Talks

ABSTRACT
The FBI ran an encrypted app called Anom, intercepting all of its messages. The operation ended in the arrest of hundreds of criminals. But what happens now? Are apps that we all use, like Signal, under threat too? This talk will give a blistering dive into what the app was, how it worked, and what it means for all of our privacy now.

BIO
Joseph is the author of DARK WIRE, which tells the inside story of how the FBI secretly launched it's own encrypted messaging app to wiretap the world

ABSTRACT
Differential privacy (DP) has been hailed as the gold standard of privacy-preserving data analysis, by providing strong privacy guarantees while still enabling use of potentially sensitive data. Formally, DP gives a mathematically rigorous worst-case bound on the maximum amount of information that can be learned about an individual's data from the output of a computation. In the past two decades, the privacy community has developed DP algorithms that satisfy this privacy guarantee and allow for accurate data analysis for a wide variety of computational problems and application domains. We have also begun to see a number of high-profile deployments of DP systems in practice, both at large technology companies and government entities. Despite the promise and success of DP thus far, there are a number of critical challenges left to be addressed before DP can be easily deployed in practice, including: mapping the mathematical privacy guarantees onto protection against real-world threats, developing explanations of its guarantees and tradeoffs for non-technical users, integration with other privacy & security tools, preventing misuse, and more.

BIO
Dr. Rachel Cummings is an Associate Professor of Industrial Engineering and Operations Research and (by courtesy) Computer Science at Columbia University, where she is also a member of the Data Science Institute and co-chairs the Cybersecurity Research Center. She is also a Fellow at the Center for Democracy & Technology. Before joining Columbia, she was an Assistant Professor of Industrial and Systems Engineering and (by courtesy) Computer Science at the Georgia Institute of Technology, and she previously received her Ph.D. in Computing and Mathematical Sciences at the California Institute of Technology. Her research interests lie primarily in data privacy, with connections to machine learning, algorithmic economics, optimization, statistics, and public policy. Dr. Cummings is the recipient of numerous awards including an NSF CAREER award, a DARPA Young Faculty Award, a DARPA Director's Fellowship, an Early Career Impact Award, multiple industry research awards, a Provost’s Teaching Award, two doctoral dissertation awards, and Best Paper Awards at DISC 2014, CCS 2021, and SaTML 2023. Dr. Cummings also serves on the ACM U.S. Technology Policy Committee, the IEEE Standards Association, and the Future of Privacy Forum's Advisory Board.

ABSTRACT
Building an AI product for the everyday person is challenging - doing it in a privacy focused way is nearly impossible without support from the right people. I'll walk through the techniques we're using at Rabbit to secure customer data and provide people a choice as to where their data goes.

We'll cover the pipelines that
- Collect and Manage customer identity after they login to a site
- Log, Anonymize, and Process customer voice interactions
- Provide "just in time" access to customer data for personalized RAG-like models

As a community, I think we're well within our rights to demand control over the data we provide to companies. This talk aims to provide engineers with a list of ideas on "what right could look like", and general attendees a list of things that are possible, so they know its ok to ask for them. 

BIO
Matt Domko is the Head of Security at a (in)famous AI Walkie Talkie Manufacturer. Ex-This, Ex-That, he spends most of his free time tinkering with his lasercutter or 3d printers. 

ABSTRACT
There are many famous codes and ciphers still waiting to be solved, such as the encrypted Voynich manuscript and Edward Elgar's Dorabella cipher. All hold a special fascination. In this talk, prepare to be entertained and informed by Elonka Dunin and Klaus Schmeh, as we briefly discuss the encryption on Kryptos, the mysterious sculpture at the center of CIA Headquarters; NKrypt, an encrypted sculpture in Australia; an encrypted engraving on an early 20th century German silver cigarette case; details about the message attached to the leg of a WWII carrier pigeon that was found in an English chimney; an encrypted postcard by the owner of UK's Luton soccer team; and the intriguing encrypted messages created by the mysterious Henry Debosnys while awaiting his murder trial in New York in the late 1800s. 

BIO
Elonka Dunin is a crypto expert and co-leader of a group that is working to crack the final cipher on the Kryptos sculpture at CIA Headquarters. She maintains a website of the World’s most famous unsolved codes, and bestselling author Dan Brown named his character “Nola Kaye”, a scrambled form of “Elonka”, in his novel The Lost Symbol, after her.

Elonka was a member of the Board of Directors for the National Cryptologic Museum Foundation and General Manager and Executive Producer at Simutronics, making award-winning online and mobile games.

With Klaus she co-wrote the book “Codebreaking: A Practical Guide” (2020/2023)

Klaus Schmeh has written 15 books (mostly in German) about cryptography, as well as over 250 articles, 25 scientific papers, and 1500 blog posts. Klaus’s main fields of interest are codebreaking and the history of encryption.

Klaus is a popular speaker, known for his entertaining presentation style involving self-drawn cartoons, self-composed songs, and Lego models. He has lectured at hundreds of conferences, including the NSA Crypto History Symposium, DEF CON, and the RSA Conference. In his day job, Klaus works as a crypto expert for the global IT security company Eviden. 

ABSTRACT
As our social lives are highly intertwined with our online lives, people share a lot of information and create pictures and content that needs to be secured. In this talk I cover obscenity laws, revenge porn (non-consensual distribution of intimate images), stalking, catfishing and sextortion and how people can prevent information being leaked as well as how to recover from it.

BIO
ET is a cybersecurity professional who cares about digital privacy. They have helped people who have been affected by revenge pornography and help them put together a plan of action. I like to volunteer, I help with BSides Orlando, DEATHCon and DC407. 

ABSTRACT (9 August)
Welcome to the Gold Bug at the 11th annual Crypto & Privacy Village! This opening talk compliments the Gold Bug: Puzzle Panel on Day 2.

ABSTRACT (10 August)
Welcome to Day 2 of the Gold Bug at the 11th annual Crypto & Privacy Village! Join the Gold Bug Team for the latest updates, panel-exclusive hints, and more. This panel compliments the Gold Bug: Welcome on Day 1.

BIO
The Gold Bug Team 2024 at the Crypto & Privacy Village: 0xCryptok, tseven, llamaprincess, pleoxconfusa, Pascal-0x90, Delta_JRM, are the beloved puzzle-makers within Crypto & Privacy Village. We make a special effort to include accessible puzzles at all skill levels. It is our hope that anyone, from new puzzlers (even kids!) to seasoned puzzle hunters, can participate in and enjoy this contest.

The GoldBug team also runs Crypto & Privacy Village's Junior Cryptography at DC NextGen.

ABSTRACT
Data brokers, and in particular people-search sites, are a headache for those of us trying to keep our addresses off the internet… and an absolute nightmare for people who are targeted due to their identity, profession, or political beliefs. In this talk, I’ll present the results of a collaborative research project by Tall Poppy and Consumer Reports that evaluates paid people-search removal services. I’ll also discuss how data brokers harm people, what you can do to protect yourself, why it’s so difficult, and what we can do as individuals and at a policy/advocacy level to solve this pernicious privacy problem.

BIO
Yael Grauer is an investigative tech reporter. She currently works at Consumer Reports managing Security Planner, an easy-to-use guide to staying safer online. Yael has over a decade of experience covering privacy and security, digital freedom, hacking, and mass surveillance for various tech publications and has extensively researched the privacy and security (or lack thereof) of VPNs, street-level surveillance, and more. She’s been maintaining the Big Ass Data Broker Opt-Out List since 2017.

ABSTRACT
Expedient Digital Defense focuses on using free and readily available applications, or recommending paid-for commercial apps and tools that have proven records of credibility, to make our devices and online presence less harmful to us. We will follow a typical traveler in the United States, with some experiences drawn from overseas travel.

The talk stresses the value of Operational Security (OPSEC), and the mindset of seeing every piece of communication through the eyes of your adversary. The intent is to make people think twice before revealing anything considered sensitive, even if using the latest and greatest encryption. The surveillance economy and ever-present data collection in our modern world demand better awareness of how our digital world works. We’ll discuss examples like invasive social media collection, foreign influence on public perception, data insecurity putting users in danger, and advertising models based on location and click tracking.

