 everybody can see us. What are you doing? I'm looking back. Oh yeah, a lot of stuff has happened this year. Yeah, we've traveled quite a bit. Dortmund and what not. Anyway, let the professionals get the mic. Constanze, Nexus, Frank Rieger and Linus. Louder. Applause, applause, applause. Test, test. Got to turn it on. I did turn it on. Oh, I turned it off. Welcome everybody to the CCC Year in Review 2017. This year we're not going to do a chronological take, because that way it wouldn't make a lot of sense. So we tried to do this topic by topic. So we want to say thanks to our old location in Hamburg. That's what it looks like now after we're done with it. Yeah, leaving such a location, that's emotional. We had the 28C3 in Berlin, and roughly, the 28C3 in Berlin would fit into the main hall in Hamburg. From 3,000 to 6,000 to 12,000 people in a few years. That is really something we are happy about. Welcome. Yes, an event like this... Yes, these events are getting bigger and bigger. It is only possible because of the support of many people. We also help as angels. That is also a bit the core of how the Chaos Computer Club works. Of course there is a certain effect, and we will talk about it later. We don't always work together in a super professional way, because we all still have regular lives, a normal day, and what people do, they do in their free time. When we have to deal with professional lobby groups, we really have to think about how we can handle such conflicts. The question is, in this club, at these events, how we create a community that still stays together although we are becoming more and more. Our interests are becoming more diverse, and there are different drivers in the community here. I think we will see that in the next few years, not only at the events but also in the CCC. 
Especially during our time in Hamburg, we grew a lot. That happened on site, and we are really happy about that. All of the different teams, for example the Chaos mentors, the Chaos godfathers and godmothers, that we have newbies, above all women, at these events, and I think that is something that concerns us all, and we need respect. We need respect, and I think that also deserves a round of applause. We have the first quarter, the third, at a professional level, every year, and we have been able, especially when there are limitations, to be ready for all of that; we are really ready for all kinds of different needs. And so, again, please, a round of applause for them. We have the Lingo Team, yeah, we have translations in different languages. Even for assigning. We also have a team supporting autistic people. This has been unofficial for a while, but now it's an official service. And these teams really grow out of the community, and it's mostly self-organizing. It's not top-down. They don't need a lot of help from us, basically. And the number of angels at these events growing more and more is also something we are very proud of, that people think of themselves as active members of this community. And for example, the Young Hacker Day, we have kids and families, and we've created an open space for these structures, and that's really great as well. And this is a, yeah, a thank you to you guys. And we're obviously also very excited about the new playground that we now get to play on. Oh, yeah, really, we do. And as we can see with moving, there's a few things that you can change directly. I mean, obviously there's room for optimization. And even if it's just a typographic thing. All right. In this sense, this Congress is a beta version. So please forgive us small bumps along the way. Those are all stuff that we want to improve on next year. 
So it's on everyone to make these things better that this year didn't run so smoothly yet. So, I mean, not all stuff is unpacked. So, all right. Let's get back to the classics of this review. I mean, the CCC is a big, big family that's a lot bigger than the actual association or club. That is the core that deals with the financial stuff. And we want to quickly talk about this. As usual, the office in Hamburg supplied us with some crunching of numbers. And they are actually dealing with a couple of thousands of numbers. And these are the new members of the last 12 quarters of the past. And you can see how the structure is changing. You can see that in the beginning of the year there's usually a few less people signing up in comparison to the end of the year. And you can see that the club is growing continuously. Once again, this year we have a significant number of new members joining the club. And that is amazing to see that there's people and that the mass of people joining is growing. Oh, well, you have to explain the anomalies. Oh, you mean the general anomalies? Well, I don't know. I mean, it could be because, I mean, the next block is quite big. The office went on vacation in January, to be honest. I mean, you have to see it this way. We have also numbers of how many emails are being sent out by hand, not automated. And I have no idea how people are actually executing these tasks. Honestly, that deserves some mad respect out there. Round of applause. And I mean, we heard at this event that there's a few new members, donating members. So please forgive us if the office sometimes is a bit slow. Right after the Congress, it's always a bit like, there's always a big pile of paper and, I mean, going through that. And I mean, all of that is also obviously on a voluntary basis. So please bear with us with stuff like that. I mean, there are not even that many people in Hamburg, so they're really busy. All right. 
So we tried to understand where the Chaos Computer Club is concentrated within Germany. And I mean, we have a few clubs abroad and local groups. And these are called Erfa. And that dates back in time to the beginning. And there's still Chaos Treffs, which is Chaos Meetup. And these local groups are where the Chaos Computer Club is happening throughout the entire year. This is where people get together, where people start projects, where they think about what we can do, where they come up with events, where they do initiatives, local press work, and yeah, normally create the social space, the hacker space that they fill with life. And that means that this is really the heart and the soul of the club. Not what we show to the outside, but what's happening in the local groups where people get together. You really have to say at this aspect, like when we're talking about this, the content-based work that's happening throughout the entire year is, and we will get back to that in the end. We usually have a block on the events that are being run throughout the year, and they're really done by the local groups. They're organized by them. And this is also what really carries this Congress. This is what brings people together. And this is what basically makes it possible that these kinds of events, especially on this scale, are able to happen. And I mean, if you're here for the first time and you ask yourself, how is it going to continue, please check in your city if there's a local CCC group that gets together. Go meet them, get involved. They're usually super friendly and they usually have an open door day. Please check out the assemblies here. Get in touch with them already here on site with your local group. And I mean, we have this beautiful tradition that people at Congress get together that have never ever met before in real life. So that's just beautiful to see. Yeah, there's another round of applause for that. 
All right, we also have worldwide members, quite a few actually. They are spread out. Funny enough, to the German-speaking foreign countries, but also other additional countries where German is not the first language. If you look at the global map, you can see that we're basically everywhere. Look at this map where all of our members are spread out. But Nexus, you want to explain the colours, right? This is not self-explanatory. The office mailed us that and we looked at it and we were thinking about it and we compared it to the list beforehand. And the darker the colours, that correlates to the number of members. So the white spaces are not spaces where we don't have members. It's just a place where there's a smaller number of members. And the grey ones are places where we have to seek members. So that's maybe an initiative, like a good way of what we're aiming for in the future, to really fill out that map. So maybe just, you know, move abroad. All right, let's go into the topics now. So one of the main subjects where we had the most requests in the press department was two topics really. One of them was the whole complex around fake news, social bots and the NetzDG, which is Germany's attempt at controlling hate speech. It's the Network Enforcement Act, where they're trying to work against hate speech online. And that was really hard, like those kinds of requests about social bots, and like a month, like, I mean, last year we already had that kind of flood of requests on the subject. And I mean, like the DPA, the German news agency, probably tweeted something about social bots and, I mean, one of the, I mean, this was a very big, big subject for our work all of a sudden. 
