Presentations

  • Hacking the Pentagon: A conversation with Jennifer Hay, former director of the Defense Digital Service

    Jennifer Hay, with Colin Ahern (moderator)

    Jennifer Hay’s nearly 25-year career at the intersection of technology, security, and intelligence culminated with her as the last director of the Defense Digital Service before she resigned in protest this April in the face of DOGE. Hear from Jennifer’s unparalleled perspective on leading the rapid delivery of critical software and technology in some of the most austere and demanding environments, “hacking” the Pentagon, and how we move forward. Colin Ahern, New York State’s Chief Cyber Officer, moderates.

  • Building a Static Analyzer from Scratch

    OMAR

    GitHub Actions is increasingly becoming a popular tool for organizations to run CI and other automation tasks, and understandably so: they’re easy to use, composable, and have tons of available integrations. Like with any technology though, they come with security risks and concerns that can be easily overlooked.

    Instead of dissecting common GitHub Actions vulnerabilities, we’ll talk about what makes them the perfect target for static analysis. We’ll talk about the principles behind great static analysis tools, then demonstrate these principles using the tool we wrote specifically to find vulnerabilities in GitHub Actions.

  • Cracking DePIN: Decentralized Devices, Centralized Disasters

    Guanxing Wen

    Decentralized Physical Infrastructure Networks (DePIN) are the latest Web3 hype machine — powering cloud phones, GPU edge nodes, and rendering clients that promise to reshape the internet and reward you in tokens while doing it. But behind all the buzzwords and blockchain dashboards, we found a whole lot of the same old IoT security sins — just with more centralization and a bigger attack surface.

    This talk walks through our analysis of three leading DePIN platforms with thousands of globally deployed nodes and billions in market cap. Spoiler: one MQTT command can hijack 62,000+ GPU nodes into a mining botnet. Another lets you backdoor a user’s cloud phone via a backend config that nobody remembered was public. And a rendering client with a $2B market cap? One malicious link = remote shell. Fun times.

    We’ll break down each exploit path — from BLE interfaces and path traversal to cloud service misconfigs and full remote compromise — with demos, technical details, and enough “wait, what?” moments to go around. This is the first public teardown of DePIN from the attacker’s perspective, and it paints a messy picture: centralized control, proprietary blobs, and zero disclosure processes hiding behind a token-incentive façade.

    Decentralization sounds cool. But when your orchestrator pushes unsigned payloads to 60,000 nodes, it doesn’t matter how many tokens you’re holding. Without open code, real audits, and actual bug bounties, DePIN is sleepwalking into an IoT-style disaster — just with more crypto and bigger GPUs.

    Bring your popcorn, and maybe cancel that DePIN investment.

  • Crash (Exploit) and Burn: How to Lose a Cyber War in 10 Procurement Cycles

    Winnona Bernsen

    Dive into the broken, bureaucratic, and bizarre world of 0day acquisition. Over the last year, I scraped all of CTFTime, combed through the iSoon leaks, and interviewed over 30 hackers, brokers, policy wonks, and current/former spooks to map how the U.S. and China really acquire offensive capabilities.

    Spoiler: China is beating us – underpaying researchers, weaponizing youth Capture-the-Flag leagues, and using vulnerability disclosure laws to create a scary funnel of exploits into their intelligence apparatus. Meanwhile, U.S. agencies cling to stealth over speed, shovel cash at defense primes, and ghost vendors mid-contract.

    This talk is a breakdown of China’s terrifyingly efficient cyber-industrial complex, the U.S.’s terrifying bureaucracy around bugs, and the weird vibes of being a VR firm in a geopolitical game of Go, sticking around even though it would probably be easier to ragequit and do smart contract auditing instead. As with any good talk, there will be recommendations at the end, both for governments and for vendors.

    If you’ve ever written an exploit, sold one, defended against one, or just screamed into the void about how slow the government is, this talk’s for you.

  • Detect, Deny, Degrade: Anti-Fingerprinting from the Browser’s POV

    Tom Ritter

    Browser fingerprinting is the creepy party trick of the internet: change your VPN exit and clean your cookies and websites can still re-identify you. Is it as bad as it seems?

    Well, we’ve got the receipts and we know just how unique fingerprinters think you are – and why.

    More importantly, we’ll dig into what can actually be done about it when you’re the one on defense. Spoiler: “lie about everything” isn’t a viable strategy, unless you’re also cool with breaking your own browser. The hardest part of anti-fingerprinting isn’t figuring out how to make users less unique – it’s avoiding catastrophic, silent breakage of real-world sites, and even detecting when that breakage happens. Most fingerprinting defenses involve some combination of lying in APIs, randomizing outputs, and overriding user preferences – but every one of those approaches risks pissing off your users _and_ subtly breaking Google Meet.

