BSidesPDX-2025

Registration opens at the registration room.

Opening remarks

Day 1 Keynote

Stop by the Registration Room to chat with our amazing sponsors, grab some swag, and learn about the cool things they’re building. They’ll be here throughout the day!

BSidesPDX 2025 CTF

The annual BSidesPDX 2025 CTF competition, brought to you by an amazing group of volunteers!

Go to https://ctf.bsidespdx.org to register and play!

In 2020, I registered a domain as a joke and privacy experiment. I never expected it to become a passive honeypot. But over the next five years, I received over 30,000 unsolicited emails. From pizza orders and job applications to password resets, IT tickets, and sensitive government faxes, it turns out a lot of systems assume that “noreply” means no one is actually watching.

In this 20-minute talk, I’ll walk through how I accidentally built a data-collecting black hole, what I’ve uncovered inside, and what it reveals about our collective assumptions around placeholder email addresses, dev defaults, and ghost domains. Spoiler: someone is reading the mail.

Abstract
Binary exploitation can feel overwhelming for beginners. With so many tools, techniques, and architectures to learn, it’s easy to get lost without a structured path. Binary Jiu-Jitsu is designed to guide students through the fundamentals of binary exploitation using a skill-based, hands-on approach inspired by martial arts training.
In this workshop, we’ll cover the essential building blocks for exploiting simple 64-bit Linux ELF binaries. Attendees will learn the fundamentals of computer architecture, reverse engineering with Ghidra, debugging with GDB, finding stack-based buffer overflows, and developing custom exploits using pwntools.
Throughout the session, participants earn “stripes” by completing progressively harder hands-on challenges in a live CTFd environment. By the end, students will have the knowledge — and practical skills — to identify vulnerabilities, write working exploits, and pop their first shell.

⚠️ Important:
Workshops require registration via this link: https://square.link/u/LYlZ89gC
(Registration will open at 12:00 Noon PDT, on Friday, October 10th)

Join us in this workshop to engage in hands-on attacks to identify weaknesses in generative AI. If you’re interested in learning about getting started in red teaming generative AI systems, this is the workshop for you.

⚠️ Important:
Workshops require registration via this link: https://square.link/u/LYlZ89gC
(Registration will open at 12:00 Noon PDT, on Friday, October 10th)

Last year at BSides Portland we started the conversation about creating the Portland Hacker Foundation, and by many measures it seems to have been a roaring success. This session will talk about what we've done, where we're going, and what you can do to help.

Critical-infrastructure sites have hardened perimeters, access controls, and robust camera systems that deter and catch ground-level intrusions. But what about the airspace above them? This talk addresses a gap many sectors share: detecting and responding to drones. We’ll walk through how airspace pentesting over critical infrastructure actually works, what on-site defenders can do to strengthen detection and response, and demystify how to legally and safely get started with aerial assessments. Attendees will leave with equipment recommendations, a clear runbook for performing this work, and a persuasive narrative to secure budget and buy-in for launching aerial assessment and drone-defense programs.

"Instant API Hacker" is a fast-paced, 20-minute presentation that demonstrates how quickly someone can learn to identify and exploit API vulnerabilities. Led by Corey Ball, author of "Hacking APIs" and founder of APIsec University and hAPI Labs. This talk provides a practical introduction to API security testing using real-world tools and techniques. Attendees will witness the exploitation of critical vulnerabilities from the OWASP API Security Top 10, including broken authentication, authorization flaws (BOLA), and excessive data exposure. Through live demos using the crAPI vulnerable lab, participants will see firsthand how APIs can be compromised and gain actionable insights they can apply immediately. The presentation concludes with free resources for continued learning, including access to vulnerable labs and APIsec University courses.

Zero Trust is everywhere: on vendor datasheets, compliance frameworks, and executive roadmaps. But how do you separate real enforcement from marketing noise?

