This is a summary my experience at 2021's rc3 (remote chaos experience). In the first parts, I'll share takeaways and resources from talks that I've seen. The second part describes how this online conference works, and some of my experiences and highlights outside of the talks.

Julian Assange and Wikileaks

If you sejust watch one talk, make it this one.

When Wikileaks bumped into the CIA: Operation Kudo exposed

Andy crticises the good and bad from a recent Yahoo article and reconstructs the surveillance of Assange in London, sharing evidence from ongoing trials.

My favourite talks

(Roughly ORDER BY date DESC)

R3S Infrastructure Review

This in not the main infrastructure review, but the one just for the R3S stage. It's impressive to see the efforts involved in running a stage - in this is just 1 of 8!
  • 1.300 hours of work (that's about 1 year for 1 person), 10 people core group + 40 volunteers (angels)
  • 28:12h over 37 talks
    • 10 Pre-recorded
    • 8 live remote
    • 19 live in person / on stage
  • Up to 1.400 concurrent views
  • Coding: 34 kLOC config and 25kLOC OBS customization

Inside Bundestag

In German

Anke Domscheid-Berg ist Aktivistin Netzpolitikerin. Sie war Bundestagsabgeordnete für Die LINKE in der Opposition in der vergangenen Legislaturperiode. Im Talk teilt Sie ihre Arbeit im Bereich Digitalisierung des Bundestags und in der Oppositionsarbeit. Außderdem legt sie ihre Transparenzbestrebungen da, und wie sie mit der Zivilgesellschaft und dem CCC zusammenarbeitet.

Ihr Appell: NetpolitikerInnen aller Länder, vereinigt Euch! Die Differenzen zwischen Parteigrenzen seien oft geringer als den Widerstand innerhalb der eigenen Franktion wenn es darum geht, den ParteikollegInnen der Technik, digitalen Arbeitsweise und Tech-Politik-Themen zu vermitteln.

Cyberpunk 2022 - wo Brain-Computer-Interfaces auf Grundrechte treffen

In German


KOALitionsvertragsAnalyse: Mit Tools & Methoden dem Ampel-Vertrag auf den Zahn fühlen

In German

The speaker applies concept from software design, text mining and software architecture to the analysis of the coalition treaty (Koalitionsvertrag). Insights on the actual content (the coaltion treaty) are more a side note at the end. However, the topic serves more as an opportunity to learn about a wide range of techniques and tools like techniques and visualizations like word clouds, timelines, SMART goals, object modelling, C4 object models and many more. The unique idea here is applying these techniques to a topic where you wouldn't expect them. This shift of mind creates an interesting learning experience, making it a fun and engaging talk to watch.

What is Algorave?

History and definition of algorave, with many cool samples, from toplap in Berlin.
I've been to algoraves, i.e. live coding music performances, in Barcelona. It was great to see the variety of different styles, music genres, tools and languages in this introductory talk.

Tech Dominatrix. Device control as a fetish.

Device control as a fetish. Makes you realize the depth of the internet and society, with niches for every interest. It's human dreams and wishes after all, and technology creates spaces for everyone.

Deine Software, die Sicherheitslücken und ich

In German
Mit Lillith und Karl von zerforschung und Linus Neumann.
Zerforschung ist ein Kollektiv von jungen HackerInnen, die in 2021 viele Sicherheitslücken aufgedeckt haben. Mediale Aufmerksamkeit haben vor Allem Datenlecks in Corona-Testzentren erhalten. Lillith wurde von der CDU verklagt, nachdem sie im Responsible-Disclosure-Verfahren eine Sicherheitslücke meldete. Nach diesem Einschüchterungsversuch verweigerte der CCC die Zusammenarbeit mit der CDU, und eine Welle von Full-Disclosures (Veröffentlichungen von Sicherheitslücken ohne vorherige Ankündigung) folgten.

Im Talk geht es darum, wie SicherheitsforscherInnen mit gefundenen Schwachstellen umgehen sollten - ethisch korrekt, aber auch zum Selbstschutz.

Der Talk wurde vorproduziert, und hat daher eher den Charakter eines YouTube-Videos: Unterhaltsam, gutes Tempo, klar artikuliert, einfach zu folgen.