Finally, the take-away is knowing the tools and tech available, and being able to select those which fit your needs, if at all. Most of the time, one mitigation isn't enough, and several need to be emplaced to achieve proper defense in depth, in case one solution fails. Even if no technical solutions are put in place, the user will have that "red team" mindset and awareness that calibrates better judgment over technical solutions, and promotes OPSEC and rational thinking for security rather than blindly depending on apps and gadgets. 

BIO
Grey Fox, the callsign assigned to him by a DHS colleague, recently retired from the U.S. military after 20 years of service as an intelligence analyst, language analyst, digital network intelligence targeter, cyberspace mission leader, and digital defense education program leader. Having deployed eight times supporting front line combat teams, his experience ranges from offensive cyberspace operations planning and execution to military information support operations. Along the way, Grey Fox acquired multiple creds, including GCTI, GASF, GAWN, and CWNA. He currently instructs Digital OPSEC at the U.S. Army Security Cooperation Officer course and the U.S. Air Force Research Lab, as well as SDR foundations and Wi-Fi hacking at the U.S. Army Signal School. 

ABSTRACT
On February 25, 1998, hip-hop group the Wu-Tang Clan made Grammy history… for all the wrong reasons. After losing in the Rap Album of the Year category, Wu-Tang member ODB stormed the stage, interrupting an acceptance speech to declare the now infamous phrase “Wu-Tang is for the children.” Anyone who has heard a song from Wu-Tang knows that despite ODB’s insistence, it is certainly not true. It appears that States may be taking this same approach when it comes to children's privacy and safety online. Despite these laws being for the protection of children, they often raise other unintended consequences. State legislatures around the country are debating new laws to protect children online. This year, Tennessee, Maryland, Virginia, Georgia, Utah, and Florida have passed legislation focused on children's privacy, usually through restrictions on social media use. While privacy advocates have championed these laws, they have been met with criticism and, in some instances, legal challenges. This is because in order to implement laws that apply to kids online, companies have to identify which users are kids—which requires the collection of sensitive personal information. Along with this privacy tension, there are First Amendment protection concerns that these laws limit online speech. This presentation will explore how youth privacy laws may not be protecting children in the ways that we hope by first discussing the attempts made by states to address youth privacy. Then, analyzing the unintended privacy consequences, focusing on how states are required to collect sensitive information that we are often trying to protect. Next, we will examine the First Amendment concerns using the example of the challenges to California’s Age Appropriate Design Code Act before finally discussing a path forward to protecting children. 

BIO
Anthony Hendricks is a legal problem solver and litigator at Crowe & Dunlevy, one of Oklahoma’s largest and oldest firms. At Crowe & Dunlevy, Anthony serves as founder and chair of the firm’s Cybersecurity and Data Privacy Practice Group. His legal practice focuses on data privacy compliance, regulatory enforcement and permitting, and other “bet-the-company” suits in the areas of cybersecurity, privacy, and other complex business litigation. Anthony is an adjunct professor who teaches Cybersecurity Law and Information Privacy courses at Oklahoma City University School of Law. He also hosts “Nothing About You Says Computer Technology,” a podcast on cybersecurity and data privacy viewed through the lens of diverse voices. Anthony has been nationally recognized for his legal skills. He has been selected as a member of the Lawyers of Color Hot List, a 40 under 40 attorney by the National Association of Black Lawyers, Oklahoma Magazine 40 under 40, and the Journal Record 40 under 40, and is listed by both Super Lawyers Magazine and Best Lawyers. Anthony is a former cybersecurity policy fellow in New America’s Cybersecurity Initiative. To learn more about Anthony’s current projects, upcoming speaking events or listen to the latest episodes of his podcast, visit www.anthonyjhendricks.com

ABSTRACT
I recently googled the meaning of “encryption” and found this definition on Wikipedia: “In cryptography, encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext.” Um…no, encoding produces code, enciphering produces ciphertext, encryption is more than just encoding, and so on. Given the jumbling together of historically very unique and significant terminology I set out to find the actual, historical definitions and try to find a way to teach and/or demonstrate the differences in the foundational forms of cryptography. But I quickly noticed that some of this terminology is so often mis-applied in our digital age that I wondered if maybe there has been an evolution of the meanings of these terms? I might not like it, but I’m open to that possibility. This very quickly led me to the conclusion that my research on this topic would make for an interesting talk and so here we are. I want to share the classical, historical forms of cryptography, discuss the etymology of the terminology, look at how the words apply today – and help the audience decide if the actual meanings even matter (or it’s just me). One important consideration is the tradeoff between keeping the data secret (security) and protecting the identity of individuals associated with the data (privacy). I hope you’ll join me in this journey to victory (or defeat) in the ongoing battle of preserving the classic goals and objectives of data security.

BIO
Jeff is a respected Information Security advocate, advisor, hacker, evangelist, mentor, teacher, international keynoter, speaker, former host of Security & Compliance Weekly, co-host on Paul's Security Weekly, Tribe of Hackers (TOH) contributor, including Red Team, Security Leaders, and Blue Team editions, and a member of the Cabal of the Curmudgeons. Jeff has over 40 years of experience working in all aspects of computer, network, and information security, including cryptography, risk management, vulnerability analysis, compliance assessment, forensic analysis and penetration testing. Certified National Security Agency Cryptanalyst. Designed and fielded the first software-based cryptosystem ever produced by NSA. Inventor of the "whiz" wheel, a cryptologic cipher wheel used by US Special Forces for over a decade currently on display at the National Cryptologic Museum. Honorary lifetime member of the Special Forces Association. Previously held security research, management and product development roles with the National Security Agency, the DoD and private-sector enterprises. Pioneering member of the first penetration testing "red team" at NSA. For the past twenty-eight years has been a pen tester, security architect, consultant, QSA, and PCI SME, providing consulting and advisory services to many of the nation's best known companies. 

ABSTRACT
In 2021 we could get access to all personal bank accounts at the largest bank in Norway by using a single page paper form sent by snailmail. In addition to stealing all their money, we could also see all account transactions for the last 10 years, with details. In 2024 we have done the same thing to another bank. Why didn't the banks learn the first time?

In this talk we'll explain what we did, lessons learned and why paper ID still is relevant and important to us all. 

BIO
Cecilie works as a consultant within security, privacy & AI technologies. She is a recognized expert in software testing with a specialization in abusability testing. With over 10 years of experience in the IT industry, Cecilie has developed into an authority in identifying and evaluating potential abuse scenarios and security vulnerabilities in various software products.

Per is the founder & organizer of PasswordsCon. He revealed the Linkedin breach in 2012 & got heavily involved in the Ashley Madison breach in 2015. He is featured alongside Brian Krebs & Troy Hunt in the 3-part documentary "The Ashley Madison Affair" on Hulu. 

ABSTRACT
As the adoption of GenAI tools has soared, security has done little to keep up. New classes of data, and especially vector data, is flooding into new and untested data stores. Vector databases are getting copies of health data, financial data, HR data, emails, and everything else, but they have no intrinsic security. What's worse, the vectors themselves can be reversed in embedding inversion attacks that turn those vectors back into faces, sentences, and even pictures. We discuss these new attacks and a new branch of cryptography, vector encryption, which allows for privacy preserving searches to happen over the encrypted vectors. We'll discuss the benefits, trade-offs, and current state of the field and the open source software we've built to meet the new need.

BIO
Patrick Walsh has more than 20 years of experience building security products and enterprise SaaS solutions. Most recently he ran an Engineering division at Oracle, delivering features and business results to the world’s largest companies. Patrick now leads IronCore Labs, a data privacy platform that helps businesses gain control of their data and meet increasingly stringent data protection needs. 

ABSTRACT

Cross-movement organizing for bodily autonomy is in dire need of OPSEC assistance. Hackers working within these grassroots circles are beyond their bandwidth, hardly able to keep up. Incident response, crisis management, investigations OPSEC--these methodologies are in high demand--and unfortunately they're skills that are rarely methodically taught, especially in activist circles. They're privileged skills, requiring hours of studying and practice. Infosec certs seek to qualify that, right? Well we call bullshit.

