Register now!

With a little more than a month to go, it’s time to register for Summercon.

Some notes:

  • We are currently restricted to an absurdly low number of in-person attendees at the Littlefield space. This is in coordination with NYC and New York State COVID restrictions. These regulations are evolving quickly, so more Littlefield tickets may be made available at a later date.
  • If you do elect to attend at Littlefield, you’ll need to prove you’ve been vaccinated two weeks before Summercon, or that you’ve had a negative COVID test within three days of Summercon. If you don’t intend to meet either of these requirements, we ask that you not buy a Littlefield ticket. If you do intend to meet these requirements, but for some reason on gameday are unable to, we’ll refund your ticket (because we understand that life happens).
  • Parklife will be open to the public, with a Summercon simulcast. Frankly, it might be nicer to be outside in the Parklife courtyard for the duration of Summercon.
  • You can also register for the live stream. 

Choose your ticket at eventbrite here

Stay Tuned – We’re Figuring It Out

While there isn’t enough time to shovel a bunch of money out for Summercon 2021 research, we are really excited about being able to fund new research. Thanks for being patient!

WHAT MAKES A GREAT SUMMERCON PRESENTATION?

With the opening of the Summercon 2021 CFP, we thought we’d provide a few friendly tips for what we think makes a great Summercon presentation. These seven points represent the kinds of things that we are evaluating when we look at CFP proposals.

  1. Technical
    • While we occasionally incorporate talks of a non-technical nature, almost every presentation that shows up at Summercon is deeply technical. They’re not sales pitches, and they’re not about righting societal wrongs. So if you’re planning on submitting a talk about why people should buy your company’s particular security snake oil, or why your company has the best culture (and you can too!), you’ll have more success somewhere else.
  2. Novel
    • From time to time, in the interest of getting important content in front of the best audience in the world, we let people present something they’ve already shown at events of lesser stature. But we prefer totally new presentations instead of rehashed talks. New content has a better chance of getting shown on the Summercon stage.
  3. Irreverent
    • While the presentations are technical, successful Summercon presentations get their point across through non-traditional means. This is not the place to read slides. One memorable presentation used an Android-shaped piñata as a prop. Another invited participation through an AA-meeting style format. The sky’s the limit (within the limits of our code of conduct, of course).
  4. Revels in the Journey
    • If you like talking about the trials and tribulations of research, we are all ears. Even though your final results may be super polished and look effortless, everyone knows you had at least three major setbacks and went down two totally worthless paths before you arrived at a good solution. Share those. People love that, especially our speaker selection committee.
  5. Sticks it to The Man
    • Despite all the sponsorships, corporate attendance, and more buttoned-up nature of Summercon (see our Code of Conduct, which is totally reasonable, by the way), we are still, at heart, a hacker conference. Challenge authority. Show you’re not a patsy for The Man. Fight the Power.
  6. Engages the Audience
    • Summercon speakers are a special breed, because Summercon attendees are a special breed. Prepare to have people call out your mistakes, heckle if you’re less than prepared, and generally push your buttons. Successful presentations channel this misplaced audience enthusiasm. We still fondly recall a choose-your-own-adventure presentation, where randomly selected audience members got to dictate the direction of the talk. Engage your audience, and they won’t turn on you. (This can be good life advice, too.)
  7. Fits into the Allocated Time
    • We cannot overstate this: fill the time, generally 45 minutes of speaking with 10 minutes of Q&A. Our speaker selection committee has been around the block, so if you’re going to try to pretend that a six-hour seminar fits into a 55-minute speaking slot, it’s probably not going to get selected.

2021 CFP NOW OPEN

The Summercon 2021 CFP is now officially open!

We’re in a bit of a hurry, so if you have good ideas, you better send ’em over to us right away; [email protected].

OUR CODE OF CONDUCT

It’s been a long, strange year. Since some of us are going to be in the same room together for the first time in eons and might have forgotten about the normal social contract that exists in shared spaces, we’d like to remind everyone of our Code of Conduct.

Many years ago, Summercon published its first real code of conduct. This was kind of a landmark, since the Summercon team has always prided itself on a certain amount of constructive chaos. That early code of conduct looked like this:

If you love anarchy, want to break things, set off fire alarms, or generally behave like a twelve year old, you probably should stay away–even if you are a twelve year old. Especially if you are a twelve year old. It’s not that kind of event, and we’re not that kind of people. Even though we’re a group of hackers, breaking the law is still illegal.

