HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept
[
{
"id": "a877c904-f887-588e-9637-9b1df2f019dd",
"kind": "official",
"name": "10 years of Dieselgate",
"slug": "10-years-of-dieselgate",
"url": "https://api.events.ccc.de/congress/2025/event/a877c904-f887-588e-9637-9b1df2f019dd/?format=api",
"track": "security",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "en",
"description": "10 years ago, Felix spent a lot of sleepless nights on reverse-engineering the Diesel software that implemented the (by now) well-known \"Acoustic Function\" defeat device; he presented his findings at the 32c3 and 33c3 in 2015 and 2016, expecting this to be the last time we needed to hear about this.\r\n\r\nLittle did he know about the extent of the Diesel emissions cheating. Since then he has analyzed many more vehicles, learned a bit or two about mechanical engineering problems of cars.\r\n\r\nKarsten, working as a court-appraised expert, will add his unique view on the challenges in documenting software that was never meant to be understood by the public.\r\n\r\nThis talk will discuss methodologies of independent analysis of highly dynamic systems that many people see as black boxes (but that, of course, are not: they are just machines running software).",
"schedule_start": "2025-12-29T21:45:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-29T22:45:00+01:00"
},
{
"id": "5aaab022-3cb6-5d1a-9326-eec204bbb8f1",
"kind": "official",
"name": "1965 + 60 Years of Algorithmic Art with Computers",
"slug": "1965-60-years-of-algorithmic-art-with-computers",
"url": "https://api.events.ccc.de/congress/2025/event/5aaab022-3cb6-5d1a-9326-eec204bbb8f1/?format=api",
"track": "art-beauty",
"assembly": "ccc",
"room": "62251a07-13e4-5a72-bb3c-8528416ee0f2",
"location": null,
"language": "en",
"description": "We want to look at the complex topic of art created with computers, beginning with some careful and barely noticed first experiments and emerging into an ever more diverse and creative field, from different angles. In particular, we want to focus on the dynamics of power and how these developments were influenced by their context - from social movements to political pressure.\r\n\r\nWe want to start with explaining how the initial developments, both from an artistic - concrete art - and technological - the evolution of computers and the creation of the drawing machine Zuse Z64 in Germany and film techniques in the US, respectively - took place. We will do so in the context of the first three exhibitions that all took place in the year 1965. Their artworks were created by Georg Nees in Stuttgart, A. Michael Noll with Béla Julesz in New York and Frieder Nake with Georg Nees, again in Stuttgart.\r\n\r\nIn the following, we will try to give an outline of further developments. We provide examples how hierarchies in art and science have developed and played a role in different events. In the domain of computer-generated art, similar to other art, there are two large influences hidden for the typical recipient of this art - galleries and critics. We will discuss this exemplary with early exhibitions of Frieder Nake being described by the FAZ and later on, how the east-west conflict has influenced the art and its exhibitions. Among other issues, we discuss patriarchal structures, the commercial side of art, how old tech is sold as revolutionary and how progress is still as connected with threatening feelings as in the early years.\r\n\r\nLooking back at the beginnings, it is interesting to observe how artists - also with an artistic, rather than technical background - worked with the limitations and overcame them. 
Fortunately, the technological entry barrier to create algorithmic art yourself has drastically decreased over time and we want to encourage you to experiment yourself!\r\n\r\nFrieder Nake is creating algorithmic drawings and doing visual research since 1964. In 1971, he published the influential essay \"there should be no computer art\" and he has been teaching computer graphics at the University of Bremen for decades. Enna Gerhard is pursuing a PhD in theory of computer science and creates algorithmic drawings in the meantime.",
"schedule_start": "2025-12-27T19:15:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-27T20:15:00+01:00"
},
{
"id": "da752c1f-1231-5039-a2a9-9daa2f114606",
"kind": "official",
"name": "51 Ways to Spell the Image Giraffe: The Hidden Politics of Token Languages in Generative AI",
"slug": "51-ways-to-spell-the-image-giraffe-the-hidden-politics-of-token-languages-in-generative-ai",
"url": "https://api.events.ccc.de/congress/2025/event/da752c1f-1231-5039-a2a9-9daa2f114606/?format=api",
"track": "art-beauty",
"assembly": "ccc",
"room": "7202df07-050c-552f-8318-992f94e40ef0",
"location": null,
"language": "en",
"description": "Tokens are the fragments of words that generative models use to process language, the step that breaks text into subword units before any neural networks are involved. There are 51 ways to combine tokens to spell the word giraffe using existing vocabulary: from a single token **giraffe** to splits using multiple tokens like *gi|ra|ffe*, *gira|f|fe*, or even *g|i|r|af|fe*.\r\n\r\nIn one experiment, we hijacked the prompting process and fed token combinations directly to text-to-image models. With variations like *g|iraffe* or *gir|affe* still generating recognizable results, our experiments show that the beginning and end of tokens hold particular semantic weight in forming giraffe-like images. This reveals that certain images cannot be generated through prompting alone, as the tokenization process sanitizes most combinations, suggesting that English, or any human language, is merely a subset of token languages.\r\n\r\nThe talk features experiments using genetic algorithms to reverse-engineer prompts from images, respelling words in token language to change their generative outcomes, and critically examining token dictionaries to investigate edge cases where the vocabulary breaks down entirely, producing somewhat *speculative languages* that include strange words formed at the edge of chaos where English meets token (non-)sense.\r\n\r\nThese experiments show that even before generation occurs, token dictionaries already encode a stochastic worldview, shaped by the statistical frequencies of their training data – dominated by popular culture, brands, platform-speak, and *non-words*. Tokenization is, therefore, a political act: it defines what can be represented and how the world becomes computationally representable. We will look at specific tokens and ask: Which models use which vocabularies? What *non-word* tokens are shared among models? And how do language models make sense of a world using a language we do not understand?",
"schedule_start": "2025-12-28T23:00:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-28T23:40:00+01:00"
},
{
"id": "fa59ce23-205c-5cd9-a7de-8ba768e3bf3f",
"kind": "official",
"name": "Aber hier Leben? Nein danke! …oder doch? Wie wir der autoritären Zuspitzung begegnen können.",
"slug": "aber-hier-leben-nein-danke-oder-doch-wie-wir-der-autoritaren-zuspitzung-begegnen-konnen",
"url": "https://api.events.ccc.de/congress/2025/event/fa59ce23-205c-5cd9-a7de-8ba768e3bf3f/?format=api",
"track": "ethics-society-politics",
"assembly": "ccc",
"room": "7202df07-050c-552f-8318-992f94e40ef0",
"location": null,
"language": "de",
"description": "Mit dem „Super-Ost-Wahljahr“ 2024 (Landtagswahlen in Sachsen, Thüringen und Brandenburg) wurden bereits alle möglichen AfD-Regierungs-Horrorszenarien in Ostdeutschland in den Medien diskutiert und ausgemalt. Nächstes Jahr stehen jedoch noch die Landtagswahlen in Sachsen-Anhalt und Mecklenburg-Vorpommern an. Und die Prognosen sehen auch dort übel aus. Wären morgen Wahlen, würde die AfD in Sachsen-Anhalt 39% der Stimmen und in Mecklenburg-Vorpommern 38% bekommen. Um dem etwas entgegenzusetzen müssten wüste Bündnisse aus CDU, Die Linke, SPD und BSW entstehen. Kurzum: LSA und MV sind verloren!\r\n \r\nZusätzlich schrumpfen beide Bundesländer und altern gleichzeitig. In Sachsen-Anhalt gibt es keinen einzigen „wachsenden“ Ort. Weniger Kinder, immer mehr ältere Menschen, Fachkräftemangel und ein „Männerüberschuss“ – wer will da schon noch Leben und dem rechten Sog die Stirn bieten? Emanzipatorische Akteur:innen verlassen das Land, denn sie werden angegriffen und kriminalisiert. Also: Mauer drum und sich selbst überlassen? Ganz nach dem alten Tocotronic Song „Aber hier Leben? Nein danke!“ \r\n\r\nWir wollen den Osten aber nicht aufgeben, deshalb beleuchten wir in unserem Talk, wie wir mit einer gemeinsamen Kraftanstrengung die Mauer vermeiden können – denn es gibt sie (noch): Die Gegenstimmen und Linken Aktiven die in beiden Bundesländern täglich die Fähnchen hochhalten. Ob die „Zora“ in Halberstadt, das „AZ Kim Hubert“ in Salzwedel oder das „Zentrum für Randale und Melancholie“ in Schwerin: Sie organisieren Austauschräume, alternative Konzerte und Orte, die für alle Menschen offen sind. Sie brauchen unseren Support und wir zeigen euch Möglichkeiten wie dieser aussehen könnte.\r\n\r\nAußerdem wollen wir ins Gespräch kommen. Was hat eigentlich „der Westen“ mit all dem zu tun? Warum können wir es uns nicht länger leisten unpolitisch oder inaktiv zu sein? Wie kann die Chaos-Bubble sich in die ostdeutschen Herzen hacken? 
Und was können wir alle tun, um gemeinsam zu preppen und uns den Herausforderungen zu stellen?",
"schedule_start": "2025-12-29T20:30:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-29T21:30:00+01:00"
},
{
"id": "05e9ba1f-11c5-5d4e-b907-4feecc857ae5",
"kind": "official",
"name": "Agentic ProbLLMs: Exploiting AI Computer-Use and Coding Agents",
"slug": "agentic-probllms-exploiting-ai-computer-use-and-coding-agents",
"url": "https://api.events.ccc.de/congress/2025/event/05e9ba1f-11c5-5d4e-b907-4feecc857ae5/?format=api",
"track": "security",
"assembly": "ccc",
"room": "62251a07-13e4-5a72-bb3c-8528416ee0f2",
"location": null,
"language": "en",
"description": "During the Month of AI Bugs (August 2025), I responsibly disclosed over two dozen security vulnerabilities across all major agentic AI coding assistants. This talk distills the most severe findings and patterns observed.\r\n\r\nKey highlights include:\r\n* Critical prompt-injection exploits enabling zero-click data exfiltration and arbitrary remote code execution across multiple platforms and vendor products\r\n* Recurring systemic flaws such as over-reliance on LLM behavior for trust decisions, inadequate sandboxing of tools, and weak user-in-the-loop controls.\r\n* How I leveraged AI to find some of these vulnerabilities quickly\r\n* The AI Kill Chain: prompt injection, confused deputy behavior, and automatic tool invocation\r\n* Adaptation of nation-state TTPs (e.g., ClickFix) into AI ClickFix techniques that can fully compromise computer-use systems.\r\n* Insights about vendor responses: from quick patches and CVEs to months of silence, or quiet patching\r\n* AgentHopper will highlight how these vulnerabilities combined could have led to an AI Virus\r\n\r\nFinally, the session presents practical mitigations and forward-looking strategies to reduce the growing attack surface of probabilistic, autonomous AI systems.",
"schedule_start": "2025-12-28T13:30:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-28T14:30:00+01:00"
},
{
"id": "3e87bab2-575a-53be-8101-5d8144253646",
"kind": "official",
"name": "AI Agent, AI Spy",
"slug": "ai-agent-ai-spy",
"url": "https://api.events.ccc.de/congress/2025/event/3e87bab2-575a-53be-8101-5d8144253646/?format=api",
"track": "ethics-society-politics",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "en",
"description": "The talk will provide a critical technical and political economy analysis of the new privacy crisis emerging from OS and application level AI agents, aimed at the 39C3 \"Ethics, Society & Politics\" audience.\r\n\r\n1. Defining the Threat: The OS as a Proactive Participant (5 mins)\r\nWe will begin by defining \"Agentic AI\" in two contexts - imbibed into the operating system and deployed via critical gateway applications such as web browsers. Traditionally, the operating systems and browsers are largely neutral enforcers of user agency, managing resources and providing APIs for applications to run reliably. We will argue that this neutrality is close to being eliminated. The new paradigm shifts these applications into a proactive agent that actively observes, records, and anticipates user actions across all applications. The prime examples for this analysis will be Microsoft’s \"Recall\" feature, Google’s Magic Cue, and OpenAI’s Atlas. Politically, we will frame this not as a \"feature\" but as the implementation of pervasive, non-consensual surveillance and remote-control infrastructure. This \"photographic memory\" of and demand for non-differentiated access to everything from private Signal messages to financial data to health data creates a catastrophic single point of failure, making a single security breach an existential threat to a user's entire digital life. Ultimately, we hope to illustrate how putting our brains in a jar (with agentic systems) is effectively a prompt injection attack against our own humanity.\r\n\r\n2. The Existential Threat to Application-Level Privacy (10 mins)\r\nThe core of the talk will focus on what this means for privacy-first applications like Signal. We will explain the \"blood-brain barrier\" analogy: secure apps are meticulously engineered to minimize data and protect communications, relying on the OS to be a stable, neutral foundation on which to build. This new OS trend breaks that barrier. 
We will demonstrate how OS-level surveillance renders application-level privacy features, including end-to-end encryption, effectively useless. If the OS can screenshot a message before it's encrypted or after it's decrypted, the promise of privacy is broken, regardless of the app's design. We will also discuss the unsustainable \"clever hacks\" (like Signal using a DRM feature) that developers are forced to implement, underscoring the need for a structural solution.\r\n\r\n3. An Actionable Framework for Remediation (20 mins)\r\nThe final, and most important, part of the talk will move from critique to action. We will present an actionable four-point framework as a \"tourniquet\" to address these immediate dangers:\r\n\r\na. Empower Developers: Demand clear, officially supported APIs for developers to designate individual applications as \"sensitive\" with the default posture being for such applications being opted-out of access by agentic systems (either OS or application based) (default opt-out)\r\n\r\nb. Granular User Control: Move beyond all-or-nothing permissions. Users must have explicit, fine-grained control to grant or deny AI access on an app-by-app basis.\r\n\r\nc. Mandate Radical Transparency: OS vendors and application developers must clearly disclose what data is accessed, how it's used, and how it's protected—in human-readable terms, not buried in legalese. Laws and regulations must play an essential role but we cannot just wait for them to be enforced, or it will be too late. \r\n\r\nd. Encourage and Protect Adversarial Research: We will conclude by reinforcing the need for a pro-privacy, pro-security architecture by default, looking at the legal frameworks that govern these processes and why they need to be enforced, and finally asking the attendees to continue exposing vulnerabilities in such systems. 
It was only due to technically-grounded collective outrage that Recall was re-architected by Microsoft and we will need that energy if we are to win this war.",
"schedule_start": "2025-12-29T19:15:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-29T20:15:00+01:00"
},
{
"id": "13468ffb-06e8-53ca-9e7c-3cfa56cd44af",
"kind": "official",
"name": "AI-generated content in Wikipedia - a tale of caution",
"slug": "ai-generated-content-in-wikipedia-a-tale-of-caution",
"url": "https://api.events.ccc.de/congress/2025/event/13468ffb-06e8-53ca-9e7c-3cfa56cd44af/?format=api",
"track": "ethics-society-politics",
"assembly": "ccc",
"room": "7202df07-050c-552f-8318-992f94e40ef0",
"location": null,
"language": "en",
"description": "It began as a standard maintenance project: I wanted to write a tool to find and fix broken ISBN references in Wikipedia. Using the built-in checksum, this seemed like a straightforward technical task. I expected to find mostly typos. But I also found texts generated by LLMs. These models are effective at creating plausible-sounding content, but (for now) they often fail to generate correct checksums for identifiers like ISBNs. This vulnerability turned my tool into an unintentional detector for this type of content. This talk is the story of that investigation. I'll show how the tool works and how it identifies this anti-knowledge. But the tech is only half the story. The other half is human. I contacted the editors who had added this undeclared AI content. I will talk about why they did it and how the Wikipedians reacted and whether \"The End is Nigh\" calls might be warranted.",
"schedule_start": "2025-12-27T23:55:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-28T00:35:00+01:00"
},
{
"id": "a2dd3dc7-ecae-50b3-82d9-266ad02f7a40",
"kind": "official",
"name": "All my Deutschlandtickets gone: Fraud at an industrial scale",
"slug": "all-my-deutschlandtickets-gone-fraud-at-an-industrial-scale",
"url": "https://api.events.ccc.de/congress/2025/event/a2dd3dc7-ecae-50b3-82d9-266ad02f7a40/?format=api",
"track": "security",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "en",
"description": "At last year's Congress Q presented [a deep-dive into the technical details of train ticketing](https://media.ccc.de/v/38c3-what-s-inside-my-train-ticket) and its [Zügli](https://zügli.app) platform for this; since then, things have gone rather out of hand. The little side-project for looking into the details of train tickets turned into a full-time project for detecting ticketing fraud. This talk details an executive summary of the madness that has been the past year, and how we accidentally ended up in national and international politics working to secure the Deutschlandticket.\r\n\r\nShortly after last year's talk, we were contacted about some *interesting* looking tickets someone noticed, issued by the Vetter GmbH Omnibus- und Mietwagenbetrieb - or so they claimed to be. These were normal Deutschlandtickets, but with a few weird mistakes in them. At first, we thought nothing much of it; mistakes happen. But, on further investigation, these turned out to not be legitimate tickets at all, but rather from a fraudulent website by the name of d-ticket.su, using the private signing key obtained under suspicious circumstances. How exactly this key came into the wrong hands remains unclear, but we present the possible explanations for how this could've happened, how many responsible have been thoroughly uncooperative in getting to the bottom of this, and how the supporting systems and processes of the Deutschlandticket were unable to cope with this situation.\r\n\r\nParallel to this, another fraud has been draining the transport companies of their much-needed cash: SEPA Direct Debit fraud. Often, a direct debit payment can be set up online with little more than an IBAN and ticking a box; and most providers of the Deutschlandticket offer an option to pay via direct debit. 
Fraudsters have noticed this, and mass purchase Deutschlandtickets with invalid or stolen IBANs before flipping them for a discounted price on Telegram; made easier because most transport companies issue a ticket immediately, before the direct debit has been fully processed. The supporting systems of the Deutschlandticket in many cases don't even provide for the revocation of such tickets. We will detail the hallmarks of this fraud, how transport companies can work to prevent it, and how we tracked down the fraudsters by their own careless mistakes.",
"schedule_start": "2025-12-27T16:00:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-27T17:00:00+01:00"
},
{
"id": "304dd87b-7de5-557c-9951-1add24396a0b",
"kind": "official",
"name": "All Sorted by Machines of Loving Grace? \"AI\", Cybernetics, and Fascism and how to Intervene",
"slug": "all-sorted-by-machines-of-loving-grace-ai-cybernetics-and-fascism-and-how-to-intervene",
"url": "https://api.events.ccc.de/congress/2025/event/304dd87b-7de5-557c-9951-1add24396a0b/?format=api",
"track": "ethics-society-politics",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "en",
"description": "The idea of the Super-Human is not a new one, neither is the idea of a charismatic „good“ leader nor to sort humans into classes, races, abilities. The idea of a few controlling many by force and ideas that justify their rulership and cruelties is an old one, as is the opposing idea of a free society and humans as equals.\r\nA central aspect is how people involved see the human nature and according to that what society they want to build. And what role is intended for technology.\r\nIn the 19th century the beliefs of both the opposing sides dripped into science, as well as individual’s heads, and social movements around the world. While some wanted to form a world society of equals others wanted to breed a master race to control everything.\r\n\r\nThe love of industrial leaders for authoritarianism has played an important role since the beginning in funding and providing access to powerful networks. Industrialists like Henry Ford loved and promoted ideas at least close to fascism. German, Italian, and Austrian counterparts funded Hitler and Mussolini. And it is not that they did it because they did not understand the fascist leader’s yearning – it was because they shared and loved their aims and violence. \r\n\r\nIn Futurism, one of the often overlooked roots of fascism, and its Manifesto the enemies and societal goals are proclaimed crystal clear: “We will glorify war — the only true hygiene of the world — militarism, patriotism, the destructive gesture of anarchist, the beautiful Ideas which kill, and the scorn of woman.“\r\n\r\nAfter WWII most of the people believing in dominating others by force and eugenics lived on, they and their cronies had slaughtered millions and destroyed whole social movements that were opposing them. 
These people warning us about authoritarian prophets of doom and concentration camps are still missing.\r\n\r\nIn the post-war time ideas of authoritarianism met a new player: Cybernetics, the belief in a future, where all problems will be solved through technology and we are “All Watched Over by Machines of Loving Grace” (Richard Brautigan, 1967). The ideas split, merged, and melted into new beliefs and quasi-religions. Into something that is called “Cyber-Libertarianism” by David Golumbia or “TESCREAL” by Émile P. Torres and Timnit Gebru. \r\n\r\nThis talk will address an aspect that is often missing in analyses: What kind of breeding ground is it where ideas of fascism hatch best? And how can we stop iFascism instead of participating in it?\r\n\r\nFurthermore, as being sorted by machines is not everyone's secret dream, ways to stop iFascism will be provided.\r\n\r\nBecause we are more, we care for people in need – and we are the chaos!",
"schedule_start": "2025-12-27T11:00:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-27T11:40:00+01:00"
},
{
"id": "0df52094-ee30-5d05-bf48-573a5eae1a8d",
"kind": "official",
"name": "Amateurfunk im All – Kontakt mit Fram2",
"slug": "amateurfunk-im-all-kontakt-mit-fram2",
"url": "https://api.events.ccc.de/congress/2025/event/0df52094-ee30-5d05-bf48-573a5eae1a8d/?format=api",
"track": "hardware",
"assembly": "ccc",
"room": "62251a07-13e4-5a72-bb3c-8528416ee0f2",
"location": null,
"language": "de",
"description": "Schon kurz nachdem die ersten Satelliten den Weltraum eroberten, waren auch Amateurfunkende dabei und brachten ihr Hobby in dieses Feld ein. Auch bei Fram2, der ersten bemannten Mission, die beide Polarregionen überflog, war der Sprechfunkkontakt mit einer Universität fest eingeplant.\r\n\r\nDer studentische Funkclub \"AFuTUB\" (https://dk0tu.de) an der TU Berlin hat die Crew der Fram2 angefunkt – mit einem experimentellen Funksetup, das für viele von uns Neuland war.\r\n\r\nWir geben Einblicke in zwei intensive Wochen Planung, Koordination und Aufbau, den Betrieb einer (improvisierten) Bodenstation, sprechen über technische Hürden, Antennendesign und Organisation – und wie wir schließlich mit der Astronautin Rabea Rogge im Weltraum gefunkt haben.",
"schedule_start": "2025-12-28T15:40:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-28T16:20:00+01:00"
},
{
"id": "8a09918c-9b59-53b2-ab8e-4f2cfdb460d5",
"kind": "official",
"name": "a media-almost-archaeology on data that is too dirty for \"AI\"",
"slug": "a-media-almost-archaeology-on-data-that-is-too-dirty-for-ai",
"url": "https://api.events.ccc.de/congress/2025/event/8a09918c-9b59-53b2-ab8e-4f2cfdb460d5/?format=api",
"track": "art-beauty",
"assembly": "ccc",
"room": "7202df07-050c-552f-8318-992f94e40ef0",
"location": null,
"language": "en",
"description": "In the 1980s, non-white women’s body size data was categorized as dirty data when establishing the first women's sizing system in the US. Now in the age of GPT, what is considered as dirty data and how are they removed from massive training materials? \r\n\r\nDatasets nowadays for training large models have been expanded to the volume of (partial) internet, with the idea of “scale averages out noise”, these datasets were scaled up by scrabbling whatever available data on the internet for free then “cleaned” with a human-not-in-the-loop, cheaper-than-cheap-labor method: heuristic filtering. Heuristics in this context are basically a set of rules come up with by the engineers with their imagination and estimation that are “good enough” to remove “dirty data” of their perspective, not guaranteed to be optimal, perfect, or rational.\r\n\r\nThe talk will show some intriguing patterns of “dirty data” from 23 extraction-based datasets, like how NSFW gradually equals to NSFTM (not safe for training model), and reflect on these silent, anonymous yet upheld estimations and not-guaranteed rationalities in current sociotechnical artifacts, and ask for whom these estimations are good-enough, as it will soon be part of our technological infrastructures.",
"schedule_start": "2025-12-29T11:55:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-29T12:35:00+01:00"
},
{
"id": "7557e54c-89e9-530d-aafb-8736570661d4",
"kind": "official",
"name": "Amtsgeheimnis raus, Datenhalde rein: was die Informationsfreiheit in Österreich bringt",
"slug": "amtsgeheimnis-raus-datenhalde-rein-was-die-informationsfreiheit-in-osterreich-bringt",
"url": "https://api.events.ccc.de/congress/2025/event/7557e54c-89e9-530d-aafb-8736570661d4/?format=api",
"track": "ethics-society-politics",
"assembly": "ccc",
"room": "62251a07-13e4-5a72-bb3c-8528416ee0f2",
"location": null,
"language": "de",
"description": "Die Kampagne – wie aus \"binnen zwei Wochen\" mehr als elf Jahre wurden\r\nDie Strategien – die man übernehmen kann\r\nDer Vergleich – wie ist Österreichische IFG im Vergleich zum Deutschen, und ist das der richtige\r\nDie (besten) Preisträger – aus mehr als zehn Jahren des Schmähpreises \"Mauer des Schweigens\"\r\nDie Datenhalde – mit Aufruf, was aus dem Datenberg zu machen",
"schedule_start": "2025-12-28T19:15:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-28T19:55:00+01:00"
},
{
"id": "fae65b90-30c4-5ce1-8d59-d8f3600c7845",
"kind": "official",
"name": "And so it begins - Wie unser Rechtsstaat auf dem Highway Richtung Trumpismus rast – und warum afghanische Kläger*innen für uns die Notbremse ziehen",
"slug": "and-so-it-begins-wie-unser-rechtsstaat-auf-den-highway-richtung-trumpismus-rast-und-warum-afghanische-klager-innen-fur-uns-die-notbremse-ziehen",
"url": "https://api.events.ccc.de/congress/2025/event/fae65b90-30c4-5ce1-8d59-d8f3600c7845/?format=api",
"track": "ethics-society-politics",
"assembly": "ccc",
"room": "7202df07-050c-552f-8318-992f94e40ef0",
"location": null,
"language": "de",
"description": "•\tVersprochen ist versprochen und wird auch nicht gebrochen“ – das lernen wir schon als Kinder. Aber der Kindergarten ist schon lange her, und Politiker*innen haben zwar oft das Auftreten eines Elefanten, aber das Gedächtnis eines Goldfischs.\r\n•\tDeswegen hätte die Bundesregierung auch fast 2.500 Afghan*innen mit deutschen Aufnahmezusagen in Islamabad „vergessen“, die dort seit Monaten auf die Ausstellung ihrer deutschen Visa warten\r\n•\tDas Kalkül dahinter: Pakistan erledigt die Drecksarbeit und schiebt sie früher oder später ab, Problem solved! - selbst wenn dabei Menschenleben auf dem Spiel stehen.\r\n•\tWie kann die Zivilgesellschaft die Notbremse ziehen, wenn sich Regierung und Verwaltung nicht mehr an das eigene Recht gebunden fühlen?\r\n•\tEine Möglichkeit: wir vernetzen die afghanischen Familien mit Anwält*innen, damit sie Dobrindt und Wadephul verklagen - und sie gewinnen! Die Gerichtsbeschlüsse sind eindeutig: Visa sofort erteilen – sonst Strafzahlungen! Inzwischen laufen über 100 Verfahren an vier Verwaltungsgerichten, weitere kommen täglich hinzu. \r\n•\tDas dürfte nicht ganz das gewesen sein, was die neue Bundesregierung meinte, als sie im Koalitionsvertrag verkündete, „freiwillige Aufnahmeprogramme so weit wie möglich zu beenden“. \r\nÜbersetzung der politischen Realitätsversion: Wenn es nach Dobrindt und dem Kanzler geht, sollen möglichst gar keine Schutzsuchenden aus Afghanistan mehr nach Deutschland kommen – rechtsverbindliche Aufnahmezusagen hin oder her. Einreisen dürfen nur noch anerkannte Terroristen aus der Taliban-Regierung, um hier in Deutschland die afghanischen Botschaften und Konsulate zu übernehmen\r\n•\tDurch die Klagen konnten bereits 78 Menschen einreisen, etwa 80 weitere Visa sind in Bearbeitung – und weitere werden vorbereitet.\r\n•\tDoch wie in jedem Drehbuch gilt: The Empire strikes back! 
Die Regierung entwickelt laufend neue Methoden, um Urteile ins Leere laufen zu lassen und Einreisen weiterhin zu blockieren.\r\n•\tWillkommen im „Trumpismus made in Germany“.",
"schedule_start": "2025-12-27T19:15:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-27T20:15:00+01:00"
},
{
"id": "c9f5a6df-6c79-5492-b3e0-110347358445",
"kind": "official",
"name": "A post-American, enshittification-resistant internet",
"slug": "a-post-american-enshittification-resistant-internet",
"url": "https://api.events.ccc.de/congress/2025/event/c9f5a6df-6c79-5492-b3e0-110347358445/?format=api",
"track": "ethics-society-politics",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "en",
"description": "Enshittification wasn't an accident. It also wasn't inevitable. This isn't the iron laws of economics at work, nor is it the great forces of history.\r\n\r\nEnshittification was a choice: named individuals, in living memory, enacted policies that created the enshittogenic environment. They created a world that encouraged tech companies to merge to monopoly, transforming the internet into \"five giant websites, each filled with screenshots of the other four.\" They let these monopolists rip us off and spy on us. \r\n\r\nAnd they banned us from fighting back, claiming that anyone who modified a technology without permission from its maker was a pirate (or worse, a terrorist). They created a system of \"felony contempt of business-model,\" where it's literally a crime to change how your own devices work. They declared war on the general-purpose computer and demanded a computer that would do what the manufacturer told it to do (even if the owner of the computer didn't want that).\r\n\r\nWe are at a turning point in the decades-long war on general-purpose computing. Geopolitics are up for grabs. The future is ours to seize. \r\n\r\nIn my 24 years with EFF, I have seen many strange moments, but never one quite like this. There's plenty of terrifying things going on right now, but there's also a massive, amazing, incredible opportunity to seize the means of computation. \r\n\r\nLet's take it.",
"schedule_start": "2025-12-28T13:30:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-28T14:30:00+01:00"
},
{
"id": "11d5c612-0e50-500b-b071-c4ba0dd076cd",
"kind": "official",
"name": "APT Down and the mystery of the burning data centers",
"slug": "apt-down-and-the-mystery-of-the-burning-data-centers",
"url": "https://api.events.ccc.de/congress/2025/event/11d5c612-0e50-500b-b071-c4ba0dd076cd/?format=api",
"track": "security",
"assembly": "ccc",
"room": "62251a07-13e4-5a72-bb3c-8528416ee0f2",
"location": null,
"language": "en",
"description": "In August 2025 Phrack published the dump of an APT member's workstation. The attacker was most likely Chinese, working on targets aligned with North Korea's doctrine. The dump was full of exploits, attacker tools and loot. Data from government networks, cell carriers and telcos, including server databases and loads of private keys stemming from the government PKI. The attacker had maintained a steady foothold in various targets in South Korea and Taiwan before accidentally \"losing\" their workstation.\r\n\r\nThe dump sparked a government investigation, and big corporations like LG, Lotte and Korea Telecom were asked to explain themselves. The government also mandated an on-site audit in the data center where the hacks had taken place. On the day of the audit, some li-ion batteries in the data center mysteriously caught fire. The blaze destroyed close to 100 servers (which had no backup) and plunged public service in South Korea into disarray. \r\nShortly after, the Lotte data center burned as well - the corporation had been victim of a breach recently, albeit by a different threat actor. In the beginning of October, one of the officers examining the government data center fire tragically died by his own hand.\r\n\r\nThe talk aims to revisit this mysterious sequence of events that was started by an article in Phrack #72. It doesn't hope to give answers or a solution, but narrates a story that could be from a spy thriller. Caution: Conspiracies and technical gore could be present.\r\n[TW: Suicide, self-harm]",
"schedule_start": "2025-12-29T16:00:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-29T17:00:00+01:00"
},
{
"id": "b3ef337e-bfb3-51bf-bcaa-0b2d697b9c7f",
"kind": "official",
"name": "A Quick Stop at the HostileShop",
"slug": "a-quick-stop-at-the-hostileshop",
"url": "https://api.events.ccc.de/congress/2025/event/b3ef337e-bfb3-51bf-bcaa-0b2d697b9c7f/?format=api",
"track": "security",
"assembly": "ccc",
"room": "85a6ba5d-11d9-4efe-8d28-c5f7165a19ce",
"location": null,
"language": "en",
"description": "[HostileShop](https://github.com/mikeperry-tor/HostileShop) creates a simulated web shopping environment where an **attacker agent LLM** attempts to manipulate a **target shopping agent LLM** into performing unauthorized actions. Crucially, HostileShop does not use an LLM to judge attack success. Instead, success is determined automatically and immediately by the framework, which reduces costs and enables rapid continual learning by the attacker LLM.\r\n\r\nHostileShop is best at discovering **prompt injections** that induce LLM Agents to make improper \"tool calls\". In other words, HostileShop finds the magic spells that make LLM Agents call functions that they have available to them, often with the specific input of your choice.\r\n\r\nHostileShop is also capable of [enhancement and mutation of \"universal\" jailbreaks](https://github.com/mikeperry-tor/HostileShop?tab=readme-ov-file#prompts-for-jailbreakers). This allows **cross-LLM adaptation of universal jailbreaks** that are powerful enough to make the target LLM become fully under your control, for arbitrary actions. This also enables public jailbreaks that have been partially blocked to work again, until they are more comprehensively addressed.\r\n\r\nI created HostileShop as an experiment, but continue to maintain it to let me know if/when LLM agents finally become secure enough for use in privacy preserving systems, without the need to rely on [oppressive](https://runtheprompts.com/resources/chatgpt-info/chatgpt-is-reporting-your-prompts-to-police/) [levels of surveillance](https://www.anthropic.com/news/activating-asl3-protections).",
"schedule_start": "2025-12-28T17:35:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-28T18:15:00+01:00"
},
{
"id": "e0739bd6-f804-5fde-8cf6-fc940567bf45",
"kind": "official",
"name": "Asahi Linux - Porting Linux to Apple Silicon",
"slug": "asahi-linux-porting-linux-to-apple-silicon",
"url": "https://api.events.ccc.de/congress/2025/event/e0739bd6-f804-5fde-8cf6-fc940567bf45/?format=api",
"track": "hardware",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "en",
"description": "In this talk, you will learn how Apple Silicon hardware differs from regular laptops or desktops.\r\nWe'll cover how we reverse engineered the hardware without staring at disassembly but by using a thin hypervisor that traces all MMIO access and then wrote Linux drivers.\r\nWe'll also talk about how upstreaming to the Linux kernel works and how we've significantly decreased our downstream patches in the past year.\r\n\r\nAs an example, we will use support for the Type-C ports and go into details why these are so complex and required changes across multiple subsystems.\r\n\r\nIn the end, we'll briefly talk about M3/M4/M5 and what challenges we will have to overcome to get these supported.",
"schedule_start": "2025-12-30T11:00:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-30T11:40:00+01:00"
},
{
"id": "3ad7da57-ece4-5a75-9e52-f93d7df79734",
"kind": "official",
"name": "A space odyssey #2: How to study moon rocks from the Soviet sample return mission Luna 24",
"slug": "a-space-odyssey-2-how-to-study-moon-rocks-from-the-soviet-sample-return-mission-luna-24",
"url": "https://api.events.ccc.de/congress/2025/event/3ad7da57-ece4-5a75-9e52-f93d7df79734/?format=api",
"track": "science",
"assembly": "ccc",
"room": "7202df07-050c-552f-8318-992f94e40ef0",
"location": null,
"language": "en",
"description": "In this talk, members of the Museum for Natural History in Berlin will present the story of a Luna 24 sample retrieved by the GDR from the USSR. The sample has been almost \"lost\" to time. When it fell into our hands, we started understanding its historical and scientific significance, produced specialized sample containers and initiated curation efforts of the sample while slowly understanding its history and geochemical composition.\r\n\r\n### Luna 24 Moon Mission\r\nWhat happened on the 18th & 19th of August 1976 on the moon? Why was this landing site chosen and how was the sample retrieved and brought back to Earth? Which way did the scientists handle these extremely precious samples? Picture: Музей Космонавтики (CC0 1.0)\r\n\r\n### Methods and Results\r\nWhich methods can be utilized to gather new information from such a sample without destroying it? Which storage and curation methods must be used to preserve its value for the scientists that come after us? How did advanced analytical methods like µCT, electron microscopes, µ X-ray fluorescence spectrometers and nitrogen-cooled infrared spectrometers contribute to our understanding of the sample?\r\n\r\nFly with us to the moon!\r\n\r\nThis work has been developed together with Christopher Hamann.",
"schedule_start": "2025-12-28T13:30:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-28T14:30:00+01:00"
},
{
"id": "ba655198-f461-5a1b-998c-12ed49fc7aae",
"kind": "official",
"name": "A Tale of Two Leaks: How Hackers Breached the Great Firewall of China",
"slug": "a-tale-of-two-leaks-how-hackers-breached-the-great",
"url": "https://api.events.ccc.de/congress/2025/event/ba655198-f461-5a1b-998c-12ed49fc7aae/?format=api",
"track": "security",
"assembly": "ccc",
"room": "62251a07-13e4-5a72-bb3c-8528416ee0f2",
"location": null,
"language": "en",
"description": "While probing the Great Firewall’s DNS injection system in 2021, we noticed something strange: Sometimes the injected responses contained weird garbage. After some investigation, we realized we’d stumbled onto a memory disclosure vulnerability that would give us an unprecedented window into the Great Firewall’s internals: Wallbleed.\r\n\r\nSo we crafted probes that could leak up to 125 bytes per response and repeatedly sent them for two years. Five billion responses later, the picture that emerged was... concerning. Over 2 million HTTP cookies leaked. Nearly 27,000 URL parameters with passwords. SMTP commands exposing email addresses. We found traffic from RFC 1918 private addresses - suggesting we were seeing the Great Firewall’s own internal network. We saw x86_64 stack frames with ASLR-enabled pointers. We even sent our own tagged traffic into China and later recovered those exact bytes in Wallbleed responses, proving definitively that real user traffic was being exposed.\r\n\r\nIn September 2023, the patching began. We watched in real-time as blocks of IP addresses stopped responding to our probes. But naturally the same developers that made this error in the first place made further mistakes. Within hours, we developed “Wallbleed v2” queries that still triggered the leak. The vulnerability persisted for another six months until March 2024.\r\n\r\nGFW measurement research went back to business as usual until September of this year when an anonymous source released 600GB of leaked source code, packages, and documentation via Enlace Hacktivista. This data came from Geedge Networks - a company closely connected to the GFW and the related MESA lab. 
Geedge Networks develops censorship software not only for the GFW but also for other repressive countries such as Pakistan, Myanmar, Kazakhstan, and Ethiopia.\r\n\r\nWe will discuss some of our novel findings from the Geedge Networks leak, including new insights about how the leak relates to Wallbleed.\r\n\r\nWallbleed and the Geedge Networks leak show that censorship measurement research can be about more than just actively probing censored networks. We hope this talk will be a call to arms for hackers against Internet censorship.\r\n\r\n\r\nMore information about Wallbleed can be found at the GFW Report:\r\nhttps://gfw.report/publications/ndss25/en/",
"schedule_start": "2025-12-27T11:00:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-27T11:40:00+01:00"
},
{
"id": "dac63c75-58d4-5d97-9910-c9ec9c9c63b7",
"kind": "official",
"name": "Atoms in Space",
"slug": "atoms-in-space",
"url": "https://api.events.ccc.de/congress/2025/event/dac63c75-58d4-5d97-9910-c9ec9c9c63b7/?format=api",
"track": "science",
"assembly": "ccc",
"room": "7202df07-050c-552f-8318-992f94e40ef0",
"location": null,
"language": "en",
"description": "Quantum technologies have seen a wide field of applications in medicine, geosciences, computing and communications, in many cases bridging the gap from laboratory experiments to commercial products in the last decade. For terrestrial applications that is. But what about going to space?\r\n\r\nQuantum physics based sensors and experiments promise higher accuracy, sensitivity or better long term stability as they rely on immutable properties of atoms. When properly manipulated, these (ultra-)cold atoms are likely to outperform state of the art instruments. Experiments conducted on sounding rockets demonstrated important steps like Bose-Einstein Condensate creation during a few minutes in microgravity, enabling more advanced quantum experiments in the future. The International Space Station and the Tiangong Space Station host dedicated experiments like ultrastable clocks as well as flexible research infrastructure for fundamental research benefitting from long free-fall times. However, the deployment of such technologies on satellites is not as advanced. Satellite missions utilizing quantum sensors or performing long term experiments are subject to studies and proposals backed by a broad scientific community aiming at better understanding of climate change, interplanetary navigation or tests of general relativity. First steps towards realization of such missions are taken by ESA, NASA and various national space agencies as well as universities funded by national agencies or the EU.\r\n\r\nThis talk will detect the current state of atoms in space and give an overview of active programs to deploy quantum sensors on operational satellite missions. 
