BEGIN:VCALENDAR VERSION:2.0 PRODID:-//pretalx//cfp.dragonsec.si// BEGIN:VTIMEZONE TZID:CET BEGIN:STANDARD DTSTART:20001029T040000 RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10 TZNAME:CET TZOFFSETFROM:+0200 TZOFFSETTO:+0100 END:STANDARD BEGIN:DAYLIGHT DTSTART:20000326T030000 RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3 TZNAME:CEST TZOFFSETFROM:+0100 TZOFFSETTO:+0200 END:DAYLIGHT END:VTIMEZONE BEGIN:VEVENT UID:pretalx-dctf26-R8ZTV9@cfp.dragonsec.si DTSTART;TZID=CET:20260321T100000 DTEND;TZID=CET:20260321T102500 DESCRIPTION:Most infrastructure is built to be used\; CTF infrastructure is built to be abused. When your user base consists of hundreds of hackers a rmed with weaponized 1-days and a competitive drive to bypass your guardra ils\, "standard" scalability and security models fall apart.\n\nDrawing fr om two years of organizing on-site jeopardy competitions for several hundr ed participants\, this talk deconstructs the unique intersection of high-c oncurrency DevOps and aggressive hardening. We will explore the "war stori es" of managing real-time exploits\, mitigating flag-sharing\, and maintai ning a satisfactory user experience in this unique and challenging environ ment. DTSTAMP:20260501T083329Z LOCATION:PA SUMMARY:Don't let them break you: a CTF infrastructure whitepaper - Rok Št ular URL:https://cfp.dragonsec.si/dctf26/talk/R8ZTV9/ END:VEVENT BEGIN:VEVENT UID:pretalx-dctf26-YARFSQ@cfp.dragonsec.si DTSTART;TZID=CET:20260321T103000 DTEND;TZID=CET:20260321T105500 DESCRIPTION:What is our responsiblity to the public\, when it comes to talk ing about INFOSEC. Do we need to dazzle people with our tech brilliance? D o we need to show them how cool and nerdy we are? Do we need to scare the bejesus out of them? Probably\, none of the above. Join me in this informa l session and we can talk about it :). DTSTAMP:20260501T083329Z LOCATION:PA SUMMARY:How do we effectively communicate about INFOSEC? - David Modic URL:https://cfp.dragonsec.si/dctf26/talk/YARFSQ/ END:VEVENT BEGIN:VEVENT UID:pretalx-dctf26-33KECY@cfp.dragonsec.si DTSTART;TZID=CET:20260321T113000 DTEND;TZID=CET:20260321T115500 DESCRIPTION:This session addresses the gap between theoretical knowledge an d practical offensive security skills by presenting a hands-on training me thodology based on realistic lab environments. It focuses on core techniqu es such as enumeration\, exploitation\, and post-exploitation\, emphasizin g the ability to chain vulnerabilities into complete attack paths. Drawing from recent penetration testing experience\, it highlights how legacy sys tems and misconfigurations continue to expose modern infrastructures to co mpromise. DTSTAMP:20260501T083329Z LOCATION:PA SUMMARY:From Beginner to Pro Hacker: Practical Approach to Offensive Securi ty Training - Žan Urbančič\, Danijela Šantak URL:https://cfp.dragonsec.si/dctf26/talk/33KECY/ END:VEVENT BEGIN:VEVENT UID:pretalx-dctf26-NZGV7M@cfp.dragonsec.si DTSTART;TZID=CET:20260321T120000 DTEND;TZID=CET:20260321T125000 DESCRIPTION:This lecture presents an overview of the key EU product directi ves governing electronic and electrical equipment: the Low Voltage Directi ve (2014/35/EU)\, the Electromagnetic Compatibility Directive (2014/30/EU) \, and the Radio Equipment Directive (2014/53/EU). It outlines their essen tial requirements\, conformity assessment procedures\, and the role of har monised standards in achieving CE marking.\nSpecial attention is given to cybersecurity obligations introduced under the Radio Equipment Directive t hrough Delegated Regulation (EU) 2022/30. The lecture explains how cyberse curity\, network protection\, and personal data safeguards are now formal compliance requirements for connected and radio-enabled devices\, and how these requirements impact design\, risk assessment\, technical documentati on\, and lifecycle management.\nThe session highlights the interaction bet ween electrical safety\, EMC\, and cybersecurity within a unified complian ce strategy for modern electronic products. DTSTAMP:20260501T083329Z LOCATION:PA SUMMARY:Compliance of Electronic Products in the EU: From Electrical Safety and EMC to Cybersecurity under RED - Marko Jankovec URL:https://cfp.dragonsec.si/dctf26/talk/NZGV7M/ END:VEVENT BEGIN:VEVENT UID:pretalx-dctf26-PLTQ8Z@cfp.dragonsec.si DTSTART;TZID=CET:20260321T143000 DTEND;TZID=CET:20260321T145500 DESCRIPTION:Mid-2000s videogames are a great target for finding RCE exploit s. They were written in a different era\, when things like ASLR and DEP we re still seen as useless luxuries that just tank performance. Besides\, wh o is gonna go through the effort to set up a fuzzer for these ancient game s?