Welcome to WHY2025!
A shared understanding of what time it is and the rate at which time progresses is essential in many areas of technology from industrial control to broadcast. There are two main ways of synchronizing time between multiple computers, Network Time Protocol (NTP) and Precision Time Protocol (PTP). NTP is sufficient for certificate validation, but when timing is crucial we need PTP. In this talk we will take a deep dive into PTP: what it is, how it works, and various ways to abuse it.
Energizer for body and mind: hand-eye-coordination, left-and-right-side-of-the-brain-training, socializing, playing ... and lots of laughs :o)
In this workshop we will demonstrate the GNU Taler payment system. GNU Taler is an open protocol implementing digital cash in FOSS. The system is developed by a global community about to be deployed in Europe.
In our workshop, you will learn how to withdraw digital cash, pay online or in person with improved usability and security. We will also explain how to integrate GNU Taler into new applications and show some highlights of ongoing developments and how you can participate.
An inside look at the challenges I faced while establishing security in a cloud-native environment within a fast-growing fintech company.
Web scraping continues to be a cornerstone of OSINT operations, particularly during Red Team engagements and external attack surface reconnaissance. Yet, as anti-bot technologies grow more sophisticated, traditional scraping methods based on direct HTTP requests are increasingly ineffective.
This talk takes a technical dive into browser-based scraping techniques that closely mimic real user behavior to evade detection, inspired by real-world mechanisms observed across major web platforms.
Some well meant amateurs got together and started creating a new way to get WHY2025 info out; we created the WHYcast!
Here's the story and of course all the beautiful blunders we've made.
Some time ago, I embarked on a journey into the world of electronics and FPGA technology with no prior knowledge. What began as a passion for retro gaming evolved into a quest for preservation via reverse engineering and FPGA-based emulation. This presentation will share my journey, highlighting the challenges of learning Verilog, the tools, the resources, and the lessons I learned along the way. By sharing my experiences I hope to inspire others to contribute to the preservation of video games.
Workshop on the state of the development of harmonized standards for the CRA, especially those with a strong open source connection.
We present EntrySign, a cryptographic flaw in AMD’s microcode patch verification logic, including how we discovered the bug and how you can extend our results. EntrySign lets us execute arbitrary microcode on all AMD CPUs from Zen to Zen 5 and modify the behavior of x86 instructions. We will delve into the format of AMD microcode, how their patches are verified, how we were able to reverse engineer this process, and how we were able to access the key information required to defeat it.
Did you know that if you change a single bit from 1 to 0 (or vice versa) in the first 'g' of the domain name google.com (which is 01100111 in binary) you will end up with a variety of valid "bitflip" domains like coogle.com, oogle.com, & woogle.com?
So what happens if you generate and register a bunch of cheap bitflipped versions of popular cloud / SaaS provider domains, point them to your VPS, log all incoming requests & then forget about the whole thing for two years?
WHY did I donate a kidney?
How did I donate a kidney?
You might want to donate a kidney!
WHY2025 contains a lot of activities and entertainment for the attendees. This presentation focuses on two of these activities, namely the CTF (Capture The Flag) and Secret Token Game. These activities focus on a wide range of visitors, including seasoned hackers, inspired newcomers and even the youngest generation. Want to try the CTF or search for some Secret Tokens? Join this talk for an introduction and background information.
This talk is a "no clip" deep dive through a genre of music. We'll start in 1990 and discover the genre as it was discovered by its creators. While traveling through time we'll try to answer the question: what is hardcore?
There will be clips and mixes of revolutions and sub-genres. We'll learn how it's made and how to win the loudness war. Hardcore spawned a youth culture with lasting international adoption. From art to cheese, we'll cover it all. We'll learn the dance and end with a live set.
The classic Jeopardy! format, but now with hacker answers... can you give the right questions to them? You can join as a team or enjoy it from the audience!
Instructor @DoodleMe, @KnottyLola and will take you through some of the most basic concepts of Japanese rope bondage (Shibari). This is an 18+ workshop. Bring blanket & rope if you have it.
Security teams want to prevent incidents - but what if controlled breaking prevents catastrophic failures? Drawing from aviation safety, chaos engineering, and resilience design, discover why 'unbreakable' security comes from breaking things on purpose. Learn to transform incident culture from blame to learning, implement controlled failure practices, and build psychological safety that turns near-misses into competitive advantages.
Sad But Tribute is a four-piece Metallica tribute band from the Zaanstreek region of the Netherlands. Since their formation in 2019, they have built a reputation for their faithful and powerful renditions of Metallica’s legendary catalogue.
Container security is essential, but what happens when the bad guys get creative? In “9001 ways to break out of a container,” we’ll explore hackers' fascinating and terrifying techniques to escape containers. This talk will cover:
- Learn how attackers slip through the cracks to take over the Linux kernel by bypassing the eBPF validator
- Understand why “you want stars in the sky, not in your RBAC.”
- See the most common and overlooked weaknesses that make containers vulnerable.
Lightning talks are a 5 to 10 minute quick talk on an interesting subject. They can be with or without slides, and with or without proper preparation. If you weren't accepted in the main CfP, this is also a great opportunity to give an abridged version of your talk. These sessions will be available to sign up to later on, with details on the wiki: https://wiki.why2025.org/Lightning_Talks
Introduction workshop TIC-80 fantasy console & demoscene
This is a first introduction to quantum computers. We will discuss what makes quantum mechanics so special, and how it allows building fundamentally different algorithms. I’ll do a short live demo of how you can program a quantum computer yourself using the Python package Qiskit. Then, we will look at one of the most impactful applications: breaking widely used public-key cryptography like RSA, and how this will impact the cybersecurity sector.
Each night concludes with a Silent Disco in the Party Area. DJs Luna and Julian will keep the dancefloor alive into the early hours, pick up your headphones and choose your channel.
During World War II, the English mathematical genius Alan Turing tries to crack the German Enigma code with help from fellow mathematicians while attempting to come to terms with his troubled private life.
Solder together your own light sculpture with BlinkyTiles! BlinkyTiles are pentagonal circuit boards with an RGB LED on each board.
Let's dive deep into the threat detection engineering topic and what the detection engineer's job looks like in 2025. I work with threat researchers, detection engineering, and engineering managers, and we'll talk about it all: from query languages to tuning, from managing detections as code to content management, from maturity of processes to human skills augmentation.
Frank talks about AI, why it all of a sudden is everywhere and what it means.
This talk is a roller-coaster ride through a few years of experience in teaching the government about their obligations w.r.t. climate change. It details the procedural hacks they use, and ways to evade them. It also gives examples of elegantly designed cases with a potential of very high impact. Climate law is a domain of logic, language and social ethics, all available in the average hacker's toolbox. I'd argue the world needs our minds to lap up the debris left behind by our governments.
Generative Art is a form of art where the artist builds a machine that autonomously produces artworks.
In this talk I'll introduce you to the wonderful world of computer generated art. Through live demos and fiddling, you'll learn how you too can be an artist. I'll show plenty of examples using open source tools on how generative art can be an alternative path to learn to code.
Because sometimes, science and technology are simply beautiful.
As a technical person, you work with complicated and often important matters. Public speaking is essential to get your message across, be heard, and be valued. In this workshop, you will improve your public speaking skills. The workshop is based on the methods of Toastmasters International.