The focus is on future applications in geosciences and related fields employing the same technology.\r\n\r\n- [Presentation](https://cfp.cccv.de/media/39c3/submissions/TXYU83/resources/39C3_Atoms_in_Space_CHOIpRv.pdf)\r\n- [Extended list of references](https://cfp.cccv.de/media/39c3/submissions/TXYU83/resources/References_v11_AryJX8G.pdf)",
"schedule_start": "2025-12-30T11:00:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-30T11:40:00+01:00"
},
{
"id": "0425efd8-fec5-5dbc-860b-8478857dc9ac",
"kind": "official",
"name": "Auf die Dauer hilft nur Power: Herausforderungen für dezentrale Netzwerke aus Sicht der Soziologie",
"slug": "auf-die-dauer-hilft-nur-power-herausforderungen-fur-dezentrale-netzwerke-aus-sicht-der-soziologie",
"url": "https://api.events.ccc.de/congress/2025/event/0425efd8-fec5-5dbc-860b-8478857dc9ac/?format=api",
"track": "science",
"assembly": "ccc",
"room": "85a6ba5d-11d9-4efe-8d28-c5f7165a19ce",
"location": null,
"language": "de",
"description": "Die Soziologie hat immer etwas mitzuteilen, sobald Fragen kollektiven Handelns auftreten. Dies gilt sowohl für soziale wie auch digitale Räume. So hat der Soziologe Peter Kollock bereits in den 1990er Jahren festgestellt, „the Internet is filled with junk and jerks“ (Kollock, 1999, S. 220). Gegenwärtig dürfte die Mehrheit dieser Aussage anstandslos zustimmen. Aber dies ist nicht der entscheidende Punkt, sondern die weitere Beobachtung: „Given that online interaction is relatively anonymous, that there is no central authority, and that it is difficult or impossible to impose monetary or physical sanctions on someone, it is striking that the Internet is not literally a war of all against all” (1999, S. 220).\r\n\r\nDie Welt kennt inzwischen zahlreiche Gegenbeispiele, bei denen Autoritäten das Internet nutzen, um das Nutzungsverhalten zu monetarisieren oder Überwachungstechnologien zur Sanktionierung einsetzen (Zuboff, 2019). Diese Ausgangslage beziehe ich in meiner Forschung ein, wenn ich dezentrale Netzwerke wie das Fediverse oder das Tor-Netzwerk aus soziologischer Perspektive betrachte. In erster Linie bin ich daran interessiert zu verstehen, wie dezentrale Netzwerke – organisatorisch nicht technisch – entstehen und welche Herausforderungen es dabei zu überwinden gilt (Sanders & Van Dijck, 2025). Eine zentrale Motivation orientiert sich an der Frage, wie ein Internet ohne zentrale Autorität, verringert von Marktabhängigkeiten, resilient gegenüber Sanktionsmechanismen und Souverän bezüglich eigener Daten, aufgebaut werden kann. Motiviert durch diesen präskriptiven Rahmen, betrachte ich im Vortrag die Herausforderungen zunächst deskriptiv und beziehe meine soziologische Perspektive ein. Denn in der Regel profitieren Menschen, die einen Vorteil aus der Realisierung eines bestimmten Ziels ziehen, unabhängig davon, ob sie persönlich einen Anteil der Kooperation tragen – oder eben nicht. 
Das kollektive Handeln fällt mitunter schwer, obwohl oder gerade, weil ein begründetes kollektives Interesse zur Umsetzung eines bestimmten Zieles besteht. Gleiche Interessen sind nicht gleichbedeutend mit gemeinsamen Interessen. Diese Situationsbeschreibung ist vielfältig anwendbar von WG-Aufräumplänen bis zu Fragen der klimaneutralen Transformation. Der Grund ist, dass kollektives Handeln ein Mindestmaß an Zeit, Aufwand oder Geld verursacht, sodass vielfach ein Trittbrettfahren gewählt wird in der Hoffnung, dass immer noch genug andere kooperieren, um das gewünschte Ziel zu erreichen (Hardin, 1982). \r\n\r\nAus dieser Perspektive betrachte ich dezentrale Netzwerke. So kann das Fediverse oder der Tor-Browser genutzt werden, ohne eine eigene Instanz oder Knoten zu hosten. Dies ist auch nicht das Ziel der genannten dezentralen Netzwerke. Dennoch: Die Kosten und der Aufwand für die technische Infrastruktur müssen von einem kleinen Teil getragen werden, während die überwältigende Mehrheit der Nutzer:innen von der Infrastruktur profitieren, ohne einen Beitrag zu dieser zu leisten. Dies führt zur originären Instabilität dezentraler Netzwerke und stellt eine relevante Herausforderung für die Zukunft dar. Während durch Netzwerkanalysen das Wachstum und die Verstetigung von dezentralen Netzwerken beschrieben wird, fehlt es an einem vertieften Verständnis über Bedingungen wie dezentrale Netzwerke überhaupt entstehen. Während des Vortrags werde ich empirische Daten zur Entwicklung des Fediverse und des Tor-Netzwerkes zeigen, um die Herausforderung zu verdeutlichen. Insbesondere das Tor-Netzwerk steht dabei vor dem Problem, dass die Möglichkeit zur De-Anonymisierung steigt, wenn die Anzahl an Knoten sinkt. 
Die Überwindung des von mir dargestellten Kollektivgutproblems nimmt demnach eine zentrale Rolle zur Aufrechterhaltung ein.\r\n\r\nDie Motivation sich mit dezentralen Netzwerken auseinanderzusetzen, resultiert aus der Umkehr der Argumentation, wenn Netzwerke über eine zentrale Autorität verfügen und zugleich in der Lage sind, Sanktionsmechanismen zu nutzen, beispielsweise um unliebsame User:innen zu sperren, das Nutzungsverhalten zu überwachen und zu monetarisieren (Zuboff, 2019). Hierbei beziehe ich mich offensichtlich auf die Entwicklung sozialer Medien, die das oben beschriebene Problem kollektiven Handelns durch Kommodifizierung der Infrastruktur lösen. Ähnliches ist aus dem Bereich der Kryptowährung bekannt, welche ebenfalls durch den individualisierten monetären Vorteil, das heißt der Verheißung einer Kapitalakkumulation, Kooperationsprobleme überwindet. Stellen wir uns so die Zukunft des Internets vor?\r\nDezentrale Netzwerke sind nicht per se eine allumfassende technische Lösung für gesellschaftlich-soziale Probleme. Im Gegenteil: Dezentrale Netzwerke, wenn sie nicht auf Kommodifizierung basieren, unterliegen einer sozialen Ordnung, die sich eben nicht technisch lösen lässt. Ein Bewusstsein über die Notwendigkeit dezentraler Netzwerke ist hierbei leider nicht ausreichend, sondern es braucht Menschen und Organisationen, die bereit sind einen Teil der Infrastruktur zu tragen, ohne einen direkten Vorteil hiervon zu erhalten. Diese Selbstorganisation steht im Vergleich zu profitorientierten Unternehmen immer im Nachteil (Offe & Wiesenthal, 1980). \r\n\r\nIn meiner Forschung verbinde ich mein Interesse an Grundstrukturen und Bedingungen sozialer Ordnung, wie dem Kooperationsproblem, mit dem Anspruch gesellschaftlicher Gestaltung. Allein das Bewusstsein über diese Bedingungen kann noch kein Kooperationsproblem lösen. Es kann allerdings helfen, den Rahmen dieser Bedingungen aktiv zu gestalten. 
Ich werde mich dabei zwischen kritischen Realitäten und hoffnungsvollen Ausblicken bewegen, denn ganz offensichtlich existieren dezentrale Netzwerke, die eine organisatorische und technische Alternative anbieten. Doch wie der Titel suggeriert, hilft hier auf die Dauer nur die (zivilgesellschaftliche) Power.\r\n\r\nLiteratur\r\nHardin, R. (1982). Collective Action. Hopkins University Press.\r\nKollock, P. (1999). The Economies of Online Cooperation: Gifts and Public Goods in Cyberspace. In M. A. Smith & P. Kollock (Hrsg.), Communities in Cyberspace (S. 220–239). Routledge.\r\nOffe, C., & Wiesenthal, H. (1980). Two Logics of Collective Action: Theoretical Notes on Social Class and Organizational Form. Political Power and Social Theory, 1, 67–115.\r\nSanders, M., & Van Dijck, J. (2025). Decentralized Online Social Networks: Technological and Organizational Choices and Their Public Value Trade-offs. In J. Van Dijck, K. Van Es, A. Helmond, & F. Van Der Vlist, Governing the Digital Society. Amsterdam University Press. https://doi.org/10.5117/9789048562718_ch01\r\nZuboff, S. (2019). Surveillance Capitalism—Überwachungskapitalismus. Aus Politik und Zeitgeschichte, 24–26, 4–9.",
"schedule_start": "2025-12-28T16:35:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-28T17:15:00+01:00"
},
{
"id": "970c40cb-3332-5e64-97f4-465a56f1b96a",
"kind": "official",
"name": "Azubi-Tag Einführung",
"slug": "azubi-tag-einfuhrung",
"url": "https://api.events.ccc.de/congress/2025/event/970c40cb-3332-5e64-97f4-465a56f1b96a/?format=api",
"track": "ccc-community",
"assembly": "ccc",
"room": "7202df07-050c-552f-8318-992f94e40ef0",
"location": null,
"language": "de",
"description": "Weitere Informationen findest du auf [https://events.ccc.de/congress/2025/infos/azubi-tag.html](https://events.ccc.de/congress/2025/infos/azubi-tag.html)",
"schedule_start": "2025-12-29T09:30:00+01:00",
"schedule_duration": "01:15:00",
"schedule_end": "2025-12-29T10:45:00+01:00"
},
{
"id": "d1174c82-6e99-5acb-98f2-3c0f55b046c7",
"kind": "official",
"name": "Battling Obsolescence – Keeping an 80s laser tag system alive",
"slug": "battling-obsolescence-keeping-an-80s-laser-tag-sys",
"url": "https://api.events.ccc.de/congress/2025/event/d1174c82-6e99-5acb-98f2-3c0f55b046c7/?format=api",
"track": "hardware",
"assembly": "ccc",
"room": "85a6ba5d-11d9-4efe-8d28-c5f7165a19ce",
"location": null,
"language": "en",
"description": "Looking at the effects of obsolescence in the context of a laser tag system from the 1980s Q-Zar (Quasar in the UK), what needed to happen to keep it going to enable people to continue playing. What lessons we can learn from that and some good examples from other projects, and how that can be applied to our own projects. \r\n\r\nThis talk covers the electronics involved in the laser tag system, why the continued availability of components has varied a lot. The need to develop new computer software that continues to work years later. The way the physical equipment can have its life extended. \r\n\r\nTopics covered range from electronics design through to software coding and onto physical unit repair. A look at the tooling created to help maintain, support and repair the laser tag packs. The challenges Covid-19 created and how things were rapidly pivoted to enable continued playing in challenging times.\r\nThis is about how we all can make simple decisions that help build something that will last the maximum time possible with the least amount of effort.",
"schedule_start": "2025-12-30T13:50:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-30T14:30:00+01:00"
},
{
"id": "678b899b-7d32-56e3-9d1d-7f2208cfe2d7",
"kind": "official",
"name": "BE Modded: Exploring and hacking the Vital Bracelet ecosystem",
"slug": "be-modded-exploring-and-hacking-the-vital-bracelet-ecosystem",
"url": "https://api.events.ccc.de/congress/2025/event/678b899b-7d32-56e3-9d1d-7f2208cfe2d7/?format=api",
"track": "hardware",
"assembly": "ccc",
"room": "85a6ba5d-11d9-4efe-8d28-c5f7165a19ce",
"location": null,
"language": "en",
"description": "The Vital Bracelet series, active from 2021 to 2024, was a line of toys that revolved around a number of fitness bracelets that encouraged exercise by raising characters from the Digimon series, and expanding into tokusatsu and popular anime characters later. Think of it as Tamagotchi, but nurturing through exercise instead of button presses.\r\n\r\nIn this presentation, we'll look at the different parts of this series' ecosystem, how they work, and the different ways to circumvent various security measures and customize the devices' behavior.\r\n\r\nWe start by looking at the first Vital Bracelet, with a quick introduction to hardware reverse engineering and how to dump firmware out of flash. Following that, we will take a look at the microcontroller used in the devices, and its obscure instruction set architecture. This will lead into an exploration of how to reverse engineer code when you are missing a significant portion of it, and how the embedded ROM was dumped. After this, we will look at the DRM applied to content, and how it was circumvented. Next, the device's NFC capabilities will be explored.\r\n\r\nWith the release of the Vital Bracelet BE, which introduced upgradable firmware, came new challenges and opportunities. We will take a look at the new content format and additional DRM measures it incorporated, plus how the device's bootloader was dumped despite its signature verification scheme.\r\n\r\nFinally, we will take a look at the process for modding the various Vital Bracelet releases, and some techniques to use while writing patches.\r\n\r\nThe material in this talk can be applied beyond just the Vital Bracelet series, and can be useful if you want to explore other electronic toys, or just hardware reverse engineering in general.",
"schedule_start": "2025-12-29T12:50:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-29T13:30:00+01:00"
},
{
"id": "f09b0595-daf8-52ac-89cb-5cf5e222c3dc",
"kind": "official",
"name": "BitUnlocker: Leveraging Windows Recovery to Extract BitLocker Secrets",
"slug": "bitunlocker-leveraging-windows-recovery-to-extract-bitlocker-secrets",
"url": "https://api.events.ccc.de/congress/2025/event/f09b0595-daf8-52ac-89cb-5cf5e222c3dc/?format=api",
"track": "security",
"assembly": "ccc",
"room": "62251a07-13e4-5a72-bb3c-8528416ee0f2",
"location": null,
"language": "en",
"description": "In Windows, the cornerstone of data protection is BitLocker, a Full Volume Encryption technology designed to secure sensitive data on disk. This ensures that even if an adversary gains physical access to the device, the data remains secure and inaccessible.\r\n\r\nOne of the most critical aspects of any data protection feature is its ability to support recovery operations in case of failure. To enable BitLocker recovery, significant design changes were implemented in the Windows Recovery Environment (WinRE). This led us to a pivotal question: did these changes introduce any new attack surfaces impacting BitLocker?\r\n\r\nIn this talk, we will share our journey of researching a fascinating and mysterious component: WinRE. Our exploration begins with an overview of the WinRE architecture, followed by a retrospective analysis of the attack surfaces exposed with the introduction of BitLocker. We will then discuss our methodology for effectively researching and exploiting these exposed attack surfaces. Our presentation will reveal how we identified multiple 0-day vulnerabilities and developed fully functional exploits, enabling us to bypass BitLocker and extract all protected data in several different ways.\r\n\r\nNotably, the findings described reside entirely in the software stack, not requiring intrusive hardware attacks to be exploited.\r\n\r\nFinally, we will share the insights Microsoft gained from this research and explain our approach to hardening and further securing WinRE, which in turn strengthens BitLocker.",
"schedule_start": "2025-12-27T20:30:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-27T21:30:00+01:00"
},
{
"id": "bf34e289-afe1-59a8-8c1c-018b755772e3",
"kind": "official",
"name": "Blackbox Palantir",
"slug": "blackbox-palantir",
"url": "https://api.events.ccc.de/congress/2025/event/bf34e289-afe1-59a8-8c1c-018b755772e3/?format=api",
"track": "ethics-society-politics",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "de",
"description": "Software von Palantir analysiert für Polizeien und Militär deren Daten – dafür lizenzieren auch deutsche Polizeibehörden seit Jahren die Analysesoftware Gotham des US-Unternehmens. Die Software verarbeitet strukturierte und unstrukturierte Informationen aus Polizeidatenbanken. Die genauen Funktionsweisen sind für die Öffentlichkeit, Gesetzgeber und Kontrollbehörden jedoch nicht einsehbar. \r\n\r\nDas US-Unternehmen ist hochumstritten und auch in Deutschland seit einigen Gesetzesinitiativen wieder umkämpft – wegen seiner intransparenten Analysemethoden, seiner Zusammenarbeit mit autoritären Staaten und seiner Nähe zur US-Regierung.\r\n\r\nRechtlich ist der Einsatz von Analysetools wie von Palantir in Deutschland ohnehin komplex, denn das Bundesverfassungsgericht hat 2023 deutliche Grenzen für polizeiliche Datenanalysen gezogen. Dennoch haben mehrere Bundesländer für ihre Polizeien Verträge oder streben sie an. Auch auf Bundesebene wird der Einsatz für das Bundeskriminalamt und die Bundespolizei hitzig diskutiert.\r\n\r\nWie funktioniert Gotham und welche Gefahren gehen damit einher?\r\nWelche Entwicklungen sind im Bund und in den Ländern zu beobachten? Wie geht es weiter?\r\n\r\nWir wollen über den Stand der Dinge in Bund und Ländern informieren und auch zeigen, wie wir versuchen, rechtliche Vorgaben durchzusetzen. Denn die GFF und der CCC sind an Verfassungsbeschwerden beteiligt, unter anderem in Hessen, Hamburg und zuletzt in Bayern.",
"schedule_start": "2025-12-29T20:30:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-29T21:30:00+01:00"
},
{
"id": "887fe87e-6ef2-5d94-98c8-f582cb22f442",
"kind": "official",
"name": "Bluetooth Headphone Jacking: A Key to Your Phone",
"slug": "bluetooth-headphone-jacking-a-key-to-your-phone",
"url": "https://api.events.ccc.de/congress/2025/event/887fe87e-6ef2-5d94-98c8-f582cb22f442/?format=api",
"track": "security",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "en",
"description": "Airoha is a vendor that, amongst other things, builds Bluetooth SoCs and offers reference designs and implementations incorporating these chips. They have become a large supplier in the Bluetooth audio space, especially in the area of True Wireless Stereo (TWS) earbuds. Several reputable headphone and earbud vendors have built products based on Airoha’s SoCs and reference implementations using Airoha’s Software Development Kit (SDK).\r\n\r\nDuring our Bluetooth Auracast research we stumbled upon a pair of these headphones. During the process of obtaining the firmware for further research we initially discovered the powerful custom Bluetooth protocol called *RACE*. The protocol provides functionality to take full control of headphones. Data can be written to and read from the device's flash and RAM.\r\n\r\nThe goal of this presentation is twofold. Firstly, we want to inform about the vulnerabilities. It is important that headphone users are aware of the issues. In our opinion, some of the device manufacturers have done a bad job of informing their users about the potential threats and the available security updates. We also want to provide the technical details to understand the issues and enable other researchers to continue working with the platform. With the protocol it is possible to read and write firmware. This opens up the possibility to patch and potentially customize the firmware.\r\n\r\nSecondly, we want to discuss the general implications of compromising Bluetooth peripherals. As smart phones are becoming increasingly secure, the focus for attackers might shift to other devices in the environment of the smart phone. For example, when the Bluetooth Link Key that authenticates a Bluetooth connection between the smart phone and the peripheral is stolen, an attacker might be able to impersonate the peripheral and gain its capabilities.",
"schedule_start": "2025-12-27T23:00:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-28T00:00:00+01:00"
},
{
"id": "a4d303fc-6761-551a-834e-204bc539eab4",
"kind": "official",
"name": "Breaking architecture barriers: Running x86 games and apps on ARM",
"slug": "breaking-architecture-barriers-running-x86-games-and-apps-on-arm",
"url": "https://api.events.ccc.de/congress/2025/event/a4d303fc-6761-551a-834e-204bc539eab4/?format=api",
"track": "hardware",
"assembly": "ccc",
"room": "7202df07-050c-552f-8318-992f94e40ef0",
"location": null,
"language": "en",
"description": "ARM-powered hardware in laptops promises longer battery life at the same compute performance as before, but a translation layer like FEX is needed to run existing x86 software. We'll look at the technical challenges involved in making this possible: designing a high-performance binary recompiler, translating Linux system calls across architectures, and forwarding library calls to their ARM counterparts.\r\n\r\nGaming in particular poses extreme demands on FEX and raises further questions: How do we enable GPU acceleration in an emulated environment? How can we integrate Wine to run Windows games on Linux ARM? Why is Steam itself the ultimate boss battle for x86 emulation? And why in the world do we care more about page sizes than German standardization institutes?\r\n\r\nThis talk will be accessible to a technical audience and gaming enthusiasts alike. However, be prepared to learn cursed knowledge you won't be able to forget!",
"schedule_start": "2025-12-27T23:00:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-27T23:40:00+01:00"
},
{
"id": "3d82c56b-fb2f-545f-b8f1-264c220c8f09",
"kind": "official",
"name": "Breaking BOTS: Cheating at Blue Team CTFs with AI Speed-Runs",
"slug": "breaking-bots-cheating-at-blue-team-ctfs-with-ai-speed-runs",
"url": "https://api.events.ccc.de/congress/2025/event/3d82c56b-fb2f-545f-b8f1-264c220c8f09/?format=api",
"track": "security",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "en",
"description": "THE PLAN\r\n\r\nLive demonstrations of AI agents speed-running blue team challenges, including the failure modes that break investigations. We'll show both what happens when we try the trivial approaches like “just have claude do it”, “AI workflows”, and what ultimately worked, like managed self-planning, semantic SIEM layers, and log agents. Most can be done with free and open tools and techniques on the cheap, so we will walk through that as well.\r\n\r\nTHE DEEP DIVE\r\n\r\n* Why normal prompts and static AI workflows fail\r\n* Self-planning investigation agents that evolve task lists dynamically\r\n* What we mean by semantic layers for calling databases and APIs\r\n* How to handle millions of log events without bankrupting yourself\r\n* Why \"no AI\" rules are misguided technically and conceptually\r\n\r\nGOING BEYOND CTFS\r\n\r\nThe same patterns that trivialize training exercises work on real SOC investigations. We're watching blue team work fundamentally transform - from humans investigating to humans managing AI investigators. Training programs teaching skills AI already automates. Hiring practices that can't verify who's doing the work. Certifications losing meaning. More fundamentally, when we talk about who watches the watchers, a lot is about to shift again.",
"schedule_start": "2025-12-30T13:50:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-30T14:30:00+01:00"
},
{
"id": "59b5d6cc-bc07-5554-80f1-7d1008573d92",
"kind": "official",
"name": "Brennende Wälder und Kommentarspalten - Klimaupdate mit dem FragDenStaat Climate Helpdesk",
"slug": "brennende-walder-und-kommentarspalten-klimaupdate-mit-bits-baume-und-dem-fragdenstaat-climate-helpdesk",
"url": "https://api.events.ccc.de/congress/2025/event/59b5d6cc-bc07-5554-80f1-7d1008573d92/?format=api",
"track": "ethics-society-politics",
"assembly": "ccc",
"room": "85a6ba5d-11d9-4efe-8d28-c5f7165a19ce",
"location": null,
"language": "de",
"description": "ChatGPT (soon) has more users than Wikipedia, and OpenAI wants to have the energy consumption of India in the future, with fossil fuels if necessary. The energy hunger of artificial intelligence and the global hunger for resources for chips and electric cars seem to be devouring what hope remains for a climate-just world.\r\n\r\nIn Germany, too, we find ourselves in the water struggles, while globally movements against water-hungry corporations and data centers have long been converging. All over the world, from Latin America to Portugal and Serbia, people are resisting the mining of the white gold lithium, which is needed for electric cars and chips. Along with forests, the comment sections are burning too, and state repression of climate activism is increasing. I want to give an overview of the state of our Earth and of the climate movement, what hackers can do to save the planet, and which tech billionaires we have to fight to do so.\r\n\r\nI am Joschi (they/them) from the FragDenStaat Climate Helpdesk. I bring 10 years of experience in the climate movement and expertise in various topics around sustainability and digitalization.",
"schedule_start": "2025-12-27T11:55:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-27T12:35:00+01:00"
},
{
"id": "5454618f-fcfb-568a-b82b-eb0b10bf89cb",
"kind": "official",
"name": "Build a Fake Phone, Find Real Bugs: Qualcomm GPU Emulation and Fuzzing with LibAFL QEMU",
"slug": "build-a-fake-phone-find-real-bugs-qualcomm-gpu-emulation-and-fuzzing-with-libafl-qemu",
"url": "https://api.events.ccc.de/congress/2025/event/5454618f-fcfb-568a-b82b-eb0b10bf89cb/?format=api",
"track": "security",
"assembly": "ccc",
"room": "7202df07-050c-552f-8318-992f94e40ef0",
"location": null,
"language": "en",
"description": "Mobile phone manufacturers ship competitive hardware supported by increasingly complex software stacks, ranging from firmware and bootloaders to kernel modules, hypervisors, and other TrustZone environments. In an effort to keep their products secure, these companies rely on state-of-the-art testing techniques such as fuzzing. They commonly perform their fuzzing campaigns on-device to find vulnerabilities. Unfortunately, this approach is expensive to scale and does not always provide fine-grained control over the target. To address these issues, we approached the problem through the prism of emulation, by partially reimplementing the hardware as normal software to run on a computer. That way, we could scale fuzzing instances, and gain full control over the emulated target.\r\n\r\nThe presentation will outline how we made the full emulation of Qualcomm’s Android ecosystem possible by tweaking the complex build system of the Android image and implementing a custom board (including more than 10 custom devices) in QEMU. We will review the steps required and the technical challenges encountered along the way.\r\n\r\nAfter providing a quick recap and the latest updates on LibAFL QEMU (presented at 37C3) by one of the LibAFL maintainers, we will delve into the gory details of how we partially emulated the latest version of Adreno—the GPU designed by Qualcomm—and built a fuzzer for its Android kernel driver. In particular, we will show how LibAFL QEMU was integrated into our custom board and the few improvements we made to the kernel to get better coverage with KCOV. Finally, we will demonstrate how our approach enabled us to find a new critical vulnerability in the GPU kernel driver.",
"schedule_start": "2025-12-29T19:15:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-29T19:55:00+01:00"
},
{
"id": "ab19e1f1-ca13-531e-9d30-0ca5b0c7551c",
"kind": "official",
"name": "Building a NOC from scratch",
"slug": "building-a-noc-from-scratch",
"url": "https://api.events.ccc.de/congress/2025/event/ab19e1f1-ca13-531e-9d30-0ca5b0c7551c/?format=api",
"track": "ccc-community",
"assembly": "ccc",
"room": "62251a07-13e4-5a72-bb3c-8528416ee0f2",
"location": null,
"language": "de",
"description": "By the time of the 29th Eurofurence (that is, this year), the event had reached a size at which typical event venues could no longer simply meet our special requirements. For example, an elaborate audio/video production is part of Eurofurence, which requires an IP network with high bandwidth, low latency, low jitter, multicast transport and precise time synchronization. That is why the _Onsite Eurofurence Network Operation Center_ _(EFNOC)_ was founded this year. Our task was to competently meet all the requirements of the other teams, and in this talk we want to share some behind-the-scenes stories about that.\r\n\r\nRoughly speaking, during EF29 we established the team and built a network that was used for A/V production, event coordination and event management (e.g. security, ticketing). Our personal goal was also to create a usable Wi-Fi network for all attendees across the entire event venue, that is, from Hall H to the forecourt.\r\nFor this, our architecture consisted of a simple Layer 2 network with VLAN segmentation, provided by _Arista DCS-7050TX-72Q_ with 40Gbit/s optics. The Aristas also propagated a PTP signal that was controlled by a Meinberg master clock. In addition, a Linux server was in use as a hypervisor for various network services such as DNS, DHCP, monitoring and routing.\r\nAt least that was the plan, because during the event we were confronted with reality and many “fun” problems.\r\n\r\nOur talk will deal with these technical problems, among other things, but will not focus only on the technical side. Instead, we will also look at how we as a team dealt with them on a human level among ourselves and in communication with other teams.",
"schedule_start": "2025-12-27T23:55:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-28T00:35:00+01:00"
},
{
"id": "4bfb9f9c-a8cd-5bcb-8b0f-ce20509f2a36",
"kind": "official",
"name": "Building hardware - easier than ever - harder than it should be",
"slug": "building-hardware-easier-than-ever-harder-than-it-should-be",
"url": "https://api.events.ccc.de/congress/2025/event/4bfb9f9c-a8cd-5bcb-8b0f-ce20509f2a36/?format=api",
"track": "hardware",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "en",
"description": "Electronics is easier and more fun to get into than it's ever been before. All the tools and resources are easily accessible and super cheap or free. There's an enormous amount of things to build from and build on.\r\n\r\nIt's also never been more important to be able to build and understand electronics, as assholes running corporations are wasting their workers' unpaid overtime on making all the electronics in our lives shittier, more full of ads, slop, and spyware, and more frustrating to use. Encountering a device that works for you instead of against you is a breath of fresh air. Building one is an act of resistance and power. Not depending on the whims of corporate assholes is freedom.\r\n\r\nHowever, the culture around electronics and the electronics industry is one of exclusion and gatekeeping. It doesn't need to be. It would be stupidly easy to make things better, and we should. I've been teaching absolute beginners advanced electronics manufacturing skills for many years now. It's absolutely shocking how much more diverse the people who I teach are compared to the industry. The \"hardware is hard\" meme is true in some cases but toxic when worn as a badge of pride or a warning to people attempting it.\r\n\r\nI will tell you why designing and building electronics is not nearly as hard as it seems, how it's almost never been easier to get into it, and why it's very important that people who think or have been told they can't do it should be doing more of it. I'll tell you my experiences of what building devices is like, show and tell a few useful skills, and tell the story of how trying to prove someone wrong on the internet turned into a decade of teaching people with zero experience how to handle the most complex electronic components at all sorts of community events.",
"schedule_start": "2025-12-27T12:50:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-27T13:30:00+01:00"
},
{
"id": "878d9a0c-0446-561d-9f85-c81033aad209",
"kind": "official",
"name": "Burn Gatekeepers, not Books!",
"slug": "burn-gatekeepers-not-books",
"url": "https://api.events.ccc.de/congress/2025/event/878d9a0c-0446-561d-9f85-c81033aad209/?format=api",
"track": "ethics-society-politics",
"assembly": "ccc",
"room": "7202df07-050c-552f-8318-992f94e40ef0",
"location": null,
"language": "de",
"description": "The book market is broken; that is not a new insight. We untangle where things are going wrong and show how bad it really is. We also do a bit of name & shame, because somebody is to blame, after all. But we also show where APIs that are still missing on the German market (in contrast to the international book market) would make our lives considerably easier.",
"schedule_start": "2025-12-28T15:40:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-28T16:20:00+01:00"
},
{
"id": "49b35210-41ea-547d-86da-1ca62612c7b6",
"kind": "official",
"name": "CCC-Jahresrückblick",
"slug": "ccc-jahresruckblick",
"url": "https://api.events.ccc.de/congress/2025/event/49b35210-41ea-547d-86da-1ca62612c7b6/?format=api",
"track": "ccc-community",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "de",
"description": "2025 was a good year for exploits, not a good year for freedom and an outstanding one for bad ideas. Governments kept fighting for mass surveillance, with AI support™, of course. Wars continued to be “digitalized”, chat control was sold as child protection, weapon systems now have more autonomy than most citizens, and artificial intelligence is finally solving all problems, above all the ones nobody had before.",
"schedule_start": "2025-12-28T16:35:00+01:00",
"schedule_duration": "01:40:00",
"schedule_end": "2025-12-28T18:15:00+01:00"
},
{
"id": "471f65aa-7729-5e51-b849-4603cfac762f",
"kind": "official",
"name": "CCC&T - Cosmic ray, the Climate Catastrophe and Trains.",
"slug": "ccc-t-cosmic-ray-the-climate-catastrophe-and-trains",
"url": "https://api.events.ccc.de/congress/2025/event/471f65aa-7729-5e51-b849-4603cfac762f/?format=api",
"track": "science",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "en",
"description": "The Dürremonitor is a programme that is often mentioned in the German news when some regions experience drought. Alongside the Dürremonitor and the underlying Mesoscale Hydrological Model (MHM), there is ongoing research at the UFZ concerning soil moisture. Some of these studies involve measuring soil moisture using a technique called cosmic ray neutron sensing (CRNS). Rather than taking measurements, the MHM uses a physics-based model incorporating precipitation forecasts to predict drought or flood. These two strategies for quantifying soil moisture are therefore in opposition: the measurement-based approach (CRNS) and the modelling-based approach (MHM/Dürremonitor). CRNS is a relatively new method of measuring soil moisture based on the proportion of neutrons reflected by the soil (the principles were discovered in the 1980s, but it has only recently become commercially applicable). This method has several advantages over previous soil moisture measurement methods: it is non-invasive, easy to set up, portable and can therefore be used on trains.\r\n\r\nIn the talk I will give an overview of the Dürremonitor and MHM and then focus on CRNS. I will explain the physical principles behind the method and how it is implemented in practice by making surveys using trains.",
"schedule_start": "2025-12-30T11:55:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-30T12:35:00+01:00"
},
{
"id": "967b7f53-aa2b-578b-9403-e1ba380cda15",
"kind": "official",
"name": "Celestial navigation with very little math",
"slug": "celestial-navigation-with-very-little-math",
"url": "https://api.events.ccc.de/congress/2025/event/967b7f53-aa2b-578b-9403-e1ba380cda15/?format=api",
"track": "hardware",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "en",
"description": "Since the dawn of time people have asked themselves: where am I and why am I here? This talk won't help you answer the why question, but it will discuss how to determine the where in the pre-GPS age of sextants, slide rules and stopwatches by taking the noon sight, aka the meridian passage.\r\n\r\nThe usual way to find your position using the Sun requires a large almanac of lookup tables and some challenging math. The books are frustrating to consult on every sight and the base 60 degree-minute-second math is frustrating even with a calculator, and if you're on a traditional ship it seems wrong to do traditional navigation with electronic devices.\r\n\r\nTo speed up the process I’ve designed a specialized circular slide rule that handles most of the table lookups to correct height of eye, semi-diameter, temperature, refraction and index errors, and also simplifies the degree-minute-second arithmetic required to calculate the exact declination of the Sun.\r\n\r\nIn this talk I’ll demonstrate how to make your own printable paper slide rule and use it to reduce the meridian passage measurement to a lat/lon with just a few rotations of the wheels and pointer, no electronics or bulky books necessary!",
"schedule_start": "2025-12-29T11:55:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-29T12:35:00+01:00"
},
{
"id": "42fe49fd-0068-5456-a326-7687603aead8",
"kind": "official",
"name": "Chaos all year round",
"slug": "chaos-all-year-round",
"url": "https://api.events.ccc.de/congress/2025/event/42fe49fd-0068-5456-a326-7687603aead8/?format=api",
"track": "ccc-community",
"assembly": "ccc",
"room": "85a6ba5d-11d9-4efe-8d28-c5f7165a19ce",
"location": null,
"language": "de",
"description": "In this talk in lightning-talk format, you have the opportunity to learn about many other great Chaos events in fast-forward, so to speak. In addition, one or two larger events will be presented that are currently in the planning phase and are still looking for reinforcements for their team. \r\n\r\nIf you would like to briefly present your Chaos event on the big stage, please sign up [in the wiki](https://events.ccc.de/congress/2025/hub/de/wiki/event-vorstellungen).",
"schedule_start": "2025-12-27T16:00:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-27T17:00:00+01:00"
},
{
"id": "656a3c17-8cd8-516f-bf31-645c98af7990",
"kind": "official",
"name": "Chaos Communication Chemistry: DNA security systems based on molecular randomness",
"slug": "chaos-communication-chemistry-dna-security-systems-based-on-molecular-randomness",
"url": "https://api.events.ccc.de/congress/2025/event/656a3c17-8cd8-516f-bf31-645c98af7990/?format=api",
"track": "science",
"assembly": "ccc",
"room": "7202df07-050c-552f-8318-992f94e40ef0",
"location": null,
"language": "en",
"description": "Nucleic acids have been theorized as potential data storage and computation platforms since the mid-20th century. In the meantime, notable advances have been made in implementing such systems, combining academic research with industry efforts. \r\nAfter providing a general introduction to the interdisciplinary field of DNA information technology, the second half of the talk focuses on DNA-based cryptography and security systems, in particular zooming in on the example of chemical unclonable functions (CUFs) based on randomly generated, synthetic DNA sequences. Similar to Physical Unclonable Functions (PUFs), these DNA-based systems contain vast random elements that cannot be reconstructed – neither algorithmically nor synthetically. Using biochemical processing, we can operate these systems in a fashion comparable to cryptographic hash functions, enabling new authentication protocols. Aside from covering the basics, we delve into the advantages, as well as the drawbacks, of DNA as a medium. Finally, we explore how CUFs could in the future be implemented as physical security architectures: For example, in anti-counterfeiting of medicines or as personal signatures for artworks. \r\nIn a broader sense, this talk aims to inspire a reconsideration of entropy, randomness and information in the experimental sciences through a digital lens. In doing so, it provides examples of how looking at physical systems through an information perspective can unravel new synergies, applications and even security architectures.",
"schedule_start": "2025-12-28T14:45:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-28T15:25:00+01:00"
},
{
"id": "90cb7149-ec4d-5499-9649-9091374100ad",
"kind": "official",
"name": "Chaos macht Küche",
"slug": "chaos-macht-kuche",
"url": "https://api.events.ccc.de/congress/2025/event/90cb7149-ec4d-5499-9649-9091374100ad/?format=api",
"track": "ccc-community",
"assembly": "ccc",
"room": "7202df07-050c-552f-8318-992f94e40ef0",
"location": null,
"language": "de",
"description": "At many tent camps, summer festivals, ICMP, a village at the Chaos camp and the like, I have learned how to cook for many people, and how not to. So that you don't have to go through the same learning curve, I would like to show you the considerations that let you and 2-3 friends prepare food for many people. \r\n\r\nPlanning, shopping, logistics, preparation, cooking, hygiene, serving and cleaning up: anyone can do that. \r\nDoing it in a way that is fun, doesn't feel like work and on top of that tastes good to everyone is what I want to convey to you with this talk.\r\n\r\nIf your space is planning a big event in the future and you are wondering whether you can and want to cook on site, then come by and let me show you what you need for it and how it works.",
"schedule_start": "2025-12-27T13:50:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-27T14:30:00+01:00"
},
{
"id": "f9204594-d3f2-5c45-ba71-542a99eb9e5d",
"kind": "official",
"name": "Chaospager - How to construct an Open Pager System for c3",
"slug": "chaospager-how-to-construct-an-open-pager-system-for-c3",
"url": "https://api.events.ccc.de/congress/2025/event/f9204594-d3f2-5c45-ba71-542a99eb9e5d/?format=api",
"track": "hardware",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "en",
"description": "At 38c3, we conducted an experiment to test out our self-built POCSAG Pager infrastructure. Together with DL0TUH and CERT, we are now working on an open pager solution leveraging well-known components in the maker community (e.g. ESP32, SX1262) to support the alarming of action forces at c3 events. In this talk, we will guide you through the process of developing such a project, problems that are occurring and what our future plans are.",
