|Talk||Author Bio||Talk Description|
|"DNS and the Future of Authenticity" - indolering||Indolering is a usability engineer and focuses on security-related usability research. He is a recent graduate, the lead usability engineer for the Namecoin project, and has a similar day job at EasyDNS.||DNS is the keystone of the internet, the interface that allows us to attach semantic meaning to the world’s largest distributed computing system. It is the basis of the most widely used remote function call interface: the web browser’s address bar. From the browser, to SSH, to email, the Domain Name System is what we use to bootstrap the identity of programs, servers, and people.
Yet this key/value data store from the 80’s is insecure and increasingly prone to censorship. We have had the tools needed to make DNS cryptographically verifiable and decentralized for some time but the initial implementations failed. Thankfully, after years of research and trial-and-error, we finally have practical and deployable solutions.
This talk covers the benefits of a cryptographically verifiable domain name system and the state of decentralized DNS. It debunks common myths about DNSSEC and explains why it is vital to a decentralized DNS. It finishes with an overview of Namecoin, outlining past challenges that have stymied widespread adoption and potential solutions.
|"Getting into the Trust Store We Trust" - Ajit Hatti||Ajit Hatti is a Co-founder of “null - Open security community”. His work is focused on Infrastructure Security, providing Trusted Computing On Hostile Platforms & most of his papers are in social interest. Invented the widely exploited “Applanting” attack.
Previously worked on secure applications of Cryptography at Symantec Corporation. He has worked as an Engineer and Security Researcher with security companies like IBM-ISS, Bluelane, Zscaler in the past.
He has previously presented his security research at BlackHat, NullCon, Ground Zero Summit & C0C0N.
|It all starts with Trust Stores. Booting into a trusted OS, managing sensitive information, establishing a secure channel for communication across the networks, or any transaction involving PKI.
Let's try to understand more about Trust Stores: how they work, how malware and attackers (can) use different ways to manipulate them, and what we can do to detect and secure against such attempts.
|"Using Privacy and Crypto Tools" - Edmond Rogers (bigezy) & Shane Rogers (bust3r)||Edmond Rogers was actively involved as an industry participant in many research activities in ITI’s TCIPG Center, including work on NetAPT (the Network Access Policy Tool) and LZFuzz (Proprietary Protocol Fuzzing). Rogers was a security analyst for a Fortune 500 investor-owned utility, where his responsibilities included cyber security of SCADA networks. Before that, he was a security manager and network architect for a transfer agent for 43% of all mutual funds. Rogers leverages his wealth of experience to assist ITI researchers in creating laboratory conditions that closely reflect real-world configurations.
Shane Rogers (no relation) is working toward his Master's in Computer Science as an ICSSP scholar at the University of Illinois at Urbana-Champaign. He has worked as a research assistant for Information Trust Institute at UIUC focusing on OpenFlow-enabled software defined networks and as an EO&T Systems Engineering Intern at Boeing Defense, Space, and Security. He is also the ACM chair of the Open Network Security Monitoring (@OpenNSM) group at UIUC and in his free time likes nothing better than answering questions from his family members about how to fix their smartphones. Have you tried turning it off and back on again?
|This talk will discuss tools you can use to ensure your privacy online. What options are available now to protect your privacy in your personal computing device and the cloud? We’ve all heard of tools like PGP and OTR, but we’ll show you some newer tools with which you may not be familiar. This will include the best way to encrypt your email, providing privacy in cloud storage, and managing encryption keys. We will also step through how to install these tools. From there we will also discuss how to keep your privacy intact showing ways to clean cookies and other tracking data that accumulates in your devices.|
|"Keynote: Crypto & Privacy Village" - Whitney Merrill (@wbm312), Justin Culbertson (@jus341), Peter Teoh (@pteoh), Tony Arcieri (@bascule), Jorge Lacoste (@lacosteaef), and Nadia Kayyali (@NadiaKayyali)||Whitney Merrill is an attorney and graduate student in computer science at the University of Illinois at Urbana-Champaign specializing in information security, computer crime, privacy, surveillance, and Internet law. Her current research focuses on Android privacy, digital forensics, and the legal and usability issues surrounding encryption. She is a member of the Illinois Security Lab, and in her spare time Whitney runs the Crypto & Privacy Village. She loves solving puzzles and, recently, staying up late creating them.
Justin, aka Neon, helps run the Crypto & Privacy Village from the website to puzzles. He is also a DC DarkNet Operative and a member of the defcoin community! Come say hi to get a taste of those decentralized, digital hacker coins.
