Talk/Event Schedule

Friday

Friday - 06:00 PDT

Friday - 07:00 PDT

Friday - 08:00 PDT

Friday - 09:00 PDT

Friday - 10:00 PDT

Friday - 11:00 PDT

Friday - 12:00 PDT

Friday - 13:00 PDT

Friday - 14:00 PDT

Friday - 15:00 PDT

Friday - 16:00 PDT

Friday - 17:00 PDT

Friday - 18:00 PDT

Friday - 19:00 PDT

Friday - 20:00 PDT

Friday - 21:00 PDT

Friday - 22:00 PDT

Friday - 23:00 PDT

Talk/Event Descriptions

CON - Friday - 10:00-17:59 PDT

This year, we are proud to introduce a brand new contest, designed to push your limits and awaken your curiosity.

The ? Cube Challenge is not for the faint-hearted. It is a multi-layered, complex puzzle that requires you to use all your hacking and analytical skills to solve it.

The cube is loaded with riddles and puzzles that must be solved one by one to progress further towards the ultimate goal.

This challenge is not just about solving a puzzle, it's about exploring your curiosity and pushing the boundaries of your knowledge.

It's about putting your hacker mindset to work and seeing how far you can go.

With each step, you'll be one step closer to unlocking the secrets of the ? Cube Challenge.We know that Defcon attendees are always looking for the next big challenge, and we have created the ? Cube Challenge with that in mind.

It is a contest that will test your limits, engage your creativity, and push your curiosity to the next level.So come and join us at Defcon 31 and take on the ultimate challenge! Who knows, you might just walk away with the title of ? Cub Champion and the admiration of your fellow hackers. Are you ready to take the challenge?

The above was totally written by ChatGPT. I don't want to give out too much information, but basically there is going to be a big cube like object that contestants will have to deconstruct to find the hidden awesomeness. I hope to have challenges spread across multiple domains, both online in a jeopardy style ctf as well as the physical puzzle of the cube which will be module in nature, with each physical puzzle tying to the next.

DC - Friday - 14:30-14:50 PDT

As a research in its early stages, this speech will delve into the exciting world of offensive geolocation. By leveraging inviolable physical laws, we can measure the time it takes for a signal to travel from an adversary to multiple network sensors, and use this information to accurately calculate their position. This technique is known as latency trilateration has never been used before in the cyber realm, and has significant implications for threat intelligence, sandbox evasion, and even malware self-geolocation. I will also discuss potential limitations and challenges of this approach, as well as its broader implications and potential future developments in this emerging field.

REFERENCES

Ben Du, Massimo Candela, Bradley Huffaker, Alex C. Snoeren, and kc claffy. 2020. RIPE IPmap active geolocation: mechanism and performance evaluation. SIGCOMM Comput. Commun. Rev. 50, 2 (April 2020), 3–10. https://doi.org/10.1145/3402413.3402415

CON - Friday - 10:00-17:59 PDT

DC - Friday - 15:30-16:15 PDT

Researches on RouterOS were mainly against jailbreak, Nova Message in IPC, and analysis of exploits in the wild. Especially researches against Nova Message have reported tons of post-auth vulnerabilities. However, the architecture design and the lower-layer objects, which are closely related to the functionality of Nova Binary, were being neglected due to their complexity, causing some details to be overlooked for a long time. Starting by introducing the mechanisms of the socket callback and the remote object, we will disclose more about the overlooked attack surface and implementations in RouterOS. Moreover, we will discuss how we, at the end of rarely visited trails, found the pre-auth RCE that existed for nine years and can exploit all active versions and the race condition in the remote object. We will also share our methodology and vulnerability patterns.

Delving into the design of the RouterOS, attendees will have a greater understanding of the overlooked attack surface and implementation of it and be able to review the system more reliably. Additionally, we will also share our open-source tools and methodology to facilitate researchers researching RouterOS, making it less obscure. , Ting-Yu Chen, aka NiNi, is a security researcher at DEVCORE and a member of the Balsn CTF team. He won the title of the "Master of Pwn" at Pwn2Own Toronto 2022 with the DEVCORE team. NiNi has also made notable achievements in CTF competitions, including placing 2nd and 3rd in DEF CON CTF 27 and 28 as a member of HITCON⚔BFKinesiS and HITCON⚔Balsn teams, respectively. NiNi is currently immersed in vulnerability research and reverse engineering, continuing to hone his skills. You can keep up with his latest discoveries and musings on Twitter via his handle @terrynini38514 or blog at http://blog.terrynini.tw/.

REFERENCES

• https://kirils.org/slides/2017-10-21_MT_Hacktivity_pub.pdf
• https://kirils.org/slides/2017-09-15_prez_15_MT_Balccon_pub.pdf
• https://mum.mikrotik.com/presentations/ID18/presentation_6149_1540240927.pdf
• https://medium.com/@maxi./finding-and-exploiting-cve-2018-7445-f3103f163cc1
• https://www.coresecurity.com/core-labs/advisories/mikrotik-routeros-smb-buffer-overflow
• https://www.irongeek.com/i.php?page=videos/derbycon8/track-4-15-bug-hunting-in-routeros-jacob-baines
• https://www.tenable.com/blog/tenable-research-advisory-multiple-vulnerabilities-discovered-in-mikrotiks-routeros
• https://www.tenable.com/security/research/tra-2018-21
• https://media.defcon.org/DEF%20CON%2027/DEF%20CON%2027%20presentations/DEFCON-27-Jacob-Baines-Help-Me-Vulnerabilities.-Youre-My-Only-Hope.pdf
• https://www.tenable.com/security/research/tra-2019-46
• https://medium.com/tenable-techblog/routeros-chain-to-root-f4e0b07c0b21
• https://margin.re/2022/06/pulling-mikrotik-into-the-limelight/
• https://github.com/cq674350529/pocs_slides
• https://www.youtube.com/watch?v=fkigIlDe6vs
• https://www.tenable.com/security/research/tra-2019-46
• https://community.arm.com/arm-community-blogs/b/architectures-and-processors-blog/posts/caches-and-self-modifying-code
• https://github.com/Cisco-Talos/Winbox_Protocol_Dissector
• https://github.com/BigNerd95/RouterOS-Backup-Tools
• https://github.com/BigNerd95/Chimay-Red
• https://github.com/BigNerd95/Chimay-Blue
• https://github.com/0ki/mikrotik-tools
• https://github.com/tenable/routeros

DC - Friday - 10:00-10:45 PDT

Less has been written about the guilt or innocence of those who accessed Uber’s AWS environment in October 2016 and triggered an incident response by emailing me and asking for payment. After we met them, my team and I did not consider those 19- and 20-year-old kids to be criminal actors and treated them as security researchers. Yet both also faced federal criminal charges.

