Title | Regrets |
Abstract | This talk will be on the regrets from building Docker. Recently I have been working a level of abstraction above Docker (i.e. Kubernetes) and I have a lot of regrets about the way Docker was designed based off seeing how people without a background of Linux primitives use the tool. This talk will cover all the design regrets of Docker and how they are being propagated into other tools causing them to not be as secure as they could be. Join me as I go through all the regrets of software that is now sadly everywhere... |
Location | Fri 16 0915 @ The Michael Fowler Centre |
Duration | 30 mins |
Name | Jessie Frazelle |
Origin | US |
Bio | Software engineer, hacker, containerizer, haver of regrets about softwarez. |
Title | vmpklōn – Creation of a VMProtect Clone |
Abstract | This talk will discuss our research into VMProtect virtualization technology, which ultimately led to the creation of a VMProtect clone. VMProtect is a commercial-grade software protection platform which greatly increases the difficulty in reverse engineering samples. One feature of VMProtect is instruction virtualization, where original x86 instructions are transformed into a VMProtect-style virtualization. This talk will cover stack based virtual machines, VMProtect basics, writing a disassembler, recovery of x86 translations, and creation of a VMProtect clone. |
Location | Fri 16 0945 @ The Michael Fowler Centre |
Duration | 30 mins |
Name | Jon Erickson |
Origin | USA |
Bio | Jon Erickson is a senior staff reverse engineer within the Flare team at FireEye. Before joining FireEye, Jon made the rounds with various government contractors and before that served in the United States Air Force. Jon has worked in the security industry for more than 15 years and has a master’s degree from George Mason University. Jon has spoken at numerous conferences including Blackhat Asia, CodeBlue, and SyScan 360. He’s contributed to a number of CVEs and continuously works to help new security researchers better themselves within the field. |
Title | Apathy and Arsenic: a Victorian Era lesson on fighting the surveillance state |
Abstract | What does expensive Victorian era wallpaper have in common with a Cambridge Analytica Facebook quiz?
Why is the GDPR like a trip to a seaside resort? How could a cryptoparty have anything to do with a rare book in a library in Michigan? attacus - historian, privacy advocate, and penetration tester - walks you through a two hundred year old method for fighting the surveillance state, based on the advocacy led by 19th century scientists to abolish the domestic use of arsenic. You will learn about the tireless efforts used by anti-arsenic activists to change the public perception of arsenic, Cory Doctorow's theory of Peak Indifference, the lives ruined by data breaches, and how to sustain the recent public shift from "I have nothing to hide" to "I value my privacy". This session will offer suggestions for developers and other interested folks on how to gather data ethically, how to behave when a data breach occurs, and how to help everyday people have more power over their own information. Come along and enjoy a plate of biscuits while you take in stories of murder, mismanagement, and mendacity, and learn how to keep up the fight against mass surveillance now that the tide is turning. |
Location | Fri 16 1100 @ The Michael Fowler Centre |
Duration | 30 mins |
Name | attacus |
Origin | Melbourne, Australia |
Bio | The deposed monarchs of Neverwas had a nearly foolproof plan for regaining their thrones: present a child whom not even the most fanatical anarcho-syndicalist could deny looked absolutely rockin' in a tiara. While they achieved this goal, attacus quests after knowledge rather than the crown. Since she became a pentester she has accepted that she will never be able to find the Grail. In spite of this, attacus continues to seek after strange and hermeutic secrets. She knows more about historical assholes than Hieronymous Bosch. |
Title | Introducing "moriarty", a tool for automated smart contract symbolic execution vulnerability discovery and exploit synthesis |
Abstract | In the grim future of 2018, there is only war... and the cypherpunks won. If Timothy May was actually dead he'd be cackling in his grave by now. Bitcoin billionaires, smart contracts, end-to-end encryption, onion routing, obscure darkweb forums full of Bulgarian fraud pimps touting their latest autoshop software... it's certainly an exciting time to be alive.
Ethereum is a cryptocurrency designed for the execution of "smart contracts", where code controls the flow of finance from one account to another. Putting programs in direct control of millions of non-repudiable crypto-dollars... what could possibly go wrong?