Among the topics discussed will be: The history of data protection in Europe. What does the GDPR protect? What are the principles of data protection? What is personal data? When can you process personal data legally? What is the difference between a Data Processor and a Data Controller? Do you need a Data Protection Officer? What are the rights of the data subjects? How to read a EU court verdict on data protection. Who is Max Schrems? Who is your Supervisory Authority and what do they do?
What could be more fun than gaining control over your dreamworld? Go to sleep, and find yourself doing things that would be impossible in the real world. Flying? No problem! You can be superman and have it feel more real than reality. Now if that's not a fun hacking project..
As soon as a presentation is given for a larger audience, or when a presentation is recorded, it is almost a given that a microphone is used. In this presentation we will show you which problems presenters have with microphones, give tips on how a handheld microphone should be held, and show common problems with headset microphones. We give you tools to make the audio quality of your presentation as good as possible.
In the realm of cybersecurity, workplaces can be surprisingly unsafe, with a higher turnover of CISOs and alarming rates of misconduct. This talk explores the mechanisms behind this paradox, examining organizational dynamics, the pressures on CISOs, and the emergence of toxic behaviors. By analyzing real-world and some very personal examples, we will uncover the root causes of these issues and provide practical solutions to foster a safer, more resilient cybersecurity culture.
As of August 1st, 2025, the EU’s Radio Equipment Directive enforces new cybersecurity requirements. For the first time, broad categories of everyday devices — not just critical infrastructure or niche tech — must meet mandatory security standards. This talk breaks down how we got here, why it matters, and what’s breaking in the process. We’ll look at the political and technical hurdles in rolling this out, what it means for manufacturers, and how it connects to the looming Cyber Resilience Act.
When presenting for a larger audience or when a presentation is recorded it is almost a given that a microphone is used. In this presentation we will show you common problems presenters have with microphones, we will give you tips on holding a hand microphone and show common problems with headsets. All this to give you tools to improve the audio quality of your presentation at the source which can be used at hacker events and everywhere else you will be using a microphone.
This talk will take you on a journey leading to the retrofit of a robotic tape library to enable it to accommodate hard drives in addition to the original media, from the reasons we did it to all the obstacles that needed to be overcome and how we did all that, pushing a little further the physical limits that make data storage increasingly problematic in a world where over 200TB is generated every second and must sometimes be retained for years (and possibly more).
RFID reverse engineering has seen significant advancements, yet a comprehensive overview of the field remains scattered across research and practitioner communities.
Here the authors present a structured survey of existing RFID technologies, encryption protocols, and known attack methodologies. Take the opportunity to listen to both Kirils' practical experiences and the deep insights of Iceman when it comes to RFID hacking.
"The Roomba Rebellion" unveils a custom-built spy Roomba designed to infiltrate corporate environments. This weaponized cleaning bot conducts WiFi attacks, records audio, and captures visual data, turning a trusted device into an insider threat. We'll demonstrate its capabilities, explore the technical aspects of building this spy-bot, and learn to secure your enterprise against the next generation of physical-digital threats.
Are you a smartphone user worried about spyware, advanced actors, backdoors, zero-days or side-channel attacks? These routinely bypass end-to-end encryption through keyloggers, screen capture and compromised keys. Smartphones are part of complex ecosystems with dozens of hardware and software components and remain vulnerable despite vendor and political efforts.
We introduce a simple, offline, airgapped device to counter such threats.
Check out www.qryptr.com and github.com/gappuser/qryptr
If you want to try something new, unusual, and technically creative, try high-altitude ballooning! In this short presentation, I'll share my experiences from a series of three high-altitude balloon projects. These projects included launching sensor payloads to altitudes about 25km and live HD video transmission from the stratosphere. You will learn how to prepare your payload, how to track its position and telemetry data using solutions, and even how to rescue a landed payload from a tall tree!
Let's learn about L2 isolation with VLANs and dive into basic network architecture with OPNsense. After playing a bit with IPv4, let's discuss unicorn-issues IPv6 for your homelab-ing. Then expanding with WireGuard for simple inter-machine networks. Continuing, we will take a look into Linux network namespaces and a few tricks you can do with your systems to bypass "security" - and also how to defend against it.
Anyone can learn to solder!
It is useful and fun.
This workshop is for kids of all ages (and anyone of any age).
We will learn this wonderful skill by making a blinky-badge kit,
so you can wear blinky-lights wherever you go.
Snake like on the Nokia 3310! But this time you program your own Battlesnake and let it make decisions on its own to beat each level.
What is up with the beings with the visors going 'beep boop, this one is not a person'? Unit Δ-44203 explains how it built an electronic face, why it did so and what consequences it experienced in a world where everyone is supposed to show an identifiable face all the time. Warning: this talk may be cognitohazardous and end up causing shifts in self-identity.
Let's talk to people about negotiating consent before engaging in personal and physical interactions. Your browser does it with every web server, so why shouldn't you do the same with people? This sounds harder than it actually is. Using the HTTP protocol as a guide, I will talk you through how you could negotiate consent to engage with someone on a variety of levels: From 'GET Hug' all the way to 200 OK, but also how to deal with a 404 Consent not found response.
The SOHO Smashup is a famous category in the IoT focused edition of Pwn2Own. Contestants are challenged to exploit a router from the WAN side and then use that device to exploit a second device on the internal LAN. Last year, we took them up on this challenge and successfully demonstrated a 0day exploit chain against a QNAP router and pivoting to a TrueNAS system. In this presentation, we'll describe how we performed our research and the vulnerabilities we found.
Old technology is amazing! Have a look at an old electromechanical Pinball Machine, and try to understand how this works, without any (digital) electronics. Find out these machines have much in common with modern computers. Step by step it becomes clear how an old (1973) Pinball machine is "programmed".
We in Quantum Development (WIQD) is a growing community dedicated to promoting diversity, equity, and inclusion (DEI) in the quantum ecosystem. In this presentation, we will introduce WIQD’s mission and activities, share insights from our first Women’s Day Hackathon, and highlight why fostering an inclusive quantum community is essential for innovation and impact.
Have you ever thought that Mathematics is a boring science about multiplying matrices, calculating integrals and approximating functions? Well, you've been wrong.
Mathematics is much bigger than that and in this talk we are going to look at one of the foundational objects in Topology - a manifold. And, most importantly, we won't need any formulas or calculations to introduce it.
(No prior knowledge of any level is required)
Calling all young coders! Become a WHY2025 badge wizard. If you've got some prior coding experience, join us to make your badge's screen light up with your own messages and drawings. Discover how to make buttons do cool things or react to sensors. This is a super fun, hands-on workshop to give your badge special powers. Get ready to code!
In 2017 I presented on DNA: The code of life. Since then there have been many new developments, and I've learned how to explain the matter better. I am submitting two talks this year, and this short one is 1) fun on its own and 2) helps you appreciate the other talk ('reverse engineering the whole source code of a bacterium') more.
Open source has revolutionized so many parts of our lives, why hasn't the same happened in healthcare? This talk will showcase examples from both hardware and software (e-NABLE prosthetics, OpenAPS, Nightscout, and more), explore the regulatory hurdles that are holding these and other projects back, then shift to looking at the future and charting a path for these projects. Join us to build a more transparent, accessible, and secure future for medical technology.
