<?xml version='1.0' encoding='utf-8' ?>
<!-- Made with love by pretalx v2024.2.1. -->
<schedule>
    <generator name="pretalx" version="2024.2.1" />
    <version>1.2</version>
    <conference>
        <title>DCTF26</title>
        <acronym>dctf26</acronym>
        <start>2026-03-21</start>
        <end>2026-03-22</end>
        <days>2</days>
        <timeslot_duration>00:05</timeslot_duration>
        <base_url>https://cfp.dragonsec.si</base_url>
        <logo>https://cfp.dragonsec.si/media/dctf26/img/dctf26_flag_QEcvmdN.png</logo>
        <time_zone_name>Europe/Ljubljana</time_zone_name>
        
        
    </conference>
    <day index='1' date='2026-03-21' start='2026-03-21T04:00:00+01:00' end='2026-03-22T03:59:00+01:00'>
        <room name='PA' guid='da915239-c932-5fae-9774-072bfd5d2dbb'>
            <event guid='61f604d7-4300-5e1b-a7d9-a600b88798e6' id='28'>
                <room>PA</room>
                <title>Don&apos;t let them break you: a CTF infrastructure whitepaper</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-03-21T10:00:00+01:00</date>
                <start>10:00</start>
                <duration>00:25</duration>
                <abstract>Most infrastructure is built to be used; CTF infrastructure is built to be abused. When your user base consists of hundreds of hackers armed with weaponized 1-days and a competitive drive to bypass your guardrails, &quot;standard&quot; scalability and security models fall apart.

Drawing from two years of organizing on-site jeopardy competitions for several hundred participants, this talk deconstructs the unique intersection of high-concurrency DevOps and aggressive hardening. We will explore the &quot;war stories&quot; of managing real-time exploits, mitigating flag-sharing, and maintaining a satisfactory user experience in this unique and challenging environment.</abstract>
                <slug>dctf26-28-don-t-let-them-break-you-a-ctf-infrastructure-whitepaper</slug>
                <track></track>
                
