Home-sliceGimme Yo' Talk!When does Kaminsky talk?The Fun StuffParking for PollutersRTFM!Wasn't me!Sponsors not Vendors


BayThreat is over for 2010! Follow us @BayThreat on Twitter to get the announcements for BayThreat 2011.
See ya next year!


In order to keep the ticket cost low, we rely on a few key sponsors to support us. Thanks to our sponsors:

VSS Monitoring, Inc.

Errata Security






2010 BayThreat Speakers

The Call For Papers for BayThreat is now closed. This is a running list of the presenters that will be speaking at BayThreat. There are two tracks, running two days each, plus an Activities track.

"Breaking Security"

Allen Gittelson
Dino Dai Zovi [PPT]
Chris Valasek
Ryan Smith
Julia Wolf
Michael Smith [PPT] [PodCast]
Neel Mehta
Shane Huntley
Drew Hintz
Dave Maynor
Brenda Larcom [PPT]
Daniel Peck
Nidhi Shah

Garrett Gee
Moxie Marlinspike
Billy Rios [PPT] [YouTube]

"Building Security"

Dan Kaminsky
Jeremiah Grossman [PPT]
Vinnie Liu
Ed Bellis
Gal Shpantzer
Steve Adegbite
Sam Bowne [PPT]
Anton Chuvakin
Allison Miller
Andy Steingreubl

Jim MacLeod [PPT]
Cory Scott [PPT]
Davi Ottenheimer

"5 Minutes of Lightning!"

Brian Keefer
Kartik Trivedi
Andy Steingruebl
Larry Malone - "T. Hazmap Open Source Crowd Sourced Radar Detector"

Lockpicking Village

Patrick Thomas

Allen Gittelson
The Secret Language
Synopsis: Ever feel an incredible connection with someone where they know your every thought? Ever get the sensation that you know what they’re thinking? Is it psychic? Is it mind reading? No, it’s The Secret Language. Join Hypnotist Allen Gittelson at the edge of possibility as you watch him hack minds. Amaze yourself in this exhilarating and interactive experience and gain a better understanding of the human mind. You will leave this presentation with your mind reeling about the future of information security.

Bio: While Allen Gittelson performs primarily in San Francisco, he has entertained thousands of people around the world in Europe, Australia, and Asia, as well as Las Vegas, and even places as exotic as Kentucky. He is a consultant and editor for other top performers due to his knowledge and expertise in the arts of hypnosis, mind reading, and communication. In the last 2 years, Allen served as editor and contributor to books that are some of the most widely acclaimed and recognized in his craft. Allen also has over a decade of broadcasting experience on radio in Cleveland, and has also been on KALW-FM in San Francisco, NPR (National Public Radio), and the INC (Indonesian News Channel). Allen’s performances are a unique and seamless blend of hypnosis, psychology, and mind reading. When people see his show in person, they often believe they are witnessing miracles. Allen has worked with some of the world’s most celebrated performers, including the honor of teaching at The Masters Ultimate Stage Hypnosis Seminar in Las Vegas with the late, great Dean of American Hypnotists, Ormond McGill. Allen also works the other side of his brain as a denizen of Silicon Valley by testing cutting edge technology as a computer engineer specializing in networking. He recently contributed a case study that appears in a landmark book for uber-geeks, “Wireshark Network Analysis: The Official Wireshark Certified Network Analyst Study Guide.”

Brenda Larcom
Title: HAZOP Analysis Using This Funky Spreadsheet I Made in My Back Yard
Synopsis: You, or your inexperienced security minion, can find security flaws in architecture or design quickly and easily using HAZOP analysis. All you need is a sequential description of what the application does and a clear definition of the negative security outcomes & attackers you're trying to prevent from abusing the system. And, of course, this handy spreadsheet from http://www.octotrike.org/. This talk will include a quick rundown of getting the right data together, how to actually do HAZOP analysis, how to do HAZOP analysis in the Trike spreadsheet, the kind of results you'll get, and some effective ways to use those results. Experienced security analysts find more holes faster using this technique. The best part? After surprisingly little coaching, folks with minimal security experience can use this method to find about 80% of the design flaws experienced architecture security analysts find using ad hoc design reviews. And, it's repeatable and consistent, so after your minion takes the first pass, you can review and build on their work instead of having to redo the analysis from scratch to figure out whether they've missed anything.

