Talks

Crypto & Privacy Village publicly available talks since 2014 with videos, transcripts, slides, files, and other information from the talks/speakers

The annual Crypto & Privacy Village publicly available talks since 2014 are listed on annual pages and below with materials from speakers: abstracts, videos, transcripts, slides, files, and other information as provided. Please refer to our CFP page for more details on our participation process including anonymity.

We recommend searching by year, then by speaker(s) name and talk title.

2024 - CPV 11: Spycraft & Ciphers

Cox, Joseph. "A Whirlwind Tour of the FBI’s Secret Encrypted Chat App".

Abstract, Bio

ABSTRACT
The FBI ran an encrypted app called Anom, intercepting all of its messages. The operation ended in the arrest of hundreds of criminals. But what happens now? Are apps that we all use, like Signal, under threat too? This talk will give a blistering dive into what the app was, how it worked, and what it means for all of our privacy now.

BIO
Joseph is the author of DARK WIRE, which tells the inside story of how the FBI secretly launched its own encrypted messaging app to wiretap the world.

Cummings, Rachel. "Differential privacy beyond algorithms: Challenges for successful deployment".

Abstract, Bio

ABSTRACT
Differential privacy (DP) has been hailed as the gold standard of privacy-preserving data analysis, by providing strong privacy guarantees while still enabling use of potentially sensitive data. Formally, DP gives a mathematically rigorous worst-case bound on the maximum amount of information that can be learned about an individual's data from the output of a computation. In the past two decades, the privacy community has developed DP algorithms that satisfy this privacy guarantee and allow for accurate data analysis for a wide variety of computational problems and application domains. We have also begun to see a number of high-profile deployments of DP systems in practice, both at large technology companies and government entities. Despite the promise and success of DP thus far, there are a number of critical challenges left to be addressed before DP can be easily deployed in practice, including: mapping the mathematical privacy guarantees onto protection against real-world threats, developing explanations of its guarantees and tradeoffs for non-technical users, integration with other privacy & security tools, preventing misuse, and more.

BIO
Dr. Rachel Cummings is an Associate Professor of Industrial Engineering and Operations Research and (by courtesy) Computer Science at Columbia University, where she is also a member of the Data Science Institute and co-chairs the Cybersecurity Research Center. She is also a Fellow at the Center for Democracy & Technology. Before joining Columbia, she was an Assistant Professor of Industrial and Systems Engineering and (by courtesy) Computer Science at the Georgia Institute of Technology, and she previously received her Ph.D. in Computing and Mathematical Sciences at the California Institute of Technology. Her research interests lie primarily in data privacy, with connections to machine learning, algorithmic economics, optimization, statistics, and public policy. Dr. Cummings is the recipient of numerous awards including an NSF CAREER award, a DARPA Young Faculty Award, a DARPA Director's Fellowship, an Early Career Impact Award, multiple industry research awards, a Provost’s Teaching Award, two doctoral dissertation awards, and Best Paper Awards at DISC 2014, CCS 2021, and SaTML 2023. Dr. Cummings also serves on the ACM U.S. Technology Policy Committee, the IEEE Standards Association, and the Future of Privacy Forum's Advisory Board.

Domko, Matt. "Data On Demand: The challenges of building a privacy focused AI Device".

Abstract, Bio

ABSTRACT
Building an AI product for the everyday person is challenging - doing it in a privacy focused way is nearly impossible without support from the right people. I'll walk through the techniques we're using at Rabbit to secure customer data and provide people a choice as to where their data goes.

We'll cover the pipelines that
- Collect and Manage customer identity after they log in to a site
- Log, Anonymize, and Process customer voice interactions
- Provide "just in time" access to customer data for personalized RAG-like models

As a community, I think we're well within our rights to demand control over the data we provide to companies. This talk aims to provide engineers with a list of ideas on "what right could look like", and general attendees a list of things that are possible, so they know it's ok to ask for them.

BIO
Matt Domko is the Head of Security at a (in)famous AI Walkie Talkie Manufacturer. Ex-This, Ex-That, he spends most of his free time tinkering with his lasercutter or 3d printers. 

Dunin, Elonka, and Klaus Schmeh. "Famous and Not-So-Famous Unsolved Codes".

Abstract, Bio

ABSTRACT
There are many famous codes and ciphers still waiting to be solved, such as the encrypted Voynich manuscript and Edward Elgar's Dorabella cipher. All hold a special fascination. In this talk, prepare to be entertained and informed by Elonka Dunin and Klaus Schmeh, as we briefly discuss the encryption on Kryptos, the mysterious sculpture at the center of CIA Headquarters; NKrypt, an encrypted sculpture in Australia; an encrypted engraving on an early 20th century German silver cigarette case; details about the message attached to the leg of a WWII carrier pigeon that was found in an English chimney; an encrypted postcard by the owner of UK's Luton soccer team; and the intriguing encrypted messages created by the mysterious Henry Debosnys while awaiting his murder trial in New York in the late 1800s. 

