Content provided by CCC media team. All podcast content, including episodes, graphics, and podcast descriptions, is uploaded and provided directly by CCC media team or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process described here: https://fa.player.fm/legal
What does "make opensource ecosystem secure one audit at time" mean (for you and for me)? (osc25)
Ever wonder what goes on behind the scenes to keep your favorite open-source projects (relatively) secure? Spoiler alert: it's not magic (mostly)! This talk is a peek into the world of a security engineer who spends their days auditing code, hunting down vulnerabilities, and trying to make the open-source world a little less "Oops!" and a little more "Awesome!". We'll dive into: - What actually goes into a software audit. (Think less "spreadsheets," more "WTF is that?") - The thrill (and occasional horror) of vulnerability research. - Why this matters to you, even if you don't write code for a living. (Hint: it's about more than just avoiding the next big breach.) - How we, as a community, can all contribute to making open source safer – because, let's face it, we're all in this together. So, if you've ever been curious about the security side of open source, or just want to hear some war stories from the front lines, come join me! Let's talk about how we can make the open-source ecosystem more secure, one audit at a time. For you, for me, for everyone! Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de
2022 episodes
All episodes
The goodbye and look back on the camp. The thank you, the funny stories. All of them. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/VSKJMH/
Zero Trust (ZT) has evolved from pure network access to hype. ZT Everywhere has become a buzzword. If you ask about it during product presentations, the sales person sometimes runs out of the meeting. If we look beneath the surface, we find a lot of code that we trust in zero trust environments without realising it. Istio containers in service meshes, key management systems in SSH/Ansible environments and a whole lot of legacy code in confidential computing require trust in strange containers, ex-employees and attestation processes and a CI/CD pipeline for microcode in the cloud. What questions should we ask ZT? As the management of keys is crucial for TLS (encryption on transport), disk encryption (encryption on rest) and the new kid on the block confidential computing (encryption of data in use) we look under the carpet of implementations and raise a lot of questions to ask if implementing the concept. This immediately affects any digital sovereignty. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/3EHJGJ/…
A shared understanding of what time it is and the rate at which time progresses is essential in many areas of technology from industrial control to broadcast. There are two main ways of synchronizing time between multiple computers, Network Time Protocol (NTP) and Precision Time Protocol (PTP). NTP is sufficient for certificate validation, but when timing is crucial we need PTP. In this talk we will take a deep dive into PTP: what it is, how it works, and various ways to abuse it. In my previous talks about Audio over IP and AV technologies the Precision Time Protocol has come up repeatedly as something that deserves its own talk. PTP has a wider use case which makes it interesting as a target for shenanigans. The talk aims to consolidate several years of experience and research into a concise understanding of this fundamental technology. No prior knowledge about PTP or network time will be assumed. Some familiarity with networking basics will be helpful, but not essential. Warning may contain hacker humor. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/LJ9879/…
The Dutch Electoral Council builds its new software-to-be, with a small in-house team, open source and in public. We call her Abacus. In this talk we'll go in depth on the technical and management side of our project. We invite you to join and check out our work! Our talk contains actual code written in Rust. "The software used in elections is developed open source", according to the Dutch law on elections. As we are working on this software at the Dutch Electoral Council, we want to share our experience and invite you to check out our progress so far. We'll go into our development process and technical choices, show some of the cool contributions we received, some of our own code and show what happens when a small government organisation decides to take software development into its own hands. At the talk both the lead developer and teamlead are present, to be able to elaborate on the actual development and on the management of such a project. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/ALPRVC/…
After some internal evaluation and a journalist's inquiry on the possibility of Chinese state actors having access to camera footage, the Municipality of The Hague decided to do a security test focused on an APT threat on their traffic camera infrastructure. During the session we will show how the team approached this project, how some of the cinematic scenarios of causing traffic jams and using the cameras for espionage were possible in real life and what lessons were learned from the project. The session will start with providing a bit of context on why the project was started, what was already going on at that time and why the municipality of The Hague had further questions for which they needed a hacking team. We then discuss how we approached the project in a complex environment, where APT threats are involved and how that changes how you assess certain systems and features. The core of the presentation focuses on disclosing the actual vulnerabilities found within the systems, how we went through the full cyber kill chain within the environment and what that actually means in the physical realm if this had been exploited with malicious intent. Finally we end the presentation with some details on how the discovered issues were addressed and what general lessons can be learned from this project that could also be applicable for other similar environments. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/RJTUR8/…
This is NOT an introductory talk about ISMS (Information-Security-Management)! It is about my experiences and reflections about real-life issues when deploying an ISMS. There will be a section dedicated to 'hacking' an ISMS, though. The presumed audiences are: - individuals working in the realm of IS-/IT-security management - hackers working in environments that expose them to ISMS-related TODOs (I'll try to put these things into context!) - anyone trying to understand this ISMS-nonsense Agenda: 1) Introduction - Management-Systems - Information-Security-Management-Systems (ISO 27001, German BSI IT-Grundschutz) 2) Theory - Corporate overlords (a.k.a "hacking ISMSes") - Risk-Management - Compliance(-Reporting) - Certifications 3) Reality - What? Why? How? - Anecdotes 4) Conclusion Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/RMHF3N/…
This talk will take you along with a deep dive on how the internet works at its core and how you can participate yourself. You'll learn all about BGP, AS numbers, IP-prefixes and more. Ever wanted to become sovereign on the internet? Want to know what it's like to run an ISP? Are you a sysadmin that wants to learn more about networking? Then you're at the right place. This talk will take you along with a deep dive on how the internet works at its core and how you can participate yourself. You'll learn all about BGP, AS numbers, IP-prefixes and what you need to do if you want to participate. You will walk away with practical knowledge on how you can get started. We'll also take a short tour of my own network, how I set it up and what I use it for. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/NCFHN3/…
How do you scale up victim notifications from a couple of hundreds, to thousands, to millions to billions of stolen credentials? Credential theft is on the rise. Cybercriminals are getting smarter and more efficient. Why hack in, if you can log in? At the DIVD we see this trend in the cases where we assist with notifying victims of credential theft. Where our first such cases started with a mere three hundred-something credentials we are now sometimes faced with credential dumps that contain millions or even billions of credentials. How can we scale this up, what problems did we face, how did we solve them, and what haven't we solved yet? Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/KUVEEL/…
We in Quantum Development (WIQD) is a growing community dedicated to promoting diversity, equity, and inclusion (DEI) in the quantum ecosystem. In this presentation, we will introduce WIQD’s mission and activities, share insights from our first Women’s Day Hackathon, and highlight why fostering an inclusive quantum community is essential for innovation and impact. WIQD (We in Quantum Development) aims to build a thriving, inclusive network for professionals in quantum science and technology. During this 25-minute interactive presentation, we will briefly introduce WIQD and discuss the importance of DEI in quantum development. We will also share lessons learned from our 2024 Women’s Day Hackathon (https://www.wiqd.nl/event/womens-day-hackathon/), where participants collaborated to tackle technical and societal challenges in quantum. By reflecting on these experiences, we hope to inspire more people to get involved, collaborate across disciplines, and help shape an open, innovative quantum community. To make the talk interactive, we’ll use an e-tool to collect thoughts and ideas from the audience in real time. The speakers, Nina & Jay, will be based in the Quantum.Amsterdam village tent, please feel free to drop by to meet them. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/SUCW9S/…
Are you interested in maps? Are you searching for a FLOSS mapping navigation? Do you need geodata? Do you need a map on your site? Do you want to help creating maps from your local environment or from vulnerable places? Then, you have come to the right talk! This talk gives a broad overview of OpenStreetMap, the community and how to get started with it. OpenStreetMap is an open database of geodata and has become the biggest geodataset of the world. It is often called 'the wikipedia of maps' and is getting used in more and more applications - from grassroot movements to big corporations. A tremendous lot is possible, but it can be confusing to get started and to dive into the ecosystem. In this talk, I'll give a high-level overview of OpenStreetMap and answer the most important questions: - What is OpenStreetMap (and what is it not?) - What applications exist? - What tools exist? - How can one contribute? - How can one export data? - How can one get in touch with the local mapping community? No previous experience with mapping or GIS needed! This is a talk, so you don't have to bring anything. However, if you need some help with your first OSM-edits, I'll stick around after the talk to get you started. In that case, it might be useful to bring your laptop (or smartphone). Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/LLRPVY/…
Experiences from a hacker working at the Election Council of The Netherlands. After critically following the elections for 8 years from the outside, a hacker was employed as one of the functional administrators of the software supporting the elections. Sharing experiences of the use of election software during 7 elections (2020-2023), from local, national to European in The Netherlands. A governmental software project with strict deadlines, and high security expectations. The software project for elections in The Netherlands is built by an IT organization owned by German local governments. More than 10.000 Java files, what can possibly go wrong? During this time multiple emergency patches were needed and incidents occurred. Although at first explicitly not hired as a coder, within 3 months a Java code contribution was made that was unexpectedly more crucial than anticipated. This talk will show some incidents with the election software in The Netherlands: how the software failed, and when/how it was discovered. Go over how seeing the elections from the outside, and give some history of voting computers and software. Ending with some reflecting on the future. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/MPH9CD/…
What happens when an attacker controls time on a Linux system? This talk looks at how system clocks work, and what breaks when they’re manipulated. From bypassing delays to triggering subtle logic errors, we’ll explore how unstable time can subvert assumptions, break security controls, and cause software to behave in unexpected or unsafe ways. This talk explores the consequences of full control over time on a Linux system. We’ll start with a brief overview of how system clocks work, highlighting common assumptions made by applications and security mechanisms. The focus will be on local manipulation of the system clock — jumping forward, rewinding, or freezing time — and the unexpected ways software can break when time becomes unreliable. Through practical examples, we’ll see how time-based defences and logic can be bypassed, exposing vulnerabilities that often go unnoticed. Not every issue leads to a full exploit, but many reveal fragile trust assumptions rarely tested in real environments. This talk is for hackers, tinkerers, and developers who’ve ever relied on `sleep(1)` as a defence mechanism. You might rethink your assumptions about time-based security after attending. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/NZRWGU/…