Synthercise is a beginner-friendly dance fitness class set to 8-bit music! Soundtrack is heavy on the 90s bangers and classic demoscene covers.
If you've never tried dance fitness, it's a workout you don't notice you're doing. You don't have to think of yourself as fit, or a dancer, to enjoy doing it. Wear loose comfortable clothing, trainers, and stay hydrated :)
In a context of technological integration, OT is becoming more and more a green field for attackers and illegal activities. This phenomenon is the natural result of the absence of mutual understanding and collaboration between the IT and OT sectors, which look at each other as totally unrelated entities.
In this talk we'll explore some OT technologies, trying to understand and highlight some of the most relevant aspects of OT security, and we'll have a look at a couple of real incidents in this
We have spent the last years making our own mate ice tea, called HolyMate. We want to share our experiences making a lot of ice tea on a 'small' scale (700+ litre), and explain the process. Hopefully this will inspire you to try it out for yourself, and make your own mate ice tea.
8 years ago at SHA2017, the horusscenario was presented: a theoretical attack through PV installations to take down the European energy grid. Since that day, a lot of things have changed, both for the better and for the worse.
During the session, we will look back into the horusscenario with today's knowledge and revisit if the attack is still feasible. (Spoiler: I was right... and it has mainly gotten worse since then...)
Enter your Battlesnake into this battle royale and win prizes (maybe?)! Program your own Battlesnake in any language you like and watch it battle other people's snakes. Fun, low-stakes competitive programming for every experience level.
The Cyber Saiyan community has designed and developed a special gadget for WHY2025.
The badge was designed to recall the dragon spheres, and will be an updated version of RomHack Camp 2022, both in terms of design and features:
- single core ESP32-C3 SOC
- WiFi and Bluetooth 5
- 7 RGB LEDs in the front
- TFT display
- an updated firmware
During the talk we will present the hardware design and the firmware so anyone can try to summon Shenron :)
"The ‘O’ in OT: Operational, Indispensable, Unprotected?"
Operational Technology (OT) is the backbone of industry and critical infrastructure, but often remains unprotected. Traditional IT security does not work in OT, where continuity is essential and downtime is not an option. How do we protect OT without disrupting operations? In this session we discuss threats, regulation (NIS2, CRA) and strategies to make OT truly secure. OT is indispensable; let's make sure it stays protected.
CubeSats are small satellites comprised of 10x10x10cm "units" and range in size from very small 1U or smaller PocketQubes to 24U beasts. What can be achieved with such a satellite platform and why?
I will go into a brief history with examples from customers and amateur radio CubeSats.
What aircraft have been in Moscow and New York within 24 hours of each other? How many helicopters normally patrol this border? At Bellingcat, a Dutch investigative non-profit, we publish open-source journalism using open-source software tools. In this presentation, I'll talk about a new tool I've been building for querying airplane data, and the broader journalistic context of this data, which has become increasingly important for tracking oligarchs, deportations and conflict.
Developing applications on Embedded Linux and Microcontrollers is a slow process. The various different languages and libraries can make it difficult to oversee the bigger picture. In addition, the development flow wildly diverges between platforms, making entering a new project or RTOS a big undertaking.
Now, you can create Embedded Linux and Microcontroller applications using Swift - a fast, modern, cross-platform ecosystem with thread- and memory safety.
Since the start of the war, our community has risen to help Ukraine in many different ways. This talk explains what happens when your friends find themselves in a war and ask for help. Luckily, even though it can be overwhelming, everyone can do something. This talk shows you how.
Since 2020, EICAS evolved from an idea without collection, location or money into a full-fledged, officially-recognized museum for modern and contemporary art in Deventer, the Netherlands.
Anyone can learn to solder!
And anyone can learn to make music, sound (and noise!) with computer chips!
All participants will easily learn all of this by making an ArduTouch music synthesizer from a kit.
For total beginners.
This presentation will go over the Sega Saturn's hardware, including the dual SH2s, SCU and VDP, and the history of why it became so complex, like the beginning of the Saturn's conception, where it first went wrong.
I plan this presentation to be for hackers interested in such weird hardware like myself.
Communication is an underrated skill. To get things done within cybersecurity, we need to be able to convey complex concepts to people without the same technical knowledge or background. But differences in experience, neurology, and cultural contexts create potential for good ideas to get lost in misunderstandings. This workshop introduces a MITRE-inspired, neurodivergent-led approach to teach ways to frame problems, information, and solutions in ways more suited to your audience.
Do you want to help create educational material about free software that can be used by teachers, professors, lecturers and software freedom activists around the world? Come to this workshop and together, we’ll come up with specific messaging, create educational materials, and discuss how to spread them. Whether you are a student or an educator yourself, or you have experience with free software activism in any way, your educational knowledge is valuable and can aid free software activism.
Compromising a well-protected enterprise used to require careful planning, proper resources, and ability to execute. Not anymore! Enter AI.
From Initial Access to Impact and Exfiltration. AI is happy to oblige the attacker. In this talk we will demonstrate access-to-impact AI vulnerability chains in most flagship enterprise AI assistants: ChatGPT, Gemini, Copilot, Einstein, and their custom agent. Some require one bad click by the victim, others work with no user interaction – 0click attacks.
Everybody talks about cryptography, but only a few understand what it means. This interactive session will explain the very basics of cryptography and will leave the attendants with more confidence why to use cryptography.
Gosling is a Tor onionservice-based protocol and Rust reference-implementation which allows developers to build privacy-preserving p2p applications with the following properties:
- persistent authenticated peer identity
- end-to-end encrypted
- anonymity
- metadata resistance
- decentralisation
- real-time communication
This talk will go over the complexities involved in combining all of these properties (with a focus on metadata resistance) and describe how Gosling solves these problems.
Celebrate 40 years of legendary hacking with Phrack! We’re dropping a special anniversary release packed with cutting-edge research, underground insights, and tributes to decades of digital rebellion. Don’t miss this milestone issue—crafted by hackers, for hackers. Grab your copy, meet the crew, and honor the zine that defined an era. #Phrack72 #WHY2025 #HackThePlanet
Meet us later at the release party by the Milliways village for some beer (while it lasts) & snacks!
@DoodleMe, @KnottyLola and team will take you through some further concepts of Japanese rope bondage (Shibari). This is an 18+ workshop. Bring blanket & rope if you have it. Follow up to Shibari 101, but having attended 101 is not required.
We all live in a fair democracy 🎶 ... or do we?
No, we live in a world where the major corporations decide how we interact with digital systems and digital systems govern the world. That's corporatocracy - a system in which corporations, rather than elected officials, have major influence over decision-making, laws, and societal direction. And they are not on our side.
BadgeHub is a Badge Application Website that enables Badge Enthusiasts to share Badge Apps.
In this talk, we first explain what BadgeHub is and what you can do with it.
After that, we go into all the technical details and difficult decisions that went into building BadgeHub with PostgreSQL, Node.js and Vite. We will talk about Infra, Frameworks, Databases, Backend and Frontend.
The MCH2022 Badge is a wonderful piece of hardware, with a great screen, a dual-core ESP32 CPU, and a Lattice FPGA to act as a co-processor. What if we could use the power of the FPGA to render 3D graphics? In this talk I'll take you through the basics of 3D rendering, the challenges of doing this on the Badge, and how I made the little Lattice produce pretty polygons.