"schedule_start": "2025-12-28T14:45:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-28T15:25:00+01:00"
},
{
"id": "9296cd85-f869-5687-94cb-e87d805249a2",
"kind": "official",
"name": "Chatkontrolle - Ctrl+Alt+Delete",
"slug": "episode-ii-der-rat-schlagt-zuruck",
"url": "https://api.events.ccc.de/congress/2025/event/9296cd85-f869-5687-94cb-e87d805249a2/?format=api",
"track": "ethics-society-politics",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "de",
"description": "Chat control reads more like a tragic comedy than a legislative process. After the dramaturgical review at 37C3, it is now time to take a look at the side of the rebels. \r\nMarkus Reuter and khaleesi have closely followed the legislative process around chat control from the very beginning, he from the journalistic perspective, she from the policy perspective. \r\nAfter the first years with a lot of hype and Hollywood stars, things have become rather quiet after the EU elections. But the danger is not off the table: \r\n\r\nThe position of the EU Parliament against chat control does stand, but how secure it really is remains unclear.\r\nAt the moment everything hinges on the Council: there have been very positive proposals (Polish Council presidency) and negative proposals (Danish Council presidency), but the countries cannot agree, and a majority wants chat control but cannot prevail.\r\n\r\nAnd in Germany, too, chat control has made the big leap into the public eye and its opponents have won a stage victory. What this success has to do with the work of the last four years, and why nothing is settled yet in Germany either, is what we tell in this talk.",
"schedule_start": "2025-12-27T20:30:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-27T21:30:00+01:00"
},
{
"id": "319c31a2-af90-5db9-89f0-fe9ac582726e",
"kind": "official",
"name": "Closing Ceremony",
"slug": "closing-ceremony",
"url": "https://api.events.ccc.de/congress/2025/event/319c31a2-af90-5db9-89f0-fe9ac582726e/?format=api",
"track": "ccc-community",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "de",
"description": " ",
"schedule_start": "2025-12-30T16:00:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-30T17:00:00+01:00"
},
{
"id": "6938a1f1-4ee3-5fca-ae37-d59274e529de",
"kind": "official",
"name": "Code to Craft: Procedural Generation for the Physical World",
"slug": "code-to-craft-procedural-generation-for-the-physical-world",
"url": "https://api.events.ccc.de/congress/2025/event/6938a1f1-4ee3-5fca-ae37-d59274e529de/?format=api",
"track": "art-beauty",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "en",
"description": "In this talk, I will share practical insights from developing procedural generation tools for physical objects: ranging from stickers and paper lanterns to printed circuit boards and even furniture. I will outline key challenges and considerations when generating designs for fabrication tools such as laser cutters or pen plotters, as well as how to adapt procedural systems so they can be reproduced by a wide audience (not everyone has access to CNC machines or industrial equipment, sadly!).\r\n\r\nBeyond technical considerations, I aim to encourage attendees to translate their own generative ideas into tangible artifacts and to foster a culture of open-sourcing and knowledge sharing within the community.",
"schedule_start": "2025-12-28T23:55:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-29T00:35:00+01:00"
},
{
"id": "d743f89d-684b-5a29-a0e1-4b788caa4255",
"kind": "official",
"name": "Coding Dissent: Art, Technology, and Tactical Media",
"slug": "coding-dissent-art-technology-and-tactical-media",
"url": "https://api.events.ccc.de/congress/2025/event/d743f89d-684b-5a29-a0e1-4b788caa4255/?format=api",
"track": "art-beauty",
"assembly": "ccc",
"room": "85a6ba5d-11d9-4efe-8d28-c5f7165a19ce",
"location": null,
"language": "en",
"description": "In this talk, media artist and curator Helena Nikonole presents her work at the intersection of art, activism, and tactical technology — including interventions into surveillance systems, wearable mesh networks for off-grid communication, and AI-generated propaganda sabotage.\r\n\r\nFeaturing projects like Antiwar AI, the 868labs initiative, and the curatorial project Digital Resistance, the talk explores how art can do more than just comment on sociotechnical systems — it can interfere, infiltrate, and subvert them.\r\n\r\nThis is about prototypes as politics, networked interventions as civil disobedience, and media hacks as tools of strategic refusal. The talk asks: what happens when art stops decorating crisis and starts debugging it?\r\n\r\nThe talk will also introduce an upcoming HackLab initiative — a collaboration-in-progress that brings together artists, hackers, and activists to develop open-source tools for disruption, resilience, and collective agency — and invites potential collaborators to get involved.",
"schedule_start": "2025-12-27T23:00:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-27T23:40:00+01:00"
},
{
"id": "6189eca4-8ac2-5606-af23-628b82eb4a54",
"kind": "official",
"name": "CPU Entwicklung in Factorio: Vom D-Flip-Flop bis zum eigenen Betriebssystem",
"slug": "cpu-entwicklung-in-factorio-vom-d-flip-flop-bis-zum-eigenen-betriebssystem",
"url": "https://api.events.ccc.de/congress/2025/event/6189eca4-8ac2-5606-af23-628b82eb4a54/?format=api",
"track": "hardware",
"assembly": "ccc",
"room": "7202df07-050c-552f-8318-992f94e40ef0",
"location": null,
"language": "de",
"description": "Factorio is a game about factory automation: conveyor belts, steam engines and production chains are in the foreground. The internal logic system (“Combinators”) is actually intended for controlling the factory, but it also allows the development of complex hardware.\r\n\r\nIn this talk I tell my story of how I created a complete RISC-V architecture in Factorio purely out of vanilla combinators:\r\nThe CPU works with 32-bit words and has 32 general-purpose registers, 128 KB of RAM/persistent storage, a 5-stage pipeline with forwarding and hazard handling, and a logic unit for branches and interrupts. A display controller drives a console output as well as a color display, while a keyboard controller enables input via physical in-game keys.\r\n\r\nOn the software side, the hardware is complemented by the operating system *FactOS*, which provides a simple filesystem as well as system calls (for example for printing a string in the terminal). In addition, the operating system restricts the executing user program to a fixed region of RAM and thus prevents direct access to the hardware.\r\n\r\nIn the talk I would like to guide you through all layers of this construction:\r\nFrom the basics of Factorio signal physics through CPU design and pipeline hazards to the toolchain and the operating system. I also give an insight into how the limitations, but also the advantages, of Factorio compared to conventional logic simulators can influence the design of a CPU. I round off my talk with a live demonstration of the system. \r\n\r\nI am making the complete CPU publicly available, including the source code of the assembler, blueprints and example programs. Any interested person can thus load the architecture into Factorio, extend it and develop their own software for it.\r\n\r\nAfterwards there will be a [Self-organized Session](https://events.ccc.de/congress/2025/hub/en/event/detail/cpu-entwicklung-in-factorio-wie-benutze-ich-phds-f) in which I will give a hands-on introduction to how to load the CPU into Factorio, how to write programs, assemble them and insert them into Factorio. You are also welcome to chat with me about the project there; I look forward to all contributions and comments :)",
"schedule_start": "2025-12-28T19:15:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-28T19:55:00+01:00"
},
{
"id": "c8fe18e8-6cd5-5354-aad7-1a51e64fd529",
"kind": "official",
"name": "Cracking open what makes Apple's Low-Latency WiFi so fast",
"slug": "cracking-open-what-makes-apple-s-low-latency-wifi-so-fast",
"url": "https://api.events.ccc.de/congress/2025/event/c8fe18e8-6cd5-5354-aad7-1a51e64fd529/?format=api",
"track": "hardware",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "en",
"description": "Apple's Continuity features make up a big part of their walled garden. From AirDrop and Handoff to AirPlay, they all connect macOS and iOS devices wirelessly. In recent years, security researchers have opened up several of these features showing that the Apple ecosystem is technically compatible with third-party devices.\r\n\r\nIn this talk, we present the internal workings of Low-Latency WiFi (LLW) – Apple's link-layer protocol for several real-time Continuity features like Continuity Camera and Sidecar Display. We talk about the concepts behind LLW, how it achieves its low-latency requirement and how we got there in the reverse engineering process.\r\n\r\nWe also present the tooling we built to enable more kernel-level tracing and logging on iOS through a reimplementation of cctool from macOS and the source code of trace that was buried deep inside of Apple’s open-source repository system_cmds. We build a log aggregator that combines various kernel- and user-space traces, log messages and pcap files from both iOS and macOS into a single file and finally investigate the network stack on Apple platforms that is implemented in both user- and kernel space. There we find interesting configuration values of LLW that make it the go-to link-layer protocol for Apple's proprietary real-time Continuity applications.",
"schedule_start": "2025-12-28T15:40:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-28T16:20:00+01:00"
},
{
"id": "29678965-8b0b-5428-b63f-4de3a79b0a47",
"kind": "official",
"name": "CSS Clicker Training: Making games in a \"styling\" language",
"slug": "css-clicker-training-making-games-in-a-styling-language",
"url": "https://api.events.ccc.de/congress/2025/event/29678965-8b0b-5428-b63f-4de3a79b0a47/?format=api",
"track": "art-beauty",
"assembly": "ccc",
"room": "7202df07-050c-552f-8318-992f94e40ef0",
"location": null,
"language": "en",
"description": "This talk is about how HTML and CSS can be used to make interactive art and games, without using any JS or server-side code. \r\n \r\nI'll explain some of the classic Cohost CSS Crimes, how I made [CSS Clicker](https://lyra.horse/css-clicker/), and what's next for the CSS scene. \r\n \r\nI hope this talk will teach and/or inspire you to make cool stuff of your own! \r\n \r\n---\r\n \r\n*Content notes:* \r\n- Slides feature animations and visual effects \r\n- Short video clip (with music) will be played \r\n- Clicker sound at the end of the talk\r\n\r\n---\r\n\r\nSlides will be available after the talk at: [https://lyra.horse/slides/#2025-congress](https://lyra.horse/slides/#2025-congress)",
"schedule_start": "2025-12-28T21:05:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-28T21:45:00+01:00"
},
{
"id": "910d24ff-efce-5adc-8b86-0f9c55fb1cda",
"kind": "official",
"name": "CUII: Wie Konzerne heimlich Webseiten in Deutschland sperren",
"slug": "cuii-wie-konzerne-heimlich-webseiten-in-deutschland-sperren",
"url": "https://api.events.ccc.de/congress/2025/event/910d24ff-efce-5adc-8b86-0f9c55fb1cda/?format=api",
"track": "ethics-society-politics",
"assembly": "ccc",
"room": "7202df07-050c-552f-8318-992f94e40ef0",
"location": null,
"language": "de",
"description": "In Deutschland entscheidet eine private Organisation aus Internetanbietern und großen Unterhaltungskonzernen, welche Webseiten für den Großteil der Bevölkerung nicht mehr erreichbar sind. \r\nDie selbsternannte \"Clearingstelle Urheberrecht im Internet\" sperrt ohne richterliche Beschlüsse den Zugriff auf Hunderte von Domains. \r\nWir haben daraufhin cuiiliste.de ins Leben gerufen, um die geheim gehaltene Liste von Domains zu veröffentlichen und so mehr Transparenz in die heimliche Zensur der Konzerne zu bringen.\r\nUnsere Auswertung der Liste zeigte: Fast ein Drittel der gesperrten Domains erfüllte – teils seit Jahren – nicht mehr die Kriterien für eine Sperre.\r\nWir werden uns ansehen, wie dutzende Domains nach öffentlichem Druck wieder entsperrt wurden, während Provider gleichzeitig deren Sperren noch mehr verschleierten.\r\nVor ein paar Monaten soll sich angeblich viel geändert haben bei der CUII - doch diese Änderung sieht leider verdächtig nach einem PR-Stunt aus, um weiterhin Seiten ohne Transparenz sperren zu können.",
"schedule_start": "2025-12-30T11:55:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-30T12:35:00+01:00"
},
{
"id": "562f7db7-c4c4-5120-903d-a782e8a17894",
"kind": "official",
"name": "Current Drone Wars",
"slug": "current-drone-wars",
"url": "https://api.events.ccc.de/congress/2025/event/562f7db7-c4c4-5120-903d-a782e8a17894/?format=api",
"track": "ethics-society-politics",
"assembly": "ccc",
"room": "7202df07-050c-552f-8318-992f94e40ef0",
"location": null,
"language": "en",
"description": "The character of drone wars has changed. The large, cumbersome long-range drones have been complemented with small and low-budget drones. Moreover, more and more states are developing, deploying and selling them. Ten years ago at least 50 states were developing them. At the top are the USA, Israel, Turkey, China, Iran and Russia.\r\n \r\nRussia's attack on Ukraine has unleashed a drone war unlike any seen before.\r\nIn a short time, Ukraine has built significant drone production capabilities and announced that it will increase its own production of quadcopters and kamikaze drones to one million units per year.\r\n \r\nGerman defense companies and startups are now promoting a “drone wall on NATO's eastern flank.” Moreover, despite their vulnerability to air defenses, large drones are also being further developed. They are intended to accompany next generation fighter jets in swarms.\r\n \r\nIn this talk, past and current developments are discussed. What are the perspectives now?",
"schedule_start": "2025-12-28T17:35:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-28T18:15:00+01:00"
},
{
"id": "077fbf39-e49b-5f13-8a6f-c5c71bcb309c",
"kind": "official",
"name": "Demystifying Fuzzer Behaviour",
"slug": "demystifying-fuzzer-behaviour",
"url": "https://api.events.ccc.de/congress/2025/event/077fbf39-e49b-5f13-8a6f-c5c71bcb309c/?format=api",
"track": "science",
"assembly": "ccc",
"room": "7202df07-050c-552f-8318-992f94e40ef0",
"location": null,
"language": "en",
"description": "Fuzz testing (or, \"fuzzing\") is a testing technique that passes randomly-generated inputs to a subject under test (SUT). This term was first coined in 1988 by Miller to describe sending random byte sequences to Unix utilities (1), but was arguably preceded in 1971 by Breuer for fault detection in sequential circuits (2) and in 1972 by Purdom for parser testing by generating sentences from grammars (3). Curiously, they all exhibit different approaches for generating inputs based on knowledge about the SUT, though none of them use feedback from the SUT to make decisions about new inputs.\r\n\r\nFuzzing wasn't yet popular, but industry was catching on. Between the late 90s and 2013, we see a number of strategies appear in industry (4). Some had success with constraint solvers, where they would observe runtime behavior or have knowledge about a target's structure to produce higher quality inputs. Others operated in a different way, by taking an existing input and tweaking it slightly (\"mutating\") to address the low-likelihood of random generation to produce structured inputs. None was as successful, or as popular, as American Fuzzy Lop, or \"AFL\", released in 2013. This combined coverage observations for inputs (Ormandy, 2007) with concepts from evolutionary novelty search (5) into a tool which could, from very few initial inputs, _evolve_ over multiple mutations to find new, untested code.\r\n\r\nDespite its power, this advancement made it far more difficult to understand how fuzzers even worked. Now all you had to do was point this tool at a program and it would start testing, and the coverage would go up; users were now only responsible for writing \"harnesses\", code which processed fuzzer-produced inputs and sent them to the SUT. 
Though there have been a few real advances to fuzzing since (or, at least, strategies which combined previous methods more effectively), fuzzing research has mostly deadended, with new methods squeezing only minor improvements out of older ones. This, and inadequate harness writing, comes from this opaqueness in how fuzzers internally operate: without understanding what these tools do from first principles, there's no clear \"right\" and \"wrong\" way to do things because there is no mental model to test them against.\r\n\r\nThis talk doesn't talk about new bugs, new fuzzers, or new harness generation tools. The purpose of this talk is to uncover mechanisms of fuzzer input production in the context of different classes of SUT and harnesses thereon, highlighting recent papers which have clarified our understanding of how fuzzers and SUTs interact. By the end, you will have a better understanding of _why_ modern fuzzers work, _what_ their limitations are, and _how_ you can write better fuzzers and harnesses yourself.\r\n\r\n(1): https://pages.cs.wisc.edu/~bart/fuzz/CS736-Projects-f1988.pdf\r\n(2): https://ieeexplore.ieee.org/document/1671733\r\n(3): https://link.springer.com/article/10.1007/BF01932308\r\n(4): https://afl-1.readthedocs.io/en/latest/about_afl.html\r\n(5): https://www.academia.edu/download/25396037/0262287196chap43.pdf",
"schedule_start": "2025-12-27T11:55:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-27T12:35:00+01:00"
},
{
"id": "1adb7e54-9bc5-5947-a7ff-dc286b0b14c2",
"kind": "official",
"name": "Design for 3D-Printing",
"slug": "design-for-3d-printing",
"url": "https://api.events.ccc.de/congress/2025/event/1adb7e54-9bc5-5947-a7ff-dc286b0b14c2/?format=api",
"track": "hardware",
"assembly": "ccc",
"room": "7202df07-050c-552f-8318-992f94e40ef0",
"location": null,
"language": "en",
"description": "Over the years, the 3d-printing community has discovered many tricks and rules that help create parts that can be printed well and fulfill their purpose as best as possible. I started collecting these rules and wrote an article guide to make this knowledge more accessible. I want to present the most important principles and the mindset that is needed to achieve perfected design.\r\n\r\nThis is not about how to use a CAD program to design a part — but rather about the thought process of the design engineer while drawing up a part. A thought process that consists of compromises between many objectives, of heuristic rules, and many neat little tricks.\r\n\r\nThe article that this talk is based on can be found on my blog: https://blog.rahix.de/design-for-3d-printing/",
"schedule_start": "2025-12-29T11:00:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-29T11:40:00+01:00"
},
{
"id": "5cf7d973-5a94-5e8f-9f8d-8b5f4ec5bb6d",
"kind": "official",
"name": "Developing New Medicines in the Age of AI and Personalized Medicine",
"slug": "developing-new-medicines-in-the-age-of-ai-and-personalized-medicine",
"url": "https://api.events.ccc.de/congress/2025/event/5cf7d973-5a94-5e8f-9f8d-8b5f4ec5bb6d/?format=api",
"track": "science",
"assembly": "ccc",
"room": "62251a07-13e4-5a72-bb3c-8528416ee0f2",
"location": null,
"language": "en",
"description": "After presenting a high-level overview of the path from an idea to the medicine that you can buy at a pharmacy, this talk will present and discuss the following aspects of the drug discovery and development process:\r\n(1) The translation of an idea into a drug for a human patient faces many critical moments along the development process. This so-called “translational gap” is addressed through experiments in a test tube (or Petri dish), experimentation in lab animals, and eventually testing in humans. However, findings in a standard cell line or in a mouse do not necessarily reflect the complexity of biological processes in a human patient. Currently, there are many technological advancements under way to improve the current drug discovery and development process, and possibly even replace animal studies in the future (e.g., organs-on-chip). Nevertheless, the fundamental issues surrounding translational research remain, such as the lack of standardization, the limitations of model systems, and various underlying clinical biases.\r\n(2) Like in many industries today, AI applications are introduced at multiple levels and for various purposes within the drug discovery and development continuum. Often, a lot of hope is placed in AI-based technologies to accelerate the R&D process, increase efficiency and productivity, and identify new therapeutic approaches. Indeed, there are many highly useful examples, such as the automation of image analysis in research, which replaces repetitive tasks and hence frees up a lot of time for researchers to do meaningful research. However, there are also many applications that are likely misguided, because they still face fundamental problems in evaluating scientific knowledge. For instance, the use of LLMs to summarize huge amounts of very complex and heterogeneous scientific data relies on the accuracy, completeness, and reproducibility of the available scientific data, which is often not the case. 
In addition, AI is often employed in an IT environment with questionable data security and ownership practices, such as the storage of sensitive research data on third-party cloud platforms.\r\n(3) Until now, the overwhelming majority of drugs have been developed to treat large patient populations, which represent a considerable market and ultimately ensure a return on investment. Today, however, most common and homogeneous diseases can already be managed, often with several (generic) drugs. Slight improvements to current drugs do not justify a large profit margin anymore, so the focus of drug discovery and development is shifting toward more heterogeneous and rare diseases, for which no or only poor treatments are available. Novel medicines in those disease areas hold the promise of substantial improvement for patients; however, these new patient (sub)populations, and thus markets, are much smaller, leading to premium prices for individualized therapies in order to ensure a return on investment. This paradigm shift toward individualized therapy - referred to as precision and personalized medicine - is supported by the advent of novel technologies and the accumulation of large bodies of data.\r\n(4) The rise of precision and personalized medicine is challenging the current business model of today’s pharmaceutical industry, suggesting that the era of blockbuster drugs might be over. Moreover, many intellectual property rights for blockbuster drugs are going to expire in the next few years, ending the market dominance of a number of pharma companies and sending the current industry landscape into turmoil. These developments will likely alter the current modus operandi of the entire biopharmaceutical development process, and it is not clear how the next few years will look like.",
"schedule_start": "2025-12-27T13:50:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-27T14:30:00+01:00"
},
{
"id": "6396165e-0c44-58d3-a345-a63966473508",
"kind": "official",
"name": "Die große Datenschutz-, Datenpannen- und DS-GVO-Show",
"slug": "die-groe-datenschutz-datenpannen-und-ds-gvo-show",
"url": "https://api.events.ccc.de/congress/2025/event/6396165e-0c44-58d3-a345-a63966473508/?format=api",
"track": "entertainment",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "de",
"description": "Datenschutz wird oftmals als lästige Pflicht wahrgenommen – aber was will und macht Datenschutz, für was ist er sinnvoll und was ist zu beachten? In welche Stolperfallen können auch Nerds hineinfallen? **Die Datenschutz- und DSGVO-Show vermittelt spielerisch Datenschutzgrundlagen,** bietet einen Einblick in die Praxis der Datenschutz-Aufsichtsbehörden und zeigt typische technische wie rechtliche Fehler im Umgang mit personenbezogenen Daten. Aber auch für Datenschutz-Profis und Superhirne sind einige harte Nüsse dabei.\r\n\r\nDer Moderator arbeitet beim Landesbeauftragten für den Datenschutz und die Informationsfreiheit Baden-Württemberg und berichtet aus der praktischen Arbeit einer Aufsichtsbehörde, nennt rechtliche Grundlagen, gibt Hinweise zu notwendigen technischen Maßnahmen nach Artikel 32 DS-GVO und die oftmals schwierige Risikoabschätzung nach „wir wurden gecybert“-Sicherheitsvorfällen.\r\n\r\nIm Quiz selbst müssen die Kandidat:innen in ihren Antworten praktische Lösungsvorschläge für häufige technische und rechtliche Probleme vorschlagen, zum Beispiel welche technischen Maßnahmen bei bestimmten Datenpannen nach dem „Stand der Technik“ angebracht sind, ob man als Website-Betreiber denn nun Google Analytics nutzen darf oder wie man sich gegen (rechtswidrige) Datensammler wehrt. Dadurch können Teilnehmer wie Zuschauer die praktische Anwendung der DS-GVO spielerisch lernen.",
"schedule_start": "2025-12-30T01:00:00+01:00",
"schedule_duration": "01:30:00",
"schedule_end": "2025-12-30T02:30:00+01:00"
},
{
"id": "514cda00-fd8e-5417-ba56-a882572a660e",
"kind": "official",
"name": "Die Känguru-Rebellion: Digital Independence Day",
"slug": "die-kanguru-rebellion-digital-independence-day",
"url": "https://api.events.ccc.de/congress/2025/event/514cda00-fd8e-5417-ba56-a882572a660e/?format=api",
"track": "ccc-community",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "de",
"description": "Vielleicht auch was von Elon und Jeff on Mars.\r\nUnd dann ruft das Känguru zum Digital Independence Day auf.",
"schedule_start": "2025-12-27T19:15:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-27T20:15:00+01:00"
},
{
"id": "184bb132-6a17-5aa5-9ebe-08b1d5e3a767",
"kind": "official",
"name": "Digitale Inklusion: Wie wir digitale Barrierefreiheit für alle erreichen können",
"slug": "digitale-inklusion-wie-wir-digitale-barrierefreiheit-fur-alle-erreichen-konnen",
"url": "https://api.events.ccc.de/congress/2025/event/184bb132-6a17-5aa5-9ebe-08b1d5e3a767/?format=api",
"track": "ethics-society-politics",
"assembly": "ccc",
"room": "85a6ba5d-11d9-4efe-8d28-c5f7165a19ce",
"location": null,
"language": "de",
"description": "Für viele Menschen ist es selbstverständlich, online unterwegs zu sein. Dennoch sind weiterhin viele Menschen mit Beeinträchtigung online ausgeschlossen. Seit Juni 2025 ist digitale Barrierefreiheit durch das Barrierefreiheitsstärkungsgesetz für Unternehmen verpflichtend. Damit ist digitale Barrierefreiheit von einer Option zu einem Recht geworden. Trotz der gesetzlichen Vorgaben scheitert die digitale Barrierefreiheit in der Praxis häufig an der fehlenden Expertise von Verantwortlichen. Wir möchten aus drei Perspektiven auf Barrierefreiheit in der digitalen Welt schauen:\r\n\r\nLena Müller ist Entwicklerin und für die barrierefreie Gestaltung von Inhalten verantwortlich. Kathrin Klapper promoviert und nutzt in ihrem Alltag zum Sprechen einen Sprachcomputer mit Augensteuerung. Und Jakob Sponholz setzt sich in seiner Forschung mit der Frage auseinander, wie digitale Medien zur Inklusion beitragen können.\r\n\r\nWir möchten zunächst einen Einblick in die Mechanismen geben, die digitale Inklusion verhindern - sowohl theoretisch als auch praktisch. Anschließend möchten wir anhand von einfachen Beispielen zeigen, dass der Einstieg in die Gestaltung von barrierefreien Inhalten eigentlich gar nicht so schwer ist und es sich lohnt, einfach anzufangen.",
"schedule_start": "2025-12-28T11:00:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-28T12:00:00+01:00"
},
{
"id": "2b044342-d98d-5821-beb8-14a662373af2",
"kind": "official",
"name": "DNGerousLINK: A Deep Dive into WhatsApp 0-Click Exploits on iOS and Samsung Devices",
"slug": "dngerouslink-a-deep-dive-into-whatsapp-0-click-exploits-on-ios-and-samsung-devices",
"url": "https://api.events.ccc.de/congress/2025/event/2b044342-d98d-5821-beb8-14a662373af2/?format=api",
"track": "security",
"assembly": "ccc",
"room": "85a6ba5d-11d9-4efe-8d28-c5f7165a19ce",
"location": null,
"language": "en",
"description": "In August 2025, it attracted significant attention when Apple patched CVE-2025-43300, a vulnerability reportedly exploited in-the-wild to execute \"extremely sophisticated attack against specific targeted individuals\". A week later, WhatsApp issued a security advisory, revealing the fix for a critical vulnerability, CVE-2025-55177, which was also exploited in-the-wild. Strong evidence indicated that these two vulnerabilities were chained together, enabling attackers to deliver a malicious exploit via WhatsApp to steal data from a user's Apple device, all without any user interaction.\r\n\r\nTo deconstruct this critical and stealthy in-the-wild 0-click exploit chain, we will detail our findings in several parts:\r\n1. WhatsApp 0-Click Attack Vector (CVE-2025-55177). We will describe the 0-click attack surface we identified within WhatsApp. We will detail the flaws in WhatsApp's message handling logic for \"linked devices,\" which stemmed from insufficient validation, and demonstrate how an attacker could craft malicious protocol messages to trigger the vulnerable code path.\r\n2. iOS Image Parsing Vulnerability (CVE-2025-43300). The initial exploit allows an attacker to force the target's WhatsApp to load arbitrary web content. We will then explain how the attacker leverages this by embedding a malicious DNG image within a webpage to trigger a vulnerability in the iOS image parsing library. We will analyze how the RawCamera framework handles the parsing of DNG images, and pinpoint the resulting OOB vulnerability.\r\n3. Rebuilding the Chain: From Vulnerability to PoC. In addition, we will then walk through our process of chaining these two vulnerabilities, constructing a functional Proof-of-Concept (PoC) that can simultaneously crash the WhatsApp application on target iPhones, iPads, and Macs.\r\n\r\nBeyond Apple: The Samsung Connection (CVE-2025-21043). 
Samsung's September security bulletin patched CVE-2025-21043, an out-of-bounds write vulnerability in an image parsing library reported by the Meta and WhatsApp security teams. This vulnerability was also confirmed to be exploited in-the-wild. While an official WhatsApp exploit chain for Samsung devices has not been publicly detailed, we will disclose our findings on this related attack. Finally, we will share some unexpected findings from our investigation, including the discovery of several additional, previously undisclosed 0-day vulnerabilities.",
"schedule_start": "2025-12-27T21:45:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-27T22:45:00+01:00"
},
{
"id": "832b4de9-1ee3-5905-a4dc-692a71ac87d3",
"kind": "official",
"name": "Don’t look up: There are sensitive internal links in the clear on GEO satellites",
"slug": "don-t-look-up-there-are-sensitive-internal-links-in-the-clear-on-geo-satellites",
"url": "https://api.events.ccc.de/congress/2025/event/832b4de9-1ee3-5905-a4dc-692a71ac87d3/?format=api",
"track": "security",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "en",
"description": "In this talk, we will cover our hardware setup, alignment techniques, our parsing code, and survey some of the surprising finds in the data. This talk will include some previously unannounced results. This data can be passively observed by anyone with a few hundred dollars of consumer-grade hardware. There are thousands of geostationary satellite transponders globally, and data from a single transponder may be visible from an area as large as 40% of the surface of the earth.",
"schedule_start": "2025-12-28T22:05:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-28T22:45:00+01:00"
},
{
"id": "7cca9076-3454-5229-b1f4-9069def42bfd",
"kind": "official",
"name": "Doomsday-Porn, Schäferhunde und die „niedliche Abschiebung“ von nebenan: Wie autoritäre Akteure KI-generierte Inhalte für Social Media nutzen",
"slug": "radikalisierungspipeline-esoterik-von-eso-nazis-de",
"url": "https://api.events.ccc.de/congress/2025/event/7cca9076-3454-5229-b1f4-9069def42bfd/?format=api",
"track": "ethics-society-politics",
"assembly": "ccc",
"room": "7202df07-050c-552f-8318-992f94e40ef0",
"location": null,
"language": "de",
"description": "KI-generierter Content ist aus der Kommunikationsstrategie autoritärer Akteure nicht mehr wegzudenken. Social Media wird derzeit mit rechtem KI-Slop geflutet, in dem wahlweise die Welt dank Migration kurz vor dem Abgrund steht oder blonde, weiße Familien fröhlich Fahnen schwenken. Im politischen Vorfeld der extremen Rechten werden zudem immer häufiger mal mehr oder weniger offensichtliche Deepfakes geteilt, die auf die jeweilige politische Botschaft einzahlen. Das reicht von KI-generierten Straßenumfragen über Ausschnitte aus Talksendungen, die nie stattgefunden haben, bis hin zu gänzlich KI-generierten Influencerinnen (natürlich blond). Was macht das mit politischen Debatten? Und wie sollten wir als Gesellschaft damit umgehen?",
"schedule_start": "2025-12-27T21:45:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-27T22:45:00+01:00"
},
{
"id": "8f6e4391-96fc-5d29-b66c-328026fc35f0",
"kind": "official",
"name": "Endlich maschinenlesbare Urteile! Open access für Juristen",
"slug": "endlich-maschinenlesbare-urteile-open-access-fur-juristen",
"url": "https://api.events.ccc.de/congress/2025/event/8f6e4391-96fc-5d29-b66c-328026fc35f0/?format=api",
"track": "science",
"assembly": "ccc",
"room": "85a6ba5d-11d9-4efe-8d28-c5f7165a19ce",
"location": null,
"language": "de",
"description": "Es ist tatsächlich ein ernsthaftes und reales wissenschaftliches und gesellschaftliches Problem, wenn Urteile hinter den wurmstichigen Aktenschränken der Amtstuben weggeschlossen werden. Wir belegen das anhand einiger besonders hanebüchener Zitate aus aktuellen und nicht mehr änderbaren Urteilen aus der Praxis.\r\n\r\nWir erarbeiten aktuell Strategien, wie man das Rechtssystem power-cyclen kann, damit Urteile in ihrer Gesamtheit, und damit die faktisch gesprochene Rechtslage in Deutschland, wieder zugänglich werden. Als positiver Nebeneffekt der Verfügbarkeit von Urteilen können Zivilgesellschaft und die Politik auch selber souverän überprüfen, ob unsere Richter das Recht typischerweise auch wirklich im Sinne der Legislative anwenden – keiner kann es aktuell wissen, wir können nur hoffen ...",
"schedule_start": "2025-12-27T13:50:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-27T14:30:00+01:00"
},
{
"id": "910e5f22-945b-5196-8e21-246acbcaadd3",
"kind": "official",
"name": "“End Of 10”: How the FOSS Community is Combatting Software-Driven Resource and Energy Consumption",
"slug": "end-of-10-how-the-foss-community-is-combatting-software-drive-resource-and-energy-consumption",
"url": "https://api.events.ccc.de/congress/2025/event/910e5f22-945b-5196-8e21-246acbcaadd3/?format=api",
"track": "ccc-community",
"assembly": "ccc",
"room": "62251a07-13e4-5a72-bb3c-8528416ee0f2",
"location": null,
"language": "en",
"description": "This is a talk about digital sustainability and the role software plays in hardware longevity. At the 38C3, the End Of 10 campaign held a workshop to co-ordinate contributions across FOSS communities. Many people currently involved started contributing after this workshop, including 2 of the 3 presenters.",
"schedule_start": "2025-12-30T11:55:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-30T12:35:00+01:00"
},
{
"id": "1632d233-fb88-5f58-aaec-823ea32f8b56",
"kind": "official",
"name": "Escaping Containment: A Security Analysis of FreeBSD Jails",
"slug": "escaping-containment-a-security-analysis-of-freebsd-jails",
"url": "https://api.events.ccc.de/congress/2025/event/1632d233-fb88-5f58-aaec-823ea32f8b56/?format=api",
"track": "security",
"assembly": "ccc",
"room": "85a6ba5d-11d9-4efe-8d28-c5f7165a19ce",
"location": null,
"language": "en",
"description": "FreeBSD’s jail feature is one of the oldest and most mature OS-level isolation mechanisms in use today, powering hosting environments, container frameworks, and security sandboxes. But as with any large and evolving kernel feature, complexity breeds opportunity. This research asks a simple but critical question: If an attacker compromises root inside a FreeBSD jail, what does it take to break out?\r\n\r\nTo answer that, we conducted a large-scale audit of FreeBSD kernel code paths accessible from within a jail. We systematically examined privileged operations, capabilities, and interfaces that a jailed process can still reach, hunting for memory safety issues, race conditions, and logic flaws. The result: roughly 50 distinct issues uncovered across multiple kernel subsystems, ranging from buffer overflows and information leaks to unbounded allocations and reference counting errors—many of which could crash the system or provide vectors for privilege escalation beyond the jail.\r\n\r\nWe’ve developed proof-of-concept exploits and tools to demonstrate some of these vulnerabilities in action. We’ve responsibly disclosed our findings to the FreeBSD security team and are collaborating with them on fixes. Our goal isn’t to break FreeBSD, but to highlight the systemic difficulty of maintaining strict isolation in a large, mature codebase.\r\n\r\nThis talk will present our methodology, tooling, and selected demos of real jail escapes. We’ll close with observations about kernel isolation boundaries, lessons learned for other OS container systems, and a call to action for hardening FreeBSD’s jail subsystem against the next generation of threats.",
"schedule_start": "2025-12-27T17:15:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-27T18:15:00+01:00"
},
{
"id": "62f556ab-b1b4-51fb-9c86-b49ea1f3c45f",
"kind": "official",
"name": "Excuse me, what precise time is It?",
"slug": "excuse-me-what-precise-time-is-it",
"url": "https://api.events.ccc.de/congress/2025/event/62f556ab-b1b4-51fb-9c86-b49ea1f3c45f/?format=api",
"track": "hardware",
"assembly": "ccc",
"room": "7202df07-050c-552f-8318-992f94e40ef0",
"location": null,
"language": "en",
"description": "Where even a few microseconds of drift can turn perfect sync into complete chaos.\r\nThis talk takes a deep dive into the mysterious world of precise time distribution in large networks. We’ll start by exploring how PTP 1588 actually works, from announce, sync, and follow-up messages to delay measurements and the magic of hardware timestamping. We’ll look at why PTP is critical for modern audio/video-over-IP standards like AES67 and SMPTE 2110, and how they push Ethernet to its absolute temporal limits.\r\nAlong the way, we’ll discover how transparent and boundary clocks fight jitter, and why your switch’s buffer might secretly hate you. We will do live Wireshark dissections of real PTP traffic, demos showing what happens when timing breaks, and some hands-on hardware experiments with grandmasters and followers trying to stay in sync.\r\nExpect packets, graphs, oscilloscopes, crashing live demos and at least one bad joke about time travel.",
"schedule_start": "2025-12-27T20:30:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-27T21:30:00+01:00"
},
{
"id": "cc16de00-c31f-5c44-a34a-615e6beba883",
"kind": "official",
"name": "FeTAp 611 unplugged: Taking a rotary dial phone to the mobile age",
"slug": "fetap-611-unplugged-taking-a-rotary-dial-phone-to-the-mobile-age",
"url": "https://api.events.ccc.de/congress/2025/event/cc16de00-c31f-5c44-a34a-615e6beba883/?format=api",
"track": "hardware",
"assembly": "ccc",
"room": "62251a07-13e4-5a72-bb3c-8528416ee0f2",
"location": null,
"language": "en",
"description": "There are people who throw away old telephones - and then there are those who find them in the garbage and think, „How can a microcontroller actually read the digits from a rotary dial?“\r\nThis talk follows the journey of transforming a classic German FeTAp 611 rotary phone into a mobile device while keeping its vintage charm. Building on earlier retrofits, this project aims to combine the following design goals into a mobile version of the Fernsprechtischapparat:\r\n\r\n- Grandparents-compatible – The phone shall be easy to use by non-technical people, showing the same look and feel as the original phones, including details such as a dial tone.\r\n- easy phone switching – Switching between FeTAp and regular cellphone shall not require unscrewing the phone to switch SIM cards.\r\n- standard components – PCB/PCBA suppliers shall be capable of manufacturing boards at a reasonable price.\r\n- device-agnostic circuit design – Adapting to different phones (e.g. W48, FeTAp 791, FeTAp 611) shall minimize the need for changes in the schematic. This includes a ringing voltage generator that shall be powerful enough to drive an old W48 phone.\r\n\r\nThis talk will walk you through certain aspects of the German analog telephony standard 1TR110-1, and the challenges faced when implementing those on a battery-powered device with little space. 
