Summercon is one of the oldest hacker conventions, and the longest running such conference in America. It helped set a precedent for more modern “cons” such as H.O.P.E. and DEF CON, although it has remained smaller and more personal. Summercon has been hosted in cities such as Pittsburgh, St. Louis, Atlanta, New York, Washington, D.C., Austin, Las Vegas, and Amsterdam.
In case you couldn’t get in via Zoom, or just forgot to register (and now you can’t), we’re live on YouTube. Join us!
Want to help out? Since we’re a free event, we’ve decided to take a crack at defrayingsome of our expenses by hawking Summercon 2020 t-shirts. 25% of proceeds go to the Littlefield Relief Fund, 25% to Girls Who Code, and 50% to The Summercon Foundation to help replenish the endowment that we’ve had to tap into for Summercon 2020.
Just because Summercon 2020 is a remote event this year, we feel the need to remind everyone that we still have a code of conduct. So let’s refresh our memories, shall we?
Many years ago, Summercon published its first real code of conduct. This was kind of a landmark, since the Summercon has always prided itself on a certain amount of constructive chaos. That early code of conduct looked like this:
If you love anarchy, want to break things, set off fire alarms, or generally behave like a twelve year old, you probably should stay away–even if you are a twelve year old. Especially if you are a twelve year old. It’s not that kind of event, and we’re not those kind of people. Even though we’re a group of hackers, breaking the law is still illegal.
If you’re interested in meeting your peers in the security world, meeting some of the finest people you’ll ever know, putting names to faces, and learning about the latest trends in security analysis, we’d love to see you. Mingle, socialize, make lifelong friendships. That’s what we’re all about.
We still believe in that.
But the world has grown. And while we still love that constructive chaos, we’ve grown a lot, too. We want everyone to have a good time. And because not everyone knows what that means, we’ll be very clear:
Summercon is dedicated to providing a harassment-free conference experience for everyone, regardless of race, color, national origin, religion, age, sex, gender, sexual orientation, or disability. We do not tolerate harassment of conference participants in any form. Sexual language and imagery is not appropriate for conference talks or exhibitors. The conference reserves the right to eject anyone who engages in behavior that is threatening or patently offensive to the community, regardless of whether it occurs at the conference venue, parties, or online.
Conference participants violating our rules may be thrown out of the conference without a refund at the discretion of the conference organizers.
If you are being harassed, notice that someone else is being harassed, or have any other concerns, please contact a member of the conference staff immediately. Anyone wearing a red Summercon Staff shirt is empowered to intervene.
In case you don’t feel comfortable approaching a member of the staff, call us at 720 586-4225 (720 586-HACK) so that you can speak directly with the conference organizers about your concerns.
TL;DR: Not to be all heavy or anything, but top legal minds tell us we should say this: we reserve the right to eject anyone at any time for any reason at the sole discretion of the conference organizers. Have fun, everyone!
SATURDAY, JUNE 13, 2020
START OF BROADCAST
John Terrill and Mark Trumpbour
12:00pm – 12:15pm
12:15pm – 1:00pm
Sophia d’Antoine & Ian Roos
1:05pm – 1:50pm
Elizabeth Wharton & Suchi Pahi
1:55pm – 2:40pm
2:45pm – 3:30pm
3:35pm – 4:25pm
The LaBac Collective
4:30pm – 5:15pm
Brandon Edwards & Nick Freeman
5:20pm – 6:05pm
6:05pm – 6:20pm
A Stack of Busticati
6:20pm – 6:45pm
6:45pm – 7:00pm
END OF BROADCAST
NO SPONSORS THIS YEAR. SEE YOU IN 2021!
Bishop Fox is the largest private professional services firm focused on offensive security testing. Since 2005, the firm has provided security consulting services to the world’s leading organizations — working with over 25% of the Fortune 100 — to help secure their products, applications, networks, and cloud with penetration testing and security assessments. The company is headquartered in Phoenix, AZ and has offices in Atlanta, GA; San Francisco, CA; New York, NY; and Barcelona, Spain.