In this talk, I present a practical, adversary-informed evaluation of several leading ZTNA solutions tested across the five core pillars of Zero Trust: Identity, Device, Network, Application, and Data. Using a controlled lab environment, I simulated trusted and untrusted scenarios, configured granular access policies, and executed known attack patterns to test each vendor’s actual enforcement capabilities.

Some solutions successfully blocked unauthorized access, enforced policy based on device posture, and prevented common web exploits and data loss. Others fell short: failing to detect endpoint misconfigurations, bypassing service cloaking, or letting malware and sensitive data flow freely. In multiple cases, achieving basic Zero Trust behavior required purchasing additional modules outside the core ZTNA platform.

This session delivers clear results, testing methodology, and takeaways any security team can apply when evaluating ZTNA vendors. If you're tired of buzzwords and want to see how “Zero Trust” actually performs under pressure, this talk is for you.

Seattle was one of the first USA cities to have a Surveillance Ordinance. This enables Seattle residents to pull back the curtain on a type of mass surveillance not as commonly discussed by the news media: a service that provides real-time travel time calculations using a system of WiFi/Bluetooth MAC address sniffers deployed across the city. I'll bring you up to speed on this surveillance technology, the variety of issues that have been identified with it (both technical and non-technical), and its removal from Seattle. I'll also discuss some aspects about privacy of mobile devices specific to challenges with MAC addresses (i.e. randomization, anonymization, etc). Lastly, I will give you pointers on how to get started reviewing surveillance technologies your local municipality has deployed, so that you too can put your technical/security skills to use to help your neighbors and community.

When traditional infrastructure fails, as it often does in the PNW, we may lose power, water, and even accessible roads. How do you plan to check in with your friends, family, share resources, and help others? In this talk, we’ll cover what options are available for long-distance remote communications between individuals: FRS, GMRS, CB, Amateur Radio, as well as Meshtastic. For the second half of the talk, we'll dive in deeper on Meshtastic: how it compares in terms of capabilities, legality, range, and ease of integration, as well as edge cases. By the end of the presentation, participants will be equipped with actionable knowledge to select affordable communication tools for their needs, ensuring they remain connected when it matters most.

Learn to secure GraphQL interfaces by looking at design decisions and actual attacks. This talk dives into a half dozen GraphQL services that were deployed at a tech unicorn. You'll learn practical defensive strategies, discover where common security controls fall short, and see the fall out from attack scenarios that were missed.

So, you’d like to present at a conference? Awesome - but making that decision is just the first step of a long journey. This workshop is primarily intended for people who already have ideas of things to present, but need some help fine-tuning them and understanding the process. We’ll start off in a lecture format covering all the parts of preparing, submitting and presenting your work, answering a lot of questions you might ask yourself. We’ll proceed into an extended question and answer session. Think of your questions ahead of time, and perhaps even ask them before the workshop. Finally, we’ll use the remaining time to team up in groups to share our ideas and give each other feedback. Hopefully you’ll leave with a better idea of how to navigate the process, as well as a clearer idea of how to structure your submission and presentation.

⚠️ Important:
Workshops require registration via this link: https://square.link/u/LYlZ89gC
(Registration will open at 12:00 Noon PDT, on Friday, October 10th)

Safety Net Project, the tech safety team at the National Network to End Domestic Violence (NNEDV) has seen a significant uptick in recent years with local organizations requiring additional aid and guidance on best practices to support survivors of domestic violence and continue critical communication, in the face of natural disaster events like fires, hurricanes, and flooding. This project was born out of a direct response to this need - inspired by literal natural disasters across the United States.

Graduate students from the University of Washington (UW) are conducting research on this critical topic of cyber security best practices and guidelines for local victim service providers in the context of disaster preparedness and response. Some key topics covered include: emergency response communication plans, privacy and digital protection during disasters, as well as location tracking (stalkerware, tracking through car, airtag, dog pet finder, children’s devices, etc.), detection, and prevention. The research presented will serve as a comprehensive guide that fills the current gap in NNEDV’s resources, by offering actionable recommendations to help local organizations continue critical communication and safeguard survivors during and after natural disasters.

