Let's go. Always leave the clicker here, please. Just a minute. I can already start. There we go.

So this is about a little tool that I have developed for quite a long time, but I haven't actually really advertised it a lot. And lately, I've thought I should make it a bit more usable for more people and maybe make it a bit more well-known. So the thing is, you have web applications. So maybe you run a personal web page or a company web page or whatever, or a blog with one of these popular content management systems or other web applications. And yeah, sometimes they have security vulnerabilities. And then maybe you forgot to update them. And that's bad. And then you get hacked. And then, I don't know, then you have some JavaScript that's mining cryptocurrency. And you're sending spam and all these things. And maybe you're hosting phishing pages now, which you don't want. That's quite annoying. And maybe your web host will then tell you that, I don't know, he will shut down your web page. So you should better update. Or you should use WordPress. I'd like to say this. WordPress has kind of a bit of a bad reputation. I think WordPress is definitely the most secure content management system you can get because it has automatic updates. But let's assume you run a server for other users, which I actually do. And you want to know if your users update their web applications, because it's also annoying for you as a server, I mean, if you send spam or whatever. So you would like to check if your users actually update their web applications. And that's where you need freewvs, which is the tool I developed for this. So this is kind of how it works. So you run it and give it a path. And then it will tell you, oh, it seems there's a Joomla version 3.9.11. And that has a known security vulnerability. And there's also a Nextcloud. And the MediaWiki also has known security vulnerabilities. So that's kind of how it works in the back end.
That's the data that it has in this example, MediaWiki. So I maintain this myself. People often are curious. And yeah, I manually do this. But it's not as much work as people think. So it knows that there's a safe version. And there are some older branches that are also safe versions. There's a vulnerability. And then there's some information how to detect the version. So if there's a file, DefaultSettings.php, that contains the variable $wgVersion, then that means there's a MediaWiki in that version. So it's actually 12 years old. So I've been doing this for quite some time. It's free software under a CC0 license, which means you can do with it whatever you want. It's written in Python, uses some string matching and regular expressions, which is a bit ugly, but there's no better way to do it. And then compares it to data about vulnerable versions. So please try it. And also, as I said, I tried to make it more usable. You can now install it via pip. But there are also some design decisions where I'm not really sure how to do it yet, particularly about the data and how to update that. If you're good at Python and want to discuss how to best do that or discuss improvements, please come to me, talk to me. And please try it out. Thanks.

Thank you. So next up is Pocket Science Lab.

Hello, good morning. My name is Mark. I'm a software developer. I'm talking about hardware, which may sound a little bit strange. But I'll explain that in a few seconds. Pocket Science Lab is a little hardware which lets you measure all kinds of things. And why I like to use it, you see here, this is my set. The little lab, which I have to get out of the boxes in the evening, play around with microcontrollers, and put it back into the boxes again when I'm done. Because this is also the table where my family eats breakfast, where my wife has a home office, where my son likes to play Legos, and where I like to play with hardware. I don't have much room to have an oscilloscope or stuff like that.
And that's why I'm happy to have found this Pocket Science Lab device thing. You use it by connecting it to your computer or to your smartphone via USB. Wi-Fi connection is currently being developed. Hope to see that soon. You install software. I'll come to that later. And then you just connect things to the Pocket Science Lab with cables, with little pins. So if you like to play with Arduinos or ESP32s or things like that, you stay in your little pins and cables world, and it all connects together quite nicely. The software has different screens for the different use cases. It also has help screens. If you're as clueless as me, you can just take a look at the help screen, and it tells you how to connect things, how you can measure things, or just what you can do with the device. You can get the software from the website, pslab.io. But you can also get the software for the phone. You can get it from Google Play Store or from F-Droid. What can you do with it? You can substitute an oscilloscope, multimeter, or logic analyzer. Maybe if you're like me, you don't have much space. You just need a small device. Or you travel a lot, and you don't want to carry a lot of things with you. Then you can create test data with a wave generator. You have a programmable power source. Or you can just look at things by connecting sensors. And you can either display values from the sensors, or you can log it and analyze it later. I forgot to say I'm not a developer of the device. I'm only a user, and I'm happy to have found it. So if you like the device, if it looks interesting, just come to the FOSSASIA assembly. It's in hall two. They have devices there. They have cables. They have sensors. You can play around with it. You can buy it if you want. You can maybe get tips how to build it yourself, because it's open hardware. You can build it yourself. The firmware is free. Everything is free. Yeah, they will be there until midnight, they told me.
So if you like the device and would like to take a look, just go there and have a look. Thank you.

Thank you. Next up is JmapLTTRS.

Hi, I'm Daniel. So I originally got interested in this a couple of years back. I was trying to finally self-host my own email. And I was looking for an email client for Android that provided a similar user experience to Gmail and I couldn't find any. So I thought, how hard can it be to write your own? That led me to look into IMAP, which, in case you don't know, is the protocol most email clients use to fetch email from your server. So it turns out, IMAP is a little bit of a mess. It's an extensible protocol. And you need a bunch of server-side extensions to provide a good user experience. But as a client, you're also expected to deal with servers that don't have those extensions and that makes your client code quite bloated. Furthermore, IMAP doesn't use any of the well-established serialization formats like JSON or XML. So you cannot even use a stock library to parse the wire format. Even if you get through all that mess, you still have to deal with MIME parsing, which is another complicated thing. And also sending emails requires yet another protocol. So luckily, there's an alternative to that called JMAP. So what is JMAP? JMAP basically is IMAP with all the cool extensions. And it will also make the server deal with all the MIME parsing. So as a client, you basically get the JSON structure with the email data that is essentially ready to display to the user. It's also stateless and doesn't require a persistent TCP connection, because you may hate that mobile phone vendors prevent apps from keeping a persistent TCP connection in the background. But you just have to deal with that, and that's just how it is. So from a client developer's perspective, JMAP makes a lot of things a lot easier. However, it's still fully compatible to IMAP, so it can operate in the same data structure on the server.
And you can just as well use an IMAP client and a JMAP client in parallel. And obviously, the server-to-server communication remains untouched as well. So that was what got me interested in JMAP, but it's not all what JMAP is. So JMAP really is a data synchronization protocol, more of a replacement for ActiveSync than just for IMAP. And in the future, it will also be able to handle calendars, and contacts, and so on. So what JMAP isn't, it still has to deal with some of the legacy mess of IMAP and email, for example, like text emails with HTML emails. It won't provide a big noticeable difference for end users, because if you already have a well-functional JMAP client, you won't know the difference as a user. But from a client developer's perspective, this makes a lot of things a lot easier. And yes, that's what I did. I wrote a client. That's really not a lot of code. It's based on a JMAP library that I've written as well that essentially is a headless email client. So it handles everything an email client would normally do except for the UI, like sending emails, archiving emails, marking something as read, or flagging, unflagging. And the app itself is really limited, like no frills, no settings. I'm not planning to introduce any settings at all, because settings always invite feature creep, and I don't want that. It's heavily inspired by Gmail. The same backend in the end could potentially also power a command line client. So yeah, what can you do with it? You can read emails. You can process emails, like marking something as read, or flagging, or marking it as important. You can write emails, and there's some light responding. Like you can respond to an email, and it will match the proper email IDs. But it won't quote the email.
Unfortunately, the biggest hurdle if you want to try it, the only server software that supports this is Cyrus, and only the unstable Git version. Dovecot, which I'm sure a lot of you are running, is interested, but hasn't started to work on it. As we are running out of time, I'm still looking for people to help me out with this project, and I'm available on Congress if you want to meet, and here are some links that you might want to check out. Thank you.

Thank you. Next up is BadgeMagic.

