Somehow it did not get much attention, but Signal president Meredith Whittaker (together with Udbhav Tiwari) spoke about the risks and threats from AI-enabled systems.
"Foundation workshop: Hands-on, how does the Internet work?" by Ingo Blechschmidt, is congress at its best. Getting a diverse set of people with various backgrounds and knowledge levels to ARP spoof in a little over an hour is art.
Meredith's talk was extremely scripted, not very original and then she ducked out of taking any audience questions. Udbhav awkwardly stood there but seemed like he could have had much more to say. It was hard to watch.
Mona Wang's talk early on Day 2 wasn't recorded but was the polar opposite -- Original, off-the-cuff, engaging, and just fun to witness.
The Asahi talk was good, but the video switched waaaayyyyy too often between slide only -> slide + speaker -> stage -> only speaker. Made me kinda uncomfortable.
"Liberation of the Freebox": a slightly crazy Frenchman embarks on a quest to find exploits and write a complex exploit chain, using PrDoom and the Linux HFS+ driver to gain root privileges on his set-top box. All this in order to unlock the recording of somewhat rubbish TV channels such as TF1 and M6.
And he waited almost ten years and the retirement of the hardware to reveal it because he didn't want it to be patched.
If you are into hardware emulation "From silicon to Darude sand-storm" is fun.
Absolutely Cory Doctorow's, for the showmanship alone. Lovely background slides. The message itself might not resonate with everyone.
The talk "Look Up" about unencrypted data over DVB satellite links was also thought-provoking, both in presentation and in technical content. If there's that much data unencrypted over a mainstream IP link, imagine how much is still on legacy protocols in 2025.
I am not so much into videos but due to some extended interest in the matter I decided to watch the recording of that talk and I do not regret it. Much recommended to everyone who is interested in the state of the art of precision time synchronization over network. Also, in my opinion this talk is presented masterfully with most of the time actually spent on a convincing live demo.
Just for sheer geekery's sake probably the ISDN talk.
For OMG eye opening factor the FreeBSD jails talk (how the hell is this thing still so buggy?) and the talk on unencrypted satellite links
For excellent follow-along value and dedication to ridiculously pointless cause the Freebox talk. "Technically I don't own this box so instead of risking damaging it I'm going to take the extremely long and entertaining route around, somehow involving Doom WAD files"
Linus has said a lot of stuff over the years and not all of it was on the money. Still, he did a lot of good and I'm very grateful for it, Linux has been my daily driver for almost two decades now (basically from when I stopped using SGI because there was no point any more).
But bugs in large codebases will always be a thing, and even though the eyes looking at FreeBSD are very, very good eyes, indeed there are not enough of them. The more interesting thing here is that they picked a really hard target. If they had done the same with Linux I would expect the number of bugs to be quite a bit higher.
The Deutschlandticket talk was pretty cool. As Malcolm Tucker would say, "what a catastrofuck".
Miele washing machine hacking, very nice, I was going to say I'd be waiting to see someone integrate it into HA... and then looked up the Github repo and there's HA integration already there.
The biggest problem with ccc is that:
0. They are releasing too few tickets.
1. They are releasing the tickets too late.
3. Still not able to pay with card?
I live somewhat nearby, but can’t book or plan a visit because of this. I appreciate that they are releasing videos shortly afterwards though.
Ad too few tickets: I happen to live close by the venue (CCH in Hamburg) they fill up. And they do fill it up. That is the limiting factor.
Some person that wanted to get a ticket not getting one is bad, but what is worse is to have more visitors than you or the venue can safely handle. This and of course you still want it to work for the type of event you're doing, with multiple stages, parallel talks, ideally minimum walking distances, not a lot of extra tech to rent in terms of projection, sound etc.
To my knowledge the 3C congresses have been a story of growth and having to move to the next-bigger venue throughout the years.
You can pay with a card, but there is an additional 5 Euros fee (which is fair enough).
I booked a refundable hotel already in the summer, in case I won't get the tickets. But getting the ticket this year was relatively easy (though maybe I just got lucky).
There wasn't even enough assembly space this year, it was bursting at the seams. Sadly I think CCH is just too small for this conference. There's a much bigger conference space down the street, but the rumor is that going back to Leipzig (where it was held during the renovation of CCH) is back in discussion. That place was too big though.
At the time when this took place in Berlin, in the Berlin Congress Center, which was rather small, there were only a few hundred seats available, and most of them had already been allocated before they even went on sale.