Microsoft's Configuration Manager (more commonly known as System Center Configuration Manager or SCCM) has received a great deal of attention from the offensive security community in recent years. The service's 30 year history includes a mountain of techincal debt that is still heavily relied on by enterprises across the globe. In fact, even with the industry's shift to cloud, SCCM remains the most depended on solution for endpoint management. This presentation will publicly disclose how an attacker under the right circumstances can abuse this dependence to escalate to SCCM admin simply by implying it.

Many a presenter, including myself, has talked about fuzzing. Usually, we touch on a small amount of theory and then show off what a cool tool we built or what a difficult target we fuzzed. Instead this talk will focus on fuzzing history. Where did we start? How did we get here? What were the turning points along the way? For each major development, we'll cover a motivating example, the theory behind a solution, and a tiny implementation until we arrive at the modern day.

Following the discovery of BadBox 1.0, I identified another device disguised as a streaming product called [redacted]. This one is particularly concerning, as it includes: [redacted]

This situation has underscored the growing need for research at the intersection of cybersecurity and social psychology, highlighting the importance of helping users recognize and protect themselves from products that offer services that seem “too good to be true.”

Public reporting on this activity began emerging in early 2024, with major coverage appearing in March 2025. I initially discovered this campaign in February 2024 and have since tracked its evolution and broader ecosystem connections. This led to a second PSA from IC3 in May of 2025.

In this talk, I’ll provide:
[redacted]

Ever dreamed of a portable hacking device that packs the punch of a full Linux system but is cool enough to wear on your arm? This talk is for you. We'll dump the bulky laptops and dive into creating a powerful, Pip-Boy-inspired wearable from scratch, without breaking the bank.
I'll take you through my whole chaotic journey: from picking the right parts to the rage-inducing 3D modeling, cramming a jungle of wires into a tiny space, making a Linux GUI actually usable on a touchscreen, and keeping the thing powered for more than five minutes. I’ve already bricked the components, scoured the darkest corners of GitHub, and copy-pasted with pride, so you get the blueprint without the pain. You’ll leave ready to build your own rig for whatever digital mayhem you have in mind.

Hackers are turning AI into a force multiplier for cybercrime. In this 20-minute talk, we’ll demo real hacker AI tools such as WormGPT and show how criminals use them to uncover vulnerabilities, generate exploits, and even weaponize zero-days at unprecedented speed. These tools also churn out phishing emails and call scripts in any language, letting novice hackers attack like experts on a global scale. See how AI is reshaping cybercrime and what defenders must prepare for now.

Advances in Generative AI have enabled the development of autonomous agents, combining large-language models (LLMs) and custom tools with plan generation, reasoning, and tool execution to automate security tasks. One drawback of initial agentic approaches has been their monolithic development. However, much like HTTP decoupled the development of web clients and servers by standardizing the communication protocol between them, the Model-Context-Protocol (MCP) has emerged to decouple the development of agents and their tools. This workshop will provide an introduction to LLM agents and their construction using MCP. Attendees will first walk through a set of simple MCP clients and servers for automating database and file system tasks to get an understanding of how agents and MCP work using labs from https://codelabs.cs.pdx.edu. They will then experiment with a range of MCP servers from the open-source PentestMCP project https://github.com/Craftzman7/pentest-mcp that leverage penetration testing tools such as nmap, nuclei, and metasploit to automatically find, exploit, and exfiltrate data from a vulnerable web application. Note: Due to the nature of the exercises, they will be hosted on a Google Cloud Project that registered attendees will be given access to during the workshop.

⚠️ Important:
Workshops require registration via this link: https://square.link/u/LYlZ89gC
(Registration will open at 12:00 Noon PDT, on Friday, October 10th)

Most organizations that deploy surveillance / safety technology don't actually know what they're putting on their networks exactly. i got curious about one specific device i had found in my high school's network.
when i finally got my hands on one, it raised bigger questions then i expected,
not just about the software or hardware. but about how widely it had been deployed without much scrutiny.

