talks and workshops

Reading Minds with Natural Language Processing

Elliott Ash

Interdisciplinary - Talk (30 min)

16.10.2021, 10:30 - 11:10 in D1.2

Summary

This talk will introduce some recent lines of research in social science that apply natural language processing to analyze beliefs and attitudes using observational data. When do politicians use more emotion, rather than logic, in their rhetoric? When do judges use notions of economic efficiency, rather than fairness or justice, in their written opinions? What can language tell us about political views or social attitudes?

Founding a startup after ETH

A journey into entrepreneurship

Thomas Schulz

Entrepreneurship - Extended talk (45 min)

16.10.2021, 11:20 - 12:15 in E1.2

Summary

Founding a startup after ETH can be both very fulfilling and challenging. How do you go about finding an idea? How do you find early adopters to test your idea with? In this session, Thomas will tell you about his journey after ETH as a co-founder of CareerFairy and the daily challenges in scaling a startup from Zurich to the world.

How to create an online-marketplace with sustainably high margins?

Example of marketplaces: job-offerings, used-cars, friends, apartment/houses, hotel-rooms, arts, furniture, ...

Willy Bischofberger

Entrepreneurship - Extended talk (45 min)

16.10.2021, 12:40 - 13:35 in E1.1

Summary

This presentation will answer the following questions:
+ What makes a marketplace attractive?
+ Marketplaces for which product/service are missing in the market?
+ How to break up an existing marketplace?
+ How to handle the initial population problem?
+ How to overcome the circumvention problem?

Description

Creating an online-marketplace means bringing together suppliers and customers (B2B, B2C or C2C). The leader in a marketplace typically enjoys sustainably high margins because of its natural monopoly position. There is still room for many more marketplaces. There are, however, many pitfalls. Let's talk about how to overcome them.

Passwords - a trigger topic

Katja Dörlemann

Security - Extended talk (45 min)

16.10.2021, 11:20 - 12:15 in D1.2

Summary

Passwords are a tiresome topic: they need to be complex, long, unique... Most of us are overwhelmed by this and react with annoyance and indifference to recommendations from security experts. Who can blame us? Nevertheless, passwords are extremely important for the protection of our data. In our lecture, we will get to the bottom of the "password" phenomenon and shed light on its development in the past, its relevance in the present and its blurry future.

Description

Passwords have always played an important role in protecting our data - probably even the most important one. For most of us, the (working) day begins with entering a password to unlock the computer. But that's just the beginning. For all our online accounts, we need a password as well: email, online shops, social media, etc. Passwords protect our data and information on computers, mobile phones and any online platform from unauthorised access. Of course, platform providers, software manufacturers and the like also protect us duly and with the latest security technology. However, even the best measures are worthless as soon as our password falls into the wrong hands. The world of cybercrime has therefore long been focusing more and more on capturing our login data. The presentation will get to the bottom of the password phenomenon and shed light on its development in the past, its relevance in the present and its blurry future.

How are climate change and computer sciences related?

What lessons from our fight against climate change are relevant for the future of computer sciences?

James Heim

Interdisciplinary - Extended talk (45 min)

16.10.2021, 12:40 - 13:35 in D1.2

Summary

In the fight against global warming we are also dealing with various fundamental questions which are not expressions of climate change per se. Rather, they are inherent to a technological development carried out faster and more broadly than we are capable of managing. How can we advance our capabilities in computer sciences without making the same basic mistakes as we did with the use of fossil fuels?

Description

Climate change, as well as other key phenomena of our modern times such as strong population growth, erosion of privacy or overfishing of the oceans, is an unintended consequence of the way we have been inventing and using technology. From a basic and sober point of view one can observe that both climate change and modern computer sciences are manifestations of humanity's fast and broad technological development. In the fight against global warming we are also dealing with fundamental questions such as "how?", "how much?" or "how fast?". Basic questions like these are not expressions of climate change per se, but are rather inherent to a technological development carried out faster and more broadly than we can manage. In other words: we are gaining new capabilities quicker than we are gaining the abilities to deal with them. This basic and continually growing mismatch also pertains to computer sciences. Therefore, the fundamental questions connected to climate change are also relevant for computer sciences. How can we advance our capabilities in computer sciences without making the same basic mistakes as we did with the use of fossil fuels?