During my talk I will review the extraordinary investigation done by my team at Uber and put it into the context of other historical cases we and I had worked on. Whether or not you consider them to be security researchers, there are many lessons to be learned related to the dynamics between researchers and companies and the dynamics between companies and the government.

AIV - Friday - 14:00-14:55 PDT

The 10 lessons are:

Lesson 1: Red Teaming AI systems means different things to different communities Lesson 2: AI Red Teaming is somewhere in the middle Lesson 3: AI Red Teaming is a shared responsibility with a different process Lesson 4: Red Teaming AI models is different from red teaming AI applications Lesson 5: There are novel security risks to look out for…. Lesson 6: …But do not forget traditional security Lesson 7: The goal of the AI Red Team is not to find all the different ways AI systems fail Lesson 8: You do not need to be a math whiz to red team AI system Lesson 9: AI Red Team needs a diverse set of skills in the team Lesson 10: There is so much to do before you start red teaming your AI system

ASV - Friday - 15:00-15:50 PDT

Pekoske leads a workforce of over 60,000 employees and is responsible for security operations at nearly 440 airports throughout the United States. TSA is also the lead federal agency for security of highways, railroads, mass transit systems and pipelines. Under his leadership, TSA improved transportation security through close partnerships and alliances, a culture of innovation, and development of a dedicated workforce.

During his tenure as TSA Administrator, Pekoske also served at the Department of Homeland Security as Acting Secretary from January 20 to February 2, 2021, and as the Senior Official Performing the Duties of Deputy Secretary from April to November 2019, and again from February to June 2021. At the Department, Pekoske helped lead a unified national effort to ensure the continued security of the United States, coordinating components with missions ranging from prevention and protection to recovery and response. He was also a commissioner on the Cyberspace Solarium Commission that developed a consensus on a strategic approach to defending the United States in cyberspace against attacks of significant consequence.

Before joining TSA, Pekoske was an executive in the government services industry, where he led teams that provided counterterrorism, security and intelligence support services to government agencies.

Pekoske served as the 26th Vice Commandant of the U.S. Coast Guard, culminating a Coast Guard career that included extensive operational and command experience. As the Vice Commandant, Pekoske was second in command, also serving as Chief Operating Officer and Component Acquisition Executive of the Coast Guard. He is a recognized expert in crisis management, strategic planning, innovation, and aviation, surface transportation and maritime security. In addition, he has been twice awarded the Homeland Security Distinguished Service Medal.

Pekoske holds a Master of Business Administration from the Massachusetts Institute of Technology, a Master of Public Administration from Columbia University and a Bachelor of Science from the U.S. Coast Guard Academy.

PLV - Friday - 15:00-16:50 PDT

Prior to working at Google, Camille led cyber diplomacy, technology policy, privacy, and technical policy areas like encryption and PNT as the Senior Policy Advisor for Cyber, Infrastructure & Resilience at the U.S. Department of Homeland Security. During her time at DHS, Camille led campaigns, international engagements, and policy development that bolstered national and international cyber resilience. Those policies include Presidential Policy Directive 41 (PPD – 41) on federal cyber incident coordination, supporting Privacy Shield negotiations, and the 2016 Cybersecurity National Action Plan (CNAP) which outlined 75 tasks to enhance cybersecurity awareness and protections, protect privacy, maintain public safety as well as economic and national security. Camille has also held leadership roles focused on cyber and technology on Capitol Hill, at Deloitte, and Cyveillance, an open-source threat intelligence company.

This panel will bring together representatives from governments around the world which are trying to address this challenge. Software risks are global risks, and this will be a unique opportunity to hear how different governments are approaching the issue of software resilience, and discuss how policymakers and the hacker community can to work together to overcome these collective challenges.

VMV - Friday - 10:30-11:25 PDT

DC - Friday - 12:30-13:15 PDT

In our research, we reviewed the pairing mechanism of NAS devices with the WD and Synology cloud platforms. To our surprise we discovered that devices authenticate to the cloud using a hardware identifier which is later used by users to remotely access their devices. Using this, we were able to impersonate any given NAS device and perform phishing attacks that yielded us admin rights on any targeted WD or Synology device.

In this talk, we will explain the pairing process of WD and Synology NAS. We will elaborate on the overall architecture of their cloud offering and focus on the vulnerabilities we found including ways to enumerate and impersonate all edge devices using certificate transparency log (CTL), and steal cloud proxy auth tokens. This enabled us to download every file saved on the NAS devices, alter or encrypt them, and bypass NAT/Firewall protection to achieve full remote code execution on all cloud-connected NAS (and to gain $$$ from Pwn2Own).

DC - Friday - 16:00-16:45 PDT

SEV - Friday - 17:15-17:59 PDT

ASV - Friday - 10:00-17:59 PDT

A-ISAC and Embry-Riddle Aeronautical University - Prescott

**Laptop Needed**

A variety of aviation infrastructure have been compromised. Immerse yourself into challenges where you are tasked with identifying attacks/attackers, stopping attacks, and restoring normal operations. As a participant your first step is to register ahead and read the rules at: https://aisac.cyberskyline.com/events/aisac-defcon and bring your own laptop to the venue. You can participate in the virtual challenges from Friday, but the more critical in-person challenges are only available at certain times during Village open hours!

PSV - Friday - 13:30-14:30 PDT

WS - Friday - 14:00-17:59 PDT

Raúl is the author of WiFiChallenge Lab, a 100% virtualized realistic lab designed for learning and practicing wifi hacking (presented in RootedCON 2022). He is also the creator of wifi_db, a script that parses Aircrack-ng captures into a SQLite database, extracting valuable information such as handshakes, MGT identities, interesting relations between APs, clients and their probes, WPS information, and a global view of all the APs seen. Additionally, he holds the OSCP and CRTP certifications.