Bio: Brenda Larcom is a Senior Security Associate at Stach & Liu, a security consulting firm providing IT security services to the Fortune 1000 and global financial institutions as well as U.S. and foreign governments. Her employers over the past 15 years include Verio, Cray, Amazon, IOActive, Intel and Zscaler. Brenda is a co-founder and the lead developer for Trike (http://www.octotrike.org/), an open source threat modeling methodology and tool which partially automates the art of security analysis. Brenda is a regular speaker at industry conferences; past venues include ToorCon, ShmooCon, and MiniMetricon.

Michael Smith

Title: Distributed Denial of Service: War Stories from the Cloud Front
Abstract: Due to the rise of large-scale botnets, Distributed Denial of Service (DDoS) is making a resurgence, both in attacker capabilities and the impact on target organizations. This presentation is an overview of DDoS attacker capabilities and techniques, defenses against attacks, and lessons learned from responding to numerous DDoS attacks.
The session will cover a very brief description of the Akamai distributed network and a discussion of the history of Akamai's involvement with DDoS mitigation. The session will then dive into the following areas: threat capabilities and tactics, failure patterns during a DDoS attack, preparation prior to an attack, example timelines associated with the July 4th, 2009 attack, and the active response to an ongoing, targeted DDoS attack. Each area will focus on lessons learned that organizations can reproduce in their own environment.

Bio: Michael Smith serves as Akamai’s Security Evangelist and is the customer-facing ambassador from the Information Security Team, helping customers to understand both the internal security program and the unique security features and capabilities of the Akamai product portfolio and cloud-based solutions. Mr Smith fulfils a cross-functional role as a liaison between security, sales, product management, compliance, engineering, professional services, and marketing.
Prior to joining Akamai, Mr Smith served as an embedded security engineer, security officer for a managed service provider, and security assessment team lead. He is an adjunct professor for Carnegie Mellon University and teaches through the non-profit Potomac Forum.

David Maynor
Cheat codes for the mobile user.
Abstract: Being a smartphone user I found myself bored and ended up downloading a game. In my youth I was quiet the gamer so I assumed I would blow through the game with no problem. I quickly died. I quickly died over and over again. This won't do I thought. I entered the Konami code (Up,Up,Down,Down,Left,Right,Left,Right,B,A,B,A,Select,Start) and nothing happened.
I was stuck with a hard choice: I could either learn to play the game or learn to cheat. I chose the more honorable route: I was going to cheat. This is my story. It involves rooting and jailbreaking, gdb, IDA Pro, small men running across fields, hex, and Robocop.

Bio: David Maynor is a founder of Errata Security and serves as the Chief Technical Officer. Mr. Maynor is responsible for day-to-day technical decisions of Errata Security and also employs a strong background in reverse engineering and exploit development to produce Hacker Eye View reports. Mr. Maynor has previously been the Senior Researcher for Secureworks and a research engineer with the ISS Xforce R&D team where his primary responsibilities included reverse engineering high risk applications, researching new evasion techniques for security tools, and researching new threats before they become widespread. Before ISS, Maynor spent the 3 years at Georgia Institute of Technology (GaTech), with the last two years as a part of the information security group as an application developer to help make the sheer size and magnitude of security incidents on campus manageable. Before that, Maynor contracted with a variety of different companies in a widespread of industries ranging from digital Tdevelopment to protection of top 25 websites to security consulting and penetration testing to online banking and ISPs.