The infosec cert industry is an unregulated, duct-taped attempt to verify who's skilled and who isn't; who's right for the job and who's not. Unfortunately for the world at large, these certs value the protection of corporate networks, rarely human ones. Humans are the practical assets of the infosec certification pipeline to continuous corporate protection. Their movements surveilled is the product. The lack of bodily autonomy, the disownership of one's one body, that's the consequence.

So we made a cert to flip that narrative; we made a program for people to become educated, skilled, and trained in the ways of spreading their learnings within their communities. We're training human rights defenders, abortion access orgs, trans advocacy orgs, sex worker rights activists. We're training firsthand the people who understand what it means to have agency of their own body criminalized by the state. We teach a blend of hands on skills with privacy technology, encryption fundamentals, OSINT skills. But we don't just stop at the tech stuff. We teach internet policy literacy, financial literacy and the privacy aspects of business licensing, navigating crisis from a somatic point of view. Other activists will attest to how crucial those skills are to be taught alongside the tech stuff. As far as we know, no other cert in the game is doing that.

We're setting people up to become digital security community organizers. They're out there flashing custom ROMs, running help desks, managing multilayered backup games for communities of dozens. They're hustling institutions, putting themselves inside the industries that led to criminalization creep like abortion bans. Digital security community organizers is what we need more of. So, this is cert is attempting to do that. Digital Security Community Organizer Certification, or DISCO cert for short, is a project by Digital Defense Fund and Hacking//Hustling, in collaboration from spring 2022 to spring 2023, and hopefully more into the future. At DEFCON we hope to not only reveal our process of thinking, our methodologies of teaching, but to also recruit other hackers to join these fights, to inspire further cross movement coordination. Let our liberation spread like a virus.

BIO

Blunt is a sex worker, community organizer, public health tech researcher and co-founder of Hacking//Hustling. She enjoys watching her community thrive and making men

Daly has too many hats. She's a technologist, hacker, educator, organizer, privacy and security consultant, writer, artist, and witch.

ABSTRACT

Last year a framework and tool for cryptographic attacks called cryptosploit was introduced. In this workshop we will demo the capabilities and the underlying philosophy as well as new commands. This will include the flexibility of mixing and matching attack code with oracles and new commands to import and export cryptographic keys. In particular, we will demonstrate how after a successful attack on a public key, we will be able to export the private key corresponding to the certificate.

BIO

Matt Cheung started developing his interest in cryptography during an internship in 2011. He worked on implementation of a secure multi-party protocol by adding elliptic curve support to an existing secure text pattern matching protocol. Implementation weaknesses were not a priority and this concerned Matt. This concern prompted him to learn about cryptographic attacks from Dan Boneh's crypto 1 course offered on Coursera and the Matasano/cryptopals challenges. From this experience he has given workshops at the Boston Application Security Conference, BSidesLV, DEF CON, and the Crypto and Privacy Village.

ABSTRACT

Decentralized identity systems based on W3C Decentralized Identifiers and Verifiable Credentials are becoming increasingly popular for their promises of improved security, privacy, and user control in identity management. Impactful deployments are coming: from the US DHS for worker authorization and soon passports, multiple DMVs for driver's licenses, the EU for university degree credentials, and much more in both public and private sectors. However, as with any technology, these systems are not immune to vulnerabilities and attacks, both on the ideologies of decentralization and self-sovereignty and vulnerabilities in implemented systems.

In this talk, we will examine different types of vulnerabilities in the SSI space, walk through examples of potential attacks, and discuss the potential consequences of the technology. Additionally, we will explore potential solutions to mitigate the risks associated with these vulnerabilities. We will discuss best practices for trust, cryptographic techniques, and security protocols that one can use in decentralized identity systems.

BIO

Gabe Cohen is an engineer and standards architect at Block. For the past five years, he has focused on developing and deploying Decentralized Identity and Verifiable Credentials Systems. He is focused on decentralization in practice and at scale to return data, privacy, and digital sovereignty to the world.

Brent Zundel is a principal cryptography engineer at Gen, where he is helping to architect solutions for digital identity capabilities that will fit alongside Gen’s Norton and Avast security products. He got his start working on consensus algorithms and token-design in the self-sovereign identity space at Evernym, with Sovrin and Hyperledger Indy. He believes strongly in the need to provide individuals with the ability to manage their own personal information and thinks ZKPs could play a critical role in accomplishing that.

Brent has also been deeply involved with efforts to standardize data models and protocols related to decentralized identity: at W3C where he chairs the Verifiable Credentials and Decentralized Identifiers Working Groups; at DIF where he serves on the Steering Committee, chairs the Applied Cryptography Working Group, and is an editor of the Presentation Exchange specification; and at IETF where he works on JSON Web Proofs, Selective-Disclosure JWTs, and the BBS cryptosuite.

Outside of work, Brent likes to try to makes things, raise his kids, read books, and eat chocolate.

ABSTRACT

States have quietly been taking the lead in addressing privacy. Despite this lack of attention, state lawmakers can potentially transform Americans' lives when it comes to data privacy. So far, legislators in more than 20 states have introduced comprehensive data privacy bills and other privacy laws focused on social media, healthcare data, and protections for children, with little to no fanfare.

Even more states will soon join them in debating privacy laws. While only six states have passed comprehensive privacy laws, it shouldn’t dampen expectations for this year. This is because history and public sentiment are on the side of states, and 2023 should be a big year for state data privacy.

What makes 2023 different? The debate surrounding state privacy is eerily similar to the process of states passing 50 different breach notification laws in the early 2000s. And these similarities point to 2023 being a leap forward for these efforts. But more importantly, Americans’ views on privacy have been evolving, creating an environment ripe for these laws.

This presentation will provide an update on the pending state privacy laws. Next, we will examine changing public sentiment around privacy and how it impacts the debate surrounding state privacy laws. Then we will explore how every state was able to previously pass breach notification laws and how history may be repeating itself.

The talk will then outline how this changing privacy reality impacts consumers and businesses. Finally, we talk about the next steps for state privacy laws and how the public can shape the direction of these laws.

BIO

Anthony Hendricks is a legal problem solver and litigator at Crowe & Dunlevy, one of Oklahoma’s largest and oldest firms. At Crowe & Dunlevy, Anthony serves as founder and chair of the firm’s Cybersecurity and Data Privacy Practice Group. His legal practice focuses on data privacy compliance, regulatory enforcement and permitting, and other “bet-the-company” suits in the areas of data security, privacy, and other complex business litigation. Anthony is an adjunct professor who teaches Cybersecurity Law and Information Privacy courses at Oklahoma City University School of Law. He also hosts “Nothing About You Says Computer Technology,” a weekly podcast on cybersecurity and data privacy viewed through the lens of diverse voices. To learn more about Anthony’s current projects and upcoming speaking events, or listen to the latest episodes of his podcast, visit www.anthonyjhendricks.com

ABSTRACT

Panel Aims and Goals:
1. Inform the audience about the challenges involved in cryptographic key management which is at risk with the quantum threat.
2. Discuss the risks involved and the compliance required by many industries, discuss how this has affected their business directions, conversations with customers, etc.
3. Discover the impact of PQC on key management, what are the techniques and strategies people are/should use?
4. Open the discussion towards the audience with Q&As.

BIO

Panelists:
- Sofi Celi, Cryptography Researcher, Brave Software
- Mark Carney, Co-Founder, Quantum Village
- Sandra Guasch Castello, Senior Privacy Engineer, SandboxAQ
- Deirdre Connolly, Cryptographic Engineer, Zcash Foundation
- Ryan Hurst, Head of Product - Core Security Foundation, Google
- James Howe (Panel Host), Senior Research Scientist, SandboxAQ

ABSTRACT

Edtech makes the news regularly for fines or issues, but rarely does anyone offer constructive and realistic advice for those in the system: families, students or even the few educators with ethics. This short overview will explain why edtech privacy has so many issues - I used to work in schools as a DPO and saw the problems- and will offer constructive advice on how to ask the right questions and, possibly, foster good practice. This is perhaps a call for more direct action from tech and privacy pros to offer more easily applicable advice that works in cash and time strapped schools who don’t like families to be empowered and ask questions.