In his free time, Raúl dedicates himself to programming hacking and cybersecurity tools. He also maintains his own micro-datacenter consisting of multiple servers and services where he continually learns and practices new technologies.

Skill Level: Intermediate

Prerequisites for students:
- All participants in participating in this workshop must have a basic understanding of Linux, 802.11 protocol and Wireshark. - Must have prior knowledge of WiFi attacks on Open, WEP, and WPA2-PSK networks.

Materials or Equipment students will need to bring to participate: - Participants must have access to a computer with a reliable internet connection and a virtualization software such as VirtualBox or VMware.

CON - Friday - 10:00-16:59 PDT

Adversary Village is a community-driven initiative that prioritizes adversary simulation, emulation, breach and attack simulation, adversary tactics, offensive/adversary tradecraft, philosophy, and purple teaming.

Our objective is to establish a Capture the Flag competition dedicated to adversary simulation, purple teaming and knowledge sharing. Adversary Wars offers unique opportunities for “adversaries” aka participants to simulate attacks, explore new attack vectors, gain insights into threat actor profiles, master TTPs, and refine offensive tradecraft. With a range of adversary simulation exercises at different difficulty levels, this CTF promises real-world attack simulation scenarios and challenges.

Previous versions of the Adversary Wars CTF were hosted as part of Adversary Village, during DEF CON 29 and DEF CON 30. We are excited to be back at DEF CON as an official contest this year. Adversary Wars CTF will be located in the contest area for DEF CON 31.​

AIV - Friday - 11:00-11:15 PDT

AIV - Friday - 10:00-17:59 PDT

This exercise, first of its kind, will allow the best and brightest minds in the security industry to join diverse voices new and veteran to the AI scene in pursuit of making AI and machine learning safer.

AIV - Friday - 10:15-10:59 PDT

AIV - Friday - 10:00-10:10 PDT

RTV - Friday - 13:00-13:59 PDT

APV - Friday - 13:00-14:59 PDT

HRV - Friday - 13:00-13:59 PDT

RTV - Friday - 12:00-13:59 PDT

ICSV - Friday - 16:30-16:59 PDT

WS - Friday - 09:00-12:59 PDT

The workshop will start by presenting hacking for good, insights on the Android bug bounty, then it will cover the basic concepts of Android applications, walk you through industry standard tools and techniques and then let you experiment on your own with our Android reverse engineering CTF!

Come and hack with us!

The workshop requires no prior knowledge of Android or reverse engineering.

Skill Level: Beginner to Intermediate

Prerequisites for students:
- Before the workshop, students should follow the setup instructions to ensure they can start working on the CTFs in the workshop: https://tinyurl.com/aah-setup - There is no pre-required knowledge.

Materials or Equipment students will need to bring to participate: - Laptop with 20+ GB free hard disk space 4+ GB RAM - Mac. Windows 7/8 , Ubuntu 12.x + (64 bit Operating System), - ADB

• apktool
• Python & pip
• JDK
• jadx
• Burp Suite
• Wireshark
• Frida
• Ghidra
• Administrative access on your laptop

APV - Friday - 10:00-10:59 PDT

Since the late 90’s Chris has been deeply involved with security R&D, consulting, and advisory services in his quest to protect and defend businesses and individuals against various types of attack. Prior to that he jumped out of planes for a living, visiting all sorts of interesting countries and cultures while doing his best to avoid getting shot at too often. (Before that, he managed to get various computers confiscated by several European entities.)

He’s considered one of the world’s foremost experts on counter threat intelligence and vulnerability research within the Information Security industry. He’s also gotten a name for himself in the transportation arena, basically anything with wings, wheels, tracks, tyres, fins, props or paddles has been the target for research for the last 15 years. (To interesting effect.)

So, what do we do? Piecemeal solutions, buy more empty promises, or can we take a step back, breath and talk about the hoomans in the equation?

Let’s explore some of the tech challenges, and a more human centric approach to solving things. I promise we’ll have exploits, hacks, and tasers, but we’re going to throw in communication, collaboration, cooperation, and maybe a shout out on all of US going out to the greater village community and bringing us all a little closer together. After all, we’re ALL in this together, it might be nice to start acting like it.

BICV - Friday - 16:00-16:50 PDT

Prerequisites: Basic understanding of computer networks, cyber security concepts, command line interface, and operating systems.

Tools Covered:

• Nmap
• Theharvester
• Wireshark
• Nessus
• Metasploit

ASV - Friday - 10:00-17:59 PDT

Boeing

**Laptop Needed**

Boeing will be hosting an ARINC 615a dataload CTF broken into two major modules. The first module will focus on decomposing and analyzing a PCAP capture of a simulated dataload between an airplane dataload server and an avionics component. The second module will allow participants to execute a dataload against simulated avionics to help improve understanding and awareness of how software is loaded onto airplanes. Additionally, Boeing is aiming to increase its cyber outreach into the STEM community by offering an additional challenge centered on an operational system and the impact of that system on the overall airplane. The challenge will walk participants through how the operational system functions, how it can be negatively impacted, the results of tampering with the system while it’s in flight, and how the system can secured via CIA and PKI.

CPV - Friday - 12:00-12:30 PDT

BICV - Friday - 13:00-13:50 PDT

Currently, Fatou is a government contractor working as a Cyber Crime Data Scientist. She is also an Assistant Professor of Cybersecurity and Director of the Cybersecurity Labs at Capitol Technology University.

Fatou is also the founder of Datacation LLC — with a mission to increase cyber education particularly in low-income neighborhoods. Fatou is a Certified Ethical Hacker and currently holds the AWS Machine Learning Specialty Certification.

ASV - Friday - 10:00-17:59 PDT

AIAA

We have added a special feature to this year’s activities during DEF CON 31. This will be on Friday and Saturday from 11AM - 5PM.

Our friends at AIAA are helping us host “Ask Me Anything” sessions on Friday and Saturday. It’s an opportunity to meet Aerospace Village members and partners who are experts in the field. Bring your questions about getting into cybersecurity, aviation, space, likes/dislikes, you name it!