"Moriarty" is a tool for the vulnerability analysis of ethereum smart contracts, where only one vulnerability actually counts --- stealing cold hard cash. Using the dark arts of symbolic execution, Moriarty can automatically find vulnerabilities and synthesise exploits "on the fly". Additionally, Moriarty sweeps the entire ethereum blockchain & contract space in order of potential income to maximise profit, in a purely proof-of-concept kind of way.
This presentation will discuss the engineering of such a tool from first principles, along with tips, tricks and optimizations as yet unknown in "other" more generic symbolic execution frameworks. As we used to say back in the day, "for information reasons only". |
Location | Fri 16 1130 @ The Michael Fowler Centre |
Duration | 30 mins |
Name | Caleb "alhazred" Anderson |
Origin | Melbourne, Australia |
Bio | Alhazred's name is a killing word. He enjoys long walks on the beach, the bellows breath of cinnamon, subtle aldehydes ... acids ... performance poetry and collecting HR complaints. In his spare time he works for Context Information Security as a sort-of kind-of foreman, cracking the spiked whip deep within the infosec mines. He was recently promoted from lead consultant to lead consultant. |
Title | Feeding the Beast: Network Insurgency |
Abstract | There's a metric bucketload of cool technology and awesome tools out there to support red team engagements, both physical and digital. But what about the *people* on the red team? Can you actually train someone to think and act like an adversary, rather than relying on 'experience', Twitter poopposting, or CEH/CISSP? Can you distil how different approaches refine and improve the way they think and act, rather than just their technical skills? Short answer: Yes! Long answer: Yeeeeeeesssss! (also with 30 minutes of talking) Red Teams wanting to boost their capabilities and simulating more realistic and effective adversaries will be introduced to using F3EAD - a US Special Operations Forces targeting methodology – as a framework for training and engagement. F3EAD is a targeting methodology developed to support counter insurgency operations characterised by complex environments and rapidly-moving adversaries. On a more abstract level, it is designed to allow a large, slow-moving organisation with cumbersome decision-making processes to act/react far more rapidly when confronted by an agile, quick enemy. Although relevant from a Blue Team perspective (threat hunting), it can also be adapted for Red Teams to build a simple, effective framework to conduct engagements with. It's not prescriptive, nor does it encourage ticking boxes for the sake of it, rather it emphasises adaptive and flexible engagement. |
Location | Fri 16 1201 @ The Michael Fowler Centre |
Duration | 30 mins |
Name | syngularity0 |
Origin | AU |
Bio | Organiser of SecTalks Canberra, consumer of energy drinks, slayer of digital dragons. Really bad at computers. |
Title | Lessons from game consoles and the coming security apocalypse |
Abstract | There are few computing devices that are more attacked on an ongoing basis than game consoles. People want to cheat to win, want to prove their cred, and want to play free games. Over the years, I've seen some interesting things, and have come to the conclusion that computing in general needs to make some serious changes in order to stay viable in the future. |
Location | Fri 16 1345 @ The Michael Fowler Centre |
Duration | 30 mins |
Name | Boyd Multerer |
Origin | Wellington (Formerly USA) |
Bio | TBD |
Title | Living w/o the Land - Active Directory attacks from Linux |
Abstract | PowerShell and C# have been the new hotness for 5-6 years now, but with all the AI this and Machine Learning that, one rarely wants to throw that much of your toolkit on disk or even in-memory. Time to head back to the network! This talk will be detailing how directly or via pivots, one can do many of the same recon and attacks against Active Directory with existing tools, and more easily, a new tool. |
Location | Fri 16 1415 @ The Michael Fowler Centre |
Duration | 45 mins |
Name | Mubix |
Origin | US |
Bio | Mubix (Rob Fuller) is a Senior Red Teamer. His professional experience starts from his time on active duty as a United States Marine. He has worked with devices and software that run the gamut in the security realm. He has a few certifications, but the titles that he holds above the rest are FATHER, HUSBAND and United States Marine. |
Title | Ghosts in the Browser: Backdooring with service workers |
Abstract | Service workers are all the rage for progressive web apps nowadays. This talk will take a look at Service Workers from a different perspective. We'll talk about ways to abuse them by exploiting XSS issues. We'll cover how to create a pseudo browser backdoor with service workers as well as some of its limitations. The talk will include demos as demonstration of the attacks, and will introduce various defence mechanisms against them. |
Location | Fri 16 1500 @ The Michael Fowler Centre |
Duration | 30 mins |
Name | Claudio Contin & Emmanuel Law |
Origin | NZ & US |
Bio | Claudio is a security consultant with ZX Security in Wellington. Before working in security, he spent several years developing web applications. He made small contributions to the BeEF framework (http://beefproject.com/) and Gophish (https://getgophish.com/) open source projects.