Jeremiah Grossman
Website Security Statistics: 3 years and 10 reports -- what have learned?
Synopsis: Over last several years WhiteHat Security has measured a myriad of website security aspects including vulnerability prevalence, impact of languages & frameworks, industry comparison, and analyzed what possibly makes a site with zero open issues different from the rest. We’ve learned a lot from the metric collection process, but also a great deal from feedback on how others use our data on a daily basis. As 2010 comes to a close it is a perfect time to look back and identify the lessons learned. Understanding what these metrics have taught us and how our actions going forward may be changed is key to improvement.

Bio: Jeremiah Grossman, founder and CTO, WhiteHat Security, is a world-renowned Web security expert. A co-founder of the Web Application Security Consortium (WASC), he was named to InfoWorld's Top 25 CTOs in 2007 and is frequently quoted by business and technical media. He has authored dozens of articles and whitepapers, is credited with the discovery of many cutting-edge attack and defensive techniques, and is a co-author of "XSS Attacks: Cross Site Scripting Exploits and Defense." Grossman is also an influential blogger who offers insight and encourages open dialogue regarding Web security research and trends. Prior to WhiteHat, Grossman was an information security officer at Yahoo!

Anton Chuvakin
"You Got That SIEM. How What Do You Do?"
Synopsis: Many who acquired SIEM tools have realized that they are not ready to use many of the advanced correlation features, despite promises that "they are easy to use." So, what should you do to achieve success with SIEM? What logs should you collect? Correlate? Review? How do you use log management as a step before SIEM? What process absolutely must be built before SIEM purchase becomes successful.Here you can learn from the experience of those who did not have the benefit of learning from other's mistakes. Also, learn a few tips on how to "operationalize" that SIEM purchase you've made. And laugh at some hilarious stories of "SIEM FAIL" of course!

Bio: Dr. Anton Chuvakin is a recognized security expert in the field of log management, SIEM and PCI DSS compliance. He is an author of books "Security Warrior" and "PCI Compliance" and a contributor to "Know Your Enemy II", "Information Security Management Handbook" and others. Anton has published dozens of papers on log management, SIEM, correlation, security data analysis, PCI DSS, security management. His blog "Security Warrior" is one of the most popular in the industry. In addition, Anton teaches classes and presents at many security conferences across the world; he recently addressed audiences in United States, UK, Singapore, Spain, Russia and other countries. He works on emerging security standards and serves on advisory boards of several security start-ups. Currently, Anton is running his own security consulting practice, focusing on logging, SIEM and PCI DSS compliance for security vendors and Fortune 500 organizations. Dr. Anton Chuvakin was formerly a Director of PCI Compliance Solutions at Qualys. Previously, Anton worked at LogLogic as a Chief Logging Evangelist, tasked with educating the world about the importance of logging for security, compliance and operations. Before LogLogic, Anton was employed by a security vendor in a strategic product management role. Anton earned his Ph.D. degree from Stony Brook University.

Ed Bellis
Open Standards & Automation: Breaking the Vulnerability Wheel of Pain
Synopsis: Vulnerability management has become a painful repeating process of assessing, reporting, prioritizing and mitigating. Coined as the Hamster Wheel of Pain by Andy Jaquith, this process often includes teams of people slogging through a pile of spreadsheets trying to figure out what's real, what's important, and what was missed. By the time a security team gets through one spin of the hamster wheel they are already behind and the findings are piling up! By combining standards such as SCAP and the WASC Threat Classification with automation and workflow, teams can break out of the wheel of pain and make vulnerability management a viable effort across all layers of the stack.