4th party collections of Close Access Operations… and more
Here’s how David describes his presentation:
“My whole career I have been fascinated with proximity based attacks with vectors like WiFi or Bluetooth. In recent years companies and entrepreneurs have started selling hardware best used for operations to gain access to things close by. I’m in heaven for commercially available professional grade implants and other tools that require physical access. Come learn the lessons I did and what gaps exist as well.”
A tale of bots, fraud, 347,200 unused SIM cards and 474 iPhones
Sophia d’Antoine and Ian Roos
SIM Cards are clunky and take a while to swap out. That’s really frustrating, why don’t we build an array of activated SIM cards and a hardware device to swap the phone over to a new card quickly and easily. Kinda like a KVM but for SIM cards? Wow what a great idea – oh shoot it’s a fuzzer too? Could someone use this to build better SIM card malware? SIM Cards are a historically overlooked piece of equipment that have been unappreciated by mobile phone assailants for far too long. In this talk we explore SIM cards as an attack vector, delve into the quiet history of SIM exploitation, and take a look at future techniques for attacking this tragically forgotten piece of equipment.
Unmasking the Avengers
Elizabeth Wharton and Suchi Pahi
No longer solely for use by protestors or comic book characters, facial recognition algorithms are racing to adjust for the increased use of facial masks in public. Caught up between protests and COVID are cellular data and biometric data sets, shared with and utilized by law enforcement in often unintended ways. A growing number of public/private partnerships are providing law enforcement access to large data pools. Information that in some cases is incorrect. Your voice may be your password, but what happens when it’s your face and there’s a data breach or the data is wrong. We’ll take a deeper dive into how privately collected location sharing and facial recognition data is being increasingly leveraged by government and law enforcement.
Exploiting Sexual Exploitation: How to punch abusers in the virtual face
The LaBac Collective
Online sexual harassment is one of the most overlooked crimes on both the interwebs and irl. Victims need help, and way fewer resources exist to support them. From cyberstalking cases, to revenge porn posts to deepnude takedowns, LaBac helps victims of abuse defend and prevent targeted attacks.
This talk details our crew’s efforts to flip the table against online abusers. We will outline various tactics used against historical targets, such as technical attacks and policy exploits. We’ll also discuss how you can help punch these abusers in the virtual face.
Back to the Backdoor Factory
The Backdoor Factory was a classic tool that injected shellcode into downloaded binaries from a man-in-the-middle attack. We’ve spent a year completely rewriting this in Go as a set of binary modification libraries that you can use in your own code! Join us as we take a tour of the new Backdoor Factory and its expanded capabilities.
Wassenaar You Serious? A Fireside Chat About Exploit Regulation
Katie Moussouris with Ryan Naraine
Join Katie Moussouris and Ryan Naraine for a fireside chat about export controls rearing their ugly heads yet again. We’ll discuss a real-life scenario in which Katie nearly found herself facilitating an illegal international cyber arms deal or three in the Middle East, and how security researchers and even defense-oriented companies can find themselves in hot water when it comes to export control of cyber weapons.
Compendium of Container Escapes
Brandon Edwards and Nick Freeman
Containers are a hot topic, and there’s lots of technical nuance around their operation. In this presentation we will cover vectors and themes for container escapes, from incorrect engine operation, to misconfiguration, to good ol’ fashioned kernel exploitation. So if you’ve ever browsed syzbot output and thought “gee, this one looks easy to trigger, could I get out of a container with it?” (the answer is probably yes), tune in to our talk!
It’s the most important award bestowed by the information security community. When you’ve won a Pwnie, you’ll know you’ve earned it, because your peers, the people who really know infosec, fellow leaders and winners of this prestigious award, chose you.
Let’s kick off the summer security season by opening the Pwnies nominations!
As CEO of MedSec, Justine Bone leads a company that conducts vulnerability research on medical devices and health care systems. She has also served as the CISO of Dow Jones and the CSO of Bloomberg LP, among other security posts.