Towards digital sovereignty with cloud federation: how to break the dominance of the hyperscalers (WHY2025) 45:52
A team of Dutch scientists and cloud engineers is working on Ecofed: European Cloud Services in an Open Federated Ecosystem. The objective and scope of the ECOFED project are to develop a technical framework for a more open and integrated cloud usage model. This framework will enable multiple clouds from various providers to function as a single, cohesive system, offering a European alternative to hyperscaler clouds. In this open cloud ecosystem, users can easily switch between different clouds. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/KVXYMB/…
Wikipedia tells us that _low-background steel_ is steel produced before the detonation of the first nuclear bombs. Yep, you guessed it, **this is a talk about Large Language Models**. LLM outputs have quickly spread like radionuclides, threatening everything from the scientific record to the existence of the Internet as we know it. In this talk I'll discuss _practical small web approaches_ that we can use to build a new Internet that doesn't suck quite so badly. There will also be memes ;-) Have you noticed how the **good stuff** on the Internet is increasingly hidden behind bot checks, subscriptions and paywalls? And that it's getting harder and harder to find things online due to LLM pollution? Welcome to the club! You are in the right place. In this talk I'll highlight some of the most egregious examples, consider how we can best preserve _low background information_ for future generations, and how we can use small web techniques like **self-hosted blogs and static site generators** to bootstrap a new infosphere that doesn't rely on a handful of _hyperscale operators_. I'm particularly interested in how we can _federate and syndicate search_, learning from protocols and standards like RSS and ActivityPub. As part of the talk I'll give you some practical tools and approaches to try. If you find this interesting, consider joining us in the [SearchClub](https://matrix.to/#/#searchclub:matrix.org). **Let's have fun building the new Internet together!** Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/FHLCMR/…
As everybody knows, "L" in IoT stands for long-term support. I'll take you on a tour of my technical adventure where I revived an abandoned IoT "AI" translator and gave it a new life, 2025-style. Through deciphering peculiar protocols and formats, reverse engineering firmware and software and doing the necessary research to write new software, we'll see how curiosity and persistence can help you overcome the most obscure technical challenges. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/TUD7EB/…
Chaos Computer Club - recent events feed (high quality)