Learning: Be careful with public GraphQL endpoints for single-page apps. With Gorillas and Flink (German), Zerforschung describes two case studies that reveal problematic areas of the data access layer:
  1. Introspection and the self-describing nature of GraphQL might leak insights to attackers, making it easier to discover valuable data to extract
  2. API endpoints are publicly available, and access tokens available in the app binary or web app's plain text

Missing authorization and/or gaps in access control lists seem to be the a common weakness, leading to sensitive data becomes available. In the cases presented, researchers were able to extract the following data from the world-readable, public endpoint
  1. Security configuration, e.g. 3rd party API secrets
  2. Employee PII
  3. PII and transactional data from other customers

Catching NSO Group's Pegasus spyware

  • MVT: Forensics tool to catch

Let's review code together

In German

How to learn and have fun together by running a code reading club

ADS-B & AIS - Open Data is in the air

Like Flightradar but Open Source: Catches radio signals from airplanes and boats that broadcast their position, and visualizes them on a map.
With multiple base stations, signal can be triangulated to improve results.
Over 6 years in the making.
Other projects like this exist. Volunteers share ADSB data internationally. Interesting use cases on top of this, like a tracker for planes from dictatorships.

Attendee experience

While not trying to replace an in-person congress, rc3 replicates the experience online as much as possible.

The conference does not happen in a single place but consists of many different streams, platforms and websites:
  • The main conference program are talks and performances on 8 stages, curated individually but centrally available via the conference program fahrplan and the server
  • is the main event space to meet other participants and discover self-organized parts of the event: 2D world, assembly directory and (another version of) fahrplan
  • Eventphone, a DECT/SIP telephone network
  • Chat and Q&A on IRC and Rocket.Chat, or using hashtags on Mastodon and Twitter

The ccc events are truly distributed, crowdsourced and in nature and by design. Therefore, it's not easy to keep a tab on everything that's happening or discover everything that's out there. With remote, even more so. The event constantly changes, as the world maps are improved, information material added, new initiatives spawn.

The 2D world is a workadventure instance. Like in a 16bit role-playing game, you chose an avatar and start walking around.
From the main lobby, the Fairy Dusk Bay, you get to different islands that serve as overview maps for assemblies, regional CCCs etc. . The islands can be giant, and there are easily 100+ community-organized rooms, some giant by itself.

You can talk to anyone by just walking up to their avatar. There are also designated areas for group conversations (over jitsi). This makes it easy to meet new people, be it just for a quick chat or +1h of conversation. It's the culture of CCC that everyone is open, friendly, curious and happy to nerd out on any given topic.

It's very easy to get lost or hit a dead end. But many maps are just beautifully designed and carefully crafted. Some elements are recreations of recurring themes from physical congress, others are imagined utopias only possible in this virtual space.

Because all happens in the browser, many places/elements will open a side window. This could be a video or music stream, a jitsi group call, an etherpad/whiteboard or any other content, really.There is so much to discover: Games, museums, music, cinema screenings, fireworks, etc etc. This walkthrough of the haecksen asssembly gives you an idea.

My highlights (or just noticeable moments):
  • A Fireside chat at Sendezentrum, chatting about bass guitars, online music peforming, remote podcasting, beer, what makes a good conversation, mate, independence movements, and of course: podcast recommendations - Bleepy Toys,, Binärgewitter and Darknet Diaries
  • I found warpzone, the hackerspace of my hometown that I visited once or twice, around 2011, when it was created. I left quickly, both as I had problems with the jitsi settings, and also as the conversation was around Jira vs Github issues and other work-related topics - way past 2am! I wanted to visit again at another point in time, but couldn't find the assembly anymore
  • Getting stuck in irish assembly. About 40 people got stuck there, because the exit wasn't configured correctly. Being so crowded, it was unavoidable to bump into others.

The jurrassic park-inspired gate in one of the overview worlds
The OpenStreetMap assembly was beautifully styled - as a map, of course
In the 2D world, you can talk to anyone by just walking up to their avatar. To avoid too much chaos, the main lobby and islands are "slient zones" otherwise explicitly noted.
I had a nice evening at the Sendezentrum campfire

Other tinkering

All the inspiration at rc3 makes you want to build and experiment. Some things I did: