Author: Milly Kwok

It is once again time to submit your proposals for Summercon presentations.

We admit that we have a lot of latitude in how we schedule speakers, but generally presentations fall into two categories: short (25 minutes), and long (55 minutes).

We tend to favor technical presentations that are geared around offense, but we’re open to all good ideas. Please build in time for spirited Q&A. 

We invite you to review what we look for when selecting a presentation here, but here’s the quick summary:

1. Technical
2. Novel
3. Irreverent
4. Revels in the Journey
5. Sticks it to the Man
6. Engages the Audience
7. Fits into the Allocated Time

Please submit your proposals using our Google Form.

Summercon 2023 will take place once again at Littlefield in Brooklyn. Registration opens on March 1: get your tickets here!

While there isn’t enough time to shovel a bunch of money out for Summercon 2022 research, we are really excited about being able to fund new research. Thanks for being patient!

Research Grant Sponsors

Platinum Sponsors

Gold Sponsors

Silver Sponsors

Research Grant

Platinum Tier

Gold Tier

Silver Tier

Code Property Graphs & joern – simple, precise static code analysis

Claudiu-Vlad Ursache

This talk introduces `kotlin2cpg` – the newest addition to Joern, the platform for robust analysis of source code, byte code and binary code.

First, Code Property Graphs are discussed – what they are, how they look like, why they’re the ideal intermediate representation for cross-language code analysis.

Second, the capabilities of Joern are shown – the interactive shell, its scripting support and the CPGQL query language.

Third, `kotlin2cpg` is put under the microscope – its underlying components are discussed together with the challenges of building a new static analyzer on top of Joern.

There will be a step-by-step guide for building a CPGQL query for a previously-undisclosed bug in a fairly prominent Android application [DISCLOSURE COMING SOON].

Digital Forensics Unchained: Ripping Apart the Old School Rulebook

Emily Wicki

Though she doesn’t want to tell you that you’re doing forensics wrong, you probably are. Emily’s gonna set you straight on a few things, and we can’t wait to hear it.

The Debugging Uncertainty Principle

Jatin Kataria

In this talk, Jatin will be sharing learnings and tools built for investigating low frequency kernel crashes in FreeBSD and discuss how hardware features could be utilized for providing zero-cost triage information in production systems. This Heisenberg bug was initially assumed to be happening due to an interrupt stack corruption but turned out to be a CPU bug. Heisenberg bugs, known for their elusive and unpredictable nature, can be a challenge to identify and fix. Therefore, this bug was difficult to produce and hence remained a mystery for debug invariant FreeBSD builds where integrity checks are enabled throughout the kernel. In order to investigate the bug, Jatin built stack analyzer tools and configured Last Branch Record (LBR) on CPUs and integrated them into the FreeBSD kernel to get CPU control flow information during a page or general protection fault for zero
cost overhead.

Frankly, we’re stunned that this whole thing fits inside of 30 minutes, so listen carefully — it’s gonna go by at light speed!

Hacking the GameCube to Beat Nerds at Smash Bros for Charity

Dan “AltF4” Petro

This is the story of how an AI (SmashBot) can beat professional Melee players on a real Nintendo GameCube (a 22 year old console with no Internet connectivity) in front of an audience of tens of thousands of people who can all interact directly with the game remotely from their browser.

We’ll cover all the technical details behind the Melee speedrun marathon showcase, including gaining arbitrary code execution on the GameCube, all the tooling for writing complex payloads in the dead PowerPC ASM architecture, exfiltrating data off the console, and the custom-built hardware to facilitate it. All so that I can live vicariously through a robot in my fantasies of being a pro Melee player.

Oh, and bring your controller, because you can try to beat SmashBot yourself live on stage too!

Ice Ice Baby: Coppin’ RAM With DIY Cryo-Mechanical Robot

Ang Cui

We present the design and construction of a robot that reliably extracts contents of RAM of modern embedded devices at runtime. We discuss the practical engineering challenges and solutions of adapting the traditional cold-boot attack to non-removable DDR chips commonly found on modern embedded devices. Lastly, we present a practical guide to building your own cryo-mem rig from COTS parts for less than a thousand bucks.