Sharing the research publicly showed me just how much people were questioning it, both inside and outside the security community.
what really surprised me was realizing how tightly knit the Portland Infosec community is, and how many people helped me along this journey.

in this talk, I'll share that story. from the initial discovery, to the struggles, and reflections.

Do burner phones really still exist, or are they the stuff of urban legend? Can you get a phone that's untraceable any more? Why would you even want to?

Follow my journey as I find out, and maybe discover some privacy tips along the way.

A lot has changed since the 80s. Gone is the boom box with a cassette tape. You have a Flipper Zero instead of a magstripe writer. Forget ISDN: you can get better than an OC-24 at your house for less than your long distance bill. Viruses don't put random text on your screen, they shut down hospitals. But you know what hasn't changed? The CFAA. It's about time we look at how our laws can transform the incentives and move us beyond the cyber-vandalism era to respond to real threats with real defenses. Let's stop wringing our collective hands about evil hackers, and get real about how it actually works.

In this raw, open, and honest session, I'll pull from my own and fellow VC-backed founder experiences on the crazy journey to build a security startup based in the PNW. We'll cover all major parts of the 0 -> 1 journey, including: ideation / idea validation, learning to sell, raising capital, building an MVP, finding PMF, and building a team. 1 year after graduating from the Y Combinator 2024 cohort, I'll open up about the things I wish I knew sooner, and the secrets to YC's success. I'll specifically talk about the challenges and strengths of building a non-SF-based startup.

Threat modeling has always been critical but also slow, manual, and often skipped. What if your security champions could generate a first draft of a STRIDE analysis from architecture diagram itself ? In this talk, we’ll explore how vision models (like Gemini Vision) and LLMs can automate early threat modeling by “seeing” system diagrams and translating them into structured security insights.
I’ll show how we built an agent that ingests architecture diagrams, interprets flows and trust boundaries, and outputs threat models in a developer-friendly format. We’ll cover practical benefits (speed, adoption, developer engagement) as well as real challenges: hallucinations, missing context, and having humans in the loop. Finally, I’ll share how we turn these outputs into generating adversarial test cases, making threat modeling more actionable.
Attendees will leave with a framework to experiment with their own AI-assisted threat modeling pipeline, lessons learned from real reviews of AI agents, and a realistic sense of what today’s vision models can (and can’t) do for security.

Closing remarks and reception

Appetizers and drinks in the back room of Track 1

This is the game where we take some BSides attendees and pit them against each other in a battle of wits to see who’s the smartest… who’s the fastest… who’s going to emerge with the ultimate alpha- geek status for the next year!

WHAT’S IT LIKE? Just like many TV game shows you’re probably already familiar with. We take three contestants, put them on stage and ask them a series of questions relating to aspects of system and network security, exploits, hacking, hardware, software, administration, history, and even some random bits of pop culture thrown in for hack value.

And then maybe we'll do it again with three more contestants!

This event is for anyone with an interest in any or all of the topics that bring people to BSides. Questions for the quiz show are drawn from current events, information security, computer technology, hardware, software, geek culture, games, and general interest topics.

Registration opens at the registration room.

Opening remarks

Day 2 Keynote

Stop by the Registration Room to chat with our amazing sponsors, grab some swag, and learn about the cool things they’re building. They’ll be here throughout the day!

BSidesPDX 2025 CTF

The annual BSidesPDX 2025 CTF competition, brought to you by an amazing group of volunteers!

Go to https://ctf.bsidespdx.org to register and play!

Capture the flag (CTF) exercises can be great practice and fun. However, sometimes things get complicated. Even the best of us may sometimes be lost, move in the wrong direction or get frustrated. In this workshop, not only are we giving you an overview and access to several CTF exercises, you are also provided hints (in case you need some). This way, everybody who shows up and spends some time can successfully complete some CTF exercises.

Instruction for attendees:
Bring a laptop.
(It is nice if you can ssh via terminal. Otherwise have a browser ready.)