Peter Teoh leads the software security and compliance function for his current employer. He has worked in the tech industry since the last century in a variety of roles from network security, to data protection and privacy. Pete has been attending DEF CON since DC19 and was a speaker at DC22. In his spare time he hoards electronic gadgets and is an honorary cat lady.
Tony Arcieri works on the Platform Security Team at Square. These days he dabbles in cryptography. In the past he made the Celluloid actor framework for Ruby and the Reia programming language.
Jorge Lacoste swizzles bits and harvests blue smoke from ICs. This is his 6th DEF CON. Say hello if you see him. Jorge is also the principal designer of the first ever CPV electronic badge.
Nadia Kayyali got the opportunity to work with Crypto & Privacy Village as a member of EFF’s activism team. Nadia's work at EFF focuses on surveillance, national security policy, and the intersection of criminal justice, racial justice, and digital civil liberties issues. Nadia has given privacy trainings to a wide variety of audiences in the U.S., from artists to Black Lives Matter activists. Nadia previously served as the 2012 Bill of Rights Defense Committee Legal Fellow where they worked with grassroots groups to restrict the reach of overbroad national security policies. They earned their B.A. from UC Berkeley, where they majored in Cultural Anthropology and minored in Public Policy. They received their J.D. from UC Hastings.
|Welcome to the Crypto & Privacy Village. Come and learn all about the Village and the humans behind the scenes. We will announce some cool crypto puzzles we have planned and talk about our first electronic badge. Come and learn how you can participate and get involved.|
|"Keynote: Underhanded Crypto Contest" - Adam Caudill (@adamcaudill) & Taylor Hornby (@DefuseSec)||Adam Caudill is an independent security researcher and software developer with a primary focus on application security, secure communications, and cryptography. He is active in the open source community, writes on security and related topics, and is an advocate for user rights and privacy. His work has been cited by many media outlets and publications around the world, from CNN to Wired and countless others.
Taylor Hornby is a recent graduate and independent security researcher focusing on topics ranging from human usability to side channel information leakage. He has contributed to the open source community by performing both volunteer and paid security audits of popular code, as well as by creating developer-friendly security libraries.
|The Underhanded Crypto Contest is a research project to better document the state of the art in malicious crypto implementations and designs - and through that understanding, lead to better training for reviewers and better detection of flaws, accidental or otherwise. Starting this year, the Underhanded Crypto Contest will be working closely with the Crypto & Privacy Village - this year we are running two short challenge contests; details available on underhandedcrypto.com. Starting next year, the winners of the main event will be announced here.|
|"Life of PII: A Day in the Life of Your Personally Identifiable Information" - Alisha Kloc||Alisha Kloc is a security and privacy engineer at Google, where she protects users’ data from unauthorized access and misuse. Before Google she built security systems for several governments as a security engineer at Boeing. She is passionate about data security and user privacy, and believes that more openness around and sharing of corporate privacy policies, practices, and procedures will help companies and users develop a much stronger sense of, and appreciation for, data privacy and security.||As privacy issues move into public awareness, it’s important for consumers to understand what companies, governments, and other entities are doing with their private data. What really happens after you click “Submit”? How well-protected is your data? How do companies keep it safe — from unscrupulous data collectors, from overreaching governments, from malicious actors or just plain overly-curious employees? With Google as an example, take a look at the lifecycle of an average consumer’s PII, or personally identifiable information, from its entry into a website to its deletion from the site’s servers. Learn how private data is currently protected, and find out what you can do to safeguard your data and encourage more companies to implement strong data privacy protections.|
|"Opening Backdoors: The Importance of Backdoor Research" - Adam Caudill||Adam Caudill is an independent security researcher and software developer with more than 15 years of experience. He primarily focuses on application security, secure communications, and cryptography, though also works with hardware, embedded systems, and related technologies. His research and writing have been cited by media outlets and publications around the world. Active blogger, open source contributor, and advocate for user privacy and protection. Adam is also the founder of the Underhanded Crypto Contest.||The world of security research is fraught with ethical dilemmas, and open research on how to backdoor and subvert systems certainly brings its fair share. Releasing code for an intentionally flawed encryption implementation or a design for a system that appears to be secure, but in fact allows an attacker to easily recover secret data - this pushes the limits of doing more harm than good, yet is critically important for defenders. Without solid research into how systems could be effectively and efficiently backdoored, defenders quickly fall behind, giving clever attackers a strong upper hand. Defenders, those charged with reviewing code and designs, may be able to easily detect the cliched sending of emails with credit card numbers, but how prepared are they for a better class of attacker? This talk seeks to cover both the need for the information gained, especially through events such as the Underhanded Crypto Contest, and the risks that it presents.|
