39C3: CCC hackers demand federal data security games against ransomware

From Cyberdome to "AI Slop": Experts analyze the status quo of IT security and reveal a near future where backups may become a competitive sport.


In the exhibition halls of Hamburg, Tuesday saw the usual mix of technological optimism and pessimism typical of the year's end. But as Ron Fulda and Constanze Kurz took the stage at the 39th Chaos Communication Congress (39C3), the remaining optimism gave way to a grim and terrifying assessment of digital failure. Under the title "Security Nightmares," the veteran hackers sketched a picture of IT security that oscillated between state megalomania and the looming threat of "enshittification" by AI. The hook: in the face of the ongoing ransomware threat, the duo from the Chaos Computer Club (CCC) called for backup competitions in the style of major sporting events.

The look into the near future, traditionally sharpened by a lot of hacker irony, was characterized by increasing automation – both in attack and defense. Kurz referred to the key points paper for a "Cyberdome." The idea, overheard by Federal Minister of the Interior Alexander Dobrindt (CSU) in Israel, is intended to lead to an implementation concept in 2026. The goal sounds like science fiction: a digital shield for the economy and society that automatically repels "computer attacks."

The hacker community remains skeptical. When technology fails, only the classic IT virtue helps: backup. "We are calling for the Federal Data Security Games," explained Fulda, referring to countless failed recovery attempts in administration and industry: "In the end, a good backup is the last level of defense." The topic needs to be framed positively, moving away from "Backup Hunger Games" towards a culture of success. Those who can prove that they can successfully restore their data should receive medals or at least certificates of participation and educational leave. The state of the digital world is partly absurd: for example, there is a legal obligation to let users freely choose their browser in the operating system. However, there is no obligation to let them choose whether data should be stored locally, in one's own cloud, or on this planet at all.

For 2026, Kurz and Fulda also predict a new escalation level of AI integration. It's no longer just about spying on user behavior for advertising. With "Agentic Add-ons" – autonomously acting bots – enshittification reaches a new level. Fulda joked about "counter-interfaces" and open standards for bribing such AI agents.

At the same time, a massive resource problem looms. While the energy and water consumption of data centers is already being discussed, RAM consumption could become a major annoyance for consumers in 2026, it was said. A return to lean, efficient software would be desirable, but that is hardly compatible with the trend towards Vibe Coding – the assembling of source code by non-programmers using AI.

To understand the absurdity of the present, Fulda and Kurz believe it is worth remembering 2015. Ten years ago, the world of IT security was still different, although the seeds of today's problems were already visible. At that time, people marveled at the first cyber bank robbery of one billion dollars – a sum that now seems almost modest in the face of crypto scams. Fulda emphasized: "That was still before the big Bitcoin hype."

A highlight of the retrospective was the networked doll "Hello Barbie." The doll was once reviled as a security disaster for the nursery, and Fulda drew a parallel to today's AI systems like ChatGPT. Barbie also had a backend that was live for years. Furthermore, according to the hackers, the toy raised the question of whether toy manufacturers are obliged to report child abuse if the doll becomes aware of it. Today, the debate revolves around chat logs in cases of suicide and AI hallucinations, Fulda explained: "If the AI says: 'This is getting too tough for me, I'll hand it over to a human,' and then no one answers the phone – that's the reality we've arrived at."

State surveillance was also a constant topic in 2015. The major leak at Hacking Team occupied the community for a long time. Kurz recalled the nights she spent working on it. With helpers, she wanted to find proof in the data chaos that the Federal Criminal Police Office (BKA) was also a customer of the Italian trojan maker. While the tinkerers were still trembling about disinformation campaigns in the US election campaign back then, the current situation appears significantly bleaker. Fulda dryly remarked: "Today, we'll be happy if there's still an election campaign in three years."

In the here and now, IT security has reached a critical point. The statistics presented by Fulda speak volumes: 119 new security vulnerabilities per day, an increase of 24 percent compared to the previous year. At the same time, only 44 percent of Germans have a "secure password." The consequences are fatal. In 2024, England saw the first documented "ransomware death," when an attack on a blood donation service provider paralyzed medical care. "The indirect deaths were never counted," Kurz added grimly.

Brief commentary on AI Slop.

(Image: media.ccc.de, CC BY 4.0)

The panelists expressed particular annoyance at the state of the internet. Around 20 percent of the most popular YouTube content now consists of "AI Slop." This low-quality, AI-generated content still generates millions in revenue. On TikTok, the share is 20 percent. "Is there anyone left with a normal face" on social networks, Kurz asked, disappointed. As more and more software is "clicked together" by people who have never learned the essence of programming, professionals often have to clean up the mess. Fulda provided another example: "If you use AI in a law firm, you'll need more lawyers afterwards to get rid of the unwanted processes."

The military (the "Houthi group" chat, with its insider knowledge of opsec, leaked) and industry were also not spared in the face of high zero-day waves and genuine cloud outages. The severe cyberattack on Jaguar Land Rover in February led to weeks of factory closures and damage of around 2.2 billion euros. Meanwhile, the "Infinity Crypto Wars" are raging in the background. The British government demanded access to iCloud data, prompting Apple to disable "Advanced Data Protection" for new customers in the UK. Kurz noted: "The committees that write the wish lists for surveillance now have very successful access to lawmakers."

Despite the many sleepless nights, there was a tentative glimmer of hope at the end. After almost 17 years of political debate and a corresponding promise in the coalition agreement of the current government under Friedrich Merz (CDU), the "right to IT security research" finally seems within reach. "It's actually supposed to happen now," Kurz said, not quite believing the political announcements regarding the amendment of the hacker paragraphs. In a world where North Korean IT employees can only be identified by their keyboard delays, such a step would be at least a small consolation prize for the local hackers in their elite sports competitions. (nen)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.