⚠️ Important:
Workshops require registration via this link: https://square.link/u/LYlZ89gC
(Registration will open at 12:00 Noon PDT, on Friday, October 10th)

From LM hashes and rainbow tables to GPU rigs and Kerberoasting, the art of cracking Active Directory (AD) passwords has changed dramatically over the past two decades. What once took hours on a desktop can now be achieved in seconds with cloud GPUs and smarter wordlists. At the same time, attackers have shifted tactics—favoring low-and-slow spraying, ticket roasting, and credential theft over brute force.

This talk traces the history of AD password cracking, exploring the techniques that defined each era and how defenses evolved in response. We’ll walk through legacy weaknesses, modern attacks like AS-REP roasting, and the growing role of hybrid AD/cloud identity. Along the way, you’ll see demos of cracking in action and gain a deeper appreciation of why old best practices (like complexity rules) don’t hold up today.

Most importantly, we’ll cover practical steps defenders can take right now: from smarter password policies and banned password lists to detection strategies and long-term mitigations like MFA and passwordless authentication.

Whether you’re red team, blue team, or somewhere in between, you’ll walk away with a clear understanding of how AD password cracking works, how it’s evolved, and what you can do to stay ahead of the curve.

Context switching during incident response is a silent productivity killer that costs security engineers hours of valuable time and significant cognitive load. This talk shares a real-world case study of how we transformed our on-call experience at Databricks by implementing Model Context Protocol (MCP) servers to enable AI-assisted incident triage and investigation.

Attendees will learn how traditional incident response workflows—involving dozens of browser tabs, multiple tools, and constant context rebuilding—can be revolutionized through natural language interfaces. We'll demonstrate how MCP servers provide a standardized way for AI assistants to interact with infrastructure tools like PagerDuty and Databricks, reducing incident investigation time from 15+ minutes to under 2 minutes.

Through real-world examples, we'll show how this approach eliminated overhead during on-call rotations, enabled cross-cloud investigation capabilities without manual intervention, and allowed engineers to focus on actual problem-solving rather than tool navigation. The talk includes practical implementation details and lessons learned from production deployments across 55+ multi-cloud Databricks workspaces.

In this hands-on workshop, you'll learn to design intelligence-driven exercises using the Hero's Journey storytelling format. We'll explore how to transform generic "bad thing happened, now what?" scenarios into compelling stories that energize players and highlight real gaps.

You'll walk away with:
• A draft tabletop scenario outline tailored to YOUR organization
• Practical techniques for incorporating adversary tradecraft using MITRE ATT&CK Navigator
• Facilitation skills for managing the room, asking the right questions, and avoiding common pitfalls

Please bring a laptop if possible.

⚠️ Important:
Workshops require registration via this link: https://square.link/u/LYlZ89gC
(Registration will open at 12:00 Noon PDT, on Friday, October 10th)

Security teams drown in endpoint telemetry: processes spawned, commands executed, binaries triggered. But not every log line should become an alert, and not every alert should trigger a 2 a.m. wake-up call. The real challenge is knowing when a query result crosses the line from “informational” to “actionable.”

In this talk, I’ll walk through how different types of endpoint queries; single-process anomalies, correlated multi-event queries, and time-bounded patterns; map to thresholds that determine whether engineers should escalate or suppress. We’ll explore practical heuristics for building alert thresholds that balance false positives and false negatives, tie signals back to MITRE ATT&CK techniques, and prioritize based on host and user context.

Using an open-source EDR as a demo environment, I’ll showcase how raw suspicious process data can be transformed into high-confidence detections. The goal: give engineers and SOC analysts a framework for deciding not just what they can detect, but when they should start worrying.

In March 2025, the tj-actions/changed-files GitHub Action, which is used by 24,000 repositories, was weaponized to steal CI/CD secrets. All 361 version tags were pointed to malicious code that dumped credentials from memory directly into build logs. We were the first responders.