Emmanuel Law (@libnex) used to be a consultant in Wellington. He's now a security engineer in the Bay Area. |
Title | Mayday, Mayday, Mayday - Safe Harbor, no more |
Abstract | CONTENT WARNING: THIS TALK TOUCHES ON SOME VERY SENSITIVE ISSUES, AN INTRO TO THE TALK WILL COVER POSSIBLE TRIGGERS & TOPICS. You get your e-mail with Google, you host your code on Github, you run your cluster with Amazon Web Services, you deliver content through Cloudflare and you receive your payments through Stripe and what’s the one thing all of these companies have in common? They were founded in the United States. What would happen if you suddenly lost your livelihood because of legislation that another country passed? Would your company be able to survive a legislation change that prevented you from using these services? I’ll be talking about the current state of internet legislation, the importance of legislation like Section 230 (Safe Harbor) of the Communication & Decency Act and the ramifications that recently passed legislation is having on the sex and technology industry. |
Location | Fri 16 1530 @ The Michael Fowler Centre |
Duration | 30 mins |
Name | Eliza Sorensen (@zemmiph0bia) |
Origin | AU |
Bio | Eliza is a co-founder of Assembly Four, which created sex worker friendly social network Switter.at and inclusive sex worker advertising platform Tryst.link. |
Title | DHCP is hard |
Abstract | DHCP is a 25-year-old network protocol supported by almost every network capable device in existence. However, even the most popular implementations of this protocol still contain exploitable vulnerabilities such as OOB writes, use-after-frees or command injections.
In this talk I'm going to discuss the attack surface provided by the protocol, highlight a number of vulnerabilities I discovered while looking at popular DHCP implementations and try to find reasons why writing a safe implementation of such a seemingly simple protocol is such a hard task. The presentation ends with a deep dive into the exploitation of one of the discovered bugs and a live demo. |
Location | Fri 16 1645 @ The Michael Fowler Centre |
Duration | 30 mins |
Name | Felix Wilhelm |
Origin | DE |
Bio | Felix Wilhelm is a Security Engineer at Google focusing on cloud and virtualization security. He has discovered vulnerabilities in widely used products ranging from hypervisors and open source network daemons to enterprise software and security appliances. He has presented his research at numerous security conferences including Infiltrate, Syscan, Blackhat, Troopers, HITB and 44Con. |
Title | Getting Buzzed on Buzzwords: Using Cloud & Big Data to Pentest at Scale |
Abstract | You’ve heard about cloud, big data, server-less infrastructure, web scale, and other buzzwords that cause VCs to throw money at people - but how does this help you? If you’re getting bored going over the same checklist in your pentests then you’re missing out on what some of these new technologies can offer you. Using some of the newer cloud technologies not only can you automate all of your workflows, but you can do so with almost zero maintenance at a low cost with almost infinite scalability! This talk will show you how to blow conventional pentesters out of the water using some cool new technologies along with a little bit of trickery.