                <persons>
                    <person id='35'>Rok &#352;tular</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.dragonsec.si/dctf26/talk/R8ZTV9/</url>
                <feedback_url>https://cfp.dragonsec.si/dctf26/talk/R8ZTV9/feedback/</feedback_url>
            </event>
            <event guid='db46e56c-9773-502a-9a37-6cdb2bc10f13' id='23'>
                <room>PA</room>
                <title>How do we effectively communicate about INFOSEC?</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-03-21T10:30:00+01:00</date>
                <start>10:30</start>
                <duration>00:25</duration>
                <abstract>What is our responsibility to the public when it comes to talking about INFOSEC? Do we need to dazzle people with our tech brilliance? Do we need to show them how cool and nerdy we are? Do we need to scare the bejesus out of them? Probably, none of the above. Join me in this informal session and we can talk about it :).</abstract>
                <slug>dctf26-23-how-do-we-effectively-communicate-about-infosec-</slug>
                <track></track>
                <logo>/media/dctf26/submissions/YARFSQ/311604688_661737755313270_3392773489265245707_n_C2duqzI.jpg</logo>
                <persons>
                    <person id='11'>David Modic</person>
                </persons>
                <language>en</language>
                <description>I will talk about some recent experiences and about how, in our field, we seem to be constantly going for shock and awe, rather than lowering the blood pressure of everyman. We should also discuss people skills, when it comes to conversing with fellow humans.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.dragonsec.si/dctf26/talk/YARFSQ/</url>
                <feedback_url>https://cfp.dragonsec.si/dctf26/talk/YARFSQ/feedback/</feedback_url>
            </event>
            <event guid='155a22e1-8408-5f97-9054-349fc8abc729' id='36'>
                <room>PA</room>
                <title>From Beginner to Pro Hacker: Practical Approach to Offensive Security Training</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-03-21T11:30:00+01:00</date>
                <start>11:30</start>
                <duration>00:25</duration>
                <abstract>This session addresses the gap between theoretical knowledge and practical offensive security skills by presenting a hands-on training methodology based on realistic lab environments. It focuses on core techniques such as enumeration, exploitation, and post-exploitation, emphasizing the ability to chain vulnerabilities into complete attack paths. Drawing from recent penetration testing experience, it highlights how legacy systems and misconfigurations continue to expose modern infrastructures to compromise.</abstract>
                <slug>dctf26-36-from-beginner-to-pro-hacker-practical-approach-to-offensive-security-training</slug>
                <track></track>
                <logo>/media/dctf26/submissions/33KECY/CYBER-SEC_GNFwbzQ.png</logo>
                <persons>
                    <person id='17'>&#381;an Urban&#269;i&#269;</person><person id='19'>Danijela &#352;antak</person>
                </persons>
                <language>en</language>
                <description>Transitioning from theoretical knowledge to practical offensive security skills remains a significant challenge for many learners. While concepts are widely documented, the ability to apply them in realistic environments is often missing.
This session presents a methodology for developing hands-on skills through controlled lab environments that simulate real-world infrastructures. The focus is on core offensive techniques, including enumeration, vulnerability identification, exploitation, and post-exploitation, with an emphasis on chaining weaknesses into meaningful attack paths.
Drawing from recent penetration testing experience, including the discovery of vulnerabilities, the session highlights how legacy systems and misconfigurations continue to introduce exploitable conditions in modern networks.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.dragonsec.si/dctf26/talk/33KECY/</url>
                <feedback_url>https://cfp.dragonsec.si/dctf26/talk/33KECY/feedback/</feedback_url>
            </event>
            <event guid='7f227f65-3d4e-5999-8213-2b46d15ed5d0' id='25'>
                <room>PA</room>
                <title>Compliance of Electronic Products in the EU: From Electrical Safety and EMC to Cybersecurity under RED</title>
                <subtitle></subtitle>
                <type>Lecture</type>
                <date>2026-03-21T12:00:00+01:00</date>
                <start>12:00</start>
                <duration>00:50</duration>
                <abstract>This lecture presents an overview of the key EU product directives governing electronic and electrical equipment: the Low Voltage Directive (2014/35/EU), the Electromagnetic Compatibility Directive (2014/30/EU), and the Radio Equipment Directive (2014/53/EU). It outlines their essential requirements, conformity assessment procedures, and the role of harmonised standards in achieving CE marking.
Special attention is given to cybersecurity obligations introduced under the Radio Equipment Directive through Delegated Regulation (EU) 2022/30. The lecture explains how cybersecurity, network protection, and personal data safeguards are now formal compliance requirements for connected and radio-enabled devices, and how these requirements impact design, risk assessment, technical documentation, and lifecycle management.
The session highlights the interaction between electrical safety, EMC, and cybersecurity within a unified compliance strategy for modern electronic products.</abstract>
                <slug>dctf26-25-compliance-of-electronic-products-in-the-eu-from-electrical-safety-and-emc-to-cybersecurity-under-red</slug>
                <track></track>
                
                <persons>
                    <person id='33'>Marko Jankovec</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.dragonsec.si/dctf26/talk/NZGV7M/</url>
                <feedback_url>https://cfp.dragonsec.si/dctf26/talk/NZGV7M/feedback/</feedback_url>
            </event>
            <event guid='6ffeae90-f233-571a-9bf7-98f577ae5157' id='29'>
                <room>PA</room>
                <title>Zero to RCE in a Weekend: Fuzzing Old Games for Memory Corruption</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-03-21T14:30:00+01:00</date>
                <start>14:30</start>
                <duration>00:25</duration>
                <abstract>Mid-2000s videogames are a great target for finding RCE exploits. They were written in a different era, when things like ASLR and DEP were still seen as useless luxuries that just tank performance. Besides, who is gonna go through the effort to set up a fuzzer for these ancient games?