Network Analytics with Big Data at Swisscom

Bringing much needed visibility into Networks for a closed Loop Operation

Thomas Graf

Eduard Bachmakov

Marco Tollini

Computer Science - Workshop (3h)

16.10.2021, 13:00 - 16:00 in D3.1

Summary

IP networks are the nerve systems of today's society. We as customers depend on them. Swisscom carries a heavy burden to ensure that its networks are ready to connect whenever we need them. Network Analytics is the key to enabling visibility and increasing uptime and reliability by creating a digital twin for a closed loop operation. Within this workshop we explore the network from a Network Analytics perspective by looking into the raw collected network data, and demonstrate how this data can be collected at large scale, processed, correlated, presented and visualized for humans, and consumed by machine learning for anomaly detection. This workshop will give you as a student access to Swisscom's Network Analytics IETF interoperability lab, where you learn and play with the data on the very latest code.

Description

IETF means innovation and collaboration at the same time. Swisscom is active in the GROW, NETCONF and OPSAWG working groups. There we do research together with universities, network operators and vendors to bring Network Analytics to the next level. In this context we reach out to new young talents interested in mastering this discipline, to continue transforming this industry from device monitoring to network monitoring. Our challenge. Your chance to make a difference.

Networks are not designed for Big Data. Quite the opposite. 30-40 years ago, memory and computing power were scarce. The goal was to have only the minimum amount of information on each node in the network. Therefore, by default no information is exposed. We needed to query the nodes, and even then, they only have some basic metrics about themselves. CLI and small data, plain text, are made for humans. APIs and Big Data are made for software. With millions of routes in thousands of routing contexts and ten thousand route-policies, predicting high availability is almost impossible for humans with a CLI. IETF, the standardization body of the Internet, understood that network monitoring and network orchestration need to become one: NETCONF and RESTCONF as the API, YANG as the data modelling language.

The Road to Fair Machine Learning Models

Is it possible to create machine learning models that always treat people fairly? And how can we convince the public that we use fair models?

Christoph Bräunlich

Interdisciplinary - Talk (30 min)

16.10.2021, 12:40 - 13:35 in E1.2

Summary

With the rise of AI, a growing part of the population is afraid of the effects a highly automated world will have on individuals. Sometimes the fears are utopian, but many people have very good reasons for their concerns. Christoph Bräunlich, AI/ML specialist at BSI and member of the board of directors at SWISS INSIGHTS, will give examples of unfair models and how they can be modified to become fair. Furthermore, he will present the ongoing work on the Data Fairness Label of SWISS INSIGHTS.

Description

A rider (a person who delivers goods by bike) has a bad day: She has a flat tire and gets a poor rating for the delivery. Therefore, the machine learning model gives a penalty for the delay. Maybe a second unfortunate event happens, hence the rider gets a lower salary and cannot stay in the job anymore: In an extreme case an unfair model can destroy an existence. Is it possible to always look at all the relevant factors of an ML model? Do we, as developers, get enough time in a business-driven world to think about the consequences? Christoph will talk about the daily work of an ML engineer, the different factors that influence the decision making behind the models, and how the working conditions of an ML engineer can lead to fairer models. As a tool to support data scientists and ML engineers, and as a means to spread fair data and models, he will present the Data Fairness Label of SWISS INSIGHTS, which is the only label with that concern currently available in Switzerland.

A way to avoid handshakes

Another day in maintenance hell. How to keep away from tight coupling in your software?

Maciej Jedrzejewski

Computer Science - Extended talk (45 min)

16.10.2021, 15:25 - 16:20 in E1.2

Summary

When implementing a project we must always think about the consequences of our choices. Whenever we decide to go with tight coupling between elements in our software, there is a need to think about the future: what if we need to scale? What if our project grows? All in all, it is all about the final success. Can we achieve it?