BIO
Elonka Dunin is a crypto expert and co-leader of a group that is working to crack the final cipher on the Kryptos sculpture at CIA Headquarters. She maintains a website of the World’s most famous unsolved codes, and bestselling author Dan Brown named his character “Nola Kaye”, a scrambled form of “Elonka”, in his novel The Lost Symbol, after her.

Elonka was a member of the Board of Directors for the National Cryptologic Museum Foundation and General Manager and Executive Producer at Simutronics, making award-winning online and mobile games.

With Klaus she co-wrote the book “Codebreaking: A Practical Guide” (2020/2023).

Klaus Schmeh has written 15 books (mostly in German) about cryptography, as well as over 250 articles, 25 scientific papers, and 1500 blog posts. Klaus’s main fields of interest are codebreaking and the history of encryption.

Klaus is a popular speaker, known for his entertaining presentation style involving self-drawn cartoons, self-composed songs, and Lego models. He has lectured at hundreds of conferences, including the NSA Crypto History Symposium, DEF CON, and the RSA Conference. In his day job, Klaus works as a crypto expert for the global IT security company Eviden. 

ET. "Porn & Privacy".

Abstract, Bio

ABSTRACT
As our social lives are highly intertwined with our online lives, people share a lot of information and create pictures and content that needs to be secured. In this talk I cover obscenity laws, revenge porn (non-consensual distribution of intimate images), stalking, catfishing and sextortion and how people can prevent information being leaked as well as how to recover from it.

BIO
ET is a cybersecurity professional who cares about digital privacy. They have helped people who have been affected by revenge pornography and helped them put together a plan of action. I like to volunteer; I help with BSides Orlando, DEATHCon and DC407.

Gold Bug Team 2024. "Welcome".

--."Gold Bug: Puzzle Panel".

Abstracts, Bio.

ABSTRACT (9 August)
Welcome to the Gold Bug at the 11th annual Crypto & Privacy Village! This opening talk complements the Gold Bug: Puzzle Panel on Day 2.

ABSTRACT (10 August)
Welcome to Day 2 of the Gold Bug at the 11th annual Crypto & Privacy Village! Join the Gold Bug Team for the latest updates, panel-exclusive hints, and more. This panel complements the Gold Bug: Welcome on Day 1.

BIO
The Gold Bug Team 2024 at the Crypto & Privacy Village: 0xCryptok, tseven, llamaprincess, pleoxconfusa, Pascal-0x90, Delta_JRM, are the beloved puzzle-makers within Crypto & Privacy Village. We make a special effort to include accessible puzzles at all skill levels. It is our hope that anyone, from new puzzlers (even kids!) to seasoned puzzle hunters, can participate in and enjoy this contest.

The GoldBug team also runs Crypto & Privacy Village's Junior Cryptography at DC NextGen.

Grauer, Yael. "Data Brokers and the Threat to Your Privacy".

Abstract, Bio

ABSTRACT
Data brokers, and in particular people-search sites, are a headache for those of us trying to keep our addresses off the internet… and an absolute nightmare for people who are targeted due to their identity, profession, or political beliefs. In this talk, I’ll present the results of a collaborative research project by Tall Poppy and Consumer Reports that evaluates paid people-search removal services. I’ll also discuss how data brokers harm people, what you can do to protect yourself, why it’s so difficult, and what we can do as individuals and at a policy/advocacy level to solve this pernicious privacy problem.

BIO
Yael Grauer is an investigative tech reporter. She currently works at Consumer Reports managing Security Planner, an easy-to-use guide to staying safer online. Yael has over a decade of experience covering privacy and security, digital freedom, hacking, and mass surveillance for various tech publications and has extensively researched the privacy and security (or lack thereof) of VPNs, street-level surveillance, and more. She’s been maintaining the Big Ass Data Broker Opt-Out List since 2017.

Grey Fox. "Travel Better: Expedient Digital Defense".

Abstract, Bio

ABSTRACT
Expedient Digital Defense focuses on using free and readily available applications, or recommending paid-for commercial apps and tools that have proven records of credibility, to make our devices and online presence less harmful to us. We will follow a typical traveler in the United States, with some experiences drawn from overseas travel.

The talk stresses the value of Operational Security (OPSEC), and the mindset of seeing every piece of communication through the eyes of your adversary. The intent is to make people think twice before revealing anything considered sensitive, even if using the latest and greatest encryption. The surveillance economy and ever-present data collection in our modern world demand better awareness of how our digital world works. We’ll discuss examples like invasive social media collection, foreign influence on public perception, data insecurity putting users in danger, and advertising models based on location and click tracking.

Finally, the take-away is knowing the tools and tech available, and being able to select those which fit your needs, if at all. Most of the time, one mitigation isn't enough, and several need to be emplaced to achieve proper defense in depth, in case one solution fails. Even if no technical solutions are put in place, the user will have that "red team" mindset and awareness that calibrates better judgment over technical solutions, and promotes OPSEC and rational thinking for security rather than blindly depending on apps and gadgets. 