• A chance to ask all your questions, get their perspective, and hear some great stories.
• A low-key sharing of experiences and a way to make new friends without having to make small talk.
• Note: This is NOT a recruiting activity. Ask career questions if you have them, but think of this more as a chance for general "speed mentoring."

DC - Friday - 20:00-21:59 PDT

AIV - Friday - 12:00-12:25 PDT

DL - Friday - 14:00-15:55 PDT

CPV - Friday - 13:00-13:45 PDT

In this talk, we will examine different types of vulnerabilities in the SSI space, walk through examples of potential attacks, and discuss the potential consequences of the technology. Additionally, we will explore potential solutions to mitigate the risks associated with these vulnerabilities. We will discuss best practices for trust, cryptographic techniques, and security protocols that one can use in decentralized identity systems.

CLV - Friday - 12:30-12:59 PDT

Kat's research philosophy directs her attention to where design flaws and misconfigurations are most probable. This guiding principle leads her research to the intersection of technologies, particularly the convergence of cloud security and application security and where the OS-layer interfaces with higher-level abstractions.

Kat has presented at various conferences including the SANS CloudSecNext Summit and fwd:CloudSec on topics such as privilege escalation in GCP, and bug-hunting in the cloud. In addition to her work at Vectra AI, she is a member of IAN Faculty and the Lead Author of the SANS SEC549 - Enterprise Cloud Security Architecture and currently holds multiple GIAC certifications. You can find her on the internet as @nightmareJS

• User-Friendly Interface: Since the DeRF is hosted in Google Cloud, End Users can invoke attacks through the cloud console UI without the need to install software or use the CLI.
• Accessibility for Non-Security Professionals: The DeRF caters to a broad audience of End Users, including Engineering, Sales, Support Staff or automated processes.
• Robust OpSec: Long-Lived Credentials are not passed between operators, instead access to the DeRF and its attack techniques are controlled through GCP IAM Role-Based Access Control (RBAC)
• Extensibility at its Core: Attack sequences are written in YAML, enabling easy configuration of new techniques.
• Turn-Key deployment: Deploying (and destroying!) the DeRF is a fully automated process, completed in under 3 minutes.

During this demo, we will guide you through the straightforward and automated deployment process for the DeRF. We'll demonstrate how to invoke pre-configured attack techniques and illustrate how you can customize the framework to align with your internal attacker profile. By deploying the DeRF within your organization you can easily spin up attacker simulations, to augment training or automate the testing of detection capabilities.

CON - Friday - 10:00-17:59 PDT

We hope to continue the engagement with the hacking community to demonstrate security implications of autonomous driving system design decisions through hands-on challenges, increase the awareness of potential risks in security professionals, and encourage them to propose defense solutions and tools to detect such risks.​

CLV - Friday - 13:25-14:05 PDT

There is a difference between security in the pipeline and security of the pipeline. As a security consultant/pentester we saw both ends and came across these environments either in assumed breach, configuration review or SDL assessment.

In this talk, we take a look at the later and review the security controls for Azure DevOps (although can be used for other cloud providers as well) that can help in mitigating attacks and the blast radius of a breach. There will be also some resources shared where to go after the talk.

DC - Friday - 12:30-13:15 PDT

Along with this presentation, we provide a C library for making microcode changes and documentation on the reverse-engineered microcode.

We show that vendor updates to the microcode, which cannot be verified by the user, impose a security risk by demonstrating how a Linux system can be compromised through a backdoor within a CPU core's microcode.

REFERENCES:
Intel TXE POC:
https://github.com/chip-red-pill/IntelTXE-PoC Exploit used to gain Red Unlock.

uCodeDisam

https://github.com/chip-red-pill/uCodeDisasm First research (to the best of our knowledge) allowing for dumping microcode ROM as well as a publicly available disassembler for Intel's microcode.

Undocumented x86 instructions to control the CPU at the micro-architecture level in modern Intel processors: https://github.com/chip-red-pill/udbgInstr https://github.com/chip-red-pill/udbgInstr/blob/main/paper/undocumented_x86_insts_for_uarch_control.pdf From the research above, two undocumented instructions intended for debug perpuse at Intel were found. This layed the groundwork for us to experiment and test the behavior of microcode operations.

Custom Processing Unit:
https://github.com/pietroborrello/CustomProcessingUnit Custom Processing Unit is the first dynamic analysis framework able to hook, patch and trace microcode from a UEFI application

RFV - Friday - 16:00-16:20 PDT

This project intended to accomplish the following:

1. Use modern/actively supported and hot-swappable CoTS equipment that can easily be replaced.
2. The operator can't enter a comms blackhole while connected to the device.
3. Egress method for notifications, reducing the need to check for card reads while in the middle of an operation.
4. Simplified WebGUI that only displays Bit Length, Facility Code, and Card Number. Option to download the complete data set (e.g., BL, FC, CC, HEX, BIN).
5. Error handling, so the device doesn't log bad reads, EMI, etc.
6. Easy configuration and reset functionality for team use.

CON - Friday - 10:00-17:59 PDT

The vulnerable network services will include real world vulnerable services where a competitor can adopt off the shelf proof-of-concepts vulnerabilities from an offensive security resource (ex: Metasploit Framework, exploit-db, packetstorm, etc…) into their bot to achieve access to said vulnerable services. Additionally, custom built vulnerable services informed by OWASP Top 10 security bugs as well as CVEs will influence challenge development resulting in a competitor to have the experience of reverse engineering new applications to identify vulnerabilities based on historically significant pain points in Software Engineering as well as infamous historical CVEs. Battle of The Bots will give competitors of all skill levels an opportunity to develop proof-of-concept exploits. Network services will be developed in a variety of compiled and interpreted languages with varying associated vulnerabilities and points. The variety of languages will provide opportunities for those less experienced with reverse engineering to analyze vulnerable Python code to find hidden API endpoints that lead to shell execution for example, rather than reverse engineer compiled binaries.

Finally, the BOTBs team will be capturing network traffic from the competition environment to later be shared with the wider community. The BOTBs team believes that this unique dataset of network service attacks can act as a unique resource for academic researchers, SOC analysts assessing their defenses and training events where having attack data for SIEM analysis. The data will be released under the Apache 2.0 License and hosted publicly on a yet to be determined platform.