Lightning talks are a 5 to 10 minute quick talk on an interesting subject. They can be with or without slides, and with or without proper preparation. If you weren't accepted in the main CfP, this is also a great opportunity to give an abridged version of your talk. These sessions will be available to sign up to later on, with details on the wiki: https://wiki.why2025.org/Lightning_Talks Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: various…

Did you know that if you change a single bit from 1 to 0 (or vice versa) in the first 'g' of the domain name google.com (which is 01100111 in binary) you will end up with a variety of valid "bitflip" domains like coogle.com, oogle.com, & woogle.com? So what happens if you generate and register a bunch of cheap bitflipped versions of popular cloud / SaaS provider domains, point them to your VPS, log all incoming requests & then forget about the whole thing for two years? Well you will in fact receive a stiff bill, generate huge log files and eventually run out of disk space. But on the upside, you will also have collected a treasure trove of legit credentials & interesting stuff like valid OAuth refresh tokens, JWT tokens, bearers, cookies, emails, meeting invites with passwords & truckloads of internet scanner noise. In this session we will revisit bitflip research from the last decade and weaponize it. Showcase 'Certainly' a pioneering offensive / defensive tool that employs Wildcard DNS matching & on-the-fly generated SSL certificates and custom payloads for incoming requests across various protocols. All with the intention to downgrade security, harvest credentials, capture emails and replace dependencies with custom "malicious" payloads. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/WQEGCU/…

Security teams want to prevent incidents - but what if controlled breaking prevents catastrophic failures? Drawing from aviation safety, chaos engineering, and resilience design, discover why 'unbreakable' security comes from breaking things on purpose. Learn to transform incident culture from blame to learning, implement controlled failure practices, and build psychological safety that turns near-misses into competitive advantages. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/AATCT7/…

A journey into reverse engineering arcade PCBs for video game preservation via FPGA emulation (WHY2025) 48:10
Some time ago, I embarked on a journey into the world of electronics and FPGA technology with no prior knowledge. What began as passion for retro gaming evolved into a quest for preservation via reverse engineering and FPGA-based emulation. This presentation will share my journey, highlighting the challenges of learning Verilog, the tools, the resources, and the lessons I learned along the way. By sharing my experiences I hope to inspire others to contribute to preservation of video games. **Abstract:** In an era where classic arcade games risk becoming obsolete, preserving them is crucial. This presentation chronicles a journey from curiosity to creation, demonstrating how FPGAs can be used to create an accurate emulator. **Introduction to FPGAs:** FPGAs are versatile integrated circuits that offer unparalleled flexibility for hardware design. Unlike fixed CPUs or GPUs, FPGAs allow for reconfiguration, making them ideal for creating custom solutions like game emulators. This section will explore the advantages of FPGA-based emulation over traditional software emulators, and the existing platforms like the MiSTer FPGA. **Verilog Programming:** Verilog is a hardware description language used for defining digital circuits in FPGAs. This part introduces Verilog's role in designing these circuits, and how it differs from traditional programming languages. **Reverse Engineering PCBs:** This segment breaks down the process of reverse engineering an arcade PCB. From identifying components and their connections, to reversing custom ICs and schematics creation. **Creating an arcade game core:** A case study on the creation of an arcade game FPGA core. Challenges faced during development, and specificities of arcade game emulation. **Conclusion:** The presentation concludes by encouraging attendees to embark on their own journey, offering practical advice and resources to facilitate their exploration into FPGA-based gaming preservation.
The goal is to inspire and equip newcomers with the knowledge and tools to preserve classic arcade games through FPGA emulation. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/3AKXN7/…