BIO
Grey Fox, the callsign assigned to him by a DHS colleague, recently retired from the U.S. military after 20 years of service as an intelligence analyst, language analyst, digital network intelligence targeter, cyberspace mission leader, and digital defense education program leader. Having deployed eight times supporting front line combat teams, his experience ranges from offensive cyberspace operations planning and execution to military information support operations. Along the way, Grey Fox acquired multiple creds, including GCTI, GASF, GAWN, and CWNA. He currently instructs Digital OPSEC at the U.S. Army Security Cooperation Officer course and the U.S. Air Force Research Lab, as well as SDR foundations and Wi-Fi hacking at the U.S. Army Signal School. 

Abstract, Bio

ABSTRACT
On February 25, 1998, hip-hop group the Wu-Tang Clan made Grammy history… for all the wrong reasons. After losing in the Rap Album of the Year category, Wu-Tang member ODB stormed the stage, interrupting an acceptance speech to declare the now infamous phrase “Wu-Tang is for the children.” Anyone who has heard a song from Wu-Tang knows that despite ODB’s insistence, it is certainly not true. It appears that States may be taking this same approach when it comes to children's privacy and safety online. Despite these laws being for the protection of children, they often raise other unintended consequences. State legislatures around the country are debating new laws to protect children online. This year, Tennessee, Maryland, Virginia, Georgia, Utah, and Florida have passed legislation focused on children's privacy, usually through restrictions on social media use. While privacy advocates have championed these laws, they have been met with criticism and, in some instances, legal challenges. This is because in order to implement laws that apply to kids online, companies have to identify which users are kids—which requires the collection of sensitive personal information. Along with this privacy tension, there are First Amendment protection concerns that these laws limit online speech. This presentation will explore how youth privacy laws may not be protecting children in the ways that we hope by first discussing the attempts made by states to address youth privacy. Then we will analyze the unintended privacy consequences, focusing on how states are required to collect sensitive information that we are often trying to protect. Next, we will examine the First Amendment concerns using the example of the challenges to California’s Age Appropriate Design Code Act before finally discussing a path forward to protecting children.

BIO
Anthony Hendricks is a legal problem solver and litigator at Crowe & Dunlevy, one of Oklahoma’s largest and oldest firms. At Crowe & Dunlevy, Anthony serves as founder and chair of the firm’s Cybersecurity and Data Privacy Practice Group. His legal practice focuses on data privacy compliance, regulatory enforcement and permitting, and other “bet-the-company” suits in the areas of cybersecurity, privacy, and other complex business litigation. Anthony is an adjunct professor who teaches Cybersecurity Law and Information Privacy courses at Oklahoma City University School of Law. He also hosts “Nothing About You Says Computer Technology,” a podcast on cybersecurity and data privacy viewed through the lens of diverse voices. Anthony has been nationally recognized for his legal skills. He has been selected as a member of the Lawyers of Color Hot List, a 40 under 40 attorney by the National Association of Black Lawyers, Oklahoma Magazine 40 under 40, and the Journal Record 40 under 40, and is listed by both Super Lawyers Magazine and Best Lawyers. Anthony is a former cybersecurity policy fellow in New America’s Cybersecurity Initiative. To learn more about Anthony’s current projects and upcoming speaking events, or to listen to the latest episodes of his podcast, visit www.anthonyjhendricks.com.

Jeff Man. "GUR RIBYHGVBA BS PELCGBTENCUL".

Abstract, Bio

ABSTRACT
I recently googled the meaning of “encryption” and found this definition on Wikipedia: “In cryptography, encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext.” Um…no, encoding produces code, enciphering produces ciphertext, encryption is more than just encoding, and so on. Given the jumbling together of historically very unique and significant terminology I set out to find the actual, historical definitions and try to find a way to teach and/or demonstrate the differences in the foundational forms of cryptography. But I quickly noticed that some of this terminology is so often mis-applied in our digital age that I wondered if maybe there has been an evolution of the meanings of these terms? I might not like it, but I’m open to that possibility. This very quickly led me to the conclusion that my research on this topic would make for an interesting talk and so here we are. I want to share the classical, historical forms of cryptography, discuss the etymology of the terminology, look at how the words apply today – and help the audience decide if the actual meanings even matter (or it’s just me). One important consideration is the tradeoff between keeping the data secret (security) and protecting the identity of individuals associated with the data (privacy). I hope you’ll join me in this journey to victory (or defeat) in the ongoing battle of preserving the classic goals and objectives of data security.