Description

Let's start from the end. There is a successful project. It was finished on time and end-users were extremely happy. More and more functionality came with the next releases. The dream has come true. Suddenly, small problems started to appear. Mark - our developer - spotted that it is quite complicated to extend one of the areas. He said that it might affect another module that reuses the problematic one. Within the next months, similar situations occurred. At the end of the year, more and more users started to report bugs. The entire development team tried to fix them - when one was fixed, three others popped up. Each module fix affected another one. Two years later, the project was closed due to the high costs of maintenance. Was it possible to avoid this situation? You will find out during my presentation.

Mixed Reality with Robots

Inviting our robotic counterparts into the world of mixed reality

Patrick Misteli

Computer Science - Extended talk (45 min)

16.10.2021, 12:40 - 13:35 in D7.1

Summary

Augmented reality (AR) is becoming more and more common these days. Whether it's virtually putting the name of a mountain on its peak or showing a Pokemon in your backyard, most people with a smartphone are familiar with the concept of AR by now. This parallel world of augmentation is growing more and more rapidly. With the robotics industry also growing, there is a huge potential in inviting our robotic counterparts into this world of AR. Join us to see how Microsoft is taking on this challenge and let's play fetch with a Boston Dynamics Spot in Mixed Reality.

Build a Handheld Game Console

Solder a game handheld, program it in Python, expand it with electronics

Christian Walther

Radomir Dopieralski

Interdisciplinary - Workshop (3h)

16.10.2021, 16:15 - 19:15 in D3.3

Summary

Become a full-stack game developer! Start by soldering your own pocket-sized console, and then program a game for it with CircuitPython. Then expand the hardware with various sensors and electronic components. Bring a laptop and a micro-USB cable, you will receive all the remaining parts and take them home with you. No prior experience with electronics required.

Description

The PewPew handheld game console was specifically designed as a simple system for learning game programming using Python. In an introduction to soldering, you will first assemble it from a kit. Then we will show you how to connect it to your computer and upload Python code to control its 8×8 pixel LED display and six buttons to create a simple video game. No knowledge of Python is required, but some experience with programming helps. Thanks to its expansion port, the PewPew also lets you experiment with additional electronics. We have a bunch of components for you such as colorful LEDs, knobs, light sensors, speakers, accelerometers – there will only be time to cover a few of them, but you will receive instructions on how to try more at home and make your games more interactive. You will need a laptop (Mac, Windows, Linux), ideally with the Mu editor already installed (it's also fine if you can't install it), and a micro-USB cable (make sure it's not a charging-only cable). All further tools and materials are provided.

Understanding the Brain: Machine Learning meets Neuroscience

Marco Lehmann

Interdisciplinary - Extended talk (45 min)

16.10.2021, 11:20 - 12:15 in D7.1

Summary

Machine Learning and Brain Research are closely related fields: artificial neural networks were inspired by biology, and neuroscience is using machine learning to understand the brain. We start with an overview of the fascinating world of brain research and then explore the intersection between neuroscience and machine learning. By covering a few key results from theoretical neuroscience and from machine learning we point out similarities and differences between the brain and computers.

When hackers do good: The Future of Security Testing

Reto Ischi

Security - Talk (30 min)

16.10.2021, 14:35 - 15:15 in D1.2

Summary

More and more companies are relying on so-called "bug bounties": They challenge hackers from all over the world to break the security of their systems. Whoever finds a vulnerability is richly rewarded, depending on the severity. In his field report, Reto Ischi explains how a bug bounty program works and what he learned while implementing it. Using concrete examples, he shows how hackers can leverage the security mechanisms and thereby make a security product more reliable in the end.

Description

A bug bounty program is a company's official permission to search for bugs and vulnerabilities in its systems or products. Even the US Department of Defense calls for hacking the Pentagon. Reto Ischi reports on his experiences from setting up and running such a Bug Bounty Program. Whoever manages to bypass the protective functions of a web application firewall receives up to $5'000, depending on the severity. The idea for the bounty program came about after a "successful" penetration test: despite high fixed costs, the testers had found no security holes. Many would have seen this as a success, but Reto Ischi, the development team lead of Airlock Gateway, was not satisfied with this result. He set out to find the world's best hackers and found many in Eastern Europe and Asia. They are always finding new ways to trick the WAF, helping to improve the product quickly and continuously. In this talk, you won't just learn how a WAF works. The field report explains how a bug bounty program works and what the challenges were. It is peppered with anecdotes from the everyday life of an application security professional.