Some of the topics we’ll go over include:
* Cheap and scalable rainbow tables with BigQuery, 5TB in 10 seconds
* SQS & Lambda, like Burp Intruder but 10K QPS
* Scalable GPU Clusters on the cheap with Spot Instances and Elastic Beanstalk
* Cloud exit nodes, rotating IPs via Elastic Beanstalk and nano instances
* Cost effective fuzzing with Elastic Beanstalk and Spot Instances |
Location | Fri 16 1715 @ The Michael Fowler Centre |
Duration | 30 mins |
Name | moloch & mandatory |
Origin | US / AU |
Bio | Mandatory - Security Engineer with a passion for web and internet security. Moloch - I like computers. |
Title | Securing a World of Physically Capable Computers |
Abstract | Computer security is no longer about data; it’s about life and property. This change makes an enormous difference, and will shake up our industry in many ways. First, data authentication and integrity will become more important than confidentiality. And second, our largely regulation-free Internet will become a thing of the past. Soon we will no longer have a choice between government regulation and no government regulation. Our choice is between smart government regulation and stupid government regulation. Given this future, it’s vital that we look back at what we’ve learned from past attempts to secure these systems, and forward at what technologies, laws, regulations, economic incentives, and social norms we need to secure them in the future. |
Location | Fri 16 1745 @ The Michael Fowler Centre |
Duration | 45 mins |
Name | Bruce Schneier |
Origin | US |
Bio | Bruce Schneier is an internationally renowned security technologist, called a "security guru" by the Economist. He is the author of 14 books -- including the New York Times best-seller Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World -- as well as hundreds of articles, essays, and academic papers. His influential newsletter "Crypto-Gram" and blog "Schneier on Security" are read by over 250,000 people. Schneier is a fellow at the Berkman Klein Center for Internet and Society at Harvard University; a Lecturer in Public Policy at the Harvard Kennedy School; a board member of the Electronic Frontier Foundation, AccessNow, and the Tor Project; and an advisory board member of EPIC and VerifiedVoting.org. He is also a special advisor to IBM Security and the Chief Technology Officer of IBM Resilient. |
Title | Moving Fast and Securing Things |
Abstract | In a world where autonomy flourishes, a perpetual stream of new ideas gets executed. As the manifestations of dreams move into our beautiful world, how can we ensure that the safety of its inhabitants is not compromised for progress? How do we create a process that recognizes the unique humanity of builders, makers, and coders? How do we enforce security without spiraling into a dystopian authoritarian force with a boot on the neck of valiant developers everywhere?
At Slack, we’re certainly not perfect. And we recognize that as they are not yet full cyborgs, our human developers are going to make mistakes. Learn about the ways that we set our security teams up for success while still getting cool new stuff out the door as fast as our teams can dream it up...err, and write the code, QA test it, build it and ship it. But still. It’s a fast process. And we want to secure it. “Process” is often seen as antithetical to the fast-moving nature of startups; security processes, in particular, can be regarded as a direct impediment to shipping cool features. On the other hand, the security of an organization and its users shouldn’t be disregarded for the sake of speed. Striking a balance between security and nimble development is a vital aspect of an application security team. At Slack, we have implemented a secure development process which has both accelerated development and allowed us to scale our small team to cover the features of a rapidly growing engineering organization. This presentation will illuminate both our Secure Development Lifecycle (SDL) process and the tooling that we have open-sourced, as well as provide analysis of how the process has worked thus far, and where we'd like to take it. We'll discuss our deployment of a flexible framework for security reviews, including a lightweight self-service assessment tool, a checklist generator, and most importantly a messaging process that meets people where they are already working. We’ll show how it’s possible to encourage a security mindset among developers, while avoiding an adversarial relationship. |
Location | Sat 17 0900 @ The Michael Fowler Centre |
Duration | 30 mins |
Name | Kelly Ann |
Origin | US |
Bio | Kelly Ann is a security engineer on the Product Security team at Slack, where she works on vulnerability assessments of Slack features, as well as educational materials for security best practices for developers. Before joining Slack, Kelly was a penetration tester at NCC Group, and she was previously an eco-pirate protecting endangered species.