BIO
Jeff is a respected Information Security advocate, advisor, hacker, evangelist, mentor, teacher, international keynoter, speaker, former host of Security & Compliance Weekly, co-host on Paul's Security Weekly, Tribe of Hackers (TOH) contributor, including Red Team, Security Leaders, and Blue Team editions, and a member of the Cabal of the Curmudgeons. Jeff has over 40 years of experience working in all aspects of computer, network, and information security, including cryptography, risk management, vulnerability analysis, compliance assessment, forensic analysis and penetration testing. Certified National Security Agency Cryptanalyst. Designed and fielded the first software-based cryptosystem ever produced by NSA. Inventor of the "whiz" wheel, a cryptologic cipher wheel used by US Special Forces for over a decade currently on display at the National Cryptologic Museum. Honorary lifetime member of the Special Forces Association. Previously held security research, management and product development roles with the National Security Agency, the DoD and private-sector enterprises. Pioneering member of the first penetration testing "red team" at NSA. For the past twenty-eight years has been a pen tester, security architect, consultant, QSA, and PCI SME, providing consulting and advisory services to many of the nation's best known companies. 

Thorsheim, Per, and Cecilie Wian. "Fool us Once, fool us twice… Hacking Norwegian banks with paper ID".

Abstract, Bios

ABSTRACT
In 2021 we could get access to all personal bank accounts at the largest bank in Norway by using a single page paper form sent by snail mail. In addition to stealing all their money, we could also see all account transactions for the last 10 years, with details. In 2024 we have done the same thing to another bank. Why didn't the banks learn the first time?

In this talk we'll explain what we did, lessons learned and why paper ID is still relevant and important to us all.

BIO
Cecilie works as a consultant within security, privacy & AI technologies. She is a recognized expert in software testing with a specialization in abusability testing. With over 10 years of experience in the IT industry, Cecilie has developed into an authority in identifying and evaluating potential abuse scenarios and security vulnerabilities in various software products.

Per is the founder & organizer of PasswordsCon. He revealed the LinkedIn breach in 2012 & got heavily involved in the Ashley Madison breach in 2015. He is featured alongside Brian Krebs & Troy Hunt in the 3-part documentary "The Ashley Madison Affair" on Hulu.

Walsh, Patrick, and Bob Wall. "Attacks on GenAI data and using vector encryption to stop them".

Abstract, Bio

ABSTRACT
As the adoption of GenAI tools has soared, security has done little to keep up. New classes of data, and especially vector data, are flooding into new and untested data stores. Vector databases are getting copies of health data, financial data, HR data, emails, and everything else, but they have no intrinsic security. What's worse, the vectors themselves can be reversed in embedding inversion attacks that turn those vectors back into faces, sentences, and even pictures. We discuss these new attacks and a new branch of cryptography, vector encryption, which allows for privacy preserving searches to happen over the encrypted vectors. We'll discuss the benefits, trade-offs, and current state of the field and the open source software we've built to meet the new need.

BIO
Patrick Walsh has more than 20 years of experience building security products and enterprise SaaS solutions. Most recently he ran an Engineering division at Oracle, delivering features and business results to the world’s largest companies. Patrick now leads IronCore Labs, a data privacy platform that helps businesses gain control of their data and meet increasingly stringent data protection needs. 

2023 - CPV 10: Glow of the Vending Machine

Blunt and Daly. "Certs Fucking Suck, So We Made a Cert: DISCO for Bodily Autonomy".

Abstract, Bios

ABSTRACT

Cross-movement organizing for bodily autonomy is in dire need of OPSEC assistance. Hackers working within these grassroots circles are beyond their bandwidth, hardly able to keep up. Incident response, crisis management, investigations OPSEC--these methodologies are in high demand--and unfortunately they're skills that are rarely methodically taught, especially in activist circles. They're privileged skills, requiring hours of studying and practice. Infosec certs seek to qualify that, right? Well we call bullshit.

The infosec cert industry is an unregulated, duct-taped attempt to verify who's skilled and who isn't; who's right for the job and who's not. Unfortunately for the world at large, these certs value the protection of corporate networks, rarely human ones. Humans are the practical assets of the infosec certification pipeline to continuous corporate protection. Their movements surveilled is the product. The lack of bodily autonomy, the disownership of one's own body, that's the consequence.

So we made a cert to flip that narrative; we made a program for people to become educated, skilled, and trained in the ways of spreading their learnings within their communities. We're training human rights defenders, abortion access orgs, trans advocacy orgs, sex worker rights activists. We're training firsthand the people who understand what it means to have agency of their own body criminalized by the state. We teach a blend of hands on skills with privacy technology, encryption fundamentals, OSINT skills. But we don't just stop at the tech stuff. We teach internet policy literacy, financial literacy and the privacy aspects of business licensing, navigating crisis from a somatic point of view. Other activists will attest to how crucial those skills are to be taught alongside the tech stuff. As far as we know, no other cert in the game is doing that.

We're setting people up to become digital security community organizers. They're out there flashing custom ROMs, running help desks, managing multilayered backup games for communities of dozens. They're hustling institutions, putting themselves inside the industries that led to criminalization creep like abortion bans. Digital security community organizers is what we need more of. So, this cert is attempting to do that. Digital Security Community Organizer Certification, or DISCO cert for short, is a project by Digital Defense Fund and Hacking//Hustling, in collaboration from spring 2022 to spring 2023, and hopefully more into the future. At DEFCON we hope to not only reveal our process of thinking, our methodologies of teaching, but to also recruit other hackers to join these fights, to inspire further cross movement coordination. Let our liberation spread like a virus.