How noticing a vulnerability in a website has led to a foreign government threatening to revoke my permission to publicly discuss the existence of an abstract vulnerability class.
Permission to Land takes you straight back to the golden age of rock. With big hair, screaming guitar solos, powerhouse vocals, and a stage presence straight out of the 1980s, this band pays tribute to rock icons like Bon Jovi, Queen, Guns N’ Roses, Whitesnake, Alice Cooper, and Aerosmith.
This documentary by Simon Klose follows award-winning Swedish journalist My Vingren when she goes undercover to infiltrate online far-right groups. With the help of the people who led to Donald Trump’s Twitter account being shut down and who were sued by Elon Musk, she digs deep into the Scandinavian underground of Nazi influencers. They shine a light on how these groups radicalize people using social media and how big platforms profit from their lies and hate spreading.
87 minutes
Enter the fascinating world of corruption, chicanery, low-tech fraud, and forensic tools that uncover it. The story is told through the eyes of a Russian election official who has participated in campaigns of all levels in the past 4 years and fought for justice (mostly unsuccessfully). Watch a demo of how to tamper with a security bag and learn how to use statistics to detect ballot stuffing [1]. See the obstacles faced by Russians wanting a change. See how the government “wins” the elections.
A showcase of creative Web of Things use cases - hoping to combat reliance on cloud services and "Works with Alexa" in the realm of Internet of Things.
For over 23 years, the Dutch National Cyber Security Centre (NCSC) and its predecessors - GOVCERT.NL and CERT-RO - have been publishing security advisories to help protect Dutch digital infrastructure. Over the decades, this advisory service has evolved significantly in scope, scale, and approach. From the tooling and processes used, to the volume of vulnerabilities handled, the format of our advisories, and our audience - nearly every aspect of our work has changed and keeps changing.
The hacker ethic teaches us that information should be free. So why do governments still keep so much of it inaccessible and out of reach? In this talk, we'll break down the barriers to digital transparency, show how hackers can help open up the government, and lay out a vision for a more democratic, accountable and open state.
Artist and His Sustainable Pyro-Musical Orchestra
Since the days of the cavemen, fire and lightning have fascinated humanity as top entertainment. Now, Deventer-based artist Uwe Dobberstein harnesses these primal forces to create musical symphonies. His mind-blowing live shows feature crackling Tesla coils, towering flames, and explosive bursts—all coming together in harmonies and rhythmic patterns. Symphony of Fire tames nature itself.
Archives are vulnerable. Modern archival methods are robust, but no archive or institute alone can withstand the threats we are currently facing. Safeguarding Research & Culture (SRC) is creating an alternative infrastructure for archiving and disseminating cultural heritage & scientific knowledge. We focus on publicly available material under threat of being deleted or altered. We preserve this data using open standards, open-source software, distributed storage and your help!
Each night concludes with a Silent Disco in the Party Area. Various DJs will keep the dancefloor alive into the early hours, pick up your headphones and choose your channel.
A security pro finds his past returning to haunt him when he and his unique team are tasked with retrieving a particularly important item.
FreeSewing is the leading open-source library for parametric sewing patterns and combines sewing patterns with code; instead of drafting patterns on paper (hardly an easy task!), you can now enter the measurements of your body into the platform to get a sewing pattern that fits YOU. In this talk, I will introduce you to FreeSewing, the sewing world as a whole and FreeSewing's role in it, and I will show a peek under the hood of a FreeSewing pattern.
This talk is based on my experience working for Comcast/Sky Group in WLAN (802.11) standardisation. It follows the trajectory from environmental laws through to technical regulations and finally into technical standards, patents and technologies. The talk argues that well-enforced norms and regulations remain a good way of incentivising socially and globally desirable outcomes, while explaining how technical regulations and standardisation work in practice from the industry insider perspective.
What if we could harness the power of perfumery for a better future? In this workshop, we’ll show you how to hack the world of perfume using simple tools, shared knowledge, and a bit of help from AI. You’ll leave with your own small perfume and maybe some new ideas about how smell connects to how we see the world.
Experimental archeology to understand the development of woodwind instruments. What I learned about woodwind instruments by using a spoon drill to make a bore and a whip lathe to reinvent medieval woodturning.
I will discuss cylindrical and conical bores, why they are different in a musical sense and why the technology of the times favours one over the other.
I will also link some peculiar instruments to the medieval education system of the guilds.
Economic models are increasingly challenged for destroying our planet. But it is not easy to design a sustainable alternative. In a follow-up on my OHM talk "hacking for bankers", I would like to present a few realistic currencies that we can use to move away from the unsustainable path that we are currently walking. We could build a profitable yet sustainable grassroots movement.
A workshop in which you can construct your own huggable plush sea defence structure
From (political) climate change to people marrying AI chatbots. The world can be a scary place.
This talk will be a comprehensive guide to anxiety. We’ll go through the basics of neuroscience and causes of anxiety, look at the effects of the neurodivergent brain on anxiety and you will be provided with tools backed by science to implement directly into your daily life!
This is a talk in English about the Dutch language, from a Dutch linguist's point of view. Some grammar and quirks of the language are illustrated using theory and examples, as well as a small "bluff your way into Dutch"
Modern UI/UX design is rooted in centuries-old geometry. This talk explores how historic tools—from Greek constructions to Bézier curves—are still broadly used to solve real problems today. Through demos and visual examples, we’ll uncover practical, eye-opening methods that blend math, art, and design. No technical background needed—just curiosity. Prepare to rethink how we build and understand the visual world.
For a tinkerer and software geek, robotics is a brilliant field. Finally a field that combines the beautiful creations coming out of your FDM printer and the results of multiple cups of coffee turned into (almost) working software. However, where do you get started and how does it actually work? This talk is about all these questions and the corresponding answers that I found during my journey to build my first hexapod robot. From designs to simulation, custom PCBs to finally a walking robot.
The EMF Explorer Badge is an electromagnetic field sensing circuit that lets you listen to the world of hidden electromagnetic frequencies around you. Learn more about the electronics world by exploring the sounds they make! The EMF badge also serves as a piece of wearable art and can be worn on a lanyard for extra bling.
You know those people that take a balloon, inflate it and after some twisting, turning, and some squeaky noises they end up with a balloon creature?
You could be one!
Because balloon folding isn't that hard, actually.
I have the balloons, instructions and will actually try to teach during this workshop as well.
If you are an adult and know how to do this, I could sure use some help to survive the chaos ;)
Languages spoken: Dutch, English
Spoken poorly: German
Barely spoken: French
Quantum cryptography is unbreakable in principle, but its real implementations have vulnerabilities arising from equipment imperfections. Certification standards [1] and accredited labs are being established that can test commercial products for these flaws. I explain how we have analysed a commercial quantum key distribution system for loopholes, patched them, and designed tests for the certification lab [2]. I show some attacks, countermeasures, and the testbenches in this lab.
We developed an open-source low-field MRI and got the clinical certification started! The aim is to create a reference technology for healthcare – which comes with its own complex questions.
PLOT4AI 2.0 is a pioneering open source AI threat modeling tool that provides a structured, lifecycle-based approach to AI risk identification. With over 100 AI-specific risk sources across eight categories, it aligns with the EU AI Act and supports trustworthy AI development and deployment. In this talk, the author will present the story of this internationally recognized tool, first published in 2022, and will introduce its new, expanded 2.0 version. More info @ https://plot4.ai/
AI is everywhere and where it isn't today, it most likely will be tomorrow. But jumping on the hype train and adding AI often does not sufficiently consider security. This talk walks you through cases of AI failures, how they've come about, and how they could have been avoided. We're also going over some projections of spectacular AI failures we're likely to see going forward.