TIC-80 fantasy console Byte Jam is a friendly competition to livecode a demo in a relaxed atmosphere. TIC-80 fantasy console Byte Jam is a friendly competition to livecode a demo in a relaxed atmosphere. This can take an hour or more depending on the inspiration and time needed of the participants. You could follow the suggested randomly chosen topic or do your own thing. TIC-80 is a fantasy console with limited resources like 240x136 pixels display, 16 color palette, 256 8x8 color sprites, 4 channel sound, etc. This gives the TIC-80 a very retro look and feel. This byte jam is a good representation of the demoscene, where coders/hackers with very limited resources in hard or software make stunning audio and visual effects. In Europe the demoscene got status of cultural heritage in Finland, Germany and Poland and requested for Netherlands and other countries. Want to join this Byte Jam as coder? Check with Dave / zeno4ever for the possibilities!! Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/ZRBZAC/…

I used CircuitPython (but could have also used MicroPython as well, so this is not about A vs. B) to implement various smart-home related projects. I will present some of my projects and also dive into what Python has to offer for (personal, not corporate-style) embedded devices (and the development process). 1) Introduction - My (past) smart-home setup - Moonshot: my future smart-home setup 2) Projects - Thermal printer(s) - RFID scanners - Media controls - Family calendar 3) CircuitPython - Ups and downs - CircuitPython on various Microcontrollers: real-life 4) Conclusion Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/M3GWAJ/…

Our digital communities are controlled by corporate platforms that surveil, manipulate, and arbitrarily deplatform us. We need a Bill of Digital Rights—ensuring privacy, ownership, algorithmic control, and self-governance. This talk lays out the Four Freedoms for Social Media and how open protocols like ATProtocol, ActivityPub, and Nostr make them possible. The future of social media must serve communities, not corporations—and we must demand it. The Four Freedoms of Social Media: A Bill of Rights for Digital Communities Just as free software has the Four Freedoms, our digital communities need Four Freedoms for Social Media—fundamental rights that ensure people, not corporations, control their online spaces. Social media today is defined by surveillance, manipulation, and arbitrary control—but it doesn’t have to be. This talk lays out what we must demand from social protocols: 1. The Freedom to Connect – No one should be prevented from communicating or organizing due to corporate interests or government pressure. 2. The Freedom to Move – Users and communities must be able to leave one platform and take their relationships, content, and identity elsewhere. 3. The Freedom to Understand & Control Algorithms – People should know how their feeds are shaped and have the power to change them. 4. The Freedom to Self-Govern – Communities should set their own rules, rather than being subject to arbitrary moderation and deplatforming. Technologies like AT Protocol (BlueSky), ActivityPub (the Fediverse), and Nostr offer glimpses of this future, but they must be built around these freedoms—not just as features, but as non-negotiable principles. This talk isn’t just about what’s possible—it’s about what we must demand from the next generation of social protocols. The future of digital communities should belong to us—not corporations. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/WDPPRA/…

Afturmath closes the live music program with an immersive journey of sound and light. Combining modular synthesizers, lasers, and abstract video synthesis, Afturmath crafts dense, evolving sonic landscapes that invite you to lose yourself in the experience. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/7W9GTM/…

This talk introduces participants to the Bosch BMI270 (inertial sensor) and BME690 (environmental sensor) on the WHY2025 Hackathon Badge. After a brief overview of MEMS technology and how these tiny sensors are made and used, we’ll dive into a hands-on session showing how to read sensor data using MicroPython — so you can start experimenting right away. MEMS (Micro-Electro-Mechanical Systems) sensors are miniature, highly precise components that detect motion, position, and environmental conditions. They are widely used in smartphones, cars, wearables, and smart home devices and are manufactured in specialized cleanrooms using advanced semiconductor processes. This talk starts with a short introduction covering: What are MEMS? How are they made? What can the Bosch BMI270 (6-axis IMU) and BME690 (gas, humidity, temperature, and pressure sensor) do? After this overview, we’ll switch to a practical session: you’ll learn how to get started with MicroPython to access real-time sensor data on the WHY2025 Badge. By the end, you’ll be ready to experiment with your own ideas and prototypes based on the badge’s powerful sensing capabilities. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/9HUFEX/…