BIO

Blunt is a sex worker, community organizer, public health tech researcher and co-founder of Hacking//Hustling. She enjoys watching her community thrive and making men

Daly has too many hats. She's a technologist, hacker, educator, organizer, privacy and security consultant, writer, artist, and witch.

Cheung, Matt. "Cryptosploit Workshop".

Abstract, Bio

ABSTRACT

Last year a framework and tool for cryptographic attacks called cryptosploit was introduced. In this workshop we will demo the capabilities and the underlying philosophy as well as new commands. This will include the flexibility of mixing and matching attack code with oracles and new commands to import and export cryptographic keys. In particular, we will demonstrate how after a successful attack on a public key, we will be able to export the private key corresponding to the certificate.

BIO

Matt Cheung started developing his interest in cryptography during an internship in 2011. He worked on implementation of a secure multi-party protocol by adding elliptic curve support to an existing secure text pattern matching protocol. Implementation weaknesses were not a priority and this concerned Matt. This concern prompted him to learn about cryptographic attacks from Dan Boneh's crypto 1 course offered on Coursera and the Matasano/cryptopals challenges. From this experience he has given workshops at the Boston Application Security Conference, BSidesLV, DEF CON, and the Crypto and Privacy Village.

Cohen, Gabe, and Brent Zundel. "Attacking Decentralized Identity".

Abstract, Bios

ABSTRACT

Decentralized identity systems based on W3C Decentralized Identifiers and Verifiable Credentials are becoming increasingly popular for their promises of improved security, privacy, and user control in identity management. Impactful deployments are coming: from the US DHS for worker authorization and soon passports, multiple DMVs for driver's licenses, the EU for university degree credentials, and much more in both public and private sectors. However, as with any technology, these systems are not immune to vulnerabilities and attacks, both on the ideologies of decentralization and self-sovereignty and vulnerabilities in implemented systems.

In this talk, we will examine different types of vulnerabilities in the SSI space, walk through examples of potential attacks, and discuss the potential consequences of the technology. Additionally, we will explore potential solutions to mitigate the risks associated with these vulnerabilities. We will discuss best practices for trust, cryptographic techniques, and security protocols that one can use in decentralized identity systems.

BIO

Gabe Cohen is an engineer and standards architect at Block. For the past five years, he has focused on developing and deploying Decentralized Identity and Verifiable Credentials Systems. He is focused on decentralization in practice and at scale to return data, privacy, and digital sovereignty to the world.

Brent Zundel is a principal cryptography engineer at Gen, where he is helping to architect solutions for digital identity capabilities that will fit alongside Gen’s Norton and Avast security products. He got his start working on consensus algorithms and token-design in the self-sovereign identity space at Evernym, with Sovrin and Hyperledger Indy. He believes strongly in the need to provide individuals with the ability to manage their own personal information and thinks ZKPs could play a critical role in accomplishing that.

Brent has also been deeply involved with efforts to standardize data models and protocols related to decentralized identity: at W3C where he chairs the Verifiable Credentials and Decentralized Identifiers Working Groups; at DIF where he serves on the Steering Committee, chairs the Applied Cryptography Working Group, and is an editor of the Presentation Exchange specification; and at IETF where he works on JSON Web Proofs, Selective-Disclosure JWTs, and the BBS cryptosuite.

Outside of work, Brent likes to try to make things, raise his kids, read books, and eat chocolate.

Hendricks, Anthony. "Is 2023 the Year of Privacy: How History and States are Posed to Change Privacy?".

Abstract, Bio

ABSTRACT

States have quietly been taking the lead in addressing privacy. Despite this lack of attention, state lawmakers can potentially transform Americans' lives when it comes to data privacy. So far, legislators in more than 20 states have introduced comprehensive data privacy bills and other privacy laws focused on social media, healthcare data, and protections for children, with little to no fanfare.

Even more states will soon join them in debating privacy laws. While only six states have passed comprehensive privacy laws, it shouldn’t dampen expectations for this year. This is because history and public sentiment are on the side of states, and 2023 should be a big year for state data privacy.

What makes 2023 different? The debate surrounding state privacy is eerily similar to the process of states passing 50 different breach notification laws in the early 2000s. And these similarities point to 2023 being a leap forward for these efforts. But more importantly, Americans’ views on privacy have been evolving, creating an environment ripe for these laws.

This presentation will provide an update on the pending state privacy laws. Next, we will examine changing public sentiment around privacy and how it impacts the debate surrounding state privacy laws. Then we will explore how every state was able to previously pass breach notification laws and how history may be repeating itself.

The talk will then outline how this changing privacy reality impacts consumers and businesses. Finally, we talk about the next steps for state privacy laws and how the public can shape the direction of these laws.