Birdsong is all around us, but is there a deeper meaning? Can computer analysis help us decipher these hidden patterns in our own backyards? This talk charts my journey exploring the world of open source projects for bird (and bat!) audio identification, some of the systems I've operated, and the data art pieces I've created from the results. From the science of migration, to machine learning models and data visualization, to bioethics, there's something for every hacker to be inspired by.
Learn Arduino and electronics using TV-B-Gone as an example project
You've probably heard lots about Arduino. But if you don't know what it is, or how you can use it to do all sorts of cool things, then this fun and easy workshop is for you. As an example project, we'll be creating a TV-B-Gone remote control out of an Arduino you can take home with you.
Build up for the NPO 1 radioshow Dijkstra & Evenblij - Ter Plekke from 14:00 - 19:00.
Nothing to do here at that moment.
Challenge the Cyber is a foundation that actively fosters security skills in young hackers (<25 y). In this talk a couple of our (former) participants will share their experience and talk about the varieties of events that the foundation runs throughout the year and how you can prepare and participate. This includes the yearly CTF, a Cyber bootcamp, recurring training events with CTF team Superflat and the participation at the European Cybersecurity Challenge.
Fruit machines are everywhere.....and they contain cash. This is a talk about the efforts people go to to steal cash from the machines, and what can go wrong when the engineers creating them make mistakes.
The Dutch parliamentary (Tweede Kamer) elections are coming up and the digital issues are on the table. What should the next cabinet do in the areas of cyber security, AI, privacy and digital autonomy? Which choices are really necessary, and who dares to make them?
In this WHY2025 session, we aim to explore advanced forensic recovery techniques for Synology Disk Station Manager (DSM). We’ll analyze how DSM handles data at the system/OS level, uncover hidden artifacts, and leverage undocumented features crucial to digital forensics. Our findings, detailed in an accompanying whitepaper, guide attendees through best practices and highlight previously unknown methods for evidence collection.
So you have a new microcontroller, how do you get started programming it?
This is going to be the talk I wished already existed when I first got into microcontroller programming.
The European electricity network has become a ‘smart grid.’ This offers many opportunities for sustainability but also makes our energy system more vulnerable to digital attacks. DIVD has been conducting research into vulnerabilities in charging stations, solar panel inverters, home batteries, and Energy Management Systems. In this talk, we will demonstrate how we could have generated power outages using these zero-days and how we prevent this by disclosing them responsibly.
To understand the inner workings of Kubernetes and to prepare for the K8s certification exams, I decided to create a K8s cluster from scratch, the hard way, on premises (“de meterkast”) on virtual machines all using Alpine Linux. This talk is how I tried to do it, how I succeeded, failed and added a CEPH cluster and ETCD cluster along the way. It includes a lot of technical details, but if there is one thing that you should learn during this talk, it’s not about K8s at all: Containers are not VM
Pianist, Film Composer and Multi-Instrumentalist from The Netherlands.
He spends his time between a church in Holland and an apartment in Paris.
It is well known that humans are the weakest link in information security.
Social engineering has emerged as a means to influence and manipulate individuals to achieve desired outcomes. In this presentation, we delve into the realm of social engineering, exploring the art of behavior alteration, manipulation and persuasive communication.
ORMs and/or developers don't understand databases, transactions, or concurrency.
Building entrance systems for prisons, hospitals and TV studios should be secure. But is this really the case?
After "Knock knock who's there 1.0" at MCH2022, we will again look at some high-tech lockpicking, this time at more sensitive locations. The responsible disclosure is a tale of its own! And why exactly is a 3-letter agency in the US interested in the disclosure?
I developed a 100% open-source (Quad core A7, 512MB RAM) Linux-enabled Flipper module for WiFi pentesting and ethical hacking!
Game randomizers can breathe fresh air into your favorite video games by changing where things are, what enemies you fight, or even what the win conditions are. But how do they work? Let's embrace chaos and learn about them!
A Domain-Specific Language is a computer language that’s made and suitable for a specific domain — dûh. But what happens when that domain is inhabited and operated by people that are – gasp! – not developers?! This is when a DSL has the opportunity to shine, and even outshine generic AI.
It started with a simple idea in 2016: make the state of security of our government transparent/public. The simple idea has become national government policy. Using transparency we've helped fix tons of security issues, reduced costs and increased control over IT. This year we've rolled out in Belgium and started measuring accessibility of websites in the same fashion. Learn how we've achieved extreme impact with a minimal budget and keep on doing so. Security and accessibility must be commodities.
IPv6 has been talked about a lot for a very long time. It never really caught on... or did it? Where are we right now? What can you do about it?
You’ve released your code under a free license, but your project runs on proprietary platforms like Slack, GitHub, Notion, or Zoom. What’s the harm? In this talk, we’ll explore how relying on closed tools contradicts open source values, excludes contributors, locks your community into corporate ecosystems, and drives away idealistic contributors who care deeply about freedom. We’ll also tackle common justifications, like convenience or popularity, and show how they often mask deeper trade-offs.
Knitting Our Internet is an interactive journey through the history of the Internet, and a collective rethinking of its future.
The activity consists of a face-to-face workshop, providing tangible and simple examples about how the Internet works, simultaneously questioning the very essence of today’s mainstream social networks. Its main purpose is to expose the critical limits of surveillance capitalism, centralization, and its environmental impact.
Any even remotely advanced task on unixoid systems will inevitably lead to an encounter with one of the system's oldest components: the shell. An ancient artefact that is in equal parts feared, mystified, or possibly even glorified.
A trip down memory lane to the Dutch hacking scene 35 years ago, talking about black hat and white hat hackers, emerging laws and hackers abroad.
Warning: This is in Dutch
Frank Evenblij and Els Knaapen (standing in for Erik Dijkstra) review the news of the past week. They do this from a location somewhere in the Netherlands that has been in the news. With live guests, various sections and surprising topics.
A brief retrospective over the past 16 years of organized voluntary repair initiatives and a look at the breakthroughs for the right to repair movement
Love reverse engineering? You'd be right since you always find something interesting! In this talk we're going to study absolutely every byte of the DNA source of a real bacterium. And in doing so, we'll find bootstrapping code, genes, duplicate genes, anti-viral defense mechanisms, idiomatic/non-idiomatic/borrowed code & much more. It helps if you've also visited the companion talk on DNA, but this presentation is broadly accessible even without prior knowledge.
An open invite rope jam for people with an interest in Shibari or those who attended our previous workshops. You're welcome to tie, be tied, switch or just observe. This is an 18+ workshop. Bring blanket & rope if you have it.
Ambrassband, short for Antifascistische Militante Brassband, is a twelve-piece collective rooted in Antwerp’s squatter and punk scenes. Founded by Gregor Engelen (also of Antwerp Gipsy-Ska Orchestra), the group mixes Balkan gypsy music, klezmer, and punk energy into a politically charged whirlwind of sound.