Prior to studying Web Application Development and Penetration Testing, Kelly worked in Intelligence and Investigations for nearly 15 years, working undercover and coordinating covert operations enforcing environmental and animal welfare legislation. Her experience in Operational and Information Security led her to spend four years with Sea Shepherd, mostly on the flagship. Her proudest accomplishment is crafting the media strategy that forced former NZ PM John Key to hold a press conference denouncing the Japanese whaling fleet in which he is clearly miserable that he has been forced to do so. She held the highest level security clearance, working with confidential sources and evading high-tech tracking by state actors, poachers in Antarctica, and pirates in Somali waters. She led a complex 16-month covert campaign involving multiple ships spanning the globe, navigating international waters and international diplomacy, developing and implementing all security procedures and protocols, and most importantly, maintaining the safety of all ships and crew. Kelly holds degrees in both Media & Communications Strategy and Gender Studies and graduated from Hackbright Academy. She teaches operational and information security workshops with civil liberties organizations, and has won first place in a social engineering Capture the Flag hosted by Women in Security and Privacy (WISP). |
Title | Cyber defence exercises - how to make it cool? |
Abstract | Technical cyber defence exercises are typically conducted in a Cyber Range, hosting hundreds of servers, workstations, network devices, etc. Usually the setup is replicating a typical office environment with mailservers, fileservers, webservers, workstations and other typical business IT infrastructure. Soon this type of exercise might get boring and people might lose the motivation to participate year by year. What about making the exercise environment a bit more fancy by integrating some special systems like Power Grid, Mobile Networks, drones, cars etc? What are the main challenges setting up these systems? What additional skills would it train? What are the attack vectors? How to visualise these systems to the wider audiences? How to keep balance between the learning curve and showcase. How to scale special systems and how to avoid just toys. NATO CCDCOE has conducted the largest technical international live fire cyber defence exercise Locked Shields for almost 10 years whereby in recent years several dedicated special systems have given a totally new look and feel to the exercise. |
Location | Sat 17 0930 @ The Michael Fowler Centre |
Duration | 30 mins |
Name | Raimo Peterson |
Origin | EE |
Bio | Raimo Peterson is Chief of the Technology Branch at the NATO Cooperative Cyber Defence Centre of Excellence (NATO CCD COE). Before his current assignment, he held diverse IT security management, leadership and expert positions for Siemens in Germany, South-Africa and Estonia. He has worked on large international IT security projects for the telecommunication industry and for the public sector. In his current position, Raimo leads a group of researchers focusing on technical aspects of cyber defence, especially on monitoring, penetration testing, malware analysis, digital forensics and industrial control systems. Raimo holds a Diploma in Telecommunications from the Tallinn Technical University. Besides the leadership tasks, in his current position Raimo Peterson has been driving the development of the critical infrastructure systems and integrating them into the cyber range and cyber defence exercises. |
Title | Getting Shells from JavaScript: offensive JavaScript techniques for red teamers |
Abstract | AppSec is often very heavily focused on pre-exploitation. Frameworks like BeEF break this norm a little and can be used as tools to move laterally from the browser, to implant malware on adjacent machines. Unfortunately, performing network reconnaissance with JavaScript becomes tricky if the victim doesn't keep the tab open for long. This presentation will discuss relatively new features of JavaScript that have made it easier for sophisticated threat actors to craft JavaScript payloads that target internal network vulnerabilities. We'll also show new reconnaissance techniques traditionally used by red teams, post-malware implant, that can be used to get a foothold onto a network from a browser, pre-malware implant. This presentation will thread together the following techniques to highlight how HTML and JavaScript are more dangerous than ever:
We'll also show some real examples of this, crafting external payloads that target internal assets at large companies, and we'll show how responsible disclosure for intranet facing bugs typically gets resolved. |
Location | Sat 17 1045 @ The Michael Fowler Centre |
Duration | 45 mins |
Name | Dylan Ayrey and Christian 'xntrik' Frichot |
Origin | AU |