I mean, like a couple months in, a technology assessment report was done and we were like asked to evaluate that, and there were public hearings and non-public hearings, and the whole subject, I mean, it doesn't even have that much meat to it, like the state Trojan horse for example, from the technical aspects of things. But if you look at the situation that that kind of led to, I mean, look at the date of this picture. You can just see his facial expression and how much we liked the subject. It's the 30th of January and I am only semi-good-mooded, happy, and it's a bit, just, I've been looked at with a bit of suspicion from the other experts on the panel. But I mean, that also shows the role that the CCC has to play within these kinds of hearings. And I mean, we were a little upset how un-data-driven, how un-fact-driven the debate around this was. Like this year there were two lectures, oh I mean three, it's actually three. So three presentations on the subject. I think we are really showing how you can deal with this subject from an academic standpoint driven by facts and numbers and actually deal with the subject of social bots. And this changed a bit throughout the years. The debate used to be, the debate has become more focused on scientific studies than maybe we should talk about. And the hysteria that was there initially has left the debate. The hysteria about Russian opinion robots that brought us Brexit and Trump, and that thesis was a bit untenable. And there was one more thing we noticed in Germany and that was when the US Congress published and invited experts about Russian media manipulation. And that was a phenomenon we observed. We looked at this and said, honestly, those few bots on Twitter won't have swung the election. Have you thought about targeted advertising, which is the business model of these anti-social networks? And we were the only ones saying this. 
And interestingly, this showed in the American Congress a few months later when it turned out that political ads were paid in rubles and these networks said, yes, seems legit, you can do that. And this topic of social bots seemed to miss the point a bit. Nonetheless, it's obvious that the loss of trust in politics and media that's summed up in the term fake news is a real problem. And it's also a real problem that interaction on the Internet is not the way it's supposed to be. And this network is currently failing to give us the interaction and the exchange that we were hoping it would bring us. And we are looking at this network in some horror, seeing how people interact with each other and observing how the German government reacts to this. And then we got into the debate about the Network Enforcement Act, where the German Minister of Justice Heiko Maas made a suggestion that fit perfectly with the rest of his unqualified remarks and that completely missed the core of the subject. This Network Enforcement Act contains exactly one sensible point, and that is that sites that publish user-generated content need to have somebody in Germany whom you can call. So a way to reach the operator when you have problems. But the rest of this act simply delegates the execution of law to the platform operators, which are the same ones who have these ads. And although the government didn't want to say whom they meant, they didn't want to name any networks. Two things about this were interesting. And I was amazed how large the, how many people protested and how many organizations teamed up to protest against this. But also how little this opposition was found in the debates in Parliament. They didn't seem to understand what the people out there were opposing. The reaction to this opposition was surprisingly small from the federal government. 
And just to show you how large the opposition was, Volker Tripp from Digitale Gesellschaft, whom I called, and said the Chaos Computer Club has decided to join this coalition. And he said, oh brilliant, just one question, Linus: if Facebook were to join the coalition, would you withdraw? And that's how broad this coalition opposing this law was. And that goes to show how manifold the criticism against this act was and how many different kinds of criticisms there were. In many different countries there were, but the German market seems to be so interesting that the details in technical and, yeah, so Germany seems to be very special here. So basically by law, it is now stated that one has to post, that certain posts have to be deleted after 24 hours if they violate free speech. So as a service provider, this content is reported and then you have to decide if this content has to be deleted or not. So there's two types of mistakes you can make. If I delete the post, but it would have been covered by free speech. Well, I just had to be sure, I had to delete it. And if I say, you know, this is covered by free speech, I'm going to leave this up. But then a court rules that I made the wrong decision, that it wasn't covered by free speech. Then there's hard penalties that can be spoken out against me. So deleting too little costs money, deleting too much doesn't cost money. So that no one here is interested in hateful posts, illegal activities, violence on the Internet that some weird people put out on the Internet. What's really prohibited by law, that's not free speech. But what really brings us forward as a society doesn't happen in the center of society. It's on the fringes, in different shades of gray. And that's something we need to encourage. And it's not always about agreeing with each other. And we'd really like to keep this discourse going. 
And it doesn't mean that we were on the side of some crazy people who can't think of anything else to do with the Internet than spew hate. And this Network Enforcement Act, you know, it was called Facebook Act most of the time in the media. And so the irony of us talking about this and being asked for expert opinion, being the only ones in our society that don't use this sort of nonsense. Yeah, this seems like some sort of zoo. Yeah, so it's slightly ironic that the Chaos Computer Club and friends of the Chaos Computer Club are highly likely to not be on Facebook. So yeah, all of this was much ado about nothing. The government passed the Network Enforcement Act. It's now binding law and it's already been implemented. And how well this works, we could see only shortly after, because Russia copied the law exactly. And so they said, you know, well, this works pretty well. They can enforce their censorship measures with the exact wording of the German Act. So, you know, we're going to have to talk to the next German government about this. And what I'd like to point out is that what the government did, they said that the laws that we have in Germany aren't enforceable on the Internet. So, by our standards, that means that we say that our democratic structure has failed. And this sort of thinking is really scary. And, you know, we can see this in Russia, how easily this is implemented. So that's something to think about. So, yeah, once more about Heiko Maas, the Minister of Justice of the Social Democratic Party. I really hope he won't get that post in a new government that might constitute itself soon. So I really feel he's responsible, even going beyond the Network Enforcement Act. It's really hard to, within German political coalitions, when we have questions of surveillance and civil rights, there's really no more equilibrium. 
When we look at the Ministry of the Interior in many projects that we're going to talk about later, in working together with the Ministry of Justice, that there really wasn't anyone defending the Constitution and the basic rights in our Constitution. And that means I'm really disappointed in our Minister of Justice. The normalization of surveillance measures, not debating whether data can be retained at all, but just talking about how long and how much. That's really, yeah, a great example for me to show how it's all going downhill from here. Yeah, one more thing we noticed during the course of this debate is that the ad-financed networks are trying to create new rules for themselves, for example Twitter. And what we see is that this isn't about a lawfully ruled state. By Twitter's rules they would have blocked Trump's account long ago. But now there's an exception that mentions the newsworthiness. You could call that the Trump anomaly. So Twitter said that, well, we have very clear community guidelines and if somebody, for example, incites violence on our platform, for example against North Korea, that's not in accordance with our community guidelines. But we're still going to leave it up because it is news related. So this discussion about Twitter is really related to the US and not to the Network Enforcement Act in Germany. But still, all platforms really reacted to political pressure, even YouTube, Facebook and Twitter. But for Twitter, the fact that they have this exception of newsworthiness is really interesting because that's really a marker for the year 2017, a distinctive feature. We have a president that has no respect whatsoever for all different forms of decency and who still surprises me with his political communication. And then on Twitter, of course, Trump is a problem, even internationally, because he goes against the community guidelines and incites violence and posts hate speech. So, yeah, we can sum up these rules. 
We don't like hate speech and posts that incite violence, but if it brings clicks, it's all right. So, yeah, when they were asked about it, Twitter said that there was a two-step change to the community guidelines. So, it wasn't just about text posts. It was also about hate symbols, for example, the swastika. Twitter doesn't differentiate between rules in Europe and rules in the US, which also means that the stronger free speech rules in the US also apply to Europe, which is different than Facebook, obviously. Yeah, do we stick to the ad networks? Yeah, what happens is that censorship and the removal of hate speech, the responsibility for that is dumped on the corporations. So for them, of course, it's an incentive to automate that procedure, because every job obviously costs money, a lot more than some CPUs and some data center. Also, there's lots and lots of automatic detection of hate speech going on, which re-invites a discussion we had in the 90s, where we had people walking around with crossed-out swastikas or swastikas being thrown in a trash can, so clear statements against Nazis. And these people were all alone on the police lists of offenders for the use of unconstitutional symbols. So we can see the same thing happening today on Facebook and Twitter, because the swastika, it's very easy for an algorithm to find. And the exact same thing is also, for example, we can see with Kurds in Turkey. So free speech on the big ad-based networks isn't enforced right now, because as soon as you have images of people belonging to a Kurdish party, these posts get removed automatically. So what we have here is really a development, legitimized by the state, of these corporations turning into the instruments of power to decide what can or can't be said. And that's something that shouldn't happen. 