Lightning talks are a 5 to 10 minute quick talk on an interesting subject. They can be with or without slides, and with or without proper preparation. If you weren't accepted in the main CfP, this is also a great opportunity to give an abridged version of your talk. These sessions will be available to sign up to later on, with details on the wiki: https://wiki.why2025.org/Lightning_Talks
During the first Pwn2Own Automotive, organised by ZDI in Tokyo in January 2024, Computest Sector 7 successfully demonstrated exploits for vulnerabilities in three different EV-chargers. All three could be exploited to execute arbitrary code on the charger, with the only prerequisite being to be close enough to connect over Bluetooth.
Why limit yourself to Ethernet and Wi-Fi when every wire in your house can carry packets? This talk explores alternative physical networking technologies that exist but are often overlooked. From Powerline Networking (HomePlug AV/AV2) to MoCA over coaxial cables, we’ll dive into how these systems work, their encryption and security models, known exploits, and the inherent risks of non-switched cable mediums.
Passkeys are a new way to log in without passwords. They solve a lot of the traditional security risks associated with passwords. But passkeys are only secure if implemented well. When implemented incorrectly, they lead to new attack vectors that hackers can exploit.
Things are broken and they dance around. Which things and how broken they are in security? We've been fixing cyber for years, but there are more and more issues, more ways to break things. Come to this interactive session and share what frustrates you the most about security.
Digital money everywhere, all the time, all at once... isn't it getting a little boring? In this talk you will learn how GNU Taler, a privacy-focused payment system, leverages the properties of digital tokens and blind signatures to enable a wide array of use cases such as discount coupons, subscriptions, and tax-deductible donation receipts; all while preserving untraceability in customer-to-merchant transactions.
The classic Jeopardy! format, but now with hacker answers... can you give the right questions to them? You can join as a team or enjoy it from the audience!
So, it is 2025 and mailservers are increasingly being replaced by cloud-based solutions, which promise to be easy and secure... But what if you can just do it yourself? Hosting your private message server and applying common modern mailserver security practices on your own? This talk wants to introduce a few common software solutions and introduce multiple techniques from an operator's toolbox.
Prins S. en De Geit is one of the most exciting acts in the Dutch music scene today. This trio from The Hague — fronted by Scott Beekhuizen, with Marne Miesen on bass and Daniel Ortgiess producing — creates infectious electro-punk-pop with sharp lyrics and unrestrained energy.
Smart devices are deeply embedded in the physical world—they can see, hear, and control things around us, often with zero real limits. When they’re hacked, it’s not just your data on the line—it’s your safety, privacy, and environment. In this talk, I’ll share some new ideas for putting a layer of access control between these devices and the real world, so we stop giving them a blank check.
Zero Trust (ZT) is a security paradigm gaining traction and popularity.
In the talk I will show how ZT is the progression of many security ideas that you may already be familiar with, and how you can rebrand and review what you are already doing to show that you are making progress.
The WHY2025 Capture the Flag competition (CTF) has multiple lockpicking challenges as part of the CTF. Successfully picking these locks gives you one of the flags. To be able to create a solid CTF challenge out of an ordinary lock we had to come up with some kind of solution. We used our past experiences in CTFs as inspiration to see how we could do it better. This talk shows the concepts we came up with and which are currently used in the WHY2025 CTF.
Artist and His Sustainable Pyro-Musical Orchestra
Since the days of the cavemen, fire and lightning have fascinated humanity as top entertainment. Now, Deventer-based artist Uwe Dobberstein harnesses these primal forces to create musical symphonies. His mind-blowing live shows feature crackling Tesla coils, towering flames, and explosive bursts—all coming together in harmonies and rhythmic patterns. Symphony of Fire tames nature itself.
A young man finds a back door into a military central computer in which reality is confused with game-playing, possibly starting World War III.
Fuzzing is one of the most effective ways to find elusive software vulnerabilities. Despite years of research, general purpose fuzzers such as AFL++ and libFuzzer struggle to mutate complex data structures effectively, preventing them from exploring deep functionality. Grammar fuzzing, an alternative fuzzing strategy, is much more effective but complex to set up and run. Autarkie abstracts away all complexity and surpasses all other grammar fuzzers in performance while offering novel features.
The need for digital sovereignty has always been great, but now there is an autocrat in the White House that is fighting everything he deems “Woke”. This renders USA Big Tech that is run by billionaires that have sworn loyalty to this new King unsuitable for use in education. In this presentation we'll present the WHY for the FOSS stack for schools, our plan how to get there, and the progress we have made so far on our pilot schools.
In my lecture I want to address the consequences of a new way of working within Europe in which we set societal and legal standards. The recent standardization process of the EU AI Act shows that standards are transforming from voluntary guidelines to legal instruments. This standardization is accompanied by a greater awareness of the possibilities of AI techniques.
This development raises questions about democratic governance and the constitutional balance within the European legislative framew
We use it every day, but how does it really work? USB has been around for almost 30 years and it has evolved into a really universal interface that has even extended from the world of computers into the world of extra low voltage electric distribution. In this talk, I will present the basic ideas of the interface with a focus on the physical layer.
ZenDiS, the Zentrum Digitale Souveränität in Germany, is at the forefront of loosening the grip the US tech industry (and, via the CLOUD Act, the US government) has over the European governments by providing open source solutions for the public sector. Do we do it alone? No! The French and the Dutch governments are also on board and we welcome more countries into our fold!
When embedded into JavaScript, WebAssembly modules can be "sandboxed" by defining a limited set of imports. It turns out that an obscure "feature" allows us to craft an exploit which bypasses this barrier, enabling us to run arbitrary JavaScript code from within a malicious WASM module. All within spec... by accident?
RAdio-frequency Detection And Ranging (RADAR) aims at using electromagnetic signals for detecting target location and motion. We demonstrate in this talk various RADAR architectures using dual-channel coherent Software Defined Radio (SDR) receivers and the associated signal processing techniques relying heavily on cross-correlations. Embedded systems are tackled, with a Raspberry Pi providing enough computational power for recording and post-processing.
The story of the Weakpass project, from its origins to its evolution and impact. It will showcase practical use cases and tools built around Weakpass, focusing on applications like password cracking and testing.
In this 90 min workshop, you will build and test your own propane flamethrower. You can buy a kit from us or bring your own parts. We will use a tried-and-tested design. We will start with the theory and principles behind propane flame effects, followed by how to play safely with big flames. The second part is the guided, hands-on, step-by-step process of building your own. At the end, we will test the flamethrowers in a nearby area.
WHY2025 is the 10th edition of this series of events! Time for a history lesson!
An insight into the events leading up to and during the fight to preserve XS4ALL in 2019
Serendiep is a 42m inland cargo barge with a theatre, a fablab and an art/science labyrinth on board. It's being converted to electric propulsion using second hand EV parts and hardware from openinverter. The ultimate goal is to harvest all the energy needed from solar panels mounted on the hatches covering the cargo hold.
Ever received a phishing simulation so painfully obvious it offended your intelligence? This talk is for you.
Join us as we turn the tables on corporate security theater and show how you can phish back, with humor, skill, and plausible deniability. Learn how to fingerprint your company’s phishing campaigns, spoof the spoofers, and maybe even get your CISO to click a link labeled “Definitely Not Malware.exe.”
This talk is part satire, part technical walkthrough, and all rebellion.