I found that there was very little transparency around what data was shared, schools rarely map what is shared and you have accounts created for you even if you never log in. Edtech has made school like a bad boss who you are forced to work for over ten years and then they share all the horrid write ups and unfair info about you with every new job you try to get. It is a lurking data protection and safety issue for millions of young people as they grow and find themselves profiled before they reach 18. And with no way of getting that data removed because they don’t know where it went. So this offers some guidance on the questions to ask, the actions to take and explains why schools do this.

BIO

I was a language teacher then I began tech training, now I run security awareness and yell into the void repeatedly about edtech, car privacy and harm reduction. I also love shopping at target and dogs with floppy ears. I can see solutions but I need people to listen.

ABSTRACT

Revoking certificates in the Web PKI remains a problem that isn’t fully solved. We analyze the privacy, performance, reliability, and deployability of traditional solutions of CRLs and OCSP, and compare them to alternate solutions such as OCSP Stapling, short-lived certificates or browser vendor operated services.

BIO

Matthew McPherrin is an engineer working on certificate authorities, security architecture, and infrastructure security.

ABSTRACT

In this talk, we will explore the critical intersection of climate change and its potential ramifications for security and privacy. As the global climate crisis escalates, it poses multifaceted challenges that extend beyond environmental concerns. Our aim is to shed light on the often overlooked consequences of climate change, examining how it may disrupt established systems and infringe upon our personal security and privacy.

By understanding these implications, we can better prepare ourselves and society for the unprecedented security and privacy challenges that lie ahead. We will delve into this uncharted territory and consider the ways in which climate change intertwines with security and privacy concerns together.

BIO

Chloé Messdaghi is an accomplished security executive, CEO & Founder of Global Secure Partners, known for advising and developing solutions that have improved security teams and the industry. A sought-after public speaker and trusted source for national and sector reporters, her work has been featured in numerous outlets, and she has been recognized as a Power Player in Cybersecurity by Business Insider and SC Media.

Chloé is also dedicated to various charitable causes, demonstrating her commitment to driving positive change.

ABSTRACT

Domain fronting is a technique for internet connection obfuscation and also internet censorship circumvention that uses different domain names in different communication layers of an HTTPS connection to discreetly connect to a different target domain than is discernible to third parties monitoring the traffic. Domain fronting involves using different domain names in the DNS/SNI headers of the visible HTTPS packet and the Host header of the encrypted HTTP packet. If both domains are served from the same Content Delivery Network (CDN), then the CDN may proxy the request to the address specified in the HTTP header after unwrapping the TLS encrypted HTTPS payload. As a result, connection monitoring outside the CDN server network will not be able to ascertain where the connection packets are ultimately going to or coming from.

This paper explores and expands upon methodologies for identifying viable domain fronting proxies within the CloudFlare and Microsoft Azure Content Delivery Networks (CDNs). Despite claims by Microsoft to block domain fronting behavior on all Azure products, our research successfully identified 14 Azure edge servers on 6 Microsoft domains that successfully proxied domain fronted traffic. Comparably, the CloudFlare CDN yielded over 2000 viable proxies among the 30 domains tested, with an average of 6.61 viable proxies per domain (excluding outliers). Unlike similar research conducted in 2017-2018 by penetration testers Vincent Yiu and Raphael Mudge, no consistent pattern was found between a domain's DNS record and its ability to proxy fronted traffic. As an example, the domain huffingtonpost.com contains a different CDN address in its DNS records but still exhibited three subdomains as proxy-willing CloudFlare edge servers.

In response to these findings, this paper presents a methodology, subdomain enumeration using brute force scripting, as a more effective method of identifying domain fronting proxies within popular CDNs. Additionally, the domainfuzzer.py application developed as part of this study plays a crucial role in the analysis of viable domain fronting proxies within a CDN. By providing a user-friendly tool, domainfuzzer.py enables non-technical users to identify CDN edge servers capable of proxying domain fronted traffic. For more technical users, this methodology can easily be adapted to any CDN, empowering users to build their own domainfuzzer.py for use on a CDN of their choosing, should they be so motivated.

BIO

Charles Miller, M.S. - Recent graduate of UMBC's Master's of Science in Information Systems with a focus in Cyber Security. Even more recent member of the CrowdStrike Falcon Complete Team.

Dr. Michael Scott Brown - Graduate Program Director of the Online Masters in Information Systems at the University of Maryland Baltimore County. Dr. Brown holds the rank of Professor of Practice.

Dr. Michael Pelosi - Associate Professor of Computer Science, Texas A&M University Texarkana

ABSTRACT

Cryptographic algorithms often involve various mathematical operations. Sometimes these mathematical operations are implemented by developers themselves, and sometimes by calling functions in third-party algorithm libraries. However, the implementation of many mathematical operations is not rigorous and even contains some errors. When these issues arise in cryptography projects, they may introduce security risks.

This talk will discuss these issues and illustrate some of them through specific CVE vulnerabilities. Given that such security issues still occur frequently today, this talk is also intended to draw the attention of both the developers who worked on the mathematical part and the developers who worked on the cryptographic part, so as to reduce the occurrence of such issues.

BIO

Bing Shi is a security engineer at the crypto & privacy team of Alibaba Group, before that he studied at the University of Chinese Academy of Sciences. His research areas include cryptanalysis and software security, especially the intersection of the two, such as mining cryptographic vulnerabilities.

In addition, he is also an active member of the CTF community, he was a former member of the academic team Never Stop Exploiting, and now he mainly participates CTFs as a member of Water Paddler, focusing on cryptography and reverse engineering challenges.

ABSTRACT

Since 2012, an organisation named Cicada 3301 progressively released a series of puzzles, the most recent of which has never been solved. We're giving a concise overview of the puzzle’s more than 40 stages, up to and including the current unsolved step: Liber Primus. Get up to speed on 11 years of progress in 40 minutes.

BIO

The speakers are a dynamic group of individuals who are united by their passion for solving the intricate series of cryptographic puzzles released by the enigmatic Cicada 3301.

Taiiwo, a founding member of CicadaSolvers with a technical background, brings a pragmatic and sceptical approach to problem-solving, aiming to preserve the puzzle’s impact on the lives of others.

Artorias, the creator of CicadaSolvers.com, co-host of the CicadaCast podcast, and avid puzzle historian, diligently documents the enigma of Cicada 3301 while unravelling its interconnected topics.

Puck, a young and enthusiastic computer science major, originally found his passion for cryptography and cybersecurity through CicadaSolvers. Now he helps organise the community’s solving efforts and events, inspiring others to follow in his footsteps.

TheClockworkBird, with a background in anthropology and teaching, creates inclusive spaces where individuals of all skill levels and interests can engage with the puzzle’s art, literature, and philosophy.

Together, this group embodies the future of collaborative puzzle-solving, leveraging their diverse expertise to unravel the mysteries of 3301 and make a profound impact on the puzzle-solving community.

ABSTRACT

MD5 collisions take us 15 years back, to a time when Beyoncé released “Single Ladies,” Obama was elected president, and MD5 collisions were first used to spoof certificates in the infamous RapidSSL attack. Back then, researchers used MD5 collisions to forge SSL certificate signatures, allowing them to carry out TLS MITM attacks. This research was one of the main reasons why the use of MD5 was phased out, and is considered insecure today.

But MD5 did not completely disappear. A few months ago, Microsoft patched a critical vulnerability in the CryptoAPI library (CVE-2022-34689). The fact that it was reported by the NSA and the NCSC, combined with its high severity led us to patch-diff and analyze it. We found that MD5 was used to compute certificate thumbprints. The bug was in the assumption that these thumbprints are unique - an assumption that can be broken by computing MD5 collisions, making them relevant again.