Modern software development and operations rely heavily on third-party applications, libraries, containers etc. This presentation will showcase how dev, ops, but also security management can be transparent about dependency versioning and known vulnerabilities, while also staying on track with updates. It will show demos of Open Source Standards like SBOM and Frameworks like Dependency-Check, Dependency-Track and Renovate that can help automate the sadness of today's supply chain issues. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/7C8XYS/…
The Light and Music entertainment platform Lightupyourbanjo began in 2010 when “Cash-a-billy with a Bluegrass bite” band Ed and the Fretmen wanted to have better lights on their banjo. They developed banjo lights with addressable LEDs for in and outside mounting showing interactive animations, written in C++ supporting the songs, and wrote songs to support the lights. In 2025 the Lightupyourbanjo bands will be fighting the darkness with the new O4 model built into their 3 banjos. In the WHY Lightupyourbanjo talk, we will look at the world of banjo lights, present the new O4 model and features, apply the 5xWHY analysis on this all to explore the greater meaning, and finally we hope to bring some Light and Music to WHY 2025. https://www.youtube.com/watch?v=_j19nTYNWv4 Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/9NQTEL/…

This talk will enable you to lead architecture conversations and discuss their security options through an informal diagramming technique. I will use examples such as key/encryption architectures, DevOps, and even your home music system. Presentation at https://digitalinfrastructures.nl/why2025/ You have seen many diagrams of computer and information systems in your career. They have been around since the early days of computing. They can be useful, but there are a few typical problems with them: • They are drawn with obscure symbols that are only understood by architects • They are drawn in an inconsistent way • They are not used to their fullest potential. In my practice I have run into these problems often, and I have found ways to turn a certain type of diagram, a simplified version of deployment diagrams, into the cornerstone of explanation of what goes on in cloud and cybersecurity. In the talk I will lead you through the basic principles, and a few examples. This will enable you to lead architecture conversations and discuss their security options. I will use examples such as key/encryption architectures, DevOps, and even your home music system. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/PRV9UP/…

Offworld Voyage: Can Training for Mars Exploration Also Address Human Adaptation to Climate Bio-devastation on Earth? (WHY2025) 46:53
This talk will present the design philosophy behind Offworld Voyage, a decentralized science initiative that develops ecologically sustainable training habitats for use in simulated Mars surface exploration missions - while also solving for adaptation to extreme climate change on Earth. The Offworld Voyage M.A.R.S. Tesseract Space Analog Simulation Habitats were designed with a zero waste ethos for minimal environmental impact by inventor Scott Beibin and visual wizard Michael Flood. The modular and portable structures of the habitats include: a bio-dome for cultivating organic vegan plant-based and fungi-based nutrition sources, autonomous power production, advanced waste reclamation, a science laboratory for experimentation and research, a space medicine bay, a fabrication lab for prototyping and repair, facilities for fitness and creativity as well as a kitchen and living quarters. Mission immersions incorporate a vision of the future when space has become accessible to all through the use of emerging ecologically sustainable appropriate technologies enabled by new types of egalitarian economic structures and coordination methods. Crew activities include EVA explorations in pressurized space suits outfitted with bio-sensors, 3D printed construction using regolith, utilization of open source communications tools, cooperative governance exercises and the practice of mutual aid and consensus decision making in mission planning, problem-solving and self-sufficiency challenges in the face of extreme resource scarcity, simulated time-delayed communications and experiments to analyze the effects of isolation on astronauts during offworld missions. The inaugural mission for the M.A.R.S. Tesseract habitats will occur in a remote desert location in the near future. 
It will include the founders of the project, Scott Beibin and Elizabeth Jane Cole, who are both alumni of the Mars Desert Research Station (Mission 286) and core committee members of the Journal for Space Analog Research. Future plans for the project include the development of pressurized facilities and closed loop systems, as well as development of public goods including hardware and software for Space Analog Research and S.T.E.A.M based educational programs. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/ZDE7NN/…

You've maybe seen the raking robot that got a CEH (Certified Estetisch Harker) certificate, the Telex linked to Twitter/Telegram or the ASCII photo booth. They are all made by me. If this talk gets accepted I will do a deep dive on these three contraptions and what I learned building them. Besides Schuberg Philis, DIVD, attending the farm and keeping my bees I also build machines. It is an interesting process and I want to share it with you. Machines I will be talking about: * The (world's?) 1st 3D color printer from TNO * The raking robot * AI/Twitter/Telegram/Slack connected Telex * ASCII photo booth Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/FYPY7C/…

During this talk we look at hardware and firmware reverse engineering, but also at corporate intimidation tactics and how to respond ethically as a security researcher. Leveraging the hard-coded AES keys, outdated software, and lots and lots of custom code we found, we were able to install "custom code" on some phones and access global customer configuration data by exploiting Yealink's global cloud provisioning service (RPS). Communication is the cornerstone of human collaboration and vital to functional governments, flourishing businesses, and our personal lives. We take for granted that sensitive information we send through our digital communication infrastructure is only received by the intended recipient. This puts immense responsibility on communication equipment manufacturers and service providers to keep our communications safe from prying eyes. Surely we can trust a global, leading manufacturer of video conferencing, voice communication and collaboration solutions to keep our data safe, right? ...right? They may have shiny devices and their marketing slides might be impressive, but we care about what's on the inside. In this talk, we take a look at Yealink VoIP business phones and their cloud infrastructure. Come with us on a technical deep dive involving hardware hacking and firmware reverse engineering, but also listen to a story about corporate intimidation tactics and lessons on how not to treat security researchers. What we find is a security researcher's dream: hard-coded AES keys, outdated software, and lots and lots of custom C code (including cryptography!). We were not only able to run custom code on some phones, but were also able to access configuration data of their global cloud provisioning service while casually answering the age-old question: "Does it run DOOM?". 
This project concluded in a wide-ranging coordinated vulnerability disclosure involving the manufacturer, telecom providers, national cybersecurity agencies, and major customers, which we will also outline in this talk. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/CXVW7V/…