BIO

Anthony Hendricks is a legal problem solver and litigator at Crowe & Dunlevy, one of Oklahoma’s largest and oldest firms. At Crowe & Dunlevy, Anthony serves as founder and chair of the firm’s Cybersecurity and Data Privacy Practice Group. His legal practice focuses on data privacy compliance, regulatory enforcement and permitting, and other “bet-the-company” suits in the areas of data security, privacy, and other complex business litigation. Anthony is an adjunct professor who teaches Cybersecurity Law and Information Privacy courses at Oklahoma City University School of Law. He also hosts “Nothing About You Says Computer Technology,” a weekly podcast on cybersecurity and data privacy viewed through the lens of diverse voices. To learn more about Anthony’s current projects and upcoming speaking events, or to listen to the latest episodes of his podcast, visit www.anthonyjhendricks.com.

Howe, Celi, et al. "Exploring the Impact of PQC on Cryptographic Key Management".

Abstract, Bios

ABSTRACT

Panel Aims and Goals:
1. Inform the audience about the challenges involved in cryptographic key management which is at risk with the quantum threat.
2. Discuss the risks involved and the compliance required by many industries, discuss how this has affected their business directions, conversations with customers, etc.
3. Discover the impact of PQC on key management, what are the techniques and strategies people are/should use?
4. Open the discussion towards the audience with Q&As.

BIO

Panelists:
- Sofi Celi, Cryptography Researcher, Brave Software
- Mark Carney, Co-Founder, Quantum Village
- Sandra Guasch Castello, Senior Privacy Engineer, SandboxAQ
- Deirdre Connolly, Cryptographic Engineer, Zcash Foundation
- Ryan Hurst, Head of Product - Core Security Foundation, Google
- James Howe (Panel Host), Senior Research Scientist, SandboxAQ

Levesley, Michelle. "Practical advice for navigating edtech privacy".

Abstract, Bio

ABSTRACT

Edtech makes the news regularly for fines or issues, but rarely does anyone offer constructive and realistic advice for those in the system: families, students or even the few educators with ethics. This short overview will explain why edtech privacy has so many issues (I used to work in schools as a DPO and saw the problems) and will offer constructive advice on how to ask the right questions and, possibly, foster good practice. This is perhaps a call for more direct action from tech and privacy pros to offer more easily applicable advice that works in cash- and time-strapped schools who don’t like families to be empowered and ask questions.

I found that there was very little transparency around what data was shared; schools rarely map what is shared, and you have accounts created for you even if you never log in. Edtech has made school like a bad boss whom you are forced to work for over ten years, and who then shares all the horrid write-ups and unfair info about you with every new job you try to get. It is a lurking data protection and safety issue for millions of young people as they grow and find themselves profiled before they reach 18, with no way of getting that data removed because they don’t know where it went. So this offers some guidance on the questions to ask and the actions to take, and explains why schools do this.

BIO

I was a language teacher, then I began tech training, and now I run security awareness and yell into the void repeatedly about edtech, car privacy and harm reduction. I also love shopping at Target and dogs with floppy ears. I can see solutions, but I need people to listen.

McPherrin, Matthew. "Privacy of Web PKI Revocation".

Abstract, Bio

ABSTRACT

Revoking certificates in the Web PKI remains a problem that isn’t fully solved. We analyze the privacy, performance, reliability, and deployability of traditional solutions of CRLs and OCSP, and compare them to alternate solutions such as OCSP Stapling, short-lived certificates or browser vendor operated services.

BIO

Matthew McPherrin is an engineer working on certificate authorities, security architecture, and infrastructure security.

Messdaghi, Chloé. "Climate Change and its Implications for Security and Privacy: An Uncharted Territory".

Abstract, Bio

ABSTRACT

In this talk, we will explore the critical intersection of climate change and its potential ramifications for security and privacy. As the global climate crisis escalates, it poses multifaceted challenges that extend beyond environmental concerns. Our aim is to shed light on the often overlooked consequences of climate change, examining how it may disrupt established systems and infringe upon our personal security and privacy.

By understanding these implications, we can better prepare ourselves and society for the unprecedented security and privacy challenges that lie ahead. We will delve into this uncharted territory and consider the ways in which climate change intertwines with security and privacy concerns.

BIO

Chloé Messdaghi is an accomplished security executive, CEO & Founder of Global Secure Partners, known for advising and developing solutions that have improved security teams and the industry. A sought-after public speaker and trusted source for national and sector reporters, her work has been featured in numerous outlets, and she has been recognized as a Power Player in Cybersecurity by Business Insider and SC Media.

Chloé is also dedicated to various charitable causes, demonstrating her commitment to driving positive change.

Miller, Brown, et al. "Domain Fronting Through Microsoft Azure and CloudFlare: How to Identify Viable Domain Fronting Proxies".

Abstract, Bios

ABSTRACT

Domain fronting is a technique for internet connection obfuscation and also internet censorship circumvention that uses different domain names in different communication layers of an HTTPS connection to discreetly connect to a different target domain than is discernible to third parties monitoring the traffic. Domain fronting involves using different domain names in the DNS/SNI headers of the visible HTTPS packet and the Host header of the encrypted HTTP packet. If both domains are served from the same Content Delivery Network (CDN), then the CDN may proxy the request to the address specified in the HTTP header after unwrapping the TLS encrypted HTTPS payload. As a result, connection monitoring outside the CDN server network will not be able to ascertain where the connection packets are ultimately going to or coming from.

