Talks
the freshest artists from across the digital realm are coming to purplecon to drop their newest mixtapes, offering their limitless cosmic wisdom to you. reach out and take it. it's your destiny.
how to human in groups
if you’ve ever tried to convince your high school friends that being racist is kinda terrible, or your work friends that they should use a password manager, this talk is for you. changing people’s minds is hard. each group has its own version of what’s normal. this talk is about how to work with the brain tools we’ve got to make the computer tools we want.
sauramaia
sauramaia likes dinosaurs. they constantly invent things while knitting, like maths and physics lectures titled 'learning with sticks and strings', which never materialise, and fill their days moving post-it notes around at thoughtworks.
IAM confused: a deep dive into how permissions work
One of the hardest things to understand in the world of cloud computing has to be IAM - What is a role? What is a policy? How do I keep my engineers away from production systems? How do? The aim of this talk is to try and give some practical examples to help security teams understand whats going on, and how to use this to keep their infrastructure running smoothly and safely.
sera
9 Hunter at Pushpay. Please share your best cat pictures with me.
Embracing Empathy
Empathy is a personality trait which is not often discussed in the world of InfoSec. In an industry with highly authoritative technical personalities, curious technical explorers and fully transparent decision makers empathy is the odd one out, why care about what other people think or feel when you have the mandate to enforce policy/solutions/architecture/technology as you have funding and "because security". In this talk I will take you through how in my now near 20-year career predominately in the enterprise space I have tried to be anything BUT empathetic, the feeling of impostor syndrome I carried around for years as the way I worked and achieved results was not covered by any conference talks/certs/training/industry groups. And how through necessity I went from realizing that while my approach to InfoSec had always been classed as "pragmatic" it was empathetic. And that Empathy worked wonders in the most trying time of my career.
Shahn Harris
Shahn is a corporate infosec jerk who has been the cause and solution to a number of security related incidents since the the early 2000's.
*banging fists on table* STATE MACHINES STATE MACHINES
Writing software is hard. Really hard. Almost impossible one would say. We can see this from <infinite list of security issues here>. As we all are walking talking fleshy bug emitting machines that sometimes emit good code as a lucky side effect, we need all the help we can get to increase this luck factor. State machines help us to reason about our programs, how they work, how they wont work, and why they didn't work - and from there, how we can design programs to never fail at all. There are state machines all around us. Let me show you how we can use them in code for security and robustness. Area and assumed knowledge: Area - Secure software development. Assumptions - Some programming knowledge, but demos will be in Rust and C. I will not use advanced or tricky code for any demo to make it as accessible as possible.
William
William is a senior IDM tech debt collector for SUSE. When not upside down on a stick or flipping people on mats, they can be found getting Rusty and helping people with LDAP and code.
Against Lies, H*cking Lies
did you know that the more blue teamers are sent to handle a security incident, the worse that incident will be? using science and statistics to make decisions about how you run security is a great idea - 𝘪𝘧 you can interpret and represent your data accurately. but statistics is rife with potential pitfalls that can lead you to all kinds of false conclusions. with some help from planet earth's own blue team, we'll learn how to recognize and work around these problems to not only use your own data for good, but to also catch flawed analyses when you see them around you.
Anton Black
Anton aspires to speak clearly, concisely, humorously and precisely about something or other. He dabbles in Product Security at Atlassian, and enjoys playing the other kind of keyboard.
choose your own adventure: password reset
You build or are part of a team that has a thing on the web that does stuff for people. And those people would appreciate it if other people couldn't pretend to be them on your website doing their secret squirrel stuff. So, you decide to have people login in with a password. It'd be mighty nice of you to give people a way to recover their accounts when they misplace their passwords. Password reset flows are a choose your own adventure where the players just want to be able to secret squirrel again, and if you're in charge of one let's learn about some game overs everyone would like to avoid.
moss
moss enjoys working in highly regulated software industries, like healthcare and finance, caring for the quality of software. apple photos has decided that the best photos he takes are of software bugs in public places, and moss is slowly making peace with that.
Deploying Kubernetes Safer(ish)
Sometimes evil conglomerates, large companies and/or totally regular and normal individuals prefer to run Kubernetes themselves, instead of using a public cloud provider - perhaps they don't trust the InterGoogles, perhaps they want to experience the incessant joys of maintenance and upgrades themselves, or perhaps (THE REAL REASON) they wanted to justify their sweet, sweet devops stickers on their laptop. Sure, not trusting someone else's computer make sense in some threat models, the (sometimes overly-enthusiastic) DIY approach does mean they open themselves up to a whole host of other problems - Google probably does know how to deploy, manage and secure Kubernetes better than anyone else, since they kinda built it. They've probably even got better stickers. Unfortunately, setting it up is HARD. There's so many moving parts and the vaguely dodgy how-to posts on random blogs always seem to be a few versions behind - AND they feel like they get away with it by saying “Definitely probably don't do this in production, but it's totally fine to do for testing, what's the worst that could happen?*" This talk will take you through some of the parts of the kubernetes setup that are commonly ignored (“oh yeah we’ll definitely $100% get to that later”), or excluded from scripts you piped from curl to bash, or are pretty easy to accidentally get wrong if you didn’t know about this other thing that wasn’t made immediately obvious. If you’re an auditor, these are your super tasty critical severity fairy-bread tickets. If you’re a defender, these are the things that differentiate your totally awesome cluster of orchestrated hotness from a totally awesome cluster of orchestrated hot mess. If you’re an attacker who’s popped a shell and found themselves trapped in a container <strike>of emotions</strike>, these are the things that make you have a big sad when they’re done right.