|"How to Engineer a Cryptographic 'Front Door'" - Karl Koscher||Karl Koscher is a postdoctoral researcher at the University of California San Diego where he specializes in embedded systems security. In 2011, he and his collaborators were the first to demonstrate a complete remote compromise of a car over cellular, Bluetooth, and other channels. In addition to breaking systems, he also works on creating tools and technologies to enable developers to automatically find (and fix) potential security vulnerabilities in their embedded systems.||With technology companies embracing strong encryption, the US Government is now pushing for cryptographic “front doors” that would allow law enforcement to break encryption with a warrant. But is it even possible to build these “front doors” without introducing vulnerabilities that could be maliciously exploited? In this talk, I’ll sketch out a potential solution (and what I believe NSA/FBI wants to implement, based on their public statements) using public key cryptography, threshold secret sharing, and cryptographic hardware. I will also explain why “front doors” are still a bad and unworkable idea.|
|"Let's Talk about Let's Encrypt" - Bill Budington||William Budington is a Software Engineer at the EFF, where he works on Let's Encrypt as well as other technology projects. He's also a developer for SecureDrop, an anonymous document submission platform. As a crypto-enthusiast, he's taken part in the W3C Web Crypto Working Group and is excited to see the web grow as a platform for cryptographic applications. He loves hacker spaces and getting together with other techies to tinker, code, share, and build the technological commons.||Let's Encrypt is a new Certificate Authority. It will provide free X509 certificates in an automated way, with close to no deployment overhead. Currently, requesting and deploying X509 certificates is a tedious and costly process - both in terms of vendor and labor costs. Our studies show that it often takes between 1 and 3 hours to go through the entire process of setting up HTTPS on a webserver. Let's Encrypt will reduce that time to a matter of minutes for the initial setup, and mere seconds for renewals.|
|"Machine Learning and Manipulation" - Jennifer Helsby (redshiftzero)||Jennifer Helsby (@redshiftzero) is a researcher and scientist. She is currently a Data Science for Social Good fellow at the University of Chicago where she works on the application of data analysis and machine learning methods to problems with positive social impact. She also is a co-organizer of Cryptoparty Chicago, which teaches people about privacy issues and digital security practices. Before that, she completed a Ph.D. in Astrophysics at the Kavli Institute for Cosmological Physics at the University of Chicago where she did theoretical and computational work studying the large scale distribution of galaxies in the universe.||The wealth of data available in the modern age has enabled the use of machine learning methods and other data science methods in a range of new areas. Current applications include ranking items in social media feeds, optimizing advertisements, and surveillance and predictive policing by government and law enforcement. This talk will discuss some of the potential ethical and privacy issues associated with the widespread use of machine learning algorithms. Most suffer from a lack of transparency in their design and operation. Mass social engineering is feasible through the use of individualized messages crafted by adaptive algorithms. Subtle manipulation would be very difficult to detect by individuals but can have significant social impact. In addition, biases in input datasets used for training algorithms treated as impartial can systematize discrimination against certain populations. Faced with these challenges, some potential avenues for ameliorating these problems will be discussed, both in terms of policy and technology. As a community, we need to better understand and monitor the role of these methods in society in order to ensure that we build and support systems that are resistant to misuse.|
|"Beginner Crypto for Application Developers" - Justin Engler||Justin breaks into programs for a living. This includes both private and publicly-released work on open and closed source messaging and privacy applications. Justin has been breaking into programs for a living for 5 years, and has been doing IT and security work for over 10 years. He has previously spoken at DEFCON, Toorcon, Black Hat, and several regional conferences.||Are you a software application developer who wants to add secure storage or communication to your application, but you have no idea where to start? This talk will quickly lay out the basics of how to add crypto to your application in a straightforward manner. No math, no cryptonerd technobabble, just simple practical techniques to use and pitfalls to avoid.|