Yes, hello. Okay, so this is really a great lightning talk session because we are early, right? Awesome. Good job, guys. So thank you very much for giving me the opportunity here to share a few updates about our project, BadgeMagic. So, right, it's a wireless project, and as we all know, wireless, that's magic. So, you can magically create text and clip arts on LED name badges using Bluetooth. That's what we're doing with the Badge here, okay? And yeah, you charge it through battery, through USB, so it's a badge, and it can be accessed through Bluetooth. What we are doing, developing an Android app, and also we are looking to develop more and more apps on all the other clients like desktop or iOS and so on. So, what's the story behind it? We found these cool badges everywhere, and everyone loves light and blinky things, and we see a lot of this here at the Congress, but like we had this app here, and this app is like mixed Chinese, it's colorful, even though the badge is just like one color, and there are a lot of issues with this, and a lot of people wanted to do new things with it. So, we thought, how can we develop an open source app?
And we have a large community, but it's often like front end developers, or it's like people who know about server setups and so on, and not so many people who really like hack and decode things, but then we were really happy because we found this guy here, so on, yeah, on Hacker News and everywhere, so there was a guy who said like, let's reverse engineer the LED name badges here using Bluetooth, and he really did it, he put up a blog post, and just like in the great Hacker spirit, then also put it here online on GitHub and shared his work, right? And as we often see here also at the Congress, there's so many cool ideas, but actually often the, like a lot of hackers have this spirit, I hacked it, it's working for me, it's working for my machine, here's the code, do what you want, and they move on. But for us, it's also really nice because we have conferences like the FOSSASIA Summit or the OpenTalk Tech Summit in Berlin, and we want really like everyone to be able to use these badges. So what we did now is, we made a call in the community here that we're working with, for example, our many years in Singapore and Vietnam, and we built this awesome community here around the FOSSASIA free and open source solutions, it's not just software, but also hardware, and we said, hey, now we have this hack, let's make an app for it. So we invited everyone and people showed up, right? So we have this app now, and yesterday I had some comments here of people who said, oh yeah, this is really polished, it looks really like a nice thing, and of course it's on F-Droid, it's on Play Store, we still have a lot of things to solve and make it smoother and so on, but like most of it works, and we also had it already at the camp, and yeah, really nice, you can have clip arts, you can have different directions to show the text and so on, and yeah, do a lot of things, you can make it slower, you can make it faster, and write all kinds of text.
So some developments have happened in the recent months, for example, let's say you really make your badge and you create a lot, you make a clip art, and you know, you make it really nice and you wanna share it with your partner or with your friends and so on. So we implemented now export badges to one device, share your configuration, why not, import, export, then also a nice thing that the original app doesn't have is a drawing thing, so you can now have a drawing mode where you draw on the badge and then you can have it as a badge kind of feature, and there can be a lot of more things that we can do here as well. And of course, like as you can imagine, we had crashes. So we fixed a lot of crashes, interestingly, like most of the developers who joined were like from Vietnam and Malaysia and so on, and they don't use non-Latin scripts, yeah, so interestingly it was a Chinese origin, but we didn't support non-Latin scripts, so we started to do that, we fixed a lot in this direction also, so adding more and more scripts. So get in touch with us here on GitHub, on the channel, or join our CodeHeat contest, which we have, this is how we also invite more people to participate in our projects here at FOSSASIA. It's a coding contest where, for example, the winners could win a trip to the Singapore event in March every year. This is also like BadgeMagic, we just added this project into this contest. Now the question is what is next, of course, talk to us. We have, like in hall two, in the decentralization cluster, an assembly with FOSSASIA and we want to do a lot more things. For example, what you see here, I hope you can recognize this as this kind of small fan and these fans can have different words on it. Why not do this as a next fun project, maybe even add it here into the app where you can configure these fans? Why not do iOS?
I personally don't use iOS, but interestingly here at the Congress, so many people use iOS, so I think we should have an iOS app and some people actually just started. So if you wanna join, just join us as well. And of course, we need the hardware to be open. We have a lot of open hardware projects in FOSSASIA with BadgeMagic. Some people say, oh, that's too simple for me. I'm not interested, but maybe somebody is interested to join this and let's make really the hardware itself also open and that would be cool. Thank you very much. Join us in hall two.

Thank you. Next up is Path Auditor. Auditor, there you go.

Hi, everyone. My name is Siro. I usually like memory corruption bugs, but today in this talk, I want to talk to you about something a little bit else, a different class of vulnerabilities that I thought deserves a little bit more love and show you how you can find them yourself. Because in the end, as long as it gives you a shell, that's okay for us. So I will talk about privilege escalation bugs. So just imagine what happens if you have this. This is code run by some process, which is running as root on your Linux box and it's doing rename /tmp/foo/bar to /tmp/foo/bar/x. So the first thing you might notice here is, well, this doesn't make any sense. You can't move a directory into itself. Like, how is that supposed to happen? But the fun part about this, this is actually a privilege escalation vulnerability. And to understand why, we will have to take a quick look at what the kernel is actually doing. So the kernel will get the syscall. It will take the first path argument first and will resolve it. So it goes to slash, then tmp, foo, bar. It takes a reference to this file. It could be a file or a directory. The kernel doesn't know at this point. And then it goes on to the second one. And that's the same thing again, right? So you just slash, tmp, foo. But on Linux, there are these things called symlinks.
So what if a user can actually write to this directory and just replace this bar with a symlink at this point in time? Then the kernel will follow it. It will go to /etc, for example, and move the file that it got before and move it to a different directory. So if this is running as root, this is bad, right? Because just imagine a user can mess with this and move an arbitrary file to /etc cron, for example, and get it executed later as root. So there are two caveats to this that I want to mention, which is number one, rename only works if it's on the same file system, it will not move across partition boundaries. So if /tmp is just a regular directory, it will work. If it's a tmpfs, this case will not work. The other thing is /tmp is usually a sticky directory and symlinks are a little bit special in sticky directories, but this doesn't apply since we are two directories deep. In any case, you might wonder why I'm using such a complicated example because like this class of bug, there are much better examples than this that are much easier to understand, but well, this was actually a real bug. There's a tool called tmpreaper, which is trying to delete all files in /tmp and was doing exactly this to find out if something is a mount point. So now we want to find these kind of issues at scale to get them fixed, right? So there's a very simple idea that works surprisingly well in practice, which is, well, we can just hook all the functions. What if we can just install hooks on every process on the system running as root, take every function in the libc, like open, rename, whatever it is, just hook the function and whenever you call it, you check the path. You see, you try to figure out, can this path be somehow messed with by a user because that might be unintended side consequences? Like there might be unintended side effects.
Of course, it depends a little bit how the value is used, what the function call is in the end, but it's usually a bug if this happens. So we wrote this tool, me and the co-worker Marta, and you can try it out. It works like this. You build this library, libpath_auditor, it's called. You can use LD_PRELOAD. So the way it works is use LD_PRELOAD. This allows you to load the library into another process and then we can overwrite open, rename, and so on and then just check if the path could have a vulnerability like this and then afterwards, if it does, we just log it to syslog and then you will have afterwards to check out the syslog, find all the alerts and then look at them manually, but usually these are very fun because they always have these tricky side effects. For example, there was one case where a shell script was trying to cat a PID file so to check if the process is still alive and kill it, but then if you cat an arbitrary file and follow symlinks, you might end up putting the content of the file into the arguments and the arguments are visible by every other process on the system so you would leak arbitrary files with this. So there's some really cool bugs in this. So long story short, you can find it on GitHub. If you have any questions, you can ping me on Twitter or I will be at the CTF area most of the time and I'm really sorry, I just noticed the build is broken. I will try to fix it as soon as possible, but in the meantime, you have to fix up the includes like you see on the bottom, just remove the third party mention and then everything should work out of the box. If not, just let me know and I can help you try to debug it. Thank you very much.

Thank you. So next up is this talk. I'm interested how they spell it. I'd say Arschelotl, but let's see.

Okay, my talk is about Axolotl, Axolotl. It's this small animal living in Mexico City, but it's nearly dying because of environmental issues.
But Axolotl is also the encryption mechanism that is used in the Signal Messenger. It's actually renamed to Double Ratchet at the moment, but Axolotl is also the app I'm programming. It's a cross-platform Signal client. It works on nearly all operation platforms. It's written in Golang with Vue.js, HTML, JavaScript, front-end, and you can send messages, link Signal Desktop, create groups, send and receive attachments. Little history. It was developed by a developer that worked for Canonical during the Ubuntu Touch three of them. In Canonical, it's a little bit, it was difficult when I took on the maintenance of that because there wasn't a documented build process and it also wasn't supported by the standard way of writing apps for Ubuntu Touch. So I took over. I included Golang support for Ubuntu Touch. I added database encryption, I added system notification. I still had the problem that on start of the app, the whole database was loaded in memory and so it was really unresponsive when you have 10,000 messages that are loaded. And also we got in contact with Open Whisper to support Ubuntu Touch or an alternative push client to get push messages, but unfortunately, they only support Google and Apple. This summer, I decided to rewrite the front-end and rename it again. It improved a lot. We have a really responsive user interface now, but Open Whisper is still not interested in supporting alternative push clients. But if someone is interested, we can do a merge request on the Signal server GitHub. I think it's only a few hundred lines of code, so it would be possible to do it. Here are some screenshots. The first one is still a QML app. This is how it works on Ubuntu Touch, but I made it also working on Windows, on Raspberry Pi and everywhere, and you can register. And I still need some help because I want to package it and bring it to more people so that they can use it.
I need other people for the different systems to test it because I don't use Windows, for example, so it's always, I'm missing some OSs for testing. And I also need help in some decryption functions that are only in the Java code of the Signal app, and I need to translate it to Golang to show, for example, profile images or prove the Signal identity. That's it, you can try it. It's in the, since some days it's in the snap store, so you can install a snap package, or you can download it from the sources, build it yourself, or I have also the Windows build on GitHub, thanks a lot.