Pwn2Own Ireland added a new target in the smarthome category: the Aeotec Smart Hub. We assumed this target would be an easy win. However, getting the firmware of this device turned out to be a lot harder than anticipated. First, we had to modify the board to dump the encrypted flash. Then, we abused a secure boot flaw to get the decryption key. This process took so long, we had no time left to look for vulnerabilities, but our approach may be interesting for others looking at similar targets.
The most common configurations seen in scanning domain names with Internet.nl, e.g. those found in biannual governmental measurements.
AI is ubiquitous. Where it isn't now, it will probably be soon, in software and operating systems. More often the usage guidelines are also unilaterally changed to companies utilising our data to train their models. While I've previously focused on building safer AI, now I also teach people how to hack them and build playgrounds for people to experiment. In this workshop I bring my hackable AI apps for people to play around with and hack so we may all learn new and necessary skills. Come play!
By 2025, an estimated 1.1 billion women globally will enter menopause, a natural, but misunderstood phase of life. This talk will address the stigma, myths, and misinformation surrounding menopause, focusing on the mental, physical, social, and economic challenges women face. It will also explore the struggles of LGBTQ+ individuals, often overlooked in discussions. The goal is to close the knowledge gap, empower women to advocate for their health, and foster a culture of support and inclusivity.
Are you between 8 and 14 years old and do you want to learn how to use technology to build your own smart home, burglar alarm or weather station? Then this CoderDojo workshop is just the thing for you!
During this workshop you will get to work with Codecraft, a block-based programming language (like Scratch, but more powerful!). With it you program an Arduino microcontroller and connect all kinds of Seeed Grove sensors to measure the temperature or detect burglars.
For a good decade now, containerisation has been a popular solution: Addressing issues such as security, fault tolerance, and scalability, it has turned into a mainstay in IT. Though with a technology that ubiquitous, it does deserve investigation whether it has been put to good use or rather pressed into service.
Start your Monday right with the Jane Blondas WORK-OUT Show. Inspired by the iconic workout craze of the 1980s, this performance invites you to dance, sweat, and shine on the festival floor. Expect high energy, surprises, and plenty of audience participation.
TETRA is a European standard for trunked radio used globally by police, military and civilian parties alike. In the past, we already published the hitherto secret inner workings of TETRA and several of its severe security issues.
We're now back to discuss the last crucial part of TETRA security - its optional (and costly) end-to-end encryption, reserved for the most sensitive use cases. We'll discuss in detail how we obtained and analyzed those elusive algorithms, and what we found.
Through a personal journey of self-discovery and experimentation, I share my experiences with managing my online presence in a way that prioritises data protection and show how to leverage threat modelling, the GDPR and other tools to take control over your digital footprint.
Adversary-in-the-Middle (AiTM) phishing kits have matured into full-service SaaS platforms. This talk dives into the infrastructure, control panels, and sellers behind modern AiTM attacks. From Dockerized environments to Telegram bot-based UIs, we unpack how these platforms operate, scale, and monetize. We also highlight how this SaaS model is spreading. Expect a technical walkthrough of the ecosystem fueling today’s phishing economy.
I (hopefully) will have cycled from my home city of Mannheim all the way to the WHY camping grounds (>500km) in one go.
I will report how I approached the whole endeavour, how I prepared, what the challenges were and what the hard part was.
If I happen to not make it, I will describe how, why and what I should have done better.
Placeholder for WHY2025 Infrastructure Review... various *OC teams will present about the infrastructure they have built for WHY2025.
At least Team:NOC will join; previously also Team:Nuts (Power), Team:POC and Team:VOC have joined.
You want to learn more about Linux permissions? This is the talk for you. Let's learn about the basic UID/GID concepts in Linux and expand into more complex ACLs. Then escalating on the "everything-is-a-file" concept and applying the learned security logic onto program behavior using SELinux or AppArmor.
Over the past few years, I’ve been casually poking around and stumbling upon exposed data and insecure infrastructure all across the telco ecosystem. From unsecured debug portals to full backend access, the leaks themselves might seem technically boring.
In this talk, I’ll walk through a handful of real-world cases, showing how misconfigurations, sloppy code, and forgotten interfaces can lead to serious exposures.
In a world of relentless cyber-threats, MIAUW (Methodology for Information Security Assessment with Audit Value) turns every pentest into a high-impact, traceable mission. This session reveals how its storyline-driven playbook fuses technical exploitation, legal rigor and forensic reporting into a reusable blueprint that regulators love and attackers fear. Expect war-stories, live-demo snippets, and a roadmap to weaponize compliance while clawing back control over risk.
In 2017 (just before SHA2017) the Dutch healthcare sector came together to create Stichting Z-CERT, the Zorg Computer Emergency Response Team. A nonprofit to protect and advise the Dutch Healthcare sector. What started as a small startup has now grown into a scaleup with the ambitions to match.
A lot has changed in the 3 years since the last talk about Z-CERT. In this talk we will:
- Tell who we are
- Show what we do
- Give a little peek behind the curtain at how we do that
live-bootstrap is a worthy attempt to provide a reproducible, automatic, complete end-to-end bootstrap from a minimal number of binary seeds to a supported fully functioning operating system. Although it starts with a minimal binary seed of only 280 bytes, it also depends on a lot of other sources. What are those sources exactly and how can we review these to make sure that live-bootstrap can be trusted?
My experience of contributing to an open-source project for the first time and the juicy details (maths) of the geometry of the Sferical lamps (the ones that hang in Heaven / Silent Lounge)
Learn how to build end-to-end encrypted social apps including the newly released Bitchat using Nostr and MLS (Messaging Layer Security). We'll go from Nostr basics through to encrypted groups, explore the open source libraries and apps already in production, and show how to build your own. Includes live coding demonstrating how to create secure, private social tools that actually scale. You'll leave knowing how to build real e2e apps using tested, working tools.
It's hard for a platform to have meaningful, useful ratings/reviews without both substantially Knowing Your Customer, engineering to detect manipulated reviews, and responding in a nuanced way -- to increase a fraudster's costs, and not just train them to hide better. Lots of examples of diverse platforms not doing a very good job of this. (I'll also talk about how this knowledge sometimes leads platforms to try to manipulate their own customers to maximize their sales).
During this talk we look at hardware and firmware reverse engineering, but also at corporate intimidation tactics and how to respond ethically as a security researcher.
Leveraging the hard-coded AES keys, outdated software, and lots and lots of custom code we found, we were able to install "custom code" on some phones and access global customer configuration data by exploiting Yealink's global cloud provisioning service (RPS).
In 2017 a large corporation announced that they wanted to build a € 50 million theme park in a small forest that I had known from my childhood, thus replacing the future of our children with simple entertainment. An overwhelming feeling of injustice came over us. We created a plan, and we stuck to it. We drew a line in the sand.
Fatalism can be your greatest enemy, but it doesn’t have to be. Welcome to the rebellion.
In a professional team, you might consider yourself a bass player: you keep the music flowing, try to be not too obvious, but all the time making sure that everyone can play their part. Within the realm of IT, there is a great number of bass players. They carry the music for all organizations. There is great power in this role, and as we all know: with great power comes great responsibility. In this presentation, we will be looking into the ethics of bass playing.
You've maybe seen the raking robot that got a CEH (Certified Estetisch Harker) certificate, the Telex linked to Twitter/Telegram or the ASCII photo booth. They are all made by me. If this talk gets accepted I will do a deep dive on these three contraptions and what I learned building them.