|"Breaking RSA - new cryptography for a post-quantum world" - Jennifer Katherine Fernick||Jennifer Katherine Fernick is a security researcher and PhD candidate in Cryptography & Quantum Information at the Institute for Quantum Computing at the University of Waterloo. Her research involves cryptology and quantum computation - specifically, in looking for cryptographic algorithms that will be resistant to cryptanalytic attacks from adversaries with access to quantum computers. She is a founding member of the European Telecommunications Standards Institute's industry specification group on Quantum-Safe Cryptography, which aims to find and standardize quantum-resistant alternatives to our current cryptographic infrastructure. Previously, she has studied for a Master of Engineering in Systems Design Engineering and holds a BSc in Cognitive Science & Artificial Intelligence.||As we move into a new paradigm of computation, almost all of our assumptions about the security of our current cryptosystems are wrong. Large-scale quantum computers are known to be able to execute algorithms capable of efficient factoring and discrete logarithm computations. Unfortunately, most of the public-key cryptography widely used on the Internet today - including RSA and Elliptic Curve Cryptography - is based on the presumed hardness of these exact problems. In this talk, I introduce quantum computation and the practical realities it will have on popular cryptosystems - both technically, as well as from the perspective of a variety of use cases. From here, I introduce the new mathematics we're currently building to replace RSA in a post-quantum world, and the entirely new cryptanalytic tools we'll need to use to construct it.|
|"Should we trust crypto frameworks? A story about CVE-2015-2141." - Anton Karpov||Anton has worked in the information security industry since 2000. He began his career as a Penetration Tester and ISO 27002 Auditor in security consultancy and later became one of the first Certified PCI DSS Auditors in Russia. In 2009 Anton joined the Global Information Security team at Barclays Bank, where he was a member of the Security Assessment and Penetration Testing teams. Anton joined Yandex in 2011 as Chief Information Security Officer, where he built and now manages the Information Security Department.||The presentation will cover details of a bug (CVE-2015-2141) I found in the Rabin-Williams (RW) digital signature system implementation in the well-known Crypto++ (http://cryptopp.com) framework. The bug is a misuse of the "blinding" technique that should prevent timing attacks but results in an ability to recover a private key having only two signatures of one message.|
|"Where are the privacy-preserving services for the masses?" - Hadi Asghari||Hadi Asghari is an assistant professor at Delft University of Technology in the Netherlands and a visiting fellow at Princeton's Center for Information Technology Policy (CITP) starting this fall. His research focuses on the economics of cybersecurity and online privacy. Prior to moving to the Netherlands, he worked as a software and network engineer in Iran.||We seldom see incremental trade-offs offered between privacy and other qualities in online services. Many markets are dominated by large firms offering services for "free" and in exchange for personal data. There are less popular offerings in the other extreme, providing privacy and anonymity in exchange for lower performance and convenience. Offerings in between the two extremes are not common, despite post-Snowden surveys showing that a third of consumers find privacy very important. The absence of services to fill this market gap is puzzling. I hypothesize that a number of fundamental economic reasons make it hard for commercial, privacy-enhanced services to compete with the two extremes on scale. These include: difficulty in trusting privacy claims, the usefulness of data in designing and securing services, network effects, and the high value of targeted ads. In economic terms these induce market failures and, if proven, have regulatory consequences, for instance with regard to competition law. I am embarking on new research in this area, and would like to present the idea to privacy enthusiasts, coders, and entrepreneurs producing privacy-preserving services to receive input for my research.|
|"Breaking CBC, or Randomness Never Was Happiness" - Dr. Albert H. Carlson (ECCSmith) & Patrick Doherty||Dr. Albert Carlson began his hacking career soon after he began taking programming courses in High School in Chicago in 1975. Upon completion of his BSCompEng degree from the University of Illinois at Urbana in 1981, he joined the US Army as a Military Intelligence Officer specializing in Electronic Warfare and Cryptography. Retiring due to injury, he then began a 25-year career in engineering that included work in consumer, military, and designing utility substation security systems.
Dr. Carlson returned to school at the University of Idaho in 2002. There he completed his Master’s degree and PhD, both in Computer Science and specializing in Advanced Set Theory and Cryptography. His dissertation, accepted in June of 2012, had as its subject: applying Set Theoretic Estimation to decryption.
In 2013 Dr. Carlson joined the faculty of Fontbonne University on the staff of the Math and Computer Science department. His research team studies the use of patterns in natural language and how they relate to set and information based attacks on ciphers. Dr. Carlson’s research interests include: cryptography, set theoretic estimation, natural language, patterns in language, physical security, critical infrastructure protection, and hardware security.
Patrick Doherty is a senior at Fontbonne University and will graduate in December of 2015. He is majoring in Computer Science and plans on earning a graduate degree in the same field. He is the project manager for the research team.
|Hiding patterns in encrypted messages to make the transmission look like random symbols is the goal of cryptography. However, all ciphers do not completely disguise those patterns, making decryption possible. In response to this problem, modes were introduced to break up patterns and to increase the “randomness” of an encrypted message. In the case of Cipher Block Chaining mode (CBC) the randomizing material is the cipher text from the preceding block. CBC uses a “feed forward” algorithm and a regular structure that provides attackable data. In fact, there is so much information in the structure and associated data that CBC wrapped around ANY cipher can be efficiently broken.