Thank you. Next up is Congress Design on an Oscilloscope.

Yes, hello, I'm Kwanten and I've brought our Congress Design to an Oscilloscope. So what do we have? We have this wonderful Congress design with the quacking characters from LeapTrack, and we have this Congress Design Generator, which is used to let these characters fall down and create cracks. And this is in our motto of the Congress and resource exhaustion. And I saw these cracks and these sharp outlines would be perfect on a vector display. Each significant outline burned into phosphors. So I decided to put it onto an oscilloscope. So what do I need for that? Well, I need the path data of the outline in XY samples because an oscilloscope uses simply an electron beam to burn images on phosphor and you need an X axis to deflect the beam in the one direction and another axis for the other direction. And then I need a path to get this data out of the browser JavaScript into an oscilloscope because I'm not running on the same machine. So Paper.js is a library which all these generators are built around. It's very nice, it's featureful, wonderful to create animations and it was really easy. You just need a for loop and go along the path and get all the points you need along the path. So I calculated I need maybe a thousand points so that is so long, I got longer heaven array of the points.
So in the audio part, I use an audio output to put it onto an oscilloscope and there is a full-featured Web Audio API in JavaScript. You have modular routing, input output nodes, effect nodes so you can basically mix music in your browser while you're mining bitcoins. And I don't notice it until now but it's kind of great but it's the other script but we are at resource exhaustion so it's maybe okay. And yes, it's very easy. Actually you create an audio buffer source, put in both channels and then they will pop out of your headphone jack. All you need to do left is to connect your oscilloscope to your headphone jack and you get in full the image. You see on the left side my laptop and the right side the oscilloscope. I've created a small amplification circuit, not that important, and they don't have a video now here but it's live so you can look at the oscilloscope live where the characters are falling and breaking apart. And you also see some distortions in the oscilloscope image because I don't care about the paths between the characters and all that like that. I will give another longer talk in German today at 1945 at the Karlsruhe stage. It's a non-recording stage so be sure to come around if you want to have a bit more background. I will explain how all these have a history, a bit more details and how you can implement it and give an outlook what you can also do with this wonderful combination of Paper.js and the Web Audio API. So today in 1945 in German, sadly. And if you have any questions, ask me, I am Quanden and you will find me at the Karlsruhe or you can ask me on Twitter at QuintusQuanten, call me up or have a look at the Wiki page. I don't know how it's named. I think it's photos on phosphor and there you can also find everything you need to get in touch with me. Thanks.

Thank you. All right, next up is, are you ready to sustain it? This talk is going to be in German.

Hello, congrats. I'm already too small for you on the screen.
My talk is about sustainability in software. It's a very common term, sustainability. It's actually a clicker. From the forest economy, it's relatively old. Not a production or a European production, there's actually wood everywhere. Because wood has been a scarce resource for a very long time. The Phoenicians have wood from North Africa, the Venetians have wooded the Willebit and Croatia. Before the Romans, who was there in Mesopotamia, they had wooded the Lebanon, so wood was all over the place. Now you don't do that anymore. Now you pay attention to the fact that you take so much out of the forest every year, like you do in one year. That's the basic idea of sustainability. Among other things, the BITZ and Bäumekonferenz last year tried to transfer it to the software industry or IT. They invited natural and environmental associations and set up some sustainability criteria. The government is also taking care of the topic with a parliamentary member of parliament. Switzerland has similar, I think there are initiatives that are not everywhere, but more often, that set up sustainability criteria for each catalog. The Catholic Church has also taken care of sustainability. In hardware production it has also been changed. Now, what are the problems? When large organizations do things, the complexity of the organization changes into the result. It's called Conway. Parkinson says again, software always fills up all resources, needs everything, behaves like a gas, fills up the whole room. And technicians tend to find technical solutions great, especially when they are complicated. That's done on Norman, that's done on Stephen Crook, or Eric Evans in a book on physical literature. And complexity seems to be impressive and good to come. That's not good, if it's about the reduction of complexity, so things get easier. The whole thing is fed up of the possibility to do that, because the law of Moors brings about exponential growth for about 50 years. 
That means it was never reasonable to be save, because in a short time the hardware, the poorly programmed software, was still supported. That's already 25 years ago. Niklaus Wirt didn't like it at all. He presented a set of software explosions. It's also available in English, because the German foreman is unfortunately not digitized in the G.I. library at the spring exhibition. There is only the reference on the article, but not the article itself. The English, which he kept a year later, is available at Daniel Bernstein's website as a tolerated copy, probably. Also, Dijkstra has mentioned the problem. So, complexity as an adult is a problem. Software can only exist, because the hardware is incredibly accessible in its performance. Now, what can you do there? There are different small and individual organizations and individual people who are trying to show alternatives. But I think it only helps to take a radical step and to say that software has to come out without growth. That means that my today's software, which I find great and like to use, or which I have built or just build, has to be secure in the future, even if it can run on old hardware. And there is a pretty big time frame for five years. And funnily, the same criterion for the very new, blue angel for software, which also requires that software run on five-year-old systems. Because only then is it believable that this software can be used without growth of the basic hardware resources and does not require new hardware investments. That is the reason that software is the driver of hardware investments. I would like to talk about this topic in a discussion tonight. In the Vintage Computer Cluster, at 8 o'clock, who has time and desire to fight over this topic, to contribute something positive, to be destructive, to handle what always happens, I would be very interested if you come by. Your opinion tells me how can IT industry achieve zero growth. Thank you for your attention. 
A nice congrats and wash your hands.

Thank you. So next up is Free Pascal.

Hello, together. My name is Pascal Drakken. I am a developer of the Free Pascal compiler and I'd like to give you a quick overview of this open source cross-platform Object Pascal compiler. Quick history. It was originally started by Florian Glemfel on age two, 1993, originally written in Turbo Pascal and targeted the GO32 version one DOS extender. Thus, it was a 16-bit application generating 32-bit code. In 1995, the compiler was able to compile itself. Thus, became a 32-bit application as well. Soon after, the first ports to other operating systems like Linux and OS/2, as well as the first other CPU, namely the Motorola 68000, followed. In 2005, Free Pascal was the first open source compiler for Windows 64 because we had our own internal linker and assembler as the GNU binutils weren't ready yet. Free Pascal is an open source compiler. The compiler and the tools are licensed as GPL version two or newer, while the RTL and the code library is licensed as LGPL version two with a static linking exception. This allows closed source applications to statically link against the RTL and the code library without violating the license. Free Pascal is a cross-platform compiler. We support various processor architectures. For example, x86 in 16, 32, and 64-bit flavors. ARM in 32 and 64-bit, PowerPC in 32 and 64-bit. The Motorola 68000. Our youngest target is RISC-V, also with 32 and 64-bit support. And we also support AVR as an 8-bit target. And we also support the JVM as a back-end, which includes Android, and we have a WebAssembly back-end in development. And as a speciality, we have a Pascal to JavaScript transpiler in the form of the tool pas2js. We also support a variety of operating systems. This includes the big Windows in 32 and 64-bit, Windows CE, or formerly called Windows Mobile. Also, Windows 3.11.
We support various Unix-like systems, like Linux, Mac OS X, or nowadays macOS, as well as Free-, Open-, Net- and DragonFly BSD. We support the Amiga-likes, namely Amiga 3.x on the Motorola 68000, Amiga 4.x on the PowerPC, MorphOS, as well as AROS. We also support various other operating systems, like OS/2, DOS with and without a DOS extender, the Atari ST, Mac OS Classic, and various gaming platforms by Nintendo, namely Game Boy Advance, Nintendo DS, Nintendo Wii, and the Switch through a third-party developer. And we also support developing on bare-bone hardware, which is mostly used for the AVR and ARM. Free Pascal is an Object Pascal compiler. We support various existing language dialects through a mode concept, which allows to select the language modes for a parallel compilation unit. We cover various existing dialects, like Turbo Pascal, Delphi, Mac Pascal, as well as the two Pascal standards, ISO Pascal and Extended ISO Pascal. We also have two custom dialects that are similar to the Turbo Pascal and Delphi dialects, but have a few differences and restrictions. Free Pascal has a namespace module-like concept through units, which allows for fast compilation, which is also why C++ developers wanted. As the name says, this is an object-oriented programming language. We have virtual methods, interfaces, a class-meter type, something I really miss from C++ sometimes. We have extensive runtime type information, which is the basis for an IDE like Lazarus to retrieve information about the running code at runtime. And we also support generics, which are a bit of a hybrid between C++ templates and C-sharp Java generics. If I've made you curious, give it a try. The current release is 3.04, and you can download it at freepascal.org for various platforms. I also suggest you to use the Lazarus IDE in version 2.06, which you can get at lazarus-ide.org. You can also, if you have questions, talk to me on the congress. I should be recognized, I have no theory.
But that's it, thank you very much. Thank you. Next up is the Telnet Challenge, aka Winkekartzen Challenge. It's going to be a German talk. Hello, my name is Dario. We are an assembly. You can see the foil down there. Yes, I'm so cool. We are an assembly that has been founded here at the congress and has been an assembly for three years. We met at 30, the first time, and put together a group at one of the free tables. And for three years, we are doing our own assembly to give the community a bit of something back to do something. What do we do? We do stickers, which are always very popular, and our stickers have the advantage that they are actually not advertising for anything, so for a hacker space or something, but they just say that Telnet is a clear text and you should tell the truth, but should get to the point quickly. These are the stickers of the last congress. The lowest one you can get from us. What we also offer, we buy a lot at Aliexpress. I always put all the stuff in here. And if someone really wants to do something here, but doesn't have any parts, they can have it with us, although we don't try to win with it, but only to support the people who want to build something now and don't want to wait for eternity to wait for the Aliexpress stuff. But we also offer you to advise how to build the stuff properly. So, if you have a problem, how can you connect a motor to a GPIO or something like that? You are right about that. What we also did, we bought quite a lot of light ions and glued them on a tonne. You can see them out there and that's why you find us. That's our warning sign to find us quickly. And the most interesting thing for everyone is that we do a challenge. We used to call it the angle cat challenge. Today we call it the telnet challenge. And who wins, we bring a cat to the angle that stands next to us, the winning T-shirt. Two years ago, there was the T-shirt with telnet clear text on it. Then there was the lower one. 
And now there is what I have on it, but in black. We have different sizes, you just have to bring the cat to the angle. Then it just comes to us when he wants to do that. That's a spoiler for the first and the last stage. So in the first stage you see a hot wire that you have to create. The last one is the cat in the background that you have to bring to the angle. And when he can do that, then he wins the T-shirt. We finance it all ourselves. You can give us donations and maybe get T-shirts too. To handle the long way of the challenge. I think the fastest. We already have beta tests behind us. We did it yesterday so you don't have to do it. Of course, as it is in the live test. And 10 people, so 10 groups have already made it. I think the fastest had something with 7 hours and 40 minutes, where some say they slept in between. So it doesn't matter to stay there all the time. You can see it as such a CTF to win practically a T-shirt. So that's it. I wanted to give a little more time for others. Thank you.