    No browser has performed as detailed a fingerprinting study as ours, and no one but a browser can. Find out why things are both not as bad as you thought they were and much worse. Come for the scary graphs showing how unique people are. Stay for the spicy takes on perverse incentives for browsers…

    Audience-driven tangents can include: why it’s harder to exploit Tor Browser than Firefox, what are other browsers doing, ranting about browser fingerprinting sites like browserleaks or panopticlick, and why you shouldn’t enable Tor’s stricter fingerprinting protections that are present in Firefox.

  • ~~Don’t~~ Adjust Your Television Set

    Thomas Wilson

    Making apps for TVs is hard, so what happens if you install one without running a single line of code? In this talk, we’ll walk through the process of exploring Samsung’s Tizen platform, focusing on low-friction ways to find bugs in the app install surface. Along the way, we’ll look at the surprisingly simple package that gave us shell access, how we broke out of Samsung’s official emulator, and what’s left to uncover. In an environment where even the emulator denies you a shell, we’re taking back the console.

  • FOSS and Privacy are Doomed, but maybe we can save it

    J. Gdanski

    The FOSS/Privacy communities are on a mission, but what if the mission is doomed for no reason other than our inability to get out of our own way? Until the tools that are necessary for us to have both freedom and privacy are ubiquitous and easy to use we have already lost the fight.

    We will review examples of what we are doing wrong, show some examples of what we are doing right, and perhaps plot a path towards a brighter future.

  • Parasitic Storage: Building RAID on Exposed S3 Buckets

    Caleb Gross

    We often hear about the risks of S3 buckets that are accidentally made publicly readable (leaked spreadsheets, source code), but what happens when you can also write to those buckets? Sure, you could deface the occasional static site, but let’s think bigger. Why not treat those buckets as free infrastructure and build your own backup service? Hold on, you say—that’s probably unreliable, right? Won’t admins simply delete our files upon discovering them? Perhaps we can mitigate that by using multiple buckets for redundancy! Hmm, this is starting to sound familiar…

    Enter RABID: Redundant Array of Buckets of Independent Data. Think RAID, but instead of disks, we’re using exposed bucket storage. Slice a file into chunks, scatter them across dozens of targets, and replicate just enough times to shrug off cleanup scripts. One bucket vanishes? The other replicas still have your back.

    This talk explores how parasitic storage holds up in a truly hostile cloud environment. We’ll outline the core challenges with decentralized storage: placing chunks without central coordination and embedding lightweight metadata pointers for rapid lookup. You’ll see how classic RAID concepts and erasure-coding theory translate (and sometimes break) when “drives” can be deleted at any moment. We’ll also touch on parasitic computing, opportunistic caching, and then bring the conversation back to defenders: bucket policies and automated scanners designed to root out rogue backups before they become a problem.

    Whether you’re an admin hardening your cloud perimeter, a blue-teamer justifying investment in continuous audits, or a red-teamer looking to push the limits of misconfiguration exploits, you’ll leave with concrete tactics and a newfound respect for just how RABID cloud storage can get.

  • Triumphs and Travails of Time-Traveling Tooling

    Mark Griffin

    Time-Traveling Debugging (TTD) is so much more than just adding an undo button to your normal debugger, but without the appropriate tools and mindset, we risk approaching TTD thinking like Marty McFly instead of a four-dimensional super-alien.

    This talk will focus on unlocking the true power of TTD through scripting and clarifying visuals. We’ll start by giving a brief technical foundation of what TTD really is and how it works, what tooling is available on different platforms, and the basics of how you can get started experimenting with it.

    Then we’ll move on to the meat of the talk: sharing some of the power user workflows and tools that help us wrap our heads around the capabilities of TTD. We’ll dive into some of our favorite visuals that can help us understand what’s going on when debugging, giving us liberation instead of feeling like we’re stuck building a ship in a bottle with standard debugging tools. We’ll also show how little improvements really add up in terms of ergonomics and speed when debugging or reversing code, and spending a little extra time scripting or getting to know one’s tools can really pay off.

    But we’ll also share the downsides and hardships of a potential time-traveler: the platform-specific nonsense, inconvenient APIs and workflows, and the difficulty of having to script and debug our own tools… but by the end of the talk we’ll see the beginnings of tooling that can help us understand code like a planeswalker, saving our time, even if it can’t save our timeline.