It was also a great excuse to spend New Year's Eve in Berlin.
Thank you, and happy to answer questions on that, it's been a crazy time!
Maybe of relevance to non-security people here:
1. Most of it is about AI investigating event data in general, not just SOC/IR: cyber, intel, fraud, SRE, and we're even messing with customer 360 & social media data
2. For anyone into vibes coding or building agents, I encourage jumping to the "self-writing AI" section where we're finding we are moving internally from vibes coding -> vibes engineering -> and finally now to eval-driven AI coding loops
And, for anyone in security, doing careful evals here has indeed strongly colored my view on the market :)
Hey, I just saw your talk and for someone who's not really up to date with the latest AI developments it's eye-opening what you got going in SOC investigations.
I personally work as pentester and we're still doing a lot of manual work with AI simply as a better version of Google, but seeing the BOTS presentation I feel we can do better. Do you have any idea if anyone's working on something similar to Louie in pentesting space, or if Louie could work with pentesting workflows?
Companies like xbow and horizon are using agents that talk to symbolic tools to automate more red teaming flows for different domains, so very much so. As shown in my talk, modern models are quite capable, and they aren't doing investigation-level scenario depth, more like scans, so seems like becoming the new expectation that everyone can & will do.
Companies like trail of bits are more interesting to me here, because they historically do deeper analysis. A place to look there is the darpa cc x ai (?) competition that finished at blackhat last year.
If in the US, we may be looking for a pen testing partner on an upcoming agentic AI contract, so feel free to msg - Leo @ graphistry
I haven't seen all of them (which I wanted to see) yet, I had a lot of fun with various talks. Thus far, my favourite one was hands down [1], and I can explain why. I am not at all good with hardware, nor hardware designing i.e. I'm not the target audience for this talk.
However, the talk was beautiful. It went quick, was informative, good slides, very respectful Q&A (comms and quality-wise), and it had a message of DIY _and_ inspiring hope. It is easy to criticize X or say we need to do better with Y. These guys are doing it, and their journey and findings are completely open source (even though there was substantial financial risk involved). The hacker spirit 101.
One interesting detail: In previous years, Joscha Bach gave a talk on AI, consciousness, and related topics (see e.g. [0]). A similar talk was planned for this year as well, but after emails between him and Epstein were made public (see his comment on this in [1]), his talk was canceled. Instead, there appears to have been an event that critically addressed the situation [2]. Unfortunately it was not recorded. Did anyone attend? A discussion between Joscha and his critics would have been really interesting.
Well that discussion talk is not an open discourse about the situation...
He quoted what he believed was scientific evidence in a private conversation that became public, his comments on fascism being efficient are clearly anti-fascist and believed to observe a gender stereotype. No matter if the facts were true, it should be possible to discuss such things (especially those you think are facts) in private without getting canceled. Even if they would play into the hand of racism or sexism if made as public statements.
I found his apology a bit weak, but I also don't see his offense, despite the messages in public being offensive and possibly harmful.
If you are going to defend someone you have no or very distant association with like you stated in another reply. Maybe just maybe read what everyone else is talking about, in this chain it would be his email exchange with Epstein. Thanks for making ME read that pseudo intellectual shit again so YOU don't have to.
"too many people, so many mass executions of the elderly and infirm make sense is the fundamental fact that everyone dies at some time .make it imporrisbole to ask so why not earilier. if the brain discards unused neurons, why shold socieity keep their equivalent."
"too many people, so many mass executions of the elderly and infirm make sense is the fundamental fact that everyone dies at some time .make it imporrisbole to ask so why not earilier. if the brain discards unused neurons, why shold socieity keep their equivalent
The radical idea of treating individuals in a society as cells and the society itself as a well-organized organism is fascism, or course. Probably the most efficient and rationally stringent way of governance, if someone could pull it off in a sustainable way; and if it is aggressive and expansive, its efficiency makes it a virus that everybody will want to stomp out. Fascism makes romantic doo-gooders like me very uncomfortable"
He dares to explore radical taboo ideas and concludes that it would be fascism, which he is not comfortable with.
So .. I see nothing where he is intolerant of anything. But you seem not tolerant for people daring to explore certain thoughts in general? Even if they reach the conclusion this is not the way to go.
(And maybe even an attempt at dissuading the other person of those concepts)
That's why I didn't want to quote anything because it's just deteriorating into a debate club about hypotheticals.