How we stopped a € 50 million project from destroying a forest (and other ways to pick fights with corporations and governments) (WHY2025) 37:31
In 2017 a large corporation announced that they wanted to build a € 50 million theme park in a small forest that I had known from my childhood, thus replacing the future of our children with simple entertainment. An overwhelming feeling of injustice came over us. We created a plan, and we stuck to it. We drew a line in the sand. Fatalism can be your greatest enemy, but it doesn’t have to be. Welcome to the rebellion. In 2017 a large corporation announced that they wanted to build a water theme park in a small forest that I had known from my childhood. Immediately an overwhelming feeling of injustice came over me. Why would you sacrifice the future of our children for a theme park? It turned out a number of neighbours had the same feeling. We decided to draw a line in the sand. For seven years we fought a battle with the corporation and the government, and the whole time everybody was telling us this was a fight we could not win. In 2024 we won that fight. It turned out it wasn’t just luck. We created a plan, and we stuck to it. Since then we have been sharing our experiences with other organisations. Fatalism can be your greatest enemy, but it doesn’t have to be. Welcome to the rebellion. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/7EMW3A/…

Building Bitchat: Offline first protocols and E2E Encrypted Social Apps with Nostr, Noise, and MLS (WHY2025) 43:47
Learn how to build end-to-end encrypted social apps including the newly released Bitchat using Nostr and MLS (Messaging Layer Security). We'll go from Nostr basics through to encrypted groups, explore the open source libraries and apps already in production, and show how to build your own. Includes live coding demonstrating how to create secure, private social tools that actually scale. You'll leave knowing how to build real e2e apps using tested, working tools. Building truly private social applications isn't just about adding encryption - it's about rethinking how we build social spaces. By combining Nostr's decentralized protocol with MLS's efficient group encryption, we can create social apps that are both private and practical. The talk walks through: Technical Foundation: - How Nostr works: events, relays, and NIPs - Understanding MLS tree-based group key management - Implementing encrypted groups that actually scale - Real-world performance and security considerations Practical Building: - Tour of working libraries - Open source apps you can use today - Common implementation challenges and solutions - Live coding of a basic encrypted group chat Beyond the Code: - Why traditional platform encryption fails - How forking solves community governance - Building tools that empower rather than control - Real examples from nos.social and communities.nos.social You'll leave understanding not just the protocols, but how to build real applications that respect privacy and community autonomy. We'll look at actual code running in production, discuss practical challenges we've solved, and show how you can start building your own encrypted social tools today. This isn't just theory - everything shown is running in production now. Whether you're interested in cryptography, social protocols, or just want to build better tools for human communication, you'll get concrete knowledge you can use. 
Prerequisites: Basic familiarity with public key cryptography helpful but not required. Examples will use JavaScript/TypeScript but concepts apply to any language. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/3QQLRN/…

It's hard for a platform to have meaningful, useful ratings/reviews without both substantially Knowing Your Customer, engineering to detect manipulated reviews, and responding in a nuanced way -- to increase a fraudster's costs, and not just train them to hide better. Lots of examples of diverse platforms not doing a very good job of this. (I'll also talk about how this knowledge sometimes leads platforms to try to manipulate their own customers to maximize their sales). Ratings and reviews, although almost universally relied on by consumers, are, like much other online info, often manipulated to increase sales or pump up merchant reputation (but are sometimes used maliciously to slam a competitor). Even sites that only allow reviews from purchasers can be manipulated, particularly on platforms where low cost products are sold. Ebay harbors fraudulent sellers by combining buyer and seller reputation, and not weighting by sale price. (So a 5 star rating for a trivial purchase accrues equal reputation as a large value sale.) Many manipulations should be easily detectable by looking for some clear behavioral signatures, and then not training the adversaries by using adversary engineering rather than simply deactivating accounts. (I'll show you how to spot a lot of the red flags.) Examples ranging from pumped up restaurant listings (up to #1 in London), Amazon and Ebay's problems, a puppy sales site that had a rating system so bad by design that they were sued by an animal rights org for facilitating fraud by puppy mills. (There are a lot of sick puppies out there...) Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/CJQD7U/…

My experience of contributing to an open-source project for the first time and the juicy details (maths) of the geometry of the Sferical lamps (the ones that hang in Heaven / Silent Lounge) I'd like to take you with me on how I built a generator for spherical lampshades. I'll talk about how math slowly turns into magic. The math is mainly trigonometry, so we can reminisce about high school. But don't worry too much about it. It will be visualised, so everyone can follow along. The real magic happens when we introduce light into the equation, illuminating the creations in stunning ways. Plus, since this project is open source, you'll have the opportunity to craft your own unique lampshades! Or hack it into something else entirely... Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/Y9YKJF/…