A good aspect is to see that in this whole debate on fake news that we experienced this year and witnessed this year, we are capable to move forward and go into subjects that the politics have slept on for many, many years but that we are now trying to put on the agenda and are trying to move forward. Round of applause. We have this project, Chaos Does School, that last year had a talk that was very well received, and they were back this year and I think I've heard really good stuff about it. And we have, in the beginning of this year, starting from the team Chaos Does School, we kind of also put our own efforts in and we generated demands of how a modern digital school is supposed to look. Because if we look at what's actually going on with regards to smartboards, we literally have to explain to teachers how they function in their core simple functionalities, and you really have to pay attention that they might not get on them with whiteboard markers. So digital education for teachers, for people who are training to become teachers. We really see, we can see what happens when you sleep on your education policies and when you sleep on the education of teachers. And you really have to get a feeling for what we used to have with newspaper articles, that we kind of did that fact check, but on the internet all of a sudden these news come in faster and we kind of don't do this. And starting there, it's important, we really, it's really important to start with school education, with high school education. And if you start with high school education, you have to start with the education of teachers and professionals who are teaching, and that means that you, on a federal state level, have to get people in influential positions to really start executing this on a political level. Germany is a decentralized state, so education is a decision based on federal state, and it's like every once in a while people come up to us and address us and they ask us, so what do you want to say about 
this? And our usual response is like: well, the politics really need to wake up. There is this thing called the internet. This is not a subject that needs to be pushed into computer science in a course for half a year. This is a subject that needs to be part of every subject being taught in school. This is a very fundamental thing going into every aspect of life. Round of applause. And obviously this has not reached school: that in history, articles from the internet are being read; that you have to deal, in ethics and philosophy, with what the internet does with society; within language classes, you have to, like, how can you not access translation software and dictionaries online? Like, there is so much on the internet that's useful for students. What we did was we wrote down demands so that we can get students to become active, aware members. They don't need to necessarily know how to program, but they need to start understanding how the internet functions and how these structures work, and integrate that within subjects, all of the subjects, and that's what matters. And we need to back up teachers and go into the universities and have that being part of the academic agenda and curriculum, so that teachers can get help and get in touch with people like Chaos Does School, get them in touch with independent groups like us who are not advertising-driven, who are not big companies. In the US it's very common that you decide between Facebook and Google, and we don't want that in Germany. It needs to be clear that digitalization is something that is an individual development, and that's something that we need to separate from commercial structures, especially when it comes to the level of high schools. A round of applause. And we have the hope that with our demands we at least reach the one or other person and maybe even get a ball rolling somewhere. I mean, you really realize that, the other day you realize that it was a very important project for me, that Chaos Does School, and I 
just admire seeing this project growing every year. And at the same time I ask myself, what is it? What is it that in 2017 we as the CCC have to get our voluntary people to spend their free time to go into the schools to do a day of media competence? How do we still need to get that out of our voluntary resources, from the brilliant people that work with us, in 2017? I mean, this discussion has been, in the past year we had this discussion, was a question, like one of the questions, whether or not we should still keep the internet and the existence of the internet a secret. And then you have the philology association and they go and they are like, oh, you should just pick up a book for a change. And when you think about these schools that we kind of put money in as a society, and we kind of think of their overall goals, to generate resourceful, active members for our future societies that need to move all of us forward, how can we think about keeping the internet secret from us, from them? From the first grade on you need to do what Chaos Does School does, very motivated. It's really not what voluntary work is supposed to do. It's not supposed to pick up the pieces from where politics and politicians fail society on a daily basis. Round of applause. But thank you, Chaos Does School, we really need you guys. I really want to summarize that it's really bitter and just hard to see that, I mean, it's really gone crazy last year, like all of a sudden, that Chaos Does School can do a thousand times more than what our education politics managed to do in the past 14 years. Round of applause for that from the audience. I'd like to take this moment to mention that Chaos Does School is not alone. I mean, there's, like, whoever was at one of these events from Jugend hackt or CoderDojos, like, there's obviously more than just Chaos Does School, and the multiple crypto parties. I mean, it's a whole scene by now that is, like, organizing this regularly, even for, also, education for grownups, for just people who want to get 
informed, like, beyond, sometimes, even state help. This is like a scene that has grown, that publicly takes on this issue. Like, there's a talk from yesterday that Chaos Does School did yesterday, like, that it was so well received and they got such great feedback. Round of applause from the audience coming in now. And please don't forget that planning of these kinds of education bureaucracy is done by people who think that they should mainly learn how to handle Microsoft Office software. I mean, like, it was honestly a bit of a shock to really show the extent of this. I'm sorry that we have to keep writing this, but the time window of when these sorts of developments happened, between people that had the first own computers and then had internet access, to smartphones, the people that experienced that kind of transition and change and had the possibility to understand how these changes are interconnected and how they're changing, it's so normal for you guys because you've seen the development of these things and where all of that came from, like how that computer actually works. Like, that time window is so tiny, and the tiny humans that are growing now, they're just getting this lighting board that's looking at them and they can just swipe left and right, and somebody needs to explain to them what this is, that they don't think, they need to understand that it's not just a magical thing. And they need to, we need to take the power away from the people who program these machines for them. They need to start understanding these machines. And there's a big round of applause for that last statement. All right, let's get back to other subjects, like our central competences. Hacking obviously is our daily bread, I almost said, I actually did. We're a hacking group, we're a hacker club, we're gonna stay that way, and we're gonna hack other hackers, and in this case the state. So the state-run Trojan horse has been a long-lasting subject for us, for years now. We have been pushing our ideas into what's 
going on there, and I mean, like, it's been a very exhausting kind of process. And this time around we were invited to give our statement. Oh no, the statement was on the 31st of May, and on the 29th of May I got the invitation that kindly asked me to show up on Wednesday, on the 31st of May, to show up for a change in the law, blah blah blah blah. And I mean, this is about, in a very long StPO amendment, I mean, this has been going through all the justice committees. In the last minute they had all of a sudden tried to implement and include a state-run Trojan horse. Like, this is something that they did last minute, kind of like a Houdini. I mean, everybody kind of agreed that for many years this is what they were trying to get to agree upon, and they were like, oh great, like, it's now, end of legislation is coming up, and I mean, it's great, now we need to push this, we need to make the decision on this, because otherwise this is not going to happen, because, I mean, the governmental elections are coming up and this is the moment. So StPO is the official process order of how law is being executed. Okay, so all of a sudden, like, let's push this, because legislation and those elections. So all of a sudden they come up with a formulation and hand it down to the parliament itself, and this is how they need to and are supposed to formulate the law. And I mean, it's great that the executive is helping the legislative, that's wonderful, with helping them out with the formulation. And this is what it meant for us: last-minute statements. Of course we're going to thankfully and happily come and take part in this. So the implementation of a state-run Trojan horse basically looks like: paragraph 104, changing word number B5. He's literally listing the actual law now and it's really hard to translate that because he's going very fast, so for anybody interested, read up on what they were trying to implement in his Twitter and look for that tweet. Okay, so the introduction of these new cuts on our fundamental rights are being 