Come hear the untold story of the 72-hour incident response. You'll learn how we detected an attack that traditional tools missed, built an IOC scanner over a weekend while the attack was live, and coordinated disclosure with dozens of organizations.

You'll walk away with:
- A tested incident response playbook you can adapt for your organization
- Open-source tools: harden-runner (behavioral monitoring) and ghscan (IOC scanning)
- Practical defenses for resilience against similar attacks

Intel's CET Shadow Stack is a CPU feature aimed at preventing Control-Flow Hijacking shenanigans by implementing a redundancy copy of the process stack, which can be verified for integrity through the program execution. Supporting CET Shadow Stacks in Linux applications is something that took a long long time to be implemented and deployed, and given the magnitude of changes required both in the kernel and in the toolchain, there was a reasonable chance that security details could be missed in the process. In this talk we'll cover the interactions between a kernel engineer and a security researcher regarding a last minute security finding that ended-up surfacing an intricate trade-off discussion around safety, performance and compatibility. These discussions led into redesigns of the shadow stack support at the brink of its release and are still relevant as new feature designs still stumble on the gritty details of these trade-offs.

Besides the technical scope, this talk aims on emphasizing how the collaborations between software engineers and security researchers can be fruitful, fun and crucial to achieving more reliable security outcomes.

Okta is at the heart of identity for many organizations, which also makes it a prime target for attackers. For security engineers, the real challenge isn’t just understanding Okta logs — it’s turning them into reliable detections that catch threats without overwhelming the SOC with noise.

This talk provides a hands-on roadmap for building Okta detections from the ground up. We’ll begin by breaking down the different types of Okta logs and classifying them into meaningful categories (authentication, application access, administrative actions, MFA events, etc.). From there, we’ll show how multiple log types can be grouped to reveal attack patterns such as account takeovers, suspicious MFA bypasses, or privilege escalations.

The core of the session focuses on the detection design process itself:

Researching and threat hunting to baseline your Okta environment.

Identifying the behaviors or signals you want to catch.

Mapping those behaviors back to specific log fields and event types.

Enriching with user, device, and IP context to reduce noise and add clarity.

Testing and tuning the detection to validate it in production.

Attendees will walk away not just knowing what data Okta provides, but how to use that data to design, build, and test an effective detection end-to-end. Whether you’re starting from zero or refining your existing Okta detections, this talk gives you a repeatable workflow for turning identity logs into actionable security signals.

LLMs are racing into clinics and back offices, but a single prompt, log or misstep can leak Protected Health Information (PHI) and erode trust. This fast paced, vendor agnostic talk shows how to ship useful Large Language Model (LLM) features in healthcare without violating privacy or slowing delivery. Instead of theory, we’ll focus on what can go wrong across the LLM lifecycle (e.g. in training, prompts, logs, embeddings etc.) and how to think like an attacker. Then translate all of it into a pragmatic, privacy by design workflow you can adopt immediately. You’ll leave with a concise blueprint, a threat to control matrix you can copy into your program, and a simple decision rubric for on-premises versus cloud deployments. If you own security, ML or compliance and need practical patterns, this session is for you!

GitHub forks are...weird. A couple implementation quirks lead to some funny (or alternatively, scary) consequences. And yeah, this is publicly documented, but who reads these days? This talk walks through real-world personal examples: recovering commits from a deleted project, brute forcing hidden commit history back into existence, and skirting a DMCA takedown by inserting hidden commits in a someone else's repository.

Quantum computing has sparked both excitement and alarm in the cybersecurity world and honestly, I’ve felt both. Between promises of solving problems previously thought impossible and fears of cracking RSA wide open, it’s hard to tell what’s real and what’s just well-dressed science fiction.

In this talk, I want to cut through the noise not from a purely academic standpoint, but from the perspective of someone who's actively working on quantum readiness in the fintech world. I’ve been navigating the hype, hope, and hard truths that come with trying to future-proof sensitive systems against a threat that’s not quite here… but definitely not imaginary.
We'll look at quantum computing from a high level without drowning in math and break down what's real vs. speculative. We'll cover which cryptographic algorithms are truly at risk, where post-quantum cryptography (PQC) comes into play, and how to think about timelines without spiraling into paranoia.

