Summercon 2025 Media Guidelines for Credentialed Press

A Note from the Summercon Team

We’re glad you’re here.

Summercon exists to bring people together—researchers, engineers, hackers, policymakers, and yes, members of the press—to have the kinds of conversations that move the state of the art forward. That includes members of government and law enforcement who come not just to observe, but to engage.

We believe that the world is better when the people who shape it understand each other. The more clearly we can communicate what’s possible—offensively and defensively—the more honest our conversations become. And make no mistake: what you’ll hear at Summercon doesn’t always fit into neat, public-relations-approved soundbites. Some talks may be provocative. Some demos may raise eyebrows. That’s by design. To defend well, we have to understand how attacks really work.

If you’re a member of the media, you’re not just a recorder—you’re a bridge. And sometimes, to cross that bridge, you may need to drink a beer or three with a table full of hackers. That’s part of how trust forms here.

We ask that you respect the space and the people in it. These guidelines are meant to help.


📛 Press Credentials

  • To request press credentials, email [email protected] with your name, media affiliation, and any relevant contact details or special requests. We’ll do our best to accommodate, but it’s a busy conference—thanks in advance for your patience if we can’t.
  • Credentialed press will receive a clearly marked badge, along with a lanyard and/or high-visibility PRESS vest. Please wear it visibly at all times so attendees can easily identify you.
  • Your press status may also be noted in briefings or internal communications to help others understand who’s in the room.

📷 Photography & Video

  • Attendees who do not wish to be photographed will wear a “NO PHOTOS” lanyard or badge. Please respect this choice.
  • Do not photograph or film people without their knowledge and consent—even in group or candid shots.
  • Recording is prohibited in designated areas, including:
    • Speaker Green Room
    • CTF Spaces
    • Private or Staff-Only Zones

🗣️ Interview Ground Rules

Before you quote anyone, agree with that person on which of these terms applies:

  • On the record: Quote and attribute by name.
  • On background: Quote, but do not attribute by name or affiliation.
  • Off the record: Not for use or publication.

Consent must be explicit, not assumed—especially in a community where many work under pseudonyms or handle sensitive material.

🙈 Respect for Anonymity

  • Many attendees value discretion. Never publish names, photos, or affiliations without permission.
  • Avoid identifying details that could inadvertently “out” someone’s professional role or involvement.

🎥 Commercial Media Equipment & Video Village

  • Use of large gear (tripods, boom mics, lights, etc.) must be approved in advance.
  • We operate a Video Village to help capture and process talks with speaker permission. If you’re hoping to obtain official footage for publication or broadcast, we may be able to help—provided the speaker(s) consent to release.

Contact us before or during the event and we’ll do our best to coordinate access.

✍️ Content & Context

  • We encourage thoughtful, informed reporting. The talks here can be deeply technical, sometimes splashy, occasionally chaotic—but always rooted in real research.
  • Summercon isn’t a press release—it’s a dialogue. Coverage that captures the complexity and nuance of the material will always land better than clickbait.

📞 Questions?

If something isn’t clear, ask us directly. Staff in red shirts can help, or reach out anytime:
📧 [email protected]
📱 720-586-HACK

Colin Ahern

Colin Ahern was appointed by Governor Kathy Hochul in June 2022 as the first Chief Cyber Officer of New York State. In this role, he leads cross-agency efforts to protect New York State from cyber threats and led the development of the state’s first-ever cybersecurity strategy. Before joining the state, he helped to stand up and lead New York City’s cyber defense agency and worked in cybersecurity in the financial services industry. He enlisted in the Army Reserve after 9/11 and later served on two active-duty deployments to Afghanistan as an Army officer. He ended his Army career as a company commander in the Army Cyber Brigade. He has taught at the Columbia University School of International and Public Affairs and the George C. Marshall European Center for Security Studies. He lives with his wife and two children in Brooklyn.

Building a Static Analyzer from Scratch

OMAR

GitHub Actions is increasingly popular with organizations for running CI and other automation tasks, and understandably so: workflows are easy to use, composable, and have tons of available integrations. Like any technology, though, they come with security risks and concerns that are easily overlooked.

Instead of dissecting common GitHub Actions vulnerabilities, we’ll talk about what makes them the perfect target for static analysis. We’ll talk about the principles behind great static analysis tools, then demonstrate these principles using the tool we wrote specifically to find vulnerabilities in GitHub Actions.

Cracking DePIN: Decentralized Devices, Centralized Disasters

Guanxing Wen

Decentralized Physical Infrastructure Networks (DePIN) are the latest Web3 hype machine — powering cloud phones, GPU edge nodes, and rendering clients that promise to reshape the internet and reward you in tokens while doing it. But behind all the buzzwords and blockchain dashboards, we found a whole lot of the same old IoT security sins — just with more centralization and a bigger attack surface.

This talk walks through our analysis of three leading DePIN platforms with thousands of globally deployed nodes and billions in market cap. Spoiler: one MQTT command can hijack 62,000+ GPU nodes into a mining botnet. Another lets you backdoor a user’s cloud phone via a backend config that nobody remembered was public. And a rendering client with a $2B market cap? One malicious link = remote shell. Fun times.

We’ll break down each exploit path — from BLE interfaces and path traversal to cloud service misconfigs and full remote compromise — with demos, technical details, and enough “wait, what?” moments to go around. This is the first public teardown of DePIN from the attacker’s perspective, and it paints a messy picture: centralized control, proprietary blobs, and zero disclosure processes hiding behind a token-incentive façade.

Decentralization sounds cool. But when your orchestrator pushes unsigned payloads to 60,000 nodes, it doesn’t matter how many tokens you’re holding. Without open code, real audits, and actual bug bounties, DePIN is sleepwalking into an IoT-style disaster — just with more crypto and bigger GPUs.