What comes after our smartphones? Spatial computing.

Daniel Neubig

Computer Science - Talk (30 min)

16.10.2021, 13:45 - 14:25 in E1.1

Summary

Mobile is already outdated. Instead, spatial computing allows us to interact with real world objects in the surrounding space of the user and rely on context sensitive situations. In this talk, Daniel Neubig will discuss the learnings and challenges we had while bringing new software and an Augmented Reality app to construction sites.

Description

Mobile is already outdated. Instead, combining all the new hype technologies is rapidly transforming the way we think about software: Instead of using an app, we experience smart extensions of everyday objects and interact with voice, gestures and gaze. The autonomous, distributed systems adapt to the current intention of users and provide the relevant information or features. In this talk, Daniel Neubig will show how the combination of various modern approaches merges into a new era: Spatial computing allows us to interact with real world objects in the surrounding space of the user and rely on context sensitive situations. You can use e.g. Augmented Reality glasses or tablets to visualize the virtual content that is bound to a product or to a specific place. Spatial computing solutions are rethinking every aspect of software: how users interact, how software architecture and features are designed, what impact software has on society, and how to remain safe and secure. The talk will discuss the learnings and challenges we had while creating new software for construction sites that uses localization, AI, AR and cloud computing to help all employees communicate more efficiently, always have access to the planning data of the BIM model, and benefit from localization on the 2D plan.

Enterprise Recovery

Helping Organizations Recover From Large-Scale Destructive Cyber Attacks

Frank Walter

Judith Mächler

Security - Talk (30 min)

16.10.2021, 10:30 - 11:10 in D7.1

Summary

Countless organizations across all sectors have been hit by large-scale and destructive cyber attacks, for example involving ransomware. Increasingly sophisticated attacks occur more frequently, and attackers are leveraging capabilities previously only known to nation states. Many of these cases have shown that such cyber attacks can very quickly evolve into 'extreme loss of technology' crisis scenarios for organizations, which are not just a nuisance but actually threaten the very existence of the affected organization. Regular recovery measures typically employed by organizations, such as classical Business Continuity Management and IT Disaster Recovery, have become ineffective in the light of such attacks. In addition, increasing digitization and connectivity are further contributing to a greater attack surface. The common denominator of many of these catastrophic cyber attacks is that the attackers have commercialized their operating model, that they are highly professional, and that they actively seek to disable the attacked organization's defences in order to maximize the attack's impact. In our talk, we will explore how organizations can adapt and improve their ability to recover from such catastrophic cyber attacks by developing an enterprise-wide recovery strategy and plan, preparing along five pillars that are critical to successful 'Enterprise Recovery' following catastrophic cyber attacks.

Achieve 99.999% Service Availability Like a Pro (-■_■)

Benjamin Bürgisser

Jakob Beckmann

Computer Science - Workshop (3h)

16.10.2021, 13:00 - 16:00 in D5.3

Summary

Have you also been wondering how large organizations such as Facebook or Netflix can provide their services to their customers 24 hours per day, 365 days a year, without any crashes and downtimes? Moreover, they manage to do this while software engineering is becoming more complex every day. Many large companies adopt Kubernetes to achieve highly available applications that can dynamically scale based on the needs of the customers. However, these applications and Kubernetes itself need to be monitored in order to ensure their smooth operation and security. During this workshop you will:
- learn what Kubernetes is, and why it has become so popular over the last few years
- understand how to prepare your infrastructure for monitoring applications via metrics
- visualize and manage information about your applications with Grafana, Prometheus, and Cortex
- set up alerting with Alertmanager
- learn how you will operate software in your future job

Public Money? Public Code!

A campaign by the Free Software Foundation Europe

Alexander Pitsch

Interdisciplinary - Talk (30 min)

16.10.2021, 14:35 - 15:15 in D7.1

Summary

Why is software created using taxpayers’ money not released as Free Software?