Have you noticed that embedded hardware is getting harder to reverse? BGA chips, massively integrated packages, vertical stackups, encrypted firmware at rest, and a pinch of “no jtag or uart” has become standard fare. While these artifacts do not correlate to material improvements in device security, you can’t prove it because you can’t dump the firmware or debug the hardware. Skip the noise and change up the game. Sometimes it’s easier just to grabbing unencrypted firmware from live RAM. All you have to do is keep the chips at -50C on a running system, pull all the chips off on the same CPU instruction, slap it on an FPGA that sort of respects the DDR state machine without punching a whole in your device, or cause shorts due to condensation, and without freezing your eyebrows off. We’ll show you how to build a robot to do this in an afternoon for about a thousand dollars.

In Memoriam – a Video Presentation

Dear Aloria, we miss you so much. We know you wouldn’t want us to cry, but we can’t promise that we won’t.

Logic for Hackers: the case of incorrectness logic and adversarial reasoning

Julien Vanegue

Typical static analysis for program verification comes with an over-approximate flavor, which considers a superset of program behaviors to guarantee the absence of bugs. This is a problem as spurious behaviors can lead to false positives, the enemy of software developers and security auditors alike. In the last few years, a new kind of formal logic “incorrectness logic” (O’Hearn, POPL’20) introduced under-approximate program analysis, where every bug is guaranteed to be a true positive, at the expense of false negatives, therefore coming as a foundation for the theory of formal bug finding. Such methodology is applied at scale by large software vendors (e.g. Meta) and is more immediately usable in industrial CI/CD pipelines. This talk will introduce under-approximate reasoning to the Summercon crowd, and discuss a recent extension “adversarial logic” (Vanegue, SAS’22) extending incorrectness logic with explicit adversary to formalize the detection of exploit conditions in buggy programs.

Protect Yourself Before You Wreck Yourself

Samantha Davison & Jennifer Leggio

For legal and/or aesthetic reasons, the description of this presentation is not availble. But you won’t want to miss it!

Race Against the Machine: Consumers vs. Bots

Christine Fossaceca

Do you have any beef with online merchants? Maybe you weren’t able to buy a PS5 for months after they were released. Maybe there teardrops on your guitar because Ticketmaster didn’t let you get tickets to Taylor Swift’s Eras Tour. Or maybe you will be too far apart from the Cure because of the latest ticket scandal leaving you empty handed! The common denominator to consumer stress in online sales is directly tied to the uptick in botnets and the scalpers that use them.

Rebecca and Christine are going to shed light on the underground world of online resellers (scalpers) and the botnets they use to gain a competitive advantage when buying merchandise, such as sneakers, concert tickets, GPUs, and even NFTs, edging out legitimate consumers and profiting from the sales of products they didn’t design and music they didn’t create.

This talk will explain what botnets are, how scalpers build them and use them, and then recap some real world examples of botnets being seen in the wild. First we will talk about a cyber attack that no one even knew happened against the Shopify platform, when a scalper botnet broke a popular makeup website during the Shane Dawson and Jeffree Star Conspiracy makeup collection release. No, they didn’t break the internet, a botnet did. Next, Rebecca and Christine will evaluate the veracity of claims that Ticketmaster made in their Senate committee hearing, blaming their ticketing fiascos on “botnet attacks”, and ask the question, “Was the botnet truly scalpers or a just a convenient scapegoat?”

The Ransomware Hunting Team: A Band Of Misfits’ Improbable Crusade To Save The World From Cybercrime

Dan Golden & Renee Dudley

ProPublica journalists Renee Dudley and Daniel Golden, are the authors of “The Ransomware Hunting Team: A Band of Misfits’ Improbable Crusade to Save the World from Cyber-Crime,” published in October 2022 by Farrar Straus, & Giroux to critical acclaim. Among other plaudits, Amazon made it an editor’s choice for non-fiction, and the New York Times called it “brilliant.” In this presentation, Dan and Renee will take us through their narrative, descrive the hunt, talk about some of the moral dilemmas, and share some thoughts about the the future of malware.Book signing to follow; bring your copy or buy one at Summercon! https://us.macmillan.com/books/9780374603304/theransomwarehuntingteam

[REDACTED], a Presentation With an Elaborate Title

Dan Guido and/or [REDACTED}

Dan and the good folks at [REDACTED] have been working on [REDACTED]. and will discuss some of the outcomes of their [REDACTED]. This talk will [REDACTED] your [REDACTED].