It's 2023, and you don't need to be a government anymore (or own hundreds of PlayStations) to calculate your own MD5 collisions. By creating two MD5-identical certificates, attackers can bypass validation checks in CryptoAPI, spoof their identity and pretend to be anyone they want. In this talk, we will take the dust off of the old MD5 collision tools and demonstrate how we used them to exploit this vulnerability.

BIO

Tomer is a security researcher at Akamai. In his daily job, he conducts research ranging from vulnerability research to OS internals. Before joining Akamai, Tomer worked as a security researcher in the EDR field where he found and exploited several CVEs in the wild.

Yoni is an experienced low-level developer and researcher at Akamai. For the past few years, he's been writing drivers (and consequently, debugging blue screens and kernel panics) at Guardicore (acquired by Akamai). His passions are OS internals, mathematics and cryptography, and you can easily get him to talk about them for hours.

ABSTRACT

There is something profoundly deficient with the mercenary hunting activities in the cyber threat intelligence community. The lack of information sharing is the biggest ally of spyware makers like NSO, Intellexa or QuadDreams. The purpose of this presentation is to create awareness around this problem, that is solely benefiting these mercenary companies.

Commercial spyware developed and many times operated by these mercenaries, such as mobile spyware, poses a problem for journalists, civil society activists, political opponents or anyone that crosses paths with unscrupulous governments. Commercial companies like Google, Microsoft, Meta, Cisco along with non-profit organizations like Citizen Lab have been publishing reports about them, but they often lack technical details - Many times a reader may have to refer to multiple disclosures from different intelligence sources to piece together a single attack. Additionally, most reports usually provide just enough indicators of compromise that could allow a current campaign to be identified on the wire, but no actual samples are made available to allow third party verification and continued research.

In this presentation we will start by showing several examples of such reports, in an attempt to demystify concerns such as, keeping the victims' privacy or prevention of the proliferation. Then we will present Cytrox’s ALIEN/PREDATOR family of implants in-depth technical analysis as a use case. We will show how challenging it is to hunt, track and research without the samples. We also demonstrate that a third party analysis may aid in uncovering additional details or even slight mistakes in previously disclosed analyses. The lack of proper technical information sharing makes it a very niche subject which only benefits these operators, by limiting the amount of researchers that can investigate the subject. The presentation will conclude with the advantages and disadvantages of sharing more information about these kinds of threat actors.

BIO

Vitor Ventura is a Cisco Talos security researcher and manager of the EMEA and Asia Outreach team. As a researcher, he investigated and published various articles on emerging threats. Most of the day Vitor is hunting for threats, reversing them but also looking for the geopolitical and/or economic context that better suits them. Vitor is a regular speaker in conferences, like LabsCon, VirusBulletin, NorthSec, Recon, Recon Brx, AVAR, Defcon’s Crypto and Privacy Village, BSides Lisbon, Bsides London, etc. Prior to that he was IBM X-Force IRIS European manager where he was the lead responder on several high profile organizations affected by the WannaCry and NotPetya infections. Before that he did penetration testing at IBM X-Force Red, where Vitor led flagship projects like Connected Car assessments and ICS security assessments, custom mobile devices among other IoT security projects. Vitor holds a BSc in Computer Science and multiple security related certifications like GREM (GIAC Reverse Engineer Malware), CISM (Certified Information Security Manager).

Asheer Malhotra is a threat researcher specializing in threat intelligence, malware analysis, detection technologies and threat disclosures within Cisco Talos. He has been researching malware threats for about a decade now at FireEye, Intel, McAfee and now at Talos. His key focus is tracking nation state attacks (APTs) across the world. Asheer holds an M.S in Computer Science with a focus on Cyber Security.

ABSTRACT
It’s a given that the use of cryptography is a good thing to protect confidentiality and privacy of one’s online activities. However, there are a variety of pieces of information and metadata that can still be useful to attribute the individual using the crypto. This talk will cover OPSEC concerns with using crypto (and when not to use it). Additionally, a tool for random generation of self-signed certs will be discussed.

BIO
John Bambenek is Manager of Threat Systems at Fidelis Cybersecurity and an incident handler with the Internet Storm Center. He has been engaged in security for 15 years researching security threats. He is a published author of several articles, book chapters and one book. He has contributed to IT security courses and certification exams covering such subjects as penetration testing, reverse engineering malware, forensics, and network security. He has participated in many incident investigations spanning the globe. He speaks at conferences around the world and runs several private intelligence groups focusing on takedowns and disruption of criminal entities. @bambenek

ABSTRACT
Blue Coat Systems is a large network and cloud security company who counts many of the world's most important companies as its clients. Among its product offerings are a range of appliances collectively called the Advanced Threat Protection suite, which include a standalone SSL man-in-the-middle decryption device known as SSL Visibility (SSL-V). Both the company and this particular product have been much maligned, but SSL-V has become a vital and important tool in the incident responder kit. This presentation will attempt to bring clarity to the many misconceptions about SSL Visibility, including how it works, what it can and can't do, and why SSL-V isn't as scary as some people make it out to be.

BIO
Andrew Brandt (Spike) is the Director of Threat Research at Blue Coat Systems. He is a former editor and columnist for a large consumer tech publication and Internet privacy expert who found his way into the world of malware analysis and network forensics from investigative journalism. In his day job, he infects computers with malware in order to observe their behavior and retrospectively learn about the communications methods and control networks criminals use to manage infected hosts. @threatresearch

ABSTRACT
Get the latest information about how the law is racing to catch up with technological change from staffers at the Electronic Frontier Foundation, the nation’s premiere digital civil liberties group fighting for freedom and privacy in the computer age. This session will include updates on current EFF issues such as surveillance online, encryption (and backdoors), and fighting efforts to use intellectual property claims to shut down free speech and halt innovation, discussion of our technology project to protect privacy and speech online, updates on cases and legislation affecting security research, and much more. Half the session will be given over to question-and-answer, so it's your chance to ask EFF questions about the law and technology issues that are important to you.

BIO
KURT OPSAHL is the Deputy Executive Director and General Counsel of the Electronic Frontier Foundation. In addition to representing clients on civil liberties, free speech and privacy law, Opsahl counsels on EFF projects and initiatives. Opsahl is the lead attorney on the Coders' Rights Project. Before joining EFF, Opsahl worked at Perkins Coie, where he represented technology clients with respect to intellectual property, privacy, defamation, and other online liability matters, including working on Kelly v. Arribasoft, MGM v. Grokster and CoStar v. LoopNet. For his work responding to government subpoenas, Opsahl is proud to have been called a "rabid dog" by the Department of Justice. Prior to Perkins, Opsahl was a research fellow to Professor Pamela Samuelson at the U.C. Berkeley School of Information Management & Systems. Opsahl received his law degree from Boalt Hall, and undergraduate degree from U.C. Santa Cruz. Opsahl co-authored "Electronic Media and Privacy Law Handbook." In 2007, Opsahl was named as one of the "Attorneys of the Year" by California Lawyer magazine for his work on the O'Grady v. Superior Court appeal. In 2014, Opsahl was elected to the USENIX Board of Directors.

NATE CARDOZO is a Senior Staff Attorney on the Electronic Frontier Foundation’s digital civil liberties team. In addition to his focus on free speech and privacy litigation, Nate works on EFF's Who Has Your Back? report and Coders' Rights Project. Nate has projects involving cryptography and the law, automotive privacy, government transparency, hardware hacking rights, anonymous speech, electronic privacy law reform, Freedom of Information Act litigation, and resisting the expansion of the surveillance state. A 2009-2010 EFF Open Government Legal Fellow, Nate spent two years in private practice before returning to his senses and to EFF in 2012. Nate has a B.A. in Anthropology and Politics from U.C. Santa Cruz and a J.D. from U.C. Hastings where he has taught first-year legal writing and moot court. He brews his own beer, has been to India four times, and watches too much Bollywood.

ANDREW CROCKER is a staff attorney on the Electronic Frontier Foundation’s civil liberties team. He focuses on EFF’s national security and privacy docket, as well as the Coders' Rights Project. While in law school, Andrew worked at the Berkman Center for Internet and Society, the American Civil Liberties Union’s Speech, Privacy, and Technology Project, and the Center for Democracy and Technology. He received his undergraduate and law degrees from Harvard University and an M.F.A. in creative writing from New York University. His interests include Boggle and donuts.

