Pre-Registration Unofficial Pre-PartY

Once again, Canal Bar is rolling out the red carpet, starting at 7pm, for the annual Pre-Registration Unofficial Pre-partY.

Where:
Canal Bar
270 3rd Ave, Brooklyn, NY 11215

When:
Thursday, July 10, 2025
7:00pm until late (they’re open until 4am—so pace yourself)

What’s happening:

  • Get your wristband: Skip the line Friday morning by picking up your registration wristband early.
  • Get your t-shirt: Claim your conference t-shirt before we run out of your size.
  • Get reconnected: This is your chance to catch up with the friends you haven’t seen since last Summercon (or longer).

This is Summercon’s unofficial but very real community hangout before the talks start. No agenda, no ceremony—just good company, cold drinks, and a lot of bad ideas brewing for the weekend.

See you at PUPPY.

AI Hackers: Past Present and Future of Autonomously Finding (and Exploiting) Vulnerabilities

Vlad Ionescu

In this talk we take a brief journey through time to understand how “AIs” have found security bugs from the beginning, up to today, and what the near future holds for attackers and responders alike. You will leave with an understanding of how traditional ML struggled to find impactful bugs, how you can use LLMs today to automate major parts of vulnerability research, and why all of this matters.

Stay Close to the Action at Summercon 2025

We’ve secured a limited block of rooms at the Ace Hotel Brooklyn for Summercon attendees, just minutes from the main venue. These rooms are available at a preferred group rate, but the block expires on June 18, 2025—and when they’re gone, they’re gone.

To book:

Book now to guarantee your stay among fellow hackers, speakers, and partygoers.

Summercon 2025 Media Guidelines for Credentialed Press

A Note from the Summercon Team

We’re glad you’re here.

Summercon exists to bring people together—researchers, engineers, hackers, policymakers, and yes, members of the press—to have the kinds of conversations that move the state of the art forward. That includes members of government and law enforcement who come not just to observe, but to engage.

We believe that the world is better when the people who shape it understand each other. The more clearly we can communicate what’s possible—offensively and defensively—the more honest our conversations become. And make no mistake: what you’ll hear at Summercon doesn’t always fit into neat, public-relations-approved soundbites. Some talks may be provocative. Some demos may raise eyebrows. That’s by design. To defend well, we have to understand how attacks really work.

If you’re a member of the media, you’re not just a recorder—you’re a bridge. And sometimes, to cross that bridge, you may need to drink a beer or three with a table full of hackers. That’s part of how trust forms here.

We ask that you respect the space and the people in it. These guidelines are meant to help.


📛 Press Credentials

  • To request press credentials, email [email protected] with your name, media affiliation, and any relevant contact details or special requests. We’ll do our best to accommodate, but it’s a busy conference—thanks in advance for your patience if we can’t.
  • Credentialed press will receive a clearly marked badge, along with a lanyard and/or high-visibility PRESS vest. Please wear it visibly at all times so attendees can easily identify you.
  • Your press status may also be noted in briefings or internal communications to help others understand who’s in the room.

📷 Photography & Video

  • Attendees who do not wish to be photographed will wear a “NO PHOTOS” lanyard or badge. Please respect this choice.
  • Do not photograph or film people without their knowledge and consent—even in group or candid shots.
  • Recording is prohibited in designated areas, including:
    • Speaker Green Room
    • CTF Spaces
    • Private or Staff-Only Zones

🗣️ Interview Ground Rules

Before you quote anyone, agree with the person you wish to quote on which of these terms applies:

  • On the record: Quote and attribute by name.
  • On background: Quote, but do not attribute by name or affiliation.
  • Off the record: Not for use or publication.

Consent must be explicit, not assumed—especially in a community where many work under pseudonyms or handle sensitive material.

🙈 Respect for Anonymity

  • Many attendees value discretion. Never publish names, photos, or affiliations without permission.
  • Avoid identifying details that could inadvertently “out” someone’s professional role or involvement.

🎥 Commercial Media Equipment & Video Village

  • Use of large gear (tripods, boom mics, lights, etc.) must be approved in advance.
  • We operate a Video Village to help capture and process talks with speaker permission. If you’re hoping to obtain official footage for publication or broadcast, we may be able to help—provided the speaker(s) consent to release.

Contact us before or during the event and we’ll do our best to coordinate access.