Sub 1 Ghz and other radio/side channel attacks

Harri Hursti

Sub 1 GHz attacks are nothing new and SDRs made those a long time ago accessible. Flipper Zero blew this family of attacks into the mainstream consciousness as easy to use and almost no skills required cheap tools. Jailbreaking Quansheng UV-K5 brings in a $20 radio transceiver from 18MHz to 1.3 GHz, so where are we heading?

This Year in Crypto

Nick Sullivan

We swear we have an abstract for this lying around somewhere — but it’s Nick, so you know you’re good.

Tried and True Security Beliefs/Best Practices… Are Wrong

Mudge

Charming, irreverant, and always controversial, Mudge has hot takes. Get ready for a deep cut on so-called “best practices” It’s an honor to welcome him to the Summercon stage.

Why can’t we be friends? Solving the social challenges of application security

Christopher Surage

Application security remains a difficult challenge for organizations to solve. Year after year we are constantly bombarded with new vulnerabilities in products and libraries which we all use. Much of the focus with improving application security revolves around the technical aspects yet the social aspects are widely ignored. This presentation is about the social challenges of application security which security practitioners don’t address, and provide some solutions to those challenges.

Grab Bag with wrappers, cookies, ELFs and injections

John Viega & Brandon Edwards

John and Brandon share a bunch of novel crap they’ve done recently, all of which is either open source, or about to be.

cDc Announcement

Our friends from the Cult of the Dead Cow have a quick announcement. We’re as curious as you are!

Ang Cui

Dr. Ang Cui is the Founder and Chief Scientist of Red Balloon Security, a leading cybersecurity provider and research firm that specializes in the protection of embedded devices across all industries. Ang received his PhD in Computer Science from Columbia University in 2015 and was part of the Intrusion Detection Systems Lab. His doctoral dissertation, titled “Embedded System Security: A Software-based Approach”, focused exclusively on scientific inquiries concerning the exploitation and defense of embedded systems.

Ang is the creator of Firmware Reverse Analysis Konsole (FRAK) and the inventor of Software Symbiote technology, both of which enable pioneering firmware analysis and defense for embedded devices. Since founding Red Balloon Security, backed by Bain Capital Ventures, Ang continues to research and develop new technologies to defend embedded systems against exploitation. He has led development of a portfolio of embedded security solutions to harden device firmware and provide continuous runtime protection and monitoring of device firmware.

Over the course of his research, he has uncovered numerous, critical vulnerabilities within ubiquitous embedded devices such as Cisco routers, HP printers, and Cisco IP phones as well as led research efforts uncovering vulnerabilities on aerospace infrastructure, building automation systems, electrical grid devices, telecommunications equipment, and ATMs. Ang has received various awards on his work on reverse engineering commercial devices and is also the recipient of the Symantec Graduate Fellowship and selected as a DARPA Riser in 2015.

Ang is passionate about creating a team of outstanding researchers, engineers, and executives whose best ideas are enabled by innovation, creativity, and autonomy to solve the most pressing challenges.

According to Wikipedia, Dr. Cui is the Duke of Space!

As of 2023, he also has the longest Summercon bio.

Samantha Davison

@sam_e_davison

Sam Davison is a Security, Privacy, and Trust & Safety leader. She recently joined as the Head of Security at an E-Commerce company. Prior to her current role, Davison served as Director of Trust & Privacy Engineering at Robinhood, building and leading all consumer-facing security, privacy, and trust & safety engineering in addition to offensive security and intelligence functions. Davison has held leadership roles at the Krebs Stamos Group, Lyft, Snap Inc., and Uber where she led efforts with a particular emphasis on behavioral engineering, offensive security, and content moderation. Before working in Silicon Valley, she conducted extensive research on the efficacy of security engagement and co-led a consulting firm that built behavioral-based programs for 15+ Fortune 500 companies. Davison has volunteered throughout her career, lending her expertise to survivors of domestic abuse and election protection efforts.

Renee Dudley

Renee Dudley is a technology reporter at ProPublica. Previously, as an investigative reporter at Reuters, she was named a 2017 Pulitzer Prize finalist for her work uncovering systematic cheating on college admissions tests. She started her career at daily newspapers in South Carolina and New England, and has won numerous journalism honors, including the Eugene S. Pulliam First Amendment Award.

Brandon Edwards

You never see Brandon Edwards and Dr. Raid together. We assume those two have some beef. Weird, they’re both such nice people.

Christine Fossaceca

Christine Fossaceca is an iOS reverse engineer and cybersecurity podcaster, co-creator of HerHax Podcast. She has worked in infosec for 7 years. Christine has the unique interests in both cybersecurity and pop culture to be able to speak to the impact of botnets on consumers.