If you’re interested in meeting your peers in the security world, meeting some of the finest people you’ll ever know, putting names to faces, and learning about the latest trends in security analysis, we’d love to see you. Mingle, socialize, make lifelong friendships. That’s what we’re all about.


We still believe in that.

But the world has grown. And while we still love that constructive chaos, we’ve grown a lot, too. We want everyone to have a good time. And because not everyone knows what that means, we’ll be very clear:

Summercon is dedicated to providing a harassment-free conference experience for everyone, regardless of race, color, national origin, religion, age, sex, gender, sexual orientation, or disability. We do not tolerate harassment of conference participants in any form. Sexual language and imagery are not appropriate for conference talks or exhibitors. The conference reserves the right to eject anyone who engages in behavior that is threatening or patently offensive to the community, regardless of whether it occurs at the conference venue, parties, or online.

Conference participants violating our rules may be thrown out of the conference without a refund at the discretion of the conference organizers.

If you are being harassed, notice that someone else is being harassed, or have any other concerns, please contact a member of the conference staff immediately. Anyone wearing a red Summercon Staff shirt is empowered to intervene.

In case you don’t feel comfortable approaching a member of the staff, call us at 720 586-4225 (720 586-HACK) so that you can speak directly with the conference organizers about your concerns.


TL;DR: Not to be all heavy or anything, but top legal minds tell us we should say this: we reserve the right to eject anyone at any time for any reason at the sole discretion of the conference organizers.

Thanks for listening. Sorry if this harshes anyone’s mellow, but it’s easier to have a good time when everyone knows the ground rules. Have fun, everyone!

A New Hope – Save the Date!

This is happening. We are back. In careful coordination with local and state authorities, Summercon 2021 will be a hybrid in-person/virtual event on July 9-10. We’ll once again be at Littlefield (capacity limited), with live simulcast at Parklife and on your favorite internet streaming platforms.

It’s less than 10 weeks away, and frankly none of us thought we’d be allowed to be in the same room ever again, so we’re frantic with excitement about seeing you all again! Stay tuned for updates!

Sponsors

2021 sponsors

Atredis Partners is a research-driven Information Security consultancy. We deliver advanced penetration testing, embedded security research, and cutting edge risk management. Our team is made up of some of the most respected hackers in the information security industry, and we thrive on hacking complicated targets, on time and under budget. Our HQ also happens to be in the birth city of SummerCon, but we’re pretty sure the Best Western in North Saint Louis burned down years ago.

Based in New York City, Flatiron Health is a healthcare technology and services company focused on accelerating cancer research and improving patient care. The company’s platform enables cancer researchers and care providers to learn from the experience of every patient.

The Goldman Sachs Group, Inc. is a leading global financial institution that delivers a broad range of financial services across investment banking, securities, investment management and consumer banking to a large and diversified client base that includes corporations, financial institutions, governments and individuals.

The 21st century has been defined by the stark rise in digital threats, and Goldman Sachs’ cybersecurity analysts are on the front lines of this modern battle. Our teams protect the firm’s clients and the integrity of Goldman Sachs in both an advisory and engineering capacity. Our cybersecurity experts are software architects who develop and implement solutions to monitor and manage cybersecurity risks; security advisors who understand technology at a deep level and help educate the firm’s thousands of engineers on how to implement solutions with security by design; threat analysts who analyze, detect, and respond to cybersecurity threats; and pen testers who identify vulnerabilities before they can be exploited by attackers.

MongoDB is a general purpose, document-based, distributed database built for modern application developers and for the cloud era.

Headquartered in New York, with offices across North America, Europe, and Asia-Pacific, and a workforce that is now mostly remote, we are close to where you do business. MongoDB has more than 26,800 customers in more than 100 countries. The MongoDB database platform has been downloaded over 175 million times and there have been more than 1.5 million MongoDB University registrations.

No database makes you more productive.

Red Balloon Security was founded by Dr. Ang Cui out of Columbia University’s Intrusion Detection Systems Lab in 2011 with its pioneering technology, Symbiote Defense. Today, its R&D has expanded to a team of world-class researchers and developers who continue to publish seminal research papers on embedded security and intrusion detection.