In this talk we&apos;ll pick a classic 2000&apos;s game, go over the process of fuzzing the game&apos;s server with a very fancy snapshot fuzzer, and fuzzing the client with the dumbest possible bit-flipper I could write in an hour. Both of these approaches lead to bugs that we&apos;ll exploit for remote code execution.</abstract>
                <slug>dctf26-29-zero-to-rce-in-a-weekend-fuzzing-old-games-for-memory-corruption</slug>
                <track></track>
                
                <persons>
                    <person id='36'>Rick de Jager</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>true</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.dragonsec.si/dctf26/talk/PLTQ8Z/</url>
                <feedback_url>https://cfp.dragonsec.si/dctf26/talk/PLTQ8Z/feedback/</feedback_url>
            </event>
            <event guid='bdb4a770-695a-5d27-befc-bc83b64d77db' id='24'>
                <room>PA</room>
                <title>Unfaithful Claims: Breaking 6 zkVMs</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-03-21T15:00:00+01:00</date>
                <start>15:00</start>
                <duration>00:25</duration>
                <abstract>A Zero Knowledge Virtual Machine verifier should be faithful to one thing above all else: its public claims. That is, the proof of a statement should depend on the statement itself. As it turns out, this is not always the case, which can lead to disastrous consequences. In this talk, we will take a journey through six systems where we discovered critical vulnerabilities caused by such issues. Learn how a subtle ordering bug or a tiny omission can let an attacker bypass the cryptography entirely and prove mathematically impossible statements.</abstract>
                <slug>dctf26-24-unfaithful-claims-breaking-6-zkvms</slug>
                <track></track>
                
                <persons>
                    <person id='7'>Andra&#382; Strgar</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.dragonsec.si/dctf26/talk/9LETXX/</url>
                <feedback_url>https://cfp.dragonsec.si/dctf26/talk/9LETXX/feedback/</feedback_url>
            </event>
            <event guid='6e4c4bbe-b61a-532e-b215-c0323d86b18a' id='27'>
                <room>PA</room>
                <title>Anonymous Credentials for Next-Generation Rate Limiting: From Linear to Constant-Size Issuance</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-03-21T15:30:00+01:00</date>
                <start>15:30</start>
                <duration>00:25</duration>
                <abstract>Anonymous credentials are a critical building block for privacy-preserving systems, from EU digital wallets to privacy-respecting authentication schemes. At the IETF, however, they address efficient rate limiting in the presence of CAPTCHA-based human verification.
Current rate limiting systems use blind signatures or OPRFs to issue batches of rate-limiting tokens post-CAPTCHA. While cryptographically sound, this approach incurs communication complexity linear in the number of tokens issued, a significant bottleneck when handling large token batches.
The talk presents two proposals to reduce the token issuance to constant-size communication regardless of batch size, and shows how to combine them to get parallel, revocable tokens.
The talk will cover the cryptographic foundations, discuss trade-offs between revocation expressiveness and issuance efficiency, and examine deployment challenges. We&apos;ll also explore an interesting secondary application: extending rate limiting to adaptive systems (LLMs, bots) that must solve CAPTCHAs, where the same credential mechanism enables fine-grained behavioral constraints beyond simple token budgets.</abstract>
                <slug>dctf26-27-anonymous-credentials-for-next-generation-rate-limiting-from-linear-to-constant-size-issuance</slug>
                <track></track>
                
                <persons>
                    <person id='34'>Lena Heimberger</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.dragonsec.si/dctf26/talk/QWPGK3/</url>
                <feedback_url>https://cfp.dragonsec.si/dctf26/talk/QWPGK3/feedback/</feedback_url>
            </event>
            <event guid='549b2c03-ad8e-5fdf-9eb5-ef83266d0025' id='26'>
                <room>PA</room>
                <title>When Correct Code leaks Secrets: Side Channels Explained</title>
                <subtitle></subtitle>
                <type>Lecture</type>
                <date>2026-03-21T16:30:00+01:00</date>
                <start>16:30</start>
                <duration>00:50</duration>
                <abstract>In the real world, computer exploits are often simple: Logic bugs, forgotten bounds checks, or less-adept users typing their passwords into sketchy websites.
But what if we had a world full of flawless code, Rust-only programs, and completely security-aware end users?

Unfortunately, we still would not be secure.
Modern systems leak information in many ways, including performance optimizations or unavoidable limitations in hard- or software.
Execution time, memory access patterns, power usage, and other indirect effects can allow attackers to infer information and extract secrets, even from correctly implemented systems.