Bio: Ed Bellis is the CEO of HoneyApps Inc, a vulnerability management Software as a Service that centralizes, correlates, prioritizes and automates the entire stack of security vulnerabilities and remediation workflow. Prior to HoneyApps, Ed served as the Chief Information Security Officer for Orbitz, the well known online travel agency where he built and led the information security program and personnel for over 6 years. Ed has over 18 years experience in information security and technology.
He is a frequent speaker at information security events across North America and Europe. Past talks have included venues such as IANS Security Forum, SaaScon, AppSec DC, BlackHat, CSO Perspectives, MIS Institute, and several others. Additionally, Ed is a contributing author to the book Beautiful Security by O’Reilly and a blogger on CSO Online.

Dino Dai Zovi
Hacking at Mach 2!
Abstract: If Mac OS X and iOS were turduckens, Mach would be the chicken. Together with the top-half of BSD and other layers like IOKit, it forms the lowest-level layer of the 'xnu' kernel used by Mac OS X and iOS. While most of the Mach interfaces are hidden under the Cocoa APIs, they are still accessible and used to implement many of Mac OS X and iOS's interesting features. This talk will describe some of the fun to be had at this layer, including bug hunting, process injection, and Mach-based rootkits.

Bio: Dino Dai Zovi, Principal, Trail of Bits | http://trailofbits.com/
Dino Dai Zovi, currently an independent security consultant and researcher, has been working in information security for over 9 years with experience in red teaming, penetration testing, software security, and information security management. Mr. Dai Zovi is also a regular speaker at information security conferences having presented his independent research on memory corruption exploitation techniques, 802.11 wireless client attacks, and Intel VT-x virtualization rootkits over the last 10 years at conferences around the world including DEFCON, BlackHat, and CanSecWest. He is a co-author of the books "The Mac Hacker's Handbook" (Wiley, 2009) and “The Art of Software Security Testing” (Addison-Wesley, 2006). In 2008, eWEEK named him one of the 15 Most Influential People in Security. He is perhaps best known in the information security and Mac communities for winning the first PWN2OWN contest at CanSecWest 2007.

Daniel Peck and Nidhi Shah
Future Proofing The Botnet
Abstract: For as long as the security community has been around we've discussed advanced attack techniques that aren't used as part of mainstream attacks until years after, but post compromise behavior/detection is still mostly about the challenges now instead of those of the future. Its time to change that, botnet nodes and command and control traffic are a part of the everyday life systems and their sophistication is rising. In this session we'll look at current and (potentially) next generation approaches to bot herding, exploring new command and control systems that uses social networks and other open technologies for communication methods, encryption, and a "set it and forget it" method for C&C.

Bio: Daniel Peck is a Research Scientist for Barracuda Labs. With experience attacking and defending critical systems of all sorts, from power plants to major financial institutions, he develops new attack strategies that are implemented as protection in Barracuda Networks product and service lines. Notable research includes Caffeine Monkey, a tool for behavioral analysis of malicious javascript and exploiting network card vulnerabilities in control system field devices.

Nidhi Shah is a Research Scientist for Barracuda Labs. Where she is focused on automated web malware detection and prevention. Prior to working for Barracuda, Nidhi worked as a R&D engineer for SPI Labs. Her research areas include Web application security, binary program analysis, threat analysis for emerging technologies and obfuscation. Nidhi earned her master's degree from Georgia Tech in Computer Engineering.

Garrett Gee
Building a Portable Security Environment with BinPack
Synopsis: Portable environments are extremely useful in several scenarios. From an emergency repair kit, to performing penetration tests, a portable environment should provide everything you need to get the job done without excessive software management overheard. I will cover the existing landscape of portable environments, and show how anyone can create their own customized environment with BinPack.

Bio: Garrett Gee is a penetration tester, researcher, and entrepreneur. He has been in the information security industry for the last 12 years, and is an active member of the community. He is an OWASP chapter leader, and has authored several tools. In 2001 he developed the first bootable live cd for penetration testing and forensics called PLAC. He has appeared on several news venues such as 60 Minutes, ABC News, and The Washington Post.