This paper explores and expands upon methodologies for identifying viable domain fronting proxies within the CloudFlare and Microsoft Azure Content Delivery Networks (CDNs). Despite claims by Microsoft to block domain fronting behavior on all Azure products, our research successfully identified 14 Azure edge servers on 6 Microsoft domains that successfully proxied domain fronted traffic. Comparably, the CloudFlare CDN yielded over 2000 viable proxies among the 30 domains tested, with an average of 6.61 viable proxies per domain (excluding outliers). Unlike similar research conducted in 2017-2018 by penetration testers Vincent Yiu and Raphael Mudge, no consistent pattern was found between a domain's DNS record and its ability to proxy fronted traffic. As an example, the domain huffingtonpost.com contains a different CDN address in its DNS records but still exhibited three subdomains as proxy-willing CloudFlare edge servers.

In response to these findings, this paper presents a methodology, subdomain enumeration using brute force scripting, as a more effective method of identifying domain fronting proxies within popular CDNs. Additionally, the domainfuzzer.py application developed as part of this study plays a crucial role in the analysis of viable domain fronting proxies within a CDN. By providing a user-friendly tool, domainfuzzer.py enables non-technical users to identify CDN edge servers capable of proxying domain fronted traffic. For more technical users, this methodology can easily be adapted to any CDN, empowering users to build their own domainfuzzer.py for use on a CDN of their choosing, should they be so motivated.

BIO

Charles Miller, M.S. - Recent graduate of UMBC's Master of Science in Information Systems with a focus in Cyber Security. Even more recent member of the CrowdStrike Falcon Complete Team.

Dr. Michael Scott Brown - Graduate Program Director of the Online Master's in Information Systems at the University of Maryland Baltimore County. Dr. Brown holds the rank of Professor of Practice.

Dr. Michael Pelosi - Associate Professor of Computer Science, Texas A&M University Texarkana

Shi, Bing. "How mathematical implementation issues lead to cryptographic vulnerabilities".

Abstract, Bio

ABSTRACT

Cryptographic algorithms often involve various mathematical operations. Sometimes these mathematical operations are implemented by developers themselves, and sometimes by calling functions in third-party algorithm libraries. However, the implementation of many mathematical operations is not rigorous and even contains some errors. When these issues arise in cryptography projects, they may introduce security risks.

This talk will discuss these issues and illustrate some of them through specific CVE vulnerabilities. Given that such security issues still occur frequently today, this talk is also intended to draw the attention of both the developers who work on the mathematical part and the developers who work on the cryptographic part, so as to reduce the occurrence of such issues.

BIO

Bing Shi is a security engineer on the crypto & privacy team of Alibaba Group; before that, he studied at the University of Chinese Academy of Sciences. His research areas include cryptanalysis and software security, especially the intersection of the two, such as mining cryptographic vulnerabilities.

In addition, he is an active member of the CTF community. He was formerly a member of the academic team Never Stop Exploiting, and now he mainly participates in CTFs as a member of Water Paddler, focusing on cryptography and reverse engineering challenges.

Taiiwo, Artorias, et al. "Cicada 3301: An Exploration of the Cryptographic Enigma".

Abstract, Bios

ABSTRACT

Since 2012, an organisation named Cicada 3301 progressively released a series of puzzles, the most recent of which has never been solved. We're giving a concise overview of the puzzle’s more than 40 stages, up to and including the current unsolved step: Liber Primus. Get up to speed on 11 years of progress in 40 minutes.

BIO

The speakers are a dynamic group of individuals who are united by their passion for solving the intricate series of cryptographic puzzles released by the enigmatic Cicada 3301.

Taiiwo, a founding member of CicadaSolvers with a technical background, brings a pragmatic and sceptical approach to problem-solving, aiming to preserve the puzzle’s impact on the lives of others.

Artorias, the creator of CicadaSolvers.com, co-host of the CicadaCast podcast, and avid puzzle historian, diligently documents the enigma of Cicada 3301 while unravelling its interconnected topics.

Puck, a young and enthusiastic computer science major, originally found his passion for cryptography and cybersecurity through CicadaSolvers. Now he helps organise the community’s solving efforts and events, inspiring others to follow in his footsteps.

TheClockworkBird, with a background in anthropology and teaching, creates inclusive spaces where individuals of all skill levels and interests can engage with the puzzle’s art, literature, and philosophy.

Together, this group embodies the future of collaborative puzzle-solving, leveraging their diverse expertise to unravel the mysteries of 3301 and make a profound impact on the puzzle-solving community.

Tomer and Yoni. "Spoofing certificates with MD5 collisions - party like it's 2008!".