Thank you. Next up is unconventional tactics for online campaigning.

Hey there. My name is Lena Rieger and I am digital campaigner and designer for nonprofits across Europe. My topic today is unconventional tactics for digital campaigning. And to start with, I just have a question for you. Did any one of you take an online petition within the last year? Okay, nice. That's quite some engagement because online petitions may be the most important and most common tactic in online campaigning. But my question is, are there more ways to reach out to a target or maybe engage your supporter more? And there are plenty of them. And I'm just going to introduce a few of them today. So one thing you can do is to use localized data to personalize your issue more. Let's take the example of cyclist safety. If I give you the number of cyclist accidents for the whole country, let's say Germany, you might not be able to relate to that number because it's just too big.
But if I break that down to your city, your region, maybe your neighborhood, you might be able to access this number and to relate to the topic. Simple implementation of this could look like just a simple online form where the supporter types in his postcode. This form is connected to data about cyclist accidents. You provide the number of the accidents happening in the immediate surroundings of the supporter. And the supporter is able to relate to that number and engages with your topic. We love engaged supporters because we can ask them for more. You could, for example, ask them to block your target's phone lines. So this tactic works like this. You have an engaged supporter. Of course, you provide the number of your target's office. Make sure that the target's office is staffed at that day. And then you provide a phone script where you can list arguments that your supporter could say to your target. Then you invite them to call your target's office. And of course, this tactic is way more effort for your supporter, but also the effect is so much higher than just writing an email or signing an online petition because the office of your target has to answer directly to that call. Another tactic, ad busting your target's office. So ad busting works quite well at conferences or events where a very specific target audience is in one place. So let's say you want to campaign for cycle safety at an automotive conference like ERR. What you do in advance, you prepare ads on Facebook and Google which are telling about your campaign, about your topic. And then you use IP targeting to show those messages, those ads, only in the block where the conference or the event is happening. So at the conference or participants of the conference, it will look like these ads are all over the internet. And for you, it's a really cheap way to get a message across to a very specific target audience. So last one is a sneaky one. You could spoof your target's website.
This also works quite well with events and conferences because participants of conferences tend to Google the conference website to look at the program or to check the location. And with targeted ads and smart SEO, you can lead those participants to another website, your website that might look similar but has your message and your campaign on it. Yeah, of course it makes sense to always check the legal risks with those tactics. And I'm very happy to talk about this. Thank you.

All the speakers are on time and we have like six minutes right now of free time. But we'll continue with the next talk. TSDB mal anders, it's going to be a German talk, I think.

Hello. My name is Zivilchen. I'm going to tell you something about TSDB. What is that? Time series database. Put simply, it's just a database. A simple key-value store. The key here is a point in time. That means a value is stored for a specific time. And for this value, or for this data, there is little or no meta information. And usually the data is written once and after that only read. The classic use case for this is monitoring. All of you know this. Web server requests per second, or for any system, CPU load, RAM usage, disk usage, whatever. It used to look like this, this is the classic, RRDtool: as you can see in the graph, it stores, at specific times, how many bits per second went over the line. Nowadays you get this in pretty, but it's still the same thing. I see some value at some point in time. What can you do with it when it's not about monitoring? I've brought a use case from industry. Imagine your energy supplier doesn't just deliver electricity to you, but you can choose where it comes from. Energy suppliers basically work in 15-minute intervals in everything they do. You surely know this too: all the smart meters that are about to be rolled out record your electricity consumption in 15-minute intervals. But the internal processes at the energy suppliers also all work in 15-minute intervals. At times it was even written in the legal text. And with MSCONS there is an industry EDI standard that also works on a 15-minute basis. If you now had the option to choose which power plant should supply you in which order, you can imagine that, depending on the order in which you arrange them, your electricity consumption is composed differently. Since all the data is available in 15-minute intervals, you can of course also present it nicely as graphs and look at the annual consumption, where you then see that there is less sun in winter than in summer. And if you zoom in, you also see that there is more sun during the day than at night. That would be a nice use case. But it's still relatively boring, so I'll come to the creative part. Who of you was at 34C3 and looked at this gorgeous slide in the Infrastructure Review? This is the dashboard of the NOC. This is the internet traffic of 34C3. And the NOC asked itself at the time, what the hell happened there? And after some pondering it found out that this is Morse code. This is Morse code for 34C3. That was two years ago. Last year someone was a bit, well, had more time. But there's more you can do. This is the dashboard of Eventphone, of the POC. I don't know who of you has seen it before. It's reachable at dashboardeventphone.de. The funny part is not the things at the bottom, but what happens when you hover the mouse pointer up there. Because those are not images, those are time series data. How does the whole thing work? Here's an example of how to draw a pixel: you draw, or rather you generate, suitable metrics, stack them on top of each other as a stack, color them appropriately, or say that the color should go away, and then you simply have a pixel. To show you this with an example, I went to the trouble of generating a few metrics and then stacking them on top of each other and coloring them. And because that's no fun by hand, you can download the code for it; you just throw an image in and pretty pictures come out, or rather pretty graphs come out. And yes, I'd be happy if we find someone at the event who happens to have access to a somewhat fatter internet connection and grants the NOC the wish that this time it's not Morse code. Thank you very much.

Let's go.