Description

The goal of the talk is to present the Public Money? Public Code! campaign of the Free Software Foundation Europe. It will quickly recap what free software is, why software procured/developed by the public sector should be released under a free software license and what the recent developments in that area have been in Switzerland.

Digital Identity – next generation

Thomas Grotehen

Security - Talk (30 min)

16.10.2021, 10:30 - 11:10 in E1.2

Summary

"The Internet was built without a way to know who and what you are connecting to. This limits what we can do with it and exposes us to growing dangers. If we do nothing, we will face rapidly proliferating episodes of theft and deception that will cumulatively erode public trust in the Internet." (Kim Cameron, then Microsoft Chief Identity Architect, 2005)

This prognosis has come true in many aspects of today's digital life. Loud calls for more privacy, data minimization, and data avoidance are a reaction to repeated cases of identity misuse and the ever-growing mining of our identity data. Addressing these problems (while still allowing legitimate requirements to be fulfilled) is the promise of the concept of "Self Sovereign Identity (SSI)". The talk will cover:
- the concept and the blockchain-based architecture,
- the potential impact on business and society, as well as
- some real use-cases.

How To Fail

The Human Factor in Real World Data Science Projects

Jonas Dischl

Computer Science - Talk (30 min)

16.10.2021, 14:35 - 15:15 in E1.1

Summary

With the experience of 15 years and over 75 projects in data analytics & AI, I can tell numerous stories of why some projects really failed to reach production stage and create added value. It is not the fanciest algorithm that wins – it is the understanding of common pitfalls and human behaviour/biases on both the data scientist and client side. Let me tell you what I have learned, and do not repeat the same mistakes others have already made for you.

Building Secure Bluetooth IoT Products

Derek Yu

Security - Talk (30 min)

16.10.2021, 14:35 - 15:15 in E1.2

Summary

Bluetooth's pervasive adoption has made it the go-to communication standard in the last mile of many IoT solutions. With the surge of cyberattacks and users' elevated privacy awareness, most vendors recognize IoT security as a critical factor of business success. Based on real-world Bluetooth-based IoT products in the industrial and Medtech sector, we present various security design choices, including authentication, access control, end-to-end encryption, IP protection, and data privacy. We further discuss how vendors make pragmatic decisions based on application-specific constraints, such as user experience, compliance, power efficiency, and ecosystem interoperability.

What's needed to sell 50'000 tickets online in 10 Minutes

Technical and Security design for online Credit Card Transactions

Amelia Zgraggen

Interdisciplinary - Talk (30 min)

16.10.2021, 13:45 - 14:25 in D1.2

Summary

What's needed to sell 50'000 tickets online in 10 Minutes.

Description

Online credit card transactions are growing quickly, especially in this changed Covid-19 world. What are the steps in an online credit card transaction, and how many different players are involved? I will discuss the technical and security concerns for handling and processing credit card transactions, and how we make it easier for card holders to go shopping online safely and securely.

Tracking Ecosystem Trends: Profiling, Microtargeting, Biometric Tracking, Political Manipulation ... Where Do We Stand?

Profiling me, knowing me, manipulating me? A discourse on a tightrope walk between usefulness and ignored risks.

Robert Würgler

Interdisciplinary - Extended talk (45 min)

16.10.2021, 15:25 - 16:20 in D7.1

Summary

When the storming of the US Capitol was reported earlier this year, some media made a vague allusion to microtargeting. Meanwhile, on the other end of the spectrum, marketers talk of an "atomic bomb". They fear that targeting will be made more difficult after one of the world's largest corporations announced that IDFA would soon be opt-in. Some users are probably not aware of tracking and profiling with IDs like IDFA, AAID, and more conventional cookies or fingerprinting. Perhaps they have not yet become cognisant of the "explosives" in their pockets. An "explosive" analogy may raise some questions: What, if any, is the manipulative potential of psychometric targeting? Could it even promote extremism? Or is it merely used for harmless advertising? After a brief review of tracking and profiling methods, this talk intends to discuss tracking tech trends that followed regulatory measures worldwide.