MIV - Friday - 14:30-15:30 PDT

This workshop explores a framework for a better understanding of how we as technologists can develop messages that get attention, get noticed, and get results without “dumbing down” or sacrificing technical acuity. Basically, being the Nerds that Talk Good.

The solution to misinformation, especially machine-generated misinformation, is not solely a bot vs. bot problem. Understanding why messages take hold in the first place and leveraging our human heart, mind, and gut-level responses to stories can make us better communicators as technologists—which can help authentic and trustworthy content rise above the machines.

Leveraging the MessageDeck—a novel, nontechnical, hands-on card-based approach—, participants will be coached to discover the higher-order motivations and objectives necessary for their communications and content to be trusted and believed. The model also serves as a framework to develop an informed, skeptical awareness when receiving information.

The model was developed after 25 years in arts and entertainment, hardcore IT and cybersecurity, and government communications and is being presented with none of that boring nonsense. We’ll get together, play some cards, spark some conversations, and out of it will come a messaging platform that will recapture the public sphere for good.

Participants will also have an opportunity to contribute to a Misinformation Village Messaging Platform—a set of hallmark messages that can be adopted by the broader community. By discovering these authentic messages, we build cohesion and consistency across the misinformation awareness movement.

Samples of the MessageDeck will be available as supplies last to any who want them, but the strength of the approach lies in its flexibility to be used explicitly or to inform other facilitated conversations. So we will also have an opportunity to explore other ways to apply it to the work of others.

BICV - Friday - 10:00-10:50 PDT

He consults with several institutions and think tanks as a futurist, developing reasonable calculations of future events to both inspire creative endeavors for humanity and avoid or mitigate calamity.

John consults with a select group of entities about computer security and has appeared on the cover of magazines like Wired and on news programs like 60 minutes for his exploits and expert commentary on the hacker world.

John also develops narrative film and documentary projects about sci-fi and technology exploring the thematics of freedom and revolution. He also works on developing technologies to help in spreading and maintaining free speech and democracy for humans world wide.

John currently is consulting for entities like MoMa , Vision 2030 Futurist Collective, and [ redacted ] on security futures while developing a new film project for 2023 (Don’t Talk To Trees).

He will be talking about great hacks from history including his own! He will talk about his journey in security and how security has evolved over the years, his theories on security going into the future and how to stay flexible in reference to new platforms and attack vectors. He will discuss all the avenues security can bring an up and coming Hacker career wise as well!

SOC - Friday - 18:00-01:59 PDT

The event will break into three sections throughout the night:

“Mild”
6:00 pm - 8:00pm
Networking - Light music, Food and Drinks

“Medium”
8:00pm - 10:00pm
Nerdcore HipHop Showcase

“Hot”
10:00pm - Until (2:00 am)
DJ Stage Set by DJ Roma of the DC Metro Area.

CON - Friday - 12:00-16:59 PDT

PLV - Friday - 15:00-15:50 PDT

SOC - Friday - 20:30-22:59 PDT

DEF CON badge required for entry.

In event of rain/weather cancellation, the backup location for this party is "Flamingo - Upstairs - Eldorado Ballroom".

CON - Friday - 10:30-17:59 PDT

The CTF challenges contestants to leverage diverse cyber defense skills, including Incident Response, Forensics, Malware Analysis, Threat Intelligence, and Threat Hunting, to be the first team or individual to answer or solve the challenges presented.

The BTV crew developed the CTF to allow anyone, regardless of skill or knowledge, to participate, aiming to sharpen their cyber defense skills. We believe in the idea of choosing your adventure. As a result, participants can download a copy of the required evidence (logs, packets, etc.) or log into any of the 3 SIEMs we provide to hunt on.

If you are new to cyber defense, we highly recommend participating in the Blue Team Village Obsidian stations. They will cover many of the topics on the CTF and will help you along the way!

BTV - Friday - 10:00-10:30 PDT

Blue Team Village Opening Ceremony

SOC - Friday - 14:00-15:59 PDT

ASV - Friday - 10:00-17:59 PDT

Aerospace Village

Bricks in the Air is a hands-on demo to teach the basics of low level protocols seen in aviation. The demo uses the I2C protocol and does not reveal actual security vulnerabilities in avionics or other systems in aviation. The attendees are not required to have any prerequisite knowledge. No equipment is needed for attendees.

DL - Friday - 12:00-13:55 PDT

PHV - Friday - 09:00-17:59 PDT

RTV - Friday - 12:00-14:59 PDT

VMV - Friday - 14:30-15:20 PDT

PLV - Friday - 10:00-11:50 PDT

BHV - Friday - 16:00-16:30 PDT

CON - Friday - 10:30-17:59 PDT

CON - Friday - 10:00-17:59 PDT

With the largest collection of hackers in one area, there's no better way to understand the security state of an industry without bringing it to security professionals to break. Over the past 9 years, the Car Hacking Village has been the focal point of interest for new hackers entering the automotive industry to learn, be a part of and actually test out automotive technologies. Our contest at the village, in combination with many automotive OEMs, Suppliers, etc., is used to give people first hand experience on cutting edge and at times expensive technologies. We plan to use this event to keep drawing attention to the automotive security industry through hands-on challenges.

BICV - Friday - 15:00-15:50 PDT

This workshop is for individuals that are involved in or initiating cyber workforce development programs. It involves best practices and techniques for managing an effective and sustainable program.

DC - Friday - 16:30-17:15 PDT

In his free time, Bug Bounties and security research keep Aapo motivated and learning. His work in PKI and TLS has resulting in multiple CVEs from vendors such as Microsoft and Apple. Outside work and research Aapos passion is in the community. He takes part in organizing local security meetups and coaches the Finnish national youth CTF team to the yearly European Cybersecurity Challenge competition.

TLS allows communicating parties to uniquely authenticate each other by validating each other's certificate. However, many TLS libraries and frameworks have insecure default settings or allow for the developers to skip important aspects of certificate validation in their client implementations.