Gal Shpantzer
Security Domination via Hard Drive Isolation
Synopsis:Every organization is a reluctant participant in the malware arms-race, investing untold blood and treasure in securing the essentially unsecurable: Commercial general-purpose, fat-client endpoints that are simply inappropriate for certain high-risk business processes. This talk goes through this problem and proposes an alternative approach to the one-size-fits-all desktop. SANS.edu grad students call this approach ROBAM, while Gartner calls it Trusted Portable Personality Devices.
You will learn how leading government, financial and emergency response sector organizations are improving security while simultaneously extending remote access and mobility to administrators as well as end users. Several specific use-cases, pitfalls and gotchas are outlined and analyzed in this talk.

Bio: Gal Shpantzer is a trusted advisor to CSOs of Fortune 500 corporations, technology startups, large universities and non-profits/NGOs. Gal has been involved in multiple SANS Institute projects, including co-editing the SANS Newsbites from 2002-2008, revising the E-Warfare course and presenting SANS@Night talks on cyberstalking, CAPTCHAs and endpoint security. In 2009, Gal founded the privacy subgroup of the NIST Smart Grid cybersecurity task group, resulting in the privacy chapter of NIST IR 7628. He is a co-author of the Managing Mobile Device Security chapter in the 6th ed. Vol 4 of the Information Security Management Handbook (2010). Most recently Gal collaborated with Dr. Christophe Veltsos (@DrInfosec) to present the Security Outliers project at RSA and CSI. He is particularly proud of his ongoing contributions to productive snark in the community, including the Shpantzer Coma Scale of Vendor Lameness and FUD (SCSoVLF) and ridiculous themes for most excellent conferences such as BSides, DojoCon and Baythreat.

Cory Scott
Improving Application Security After an Incident
Synopsis: When an enterprise suffers an application security incident, a whirlwind of activity takes place to triage the immediate problem. Application and security teams work side-by-side to identify the damage, implement a quick fix to prevent further losses, and perform a root-cause analysis to determine why the vulnerability existed in the first place. Savvy information security teams can leverage the root-cause analysis as a catalyst to enhance the assessment of applications and improve an inconsistent and underdeveloped application security program. However, more often than not, these fledgling improvements can get crushed under the inertia of the organization. It can be difficult to shift people's attention from the "quick-fix" to "fix-the-root-cause" once the initial damage has been mitigated. The complexities of implementing an application security program can frustrate even experienced practitioners and the difficulty in establishing a business case can create stall-out, due to the large costs that many of these initiatives carry. I will share some experiences, strategies, and approaches to overcome these challenges and introduce sustainable and measurable improvements into your application security program after an incident has occurred.

Bio: Cory Scott is a director at Matasano Security, an independent security research and development firm that works with vendors and enterprises to pinpoint and eradicate security flaws, using penetration testing, reverse engineering, and source code review. Prior to joining Matasano, he was the Vice President of Technical Security Assessment at ABN AMRO / Royal Bank of Scotland. He also has held technical management positions at @stake and Symantec. He has presented at Blackhat Briefings, USENIX, OWASP and SANS.

Moxie Marlinspike
Changing Threats To Privacy: From TIA To Google
Synopsis: A lot has changed since discussions around digital privacy began. The security community won the war for strong cryptography, anonymous darknets have been successfully deployed, and much of the communications infrastructure has been decentralized. These strategies were carefully conceived while planning for the most dystopian visions of the future imaginable, and yet somehow they've fallen short of delivering us from the most pernicious privacy threats today. Rather than a centralized state-backed database of all our movements, modern threats to privacy have become something much more subtle, and perhaps all the more sinister. This talk will explore these evolving trends and discuss some interesting solutions in the works.