We show that by using the blocks of the CBC algorithm both linear and non-linear encryptions using CBC can be broken. Further, we show that no linear cipher (such as a permutation or XOR cipher) is safe when used in conjunction with the mode and that non-linear ciphers (such as AES) are also vulnerable. We use the Birthday Paradox to predict how much data is needed to allow for decryption. This talk will demonstrate the break and show the mathematical background of the attack.
|"WORKSHOP: How Do I Tails? A Beginner's Guide to Anonymous Computing" - Forrest (Forbo)||Forbo is a penetration tester with a background in network and systems administration. An EFF member and volunteer, he helped people to learn about privacy protecting technologies at last year's Crypto & Privacy Village. When he's not protesting the NSA's mass surveillance, he pretends to be a DJ mixing bumpity-bumpity-boom computer music, particularly trance, breaks, and drum & bass.||Tails is The Amnesic Incognito Live System. Think of it as 'private browsing on steroids'. It is a fully bootable Debian-based distro that is designed from the ground up to protect your anonymity and privacy. All traffic is routed through Tor by default. In addition to many basic applications, it includes utilities designed to prevent information leaks.
It is used by whistleblowers, journalists & their sources, political activists living under oppressive regimes, victims of domestic abuse and many more. Edward Snowden, Glenn Greenwald and Laura Poitras all used it throughout the process of bringing the NSA's overreach to light, and continue to use it today.
In this workshop, we will be covering more fully what Tails is, what it is used for, how to get your own copy up & going, as well as special considerations to take when it comes to operational security. Step-by-step instructions for creating your own bootable copy will be provided for your convenience.
|"What is Bitcoin Tumbling and why do it?" - Sean Thomas Jones||Sean Thomas Jones is an accomplished information security professional and father of three. He has many years of experience securing and defending networks and hardening applications by using best practices, tools and technologies. Sean recently won the World Championship Title Belt in Spaghetti Monster Wrestling by defeating his children in the royal rumble. Along with this Championship, Sean also holds the SANS/GIAC Incident Handler, Intrusion Analysis and Web Application Penetration Tester Certifications along with the ITIL Foundation Certification. He practices his craft as a Cyber Crime Researcher at AlertLogic in Texas, which is affectionately called "GOD's Country" or the "Lone Star State" and owes his success to his wonderful and patient wife.||Bitcoin and other crypto-currencies have become a very big deal since its inception in January 2009 when the very first transaction was recorded to the blockchain. Since this time multiple other crypto-currencies have come into existence, an entire crypto-currency market has been created and the technology is making waves in the overall economy.
As with all technology it can be used for good or bad and Bitcoin is no different. The technology has grown in popularity and many people desire to use it in a secure, anonymous manner that would make it difficult to identify them. One option would be the use of a Bitcoin Tumbler. This tool was created because every Bitcoin transaction is written to a public ledger called the blockchain. Anyone can track Bitcoins as they are transferred between addresses.
When used properly the process of tumbling Bitcoin may increase your chances of remaining anonymous. This tool is useful to people looking to maintain their privacy, those who may be in restrictive countries or someone looking to make a purchase without it being tracked back to them. It also may be used to launder stolen Bitcoins, make illegal purchases or avoid leaving the paper trail found with traditional currencies.
|"The design and implementation of a white-listed, end to end encrypted status application" - David Dahl||David Dahl is the director of the Crypton project at SpiderOak. Crypton is an end-to-end encrypted application framework for mobile and desktop applications. In a previous life, David was a Senior Privacy Engineer at Mozilla Corporation where he helped edit the W3C Web Crypto API specification and created the Web Console in Firefox. Before this episode, he was a Software Engineer at Industrial Light & Magic working on the artists' knowledge base. He hacks on Zero-Knowledge software in his bunker somewhere in the Middle-West.||The design and implementation of a white-listed, end to end encrypted status application, or how we can have nice (private social network) things. The general line about privacy and social networking goes like this: "You can either have an easy to use and very social system with ads and data-mining or you can use GPG and like it". While there are many technical hurdles to overcome, the burden for a designer of a "private Twitter" or "private Facebook Wall" lies chiefly with user experience that rises above that of all of the difficult to use privacy tools we depend on today. In this talk, the code, frameworks, data structures, database queries and front-end UX will be examined, discussed and demoed in a working "Twitter-like" status update application.|
|"The Death of Privacy" - Stealth||Involved in computers since the dark ages (before WWW). The first computer I hacked was an IBM 1130 mainframe. Designed and built my first personal computer running CPM on a Z80 in the late 70s. Built large scale WANs for Fortune 500 companies during the 80s. Developed eCommerce sites and managed web developers during the 90s. Since 2000 I have been an Information security and computer forensics expert and have acquired a lifetime of experience to share in many aspects of the tech industry. A Defcon goon for 22 years and longtime privacy advocate.||How did we let it get this bad and what you can do to get some of yours back.
