Hacker Summer Camp 2024
Red Rock Canyon, Nevada © Daniel Cuthbert

In the sweltering heat of a 2024 Las Vegas summer, a place where the neon lights burn brighter than the desert sun, I embarked on a journey unlike any other. This wasn't a quest for ancient relics or lost civilizations, but a pilgrimage to the hacker summer camp, a gathering of the world's most ingenious minds in cybersecurity.

Here, amidst the flashing lights and the cacophony of slot machines, we sought to unearth vulnerabilities hidden within the digital sands, to secure the fortresses of cyberspace, and to forge connections in a realm where technology and intellect intersected.

Modern day Indy's, donning fedoras and looking for lost cultures and new vulnerabilities...

With so much on offer, it's very hard to ascertain what exactly is cool and hot this season, and that's something I annually struggle with, given the levels of talks we currently have. So here's my pick of stuff that excites me about Black Hat and DEFCON this year (disclaimer, there are many more, I just don't have enough time to fit them all in a post).


Black Hat


Keynotes, they are one thing I look forward to the most and also fill me with fear having done Black Hat's EU one the other year. They are not easy, they need to set the scene, inspire you and get you ready for the firehose of learning you are about to experience.

This year my friend Jen Easterly (CISA), Hans (ENISA), Felicity (NCSC) and Christina (AP) talk about something we are all talking about: hacking democracy and subverting the democratic process.

This is what I love about BH, the fact we get to talk about this with those heavily involved in protecting and thwarting attempts to do the ugly with our right of a free and fair democratic process.


I had the pleasure of spending time with Richard during the review process (hundreds of hours, 22 conference calls, lots of fun) and he truly knows his onions when it comes to AI and LLM security. Everyone and their dog is 'doing' AI right now and err yeah hmmm about that security thing....

Having just spent a week or so looking at a pretty nifty SSH exploit backdoor that used Golang, this talk resonates with me SO much. Reverse engineering Rust is hard, and Nicole and Juan delve deep into the world of Rust malware and yeah those same cool features we love about the language, memory safety, aggressive compiler optimizations, borrowing, intricate types and traits translate into a perplexing tangle of code that surpasses even C++ in the complexity of its abstractions. It's no wonder adversaries have jumped on this train, and yet we aren't in a position to easily understand what they are doing. This is going to be a wild talk.

We need a James Kettle appreciation day I tell ya. The dude is a MACHINE and this year saw us accepting three Portswigger talks, as they are that good. I am truly in awe at how James works and how he approaches research. This will be off the scale.

'tis fine, we let copilot into our org as it has revolutionised our workflow. Said most and yet we haven't been that demanding of those building copilots. Michael's gonna shift the perception here and I guess we need it to burn before we heal right?

The p0 team have a special place in my heart. Love all of them, count many of them as a good friend and what they are doing is the work of the <insert your deity here>. Natalie's gonna show us what a decade of poking fingers into the eyes of adversaries looks like and I can't wait.

Gareth had an intimate relationship with XSS in the early days, some might say an unhealthy one but what a journey it has been. This time, he's been poking access control solutions really hard as we all know parsing bugs tend to bring the Internet down, right? (too soon?)

You did what to my face whilst hugging me? Come on, tell me people aren't putting backdoors in freely available models? Uhu they are and Vasillios, Jamie, Sañyam and Chris are going to blast open the doors here as it's pretty wild.

Who doesn't like a good disinformation campaign right? I've been known to tear apart ISIL's attempts during the early days and the power of a good PSYOPS campaign and the reach of the Internet today means the ROI is actually really attractive. Franky comes with receipts and having spent three decades at NATO, this talk is going to be fascinating.

2012, Glenn Wilkinson and I released Snoopy and did mass surveillance of hundreds of thousands of people in Vegas and London. It changed a lot, saw the introduction of MAC address randomisation and made it harder to do this level of Wi-Fi surveillance, at least we thought. Erik has gone further and now uses Wi-Fi positioning systems to do the same thing. I'm super keen about seeing this.

Some dork named Daniel will be holding a meetup where likeminded hardware/embedded freaks can chant together. Should be interesting no?

HD's BACK and he's abusing SSH, he's going to release a tool and 1990s me is happy as Dug Song with DSniff.

CANNOT WAIT (caps intentional, don't @ me kids)

Maël and Renée got me super excited about this research. Look, we all had this theory that OCGs have embraced a lot of digital tech and ideas and yeah the two of them went deep to uncover how much Chinese OCGs have. This is proper solid investigative research.

I'm very lucky to call Thomas a friend. The dude is phenomenal at doing research like this and when Apple do a hat tip, you know he's done good. Proper hardware hacking of Apple's new USB-C controller. Yes please, plug me in.

Transylvanian Quantum Hacking - I'll be honest and never thought I'd write that but Adrian and Sorin have come up with some pretty damn sweet ways to hack Quantum QPUs and having been privy to the talk, this is fascinating.

My Swedish brother from another mother already did my fav Black Hat talk from 2023 but this year, and to use a term Swedes use Ingen ko på isen about those creds just flying all over in the URI. Uhu, this is gonna be big.


Game hackers are l337 y0. Seriously, enterprise and industry could learn so much from the gaming industry when it comes to anti-abuse measures. Julien's talk is going to be one you should attend if you want to know how they stop gamers from doing the ugly.

This is something we've spent time on in the lab and it's hard as hell to detect, so Kazuki's research resonates with me as a backdoor in the UEFI OROM is not the place we want to be in, at all, like ever.

I have what some might call an obsession with MCUs and other bits of silicon, especially given how hard some of the vulns are to fix. Anders and Daniel's talk is going to be pretty epic as it showcases what happened and what will probably happen in this space. If semiconductor security is your thing, then this will be amazing.


DEFCON

Jeff outgrew the strip, yup tis that popular now and rightly so. The vibe, the people, the talks, the villages, oh my it's just something you should attend.

I wanted to highlight a few villages that I think are pretty damn cool, namely


https://www.paymentvillage.org/ run by Leigh-Anne and Timur is just so cool and yes I will be there helping them with their epic hardware badge this year. Put it this way, if you want to truly understand how modern payment systems work, what EMV is, how to abuse track 1 and 2 in a secure and safe way, then go and see LAG and Timmy and come and learn how the global payment world works.


I consider Mark to be the Kenny G of Quantum. I don't know what that makes Victoria but the two of them have built one of the most impressive villages I've seen in the https://quantumvillage.org/

From speakers to experience to understanding Quantum circuits and itty bitty Qbits, this is the place to go to learn about all things Quantum.


https://defcon.org/policy/ is where govvies and others involved in shaping and implementing government policies all go and I really love the fact this is a thing now. Hacking isn't just about a reverse shell or JTAG but making things and people work in different ways and it's cool that such a village can exist at DEFCON

I will be there on a panel talking about the Pall Mall Process and how we can go about tackling the proliferation and irresponsible use of commercial cyber intrusion capabilities.

And that's it. Like I said above, there are so many good talks that it would be impossible for me to list them all and not bore the hell out of you. If you do happen to see me and want to say hey, please do.

There's a war out there, old friend. A world war. And it's not about who's got the most bullets. It's about who controls the information. What we see and hear, how we work, what we think... it's all about the information!

Cosmo - Sneakers 1992