In a world of relentless cyber-threats, MIAUW (Methodology for Information Security Assessment with Audit Value) turns every pentest into a high-impact, traceable mission. This session reveals how its storyline-driven playbook fuses technical exploitation, legal rigor and forensic reporting into a reusable blueprint that regulators love and attackers fear. Expect war-stories, live-demo snippets, and a roadmap to weaponize compliance while clawing back control over risk. This talk introduces MIAUW — Methodology for Information Security Assessment with Audit Value — a structured approach to penetration testing that goes beyond technical exploits to deliver legal defensibility, governance value, and repeatable insight. We begin with a familiar problem: many pentests are technically sound but fail to produce lasting impact. Reports are delivered, risks are noted — and then nothing changes. There’s little accountability, no alignment with organizational processes, and limited value for oversight. MIAUW changes that. It brings structure, traceability, and dual accountability by involving not just the pentester, but also a dedicated auditor. Every step — from planning and scenario definition to execution, reporting, and organizational learning — is part of a documented process. The auditor produces a formal protocol, providing legal and governance-grade assurance over the findings. In this session, we’ll cover: - How MIAUW works: from the first conversation to the final deliverables. - Why including an auditor raises the bar for quality, traceability, and board-level trust. - Real-world stories of organizations that transformed their security posture through structured offensive testing. - How to get started with MIAUW, even when working with external testing partners. 
Whether you're a CISO, security consultant, internal auditor or board advisor, this talk will challenge the way you think about pentests — and show you how to make every test a reusable asset for control and improvement. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/NLDDV7/…

In 2017 (just before SHA2017) the Dutch healthcare sector came together to create Stichting Z-CERT, the Zorg Computer Emergency Response Team. A nonprofit to protect and advise the Dutch Healthcare sector. What started as a small startup has now grown into a scaleup with the ambitions to match. A lot has changed in the 3 years since the last talk about Z-CERT. In this talk we will: - Tell who we are - Show what we do - Give a little peek behind the curtain how we do that Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/KJEMMF/…
live-bootstrap is a worthy attempt to provide a reproducible, automatic, complete end-to-end bootstrap from a minimal number of binary seeds to a supported fully functioning operating system. Although it starts with a minimal binary seed of only 280 bytes it also depends on a lot of other sources. What are those sources exactly and how can we review these to make sure that live-bootstrap can be trusted? I have spent the past two years studying stage0 of the live-bootstrap project in order to understand how it works, to find out on what sources it depends, and to create an interactive documentation hopefully helping others to understand it and review the sources. In this process, I have written programs to interpret the kaem scripts, an emulator for stage0, and a program to analyze the strace output and generate a T-diagram. In the presentation, I will talk about the steps I have taken, present the results, and also discuss ways to simplify the stage0 sources, such as developing a C-compiler targeted for compiling the Tiny C Compiler using a small stack-based language as intermediate language. 'Slides' for the presentation: https://iwriteiam.nl/WHY2025_talk.html Links: - https://iwriteiam.nl/Software.html - https://iwriteiam.nl/livebootstrap.html - https://github.com/FransFaase/Emulator/ - https://fransfaase.github.io/Emulator/tdiagram.html - https://github.com/FransFaase/MES-replacement Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/33HD7W/…

Over the past few years, I’ve been casually poking around and stumbling upon exposed data and insecure infrastructure all across the telco ecosystem. From unsecured debug portals to full backend access, the leaks themselves might seem technically boring. In this talk, I’ll walk through a handful of real-world cases, showing how misconfigurations, sloppy code, and forgotten interfaces can lead to serious exposures. These include: * an eSIM provisioning portal exposed via unauthenticated debug web interface * full backend access to a smartphone retail platform, including CRM data and hotline audio recordings * publicly accessible SIM inventory systems, Call Data Records (CDRs), and even passport scans * "open source" telco functions running in plain PHP, sometimes with hardcoded credentials * …and more strange eSIM-related findings This isn’t a high-end 0-day story. This is about minimal-effort, boring data leaks that still manage to have a surprisingly high impact. The talk will include examples, screenshots, and recurring patterns that keep coming up. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/7A7QJV/…

Placeholder for WHY2025 Infrastructure Review... various *OC teams will present about the infrastructure they have built for WHY2025. At least Team:NOC will join; previously also Team:Nuts (Power), Team:POC and Team:VOC have joined. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/FY8CXY/…
Adversary-in-the-Middle (AiTM) phishing kits have matured into full-service SaaS platforms. This talk dives into the infrastructure, control panels, and sellers behind modern AiTM attacks. From Dockerized environments to Telegram bot-based UIs, we unpack how these platforms operate, scale, and monetize. We also highlight how this SaaS model is spreading. Expect a technical walkthrough of the ecosystem fueling today’s phishing economy. This talk offers a deep dive into the infrastructure and operational models behind modern Adversary-in-the-Middle (AiTM) phishing attacks. These aren't hobbyist scripts—they are mature, productized platforms that resemble legitimate SaaS offerings. We explore how these platforms work under the hood: - How attackers deploy dockerized phishing kits - The use of CDNs, Telegram bots and proxy networks - Panel features like token capture, mailers, and multi-user support - Revenue models, actor branding, and upsells We will showcase real examples of AiTM panels (including EvilProxy, Tycoon, Mamba2FA, and Raccoon), backed by original research and detection data gathered from over 2,000 incidents across hundreds of Microsoft 365 tenants. Attendees will walk away with an understanding of how these platforms scale, how attackers manage their infrastructure, and how defenders can detect and preempt them using techniques like pixel beacons and certificate transparency. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/SKKCEM/…