handed to you as a diff, basically, so that you don't understand them within the context. Like, you literally get the pieces that were changed. You basically, better, get a diff with comments but without any context. The problem with this is that not even the members of the parliament are getting the full context of this, and they're reading all of this. So the moment when we found out about this, we marched towards parliament, to the parties, and we were like, what the heck, you can't really be serious about this, we've been working on this for a couple years now. Normally you have recursive rounds, you discuss stuff and then this party informally gives their opinion, so happened this time around, and all of a sudden this was just done kind of like the style of the US Americans, just last minute, without, sneaking it in through a backdoor, basically, the changes of the law. And the Social Democrats basically refused to discuss this with us. And I mean, like, the justice ministry didn't say anything against this. I mean, what do you mean, against this? I mean, that's where the formulation helping came from. I mean, what happened there is the worst-case scenario in the parliamentary democracy that we've witnessed. Linus mentioned in the beginning that we've been fighting about this state-run Trojan horse for like 10 years. We remember, um, two prosecutions on a constitutional law ground, and the second ruling. Over the course of these 10 years it was very clear that state-run hacking and state-run Trojan horses are in connection to terrorism. But what we have here, in the change of the law, is a broadening of this law that goes much, much, much further than having something against terrorism. Like, it takes into account everything, like counterfeiting documents, like very little offences. So they were trying to basically get in by another, they were trying to push this through the back door, and the people, the experts who could have contributed to this got a time frame that was completely 
ridiculous and we've had a landslide without parallel how it's allowed to hack our computers and just to stress this point they've been coming to us for years yeah, it's only terrible terrorist and of course we have to protect the privacy but this is no longer the case and we're looking forward to fighting this in front of the constitutional court because there are going to be so many complaints against this and several of them but we do let them do this to us and then in the day and a half we had we wrote up 20 pages we formulated some thoughts on this and Konstanze and Frank helped me out a lot how does it go from there because of course all the statements are always also on ccc.de and of course we set new priorities in terms of content because it has changed we used to very intensively privacy, which we talked about a lot and preventing hacking and what the personal we have four years of Snowden behind us the IT security market which is one when we talk about exploits the trade in security vulnerabilities. Even if it took a little while for us to shift in the debate. And these things are being done to us. This is a letter from the Federal Data Protection Officer with her added comments for the working group. Unfortunately, the ministry, the request to me for a comment on the letter. I was only informed via the media on the 17th of May. So, the Federal Data Protection Officer found out about this in the media, and that media was netzpolitik.org, where this proposed change of law was leaked. And in light of the considerable privacy implications of this, I cannot understand how I was given such a short time frame to add my comments and therefore I have to restrict myself to certain corner points. 
At least, we were very surprised by these strongest words that our Federal Data Protection Officer was able to find, which is very unusual, or you could say that it was so terrible that even the Data Protection Officer said something. We already more or less said that we consider this a moderately serious scandal. We asked the entire parliamentary process, and then they no longer had the half to hold this tweet. But they delivered. I don't know what the party's marketing agency has, but that was a great answer from us. So, what also needs to be said here: we're talking about the end of May. And what was fascinating was that the connection between this Trojan horse and getting worked up about the Russian cyber was completely missing. And the month of WannaCry in May was also the month of WannaCry. And people could not connect that. But we will do that later. But they tried to make the debate go away. They did not fail at that. And of course we had this prime example in the states and their legislatures, and we were very happy that the cities of Hesse got together. So many local initiatives of the CCC gathering to protest this. The CCC's press team tends to deal with federal politics most of the time, but it was great to see that we can work together on this. And that there are topics that simply concern certain federal states that can still be supported by press releases. And we're going to keep track of this and trying to prevent this state trojan from entering more state laws. Because somebody has to clean up behind this by submitting constitutional complaints and we don't have unlimited capacity. We tried this in Hesse and they are very active and we are quite proud of them. We need to hurry a bit. I'm going to say very little about this very quickly. 
There was one debate during re:publica in Berlin, where the then Minister of the Interior Thomas de Maizière joined the debate. And you know this is the minister who did the net political discourse in his first term of office. And of course all of this has been forgotten. Also the papers that resulted out of these dialogues that showed a bit more balanced view on net regulation. First of all he gave a very boring talk before the actual discussion, but he did allow discussion about the kind of surveillance that he has to answer for. Especially data retention, that is a result of his term of office, but also biometric data and how we talk about simply retaining data by default. And how much he pushed that agenda. Personally, I found the debate was not very productive. I miss this echo because there isn't a lot of debate within the political coalition. This may change with the new government, because it's no longer going to be a grand coalition, but simply a coalition of the conservatives and social democrats. I'm not very thrilled about the fact that the leader of the opposition is now the right wing AfD party. I mean a lot of this was connected to the refugee crisis in a horrible way, because I thought it was awful that the established parties were trying to be overwhelmed by this right wing discourse. And we're going to have to work against this. It's not going to get any better. But let's talk about something positive for a change. I would like to show you this brochure as an example. This brochure comes from the Swiss Chaos Computer Club. It's been downloaded heaps of times and it proves how much demand there is. Even if the politics doesn't reflect us, but this kind of digital literacy or digital emancipation is something that we think is very important. We hope that these offers by the CCC make digital know how more accessible will be something that we get more of in the future. 
And thank you very much to the Swiss CCC. What we mustn't forget is that protesting all of these awful decisions can also be quite fun, otherwise it would be pretty boring. So the stuff happening at Südkreuz area in Berlin, where the government is trying to establish mass surveillance in people's everyday lives with a public test. So there is a facial recognition going on there and that's fed into some sort of system and people could sign up for that. And there was a really nice protest against this, modern one even, where people wearing all sorts of masks and holding out signs showed up. So yeah, these were different protests, these were different days. So we had Spiderman costumes with masks. You can't see them here, but it was great, it was colourful. So we arrived during the break and because the minister showed up there two times for looking at this. And the people just went up and down the escalators and yeah, it was a lot of fun. I think that's just something we need from time to time to not fall into some kind of hole. Because our minister of the interior said on camera that he didn't just wish for the sort of surveillance to be widespread, but also to introduce this in all of Germany's various states. So we can see here that he's equating facial recognition surveillance with other kinds of surveillance and I really feel that the meaning about this, the popular opinion has changed. When I think back of my first congress where there was a study of biometric surveillance, back then we still had information put out by the government. We had access to the study, we could read it even though some addendums weren't made public. But now there are no numbers available anymore. And when we look at the statements being made by politicians, we can really see that they're not even trying to explain how this should work on a technical level. 
And the request for free information where we got a lot of paper back, but the main elements and the cause of these projects weren't made public. And again, this is an unwillingness to lead a public discourse when people can't really see what this is all about, but we just get some small press releases from the ministry. And this isn't adequate at all and that leads us into some sort of Trump propaganda sort of style where we can't even figure out whether something is right or wrong, where we can't even really figure out what's going on when we talk about national security, fiscal interest, because of course there's private corporations involved here. So, yeah, this unwillingness really, we need to fight that and I want to fight that. I think I come across as a bit grim, but we did also have... I think I seem a bit aggressive, but we really do have fun with these processes, so that's something I want. We're just trying somehow... Yes, this unwillingness on the part of the politicians, as we say, we won't say anything anymore. That is one of the big projects of that... Yes, really... ...some other project where we can really see that is the NSA Inquiry Committee. Oh, wait, I still have to say something about the station at Südkreuz. Yes, so this BND inquiry... Okay, go ahead. The NSA BND Committee of Inquiry... ...whatever meaningful movement there was, I don't know, what really happened there came from the media, by which I mean Edward Snowden. And so this style of unwillingness to engage in discourse really permeates throughout all levels of government right now. All right, two things. I really, really encourage you to read this long, very long report, committee report. And we even have one that isn't blacked out at netzpolitik.org. So we can't really understand all of it, because some of it refers to secret information, but still it's a good start to inform yourself about what was going on. 