Over the years our individual freedoms and personal privacy rights have steadily been eroded. But it is not just the fault of the government or the NSA. Many of our own choices and changes in cultural norms have helped make this happen. In this talk I will explore how things got out of hand and why. While it may be too late to go back to that age of innocence, we can face the future better informed and prepared to protect our security and reclaim our rights to personal privacy.
|"CrypTag: Building Encrypted, Taggable, Searchable Zero-knowledge Systems" - Steven Phillips||Steven Phillips is a Philosopher and computer programmer. He studied Philosophy and mathematics at UC Santa Barbara before co-founding the cleverly-named Santa Barbara Hackerspace in 2010. In 2012, after heeding the warnings of Jacob Appelbaum and Julian Assange of an ever-growing surveillance state, he co-founded The Cloak Project ("TCP" for short) with AJ Bahnken. TCP has since produced the secure chat programs LanChat and Cloakcast, as well as cryptographic utility libraries written in the Go programming language.
Steven is passionate about human Greatness, social justice, democratizing forces, and revolutionary projects.
|Internet users should be able to access their data from anywhere without having to trust the web applications and cloud services storing that data.
But there's a problem. Zero-knowledge storage systems are often impractical for web apps because they can't perform often-essential functionality on behalf of the user, such as search, since they don't have the password to decrypt that data in order to search it, and you can't search encrypted data. Or can you?
This presentation introduces CrypTag, a library that enables Go programmers to easily build applications that store encrypted user data that users can tag and securely, efficiently, remotely search by those tags without revealing anything about the nature of said data to the party storing it. That is, CrypTag is a library for easily creating encrypted, taggable, searchable zero-knowledge systems.
This talk covers the tricks behind how CrypTag works, the pros and cons of using CrypTag versus alternatives, includes a live demo of a useful open source CrypTag-based program, and is suitable for anyone who knows what a server is and is excited about leveraging encryption to help everyday users and geeks alike.
|"Making Email Dark" - Ladar Levison & Fred Nixon||Ladar Levison is the Owner and Operator of Lavabit, LLC, an email service founded in 2004 (and originally named Nerdshack). Lavabit has always been focused on protecting the privacy of its users' communications. Levison created Lavabit because he believes that privacy is a fundamental, inalienable right, and a prerequisite for a functioning, free and fair democratic society. This led Lavabit to reach, at its peak, over 410,000 users. Then, on August 8, 2013, and in response to a court decision which required Lavabit to surrender its TLS private key, Levison made the bold decision to suspend operations, and refuse to remain silent, and "complicit in crimes against the American people." Since then Levison has been vigorously defending the right to speak freely, and privately on the Internet. As the principal force behind the Dark Mail Initiative, Levison has also been working on a technical solution for the problem of email privacy.
Fred Nixon is a developer, based in Atlanta, and working to implement the Dark Internet Mail Environment. Fred has worked for Mindspring, Earthlink, and General Electric in Research and Development, creating scalable, distributed systems for communications and core ISP services. He is an advocate for speech and privacy rights, and the technology to support those rights for everyone.
|This talk will focus on the Dark Internet Mail Environment (DIME), a standards-based, collaborative effort to create an elegant technical solution which is capable of protecting the privacy of email. DIME is focused on making the end-to-end encryption of email messages automatic, provides for message confidentiality, author verification, and minimizes the leakage of metadata. The DIME standards dramatically reduce the amount of trust individual users must place in service providers. The new standards, which we hope will someday succeed OpenPGP, have been designed to resist manipulation by advanced persistent threats. During this short presentation, we will provide a compressed discussion of the DIME standards, followed by a project update, where we hope to showcase the DIME implementation effort.|
|"STDs are the least of your worries when Cyber Cancer Prognosis is imminent" - Chris Brown (BigBiz)||Mr. Brown has been an Info/Cyber Security Instructor since 2004 and in the IT business since 1997. Currently traveling and teaching as a Sr. Technical Instructor for FireEye, he has previously taught for ArcSight (Pre-HP acquisition), Dept of Army Europe, contract trained for Microsoft, HP, CompTIA and ISC2. Mr. Brown has also worked various Cyber Security Analyst and InfoSecurity positions for Northrop Grumman, Raytheon, DRS and a few other defense contractors. Mr. Brown has traveled extensively both on a domestic and international level and has seen the good, the bad and the ugly regarding a broad range of topics that relate to crypto, privacy, intrusion-problem set actors and detection & defense TTPs/SOPs that work and haven't worked.||Crypto and privacy are BIG concerns when dealing with any type of threat but when dealing with STDs (we refuse to acknowledge APT - anyone who mentions advanced persistent threats shall be thrown out of the talk ;>)|
|"Protecting global email - status & the road ahead" - Per Thorsheim||Above average interested in Passwords. The guy who has convinced the Norwegian government to recommend (& soon standardize) the use of RFC 3207 STARTTLS, as the first country in the world to do so.||In the spring of 2014 starttls.info was launched. A simple service to measure and grade the RFC 3207 STARTTLS support of the mailservers for any given domain, it was quickly embraced by ACLU and EFF. Used as a reference site, major service providers around the world were persuaded very quickly to implement support for RFC 3207.