This talk explores issues in TLS client certificate validation and the underlying reasons why developers still fail to implement TLS correctly. Most importantly, we hack all the things with a new TLS mitm tool: certmitm.

certmitm automatically discovers and exploits insecure certificate validation vulnerabilities in TLS clients. Let's use the tool to hack iOS, Windows 11 and more while we deep dive into the world of insecure TLS certificate validation.

REFERENCES

My previous TLS talks:
HelSec 20 - Practical attacks against modern TLS implementations - Aapo Oksman: https://www.youtube.com/watch?v=NCm16vLfD60

Disobey 2023 - Your connection is not private Exploiting insecure certificate validation in TLS clients - Aapo Oksman: https://www.youtube.com/watch?v=vZvL6ZRiKls

Moxie Marlinspikes work in SSL/TLS:
DEF CON 17 - Moxie Marlinspike - More Tricks for Defeating SSL: https://www.youtube.com/watch?v=5dhSN9aEljg DEF CON 19 - Moxie Marlinspike - SSL And The Future Of Authenticity: https://www.youtube.com/watch?v=UawS3_iuHoA

Scientific publications:
Georgiev, Martin, et al. "The most dangerous code in the world: validating SSL certificates in non-browser software." Proceedings of the 2012 ACM conference on Computer and communications security. 2012. Akhawe, Devdatta, et al. "Here's my cert, so trust me, maybe? Understanding TLS errors on the web." Proceedings of the 22nd international conference on World Wide Web. 2013. Huang, Lin Shung, et al. "Analyzing forged SSL certificates in the wild." 2014 IEEE Symposium on Security and Privacy. IEEE, 2014.

Sivakorn, Suphannee, et al. "HVLearn: Automated black-box analysis of hostname verification in SSL/TLS implementations." 2017 IEEE Symposium on Security and Privacy (SP). IEEE, 2017. Alghamdi, Khalid, et al. "Iotverif: An automated tool to verify ssl/tls certificate validation in android mqtt client applications." Proceedings of the Eighth ACM Conference on data and application security and privacy. 2018.

CPV - Friday - 11:00-11:30 PDT

CPV - Friday - 16:00-16:45 PDT

DC - Friday - 11:30-12:15 PDT

REFERENCES

The content we will present was generated by the speakers. Tiffany will present anonymized case studies from the “Citizen Clinic” at UC Berkeley and Austin will share case studies his organization has generated regarding human trafficking. Our only bibliographic reference at this moment is a reference to open source/free software tools we use at UC Berkeley. We will also reference a tool to make VPNs safer created by Berkeley’s students called “Ghost Prtcl.”

CPV - Friday - 14:00-14:30 PDT

CLV - Friday - 10:10-10:50 PDT

CON - Friday - 10:00-17:59 PDT

Our CTF is a three days jeopardy style contest where we have a bunch of challenges hosted across multiple Cloud providers across multiple categories of difficulty.

You can register as teams or go solo, use hints or stay away from them, in the end it will be all for glory or nothing. Plus the prizes. Did we not mention the prizes? :D

CON - Friday - 10:00-17:59 PDT

Learn to see web applications and services from an attacker's perspective. CMD+CTRL is a hacking game designed to teach the fundamentals of web application security. Explore vulnerable web applications, discover security flaws, and exploit those flaws to earn points and climb up the scoreboard. After attacking an application for yourself, you'll have a better understanding of the vulnerabilities that put real applications at risk - and you'll be better prepared to find and fix those vulnerabilities in your own code.

At DEF CON 31: We will be debuting our latest Cyber Range, which focuses on exploiting a modern health record management system, dubbed ShadowHealth. Inspired by the latest trends and real world exploits, try your hands exploiting: SSRF, Log4Shell, reverse engineering, local privilege escalation, password cracking, XXS, and so much more! With over 35 challenges do you think you can complete them all?

CMD+CTRL will have two different games happening: free play, and the competition. Both require a code to join, and the best way to get a code is to go to the CMD+CTRL booth in the contest area. Codes to join free play may be given in Discord, on Thursday. Questions and such will also only be answered at the booth; Discord will not be staffed this year, aside from free play codes on Thursday. Once you have a code, you can play online, from anywhere -- you do not have to be in the contest area.

CON - Friday - 10:00-11:59 PDT

Learn to see web applications and services from an attacker's perspective. CMD+CTRL is a hacking game designed to teach the fundamentals of web application security. Explore vulnerable web applications, discover security flaws, and exploit those flaws to earn points and climb up the scoreboard. After attacking an application for yourself, you'll have a better understanding of the vulnerabilities that put real applications at risk - and you'll be better prepared to find and fix those vulnerabilities in your own code.

At DEF CON 31: We will be debuting our latest Cyber Range, which focuses on exploiting a modern health record management system, dubbed ShadowHealth. Inspired by the latest trends and real world exploits, try your hands exploiting: SSRF, Log4Shell, reverse engineering, local privilege escalation, password cracking, XXS, and so much more! With over 35 challenges do you think you can complete them all?

CMD+CTRL will have two different games happening: free play, and the competition. Both require a code to join, and the best way to get a code is to go to the CMD+CTRL booth in the contest area. Codes to join free play may be given in Discord, on Thursday. Questions and such will also only be answered at the booth; Discord will not be staffed this year, aside from free play codes on Thursday. Once you have a code, you can play online, from anywhere -- you do not have to be in the contest area.

DL - Friday - 12:00-13:55 PDT

DC - Friday - 15:00-15:45 PDT

For 14 years, Paz led multidisciplinary systems development as a systems engineer in the aerospace industry. At home, Paz explores ideas he finds interesting.

In 2019 he published a work on a body-tracking device that records keystrokes on a safe's keypad in Hakin9 Magazine. In 2021 he developed software that used a GPU as a digital radio transmitter and presented his work at DEF CON 29. In 2015 and 2019 he launched weather balloons with elementary school pupils.

In this talk, I present a simulation framework for the most popular radiosonde model. It enables an attacker to generate radiosonde messages or alter logged messages for retransmission. I also present simulations of a jamming attack and a spoofing attack on a sounding receiver:

During a jamming attack, the receiver is unable to receive transmissions from active radiosondes.

During a spoofing attack, the transmitter sends fake radiosonde messages to a target receiver, identifying as an active radiosonde.

I'll talk about the shortcomings of the military variant of the radiosonde model and suggest a simple way to cope with spoofing attacks.

