38C3 Day 4: Security nightmares, tenant capture, strange numbers and conclusions



Last day at the Chaos Communication Congress: faces were long, the dark circles under the eyes were large and the lack of sleep was at its peak. But before 38C3 closed in the evening, there were still several lectures left on the program, including annual classics such as Security Nightmares. The morning was already filled with further talks on security topics. For example, Florian Adamski, Martin Heckel and Daniel Gruss presented a ten-year retrospective of Rowhammer, an attack technique that targets RAM.



Dutch security researcher Vaisha Bernard wanted to run phishing tests for his clients. To get the test emails past Microsoft's Exchange Online spam and phishing filters, he had to enter extensive allow lists for multiple "tenants", i.e. customer instances. This could not be automated via PowerShell because of various errors in Microsoft's API, so he looked for another way.

What he found was confusing and disturbing. His requests for technical support were answered by a Chinese call center operating under the obscure company name "Vicresoft" and, worse, his home-grown PowerShell script suddenly modified the allow list of other people's tenants. Beyond that, he could freely search their data, such as emails, Teams messages or files on OneDrive, and even extract them using an export function. This was worth a five-figure reward from the Microsoft Security Response Center (MSRC), and the security gap has been closed for almost a year.

In the not entirely serious annual review Security Nightmares, Constanze Kurz and Ron look at the past year through an IT security lens. Ron, a computer scientist, CCC speaker and self-described Internet addict with an irrational fear of robotic lawn mowers, naturally tried to derive the security incident trends of 2024 from all the CVE reports he has read. This allowed him to boldly predict what might happen in the coming year.

Looking back, ten years ago it was all about securing cloud services; now there are passkeys. He also talked about autonomous vehicles, AirPods, generative AI, and the painful design of the Duolingo app icons as an example of nudging. Other topics were the federal government's state trojan plans and US sanctions against providers of such software. The speakers also discussed the XZ backdoor, the CrowdStrike outage, the US Kaspersky ban, and the Microsoft Recall debacle. Both also brought statistics: for example, Americans lost $5.6 billion to crypto scams in 2024.


For 2025, they see threats in AI's hunger for energy, discuss the idea of a "cyber military service" for computer science students and call for a trend back towards on-premise hosting.

Various 38C3 teams documented facts and figures about the Congress in the Infrastructure Review: everything from power consumption, network bandwidth usage and truck tonnage to the number of sandwiches (7,000!) served to the many helping hands, the angels. The trend this year was for several teams to phrase their submissions to the Infrastructure Review in the marketing language of listed companies.

The self-proclaimed "c3Stadtwerke" provided the necessary energy by laying over 22,000 meters of cable. Overall, the 38C3 consumed a total of six megawatts of power. The speakers noted with a smile that this corresponds to the consumption of 230 households or five Bitcoin transactions. The NOC (Network Operations Center) had to deal with "IPv6 madness" for some time, but was able to deliver the network and WLAN before the start of the Congress. The Congress had an Internet connection with a total bandwidth of 300 Gbit/s, of which the 38C3 visitors used "only" 40 Gbit/s. The Phone Operations Center (POC) served the Congress telephone network via 56 DECT antennas, with 4,200 DECT handsets registered (3,500 of them at the same time). This year, in addition to DECT and SIP, there was also ISDN; anyone who did not trust the network or WLAN could also dial in via PPP, use BTX or reach one of the 29 BBS mailboxes.

The first challenge for the video team (VOC) was getting the necessary equipment to the CCH in Hamburg: seven logistics companies canceled the delivery orders. On site, there were problems interfacing with the building's sound system. The VOC and the CCH team were initially able to fix the problems before the opening, but from the first night onwards crackling regularly appeared on the audio track. This caused a backlog in the publication of lectures on media.ccc.de. The VOC invested over 720 hours in filming the lectures and producing content with 22 cameras, supported by 260 video angels. Speaking of angels: Heaven, the volunteer headquarters, reported that more than 3,400 angels worked at least one two-hour shift. There were over 6,600 shifts, which adds up to a total of 4 years of work.

Humor was shown not only by the 38C3 organizing teams, but also by several projects at the assemblies. For example, as shown in the following video, the Aalen Chopping Plant brought everyday Swabian culture to the northern German Hanseatic city.

The 38C3 had a lot of key input, colorful assemblies, and a lot of cat ears. After four days it was time to move back from "illegal instructions" to "legal constructions". Although the Congress has ended, those interested can still watch most of the lectures: they are available as recordings in the media library on the Congress website.


Finally, our short video documentary about the 38C3.


(CKU)