Bio: Moxie Marlinspike is a fellow at the Institute for Disruptive Studies and a co-founder of Whisper Systems.
He has more than thirteen years of experience attacking networks. He is the author of sslsniff, used by the MD5 hash collion team to deploy their rogue CA cert, and sslstrip, which implements Moxie's deadly "stripping" technique for rendering communication insecure. His tools have been featured in many publications, including Hacking Exposed, Forbes, The Wall Street Journal, The New York Times, and Security Focus as well as on international TV.
Additionally, he runs a cloud-based WPA cracking service, manages the GoogleSharing targeted anonymity service, and is the author of the sailing film Hold Fast.

Steve Adegbite
Rage against Security: A different Scene shift
Abstract: This talks takes a look into the perspective of why present security best practices need to change. It’s not enough to just follow a structured secure development process. Come walk through where the flaws can creep in both your development and software maintenance aka application incident response plan. The talk will conclude with a thought of where the industry needs to go and where investments to date have been lacking. You will be surprised by the answer. Here is a hint: it doesn't lie with the binary bits.

Bio: Steve aka "Capn Steve" Adegbite is a Senior Security Strategist in the Adobe Secure Software Engineering Team(ASSET) with over 15 yrs of security scene background, working in the group that is responsible for securing current and future Adobe products. He also in his spare time serves as the chairman of the Forum of Incident Response and Security Teams(FIRST) helping out to advance security principles and process now after getting old and having to give up his right to geek out over code. Prior to joining Adobe, Steve worked in the Microsoft Security Response Center(MSRC) on the EcoStrat team dealing with all manners of vulnerability sharing and stuff. He is the brain child that lead to the creation of the Microsoft Active Protections Program(MAPP) that publically provides early vulnerability information to AV,IDS and IPS vendors prior to the Microsoft's Patch Tuesday public release of a security fix.

Sam Bowne
Getting Started With IPv6
Abstract: In 2011, the IPv4 address space will be exhausted. Everyone will be forced to convert to IPv6--a transition that will take years, and be very complex and messy. We will all have to run both IPv4 and IPv6 simultaneously on our networks for the next decade. The conversion will raise many issues of availability and security, because many network security devices are blind to IPv6, and much traffic will flow through tunnels, sometimes automatically-generated tunnels. IPv6 is a large topic to learn, but it is easy to get started with free tunnels and Hurricane Electric's IPv6 Certification. I'll demonstrate that process. I will also explain the essentials of IPv6 addressing and some of the security concerns that have already been discovered. But the real action will happen over the coming years, as real-world implementations of IPv6 devices create new vulnerabilities and defenses.

Bio: Sam Bowne has been teaching computer networking and security classes at CCSF since 2000. He has given talks at DEFCON and Toorcon on Ethical Hacking, and taught classes and seminars at many other schools and teaching conferences. He has a B.S. in Physics from Edinboro University of Pennsylvania and a Ph.D. in Physics from University of Illinois, Urbana-Champaign. His Industry Certifications are: Certified Ethical Hacker, Microsoft: MCP, MCDST, MCTS: Vista; Network+, Security+, Certified Fiber Optic Technician, HE IPv6 Guru, CCENT.

Davi Ottenheimer
All clouds love logs. Yes, logs.
Abstract: Surveys show ongoing concern related to security and compliance for the cloud. These concerns are not unfounded; the cloud brings up new questions to old (audit) requirements for logs and monitoring. How should you look for and respond to attacks when you get visibility as a service? This presentation looks at the present and evolving log management challenges introduced by cloud providers. Recommendations, as well as real-world examples, will be given to show how to get back the necessary view into what, when and even where attacks happen. All clouds love logs; SIEM might just not know it yet.

Bio: Davi Ottenheimer, President of security consulting firm flyingpenguin, has more than sixteen years experience managing global security operations and assessments, including a decade of leading incident response and digital forensics. He is a recognized expert in compliance and a qualified PCI DSS and PA-DSS assessor and a former Board Member for the Payment Card Industry Security Alliance and the Silicon Valley chapters of ISACA and OWASP. A frequent public speaker at international conferences he also has been quoted or written articles on security, risk management and compliance for publications including Bank Info Security, Network World, Red Herring, Chain Store Age and SC Magazine. Davi was formerly Director of Compliance for an industry-leading SIEM company. Prior roles include manager of global communications security for Barclays Global Investors and a dedicated paranoid at Yahoo! -- responsibile for mobile, broadband and digital home security.