To extend your "full" quote: "The radical idea of treating individuals in a society as cells and the society itself as a well-Organized organism is fascism, or course. Probably the most efficient and rationally stringent way of governance, if someone could pull it off in a sustainable way… I rather like the treatment Fascism gets in the Amazon Series ‘The Man in the High Castle’, which explores what would have happened if the Germans and Japanese had won the war: A society that tries to function as a brutal and ruthlessly efficient machine, eliminating all social and evolutionary slack. It is very dark, but not a flat caricature of pointless evil for its own sake."
Let's stay away from killing people how about the misogyny?:
"You cannot learn what does not attract your attention. Women tend to find abstract systems, conflicts and mechanisms intrinsically boring."
"Let's stay away from killing people how about the misogyny?:
"You cannot learn what does not attract your attention. Women tend to find abstract systems, conflicts and mechanisms intrinsically boring.""
I am not an expert, but that is not misogyny in my book. Not sure about the part about conflicts, but in general it matches my observation as well, women tend to find abstract things boring. That does not say ALL women are like this, or ALL men like abstract things, but on average this is the trend. And when you compare the ratio of men / women who go into the abstract scientific field, it seems backed up by real world data (also when accounting for existing sexism in the field).
In general, Joscha is indeed a weird guy, the main thing I remember from him as a guest from an Alternativlos podcast is:
He always was excited for AGI to finally have someone smart enough to talk to.
Well, I don't subscribe to that, nor his openness for certain other positions, but he is definitely not a fascist. And I believe I am sort of an expert here, as I exposed and confronted quite some of those who tried to infiltrate alternative groups I am part of. (Also I live in Saxony. I know cryptonazi talk.) So yes, I do see some signs that are worth debating. Giving him a chance to clarify and reconsider.
But canceling and blocking him will just push him to that side for good. And that would be a shame.
To add some context and to spare readers who, like me, know nothing about Joscha Bach and only little about Epstein from having to go through all the linked material:
The allegations do not appear to involve abuse or moral complicity with Epstein. Instead, they seem to focus on emails Bach exchanged with Epstein concerning IQ, race, and possibly sex. Bach denies these allegations of racism and sexism.
That is at least how I understand the material based on the provided links.
"The main part of the workshop consists of a moderated deliberative discussion with the audience."
I think it is a bit ironic that Joscha got canceled because of a private conversation - and the debate about it is not recorded, so .. in effect people are more free to express their opinions without getting canceled.
Disappointing to me. Joscha seems to have points of view I find debatable (I don't know much about him). But canceling to not have to stand his opinions? That is very much against the hacker spirit to me and he is a smart guy who knows a lot about AI.
In my day job I often run the tech for events, nearly once a week. In my experience known recording/publication tend to make discussions worse and not better than closed room discussions — especially if the topic is controversial. I'd love it if that wasn't the case, but that is not what I observed.
That is because with published recordings it often becomes purely performative, where people aren't actually interested in honestly engaging with each other's thoughts, but instead (ab)using the recording as a stage to make a public statement. It essentially becomes a thinly veiled PR battle with multiple actors trying to control the narrative and the ones that prepared well (so not the general audience) tend to dominate the discussion. In my experience that is the opposite of a good discourse.
In the latter case the audience is only the audience that is already present and they are part of the discussion, if everything goes well a feeling of "we need to resolve this issue" is established, with a collective feeling emerging in the room. There is no guarantee that this happens and that there is a result, but in my experience (with well over 400 events) the tendency speaks for the closed room, especially with touchy subjects.
"the tendency speaks for the closed room, especially with touchy subjects."
I do agree with that.
I just would have preferred a closed room debate with him invited to address those issues, not the cancel mentality and then speaking in a closed room about him.
"All of the people I know who were friends with this sociopathic child-trafficking pedophile told me he was reformed now" is certainly something to put out there.
> I assume you've spotted the pattern by now: the US trade representative has forced every one of its trading partners to adopt anticircumvention law, to facilitate the extraction of their own people's data and money by American firms. But of course, that only raises a further question: Why would every other country in the world agree to let America steal its own people's money and data, and block its domestic tech sector from making interoperable products that would prevent this theft?
> Here's an anecdote that unravels this riddle: many years ago, in the years before Viktor Orban rose to power, I used to guest-lecture at a summer PhD program in political science at Budapest's Central European University. And one summer, after I'd lectured to my students about anticircumvention law, one of them approached me.
