Hacker Summer Camp 2018

August. When Europe goes on holiday, the UK suffers a heatwave (anything over 26 celcius) and many descend into Las Vegas to pay obscene amounts for drinks, coffee and spend time learning, scheming, tinkering, socialising and generally getting up to no good at Blackhat and Defcon.

It's a rite of passage for many hackers, criminals, law enforcement agents, intelligence agents and anyone else keen on infosec and the world of hacking, and I'm painfully aware that I've not had a chance to write up my personal talk choices for this years event. This years USA selection process was hard. I've said it before, the Review Board spend a considerable amount of time reviewing each submission, chatting about them on the hour long calls and determining who gets through. I spent over 20 hours on conference calls for each of the tracks I was involved in.

The best part of this is I'm the dumbest guy in the room. Literally, spending hours speaking to people I respect and look up to is a huge perk of this job. You get to understand different views from many who've been there and done it. We joked, we argued, we arm restled and in the end chose what we felt was the cream of the crop. Let me drive home one key point: there was more than enough content to make a second Blackhat USA conference. Seriously, there level of work and submissions was impressive and that's a good sign for our industry.

So with me getting ready to escape the heat of Europe and head into the desert, who am I looking forward to seeing? (again, personal choice, not the views of blah blah, you get know what I mean!)

Our Keynote Speaker

I'm excited, seriously, that Parisa Tabriz (Director of Engineering at Google, also a key figure in ensuring Google Chrome remains safe, so yeah, no mean feat there) is keynoting this year. I'm a big fan of Parisa and what she has plans on talking about will resonate with many in the audience

"So, how do you actually make technology in complex landscapes safer, at scale?"

A good question and one I'm personally heavily involved in with Santander. This will set the stage for everyone and Parisa comes at this from experience, so if you are coming, grab a good seat early.

Briefings

The cool thing about the Review Board job is that you get to see the trends in computer security research. From the web app layer being really popular years ago (now a baron wasteland) to the rise of complex hardware bugs in CPU's now coming at us like buses. It's fascinating to see what the community spends their time on and how those ideas come to fruition.

Firstly Mr Beer has one of those brains you wish you'd have. His ability to find bugs is second to none and as such, works for Google finding them. What I like about his talk is that iOS is a solid OS and in recent years, efforts by Apple have made it harder to find serious flaws (not impossible but harder). Ian's efforts here delve into his process and it should be a huge learning process for anyone involved in the same field. I'll be there, trying to understand where I went wrong.

Hang on, let's get this right?. Joe and Nicolas both work for Microsoft and want to explain how people can find bugs and make lots of cash in the process? This is a significant shift in approach and I applaud Microsoft for adopting this (one could argue that it does benefit them and yes it does, but it also benefits the bug hunter and the end user, so win win right?).

Not much else to say here, this will be a busy talk.

Machine Learn ALL THE TINGS!

If you can imagine how many submissions we had to go through where it was ML/AI $ just because, well why not? Machine Learning is all the rage and I'm sure many of you have been inundated by account managers professing why their solution will solve all your IT issues. Thing is, as Raffael will explain, not all should be trusted. This tak has the potential to be used as a reference talk in years to come. I'll be in the front row.

When Rowhammer came out, I'm sure I wasn't alone when I muttered 'ok, wow, i mean....'. It was that good. Google's Project Zero (Mark and Thomas (Halvar) wrote a great blog post explaining what they did and their insight and generally this was the start of bugs where fixing it was a lot harder than many thought. This talk should be super fascinating.

I like Chris and Charlie. They are my Eminem in of Infosec. They bring about a way of explaining their work that appeals to many non-hacker types and that speaks volumes to me. This talk isn't about pwning a car, but their work in making sure it is safe. Yes please, just no dodgy tracksuits guys.

One of the things I look for in a talk is something the attendee can walk away with and use the following day at work. This talk has it in abundance. How did tech giants like Google, Microsoft and Apple deal with Meltdown and Spectre? what did they do right and badly? What can you learn from this?

With everyone getting popped like mad and more serious vulns coming out on a more regular basis, this talk should be a belter.

You had me at ATM's (funny that, considering my day job).

Thomas is one chap I am increasingly in awe of. I saw his talk at CCC over Christmas and the way he describes his process is both enlightening and inspiring. I've been privy to his research and whilst this is for ICS, anyone interested in hardware hacking will learn lots. Go and attend and take notes!

I headed up this years Community track and I couldnt have been more honoured to do so. This is an area of our industry we dont talk about enough, and it was high time to change that. PTSD is real, I know many who suffer from it and Joe's talk, for me, cannot come sooner.

When you hear your mum talk about bots, you know our world is very much becoming normal. Bots this, bot's that, DAMN RUSSIANS...

Jordan and Olabode's talk delve into the ugly world of Twitter bots and how PSYOPS and disinformation campaigns are now more frequently used then ever before.

Holy crap, something new in the Web app world! Who doesn't use caching servers when dealing with large amounts of data? This is some solid work by Louis, backed up with facts and I will be there like a fanboi.

Firstly, winning Pwn2Own is not easy, especially with zero clicks. Marco, Muqing and Tianyi did just that in 2017 and for that reason alone, this talk will be fascinating (I mean they could have made so much more selling this to someone like NSO group but didn't)

My boy Pat. Not only does he present incredibly well (amazing slides, articulates well), but his research is top notch. This talk will be entertaining and educational.

Anything that sheds light on Mobile Point of Sale (mPOS) terminals gets a thumbs up from me. Leigh-Anne is a rising star in Infosec and her and Tim have put some serious effort into this, so it should be a great talk.

This talk, where do you start? Processors have taken a beating recently and then Christopher comes along and slaps them. This talk generated a lot of good chatter in our review call and will be fascinating to watch. Go and attend and work out how the hell you defend against this.

Here's the thing. Many come to Vegas to get utterly battered at the free booze events. Substance abuse in Infosec is bad, I've lost a fair few friends due to it and it's more widespread than many want to admit. Jamie's personal experience here is welcome and the more we do to shed light on this ugly side, the better.

And on the back of substance abuse, another ugly side of this. Some of our 'rockstars' were anything but. Makenzie's message will be key for anyone hosting an event, how do you stop this and support others?

I loved Duo when this came out, bug was cool and it affected so many, so glad Kelby will be doing a deep dive into SAML and SSO.

Lawrence suprised me with this one. It comes at it from a different angle and I like that. We talk about supply-chain issues (and rightly so, they are huge and will only get worse). What Lawrence does right here is that he spoke to people in both developed and developing countries and about corruption and other old-school tactics that can, and are, used today in IT. This should be enlightening.

My final talk recommendation, and a subject I love. Altaf and Ravishankar know their LTE and this research is bloody impressive. From a privacy perspective, LTE was billed as more secure, well...

There are many many more talks that excite me, but I'm also realistic that it's not feasible to include all in this article. I'm really looking forward to trying to see all of them, but as with all things Vegas, a timetable and schedule means nothing in Las Vegas.

See you in Sin City