And of course the pictures of Merkel being invited as a witness. And again, Mr. Ströbele, yesterday, he really made this clear that this, you know, this probably won't have any consequences on a political level. You know, mass surveillance, the Social Democrats and the Christian Democrats, they're just, you know, like, we don't care. So, yeah, just again, as an example, following the revelations of Edward Snowden and mass surveillance, there's cases at the EU Human Rights Court. And some of these cases were heard together at the court, which increased media attention. And I don't have any doubts about the EU Human Rights Court deciding in our favor. But again, the documentation of the British spokesperson there, how they explained how mass surveillance is explained. And their documentation for mass surveillance is different from ours. So they're not even talking about data retention, data collection anymore. So, from the US we know, you know, they're going to collect a lot of data to find something. But the British person said that we need this growing pile of data, because we want to keep working with that data. We don't just want to find something, but we also want to increase that surveillance. Okay, we don't have that much time. What a surprise. Yeah, so there's a lot more to be said about that. There's also a recording online. And we're going to keep you informed. And I really don't have any doubts that this sort of mass surveillance doesn't go along with EU human rights. A nice illustration of what happens when the intelligence services... Yeah, a nice example of what happens when... ...there's no public overwatch over intelligence services is WannaCry. Here we see patients' data being centrally monitored. 
And, of course, it's really bad when you get a crypto locker, that also uses some technical measures to permeate your whole network, which also led to the info monitors of the Deutsche Bahn, German Railway, not being that readable. And then they got out the old wooden signs and really wrote by hand. The next train is going to... And so, you know, it wasn't all bad. And that's WannaCry. Annoying, of course. Let's stay with the hospitals for a moment. So, yeah, what's really annoying, let's talk about hospitals again. Where we get the first news reports out of Great Britain. At least I got the first ones out of Great Britain. Hospitals suddenly back to pens. Hospitals were hit by this attack and they had to work with pen and paper again. And so, WannaCry struck hospitals, logistics, industrial production facilities. And of course all of these applications share a similarity. They're niche software. And what we mean by this is software that has a very specific field of application. It's written by very specific, small to middle-sized software companies. And it's all about very specialized handmade software for dedicated applications. For example, the computer that runs an MRI scanner. And so a money printing machine like an MRI scanner. That has to be run every day. And so you can't always, you know, turn it off and turn it on again just to install a new update. So, there's very few customers and they're being used 24-7. So, they're not constantly updated. Because the developer says, you know, we wrote the software and we can't just update it. So please run it on Windows XP. And of course Windows XP isn't officially supported anymore. But we, it's just, it's not end of life, it's end of patches. But yeah, I just want to point out the problem that exists. And we need to handle that. People need to handle that. You can't just, you know, hindsight is 20-20. You can't just say like, oh, hospitals have acted foolishly. 
So the weakness, the loophole that allowed WannaCry was, as I mentioned, the SMB shares. And that was a zero-day vulnerability that the NSA sat on for years. And so, if I get the chronological order right, starting in August, the Shadow Brokers stole all of those tools from the NSA. And so it was very clear that the knowledge of this vulnerability was out. Was not just with the NSA, but with an unknown group. So Microsoft patched this vulnerability called EternalBlue in March. So since March, this update was out. But only in April, the Shadow Brokers released the vulnerability. So, that could have happened every day, but even the Shadow Brokers had the ethical limitation. Well, one month after Microsoft rolled out the patch, now we're going to make this vulnerability public. So the NSA had this vulnerability for years and never had the same ethical limits. So, the NSA, it's not about ethics, it's about rules. So, of course, they didn't follow their written rules. So it's not about ethical questions. And as a result, we can say that WannaCry is just part of the disaster that the NSA allowed to happen and exist for years. I mean, this discussion, I mean, I have two more things about this. I mean, I think this discussion changed a bit because there's so many health organizations and facility organizations that were involved in this. There was so many, I mean, when it started in Great Britain, it was very clear that it was about life and death and health of people. And I think that really changed the discourse. But again, also what I recognize is, it's also a lot about money. And it was very clear the damages, the cost of damages, 4.8 billion. It was very interesting how the political media coverage all of this had changed. I mean, interesting also is the discussion, the media discussion has shifted towards ZITiS. There's a public office that is in charge of security that is mainly dealing with system and machine hacking. 
And the question whether this office is going to publicize the exploits and vulnerability story if they're going to make them publicly available. And that's going to be interesting to see in the upcoming month how this is going to be discussed. I think this is the discussion that we're going to have in Germany and want to see now. And I think that's the next subject for us, which is the security of devices with regards to botnets on IoT devices and routers. I mean, all of this has been a big subject for all of us. I mean, the collateral damage that happens between people. What was it? It was micro servers. I don't really remember really. Anyways, the point here being that devices that are outside are being unsecure. We have old software on these devices. Producers of the devices don't really care. It's not really clear who's responsible. I mean, ultimately as the producer of the device. I mean, like, if you want to kind of spark this discussion of whose responsibility is it to maintain security. The Telekom router had political representation because it caused for the politicians to really start talking about lengthy hearings from the Ministry of the Interior, as well as the Economic Ministry. And the results of this hearing is a working group is called Router TR. And they are supposed to release a technical rule for plastic routers. And it's usually happening in Bonn in the rooms of the Interior Ministry. Linus went there once. He regularly goes there actually. The goal of this is to create some sort of official stamp and validation that this router is in compliance with technical up-to-date standards that at the moment is completely senseless. But interestingly enough, how reluctant people are to write down security standards that are actually ... And it's really interesting how it's really hot for people themselves to create routers that are in compliance with security measurements. Normal people are not allowed to put firmware on their own routers. 
And there's a lot of lobbyism that happens. And that sabotage ... And it goes to the point that officials are being sabotaged and we just kind of ... I'm sorry, but you can't deal with it like that. And what then leads to things like our network is safe and the whole room is laughing. And then statements such as, is that kind of like our retirement funds are safe? Yeah, kind of like that. And I mean like, they think that there should be like a life-date, and there should be a sticker on there up to which point is there going to be security updates. There's a round of applause for the demands of that. And this kind of position is something that we had a couple of years ago and we wanted to narrow it down to something that everybody understands, like IT security, so that you can be explainable to grandma. I mean, like every Apple has a date of best before, so why not technical software? Hardware. And like, if we put that on the routers, they're obviously not safe anymore. And I mean like ... And I mean, that's obviously not just a problem concerning routers. I mean, like this is something that we're demanding for every technical hardware, especially when we look at IoT, where there's no best before dates. And like a lot of stuff is being done with like a quick thread and like under hot wheels. And there's no concern of that electronic garbage that's being created, all the bugs that are in these products. And I think it's really important that we have regulatory measurements that secure that this is not being put out in the world and that this really weird strange IP camera that then kills the whole Internet because it uses a standard password. And I mean, we've seen this. We've crossed this border. We seriously have infrastructure problems because some garbage product is out there and nobody takes care of it. And interestingly enough, there was this hearing that I went to in the Committee of Traffic. 