DR. JEREMY GILIULA is a Staff Technologist at the Electronic Frontier Foundation where he focuses on a wide variety of tech policy topics including net neutrality, big data, mobile privacy, and privacy issues associated with drones and autonomous vehicles. At a young age Jeremy was sidetracked from his ultimate goal of protecting digital civil liberties by the allure of building and programming robots. He went to Caltech for undergrad, where he spent four years participating in the DARPA Grand Challenge, a competition to create a vehicle capable of traversing the desert autonomously. He then got his PhD in computer science from Stanford University, where his research focused on the design and analysis of algorithms for guaranteeing the safety of systems that employ machine learning and other AI techniques in an online fashion.

EVA GALPERIN is EFFs Global Policy Analyst, and has been instrumental in highlighting government malware designed to spy upon activists around the world. A lifelong geek, Eva misspent her youth working as a Systems Administrator all over Silicon Valley. Since then, she has seen the error of her ways and earned degrees in Political Science and International Relations from SFSU. She comes to EFF from the US-China Policy Institute, where she researched Chinese energy policy, helped to organize conferences, and attempted to make use of her rudimentary Mandarin skills.

KATITZA RODRIGUEZ is EFF's international rights director. She concentrates on comparative policy of international privacy issues, with special emphasis on law enforcement, government surveillance, and cross border data flows. Her work in EFF's International Program also focuses on cybersecurity at the intersection of human rights. Katitza also manages EFF's growing Latin American programs. She is an advisor to the UN Internet Governance Forum (2009-2010), and a member of the Advisory Board of Privacy International. Before joining EFF, Katitza was director of the international privacy program at the Electronic Privacy Information Center in Washington D.C., where amongst other things, she worked on The Privacy and Human Rights Report, an international survey of privacy law and developments. Katitza is well known to many in global civil society and in international policy venues for her work at the U.N. Internet Governance Forum and her pivotal role in the creation and ongoing success of the Civil Society Information Society Advisory Council at the Organisation for Economic Co-operation and Development, for which she served as the civil society liaison while at EPIC from 2008 to March 2010. Katitza holds a Bachelor of Law degree from the University of Lima, Peru. Katitza's twitter handle is @txitua.

Social media links if provided: @EFF

ABSTRACT
PKI is weak. One reason is that revocation methods all have failure modes. Direct revocation, Cert Revocation Lists, OCSP (online certificate status protocol predominant on iOS), and now Short Lived Cert's and Certificate Transparency, this presentation will spell out how revocation works, what protocols handle this, and how you can use revocation techniques to improve your security or conduct pen testing. Attendees will walk away with a greater understanding of PKI’s weaknesses, and actionable techniques to wield PKI with greater force and effect. Useful for the general public interested in PKI, and also pen testers and auditors.

BIO
Mat (aka cryptofile) is a privacy advocate and all around software security guy. Former cisco red teamer, Fortifier, Cigitalist and TMobster. From April 2013 to April 2016, he ran the trust store on a large global set of web clients for the Fruit Company prodsec team. cryptofile self-identifies with *nix and the Alexis Park era cons. @cl0kd

PrivacyGeek is a privacy advocate, penetration tester, and countersurveillance advisor. He used to manage global security for the world’s largest financial transaction hub, was a forensics expert witness on several high-profile cases, currently works on large-scale security automation projects and occasionally does talks on Big Data security. PrivacyGeek encourages others to start and support more groups like the EFF to protect different aspects of the Internet and human-rights long-term. @treyblalock

ABSTRACT
The Matasano Challenges were a set of challenges designed to increase understanding of weaknesses in implementations of cryptosystems. In this workshop we will work through a selection of challenges that will give exposure to a variety of attacks. The goal of this workshop is to allow participants to more carefully consider decisions when designing systems that use cryptography as well as how to assess other systems. * Participation in this workshop will require some programming skills to conduct the attacks. * Participants should have a laptop with a development environment for the language of their choice. They should also have burp suite or another MITM proxy of their choice.

BIO
Matt developed his interest and skills in cryptography during graduate work in Mathematics and Computer Science. During this time he had an internship at HRL Laboratories LLC working on implementing elliptic curve support for a Secure (in the honest-but-curious model) Two-Party Computation protocol. From there he implemented the version secure in the malicious model. He currently works as a QA engineer at Veracode, but continues to learn about cryptography in his spare time. @nullpsifer

ABSTRACT
There's been a lot happening in the world of elliptic curve cryptography lately: new IETF-approved curves for use in protocols like TLS, Juniper's Dual_EC_DRBG getting its points swapped in the wild, and new advances in isogeny-based crypto that may keep some form of ECC alive in a post-quantum world. In this talk we'll touch on these topics as we get a broad look at the current state of curves in modern cryptography.

BIO
Deirdre Connolly is a self-taught cryptography enthusiast and a senior software engineer at Brightcove, where she drives application security. She has a BS in Electrical Engineering and Computer Science from MIT. @durumcrustulum

ABSTRACT
The Underhanded Crypto Contest is an annual competition that brings out the best ways of subtly inserting weaknesses into cryptography protocols and software. By understanding how adversarially-crafted weaknesses go unnoticed, we get better at discovering these errors in our designs and code. In this talk we present the technical details of the best one or two contest entries.

BIO
Taylor is known for his carefully-written security tools, including a side-channel-free password generator and a cryptography library for PHP. He regularly contributes to a number of open source projects by security auditing and reviewing source code. As a recent graduate of the University of Calgary, his research is focused on exploit defense mechanisms and side-channel attacks. In his spare time, he enjoys studying physics from a computer science perspective and is an organizer of the Underhanded Crypto Contest.

Adam Caudill is a security consultant with over 15 years of experience in security and software development; with a focus on application security, secure communications, and cryptography. Active blogger, open source contributor, and advocate for user privacy and protection. His work has been cited by many media outlets and publications around the world, from CNN to Wired and countless others.

Social media links if provided: @UnderCrypto

ABSTRACT
The new(ish) JOSE standard is growing rapidly in popularity. Many people are excited to adopt the new standard and use it to build interesting and new things with JWT! Let's get everyone up to speed on JWT's, talk about the do's and don't regarding JWTs, review some JWT uses, and use JWT's effectively.

BIO
Evan Johnson is a security systems engineer at CloudFlare. He loves breaking things and can distinguish diet pepsi from diet coke by taste. @ejcx_

ABSTRACT
Do you truly love your users and wrap them in the warm, confidential arms of forward-secrecy ciphersuites? Or do you uncaringly shove their fragile, unencrypted data out into the cold, transparent tubes, shivering and naked as it wanders across a hostile Internet?

For too long the practice of serving non-sensitive websites over HTTPS has been viewed as unnecessary, costly, and a waste of cycles. Fortunately, the once-plausible criticisms have been challenged and are falling away. Choosing to implement HTTPS is now a matter of principle and it should be fully embraced as the default transfer method for all web traffic.

BIO
J.J. is a resident of Utah and wants to help make the Internet a safer place for everyone. After speaking at Utah's 2015 SAINTCON on the importance of HTTPS he decided to extend his interest in secure communications beyond the Con and commit to advocating for widespread HTTPS adoption. He created SecureUtah.org to serve as an information resource as well as a public tracker of which prominent Utah websites implement HTTPS correctly. His goal is to work with and convince every website to switch entirely to HTTPS and to inspire advocates in other states to champion the cause in their communities. @SecureUtah

ABSTRCT
Uh-oh - your startup just made headlines, but not for the reason you wanted: one of your employees has been accused of stealing a customer’s PII! Surely you can get to the bottom of the situation by checking your security logs… right? Right? Probably not, in fact. Most security logs don’t contain enough information to determine the crucial facts of a user data privacy issue: the “who”, “whom”, “what”, “where”, “when”, and “why” of user data accesses. Without all these pieces of information, as well as signals and alerts that make use of them, you can’t reconstruct the activity and motivations of your employees when they’re accessing user data. Find out how to supercharge your data access logging and ensure your users’ data is well-protected.