Description

Some of the trends worth discussing may include: There seems to be a growing concern that manipulative effects may be underestimated. In contrast, the question is increasingly being raised as to whether targeted ads are as effective as marketers make us believe. For example, the author of "Subprime Attention Crisis" thinks that "digital advertising is at risk of collapsing". If he were right, what would that mean for free services some of us have come to rely on? With third party cookies or other identifiers being deprecated by some vendors, marketers now talk about zero, first, second and third party data. Buzzwords? Finally, discussions about biometric tracking, especially face recognition, have intensified. A renowned magazine headlined what appears to be a simple question, but probably isn't: "What happens when our faces are tracked everywhere we go?" We can only delve into a small part of a wide range of social issues around the tracking ecosystem. For example, how (un)important or harmful (or harmless) comprehensive behavioural profiling is, and what we do (or do not) want to do about it.

Attacking and Defending Web Applications 2.0

The Best Offense is a Strong Defense

Leonardo Galli

Security - Workshop (3h)

16.10.2021, 16:15 - 19:15 in E41

Summary

A lot has changed since the invention of the internet and the world wide web. It has become essentially impossible to imagine a setting where no web applications — such as webshops, messaging applications or social media sites — exist. With that omnipresence, it becomes increasingly important to consider security in an online world. Web applications are no longer the static pages they once were, and this opens the doors to a plethora of attacks that could endanger a business or its users. After an introduction with an overview of some common vulnerabilities in webapps, we intend to give participants some insight into practical attacks and vulnerabilities through a gamified experience. Several small teams will attack each other, while trying to defend their own team website. Don't panic, no real websites will be harmed in the process. This will just be a toy website provided by us, without any legal ramifications.

Our beloved workshop is back and it will be twice as big, twice as fun and twice as buggy! While the first half of the workshop will be very similar to last year, the second half contains a completely new challenge. However, we recommend that participants from last year give others a chance to register first ;)

Prerequisites: An interest in cyber security, some minor programming experience and a computer to work from. We will take care of the necessary infrastructure and vulnerable web application.

Disclaimer: We only condone the use of this knowledge for ethical hacking within a legal framework. Any malicious use of knowledge and experience obtained through this workshop is your own responsibility.

Description

Part I: Introduction to Web Security (ca. 1h)

In the first part of the talk, attendees will be introduced to the world of web apps with an overwhelming focus on their security. First, we will give an overview of the most common technologies used throughout modern web apps, such as Python + Flask, PHP, MySQL, etc. Next, attendees will receive a brief but broad introduction to many different types of vulnerabilities and ways to exploit them, starting at one of the - if not the - most well-known vulnerabilities, SQL injection, and ending with some rather exotic - although still very relevant - ones, such as Server Side Request Forgery (SSRF) or broken JSON Web Tokens (JWT).

Part II: Attack and Defense (ca. 2h)

The second part focuses on putting the skills learned in the first part to practical use. Initially, attendees will be divided into small teams. Every team will have a server assigned, with a small toy web app running. The web app is the same for every team and has multiple vulnerabilities that can be exploited in various ways. The goal is to first identify the vulnerabilities, then patch them on your server, while simultaneously exploiting all other servers. To get points for exploiting, attendees will have to retrieve something (usually called a flag) stored on the other server, for example in the database. Like in real web apps, the flag will continuously change and hence the exploit is not a one-time set-and-forget affair, but rather a task of - at least somewhat - automation. Teams have both physical as well as networked root access to their server. The source code is available through a Git server running for every team, which will also automatically build and deploy any updates to the code. Furthermore, we will provide helper software to ease the automation of exploits. Additionally, every team will have an interface for viewing a complete dump of all traffic coming and going to their server, allowing them to quickly react to exploits and even attempt to steal them. Lastly, a member of flagbot, the ETH students' CTF team and the organizer behind this event, will be assigned to every team, helping out in every way they can - without actively attacking or defending. Following a short introduction explaining the above in a bit more detail, we will kick off the event, running for 2 hours. After it has ended, we will briefly discuss intended solutions as well as any creative exploits or unintended bugs we saw. Additionally, we will be answering any questions that might arise. Lastly, the network dumps of the whole event will be published online to dissect and take a look at.