And I mean, like our infrastructure is really in danger because we have so much garbage in there. If you look at the media reports on this and what comes back from journalists when something's broken, when something exploded or some sort of infrastructure broke down, it's interesting how suppliers have that attitude that they just expect somebody who finds a gap that they are bringing notice and then they'll resolve that issue. And I think that's something we really need to work on. You can't rely on problems being reported once there's already a run ruled out. And there's no take on responsibility. You go out in the world and when I buy a car and there's an accident that happens because the car doesn't work. You see, the producer of the car is responsible. And when it comes to software, we don't have this. A round of applause. I mean, this is an old know and truth. There's two ways of selling something without having any responsibility for it. One of them is drugs and the other software and both of the producers are calling their client base a user. A round of applause for that. Interestingly enough, we have, especially when it comes to the routers, we have unexpected comrades and people joining our fight and they were supporting us. One of them is people like from the Bundesnetzagentur, who are thinking about how can we stabilize the internet if we have 10 million unmaintained products joining that internet. So, we're supposed to insure these. So, insurances and the other interesting party that is on our side in this case. And the subject IPv6 is coming up and the official for information and security were like their response to that was, oh, we're not going to think about that for now. So, just to quickly show that we are also like to travel, there were statements that were given in the EU Parliament on the democratic discourse. So, how are we going to as a society interact with how the discourse slipping and what are ways to bring it back and react. 
And of course the subject that we just were talking about, WannaCry, what are our lesson learned of internet of things and who's responsible and who's going to take legal responsibility with these kind of things. And especially after the German Parliament and government with the democratic principles is breaking with these democratic principles. It was very interesting to be sitting in a parliament that really takes its time, that has a lot of professionals and is interested in making some sort of change and that was really nice for a change to experience that. I mean, it's always a bit difficult for us. We sometimes like to go to commissions and committees, but of course this is hard because a few we obviously know the parliament and the municipal parliament is better than the European scale. But to be honest like when I was there and I think Linus can agree with me that it's not as ritualized. My impression was that there was more interest and more honest interest and more dialogue. But you can say all in all Europe is positive with certain regards, especially when it comes to regulations of net politics and digital aspects. I mean, some of it is still changing. Some of you might have listened to the IE Privacy Lecture on the first day that was dealing with official release of data security. And I mean, every once in a while we really should look to Brussels. There's a few regulations that are coming from the EU base that we really need to look at and that they're going to change stuff for the better. And we should really look at the fact that these changes from Brussels are in our sense and our idea. And there's obviously also the EDRi, the European Digital Rights Institution and they obviously, they try to do that on the EU level and like it's their great partner and a great NGO that we want to support and that's why I think we should mention them here. There's a round of applause from the audience from this. 
I think that really fits the European kind of context. So one of the things that where we kind of are very thankful that Europe exists and that's net neutrality. This year round we were dealing with that a lot. I mean in the beginning there was the StreamOn that the Telekom ruled made available and I mean especially when it comes to net neutrality we dealt with stuff like that. And in Europe we have a special case and we have a beautiful case where net neutrality is part of EU regulation. And if I understand this correctly it's supposed to be executed directly. So it's something like the USA where all of a sudden you have somebody that puts a new person in the FCC and you've got a council of five people that are overthrowing fundamental rules and in the EU we are actually quite lucky and the dismantlement of net neutrality we're far away from and I mean it's obviously giving us headaches here as well. Even if only European companies are having to take a backseat in the US for example. I mean what a lot of people don't realize is that the disadvantage of some is always the disadvantagement of many. And like it's of course also if you block a VoIP supplier and that's a bittersweet present that the Telekom has given us with StreamOn and I mean you're standing there so if they are capable to give them unlimited streaming with the prices that they pay and if only the offerings for big bandwidth or big streaming companies then I don't understand why this inclusive volume can't be made available for all data. So basically Telekom's StreamOn offers unlimited data streaming for certain suppliers. We're going to take more action in this field of work and this subject because obviously there's another one like Vodafone Pass where it's also zero rating and we're going to issue a statement that we're going to make publicly available probably sometimes around the end of January. 
We want to position ourselves in this kind of discussion and the FCC discussion and decision in the US is going to start an interesting debate in the EU. I do think that we can position ourselves in a very different light and I do think that in Europe it seems to be possible and the Bundesnetzagentur definitely is looking at the streaming made available by Vodafone and Telekom as being against our version of net neutrality. Another subject that we should be looking forward to in the future in the EU is also to be honest in Germany we have a law that actually deals with data retention and this law is not being executed thankfully due to a ruling of a court in Nordrhein-Westfalen that again made that ruling based on the European Court of Law and that data retention without reason is not allowed and should not be made possible and this obviously is in compliance with our idea about this and this also is in line with what other courts have decided within Germany but the point that I'm trying to make here is that we really have to look at the timeline in 2015 our legislation our parliament wanted to do a new attempt at data retention and introduced data retention and there was a law that was signed and that was supposed to go into action and actually did go into action in June this year in July and then last year about a year after we kind of very we got the ruling from the European High Court unlimited data retention without any suspicion is not lawful and then it was very clear that Germany is the only state in Europe the only country in Europe that at the moment is being in compliance with European legislation and European laws because our parliament said that's not possible we can't let this be happening and we need to be compliance with European law and then they said oh no we'll do it anyways so they really tried on the first of July to introduce data retention and which obviously caused a lot of complaints and there was so one of the complaints filed and the 
lawful measurements was frozen but at the moment the state that it's in is that the law is signed is being executed so this law is there but I think we need to really work on this because this law is a law that is violating the European Constitution and that's really not a joke like you I mean the way that we live within this European Union it's based on ethical moral and fundamental rights of what means to be human and I think we need to really work on really dismantling this law I mean I think for now it's kind of this attitude of well we're not executing it thanks to the EU data retention is not happening in Germany but at the same time the law itself is still in place it's there there's a round of applause from the audience I think we covered quite a bit about hearings and judiciary practices and statements and of course we're the Chaos Computer Club so it's also about the fun on the machines so now it's the fun part so there's a few stuff and we want to show you some examples how can you deal with security gaps and we just want to do it with iterate through this on the base of two to three examples so we didn't include everything that we did we just want to kind of show how different produces react towards gaps that are being uncovered I mean a lot of times what happens that some of us addresses us sometimes I took on this responsibility and what happens then is I just go into call them up and I'm like hey hi my name is Linus Neumann from the Chaos Computer Club and the responses I get they vary one of my most joyful ones was literally shit I never thought I'd get a call like this there's a big laughter and a big round of applause for that so but I mean that was I mean admittedly it's the most fun when you get the when you add the sentence you probably know why I'm calling what happened to me once time is the response was like how do I know this is true I mean like anybody could give me like a call I mean like look at the attached exploit on the telephone I mean 