Since its inception, the team at Red Balloon has partnered with the U.S. Department of Defense and Department of Homeland Security, performing on funded research activities and deploying its defensive technologies on a range of critical embedded systems. The company has also ethically disclosed vulnerabilities in hundreds of millions of embedded devices and continues to advance the state of embedded device security as part of its mission.

Most companies find out way too late that they’ve been breached. Thinkst Canary fixes this. They deploy in under 5 minutes and require almost 0 ongoing admin overhead. Find out why they are deployed and loved on all 7 continents!

Randori is your trusted adversary. Our unified attack surface management (ASM) & continuous automated red teaming (CART) platform unlocks the attacker’s perspective helping defenders continuously identify gaps, test their defenses, and bring clarity to cyber risk. Learn more at randori.com.

IncludeSec does the hacks all day, every day: 800+ assessments since 2011. We do software and hardware security assessments in over 28 programming languages. We’ve hacked everything from Python and C to Java and Haskell. Whatever tech you’ve got, we’ve hacked it before!

Gemini builds crypto products that are simple, elegant, and secure. Whether you are an individual or an institution, Gemini wants to help you buy, sell, and store your bitcoin and cryptocurrency.

Data Theorem is a leading provider of modern application security. Its core mission is to analyze and secure any modern application anytime, anywhere. The Data Theorem Analyzer Engine continuously analyzes APIs, Web, Mobile, and Cloud applications in search of security flaws and data privacy gaps. Data Theorem products help organizations prevent AppSec data breaches. The company has detected more than 1 billion application eavesdropping incidents and currently secures more than 8,000 modern applications for its Enterprise customers around the world. Data Theorem is headquartered in Palo Alto, Calif., with offices in New York and Paris.

Tevora is a specialized management consultancy focused on cyber security, risk and compliance services. From our offices in California and New York, we service national and international companies, institutions and governments.

We take a long-term outlook and proactive approach to help clients develop and implement strategies that keep their organizations compliant and their brands safe.

Opening Remarks and Financial Report

John Terrill and Mark Trumpbour

It’s a Summercon tradition: we tell you how we spent the money.

Keeping conferences alive during a pandemic is no small feat. John and Mark will tell you all about the horrible things they did to keep Summercon afloat during the dark days of the past year. This is a story of sweat, tears, devotion, and redemption. Hopefully one of them will sing “I Will Always Love You” to remind us all of their undying love for the hacking community.

The Important People

Sophia d’Antoine

I’m the Olympic CTF coach and we’re bringing the gold back from Tokyo.

@calaquendi44

Justine Bone

As CEO of MedSec, Justine Bone leads a company that conducts vulnerability research on medical devices and health care systems. She has also served as the CISO of Dow Jones and the CSO of Bloomberg LP, among other security posts.

@justinembone

Geoff Chappell

Geoff Chappell is a Summercon alumnus and the author of the Windows programming resource at www.geoffchappell.com, of some articles for PoC||GTFO, and, long ago, of the book “DOS Internals”. He has been reverse engineering since before many attendees were born. He took it up to be a better programmer, but he occasionally moonlights as a security researcher. Some years he does well from being a bit of both. Others he can’t get work as either.

Julian Cohen

As a CISO, Julian is dedicated to building thoughtful and effective security programs based on adversary intelligence with teams of brilliant practitioners.

@hockeyinjune

Dino Dai Zovi

Hacker and aspiring pasta chef.

@dinodaizovi

Ian Roos

The winner of the discount dino lookalike contest 2019 and three-time Summercon co-presenter.

@ian_roos

Joshua Steinman

Joshua Steinman is a former tech support minion turned military officer, turned entrepreneur, who most recently served as Senior Director on the National Security Council, where he spent four years coordinating all cyber, telecommunications, cryptocurrency, and supply chain policy for the United States Government. He is currently building an industrial control systems cybersecurity company. You can find him at @aredangerousmen on Twitter, and blogging at steinman.substack.com. Feel free to ask him about his sock company.

@aredangerousmen

Pete Markowsky

Pete Markowsky is also a computer security professional. His background consists of software engineering with a focus on security tools and automation. His favorite part about bios is that they can be short, because he never knows what to write. Pete is also honored and excited to be presenting at SummerCon.