This talk will summarize the history & current status of worldwide RFC 3207 adoption. It will also look at upcoming solutions that will further enhance the security of email and keep the bad guys from unlawfully intercepting & monitoring your private communication.
|"Engineering Responsible Data Governance - A Privacy by Design Primer" - Steven F. Fox||Steven F. Fox is an infosec polymath – bringing a cross-disciplinary, international perspective to the practice of information security; combining his security architecture/engineering, consulting, IT audit and systems engineering expertise with principles from behavioral/organizational psychology to address security challenges. He is a blogger covering IT Governance, Risk Management and IT-Business fusion topics. He also volunteers his time to the Ponemon Institute and Circle City Con.||The data “gate keepers” – companies that gather and process data using technologies ranging from mobile/wearable devices to Big Data – have the opportunity to be the guardians of privacy. This role can be realized only through the work of practitioners that can design for data security and privacy. While RSA Conference sparked the vision in the minds of management, this session calls upon the DefCon community to make it happen.
This talk uses case studies to explore Privacy by Design (PbD), a systems engineering approach that accounts for privacy throughout a lifecycle. Attendees will learn how to apply the seven principles of PbD to account for privacy concerns while delivering on a system’s business requirements. They will also learn how to become trusted advisors to organizations working to integrate PbD into their development programs.
|"Modern Crypto: 15 Years of Advancement in Cryptography" - Steve Weis||Steve Weis is a software engineer at Facebook, where he most recently helped release support for PGP. Previously, Steve was co-founder & CTO of PrivateCore, a security startup acquired by Facebook in 2014. In the past, Steve was a technical director at AppDirect and a member of the applied security group at Google.
While at Google, Steve created Google 2-step verification and the Keyczar cryptographic library. Steve received a PhD in computer science from MIT where he was advised by Ron Rivest. Steve's interests include cryptography, security, theoretical computer science, and entrepreneurship.
|This talk presents a general introduction to some of the most interesting developments in cryptography from 2000 onward. We'll present a high-level explanation of recent crypto developments, what applications they may enable, and how they may become more important in the coming years.
Topics may include modern elliptic curves, pairing-based cryptography, fully homomorphic cryptography, functional cryptography, obfuscation, and post-quantum cryptography.