Bio | Dylan is a security engineer, who in his free time authors lots of open source projects, such as truffleHog. He graduated college in 2015 and has been working in security ever since. Dylan has presented on a number of topics from lingering TLS certificate issues, to finding secrets, at conferences such as Toorcon, DEFCON, BSidesSF. Christian 'xntrik' Frichot is an application security person who spends his free time trying to avoid computers. Currently working to secure self-driving cars in SF, Christian used to contribute a lot to BeEF, and has helped put together words for The Browser Hacker's Handbook. He's also been fortunate enough to present at wonderful events such as Kiwicon, DEFCON, CactusCon & BSidesSF |
Title | Overwatch Cyber-Espionage Tool |
Abstract | In the last few years we have seen a number of classified documents leaked from Wikileaks. This includes the data dump from the CIA’s entire hacking arsenal, which has been named “Vault 7”. With parts of the dumps redacted and without access to the code base this will apparently make it harder for would-be hackers and governments to mimic the agency’s tools. So being a would-be hacker and always dreaming and wanting my own cyber espionage weapon. This one quote from Charlie Miller constantly ringing in my ears “The difference between script kiddies and professionals is the difference between merely using other people's tools and writing your own.” I will present and demonstrate how I tried to develop my own cyber espionage weapon using “Vault 7” leaks as a development base. I will discuss and demonstrate the development life cycle and how the “Vault 7” leaks helped me determine possible code base and testing metrics. I will show how the leaks allowed me to plan and begin my journey into my own personal cyber espionage weapon. During my presentation I will discuss my requirements and how I tested my new toy in my lab environment (Family & Friends) and then in real world Red Team Assessments, discussing the lessons learnt from real world testing. I will then take the plunge into the dark abyss and after talking the talk, I will walk the walk and demonstrate live, my new espionage weapon. |
Location | Sat 17 1130 @ The Michael Fowler Centre |
Duration | 45 mins |
Name | Wayne |
Origin | AU |
Bio | Wayne has conducted security assessments for a range of leading Australian and international organisations. Wayne has unique expertise in Red Team Assessments, Physical, Digital and Social and has presented to a number of organisations and government departments on the current and future state of the security landscape in Australia and overseas. |
Title | Tracing the Watchers: practical tooling |
Abstract | Everyone knows that listening to the police scanner is legal.* Less well known: every time a radio transmits, encrypted or not, it broadcasts its location to anyone who is listening properly. We know governments use this technique extensively (protip: don't use a satphone in a warzone). In the year 2038, this power devolves to the people. This is a practical introduction, with released code, of a system for publishing realtime multilateration fixes on a map, for a live public safety radio system. Stingray is so 2018. *(in the US, your mileage (kilometerage?) will vary in other countries) |
Location | Sat 17 1330 @ The Michael Fowler Centre |
Duration | 30 mins |
Name | Paul McMillan |
Origin | US |
Bio | Paul McMillan secures clouds for a living. In his spare time, he enjoys cocktails and solving impossible problems. |
Title | Arbitrary code execution, I choose you! |
Abstract | Did you hear about the arbitrary code execution hardware vulnerability in the Nintendo Switch discovered earlier in the year? Pretty major fail by Nintendo, huh? In this talk we’re going to delve into this vulnerability in more detail and look at some other notorious home console security fails over the years from Nintendo, Sega, et al. |
Location | Sat 17 1400 @ The Michael Fowler Centre |
Duration | 15 mins |
Name | Sarah Young |
Origin | AU |
Bio | Sarah is a security architect based in Melbourne who has previously lived and worked in New Zealand, the UK and Europe. In her current role, Sarah helps enterprises move their stuff into the cloud securely. She spends most of her spare time speaking at security conferences in various parts of the world, eating hipster brunches and/or high teas and spending a disproportionate amount of her income on travel. She is still holding out hope that - despite the obvious blockers - either Justin Trudeau or Prince Harry will become her husband one day. |
Title | Mūrere me te haumarutanga |
Abstract | In Kiwicon's first ever father and son bilingual presentation, we will attempt to introduce some of the te reo Māori words for infosec concepts as well as explaining how/why those words were chosen. |
Location | Sat 17 1415 @ The Michael Fowler Centre |
Duration | 15 mins |
Name | Chris Cormack |
Origin | NZ |
Bio | ${ ./sharrow-bio --generate } |
Title | Red Cell - Mimicking Threat Actors for Realistic Responses |
Abstract | Many organisations make use of offensive security exercises to test their security posture - including Google. As part of testing of Google’s Detection and Response capability, engineers undertake a variation of this testing, mimicking the behavior and techniques of real-world, highly sophisticated adversaries. This talk discusses Google’s approach to these exercises, why they’re important, and how other organisations can benefit from this approach. |
Location | Sat 17 1430 @ The Michael Fowler Centre |