Dan Golden

Daniel Golden, a senior editor and reporter at ProPublica, has won a Pulitzer Prize and three George Polk Awards. He is the bestselling author of The Price of Admission: How America’s Ruling Class Buys Its Way into Elite Colleges—and Who Gets Left Outside the Gates and Spy Schools: How the CIA, FBI, and Foreign Intelligence Secretly Exploit America’s Universities.

Dan Guido

[REDACTED]

Harri Hursti

Harri Hursti is a world-renowned data security expert, internet visionary, and serial entrepreneur. He began his career as the prodigy behind the first commercial, public email and online forum system in Scandinavia, founded his first company at the age of 13, and went on to co-found EUnet-Finland in his mid- 20s. Today, Harri continues to innovate and find solutions to the world’s most vexing problems. He is considered an authority on uncovering critical problems in electronic voting systems worldwide, but is clearly interested in a wide scope of hacking-related topics.

Jatin Kataria

Jatin Kataria is a security researcher focusing on defensive system technologies. His main security research interests are hardware
security extensions, bootloaders, OS, system services, program and binary analyses. Playing both the role of cat and mouse, he tires of n-days easily and is always looking for new and exciting ELF shenanigans, caching complications, and the Fedex guy who lost his engagement ring.

Jennifer Leggio

@mediaphyter

Jennifer Leggio is a marketing, operational strategy, and communications leader, and a board and VC advisor, with over 23 years of leading high-performing, creative, and data-driven teams. She has held leadership roles at some of the world’s most impactful cybersecurity companies, notably Fortinet, Sourcefire, Flashpoint, and Claroty. She is currently Chief Marketing Officer at Netography. Jennifer has been a frequent speaker, including DEF CON, RSA Conference, Gartner Security Summit, Hack in the Box, and SXSW Interactive, and formerly wrote for ZDNet and Forbes. In her personal time, she immerses herself in creative writing, comedy, and, of all things, horror movies. Jennifer was recognized in 2019 by SC Media as a fierce advocate of ethical marketing programs that focus on facts rather than fear to protect security researchers. She continues to speak out boldly against marketers who use fear, uncertainty, and doubt to try to advance business in the security industry

Mudge

It will probably save you a lot of time to just read this.

Dan “AltF4” Petro

By day, Dan is a Senior Security Engineer at Bishop Fox, focusing on capability development in attack surface discovery. By night, Dan helps out with security at Project Slippi and is the mad scientist of the Melee world, hunting cheaters and banning them.

Nick Sullivan

Nick Sullivan is a technologist known for his expertise in security and cryptography. He has spent time at Apple Inc., making significant contributions to security technologies used in the iPhone and other core systems. Later, as Head of Research at Cloudflare, he played a crucial role in enhancing the company’s encryption and secure network protocols while helping the company publish dozens of peer-reviewed papers and RFCs. Nick is not only a frequent speaker at global tech and security conferences but also volunteers his time on internet standards committees and as a reviewer for academic security conferences, underscoring his commitment to knowledge sharing and collaboration.

Christopher Surage

Christopher Surage is an application security engineer currently working in the financial industry. He has been working in application security for the last 10 years in a variety of industries (finance, consulting, technology). He enjoys learning about different technologies and the potential security implications of their usage. He also enjoys learning how things work.

Claudiu-Vlad Ursache

Claudiu-Vlad a core developer on the code analysis platform Joern, author of kotlin2cpg. he has been an engineer for 15 years, switched to security three years ago focusing on static analysis. When it comes to research work – he’s managed to break into consumer-grade routers (and spoke about it at No Hat Conference 2021), and more recently found vulnerabilities in Android apps of prominent publications.

Julien Vanegue

Julien Vanegue is a security researcher living in New York City who enjoys applying his logic knowledge to offense and defense.

John Viega

John Viega has done a bunch of things that people either loved or hated. He co-developed the most common cipher mode (AES-GCM), wrote the first book for developers on security, did the first two static analysis tools for security, and, before he discovered security, wrote the Mailman mailing list manager. He is co-founder and CEO of Crash Override, and was co-founder and CEO of Capsule8 prior to that.

Emily Wicki

Emily is a prominent member of the NYC digital forensics community, works for a very famous financial institution, and, in her spare time, helps Summercon wrangle sponsors.