Yeah, this year I've worked on my master thesis and I came along a lot of problems. And well, a lot of papers and articles focus on new results, but there's little reproduction. I had to reproduce something, but there was no source code. The technical details in the paper, let's say they were almost non-existent and the framework that was used was kind of, it was a known one, but it was really complicated. So basically I had to implement everything from scratch, which is not what should happen. So it cost me a lot of time. So what can be done better about it? Well, first, if you do any research, release your source code. It isn't that difficult and it helps everyone else a great way. Second, every little detail like hyperparameters, what other parameters are used documented in the paper and if that may be too long then in the appendices or some other way, but definitely documented, make it known to the people because it shouldn't require month-long tries and writing to the author to get somehow understanding what actually was done. It should be inferrable from the paper itself. So that should all you need to know. Third, use a common machine learning framework. For example, TensorFlow 2.0, there are others, but don't invent your own one.
Maybe that's more intellectually challenging, but everyone else will hate you for it, so just don't do it and save everyone a lot of trouble and use a known one so they can get to work and use your results faster. Fourth, write source code in package form. For example, in Python, which is used very often in machine learning, it's very easy. There's like the Python package index, so just prepare your things for that so you can upload it after you hand it in your publication so others can simply install it and have all the required dependencies in one command and don't need to search around and try to find how this thing can be run. So only the data sets, which are too large to put in as an dependencies, have to be downloaded manually, but everything else will be ready. And five, follow clean code rules. So, I mean, we all know this thing, we write something in school and then years later we can read it ourselves. Well, in source code, while it's written with a machine, you can see the letters, but you don't necessarily understand them anymore. So just write cleanly, search in the favorite search engine and just follow that. It isn't that difficult. And maybe follow a pledge, hold yourself and others to these five rules. And if you're a journal editor or know someone who is, maybe don't accept publications that don't fulfill these five points. And if enough journals would follow that, then it would be adopted in mass very fast. So I think that saves a lot of people a lot of time and doesn't take too much time from you. Thank you. Thank you. So next up is accessibility for adult autistics and at larger events. Nope. So, there we go. Ah, okay. Hello. So it's about accessibility for autistics at large events. Children are not my department, so it's only for adults. The first thing I would like to encourage, oh, why do I need that? Maybe we don't have autistics. You probably do. And considering accessibility helps everyone. 
Like a person in a wheelchair needs an elevator to get to the third floor, but everybody is happy to get to the third floor with an elevator when they're sick, for instance. So we are all disabled sometimes and it helps the quality of your event if you consider those things. Tolerate odd behavior and make policies to tolerate odd behavior. Just don't force people to be all the same. You know that, but make policies. Allow people to leave the room at any time. Some people want to smoke, some people want to pee, and some people want to be alone for a moment. Make it allowed. Don't force people into the party. Often autistics have trouble with sensory simulation and social situations. Also, they know what is best for them. It's good to give people a chance to be alone, but also to give people a chance to be in a group in a way that's not over-stimulating. For instance, here we have the quiet cube, which is like a quieter hug center where people can participate in the Congress, but not be too overwhelmed. Be predictable with your schedule. For instance, like this, indicate when there are the social times so people can plan their stay and leave when they need. Autistics often really like to plan. School year medical stuff, in a nutshell. Problems with autistics is that they are overwhelmed. There is too much information they are going, and so that happens a lot to autistics and quite intensely. That don't mean to be very angry, like to appear like in a rage, and shutdowns mean to not talk, to look unconscious or asleep. Those things happen. Don't unnecessarily touch people. If you know that they are autistic, because touch can also be overwhelming and have a place where people can calm down. This is a bonus level. If you want to be all creatures welcome event, you can print cards for people who cannot talk at the moment. It makes them feel more invited. Those cards might not fit everybody, but it's a good sign to tell them that they are invited. 
If you want to talk more, you can contact c3auti or me, or come to the QuietCube and ask. We're happy to help. Thank you.

Thank you. So next up is going to be disruption-tolerant networking. We are also disruption tolerant here. Delay tolerant, especially. All right, go ahead.

Hi. Have you pressed the black button? What? Wait a minute. No, no. So. That's good. Okay, so some delay as for the topic. So today I'm going to give you a brief introduction into the world of delay or disruption tolerant networking and put away all this with the DTN7 software, or dtn7-go to be precise. Even today we have a lot of situations where you don't have some reliable uplink. For example, your internet access is blocked or you don't have any infrastructure, for example, in disaster scenarios. Also, you have transmissions from rural areas, for example, for your sensor network, or if you have the digital GIPFIL somewhere in Brandenburg. Furthermore, perhaps you're somewhere in deep space so you can't plug in your internet. The typical solution is some wireless mesh networking, but even nowadays there are situations where your mesh network doesn't fulfill your purpose, doesn't help you. So here we have the picture of the typical mesh network as in your Freifunk community. So if you want to establish a connection from the left to the right node, your routing algorithm just determines the path, for example, the dotted one, and you can exchange packets. However, for TCP, for example, you need the round trip so you have to send packets forth and back, forth and back. If your nodes are very far away from each other, this could take some time, for example, because you have such low bandwidth. Furthermore, if your link breaks down, for example, like here, TCP doesn't work nicely anymore because TCP isn't designed for partitioned networks. Yeah, in real life, you don't have those connected components.
For example, if you're in a disaster scenario and you're somewhere outside with your smartphone, you're in your group with your peer group with your people, and you just have small mesh networks for yourself, but you cannot connect to the other ones. So it's always just small groups. Furthermore, people are switching between these groups. So you have some kind of mobility in those. So we have some network where you don't want any end-to-end connection, you don't want extra network round trips or extra packets, and well, it must also work if it's not really connected and the nodes are moving. So that's where we're coming to delay or disruption-tolerant networking. In DTN, packets are transmitted hop-by-hop in a store-carry-forward manner. So packets are just exchanged from node to node when they're meeting. For example, opportunistically, because they're just passing by or it's scheduled, for example, for satellites in space. This looks like here in this example, we have these two groups as before, and the upper node wants to transmit some data to the lower one. Now, the upper node creates a package and it owns this package now, it has it, and it will transmit it to its neighboring nodes in this time in the same component. Now the node from the lower component moves up because it has some kind of ability, gets a package, moves back, and now it's delivered. So this is not really possible with the Internet Protocol and TCP, especially TCP. So there are other protocols, for example, the bundle protocol, and there's currently an IETF draft, dtn-bpbis-17, which just describes such an architecture. It aims to obsolete this old RFC 5050. So there you have the package looking like this one. You have the primary block with your metadata, like in your IP header, and then you have canonical other blocks.
At the end, you have a payload block where your payload is there, obviously, in this case, hello 36C3, and you can have other blocks, for example, a hop count block, which is the same like a hop count in the current version of the Internet Protocol. So you can just extend your bundles of transport. All these is implemented in our software we're going to present here. It's dtn7-go, and it's obviously implementation of this delay-tolerant networking with the bundle protocol. It's also a router, and it has an interface to be programmed for or to be received packages. Those bundles, as shown earlier, like the packages, can be exchanged over different protocols, like TCP-based or the physical layer of LoRa. So we have small antennas where you can exchange the packets. Everything else is possible with an interface for this. Furthermore, before I just saw a sets you package exchange from node to node, but if you have a huge network, you want to have some kind of intelligent routing. So we have different routing algorithms as shown there. Furthermore, you can create these packages with our API or just use our software as a library. That's it. Thanks.

Thank you. Next up is Tesla Radar.