Duration | 15 mins |
Name | Brendan Jamieson |
Origin | NZ |
Bio | Brendan Jamieson (@hyprwired) is a Security Engineer at Google, working as part of Sydney’s Detection and Response team. He spends his days developing and maintaining signals, tools, and infrastructure used by the Detection Team, and hunting for sophisticated actors. Prior to Google, he worked as a Senior Security Consultant at Insomnia Security in New Zealand. |
Title | Set Theory for Hackers |
Abstract | Why is your anti-phishing training largely pointless, but some parts of it essential? Why is your network a noxious swamp? Why is remote attestation in all its forms doomed? It's basic maths. |
Location | Sat 17 1445 @ The Michael Fowler Centre |
Duration | 15 mins |
Name | pruby |
Origin | NZ |
Bio | Way back in the sands of time, pruby remembers innocent days of actually building things, when he ended the day with another Rube Goldberg machine for his commercial overlords, and colleagues were full of optimistic hope. Enough nostalgia Tim, get back to driving your wrecking ball. |
Title | Hacking and the law: The year is actually still 1998 |
Abstract | A short précis on the interaction between NZ law and hacking. The theme of the conference is twenty years into the future. The main premise of this talk is that our legal system is still playing catch up, and is stuck at least 20 years in the past. |
Location | Sat 17 1500 @ The Michael Fowler Centre |
Duration | 15 mins |
Name | Felix Geiringer |
Origin | NZ |
Bio | Felix Geiringer is an experienced barrister. He is based in Wellington and known for doing a lot of high profile cases. He recently acted for Nicky Hager in his case against the NZ Police. |
Title | Digital identity: decentralised and self-sovereign |
Abstract | It's 2038, and technology has become ubiquitous, and seamlessly interwoven with human existence. Authentication is a solved problem, your identity is something you control. Definitely gone are the days in which you remembered passwords of increasing complexity in a race against identity thieves, just so you could convince a remote party that a record in their database was in fact about you, every day anew. There aren't many at the pub anymore who "get" jokes about SMS for 2FA, either. The last instance of classical identity theft was decades ago, and machine-learning-backed continuous authentication has even rendered the $5 wrench insufficient. The most recent iterations of the Privacy Act, and the GDPR have finally put the nail in the coffin of data-as-an-asset, especially when relating to the identities of people and machines. Data have been a huge liability since the late 2010s already, and it was only getting worse as autonomous vehicles took to the roads, our homes became electrified with IoT, and artificial intelligences had made industry 4.0 their own. Digital and physical identities had long merged, and any number of factors would come into play whenever you were identified in any given context, virtually, or in meatspace. People no longer had their bank accounts compromised, or phone contracts taken over; Now it was their whole existence on the line. At times there were glimpses of hope around externalizing identity storage to distributed ledgers, such as "the blockchain", hypermeshes, and quantum meta-coils, but those just brought their own sets of problems. What people were quick to realise was that "data on the blockchain" were like herpes (not many people at the pub will remember this joke nowadays, either), and nobody felt comfortable with leaving an indelible trail of themselves out there. "We won't put *actual* data on there", they said. "It'll be fun", they said.
But similar to how there used to be a time when you were worried about employers seeing those party photos on social media, people felt like their own identities were not something that belonged to them anymore, given the way in which distributed ledger technology essentially required system-wide consensus on each and every identity statement you ever wanted to make, not make, change, or remove. Market research has shown that people want sovereignty in being able to identify however they would like in any given context, without the risk to presuppose your identity in one context through choices you've made in another. Furthermore, it became obvious that any concept of centralized (consented, albeit distributed) trust to suit all needs was only ever an illusion, and a shift of the problem into other spheres. Nobody doubts the authority of the several central instances, such as the smart contract handing out your universal base income. Especially if the choice to trust them is yours alone. But your identity is actually fluid, and so much more than any one of those representations of yourself. In this short presentation, I offer an alternative approach to decentralized digital identity I've been involved with (since the late 2010s). We use all the same cutting-edge crypto as everyone else, but we're leaving it up to each and everyone who consumes data to decide whom they'd like to trust. And because the only central entity that ever deals with all your data is yourself, we're placing full control over your identity back into your own hands. |