It explains\r\n- the state machine implemented on an STM32 microcontroller,\r\n- how to connect old carbon microphones to modern audio electronics,\r\n- designing (and avoiding mistakes in) a flyback based SMPS to generate 32V - 75V ringing voltage,\r\n- how to generate 25 Hz AC using an H-bridge,\r\n- and how to layout the PCB such that the ancient second handset connector can now be used for USB-C charging.\r\n\r\nIn the course of the development, I discovered that the project is not only a good way to get a glimpse into various aspects of ancient and modern types of electronics - but also into people’s reactions when such a phone suddenly starts ringing on a flea market… :-)",
"schedule_start": "2025-12-27T12:50:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-27T13:30:00+01:00"
},
{
"id": "49ceb68c-bcbe-592f-9c62-b1085f657190",
"kind": "official",
"name": "Fossile Industrie liebt KI!",
"slug": "fossile-industrie-liebt-ki",
"url": "https://api.events.ccc.de/congress/2025/event/49ceb68c-bcbe-592f-9c62-b1085f657190/?format=api",
"track": "ethics-society-politics",
"assembly": "ccc",
"room": "62251a07-13e4-5a72-bb3c-8528416ee0f2",
"location": null,
"language": "de",
"description": "Obwohl die negativen Klimaauswirkungen generativer KI immer deutlicher werden, sollen in ganz Europa Großrechenzentren gebaut werden und Deutschland „KI-Nation“ werden, was ungeahnte „Wirtschaftskräfte freisetzen soll“ – zumindest, wenn es nach der Bundesregierung geht.\r\n\r\nDer Ausbau der Recheninfrastruktur für generative KI benötigt viel Energie, Wasser und Ressourcen, was global zu Umweltschäden führt. Prognosen für die EU zeigen, dass der Energieverbrauch in Zukunft so groß werden könnte, dass der Ausbau der erneuerbaren Energien nicht mithalten kann – doch die fossile Industrie steht bereits in den Startlöchern.\r\n\r\nDer Hype um generative KI liefert ihnen die perfekte Begründung für den Ausbau fossiler Infrastruktur- mitten in der eskalierenden Klimakrise. Tech- und Fossilkonzerne investieren massiv in neue Gaskraftwerke für energiehungrige Rechenzentren. Dabei ist der wirtschaftliche Nutzen und die Wertschöpfung durch die Technologie weiterhin unklar.\r\nKlar ist: wir erleben derzeit eine fossile Gegenoffensive im Gewand digitaler Versprechen. Auf Kosten des Klimas und der Zukunft.\r\n\r\nDieser Vortrag schließt an den Talk \"Klimaschädlich by Design\" vom 38C3 an und gibt Updates zu Entwicklungen in Deutschland und Europa.",
"schedule_start": "2025-12-30T12:50:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-30T13:30:00+01:00"
},
{
"id": "4c285dd4-58fc-5378-9434-628f7871ee9f",
"kind": "official",
"name": "freiheit.exe - Utopien als Malware",
"slug": "freiheit-exe-utopien-als-malware",
"url": "https://api.events.ccc.de/congress/2025/event/4c285dd4-58fc-5378-9434-628f7871ee9f/?format=api",
"track": "art-beauty",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "de",
"description": "Ich lade das CCC-Publikum ein, die Betriebssysteme hinter unseren Betriebssystemen zu untersuchen.\r\nWährend wir uns mit Verschlüsselung, Datenschutz und digitaler Selbstbestimmung beschäftigen, installieren Tech-Milliardäre ihre Weltanschauungen als Default-Einstellungen unserer digitalen Infrastruktur. Die Recherchen beleuchten die mitgelieferte Malware.\r\n\r\nIch navigiere durch die Ideengeschichte zwischen Marinettis Futuristischem Manifest (1909) und Musks Mars-Kolonien, von den ersten Programmiererinnen zur Eroberung des Alls, von neoliberalen Think Tanks zur Schuldenbremse, von nationalen Christen zu Pronatalisten.\r\nInvestigative Recherche trifft auf performative Vermittlung. \r\nMit O-Tönen von Peter Thiel, Nick Land und anderen zeigt die Lecture ideologische Verbindungslinien zwischen Theoretikern autoritär-technoider Träume und den Visionen der Tech-Oligarchen auf:\r\n\r\nEs geht um „Freedom Cities“, Steuerflucht und White Supremacy.\r\nUm Transhumanismus als Upgrade-Zwang bis hin zu neo-eugenischen Gedanken.\r\nUm Akzeleration als politische Strategie: Geschwindigkeit statt Reflexion, Disruption statt Demokratie, Kolonisierung – jetzt auch digital.\r\n\r\nAus Theaterperspektive betrachte ich das Revival der Cäsaren und die Selbstinszenierung von Tech-CEOs als Künstler, Priester oder Genies. \r\nUnd mit der Investigativ Reporterin Sylke Grunwald habe ich recherchiert, was all das mit den Debatten rund um Palantir zu tun hat.\r\n\r\nDie scheinbar alternativlose Logik von \"Move Fast and Break Things\" ist nicht unvermeidlich – sie ist gewollt, gestaltet, ideologisch aufgeladen.",
"schedule_start": "2025-12-28T20:10:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-28T20:50:00+01:00"
},
{
"id": "481f7cae-da59-5506-9801-625227113981",
"kind": "official",
"name": "From Silicon to Darude Sand-storm: breaking famous synthesizer DSPs",
"slug": "from-silicon-to-darude-sand-storm-breaking-famous-synthesizer-dsps",
"url": "https://api.events.ccc.de/congress/2025/event/481f7cae-da59-5506-9801-625227113981/?format=api",
"track": "hardware",
"assembly": "ccc",
"room": "85a6ba5d-11d9-4efe-8d28-c5f7165a19ce",
"location": null,
"language": "en",
"description": "This talk is a sequel to my last year's talk \"Proprietary silicon ICs and dubious marketing claims? Let's fight those with a microscope!\", where I showed how I reverse engineered a pretty old device (1986) by looking at microscope silicon pics alone, with manual tracing and some custom tools. Back then I claimed that taking a look at a more modern device would be way more challenging, due to the increased complexity.\r\n\r\nThis time, in fact, I've reverse engineered a much more modern chip: the custom Roland/Toshiba TC170C140 ESP chip (1995). Completing this task required a different approach, as doing it manually would have required too much time. We used a guided automated approach that combines clever microscopy with computer vision to automatically classify standard cells in the chip, saving us most of the manual work.\r\nThe biggest win though came from directly probing the chip: by exploiting test routines and sending random data to the chip we figured out how the internal registers worked, slowly giving us insights about the encoding of the chip ISA. By combining those two approaches we managed to create a bit-accurate emulator that is also able to run in real-time using JIT.\r\n\r\nIn this talk I want to cover the following topics:\r\n- What I learned since my previous talk by looking at more complicated chips\r\n- Towards automating the silicon reverse engineering process\r\n- How to find and exploit test modes to understand how stuff works\r\n- How we tricked the chip into spilling its own secrets\r\n- How the ESP chip works, compared to existing DSP chips\r\n- How the SuperSaw oscillator turned out to work",
"schedule_start": "2025-12-27T23:55:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-28T00:35:00+01:00"
},
{
"id": "755f1d78-c910-56cb-a37e-13870013bff6",
"kind": "official",
"name": "Gegenmacht - Best of Informationsfreiheit",
"slug": "gegenmacht-best-of-informationsfreiheit",
"url": "https://api.events.ccc.de/congress/2025/event/755f1d78-c910-56cb-a37e-13870013bff6/?format=api",
"track": "ethics-society-politics",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "de",
"description": "Transparenz braucht Rechenschaft. Ohne Konsequenzen bleibt Transparenz wirkungslos. Wie können wir also eine wirksame Gegenmacht schaffen, die Veränderungen durchsetzt? \r\n\r\nPhilipp Amthors Angriff aufs Informationsfreiheitsgesetz konnten wir erst einmal abwehren - jetzt geht's in die Offensive! Mit den Highlights aus Strafanzeigen gegen Alexander Dobrindt, Spahns geleaktem Maskenbericht, der Milliardärslobby im Wirtschaftsministerium und allen Steueroasen in Deutschland.",
"schedule_start": "2025-12-29T16:00:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-29T17:00:00+01:00"
},
{
"id": "9c8bec33-f71a-5090-857d-1648a027c8a9",
"kind": "official",
"name": "GPTDash – Der Reverse-Turing-Test",
"slug": "gptdash-der-reverse-turing-test",
"url": "https://api.events.ccc.de/congress/2025/event/9c8bec33-f71a-5090-857d-1648a027c8a9/?format=api",
"track": "entertainment",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "de",
"description": "In unserem Reverse-Turing-Test schlüpfen die Teilnehmenden in die Rolle einer KI und versuchen so robotisch-menschlich wie möglich zu klingen. In einer anschließenden Blindstudie prüfen wir, wer sich am besten unter KIs mischen und beim nächsten Robot Uprising die Spionin der Wahl wäre.\r\n\r\nHumor, Kreativität und ein Hang zu allgemeingültigen, nichtssagenden Floskeln sind die perfekten Voraussetzungen! Ein digitales Endgerät (Smartphone, Tablet, Laptop, …) reicht zum Mitspielen aus.",
"schedule_start": "2025-12-29T01:00:00+01:00",
"schedule_duration": "01:30:00",
"schedule_end": "2025-12-29T02:30:00+01:00"
},
{
"id": "dd990a78-1e11-5c5e-aef4-6eb0214c772a",
"kind": "official",
"name": "Greenhouse Gas Emission Data: Public, difficult to access, and not always correct",
"slug": "greenhouse-gas-emission-data-public-difficult-to-access-and-not-always-correct",
"url": "https://api.events.ccc.de/congress/2025/event/dd990a78-1e11-5c5e-aef4-6eb0214c772a/?format=api",
"track": "science",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "en",
"description": "Which factory in my city is the largest emitter of CO2? Which industrial sector is\r\nresponsible for the largest share of a country's contribution to climate change? It\r\nshould not be difficult to answer these questions. Public databases and reporting\r\nrequired by international agreements usually allow us to access this data.\r\n\r\nHowever, trying to access and work with these datasets — or, shall we say, Excel tables\r\n— can be frustrating. UN web pages that prevent easy downloads with a \"security\r\nfirewall\", barely usable frontends, and other issues make it needlessly difficult to\r\ngain transparency about the sources of climate pollution.\r\n\r\nWhile working with official EU datasets, the speaker observed data points that could not\r\npossibly be true. Factories suddenly dropped their emissions by orders of magnitude\r\nwithout any explanation, different official sources report diverging numbers for the\r\nsame emission source, and responsible European and National authorities appear not to\r\ncare that much.\r\n\r\nThe talk will show how to work with relevant greenhouse gas emission data sources and\r\nhow we can access them more easily by converting them to standard SQL tables. Furthermore, we will dig into some of the\r\nstrange issues one may find while investigating emission datasets.\r\n\r\n# Background / Links\r\n\r\n* Why is it needlessly difficult to access UNFCCC Emission Data? 
[https://industrydecarbonization.com/news/why-is-it-needlessly-difficult-to-access-unfccc-emission-data.html](https://industrydecarbonization.com/news/why-is-it-needlessly-difficult-to-access-unfccc-emission-data.html)\r\n* UNFCCC Emission Data Downloads: [https://industrydecarbonization.com/docs/unfccc/](https://industrydecarbonization.com/docs/unfccc/)\r\n* Code (Docker, MariaDB/MySQL, phpMyAdmin) to easily access EU emission data: [https://github.com/decarbonizenews/ghgsql](https://github.com/decarbonizenews/ghgsql)\r\n* Errors and Inconsistencies in European Emission Databases: [https://industrydecarbonization.com/news/errors-and-inconsistencies-in-european-emission-data.html](https://industrydecarbonization.com/news/errors-and-inconsistencies-in-european-emission-data.html)\r\n* Slides: [https://slides.hboeck.de/39c3-climatedata/](https://slides.hboeck.de/39c3-climatedata/)",
"schedule_start": "2025-12-29T11:00:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-29T11:40:00+01:00"
},
{
"id": "418f57a7-435b-5835-98ad-85158338b6c4",
"kind": "official",
"name": "Hacking Karlsruhe - 10 years later",
"slug": "hacking-karlsruhe-10-years-later",
"url": "https://api.events.ccc.de/congress/2025/event/418f57a7-435b-5835-98ad-85158338b6c4/?format=api",
"track": "ethics-society-politics",
"assembly": "ccc",
"room": "85a6ba5d-11d9-4efe-8d28-c5f7165a19ce",
"location": null,
"language": "de",
"description": "Wenn Gesetze Grundrechte verletzen, warum nicht das Bundesverfassungsgericht hacken – mit Strategie, Teamwork und guter Begründung? Aus dieser Idee ist inzwischen ein zentrales Werkzeug zivilgesellschaftlicher Gegenmacht geworden: Strategische Prozessführung. Das Prinzip ist einfach: Gesetze nicht nur kritisieren, sondern systematisch angreifen, mit gezielten Verfassungsbeschwerden gegen Überwachung, Zensur und staatliche Eingriffe in die digitale Freiheit.\r\nSeitdem hat sich viel getan. Organisationen wie die Gesellschaft für Freiheitsrechte (GFF) haben den Weg nach Karlsruhe professionalisiert und Verfahren angestoßen, die viele aus den Nachrichten kennen:\r\ngegen die Vorratsdatenspeicherung,\r\ngegen das BND-Gesetz zur Auslandsüberwachung,\r\ngegen den Einsatz von Palantir,\r\nund gegen den Einsatz von Staatstrojanern.\r\nEinige dieser Verfahren waren erfolgreich und haben Gesetze gekippt. Andere sind krachend gescheitert – oder hängen seit Jahren in Karlsruhe fest. Dabei zeigt sich: Der Weg zum Urteil wird härter, die Erfolgsaussichten kleiner, und das Verfassungsgericht ist nicht mehr der progressive Motor, der es mal war.\r\nDieser Talk zieht eine ehrliche Bilanz: Was bringt strategische Prozessführung wirklich? Was lässt sich aus Erfolgen und Misserfolgen lernen? Welche Fälle lohnen sich – und wo wird der Rechtsweg zur Sackgasse? Und wie verschiebt sich das Ganze inzwischen auf die europäische Ebene – wo neue Schauplätze wie der Digital Services Act oder der AI Act warten?\r\nKeine juristische Vorlesung, sondern ein Erfahrungsbericht aus zehn Jahren digitaler Grundrechtsarbeit. Es geht um Taktik, Fehlentscheidungen, unerwartete Allianzen – und um die Frage, wie man auch heute noch im Rechtssystem rütteln kann, wenn die Türen in Karlsruhe enger werden.\r\nDer Vortrag wird gehalten von Simone Ruf und Jürgen Bering von der Gesellschaft für Freiheitsrechte.",
"schedule_start": "2025-12-29T11:55:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-29T12:35:00+01:00"
},
{
"id": "efa55b63-86b6-56c5-88ab-46408b59b18d",
"kind": "official",
"name": "Hacking washing machines",
"slug": "hacking-washing-machines",
"url": "https://api.events.ccc.de/congress/2025/event/efa55b63-86b6-56c5-88ab-46408b59b18d/?format=api",
"track": "hardware",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "en",
"description": "Modern home appliances may seem simple from the outside, but inside they contain complex electronic systems, proprietary communication protocols, and diagnostic interfaces rarely documented outside the manufacturer. In this talk, we'll explore the challenges of reverse-engineering these systems: from analyzing appliance control boards and internal communication buses to decompiling and modifying firmware to better understand device functionality.\r\n\r\nWe'll also look at the security mechanisms designed to protect diagnostic access and firmware readout, and how these protections can be bypassed to enable deeper insight into device operation. Finally, this talk will demonstrate how the results of this research can be used to integrate even legacy home appliances into popular home automation platforms.\r\n\r\nThis session combines examples and insights from the reverse-engineering of B/S/H/ and Miele household appliances.",
"schedule_start": "2025-12-27T21:45:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-27T22:45:00+01:00"
},
{
"id": "9c3ce2ac-1531-5a5a-ae7d-df3511b5c914",
"kind": "official",
"name": "Handy weg bis zur Ausreise – Wie Cellebrite ins Ausländeramt kam",
"slug": "handy-weg-bis-zur-ausreise-wie-cellebrite-ins-auslanderamt-kam",
"url": "https://api.events.ccc.de/congress/2025/event/9c3ce2ac-1531-5a5a-ae7d-df3511b5c914/?format=api",
"track": "ethics-society-politics",
"assembly": "ccc",
"room": "7202df07-050c-552f-8318-992f94e40ef0",
"location": null,
"language": "de",
"description": "Seit Anfang 2024 dürfen Ausländerbehörden Smartphones von ausreisepflichtigen Menschen nicht nur durchsuchen, sondern gleich ganz behalten – „bis zur Ausreise“. \r\n\r\nWas als geringfügige Änderung im Aufenthaltsgesetz daherkommt, erweist sich als massiver Eingriff in Grundrechte: Menschen verlieren nicht nur die Kontrolle über ihre Daten, sondern auch ihr wichtigstes Kommunikationsmittel – auf unbestimmte Zeit. \r\n\r\nHier hört ihr, welche absurden Blüten das treibt. Von Bayern bis NRW haben Bundesländer inzwischen eigene IT-forensische Tools für ihre Behörden angeschafft, um auf den Geräten nach “Indizien” für die Herkunft zu suchen. Sie setzen Methoden ein, wie wir sie sonst aus Ermittlungsverfahren oder von Geheimdiensten kennen – um die Geräte von Menschen zu durchsuchen, die nichts verbrochen haben. \r\n\r\nIm Vortrag zeige ich, welche absurden Konsequenzen das für die Betroffenen mit sich bringt, welche Bundesländer an der traurigen Spitze der Statistik stehen – und wie sich das Ganze in das Arsenal der digitalen und sonstigen Repressionen von Geflüchteten einreiht.",
"schedule_start": "2025-12-27T17:15:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-27T18:15:00+01:00"
},
{
"id": "13360c32-568f-519d-a8fd-0a9740089ccf",
"kind": "official",
"name": "Hatupangwingwi: The story how Kenyans fought back against intrusive digital identity systems",
"slug": "hatupangwingwi-the-story-how-kenyans-fought-back-against-intrusive-digital-identity-systems",
"url": "https://api.events.ccc.de/congress/2025/event/13360c32-568f-519d-a8fd-0a9740089ccf/?format=api",
"track": "ethics-society-politics",
"assembly": "ccc",
"room": "7202df07-050c-552f-8318-992f94e40ef0",
"location": null,
"language": "en",
"description": "In 2019, the Kenyan government announced the transition to a centralised database named National integrated Identity management system (Huduma Namba) in a bid to develop a digital Identity system that went on to be termed a “single source of truth”. Historically, Kenya has not had the best track record with civil registration and identity systems. This is particularly due to the linkages with colonial practices with the first ID “Kipande” being used as a tool for surveillance of natives and imposed for restriction of movement. This system carried on post independence creating different classes of citizens in terms of access to nationality documents. \r\nIt is for this reason that CSOs, mostly community-based, chose a three pronged approach to counter this; seeking legal redress, grassroots/community mobilization and advocacy and spotlighting ways in which in a shrinking civil society space, Kenyan civil society was able not only take up space, but make their impact felt in protecting the rights of those on the margins. The session shares lessons of how we shaped the Media narrative that took down a multi million dollar project that was not people centered but rather oppression driven. This session shares experiences of how we created a heightened sense of citizenry awareness to shoot down oppressive digitalisation agendas. \r\nThe aim is to show how these efforts led to over 10 million Kenyans resisting to enroll in the system especially the young people (Gen Z) who felt they were being coerced to join a system due to the poor messaging by the government and they connected with the NGO campaign thus choosing to resist the system in the true spirit of Hatupangwingwi, with Hashtags like #DOIDRIGHT and #DEPORTME trending on social media as a sign of resistance. 
This led to the collapse of the whole project.\r\nFinally, the session will share how in 2022, when the new government wanted to roll out the new DPI project known as Maisha Namba, they realised the importance of including civil society voices and they convened over 50 NGOs to try to build buy-in for the new digital ID program. It was the first time the government and NGOs were on the same table discussing how to build an inclusive digital ID system. This is the story of how the power of us led to civil society earning their space in the designing phase of the new Digital Public Infrastructure.",
"schedule_start": "2025-12-28T11:00:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-28T12:00:00+01:00"
},
{
"id": "c31906d3-4cd5-5b05-aebe-5ce1538c70b8",
"kind": "official",
"name": "Hegemony Eroding: Excavating Diversity in Latent Space",
"slug": "hegemony-eroding-excavating-diversity-in-latent-space",
"url": "https://api.events.ccc.de/congress/2025/event/c31906d3-4cd5-5b05-aebe-5ce1538c70b8/?format=api",
"track": "art-beauty",
"assembly": "ccc",
"room": "85a6ba5d-11d9-4efe-8d28-c5f7165a19ce",
"location": null,
"language": "en",
"description": "Generative AI models ingest huge datasets gathered all over the web. Unsurprisingly, they reflect decades of Western cultural hegemony. Yet, the hegemony is not absolute.\r\n\r\nNon-Western motifs, that is, recurring patterns and themes with deep cultural resonance, can be discovered and reproduced across different generative AI models.\r\n\r\nIn this talk I will explain the methods I developed to draw out motifs, the journey I took and what I learned along the way. I will present motifs and use them to outline a space stretching from representation to prejudice on the one hand and western to non-western depiction on the other.\r\n\r\nFinally, I will make a case for AI as a tool for cultural exploration and discuss how monetary incentives jeopardise this endeavour, adding to the long list of reasons to break up monopolies with transparent, publicly-funded AI-models.",
"schedule_start": "2025-12-29T21:05:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-29T21:45:00+01:00"
},
{
"id": "b472503f-7336-586b-aa63-d082c14e0945",
"kind": "official",
"name": "How to keep Open Source open without leaving our communities open to threats",
"slug": "how-to-keep-open-source-open-without-leaving-our-communities-open-to-threats",
"url": "https://api.events.ccc.de/congress/2025/event/b472503f-7336-586b-aa63-d082c14e0945/?format=api",
"track": "ethics-society-politics",
"assembly": "ccc",
"room": "85a6ba5d-11d9-4efe-8d28-c5f7165a19ce",
"location": null,
"language": "en",
"description": "The state of the internet, c 1990:\r\n\r\n* Limited, opt-in connectivity: people had to both have access to a computer and that computer had to have access to the internet.\r\n* Tooling required some in-industry knowledge to be able to run and use, not only for development but also for communication. \r\n* Open source was a young movement. The \"common source\" was proprietary.\r\n\r\nThe state of the internet, c 2025:\r\n\r\n* Always online, might-not-even-be-to-opt-out connectivity: devices are almost always collecting and transmitting data, including audio/visual, in some cases even if \"turned off\".\r\n* Easy to use tooling has made it easier for everyone to come together. The pervasiveness of technology also means that most people, of any background, can easily access other people in the thousands or even millions.\r\n* Open source is common, accessible, and matured. A $9 **_trillion_** resource. Yes, **_trillion_**.\r\n\r\nThese three significant changes drastically change the threat model for OSS communities. In the beginning, someone had to have both knowledge and resources to harm or otherwise compromise a community of developers. Now, anyone with a grudge can make a bot army with seamless integrations and gracious freemium tiers for AI/LLMs. Likewise, when open source was small, the \"who\" who would be motivated to harm and otherwise disrupt those communities was limited. Now there is both massive social and economic benefit to harm and disrupt. This means that risks and threats now still include the motivated and resourced **_with the addition of_** those who are scarce in both.\r\n\r\nWe need to come together to build new organizational threat models that account for how this consequence has posed new risks to our communities. 
With care and attention to detail, we can introduce responsible friction that will protect our communication infrastructure, the lifeblood of what allows open source to grow.\r\n\r\nThere will also be a workshop with this presentation, with the outcome of creating an ongoing working group dedicated to helping OSS Foundations of all sizes protect their communities.\r\n\r\nThere will be a workshop about the same topic on 12.30, Day 4: [https://events.ccc.de/congress/2025/hub/de/event/detail/how-to-keep-open-source-open-without-leaving-our-c](https://events.ccc.de/congress/2025/hub/de/event/detail/how-to-keep-open-source-open-without-leaving-our-c)",
"schedule_start": "2025-12-30T11:00:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-30T11:40:00+01:00"
},
{
"id": "3f442497-4f90-5868-ac13-3f4b0f857c59",
"kind": "official",
"name": "How To Minimize Bugs in Cryptography Code",
"slug": "how-to-minimize-bugs-in-cryptography-code",
"url": "https://api.events.ccc.de/congress/2025/event/3f442497-4f90-5868-ac13-3f4b0f857c59/?format=api",
"track": "security",
"assembly": "ccc",
"room": "62251a07-13e4-5a72-bb3c-8528416ee0f2",
"location": null,
"language": "en",
"description": "Over the last 10 years or so, using mathematical proof assistants and other formal-logic tools for cryptography code has gone from a relatively new idea to standard practice. I've been lucky enough to have a front-row seat to that transformation, having started doing formal-methods research in 2015 and then switched to a focus on cryptography implementation since 2021. Code from my master's thesis project, [\"fiat-crypto\"](https://github.com/mit-plv/fiat-crypto), is [included](https://andres.systems/fiat-crypto-adoption.html) in every major browser as well as AWS, Cloudflare, Linux, OpenBSD, and standard crypto libraries for Go, Zig, and Rust (RustCrypto, dalek). In addition to verifying code correctness, designers of high-level protocols like Signal's recently announced post-quantum ratchet increasingly use mathematical tools (ProVerif in Signal's case) to check their work.\r\n\r\nDespite the growing popularity of these formal techniques and their relevance to personal information security, few people are aware of them, and they maintain a reputation for being hard to learn and esoteric. I'd like to demystify the topic and show examples of how anyone can use proof assistants in small, standalone ways as part of the coding or design process. My hope is that next time a colleague asks for review of a complex high-speed bit-twiddling algorithm, instead of staring at the code line-by-line, attendees of my talk will know they can write a computer-checked proof to confirm or deny that the algorithm achieves its intended result.",
"schedule_start": "2025-12-28T22:05:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-28T22:45:00+01:00"
},
{
"id": "039c6510-1a33-57fe-8bbf-08bcc31df8bb",
"kind": "official",
"name": "How to render cloud FPGAs useless",
"slug": "how-to-render-cloud-fpgas-useless",
"url": "https://api.events.ccc.de/congress/2025/event/039c6510-1a33-57fe-8bbf-08bcc31df8bb/?format=api",
"track": "security",
"assembly": "ccc",
"room": "85a6ba5d-11d9-4efe-8d28-c5f7165a19ce",
"location": null,
"language": "en",
"description": "FPGA instances are now offered by multiple cloud service providers (including Amazon EC2 F1/F2 instances, Alibaba ECS Instances, and Microsoft Azure NP-Series). The low-level programmability of FPGAs allows implementing new attack vectors including DoS attacks. While some severe attacks (such as short circuits) cannot be easily deployed as users are prevented from loading their own configuration bitstreams on the cloud FPGAs, it has been demonstrated that it is possible to leak information (like cloud instance scheduling policies or the physical topologies of the FPGA servers) or to mount DoS attacks by excessive power hammering. For instance, basically all cloud FPGAs provide logic cells that can be configured as small shift registers. This allows building toggle-shift-registers with 10K and more flip-flops, which can draw over 1 kW power when clocked at a few hundred MHz. \r\nIn our work, we created fast ring-oscillators that bypass all design checks applied during bitstream cloud deployment, and we show how we achieved toggle rates of 8 GHz inside an FPGA by using glitch amplification. The latter one was calibrated with the help of a time-to-digital converter (TDC).\r\nAs a first attack, we used power hammering to crash AWS F1 instances by increasing power consumption to 300 W (three times the allowed power envelope). We used physical unclonable functions (PUFs) to examine the behaviour of the attacked FPGA cloud instances and we found that most remained unavailable for several hours after the attack.\r\nAs a more subtle attack, we tried to cause permanent damage to FPGAs in our lab by driving fast toggling signals to virtually any available wire (and primitive) into a small region of the chip. With this, we created hotspot designs that draw 130 W in less than 1% of the available logic and routing resources of a datacenter FPGA. Even though the achieved power density was excessive, it was insufficient to induce permanent damage. 
This is largely due to the area inefficiencies of an FPGA that limit the power density. For instance, FPGAs use large multiplexers to implement the switchable connections and there exists only one active path that is routed through the multiplexers, hence, leaving most of the transistors sitting idle. Similarly, FPGAs provide a large number of configuration memory cells (about 1 Gb on a typical datacenter device) that draw negligible power as these do not switch during operation. All these idle elements force the power drawing circuits to be spread out, hence limiting power density. Anyway, when experimenting with different hotspot variants, we found thermal runaway effects and excessive device aging with up to a 70% increase in delay on some wires. We achieved this aging in just a few days and under normal operational conditions (i.e. by staying within the available power budget and having board cooling running). Such a large increase in latency can be considered to render an FPGA useless as it will usually not be fast enough to host (realistic) user designs.\r\nBeyond exploring these attack vectors, we developed countermeasures and design guidelines to prevent such attacks. These include scans of the user designs, use restrictions to resources like IOs and clock trees, as well as runtime monitoring and FPGA health checks. With this, we believe that FPGAs can be operated securely and reliably in a cloud setting.",
"schedule_start": "2025-12-28T19:15:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-28T19:55:00+01:00"
},
{
"id": "f894f246-6bd4-5750-a66b-d073e37b7acd",
"kind": "official",
"name": "Human microservices at the Dutch Railways: modern architecture, ancient hardware?",
"slug": "human-microservices-at-the-dutch-railways-modern-architecture-ancient-hardware",
"url": "https://api.events.ccc.de/congress/2025/event/f894f246-6bd4-5750-a66b-d073e37b7acd/?format=api",
"track": "hardware",
"assembly": "ccc",
"room": "62251a07-13e4-5a72-bb3c-8528416ee0f2",
"location": null,
"language": "en",
"description": "When a train breaks down in the Netherlands, a system of interconnected humans is shifted into gear. The current state of that system has been developed for over 80 years and as such should be seen as an architectural marvel. Even though there is nowadays a significant amount of software involved in the process, the people involved are still very much necessary.\r\n\r\nThis talk describes the processes and roles involved in the Dutch railway day to day operations. We will start at a broken down train on a busy track and work our way towards solutions including dragging the train, evacuating travelers and redirecting other trains on that trajectory. We will explore this from a software developer's perspective. We will consider the people involved as an ancient form of hardware, and the protocols between them as software. We will also go over the more modern additions to the system: phone lines and software running on actual computers.\r\n\r\nAfter our investigation you will have a new understanding of the complexity of running a railway network. And we will ask ourselves: is this an outdated system that needs to be digitized? Or is this actually a modern system with microservices and a \"human in the loop\"?",
"schedule_start": "2025-12-29T23:00:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-30T00:00:00+01:00"
},
{
"id": "c43046a1-bac9-54d3-a551-d86630e7ab3b",
"kind": "official",
"name": "I Hated All The Cross-Stitch Software So I Made My Own: My Deranged Outsider Software Suite For Making Deranged Outsider Art",
"slug": "i-hated-all-the-cross-stitch-software-so-i-made-my-own-my-deranged-outsider-software-suite-for-making-deranged-outsider-art",
"url": "https://api.events.ccc.de/congress/2025/event/c43046a1-bac9-54d3-a551-d86630e7ab3b/?format=api",
"track": "art-beauty",
"assembly": "ccc",
"room": "62251a07-13e4-5a72-bb3c-8528416ee0f2",
"location": null,
"language": "en",
"description": "Designing cross-stitch patterns, I got frustrated with all the programs which expected me to click around a canvas setting individual pixels. I wanted a cross-stitch design software suite that I could drive with a Makefile, which could give me an interactive interface for stitching or compile them to PDF. In short, I wanted to say `echo \"shutdown -h now\" | embellish --border | export pattern --pdf` and get a design worthy of stitching on a pillow.\r\n\r\nSo, I made the thing I wanted. I'll discuss the many yak shaves along the way (proprietary file format reverse-engineering, OAuth2, what 'color' even means, unikernel hosting, and more). I'll talk a bit about the joy of making something so you can make something, and how it feels to craft software that is unapologetically personal.",
"schedule_start": "2025-12-30T11:00:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-30T11:40:00+01:00"
},
{
"id": "323248d0-1bcf-5440-a8b3-9d35d40fb06d",
"kind": "official",
"name": "Infrastructure Review",
"slug": "infrastructure-review",
"url": "https://api.events.ccc.de/congress/2025/event/323248d0-1bcf-5440-a8b3-9d35d40fb06d/?format=api",
"track": "ccc-community",
"assembly": "ccc",
"room": "62251a07-13e4-5a72-bb3c-8528416ee0f2",
"location": null,
"language": "en",
"description": "39c3 is a big challenge to run, install power, network connectivity and other services in a short time and tear down everything even faster. This is a behind the scenes of the event infrastructure, what worked well and what might not have worked as expected.",
"schedule_start": "2025-12-30T14:45:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-30T15:45:00+01:00"
},
{
"id": "151d4fb0-5d25-586b-8063-c7706bbd9094",
"kind": "official",
"name": "In-house electronics manufacturing from scratch: How hard can it be?",
"slug": "in-house-electronics-manufacturing-from-scratch-how-hard-can-it-be",
"url": "https://api.events.ccc.de/congress/2025/event/151d4fb0-5d25-586b-8063-c7706bbd9094/?format=api",
"track": "hardware",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "en",
"description": "Our industry needs a reboot as well, it no longer serves the people.\r\n\r\nOur work is based on our belief that high-quality high-mix/low volume manufacturing of electronics in Europe is economically viable and accessible to small companies with a lower-than-expected up-front investment.\r\n\r\nWe believe that relocation of industry to Europe depends on small innovative companies, and will not come from slow and bloated industry giants whose products are victims of enshittification and maximum profit extraction.\r\n\r\nBy using open-source hardware and software whenever possible, we are attempting to set up our own production operation in Hamburg and we want to share the solutions and enable others to do the same and collectively reclaim ownership of the means of production.\r\n\r\nWe will cover:\r\n- How we acquired and set up production machines, their costs, and our learnings\r\n- Quirks of paste printing and reflow soldering at scale (up to 50 batches a day)\r\n- Component inventory, tracking, DfM, etc.\r\n- How OpenPnP is a key enabler of our prcesses\r\n - Our proposed changes to OpenPnP\r\n - Our work integrated Siemens Siplace Feeders in OpenPnP\r\n\r\nCheck out our ressources on the topic at https://eilbek-research.de/blog/thank-you-for-attending-our-talk-at-39c3/",
"schedule_start": "2025-12-28T19:15:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-28T19:55:00+01:00"
},
{
"id": "382a6def-2dbb-5ba8-bde5-0bf509c5eb02",
"kind": "official",
"name": "ISDN + POTS Telephony at Congress and Camp",
"slug": "isdn-pots-telephony-at-congress-and-camp",
"url": "https://api.events.ccc.de/congress/2025/event/382a6def-2dbb-5ba8-bde5-0bf509c5eb02/?format=api",
"track": "hardware",
"assembly": "ccc",
"room": "62251a07-13e4-5a72-bb3c-8528416ee0f2",
"location": null,
"language": "en",
"description": "Just like at this very event (39C3), the last few years a small group of volunteers has delpoyed and operated legacy telephony networks for ISDN (digital) and POTS (analog) services at CCC-camp2023 and 38C3. Anyone on-site can obtain subscriber lines (POTS, ISDN BRI or PRI service) and use them for a variety of services, including telephony, fax machines, modem dial-up into BBSs as well as dial-up internet access and video telephony.\r\n\r\nThese temporary event networks are not using soft-PBX or VoIP, but are built using actual de-commissioned hardware from telecom operators, including a Siemens EWSD digital telephone exchange, Nokia EKSOS V5 access multiplexers, a SDH ring for transporting E1 carriers and much more.\r\n\r\nWhile some may enjoy this for the mere hack value, others enjoy it to re-live the digital communication sear of their childhood or youth. Howevre, there is a more serious aspect to this: The preservation and restoration of early digital communications infrastructure from the 1970s to 1990s, as well as how to operate such equipment. As part of this effort, we have already been able to help communications museums to fill gaps in their collections.\r\n\r\nThe talk will cover\r\n* the equipment used,\r\n* the network hierarchy we build,\r\n* the services operated\r\n* the lessons learnt\r\n* newly-written open source software for interfacing retro telcommunications gear",
"schedule_start": "2025-12-27T11:55:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-27T12:35:00+01:00"
},
{
"id": "6022aa96-3706-5910-9fd1-dfe882a4c473",
"kind": "official",
"name": "Junghacker:innentag Einführung",
"slug": "junghackerinnentag-einfuhrung",
"url": "https://api.events.ccc.de/congress/2025/event/6022aa96-3706-5910-9fd1-dfe882a4c473/?format=api",
"track": "ccc-community",
"assembly": "ccc",
"room": "7202df07-050c-552f-8318-992f94e40ef0",
"location": null,
"language": "de",
"description": "Weitere Informationen [findest du hier](https://events.ccc.de/2025/11/25/39c3-junghackerinnentag/).",
"schedule_start": "2025-12-28T10:00:00+01:00",
"schedule_duration": "00:45:00",
"schedule_end": "2025-12-28T10:45:00+01:00"
},
{
"id": "4b106a63-ac7e-5c39-945a-26ce0d071897",
"kind": "official",
"name": "„KI“, Digitalisierung und Longevity als Fix für ein kaputtes Gesundheitssystem?",
"slug": "ki-digitalisierung-und-longevity-als-fix-fur-ein-kaputtes-gesundheitssystem",
"url": "https://api.events.ccc.de/congress/2025/event/4b106a63-ac7e-5c39-945a-26ce0d071897/?format=api",
"track": "ethics-society-politics",
"assembly": "ccc",
"room": "62251a07-13e4-5a72-bb3c-8528416ee0f2",
"location": null,
"language": "de",
"description": "In der Analyse sind sich alle einig: Das Gesundheitssystem steht vor großen Herausforderungen, die von explodierenden Kosten, wachsenden Zugangsbarrieren bis hin zum anstehenden demographischen Wandel reichen: viele Menschen werden alt und kränker, während gleichzeitig sehr viele Mitarbeiter:innen des Gesundheitswesens in Rente gehen. Wir brauchen also Lösungen fürs Gesundheitssystem, die nachhaltig tragen und Menschenwürde ermöglichen. \r\n\u2028Während ganz unterschiedliche Lösungsansätze diskutiert werden, taucht ein Narrativ immer wieder auf: Dass Digitalisierung durch massive Effizienzgewinne die bestehenden Probleme im Gesundheitswesen fixen werden: Dank „KI“ sollen Menschen weniger häufig Ärzt:innen brauchen, zum Beispiel, indem durch Symptomchecker und Co vorgefiltert wird, wer wirklich behandelt werden muss, und wer nicht. Manche behaupten, dass Hausärzt:innen künftig ein vielfaches an Patient:innen behandeln könnten, wenn nur die richtigen technischen Hilfsmittel gefunden wurden. Und längst befinden wir uns tatsächlich in einer Realität, in der Chats mit LLMs an vielen Stellen zumindest Dr. Google ersetzt haben.\r\n\r\nWeitere Lösungsansätze zielen auf mehr Eigenverantwortung ab: \"Longevity\" ist das Trendwort in aller Munde. Ein Ansatz der „Langlebigkeit“, der maßgeblich durch technische \r\nMaßnahmen gestützt sein soll: Selbstoptimierung per App, „KI“ als individueller Gesundheitsassistent und allerlei experimentelle Untersuchungen. Die Grundidee: Wenn Menschen länger gesund bleiben und leben, wird das Gesundheitssystem weniger belastet, während Menschen länger zu Gesellschaft und Wirtschaft beitragen können. 
Die ideologischen Grundzüge und Geschäftsmodelle der „Longevity“ kommen aus den USA, von Tech-Milliardären und ihren Unsterblichkeitsfantasien bis hin zu wenig seriösen Gesundheitsinfluencer:innen, die am Ende oft mehr schaden als dass sie zu einem größeren Wohlbefinden ihrer Kund:innen beitragen würden - und trotzdem hunderttausende auf Social Media in ihren Bann ziehen.\r\n\r\nDer Vortrag zieht Verbindungslinien zwischen naiver Technikgläubigkeit, aktuellen Diskursen im Gesundheitswesen, ihren fragwürdigen ideologischen Wurzeln und der Frage, wie wir Herausforderungen und insbesondere sozialen Ungleichheiten im Feld der Gesundheit wirklich effektiv begegnen.",
"schedule_start": "2025-12-27T16:00:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-27T17:00:00+01:00"
},
{
"id": "eeb77e44-8a29-5235-960b-e50575570c5c",
"kind": "official",
"name": "KIM 1.5: Noch mehr Kaos In der Medizinischen Telematikinfrastruktur (TI)",
"slug": "kim-1-5-noch-mehr-kaos-in-der-medizinischen-telematikinfrastruktur-ti",
"url": "https://api.events.ccc.de/congress/2025/event/eeb77e44-8a29-5235-960b-e50575570c5c/?format=api",
"track": "security",
"assembly": "ccc",
"room": "62251a07-13e4-5a72-bb3c-8528416ee0f2",
"location": null,
"language": "de",
"description": "KIM hat sich als Dienst für medizinische E-Mails etabliert: Elektronische Arbeitsunfähigkeitsbescheinigungen (eAU), zahnärztliche Heil- und Kostenpläne, Laborinformationen, und Medikamentendosierungen sollen sicher per KIM übermittelt werden. Die Sicherheit soll unauffällig und automatisiert im Hintergrund, ohne Interaktion mit den Benutzenden gewährleistet werden. Dazu werden die Ver- und Entschlüsselung sowie die Signierungsfunktionalitäten in einer extra Software, dem sogenannten Clientmodul, abstrahiert.\r\n\r\nIn diesem Vortrag wird das Design dieser Sicherheits-Abstraktion und dadurch bedingte Schwachstellen, wie das Fälschen oder Entschlüsseln von KIMs, beleuchtet.\r\n\r\nFortsetzung von 37C3: KIM: Kaos In der Medizinischen Telematikinfrastruktur (TI) [https://media.ccc.de/v/37c3-12030-kim_kaos_in_der_medizinischen_telematikinfrastruktur_ti]",
"schedule_start": "2025-12-27T14:45:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-27T15:45:00+01:00"
},
{
"id": "8ddb3a95-bce6-56a7-89f6-d2d50d084e9f",
"kind": "official",
"name": "Laser Beams & Light Streams: Letting Hackers Go Pew Pew, Building Affordable Light-Based Hardware Security Tooling",
"slug": "laser-beams-light-streams-letting-hackers-go-pew-pew-building-affordable-light-based-hardware-security-tooling",
"url": "https://api.events.ccc.de/congress/2025/event/8ddb3a95-bce6-56a7-89f6-d2d50d084e9f/?format=api",
"track": "hardware",
"assembly": "ccc",
"room": "85a6ba5d-11d9-4efe-8d28-c5f7165a19ce",
"location": null,
"language": "en",
"description": "Stored memory in hardware has had a long history of being influenced by light, by design. For instance, as memory is represented by the series of transistors, and their physical state represents 1's and 0's, original EPROM memory could be erased via the utilization of UV light, in preparation for flashing new memory.\r\n\r\nNaturally, whilst useful, this also has proven to be an avenue of opportunity to be leveraged by attackers, allowing them to selectively influence memory via a host of optical/light-based techniques. As chips became more advanced, the usage of opaque resin was used as a \"temporary\" measure to combat this flaw, by coating chips in a material that would reflect undesirable UV.\r\n\r\nPresent day opinions are that laser (or light) based hardware attacks, are something that only nation state actors are capable of doing; due to both limitations of cost in tooling as well as personnel expertise required. Currently, sophisticated hardware labs use expensive, high frequency IR beams to penetrate the resin.\r\n\r\nThis project demonstrates that with a limited budget and hacker-and-maker mentality, similar results can be obtained at a fraction of the cost, from the comfort of your home or garage. With the modifications of an opensource low-cost microscope, addition of a home-built beam splitter and interchangeable diode laser, it has been shown that consumer-grade diodes are capable of producing results similar to the high-cost variants, such as the YAG lasers.\r\n\r\nOne example of results includes introducing affordable avenues to conduct laser-based fault injection, via the usage of such budget-friendly tooling. 