Hello, my name is Martin, and I'm talking about Tesla Radar in a very brief talk today. First, a little bit of an introduction about myself. My name is Martin, and I'm known for Bluetooth security research. And that is so long ago that I think most of you won't even remember. I'm having a hard time remembering this, too. And this is my 21st consecutive Congress. And of course, I'm a Model 3 owner, and that's why I came into this research. So what's the issue? Some Tesla Model 3, some Tesla models always transmit a unique ID via Bluetooth Low Energy. This is most known the Model 3 and most likely also upcoming models like the Model Y that implement the so-called phone key feature.
This is a keyless go kind of technology that doesn't require a key fob, but uses your own mobile in order to unlock the car and allows you to drive the car without a key. And this ID that is transmitted continuously is required for this phone key feature. So the thing is that this ID does not change over time, and you cannot turn it off. So it's a beacon you're driving around that everybody else is able to spot and can locate. So anyone can track vehicles without effort, and this is, at least in Europe, a privacy issue. And that could facilitate car theft, car crashing. I don't know if you know what that is. A friend brought that up to me. That's when people wait with their cars at intersections and wait for a well-insured car to come around the corner, which has no right of way, and they just enter the intersection, and the car crashes into their car, and they make some money out of that. So that could be facilitated with that as well. Of course, speed measurement is something you can use it for, and worst of all, is that it facilitates automated personal observation. So the situation at the moment is I wrote a letter to Tesla and told them that I believe this is a privacy issue, and they replied back very friendly and very professionally that they see that differently, and they say that, because there's so many automated license plate readers around in the country anyways, so it doesn't really make a big difference if they would randomize any identifiers with their cars. So ALPR, that's this license plate reader technology, that is an argument for the USA. It's a lazy excuse, some would say, but in Europe there's at least the GDPR. So if only there was an app for that, I thought, and there was no app that helped addressing this issue. So I did this Android app, which is called Tesla Radar, and it's a little bit like Pokemon Go. 
It has the intention to raise awareness for the issue by spotting all these Teslas that you find when you wander around with this app, and it transmits it back to the server where a heat map is generated out of the locations of the detected cars, and of course there's gamification in the app, and of course this should lead to a situation where Tesla fixes the issue eventually. So please consider to install the app, share your data with the service, collect Radar score, and enjoy gamification. And please, please pay attention to the ads. It's a free app, but it's ad supported, and you don't have to be really interested in anything you see. Just give it a try clicking on it. So if you're still not convinced that you should go for the app, you're in very good company. The guy you see there is Thomas from the Netherlands. He's an electronics engineer, and he took it to the next level, in my opinion. He installed a Tesla Radar station next to a highway in the Netherlands, and he's leading the rankings from then on. So he's spotted by himself like 2,000 unique cars in about one month time. And finally, that's the thank you. You see, it's already 16 different countries, 4,700 and a little bit different cars that have been spotted, and I would be really thankful if you joined in. Find me afterwards, I have stickers, and I will most likely hang around the Telnet assembly, and if you want to talk to me, find me there. Thank you. Thank you. Next up is open source licenses. My name is Hong Fu Tang. I'm speaking on behalf of the open source initiative. So I thought I'd start with a very quick English version of Chappity, as I couldn't play last night, a Privation 1000, OSI. What is open source initiative? OSD, what is open source definition? So open source initiative is a global non-profit organization that looks after the open source definition. We are also the community recognized body for reviewing and approving open source licenses. Open source definition. 
This is a document that is published by us to determine whether a software license can be labeled as the open source certification mark, or we call it OSI certify. This open source definition was originally derived from the Debian Free Software Guidelines. So open source doesn't just mean access to the source code, but also the distribution terms of open source software must comply with the following criteria that you can find on our website. OpenSource.org, GPL, MIT, Apache License, Mozilla Public License, these are very popular open source licenses that were approved by the OSI, but these are not all. If you go to our website, you will find close to 100 other open source approved licenses. The core purpose of the license review process is to provide software freedom and to ensure that any approved open source license comply again with the open source definition. Some interesting fact about the process. All the licenses must go through a public review process. There is a community discussion on every single license on a mailing list and the decision process normally takes up to 60 days and an extra 30 days if there is a submission of a revised version. How to submit a request? You need to understand the open source definition and ensure that your license complies with it. Identify the submission type, ensure you have an appropriate standing to submit a short request, join the license review mailing list and submit a formal request by just sending an email to that list. Go to opensource.org/approval for all the details. Or you can also find me at the end. If you have a question, I am at the Dritico de-centralization in hall two where all the colorful Asian-looking tables are. Or you can also send me physical mails. I love them. And if you vote on your address, I will reply within the Congress. So that's it. Thank you very much.

All right, thank you. Next up is Soldering Workshops.

Hi. Okay, so my first slide is where the hardware hacking area is.
It's basically across the hall, right towards the bathroom on the left side if you go on the main door. So how do I switch slides? Okay, so what is the hardware hacking area for? We basically have over 100 soldering irons, 30 of which are just dedicated to people wanting to solder anytime they want. You can bring whatever you want to solder. If you didn't bring anything to Congress that you want to solder, we also are selling kits mostly between about noon and five every day. And I also made a badge this year that is in my pocket. Basically this little soldering kit and it's by donation. And the donations will determine what my budget is next year. So if you think 600 isn't enough for Congress, donate more than what you think it's worth because that will determine how many I get to make next year. Because I'm not rich. Okay, so I'm also teaching a number of workshops and my workshop that I'm doing tonight, tomorrow and the next day is an introduction to Arduino soldering and programming. And it's basically one hour of soldering for surface mount and through hole soldering and then one hour of learning digital input, analog input, analog output. And my goal is to stay there until everybody's shield works. And you sign up between three and five today or tomorrow albeit the hardware hacking area. My other workshop that I'm doing tomorrow night is building this toy, which you can see what they're doing on the video. The one labeled recharge, you basically push it and it's to recharge yourself. So to take a moment to just relax. It was designed because a person in my hardware hacking space has a very anxious girlfriend who needs to constantly remember to just take a moment to calm down before giving a speech and so on. The other one is just a toy where if you push it with the right tempo it will change directions or get brighter. And that's just to learn through hole soldering and that's the slide in case the video didn't work. 
This is surface mount for terrified beginners. It's taught 10 different times during Congress. There's a sign up sheet at the end of the kit sales area in the hardware hacking area. If you wanna take that workshop, there are still spaces left. This is sold out. There are still spaces for this workshop where you build an Ardu Synth that's taught by Mitch Altman. So the first two workshops that I talked about with the recharge in the heart or the intro to Arduino, that's my workshop, the rest are just other people's. This is where you build a music synthesizer and there's still a few spots left. The MAKERbuino is sold out. I believe this one may have a couple spots left and basically you build your own Geiger counter. There's an air quality monitor workshop and all of the information on how to sign up for the workshops given by other people are on the hardware hacking area website, Wiki, and then follow all of their directions on how to get the kit and sign up. And then there's two FPGA workshops. One is to build a stopwatch and I believe it is free and it's tonight and you borrow the materials, which is how it can be free because these are not cheap kits. If you wanna buy the kit, you have to talk to the workshop giver. And then there's also this FPGA in your USB port workshop and that's all. Thank you.

And next up is exciting developments around Linux on phones, very tiny. Thank you.