Location | Sat 17 1515 @ The Michael Fowler Centre |
Duration | 15 mins |
Name | Martin Krafft |
Origin | DE |
Bio | Martin treasures his (and your) privacy, and believes that decentralisation is the next industrial revolution (that is if machine learning ever properly manages to claim 4.0). He loves blockchain, but doesn't regard it as the holy grail. He actually finds projects such as Scuttlebutt much more exciting, and hopes that his girls will grow up in a peer-to-peer digital world, in control of their privacy. He's currently focusing his energy on shaking up the digital identity space currently inhabited by countless BaaS approaches ("blockchain as a solution"). |
Title | The day the carnival came to town |
Abstract | The mid-2018 attempted speaking visit by members of the Canadian alt-right caused Twitter discussions among tens of thousands of accounts. This talk shows the unfolding patterns of influence, identifies features that caused NZers at the time to go "this is not normal", and draws some lessons on how to resist future offshore influence campaigns. |
Location | Sat 17 1530 @ The Michael Fowler Centre |
Duration | 15 mins |
Name | David Hood |
Origin | NZ |
Bio | David Hood is a software trainer and data analyst. To get a sense of him, look at thoughtfulnz on Twitter |
Title | ScRooters - disrupting the electric scooter market |
Abstract | Electric scooter companies have started cropping up all over the US. Competing largely on brand recognition and how many scooters you can fit in a small chunk of public space, are there actually more meaningful differences between the multiple companies all apparently trying to do the same thing? Shocking nobody, the answer is yes. This presentation will explore the APIs provided by multiple vendors, using them to leak information that gives significant insight into the competitive abilities and success of each company. It'll also explore cases where they're probably providing far more information than they should do, including the ability to figure out where people who work for the US government live. And, of course, it'll include an examination of the network and physical security of the devices and discuss whether all the vendors are equivalently competent (spoiler: they're not) |
Location | Sat 17 1545 @ The Michael Fowler Centre |
Duration | 15 mins |
Name | Matthew Garrett |
Origin | GB |
Bio | The important thing that I want people to know about me is that I trust sharrow to write me a bio. |
Title | Testastretta Operetta |
Abstract | Computers are responsible for everything. EVERYTHING. Power plants? Computers. Makin' juice? Also computers. That deep sadness inside IT jerks? 100% computers. Computers are also responsible for hosing gasoline down the throats of Bologna's bright red flagship motorcycles, but does this technology actually improve security? And what does it mean for those of us throwing wrenches at this garbage? This talk is an introduction to the wonderful world of automotive hacking. I've managed to get my filthy mitts on three generations of Testastretta powered Ducati superbike and this talk is going to take a look at the digital voodoo that makes them tick, as well as how the security has progressed over the years. We'll look into the components that make a modern motorcycle go and how to bit-smith them to your nefarious gear-head needs. The talk will cover the various ECU firmware, how the components communicate, how to find 'em, how to reverse 'em and a bunch of fun networking stuff ALA CANBUS and KWP2000. Witness digital sacrifices to the gods of speed in the pursuit of phenomenal cosmic power. Observe the wonders of firmware extraction, protocol reversing and budget-constrained performance tuning. You'll learn about the tools and techniques needed to hack your own automotive junk, precious horsepower will be unlocked and tuning with a hex editor will become second nature. Honest. |
Location | Sat 17 1645 @ The Michael Fowler Centre |
Duration | 30 mins |
Name | DoI |
Origin | NZ |
Bio | DoI is a creature of meat and bone. A pathetic bag of flesh who refuses to cease his meddling. Security consultant bio-automata @ Pulse Security by day, automotive necromancer by night. |
Title | Server Room Selfies: When physical security goes wrong |
Abstract | What if someone could just walk in off the street and physically help themselves to your organisation's most prized assets and information? Physical security is a crucial part of information security, and yet many organisations are blissfully unaware of how vulnerable they are. This talk will cover a few physical security engagements I was involved in - the vulnerabilities we found, some of the tools and techniques we used to exploit them, and the impact this had on the target organisations. Featuring some fairly ridiculous door bypass strategies, a bunch of complete flukes, and a fair bit of nearly getting caught. |
Location | Sat 17 1715 @ The Michael Fowler Centre |
Duration | 30 mins |
Name | Logan Woods |
Origin | NZ |
Bio | Logan is a Security Consultant at Aura Information Security. His speciality is being places he shouldn't, whether it's by picking locks, hiding in toilets, or just outright lying to people. |