We are opening the study of these low-level hardware attacking methodologies to more entry-level security testers, without the need for hundreds of thousands of dollars in startup capital.\r\n\r\nBy leveraging more affordable technology alternatives, we have embarked on a mission to uncover hardware malware, detect supply-chain chip replacements, and delve into the realm of laser-logic-state imaging. Our approach integrates optics, laser selection, and machine learning components.",
"schedule_start": "2025-12-30T12:50:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-30T13:30:00+01:00"
},
{
"id": "272591e8-0754-5fa1-8472-50f00dab31ac",
"kind": "official",
"name": "Learning from South Korean Telco Breaches",
"slug": "learning-from-south-korean-telco-breaches",
"url": "https://api.events.ccc.de/congress/2025/event/272591e8-0754-5fa1-8472-50f00dab31ac/?format=api",
"track": "security",
"assembly": "ccc",
"room": "85a6ba5d-11d9-4efe-8d28-c5f7165a19ce",
"location": null,
"language": "en",
"description": "This talk will cover the public information and experiments related to the South Korean telco breaches in 2025. This talk will cover SK Telecom's HSS breach (final results announced), KT's femtocell breach (investigation ongoing) and related operator billing fraud, and revisit Phrack report on KT and LG U+ breach. We also give a light on the detail regarding the implemented mitigation and diaster response of each operators.\r\n\r\nSK Telecom's HSS breach is attributed to a variant of BPFDoor malware, resulting leakage of critical operator data related to subscriber authentication and accounting. They replaced the SIM cards of all 23 million subscribers, and implemented additional mechanism to track the possible cloning of the SIM card. We analyze the aftermath and how it will effectively protect against the said attack.\r\n\r\nKT's femtocell and operator billing breach (investigation still ongoing as the time of writing) is attributed to the mismanagement of KT's femtocell, allowing an external attacker to mimick the behavior of KT's legitimate femtocell and use as a cellular interception device. This is a modern implementation of the remarkable research \"Weaponizing Femtocells\" back in 2012, and new cellular technologies like VoLTE have changed the possible attack vectors. We provide a possible theory on how the attack would be possible, based on the publicly available information and previous researches.\r\n\r\nFinally, we also cover the characteristics of South Korean mobile market and how the media caused the inaccurate analysis and FUD (fear, uncertainty, and doubt). In particular, how SMS-based 2FA is tied to personal authentication and how everything is strongly bound to the personal identity. Early media reports could be attributed to the information \"lost in translation\" and inaccurate information in English-language articles when the details of the breach were not widely shared. 
We try to correct the information (also in the official incidence report) and showcase how not to report the breach in general.",
"schedule_start": "2025-12-29T14:45:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-29T15:45:00+01:00"
},
{
"id": "0c6e2d25-7014-5aaf-9c6a-b4347f0ff85c",
"kind": "official",
"name": "Lessons from Building an Open-Architecture Secure Element",
"slug": "lessons-from-building-an-open-architecture-secure-element",
"url": "https://api.events.ccc.de/congress/2025/event/0c6e2d25-7014-5aaf-9c6a-b4347f0ff85c/?format=api",
"track": "hardware",
"assembly": "ccc",
"room": "62251a07-13e4-5a72-bb3c-8528416ee0f2",
"location": null,
"language": "en",
"description": "This talk shares our engineering experience from designing and implementing an open-architecture secure element — a type of chip that is traditionally closed and opaque. We’ll outline the practical consequences of choosing openness as part of the security model: how it affected hardware architecture, firmware design, verification, and development workflows.\r\nThe session dives into concrete technical areas including the secure boot chain, attestation and update flow, key storage isolation, and the testing and fuzzing infrastructure used to validate the design. It also covers the boundaries of openness — where third-party IP, export control, or certification requirements force certain blocks to remain closed — and how we document and mitigate those limits.\r\nWe’ll present anonymized examples of external security evaluations, show how responsible disclosure and transparent fixes improved resilience, and reflect on what “community-driven security” means in a hardware context. Attendees should leave with a clearer view of what it takes to make security verifiable at the silicon level — and why that process is never finished.",
"schedule_start": "2025-12-28T16:35:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-28T17:15:00+01:00"
},
{
"id": "760c1f6b-349e-5ee3-9eeb-4a0f20dc902a",
"kind": "official",
"name": "Liberating Bluetooth on the ESP32",
"slug": "liberating-bluetooth-on-the-esp32",
"url": "https://api.events.ccc.de/congress/2025/event/760c1f6b-349e-5ee3-9eeb-4a0f20dc902a/?format=api",
"track": "hardware",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "en",
"description": "The ESP32 has become an ubiquitous platform in the hacker and maker communities, powering everything from badges and sensors to mesh networks and custom routers. While its Wi-Fi stack has been the subject of previous reverse engineering efforts, its Bluetooth subsystem remains largely undocumented and closed source despite being present in millions of devices.\r\n\r\nThis talk presents a reverse engineering effort to document Espressif’s proprietary Bluetooth stack, with a focus on enabling low-level access for researchers, security analysts, and developers to improve existing affordable and open Bluetooth tooling.\r\n\r\nThe presentation covers the reverse engineering process itself, techniques and the publication of tooling to simplify the process of peripheral mapping, navigating broken memory references and symbol name recovery.\r\n\r\nThe core of the talk focuses on the internal workings of the Bluetooth peripheral. The reverse engineering effort led to the discovery of the peripheral architecture, it’s memory regions, interrupts and a little bit of information about other related peripherals.\r\n\r\nBy publishing open tooling, SVD files and other documentation, this work aims to empower researchers, hackers, and developers to build custom Bluetooth stacks, audit existing ones, and repurpose the ESP32 for novel applications. This may interest you if you care about transparency, low-level access, and collaborative tooling.",
"schedule_start": "2025-12-27T13:50:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-27T14:30:00+01:00"
},
{
"id": "11a7f79c-4ac5-5449-8fd4-6467ef2d6d2c",
"kind": "official",
"name": "Life on Hold: What Does True Solidarity Look Like Beyond Duldung, Camps, Deportation, and Payment Cards?",
"slug": "life-on-hold-what-does-true-solidarity-look-like-beyond-duldung-camps-deportation-and-payment-cards",
"url": "https://api.events.ccc.de/congress/2025/event/11a7f79c-4ac5-5449-8fd4-6467ef2d6d2c/?format=api",
"track": "ethics-society-politics",
"assembly": "ccc",
"room": "85a6ba5d-11d9-4efe-8d28-c5f7165a19ce",
"location": null,
"language": "en",
"description": "In this session, people share everyday experiences with a system that often systematically undermines human rights and dignity.\r\nWe don’t just talk about the obvious obstacles like the payment card or residency obligation, but also the invisible wounds: the constant fear of deportation, the psychological consequences of isolation, and the daily experience of hostility. We highlight the specific challenges of life in cramped camps on the outskirts of big cities, as well as the social control and visibility in rural communities.\r\nHowever, this talk is not just about naming problems. At its core is the urgent question: What does true solidarity really look like? How can support go beyond symbolic politics and short-term aid offers? This session is an invitation to shift perspectives, listen, and collaboratively develop concrete approaches for a more humane policy and a more solidaric coexistence.",
"schedule_start": "2025-12-27T19:15:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-27T20:15:00+01:00"
},
{
"id": "414813ee-69f4-56ee-a013-f887f26d91d6",
"kind": "official",
"name": "Light in the Dark(net)",
"slug": "light-in-the-dark-net",
"url": "https://api.events.ccc.de/congress/2025/event/414813ee-69f4-56ee-a013-f887f26d91d6/?format=api",
"track": "science",
"assembly": "ccc",
"room": "62251a07-13e4-5a72-bb3c-8528416ee0f2",
"location": null,
"language": "en",
"description": "Onion services can be considered one of the most controversial aspects of the Tor network, because they allow the anonymous hosting of services, which has enabled the creation of illegal services which are difficult for law enforcement to shut down. Defenders argue that this is a price worth paying to ensure free speech for people who could otherwise not speak up or run their own services. \r\n\r\nThis obviously raises the question what onion services are being actually used for in practice. Many researchers have tried to answer this question in the past. Based on their work we already know a few things: \r\n\r\n- 9% of all Websites on the Darknet are marketplaces [1]\r\n- 2.7% of all Websites on the Darknet are marketplaces [2]\r\n- 50% of all Websites on the Darknet are marketplaces [3]\r\n- 8.4% of all Websites on the Darknet are marketplaces [4]\r\n- 27% of all Websites on the Darknet are marketplaces [5]\r\n- 34.8% of all Websites on the Darknet are marketplaces [6]\r\n\r\nNo, this is not a copy and paste error, all of the above statements can be found in peer-reviewed scientific publications. All of these results are valid on their own and constitute valuable contributions to science, but it does not take an expert to notice the contradictions in their findings. \r\nThe reasons for these inconsistencies are the main topic of this talk. We will discuss the information available to researchers and the limitations originating from it. Challenges and current disagreements when it comes to interpreting available data will be addressed along with common misrepresentations of research results. We will highlight how the choice of data sources can predetermine the final result before a study has even begun, how minor changes to definitions can lead to completely different results and how important context is when interpreting data. 
\r\n\r\nArmed with this knowledge, we can tackle the challenge to find out what we know about the Darknet, what we might figure out in the future, what we can reasonably assume but will never be able to prove, and what we will (hopefully) never know. \r\n\r\n-----------------------------------------\r\nSources\r\n[1] https://doi.org/10.1049/iet-ifs.2015.0121\r\n[2] https://doi.org/10.1016/j.future.2024.03.025\r\n[3] https://doi.org/10.1145/3600160.3600167\r\n[4] https://doi.org/10.1109/INFOCOM53939.2023.10229057\r\n[5] https://doi.org/10.1109/ICDCSW.2014.20\r\n[6] https://doi.org/10.1080/00396338.2016.1142085",
"schedule_start": "2025-12-29T22:05:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-29T22:45:00+01:00"
},
{
"id": "860a362f-4666-5fe0-9f0a-8d26485f730e",
"kind": "official",
"name": "Lightning Talks - Tag 2",
"slug": "lightning-talks-tag-2",
"url": "https://api.events.ccc.de/congress/2025/event/860a362f-4666-5fe0-9f0a-8d26485f730e/?format=api",
"track": "ccc-community",
"assembly": "ccc",
"room": "62251a07-13e4-5a72-bb3c-8528416ee0f2",
"location": null,
"language": "de",
"description": "- **Lightning Talks Introduction**\r\n- **Chaos auf der Schiene: Die Wahrheit hinter den Verspätungen** — *poschi*\r\n- **EventFahrplan - The 39C3 Fahrplan App for Android** — *tbsprs*\r\n- **Quantum computing myths and reality** — *Moonlit*\r\n- **Return to attacker.com** — *Safi*\r\n- **Teilchendetektor im Keller? Ich habs gemacht. Die Theorie und der Bau einer Funkenkammer** — *Rosa*\r\n- **What's the most secure phone?** — *jiska*\r\n- **reverse engineering a cinema camera’s peripheral port** — *3nt3*\r\n- **Youth Hacking 4 Freedom: the European Free Software competition for teenagers** — *Ana Galan*\r\n- **From word clouds to Word Rain: A new text visualisation technique** — *Maria Skeppstedt*\r\n- **Spaß mit Brettspielen** — *Marco Bakera*\r\n- **Creative Commons Radio - I really didn't want to become a copyright activist!** — *Martin*\r\n- **lernOS für Dich - Selbstmanagement & persönliches Wissensmanagement leicht gemacht** — *Simon Dückert*\r\n- **Was man in Bluetooth Advertisements so alles findet** — *Paul*\r\n- **The Sorbus Computer** — *SvOlli*\r\n- **AI doesn’t have to slop - Introducing an open source alternative to big-tech AI agents** — *Kitty*\r\n- **Interoperability and the Digital Markets Act: collecting experiences from the community** — *Dario Presutti*\r\n- **Leveraging Security Twin for on-demand resilience assessment against high-impact attacks** — *Manuel Poisson*\r\n- **A seatbelt for innerHTML** — *Frederik Braun*\r\n- **Toxicframe - Ghost in the Switch: Vier Jahre Schweigen in der Netgate SG-2100** — *Wim Bonis*\r\n- **KI³Rat = Mensch x Daten x Dialog** — *ceryo / Jo Tiffe*\r\n- **iPod Nano Reverse Engineering** — *hug0*\r\n- **Interfaces For Society - Wenn Demokratie Auf Protokollen Läuft** — *Pauline Dimmek*\r\n- **Security problems with electronic invoices** — *Hanno Böck*",
"schedule_start": "2025-12-28T11:00:00+01:00",
"schedule_duration": "02:00:00",
"schedule_end": "2025-12-28T13:00:00+01:00"
},
{
"id": "7fe75d23-5966-5dca-a736-e7664a475be3",
"kind": "official",
"name": "Lightning Talks - Tag 3",
"slug": "lightning-talks-tag-3",
"url": "https://api.events.ccc.de/congress/2025/event/7fe75d23-5966-5dca-a736-e7664a475be3/?format=api",
"track": "ccc-community",
"assembly": "ccc",
"room": "62251a07-13e4-5a72-bb3c-8528416ee0f2",
"location": null,
"language": "de",
"description": "- **Lightning Talks Introduction**\r\n- **\"Oma, erzähl mir von der Zukunft\" oder: Wie wir weiter interessante Sachen machen, ohne den Planeten zu ruinieren 🌱** — *EstherD*\r\n- **Don't abuse the ecosystem: against overloading \"ecosystem'** — *michele*\r\n- **The Climatepoetry.org video tool** — *Magnus Ahltorp*\r\n- **Neo-Kolonialismus & Katzenbilder - Installation zur Lieferkette von GenAI** — *Rike*\r\n- **Build social inventories with StashSphere** — *Maximilian Güntner*\r\n- **Invitation to the Fermentation Camp \"Kvas 2026\"** — *algoldor*\r\n- **Stretching nginx to its limits: a music player in the config file** — *Eloy*\r\n- **2D Graphics Creation with Graphite - How to Build a Hackable Graphics Editor** — *Dennis Kobert*\r\n- **The Modulator: a Custom Controller for Live Music Performance** — *Jakob Kilian*\r\n- **Find hot electronic devices for cheap using Lock-In Thermography** — *Clemens Grünewald*\r\n- **Those Who Control** — *Andreas Haupt*\r\n- **SearchWing - Search&Rescue Drones** — *searchwing team*\r\n- **Reducing E-Waste With The Reverse Engineering Toolkit** — *Raaf*\r\n- **Genetic engineering with CRISPR/Cas9: how far are we today from biopunk?** — *Dmytro Danylchuk*\r\n- **Discovering the Orphan Source Village** — *Martin Hamilton*\r\n- **kicoil - generate planar coils in any shape for PCBs and ICs** — *jaseg*\r\n- **Trade Offer: Pentest Data for CTF Points** — *Sebastian*\r\n- **Soziologische Gabentheorie - Grundlage für die Bewertung von Social Media?** — *sozialwelten*\r\n- **Hacking ID3 MP3 Metadata** — *Danilo Erazo*\r\n- **ICANN HAZ .MEOW? How we're (trying to) make a TLD out of sheer audacity** — *dotMeow (Aris, Ela, LJ, Wordloc)*\r\n- **Shitty Robots** — *Neo*\r\n- **UNIX v4** — *aap*\r\n- **WissKomm Wiki - Bibliothek für Videos und Podcasts** — *TimBorgNetzWerk*\r\n- **Lightning** — *Vi*",
"schedule_start": "2025-12-29T11:00:00+01:00",
"schedule_duration": "02:00:00",
"schedule_end": "2025-12-29T13:00:00+01:00"
},
{
"id": "693e18d6-e777-596b-a21d-dd9e9f0282e6",
"kind": "official",
"name": "Live, Die, Repeat: The fight against data retention and boundless access to data",
"slug": "live-die-repeat-the-fight-against-data-retention-and-boundless-access-to-data",
"url": "https://api.events.ccc.de/congress/2025/event/693e18d6-e777-596b-a21d-dd9e9f0282e6/?format=api",
"track": "ethics-society-politics",
"assembly": "ccc",
"room": "62251a07-13e4-5a72-bb3c-8528416ee0f2",
"location": null,
"language": "en",
"description": "The Specter of Data Retention is back in the political arena, both as a harmonized, EU-wide approach as well as being part of the coalition agreement of the new German national government. Other countries have already recently implemented new data retention laws, i.e. Belgium or Denmark. \r\nIn parallel, access to all types of stored data – and not only data stored under a data retention regime – by law enforcement has been radically reformed by groundbreaking new legislation, undermining both exiting national safeguards as well as protections implemented by businesses aiming for a higher standard in cyber security and data protection. \r\nThe talk will give an overview on recent developments for a harmonized “minimum” approach to data retention under the Polish and Danish EU presidency as well as the new German legislation currently under consideration. \r\nIt will introduce the upcoming international release mechanisms for stored data under the e-evidence legislation, the 2nd protocol to the EU cybercrime convention as well as future threats from the UN cybercrime convention. \r\nIt will address how a cross-border request for information works in practice, which types of data can be requested by whom, and who will be responsible for the few remaining safeguards – including an analysis of the threat model and potential “side channel” attacks by cybercrime to gain access to basically all data stored by and with service providers.",
"schedule_start": "2025-12-28T14:45:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-28T15:25:00+01:00"
},
{
"id": "34f3d9a6-9164-58df-81e6-51c112362a89",
"kind": "official",
"name": "Machine Vision – Vom Algorithmus zum Baumpilz im digitalen Metabolismus",
"slug": "machine-vision-vom-algorithmus-zum-baumpilz-im-digitalen-metabolismus",
"url": "https://api.events.ccc.de/congress/2025/event/34f3d9a6-9164-58df-81e6-51c112362a89/?format=api",
"track": "art-beauty",
"assembly": "ccc",
"room": "85a6ba5d-11d9-4efe-8d28-c5f7165a19ce",
"location": null,
"language": "de",
"description": "Unmengen an Bilder werden Täglich in die Netzwerke hochgeladen. Doch nicht nur Menschen betrachten diese Bilder, auch Maschinen analysieren und „betrachten\" sie. Wie funktioniert dieses maschinelle „Sehen\" und wie wurde dieses den Computern beigebracht?\r\nDiese Lecture Performance gibt einen Überblick über die Entwicklung des maschinellen Sehens. Nach einem kurzen Einblick in die geschichtliche Entwicklung – von den ersten Ansätzen bis zu heutigen Anwendungen – betrachten wir, wie diese Technologien in unterschiedlichsten künstlerischen Arbeiten eingesetzt werden. Was reflektieren diese Arbeiten jenseits der reinen Anwendung von Machine Vision Algorithmen?\r\nAnhand der beiden Arbeiten \"Throwback Environment\" und \"Fomes Fomentarius Digitalis\" betrachten wir, wie Machine Vision in einem künstlerischen Feedbackloop genutzt worden ist und wie uns dies Perspektiven auf die Funktionsweise dieser Algorithmen eröffnet. Die Arbeiten machen sichtbar, was die Eingesetzten Alghorithmen sehen, in welchen Mustern sie operieren. Sie zeigen auch, wo ihre Grenzen liegen und was das ganze mit Baumpilzen zu tun hat.",
"schedule_start": "2025-12-28T22:05:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-28T22:45:00+01:00"
},
{
"id": "b98918cb-489e-5f5e-aa06-26753cb48418",
"kind": "official",
"name": "Making the Magic Leap past NVIDIA's secure bootchain and breaking some Tesla Autopilots along the way",
"slug": "making-the-magic-leap-past-nvidia-s-secure-bootchain-and-breaking-some-tesla-autopilots-along-the-way",
"url": "https://api.events.ccc.de/congress/2025/event/b98918cb-489e-5f5e-aa06-26753cb48418/?format=api",
"track": "security",
"assembly": "ccc",
"room": "62251a07-13e4-5a72-bb3c-8528416ee0f2",
"location": null,
"language": "en",
"description": "In mid 2024, a friend approached me about Magic Leap making their TX2 based XR headsets little more than a paperweight by disabling the mandatory activation servers. I morally dislike this, companies shouldn't turn functional devices into e-waste just because they want to sell newer devices.\r\n\r\nAfter obtaining one, and poking at the Fastboot implementation, I discovered it was based off NVIDIA's Fastboot implementation, which is source available. I found a vulnerability in the NVIDIA provided source code in how it unpacks SparseFS images (named sparsehax), and successfully blindly exploited the modified implementation on the Magic Leap One. I also found a vulnerability in it that allowed gaining persistence via how it loads the kernel DTB (named dtbhax).\r\n\r\nStill unsatisfied with this, I used fault injection to dump the BootROM from a Tegra X2 devkit.\r\n\r\nIn the BootROM I discovered a vulnerability in the USB recovery mode. Exploiting this vulnerability proved difficult due to only having access to memory from the perspective of the USB controller. I will explain what was tried, why it didn't work, and how I eventually got code execution at the highest privilege level via it. \r\n\r\nAs I will demonstrate, this exploit also functions on Tesla's autopilot hardware.",
"schedule_start": "2025-12-29T14:45:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-29T15:45:00+01:00"
},
{
"id": "fb08402b-1b8c-533b-b1fc-6daaa4fdc60f",
"kind": "official",
"name": "Netzpolitik in der Schweiz: Zwischen Bodensee und Matterhorn",
"slug": "netzpolitik-in-der-schweiz-zwischen-bodensee-und-matterhorn",
"url": "https://api.events.ccc.de/congress/2025/event/fb08402b-1b8c-533b-b1fc-6daaa4fdc60f/?format=api",
"track": "ccc-community",
"assembly": "ccc",
"room": "85a6ba5d-11d9-4efe-8d28-c5f7165a19ce",
"location": null,
"language": "de",
"description": "**Themen sind unter anderem:**\r\n\r\n\r\n**E-ID und E-Collecting:** Die netzpolitische Community hat nicht nur eine privatisierte E-ID verhindert sondern auch den Datenschutz als zentrales Prinzip verankert und einen beispielhaften Gesetzgebungsprozess begleitet. Das Gleiche haben wir bei E-Collecting vor, mit dem wir die direkte Demokratie der Schweiz auf ein neues Level heben wollen.\r\n\r\n\r\n**Elektronisches Gesundheitsdossier:** Was macht man, um eine Verschlechterung bei einem Produkt zu kaschieren? Richtig, man nimmt ein Rebranding vor. Und so heisst das E-PD nun E-GD.\r\n\r\n\r\n**Kabelaufklärung:** Im Dezember überraschte uns das Bundesverwaltungsgericht mit einem wegweisenden Urteil: Es beurteilte die Kabelaufklärung als nicht vereinbar mit der Bundesverfassung und der Europäischen Menschenrechtskonvention. Lässt das ganze aber 5 Jahr laufen.\r\n\r\n\r\n**What the VÜPF:** Wie die Schweiz zudem plant, das freie Internet weitgehend abzuschaffen. Wie der Stand der Verschärfung ist. Was wir und du dagegen tun können?\r\n\r\n\r\n**Plattformregulierung:** Ein Vorschlag zur Plattformregulierung wurde vom Bund ausgearbeitet - und nach der Verhängung von 39% Strafzoll still und heimlich in der Schublade versenkt. Doch der Bund fasste Mut - und wagt einen zaghaften Aufbruch.\r\n\r\n\r\n**KI-Regulierung & Leistungsschutzrecht:** Und wieso getraut sich der Bund, ein Leistungsschuzrecht einzuführen? Und mit der Motion «Gössi» KI-Sprachmodelle mit Schweizer Daten zu gefährden? (Spoiler: wegen der Verleger-Lobby)\r\n\r\n\r\n**Community in der Schweiz:** Winterkongress, Diversity und andere Aktivitäten.\r\n\r\n\r\nNach dem Vortrag sind alle interessierten Personen eingeladen, die [Diskussion in einer self-organized Session](https://events.ccc.de/congress/2025/hub/en/event/detail/treffen-der-netzpolitischen-community-der-sch_uoca) fortzusetzen. Es werden Aktivist:innen von verschiedenen Organisationen der Netzpolitik in der Schweiz anwesend sein.",
"schedule_start": "2025-12-29T19:15:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-29T19:55:00+01:00"
},
{
"id": "8ba2a160-c00d-56c4-a84e-afb1536bc48b",
"kind": "official",
"name": "Neue Chaos Events - InselChaos und Håck ma’s Castle plaudern aus dem Nähkästchen",
"slug": "neue-chaos-events-inselchaos-und-hack-ma-s-castle-plaudern-aus-dem-nahkastchen",
"url": "https://api.events.ccc.de/congress/2025/event/8ba2a160-c00d-56c4-a84e-afb1536bc48b/?format=api",
"track": "ccc-community",
"assembly": "ccc",
"room": "85a6ba5d-11d9-4efe-8d28-c5f7165a19ce",
"location": null,
"language": "de",
"description": "**InselChaos**\r\nDer Port39 e.V. hatte den Traum, das Chaos nach MV zu holen und ein größeres Event an der Ostsee zu veranstalten. Gerade erst 3 Jahre alt, haben wir mit der Planung in kleinem Kreis begonnen. Eine Location musste gesucht, Inspirationen und Ideen gesammelt, bürokratische Hürden und sehr viele individuelle Probleme gelöst werden, bis es Anfang September soweit war, dass wir unsere Gäste begrüßen durften. In diesem Talk sprechen wir darüber, wie es ist, als kleiner Verein mit einem vierköpfigen Orga-Team ein ChaosEvent mit über 150 Gästen zu koordinieren, welche Schwierigkeiten wir dabei überwunden und vor allem, welche Learnings wir daraus gezogen haben, um es nächstes Mal noch besser zu machen.\u2028\r\n\r\n**Håck ma’s Castle**\r\nWir werden in unserem Talk, darüber sprechen, welche Methoden und Meetingmodi wir ausgetestet haben, gute wie aber auch schlechte Entscheidungen welche getroffen wurden. Vorallem aber auch über die Herausforderung, die es mit sich bringt, wenn sich Wesen noch nicht kennen und wir zuerst auf menschlicher Ebene auch zusammenkommen mussten, damit es inhaltlich auch besser klappt. \u2028\u2028Hard facts Håck ma's Castle:\r\n- 3 (+1) Tage Event\r\n- August 2024\r\n- mit Schloss\r\n- mit Camping\r\n- ~330 Wesen\r\n- inklusive 1 Schlosskatze *meow*\r\n- Orga verteilt in ganz Österreich und darüber hinaus:\r\n- metalab, realraum, C3W, CCC Salzburg, /dev/lol, SegFaultDragons, SegVault, IT-Syndikat, /usr/space, Gebärdenverse, female coders, chaos.jetzt etc.",
"schedule_start": "2025-12-28T12:15:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-28T13:15:00+01:00"
},
{
"id": "6a645194-deb6-5e96-b8ce-bb18774f1f14",
"kind": "official",
"name": "Neuroexploitation by Design: Wie Algorithmen in Glücksspielprodukten sich Wirkweisen des Reinforcement Learning und dopaminergen Belohnungssystems zunutze machen",
"slug": "neuroexploitation-by-design-wie-algorithmen-in-glucksspielprodukten-sich-wirkweisen-des-reinforcement-learning-und-dopaminergen-belohnungssystems-zunu",
"url": "https://api.events.ccc.de/congress/2025/event/6a645194-deb6-5e96-b8ce-bb18774f1f14/?format=api",
"track": "science",
"assembly": "ccc",
"room": "7202df07-050c-552f-8318-992f94e40ef0",
"location": null,
"language": "de",
"description": "In diesem Vortrag wird beleuchtet, wie moderne Glücksspielprodukte und glücksspielähnliche Spielmechaniken, etwa Lootboxen, gezielt psychologische und neurobiologische Lernprozesse ausnutzen, um Umsatz durch längeres Spielen und stärkere Interaktion zu generieren. Im Fokus stehen dabei Mechanismen des Verstärkungslernens (Reinforcement Learning) und deren Zusammenspiel mit dem dopaminergen Belohnungssystem. Anhand aktueller Forschungsergebnisse werden Designstrategien vorgestellt, die das Suchtpotenzial von Glücksspielen erhöhen können. Ziel des Vortrags ist es, ein wissenschaftlich fundiertes Verständnis dieser Dynamiken zu vermitteln, Risiken für Individuen und Gesellschaft aufzuzeigen und die Notwendigkeit von Regulierung und verantwortungsvollem Design zu diskutieren.",
"schedule_start": "2025-12-27T12:50:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-27T13:30:00+01:00"
},
{
"id": "f51a40a9-a8ba-55bb-875a-0907cb2d66cc",
"kind": "official",
"name": "Not an Impasse: Child Safety, Privacy, and Healing Together",
"slug": "not-an-impasse-child-safety-privacy-and-healing-together",
"url": "https://api.events.ccc.de/congress/2025/event/f51a40a9-a8ba-55bb-875a-0907cb2d66cc/?format=api",
"track": "ethics-society-politics",
"assembly": "ccc",
"room": "7202df07-050c-552f-8318-992f94e40ef0",
"location": null,
"language": "en",
"description": "There is a path forward! Many, in fact. But the impasse framing seriously limits how policymakers, technologists, advocates, and our communities understand child sexual abuse (CSA). We need informed, principled, and bold alternatives to policing-driven tech solutions like client-side scanning and grooming classifiers. To effectively and humanely break the cycles of abuse that enables CSA in our communities, we have to think beyond criminalization. This talk will unpack how and why this impasse framing exists, how it constrains us from candidly engaging with the complexity of CSA. Drawing from scientific and clinical research and informed by transformative justice approaches, I detail what CSA is, how and why it happens offline and online, and why the status quo of detection and criminalization does not work. Ultimately, I argue that effective, humane, and collective interventions require protecting the safety and privacy of all those harmed by CSA, and that this creates a unique role for technologists to play.",
"schedule_start": "2025-12-27T14:45:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-27T15:45:00+01:00"
},
{
"id": "f8587f46-8a0e-58d7-8d1d-82928b8220e2",
"kind": "official",
"name": "Not To Be Trusted - A Fiasco in Android TEEs",
"slug": "not-to-be-trusted-a-fiasco-in-android-tees",
"url": "https://api.events.ccc.de/congress/2025/event/f8587f46-8a0e-58d7-8d1d-82928b8220e2/?format=api",
"track": "security",
"assembly": "ccc",
"room": "85a6ba5d-11d9-4efe-8d28-c5f7165a19ce",
"location": null,
"language": "en",
"description": "We present novel insights into the current state of TEE security on Android focusing on two widespread issues: missing TA rollback protection and a type confusion bug arising from the GlobalPlatform TEE Internal Core API specification.\r\nOur results demonstrate that these issues are so widespread that on most devices, attackers with code execution at N-EL1 (kernel) have a buffet of n-days to choose from to achieve code execution at S-EL0 (TA).\r\n\r\nFurther, we demonstrate how these issues can be weaponized to fully compromise an Android device. We discuss how we exploit CVE-2023-32835, a type confusion bug in the keyinstall TA, on a fully updated Xiaomi Redmi Note 11.\r\nWhile the keyinstall TA shipped in the newest firmware version is not vulnerable anymore, the vulnerability remains triggerable due to missing rollback protections.\r\n\r\nTo further demonstrate how powerful code execution as a TA is, we'll exploit a vulnerability in the BeanPod TEE (used on Xiaomi Mediatek SoCs), to achieve code execution at S-EL3. Full privilege escalations in the TEE are rarely seen on stage, and we are targeting the BeanPod TEE which is based on the Fiasco micro kernel. This target has never been publicly exploited, to the best of our knowledge.\r\n\r\nOur work empowers security researchers by demonstrating how to regain control over vendor-locked TEEs, enabling deeper analysis of critical security mechanisms like mobile payments, DRM, and biometric authentication.",
"schedule_start": "2025-12-27T20:30:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-27T21:30:00+01:00"
},
{
"id": "1bbd6873-6f69-59a8-8eb2-926acc763d7e",
"kind": "official",
"name": "Of Boot Vectors and Double Glitches: Bypassing RP2350's Secure Boot",
"slug": "of-boot-vectors-and-double-glitches-bypassing-rp2350-s-secure-boot",
"url": "https://api.events.ccc.de/congress/2025/event/1bbd6873-6f69-59a8-8eb2-926acc763d7e/?format=api",
"track": "security",
"assembly": "ccc",
"room": "7202df07-050c-552f-8318-992f94e40ef0",
"location": null,
"language": "en",
"description": "The RP2350 is one of the first generally available microcontrollers with active security-features against fault-injection such as glitch-detectors, the redundancy co-processor, and other pieces to make FI attacks more difficult.\r\n\r\nBut security on paper often does not mean security in real-life. Luckily for us, Raspberry Pi also ran the RP2350 Hacking Challenge: A public bug bounty that has exactly these attacks in-scope. During the hacking challenge 5 different attacks were found on the secure-boot process - one of which was shown at 38C3 by Aedan Cullen.\r\n\r\nIn this talk, we talk about all successful attacks - including laser fault-injection, a reset glitch, and a double-glitch during execution of the bootrom - to show all the different ways in which a chip can be attacked.\r\n\r\nWe also talk about the awesomeness of an open security-ecosystem for chips: Raspberry Pi was very transparent on the findings, and worked with researchers to improve the new revision of the chip.",
"schedule_start": "2025-12-27T16:00:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-27T17:00:00+01:00"
},
{
"id": "a3655a3a-b74e-5714-ad79-77b0c803136b",
"kind": "official",
"name": "OpenAutoLab: photographic film processing machine. Fully automatic and DIY-friendly.",
"slug": "openautolab-photographic-film-processing-machine-fully-automatic-and-diy-friendly",
"url": "https://api.events.ccc.de/congress/2025/event/a3655a3a-b74e-5714-ad79-77b0c803136b/?format=api",
"track": "hardware",
"assembly": "ccc",
"room": "85a6ba5d-11d9-4efe-8d28-c5f7165a19ce",
"location": null,
"language": "en",
"description": "The presentation starts with a short overview of analogue photography processes and motivation of some photographers to shoot film instead of using contemporary digital technology.\r\nIt covers ways to process the film starting from least involved, such as sending to specialized laboratory, and possible motivation to get a processing machine.\r\nExisting film processors are described with their features and deal-breakers for an end-user in 2025.\r\nThen the history of developing OpenAutoLab is given, together with important design decisions made during development and why alternative solutions were discarded.\r\nIn the end the process of building the machine (and sourcing the needed parts) is given with some motivation towards changing it to fit the needs of an individual photographer.",
"schedule_start": "2025-12-27T11:00:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-27T11:40:00+01:00"
},
{
"id": "0c8b0cb4-6cf9-5ff8-928a-0a0f49558c48",
"kind": "official",
"name": "Opening Ceremony",
"slug": "opening-ceremony",
"url": "https://api.events.ccc.de/congress/2025/event/0c8b0cb4-6cf9-5ff8-928a-0a0f49558c48/?format=api",
"track": "ccc-community",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "de",
"description": "Das Opening gibt euch die wichtigsten Infos für den Congress, stimmt euch ein und ... äh ... bis Späti!",
"schedule_start": "2025-12-27T10:30:00+01:00",
"schedule_duration": "00:30:00",
"schedule_end": "2025-12-27T11:00:00+01:00"
},
{
"id": "3aa9e859-d4b0-5e7d-8f5c-7741e6c9856e",
"kind": "official",
"name": "Opening pAMDora's box and unleashing a thousand paths on the journey to play Beatsaber custom songs",
"slug": "opening-pamdora-s-box-and-unleashing-a-thousand-paths-on-the-journey-to-play-beatsaber-custom-songs",
"url": "https://api.events.ccc.de/congress/2025/event/3aa9e859-d4b0-5e7d-8f5c-7741e6c9856e/?format=api",
"track": "security",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "en",
"description": "# BACKSTORY\r\n---------------\r\nSo here is the backstory of how it all started:\r\n- I bought a commercial gaming console\r\n- Then bought a VR headset (for this console) because of exclusive game\r\n- But also wanted to play beatsaber\r\n- I could, but builtin song selection was very limited\r\n- Custom songs exist (for example on steam), but not for this console\r\n- I didn't want to buy a second headset for steam\r\nThat's when I decided I want to hack this console so that I can port community created custom songs to the console and play them there with the VR headset I already have.\r\n\r\nInitially starting with an approach similar to the usual \"entrypoint through browser\", then go for kernel and call it a day, but quickly annoying hurdles blocked my way. For one, the Hypervisor makes your life just miserable with its execute only kernel text blind exploitation. Other issues were that one needs to be on latest version to download the game, which exists only as digital purchase title, preventing me from sharing my efforts with others even if I can get it working on my console.\r\nThough, what finally put the nail in the coffin was when porting a kernel zeroday to the console failed because of heavy sandboxing, unreachable syscalls or even entirely stripped kernel functions. \r\nSome may call it \"skill issue\". Anyways, that's when I was full of it and decided to bring this thing down for good. \r\nEverybody does glitching nowadays and according to rumors people did have success on this thing with glitching before, so how hard can it really be, right? \r\n\r\nSo the question became: Is it possible to build a modchip, which glitches the board and lets me play beatsaber custom songs? \r\nStuff like that has been done on other consoles before (minus the beatsaber part :P) \r\n\r\nTurns out that when manufacturing produces chips with broken GPUs, they are sold as spinoff desktop mainboards (with disabled GPU) rather than thrown away. 
Which is great, because those mainboards are much cheaper, especially if you buy broken spinoff mainboards on ebay. \r\n\r\nSo on the journey to beatsaber custom songs, breaking this desktop mainboard became a huge chunk of the road. Because if I can glitch this and build a modchip for it, surely I can also do it for the console, right? I mean it's the exact same SoC after all! \r\nBack when I started I didn't know I would be about to open pAMDora's box and discover so many bugs and hacks. \r\n\r\n# Actual talk description\r\n---------------\r\n**Disclaimer: This is not a console hacking talk!** \r\nThis talk is gonna be about breaking nearly every aspect of the AMD Platform Security Processor of the desktop mainboard with the same SoC as the console. While certainly useful for _several_ other AMD targets, unfortunately not every finding can directly be ported to the console. Still, it remains very useful nonetheless!\r\n\r\nNote: The final goal of custom songs on beatsaber has not been reached yet, this talk is presenting the current state of things.\r\n\r\nIn this talk you'll be taken on a ride on how everything started and how almost every aspect of the chip was broken. How bugs were discovered, what strategies were used to move along. \r\nNot only will several novel techniques be presented for applying existing physical attacks to targets where those couldn't really be applied before, but also completely new approaches are shared which bring a whole different perspective on glitching despite having lots of capacitors (which we don't really want to remove) and extremely powerful mosfets (which smooth out crowbar attempts in a blink of an eye). \r\n\r\nBut that's not all! \r\nWhile trying to perform physical attacks on the hardware, the software would just start falling apart by itself. Which means, at least **6 unpatchable\\* bugs** were discovered, which are gonna be presented in the talk alongside with **5 zero-day exploits**. 
