Pumpcon 2018 Speakers:

InfoSuck: The Art of Falling Forward.

There are hundreds of blogs, papers, tweets, etc. that give the lowdown on "How to break into Infosec." There aren't any that help to guide these poor sheep past the offer letter. We're not allowed to talk about getting laid off or fired. We're told not to discuss our salaries with each other because it's "impolite". We're discouraged from discussing these things for fear of being blacklisted or being thought of as "unprofessional", damaged goods. Well, fuck all that.

Why do you want to hear about this stuff from me?
I've been through all of it. I've been RIF'd (Reduced in Force) 3 times, fired once, managed out, re-org'd, etc. and still figured out how to feed my family. You want to hear me talk about it because someone needs to let these poor n00bs know how to navigate an industry that preaches loyalty & attachment with one hand, then slaps you with the other when the balance sheets don't shake out. These are war stories about all the stuff we're not allowed to talk about in polite company. Do I have a little chip on my shoulder? Damn right. Will I name names? You betcha. Will I be sober during the talk? Probably not.

Sucker presenting:

Missed Connection: When Information and Physical Security Try to Mate

Bleep goes on a magical adventure through the land of connected physical security devices, brought on by a life-long interest in lock picking. The things Bleep finds are so bad it feels like 1995 all over again, and he's in his parents' basement listening to Music for the Jilted Generation. If it weren't for the fact that people are using these to lock their homes and their gun safes, this might even be funny. Consumers seem to think jamming everything into their smart phone is convenient, and the world of venture capital loves products that consumers will buy without thinking too hard about it. By piling on features like fingerprint-based unlocking, sharing your lock with guests and proximity-based control, these devices are very convenient. But who else is this convenient for? Of course, while consumer convenience increases, the effort put into securing these products decreases. You know the rest of this story. This talk will be a review of how many of these locks work, from a variety of vendors, large and small. Some topics covered include the ways that factories manage enrolling locks for later use with an app, how terrible these apps are universally, and some amazing API failures that allow you to unlock a padlock's shackle just by virtue of being nearby. As we review the various failures, suggested best practices will also be a part of the discussion. Hopefully somebody in the audience will take heed and try to make the world a slightly better place by not repeating these mistakes. Maybe there's an app for that.

Sucker presenting:
Bleep J. Blorpenburg

Browser as Botnet

When surfing the web, browsers download and execute arbitrary JavaScript code they receive from websites they visit. What if high-traffic websites served obfuscated code that secretly borrowed clock cycles from their clients' web browsers as a means of distributed computing? In this talk I will present research on the topic of using web browsers as zero-configuration, trojan-less botnets. The presentation will include a brief history of botnets, followed by an overview of techniques to build and deploy command-and-control botnet clients that run in-browser. I will present exhaustive research that simulates the potential compute power of such a botnet using publicly available user-agent statistics and web traffic analytics from popular websites. What if Facebook or Google ran unnoticeably small "jobs" on your browser whenever you visited their websites? How much "free" compute could be leveraged from 2 billion users annually? With the rise of distributed computing, such a technique could be exploited to train or run machine learning models, mine a blockchain, or DDoS target servers. In this talk we will explore the idea that the design and function of the web browser presents an opportunity for inherent exploitation. We will discuss both the ethical and nefarious use of such browser-based botnets: how they may be used in the wild and what unique affordances such a technique presents. The preparation and research for this talk has been extensive, as very little information on the subject currently exists. The talk will feature a live demo that includes deploying a password cracking botnet using conference attendees' mobile phone browsers. Here is a link to the research I have published as a result of this talk as well as a recording of the first version of the talk at Radical Networks.

As for why a group of hackers would care about this subject:
I've collected a ton of useful statistics from this research... including 11,000 unique user-agent strings from over 250,000 IP addresses. I was able to seed 3.5 terabytes of data *entirely* between unsuspecting users' web browsers in 24 hours using webtorrents embedded in banner advertisements.

Sucker presenting:
Brannon Dorsey

Disinformation from an information security perspective

This presentation seeks to examine disinformation from an information security perspective. It will define what disinformation is, engage in an attack surface analysis of information content systems, and examine how disinformation attacks fit into that analysis. Then the presentation will look at disinformation attacks through the lens of the confidentiality, integrity, and availability triad, and analyze how disinformation challenges that triad. The presentation will examine how disinformation attacks, and more broadly attacks on information systems, challenge a user's relationship to information systems. Lastly, what are the possible solutions, mitigations, or are we just fucked?

Why do you think a bunch of hackers will care: How many shells to political power? How many zero days to shift beliefs on scientifically validated and accepted ideas? The merger and inseparability of information systems with social and political systems has created a distinct problem with no clear solution. How do we as hackers, engineers, and analysts build defenses for attacks on information content systems like Facebook, Twitter, et al.? We can't build defenses if we haven't properly conceptualized and analyzed what attacks, and possibly defenses, look like.

Sucker presenting:
sina kashefipour
Bio: Just a malware analyst interested in the intersection of political influence and technology.

PLUS Special Surprise Guests!!!