@petemarkowsky

Brandon Edwards

Brandon Edwards is a computer security professional and general technology enthusiast. His background comprises software security, software engineering, and reverse engineering. His favorite x86 branch instruction is JZ, but his favorite rapper is Nas. Brandon is honored and excited to be presenting at SummerCon.

@drraid

Idan Warsawski

Idan is a software engineer and hardware hacker who can fall asleep better in an airplane seat than in his own bed. His background includes a wide range of experience, from manufacturing and embedded systems to backend development and software security. He recommends you always get the pasta option.

@idanwarsawski

Himanshu Dwivedi

Himanshu Dwivedi is the CEO of Data Theorem, Inc., an application security company focusing on API security (RESTful & GraphQL), mobile apps (iOS & Android), cloud apps (serverless), and single-page web apps (SPAs). Himanshu has been an avid start-up entrepreneur since 1999, when he and three friends started the west coast office of @stake, an information security firm that was later acquired by Symantec. In 2004, Himanshu co-founded iSEC Partners, an application security company that was acquired by the NCC Group in 2010. Himanshu has several publications, including six books (Mobile Application Security, Hacking VoIP, Hacking Exposed: Web 2.0, Hacker’s Challenge 3, Storage Security, and Implementing SSH), and holds one patent (Patent number 7849504). He has also presented at numerous conferences and is a six-time Black Hat speaker. Himanshu received a B.S. from the Carlson School of Management (University of Minnesota), where he was awarded the Tomato Can Loving Cup Award, which is given to the school’s top graduating student.

@hdwivedi

THE LINEUP

FRIDAY, July 9

  • 10:00am: START OF SHENANIGANS
  • 10:45am – 11:00am: OPENING REMARKS AND FINANCIAL REPORT (John Terrill and Mark Trumpbour)
  • 11:00am – 12:00pm: ADVERSARY-BASED THREAT MODELING AND RISK ANALYSIS (Julian Cohen)
  • 12:00pm – 1:00pm: WHO OWNS YOUR KERNEL? (Sophia d’Antoine and Ian Roos)
  • 1:00pm – 2:30pm: Lunch
  • 2:30pm – 3:30pm: EXPLORING THE INSANE WORLD OF AIRLINE GDS SYSTEMS (Idan Warsawski)
  • 3:30pm – 4:30pm: HOW LOW-TECH HACKERS HACK YOUR APIs IN 15 MINUTES OR LESS (Himanshu Dwivedi)
  • 4:30pm – 5:30pm: DEEPER FAKES FOR REAL FRIENDSHIP (Ang Cui & Hans Wu)
  • 5:30pm – 6:00pm: PWNIES AWARDS SEASON KICK-OFF (Pwnies Team)
  • 6:00pm – 7:00pm: HAPPY HOUR presented by GEMINI
  • 7:00pm: END OF SHENANIGANS

SATURDAY, July 10

  • 10:00am: START OF SHENANIGANS
  • 10:45am – 11:00am: BRIEF REMARKS, RECOLLECTIONS OF THE PREVIOUS DAY, AND APOLOGIES (John Terrill and Mark Trumpbour)
  • 11:00am – 12:00pm: WHAT CAN WE KNOW ABOUT WINDOWS SOURCE CODE? (Geoff Chappell)
  • 12:00pm – 1:00pm: HOW A DEATH WISH BECOMES A PART OF PREFERRED QUALITIES FOR AN ELECTION AUDITOR? (Harri Hursti)
  • 1:00pm – 2:00pm: Lunch
  • 2:00pm – 3:00pm: DR. STRANGECODE, OR: HOW I LEARNED TO STOP WORRYING AND TO LOVE THE CLOUD (Dino Dai Zovi)
  • 3:00pm – 4:00pm: BUREAUCRACY HACKING: LESSONS FROM THE NATIONAL SECURITY COUNCIL (Joshua Steinman)
  • 4:00pm – 5:00pm: SOME SECURITY OBSERVATIONS ON GO (Brandon Edwards and Pete Markowsky)
  • 5:00pm – 6:00pm: CLOSING CEREMONIES & TRADITIONAL FLIP CUP (Mark & Crew)
  • 6:00pm – 7:00pm: HAPPY HOUR presented by RANDORI
  • 7:00pm: END OF SHENANIGANS