\n\nIn this talk we'll pick a classic 2000's game\, go over the process of fuzzing the game's server with a very fancy snapshot fuzzer\, and fuzzi ng the client with the dumbest possible bit-flipper I could write in an ho ur. Both of these approaches lead to bugs that we'll exploit for remote co de execution. DTSTAMP:20260501T083329Z LOCATION:PA SUMMARY:Zero to RCE in a Weekend: Fuzzing Old Games for Memory Corruption - Rick de Jager URL:https://cfp.dragonsec.si/dctf26/talk/PLTQ8Z/ END:VEVENT BEGIN:VEVENT UID:pretalx-dctf26-9LETXX@cfp.dragonsec.si DTSTART;TZID=CET:20260321T150000 DTEND;TZID=CET:20260321T152500 DESCRIPTION:A Zero Knowledge Virtual Machine verifier should be faithful to one thing above all else: its public claims. That is\, the proof of a sta tement should depend on the statement itself. As it turns out\, this is no t always the case\, which can lead to disastrous consequences. In this tal k\, we will take a journey through six systems where we discovered critica l vulnerabilities caused by such issues. Learn how a subtle ordering bug o r a tiny omission can let an attacker bypass the cryptography entirely and prove mathematically impossible statements. DTSTAMP:20260501T083329Z LOCATION:PA SUMMARY:Unfaithful Claims: Breaking 6 zkVMs - Andraž Strgar URL:https://cfp.dragonsec.si/dctf26/talk/9LETXX/ END:VEVENT BEGIN:VEVENT UID:pretalx-dctf26-QWPGK3@cfp.dragonsec.si DTSTART;TZID=CET:20260321T153000 DTEND;TZID=CET:20260321T155500 DESCRIPTION:Anonymous credentials are a critical building block for privacy -preserving systems\, from EU digital wallets to privacy-respecting authen tication schemes. At the IETF\, however\, they address efficient rate limi ting in the presence of CAPTCHA-based human verification.\nCurrent rate li miting systems use blind signatures or OPRFs to issue batches of rate-limi ting tokens post-CAPTCHA. While cryptographically sound\, this approach in curs communication complexity linear in the number of tokens issued\, a si gnificant bottleneck when handling large token batches.\nThe talk presents two proposals to reduce the token issuance to constant-size communication regardless of batch size\, and shows how to combine them to get parallel\ , revocable tokens \nThe talk will cover the cryptographic foundations\, d iscuss trade-offs between revocation expressiveness and issuance efficienc y\, and examine deployment challenges. We'll also explore an interesting s econdary application: extending rate limiting to adaptive systems (LLMs\, bots) that must solve CAPTCHAs\, where the same credential mechanism enabl es fine-grained behavioral constraints beyond simple token budgets. DTSTAMP:20260501T083329Z LOCATION:PA SUMMARY:Anonymous Credentials for Next-Generation Rate Limiting: From Linea r to Constant-Size Issuance - Lena Heimberger URL:https://cfp.dragonsec.si/dctf26/talk/QWPGK3/ END:VEVENT BEGIN:VEVENT UID:pretalx-dctf26-TNAZ7R@cfp.dragonsec.si DTSTART;TZID=CET:20260321T163000 DTEND;TZID=CET:20260321T172000 DESCRIPTION:In the real world\, computer exploits are often simple: Logic b ugs\, forgotten bounds checks\, or less-adept users typing their passwords into sketchy websites.\nBut what if we had a world full of flawless code\ , Rust-only programs\, and completely security-aware end users?\n\nUnfortu nately\, we still would not be secure.\nModern systems leak information in many ways\, including performance optimizations or unavoidable limitation s in hard- or software.\nExecution time\, memory access patterns\, power u sage\, and other indirect effects can allow attackers to infer information and extract secrets\, even from correctly implemented systems.\n\nIn this talk\, we look at examples of different attacks exploiting behavior of th e CPU architecture\, microarchitecture\, the Linux kernel code\, and commo n applications that are running on your machine _right now_.\nWe will see that many side channels are caused by important performance optimizations\ , making them fundamentally difficult to eliminate.\n\nThis talk aims to d emystify side channels and give an intuition on how they work\, where they appear\, and why even "correct" code is not necessarily secure. DTSTAMP:20260501T083329Z LOCATION:PA SUMMARY:When Correct Code leaks Secrets: Side Channels Explained - Hannes W eissteiner URL:https://cfp.dragonsec.si/dctf26/talk/TNAZ7R/ END:VEVENT BEGIN:VEVENT UID:pretalx-dctf26-9EU38Y@cfp.dragonsec.si DTSTART;TZID=CET:20260321T173000 DTEND;TZID=CET:20260321T175500 DESCRIPTION:I mean\, let's be real\, a fully modular kernel? sounds awesome \, you know what's not so awesome? Trying to think of a security architect ure for it! DTSTAMP:20260501T083329Z LOCATION:PA SUMMARY:How can one do security in a fully modular kernel? - Andraž Rotar URL:https://cfp.dragonsec.si/dctf26/talk/9EU38Y/ END:VEVENT BEGIN:VEVENT UID:pretalx-dctf26-ULRU9Q@cfp.dragonsec.si DTSTART;TZID=CET:20260321T180000 DTEND;TZID=CET:20260321T182500 DESCRIPTION:What does cybersecurity look like in practice? This lecture sho ws how Capture the Flag challenges build practical SOC skills\, analytical thinking\, and teamwork under pressure. DTSTAMP:20260501T083329Z LOCATION:PA SUMMARY:Capture the Flag in SOC - Peter Hutinski\, Peter Pavkovič\, Matic Šebjan Ogrizek URL:https://cfp.dragonsec.si/dctf26/talk/ULRU9Q/ END:VEVENT END:VCALENDAR