So my name is Jan, I'm from the UBports project, so obviously I am not an independent source on this topic, but I wanted to use this opportunity to spread my propaganda anyways. So Linux on phones, why even bother? Yeah, because Android is not great. There's many other reasons. I talked about this last year, but this year I would just want to quickly remind you of some of the projects that are exciting right now.
This is my personal opinion, so we won't target all the projects they are in this area because there's a lot going on actually, but I just want to remind you of some of the things that are going to be interesting next year. First one, obviously, since I'm from Ubipods, is Ubuntu Touch. Ubuntu Touch started out as the official version for phones from Ubuntu, from Canonico. It was moved to a community project which is Ubipods two years ago. And it's still going strong, and I think that's an exciting one to watch. Next one, obviously, I have to talk about KDE Plasma, which is an adaption of, yeah, Plasma Mobile, which is an adaption of KDE Plasma for mobile devices. Very exciting. It's not entirely meant for daily use yet, but they are really getting there. It's really amazing what they are achieving in fairly short time, and it's going to be very, very interesting, I think. Post-market OS, it's a little different. They have some different architectural approaches, but they are truly amazing in what they do. They really challenge what everybody is doing, and their focus is on improving the longevity of phones. So you can really use a phone that is 10 years old, and it runs just fine. It's based on Alpine Linux, which is very, very lightweight. So it works amazingly on really old hardware as well. Also not meant for daily use yet, but we might see this change this year, or at least in the next two years maybe. So let's talk some hardware. Very exciting is the Pine Phone. The Pine Phone is a company that originally made kind of a Raspberry Pi clone, but they then moved on and made a laptop and made a phone. Now I'm making a phone, and it's starting to ship now. It comes in at $150, it's free hardware. It's very exciting, I think. And it's actual Linux on there, and the software is provided by open source communities. So it's very non-corporate, I think, as non-corporate as it gets. If you want corporate, this might also be something interesting for you. 
So this is an up-and-coming German startup. They are trying to make a phone entirely in the EU, I think mostly in Germany, actually. And they are experimenting with different alternative or mobile operating systems as well. So here you see Ubuntu Touch running on the prototype. So how do I install if I don't want to buy an expensive device? Because most of the supported ones are actually fairly old, so they are available on the cheap. So this is the Ubipods installer. Ubipods fairly early on said, okay, we need to make it as easy as possible to install on third-party hardware so you can just pick up a Nexus 5 used for like 50 euros on eBay, and then run the installer. So the installer tries to make it as easy as possible so your grandma could install Ubuntu Touch on her device, herself without you looking over her shoulder. That's the goal, really. And now we're working on getting other operating systems in there. So if there's someone in the audience who's maintaining any Android alternative or even an Android derivative that needs to be easier to install, hit me up or go to github.com slash e-reports, slash e-reports installer and contribute your installation instructions there. We created a config file format to make it really easy to describe what needs to happen, what the installer needs to do to install on the device. So you just have to activate developer mode and the rest happens automatically, basically. So that's it. Here are the links that we talked about. On the other side, you see how to get in touch. Yeah, it's gonna be really interesting to see what happens with all of this with Linux on mobile devices. So yeah, take care, thanks. Thank you. All right, next up is hacking ecology. Let's go. Yeah, hi, I'm Mario and welcome by hacking ecology part two. In the last year, we had a talk by Theodor, who had a talk in the same title. And afterwards, the question is, how can hackers and hackers contribute to different environmental projects? 
And this year, we've included four very specific projects. The first is Veeded. It's just about visualizing data. A lot of data is available on the Internet, for example, from NASA, from the World Bank, from the UN, from various weather services. But they're hard to get rid of because there are different data formats, different websites, and different data banks. And here we can help, by building a good visualization tool in the web, with which data can be easily visualized and made visible. Because basically, it's like there are a lot of complicated trends in the world. For example, the rising temperature through climate change, but also our rising energy consumption with all energy carriers, or also the distribution rates. The second project is Snooze Against the Machine. And you may all know that. Actually, you wanted to do something for the environment, for social projects, against the capitalist society of defense. You wanted the revolution, but sometimes you just wanted to sleep. Luckily, that's no longer a contradiction, but what we want to do here is to develop an easy app, where every time you press the snooze button, you'll be spending, and that's an organization of your choice. You can choose freely which contracts and organizations also inform about the health risks of snoozing, so relatively straightforward project. And ideally, we would combine the whole thing with voice commands that you don't have to stand up anymore to press the snooze button tomorrow, but you just have to shut up and take my money, say, it's off, it's spending money, and you can sleep in peace with a good conscience. Okay, the third project, it's about root surgery. That's what my colleagues in the research do. They know very, very little about the underground. How do plants grow underground? And at the same time, soil is one of the largest nitrogen sinks in the world. And what we want to do is to monitor this root growth somehow. 
And what you do is a kind of transparent tube, leave a nitrogen near the ground and build a scanner layer that turns once a day, and the root growth around these tubes scans. There are such devices, it costs 20,000 euros and they don't work well. And it's actually a very simple project. We want to use a mobile document scanner to separate the screws. I brought that with me. Maybe someone knows how to use microcontrollers with 3D printing, then the person can help with this project here. And the fourth project, we actually want to communicate with each other. The main problem here is that a lot of re-kits die every year in the mill of large mill machines, because these animals just duck away and don't run away in this young stadium. And then they guess, when they have enough in the mill, because they are not away. This project already exists for wildfires. What you do is to use drones with infrared cameras to find these animals. And what is currently missing is just a navigation app that can be directed and navigated by the ground team. That can be said, Person XY runs to point P, 30 meters north-east, did the animal find it or not, to just save these animals there. Also a relatively simple straightforward app, where we personally can't help, but maybe someone has an interest in you and wants to participate there. If you basically have one of these projects interested, then please come by. We have reserved a small space in Vicky Packer tomorrow at 9 o'clock in the Vicky Packer library. And if you see this talk online, then you can also contact us via e-mail. Maybe later as a video recording, just write to us. We are happy if people come from you and want to help us. I find that all very exciting projects. Thank you. Thank you. Thank you. Next up is make peace time, make peace with accounting, make peace time with accounting. Wait a minute, where is it? There we go. Make peace and time with accounting. Hello everyone. 
All right, so my name is Luis and my day job is programming, but I'm tracking my finances with GnuCash since late 2016. And GnuCash is an accounting software that has been developed since the late 90s, so it's pretty mature. And it's free as in free speech and free as in free beer. And it works in about any operating system. And for the accountants here, GnuCash uses the voluntary accounting, which I'm going to define a little bit next. So accounting lets you track money movements across accounts. And accounts can be, for example, your bank account, your checking or savings account, or a retirement account if you're in the US, or life insurance if you're in France, and I'm sure Germany has something similar. Or an account can represent where money is coming from, for example, your salary, or salaries if you work in different companies, or tips, or wages, any kind of wages. And our accounts can represent where money is going to, for example, food, transportation, services, for example, your phone bills, internet bills, any kind of bills. Or accounts can also represent how much money you owe, so any kind of debt, a student loan, or taxes you'll have to pay at a later date. And an accounting book is a collection of such accounts. So an accounting book centralizes all those accounts. And accounts let you categorize your finances. And centralizing and categorizing your finances has a lot of benefits. So, for example, I think one of the most obvious ones is to be able to track how you're spending your money. For example, one thing I like to do is to sort recurring expenses from non-recurring expenses, right? So recurring expenses are going to be bills that are going to be likely paid automatically every month. For example, my phone bill, streaming services, internet bill, electricity, whatever, from other expenses. For example, traveling to CCC is something I do, like, you know, it's a one-off operation. And doing that may help you compress your budget. 
So, you know, like, how much money you're spending every month? By knowing how you're spending it, you can maybe like, you know, spend less. Or like, you know, a way, you know, oh, I'm spending this much for streaming, or like, but do I really like watch this many movies every month or something like this, right? Or do I need to pay this much for my phone bill? Doing accounting can also help you, like, spot hidden fees. For example, like banks, especially in the U.S., really like hidden fees. Like, you pay for something, and they'll add up a fee on top of it, and they won't tell you, right? And by doing accounting, you can spot that very easily. And something I like to do, for example, is, you know, at the end of the year, you go see a banker and tell him, oh, there is so much I spent as fees with your bank. Can you do something about it? You know, it's like, it gives you that power. Doing accounting also lets you catch mistakes very easily. For example, that happened to me, I made a check, and six months later, it was cashed out for a completely different sum, much bigger sum. And I would never have caught that without doing accounting, because I would have forgot about it. I was like, I would have said, oh, that must be the right amount. Or also, missed reimbursements, right? You like, loan some money to someone or something. By doing accounting, you can, remember, you can see that you've given money out, or you can also do that to track how much money insurances are supposed to give you back. And overall, doing that can reduce anxiety about your financial situation. And that's why I'm saying, you can make peace by doing accounting. And a lot of things, real money, can be very anxiety inducing. For example, that can create a lot of anxiety. Taxes can create a lot of anxiety. And doing accounting really helps with that. 
Also, you can save time with accounting because by having all your financial information categorized and centralized, you know any amount you might need for any kind of computation or projection on your finances. For example, taxes are very complicated in the US, and knowing all your different kind of income, whether they're salary or interest or dividends, or tips that really helps you project and compute taxes, even though we have software to help you with that. There's other benefits that are not coming from centralization or categorization. One thing that I like about accounting is, for example, you can actually make banks compete with each other. You don't have to trust what people usually do is that one bank and that bank has some features to do that categorization thing. By doing it yourself, you can really have banks compete with each other. They have more interesting rates or fees. And you can also not trust a single entity with all your financial information. One thing that your bank cannot do is track your cash expenses, right? You just get money from the ATM, spend it. The bank doesn't know how you're spending it. Cash is anonymous and it's a really powerful thing. But you might want to track it with accounting. You can also track checks. Checks are still not being used anymore, but oftentimes it happens. You have to use them. And it's really annoying when you make a check and then it's not cashed out for six months. You can track that with accounting and you're not surprised when a check is being cashed out. Doing accounting is a great first step towards running personal or business finances. It's especially great for running non-profit organizations or small businesses. It will also help you understand economy and politics. It's a great step towards that. There is also a few bad reasons for I think not doing it. One is that accounting only serves rich people. I don't think that's true. 
