35C3 – Refreshing Memories: Lightning Talks Day 3

Video in TIB AV-Portal: 35C3 – Refreshing Memories: Lightning Talks Day 3

Formal Metadata

Title: 35C3 – Refreshing Memories: Lightning Talks Day 3
License: CC Attribution 4.0 International. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Language: Multiple languages

Content Metadata

Subject Area: Lightning Talks are short lectures (almost) any congress participant may give! Bring your infectious enthusiasm to an audience with a short attention span! Discuss a program, system or technique! Pitch your projects and ideas or try to rally a crew of people to your party or assembly! Whatever you bring, make it quick!
Keywords: CCC

Transcript

[Music] So welcome to the second lightning talk session. I'm going to briefly explain how the session works, for the audience and for the speakers. All speakers, please sit in one of the front rows so you can get on the stage quickly to deliver your talk. You can do so by talking into the microphone; that's very important so that people can hear you. Do not turn around to see your slides, because then you can't be heard even if you talk. You can see your slides down on the screen here; it could be that they are too small, then just move to the side and you can see them. Use the clicker to advance the slides. Stay calm, talk loud and clearly so that everybody can hear your message. Finish on time, which is very important because we have so many talks and we don't want to use more time than we are allowed to. Then get your applause and leave the stage. Yeah, thanks, but I'm not going to leave yet. I'm going to explain for the audience how to listen to lightning talks. It's pretty simple: just be excellent to each other, keep in mind all the announcements I just made, but also watch the timekeeper. The timekeeper is right up here, or you can see it on the screen up there, which helps us to track the five minutes that every speaker has. Alex, would you take over?

Good morning everybody. With the last talk yesterday, with padeluun, we decided to try a more speaker-friendly and more appreciative approach to cancelling a talk. Rather than "five, four, three, two, one" or sounds, we want to applaud them out. So we try to use some applause to stop the talk. This is, I think, more awesome for the speakers, and maybe for you as well. For the speakers: as long as the timekeeper is in the green area you are in the first four minutes of your talk; you have plenty of time. When it goes up like this, you have only about one minute left. When it starts turning yellow, these are the last 30 seconds of your talk. When it starts to get red, you have not much time left, and then we try the new approach: five, four, three, two, one. I think this might work.

Yeah, I think so too, because we noticed that most speakers are already on their contact slide, and when we bust them out it's not very nice. So we just send them away with an applause. All right, I think that's it.

I'm going to mention the translation. A very awesome job by the translation team; please give them a huge round of applause. We will have the German talks translated into English, the English talks translated into German, and also everything translated into French. See the website up there, https://c3lingo.org, for information on how to listen to these translated streams. Well then, I think we can start. Let's go with the first speaker. [Music]
Good morning everyone, thanks for being here so early. I'm here to tell you about a little project that I'm working on: satRday. It's a one-day conference that I'm organizing in Berlin next year, which is very soon. I'm going to tell you a little bit about what the conference is about, which is the R programming language, a little bit about how I ended up organizing a conference, and why I think it's interesting to you, maybe: its philosophy, which is open and open source. So let's get started.

R is now one of the main languages for data science and statistical programming. It is a great tool for data visualization as well, and it is free and open source. It's supported by the R Foundation and it is widely used; it just celebrated its 25th year this year, and it's used both in research and in industry, at companies like Google and Airbnb; you can find it just about anywhere. I'm Noa, I'm from Berlin. How did I end up dedicating all of my free time, some of my best friends' free time, some of their colleagues' and some of people I just met through Twitter because I announced it a few weeks ago? It started with R-Ladies. I've been organizing an R-Ladies meetup in Berlin for the past two years. R-Ladies is an effort by the R community to promote women's involvement in R code, to get more women to contribute to code and to be active, and to feel like R is a language and a community that is for them. We do that by offering meetups and mentorship programs. It's a side project, and it's still some of my best work, I think, over the last two years.

Along with that I also started volunteering. It looks a little bit like this; I think it's really fun, and if you are interested in R I highly recommend it. It's open for everyone; only the organizational roles are reserved for women.

Around that time, but later, I also started volunteering at Forwards, which is the task force by the R Foundation to promote all sorts of diversity and inclusion, not just for women: it's for LGBTQ+ people, for people with disabilities, for different minority groups, and we're really trying to do all sorts of work around that. This year I had the opportunity to get, for the first time, outside of my local bubble. Other than Slack and GitHub I've only known the R users around me, and then maybe a few data science conferences. So I went to eRum, the European R Users Meeting, in Budapest this year, and two years before that, in 2016, they organised the first satRday event in Budapest. I was really inspired by the vibrant community and by meeting a lot of people that I only knew through Slack and GitHub thus far, and a lot of sub-communities in the R-Ladies and R community that are not location-based. I really thought, well, if you can do this in Budapest, why can't you do it in Berlin? I'm sure we have enough people who use R to create a similar conference. So I thought, why not, let's organize a satRday, signed up on GitHub, and that's how I ended up doing that.

So why did I like the idea so much? It very much relates to my history with R-Ladies and Forwards: it's the philosophy behind satRday. It's not "let's just have another conference for R", and it's not "let's just have another event for people to come and share ideas"; it's really about making sure that as many people as possible can come and share ideas. How do we do that? We make sure that it's completely volunteer-run, we are not-for-profit, and if we have any leftover money we reinvest it into scholarships for the community or events like bringing in speakers, and so on. It's low cost, we cap it at a minimum wage, we try to make sure it's both for beginners and for advanced users, and we really make a lot of effort to include women, minorities, LGBTQ people and people with disabilities. How do we do that? We don't need to reinvent the wheel, thankfully, and this might be the interesting part for you: there are a lot of resources about how to make sure that your events and your communities are suitable for as many people as possible, and you can use the great resources from other conferences. I guess that's it. This is our great organizing team. If you're interested in more information and if you want to help us out, then please be in touch. [Applause] [Music]
Public Sector Information Directive.

Yeah, good morning. So I will talk about the fancy topic of public sector information, in case anybody wonders what that is: that's basically the open data legislation for the whole of Europe, which is right now being negotiated in the coming weeks in Brussels. And what does that do at a Congress? Well, basically, from the hacker ethics: "use public data, protect private data" is one of the core fundamentals. I'm working at the Open Knowledge Foundation, so we do a lot of data stuff, like a project on the energy sector which was recently launched, and you can hack on code for Germany, and so on.

So what is open data, in case nobody knows? It's basically data you can freely use, modify or share, by anyone, for any purpose, meaning also you can make a business out of it. And what you see here, that part, is right now being negotiated: that's also open data, or data which should be open data, held by public institutions or government-owned enterprises, and that's the list of what we are demanding. To keep it short, basically everything which is funded by public money should also be a public good. In Germany there's a campaign by Wikimedia which is called "Öffentliches Geld, öffentliches Gut" (public money, public good), or the other way around. So that's the standing: in December there was the committee vote, and right now the negotiation. What is important: also in Germany, in this legislative period, we should get a new open data law, at least that's in the coalition contract. I want to illustrate why that is important on one example, and that is public transportation data, which is right now a really bad state of affairs in Germany. Why is that important? Because, for example, we want to increase mobility with less CO2, and it's a big sector. So that's the current state: where it's green we have open data in the transportation sector; here we are lagging behind, and everything else is not compatible with 2018, I would say. When you're missing data you get weird routing issues, like you can see here, and that goes on all over Europe. So at the end of the day, or in the long run, we'll first have a human being on Mars before we have public open data in the transportation sector, and we want to change that.

There's actually hope. When we use open standards, open software and open data, there's a great example coming from Finland: they created this platform just for Helsinki, but it was open, so it was modified by somebody else. There's a tiny town in Italy which adopted the model for just 15,000 euros, and you have a live map of where the buses are going, and that was done by one developer, because Helsinki was so awesome in providing the platform as open source with open data standards. So what that means, basically, is that you can move from data shovelling by hand to industrial rollout, and that means efficiency. Just think about what could be done across Europe when we have standards, and that's what the directive should be the effort for. It's not just this case of transportation; it's also for transparency when it comes to beneficial ownership of companies, for example, or what public broadcasting stations are doing, so we can see the content and use it later. So that's a detailed list, I don't know how much time we have. Basically, what you should think about is how awesome it would be to have public data as an infrastructure, and what can be done with it. So please bug your local politicians, or whoever is in charge of it at the local level, and if you're interested, contact us. The slides are online, they are linked, because I think it will be timely. I think that was it from my side; we still have time for a Q&A. [Applause] [Music]
Any questions right now? Yeah, I don't see any hands, but we're always happy if we are a bit short on time. Thank you. Next up is: password strength meters.
Okay, good morning. We are here to talk about passwords. It's 2018 and we can say that passwords are here to stay; we're going to see them for a long time now. We also can admit that passwords actually can be quite good, considering they're a knowledge-based, single-factor authentication mechanism. But passwords are only quite good if we select suitable passwords, and that brings us to the topic of how we actually measure the strength of passwords. This is a big topic; it's called password strength meters. There are a lot of them out there. Actually there has been some progress in the hacking community and in the academic community, but there is still a lot of debate about what a strength meter is actually good at, what is to be considered good. I have two examples at the bottom. On the left-hand side you can see GitHub, and this is a password strength meter that starts out with a policy that is displayed in red, and as you start typing this policy is validated, and if you match the policy it's made green. On the right-hand side we can see GMX. I tried to create an account yesterday for email, and I started typing a password like one of the simplest ones I could make up, like "12345678", and actually the meter made it quite green, which is surprising: that this is considered to be a strong password by GMX in 2018. Now we are trying to improve on that.

We are proposing a new password strength meter; we are planning to open-source it early next year. It's a fuzzy-logic-based approach that combines multiple indicators of password strength, so we can have policy stuff in there, like length and so on, but we can also have lists of passwords, we can have Levenshtein distance, and further combinations. It's supposed to be really lightweight so that it can be integrated in every browser and every website. But it's only an approach, and we have to make sure that it is really good, and this is where my colleague Nick is going to ask for your help.

Right, so basically there are a lot of things you can use in a password strength meter, but when we thought about ways to evaluate one we said, oh, we have a problem. You see, in science a way to evaluate a hypothesis is to do an experiment, and that's why we need you. We're launching the password hacking contest, with the goal of evaluating password strength by trying to break them, and we want to crowdsource your knowledge to help build new, better strength meters. What we did is we collected lists of human-generated passwords from people we trust, like our mothers etc., so no unfair competition there, and this contains a mix of weaker and stronger passwords. We hashed them with SHA-512 and with a common salt, to reduce the overhead of expensive machinery for more hashing. What we want from you is to work in teams or alone, use your favorite tools, do whatever you like, and try to break them. What we want at the end is the plaintext, which is the proof that the passwords were broken, and a short report saying how you did it and which passwords were easier to break and which were more difficult to break. Of course we offer some amazing prizes, like Amazon gift cards, a lot of surprise stuff like t-shirts, polo shirts and so on, I think, a W500, which is the old IBM design, so you can also use it as a brick, Nerf guns, and basically you can come to our office and take a lot of stuff that we don't need anymore. We ship freely to the whole of Germany, but we would really like to see you at our office in Darmstadt. So what you can do now is go to this address; there are instructions there, there's the first batch of hashes, and you can start hacking. Yep, thank you very much.
Thank you. Next up would be Netlink and Go.

Hello everyone, good morning. Today I want to talk to you about Netlink and Go. My name is Florian and I'm very interested in network stuff. If you take a look at the web servers around the world, this is the kind of code you will see nowadays; it's basically this kind of example Go web server, which is just showing you a simple website. And there's always one big question if you run a reliable service: how many sessions do we have, how long are the durations of the sessions, and what about the amount of traffic that is transferred on your web service? There are a couple of solutions you can use: you can blow up the code completely and make it really hard to understand. If you want to make sure that the next person you hire can also understand the business logic of your web server, keep it simple and try to move the monitoring part away. And there's one solution I can offer you.

We have the web server in user space, and the Linux kernel in kernel space, and the kernel itself has some kind of tracking of sessions, so why don't you use this kind of API? You can use it for monitoring. There is the so-called Netlink family. Netlink is a socket-based interface for user-space processes to communicate with the internal kernel API, and you can get various information about different kinds of stuff. In total, at the moment, there are 21 different subgroups that are based on the Netlink protocol, for example NETLINK_ROUTE, NETLINK_CRYPTO, where you can change the crypto settings of your kernel, and there's also NETLINK_XFRM for IPsec stuff, and a lot of other stuff. As I'm most interested in networking I concentrate on Netlink and netfilter, which is divided into three parts, basically: nflog, nfqueue and conntrack. Maybe if you've worked with iptables you've heard of them. In Go you can now basically use this binary-based protocol to directly communicate with the kernel, get information out there, the number of sessions, how long they take, how long they last, and just use this information that is already there, and you don't have to blow up your own code. It's done in a completely separate way, so you don't have to blow up your web server, and it can be done in a quite easy way. The byte stream that you get from the kernel via the socket is basically only a byte stream. In difference to most byte streams, the combination is length, type and value, not type, length and value, so this is a little bit different from most protocols you may know, but it's basically all the same: you just have to take a look at the length, check the type, and then you have the value. The value can be anything, from byte sequences to strings, numbers, integers, times, everything that the kernel can provide. And for conversion Go has a lot of features, so you don't have to take care of that. For example, if you want to monitor your application, this is a quite simple example: with iptables you send everything through an nflog group 100, then you open the socket with nflog open. In this example I set a timeout of 30 seconds, just to make sure that this will stop after 30 seconds, otherwise it will run forever, and then you can get all the nflog messages. So you have a quite good overview of what is happening on your web server, and you don't have to change your web server application. This also works for different kinds of setups: if you, for example, provide your web server in Java, or if you do something like this in PHP. So thank you for your attention. The most reliable information is in the man page, netlink(7). You can try to get a GitHub repo, or check out the Linux kernel source. If there are any questions, I'm around, just ping me. I'm Florian and I'm happy to answer questions. Thank you.
[Music] [Applause]

Okay, hello everyone, my name is Frantisek Algoldor Apfelbeck and I would like to present the Food Hacking Base project. This year it's our, I think, seventh Congress where we are around; we started with 27C3. It was very interesting for us to get involved and, during the years, basically build up a community around food and drinks. I have to say that the last Congress, 34C3, when we actually were inside, compared to 33C3, where we were on a roof of the whole hall, was much better: it was warmer and we had warm water, we had a big place where people could come and do stuff. I don't know how many of you have actually been visiting the Food Hacking Base during the years; can I just ask for hands up, who has popped in? Also, to be honest about the place, it's starting to get a bit tight at the end of the Congress, I have to say, when people finally found us, but this year it got better.

A small overview of the year which we are just now finishing: we have visited, in the spring, what you see here, and this is the poster for the next year. We have found out that when we are invited and we can help promote a project from a local host, it really makes it possible to cover the expenses of the event for us; we are a donation-based group, so what we put in, we put in; if you support us, good, if you don't, well, we have to basically cover it by ourselves. We have been at Fri3d Camp in Belgium, which was a family event where we didn't do extra crowdsourcing for a bigger kind of campaign for us, which we have found out is difficult to cover afterwards, so that's another experience. I don't know how many of you have been at EMF; it was my first one, basically, in Great Britain. It was very nice; we did a kitchen-free environment, because getting our stuff from Europe to the UK was complicated and costly in transportation, but it worked quite fine, so it's good.

Now this year we are at 35C3, which is where I am; you can find us in the hall between door 2.6 and 2.7. As you can see, this is already our first evening tasting and we are completely full, so we have been really nicely surprised with the amount of people who are showing up, and also with the dynamic of the group, because I have to say it's maybe one of the first events where we as a core group don't have to do so much and people actually do the stuff: they just come and use the place, which is nice, and we just keep an eye out that things are magically appearing which have to be used. So this is very nice. Now we'll be finishing the Congress.

I hope all goes well; we hope to end up in the plus, so we can actually fund our projects for the next year, which are again community-based and open. We would like to be at the camp, of course, coordinated with the orga. Again we will do our tasting events, workshop events, kombucha making, beef jerky making, incubators, etc. We would like to do the fermentation mobile project, which was already presented before, which is basically, you can imagine a food truck, but a plain thing which is legalized, that can go to different events where we can really do workshops and stuff, at, I would say, a higher protected level. That is a project which I would like to lead, with the support of the Food Hacking Base. Otherwise I believe we are open to invitations, so if you want to talk to us just send us an email, foodhackingbase.org, or just write to us at the Food Hacking Base; you will find us and you'll get a response eventually, sooner or later. We are interested in coming to different happenings; we have been at MRMCD, we have been at BalCCon, we have been at other events. We enjoy it; it's something we like to do and promote, and we hope that more people get involved in and support these activities, also in hackerspaces in general, because during the years, I have to say, it's my experience, it's my feeling that taking care of yourself from the point of view of food, drinks, a bit of exercise, it really helps, especially for most of you who are sitting most of the day behind a desk; try to keep a bit healthy in this sense, it really makes your life easier.

I would like to thank all of you for listening to what I have to say. Please come and visit us at the Food Hacking Base, and that's all, thank you again.
Thank you. Next up is Getaviz; I hope I pronounce that correctly, Getaviz.

Hello, I'm here to present Getaviz, which is a research project and open-source project for solving software engineering problems in three simple steps, and these steps I'm going to present to you. So, the first step is we collect a lot of data about your software project. This can be a lot of things; we use jQAssistant for that. It provides a Neo4j graph database and a lot of plugins, where you can combine and link different data sources. Currently we support five different programming languages, two version control systems and many other data sources like GitHub issues, Maven build reports and JUnit test reports. As a result we have a huge database with a lot of information about the software project, and this is the data source for finding the solution to your problem.

To help with this, we utilize the data with a lot of visualizations. Available are classical dashboards with treemaps, bar charts and all that classical stuff, and more fancy visualizations on the right side. Here, for example, you can see an analysis for anti-patterns; this is ANTLR, and we find a lot of cyclic dependencies there, for example. These visualizations are supposed to help you understand your problem, which is the last step, because as you know, understanding the problem is almost the same as having the solution: once you understand the problem, the rest is rather easy. For this we provide a complex user interface for exploring and analyzing the visualized data and getting a better understanding of the software project in general. That's the point where I usually would give you a live demo, which is not possible here, so you have to do it yourself. That's the official project URL, or just go to the bit.ly link; you'll find cases and online demos you can use in the browser. Yeah, those are the three steps. Give it a try if you are working with software in some way.

But there's a fourth step: you can contribute to it. Currently it's a small project with an academic background, but we hope to build an open-source community around it, so you can contribute in any programming language, because we are going to extend it to support more data sources with jQAssistant, or more visualizations, and a better user interface for Getaviz. As in 2018, we are going to apply for Google Summer of Code next year, so if you are a student there's a chance you can even get paid for this. Yeah, thank you.

Next up is sigrok.
Okay, hello everyone, my name is Ervin and I would like to introduce you to the sigrok project. As you can see on the table here, we try to support all kinds of devices, especially everything test-and-measurement related. You can see multimeters, oscilloscopes, logic analyzers, all kinds of stuff. We currently support over 200 devices, and the question is, how do we do that?

If you look at the software stack of our project, you can see that the core component is libsigrok. It is a library that encapsulates all the drivers for all the devices we support and provides a unified API for all of them, so you can access them having only one API to deal with and get all the data from them. Below that you see libusb, libserialport, libftdi1, libgpib and so on; these are the libraries that we need to actually access the hardware. On top you have the libsigrok clients; that's the software that actually tries to communicate with your devices and display the data or process it in some way. We will see in a minute what actually is going on there. Next to it you see libsigrokdecode, a library that is kind of on the side of libsigrok; it's providing protocol decoders, which I will also talk about in a minute. It's using Python.

The first client I would like to talk about is the obligatory command-line interface. It's usable for acquiring data, converting data and decoding data; essentially it's a very scriptable tool, so you can do some kind of test automation or whatever you like to do with it.

Another client we have is sigrok-meter. It is tailored for the use of multimeters, so you can have all kinds of multimeters and measure the data, data-log it, whatever you want to do with it. It is quite feature-rich already but currently needs a maintainer, so if you feel interested please come to us and talk to us.

Another client, which is a relatively recent addition, is SmuView. It's a program that tries to emulate a source measurement unit using a power supply and an electronic load. I haven't used it personally, but I have heard it's quite good, so please give it a try.

An even more recent addition is the sigrok mini server. It allows you to access all your devices supported through libsigrok using a JSON interface; for example, here you can see Node-RED and an interface to provide access to a power supply and an electronic load. Finally we have PulseView, which is our most feature-rich and also the most popular client that we have. It is available, for example, for Linux, Windows, OS X and Android actually, so it's quite flexible in what you do with it. Here you can see some standard setup: you have two signals, SCL and SDA, that have been acquired through some logic analyzer, and we have added a protocol decoder for I²C to actually visualize the data in some kind of meaningful way. Okay, now this is pretty standard; you can do that with any oscilloscope, really, I understand that, but what we do is actually go one step further and allow you to have protocol decoders written in Python that you can use to make even more sense of the data that you have. In this example we have attached a DS1307 real-time clock, so you can actually see what the data means to the chip and what the data means to the other chips, what comes in and out of the chip on the bus. This is pretty cool, because essentially it allows you to take any oscilloscope that you have on your bench, if we have a driver for it, or any logic analyzer that you have, and have all kinds of protocols that it doesn't usually support; if we have a driver for it, we provide you with all the protocol decoders that we already have. [Music] Also what I would like to point out is that there's the Cypress FX2 development board available for less than ten dollars, or ten euros here in Europe, which you can use in combination with sigrok to actually have a 10 euro logic analyzer which is quite feature-rich, and since we currently have over 100 protocols available, you suddenly have all kinds of utilities available on your workbench for only 10 euros. So that's quite popular, and also the reason why the sigrok project is very popular in these kinds of circles.

I would like to give you some examples of what exactly we have. Also, there's ARM ITM as a decoder. Oh, I have to speed up, okay, which you can use to trace and have code; this is USB, also with pcap output. And what I want you to take away is that we try to be a unicorn: we have lots of decoders and we can give you lots of opportunities. If you want to contact us, come to our assembly, or come to Twitter or Mastodon, or just check out our channel on IRC. Thank you very much. [Applause]
[Music] [Applause]
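The Python protocol decoders the sigrok talk above describes, shown as an added standalone example: this is not code from the talk or from the sigrok project and does not use libsigrokdecode's decoder API. It works directly on a list of (SCL, SDA) logic samples that the block constructs itself (a synthetic capture of one I²C transaction, with 0x68 being the DS1307's 7-bit address), so it runs offline. The decoder applies the two rules that make I²C decodable from raw samples: SDA may only change while SCL is high for START (falling) and STOP (rising), and data bits are sampled on the rising edge of SCL, nine bits per frame (eight data bits plus ACK/NACK). This is the same decoding step you would use to check what a device actually puts on its bus, for instance that configuration writes or key material are not transferred in the clear.

```python
"""Standalone bit-level I2C decoder (added example, not sigrok code).

Works on a list of (SCL, SDA) logic-level samples, as a logic analyzer
would capture them, rather than on libsigrokdecode's API."""

from typing import List, Tuple

Sample = Tuple[int, int]  # (SCL, SDA) logic levels, 1 = high


def build_i2c_samples(address: int, write: bool, data: List[int],
                      ack_last: bool = True) -> List[Sample]:
    """Synthesise a capture of one I2C transaction (constructed test data,
    not a real capture): START, 7-bit address + R/W bit, each byte followed
    by an ACK bit (SDA low) or, for the last byte if ack_last is False, a
    NACK bit (SDA high), then STOP."""
    s: List[Sample] = [(1, 1), (1, 1)]          # idle: both lines high
    s.append((1, 0))                             # START: SDA falls while SCL high
    s.append((0, 0))                             # master pulls SCL low

    def put_byte(byte: int, ack: bool) -> None:
        for i in range(7, -1, -1):               # MSB first
            b = (byte >> i) & 1
            s.extend([(0, b), (1, b), (0, b)])   # set SDA while low, clock high, low
        a = 0 if ack else 1                      # ACK = receiver pulls SDA low
        s.extend([(0, a), (1, a), (0, a)])

    frames = [(address << 1) | (0 if write else 1)] + list(data)
    for n, byte in enumerate(frames):
        put_byte(byte, ack=(ack_last or n < len(frames) - 1))
    s.extend([(0, 0), (1, 0), (1, 1)])           # STOP: SDA rises while SCL high
    return s


def decode_i2c(samples: List[Sample]) -> List[tuple]:
    """Decode START/STOP conditions, the address byte and data bytes.

    Returns a list of events: ("START",), ("ADDRESS", addr7, "R"|"W", acked),
    ("DATA", value, acked) and ("STOP",)."""
    events: List[tuple] = []
    bits: List[int] = []
    in_frame = False
    first_byte = True
    prev_scl, prev_sda = samples[0]
    for scl, sda in samples[1:]:
        if scl and prev_scl:                     # SCL steady high: SDA edge = START/STOP
            if prev_sda and not sda:
                events.append(("START",))
                bits, in_frame, first_byte = [], True, True
            elif sda and not prev_sda:
                events.append(("STOP",))
                bits, in_frame = [], False       # drop the stray bit clocked by STOP
        elif scl and not prev_scl and in_frame:  # SCL rising edge: sample SDA
            bits.append(sda)
            if len(bits) == 9:                   # 8 data bits + ACK/NACK
                value = 0
                for b in bits[:8]:
                    value = (value << 1) | b
                ack = bits[8] == 0
                if first_byte:
                    rw = "W" if value & 1 == 0 else "R"
                    events.append(("ADDRESS", value >> 1, rw, ack))
                    first_byte = False
                else:
                    events.append(("DATA", value, ack))
                bits = []
        prev_scl, prev_sda = scl, sda
    return events


if __name__ == "__main__":
    # Constructed transaction: write register pointer 0x00 and one data byte
    # to a DS1307 (7-bit address 0x68).
    capture = build_i2c_samples(0x68, write=True, data=[0x00, 0x5A])
    for ev in decode_i2c(capture):
        print(ev)
```

The decoder deliberately ignores SDA while SCL is low (where changes are legal) and never counts the extra clock edge that precedes STOP as data; a real decoder on a noisy capture would add glitch filtering and repeated-START handling on top of this skeleton.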
and then next up is that Clark via
London on new, it's going to be a German talk, so you might want to check out the translation page on c3lingo.org for translated streams. Yeah, good morning.
- were initializing massive auf Deutsch my name is either fighter ich bin meter vital and relevant feminist powerful are
confidential Spartanburg on each axle inves inves some tea Martin Schultz yeah I wrote realized he not Vida mala Madonna loser software I know hardware ana website or Abbas of Emma the hawkish Dawson scientists thoughts it's a mad at me but Rock'em trims intimate relation in charmville I was rivets fair and good Nora and Asian homogeneity phlogiston is Dustin we were hopin out noon nine how a fish is a snitched allowed then coats cos act that an owner give each second order the I'm Villagomez nuts are sue salmon is - after that which was gone for me ideas give her one solace each film flashy hurt you should clean your children on the air nation space and do middle median gained as Alice own fook-la s kept readers often vote yeah offers to in current name leash Yuen Tai Shan Shan basis of the Asia hardware Vasia Zell some dark avatar common hopped hunt yeah cooking pasta machine all youngest son by feel happen via inflicts adoptions Isha height in articles find rice each date Samajwadi fresh fruits long expedition as a whole fish Eastern translationally sawdust first we offer shoeless wrongful and as our siege to the herder on VR afflicts a privacy by design and privacy by default the agency shows article in Spanish they are insured scone for nog by felon feel joy sir fresh juices entry Hammond baton rothenburg disaster boo scared in deutschland and I know film are forgiven inform Pavan thus King Dharam das thought on antonyms and users and a user and a banana swept instace de Tottenham clarify that Ansari pass water power charge me she had seen the home disposes and relative clients postcode Pokemon Z Z a cooperative an ontology flyness owner named by the hunter named Candace tonality of toy avian in schism to Invalides give her office to Sir Francis million cost an order via port centers worldwide in Java zones axis yeah unfortunately that and take out Spanish leagues for shipping order of note box Tochigi in turn warehouse so adverse vassman an encounter order in 
our context Muslims in our I'm Shana via regular message to millions into that email for shaked without problem McLean taking on a miracle motivator gather for neutered and literally Facebook custom audiences is of now a undermine relations veto HST by ovation colleague harm darshan or Tyler for garage doors go for yeah that's common tool you can't naturally over over-regulate opticians of those cattle house reason the sift of a new origin as well finish the enlightened II system it nice at all our skin you couldn't about off period by the dividing of six period ionization by their officers Authority for in here shallots establishes order for infantry poor in fact in Johnston fans volition women event daddy tartan summit order the oxy spyridon Vinod alpha enterprising to meet super machine or square links missed hounds now that insured's off sister Harada bundesland on the Infiniti at us we exact who buscetta Candess again don't deliver the muslin austerity she hadn't as when we use our hands ever oatmeal a Ashenden can be a charity Shri Hanuman via the snitched songs via Mahon above any and I never marked missing vhat sphere that's come about signed us via our Spartan welcome back just an unbelievable or - lacy culture and up game when dot defiantly sure list which dish is free sources are exactly children Boston Massacre Fulton hoped at least we know retired Snellen Indian officers burdens it's insertion site not eval who to Technica Dita's alpha stain as a missionary or isn't the technique teams and mice insulative Klein Byzantine Florida in Stuttgart in Baden-Württemberg Abba and Watson's and alloy to the pristine vicita and shaked as often and TCP dump or John's to us it's just only in Luton and big live you know exactly shield on moot least fitted a child's name in current us of an aluminum now as when he had some actual mission on a do it software energies yet samba Antony man our budget who exact escape my other hope nish was here pursuit on - chef Sevan a 
shellfish duster snitch Nogales entire voyage a snitch item it's hard country of Ananias whistleblower Selena of 61 come on inflation 9 Garmin kleiner tip Merkley student ina contact mukesh kite intelisano efficient beard and off look fun by mishima Allison or potent class Austin wish we had no taranga yeah dosmo it's called post mortem flag whiterabbott keeps non-reserved organization in home aimed right such an absolute rescission transition doesn't mean alloy to divest from tama Dartmouth's at sale in the 50m annuitant blurtin Ratish outshine have this animal that owned - ah mama optin oh when my fans Endora Veniamin embrasure resort on problem adventure or any such action dry season
or member i harmed [Applause] [Music]
And we have one of the usual suspects, BorgBackup.

So hi, I just wanted to give a short update about BorgBackup, and on the first few slides I have some overview for the people who don't know it yet. My name is Thomas, and let's see. So, quickly, the features of BorgBackup: it's a backup tool and you usually use it on the command line, so it has a CLI interface like rsync, like git or whatever, but recently there were also some people working on the GUI, so if you have non-nerdy friends that rather click around then you can also use it now. We have quite good architecture and platform and file system support, and the main features are: we are doing deduplication, we are doing compression, authentication and encryption. And the usual way you use it, you read the data from a locally mounted file system and then you store it to another local file system, or you can also store it to a remote server over SSH, and the one borg will talk to another borg on the remote side. A nice feature is you can FUSE-mount your repositories, your backup archives. And OK, if you do not have a remote server it's no big problem, there are some service providers meanwhile that offer such services, like for example rsync.net or Hetzner, and a new one is BorgBase.com; it has a quite nice web interface and the BorgBase guy is also programming this nice GUI client. Also if you don't want to rent a server you can just search for another node and you can do mutual backups; they are encrypted, so you don't have a big trust issue because the other guy won't be able to look into your backup. Another way to use it, if you rather prefer to have something in the cloud, maybe additionally to your local repository: you can first create a local repository and then push this complete repository to the cloud, for example using rclone, and of course if you have your own server you can just use SSH. The GUI I mentioned is called Vorta and it's implemented in Python and Qt; currently it's tested on Linux and on macOS, but it might be even possible in the future maybe to adapt it to Windows, and as I said you can show it to your friends.

Another tool is Borgmatic, it's basically a configuration layer on top of Borg, so if you prefer a config file, YAML style, you can use this tool. And there are lots of other tools and scripts and integrations, and we have a special community repository, and if you search for additional tools you can just look there. In general it's a community project, so if you are coding in Python or C or Cython, join us please, currently we are a bit low on developers. But you can also help if you can't code, for example look after the docs or just test it; we have a good test suite and use continuous integration, and for platform testing we use Vagrant. Also we need supporters for different platforms, so if you for example use NetBSD or something, also come to us. The current status is there is the old stable release out since quite long, I think you can find it in about every distribution, and the current release is 1.1, so this is the newest stuff. And the next release, maybe 2019, will mostly have code cleanups, refactorings and some internal stuff, and also a new repository compaction handling; it will be separate, not automatic like now. And for bigger changes, at the bottom, for the helium milestone we need more people, because the crypto changes will be a lot of work and also the multi-threading changes are a lot of work. We also need community supporters, so for example if you can help people because you use borg yourself, you can also help and look after GitHub and the mailing list. A security review would be also good; we have some known issues, but also somebody could look over the code. And we also need more sponsors and donations, because we do bounties using Bountysource. So I'm here at the Congress, find me at paes164.com of the slides, visit the schedule and so on.

Alright, next up is to exam. [Music] That's why I prefer PDFs, so if you want to give a talk here you know you do best with PDF: it's portable, it's a document format. OK, let's go. How's the TF place is a PDF
laughing - attention attention
what accounts could sort of expression they actually would see a gruesome swiftrage improvement yet if we hadn't that's what all announcements a goon vlog for this one there's no plea for Android on through early informatics better shouldn't under t1000 Princeton Haakon VII in Towson and that's why we'll move along this is in the Nets entry on of crops and houses bikini I'm for my mom you have to be on their harm tried house in ten months of sex and rice he's title of carbon to Korean this is the other ones first year in the thousands even the 1500 yen and are and that's where it's good off comes genuine factor to Corey Jensen that wouldn't quite correct through our bond diseases
yeah I know that 50,000 dine severe 20 have no issue in listen Julian Salam pop years is basically wrong in ovens one see thousands I can pop you does locked are on the sphere I'm from good service or compact eros template with Lamar in Woodson now for Jesus yeah it's fine 5000 Christian multiple choice quizzes opt was why the rx100 Isaac kind of comes in when via 13,000 pop co-signed on so the damage here at acuña Farook severe and I ever Abba insights white housing food Sanjana migrants kinda close ones who seem Norman's to mix em you ever seen the on garden with queer Coates individual area codes yacon soup soy de Musique odeon by the Chiron are often close women are often hardened yes Ken because one dollar sign on the fasten dbvar 20 time on changing student on the close one online so ions itself you go being the synthesis guns
can oven juniors their conditions the night import photos will turn uncool no actually undress yet religion of consequence relying in most exciting guitar not this soon the art insight on here in the 2010 exam room that's this heart set on getting that tonight on between the harmone from Korea codes of data matrix codes give accidental failure booster and flexibilities in your template no more complete no implemented in our test the Dalton Bank no implement years he had some Postgres elements into enough toy and documenting scanner how oft to prevent in scanner VN I agree I mean item talk we at the metonic is the matter of Isaac install but incredibly software it was a Holocaust move it inside inside boom camera outlying platform through the online ionization site ended food housing section and we can be an web interface which was move over to some touch from sniffed unguarded the hardened unfiltered Hans it's a nice romantic harp finger closer concept integral innocently it has an indifferent fully Infiniti missus new concept for besonders compact a mathematic crew for when the stood small weddings Christian palatable choice beautiful men special my robots 5,000 zips and receive my height closer in to see me as transit ranch dollar when it was esteem up convicted government seemed to be destined Thunder is taking forums over this worked side ended 4,000 be shaved
ignorant self meter integral C 1 1 4 GB time through fluent in to mix em the hormones even being the problematic MacLean Scanlon Agnes kinda front and implemented in the web interface is its side unfunded CRS and 6.1 enough transition over a time when all the modules included soon with the NZ splat form implemented our Ganesha temptation our Piper chef Texas tournament iPad app so for DD time for a crew from Khufu in V understood snow Eddings our friend equals new phone on the image to owns an artist templates event on to our hotel mama we done lighting talk mean the SEMA and Richard Constituent Assembly for my
comment on this conundrum smartly alibi come on sign from one base ghost housing on the inspector in triggered flash guns or monument for notional soon
[Applause] [Music] [Applause]
All right, next up is IRMA.

I reveal my attributes. There's a... if you click the left... oh, I'm already supposed to click the link? OK, let's see what happens. You have been owned? No? OK, that's a PDF, right? Yes, appear you can also just... OK, you can put it on full. OK, this works. OK, I want to introduce IRMA to you. It's an open-source project in which you can privacy-friendly, securely and decentrally provide authentication and signing. So for the user, the most central thing is the app that you see on the left side, it's for iOS and Android, and the project is intended to authenticate and sign statements about yourself with attributes you collect on your own mobile phone. So for example you see a login to our demo application; there are also in the Netherlands a few attributes from governments which you can collect, and you can then later prove that information to others in a way that they can be sure that the information is correct, but also that those people don't learn anything about your interactions online. That's a key difference from how authentication is done nowadays, for example when you click a "log in with Google" or a "log in with Facebook" link. At this moment you have a user, an identity provider, and you want to log in on a web store, for example. But at the moment you first go to the web store that has a page that says "I want to log in with Google", so you go to the identity provider, to Google, and then the identity provider reveals the login information to the web store, so Google now knows what you're doing. And that probably, maybe it isn't a problem if you want to order something, but if you want to log in to your doctor's office for example, you don't want all those companies collecting that information. So what we want to provide as a different solution is that you collect all the statements that allow you to log in somewhere on your mobile phone: so you first go to an identity provider, you collect those statements, then you reveal them to the web store without communicating with the identity provider anymore, and you can do that again and again; you don't need to contact that identity provider again to do another login or do another authentication.

So the security guarantees we have are that the attributes, the information in the app, are authentic, they're signed with a digital signature, and, well, you can prove ownership: you need to prove knowledge of the IRMA PIN, so you need to fill in a PIN code to say you have knowledge of that, and there's a secret key stored on your mobile phone that also says that you own those attributes, so you have a two-factor authentication. And the disclosures you do are also, in another way, unlinkable: we use an attribute-based credential scheme called Idemix which, if you do two disclosures, makes it unlinkable, so it's a multi-show unlinkable credential scheme. And that makes that, as long as you have attributes that don't reveal anything about yourself, for example if there's an attribute that says I'm over 18 or I'm a German citizen, if you reveal those attributes to someone they can see that you're the same person two times. So the attributes are not linkable as long as the attributes themselves are not identifiable. And there's kind of automatic data minimization, because you only reveal the attributes that the one you're proving them to really needs to see, so you only show relevant attributes; you need to give your consent if you want to hand them over.

So a typical session goes: you go to the website of the web store, here you scan a QR code or you click on a link, the IRMA app then opens and says "hey, this web store wants to know this information of you", you then either consent or you don't, and then go ahead and prove those attributes without involving anyone except you and the one on the other side, the web store in this case. We also do signatures, so since the 90s it's been a problem to give people access to proper signatures: you have to create a public key infrastructure, and people have to collect their own signature, have to manage their private keys. We also with this have attribute-based signatures, so you collect those attributes, for example your government number, BSN in Dutch, and you can sign any message you want. So for example here I consent to share data with my doctor; you can sign that statement with an attribute, and then we have proof that you have retrieved that attribute from the government in this case. So in the Netherlands we do this with DigiD: you log in with DigiD and then you collect your information. Anyone can do this, it's decentral. There is some more information about this; we're an open-source project, you can see on our GitHub, the code is written in Go, we're transitioning for the server part to Go as well, it's a Java server at this moment. You can see some more information; if you want to join a Slack in which we communicate about this, you can ask for an invite, and, well, you can download the app, please do so.
[Applause] [Music]
last talk before the break it's going to be in German punch a home via triathlon
wikibooks Hospital Tom yeah hello Evelyn
uma my tie latest internet source talking on understand Medina platform
from Vicki box prepared and as I get nurse had in the here to spoil surance the in hook form following the Vicki box dead site in henan the speak
epoch capacity of the item is matter finished freaks can dust superhuman okay doffing path what miss he is
inmates on this new part is designed for known some design at a steel design factors months to then the hopeful mathematic first English we were playing on that sofa vent and behind abetted the median builder hum dissemination satellite or on leash dog of statement sauce definite zones box known survivor on demonology patently of video sign this was Vicki bookplates go hurts a dining outside so CLO does now under the lien platform Yoganathan and after avid motive multimedia ger abated on women's it gives initially in high
totally abuse on and off government is a layer of fire for football sue Martin on the organizers own sports as a transparent undemocratic to harden whom Sanitas cancer that gave into next MIDI
notes at Sian raised so hereafter not house and notes of Isaiah low Antoinette 7000 by matter finished freaks and afters both water intrusion missus or 10,000 my haven't a girl on the SPO yet
Cielo insisting worst English invention laws had such a Brandon let's jnana-yoga doctrine for it??d vision it's also denotes Akopian tres Nava often barely known moons definite man exhibition stand order you know voluminous wikibook our skilled work time commoditized fortune we have alternative it through convincing then advisers Artois and lyrically I shuffle the spoken is often the big vertical movement into finding the Froggers nor the album Hamid affiliates why haven't evolved our manager in 50 Viki articulate respond or contraband and boo-yeah cancer emphasis need some iron
Hamby as fu the Manchus markup for officer Rhoads and Aladdin's convey this being nice and far corner hyung's to leap and off event invite us for years target and as also internal too much plain PDF for in via definition one order of media nanostation azimuth EMF it's wiser some and on the gambia of no fighter dependencies nationally article in height gives it Madison warden pumpkin diameter thus is the angle he book and Allah undergone pointers into dependencies this is greener dr. maschwitz in tempe comedian that Hein also hopes to his videos on beta this gay but only the acres and Tyler was articulately and Alan are chicken we defer Bennett van won't indecent highest Viet Minh Tyler phone in other words it man the article visi has been quite exfoliant recent convert here at via in an insertion format and she is an expert yet we are not done to move to some graffiti and that's cancer
this team is an app it's the same as of make passiert various version or asteroids off of Nami tansy dozen homes Oh hours we have on the wiki platform I am pastor that's what net switch to the person that's all anesthesia export env don DET his nautical owned Bahama of Nova and literary owns an auto on automata chinoiserie game can thank Rosco nervous cancer and often browser law firm doesn't sue Kennish Wonderland's Biden platform the decision better for I'll owned than at which offers of ang bayan thus being is the seal be inside informative finished freaks in iterative episode zones were few and de metrio compatible is of the ambassador's with and in Denton Plymouth en current advisor export August and two-finger and must be evokes V entire shoe industry needs to feel portholes and under harm you know
Vania mittens on contact calm world would have a here under a human heart wizard of the endless yet unfortunate for divine dad Vikram that platform when take insurance industry owns for I'm escaped here the email addresses phone zero eigen mile when year or grad a few days in Phyllis's export project interfered Oda own was in the nephron recent site owned and the Elantra society owns Kentuckian and Johnston Ghana or here of M congressman Finnegan's Mountains AHA fish and their ideas and assembly or roof 24 Han yang
Next up is openage, and we already have the slides on the screen, so we can just go ahead.

Hi everyone, we're a small part of the openage development team. We are doing a free implementation of Age of Empires 2. I'm Jonas and I'm Michael. So what we are doing: we have been developing a free engine clone for Age of Empires 2: The Conquerors expansion. We started in 2013 and since then we have been doing it. Our game requires the original game assets, so you have to own a copy of the original game, but we have been writing a completely new engine with unlimited possibilities for modding and so on; the original game engine is quite limited, starting with the fact that it only runs on Windows. Here's a short overview of the technology which we are using: the engine core is written in C++, but there is an extensive interface to core, most of the engine features, from Python 3. We are using Cython as glue, and CMake, OpenGL or Vulkan isn't even mentioned here, SDL, Qt, and we have our own data description language nyan, but more on that later.

So this is what it's currently looking like, and in the last year we have had three main advancements: VTech wrote a new renderer, then we've got a new world simulation engine which is completely event-driven, which was done by tomato, and we have a new modding API which was designed by heinessen. All of those advancements are mostly in the background, so there is little stuff which is actually visible which has changed in the last year, but now we are ready to integrate everything together and basically finish the game. So the new central component of the engine is entity-component based, and this is the game entity which has abilities; abilities are now in green, and bonuses... bonuses are things like the unit is standing on a hill and therefore has more attack damage, whereas the abilities are permanent things an entity can do, for example exist, move, die, attack, whatever. In practice, in our own description language, this in a simplified way is a villager that just exists with 25 HP and can move and die; the definitions of move, die, attack are not here now, but with that way it's possible that any entity can do everything, and so trees for example can train new units, or animals can convert villagers, or, well, relics can even start to chop wood if you like. So this API overview here is the whole thing that is able to simulate Age of Empires 2; the green boxes are again all the abilities. We have new things like actual inventory management, so the monk transporting a relic is implemented properly and not as a new unit that is a combination of the relic and the monk, for example, and our system supports nonlinear tech trees, so you have kind of arbitrary conditions chained together for advancements and discoveries for your technologies.

And this is implemented the following way: so a technology is again just an entity, and the technology has the most important parameter, the updates, all at the bottom, which is a set of patches. Patches are a special feature of our nyan language that allow to change values on the fly in the database. So in this case the update is on line 9, which is the "more HP" patch that updates villager life by adding 15 new health points, so whenever this technology is activated then the database is updated. With the same trick we can do things like attack and defense, so that for example ranged attacks and ranged armor are matched up and produce the correct amount of damage, and we can do very complicated things like transforming the trebuchet into a packed and unpacked one. And the whole thing is fed into the event engine, as I said, which basically is a history of everything in the game in the past and the future, and what the client only does is play back that view, so it's just a snapshot. So next is funny new things like data conversion, and that was it already. Join us and help us developing.
[Applause] [Music] Thank you. Next up is crypto payments in hyperinflation countries and beyond. [Music]

Hello everyone, thanks for being here. My name is Felix, I'm from the Dash Embassy Thailand, and for the last couple of months we were very busy basically trying to bring cryptocurrencies from a high-level talk to street-level reality, and it's really a challenge, and I want to share some experiences with you, also experiences the other teams had, on the example of Dash. So cryptocurrencies basically have been the most famous use case since we talked about blockchain, since we talked about Bitcoin, but still, almost 10 years later, nobody basically sees any option to pay with cryptocurrencies in the real world, and it's really a challenge to do that right. We were always talking about the freedom of the banking system; at the same time so many cryptocurrencies are there at the moment, and I just read a new study saying more than 60% of all these tokens are basically cryptocurrencies compared to any other utility token or something. So for the example of Dash you can see quite a big increase of acceptances worldwide: we started with 500 this year and got up to 4500. If you look at Bitcoin numbers and all other currencies it's not that much higher actually, or even worse; it's very hard to get good statistics, because there are some maps where you can register your company if you accept bitcoins or whatever other currency, but it's not really that you can go anywhere and get a proper number of how many cryptocurrency acceptances there are in the world so far. For Dash especially, Venezuela turned out to be use case number one. If you look at it, it makes total sense: Venezuela has an inflation rate of 1.4 million percent for this year, so people are really struggling; if you go in the morning to buy some eggs you need some money, if you go in the evening you need quite much more money. So Dash managed to get a really growing and healthy ecosystem in Venezuela, so that we can basically say if you have a hyperinflation country, cryptocurrency is a fabulous use case, right? And there's not only Venezuela, we have Turkey, we have some countries in Africa, there's more and more countries coming up, but this totally makes sense. But of course for me, I mean from a business perspective, it would be very sad to say we focus only on the hyperinflation countries; we want to go beyond that, right? Of course you have to have everything in place, you have to have the regulators, you have to have taxes, you have to pay your taxes, you have to do everything. And if you talk to merchants, and that's especially the point, you will find out they have many questions, and the most important thing: they don't really care for cryptocurrencies. What they care for is a simple solution which fits into their business process, and they don't want to have any investment, right, for additional software, for additional hardware, for additional stuff, training. So that's why we go to the merchants, we try to really understand what they want and how we can help them setting up a system, and afterwards also giving support to them and answering questions, right, because if you start with crypto payments and you really go to the street level there will be more and more things and questions popping up, from taxes to regulations to how to integrate it into POS systems, so there's many, many things and it's ongoing questions, right. One other thing is we started with the low-hanging fruits for us in Thailand, going to every single Bitcoin shop there, right, who claims to accept Bitcoin, has a sticker on the door, just realizing everybody just forgot it, right? So we went into these stores and people look at us, say "what?", so they don't even know what Bitcoin was, right, because the staff in there, they forgot it already a long time ago. So that's why I say it's really important to give them ongoing support and to help them basically solve a problem, and the biggest problem they have is they want to make business, right, this is what they really care for: they want to have visibility, they want to sell their products, they want to get more customers, and at the end of the day they want to get happy customers, because happy customers will come back to their stores, right? So that's why our approach, for the example of Thailand, and also Venezuela is going in that direction, is growing healthy ecosystems. That means you have to have the whole set of things together. One thing is the exchanges: you have to get your money back, you have to manage a cash flow as a merchant, right, so basically you have to choose, do I want to keep my cryptocurrency for speculative reasons or will I sell it instantly when I get it, right? You have to have the payment providers, you have to, of course, pay your taxes at the end of the day. That's just the one side, and the other side is the customers coming in, right, you need a community coming and paying with that stuff; only hodling is really not paying with it, right, so you need people who come in stores, help and all that. So at the end of the day it all boils down to sustainable ecosystems.

Thank you, I'm here for questions.

Thank you.
next up is Park on
Good morning, I'm Jelena from the BalCCon orga
team. I'm here to present our conference,
a small hacking event that's happening in Serbia, in Novi Sad. Next year it will be the seventh time that we organize this event; it's the Balkan Computer Congress. The dates have already been set: it will be the second week in September, 13, 14, 15 September, Novi Sad, so remember it. What exactly is BalCCon? We got the idea 10 years ago at CCC to start organizing a small conference in Serbia, because there are a lot of students in Novi Sad, there's a big technical university, and we wanted to share with them
this experience that we have here, and we want to introduce the young people from the Balkan region to the hacking culture. So that's the reason why we started organizing this, and now it's becoming an annual event. We are doing it, as we say, just for fun, because we have a lot of fun there. So I invite you to join us next year if you weren't there yet. These are the important dates; the place is Novi Sad, Serbia; the CFP will be open from February or so, and the complete list of speakers will be out somewhere around the end of July. And yes, we also have the CTF that we
are organizing every year, so if you are not able to come you can also join by playing the CTF and have fun with us. And who was with us this year? We
got some also famous speakers: Travis Goodspeed was at BalCCon a couple of times, Virus from us, Mitch Altman was there also with soldering, and then Rob from us; so there is a long list. So if you are interested in what we did in previous years you can also check our website; there is a complete archive with the videos that you can watch, so that you know how it looks and what's
important: yes, we have a lot of fun there. We have, let's say, a tradition: on the second day in the evening we have rakija tasting. So if you don't know what rakija is and want to try different sorts of rakija, you're welcome to come. Also, if you want to try it here, at our BalCCon assembly you can come and try it, just in advance, to be prepared for what you can expect. So I'm just
informing you. So why Novi Sad? It's our hometown, so we started organizing there, but now Novi Sad is on the Lonely Planet list, I think somewhere in the top 10 places to visit next year. So it's a nice city, cheap, the food is very good, incredible; you can ask other people who already visited us how the food is and how cheap the accommodation is. And the travel is very easy, because it's only one hour from Belgrade airport, so it's very easy, or three hours from Budapest, so you can choose. If
you have questions about what we are doing and why we are doing it, you can also send us an email; we respond very quickly. You can also visit our website or you can follow us on Twitter, and also here at the BalCCon assembly, near the cows mess hall, you can find us; we have some stickers, some cool stickers this year, and also some flyers, so you can come or you can just talk to us to see what we have. Also, we try to bring the hacking community there to build a community; we also have a hackerspace area, so if you are from some hackerspace you can organize, like, um, some assembly. So it will be nice to join us, because we also have some blinking stuff and we want to bring more and more to make it more shiny. So remember, next September 13, 14, 15, please come join us to have a lot of fun. Thank you. Thank you. Now next up is
exploiting WPS PBC on Windows 10. All right, hi guys, my name is George, I'm the author of Wifiphisher, an open source rogue access point framework.
So today we're going to talk about exploiting WPS PBC on Windows 10. This is a Wi-Fi association attack. How many of you know the KARMA attack? Please raise your hands. OK, I see some hands. So KARMA is a very popular association technique; what it basically does is get a man-in-the-middle position for the attacker, but there are others. In this talk we're going to talk about one attack, exploiting WPS PBC, that actually achieves the same result: man in the middle over Wi-Fi. So WPS PBC, I
guess most of you already know it; it's a feature that allows you to associate a device with an access point very easily, just by pushing a button on the access point side and then another button on the device side. The order doesn't matter: you can push the device button first and then push the button on the access point later, but you need to do that within 120 seconds. There are no other authentication mechanisms in place. This is how WPS PBC
works. So you see, this is the station; it could be a laptop, it could be a mobile device. You push a virtual button there, then within 120 seconds you need to push the button on the access point, and then the association happens, and the station is now connected to the access point. What's the problem here? The problem is that someone can push the button faster than the operator of the access point, right? So they will achieve a man-in-the-middle position, because the station will connect to the rogue access point instead. So this is a way to achieve a man-in-the-middle attack over WPS PBC. In order for this to happen, of course, the victim needs to push the virtual button on his station. The thing is that even if you don't use WPS PBC actively, you are still vulnerable on Windows 10, and let's see why this happens. The problem with Windows 10 is that if you select a WPS network, then Windows 10 automatically pushes the WPS PBC virtual button for you, even if you are not actively using it; you are, eventually. So
this is actually a usability-over-security feature that Microsoft introduced on top of another usability-over-security feature, which is WPS PBC. How can we exploit this?
First I will show four steps. So the first step is, let's say that the victim is connected to a WPA/WPA2 network. We do nothing here; the victim is happy. Of course the victim uses a Windows 10 laptop. So what we're going to do first is disconnect the victim from the network. We can do that with common methods: we can craft deauthentication frames, for example, or we can leverage jamming techniques; there are many ways to do that. So we want to disconnect the victim from the network it is currently connected to. As soon
as we do that, we expect the victim to manually click on the network to re-establish the lost connection, but at the same time we advertise the same network, same SSID, with a random password if it's a WPA2 network, but this time we also offer WPS PBC capabilities. So can you guess what will happen? The victim will click on the network, and the virtual WPS button will get pushed from his side. So what we need to do now is simply press the button from our side as well, and the victim will eventually connect to our rogue access point. The victim will probably have the impression of the auto-connect feature. Do you know the auto-connect feature? It's the feature where you go back to work and you see that your device is connected automatically to the network, even if you had to do it, like, a week ago. This is the auto-connect feature, so it will give the victim the impression that it connected because of this feature. So what is fun about this is that the
network can be closed; it will have the same SSID, it will be WPA2 protected, you will just click on the network that you want to connect to, but still you will connect to a different one. And again, the problem here is that Microsoft has, let's say, tied clicking on a network to pushing the WPS PBC button on the client side. This hasn't been disclosed before; it's the first time that I'm disclosing this, and you can do this attack by using the latest version of Wifiphisher. We're going to put out an update soon, so you will be able to do this attack for your penetration testing. Thank you very much.
Thank you.
[Applause] Now next up is Human Connection, a free and open source social network for active citizenship.
OK, hello everyone, my name is Robert, I am one of the developers of Human
Connection, which is a free and open-source social network for active citizenship. Now I want to highlight a
problem. Let's say you are a user of a social network, for example Facebook, Twitter, YouTube, and you use the social network as a primary source of information. Then you are not in control of your newsfeed anymore. Why? Facebook, YouTube are private companies, the source code is closed source, and the algorithm determines what information you will see, what content you see, and if they run ads, also what ads you see. And that's why I
demand that social networks should be free and open-source software. The definition of free software: the users control the program. Non-free software is when the program controls the user; that is the case for Facebook, YouTube and Twitter. Therefore we are developing a
free and open-source social network which is funded by donations, and we are
almost sustainable: we need 30k per month for a team of 10 people, and I'm showing you this chart because I want to show that this works, this market, let's say, for donation-funded software. Also I want to highlight that it is very important that free software is funded by donations. Why? Facebook and YouTube have their advertising customers, and they will probably implement features that are not in the interest of the users, right? Free software is community driven, and since the users control the program, features should always be in line with the interests of the user. So Facebook will show you ads; that's definitely not in your interest. Facebook will collect your data; that's also not in your interest. Whereas free software will not do that. Human Connection is free and open source software; we will not show you any ads, and also we are not collecting your data, or if we do, we do it for a certain purpose, and you can see our open source code on GitHub and see how it works. So we are currently in a technology transition. You can check out our current staging environment, it's called Nitro; you can see the link on the right side, you can also see the login credentials on the right side, you can go there right now and try it out. Since we are in a technology transition, I will tell you what we are using for this version: we are using Vue.js in the front-end and we're using Node.js on the backend side; both parties communicate through GraphQL as an interface, and on the backend side we're using Neo4j as the primary database. In the former version we have 4000 users, and 2300 of them are active donators. Yes, and
probably you have heard about similar initiatives like that; you probably know Mastodon, you probably know Diaspora, and there are many more, and we want to collaborate with these. There's good news: there's a W3C standard which is called ActivityPub; it's like a language for how different social networks can communicate with each other, that is, they can exchange content, and from the user perspective it doesn't really matter which social network you join. Well, that's the dream, and we are not implementing it yet, but we intend to do so, and we have bi-weekly meetings with other social networks, including Connector, WeChange and even Nextcloud; they are all interested in implementing ActivityPub, and we're trying to learn, get familiar with it and eventually implement it. If you want, you can join us; use the chat for our, let's say, we call it the open apps ecosystem, the network of the networks. And we are also having a weekly meeting for the open source community, and that's the link on the right side; we have weekly meetings and we try our best to onboard open source contributors. We do pair programming, we do video conferences. Feel free to
join us. That's all I have, thank you very much. Thank you. Next up is iOS privacy.
Hi. So quickly, if you want, about me, who I
am: I am the Apple guy at Sogeti, a security company, but I'm also an activist and politician, in things like refugees, and trying to save a forest from a mean energy company. So I built a sample app called
My Privacy, where I'm going into... it's a very simple, simple, simple app where I'm showing you the different things that are important on iOS, that developers should do and that users should also look at. It's things like the contacts API, the calendar API, location, the IDs, and, surprisingly enough, Siri. I was surprised the first time I was researching this, because Siri turned out to be
something that was opted in by default for every app. So it's simple, it's opt-out, and the setting is in Settings, Siri, but Siri & Search is not always in the Settings app, so it's a bit confusing. And as you can see over there on the screenshot, it says that it may learn and make decisions based on how you use the app. I was wondering what it actually means; basically what they mean is shortcut suggestions, which is a good thing, but at the same time also kind of a pain in the ass as a user. Most of the stuff, actually all of the Siri stuff, is on device, so that's good to know; the speech-to-text for now is not on device, so that's something you should
know. The gist of all the stuff on iOS in terms of privacy is that it all goes through a set of permissions. For the photos it's kind of the same as for the events or the contacts: a lot of the time it's just an enum which tells you if it's authorized, denied, or not yet asked. If it's restricted, you're out of luck, because it means it's either parental settings or something else in an enterprise. The app will crash if you haven't done this, which is adding what's
called a usage description. This is something which is going to be shown to the user, like "that's to visualize your photos on a map", and it's also going to be checked by Apple; it should be checked at least in the review process, that you were telling your users what you are actually doing with it. So please tell the users what you are actually doing with it and don't lie to your users. So there's a bunch of
those, which are basically in your Info.plist; they all start with "Privacy", and you have to explain whatever you're going to do with calendars or Bluetooth or whatever. You
can also ask again; that's something good to know: by calling this URL, which is basically the open settings URL string, it's not going to pop up the permission prompt anymore, but the user is going to be able to land on this page, which is basically in
the privacy settings over there. So you have to
always check the authorization status, obviously, and there are ways that you
can retrieve data from, for example, metadata, if you get for example the location over there. So this is going way too fast. Please use the pickers, that's very important, because if you don't use the pickers, then people will have to give access to the full thing. Also, if you want to be a good developer, please only pick up a subset of data and don't take everything else, because that's what a bad developer would do, and that takes a lot of information. That's why the ugly
developer would take all the information, for all the server, uploaded on the thing. So please don't be that guy,
have good karma. And also you
don't need to ask for the permissions a lot of the time; you can use the picker instead. There's something else on the contacts API as well, where you can only have one of the pickers. Also, the contacts
have a location even if they don't have a latitude/longitude, because if they have a postal address you can retrieve this with geocoding. So this is something to know. The
other thing that I wanted you to know is that the location API is interesting, because MapKit already knows where I am, even though I didn't allow it to tell it. You might think it's because of region settings, but it's not; it's most probably the IP address. I would prefer if they actually asked me before they centered this map on where I am.
On the location API, when you request the authorization you have to use "when
in use". Always, please, do not directly ask for the full monty; ask first for this, and then you would be able to avoid this guy,
because the second time you ask you will have only this. And that's basically it;
I'm running out of time. There is something on the calendars, which is taking the whole thing. If you want to know
more about this, just get in touch with me, I will be happy to show you this.
Right, next up is tree area network.
Hello, my name is Ingo. I wanted to share
an experiment with you that I did earlier this year. It's called tree area network, and when I put up this presentation I basically said, well, it's actually a bunch of holiday images to share with you. But before I do that, what is
capacitive coupling? There is a technique to transmit or transfer information through capacitive coupling, which means you have information, you encode it, you amplify it, you send it into a biological conductor like a human being. A human being is a very good conductor, like a capacitor: it has very low resistance internally and a skin which is high resistance. So it capacitively couples to another part of the body or another body; then you can take this information out and decode it and get the information back. That works with humans; that also works with plants. So what I did at Dinacon, the Digital
Naturalism Conference in 2018 in Phuket in Thailand, is I wanted to try out capacitive coupling. The devices are built for textiles in the first case, but the experiment was to use it on trees and, if possible, to use it to send information from one tree to another, and then use the jungle as a network and send one bit of information from one side of the channel to the other side of the channel. So I wanted to try out if it works at all. That was the first
experiment: I just stuck these capacitive plates on some plants and, you see my face, it didn't really work. I don't know if you can see the oscilloscope; it's a bit of very, very low signals. That was the
second attempt: I wrapped a capacitive electrode around the tree and it worked much better. You see that in the signal picked up, a very good signal, so I can decode information again. What
could I do? I could transmit data for 5.4 meters from one tree to the bottom of the tree.
That is how the schematic looks.
The transmitter is a simple resonant circuit transmitting a carrier wave of 300 kilohertz; the receiver is basically a radio stage, amplifying and filtering. Basically that
is how it looks on a tree: on the left is the transmitter with a sensor; it transmits the data over the tree, it is picked up by another part of the tree on the right side and sent to a computer. The data is sent over serial to a computer to read out. Some details of what it can do,
what the implementation can do: it implements on-off keying. The next step
was the costume, the tree area network
for tree huggers. So how do we pick up information from trees? We can hack the tree; it capacitively couples from the tree to the human body, we can then get the data out of the human body, and that's what we did. We decoded
information; we don't understand what it says. So the scientist is reading the signal from the probe, from the human probe, getting the data from the tree. So if you want to try that out
yourself, everything is up on GitHub and on my web page. Try it out, have fun. Thank you very much. Thank you.
[Music] Next up is GNU/Linux improved. Yeah, hello,
my name is Tim Hans, and as you have seen
two talks ago, it is very hard to get the security right in iOS, and Linux is not a problem here because all the features aren't there, exactly. So I think that is wrong, and a 2018 OS should be able to restrict applications from modifying each other's data and restrict applications from spying on the user's habits. So the situation is that all applications have the same permissions, USB drivers are fetched automatically, X is a whole security nightmare, and processes can read any data in the user's home, and also their interfaces don't need to be exposed to each application you are running. So there are a few developments. Yeah, we always have
the ability to make UNIX/POSIX users and groups, we have AppArmor, we have [unintelligible] as in Linux, we have KVM, we have namespaces, we have USBGuard, [unintelligible], there are some Linux distribution projects like Qubes OS or Subgraph OS which are trying to improve the security as well. So I still have some questions left. For example, do you remember that there is a policy in Debian that there has to be a man page for every UNIX command on the system? Also, why do we still have XDM, why do we still have those graphical display managers? It doesn't make sense to have a graphical display manager if you don't have to switch the display resolution in the display manager, and that's the case with the new Wayland and new framebuffers: the kernel already runs at a reasonable display resolution, so we don't have to do this for a proper login. Also there are things in the Linux world like, why do I have to become an expert to get a new PGP key layout? I mean, this is an application thing. Why do I have to be an expert to get an authentication key? So I would like to make a first start by creating a small but functional base system that actually boots up without taking resources from [unintelligible], like, most likely things FreeBSD is doing, adding an AppArmor profile to a package manager that can be used to install apps, creating a quick and dirty installer, pushing the thing to a separate GitLab instance for bug tracking and building, and yeah, I would like to discuss those ideas with you. So let us meet at 11:30 today in lecture room M1, and you see I have a few bugs in my slides. I also have created a Matrix channel, 35c3-linux-improved, where you can meet me. There will be an email address, linux-improved [unintelligible], where you can contact me, and you can meet me at the Metalab in Vienna if you want to discuss details. And I think that's it, thank you. Next up is
navigating in the Linux kernel security area.
Hello, my name is Alexander Popov, I'm a
Linux kernel developer and security researcher, and I want to tell you about navigating in the Linux kernel security area. Linux kernel security is a very
complex area. There are various key concepts there: there are vulnerability classes, exploitation techniques, bug detection means, and various defenses. Some of them are in the Linux kernel mainline, some of them are still out of tree, some of them are commercial, some defensive technologies need special hardware to work, and all these items have complex relations between each other, and it would be really great to have some graphical representation for easier navigation in the documentation. So I created such a map; it is available on GitHub. It represents the key concepts which I already described, and the connections between nodes represent some kind of relation. This map is about Linux kernel self-protection; it is not about cutting the attack surface. So this is the map; it is very complex, I guess you can't see anything, but I want to show some part of it. So here are the vulnerability classes: stack depth overflow, uninitialized variable usage, information exposure. They have CWE, Common Weakness Enumeration, numbers for
easier search, and there is the PAX_MEMORY_STACKLEAK feature from grsecurity which provides some mitigations against those kinds of vulnerabilities, and there is the STACKLEAK port which I prepared for the Linux kernel mainline; it has been merged into kernel 4.20. And there is the KASAN debugging mechanism; it is not for protecting you in production, it is for debugging, and we can combine such technologies, enable
them and fuzz the kernel to find bugs and zero-days. And I really hope you
are interested, and I encourage you to experiment with your kernel and read those information sources. There is a really nice list of grsecurity features; there is the Linux kernel security documentation in the mainline, which is a really nice document describing the whole picture of Linux kernel security, which tasks, which goals we need to achieve; there is a list of recommended kernel settings from the Kernel Self Protection Project which, if you enable them, can make your kernel more secure; and there is a mitigation checklist which shows the current progress in upstreaming grsecurity features into the Linux kernel mainline and into the Android Open Source Project. And it is really not very funny to search in your config file for the hardening options, enabling them and so on, so let's let computers do their job: I created a script which can check your kernel config file against the hardening recommendations, and you can just run it with your config file, see the recommendations, and then go to the map and see where in the documentation you should read about this particular feature. So thanks for your
attention. You can catch me here at the Congress, you can write me emails; Linux kernel developers really like plaintext emails. And the main point: [unintelligible] the Congress.
Thank you. Now next up is pass the
cookie and pivot to the cloud.
Hello everybody, my name is Johann, I'm a
security engineer and professional
penetration tester, and today I want to talk about pass the cookie, which is an attack technique that I've been using for a long time, and I want to kind of share it. It's not really totally novel, but I think we need to talk more about this to protect infrastructure better. So, what are cookies? I think we don't have to talk about that much; everybody knows
about cookies. They are used for security, for authentication; it's establishing a session between a client and the web server, and it usually is a single key to the kingdom, which means if you steal the cookie then you get access to the web application. There was a lot of talk about this four, five years ago with Firesheep; that was really, really good, and the entire industry stepped up and deployed SSL much more widely, which is very, very good, and everybody should use that. But what I want to talk about now is sort of other techniques somebody might deploy or leverage to steal your authentication cookies. So think about it: a cookie might be the single key... who here uses AWS or Microsoft Azure? A cookie might be the single key to your entire virtual data center. So if you have, like, a data center building, imagine, right, the cookie is the key to that building. Or personally, if you have cryptocurrency, your finances, right, or Facebook, the cookie might be the authentication token to get an attacker in. So what is
pass the cookie? It's very much similar, if you're familiar with pass the hash, it's the same concept: you have the token, you pass it, and you pivot through the environment. So an attacker might be after valuable assets, valuable hosts or infrastructure where there might be powerful cookies available, and as I said, I've used this many, many times during adversarial emulation to achieve mission objectives. So how can you
gather the cookie in the first place? So pass the cookie is sort of a post-exploitation technique, which means the host that we talk about is already compromised. So imagine a phishing attack; there's a beachhead established in the organization, and then the adversary starts pivoting through the environment, right, maybe even compromises the domain controller. So at that point you have full capabilities within the company, but they still have not pivoted, what I call the pivot to the cloud. So now they can go find an administrator of the subscription or the AWS account, compromise that machine, and then they can pass the cookie: they steal the cookie using some of these techniques here, and then they pass the cookie to pivot to the cloud infrastructure. The one thing I want to point out is procdump, which is sort of a very, very simple tool, but cookies are not just stored in browser processes, right, or on the disk from a browser perspective; you can also find cookies in any other applications that do authentication. So somebody might use procdump to kind of dump all the processes on the machine and look for cookies. So yeah, and then how do you pass the cookie? In the past, like four, five years ago, you had to install some extensions and so on; now it's really simple, you use the developer console, you just go in the console and set the cookie. These days even UIs like Chrome have a nice UI to set the cookie. Yeah, I want to point out Cookie Crimes: right now I work at a place where we have a lot of Macs, so I had to look for techniques on how to do this on a Mac, and there's great research done, and there's something called Cookie Crimes that uses headless Chrome to allow you to steal the cookies. So here's a simple
example of how you might [unintelligible]: you go to the GitHub web page, refresh, there are no cookies, you're not authenticated; there's a single cookie called user_session, you paste it in, refresh the page, and you're logged in. And now let's move this to the
cloud. Really what I want to highlight is that the organization might have Google Cloud Compute, for instance, or another one of the three big cloud infrastructure providers, right, and an adversary might have compromised the administrator, and then they steal a cookie and pivot into the cloud; so it's sort of a three-step process. As part of my own work I started building out this cheat sheet for myself, so I thought I'd share that: which kind of cookies you might be interested in depending on the client you work with. And always make sure that you have authorization for any of this kind of work, right; I've put it at the very beginning as well. So here you can see a sample of interesting web pages and the cookies that you can steal, or that somebody, an adversary, might steal to authenticate. And similarly, on the blue team side, talking about detections, right: there are things that we kind of have to do, like monitor for process dumps, monitor for access anomalies, monitor for unusual activity on websites. And I want to move forward and talk about mitigations also, right: deleting cookies on the machine regularly is very important; delete the session cookies. And this is one thing I want to highlight: if you are not the only administrator on your machine, it is not your machine; anything on it belongs to everybody else, or any other administrator on the machine, too. That is very, very important, especially if you work in a company: never use a company laptop to perform private work. Thank you.
Thank you. Next up is War on Drugs.
[Music] [Music] [Applause] hello the full title of the talk is war on drugs and doing 50 years of fake news
and Propaganda. You need to decide for yourself what you want to do, what your core set of values is. Me personally, I am pro-choice, freedom and education. There are many different scientific research... This is about the fat: the fat and sugar, the sugar industry blamed fat. You eat fat, you become fat. But this is not true; you need to provide fat to your body, because it's a part of a healthy balanced diet. This is the cigarette advertisement from 50 years ago: of course your doctors smoke Camels. The Marlboro guy who was advertising cigarettes, he died from lung cancer.

And this is probably one of the most important quotes, that 50 years ago, then the Nixon presidential election, and basically you cannot make it illegal to be against war. So what they did to keep the war in Vietnam going: they criminalized the drugs. The war on drugs is a direct consequence of the war in Vietnam. They couldn't keep up with the peace movements, so they had to find a way to put them into prison. And then we have a private prison system. The moment you make money from putting people into prison, you are incentivized to keep the system going, and this is basically a vicious circle. It is a complete... and I encourage you to just think: follow the money. If you do not know what's going on, just follow the money. And all these perverse incentives create a situation where judges are bribed by the prison system to put children into jail.

However, now we have a little change in the law because of the Internet. The Internet allows us to communicate freely. This is the legal map of cannabis in the U.S.: in many states cannabis is illegal, or legal for medicinal purposes. It is changing rapidly. The human perception is also changing. In the United Kingdom, the medical cannabis was legalized first of November. In Mexico it is also changing. In South Africa it is changing; it is pretty much becoming legal. So this is just the cannabis.

Okay, this is about the business model of the pharmaceutical industry: they get money if you are hooked on their legal drugs, and they don't have incentives to use the drugs that are actually helping people. This is the ketamine that is testing for depression, MDMA for PTSD, psilocybin for people who have terminal diseases, and they know they will die, but using psychedelics such as psilocybin allows them to become more okay with death. Like, okay, I am dying, but this is only my body; my soul will survive. So they are reducing the death anxiety. And this is like a second-level research: we already know that psilocybin is effective, so now we are testing which type of music for this type of treatment. So this playlist is amazing, highly recommended. Books about the DMT.

This is, this is a metaphor: that we have the telescope to look into the stars, we have the microscope to look into very, very small objects, but we are still looking for the microscope, I cross scope, for the brain. So here it is, a scientific research of scanning the brain, various connections in the brain. Here is the wiki where self-medication, psychedelic retreats, and this is probably, if you want to stay connected to the psychedelic community, you can meet with like-minded people, you can learn more. And always do your own research. Thank you.

Thank you, thank you, thank you.
Now the next talk is not going to be a talk but rather an experiment, and one of the rare occasions where we surrender our hardware to someone else. This is the last event in this session, so if you're not comfortable with any of this you can just leave without missing out on anything. Yeah, I don't know, I just, I just go away and let them do their work.

All right, thanks. So, big round of applause for these guys, and let's... the end of our session today. Thank you for being here, thanks to all the speakers who participated, and a big round of applause for everybody who stood on the stage here, for the translation team who did an awesome job translating the lightning