The rest were less good for me personally. Either over-dramatic and shallow (with a sexy-sounding topic) or too procedural in topics I'm not an expert in.
Somehow it did not get much attention, but Signal president Meredith Whittaker (together with
Udbhav Tiwari) spoke about the risks and threats from AI-enabled systems.
Foundation workshop: Hands-on, how does the Internet work?
by Ingo Blechschmidt, is congress at its best. Getting a diverse set of people with various backgrounds and knowledge levels to
ARP spoof in a little over an hour is art.
Meredith's talk was extremely scripted, not very original and then she ducked out of taking any audience questions. Udbhav awkwardly stood there but seemed like he could have had much more to say. It was hard to watch.
Mona Wang's talk early on Day 2 wasn't recorded but was the polar opposite -- Original, off-the-cuff, engaging, and just fun to witness.
The Asahi talk was good, but the video switched waaaayyyyy too often between slide only -> slide + speaker -> stage -> only speaker. Made me kinda uncomfortable.
"Liberation of the Freebox", A slightly crazy Frenchman embarks on a quest to find exploit and write a complex exploit chain, using PrDoom and the Linux HFS+ driver to gain root privileges on his set-top box. All this in order to unlock the recording of somewhat rubbish TV channels such as TF1 and M6.
And he waited almost ten years and the retirement of the hardware to reveal it because he didn't want it to be patched.
If you are into hardware emulation "From silicon to Darude sand-storm" is fun.
Absolutely Cory Doctorow's, for the showmanship alone. Lovely background slides. The message itself might not resonate with everyone.
The talk "Look Up" about unencrypted data over DVB satellite links was also though provoking, both in presentation and in technical content. If there's that much data unencrypted over a mainstream IP link, imagine how much is still on legacy protocols in 2025.
I am not so much into videos but due to some extended interest in the matter I decided to watch the recording of that talk and I do not regret it. Much recommended to everyone who is interested in the state of the art of precision time synchronization over network. Also, in my opinion this talk is presented masterfully with most of the time actually spent on a convincing live demo.
Just for sheer geekery's sake probably the ISDN talk.
For OMG eye opening factor the FreeBSD jails talk (how the hell is this thing still so buggy?) and the talk on unencrypted satellite links
For excellent follow-along value and dedication to ridiculously pointless cause the Freebox talk. "Technically I don't own this box so instead of risking damaging it I'm going to take the extremely long and entertaining route around, somehow involving Doom WAD files"
Linus has said a lot of stuff over the years and not all of it was on the money. Still, he did a lot of good and I'm very grateful for it, Linux has been my daily driver for almost two decades now (basically from when I stopped using SGI because there was no point any more).
But bugs in large codebases will always be a thing, and even though the eyes looking at FreeBSD are very, very good eyes, indeed there are not enough of them. The more interesting thing here is that they picked a really hard target. If they had done the same with Linux I would expect the number of bugs to be quite a bit higher.
The biggest problem with ccc is that:
0. They are releasing too few tickets.
1. They are releasing the tickets too late.
3. Still not able to pay with card?
I live somewhat nearby, but can’t book or plan a visit because of this. I appreciate that they are releasing videos shortly afterwards though.
Ad too few tickets: I happen to live close by the venue (CCH in Hamburg) they fill up. And they do fill it up. That is the limiting factor.
Some person that wanted to get a ticket not getting one is bad, but what is worse is to have more visitors than you or the venue can safely handle. This and of course you still want it to work for the type of event you're doing, with multiple stages, parallel talks, ideally minimum walking distances, not a lot of extra tech to rent in terms of projection, sound etc.
To my knowledge the 3C congresses have been a story of growth and having to move to the next-bigger venue throughout the years.
You can pay with a card, but there is an additional 5 Euros fee (which is fair enough).
I booked a refundable hotel already in the summer, in case I won't get the tickets. But getting the ticket this year was relatively easy (though maybe I just got lucky).
There wasn't even enough assembly space this year, it was bursting at the seams. Sadly I think CCH is just too small for this conference. There's a much bigger conference space space down the street, but the rumor is that going back to Leipzig (where it was held during the renovation of CCH) is back in discussion. That place was too big though.
At the time when this took place in Berlin, in the Berlin Congress Center, which was rather small, there were only a few hundred seats available, and most of them had already been allocated before they even went on sale.
It was also a great excuse to spend New Year's Eve in Berlin.
The Deutschlandticket talk was pretty cool. As Malcolm Tucker would say, "what a catastrofuck".
Miele washing machine hacking, very nice, I was going to say I'd be waiting to see someone integrate it into HA... and then looked up the Github repo and there's HA integration already there.
Thank you, and happy to answer questions on that, it's been a crazy time!
Maybe of relevance to non-security people here:
1. Most of it is about AI investigating event data in general, not just SOC/IR: cyber, intel, fraud, SRE, and we're even messing with customer 360 & social media data
2. For anyone into vibes coding or building agents, I encourage jumping to the "self-writing AI" section where we're finding we are moving internally from vibes coding -> vibes engineering -> and finally now to eval-driven AI coding loops
And, for anyone in security, doing careful evals here has indeed strongly colored my view on the market :)
Hey, I just saw your talk and for someone who's not really up to date with the latest AI developments it's eye opening what you got going in SoC investigations.
I personally work as pentester and we're still doing a lot of manual work with AI simply as a better version of Google, but seeing the BOTS presentation I feel we can do better. Do you have any idea if anyone's working on something similar to Louie in pentesting space, or if Louie could work with pentesting workflows?
Companies like xbow and horizon are using agents that talk to symbolic tools to automate more red teaming flows for different domains, so very much so. As shown in my talk, modern models are quite capable, and they aren't doing investigation-level scenario depth, more like scans, so seems like becoming the new expectation that everyone can & will do.
Companies like trail of bits are more interesting to me here, because they historically do deeper analysis. A place to look there is the darpa cc x ai (?) competition that finished at blackhat last year.
If in the US, we may be looking for a pen testing partner on an upcoming agentic AI contract, so feel free to msg - Leo @ graphistry
I attended 7 talks.
My favourite talk by far was hacking the GPG. Brilliant, really: https://media.ccc.de/v/39c3-to-sign-or-not-to-sign-practical...
The "In-house electronics manufacturing from scratch" was a very inspiring talk: https://media.ccc.de/v/39c3-in-house-electronics-manufacturi...
The rest were less good for me personally. Either over-dramatic and shallow (with a sexy-sounding topic) or too procedural in topics I'm not an expert in.