like a lot of times you have that situation where you're like I think that you have a problem and would like to help you out and solve you this problem I think one of the Elasticsearch clusters were all car sharing bike sharing vehicles were being tracked and capable to be tracked and I mean that was closed and we gave them like a really short time to fix this and they kept to what we asked for and look at this like one of the system this is an a system where officials where you register and you go for your passports and stuff like that in Germany where you could file for appointments I mean we blacked that out but you could basically access all the database behind this you could look at all the appointments made what the appointments were made for and I mean obviously this was one of the things that we were really shocked by because that was obviously a vulnerability that was there for a long time on the other hand the producer of this literally fixed it within two minutes it was an SQL injection and I told them please go into that PHP file please change take that parameter and you're obviously handing that to the database and that's what it's called a guy who's running it is like oh I looked at that shit we usually do prepared statements how the fuck did that happen thank you so much for the call it is fixed in this second so while we were on the phone with him like that is something where you're like props where props is due that was I mean like seeing in that situation you also like it's one of those moments where you prevent at least when people fix it that quickly I mean like there's other situations where you have to take different attitudes towards this I mean I think the thing that we forget here is what the name of the database means I mean there's other scenarios where obviously the attitude towards what we find out is different I mean this is from last year the German train company has done like they do digitalization and they want to digitize 
everything so that means that you can also go on to the internet while you're on the train just like in any other state of in the world and in order to do that the train company just bought something and they were like oh we gotta do wifi it's gotta go quick so I found out that that went to George's and he let it slip that it's like was kind of one of like a hot fix thing so there's a company called Icomera and that's up there in Scandinavia and it's like the world leader oh that's what they thought oh that's just you know shop there because there's like three people who do it well I found a scale like that and then when you go onto the landing page you can very easily understand who's getting on the wifi where that person is where they're logged in like all sorts of information that you could just kind of scrape from that they did get rid of that by including JSONP endpoints and that was then kind of good but up until this year happened and then this year we realized they just opened it up again and like it's very simple it was just opened back up so we then took the same javascript and this time around did publish a press report press release and which they then responded to yeah we closed it two days later we issued the next press release no you did not you actually opened up a new vulnerability so it's basically like you're picking up pieces from a project that's more than 110 million euros that they bought from a world leading company that is not capable to solve these security issues properly and the producer actually thought it was quite okay that it is like that and the producer was basically like it's actually good that it's like this because everything else is just complicated so basically just wanted to leave that solution because it's a lot more simple to keep it open but I mean like who cares about the clients who are on the users on the train and who didn't notify the German train company before because companies are more and more relying on the fact that a month 
before something like that is being publicized, they are being notified, and they get time to actually close these kinds of gaps. And, I mean, there's a story with the banking apps, and we had this, we then have to listen to them in these gaps, and, I mean, like, it's stupid to have the app that we generate the TANs for then doing banking. And, I mean, like, there was a guy from a bank that then was like, "Oh, I mean, like, you should have just notified us." And, I mean, like, we actually did, we notified you two years beforehand. And, I mean, like, factually speaking, the train knew, like, the German train company knew. For 110 million euros they buy Wi-Fi, and then if they don't do it right, how about you don't turn it on on day one, and you just push it back for another month, and you explain to the board why you have to do that? Like, how the heck do you roll out something that is so full of flaws? There's a big round of applause for that. And the first example of this portal will, if you do this for the first time, then it makes sense to responsibly disclose, but in this case there's not a massive risk of data getting lost at scale, of users being exposed immediately and being in grave danger, and this is where users' interests have to take a step back from users' interests. And as I said earlier, we're doing part of the communication for people to come up to us and say, "Can you help us?" Some say, yeah, it might be that, could you and would you and could you help me when I talk to the manufacturer, who knows how they're going to react, and ask us to help in communication. Especially with the examples I just showed you, those were generated from the club, from without the club, and we supported them, we like to do so. And as it happened, similarly came from a Jugend hackt, where some teenagers participating in Jugend hackt, and they might need my advice, and we know that this kind of situation doesn't always end very well, if we look back at the hack of 2D4Z, the German Facebook clones from a few years back. And so I wrote a
guest post on the Jugend hackt blog about our recommendations in dealing with manufacturers, where I offered my support, and I traveled across Germany and extinguished some fires where very young people found some very big flaws, and we ensured that those got fixed. And this is a lot of fun, it's a lot of fun for everyone involved. The manufacturers just don't know how to show it, it's more than inward joy. No, but honestly, the manufacturers, of course, nobody likes to have people stepping on their toes. But for these young people, after you've sat down at the table, and after I've told them, "You're not going to, I cannot imagine that you want to threaten a child, I cannot imagine you mean what you just said," and then you're usually able to reinterpret the situation into an internship or into an apprenticeship. But there are different examples of how manufacturers deal with these problems, there's a lot of variation. Yes, examples worth highlighting stood out, and we want to show you some of the most remarkable examples. One of them from this year, but maybe, last year we told you things about one messenger that offered secure communication but didn't really understand what secure communication means, encryption, and had none at all. I didn't hear back from them, but a few months ago they came up to me and said, this is true, and they had rewritten all their software and asked us to update our communications. So we did, and said, the manufacturer said, next, we were unable to test it, and there was some back and forth, and they considered our blog post hate speech and thought they might need to sue us. I haven't heard back from them yet, I'm eager to see how this develops. But they are now certified secure, they found a company that certifies that the software now is secure until August 2018. Don't laugh, it's not funny, it's actually, we redacted the name of the issuing company, but anyone want to guess? We may be able to guess it, but we redacted it because you can't read it, or you can read it. So now
you can google it, they do advertise this certificate. So, if at the end there is a certificate. So, this business model existed once before, it was called the sale of indulgences. So there is the certificate. This business model existed once before, it was called the sale of indulgences. And this business model is not new. In the Middle Ages, though, you got quite a nice hand-painted deed for it, but in the, to take care of the details of the word processing. The certificate, a nice illustrative example. und die zuständigen Leute sind und es fühlt sich wie die Menschen in der Fahrt um die Kommuhrung zu gehen und uns die Zerstifiken nicht erzielen. But you have to say, maybe the manufacturer could have had that cheaper. aber vielleicht hätte das Manövator gesagt das wäre noch besser ich würde diese Zerste rübergeben sie könnten die Zerste nur einigen und dann auf dem Produkt ja vor took me nicht mehr bewusst war, dass wir den neuen biliyor extra folie hatten. Wir haben auch CDU nach geht zum. We also sender die Statement von den ältronisch hinterherbedingt nach. Die Kartenseur favorite enable und die sehr wenige Pläne, in denen man sie auch benutzen kann. The grand coalition had a good idea, that they had to fill that. The dead thing doesn't go in, but maybe we can make it mandatory. We can't get it in, but maybe we can get the people in. That has now also become law. That can decide itself whether this eID card is activated. You can also no longer ask whether you enable a new eID card. I don't even need a crystal ball for that. I don't even need a crystal ball to say that nobody uses this. There are no applications for it. Of course they tried to develop that part of the applications. But that is not what I was talking about on this topic.
The big whopper in this law was, at the introduction of the WD, that this data is not collected centrally. The biometrics were discovered in the passport. Wir haben uns vermisst, dass es nicht ein zentral biometric Database wäre. But that is of course a problem. Rather, when you have automatic face recognition at Südkreuz station in Berlin. That means that we were very astonished, when we passed this law, that all federal agencies can now be visited centrally. Wir haben uns vermisst, dass diese Biometric Data nicht ein Debatt für sich war. It was not more valuable than a debate. There was a delay in this... ...basically in the law. At the end of the parliament, the situation was made better. Of course there was criticism, but no reaction, no form. We now have this automated action. The logging is on the side of the actions, so it is impossible to know who is accessing there. There could be a shadow database where there is no logging anymore. It is possible that there are all actions, but we cannot have all actions, because that would be too much effect. It is really, really dangerous to think about what this will make possible. And the law opens up, to enable the eID actions as far as possible, or as it is possible. And this eID action is with all the passports and ID cards, and the question is, how do you actually kill this chip? For years, people have wondered how you can kill this chip. And central databases are also part of another debate. I mean, not everyone needs a new ID card all the time, but the passport is one thing. Der Rechtsprecher, das ist in Kontravention der Law, und das ist der Passport. And on 7 April, the EU border code, the European borders code, changed.