About Flagbot

Flagbot is ETH's Capture The Flag team. Every weekend we take part in online (and sometimes onsite) hacking competitions around the world, and we offer students the thrills of being part of one of the top ranking teams fighting tooth and nail against other passionate hackers to get the latest flag. In 2019 and 2020 we ranked first in Switzerland, and 47th worldwide in 2020. Furthermore, every Monday we provide lectures on modern hacking topics and techniques to get new members up to speed. Amongst other things, last year we organized our first big event (BjörnCTF), and organized many collaborations with EPFL's CTF team.

An Introduction to Fuzzing and a direct application to the real world

16.10.2021, 11:20 - 12:15

E1.1

Leonardo Galli

An Introduction to Fuzzing and a direct application to the real world

Security - Extended talk (45 min)

16.10.2021, 11:20 - 12:15 in E1.1

Summary

Are you getting tired of people reporting security issues in your software? Do you think checking the bounds of your buffers is too much work? You want to find bugs in "your" software, but accidentally "misplaced" the source code? Or maybe the source code was found again, but nobody understands what it is doing? The answer to all of the above questions - and more - is fuzzing! In essence, fuzzing tries to - intelligently and automatically - find bugs in software. In this talk, you will first get to know how fuzzing actually accomplishes that and how to use it for finding bugs. As a direct application of the first part, I will then go over the process of taking the iPhone boot loader, making it runnable on Linux and finally being able to fuzz it.

Description

Initiatives such as Google's OSS-Fuzz or Go's first-party fuzz support have made great headway in making fuzzing more accessible. New security issues are uncovered almost daily thanks to advanced fuzzers and their usage across many projects. However, many developers have never heard of fuzzing, let alone used it before. In the first section of the talk, I will give an introduction to fuzzing, in particular how it works both in theory and practice, different types of fuzzing and how you can use it effectively to find bugs. I will showcase some common tools that are used, alongside useful tricks to overcome typical problems. Additionally, you will learn how to fuzz software with or without source code, software running on different architectures (such as aarch64) and even Go programs. In the end, you will - hopefully - see that fuzzing your code takes little additional effort, but can greatly help in finding security issues or even more traditional bugs. In the second section, I will describe the process of fuzzing a more complicated target, the iPhone boot loader, in more detail. As the first piece of code that runs when an iPhone boots, the boot loader's main responsibility is the initialization of critical hardware and the parsing and validation of the actual OS images. Since the parsing and validation logic is quite complicated, it makes a great target to start fuzzing. Before I could start with that, however, I had to understand how the boot loader achieves its functionality. Finally, I could then make it runnable under Linux, and you will also learn how I worked on improving the fuzzing speed.

Unplanned Side Effects

16.10.2021, 13:45 - 14:25

E1.2

Michael Batel

Unplanned Side Effects

How IT is enabling a revolution or missing its chances for Project Management

Entrepreneurship - Talk (30 min)

16.10.2021, 13:45 - 14:25 in E1.2

Summary

From the Pyramids of Giza to the Gotthard Tunnel, the world of Project Management has always been stably classical, and then IT came along! With the special characteristic of software as a project delivery result, the possibility of a disruptively new approach opens up - Agile Project Management. Is IT taking advantage of its opportunities to revolutionize Project Management or are agile projects doomed to fail? We explore this question by comparing two major projects from the old and new world.

Why "Everything as Code" changes everything

16.10.2021, 10:30 - 11:10

E1.1

Matthias Geel

Why "Everything as Code" changes everything

Computer Science - Talk (30 min)

16.10.2021, 10:30 - 11:10 in E1.1

Summary

Infrastructure as code, a technique that treats infrastructure configuration the same way as code, has become widely adopted and is considered best practice to manage highly dynamic infrastructure, especially in the cloud. But the “as code” paradigm does not have to stop with infrastructure. Whether it is security policies, network rules, deployment pipelines, documentation or even architectural diagrams, the ability to express all elements of an IT system as code allows system engineers to apply established principles of software development (e.g. source control, reproducibility, maintainability, etc.) to literally all aspects of a software system. This talk introduces the principles of “Everything as code”, explains the fundamental ideas behind the approach and illustrates its many applications based on real-world examples from industry and the open source community. It also highlights the skill set that every computer scientist should acquire in order to participate in that paradigm shift.