I’m the olympic CTF coach and we’re bringing the gold back from Tokyo.
Brandon Edwards is a hacker, Summercon attendee and occasional speaker, who works on a team hacking and hardening Linux at Capsule8. He’s excited and honored to be involved in presenting this year, to be part of carrying Summercon onward through the pandemic.
Nick is part of the Capsule8 research team, where he finds new and unusual ways to misuse (and detect misuse) of Linux systems.
The Labac Collective
LaBac is a hacker collective combatting tech-enabled abuse. LaBac serves on the NYC Cyber Sexual Assault Taskforce, a city-wide initiative dedicated to fighting online sexual exploitation. The LaBac collective curates the Museum of Modern Malware at DEFCON.
David Maynor leads the Centurylink Black Lotus Labs Analysis team. Mr. Maynor builds relationships with key organization and intelligence partners, proactively hunting for and disrupting advanced adversaries. Mr. Maynor is an entrepreneur and technical expert with over 20 years experience in research, systems, offensive consulting, and a variety of other security related positions in the private sector.
Katie Moussouris is the founder and CEO of, Luta Security, a company specializing in creating robust vulnerability disclosure and bug bounty programs. Ms. Moussouris has testified as an expert on bug bounties and the labor market for security research for the US Senate, and has also been called upon for European Parliament hearings on dual-use technology. She created Microsoft’s and the Pentagon’s first bug bounty programs. She was later invited by the US State Department to help renegotiate the Wassenaar Arrangement, during which she successfully helped change the export control language to include technical exemptions for vulnerability disclosure and incident response. She is a coauthor of an economic research paper on the labor market for bugs, published as a book chapter by MIT Press in 2017, and presented on the first system dynamics model of the vulnerability economy and exploit market in 2015, as part of her academic work as a visiting scholar at MIT Sloan School. She is also an author and co-editor of standards ISO 29147 Vulnerability disclosure and ISO 30111 Vulnerability handling processes.
Suchi Pahi is a data privacy and cybersecurity lawyer. She was supposed to be a doctor but instead wound up in law school arguing about the CFAA. After years of cybersecurity firefighting on behalf of clients at a law firm, Suchi is currently Director of Privacy and Business Affairs at Rally Health, Inc.
Security researcher at Margin Research.
Internally: screaming about security.
Externally screaming about security.
Eternal caffeine addict and literally ran out of coffee this morning.
Elizabeth (Liz) Wharton is a technology-focused business and public policy attorney who has advised researchers, startups, and policymakers at the federal, state, and local level. She is the Chief of Staff at SCYTHE as well as a member of the Technology & Innovation Council with Business Executives for National Security and a member of the DEFCON CFP Review Board. In addition to serving as the former technology attorney for the World’s Busiest Airport, she also hosted the “Buzz Off with Lawyer Liz” podcast.
We tried to hold out as long as we could, but due to the realities of the COVID-19 pandemic and its impacts on our beloved New York City, there is simply no responsible way that we can squeeze everyone into Littlefield for Summercon 2020. (We also don’t expect state and local authorities to permit any gatherings of more than 50 people.) So we’re forced to pull the plug on our in-person event.
From a logistical perspective, this means that we’re working with EventBrite to issue full refunds to everyone who bought a ticket. You will see a refund in a few days. Thanks for being patient, and sorry it took us so long to initiate this process. We are, at heart, optimists, and thought we might be able to do this after all. We were wrong.
But just because we can’t be together doesn’t mean we can’t get together. We’ll be announcing details in the next few days of a grand, chaotic, true-to-our-roots virtual event. So even though the novel coronavirus doesn’t want us to come assemble in Brooklyn this year, we’ll still do something exciting, occasionally ridiculous, funny, weird, and memorable. In short, it will be Summercon.
It will also be free. Free (as in beer).
And then onto next year. Once the coast is clear, we’ are committed to gathering at Littlefield again, where we will think back to these profoundly weird times and remember just how insane it got in New York. Until that day, we’ll see you at Virtual Summercon 2020!