Whether you're in offensive security, defense, leadership, or just crypto-curious, this session will give you a clear picture of where things stand and how to start preparing without panicking (or overpaying a vendor with a quantum logo slapped on their pitch deck).

The last decade has been revolutionary for making embedded security research intellectually and financially accessible for thousands of curious minds around the world. Just by watching YouTube recordings of talks and reading blogposts from individual tinkerers and security firms alike, one can quickly start making a splash in a research area that was formerly thought to be prohibitively expensive and required lots of prerequisite knowledge.

Pan back to you: you saw the title of this presentation, and thought it was interesting. You have a $5 multimeter, a crusty soldering iron, a few bootleg debug adapters, and a wallet full of lint and toothpicks, but not a lot of bread. Where to now?

This talk presents the Hardware Procurement Iceberg (not coincidentally modeled off of the iceberg meme template): three distinct visualizations that show off different ways to procure (see: legally purchase and own) hardware to probe and modify for the sake of vulnerability and security research. Each visualization lays out various procurement methods measured by cost effectiveness, ethicality, and ease, which is left to the audience as to which route they choose to take.

Whether it be eBay, GovDeals, or somewhere more obscure/exotic, this talk walks through all possible routes to find your desired router, medical equipment, ICS/SCADA device, or whatever you fancy to complete your end-to-end research testbed.

We will be taking a look at a photo printer firmware for no particular purpose other than having fun and learning something. We will start by downloading a firmware update from the manufacturer's website, continue with figuring out firmware update format and start digging into the code. We will be using free and open tools, we will be introducing common reverse engineering principles and learning firmware and microcontroller concepts. We'll go as slow as necessary and will get as far as we can in the time allotted.

⚠️ Important:
Workshops require registration via this link: https://square.link/u/LYlZ89gC
(Registration will open at 12:00 Noon PDT, on Friday, October 10th)

In 2023 one of the largest libraries in the world fell victim to a ransomware attack. Their online catalogs were down for months, and the cost of recovery exceeded eight million dollars. In March 2024 the Library posted a detailed 18-page account of what happened and what they learned from the experience. I studied the full report so you don’t have to.

If the analysis contains any surprises, it’s that there are no real surprises: the problems the British Library faced are common to many businesses, and the improvements the Library developed in response to the attack are reassuringly familiar best practices. We know how to reduce risk from ransomware.

This 35-minute talk draws from the Library’s report to summarize the attack and explain how security controls such as network monitoring capabilities, multi-factor authentication, defined intrusion response processes, holistic risk management, and cyber-risk awareness at senior levels would have made a difference for the British Library-–and might in your company too.

Learn how to configure, use, and abuse long-range, cheap communication devices through Meshtastic, without a license! Talk to friends, control remote devices, gather remote sensor data - all at low power use, low cost, with encryption.

This workshop is designed for experience levels ranging from 0/5 to 2/5:

• Beginner: never touched Meshtastic
• Intermediate: installed Meshtastic, played with the app, messaged people

Specifically, we’ll cover:

• Hardware involved, mild theory
• Configuration and set-up
• Messaging and interacting with others
• Working with telemetry and sensors
• Basic walkthrough of controlling remote devices
• Show and tell of several projects that use Meshtastic
• How to keep advancing after the workshop

For the price of admission ($50), you’ll receive hardware you’ll be working with at the workshop, that you will keep:

• Heltec v3
• 4000mAh battery
• Temperature/humidity/barometric pressure sensor
• GPS sensor
• A custom case to house all of the above
• An ultrasonic distance sensor
• Stickers

⚠️ Important:
Workshops require registration via this link: https://square.link/u/LYlZ89gC
(Registration will open at 12:00 Noon PDT, on Friday, October 10th)

Webcams secretly running Linux reveal embedded system vulnerabilities, insecure firmware, and broken update mechanisms. Tracing the tech stack from distributors to chipset manufacturers exposes supply chain issues, security oversights, and risks at the hardware-software boundary. The talk includes demos and highlights the need for transparency and responsibility.