James
This bloke’s a pentester working in the neon-lit, cyberpunk (and kawaii!) city of Tokyo, but he still calls Australia home. He's a tinkerer and enthusiast, the kind of guy with about nine concurrent projects with no really clear definition of what “finished” actually is. He's passionate about security, privacy and community, and has a bunch of acronyms on papers to substantiate his overall dubious claims.
a novice red teamer's guide to self help
advice and learnings from a newbie's first year: how to get better hacking yourself, hacking others, and defence against the se arts.
bl3ep
infosec fledgling. bad at writing biographies. claim to fame: fooled people into thinking im good at social engineering. defcon27 sectf #2
To Identity and Beyond!
It's unusual to develop applications that have no identity requirements nowadays. Whether it's securing access to resources, synchronising data between devices, or providing a customised experience, any new project will soon need that login form. While you might start out with a simple login form and a backend user directory, these soon grow into their own beasts, when requirements call for multi-factor authentication, or machine-to-machine authorisation functionality. These requirements and associated maintenance costs are often at odds with the desire to focus on building new features that actually bring your users value, or fixing bugs that currently bring them pain. In this talk, you will learn about OAuth, OpenID Connect, and JSON Web Tokens; where they came from, how they work, and how they can simplify your projects, from single-page apps to the APIs that drive them, and everything in between.
Ben Dechrai
Ben Dechrai is a technologist with a staunch focus on security and privacy. This started at the age of 11, when he wrote software to stop his parents from breaking the family PC, and resulted in his working as a developer advocate for Auth0. He enjoys helping developers find the joy of experimentation, from ethical skulduggery to subversive automation, and can be found on Twitter and Instagram at @bendechrai.
Risk management without slowing down
Most organisations start out relying on people and their expertise when making decisions, but this doesn't scale well and leads to bottlenecks and pain. Larger corporates rely on processes, controls and systems, but these can overwhelm smaller companies. I'd like to share some thoughts on how to set up lightweight risk management processes to empower teams to make informed decisions and not just rely on what the security person thinks of it.
Mikala Easte
I had brief ambitions of being a penetration tester, and then someone ranted at me about symptoms and root causes and now I am a risk management consultant. I mostly help organisations manage their cyber risk when it comes to software development, third parties and business continuity.
Incident Response Drills: How to play games and get good
Computers are exceptionally good at taking instructions and making very fast, very precise mistakes very reliably. Humans are conceptually similar but interpret their inputs and decide on courses of action based on experience. Preperation and rehearsal for messy, no-notice events that are definitely (hopefuly) not business as usual makes us more chill for when something (production) does go down due to novel (gremlins) issues. Incident Responders should practice for sensitive and time-critical events before they happen so they are able to return things to a safe and stable state with grace and aplomb. This talk is for team leaders or security program owners interested in the craft of using incident response exercises to develop their people. We will learn how these synthetic experiences can be devised against specific environments and standards with measurable outcomes. Finally we will cover ways to easily scale difficulty and iteratively improve your exercise program.
Kirk
Kirk is a Security Consultant at TSS Cyber in Canberra, joining the team after 10 years in Air Force ICT working on training exercises, drills and training programs for the military and non-profits. He has been a Dungeon Master for most of his life and found those skills are surprisingly trasnferable to his work and now thinks a lot about using games to improve teams and evaluate responses to crisis.
An Introduction to Ghidra
So the NSA made its internal reverse engineering toolkit open source in early 2019, which means everyone now has access to a THING for FREE. Sure... it has dark mode. A five minute overview on getting started for the overwhelmed and/or the lazy.
Helen
Protecting people from social media harassment.
In some ways, Twitter seems like it was designed from the ground up to be the perfect tool for harassment. Twitter’s own mechanisms that are supposed to protect users sometimes seem to be pretty inadequate to the task. So I decided to make a few of my own. Along the way, I got to grapple with some interesting challenges, including and especially how to build a tool safe enough for use by people who have been threatened online. In this talk I explore risks you have to consider, how you mitigate them, and the ethics of the decisions you end up making.
Tom Eastman
I'm a Python developer, DevOps consultant, system engineer (whatever that means), occasional security consultant and public speaker. I write words that control computers to tell other computers to build FAKE computers that run on DIFFERENT computers.
face your fearful foes to dodge a dark and dreary phishy fate
after a short stint with the malicious masterminds of our red team, i've seen the terrifying tactics that real attackers could use against you. it's dirty, underhanded, and quite brilliant, and it's only fair that we level the playing field a bit by sharing some of our secrets. in this talk we'll skip past basic tech-support scams and talk about lovingly hand-crafted "spear phishing" campaigns specifically targeting individuals based on publicly available information. who knew your gaming habits would be your downfall? and finally we'll talk about some things you can do to really ruin a fledgeling evil mastermind's day, and repurposing some strategies learned from a career in site reliability engineering to help create a psychologically safe environment where people aren't afraid to tell you when they make mistakes.
Brendan Shaklovitz
brendan shaklovitz has played various sysadmin and site reliability engineering roles, including sre for the security team, working on managing vulnerability scanning and endpoint monitoring systems. more recently, he's been working with the red team to do all the evil things shared in this talk and more.
Security confessions of a small country
We live in a small country. While geographically we're not a pip squeek, in terms of population we're really rather adorable. So how does being a small country affect our approach to security and how can we learn to love our little island thinking and use it as a superpower.
Laura Bell
Security cat herder, day dreamer and mom.