Abstract, Bios

ABSTRACT

MD5 collisions take us 15 years back, to a time when Beyoncé released “Single Ladies,” Obama was elected president, and MD5 collisions were first used to spoof certificates in the infamous RapidSSL attack. Back then, researchers used MD5 collisions to forge SSL certificate signatures, allowing them to carry out TLS MITM attacks. This research was one of the main reasons why the use of MD5 was phased out, and is considered insecure today.

But MD5 did not completely disappear. A few months ago, Microsoft patched a critical vulnerability in the CryptoAPI library (CVE-2022-34689). The fact that it was reported by the NSA and the NCSC, combined with its high severity, led us to patch-diff and analyze it. We found that MD5 was used to compute certificate thumbprints. The bug was in the assumption that these thumbprints are unique - an assumption that can be broken by computing MD5 collisions, making them relevant again.

It's 2023, and you don't need to be a government anymore (or own hundreds of PlayStations) to calculate your own MD5 collisions. By creating two MD5-identical certificates, attackers can bypass validation checks in CryptoAPI, spoof their identity and pretend to be anyone they want. In this talk, we will take the dust off of the old MD5 collision tools and demonstrate how we used them to exploit this vulnerability.

BIO

Tomer is a security researcher at Akamai. In his daily job, he conducts research ranging from vulnerability research to OS internals. Before joining Akamai, Tomer worked as a security researcher in the EDR field where he found and exploited several CVEs in the wild.

Yoni is an experienced low-level developer and researcher at Akamai. For the past few years, he's been writing drivers (and consequently, debugging blue screens and kernel panics) at Guardicore (acquired by Akamai). His passions are OS internals, mathematics and cryptography, and you can easily get him to talk about them for hours.

Ventura, Vitor and Asheer Malhotra. "Blindly hunting for Mercenaries".

Abstract, Bios

ABSTRACT

There is something profoundly deficient with the mercenary hunting activities in the cyber threat intelligence community. The lack of information sharing is the biggest ally of spyware makers like NSO, Intellexa or QuaDream. The purpose of this presentation is to create awareness around this problem, which is solely benefiting these mercenary companies.

Commercial spyware developed, and many times operated, by these mercenaries, such as mobile spyware, poses a problem for journalists, civil society activists, political opponents or anyone that crosses paths with unscrupulous governments. Commercial companies like Google, Microsoft, Meta and Cisco, along with non-profit organizations like Citizen Lab, have been publishing reports about them, but they often lack technical details. Many times a reader may have to refer to multiple disclosures from different intelligence sources to piece together a single attack. Additionally, most reports usually provide just enough indicators of compromise to allow a current campaign to be identified on the wire, but no actual samples are made available to allow third-party verification and continued research.

In this presentation we will start by showing several examples of such reports, in an attempt to demystify concerns such as keeping the victims' privacy or preventing proliferation. Then we will present an in-depth technical analysis of Cytrox’s ALIEN/PREDATOR family of implants as a use case. We will show how challenging it is to hunt, track and research without the samples. We also demonstrate that a third-party analysis may aid in uncovering additional details or even slight mistakes in previously disclosed analyses. The lack of proper technical information sharing makes it a very niche subject, which only benefits these operators by limiting the number of researchers that can investigate the subject. The presentation will conclude with the advantages and disadvantages of sharing more information about these kinds of threat actors.

BIO

Vitor Ventura is a Cisco Talos security researcher and manager of the EMEA and Asia Outreach team. As a researcher, he has investigated and published various articles on emerging threats. Most of the day Vitor is hunting for threats and reversing them, but also looking for the geopolitical and/or economic context that better suits them. Vitor is a regular speaker at conferences like LabsCon, VirusBulletin, NorthSec, Recon, Recon Brx, AVAR, Defcon’s Crypto and Privacy Village, BSides Lisbon, BSides London, etc. Prior to that he was IBM X-Force IRIS European manager, where he was the lead responder for several high-profile organizations affected by the WannaCry and NotPetya infections. Before that he did penetration testing at IBM X-Force Red, where Vitor led flagship projects like Connected Car assessments, ICS security assessments and custom mobile devices, among other IoT security projects. Vitor holds a BSc in Computer Science and multiple security-related certifications like GREM (GIAC Reverse Engineering Malware) and CISM (Certified Information Security Manager).

Asheer Malhotra is a threat researcher specializing in threat intelligence, malware analysis, detection technologies and threat disclosures within Cisco Talos. He has been researching malware threats for about a decade now at FireEye, Intel, McAfee and now at Talos. His key focus is tracking nation-state attacks (APTs) across the world. Asheer holds an M.S. in Computer Science with a focus on Cyber Security.

2022 - CPV 9: Back to School

2021 - CPV 8: Alice & Bob in Wonderland

2020 - CPV 7: Glitched

2019 - CPV 6: Cryptography Destinations

2018 - CPV 5: 1984/Privacy Policies

2017

2016

2015

2014 - CPV 1: History of Crypto

Cardozo, Nate. "FOIA Club, or How to Get the Government to Spill Its Guts".