This talk explores the converging risk factors that could transform helpful AI systems into potential security threats within organizations. We examine three critical ingredients that create this vulnerability: increasing capability, expanding agency, and exploitable motivation. As AI task capabilities surpass human performance in some domains, organizations naturally grant these systems greater autonomy and access privileges—mirroring how we treat valuable human employees. However, current AI systems remain fundamentally gullible, lacking robust skepticism when faced with indirect prompt injections and social engineering techniques. This talk will analyze how these three factors interact to create novel security challenges.

Residential proxy networks, which reroute user traffic through residential IP addresses, present unique risks to enterprise networks and individual users. These proxies, often bundled with low-reputation applications, enable external traffic to appear as if originating from legitimate endpoints, frequently without user consent. Cisco Security's research highlights that residential proxies are 4.8 times more likely to connect to malicious domains compared to regular enterprise network traffic, underscoring the threats posed by such activity.
This research investigates the mechanics, detection, and prevalence of residential proxies, leveraging datasets from Cisco Network Visibility Module (NVM) and the open-source mercury tool. By analyzing billions of network flows and telemetry data from approximately 240,000 devices, researchers identified residential proxy activity linked to applications like Infatica and Rave Helper. These programs, while not inherently malicious, misuse enterprise resources and can serve as vectors for attacks, including click fraud, spam, and internal reconnaissance by adversaries. The research also presents a novel detection approach based on Transport Layer Security (TLS) random nonces enables robust identification of residential proxy behavior in network traffic.
This study underscores the risks posed by residential proxies and emphasizes the importance of addressing these threats to safeguard enterprise environments. By detailing threat detections for this behavior and some of the tools that exhibit it, it provides practical tools that can be leveraged to identify residential proxy behavior through network traffic analysis. These insights aim to empower organizations with actionable strategies to mitigate the misuse of their resources and reduce exposure to malicious activity.

In a state agency responsible for fighting wildland fires (including a fleet of drones, aircraft, and firetrucks) and responding to regional natural disasters, securing sensitive data and IT infrastructure is critical and challenging. From protecting endangered species data to ensuring secure computing at the most remote locations, a cybersecurity program in such an agency requires speed, flexibility, and hand-tailored problem solving. This session will share how the Washington State Dept of Natural Resources built a cybersecurity program from the ground up, addressing unique challenges like risk tolerance, rapid deployment, and balancing security with mission-critical operations.

As automation and orchestration become key components in security operations, their limitations are becoming equally apparent. Static workflows and predefined playbooks often fall short when facing novel threats or when responders are overwhelmed by false positives and incident fatigue. Agentic solutions—where large language models (LLMs) operate as autonomous or semi-autonomous agents—arises then as a promising evolution.

This talk will explore the spectrum of AI-enabled assistance, starting with simple LLM usage for text-based tasks and moving toward autonomous multi-agent systems designed to handle complex, dynamic security scenarios. We will highlight both the opportunities and the challenges: while LLMs are accessible through simple chat interfaces, applying agentic solutions to real-world incident handling requires thoughtful orchestration, integration with tools, and recognition of inherent limitations.

Examples will be provided, including email Security Agents implemented on top of workflow orchestration frameworks.

Attendees will gain insight into the technical, operational, and human factors needed to responsibly adopt agentic solutions in security. By the end, they will better understand how to balance ambition with practicality, and how to begin experimenting with agent-driven incident response in their own environments.

Closing remarks

PDX Hackerspace (Ctrl-H)
7600 N Interstate Ave
Portland, OR 97217

Take the Yellow Line MAX to the N. Lombard Station - Parking is VERY limited

https://maps.app.goo.gl/tw4NeRZEG9jMt8CG7