Now, the biometric data is read against central data when you go across the Schengen border, and checked with the law-enforcement database, in order to call up terrorism. This data is read from the documents and is sent somewhere in the remaining states. Aber die deutsche Law, die Daten zur Überprüfung der Gültig-Karten werden verwendet, um die Identität der Behörde der Dokumenten zu ververkennen. Wir haben uns gezwungen, um den ganzen Tag zu erklären, dass es viele Werte gibt, die das Schiff erzielt. It is not through the manufacturers, rather there are very handy devices. I brought something along. There are manufacturers on the market who produce something like this. It is a very important device for the identity of the documents. You can see them in hackerspaces. It is the mobile version of the induction stove. I have to plug this in first. Wir können damit mit Sicherheit zeigen, dass wir in die Mikrowelle hier keine Brandlöcher sind. Wir werden, wie erwartet, in die Mikrowelle keine Brandlöcher sind. These induction hobs send out such small pulses. These induction hobs send out pulses of 2,000 watts. It is very experimental. I'll set this to maximum. That should be enough. The noise is normal. The sound is normal. Everything you have to do, that also goes relatively quickly. It goes very quickly. Magic. Es ist Bar Damsel. Und der Drill-Test. Es ist Bar Damsel. Und es sollte altersd recipes beendet werden. Es sieht das genau aus, das auch noch anders aus. Es funktioniert als. And because we must expect still other ideas from our Minister of the Interior and the future, this is perhaps something else we want to think about. Then there was another topic, which here in Germany was the G20 summit. Then the Chaos Computer Club also gets to the point where it says, okay, there is some...
We as the Chaos Computer Club, an association of hackers, but where we, the point of... What can we actually do? What can people associate with this club? And when we talk about general political activism, we see that there are different groups in the club that then say, we are doing something. There are different groups in the club that maybe get together and do something. And the Berlin group, yes, there we were, how to tackle it, this meeting in Hamburg. And that was not all that was done in Berlin. We had the G23 summit in Berlin. A small event with many nice people who met a month before the G20 summit in Hamburg. It was a bit of networking, a bit of an event. And also at the G20 summit itself, part of the CCC was a media center in the city, an independent media center, together with the Freitag-Media-Zentrum, with live streams and opportunities for journalists from all over the world to work. I think that is also particularly Chaos Computer Club. I really feel that this activism also stands for the CCC. These are really people who work so very hard, put themselves at risk, and what we do best, building the infrastructure. And that is great. That is just one example. So, one example. The people from the club who, all throughout the year, support different events, especially the VOC, our video group, for all sorts of different political events. We as hackers have the opportunity to make a difference, to engage, to bring a connection to places that need it. And that is one aspect where the CCC really is able to make a difference, because other organizations and associations are quite helpless sometimes. Helpless organizations, that brings us right to the German Federal Election 2017, where to look at an election software. And leading up to that, this project was brought to us by Kai Biermann from the German news site online.
He said, "I've got this student here, and he sort of hacked the Hesse election." And we said, "Alright, let's have a look at this." And working together with Martin Tschirsich, the student from Darmstadt, we looked at this and found that, this is quite nice, but before we make this public, let's see what else we can find. And then at the end we had a 23-page report, where we listed every vulnerability that we found, listed, gave all the details and explained various attack scenarios for attacking this election software. And so this hack that Martin did, in which he could have manipulated all of the Hesse election results centrally, we were like, "Ah, this would be nice if we could do this on the federal level." And so, working together with Thorsten Schröder, we dug a little deeper, and I'm gonna skip a few details here because we had a talk on this yesterday. You can see and listen to that on media.ccc.de. Anders Vock. Great recording, thanks to the VOC again, Video Operations Center. And we're very proud of having used the lack of updates and lack of encryption. In reference to the Quellen, something we call Quellen-Telekommunikationsmanipulation. So, source telecommunications manipulation, a play on words about surveillance of telecommunication. So, as always, we as the CCC approached the vendor. Kai Biermann was very helpful and facilitated the communication. And it truly was a clay pigeon shooting. So it was quite easy for us to find these vulnerabilities. And we always, yeah, we showed them what to do and told them about signed updates. But, yeah, it all fell over again, and it was just back and forth, back and forth over multiple releases. And on 19 September we realized that the vendor isn't able to provide an update mechanism, and so we just released our own security fix as open source. Yeah, so, I mean, it's about the federal elections. So, you know, yesterday we also pointed out that we have some sort of responsibility there. We wanted to vote also.
I mean, you only wanted to give one vote. Yeah, so, it might have gotten through that our cooperation depends on how well we can work together with a vendor, a software vendor. And the, yeah, the developers here didn't just screw up the technical side, because, of course, our sort of little open source update mechanism gift, it was pretty clear that they wouldn't implement that. And they said, "Well, you know, if the updates are the problem, then there's just not going to be any updates anymore." And so a few days before the federal election they just stopped all updates. They publicly stated there won't be any online updates anymore. And said that if you wanted to update the software you should contact the counselor. So, yeah, so, this is an update mechanism that is in need of a special counselor, which just isn't acceptable. So a few days before the federal election all versions of the software still were critically vulnerable. And they wouldn't be fixed. We knew that. And so from the various voting stations we heard that, "Well, we're using, you know, you've, in your report, you've talked about 2017 software being vulnerable. But we still use one from 2015. So is that affected as well?" Yeah, just sent shivers down our spine. So, of course, we also, this was a lot of work, writing the patches ourselves. And we made some demands as well. So, these demands concerning voting software, voting computers. So, on to the election assistance system. So, this Primar. We were not only against voting machines, voting computers. We were also about assistant voting machines. So, for us, security and dependency are very important with these machines. So, we do not see that in the software. And the software that is in the elections cannot be a secret. It must not be a secret. And there is a round of applause for that. Yeah. That means we don't just need open source software. We don't just need open source software.
But in the election offices, all throughout the election process, we need auditing. We need access to the software. We need source code being published. And these demands, especially the demand for open source software within this realm, got a great response on an international level. Because that really struck a nerve in the US. The same problem exists in the US, but it's a lot more severe. And so the big bad Cyber Russian was looming at the door. Due to this international collaboration we're hopeful that until the next federal election rolls around we're gonna have our demands met. Yeah, and a lot of people signed this campaign. And we also want to mention a response by the federal election officer. And we also want to mention the election officer. Just because no one ever looked at a certain software doesn't mean that it's better. The election officer said, "Well, we also use Microsoft Office." So, yeah, there's still a lot of work to do there. That is so sad, because it really would be possible to count all of Germany's federal election using open source software and having open source software all throughout that process. And then we could just be like, you know, git pull, countvotes.py. And all we have today is, you know, a huge waste of resources and money, and that gives us intransparency and vulnerability. And it would be so nice to use these public funds and public software to realize an election. And I really don't understand why that doesn't happen. Regarding this, every time you ask on the state level, they always say that, you know, we have security by obscurity, as every computer scientist knows. So, the FDP, Liberal Party of Germany, had this nice election slogan, which we modified slightly. So, we have to think first, digital second. It's what it says. We're coming to a close, almost. As mentioned before, there's lots of local events within the Chaos Computer Club community.
And we have to sort of, that was like scrolling here, trying to give you an overview of everything that happened throughout the year. And, you know, we probably missed a few. But on events.ccc.de there's always the whole list. I'm just gonna, you know, run it again. It was so nice. You know, the question, where's the next event? There's the website I just mentioned. There's blog posts. And these events are much smaller than Congress. But they're really, really nice. And they're great opportunities to get in touch with people, get to know people, and so, I really want to encourage you to check out those local events and participate there. And that is it for today. Thanks very much.