REFERENCES

Vredenbregt L., "How many weather balloons are out there? Hundreds, it turns out", https://abcnews.go.com/Politics/weather-balloons-hundreds-turns/story?id=97082985, Feb 13, 2023. Dudley I., "Weather balloons and rocket science", https://www.vandenberg.spaceforce.mil/News/Features/Display/Article/737270/weather-balloons-and-rocket-science/ bazjo, "RS41 Decoding", https://github.com/bazjo/RS41_Decoding rs1729, "RS", https://github.com/rs1729/RS projecthorus, "radiosonde_auto_rx", https://github.com/projecthorus/radiosonde_auto_rx sondehub, https://github.com/projecthorus/radiosonde_auto_rx "Upper-air Observations Program", https://www.weather.gov/upperair/ Mass C., "Wind Shear: When the Atmospheric Seems to be Tearing Itself Apart", https://cliffmass.blogspot.com/2017/05/wind-shear-when-atmospheric-seems-to-be.html Jessop M., "Top Radiosonde types", https://twitter.com/vk5qi/status/1170215238978830339 Lada B., "3 weather obstacles that SpaceX faces when launching rockets into space", https://www.accuweather.com/en/space-news/types-of-weather-that-can-delay-a-spacex-rocket-launch/352407 Nasa, "Falcon 9 Crew Dragon Launch Weather Criteria", FS-2020-05-568-KSC, www.nasa.gov Frielingsdorf J., "An Open-Source Documentation and Implementation of the Vaisala RS41 Data Preparation Algorithms", WMO Technical Conference on Meteorological and Environmental Instruments and Methods of Observation, Oct. 11, 2022 Cadence PCB Solutions, "What is Signal to Noise Ratio and How to calculate it?", https://resources.pcb.cadence.com/blog/2020-what-is-signal-to-noise-ratio-and-how-to-calculate-it Vaisala, "Vaisala Radiosonde RS41-SGP Data Sheet", www.vaisala.com, B211444EN-E, 2017 Vaisala, "Vaisala Radiosonde RS41-SG Data Sheet", www.vaisala.com, B211321EN-K, 2020 Vaisala, "Vaisala Radiosonde RS41-SGM Data Sheet", www.vaisala.com, B211448EN-E, 2017

DC - Friday - 10:00-10:45 PDT

In both cases, an efficient file system separation should be provided. On one hand, each container should be able to access system files and write changes that will not affect the host. On the other, copying the entire main volume on each container launch will be storage-inefficient and not practical.

In this presentation, we will cover the basics of windows containers, break down its file system isolation framework, reverse-engineer its main mini-filter driver, and see how it can be utilized and manipulated by an actor to bypass EDR products in multiple domains. Eventually, we will provide an open-source tool based on these findings.

This technology caught my attention for several reasons:

• Containers and virtualization solutions are everywhere, and their internal workings are not well documented.
• Actors often search for ways to escape containers. The idea of intentionally entering into one in order to evade security products has yet to be explored.
• This framework doesn't require any prerequisites and comes as default in every modern Windows image! (the part which we will abuse, at least).

  REFERENCES

• https://googleprojectzero.blogspot.com/2021/04/who-contains-containers.html
• https://unit42.paloaltonetworks.com/what-i-learned-from-reverse-engineering-windows-containers/
• https://research.checkpoint.com/2021/playing-in-the-windows-sandbox/
• https://www.amazon.com/Windows-Kernel-Programming-Pavel-Yosifovich/dp/1977593372
• https://learn.microsoft.com/en-us/virtualization/windowscontainers/about/
• https://habr.com/en/company/acronis/blog/536018/

DC - Friday - 10:00-17:59 PDT

CPV - Friday - 10:00-10:05 PDT

CON - Friday - 10:00-17:59 PDT

We're preparing hashes from easy to hard, so there'll be something for you if you want to compete casually as a Street team, or go all out in Pro.

Where we're going, we don't need roads. Purely a penchant for puzzles, perhaps a plethora of processors.

Check out past years' contests at https://contest.korelogic.com/ , and the Password Village at https://passwordvillage.org/

IOTV - Friday - 10:00-17:59 PDT

Bring a laptop, your favorite intercepting proxy, and a lot of caffeine.

RCV - Friday - 15:45-16:30 PDT

BTV - Friday - 10:30-11:30 PDT

Part I: Introduction to Cyber Threat Hunting: A brief introduction to Cyber Threat Hunting Part II: Threat Hunting Methodologies: A look into hunting methodologies

Introduction to Cyber Threat Hunting & Threat Hunting Methodologies

BTV - Friday - 11:30-12:30 PDT

SamunoskeX has attended DEFCON Events since DC26.

Can we find activity within the corporate network that might be suspicious?

SOC - Friday - 20:00-23:59 PDT

What is dead shall rise again! Come do a hacktivism with cDc, as we launch a THING that will once again change the world, with the style and chaos that only the herd can bring. Let us bless you with a revolutionary communications system that will disrupt the balance of power.

It’s time to TAKE BACK CONTROL.

Recommended (but not required) dress code- y2k 31337 Haxxor threads. Think Zero Cool and Acid Burn meet Max Headroom and Franken Gibe. There is no contest, but the Bovine Mother is watching, so make her proud.

The herd hath spoken. Oomen.

• 20:00 - 20:45 -- Miss Jackalope
• 20:45 - 21:30 -- DotorNot
• 21:30 - 22:15 -- cDc/Veilid
• 22:15 - 22:45 -- Rocky Rivera + DJ Roza
• 22:45 - 23:30 -- EVA
• 23:30 - 00:00 -- DJ McGrew

MIV - Friday - 11:00-11:30 PDT

BHV - Friday - 17:20-17:59 PDT

BICV - Friday - 11:00-11:50 PDT

PLV - Friday - 14:00-14:50 PDT

The panel will discuss challenges to developing actionable maritime cyber policy, the technical realities behind maritime cybersecurity, review existing US and international programs, and discuss how the global ecosystem could harmonize these policies to push the maritime ecosystem towards a more secure state. There will also be time for questions and broader discussion/audience engagement.