> They had been the information minister of a Central American nation during the CAFTA negotiations, and one day, they'd received a phone-call from their trade negotiator, calling from the CAFTA bargaining table. The negotiator said, "You know how you told me not to give the Americans anticircumvention under any circumstances? Well, they're saying that they won't take our coffee unless we give them anticircumvention. And I'm sorry, but we just can't lose the US coffee market. Our economy would collapse. So we're going to give them anticircumvention. I'm really sorry."
> That's it. That's why every government in the world allowed US Big Tech companies to declare open season on their people's private data and ready cash.
> The alternative was tariffs. Well, I don't know if you've heard, but we've got tariffs now!
> I mean, if someone threatens to burn your house down unless you follow their orders, and then they burn your house down anyway, you don't have to keep following their orders. So…Happy Liberation Day?
I’d argue that what you're experiencing isn't the Network Effect anymore, but rather Vendor Lock-in.
The Network Effect implies the platform gets better for you as more people join. If they are deleting your content, the network is no longer serving you—it’s just holding you hostage. This is enshittification at its best. (this irony with a Cory Doctorow link)
At this stage, it’s just a walled garden. Staying because 'everyone is here' while being silenced is learned helplessness.
You're voluntarily staying in a walled garden that refuses to let you speak.
I agree with you, but perhaps walled garden and network effects are not mutually exclusive. I.e. if I leave the garden, I'm losing value of being able to reach many people I care about.
It has some long tradition placing those visibly on the podium. As the story goes, the idea is that you can immediately see if the video stream freezes up (because the cat in the video suddenly stops waving). You wouldn't immediately catch that in between talks (when you have some time to fix the issue) if the camera was just pointed at an empty stage with no movement. I think at 30C3 or so, I saw one that was placed so that it would repeatedly knock on the microphone as well.
Anyway, the waving cat has become a bit of a meme by itself and mascot of the VOC, hence also the (animated) icon in the video player.
It is a Maneki-neko (beckoning cat / Winkekatze). The video team started putting them on podiums so they could see when a stream was frozen. So it became kind of a mascot.
What would be strange are hackers that are fascist. Fascism demands surrender to power and obedience, which is antithetical to the hacker spirit. Questioning systems, equalizing power imbalances is the hacker spirit.
There's plenty of European technologists who feel completely alienated from most stuff around c3 and hacker spaces because, believe it or not, most members there do tend to adhere to radical left-wing ideologies. This usually invites a whole grab bag of problems, if one has more right-wing beliefs and tries to engage.
I will concede to you that it did not use to be this bad. But it is now. Chalking this issue up to a 'long tradition' is like saying: "Community X has a long tradition of radicalization, so it's a-ok!"
Fighting fascism is required of every person who wants to keep a working democracy, regardless of your fiscal policy ideas or how egoistical you want your government to represent you.
Democracy is what allows you to remove bad leaders/parties without having to fight a bloody revolution. Fascism yearns to remove that possibility. Hence anti-fascism being needed.
That being said: Which part of the talk did you find especially extremist?
This "anti-fascism" talk sounds all nice and noble. But we all know that actual left-wing extremists have taken over the term now and most members are terrorist-adjacent. The irony is that antifa and other such "anti-fascists" are way more fascistic than their hypothetical and currently non-existent "fascists".
Unfortunately, the congress is getting worse and worse every year. There are fewer and fewer interesting and technical topics. "It used to be better" moment.
Each of the lightning talks itself had about 20 short different topics,
And as I wrote these were examples, you didn't expect someone to re-enumerate them here all to refute your statement. You can easily find them yourself.
Have a look at this page, where others listed their favorites, there are many more.
But I don't think from your reply you didn't look at the list of sessions yourself.
As someone who has been following the congress for twenty years (and if I couldn't be there, I watched streams and recordings), I have to say once again that it used to be better. The selection of topics was broader and more interesting. About fifteen years ago, politics entered the picture, and over the years it has become more and more prevalent. Strange people began to appear, and about ten years ago, this event ceased to be a cozy meeting place for hackers and geeks. I am very sad about that.
I attended 7 talks.
My favourite talk by far was hacking the GPG. Brilliant, really: https://media.ccc.de/v/39c3-to-sign-or-not-to-sign-practical...
The "In-house electronics manufacturing from scratch" was a very inspiring talk: https://media.ccc.de/v/39c3-in-house-electronics-manufacturi...
The rest were less good for me personally. Either over-dramatic and shallow (with a sexy-sounding topic) or too procedural in topics I'm not an expert in.