Getting EL3 code execution on the most secure core inside AMD's SoC? No Problem! \r\nApart from just bugs and exploits, many useful techniques and discovery strategies are shared which will provide an excellent knowledge base and attack inspiration for following along or going for other targets.",
"schedule_start": "2025-12-27T14:45:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-27T15:45:00+01:00"
},
{
"id": "ad9fa823-820f-5846-825e-42e2b5934ef6",
"kind": "official",
"name": "Peep-Show für die Polizei. Staatliche Überwachung von Queers in Hamburger Toiletten bis 1980",
"slug": "peep-show-fur-die-polizei-staatliche-uberwachung-von-queers-in-hamburger-toiletten-bis-1980",
"url": "https://api.events.ccc.de/congress/2025/event/ad9fa823-820f-5846-825e-42e2b5934ef6/?format=api",
"track": "ethics-society-politics",
"assembly": "ccc",
"room": "7202df07-050c-552f-8318-992f94e40ef0",
"location": null,
"language": "de",
"description": "In den 1970er Jahren nutzt die Hamburger Polizei auf zehn öffentlichen Herrentoiletten in der Wand eingelassene Spionspiegel, um zu beobachten welche Männer am Pissoir ihrer Meinung nach etwas zu lange nebeneinander stehen. In einem Überwachungszeitraum von gut 18 Jahren sprechen Hamburger Beamte mit Berufung auf ‚Jugendschutz‘ und ‚Sauberkeit‘ hunderte Hausverbote an öffentlichen Toiletten aus, nehmen Personalien auf und legen dabei illegalerweise ‚Rosa Listen‘ genannte Homosexuellenregister an. \r\nDie unfreiwillige Peep-Show endet im Sommer 1980, als die Polizei völlig indiskret die Teilnehmenden der ersten lesbisch-trans-schwulen Demonstration in Hamburg fotografiert um nach Selbstaussage „die Karteien aufzufrischen“. Ein anonymes Kollektiv zerschlägt die Überwachungsspiegel und bringt die illegale Polizeipraxis ans Licht der Öffentlichkeit.\r\nMit zwei Fragen tauchen wir in diesem Vortrag in die Aborte der Geschichte: Wie ist das polizeiliche Toilettenüberwachungssystem in Hamburg entstanden? Welche technischen und sozialen Lücken nutzten die Aktivist:innen für den Exploit dieses Systems? Und was hat das eigentlich mit heute zu tun?",
"schedule_start": "2025-12-29T23:00:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-30T00:00:00+01:00"
},
{
"id": "985ef663-e1f8-54d2-8e3e-f0c5beb512e2",
"kind": "official",
"name": "Persist, resist, stitch",
"slug": "persist-resist-stitch",
"url": "https://api.events.ccc.de/congress/2025/event/985ef663-e1f8-54d2-8e3e-f0c5beb512e2/?format=api",
"track": "art-beauty",
"assembly": "ccc",
"room": "7202df07-050c-552f-8318-992f94e40ef0",
"location": null,
"language": "en",
"description": "Working with textile mediums like yarn, thread, and floss is generally seen as a feminine hobby and as thus is usually classified as craft, not art. And crafting is something people, maybe even people usually seen as a bit boring, do in their free time to unwind. Most of us have grown up with the image of the loving grandmother knitting socks for the family, an act of care that was never considered anything special.\r\nThe patriarchal society’s tendency to underestimate anything considered feminine and, inextricably connected to this, domestic is an ongoing struggle. But being underestimated also provides a cover and with it the opportunity for subversion and resistance.\r\nAs global powers are cycling back to despotism and oppression, let me take you back in time to show you how people used textile crafts to organise resistance and shape movements. Like the quilts that were designed and sewn to help enslaved people in the US escape slavery and navigate the Underground Railroad from the 1780s on, or the knitted garments that carried information about the Nazis to help resistance in occupied Europe during World War II, or the cross stitches by a prisoner of war that had Nazis unknowingly display art saying “Fuck Hitler”.\r\nTextile crafts have been used by marginalised and disenfranchised people to protest, to organise, and to persist for centuries. This tradition found a new rise in what is now called “craftivism” and is using the internet to build bigger communities spanning the world. These communities also come together to help, often quite tangibly by creating specific items like the home-sewn masks during early Covid19. In addition, crafting has scientifically-proven benefits for one’s mental health.\r\nTaking up the increasingly popular quote \"When the world is too scary, too loud, too much: Stop consuming, start creating\", this talk shows how the skills to create have enabled and will enable people to resist and to persist.",
"schedule_start": "2025-12-28T16:35:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-28T17:15:00+01:00"
},
{
"id": "cb8cd10b-f5d1-597d-a5c4-3cbd914fa6aa",
"kind": "official",
"name": "Power Cycle B7 oder Warum kauft man eine Zeche?",
"slug": "power-cycle-b7-oder-warum-kauft-man-eine-zeche",
"url": "https://api.events.ccc.de/congress/2025/event/cb8cd10b-f5d1-597d-a5c4-3cbd914fa6aa/?format=api",
"track": "ccc-community",
"assembly": "ccc",
"room": "85a6ba5d-11d9-4efe-8d28-c5f7165a19ce",
"location": null,
"language": "de",
"description": "Wir – Mitglieder des Recklinghäuser Chaostreffs c3RE – haben gemeinsam mit einigen weiteren Menschen einen weiteren Verein gegründet, den Blumenthal7 e.V. \r\nDas Ziel ist, ein altes Steinkohlebergwerk zu kaufen, zu erhalten, zu renovieren und vielen Menschen als Raum für Chaos, Kreativität und Happenings zugänglich zu machen.",
"schedule_start": "2025-12-28T14:45:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-28T15:25:00+01:00"
},
{
"id": "d4b2186b-a1a9-521e-ac91-5dfe6deb2782",
"kind": "official",
"name": "Power Cycles statt Burnout – Wie Einflussnahme nicht verpufft",
"slug": "power-cycles-statt-burnout-wie-einflussnahme-nicht-verpufft",
"url": "https://api.events.ccc.de/congress/2025/event/d4b2186b-a1a9-521e-ac91-5dfe6deb2782/?format=api",
"track": "ethics-society-politics",
"assembly": "ccc",
"room": "85a6ba5d-11d9-4efe-8d28-c5f7165a19ce",
"location": null,
"language": "de",
"description": "Ziel des Talks ist es, ein realistisches Bild davon zu vermitteln, wie parlamentarische Entscheidungsfindung funktioniert – und praktische Hinweise zu geben, wie man Einfluss nehmen kann, ohne dabei Ressourcen zu verschwenden.\r\n\r\nWie bringt man politische Prozesse in Bewegung? Was passiert eigentlich mit einer Mail, wenn sie an einen Abgeordneten geht? Und wie unterscheidet sich konstruktive Interessenvertretung von übergriffigem Lobbyismus?\r\n\r\nIn diesem Talk berichten Anna Kassautzki (Mitglied des Bundestags von 2021 bis 2025, stellvertretende Vorsitzende des Digitalausschusses 20. LP) und Rahel Becker (ehemalige wissenschaftliche Mitarbeiterin Digitales) aus der Innenperspektive parlamentarischer Arbeit.\r\n\r\nChatkontrolle, Data Act, Recht auf Open Data, DSGVO, es gab viel zu verhandeln in der letzten Legislaturperiode. Anna und Rahel waren mittendrin und geben einen Einblick in die hektische - teils absurde Kommunikation mit Interessenvertretungen. Dabei liegt der Fokus immer auf der Frage: Welche Strategien braucht es, damit zivilgesellschaftliche Arbeit nicht verpufft?\r\n\r\nZugleich geht es um die strukturellen Fragen:\r\nWo sind die Flaschenhälse für politischen Fortschritt? Wie priorisieren Abgeordnete in einem überfüllten Kalender? Und welche Hebel kann die (digitale) Zivilgesellschaft sinnvoll nutzen, um Gehör zu finden?\r\n\r\nDenn gerade in Zeiten massiver digitalpolitischer Herausforderungen ist informierte, strategische Beteiligung notwendiger denn je. Ein Vortrag für alle, die sich in politische Prozesse einmischen wollen.",
"schedule_start": "2025-12-28T21:05:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-28T21:45:00+01:00"
},
{
"id": "7f6e6dff-5f85-5c03-8f07-373b3acce367",
"kind": "official",
"name": "Programmierte Kriegsverbrechen? Über KI-Systeme im Kriegseinsatz in Gaza und warum IT-Fachleute sich dazu äußern müssen",
"slug": "programmierte-kriegsverbrechen-uber-ki-systeme-im-kriegseinsatz-in-gaza-und-warum-it-fachleute-sich-dazu-auern-mussen",
"url": "https://api.events.ccc.de/congress/2025/event/7f6e6dff-5f85-5c03-8f07-373b3acce367/?format=api",
"track": "ethics-society-politics",
"assembly": "ccc",
"room": "7202df07-050c-552f-8318-992f94e40ef0",
"location": null,
"language": "de",
"description": "Das Thema „KI in der Militärtechnik“ und die Beziehung zwischen Mensch und Maschine ist seit Jahrzehnten ein Thema in der Friedensbewegung, der Konfliktforschung, der Philosophie, den Sozialwissenschaften und den kritischen Data & Algorithm Studies. Doch in den letzten Jahren wurden Waffensysteme mit KI-Komponenten entwickelt und auch praktisch in bewaffneten Konflikten eingesetzt. Dabei reicht die Anwendung von Drohnensteuerung über optische Zielerfassung bis hin zur logistischen Zielauswahl. Am Beispiel KI-gestützter Zielwahlsysteme, die vom israelischen Militär seit Mai 2021 und insbesondere jetzt im Genozid in Gaza eingesetzt werden, können die aktuellen technischen Entwicklungen aufgezeigt und analysiert werden. Im Fokus dieses Talks stehen vier KI-unterstützte Systeme: Das System Gospel zur militärischen Bewertung von Gebäuden, das System Lavender zur militärischen Bewertung von Personen, das System Where's Daddy? zur Zeitplanung von Angriffen und ein experimentelles System auf Basis großer Sprachmodelle zur Erkennung militärisch relevanter Nachrichten in palästinensischen Kommunikationsdaten.\r\n\r\nAuf Basis der Aussagen von Whistleblower:innen des israelischen Militärs und Angestellten beteiligter Unternehmen wie Amazon, Google oder Microsoft sowie internen Dokumenten, die durch investigative Recherchen von mehreren internationalen Teams von Journalist:innen veröffentlicht wurden, können die Systeme und Designentscheidungen technisch detailliert beschrieben, kritisch analysiert sowie die militärischen und gesellschaftlichen Implikationen herausgearbeitet und diskutiert werden. 
Dabei entstehen auch Fragen bezüglich Verantwortungsverlagerung durch KI, Umgehung und Bruch des humanitären Völkerrechts sowie die grundsätzliche Rolle von automatisierter Kriegsführung.\r\n\r\nAm Schluss geht der Vortrag noch auf die Verantwortung von IT-Fachleuten ein, die ja das Wissen und Verständnis dieser Systeme mitbringen und daher überhaupt erst problematisieren können, wenn Systeme erweiterte oder gänzlich andere Funktionen erfüllen, als öffentlich und politisch oft kommuniziert und diskutiert wird. Überlegungen zu Handlungsoptionen und Auswegen leiten zuletzt die Diskussion ein.",
"schedule_start": "2025-12-29T14:45:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-29T15:45:00+01:00"
},
{
"id": "d08f6f41-a731-57f7-ba40-8f38464f2dcd",
"kind": "official",
"name": "Prometheus: Reverse-Engineering Overwatch",
"slug": "prometheus-reverse-engineering-overwatch",
"url": "https://api.events.ccc.de/congress/2025/event/d08f6f41-a731-57f7-ba40-8f38464f2dcd/?format=api",
"track": "hardware",
"assembly": "ccc",
"room": "62251a07-13e4-5a72-bb3c-8528416ee0f2",
"location": null,
"language": "en",
"description": "Hey you! Yes you! Do you want to pay for a game which gets forcibly taken away from you after only six years? Do you want to buy lootboxes in order to unlock cosmetics faster in the game you „own“?\r\n\r\nOverwatch 1 was released in 2016 to critical acclaim and millions of sales globally. It has permanently changed the hero-shooter landscape which was in much need of a fresh new game and playstyle. After a few hard years plagued with infrequent updates, long overdue hero nerfs / reworks and broken promises, Overwatch 1 was finally taken offline on October 3, 2022.\r\n\r\nEver since I started playing Overwatch I was fascinated by the game and it’s proprietary engine, Tank. Not much is known about it, only that core components were reused from the cancelled Blizzard IP, Titan. It’s a shame that this game (engine) is not getting the recognition it deserves. From the entity-component architecture to the deterministic graph based scripting engine which handles (almost) everything which happens ingame, it is a truly refreshing take on networking and game programming rarely seen in games. So, considering this, building a game server from scratch can’t be that hard, riiiight?\r\n\r\nJoin me in this documentation of my gradual descent into madness while I (jokingly) roast Overwatch developers for code which they probably do not even remember that theyve written 10+ years ago :)\r\n\r\nAll research presented in this talk was done on the first archived, still publicly available version which I could find, 0.8.0.0 Beta (0.8.24919), which got uploaded to archive.org.",
"schedule_start": "2025-12-28T20:10:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-28T20:50:00+01:00"
},
{
"id": "a19d5bca-7949-5353-abaf-1c43655f7c26",
"kind": "official",
"name": "Protecting the network data of one billion people: Breaking network crypto in popular Chinese mobile apps",
"slug": "protecting-the-network-data-of-one-billion-people-breaking-network-crypto-in-popular-chinese-mobile-apps",
"url": "https://api.events.ccc.de/congress/2025/event/a19d5bca-7949-5353-abaf-1c43655f7c26/?format=api",
"track": "security",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "en",
"description": "TLS is not as universal as we might think. Applications with hundreds of millions of active users continue to use insecure, home-rolled proprietary network encryption to protect sensitive user data. This talk demonstrates that this is a widespread and systemic issue affecting a large portion of the most popular applications in the world. These issues are particularly concentrated in mobile applications developed in China, which have been overlooked by the global security community despite their massive popularity and influence.\r\n\r\nWe found that 47.6% of top Mi Store applications used proprietary network cryptography without any additional encryption, compared to only 3.51% of top Google Play Store applications. We analyzed the most popular of these protocols, including cryptosystems designed by Alibaba, iQIYI, Kuaishou, and Tencent. Of the top 9 protocol families, we discovered vulnerabilities in 8 that allowed network eavesdroppers to decrypt underlying data. We also discovered additional vulnerabilities in several other protocols used by apps with hundreds of millions of users.\r\n\r\nThrough the vulnerabilities fixed as a result of this work, this research has directly improved the network security of up to one billion people. However, there were hundreds more proprietary protocols used by popular applications that we discovered. Verifying all of their security through manual reverse-engineering and vulnerability reporting is not feasible at this scale. What can we do as a community to fix this systemic issue and prevent such failures from occurring in the future?",
"schedule_start": "2025-12-28T11:00:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-28T12:00:00+01:00"
},
{
"id": "35e68e53-852a-56a2-8b3c-1bc27ce7fbb0",
"kind": "official",
"name": "PRÜF",
"slug": "pruf",
"url": "https://api.events.ccc.de/congress/2025/event/35e68e53-852a-56a2-8b3c-1bc27ce7fbb0/?format=api",
"track": "ethics-society-politics",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "de",
"description": "Wir haben eine Forderung: „Alle Parteien, die vom Verfassungsschutz als rechtsextremer Verdachtsfall oder gesichert rechtsextrem eingestuft werden, sollen durch das Bundesverfassungsgericht überprüft werden.“ Wir demonstrieren so lange, bis der Bundesrat die Prüfung formal beantragt hat. PRÜF-Demos. Bald in allen Landeshauptstädten. Am 2. Samstag. Jeden Monat.\r\n\r\nWarum beim Schutz der Demokratie nicht mal einen Ansatz wählen, der so noch nicht probiert wurde? Nicht auf die anderen gucken, sondern auf uns? Auf das gemeinsame? Auf Spaß? Das nutzen, was wir haben und was wir können? Wir haben das Grundgesetz, dessen Stärken eingesetzt werden müssen. Wir haben uns, Millionen Menschen, die wir uns organisieren können. Wir haben Ideen, wir haben Geld, wir haben Macht, wir haben Wissen. Bisher haben wir nicht einmal ansatzweise unsere Möglichkeiten ausgeschöpft und es wäre absurd, wenn wir das nicht schaffen würden, die Freiheitliche Demokratische Grundordnung zu schützen.\r\n\r\nVortrag kann Spuren von Prüfen enthalten.",
"schedule_start": "2025-12-30T00:15:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-30T00:55:00+01:00"
},
{
"id": "4435af8f-b96a-5593-be42-47a04ba5f47e",
"kind": "official",
"name": "Pwn2Roll: Who Needs a 595€ Remote When You Have wheelchair.py?",
"slug": "pwn2roll-who-needs-a-599-remote-when-you-have-wheelchair-py",
"url": "https://api.events.ccc.de/congress/2025/event/4435af8f-b96a-5593-be42-47a04ba5f47e/?format=api",
"track": "hardware",
"assembly": "ccc",
"room": "62251a07-13e4-5a72-bb3c-8528416ee0f2",
"location": null,
"language": "en",
"description": "This talk depicts the reverse engineering of a popular electric wheelchair drive system - the Alber e-motion M25: a several thousand euro assistive device that treats mobility like a SaaS subscription. Through Android app reverse engineering, proprietary Bluetooth protocol analysis, hours of staring at hex dumps (instead of the void), and good old-fashioned packet sniffing, we'll expose how manufacturers artificially limit essential features and monetize basic human mobility.\r\n\r\nWhat you'll learn:\r\n\r\n- how a 22-character QR code sticker, labeled as \"Cyber Security Key\", becomes AES encryption\r\n- why your 6000€ wheelchair drive includes an app with Google Play Billing integration for features the hardware already supports\r\n- the internals, possibilities and features of electronics worth 30€ cosplaying as a 595€ medical device\r\n- the technical implementation of the \"pay 99.99€ or stay slow\" speed limiter (6 km/h vs 8.5 km/h)\r\n- how nearly 2000€ in hardware and app features can be replaced by a few hundred lines of Python\r\n- why the 8000€ even more premium (self-driving) variant is literally identical hardware with a different Boolean flag and firmware plus another (pricier) remote\r\n\r\nWe'll cover the complete methodology: from initial reconnaissance, sniffing and decrypting packets to reverse-engineer the proprietary communication protocol, to PoCs of Python replacements, tools, techniques, and ethical considerations of reverse engineering medical devices.\r\n\r\nThis is a story about artificial scarcity, exploitative DRM, ethics and industry power, and how hacker-minded creatures should react and act to this.\r\n\r\nThis talk will be simultaneously interpretated into German sign language (Deutsche Gebärdensprache aka. DGS).",
"schedule_start": "2025-12-27T17:15:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-27T18:15:00+01:00"
},
{
"id": "28fc102e-a38e-51b2-a48b-530b0d0e49a9",
"kind": "official",
"name": "Race conditions, transactions and free parking",
"slug": "race-conditions-transactions-and-free-parking",
"url": "https://api.events.ccc.de/congress/2025/event/28fc102e-a38e-51b2-a48b-530b0d0e49a9/?format=api",
"track": "security",
"assembly": "ccc",
"room": "62251a07-13e4-5a72-bb3c-8528416ee0f2",
"location": null,
"language": "en",
"description": "After the [Air France-KLM dataleak](https://media.ccc.de/v/37c3-lightningtalks-58027-air-france-klm-6-char-short-code) I kept repeating this was not a real hack, and confessed I always wanted to hack a system based on triggering race conditions because the lack of proper transactions.\r\nThis was way easier than expected. In this talk I will show how just adding `$ seq 0 9 | xargs -I@ -P10 ..` can break some systems, and how to write safe database transactions that prevent abuse.\r\n\r\nIn this talk I will explain what race conditions are. Many examples of how and why code will fail. How to properly create a database transaction. The result of abusing this in real life (e.g. free parking).",
"schedule_start": "2025-12-29T21:05:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-29T21:45:00+01:00"
},
{
"id": "372f7089-b6ae-50ed-bc35-f60c5e9fd6e1",
"kind": "official",
"name": "Recharge your batteries with us - an empowering journey through the energy transition",
"slug": "recharge-your-batteries-with-us-an-empowering-journey-through-the-energy-transition",
"url": "https://api.events.ccc.de/congress/2025/event/372f7089-b6ae-50ed-bc35-f60c5e9fd6e1/?format=api",
"track": "science",
"assembly": "ccc",
"room": "7202df07-050c-552f-8318-992f94e40ef0",
"location": null,
"language": "en",
"description": "A committed energy activist and an award-winning solar cell researcher take you on a lively, motivating and sometimes funny journey:\r\n\r\n- to electricity rebels from the Black Forest,\r\n- to heat pumps that supply entire neighborhoods,\r\n- to new solar technologies,\r\n- to wind turbines with history,\r\n- and to politicians who were too pessimistic.\r\n\r\nWhat is already going really well? What can you emulate? Where is it worth getting involved?\r\nWe'll show you – in an easy-to-understand, cheerful way.\r\nTo stay motivated for an adventure as big as the energy transition, we need more than just facts and figures. We need momentum, optimism, and the human energy that keep the power cycles turning.\r\nCome by! Let’s recharge together and celebrate the successes of the energy transition.",
"schedule_start": "2025-12-28T20:10:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-28T20:50:00+01:00"
},
{
"id": "718be695-c840-5eed-9c67-b8d5089f8042",
"kind": "official",
"name": "RedScout42 – Zur digitalen Wohnungsfrage",
"slug": "redscout42-zur-digitalen-wohnungsfrage",
"url": "https://api.events.ccc.de/congress/2025/event/718be695-c840-5eed-9c67-b8d5089f8042/?format=api",
"track": "ethics-society-politics",
"assembly": "ccc",
"room": "85a6ba5d-11d9-4efe-8d28-c5f7165a19ce",
"location": null,
"language": "de",
"description": "In unserem Vortrag zeigen wir, wie Immoscout & Co. mit einem ausgeklügelten technischen System Monopolprofite generiert, die Mieten in die Höhe treibt und ein Vermieterparadies aufgebaut hat, das die Mieter:innen in den Wahnsinn treibt. \r\n\r\nWir bleiben aber nicht bei der Kritik stehen, sondern zeigen, wie durch die Vergesellschaftung von Plattformen der Daseinsvorsorge ein Werkzeug entstehen kann, das den Mittellosen auf dem Wohnungsmarkt hilft. Vermieter in ihre Schranken zu weisen und Markttransparenz für alle statt nur für die Besitzenden zu schaffen.",
"schedule_start": "2025-12-27T14:45:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-27T15:25:00+01:00"
},
{
"id": "c553ee23-bc27-585a-b8d0-d8fee999e75a",
"kind": "official",
"name": "Reverse engineering the Pixel TitanM2 firmware",
"slug": "reverse-engineering-the-pixel-titanm2-firmware",
"url": "https://api.events.ccc.de/congress/2025/event/c553ee23-bc27-585a-b8d0-d8fee999e75a/?format=api",
"track": "hardware",
"assembly": "ccc",
"room": "7202df07-050c-552f-8318-992f94e40ef0",
"location": null,
"language": "en",
"description": "I will discuss the problems encountered while reverse engineering and simulating the firmware for the TitanM2 security chip, found in the Google Pixel phones. I'll discuss how to obtain the firmware. Talk about the problems reverse engineering this particular binary. I show how you can easily extend ghidra with new instructions to get a full decompilation. Also, I wrote a Risc-V simulator in python for running the titanM2 firmware.",
"schedule_start": "2025-12-28T23:55:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-29T00:35:00+01:00"
},
{
"id": "1627c5c1-db61-5117-aa41-991850cc20a8",
"kind": "official",
"name": "Rowhammer in the Wild: Large-Scale Insights from FlippyR.AM",
"slug": "rowhammer-in-the-wild-large-scale-insights-from-flippyr-am",
"url": "https://api.events.ccc.de/congress/2025/event/1627c5c1-db61-5117-aa41-991850cc20a8/?format=api",
"track": "security",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "en",
"description": "This will be a followup talk after our talk \"Ten Years of Rowhammer: A Retrospect (and Path to the Future)\" at 38C3.\r\nIn the talk last year we gave an overview of the current state of Rowhammer and highlighted that there are no large-scale prevalence studies.\r\nWe wanted to change that and asked the audience to participate in our large-scale study on Rowhammer prevalence.\r\n\r\nWe performed the large-scale study on Rowhammer prevalence thanks to many volunteers supporting our study by measuring their systems.\r\nIn total, we collected 1006 datasets on 822 different systems (some systems were measured multiple times).\r\nWe show that 126 of them (12.5%) are affected by Rowhammer with our fully-automated setup.\r\nThis should be seen as a lower bound, since the preconditions required for effective tools failed on ~50% of the systems.\r\nAmong many other insights, we learned that the fully-automated reverse-engineering of DRAM addressing functions is still an open problem and we assume the actual number of affected systems to be higher as the 12.5% we measured in our study.\r\n\r\nNow, one year after our talk at the 38C3, we want to give an update on the current state of Rowhammer, since multiple new insights were published in the last year:\r\nThe first reliable Rowhammer exploit on DDR5, a JavaScript implementation of Rowhammer that works on current DDR4 systems, and an ECC bypass on DDR4, just to name a few.\r\nAdditionally, we want to present the results of our large-scale study on Rowhammer prevalence which was supported by the audience from last year's talk.",
"schedule_start": "2025-12-29T23:00:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-29T23:40:00+01:00"
},
{
"id": "2b5a6a8e-327e-594d-8f92-b91201d18a02",
"kind": "official",
"name": "Schlechte Karten - IT-Sicherheit im Jahr null der ePA für alle",
"slug": "schlechte-karten-it-sicherheit-im-jahr-null-der-epa-fur-alle",
"url": "https://api.events.ccc.de/congress/2025/event/2b5a6a8e-327e-594d-8f92-b91201d18a02/?format=api",
"track": "security",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "de",
"description": "Zum letzten Chaos Communication Congress konnten Martin Tschirsich und Bianca Kastl eine Ansammlung größerer und kleiner Sicherheitsprobleme in der elektronischen Patientenakte für alle aufzuzeigen – sei es in der Ausgabe von Identifikationsmitteln, in Systemen in der Telematikinfrastruktur oder in angebundenen Systemen. All diese Probleme kumulierten in einem veränderten und reduzierten Rollout der ePA für alle in den Modellregionen Anfang 2025, bei dem bereits erste Maßnahmen zur Schadensminimierung unternommen wurden. \r\nEnde April 2025 wurde die ePA für alle dann auch wirklich für alle deutschlandweit bereitgestellt – allerdings traten am gleichen Tag die scheinbar sicher gelösten Sicherheitslücken im Zugangsmanagement wieder zu Tage und wurden alsbald wieder nur provisorisch abgedichtet.\r\n\r\nDieser Talk will etwas zurückblicken auf die Geschichte und die Ursachen dieser Sicherheitsprobleme der ePA für alle. Als «eines der größten IT-Projekte der Bundesrepublik» steht die ePA sinnbildlich für den digitalpolitischen Umgang mit Sicherheitsversprechen und interessensgetriebenen Anforderungen über die Köpfe von Patient*innen oder Bürger*innen hinweg. \r\n\r\nDabei geht es nicht nur um technische Probleme und deren Behebungsversuche, sondern auch um die strukturellen Ursachen, die große digitale Vorhaben immer wieder in manchen Bereichen scheitern lassen. Diese tiefergehende Betrachtung kann uns dabei helfen, die Ursachen für schlechte IT-Sicherheit auch bei zukünftigen digitalpolitischen Vorhaben in Deutschland besser zu verstehen. Nicht für die ePA für alle und Anwendungen im Bereich der Telematikinfrastruktur, sondern auch weit darüber hinaus.\r\n\r\nTiefergehende Analyse und Nachwirkungen zu 38C3 „Konnte bisher noch nie gehackt werden“: Die elektronische Patientenakte kommt - jetzt für alle!",
"schedule_start": "2025-12-29T17:15:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-29T18:15:00+01:00"
},
{
"id": "a481eb2e-8b78-5f97-bfee-a47d1a271010",
"kind": "official",
"name": "Security Nightmares",
"slug": "security-nightmares",
"url": "https://api.events.ccc.de/congress/2025/event/a481eb2e-8b78-5f97-bfee-a47d1a271010/?format=api",
"track": "ccc-community",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "de",
"description": "Wir wagen auch den IT-Security-Ausblick auf das Jahr 2026. Der ist wie immer mit Vorsicht zu genießen.",
"schedule_start": "2025-12-30T14:45:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-30T15:45:00+01:00"
},
{
"id": "0cd9234b-1abb-5fa2-85a9-af1ec76569bb",
"kind": "official",
"name": "Security of Cardiac Implantable Electronic Devices",
"slug": "security-of-cardiac-implantable-electronic-devices",
"url": "https://api.events.ccc.de/congress/2025/event/0cd9234b-1abb-5fa2-85a9-af1ec76569bb/?format=api",
"track": "security",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "en",
"description": "CIEDs may adversely affect patients implanted with such devices should their security be compromised. Although some efforts to secure these devices can be noted, it has quite often been lacking and may thus enable patient harm or data confidentiality compromise by malicious actors. Given the vast consequences of security vulnerabilities within this industry, the author aims to provide insight into the challenges associated with designing security architectures for such platforms, as well as possible methodology of researching these devices safely even when lacking manufacturer cooperation and access to device programmers. \r\n\r\nData collected by CIEDs and transmitted through remote monitoring is an additional concern for patients. Whilst research has shown that most manufacturers do respond in a timely and comprehensive fashion to GDPR requests, immediate data access is not yet possible and requires the patient to reach out to their doctors to obtain the requisite (event) data. A proposed solution is presented on how a patient communicator may be designed to allow patients interested in their autonomy to perform limited device interrogation in a safe and secure manner.",
"schedule_start": "2025-12-30T12:50:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-30T13:30:00+01:00"
},
{
"id": "f33636a7-e2a3-5925-87e3-1ba270e73ff5",
"kind": "official",
"name": "selbstverständlich antifaschistisch! Aktuelle Informationen zu den Verfahren im Budapest-Komplex - von family & friends Hamburg",
"slug": "selbstverstandlich-antifaschistisch-aktuelle-informationen-zu-den-verfahren-im-budapest-komplex-von-family-friends-hamburg",
"url": "https://api.events.ccc.de/congress/2025/event/f33636a7-e2a3-5925-87e3-1ba270e73ff5/?format=api",
"track": "ethics-society-politics",
"assembly": "ccc",
"room": "85a6ba5d-11d9-4efe-8d28-c5f7165a19ce",
"location": null,
"language": "de",
"description": "Am 26. September wurde gegen Hanna vor dem OLG München das erste Urteil gegen eine der Antifaschist*innen im Rahmen des Budapest-Komplexes gefällt: 5 Jahre für ein lediglich auf Indizien basierendes Urteil. Dem Mordvorwurf der Staatsanwaltschaft wurde nicht entsprochen, behauptet wurde aber die Existenz einer gewalttätigen „kriminellen Vereinigung“.\r\nAm 12. Januar 2026 wird nun vor dem OLG Düsseldorf der Prozess gegen Nele, Emmi, Paula, Luca, Moritz und Clara, die seit Januar in verschiedenen Gefängnissen in U-Haft sitzen, eröffnet. Die Anklage konstruiert auch hier eine kriminelle Vereinigung nach §129 und enthält den Vorwurf des versuchten Mordes. Die Verfahren in dieser Weise zu verfolgen, lässt vor allem auf ein hohes Ausforschungs- und Einschüchterungsinteresse schließen.\r\nZaid, gegen den ein europäischer Haftbefehl aus Ungarn vorliegt, war Anfang Mai unter Meldeauflagen entlassen worden; aufgrund seiner nicht-deutschen Staatsangehörigkeit hatte der Generalbundesanwalt keine Anklage gegen ihn erhoben. Da er in Deutschland nach wie vor von einer Überstellung nach Ungarn bedroht ist, hält er sich seit Oktober 2025 in Paris auf. Er ist gegen Auflagen auf freiem Fuß.\r\nEin weiteres Verfahren im Budapest- Komplex wird in Dresden zusammen mit Vorwürfen aus dem Antifa Ost Verfahren verhandelt. Der Prozess gegen Tobi, Johann, Thomas (Nanuk), Paul und zwei weitere Personen wird bereits im November beginnen.\r\nIn Budapest sitzt Maja – entgegen einer einstweiligen Verfügung des BVerfG und festgestellt rechtswidrig im Juni 2024 nach Ungarn überstellt - weiterhin in Isolationshaft; der Prozess soll erst im Januar fortgeführt werden und voraussichtlich mit dem Urteil am 22.01. zu Ende gehen.\r\nMit den Prozessen im Budapest-Komplex wird ein Exempel statuiert – nicht nur gegen Einzelne, sondern gegen antifaschistische Praxis insgesamt. 
Die Behauptung einer kriminellen Vereinigung mit Mordabsichten stellt eine absurde juristische Eskalation des staatlichen Vorgehens gegen Antifaschist*innen dar und steht in keinem Verhältnis zu den verhandelten Vorkommnissen.\r\nMit dieser Prozesswelle und den Repressionen gegen Freund*innen und Angehörige wird antifaschistisches Engagement massiv kriminalisiert und ein verzerrtes Bild von politischem Widerstand gezeichnet – während gleichzeitig rechte Gewalt europaweit zunimmt und faschistische Parteien erstarken. Wir sehen, dass Angriffe auf Rechtsstaatlichkeit und Zivilgesellschaf immer weiter zunehmen. Die Art und Weise, wie gegen die Antifas im Budapest-Komplex vorgegangen wird, ist ein Vorgeschmack darauf, wie politische Opposition in einer autoritäreren Zukunft behandelt werden könnte. Wir sind alle von der rechtsautoritären Entwicklung, von Faschisierung betroffen. Die Kriminalisierung von Antifas als „terroristische Vereinigung\" ist Teil einer (weltweiten) Entdemokratisierung und Zersetzung von Rechtsstaatlichkeit.",
"schedule_start": "2025-12-28T13:30:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-28T14:30:00+01:00"
},
{
"id": "032fdd30-9488-55b8-968c-dbce19a3f446",
"kind": "official",
"name": "Set-top box Hacking: freeing the 'Freebox'",
"slug": "set-top-box-hacking-freeing-the-freebox",
"url": "https://api.events.ccc.de/congress/2025/event/032fdd30-9488-55b8-968c-dbce19a3f446/?format=api",
"track": "security",
"assembly": "ccc",
"room": "7202df07-050c-552f-8318-992f94e40ef0",
"location": null,
"language": "en",
"description": "The Freebox HD is a set-top box with media player capabilities designed and built by the French ISP 'Free' in 2006, and distributed to customers since (including me). It is still in use and will be maintained until the end of 2025.\r\n\r\nWhen I got it, I wanted to run homebrew software on it, so I decided to reverse engineer it. The initial goal was to get arbitrary code execution. The Freebox HD being largely undocumented, this talk shows the full process of reverse engineering it from scratch:\r\n* Initial visual inspection\r\n* Disassembly and inspection of the insides\r\n* Attack surface analysis and choice of the target\r\n* Search and exploitation of a vulnerability in PrBoom (a Doom source port running on the Freebox HD)\r\n* Analysis of the Linux system running on the Freebox HD\r\n* Search and exploitation of a Linux kernel exploit to escape the sandbox and gain root privileges\r\n* Decryption and dump of the firmware\r\n* Analysis of the Linux system and the programs of the Freebox HD\r\n* Playing with the remote control capabilities\r\n* Reverse engineering of the private networks of the ISP\r\n\r\nThe two exploits used to gain full root access were both discovered for this specific hack, which makes them 0-day exploits.\r\n\r\nThe analysis leads to some interesting discoveries about the device itself, but also the ISP, how their technical support works and accesses the devices remotely, and much more!",
"schedule_start": "2025-12-29T17:15:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-29T18:15:00+01:00"
},
{
"id": "f392f7c4-841b-5922-8fdf-ff8eb8150825",
"kind": "official",
"name": "Shit for Future: turning human shit into a climate solution",
"slug": "shit-for-future-turning-human-shit-into-a-climate-solution",
"url": "https://api.events.ccc.de/congress/2025/event/f392f7c4-841b-5922-8fdf-ff8eb8150825/?format=api",
"track": "science",
"assembly": "ccc",
"room": "7202df07-050c-552f-8318-992f94e40ef0",
"location": null,
"language": "en",
"description": "Today’s science mostly follows worn-out pathways and lack big discoveries and innovations. Scientists often don’t want to take a risk because the competition for a permanent position in academia is so high, which pressures them into conservative research topics supported by their supervisors. Even when science provides helpful solutions for urgent problems, the knowledge mostly ends up in libraries, written in papers that nobody understands. I want to show that it is worthwhile to follow research ideas that are unconventional, upset your boss af and explore topics that are unpopular like working with shit. I hope that sharing stories of how a funny idea turned into a solution encourage others to start making impact in their environment.",
"schedule_start": "2025-12-29T13:50:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-29T14:30:00+01:00"
},
{
"id": "e6837a00-672c-532b-9bfa-319453667c03",
"kind": "official",
"name": "Skynet Starter Kit: From Embodied AI Jailbreak to Remote Takeover of Humanoid Robots",
"slug": "skynet-starter-kit-from-embodied-ai-jailbreak-to-remote-takeover-of-humanoid-robots",
"url": "https://api.events.ccc.de/congress/2025/event/e6837a00-672c-532b-9bfa-319453667c03/?format=api",
"track": "security",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "en",
"description": "Unitree is among the highest-volume makers of commercial robots, and their newest humanoid platforms ship with multiple control stacks and on-device AI agents. If the widespread, intrusive presence of these robots in our lives is inevitable, should we take the initiative to ensure they are completely under our control? What paths might attackers use to compromise these robots, and to what extent could they threaten the physical world?\r\n\r\nIn this talk, we first map the complete attack surface of Unitree humanoids, covering hardware interfaces, near-field radios and Internet-accessible channels. We demonstrate how a local attacker can hijack a robot by exploiting vulnerabilities in short-range radio communications (Bluetooth, LoRa) and local Wi-Fi. We also present a fun exploit of the embodied AI in the humanoid: With a single spoken/text sentence, we jailbreak the on-device LLM Agent and pivot to root-priviledged remote code execution. Combined with a flaw in the cloud management service, this forms a full path to gain complete control over any Unitree robot connected to the Internet, obtaining root shell, camera livestreaming, and speaker control.\r\n\r\nTo achieve this, we combined hardware inspection, firmware extraction, software-defined radio tooling, and deobfuscation of customized, VM-based protected binaries. This reverse engineering breakthrough also allowed us to understand the overall control logic, patch decision points, and unlock advanced robotic movements that were deliberately disabled on consumer models like G1 AIR. \r\n\r\nTakeaways. Modern humanoids are networked, AI-powered cyber-physical systems; weaknesses across radios, cloud services, and on-device agents could allow attackers to remotely hijack robot operations, extract sensitive data or camera livestreams, or even weaponize the physical capabilities. 
As robotics continue their transition from controlled environments to everyday applications, our work highlights the urgent need for security-by-design in this emerging technology landscape.",
"schedule_start": "2025-12-28T12:15:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-28T13:15:00+01:00"
},
{
"id": "f1e6f4e2-875f-573c-9e68-8dfd52e29225",
"kind": "official",
"name": "Spectre in the real world: Leaking your private data from the cloud with CPU vulnerabilities",
"slug": "spectre-in-the-real-world-leaking-your-private-data-from-the-cloud-with-cpu-vulnerabilities",
"url": "https://api.events.ccc.de/congress/2025/event/f1e6f4e2-875f-573c-9e68-8dfd52e29225/?format=api",
"track": "security",
"assembly": "ccc",
"room": "62251a07-13e4-5a72-bb3c-8528416ee0f2",
"location": null,
"language": "en",
"description": "Seven years ago, Spectre and Meltdown were announced. These two vulnerabilities showed that instructions executed by the CPU might accidentally access secret data. This secret data can contain files cached from disk, cryptographic keys, private information, or anything else that might be stored in memory. An attacker can use Spectre to learn the value of that secret data, even though the attacker is not supposed to have access to it. \r\n\r\nEven though this sounds problematic, there is a reason why these type of vulnerabilities haven't had a significant real-world impact. Mitigations make it much harder to pull off, and an attacker needs a form of remote code execution anyway to trigger the relevant CPU instructions. If an attacker can already execute arbitrary code, then Spectre is probably not what you should be worried about. For regular users, these CPU vulnerabilities are likely not that much of a threat.\r\n\r\nHowever, that is not the case for public cloud providers. Their business model is to provide *remote code execution as a service*, and to rent out shared hardware resources as efficiently as possible. Customers run their system in an seemingly isolated virtual machine on top of shared physical hardware. Because customers can run anything they want on these systems, public cloud providers must treat these workloads as untrusted. They have to assume the worst case scenario, i.e. that an attacker is deliberately trying violate the confidentiality, integrity or availability of their systems, and, by extension, their customers' systems. For transient execution vulnerabilities like Spectre, that means that they enable all reasonable mitigations, and some more.\r\n\r\nIn this talk, we show that transient execution attacks can be used on real-world systems, despite the deployed software mitigations. 
We demonstrate this by silently leaking secret data from another virtual machine at a major global cloud provider, defeating virtual machine isolation without leaving a trace. Additionally, we'll discuss our coordinated disclosure process, the currently deployed mitigations and how future mitigations could address the issue.",
"schedule_start": "2025-12-30T00:15:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-30T00:55:00+01:00"
},
{
"id": "d1a92d77-d8c6-524e-ba32-d2e9547723e0",
"kind": "official",
"name": "Suing spyware in Europe: news from the front!",
"slug": "suing-spyware-in-europe-news-from-the-front",
"url": "https://api.events.ccc.de/congress/2025/event/d1a92d77-d8c6-524e-ba32-d2e9547723e0/?format=api",
"track": "ethics-society-politics",
"assembly": "ccc",
"room": "7202df07-050c-552f-8318-992f94e40ef0",
"location": null,
"language": "en",
"description": "Despite the European Parliament’s PEGA investigation in 2023, spyware scandals in Europe continue to grow, with little real action to stop or address them. Many EU countries were — or still are — clients of the world’s major spyware companies. As a result, nothing changes except the number of victims targeted by these technologies. Worst, offices or clients in the EU is useful for spyware companies' sales pitch. So, the EU is a growing hub for this ominous ecosystem! With no real political will to act, members of the PEGA investigation say the only hope for change is to take these cases to court — and that’s exactly the path we’ve chosen!\r\n\r\nIrídia’s case is one of the flagship cases in the EU, both for its depth and for what it has achieved so far. We will review the current status and implications of the case, examining issues that range from state responsibility to the role of the spyware company behind Pegasus — in its creation, sale, and export — which maintains a strong presence within the EU.\r\n\r\nAfter that, we will take a step back to look at what is happening across Europe. We will highlight the most significant cases currently moving forward, as well as some of the PEGA coalition’s strategies for driving accountability, strengthening safeguards, and ensuring remedies. The coalition’s mission goes beyond legal action — it aims to prevent the devastating impact of spyware and push for systemic change.",
"schedule_start": "2025-12-28T12:15:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-28T13:15:00+01:00"
},
{
"id": "e5377df9-07f4-5c8c-b510-8f64e58d95e3",
"kind": "official",
"name": "Supplements und Social Media – wenn der Online-Hype zur realen Gesundheitsgefahr wird",
"slug": "supplements-und-social-media-wenn-der-online-hype-zur-realen-gesundheitsgefahr-wird",
"url": "https://api.events.ccc.de/congress/2025/event/e5377df9-07f4-5c8c-b510-8f64e58d95e3/?format=api",
"track": "science",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "de",
"description": "Der Markt für Nahrungsergänzungsmittel boomt seit Jahren. Dafür sorgen unter anderem verschiedenste Influencer, die die Präparate in den sozialen Medien bewerben. Statt nur Produkte der großen Player in diesem Bereich anzupreisen, wie More Nutrition, ESN oder Holy Energy, haben einige Influencer mittlerweile sogar ihre eigenen Nahrungsergänzungsmittelmarken auf den Markt gebracht.\r\n\r\nVersprochen wird dabei vieles: Pre-Workout-Booster sollen die Leistung beim Krafttraining erhöhen und blitzschnell zum Traumkörper verhelfen, während Gaming-Booster Wachheit und eine Top-Performance beim Zocken versprechen. Wieder andere Kapseln oder auch Gummibärchen sollen für eine makellose Haut oder einen ruhigen Schlaf sorgen. Manche Präparate können angeblich sogar Krankheiten vorbeugen oder heilen.\r\n\r\nDoch was steckt tatsächlich in diesen Mitteln, die online regelrecht gehypt werden? Rein rechtlich handelt es sich um Lebensmittel, was wiederum bedeutet, dass sie ohne behördliche Zulassung auf den Markt gebracht werden dürfen. Es genügt schon, wenn der Unternehmer für die Sicherheit garantiert. Die Hürden für einen Marktzutritt sind damit denkbar niedrig, während gleichzeitig Gewinnmargen locken, die sogar den illegalen Drogenhandel übertreffen.\r\n\r\nDas Ergebnis zeigt sich in den Berichten der amtlichen Lebensmittelüberwachung: Bei den Proben, die das Niedersächsische Landesamt für Verbraucherschutz und Lebensmittelsicherheit im Jahr 2024 untersucht hat, entsprachen rund neun von zehn Proben (89 %) nicht den rechtlichen Vorgaben. Neben Mängeln bei der Kennzeichnung und Bewerbung, wodurch Verbraucher viel Geld für wirkungslose Pulver ausgeben, ist die stoffliche Zusammensetzung der Produkte besonders kritisch. So kann beispielsweise die Einnahme von überdosierten Vitamin-D-Präparaten zu Störungen des Calciumstoffwechsels führen (sog. Hypercalcämien). 
Vermeintlich harmlose pflanzliche Präparate, wie Kurkuma oder Ashwaganda, können zu Leberschäden bis hin zum Leberversagen führen. Besonders brisant ist dabei, dass die Wahrscheinlichkeit für die Erforderlichkeit einer Lebertransplantation oder den Tod des Patienten höher ist als bei Leberschäden durch Arzneimittel (83 vs. 66 %). Es kommen also Menschen durch die Einnahme von Präparaten zu Schaden, mit deren Hilfe sie ihrer Gesundheit eigentlich etwas Gutes tun wollten.\r\n\r\nDer Vortrag beleuchtet daher die aktuelle Marktsituation unter besonderer Berücksichtigung des Influencer-Marketings kritisch, erklärt den Unterschied zwischen Nahrungsergänzungs- und Arzneimitteln und stellt die rechtlichen Rahmenbedingungen für das Inverkehrbringen und die Bewerbung von Nahrungsergänzungsmitteln dar. Zudem wird aufgezeigt, warum ein ausreichender Verbraucherschutz durch die aktuellen Möglichkeiten des Lebensmittelrechts insbesondere im Internet nicht gewährleistet werden kann, wo Handlungsbedarf für die Politik besteht und wie man sich selbst vor fragwürdigen Produkten schützen kann.",
"schedule_start": "2025-12-29T14:45:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-29T15:45:00+01:00"
},
{
"id": "cd3af7ee-3204-5404-8714-f18d33f08bd8",
"kind": "official",
"name": "Teckids – eine verstehbare (digitale) Welt",
"slug": "teckids-eine-verstehbare-digitale-welt",
"url": "https://api.events.ccc.de/congress/2025/event/cd3af7ee-3204-5404-8714-f18d33f08bd8/?format=api",
"track": "ccc-community",
"assembly": "ccc",
"room": "7202df07-050c-552f-8318-992f94e40ef0",
"location": null,
"language": "de",
"description": "Bei Teckids geht es nicht \"nur\" um Technikbasteln und Programmieren mit Kindern, sondern darum, mit anderen, für andere, bei Events und gesellschaftlich aktiv zu werden.\r\n\r\nIn letzter Zeit haben wir viele Projekte dafür unternommen. Unter anderem haben wir den neuen Themen-Slot \"Jung und überwacht\" bei den BigBrotherAwards 2025 gestaltet und bereiten Jugendthemen für das nächste Jahr vor. Zum zweiten Mal laden wir beim 39c3 Kinder beim Fairydust-Türöffner-Tag \"hinter die Kulissen\" der Chaos-Teams ein.\r\n\r\nUnser Slogan mit dem etwas merkwürdigen Wort \"Verstehbarkeit\" steht dafür, dass alle nicht nur die Fähigkeiten, sondern auch das Recht behalten sollen, mit ihrer Technik zu machen, was sie wollen, und alles zu hinterfragen und zu verstehen. Dafür wollen wir noch mehr junge Menschen und auch Erwachsene erreichen.",
"schedule_start": "2025-12-29T12:50:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-29T13:30:00+01:00"
},
{
"id": "72f2a9b5-f646-584a-a3f1-e700657736a5",
"kind": "official",
"name": "Textiles 101: Fast Fiber Transform",
"slug": "textiles-101-fast-fiber-transform",
"url": "https://api.events.ccc.de/congress/2025/event/72f2a9b5-f646-584a-a3f1-e700657736a5/?format=api",
"track": "hardware",
"assembly": "ccc",
"room": "7202df07-050c-552f-8318-992f94e40ef0",
"location": null,
"language": "en",
"description": "Textiles play an integral part in our daily lives. If you’re reading this, chances are you’re wearing clothes or have some form of fabric within arm’s reach. Yet despite how common and essential textiles are, few of us know how they actually come to be. How do we go from a plant, animal, or synthetic polymer to a fully finished piece of clothing?\r\n\r\nThis talk unravels the full transformation pipeline of textiles: starting with fibers and their properties, then spinning them into yarn, turning that yarn into textiles through weaving, knitting, crochet, braiding, knotting, and other techniques, and finally finishing them through printing, embroidery, dyeing, or bleaching.\r\nAlong the way, you’ll learn why your “100% cotton” garments can feel completely different despite being made of the same fiber, how structure matters just as much as material, and what environmental impact different choices have.\r\n\r\nWhether you want to make your own textiles, hack existing ones, or finally understand why that wool sweater you washed too hot is now tiny, this talk is a crash course in most things textile, and a reminder that you don’t need industrial machinery or fast fashion to create something on your own.",
"schedule_start": "2025-12-28T22:05:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-28T22:45:00+01:00"
},
{
"id": "d921f5af-9d6b-5ff3-8fe8-147467b23c65",
"kind": "official",
"name": "The Angry Path to Zen: AMD Zen Microcode Tools and Insights",
"slug": "the-angry-path-to-zen-amd-zen-microcode-tools-and-insights",
"url": "https://api.events.ccc.de/congress/2025/event/d921f5af-9d6b-5ff3-8fe8-147467b23c65/?format=api",
"track": "security",
"assembly": "ccc",
"room": "85a6ba5d-11d9-4efe-8d28-c5f7165a19ce",
"location": null,
"language": "en",
"description": "Modern CPUs often translate the complex, user visible instruction set like x86_64 into a simpler, less feature rich internal instruction set. For simple instructions this translation is done by a fast path decoding unit. However some instructions, like `wrmsr` or `rdrand` are too complex to decode that way. These instructions instead are translated using a microcode decoder that can act almost like an execution engine. The microcode decoder still emits internal instructions into the pipeline, but allows for features like conditional branches and calls & returns. All of this logic happens during a single x86_64 instruction and is usually hidden from the outside world. At least since AMD K8, launched in 2003, AMD CPUs allowed updating this microcode to fix bugs made in the original implementation. \r\n\r\nBuilding on our [previous](https://media.ccc.de/v/34c3-9058-everything_you_want_to_know_about_x86_microcode_but_might_have_been_afraid_to_ask) [experience](https://media.ccc.de/v/35c3-9614-inside_the_amd_microcode_rom) with AMD K8 & K10 microcode and [EntrySign](https://bughunters.google.com/blog/5424842357473280/zen-and-the-art-of-microcode-hacking) [published](https://media.ccc.de/v/why2025-156-entrysign-create-your-own-x86-microcode-for-fun-and-profit) earlier this year, we took a closer look at AMD Zen 1-5 CPUs. We build on top of [Zentool](https://github.com/google/security-research/tree/master/pocs/cpus/entrysign/zentool) to understand more instructions and created a set of tools to easily create microcode patches as well as apply them on CPUs. We can modify the behavior of instructions and observe some usually not visible internal state by supplying our own microcode update.\r\n\r\nLike on K8, we extracted the physical ROM on the CPU using an electron microscope to read the hardcoded microcode on a Zen 1 CPU. 
Using the understanding of the microcode encoding we could then start disassembling the contents and understand how some instructions are implemented. While there are still a lot of things we don't understand, we could follow control flow and analyze algorithms like the XXTEA decryption of the microcode update.\r\n\r\nTo start off this work, we implemented a set of tools that allow easy testing of microcode updates without the need for a fully featured OS. That way we can run timing tests with low noise and don't risk data corruption if we corrupt a vital instruction. To continue our naming scheme from our work on K8 we dubbed this the AngryTools, all of them available on [GitHub](https://github.com/AngryUEFI). The core components are a UEFI application running from RAM, AngryUEFI, and a Python framework for test writing on a client computer, AngryCAT. AngryUEFI starts on the test system and waits for AngryCAT tests supplied via TCP. These tests usually consist of a microcode update that gets loaded on the target CPU core and a buffer with x64 instructions that get run afterwards. AngryUEFI then sends back information about the test execution. AngryUEFI also recovers most faults caused by invalid microcode, often even allowing reuse of a CPU core after a failed test run. We also added some syscall-like interfaces to support more complex data collection like [IBS](https://reflexive.space/zen2-ibs/).\r\n\r\nTo make it easier to write custom microcode updates we also implemented [ZenUtils](https://github.com/AngryUEFI/ZenUtils), a set of Python tools. So far we support single line assembly and disassembly based on architecture specification for Zen 1 & 2 with limited support for other Zen architectures. We also include a macro assembler that can create a full microcode update from an assembly-like input file. Later we will also extend ZenUtils with utilities to sign and en/decrypt microcode updates. 
Currently we rely on Zentool for these tasks.\r\n\r\nWe also show some basic examples of how microcode programs work, from a simple CString strlen implementation in a single x64 instruction to a [subleq](https://esolangs.org/wiki/Subleq) VM implemented entirely in microcode. These show off the basics of microcode programming, like memory loads & stores, arithmetic and conditional branches. We are also currently looking at other examples and more complex programs.\r\n\r\nWe hope this talk shows you how to start throwing random bits at your own AMD Zen CPU to figure out what each bit does and help us in further understanding the instruction set. We welcome improvements to the tooling and even entirely new tools to help analyze microcode updates and the ROM.\r\n\r\nIf you are already familiar with EntrySign, we only cover the very basics of it and focus more on what we learned after having a foothold in the microcode.",
"schedule_start": "2025-12-29T20:10:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-29T20:50:00+01:00"
},
{
"id": "7c12c5be-5414-5673-a856-697a3889f824",
"kind": "official",
"name": "The art of text (rendering)",
"slug": "the-art-of-text-rendering",
"url": "https://api.events.ccc.de/congress/2025/event/7c12c5be-5414-5673-a856-697a3889f824/?format=api",
"track": "art-beauty",
"assembly": "ccc",
"room": "7202df07-050c-552f-8318-992f94e40ef0",
"location": null,
"language": "en",
"description": "Text is everywhere in our modern digital life and yet, no one really pays attention to how it is rendered on a screen. Maybe this is a sign that the problem has been solved. But it isn't. A few people are still looking at the best way to display text on any devices & any languages. This talk is based on a lesson I gave at SIGGRAPH a few years ago (https://www.slideshare.net/slideshow/siggraph-2018-digital-typography/110385070) to explain rendering techniques and concepts.",
"schedule_start": "2025-12-27T11:00:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-27T11:40:00+01:00"
},
{
"id": "44d1ae6d-febc-5035-8379-d2030e7f59a2",
"kind": "official",
"name": "The Eyes of Photon Science: Imaging, Simulation and the Quest to Make the Invisible Visible",
"slug": "the-eyes-of-photon-science-imaging-simulation-and-the-quest-to-make-the-invisible-visible",
"url": "https://api.events.ccc.de/congress/2025/event/44d1ae6d-febc-5035-8379-d2030e7f59a2/?format=api",
"track": "science",
"assembly": "ccc",
"room": "62251a07-13e4-5a72-bb3c-8528416ee0f2",
"location": null,
"language": "en",
"description": "X-ray imaging detectors have come a long way in the last 15 years, turning ideas that once seemed impossible into realities. Imaging detectors in photon science are more than just high-speed cameras. They are complex systems operating at the limits of what’s physically measurable. Understanding how they behave before, during, and after experiments is essential to advancing both the technology and the science it enables.\r\n\r\nIn this talk, I’ll take you inside the world of detector simulation and performance modelling. I’ll explore how tools like Monte Carlo simulations, sensor response models, and system-level performance evaluations are used to:\r\n\r\n- Predict detector behaviour in extreme conditions (such as MHz X-ray bursts), and\r\n- identify critical performance bottlenecks before production.\r\n\r\nBy linking imaging technology with simulation and modelling, we can better interpret experimental data and design the next generation of scientific cameras. Beyond the technical aspects, this talk reflects on the broader theme of how we “see” through technology, what it means to make the invisible visible, and how simulation changes not only how we build instruments, but also how we understand them.",
"schedule_start": "2025-12-27T23:00:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-27T23:40:00+01:00"
},
{
"id": "958d3055-3929-56b8-b71c-25b3a64f1902",
"kind": "official",
"name": "The Heartbreak Machine: Nazis in the Echo Chamber",
"slug": "the-heartbreak-machine-nazis-in-the-echo-chamber",
"url": "https://api.events.ccc.de/congress/2025/event/958d3055-3929-56b8-b71c-25b3a64f1902/?format=api",
"track": "ethics-society-politics",
"assembly": "ccc",
"room": "7202df07-050c-552f-8318-992f94e40ef0",
"location": null,
"language": "de",
"description": "Monatelang tauchte Martha in die verborgene Welt von WhiteDate, WhiteChild und WhiteDeal ein, drei Plattformen, die von einer Rechtsextremistin aus Deutschland betrieben werden. Sie glaubt an die Verschwörung einer weißen Vorherrschaft und einer „rassisch reinen“ weißen Gemeinschaft. Was als Neugier begann, entwickelte sich schnell zu einem Experiment über menschliches Verhalten, Technologie und Absurdität.\u2028\u2028Martha infiltrierte das Portal mit „realistischen“ KI-Chatbots. Die Bots waren so überzeugend, dass sie die Überprüfungen umgingen und sogar als „weiß“ verifiziert worden. Durch die Gespräche und Recherche von digitalen Spuren dieser Gemeinschaft, die sich in Sicherheit wähnte, konnte sie Nutzer identifizieren. \r\n\u2028Gemeinsam mit Reporter:innen der „Die Zeit“ konnten wir die Person hinter der Plattform enttarnen und ihre Radikalisierung von einer erfolgreichen Pianistin zu einer Szene-Unternehmerin nachzeichnen. Um ihr Dating-Portal hat sie ein Netzwerk von Websites aufgebaut, dass seinen Nutzern Liebe, Treue und Tradition vermarktet. WhiteDate verspricht romantische Beziehungen, WhiteChild propagiert Familien- und Abstammungsideale und WhiteDeal ermöglicht berufliches Networking und „gegenseitige Unterstützung“ unter einem rassistischen Weltbild. Gemeinsam zeigen sie, wie Ideologie und Einsamkeit auf bizarre Weise miteinander verwoben sein können.\u2028\u2028Nach monatelanger Beobachtung, klassischer OSINT-Recherche, automatisierter Gesprächsanalyse und Web-Scraping haben wir herausgefunden, wer hinter diesen Plattformen steckt und wie ihre Infrastruktur funktioniert. Dabei deckten wir die Widersprüche und Absurditäten extremistischer Gemeinschaften auf, verdeutlichten ihre Anfälligkeit für technologische Eingriffe und brachten sogar den einen oder anderen Nazi zum Weinen.\u2028\u2028Dieser Vortrag erzählt von Beobachtung, Schabernack und Einblicken in die digitale Welt extremistischer Gruppen. 
Er zeigt, wie Algorithmen, KI-Personas und investigatives Denken Hass entlarven, seine Narrative hinterfragen und seine Echokammern aufbrechen können. Wir zeigen, wie Technologie im Kampf gegen Extremismus eingesetzt werden kann.",
"schedule_start": "2025-12-29T21:45:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-29T22:45:00+01:00"
},
{
"id": "973af772-1dae-58a1-b979-ea890cbdfe09",
"kind": "official",
"name": "The Last of Us - Fighting the EU Surveillance Law Apocalypse",
"slug": "the-last-of-us-fighting-the-eu-surveillance-law-apocalypse",
"url": "https://api.events.ccc.de/congress/2025/event/973af772-1dae-58a1-b979-ea890cbdfe09/?format=api",
"track": "ethics-society-politics",
"assembly": "ccc",
"room": "85a6ba5d-11d9-4efe-8d28-c5f7165a19ce",
"location": null,
"language": "en",
"description": "Amidst its current push to remove the rules that have protected the EU's environment, consumer and fundamental rights, there is one area the European Commission happily calls for more regulation: Internal security. The recent \"ProtectEU\" Internal Security Strategy does little to protect Europeans, and instead foresees attacks on encryption, the re-introduction of mandatory data retention and the strengthening of Europol and Frontex, the main agents of the EU's oppressive law enforcement infrastructure. In this talk, we will introduce the strategy and its main pillars, explain its political and legal contexts, and take a look at what it would mean for our fundamental rights, access to encryption, and IT security if enacted. But not all hope is lost (yet), and together we want to chart pathways to meaningful resistance. To do so, we will help understand the maze of the EU's lawmaking process and identify pressure points. We will then look back at past fights, lessons learned and new opportunities to act in solidarity against a surveillance agenda that is truly apocalyptic.",
"schedule_start": "2025-12-29T17:15:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-29T18:15:00+01:00"
},
{
"id": "ce60f89c-fcdb-577f-89c2-5beb11b88ca7",
"kind": "official",
"name": "The Maybe Talent Show",
"slug": "the-maybe-talent-show",
"url": "https://api.events.ccc.de/congress/2025/event/ce60f89c-fcdb-577f-89c2-5beb11b88ca7/?format=api",
"track": "entertainment",
"assembly": "ccc",
"room": "85a6ba5d-11d9-4efe-8d28-c5f7165a19ce",
"location": null,
"language": "en",
"description": "The show is an open format that gives people the space to show themselves, be visible and make themselves vulnerable. We bring a queer format that celebrates people for simply being humans to Hamburg's neighborhood pubs, autonomous stages and other easily accessible spaces. In doing so it's explicitly anti-capitalist, builds communities and unlikely alliances.\r\nNot just in the hacker/CCC community we applaud the cool things people can do: The big stage is often reserved for outstanding achievements; attention and social credits usually go to those who already have the network and skills. While we consider celebrating success to be absolutely necessary, we see the need to give people space to try things out, to fail publicly without having to be ashamed, and to celebrate Imperfection. Stage presence comes from trying on stage, and the Maybe Talent Show is the place where this is possible for everyone. Inclusive, hilarious and without making fun of anyone. Promise.",
"schedule_start": "2025-12-28T23:00:00+01:00",
"schedule_duration": "01:30:00",
"schedule_end": "2025-12-29T00:30:00+01:00"
},
{
"id": "dcf9ec1c-9755-5757-8f1d-91ec6e0f0661",
"kind": "official",
"name": "The Museum of Care: Open-Source Survival Kit Collection",
"slug": "the-museum-of-care-open-source-survival-kit-collection",
"url": "https://api.events.ccc.de/congress/2025/event/dcf9ec1c-9755-5757-8f1d-91ec6e0f0661/?format=api",
"track": "art-beauty",
"assembly": "ccc",
"room": "85a6ba5d-11d9-4efe-8d28-c5f7165a19ce",
"location": null,
"language": "en",
"description": "We think humanity could already be living in a society of abundance and communal luxury. We have the technologies to produce enough for everyone to have everything. The issue isn't technological but social. This is why we need a Museum (of Care): museums are among the few places that create, distribute, and preserve what a society values.\r\n\r\nWhat will be at the session:\r\nWe'll tell in more detail about the concept of the Museum of Care on abandoned ships (of which, according to Maritime Foundation data, there are more than 4,500 in the world). We'll talk about the halls of our museum: the Hall of Giants and other emerging spaces. Projects we're building—spirulina farms, 3D printers—in Saint Vincent (Caribbean) and Kibera Art District, Nairobi Kenya, Playground designed that communities can construct with nearly no resources. Can we actually build a nomadic museum proud not of its unique exhibits but of how easily they spread and get replicated?\r\n\r\nThen we will move to an open conversation about what poetic technologies are and how they differ from bureaucratic ones. Some people may have read David Graeber's book The Utopia of Rules; here you can download his other texts that are less widely known or not yet published. We would very much like to explore the question of poetic and bureaucratic technologies together with you. To facilitate this discussion, the David Graeber Institute has invited Alistair Parvin, creator of the Wiki House project, to join Nika Dubrovsky in conversation.\r\n\r\nThe discussion continues in the format of a Visual Assembly—focused on building a distributed, non-hierarchical, genuinely open University with different ideas of funding and knowledge production. This is the very beginning of the process so all input is very much welcome. We'd welcome any ideas, critiques, or proposals for collaboration.",
"schedule_start": "2025-12-29T11:00:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-29T11:40:00+01:00"
},
{
"id": "f7806034-b88e-559b-9c11-7ce6ffc72a82",
"kind": "official",
"name": "There is NO WAY we ended up getting arrested for this (Malta edition)",
"slug": "there-is-no-way-we-ended-up-getting-arrested-for-this-malta-edition",
"url": "https://api.events.ccc.de/congress/2025/event/f7806034-b88e-559b-9c11-7ce6ffc72a82/?format=api",
"track": "security",
"assembly": "ccc",
"room": "7202df07-050c-552f-8318-992f94e40ef0",
"location": null,
"language": "en",
"description": "The talk goes through the full journey,\r\n\r\n1. The talk describes in more detail how the arrests were carried out on November 12th, 2022 including the confiscation of all computer equipment, the time spent in a cell and the interrogation before being released.\r\n2. How the decision was made to go to the media 5 months later, the consequences of that and why it was beneficial.\r\n3. The later fallout including the university disassociating itself from the students + even disallowing one of the students to tutor at the university\r\n4. How this led to a pause in Malta's participation in the European Cyber Security Challenge with one specific meeting involving the national IT agency and the 3 students.\r\n5. mentions of a grant of a pardon after the prime minister visited the office of a student\r\n6. The start of the initial court sessions and the outcomes from that.\r\n7. A super interesting meeting where the justice minister told the students that even though they'll be given a pardon -- if this happens again they will be arrested again.\r\n8. What it meant to get a pardon and how that technically still hasn't ended our situation in court yet.",
"schedule_start": "2025-12-29T16:00:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-29T17:00:00+01:00"
},
{
"id": "0cc2fd2c-93de-5cb0-b10d-56e901b4acc4",
"kind": "official",
"name": "The Small Packet of Bits That Can Save (or Destabilize) a City",
"slug": "the-small-packet-of-bits-that-can-save-or-destabilize-a-city",
"url": "https://api.events.ccc.de/congress/2025/event/0cc2fd2c-93de-5cb0-b10d-56e901b4acc4/?format=api",
"track": "security",
"assembly": "ccc",
"room": "62251a07-13e4-5a72-bb3c-8528416ee0f2",
"location": null,
"language": "en",
"description": "In this talk, we’ll begin by contextualizing the importance of the seismic alert in Mexico City, a system born from the devastating 1985 earthquake. We’ll examine how it was designed, how it works, and why it carries such a deep psychological impact.\r\n\r\nFrom there, we’ll explore the history and design of Weather Radio and the SAME protocol, looking at how messages are transmitted and encoded through this technology, and how it was later adapted for SASMEX. \r\n\r\nI’ll also share my personal experience building compatible receivers, from early open-source experiments that inspired local manufacturers to create government-certified devices, to developing a receiver as part of my undergraduate thesis.\r\n\r\nWe’ll analyze how simplicity, one of the key strengths of these systems, also introduces certain risks, and how these trade-offs emerge when dealing with accessibility, interoperability, and security in system design.\r\n\r\nFinally, I’ll demonstrate how to receive, decode, and encode these alert messages, and discuss how, with the right equipment, it’s possible to generate such alert signals.",
"schedule_start": "2025-12-28T23:55:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-29T00:35:00+01:00"
},
{
"id": "f7a3c3ba-a9d0-5aab-bf31-f63a034a8d22",
"kind": "official",
"name": "The Spectrum - Hackspace Beyond Hacking",
"slug": "the-spectrum-hackspace-beyond-hacking",
"url": "https://api.events.ccc.de/congress/2025/event/f7a3c3ba-a9d0-5aab-bf31-f63a034a8d22/?format=api",
"track": "ccc-community",
"assembly": "ccc",
"room": "85a6ba5d-11d9-4efe-8d28-c5f7165a19ce",
"location": null,
"language": "en",
"description": "The Spectrum is a new queer-feminist, intersectional and transdisciplinary hackspace centering FLINTA+, creatures with disabilities, and other marginalized communities founded in 2025. We see hacking as more than code and machines—it’s a way of exploring the world through curiosity, play, and care. By taking things, systems, and ideas apart, we uncover new perspectives and possibilities for change. Our space is built around awareness, inclusion, and open access to knowledge. We aim to create an environment where everyone can learn, share, and experiment freely—without the constraints of “normality.” From art and music to activism and technology, The Spectrum brings together diverse disciplines and beings to co-create, collaborate, and imagine better futures.\r\n\r\nAt 39C3, we want to share our experiences of building such a space: how awareness work and accessibility can shape community dynamics, what transdisciplinary hacking can look like, and how centering marginalized perspectives transforms collective creation. Join us to explore what it means to hack not only systems, but also art, expectations, and realities.\r\n\r\nhttps://the-spectrum.space/en/",
"schedule_start": "2025-12-29T22:05:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-29T22:45:00+01:00"
},
{
"id": "bc5b663a-1e48-5525-afbd-1e6895b71db0",
"kind": "official",
"name": "Throwing your rights under the Omnibus - how the EU's reform agenda threatens to erase a decade of digital rights",
"slug": "throwing-your-rights-under-the-omnibus-how-the-eu-s-reform-agenda-threatens-to-erase-a-decade-of-digital-rights",
"url": "https://api.events.ccc.de/congress/2025/event/bc5b663a-1e48-5525-afbd-1e6895b71db0/?format=api",
"track": "ethics-society-politics",
"assembly": "ccc",
"room": "62251a07-13e4-5a72-bb3c-8528416ee0f2",
"location": null,
"language": "en",
"description": "The new EU Commission has an agenda. What started with the report of former European Central Bank chief Mario Draghi on Europe's \"competitiveness\" has quickly turned into \"getting rid of bureaucracy\", then into \"simplification\", and finally open \"deregulation\". What this means is that a large number of European laws that were adopted in the last decade to ensure sustainability, protect human rights along the whole supply chain, or to ensure our digital rights, are watered down, and core elements are scrapped. \r\n\r\nIn terms of the EU's digital rulebook, it has already started in May with the deletion of a core compliance element in the General Data Protection Regulation (GDPR) - the obligation to keep records of your processing activities. While it sounds harmless - all the other rights and obligations still apply - it means that companies have no clue anymore what personal data they process, for which purposes, and how. \r\n\r\nA much larger revision has been proposed on 19th November 2025, with the \"omnibus\" legislation dubbed \"Digital Simplification Package\". This will affect rules on data protection, data governance, AI, obligations to report cybersecurity incidents, and protections against cookies and other tracking technologies. Furthermore, the EU's net neutrality rules are scheduled to be opened for reform in December by the so called Digital Networks Act.\r\n\r\nIn this talk we discuss what to expect from the new EU agenda, who is driving it and how to resist. Our goal is to leave you better informed and equipped to fight back against this deregulatory trend. This talk may contain hope.",
"schedule_start": "2025-12-27T21:45:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-27T22:45:00+01:00"
},
{
"id": "e448ef16-47cf-57ad-9fbd-a5f91aa4aa3b",
"kind": "official",
"name": "To sign or not to sign: Practical vulnerabilities in GPG & friends",
"slug": "to-sign-or-not-to-sign-practical-vulnerabilities-i",
"url": "https://api.events.ccc.de/congress/2025/event/e448ef16-47cf-57ad-9fbd-a5f91aa4aa3b/?format=api",
"track": "security",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "en",
"description": "Beyond the underlying mathematics of cryptographic algorithms, there is a whole other layer of implementation code, assigning meaning to the processed data. For example, a signature verification operation both needs robust cryptography **and** assurance that the verified data is indeed the same as was passed into the signing operation. To facilitate the second part, software such as *GnuPG* implements parsing and processing code of a standardized format. Especially when implementing a feature-rich and evolving standard, there is the risk of ambivalent specification, and classical implementation bugs.\r\n\r\nThe impact of the vulnerabilities we found ranges from various signature verification bypasses, breaking encryption in transit and encryption at rest, undermining key signatures, to exploitable memory corruption vulnerabilities.",
"schedule_start": "2025-12-27T17:15:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-27T18:15:00+01:00"
},
{
"id": "cc2dc346-c1fc-58ad-a723-8472c9a8e5d1",
"kind": "official",
"name": "Transkultureller Hack auf die klassische Musikszene – Vortrag und Konzert",
"slug": "transkultureller-hack-auf-die-klassische-musikszene-vortrag-und-konzert",
"url": "https://api.events.ccc.de/congress/2025/event/cc2dc346-c1fc-58ad-a723-8472c9a8e5d1/?format=api",
"track": "art-beauty",
"assembly": "ccc",
"room": "62251a07-13e4-5a72-bb3c-8528416ee0f2",
"location": null,
"language": "de",
"description": "Das transkulturelle Bridges Kammerorchester hackt die klassische Musikszene: es bringt Musizierende mit und ohne Flucht- und Migrationsbiografie zusammen und integriert Instrumente und Musikstile in die europäische Orchestertradition, die dort traditionell nicht vorgesehen sind. Neben klassischen Orchesterinstrumenten spielen Instrumente wie Oud, Tar, Tiple, Kaval, Kamanche, Shudraga, Daf und Riq zentrale Rollen.\r\n\r\nIhre Musik komponieren die Orchestermitglieder überwiegend selbst. Auch das ist ein Hack auf die klassische Musikszene, die bisher überwiegend Werke verstorbener männlicher Komponisten interpretiert. So steht die Musik des Bridges Kammerorchester für Vielfalt und Selbstbestimmung und macht die Diversität der in Deutschland lebenden Gesellschaft hörbar. \r\nIm Vortrag zeigen Mitglieder des Bridges Kammerorchesters anhand von Erfahrungen und Hörbeispielen – live und per Video – wie sie die klassische Musikszene hacken. Sie geben Einblicke in ihren kollektiven, heterogenen Kompositionsprozess, berichten von Freiheiten, Herausforderungen und Erfahrungen mit Publikum und Veranstaltern. Persönliche Migrationsgeschichten verdeutlichen, wie diese die musikalische Perspektive und Identität des Orchesters prägen. Anschließend folgt ein Konzert, das die Vielfalt ihrer Musik erlebbar macht.\r\n\r\n*Eine Aufzeichnung dieser Session ist verfügbar [auf dem YouTube-Kanal von Bridges](https://youtu.be/R0kzNxpKaJQ).*",
"schedule_start": "2025-12-29T19:15:00+01:00",
"schedule_duration": "01:30:00",
"schedule_end": "2025-12-29T20:45:00+01:00"
},
{
"id": "f3ecee56-19f5-5c45-b5ec-799f710e0388",
"kind": "official",
"name": "Trump government demands access to European police databases and biometrics",
"slug": "trump-government-demands-access-to-european-police-databases-and-biometrics",
"url": "https://api.events.ccc.de/congress/2025/event/f3ecee56-19f5-5c45-b5ec-799f710e0388/?format=api",
"track": "ethics-society-politics",
"assembly": "ccc",
"room": "85a6ba5d-11d9-4efe-8d28-c5f7165a19ce",
"location": null,
"language": "en",
"description": "The US demand is unprecedented: even EU member states do not grant each other such extensive direct database access – normally the exchange takes place via the \"hit/no-hit principle\" with a subsequent request for further data. This is how it works, for example, in the Prüm Treaty among all Schengen states, which has so far covered fingerprints and DNA data and is now also being extended to facial images.\r\n\r\nThe EBSP could practically affect anyone who falls under the jurisdiction of border authorities: from passport controls to deportation proceedings. Under the US autocrat Donald Trump, this is a particular problem, as his militia-like immigration authority ICE is already using data from various sources to brutally persecute migrants – direct access to police data from VWP partners could massively strengthen this surveillance apparatus. Germany alone might give access to facial images of 5.5 million people and fingerprints of a similar dimension.\r\n\r\nThe USA has already tightened the Visa Waiver Programme several times, for instance in 2006 through the introduction of biometric passports and in 2008 through the ESTA pre-registration requirement. In addition, there were bilateral agreements for the exchange of fingerprints and DNA profiles – however, these may only be transmitted in individual cases involving serious crime.\r\n\r\nExisting treaties such as the EU-US Police Framework Agreement are not applicable to the \"Enhanced Border Security Partnership\", as it applies exclusively to law enforcement purposes. It is also questionable how the planned data transfer is supposed to be compatible with the strict data protection rules of the GDPR. The EU Commission therefore wants to negotiate a framework agreement on the EBSP that would apply to all member states. Time is running short: the US government has set VWP states a deadline of 31 December 2026. Some already agreed on a bilateral level.",
"schedule_start": "2025-12-28T20:10:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-28T20:50:00+01:00"
},
{
"id": "0fdda2f0-88c1-518f-858f-fd41d48325f4",
"kind": "official",
"name": "Über europäische Grenzen hinweg auf klinischen Daten rechnen - aber sicher!",
"slug": "uber-europaische-grenzen-hinweg-auf-klinischen-daten-rechnen-aber-sicher",
"url": "https://api.events.ccc.de/congress/2025/event/0fdda2f0-88c1-518f-858f-fd41d48325f4/?format=api",
"track": "science",
"assembly": "ccc",
"room": "85a6ba5d-11d9-4efe-8d28-c5f7165a19ce",
"location": null,
"language": "de",
"description": "**Klinische Forschung 101:** Warum sind \"multizentrische\" klinische Studien der Goldstandard und wie läuft das ab? Welche Daten werden da gesammelt und wie funktioniert in der Praxis der Datenaustausch? Was sagt die DSGVO dazu?\r\n\r\n**Sicheres verteiltes Rechnen 101:** Wie kann man in verschlüsselten peer-to-peer Netzwerken gemeinsam auf verteilten Daten rechnen, ohne die Eingabedaten untereinander austauschen zu müssen? Was sind technische Vor- und Nachteile? Was ändert das an den Rollen der Akteure im System?\r\n\r\n**Der Prototyp in Deutschland 2019:** Das LMU Klinikum in München kooperiert mit der Charité in Berlin und der TU München. Zum ersten Mal gelingt das gemeinsame Rechnen auf verteilten Patient:innendaten. Diverse lessons were learned.\r\n\r\n**Die erste europäische Studie 2024:** Das LMU Klinikum in München kooperiert mit der Policlinico Universitario Fondazione Agostino Gemelli in Rom. Aus der Pilotstudie ergibt sich auch ein DSGVO-konformer Blueprint und eine wiederverwendbare Architektur.\r\n\r\n**Fazit und Ausblick:** Sicheres verteiltes Rechnen in der Wissenschaft und darüber hinaus.",
"schedule_start": "2025-12-28T15:40:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-28T16:20:00+01:00"
},
{
"id": "341961a3-599d-52b9-8262-34c1757c9698",
"kind": "official",
"name": "Unnecessarily Complicated Kitchen – Die Wissenschaft des guten Geschmacks",
"slug": "unnecessarily-complicated-kitchen-die-wissenschaft-des-guten-geschmacks",
"url": "https://api.events.ccc.de/congress/2025/event/341961a3-599d-52b9-8262-34c1757c9698/?format=api",
"track": "entertainment",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "de",
"description": "Willkommen in der „Unnecessarily Complicated Kitchen“ – einer Küche, in der Naturwissenschaft, Technik und kulinarisches Chaos aufeinandertreffen.\r\nWir sezieren das Kochen aus der Perspektive von Hacker*innen: Warum Hitzeübertragung ein deinen Tschunk kühlt, warum Emulsionen wie BGP funktionieren und wie sich die Kunst des Abschmeckens in Datenpunkten erklären lässt.\r\n\r\nIn diesem Talk verbinden wir naturwissenschaftliche Experimente mit kulinarischer Praxis. Wir erhitzen, rühren, messen und analysieren – live auf der Bühne. Dabei übersetzen wir Physik und Chemie in Geschmack, Textur und Aha-Momente.\r\nKochen wird so zum Laborversuch, zum Hack, zum Reverse Engineering des guten Geschmacks.\r\n\r\nIch zeige, dass hinter jeder gelungenen Marinade ein Protokoll steckt, hinter jeder Soße ein Algorithmus – und dass man auch in der Küche mit Trial & Error, Open Source und einer Prise Chaos zu erstaunlichen Ergebnissen kommt.\r\n\r\nAm Ende steht nicht nur Erkenntnis, sondern auch Genuss: Denn wer versteht, warum etwas schmeckt, kann die Regeln brechen – und sie dabei besser würzen.",
"schedule_start": "2025-12-28T00:20:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-28T01:20:00+01:00"
},
{
"id": "62a4c15d-6efb-5d85-b41d-5363e08ebeae",
"kind": "official",
"name": "Variable Fonts — It Was Never About File Size",
"slug": "variable-fonts-it-was-never-about-file-size",
"url": "https://api.events.ccc.de/congress/2025/event/62a4c15d-6efb-5d85-b41d-5363e08ebeae/?format=api",
"track": "art-beauty",
"assembly": "ccc",
"room": "62251a07-13e4-5a72-bb3c-8528416ee0f2",
"location": null,
"language": "en",
"description": "When the OpenType 1.8 specification introduced variable fonts in 2016, the idea was simple: combine all weights and styles of a font family into one file and save file size and therefore bandwidth. Yet in 2025, variable fonts have become a platform for artistic and technical exploration far beyond their initial goal.\r\n\r\nThis talk follows that transformation from the inside. It starts with a short history of flexible font technologies — Adobe’s Multiple Master and Apple’s TrueType GX formats of the 1990s (I am just mentioning the company names as they were the publishers of these technologies) — and how they failed to become standards. It then shows why variable fonts succeeded: many designers today are more tech savvy and know some basic HTML, CSS and maybe even some JavaScript. And at the same time all major browsers and almost all design apps support variable fonts by now.\r\n\r\nFrom there, I present a series of first-hand projects where typography met code:\r\n– TypoLabs (2017), whose identity used a custom variable font animating between extremes of weight and width → the variable font family became the (probably forever) unpublished variable font family Denman;\r\n– Marjoree (2024), a pair of variable pattern fonts based on hexagonal and pentagonal tilings that explore legibility and repetition;\r\n– Kario (2025), a duplex variable font powering the 39C3 identity, with uniwidth weights, optical-size adjustments, and typographic Easter eggs;\r\n– and Bronco (2017?), an experiment using the arbitrary-axis model for interpolation to escape the cube-shaped multiple master design space of traditional variable fonts.\r\n\r\nThe talk then moves from history to speculation. Early head-tracking experiments once tried to adjust a variable font’s optical size based on reader position — producing total chaos as text reshaped itself while being read. 
On the other hand this playful chaos marks the moment when things become truly interesting: connecting a font axis to live data, to mouse movement, to sound, to network input — anything that makes type responsive and alive. That’s the kind of misbehavior I want to talk about — not breaking for the sake of breaking, but using technology the “wrong” way to see what happens.\r\n\r\nThe talk will mix images, a lot of short videos, and a bit of behind-the-scenes insight into font development. It’s about what happens when design tools meet code, and how that intersection keeps typography alive and unpredictable.\r\n\r\nLink list of variable font experiments:\r\nhttps://kario.showmefonts.com/\r\nhttps://marjoree.showmefonts.com/\r\nhttps://www.bronco.varfont.com/\r\nhttps://www.denman.varfont.com/\r\nhttps://www.seraphs.varfont.com/ \r\n+ 39C3 visual identity",
"schedule_start": "2025-12-28T17:35:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-28T18:15:00+01:00"
},
{
"id": "6a747cc1-1320-5027-b7f9-050a6f3b2134",
"kind": "official",
"name": "Verlorene Domains, offene Türen - Was alte Behördendomains verraten",
"slug": "verlorene-domains-offene-turen-was-alte-behordendomains-verraten",
"url": "https://api.events.ccc.de/congress/2025/event/6a747cc1-1320-5027-b7f9-050a6f3b2134/?format=api",
"track": "security",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "de",
"description": "Im Rahmen der Untersuchung zeigten sich nicht nur Fehlkonfigurationen, sondern auch Phänomene wie Bitsquatting und Typoquatting innerhalb der Verwaltungsnetze. Mit dem Betrieb eines DNS-Servers und dem Erwerb von bund.ee (naher Typosquatting/Bitquatting zu bund.de) konnten u.a. zahlreiche DNS-Anfragen von Servern des Bundesministerium des Innern (BMI) und weiterer Einrichtungen des Bundes empfangen werden.\r\n\r\nDer Vortrag beleuchtet die technischen und organisatorischen Schwachstellen, die hinter solchen Vorgängen stehen - und zeigt, wie DNS-Details Einblicke in die IT-Infrastruktur des Staates ermöglichen können. Abgerundet wird das Ganze durch praktische Beispiele, Datenanalysen und Empfehlungen, wie sich ähnliche Vorfälle künftig vermeiden lassen.\r\n\r\nIn anderen Ländern sind gov-Domains als TLDs längst üblich (bspw. gov.uk) - in Deutschland ist bund.de oder gov.de allerdings nicht so verbreitet wie man glaubt, unter anderem da Bundesministerien eigene Domains nutzen oder nach Regierungsbildung umbenannt werden.",
"schedule_start": "2025-12-28T21:05:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-28T21:45:00+01:00"
},
{
"id": "4972548a-618e-56a1-8328-3abe474a31ab",
"kind": "official",
"name": "Verschlüsselung brechen durch physischen Zugriff - Smartphone Beschlagnahme durch Polizei",
"slug": "verschlusselung-brechen-durch-physischen-zugriff-smartphone-beschlagnahme-durch-polizei",
"url": "https://api.events.ccc.de/congress/2025/event/4972548a-618e-56a1-8328-3abe474a31ab/?format=api",
"track": "ethics-society-politics",
"assembly": "ccc",
"room": "7202df07-050c-552f-8318-992f94e40ef0",
"location": null,
"language": "de",
"description": "Staatstrojaner, Chat-Kontrolle, Wanzen. Die Mittel staatlicher Überwachung sind vielfältig und teilweise technisch sehr komplex. Dabei ist es leicht, den Überblick zu verlieren. Ein relativ profanes Mittel, das Polizeibehörden in Deutschland hunderttausendfach anwenden, ist die Beschlagnahme von Smartphones und Laptops sowie das Auslesen ihrer Daten. Genaue Statistiken gibt es nicht. Es dürften jedoch mehr Fälle sein als bei der einfachen Telekommunikationsüberwachung. Allein in Sachsen-Anhalt waren es innerhalb von fünf Jahren 13.000 Smartphones. \r\n\r\nAuch bei leichten Straftaten und Ordnungswidrigkeiten beschlagnahmt die Polizei regelmäßig Datenträger - insbesondere Smartphones und Laptops - etwa beim Verdacht einer Beleidigung oder bei der Handynutzung im Straßenverkehr. Oft werden auch Hausdurchsuchungen durchgeführt und dabei alle technischen Geräte beschlagnahmt und durchsucht. Die Verfassungsmäßigkeit dieser polizeilichen Praxis ist sehr zweifelhaft. Das Bundesinnenministerium plante in der letzten Legislatur sogar, die Kompetenzen der Polizei auszuweiten wodurch auch heimliche Hausdurchsuchungen möglich werden sollten. Damit könnte die Polizei heimlich Staatrojaner installieren oder sog. Evil-Maid-Angriffe vorbereiten. Die Strafverfolgungsbehörden stützen sich auf die Beschlagnahmevorschriften der §§ 94 ff. Strafprozessordnung, die seit 1877 im Wesentlichen unverändert geblieben sind und in ihrem Wortlaut weder die Möglichkeit eines Datenzugriffs noch die Modalitäten und Grenzen einer Datenauswertung regeln. Auch wird die Maßnahme nicht auf Straftaten einer gewissen Schwere begrenzt und es fehlen Vorgaben zum Schutz besonders sensibler Daten, die etwa in den Kernbereich der persönlichen Lebensführung fallen. Im Rahmen einer Durchsuchung ermöglicht es der §§ 110 Strafprozessordnung eine vorläufige Sicherung und Durchsicht der Speichermedien. 
Auch diese Vorschrift reicht nicht aus, um Grundrechte angemessen zu schützen, da mit der kompletten Ausforschung des gesamten Datenbestandes ein gravierender Grundrechtseingriff in die Privatsphäre der Betroffenen verbunden ist und gesetzlich keine angemessenen Grenzen gesetzt werden.\r\n\r\nGerade auf Smartphones befinden sich oft höchstpersönliche Daten wie Chats mit der Familie oder dem*der Partner*in, Fotos, Kontakte, Standortdaten und Dating-Apps. Darüber hinaus sind die Geräte regelmäßig mit Cloud-Diensten und anderen Datenträgern verbunden. Auf all diese Daten können Polizeibehörden dann zugreifen.\r\nMöglich wird das durch Software von Firmen wie Cellebrite, MSAB oder Magnet. Diese nutzen Sicherheitslücken aus, um die Verschlüsselung von Smartphones zu knacken. Wie auch bei Sicherheitslücken für Staatstrojaner sind die Sicherheitslücken, die diese Firmen ausnutzen, den Herstellern nicht bekannt. Damit unterstützen deutsche Behörden ein System, dass die Geräte aller unsicher macht. Auch die Bitlocker-Verschlüsselung von Windows-Computern lässt sich oft umgehen. Dies ermöglicht den Strafverfolgungsbehörden den freien und unbeschränkten Zugang zu allen persönlichen Daten, ohne angemessene gesetzliche oder gerichtliche Kontrolle und Überprüfung. Auch für die betroffenen Personen wird nicht erkennbar, in welchem Ausmaß Daten durchsucht und ausgewertet wurden. Im Vortrag wird der aktuelle Stand und die Probleme von Verschlüsselung von Windows und Linux Computern sowie Android und iOS Smartphones erläutert. \r\n\r\nAm Beispiel des Journalisten Hendrik Torners, dessen Smartphone beschlagnahmt wurde, nachdem er eine polizeiliche Maßnahme nach einer Klimademonstration beobachtet hatte und nun im Rahmen einer Verfassungsbeschwerde dagegen vorgeht, sowie weiterer öffentlich diskutierter Fälle wie #Pimmelgate besprechen die Vortragenden die technischen und juristischen Hintergründe.",
"schedule_start": "2025-12-30T00:15:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-30T00:55:00+01:00"
},
{
"id": "11ede3bc-662b-580b-9ecb-e84edabee369",
"kind": "official",
"name": "Von Fuzzern zu Agenten: Entwicklung eines Cyber Reasoning Systems für die AIxCC",
"slug": "von-fuzzern-zu-agenten-entwicklung-eines-cyber-reasoning-systems-fur-die-aixcc",
"url": "https://api.events.ccc.de/congress/2025/event/11ede3bc-662b-580b-9ecb-e84edabee369/?format=api",
"track": "security",
"assembly": "ccc",
"room": "85a6ba5d-11d9-4efe-8d28-c5f7165a19ce",
"location": null,
"language": "de",
"description": "Die AIxCC (DARPA’s AI Cyber Challenge) ist ein zweijähriger Wettbewerb, dessen Ziel es war, die Möglichkeiten der automatisierten Erkennung und Behebung von Sicherheitslücken zu verbessern.\r\nDabei sollte ein autonomes, in sich geschlossenes System entwickelt werden, das Software analysiert, Schwachstellen erkennt, diese mithilfe von Reproducern nachweist und anschließend sichere Patches erzeugt.\r\n\r\nUnser Team hat sich diesem globalen Experiment angeschlossen und ein eigenes Cyber Reasoning System (CRS) von Grund auf neu entwickelt. Dazu haben wir mehrere Agenten entwickelt. Unser System profitierte von der Kombination klassischer Techniken wie Fuzzing mit modernen Large Language Models (LLMs). Die Synergie zwischen diesen Ansätzen erwies sich als leistungsfähiger als jede der beiden Techniken für sich allein, sodass unser CRS Software auf eine Weise untersuchen und patchen konnte, wie es weder Fuzzing noch LLMs allein leisten konnten.\r\n\r\nIn diesem Vortrag werden wir:\r\n- das Konzept und die Ziele hinter AIxCC erläutern\r\n- durchgehen, wie ein CRS tatsächlich funktioniert und wie wir unseres entwickelt haben\r\n- zeigen, wie LLMs traditionelle Fuzzing- und Analyse-Techniken unterstützen können\r\n- Beobachtungen zu den Strategien der Finalisten-Teams teilen",
"schedule_start": "2025-12-29T23:00:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-30T00:00:00+01:00"
},
{
"id": "8d964e8f-4853-5ca9-8a0e-6afc215dae7d",
"kind": "official",
"name": "Von Groschen und SpurLos - GNU Taler auch auf eurem Event!",
"slug": "von-groschen-und-spurlos-gnu-taler-auch-auf-eurem-event",
"url": "https://api.events.ccc.de/congress/2025/event/8d964e8f-4853-5ca9-8a0e-6afc215dae7d/?format=api",
"track": "ccc-community",
"assembly": "ccc",
"room": "7202df07-050c-552f-8318-992f94e40ef0",
"location": null,
"language": "de",
"description": "Anonymes Bezahlen ganz ohne Bargeld? Digitales Bezahlen ohne Gebühren auf jede einzelne Transaktion? Keine zentrale Datensammelei bei US-amerikanischen Zahlungsanbietern, und trotzdem keine Blockchain?\r\n\r\nGeht nicht? Geht doch! Schon auf mehreren Veranstaltungen wurde [GNU Taler](https://www.taler.net/) erfolgreich als lokales Event-Bezahlsystem eingesetzt: Sämtliche Zahlungen beim [LUG Camp 2024](https://lugcamp.wuplug.org/) wurden dank GNU Taler ausschließlich digital durchgeführt. Ebenso wurde mehr als ein Viertel des Umsatzes bei den [Datenspuren 2025](https://datenspuren.de/2025/) mit GNU Taler digital abgewickelt.\r\n\r\nWährend die GLS Bank im Rahmen des EU-geförderten Projekts NGI Taler ein [deutschlandweites Angebot](https://www.gls.de/taler) vorbereitet, hatten unsere Besucher*innen bereits jetzt die Gelegenheit, anonymes digitales Bezahlen in der echten Welt zu testen. Das positive Feedback und der reibungslose Ablauf haben uns gezeigt: GNU Taler ist einsatzbereit und kommt in der Community super an!\r\n\r\nDeshalb wollen wir unsere Erfahrungen mit GNU Taler als Eventbezahlsystem gerne an Orgateams von anderen (Chaos-)Veranstaltungen weitergeben. Nach einer Einführung zur Funktionsweise von GNU Taler berichten wir von der praktischen Umsetzung beim LUGCamp und bei den Datenspuren und geben Tipps für alle, die GNU Taler auch bei ihrem nächsten Event anbieten wollen.",
"schedule_start": "2025-12-30T13:50:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-30T14:30:00+01:00"
},
{
"id": "75dadf9f-5f43-5cc5-b344-b0d402af7092",
"kind": "official",
"name": "Von wegen Eisblumen! Wie man mit Code, Satelliten und Schiffsexpeditionen die bunte Welt des arktischen Phytoplanktons sichtbar macht",
"slug": "von-wegen-eisblumen-wie-man-mit-code-satelliten-und-schiffsexpeditionen-die-bunte-welt-des-arktischen-phytoplanktons-sichtbar-macht",
"url": "https://api.events.ccc.de/congress/2025/event/75dadf9f-5f43-5cc5-b344-b0d402af7092/?format=api",
"track": "science",
"assembly": "ccc",
"room": "85a6ba5d-11d9-4efe-8d28-c5f7165a19ce",
"location": null,
"language": "de",
"description": "Im Arktischen Ozean wird immer deutlicher, wie stark die globale Erwärmung den Rückgang des Meereises und das marine Ökosystem beeinflussen. Winzige Organismen, das Phytoplankton, bilden die Grundlage des Nahrungsnetzes durch den Aufbau von Biomasse und spielen so eine zentrale Rolle im globalen Kohlenstoffkreislauf. Dabei werden sie in der Arktis stark von den jahreszeitlichen Schwankungen der Polarnacht/-tag, der Meereisausdehnung und der sich verändernden Umwelt beeinflusst. Doch das Phytoplankton ist nicht nur ökologisch bedeutsam, sondern auch erstaunlich vielfältig und farbenfroh – wie eine bunte Blumenwiese im Ozean! \r\nSpannend bleiben dabei auch die Fragen, was die Vielfalt des Phytoplanktons ausmacht, wie diese eine Anpassung an die Umweltveränderungen ermöglicht und wie sich das arktische Ökosystem unter verschiedenen Klimawandelszenarien entwickeln könnte.\r\nDieser Vortrag lädt euch ein, in die eisigen Welten des arktischen Ozeans einzutauchen, um dem grundlegenden Baustein des arktischen Ökosystems, dem Phytoplankton, auf den Grund zu gehen.",
"schedule_start": "2025-12-29T16:00:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-29T17:00:00+01:00"
},
{
"id": "b51eb883-55db-5e30-9685-f7726b4da4d1",
"kind": "official",
"name": "Watch Your Kids: Inside a Children's Smartwatch",
"slug": "watch-your-kids-inside-a-children-s-smartwatch",
"url": "https://api.events.ccc.de/congress/2025/event/b51eb883-55db-5e30-9685-f7726b4da4d1/?format=api",
"track": "security",
"assembly": "ccc",
"room": "62251a07-13e4-5a72-bb3c-8528416ee0f2",
"location": null,
"language": "en",
"description": "Smartwatches for children have entered the mainstream: Advertised on the subway and sold by your cell provider, manufacturers are charging premium prices comparable to an entry-level Apple watch.\r\n\r\nIn exchange, parents are promised peace of mind: A safe, gentle introduction into the world of technology — and a way to call, text, and locate their child at any time.\r\n\r\nBut how much are the vendor's promises of safety, privacy, GDPR compliance, apps made in Europe and cloud servers in Germany actually worth?\r\n\r\nWe take you along the process of hacking one of the most popular children's watches out there, from gaining initial access to running our own code on the watch. Along the way, we find critical security issues at every turn. Our PoC attacks allow us to read and write messages, virtually abduct arbitrary children, and take control over any given watch.\r\n\r\nFinally, we'll also talk about disclosure, funny ideas of what passes as a security fix, and how we can use what we found to build something better.",
"schedule_start": "2025-12-29T13:50:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-29T14:30:00+01:00"
},
{
"id": "94c5aafc-0742-500b-92bd-ca6f2ceb37a1",
"kind": "official",
"name": "Wer hat Angst vor dem Neutralitätsgebot?",
"slug": "wer-hat-angst-vor-dem-neutralitatsgebot",
"url": "https://api.events.ccc.de/congress/2025/event/94c5aafc-0742-500b-92bd-ca6f2ceb37a1/?format=api",
"track": "ethics-society-politics",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "de",
"description": "„Neutralität“ wird zum neuen Kampfbegriff: Weil sie gegen die menschenfeindliche Politik von Friedrich Merz protestieren, wirft die CDU Gruppen wie Omas gegen Rechts, Greenpeace und Correctiv vor, nicht neutral zu sein. Unter Berufung auf ein angeblich verletztes Neutralitätsgebot werden staatliche Förderungen gestrichen und NGOs geraten unter Beobachtung des Verfassungsschutzes.\r\nJulia Klöckner verbietet im Namen der „Neutralität“ Palestine-Shirts, Anstecknadeln und Regenbogenflaggen im Parlament. Die AfD fordert dazu auf, Lehrkräfte zu melden, die sich gegen Rechtsextremismus einsetzen oder entsprechende Positionen innerhalb der AfD kritisieren.\r\nDoch was steckt dahinter?\r\nWas bedeutet das sogenannte Neutralitätsgebot – und für wen gilt es überhaupt?\r\nUnd für wen gilt es nicht?\r\nZivilcourage kann nicht neutral sein – und soll es auch nicht sein. Genauso wie AfD-Hetze gegen Migrant*innen nicht „neutral“ ist, ist die Kritik menschenfeindlicher Äußerungen nicht nur legitim, sondern Pflicht demokratischer Bürger*innen. Das Beschwören eines „Neutralitätsgebots“ für NGOs ist ein durchschaubarer, aber gefährlicher Versuch, sie der eigenen Position zu unterwerfen.\r\nDie Rechtsanwältinnen Vivian Kube und Hannah Vos erklären den verfassungsrechtlichen Hintergrund, zeigen die autoritären Strategien hinter dem Ruf nach „Neutralität“ auf und geben Tipps, wie man sich dagegen wehren kann.\r\nSie engagieren sich im Projekt Gegenrechtschutz, um demokratische Prinzipien und Betroffene vor rechtlichen Angriffen zu verteidigen.",
"schedule_start": "2025-12-29T13:50:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-29T14:30:00+01:00"
},
{
"id": "1e0b17f8-d1e2-5d75-b052-811b8f722b38",
"kind": "official",
"name": "Wer liegt hier wem auf der Tasche? Genug mit dem Bürgergeld-Fetisch. Stürmt die Paläste!",
"slug": "wer-liegt-hier-wem-auf-der-tasche-genug-mit-dem-burgergeld-fetisch-sturmt-die-palaste",
"url": "https://api.events.ccc.de/congress/2025/event/1e0b17f8-d1e2-5d75-b052-811b8f722b38/?format=api",
"track": "ethics-society-politics",
"assembly": "ccc",
"room": "62251a07-13e4-5a72-bb3c-8528416ee0f2",
"location": null,
"language": "de",
"description": "Die neue Grundsicherung trumpft Hartz IV in seiner Grausamkeit und ist ein Damoklesschwert über Erwerbslosen und allen, die Lohnarbeit machen. Zugleich nimmt die Zahl der Milliardäre und Mulitmillionäre stetig zu. Finanzbetrug durch Überreiche wird mehr oder weniger tatenlos zugesehen, während das Phantom des Bürgergeld-Totalverweigerers seit Jahren durch die Medien getrieben wird. \r\n\r\nWie der Angriff auf den Sozialstaat sich auf die Betroffenen in der Praxis auswirkt und was wir als Zivilgesellschaft tun können, um nicht nur tatenlos zusehen zu müssen, darum geht es in diesem Talk.",
"schedule_start": "2025-12-29T17:15:00+01:00",
"schedule_duration": "01:00:00",
"schedule_end": "2025-12-29T18:15:00+01:00"
},
{
"id": "d397c338-c631-5a03-a335-e3043d49188c",
"kind": "official",
"name": "We, the EU, and 1064 Danes decided to look into YouTube: A story about how the EU gave us a law, 1064 Danes gave us their YouTube histories, and reality gave us a headache",
"slug": "we-the-eu-and-1064-danes-decided-to-look-into-youtube-a-story-about-how-the-eu-gave-us-a-law-1064-danes-gave-us-their-youtube-histories-and-reality-ga",
"url": "https://api.events.ccc.de/congress/2025/event/d397c338-c631-5a03-a335-e3043d49188c/?format=api",
"track": "science",
"assembly": "ccc",
"room": "62251a07-13e4-5a72-bb3c-8528416ee0f2",
"location": null,
"language": "en",
"description": "**Talk Description**\r\nIn this talk, we explore what happens when the European Union’s data access laws meet the practical realities of platform research. The talk opens with a shared introduction, where David and LK set the stage: why social media platforms like YouTube matter for democracy and what the EU has done to make them more transparent.\r\n\r\nLK will then provide a short introduction into the legally mandated ways we can currently use to access platform data: from the GDPR’s right of access, the research data access provisions in the DSA, to the portability obligations in the DMA. But access is not the same as insight, a lesson David learned the hard way. Along with his team he invited over a thousand Danes to make use of their GDPR-right to their own data and donate their YouTube watch histories, searches, subscriptions and comments. Using the DSA, the team then obtained meta-data on the millions of videos the data donors had interacted with. The goal: Seeing what the digital data traces YouTube collects from its users can tell us about the platform’s effect on people’s lives and society. Are the data carrying indicators of polarization, loneliness, political extremism or any of the numerous other ails of society that YouTube has been suspected to cause? However, the data are difficult to get a hold of, messy, not properly annotated, and parsing them requires an almost archeological mindset. Together, we will peek behind the YouTube curtain, shine a light on what platform data actually looks like, and sketch out what can and cannot be learned from them. \r\n\r\nAll around Europe, researchers are currently facing similar challenges, parsing cryptic user and platform data from Facebook and TikTok to porn sites and Zalando. The platforms implement the data access laws to achieve minimal compliance but not to provide meaningful transparency. 
Data gathered by the DSA40 Data Access Collaboratory shows that application forms vary widely, researchers are rejected for non-compliant reasons, and applications artificially stalled. Other researchers have shown that the data received through some of the APIs is incomplete and inaccurate. In short: there is a lot of space for improvement. But we do not need to wait for investigations into platform compliance to conclude. The basic conditions for democratic oversight have been set, which means that theoretically various legal ways into the platforms exist for citizens, researchers and civil society. The question that remains is which levers to use to practically realise as much of this potential as possible.\r\n\r\n**About the Presenters**\r\nDavid Wegmann is a PhD student at Aarhus University, Denmark. He researches social media and its societal effects using data science. As part of DATALAB, he led the analysis of donated data for “Data donation as a method for investigating trends and challenges in digital media landscapes at national scale: The Danish population’s use of YouTube as an illustrative case” by Bechmann and colleagues (2025).\r\n\r\nLK Seiling coordinates the DSA40 Data Access Collaboratory, where they research the implementation of the DSA’s data access provisions. At the Weizenbaum Institute Berlin, they are also looking into research engineering and data access as well as technologically mediated risks for individuals, society, and science.",
"schedule_start": "2025-12-30T13:50:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-30T14:30:00+01:00"
},
{
"id": "4914b889-5003-561f-90a8-5371fc09a946",
"kind": "official",
"name": "What Makes Bike-Sharing Work? Insights from 43 Million Kilometers of European Cycling Data",
"slug": "what-makes-bike-sharing-work-insights-from-43-million-kilometers-of-european-cycling-data",
"url": "https://api.events.ccc.de/congress/2025/event/4914b889-5003-561f-90a8-5371fc09a946/?format=api",
"track": "science",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "en",
"description": "We are Felix, Georg, and Martin - each of us working professionally in different research and data areas, ranging from the future of mobility to computational fluid dynamics and machine learning. What unites us is our shared interest in **quantitative traffic analyses**. Building on earlier small-scale studies focused on individual cities, we set out to launch a project that captures shared bike system data across Europe - from regular bikes to e-bikes.\r\n\r\nIn our study, which led to an **[open-access scientific publication](https://doi.org/10.1007/s11116-025-10661-2)**, we scraped shared bike data across Europe at a **minute-by-minute level** over many months, accumulating **more than 43 million records**. We analyze **behavioural and systemic patterns** to understand what makes a bike-sharing system useful and successful within a city. As such, this evidence-based research fits very well with the **39C3 Science track** and the theme of \"**Power Cycles**\" as we dissect the complex energy and usage cycles that define urban mobility and sustainable futures for everyone. We bridge the gap between urban planning, socioeconomics, and technology by applying statistical modeling and engineering knowledge to a large-scale mined dataset. Join us to learn whether right-wing politics stall sustainable mobility, or which climate e-bikes feel most comfortable in!\r\n\r\nWe love going the extra mile and therefore provide a live, interactive demo that everyone can use to explore and understand traffic flows: [bikesharingflowmap.de](https://bikesharingflowmap.de/). Therefore, attendees will be able to play with the data in a self-service way. We also provide all code on GitHub and the complete dataset on HuggingFace. And, of course, we will also discuss how both bike-sharing operators and our boss reacted when we told them about the dataset we already had collected (spoiler: lawyers were involved, yet it’s still available for downloads…).",
"schedule_start": "2025-12-29T12:50:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-29T13:30:00+01:00"
},
{
"id": "ba5269c3-88f7-50e8-b12c-63510ee697e8",
"kind": "official",
"name": "What You Hack Is What You Mean: 35 Years of Wiring Sense into Text",
"slug": "what-you-hack-is-what-you-mean-35-years-of-wiring-sense-into-text",
"url": "https://api.events.ccc.de/congress/2025/event/ba5269c3-88f7-50e8-b12c-63510ee697e8/?format=api",
"track": "art-beauty",
"assembly": "ccc",
"room": "85a6ba5d-11d9-4efe-8d28-c5f7165a19ce",
"location": null,
"language": "en",
"description": "Computers can’t do much without encoding. They need ways to turn bytes into symbols, words, and meaning — to make text readable for both humans and machines. But encoding isn’t just for machines. Humans also encode: we describe, structure, and translate our thoughts into text. And while the number of text formats seems endless (and keeps growing), that’s not a bug — it’s a feature. Diversity in encoding is how we learn what works and what doesn’t.\r\n\r\nLong before ASCII tables or Unicode, text encoding already existed — in alphabets, printing presses, and typographic systems. Every technology of writing has been a way of hacking language into matter: from clay tablets to lead letters, from code pages to Markdown. Each era brings new formats and new constraints — and with them, new genres, new rules, new cultural codes. Think of poetry and protocol manuals, fairy tales and README files, the Hacker Bible itself — all shaped by the tools and conventions that carry them.\r\n\r\nSo here’s the question: can we encode not only what we see, but what we mean? Can we capture a poem’s rhythm, a play’s voices, or the alternate endings of a story — and do it in a way that’s open, remixable, and machine-readable?\r\n\r\nTurns out, yes — and the solution has existed since 1988. It’s called the Text Encoding Initiative (TEI), a long-running open-source standard that lets you describe the structure, semantics, and context of texts using XML. You can think of it as a humanities fork of hypertext — an extensible markup language for everything from medieval manuscripts to memes.\r\n\r\nTEI is more than a format: it’s a collaborative, living standard maintained by an international community of researchers, librarians, and digital humanists. It evolves with the world — adding elements for new text types (like social media posts) and for changing cultural realities (like non-binary gender markers). 
It embodies open science principles and keeps publishing in the hands of its creators.\r\n\r\nYou don’t need a publisher, a platform, or a big server farm. Just an XML-aware text editor, a few lines of CSS, and maybe a Git repo. From there, you can transform your encoded text into websites, PDFs, e-books — or share it directly in its raw, readable, hackable form. It’s sustainable, transparent, and low-energy. It even challenges the academic prestige economy by making every individual contribution visible — from editors to annotators to script writers.\r\n\r\nIn this talk, we’ll look at text as code and code as culture, from alphabets to XML, and explore how TEI can be a tool for hacking not machines but meaning itself. We’ll end with a practical example: a TEI-encoded page of the first Hacker Bible — because our own history also deserves to be archived, shared, and forked.",
"schedule_start": "2025-12-30T11:55:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-30T12:35:00+01:00"
},
{
"id": "d304dbd5-b055-5742-a134-417b0adbfa14",
"kind": "official",
"name": "When 8 Bits is Overkill: Making Blinkenlights with a 1-bit CPU",
"slug": "when-8-bits-is-overkill-making-blinkenlights-with-a-1-bit-cpu",
"url": "https://api.events.ccc.de/congress/2025/event/d304dbd5-b055-5742-a134-417b0adbfa14/?format=api",
"track": "hardware",
"assembly": "ccc",
"room": "85a6ba5d-11d9-4efe-8d28-c5f7165a19ce",
"location": null,
"language": "en",
"description": "In the late seventies, Motorola created a very cheap CPU, intended to replace logic circuits made from electromechanical relays. The resulting IC is so minimalistic that it can hardly be recognized as a CPU: Its data bus is just a single bit wide, it has no program counter, and the address bus isn't connected to the cpu at all. Yet, with just a few support components, and some clever programming, it can be made to do all sorts of things.\r\n\r\nWe'll explore hardware design and programming by taking a look at my implementation of Conway's Game of Life, and answer the question of how one can address 512 words of memory, as well as some other peripherals, using just four bits of address space.\r\n\r\nOutline:\r\n* History and theory of operation of the mc14500 \r\n* Writing programs that process one bit at a time\r\n* A closer look at the hardware I built, including its wacky peripherals\r\n* Demonstration\r\n* Q&A",
"schedule_start": "2025-12-29T13:50:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-29T14:30:00+01:00"
},
{
"id": "9c5f59ba-255e-5446-9b31-13eebef85810",
"kind": "official",
"name": "When Vibe Scammers Met Vibe Hackers: Pwning PhaaS with Their Own Weapons",
"slug": "when-vibe-scammers-met-vibe-hackers-pwning-phaas-with-their-own-weapons",
"url": "https://api.events.ccc.de/congress/2025/event/9c5f59ba-255e-5446-9b31-13eebef85810/?format=api",
"track": "security",
"assembly": "ccc",
"room": "62251a07-13e4-5a72-bb3c-8528416ee0f2",
"location": null,
"language": "en",
"description": "Our journey began with a simple question: why are so many people losing money to fake convenience store delivery websites? The answer led us through two distinct criminal architectures, both exhibiting characteristics of large language model–assisted development.\r\n\r\nCase 1 ran on PHP with backup artifacts exposing implementation details and query manipulation opportunities. The installation package itself contained pre-existing access mechanisms—whether this was developer insurance or criminal-on-criminal sabotage remains unclear. We leveraged initial access to bypass security restrictions using protocol-level manipulation and extracted gigabytes of operational data.\r\n\r\nCase 2 featured authentication bypass vulnerabilities that granted direct administrative access. The backend structure revealed copy-pasted code patterns without proper security implementation.\r\n\r\nThroughout both systems, we observed telltale signs of AI-generated code: verbose documentation in unexpected languages, inconsistent coding patterns, textbook-like naming conventions, and theoretical security implementations. Even the UI revealed LLM fingerprints—overly polished component layouts, placeholder text patterns, and design choices that felt distinctly \"tutorial-like.\" These weren't experienced developers—they were operators deploying what LLMs gave them without understanding the internals.\r\n\r\nThe irony? We used AI extensively too: for data parsing, pattern recognition, attack surface mapping, and intelligence queries. The difference was intentionality—we understood what the output meant.\r\n\r\nUsing open-source intelligence platforms and carefully crafted fingerprints, we mapped over a hundred active domains following similar patterns. Each one shared the same architecture, the same weaknesses, the same developer mistakes. This repeatability became our advantage. 
When scammers can redeploy infrastructure in days, you don't attack individual sites—you automate the entire reconnaissance-to-evidence pipeline.\r\n\r\nThis talk demonstrates practical techniques for mass-scale fraud infrastructure fingerprinting, operational security considerations when investigating active criminal operations, and methods to recognize AI-generated code patterns that reveal threat actor sophistication. We'll discuss the ethical boundaries of counter-fraud operations and evidence preservation for law enforcement, along with automation strategies for sustainable threat intelligence when adversaries rebuild faster than you can report. The demonstration will show how to go from a single suspicious domain to a network map of 100+ sites and thousands of victim records—using tools available to any researcher.\r\n\r\nThis isn't a story about elite hackers versus criminal masterminds. It's about two groups equally reliant on AI vibing their way through technical problems—one for fraud, one for justice. The skill barrier has collapsed. The question now is: who has better context, better ethics, and better coffee?",
"schedule_start": "2025-12-28T23:00:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-28T23:40:00+01:00"
},
{
"id": "64ec3662-a77a-51c1-98fc-65f995f49912",
"kind": "official",
"name": "Who cares about the Baltic Jammer? – Terrestrial Navigation in the Baltic Sea Region",
"slug": "who-cares-about-the-baltic-jammer-terrestrial-navigation-in-the-baltic-sea-region",
"url": "https://api.events.ccc.de/congress/2025/event/64ec3662-a77a-51c1-98fc-65f995f49912/?format=api",
"track": "security",
"assembly": "ccc",
"room": "85a6ba5d-11d9-4efe-8d28-c5f7165a19ce",
"location": null,
"language": "en",
"description": "Since 2017, our team at DLR and partners across Europe have been working on an alternative to satellite navigation: **R-Mode**, a backup system based on terrestrial transmitters. Our main testbed spans the Baltic Sea — a region now infamous for GNSS jamming and spoofing.\r\n\r\nWe’ll start by showing what GNSS interference actually means in practice: aircraft losing navigation data, ships switching to manual control, and entire regions facing timing outages — such as the recent disruption of telecommunications in Gdańsk during Easter 2025.\r\n\r\nThen we’ll take you behind the scenes of building R-Mode: designing signals that can coexist with legacy systems, installing transmitters along the coast, and testing shipborne receivers in rough conditions. We’ll share personal moments — like the first time we received a stable position fix in the middle of the Baltic.\r\n\r\nFinally, we’ll talk about perception and politics: how a “research curiosity” became a critical infrastructure project, why ESA now wants to build a *satellite* backup (with the same vulnerabilities), and how it feels when your civilian open-source navigation system suddenly becomes strategically relevant.",
"schedule_start": "2025-12-27T12:50:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-27T13:30:00+01:00"
},
{
"id": "9bdb9e0b-10c1-5543-81f5-d51da1c86367",
"kind": "official",
"name": "Who runs the www? WSIS+20 and the future of Internet governance",
"slug": "who-runs-the-www-wsis20-and-the-future-of-internet",
"url": "https://api.events.ccc.de/congress/2025/event/9bdb9e0b-10c1-5543-81f5-d51da1c86367/?format=api",
"track": "ethics-society-politics",
"assembly": "ccc",
"room": "7202df07-050c-552f-8318-992f94e40ef0",
"location": null,
"language": "en",
"description": "The starting point is the UN’s WSIS+20 review process, which negotiated the future of the Internet Governance Forum and the roles of stakeholders within it. Against this backdrop, the talk traces the origins of the so-called multistakeholder approach and examines how it works in practice and where its limits lie.\r\n\r\nWhat role do technical standardization organizations such as the IETF, ICANN, ITU or the W3C play in an increasingly geopolitical environment? Who sets the rules, who defines the standards, and who is left out of these processes?\r\n\r\nThe aim of the talk is to make the connections between technology and international politics visible and to explain why Internet governance matters to everyone interested in an open, global, and interoperable Internet.",
"schedule_start": "2025-12-30T12:50:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-30T13:30:00+01:00"
},
{
"id": "1511188c-92ca-5002-b411-591b5f848e14",
"kind": "official",
"name": "Wie wir alte Flipperautomaten am Leben erhalten",
"slug": "wie-wir-alte-flipperautomaten-am-leben-erhalten",
"url": "https://api.events.ccc.de/congress/2025/event/1511188c-92ca-5002-b411-591b5f848e14/?format=api",
"track": "hardware",
"assembly": "ccc",
"room": "62251a07-13e4-5a72-bb3c-8528416ee0f2",
"location": null,
"language": "de",
"description": "Der Vortrag gibt einen Einblick in die verschiedenen Generationen von Flippern und deren Technik. Angefangen von elektromechanischen Geräten aus den frühen Sechzigern, über erste Prozessorsteuerungen, bis hin zu modernsten computergesteuerten Automaten mit Bussystemen. Jede Generation hat ihre technischen Eigenheiten, ihre typischen Fehlermuster und Schwachstellen. \r\nIn öffentlichen Räumen sind heutzutage kaum mehr Flipper anzutreffen. Das liegt insbesondere daran, dass deren Wartung aufwändig ist, weil durch die mechanische Beanspruchung häufig Fehler auftreten. Bereits kleinste technische Probleme können den Spielspaß zunichte machen.\r\nDas Finden und Beheben von Fehlern erfordert viel Erfahrung – und manchmal Kreativität, insbesondere wenn alte Bauteile nicht mehr verfügbar sind oder kaum Dokumentation vorhanden ist. Technisch ist Sachverstand auf vielen Ebenen erforderlich, vom Schaltplanlesen über Löten und elektronische Messtechnik, bis hin zu mechanischem Know-how.\r\nDie Community der Flipper-Enthusiasten ist allerdings groß und kooperativ, sodass auch private Sammler ihre Flipper am Laufen halten können.",
"schedule_start": "2025-12-28T21:05:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-28T21:45:00+01:00"
},
{
"id": "d92af8c4-40fb-54e2-9535-bcc683f4a010",
"kind": "official",
"name": "Xous: A Pure-Rust Rethink of the Embedded Operating System",
"slug": "xous-a-pure-rust-rethink-of-the-embedded-operating-system",
"url": "https://api.events.ccc.de/congress/2025/event/d92af8c4-40fb-54e2-9535-bcc683f4a010/?format=api",
"track": "hardware",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "en",
"description": "The world is full of small, Internet-of-Things (IoT) gadgets running embedded operating systems. These devices generally fall into two categories: larger devices running a full operating system using an MMU which generally means Linux, or smaller devices running without an MMU using operating systems like Zephyr, chibios, or rt-thread, or run with no operating system at all. The software that underpins these projects is written in C with coarse hardware memory protection at best. As a result, these embedded OSes lack the security guarantees and/or ergonomics offered by modern languages and best practices.\r\n\r\nThe Xous microkernel borrows concepts from heavier operating systems to modernize the embedded space. The open source OS is written in pure Rust with minimal dependencies and an emphasis on modularity and simplicity, such that a technically-savvy individual can audit the code base in a reasonable period of time. This talk covers three novel aspects of the OS: its incorporation of hardware memory virtualization, its pure-Rust standard library, and its message passing architecture.\r\n\r\nDesktop OSes such as Linux require a hardware MMU to virtualize memory. We explain how ARM has tricked us into accepting that MMUs are hardware-intensive features only to be found on more expensive “application” CPUs, thus creating a vicious cycle where cheaper devices are forced to be less safe. Thanks to the open nature of RISC-V, we are able to break ARM’s yoke and incorporate well-established MMU-based memory protection into embedded hardware, giving us security-first features such as process isolation and encrypted swap memory. In order to make Xous on real hardware more accessible, we introduce the Baochip-1x, an affordable, mostly-open RTL 22nm SoC configured expressly for the purpose of running Xous. 
The Baochip-1x features a Vexriscv CPU running at 400MHz, 2MiB of SRAM, 4MiB of nonvolatile RRAM, and a quad-core RV32E-derivative I/O accelerator called the “BIO”, based on the PicoRV clocked at 800MHz.\r\n\r\nMost Rust targets delegate crucial tasks such as memory allocation, networking, and threading to the underlying operating system’s C standard library. We want strong memory safety guarantees all the way down to the memory allocator and task scheduler, so for Xous we implemented our standard library in pure Rust. Adhering to pure Rust also makes cross-compilation and cross-platform development a breeze, since there are no special compiler or linker concerns. We will show you how to raise the standard for “Pure Rust” by implementing a custom libstd.\r\n\r\nXous combines the power of page-based virtual memory and Rust’s strong borrow-checker semantics to create a safe and efficient method for asynchronous message passing between processes. This inter-process communication model allows for easy separation of different tasks while keeping the core kernel small. This process maps well onto the Rust \"Borrow / Mutable Borrow / Move\" concept and treats object passing as an IPC primitive. We will demonstrate how this works natively and give examples of how to map common programming algorithms to shuttle data safely between processes, as well as give examples of how we implement features such as scheduling and synchronization primitives entirely in user space.\r\n\r\nWe conclude with a short demo of Xous running on the Baochip-1x, bringing Xous from the realm of emulation and FPGAs into everyday-user accessible physical silicon.",
"schedule_start": "2025-12-28T23:00:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-28T23:40:00+01:00"
},
{
"id": "926c987a-2dd9-54f6-9a3a-45222dc9c4b7",
"kind": "official",
"name": "Zentrum für Politische Schönheit: Ein Jahr Adenauer SRP+ und der Walter Lübcke Memorial Park",
"slug": "zps-ein-jahr-adenauer-srp-und-mehr",
"url": "https://api.events.ccc.de/congress/2025/event/926c987a-2dd9-54f6-9a3a-45222dc9c4b7/?format=api",
"track": "art-beauty",
"assembly": "ccc",
"room": "ba692ba3-421b-5371-8309-60acc34a3c05",
"location": null,
"language": "en",
"description": "Es ist genau ein Jahr her, dass der Adenauer SRP+ in der Halle des 38C3 stand. Damals war er noch eine Baustelle, aber schon bald machte er sich auf den Weg, um Geschichte zu schreiben. Wir nehmen euch mit auf eine Reise: von Blockade über Protest, von Sommerinterviews bis zu Polizeischikanen lassen wir ein Jahr Adenauer SRP+ Revue passieren. Das könnte lustig werden.\r\nAußerdem: alles zum Walter Lübcke-Memorial-Park, den wir gerade direkt vor die CDU-Zentrale gebaut haben.\r\n\r\nOwei owei: Das wird viel für 40 Minuten.",
"schedule_start": "2025-12-27T11:55:00+01:00",
"schedule_duration": "00:40:00",
"schedule_end": "2025-12-27T12:35:00+01:00"
}
]