In this talk, we look at examples of different attacks exploiting behavior of the CPU architecture, microarchitecture, the Linux kernel code, and common applications that are running on your machine _right now_.
We will see that many side channels are caused by important performance optimizations, making them fundamentally difficult to eliminate.

This talk aims to demystify side channels and give an intuition on how they work, where they appear, and why even &quot;correct&quot; code is not necessarily secure.</abstract>
                <slug>dctf26-26-when-correct-code-leaks-secrets-side-channels-explained</slug>
                <track></track>
                
                <persons>
                    <person id='30'>Hannes Weissteiner</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.dragonsec.si/dctf26/talk/TNAZ7R/</url>
                <feedback_url>https://cfp.dragonsec.si/dctf26/talk/TNAZ7R/feedback/</feedback_url>
            </event>
            <event guid='3f8a8412-dfe9-500d-a884-0aea4b0a2645' id='31'>
                <room>PA</room>
                <title>How can one do security in a fully modular kernel?</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-03-21T17:30:00+01:00</date>
                <start>17:30</start>
                <duration>00:25</duration>
                <abstract>I mean, let&apos;s be real, a fully modular kernel? Sounds awesome, you know what&apos;s not so awesome? Trying to think of a security architecture for it!</abstract>
                <slug>dctf26-31-how-can-one-do-security-in-a-fully-modular-kernel-</slug>
                <track></track>
                
                <persons>
                    <person id='38'>Andra&#382; Rotar</person>
                </persons>
                <language>en</language>
                <description>This talk will cover some of the classic methods of security when it comes to kernels and operating systems, then it will throw those backward ideas out of the window because basically none of them are compatible with my idea of a fully modular kernel! But then you might ask, a fully modular kernel? Well, I&apos;ve been working on this &quot;side&quot; project in my free time for quite a while, it&apos;s a custom kernel where (almost) all components of the kernel are loadable modules, that means you can switch out parts of your kernel whenever you want! Which sounds perfectly awesome, but just so happens to be a security nightmare! In any other currently popular operating system allowing any user to load kernel modules is a terrible idea, but maybe it doesn&apos;t have to be in my custom kernel?</description>
                <recording>
                    <license></license>
                    <optout>true</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.dragonsec.si/dctf26/talk/9EU38Y/</url>
                <feedback_url>https://cfp.dragonsec.si/dctf26/talk/9EU38Y/feedback/</feedback_url>
            </event>
            <event guid='0fbee1f0-fc9e-5ffa-ac3b-8afc3af65a2d' id='38'>
                <room>PA</room>
                <title>Capture the Flag in SOC</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-03-21T18:00:00+01:00</date>
                <start>18:00</start>
                <duration>00:25</duration>
                <abstract>What does cybersecurity look like in practice? This lecture shows how Capture the Flag challenges build practical SOC skills, analytical thinking, and teamwork under pressure.</abstract>
                <slug>dctf26-38-capture-the-flag-in-soc</slug>
                <track></track>
                <logo>/media/dctf26/submissions/ULRU9Q/Actual_IT_GROUP_hor_rgb_300dpi_FCY0q42.jpg</logo>
                <persons>
                    <person id='39'>Peter Hutinski</person><person id='40'>Peter Pavkovi&#269;</person><person id='41'>Matic &#352;ebjan Ogrizek</person>
                </persons>
                <language>en</language>
                <description>What does cybersecurity look like in practice? Through the Capture the Flag approach, the lecture will show how threat detection, incident analysis, and finding the right answers under time pressure take place in a SOC environment. Participants will learn why these types of challenges are important for developing practical skills, analytical thinking, and effective teamwork.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.dragonsec.si/dctf26/talk/ULRU9Q/</url>
                <feedback_url>https://cfp.dragonsec.si/dctf26/talk/ULRU9Q/feedback/</feedback_url>
            </event>
            
        </room>
        
    </day>
    <day index='2' date='2026-03-22' start='2026-03-22T04:00:00+01:00' end='2026-03-23T03:59:00+01:00'>
        
    </day>
    
</schedule>