BIO
Alisha Kloc has worked in the security and privacy industry for over seven years, most recently at Google where she works hard to protect users’ data. She is passionate about data security and user privacy, and believes in combining technology, policy, and culture to ensure users’ protection.

ABSTRACT
Privacy by design is (still) hot topic at the moment. Why? Data privacy has become one of the customers basic assumptions and they are aware to demand evidence how you doing it. Privacy by design is not that difficult, if you have a bit of common sense and creativity. This presentation will give you a new way of thinking how to build privacy into whatever design you may have, through simple house example, layered approach thinking, humour and audience participation.

BIO
Petri Koivisto is a different kind of privacy/security enabler aiming to be something with fancy title like DPO/CISO. My mission is to make you look awesome in privacy/infosec. @petriokoivisto

ABSTRACT
Password is the oldest and the most widely used pillar of authentication, and is still being the core of approximately 80% of authentication events in the 21st century Internet. As the data on the Web becomes more valuable, more sophisticated attacks on authentication are being developed. The good thing is that crypto community tries to keep up with the continuously increasing threat surface and provides more advanced authentication techniques with higher security guarantees. However, password is still a solid building block in each of them: the first part of most two-factor authentication schemes is a password challenge, to generate one-time token, you enter a password, to use a hardware device - you enter a password in the device. But is verifying passwords secure? By communicating a password to a verifying party you leak at least some of the password information. Given the long history of password-based authentication schemes we can clearly see that it is rather challenging even to properly implement password verification. The presentation gives an overview of the evolution of password-based authentication schemes and provides comparison between two of the latest ones: socialist millionaires’ protocol and SPAKE2.

BIO
Ignat is a security engineer at CloudFlare working mostly on platform and hardware security. Ignat’s interests are cryptography, hacking, and low-level programming. Before CloudFlare, Ignat worked as senior security engineer for Samsung Electronics’ Mobile Communications Division. His solutions may be found in many older Samsung smart phones and tablets. Ignat started his career as a security researcher in the Ukrainian government’s communications services. @secumod

ABSTRACT
Mobile messaging applications have recently switched to end-to-end encryption. With debates at the government level to ask for backdoors, those tools are perceived as unbreakable. Yet, most of the implementations trust the contact information stored in the smartphone. Given that end-users hardly know a few phone numbers and that modifying contacts is easy, we will introduce a new type of attack: Man In The Contacts (MITC). Without studying any cryptography, we will examine how WhatsApp, Telegram and Signal behave when an Android application is tampering with the contacts in background. For some scenarios, the end-user can be fooled in talking to the wrong person and a MITM proxy can be implemented. Finally, we will discuss about countermeasures both at the technical and usability levels.

BIO
Jeremy Matos has been working in building secure software over the last 10 years. With an initial academic background as a developer, he was involved in designing and implementing a two-factor authentication product with challenging threat models, particularly when delivering a public mobile application. As a consultant he helped in the security requirements definition and implementation, including cryptographic protocols, for applications where the insider is the enemy. He also led code reviews and security validation activities for companies exposed to reputation damage. In addition, he participated in research projects to mitigate Man-In-The-Browser and Man-In-The-Mobile attacks. @SecuringApps

ABSTRACT
A basic understanding of cyphers and cryptography is part of a solid foundation for anyone in the InfoSec field. Today we use crypto without much second thought, but cryptography, or the use of ciphers and codes to protect secrets, has been around for thousands of years. Until the early 20th century, encryption was done with pen and paper or simple mechanical devices. My Tabletop Cryptography talk is about the history of cryptography and cryptanalysis as well as fun with examples of crypto-puzzles that can all be completed without the use of modern infernal computing devices.

BIO
Husband, father, infosec geek. @nibb13

ABSTRACT
PCI DSS allows hashing as a technique for tokenizing or protecting stored cardholder data, calling hashes “irreversible”. Interestingly PCI does not require using salts or other advanced hashing techniques to strengthen these hashes. Using oclHashcat with a custom patch of our own, a list of valid IINs, and a GPU cracking rig we will show how to reverse the supposedly irreversible one-way hashes of payment card numbers, ultimately demonstrating that we can completely crack a “PCI Compliant” database of hashed PANs in a few hours.

BIO
qu0rum started life as a developer during the dot com boom and quickly realized that writing secure code is a lot harder than breaking other people’s code so he hooked up with a security consulting company and got into penetration testing back before that was a popular thing to do. 15 years later he has handed off the day-to-day pen testing responsibilities to a new generation of testers and spends most of his time working with clients’ executives, convincing them that they should have someone test their security and figuring out what their testing programs should look like, but he’s still breaking stuff and writing about it in a desperate attempt to save the world from its own horrible code.

As his straight-laced corporate alter-ego, qu0rum has presented at a number of information security conferences including Black Hat Briefings USA, RSA Conference, Infosec World, the ISSA Conference, Computerworld Expo, and at United States Secret Service Electronic Crimes Task Force meetings. His commentary has been featured in television and print information security news, including CBS Evening News, NBC News, CNN Money, USA Today, CSO Magazine, Secure Computing Magazine, Network Computing Magazine, and CRN. @qu0rum

ABSTRACT
Exploiting social media sites for command-and-control (C2) has been growing in popularity in the past few years. But both Good and Bad guys have privacy concerns about their communication methods. Discoverable encryption may not always be the answer. By using image stenography we hide command-and-control messages in plain sight within digital images posted to the social media site Instagram. In this presentation, we will demo Instegogram as well as discuss how to detect and prevent it.

BIO
Amanda absolutely loves malware. She works as a Malware Researcher at Endgame who focuses on dynamic behavior detection both on Windows and OSX platforms. @_Amanda_33

Hyrum Anderson is a data scientist at Endgame who researches problems in adversarial machine learning and deploys solutions for large scale malware classification. He received a PhD in signal processing and machine learning from the University of Washington. @drhyrum

Daniel Grant is a data scientist at Endgame focusing on behavioral analysis and anomaly detection. He received a MS in Operations Research from Georgia Tech and likes building things that find bad guys when they are being sneaky.

ABSTRACT
Today we use cryptography in almost everywhere. From surfing the web over
https, to working remotely over ssh. However, many of us do not appreciate
the subtleties of crypto primitives, and the lack of correct and updated
resources leads to design and development of vulnerable applications. In
this talk, we cover the building block of modern crypto, and how to develop
secure applications in Python.

BIO
Amirali Sanatinia is a Computer Science PhD candidate at Northeastern
University, and holds a Bachelors degree in CS from St Andrews University.
His research focuses on cyber security and privacy, and was covered by
venues such as MIT Technology Review and ACM Tech News. He is also the
OWASP Boston NEU Student chapter founder and leader.
http://www.ccs.neu.edu/home/amirali

ABSTRACT
If your company develop mobile or desktop apps you probably know that in the modern world they should be digitally signed. When you try to solve a problem of code signing in big environments, you'll face a lot of difficulties: signing keys access management (especially in Continuous Integration), malware signing prevention and pitfails like SHA-1 deprecation. We successfully implemented a custom CodeSigning-As-A-Service solution capable of signing executables running on Android, iOS, Windows (usermode code, kernel drivers, installation packages etc.), Java apps and applets and solving all mentioned problems.

BIO
Evgeny Sidorov is an Information Security Officer at the major Russian search engine company Yandex. Evgeny works in the Application Security Engineering Team and is responsible for developing and embedding various defence techniques in web and mobile applications. He finished his Master degree in applied mathematics at the Institute of Cryptography, Telecommunications and Computer Science of Moscow.

Formely a software engineer Eldar Zaitov switched to information security in 2010, made pentesting for major Russian banks and companies. Was one of the initial members of CTF team More Smoked Leet Chicken, participated in DEF CON CTF finals. In 2012 joined Application Security Engineering Team at Yandex. Presented some information security talks at ZeroNights and YaC. Eldar is a maintainer of CTFtime.org.