|"CFSSL: the evolution of a PKI toolkit" - Nick Sullivan||Nick Sullivan is a cryptography and security enthusiast. He founded and built the security team at CloudFlare, one of the world's leading web security companies. He is a digital rights management pioneer in his work building Apple’s multi-billion dollar iTunes store. He holds an MSc in Cryptography and a BMath in Pure Mathematics.||In July 2014, CloudFlare released CFSSL, an open source toolkit for TLS and PKI written in Go. CFSSL can be used as a lightweight certificate authority (CA), a certificate chain bundler--and now--a TLS configuration scanner. One year later, CloudFlare is excited to announce CFSSL 1.1 and cfssl.org, the home on the web for the CFSSL development team. This presentation will cover the challenges of the project and how it evolved from an internal tool for CloudFlare's Railgun product into a software library used by several high-profile organizations including the "Let's Encrypt" project.|
|"IMSI Catcher Counter-Surveillance" - Freddy Martinez||Freddy studied graduate-level physics and now works as a Linux SysAdmin. His current focus is on privacy/digital rights, free and open source projects, and FOIA work including multiple lawsuits against the City of Chicago.||This talk will address how activists can detect IMSI Catchers around political protests and how to do some practical counter-surveillance. We will very briefly discuss the capabilities of IMSI catchers and then launch into a discussion about detection and evasion. In the talk we will describe practical (cheap / off the shelf) solutions that we have actually used in various scenarios. Lastly we will describe future work in this area.|
|"Hacking Quantum Cryptography" - Marina (bt3)||Marina is an information security engineer at Yelp, in San Francisco. She finished her PhD in Physics last year, at the University of Stony Brook in New York. During graduate school she researched theoretical and computational Physics at several national laboratories, such as NASA Goddard Space Center, Los Alamos National Laboratory, and Brookhaven National Laboratory. She is an avid CTF player and her first computer was a 386, when she was 5 years old.||Alice and Bob’s quest through the fascinating quantum mechanics world as a way to avoid archvillainess Eve eavesdropping. In 1994, Peter Shor showed that many of the cryptosystems used today can be broken using a quantum computer. This idea will be explained together with a short overview of qubit systems. Next, we will see how quantum computing gives rise to the possibility of quantum key distribution with unparalleled security. We will end with a brief discussion on post-quantum cryptography concepts.|
|"Teaching Privacy Using Red Team Strategies: An Undergraduate General Education Curriculum" - Robert Olson (nerdprof)||Robert Olson is currently an instructor in the Department of Computer and Information Sciences at the State University of New York at Fredonia, where he teaches courses in security, data mining, and programming. He holds two graduate degrees in Interdisciplinary Studies (Cognitive Science) and Management Information Systems as well as several professional certifications. He has spoken at the Def Con 22 Crypto / Privacy Village, BSides Rochester, and several academic conferences. Most recently, his research has been focused on designing penetration testing agents and exploring new ideas in privacy protecting network protocols.||Privacy is a very important concept that, unfortunately, many undergraduate students don’t encounter frequently in their chosen courses of study. Often, when it is discussed, it’s discussed using a deeply philosophical approach to which students may have a difficult time connecting. This approach also often fails to connect privacy with many of the important technical nuances that can have a significant impact on modern privacy debates.
This talk will discuss an alternative approach used in a Spring 2015 undergraduate general education course titled Hacking, Surveillance, and Privacy. The goal of this class was to take a technical approach to teaching privacy concepts in order to ensure students would understand the technical details of modern privacy debates in addition to the philosophical concepts.
Students were given hands-on experiences with penetration testing tools so that they might better understand how computer security impacts privacy while seeing first-hand how their privacy might be violated. Students were exposed to data-mining techniques so that they might understand the privacy implications of large-scale data collection. Finally, students were exposed to privacy tools so that they might understand the challenges in protecting one’s privacy against modern threats.
|"Skip, Freak, and Logjam: Moving past a legacy of weakness in TLS" - Karthikeyan Bhargavan||Karthik is a researcher at INRIA, the French national lab for computer science. He is based in Paris where he leads a team called Prosecco (“programming securely with cryptography”) and is the principal investigator of an ERC starting grant on provably secure implementations of cryptographic protocols. Karthik and his colleagues develop new programming languages like F* (fstar-lang.org) and use them to build and verify protocols like TLS (milts.org).
Along the way, they sometimes find and disclose implementation bugs and protocol flaws like Triple Handshake (secure-resumption.com), FREAK (smacktls.com), and Logjam (weakdh.org). Partly as a consequence of these attacks, and partly motivated by stronger security theorems for the web, Karthik is loosely involved with the TLS working group in the design of TLS 1.3. Karthik was trained at IIT New Delhi and the University of Pennsylvania. Before coming to Paris in 2009, he worked as a researcher at Microsoft Research in Cambridge, England for several years.
|The Transport Layer Security (TLS) protocol suffers from legacy bloat: after 20 years of evolution, it features many versions, extensions, and ciphersuites, some of which are obsolete and known to be insecure. Implementations and deployments of TLS deal with this complexity by implementing composite state machines that allow new and old features to coexist for interoperability, while waiting for deprecated features to be disabled over time. Getting this composition right is tricky, and any flaw can result in a serious attack that bypasses the expected security of TLS.
This talk will discuss three recent vulnerabilities discovered in our group: SKIP uses state machine flaws in Oracle’s JSSE to hijack TLS connections between a Java client and any web server; FREAK uses legacy support for export-grade RSA cipher suites to break into connections between mainstream browsers and 25% of the web; Logjam exploits a protocol flaw to confuse DHE key exchanges into using export-grade Diffie-Hellman groups. These attacks rely on a combination of protocol-level weaknesses, implementation bugs, and weak cryptography. The talk will advocate principled methods to avoid such weaknesses in the future, such as software verification and new robust designs for new protocols like TLS 1.3.