Scoring-Verfahren der Schufa rekonstruieren soll und erste Ergebnisse vorstellen kann. Zum anderen OffeneGesetze, das alle Bundesgesetzblätter seit 1949 erstmals kostenfrei und zur freien Weiterverwendung bereitstellt und jetzt dafür möglicherweise verklagt wird.

Spaß und ein kleines Bisschen Wissenschaft mit 3D-gedruckten Orgelteilen

Have you ever wanted to trace all syscalls or dump all IPC traffic across a Linux system? Until recently, doing so may have required some significant setup involving a half-baked tracing kernel module, a custom kernel module, or even using a kernel debugger. This talk will introduce the eBPF functionality of the Linux kernel and cover practical uses of the technology beyond mere code profiling. We will show how eBPF can be used both defensively and offensively to protect, or compromise, a system.

Das Jahr 2018 bietete wieder zahlreiche Beispiele für einen netzpolitischen Wetterbericht. Die Große Koalition lief sich mit der Bundesregierung warm und am Ende des Jahres droht man den Überblick über zahlreiche Kommissionen und Arbeitsgruppen zur Digitalisierung zu verlieren. Die gute Nachricht ist: Netzpolitik ist angekommen und geht nicht mehr so schnell weg. Die schlechte Nachricht ist: Beispiele für eine bessere Netzpolitik, Wert auf den Schutz und Ausbau von Grund- und Verbraucherrechte legt, gibt es leider eher weniger.

There is four times more dark matter and over fifteen times more dark energy than regular matter in the universe. And we have absolutely no idea what these invisible dark substances might be. This talk will show how we know that dark energy and dark matter exist, although we cannot see them directly. This kind of reverse enigneering of the universe already revealed some interesting features of the dark parts. However, the true nature of dark matter and dark energy are literally in the dark.

The deepening of global Internet infrastructure comes accompanied with an invigorated capacity and intent by adversaries to control the information that flows across it. Inextricably, political motivations and embedded power structures underlie the networks through which we interpret and understand our societies and our world - censorship threatens the integrity of the public sphere itself. The increasing technical sophistication of information controls deployed by censors in adversarial network environments around the world can be uniquely viewed and researched by circumvention tool providers, whose work continues to preserve access to the open Internet for all communities. Through this presentation, we endeavour to share insights gained from the front lines of this technical contest.

There has been a lot of talk about Virtual Reality (VR), but still there are very little applications to enhance our everyday lives outside of entertainment. Augmented Reality (AR), the less known sibling of VR, has the power to have a more profound impact on our lives than VR ever could. Instead of replacing the real world with a virtual one, AR enhances the reality with virtual content. Therefore, AR can be a gateway for people in accessing and understanding todays technology and could provide vast possibilities to support our everyday lives, e.g., for navigation, traveling, or education. This talk will give an overview on AR in general and explain its possible benefits and use cases, as well as the issues that may arise, e.g., regarding privacy, data security, as well as psychological and sociological challenges. The talk requires no special knowledge and is suited for people with little exposure to AR and mixed reality, but it will also give insights into current relevant research and development.

Broadcom's Bluetooth firmware on popular devices – such as Nexus 5, Nexus 6P, Raspberry Pi 3, and Raspberry Pi 3+ – shares the same firmware update mechanisms, which allows for local firmware modifications. With InternalBlue we published a framework to change lower Bluetooth layers. In this talk we go even further and demonstrate a remote exploit in the Broadcom firmware.

Laut Mythos wurde der CCC nur zu einem Verein, weil als einzige andere Rechtsform nur noch die kriminelle Vereinigung zur Alternative stand. Damit es bei euch nicht soweit kommt zeigen wir euch wie ihr bequem aus eurem Interessensverband, der Brettspielgruppe oder dem Nerdstammtisch einen guten deutschen e.V. macht. Alles mit einer Prise Humor aus unserem eigenen Versagen und einer Gemeinnützigkeit als Kirsche obendrauf.

Was hat sich im letzten Jahr im Bereich IT-Sicherheit getan? Welche neuen Entwicklungen haben sich ergeben? Welche neuen Buzzwords und Trends waren zu sehen?

35C3 is run by teams of volunteers. In this event, they will provide some insight into the challenges they faced while building the GSM, DECT and IP networks, running video streams, or organizing ticket sales. All graphs will be pointing up and to the right.

Hier hört es auf.