MISC - Friday - 06:00-06:59 PDT

CON - Friday - 10:00-16:30 PDT

DC - Friday - 14:30-14:50 PDT

SOC - Friday - 16:00-18:59 PDT

Join us and meet your fellow ATL hackers!

CON - Friday - 10:00-19:59 PDT

A scoreboard tracks the teams’ current and final scores. In the event of a tie, the first team to achieve the score wins that tie.​

MISC - Friday - 11:00-17:59 PDT

MISC - Friday - 14:00-15:59 PDT

Stop by our booth, learn what threat modeling is, and get some practice with an introductory non-technical scenario.

CON - Friday - 10:00-17:59 PDT

As part of our challenge we will present contestants with the exact same design and compare the outputs they produce against a number of categories in order to identify a winner and crown DEF CON’s Next Top Threat Model(er).

SOC - Friday - 10:00-17:59 PDT

MISC - Friday - 10:00-16:59 PDT

We'll keep accepting drives until we reach capacity (usually late Friday or early Saturday).  Then we copy and copy all the things until we just can't copy any more - first come, first served.  We run around the clock until we run out of time on Sunday morning with the last possible pickup being before 11:00am on Sunday.

Most of the drive information can be found [here](https://dcddv.org/dc31-drive-info). If you have questions that have not yet been answered, you can email [info@dcddv.org](mailto:info@dcddv.org), or visit the [DEF CON Forums](https://forum.defcon.org/node/244903).

PHV - Friday - 11:00-11:50 PDT

QTV - Friday - 17:15-17:59 PDT

for each talk: Opening - Bob introduces the topic 5 mins - speaker FOR the proposition 5 mins - speaker AGAINST the proposition ~10mins - rebuttals ~15mins - audience questions/comments 5 minis Vote & results and wrap up.

QTV - Friday - 16:00-16:45 PDT

PSV - Friday - 15:30-16:30 PDT

SOC - Friday - 16:00-18:59 PDT

"VrijMiBo/Friday afternoon Drink" at DEF CON is a perfect moment to talk about what your favorite thing is at DefCon, show your cool handmade badges, impress other hackers about your latest hacks, make new friends, gossip about your boss and show your cat or dog pictures.

Vrijdag Middag Borrel, Freitag Mittags Getränk, Apéritif du vendredi après-midi, trago de viernes por la tarde.

CON - Friday - 10:00-17:59 PDT

Come visit the DEF CON Scavenger Hunt table in the contest area and get a list, register your team of 1 to 5 players, and gather or accomplish as many items from the list as you can. Items are submitted at the table, better than average submissions shall be awarded bonus points. The team who turns in the most points by Sunday at noon will win the admiration of your like-minded peers.

The DEF CON Scavenger Hunt is one of the longest running contests at DEF CON, visit https://defconscavhunt.com for a history lesson.

If you capture pictures or video of items from our list, or have in the past, please send them to us via email scavlist@gmail.com.

--

The scavenger hunt list is open to interpretation and we are not responsible for how list items are interpreted. We have had a number of pre-teens and teenagers play the scavenger hunt over the years, primarily with their parents but occasionally alone. The team that won at DC24 included a teenager with their parents. Parental Guidance Recommended.

CON - Friday - 10:00-17:59 PDT

--

Rated PG-13.

MISC - Friday - 06:00-11:59 PDT

Defcon.run is an evolution of the now long running Defcon 4x5K running event. But now it's bigger and more fun! Due to stupendous growth, we’ve been forced to change up the format. This year's activity will look to match up folks for fun runs, and rucks (!), in smaller distributed groups around Las Vegas. It’s the same old event but at a distributed scale! Show up in the morning to beat the heat, go for a run with folks, have a good time!

We’ll have a full set of routes for people to choose from from simple 5Ks to more ambitious distances.

You can register to log your distance, we'll have a leader board, and shenanigans! Full Information at https://defcon.run

Interested parties should rally at Harrah's Goldfield at 06:00, but be sure to check [defcon.run](https://defcon.run) for any updates.

DC - Friday - 12:30-13:15 PDT

With a background in the Ministry of Defense and the Israeli Defense Forces (IDF), Omer has honed his skills in network research, including a deep understanding of Windows internals and Linux kernel components.

In addition to his professional pursuits, Omer is a passionate technology and science enthusiast who is always eager to explore emerging trends and innovations in these fields.

Among his recent discoveries are the PrintDemon vulnerabilities in the Windows Spooler mechanism which were a candidate in the best privilege escalation of Pwnie awards and several research studies on Iranian APT campaigns. He presented his research at DEF CON (28-30), BlackHat USA, ReCon, Sector, Confidence, Security Fest and HackCon conferences.

We wondered if we could achieve similar capabilities running as an unprivileged user without possessing a rough certificate, instead we aimed to turn the original Windows Defender process to our full control.

In this talk we will deep dive into Windows Defender architecture, the signature database format and the update process, with a focus on the security verification logic. We will explain how an attacker can completely compromise any Windows agent or server, including those used by enterprises, by exploiting a powerful 0day vulnerability that even we didn't expect to discover.

We will demonstrate Defender-Pretender, a tool we developed to achieve neutralization of the EDR. allowing any already known malicious code to run Fully Un-Detected. It can also force Defender to delete admin’s data. OS and driver files, resulting in an unrecoverable OS. We will also explain how an attacker can alter Defender's detection and mitigation logic.

DC - Friday - 11:00-11:45 PDT

Viasat will share the story of how it responded and performed a rapid forensic on several impacted terminals to determine within 36 hours that the terminal flash memory had been overwritten with a distinctive pattern in the attack. This presentation will explain details around the forensic analysis as well as the process of reverse engineering the malicious toolkit to verify it would produce the observed flash memory effects. Viasat will also share technical details of over-the-air network attacks that were used to attack the KA-SAT network.

APV - Friday - 11:00-12:59 PDT

The entire workshop will be delivered as bite-sized hands-on exercises where increasingly advanced threats are presented and you get to defend.

We'll explore techniques allowing cooperation with packages thatintend to steal your secrets and mess with built-in functionality of JavaScript via prototype-poisoning. Another part of the workshop will focus on using tools to isolate code and scale the defensive coding practice up for larger codebases.

PLV - Friday - 17:00-17:50 PDT