Rapid Prototyping

16.10.2021, 12:00 - 14:00

D5.1

Emily Hawkins

Rapid Prototyping

Entrepreneurship - Workshop (2h)

16.10.2021, 12:00 - 14:00 in D5.1

Summary

Learn about how to find the right solution & build the right product in this Interactive Workshop.

Description

Lots of products fail if they are not solving the right problem or if they are trying to solve a problem but in the wrong way. In this interactive workshop, we will look briefly at the purpose of ‘Discovery’ in the context of software development and focus on how to find creative solutions to problems. There are many frameworks and tools you can use to discover both more about the problems or underserved needs and to learn more about what great solutions could be to these. In this session, we’ll look at rapid prototyping as a tool to jumpstart the ideation process, cast the net wide and ultimately come up with possible solutions to then take into validation with customers or users. Join us in our quest to find solutions for interesting problems. You will work in small teams, faced with a problem and get hands-on practice with a valuable discovery tool, learning how you could employ it in other situations and finding how you can work with others to generate ideas, build on top of each other’s thoughts and converge to a first solution.

Threat Hunting and Campaign Tracking

16.10.2021, 15:25 - 16:20

D1.2

Chi En (Ashley) Shen

Threat Hunting and Campaign Tracking

Security - Extended talk (45 min)

16.10.2021, 15:25 - 16:20 in D1.2

Summary

Defending against cyber criminals is a common topic among organizations across various sectors. Traditional passive monitoring no longer meets the needs of defending against emerging threats. Threat hunting has been gradually introduced by many companies to look for threats hiding in the environment. To understand a threat actor's tactics, techniques and procedures, campaign tracking is an important approach to accomplish actor profiling, monitoring and performing attribution. In this talk, I will talk about some threat hunting techniques to discover attackers in the reconnaissance and weaponization stages and what should be considered for campaign tracking.

Practical guide to a compliant AI implementation

16.10.2021, 15:25 - 16:20

E1.1

Ilya Vasilenko

Practical guide to a compliant AI implementation

Practical tips for AI software engineers and data scientists

Computer Science - Extended talk (45 min)

16.10.2021, 15:25 - 16:20 in E1.1

Summary

As a software engineer or a data scientist, how do you ensure that (1) your users believe that your AI software is trustworthy, (2) your customers stay with your AI service over a longer period of time, and (3) you fulfil a ton of requirements from laws and regulations that keep growing and growing every year? Let's look at some practical tips!

Description

AI technologies are great. But they also bring big risks when mismanaged - just look back at the impact of Cambridge Analytica or the like. Users and customers want to trust services; they want a reliable partner. On the other hand, the industry has to be able to innovate and move fast. And we should not forget the formal component - laws and regulations impose constraints and require a lot of bureaucratic work. How to combine all these elements? The answer is in clear and practical guidelines which help on a daily basis. These guidelines are based on interpreting a very complex and vague legal landscape, and they include industry best practices, business requirements and user expectations. These guidelines should be short and clear. Let's have a look in this talk at what they may look like.

Innovate on Layer 8

16.10.2021, 11:20 - 12:15

D7.1

Sarah Mühlemann

Innovate on Layer 8

Security - Talk (30 min)

16.10.2021, 11:20 - 12:15 in D7.1

Summary

While the way we handle cyber threats such as cyberattacks or disinformation has advanced significantly in recent years, we still heavily focus on technology, although many of these threats rely on and exploit human factors. Only a few people are engaged in finding truly human-centered solutions and in creating motivating learning opportunities that empower people to effectively deal with such challenges in their private and professional life. Thus, we clearly need more innovators that focus on the human side of things! Since high school, I've been creating gamified cyber awareness modules, and lately I've also been engaged in making valuable expertise and qualitative products in this niche more broadly available. Based on examples and experiences, I will show you what innovating on layer 8 can look like, why it is exciting for people with various backgrounds/interests and what challenges you might be facing.

Description

In this talk, layer 8 is addressed in regard to human-relevant cyber threats such as social engineering attacks or disinformation. Everyone is welcome - also non-CS students!