ABSTRACT
In this session the CSO of a major tech company (Facebook) will interview these (2-4) Congresscritters on their views on encryption, balancing different ideas of security, and the future of the Internet as a tool for oppression or freedom.

BIO
Alex discovered DEF CON 5 at the ripe old age of 18 (his dad rented the room). Since then, he broke a lot of things, built a company to foster security research, and fought on the front lines of a transforming industry. He's currently “bought-in” as the Chief Security Officer at Facebook, dedicated to protecting the billions of people who use its products and to ensuring a safe future for the open and connected world. @alexstamos

Rep. Eric Swalwell (D-CA 15th) https://swalwell.house.gov/about @RepSwalwell

Rep. Will Hurd (R-TX 23rd) https://hurd.house.gov/about/full-biography @HurdOnTheHill

ABSTRACT
Ashley Madison, the dating site promoting adultery in their slogan “Life is short. Have an affair.” got hacked in July 2015. Millions of customers’ most intimate details were released in August 2015 by the hackers, after the service owners refused to close down business. As the biggest public breach of sensitive personal information ever, there are many lessons to be learned in terms of data protection, hacktivism, crisis management, media handling, and pitfalls that must be avoided. All this told from a very personal perspective, and with a background story showing the real value of good security & privacy for all.

BIO
Per Thorsheim is the founder of PasswordsCon. Among other things he revealed Linkein were hacked in 2012, confirmed the Ashley Madison leaks in 2015, and played a role in making the major webmail providers implement RFC 3207 STARTTLS support to better protect your privacy. He does training for news reporters on digital security & privacy, source protection and reader/customer privacy. @thorsheim

ABSTRACT
“Get over it!” as Scott McNeeley said years ago about the end of privacy as we knew it is not the best advice. Only by understanding why it is gone and never coming back can we have a shot at rethinking what privacy means in the context of our evolving humanity. Richard Thieme provides a historical and social context for some of that rethinking. He goes both deep and wide and challenges contemporary discussions of privacy to get real and stop using a 20th century framework. Our technologies have changed everything, including us. We humans are loosely bounded systems of energy and information. We interact with other similar systems, both organic and inorganic, "natural" and "artificial." These “differently sentient systems” all consist of nodes in intersecting networks extending in several dimensions. We have always known we were like cells in a body, but we emphasized “cell-ness.” Now we have to emphasize “body-ness” and re-imagine who we have become. What we see depends on the level of abstraction at which we choose to look. Patterns extracted from data are either meta-data or just more data, depending on the level of scrutiny. The boundaries we like to imagine around our identities, our psyches, our "private internal spaces," are violated in both directions, in and out, by symbolic data that, when aggregated, constitutes “us.” It's like orange juice, broken down into different states before recombination as new juice; it is reconstituted by others but still constitutes “us,” and we are known by others more deeply in recombination than we know ourselves.
To understand privacy - even what we mean by “individual human beings” who want it - requires a contrary opinion. Privacy is honored in lip service, but not in the marketplace, where it is violated or taken away or eroded every day. To confront the challenges generated by technological change, we have to know what is happening so we can re-imagine what we mean by privacy, security, and identity. We can't say what we can't think. We need new language to articulate our experience and grasp the nature of the context in which we live. Then we can take the abstractions of data analytics and Big Data down to our level. The weakest link in discussions of privacy is the definition of privacy, and the definition of privacy is not what we think. But pursue the real at your peril: Buddhists call enlightenment a “nightmare in daylight.” Yet when the screaming stops, it is enlightenment, still, after all. That clarity, that state of being, is the goal of this presentation.

BIO
Richard Thieme is an author and professional speaker focused on the challenges posed by new technologies and the future, how to redesign ourselves to meet these challenges, and creativity in response to radical change. ”His column, "Islands in the Clickstream," was distributed to subscribers in sixty countries before collection as a book in 2004. When a friend at the National Security Agency said after they worked together on ethics and intelligence issues, "The only way you can tell the truth is through fiction," he returned to writing short stories, 19 of which are collected in “Mind Games.” His latest works include the stunning novel “FOAM,” (Exurban Press September 2015) and "A Richard Thieme Reader" (Exurban Press 2016) in 5 volumes of collected fiction and non-fiction on Kindle. He is also co-author of the critically extolled “UFOs and Government: A Historical Inquiry,” a 5-year research project using material exclusively from government documents and other primary sources, now in 65 university libraries. @neuralcowboy

ABSTRACT
This workshop introduces real-world uses of text-based steganography to cloak your communications from the omnipresent web of machines and their human collaborators. Attendees will learn techniques to simply and repeatably bypass DLP controls and defeat data whitelisting enforced by Multi Level Security (MLS) devices. You will also learn methods for generating social engineering attacks against SecOps analysts and censors who may review your communications, plus techniques to counter frequency analysis attacks against your cloaked communications. All of this is accomplished using only simple Python scripts and text-based ciphers of your choosing. Attendees will then use the toolset to generate their own custom ciphers and social engineering attacks as we work through scenarios together.

BIO
TryCatchHCF / Joe Gervais is the Principal InfoSec Engineer & Lead Pentester at LifeLock, and author of the Cloakify exfiltration toolset. He has 25+ years of security- and software engineering experience, mostly in US gov't/DoD sectors, and served as an Intelligence Analyst and Counterintelligence Specialist in the United States Marine Corps. Education includes a bachelors degree in Cognitive Science, and a masters degree in Information Assurance. https://github.com/TryCatchHCF

ABSTRACT
Learn cryptography, or at least why you should stay away from it, the fun way! By breaking some yourself, live. After doing hash extension and CBC padding oracles the past years, today we'll implement one of the evergreens of crypto attacks: the Bleichenbacher '06 e=3 RSA signature forgery. Bleichenbacher '06 is a common attack against RSA that allows an attacker to fake a signature. It broke Firefox, then GnuTLS, then again Firefox (BERserk), then python-rsa... And who knows next. You'll learn how it works, how to mount it, and then attack real world implementations with your own code. The session is 100% hands-on, with very little material (basically just docs, a target server implementation, and some client boilerplate). I'll explain the crypto and attack basics and then proceed to code the exploit live, along with the audience, stopping often to analyze and compare outputs and milestones. No slides, just cold hard code and data produced along the way. No cryptography experience needed at all. Bring your laptop and Python chops.

BIO
Filippo Valsorda (@FiloSottile) is a systems and cryptography engineer at CloudFlare, where he kicked DNSSEC until it became something deployable. Nevertheless, he's probably best known for making popular online vulnerability tests, including the original Heartbleed test. He’s really supposed to implement cryptosystems, not break them, but you know how it is.

ABSTRACT
Lately, several backdoors in cryptographic constructions, protocols and implementations have been surfacing in the wild: Dual-EC in RSA's B-Safe product, a modified Dual-EC in Juniper's operating system ScreenOS and a non-prime modulus in the open-source tool socat. Many papers have already discussed the fragility of cryptographic constructions not using nothing-up-my-sleeve numbers, as well as how such numbers can be safely picked. However, the question of how to introduce a backdoor in an already secure, safe and easy to audit implementation has so far rarely been researched (in the public).

BIO
David Wong is a Security Consultant at the Cryptography Services team of NCC Group. He has been working in Security for over a year now, being part of several publicly funded open source audits such as the OpenSSL and the Let's Encrypt ones. He has conducted research in many domains in cryptography, publishing whitepapers as well as writing numerous editions of the Cryptography Services private bulletin. He has been a trainer for cryptography courses at BlackHat US 2015 and BlackHat US 2016. @lyon01_david

ABSTRACT
We describe the great contract bridge scandal of 2015 on which the top world top pairs were found to cheat by illegal information transfer. We describe the inaccurate accusation against one of the pairs (Mr. Lotan Fisher and Mr. Ron Schwartz). We describe our statistical efforts to prove lack of sufficient evidence for conviction beyond reasonable doubt. We describe our discovery of the real code in which information is transferred and means to discover it.

BIO
Nezer is a researcher in the IT faculty university of Jyväskylä, Finland and computer science faculty member in College of Management, Israel. http://www.scipio.org/