You want to learn more about Linux permissions? This is the talk for you. Let's learn about the basic UID/GID concepts in Linux and expand into more complex ACLs. Then escalating on the "everything-is-a-file" concept and applying the learned security logic onto program behavior using SELinux or AppArmor. The first point a "normal" user encounters Linux permissions, is often when he wants to execute a downloaded file (from the internet) - requiring him to set the executable-bit... But this one bit is just a part of a much larger world of the Linux permissions - starting with the usual umask-reduced "drwxrwxr-x" and including access-control-lists for more complex scenarios. The learned concepts can then be applied onto not only files, but also devices (e.g. using udev)... Most users also know how to bypass "Permission Denied" trouble (by just using "sudo"), but how does that actually work? But managing access to files and devices from the user's perspective is just one side of Linux security, as one can also apply this filtering logic onto system-calls programs make: For this we will take a quick look into SELinux and AppArmor, two of the more popular hardening frameworks and how their rulesets work. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/QNH3VU/…

I (hopefully) will have cycled from my home city of Mannheim all the way to the WHY camping grounds (>500km) in one go. I will report how I approached the whole endeavour, how I prepared, what the challenges were and what the hard part was. If I happen to not make it, I will describe how, why and what I should have done better. Planning and executing a plan like that, cycling more than 500km in one go demands equal parts preparation and lack of sanity. I want to share the story in an attempt to inspire people to explore their limits and achieve things that they did not think they would be able to do. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/FQNMBE/…

Afterparty for "Reverse Engineering Life: A teardown of the DNA source code of a whole bacterium". Q&A and some bonus content. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/A8LMHV/

For a good decade now, containerisation has been a popular solution: Addressing issues such as security, fault tolerance, and scalability, it has turned into a mainstay in IT. Though with a technology that ubiquitous, it does deserve investigation whether it has been put to good use or rather pressed into service. This talk includes a brief history of container solutions while challenging a number of common assumptions. While geared at a more seasoned audience, the presentation is very much from the perspective of the ‘plumbing layers,’ which comes with the discussion of many core concepts of Docker/OCI. Hence this should be beginner-friendly to a degree. Mild audience participation is to be expected; may contain traces of DevOps. **Keywords:** *containers; cloud; linux; docker; oci; kubernetes* Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/MREBV9/…

TETRA is a European standard for trunked radio used globally by police, military and civilian parties alike. In the past, we already published the hitherto secret inner workings of TETRA and on several of its severe security issues. We're now back to discuss the last crucial part of TETRA security - its optional (and costly) end-to-end encryption, reserved for the most sensitive use cases. We'll discuss in detail how we obtained and analyzed those elusive algorithms, and what we found. TETRA is a European standard for trunked radio used globally by police and military operators. Additionally, TETRA is widely deployed in industrial environments such as harbors and airports, as well as critical infrastructure such as SCADA telecontrol of pipelines, transportation and electric and water utilities. In previous research, we published [TETRA:BURST](https://www.midnightblue.nl/tetraburst), revealing vulnerabilities in the TETRA air interface encryption, and publishing the secret cryptographic primitives for public scrutiny. We now present all-new material, assessing the optional and often expensive end-to-end encryption, which adds an additional layer of encryption on top of the air interface encryption, a layer that can only be decrypted by the traffic's recipient, and not by the infrastructure. These solutions enjoy significant end-user trust and are intended for the most sensitive of use cases. While the ETSI standard on TETRA does facilitate integration of some E2EE solution, the solutions themselves are vendor-proprietary, and proved quite hard to obtain. The opaque nature of this solution and TETRA's history of offering significantly less security than advertised (including backdoored ciphers) is worrying enough, but given our previous TETRA:BURST research, E2EE is frequently mentioned as a potential mitigation. In order to shed light on its suitability, we decided to undertake the effort of reverse-engineering a TETRA E2EE solution. 
We'll discuss how we investigated the E2EE landscape, and how we (after being scammed on a Motorola device) managed to extract an implementation from a popular Sepura radio. We'll then discuss the E2EE design (that we have published on GitHub) along with a security analysis, identifying several severe shortcomings ranging from the ability to inject voice traffic into E2EE channels and replay SDS (short text) messages to an intentionally weakened E2EE variant, which reduces its 128-bit key to only 56 bits. In addition, we will discuss new findings related to multi-algorithm networks and official patches, relevant for asset owners mitigating the TETRA:BURST vulnerabilities previously uncovered by us. Finally, we will demonstrate the E2EE voice injection attack as well as the previously theoretical TETRA packet injection attack on SCADA networks. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/WSM3XV/…