✍️ Content & Context

  • We encourage thoughtful, informed reporting. The talks here can be deeply technical, sometimes splashy, occasionally chaotic—but always rooted in real research.
  • Summercon isn’t a press release—it’s a dialogue. Coverage that captures the complexity and nuance of the material will always land better than clickbait.

📞 Questions?

If something isn’t clear, ask us directly. Staff in red shirts can help, or reach out anytime:
📧 [email protected]
📱 720-586-HACK

Colin Ahern

Colin Ahern was appointed by Governor Kathy Hochul in June 2022 as the first Chief Cyber Officer of New York State. In this role, he leads cross-agency efforts to protect New York State from cyber threats and led the development of the state’s first ever cybersecurity strategy. Before joining the state, he helped to stand up and lead New York City’s cyber defense agency and worked in cybersecurity in the financial services industry. He enlisted in the Army reserves after 9/11 and later served on two active duty deployments to Afghanistan as an Army officer. He ended his Army career as a company commander in the Army Cyber Brigade. He has taught at the Columbia University School of International and Public Affairs and the George C. Marshall European Center for Security Studies. He lives with his wife and 2 children in Brooklyn.

Building a Static Analyzer from Scratch

OMAR

GitHub Actions is increasingly becoming a popular tool for organizations to run CI and other automation tasks, and understandably so: it’s easy to use, composable, and has tons of available integrations. Like any technology, though, it comes with security risks and concerns that can be easily overlooked.

Instead of dissecting common Github Actions vulnerabilities, we’ll talk about what makes them the perfect target for static analysis. We’ll talk about the principles behind great static analysis tools, then demonstrate these principles using the tool we wrote specifically to find vulnerabilities in Github Actions.

Cracking DePIN: Decentralized Devices, Centralized Disasters

Guanxing Wen

Decentralized Physical Infrastructure Networks (DePIN) are the latest Web3 hype machine — powering cloud phones, GPU edge nodes, and rendering clients that promise to reshape the internet and reward you in tokens while doing it. But behind all the buzzwords and blockchain dashboards, we found a whole lot of the same old IoT security sins — just with more centralization and a bigger attack surface.

This talk walks through our analysis of three leading DePIN platforms with thousands of globally deployed nodes and billions in market cap. Spoiler: one MQTT command can hijack 62,000+ GPU nodes into a mining botnet. Another lets you backdoor a user’s cloud phone via a backend config that nobody remembered was public. And a rendering client with a $2B market cap? One malicious link = remote shell. Fun times.

We’ll break down each exploit path — from BLE interfaces and path traversal to cloud service misconfigs and full remote compromise — with demos, technical details, and enough “wait, what?” moments to go around. This is the first public teardown of DePIN from the attacker’s perspective, and it paints a messy picture: centralized control, proprietary blobs, and zero disclosure processes hiding behind a token-incentive façade.

Decentralization sounds cool. But when your orchestrator pushes unsigned payloads to 60,000 nodes, it doesn’t matter how many tokens you’re holding. Without open code, real audits, and actual bug bounties, DePIN is sleepwalking into an IoT-style disaster — just with more crypto and bigger GPUs.

Bring your popcorn, and maybe cancel that DePIN investment.

Crash (Exploit) and Burn: How to Lose a Cyber War in 10 Procurement Cycles

Winnona Bernsen

Dive into the broken, bureaucratic, and bizarre world of 0day acquisition. Over the last year, I scraped all of CTFTime, combed through the iSoon leaks, and interviewed over 30 hackers, brokers, policy wonks, and current/former spooks to map how the U.S. and China really acquire offensive capabilities.

Spoiler: China is beating us – underpaying researchers, weaponizing youth Capture-the-Flag leagues, and using vulnerability disclosure laws to create a scary funnel of exploits into their intelligence apparatus. Meanwhile, U.S. agencies cling to stealth over speed, shovel cash at defense primes, and ghost vendors mid-contract.

This talk is a breakdown of China’s terrifyingly efficient cyber-industrial complex, the U.S.’s terrifying bureaucracy around bugs, and the weird vibes of being a VR firm in a geopolitical game of Go, sticking around even though it would probably be easier to ragequit and do smart contract auditing instead. As with any good talk, there will be recommendations at the end, both for governments and for vendors.

If you’ve ever written an exploit, sold one, defended against one, or just screamed into the void about how slow the government is, this talk’s for you.