Transient execution CPU vulnerabilities, like Spectre, have been making headlines since 2018. However, their most common critique is that these types of vulnerabilities are not really practical. Even though it is cool to leak /etc/shadow with a CPU bug, it has limited real-world impact. In this talk, we take Spectre out for a walk and let it see the clouds, by leaking memory across virtual machine boundaries at a public cloud provider, bypassing mitigations against these types of attacks.
TRIGGRRD is an improvisational collective pushing the boundaries of beats and bass. Every show is unique, built on raw energy and spontaneous creativity. Expect unpredictability, exploration, and a live experience that evolves moment by moment.
This talk will enable you to lead architecture conversations and discuss their security options through an informal diagramming technique. I will use examples such as key/encryption architectures, DevOps, and even your home music system.
Modern software development and operations rely heavily on third-party applications, libraries, containers etc.
This presentation will showcase how dev, ops, but also security management can be transparent about dependency versioning and known vulnerabilities, while also staying on track with updates.
It will show demos of Open Source Standards like SBOM and Frameworks like Dependency-Check, Dependency-Track and Renovate that can help automate the sadness of today's supply chain issues.
This talk introduces participants to the Bosch BMI270 (inertial sensor) and BME690 (environmental sensor) on the WHY2025 Hackathon Badge. After a brief overview of MEMS technology and how these tiny sensors are made and used, we’ll dive into a hands-on session showing how to read sensor data using MicroPython — so you can start experimenting right away.
The Light and Music entertainment platform Lightupyourbanjo began in 2010 when “Cash-a-billy with a Bluegrass bite” band Ed and the Fretmen wanted to have better lights on their banjo. They developed banjo lights with addressable LEDs for in and outside mounting showing interactive animations, written in C++ supporting the songs, and wrote songs to support the lights. In 2025 the Lightupyourbanjo bands will be fighting the darkness with the new O4 model built into their 3 banjos.
Afturmath closes the live music program with an immersive journey of sound and light. Combining modular synthesizers, lasers, and abstract video synthesis, Afturmath crafts dense, evolving sonic landscapes that invite you to lose yourself in the experience.
Learn how to program and light up LED strips.
It's super easy and fun to make your life trippy and beautiful.
For total beginners.
Make your life trippy and beautiful!
Our digital communities are controlled by corporate platforms that surveil, manipulate, and arbitrarily deplatform us. We need a Bill of Digital Rights—ensuring privacy, ownership, algorithmic control, and self-governance. This talk lays out the Four Freedoms for Social Media and how open protocols like ATProtocol, ActivityPub, and Nostr make them possible. The future of social media must serve communities, not corporations—and we must demand it.
I used CircuitPython (but could have also used MicroPython as well, so this is not about A vs. B) to implement various smart-home related projects. I will present some of my projects and also dive into what Python has to offer for (personal, not corporate-style) embedded devices (and the development process).
TIC-80 fantasy console Byte Jam is a friendly competition to livecode a demo in a relaxed atmosphere.
Each night concludes with a Silent Disco in the Party Area. DJs Luna and Julian will keep the dancefloor alive into the early hours, pick up your headphones and choose your channel.
A troubled child summons the courage to help a friendly alien escape from Earth and return to his home planet.
As everybody knows, "L" in IoT stands for long-term support.
I'll take you on a tour of my technical adventure where I revived an abandoned IoT "AI" translator and gave it a new life, 2025-style.
Through deciphering peculiar protocols and formats, reverse engineering firmware and software and doing the necessary research to write new software, we'll see how curiosity and persistence can help you overcome the most obscure technical challenges.
INgrid = Energy Recycling company (Energie Maatschappij)
We got a bunch (about 20) of old solar panels lying around.
Also batteries and all the stuff needed to run a super small kitchen (if sunny)
We also have a hometrainer that supplies energy.
The workshop will be about finding ways to still use all this Energy, which was all state of the art only 10 years ago, and is now already garbage/trash/worthless????
Wikipedia tells us that low-background steel is steel produced before the detonation of the first nuclear bombs. Yep, you guessed it, this is a talk about Large Language Models. LLM outputs have quickly spread like radionuclides, threatening everything from the scientific record to the existence of the Internet as we know it. In this talk I'll discuss practical small web approaches that we can use to build a new Internet that doesn't suck quite so badly. There will also be memes ;-)
A team of Dutch scientists and cloud engineers is working on Ecofed: European Cloud Services in an Open Federated Ecosystem. The objective and scope of the ECOFED project are to develop a technical framework for a more open and integrated cloud usage model. This framework will enable multiple clouds from various providers to function as a single, cohesive system, offering a European alternative to hyperscaler clouds. In this open cloud ecosystem, users can easily switch between different clouds.
Rust is an up-and-coming, safe and performant programming language with some very funky, novel features. Learn about Rust and write your first simple Rust program.
Experiences from a hacker working at the Election Council of The Netherlands.
Are you interested in maps? Are you searching for a FLOSS mapping navigation? Do you need geodata? Do you need a map on your site? Do you want to help creating maps from your local environment or from vulnerable places? Then, you have come to the right talk! This talk gives a broad overview of OpenStreetMap, the community and how to get started with it.
This talk hopes to provide listeners with insights into the historical background & current state of scientific understanding of the biological & psychological basics of how psychedelics affect human brains. An outlook of where the 'renaissance of psychedelic science' may take humankind will further be connected to the current state of psychiatric drug approvals & clinical research. This talk will attempt to address every level, from those with no prior experience to seasoned psychonauts.
What happens when an attacker controls time on a Linux system? This talk looks at how system clocks work, and what breaks when they’re manipulated. From bypassing delays to triggering subtle logic errors, we’ll explore how unstable time can subvert assumptions, break security controls, and cause software to behave in unexpected or unsafe ways.
This talk will take you along with a deep dive on how the internet works at its core and how you can participate yourself. You'll learn all about BGP, AS numbers, IP prefixes and more.
This is NOT an introductory talk about ISMS (Information-Security-Management)! It is about my experiences and reflections about real-life issues when deploying an ISMS. There will be a section dedicated to 'hacking' an ISMS, though.
The presumed audiences are:
- individuals working in the realm of IS-/IT-security management
- hackers working in environments that expose them to ISMS-related TODOs (I'll try to put these things into context!)
- anyone trying to understand this ISMS-nonsense
How do you scale up victim notifications from a couple of hundred, to thousands, to millions, to billions of stolen credentials?
The Dutch Electoral Council builds its new software-to-be, with a small in-house team, open source and in public. We call her Abacus. In this talk we'll go in depth on the technical and management side of our project. We invite you to join and check out our work! Our talk contains actual code written in Rust.
Zero Trust (ZT) has evolved from pure network access to hype. ZT Everywhere has become a buzzword. If you ask about it during product presentations, the sales person sometimes runs out of the meeting.
After some internal evaluation and a journalist's inquiry on the possibility of Chinese state actors having access to camera footage, the Municipality of The Hague decided to do a security test focused on an APT threat on their traffic camera infrastructure. During the session we will show how the team approached this project, how some of the cinematic scenarios of causing traffic jams and using the cameras for espionage were possible in real life and what lessons were learned from the project.
The goodbye and look back on the camp. The thank you, the funny stories. All of them.