Julia Wolf
OMG-WTF-PDF: Stuff you probably didn't know about PDF
Abstract: PDFs are currently the greatest vector for drive-by (malware installing) attacks and targeted attacks on business and government. A/V technology is extraordinarily poor at detecting these. The PDF format itself is so diverse and vague, that an A/V would need to be 100% bug-compatible with the parser in the vulnerable PDF reader. You can also do cool tricks like make a single PDF file that displays completely differently in several different readers.

Bio: Julia Wolf is the senior security researcher at FireEye's Malware Intelligence Labs where she reverse-engineers the latest malware threats and builds advanced detection mechanisms. She also does exploit R&D, cryptanalysis, and other low-level bit-twiddling stuff. Occasionally she'll hijack a botnet too.

Jim MacLeod
Signed Sessions Spoil Spoofing: Building assured ephemeral identity continuity into TCP
Abstract: IP Spoofing is a favorite InfoSec Cocktail Party topic. Though most attacks must be done "blind", spoofing a node on a local network segment allows a whole world of pwn. Cleartext connections can be hijacked through injected data, and even TLS/SSL can be closed through injected control bits (e.g. RST). Notable locations allowing on-path spoofing include coffee shops and security conferences.

In this talk, I will present a proof-of-concept tool which can detect and drop spoofed packets. The tool will exchange anonymous credentials during TCP session setup, hash every packet on send, and verify every hash on receive. Encryption and authentication are often handled at higher layers in today's Internet, so patching the spoofing hole only requires a way to verify that the received packets all come from the same remote endpoint. The goal is not to replace SSL, but to provide an optional supplement to protect SSL at the TCP layer. It's TCP-AO with a BTNS attitude, faster and leaner than Bubba and Skeeter. (No, really.)

Bio: Jim MacLeod works as a product evangelist on a network application platform from a networking vendor. In a previous role, he developed anti-CSRF for a network management appliance webUI, then integrated a load balancer and a data-driven firewall into a self-clustering server appliance. Since his current position doesn't require him to write any code, he amuses himself by cramming odd features into old technology. Jim snooped his first password in 1993, injected his first routes in 1995, and configured his first firewall in 1998, after which he found it more fun to build than to break. He occasionally posts on Twitter as @shewfig.

Vinnie Liu
Good Guys Wear Black
Abstract: Many people claim to be penetration testers, yet most are no better than an automated scanning tool. So what is it that makes someone a penetration tester? What is it that makes one pen tester better than the next? How can you cut through their crap to find out if they’re any good?
In this very lively presentation, we'll define the different penetration testing skill levels and answer the question of whether or not penetration testing can be learned or taught. We'll discuss what makes a pen tester and also what separates the good from the bad from average. And finally we'll talk about why the very best penetration testers are so much $#@! better than the rest.

Bio: Vincent Liu is a Managing Partner at Stach & Liu, a security consulting firm providing IT security services to the Fortune 1000 and global financial institutions as well as U.S. and foreign governments.
Before founding Stach & Liu, Vincent led the Attack & Penetration and Reverse Engineering teams for the Global Security unit at Honeywell International. Prior to that, he was a consultant with the Ernst & Young Advanced Security Centers and an analyst at the National Security Agency. In these roles, he gained extensive experience conducting risk assessments, analyzing source code, and performing penetration testing.
Vincent is a sought after speaker and has presented his research at conferences including Black Hat, ToorCon, InfoSec World, SANS, and Microsoft BlueHat. Vincent has been published in interviews, journals, and books with recent highlights including: Hacking Exposed Wireless 1st and 2nd Edition and Hacking Exposed Web Applications 3rd Edition.