Bring your popcorn, and maybe cancel that DePIN investment.

Crash (Exploit) and Burn: How to Lose a Cyber War in 10 Procurement Cycles

Winnona Bernsen

Dive into the broken, bureaucratic, and bizarre world of 0day acquisition. Over the last year, I scraped all of CTFTime, combed through the iSoon leaks, and interviewed over 30 hackers, brokers, policy wonks, and current/former spooks to map how the U.S. and China really acquire offensive capabilities.

Spoiler: China is beating us – underpaying researchers, weaponizing youth Capture-the-Flag leagues, and using vulnerability disclosure laws to create a scary funnel of exploits into their intelligence apparatus. Meanwhile, U.S. agencies cling to stealth over speed, shovel cash at defense primes, and ghost vendors mid-contract.

This talk is a breakdown of China’s terrifyingly efficient cyber-industrial complex, the U.S.’s terrifying bureaucracy around bugs, and the weird vibes of being a VR firm in a geopolitical game of Go, sticking around even though it would probably be easier to ragequit and do smart contract auditing instead. As with any good talk, there will be recommendations at the end, both for governments and for vendors.

If you’ve ever written an exploit, sold one, defended against one, or just screamed into the void about how slow the government is, this talk’s for you.

Detect, Deny, Degrade: Anti-Fingerprinting from the Browser’s POV

Tom Ritter

Browser fingerprinting is the creepy party trick of the internet: change your VPN exit and clean your cookies and websites can still re-identify you. Is it as bad as it seems?

Well, we’ve got the receipts and we know just how unique fingerprinters think you are – and why.

More importantly, we’ll dig into what can actually be done about it when you’re the one on defense. Spoiler: “lie about everything” isn’t a viable strategy, unless you’re also cool with breaking your own browser. The hardest part of anti-fingerprinting isn’t figuring out how to make users less unique – it’s avoiding catastrophic, silent breakage of real-world sites, and even detecting when that breakage happens. Most fingerprinting defenses involve some combination of lying in APIs, randomizing outputs, and overriding user preferences – but every one of those approaches risks pissing off your users _and_ subtly breaking Google Meet.

No browser has performed as detailed a fingerprinting study as ours, and no one but a browser can. Find out why things are both not as bad as you thought they were and much worse. Come for the scary graphs showing how unique people are. Stay for the spicy takes on perverse incentives for browsers…

Audience-driven tangents can include: why it’s harder to exploit Tor Browser than Firefox, what are other browsers doing, ranting about browser fingerprinting sites like browserleaks or panopticlick, and why you shouldn’t enable Tor’s stricter fingerprinting protections that are present in Firefox.

~~Don’t~~ Adjust Your Television Set

Thomas Wilson

Making apps for TVs is hard, so what happens if you install one without running a single line of code? In this talk, we’ll walk through the process of exploring Samsung’s Tizen platform, focusing on low-friction ways to find bugs in the app install surface. Along the way, we’ll look at the surprisingly simple package that gave us shell access, how we broke out of Samsung’s official emulator, and what’s left to uncover. In an environment where even the emulator denies you a shell, we’re taking back the console.

Hacking the Pentagon: A conversation with Jennifer Hay, former director of the Defense Digital Service

Jennifer Hay, with Colin Ahern (moderator)

Jennifer Hay’s nearly 25-year career at the intersection of technology, security, and intelligence culminated in her serving as the last director of the Defense Digital Service before she resigned in protest this April in the face of DOGE. Hear Jennifer’s unparalleled perspective on leading the rapid delivery of critical software and technology in some of the most austere and demanding environments, “hacking” the Pentagon, and how we move forward. Colin Ahern, New York State’s Chief Cyber Officer, moderates.

FOSS and Privacy are Doomed, but maybe we can save it

J. Gdanski

The FOSS/Privacy communities are on a mission, but what if the mission is doomed for no reason other than our inability to get out of our own way? Until the tools that are necessary for us to have both freedom and privacy are ubiquitous and easy to use, we have already lost the fight.

We will review examples of what we are doing wrong, show some examples of what we are doing right, and perhaps plot a path towards a brighter future.

Parasitic Storage: Building RAID on Exposed S3 Buckets

Caleb Gross

We often hear about the risks of S3 buckets that are accidentally made publicly readable (leaked spreadsheets, source code), but what happens when you can also write to those buckets? Sure, you could deface the occasional static site, but let’s think bigger. Why not treat those buckets as free infrastructure and build your own backup service? Hold on, you say—that’s probably unreliable, right? Won’t admins simply delete our files upon discovering them? Perhaps we can mitigate that by using multiple buckets for redundancy! Hmm, this is starting to sound familiar…

Enter RABID: Redundant Array of Buckets of Independent Data. Think RAID, but instead of disks, we’re using exposed bucket storage. Slice a file into chunks, scatter them across dozens of targets, and replicate just enough times to shrug off cleanup scripts. One bucket vanishes? The other replicas still have your back.

This talk explores how parasitic storage holds up in a truly hostile cloud environment. We’ll outline the core challenges with decentralized storage: placing chunks without central coordination and embedding lightweight metadata pointers for rapid lookup. You’ll see how classic RAID concepts and erasure-coding theory translate (and sometimes break) when “drives” can be deleted at any moment. We’ll also touch on parasitic computing, opportunistic caching, and then bring the conversation back to defenders: bucket policies and automated scanners designed to root out rogue backups before they become a problem.

Whether you’re an admin hardening your cloud perimeter, a blue-teamer justifying investment in continuous audits, or a red-teamer looking to push the limits of misconfiguration exploits, you’ll leave with concrete tactics and a newfound respect for just how RABID cloud storage can get.