I think that middle-class people, people with less income will also benefit a lot from accounting and from being able to see how they're spending their money and can plan for future projects better. It's boring and takes so much time. That's completely true, but I think you're gonna get that time back by doing that, by having more money for projects. And I don't think I'm gonna have time for the last one, but X does it for me. Maybe you wanna reconsider that. If X works for you, maybe you keep it, but you always have a conflict of interest with anyone handing your finances because they want your money, but you also want your money. And doing accounting yourself helps you resolve that conflict of interest. No one can manage your money better than yourself. And that's it. I will help you set up GnuCash at Congress, so feel free to contact me and tomorrow I'll explain how development really works. Thank you. Thank you. As long as we are not over time, we can arrange something with the countdown. So next up is Do-ocracy Done Well. So, hi. I am Merlin, and I am a board member of Hackerspace Gent, and I am going to talk about how we manage our community. So the first version of Hackerspace Gent started 10 years ago, and we had only two rules. Be excellent to each other and decide everything by consensus. We thought common sense would solve all other problems, but we were incredibly wrong. After four years, our Hackerspace was on the brink of destruction because of internal conflict. A lot of people were leaving for other Hackerspaces, and there were even talks about forking the Hackerspace and stuff like that. So as a last-ditch effort, we started the Hackerspace workshops. Basically, workshops to create a system for our Hackerspace, for our community, that gets the best out of people. So, as a result, we created the Hackerspace Blueprint. This is a small book that explains how our community works and how we solve problems, and it's available online for free. 
It's also open source, and I hope that if you're interested, that you go to the URL, hackerspace.design, and that you read it in and that you can maybe use some of the ideas to solve problems in your own communities. This is the most important slide in my entire presentation, hackerspace.design. Go there in your browser and read the book. So, I'm now going to talk about, we've been using the system for six years and what are some of the lessons learned. The first thing is a do-ocracy. Specifically about a do-ocracy is that you do not need the opinion of everyone who is affected by your action. If you are the person who does something, then you are the person who decides how it should be done. Even if you're not the most competent person, even if what you are going to do is not the best solution, you can still decide to do that without getting the opinion of everyone else. The second thing is interpersonal conflict. This is a big issue in communities. This is one of the main reasons why communities explode. We as human beings have this natural tendency to try to ignore interpersonal conflict as long as it doesn't involve us ourselves. But this is a really bad thing because we hope that interpersonal conflict will solve itself, but it almost never does. So how do you actually solve this? The first thing is that you have to have people responsible to monitor and solve interpersonal conflict. Literally assign people them. In our hacker space, this is the role of the board. The second thing is that if interpersonal conflict happens, first use the private talk pattern. Talk with the individuals privately and discuss the issues directly and without blame. And then after you've talked with everybody, take them, put them together and have also a private conversation with all the involved parties and moderate it. We've been doing this for six years and every single time when we tried it, it actually succeeded in solving the issues. 
But it's very important that you make people responsible to do this, otherwise nobody will. The second thing is rules and loopholes. So one of the issues with being a hacker is that you're incredibly good at finding loopholes. So running a hacker community using rules is an incredibly bad idea. What's better is to actually motivate people to do the right thing. Create a culture where everybody works in the best interest of the hacker space, not because they're forced to, but because they actually want to. If you see people who are not doing that, you can talk to them, you can coach them. And if they refuse to actually do that, just kick them out. These kind of people, whatever they contribute to your hacker space, they will take away more than they contribute. The third thing is meetings. Meetings is also a really big issue in a democracy because meetings give power to the people with opinions. And we do not want that. We want to give power to the people who actually do stuff. So the best meeting is no meeting. Do as little meetings as possible. Thanks, this is the second most important slide in my presentation because it has the URL again. Go to hackerspace.design, send me an email. If you want to talk to me in person, you can also come to the HSBE assembly. And I think tomorrow I will do a much longer talk in the assembly to explain more parts of the hacker space blueprint. Thank you. Thank you. Next up is open laser tag. Hi, I'm Florian. I'm Jules. I'm Jules. We are building an open source laser tag system. For those of you who don't know what laser tag is, it's like catching each other but with light. It's the same technology like in your TV remote. And after playing laser tag with some friends, we sat together in Berlin at the Spree and thought, well, this can't be so hard to do this ourselves. And then we searched on the internet if other people already did it. And of course there were lots. And most of them did it in really complicated ways. 
And so we thought, okay, this is too hard for us, so we have to do it simpler. And so we went for the journey to build a simple open laser tag system. Yeah, and we got some ideas about our system what we wanted to achieve. It should be cheap because we want to build a lot of taggers and give them to our friends to play with them. And the technology should be accessible and flexible. And that's a system design we came up with. Yeah, starting at the bottom you see the tagger, which is basically the infrared communications hardware. And on top of the tagger, there is some Bluetooth. So the tagger is containing ESP32 and some infrared components. And they communicate via Bluetooth with your smartphone. For now we have an Android app only, so we need somebody to do iOS stuff. And the app does most of the logic part while the tagger is only basically a transmission layer. And on top of all of that, they're sitting in the server, which is communicating between all the different players. Yeah, that's how our first prototyping looked like. That's ESP32 you see here. And only what you else need for a tagger is this microcontroller and infrared LED and infrared receiver. And lens to focus infrared because you don't want to have wide-spread infrared beam like in your TV remote. But you want a very focused light stream to make it harder, of course, to hit with your light. That was our next prototype built out of PVC tubes. And you see the lens on the right picture. And on top of this black thing is the infrared receiver. And what I can say also about this, there's no PCB involved in this. So you don't have to, you just can buy the components and put them together. And you have a tagger. And our newer designs of a tagger casing look like this. So they are 3D printed and more custom-made. Yeah, and that's where we are in the moment from the hardware side. The software side of the tagger is also pretty far. 
So you can actually tag someone and he will get hit and we'll get a notification. And yeah, that's how far we are today. And now we can say where you can meet us. Yeah, what still is missing is the game logic. So we can't play a game right now, but the technology works. So yeah, if you want to contact us, there's our GitHub repository and our Twitter handle. And you can find us for the next half an hour outside of the lecturing hall here at the LED Palm Tree. We will be waiting for other hackers who want to play laser tag. We actually have a pile of hardware in parts so we can actually build stuff today. Yeah, and we also asked for a workshop slot and at an open hardware hacking area. But we didn't get a time slot yet, so we will maybe post it on Twitter if you're interested in building your own tagger, come to there or meet us in the next half an hour at the LED Palm Tree. So yeah, thank you. Thank you. Thank you. And next up is binary analysis course. Thank you. Today I would like to talk with you about a program I've been developing, not in the sense of code, but as a course. So the table of contents. It has three topics. Who am I? Just a short introduction about myself. What is it and how can you access it? So first of all, something about myself. My name is Max Kersten. I go by the name of Libra as a nickname. I'm the administrator or one of the administrators of the malware research group on Telegram, which I have talked to model. I'm currently working as a threat intelligence analyst. I previously worked as an Android malware analyst. I made some tooling for that, and I read blogs on my own website about which this talk is. So what is this binary analysis course? So it's a free online course that uses free and open source tooling. 
Nowadays you have a lot of guides and help lines, especially for paid tooling, which is perfectly fine in corporate environments, but especially if you're starting out as a student or you're just new to the field, you don't want to spend so much money just to see if it fits you. There are great open source tools out there which work for free. And this course uses them and focuses on them so you have a low level entry. So it has a really heavy focus on the how and the why stuff works. It doesn't jump to conclusions. You get explained every step of the way. And if you know something already, then you can just skip that part and move on. So the step-by-step approach is used in every article where you get a sense of how it works, why it works, meaning you can repeat experiments that are being done in the course on other binaries you find yourself, see if you have challenges you later on participate in, or anything else you want to put your hands on. So as a last kind of unique part of the course, it does not contain images. I think the images are great to use in some cases. But it forces me to clearly explain everything I want to in text, making it also easier for people to search back later on. Maybe you read an article and half a year later you think back, oh, I read about this on this site and it was somewhere in this article. If you have stuff in images or in videos, it's really hard to find something back. But if it's fully written out in text, you can use the search function of your browser or any text editor you loaded my website in, and you can find things back. So some of the topics that are covered, they start from the basics, starting from CPU architecture, how does it work, why does it work, moving on to assembly language, as it's a core concept you need to know. You will also learn how to write some assembly and compile that to get a different view of what is the difference between compiled and decompiled code, or disassembled rather. 
You have multiple analysis methods for multiple file types. It ranges from a Linux DDoS bot that I analyzed to a browser plug-in to Magecart JavaScript. So the malware analysis in there is also for a variety of platforms. Like I said, it's based for the browser for Linux. There's stuff for Windows coming on. But there's also more because you can read my articles and you can read the analysis, which I hope is really enjoyable. At least I think writing them is. But the question is, how do you continue then? Because I found some cool sample that I wrote about, but it's not as much fun to just keep on replicating the same sample. So what is also focused within the course is how do you actually find new samples? Where do you find interesting samples? And if you're searching for something really specific, where do you find this? Let's say you want a really specific version of a Mirai, then you need to search for this somewhere somehow and you want to find it. And additionally, recognizing structures and patterns is really important as they also come back into any language you use. If you have a specific type of obfuscation, you can view this in decompiled assembly code, like Pseudo-C. Or you can see it in JavaScript, in C#. In any language you come back to, you'll see certain structures and patterns, like a for loop or while loop. So they're also discussed in great detail. So how can you access it? Well, it's on my website, which is on the screen right now. You can take a picture, wait until the talk is uploaded, or remember it. I do tend to publish roughly at least one article a month, based on how lengthy they are. I publish announcements on Twitter beforehand, and also when something new comes out. So if you follow me on Twitter, you'll also be up to date on that. Additionally, if you have feedback, suggestions, or ideas, my Twitter DMs are always open. You can just send me a message, and we can discuss anything. 
After this, I'll also be somewhere around here in the area, probably just outside the exit of the board room. So feel free to hit me up. All right, thank you. Thank you. So that concludes today's session. Please give a big round of applause for all of the speakers who were here on stage today. And also for having to deal with 24 speakers from different countries. A big round of applause for the translation team, please.