Billy Rios
Will It Blend?
Abstract: Today’s information systems are giant mesh of complexity. Typical consumer systems have large numbers of software created by different software manufactures installed on their machines. This mesh of software creates an ecosystem, where software is intertwined and in some cases dependant on each other. When one piece of the ecosystem gets out of line, it can have a dramatic effect on the ecosystem as a whole. A small vulnerability or even an “annoying” behavior from one piece of software can alter the behavior of a 2nd piece of software, a behavior which a 3rd piece of software is depending on for a security decision. Enter the world of blended vulnerabilities and attacks.
This talk will discuss the details of various “blended” attacks. The talk demonstrates the chaining of seeming low risk vulnerabilities and unusual design decisions from popular software together to create a higher risk exploit.

Bio: Billy currently works for Google, a small technology company headquartered in Mountain. Before Google, Billy was a Security Program Manager at Microsoft where he helped secure several high profile software projects including Internet Explorer. Prior to his roles at Google and Microsoft, Billy was a penetration tester, testing the defenses of various companies in the Fortune 500. Billy has spoken at numerous security conferences including: Blackhat briefings, Bluehat, RSA and DEFCON. Billy holds a Bachelors degree in Business Administration, Master of Science degree in Information Systems, and a Master of Business Administration.

Allison Miller, Andy Steingruebl
Working without a (Perimeter) Net: Protecting Customers from Online Threats
Abstract: Setting up defenses around a corporate network is one thing, but how do service providers respond to threats when it is their end-users -- i.e. their customers -- who are the target of choice? In this discussion we'll review threats and attacks that commonly target end users like social engineering, credential theft, malware, spam & abuse -- and the resulting problems like account takeovers, botnet activity, privacy leaks, and identity theft. We'll then discuss our successes and lessons-learned from adding additional controls both at the system level and provided directly to customers.

Bio: Allison Miller is a Senior Manager in Risk Management for PayPal. Allison focuses on leveraging data to improve fraud detection and customer account security. Miller is active in the security community and presents research regularly to both industry and government audiences, including the Black Hat Briefings, ITWeb Security Summit (South Africa), the SOURCE conferences (Boston & Barcelona), and RSA. Prior to joining PayPal, Miller was Director of Product and Technology Risk at Visa International.

Andy Steingruebl is the manager of Internet standards and governance for PayPal. In this role, he serves as a technical expert in systems and application security. Andy previously managed the secure development program for all PayPal applications including the websites supporting PayPal's tens of millions of active customers. He has been with PayPal since 2006.

Dan Kaminsky
Towards The Domain Key Infrastructure
Synopsis: We've really got to get past passwords. That much is obvious. But X.509 based PKI does not work -- hundreds of millions of dollars of failed deployments make that even *more* obvious. So what do we do? Much to my surprise, DNSSEC. For various architectural reasons (effective delegation, one root instead of a thousand, exclusion), DNSSEC provides a remarkable foundation for keying -- thus, DKI, or Domain Key Infrastructure. But all the theory in the world is irrelevant without working code. With the release of the Phreebird Suite, it is now possible to:
* Deploy DNSSEC records w/o any complex preconfiguration
* Validate DNSSEC records, end to end
* Upgrade OpenSSL dependent apps to use DNSSEC for chain validation (with no code changes)
* Federate authentication in OpenSSH
* Finally secure email
There's been a lot of talk about how DNSSEC is going to change security. This is the beginning of code that shows the way.

Bio: Dan Kaminsky really does things other than DNS, though perhaps the evidence is questionable. Best known for finding, and repairing, a pretty nasty universal bug in DNS in 2008, Dan's actually been giving security research talks for a decade, and has spent his career in the Fortune 500 assisting companies like Cisco, Avaya, and Microsoft. Dan is one of the seven Recovery Key Share Holders for the DNSSEC root -- he is the American. Dan is based...somewhere.