Feb 26, 2013

the 5by5 race is on

At BruCON 2012 we announced that we launched our 5by5 project, where we were looking forward to seeing submissions coming in from individuals or groups that we could support to drive or speed up development. With a budget of €25000 we could support 5 projects with up to €5000 each, and here we are today, ready to support the following projects:

1. OWASP OWTF (Abraham Aranguren)

More details on the Offensive Web Testing Framework can be found here: https://www.owasp.org/index.php/OWASP_OWTF

2. The Cloudbug Project (Carlos Garcia Prado)

The Windows OS integrates a mechanism to report technical information when a program crashes. This information is pretty useless to a normal user and the crash is going to happen anyway, so why not do something useful with it?

By installing a small, non-intrusive program (it will only kick in if another program crashes), the users will be reporting anonymous information about the state of the application at the time of the crash. This information is invaluable to security researchers in order to find software flaws that could indicate critical security issues.

Data mining and reverse engineering will be performed on the submissions pool. The vulnerabilities found will be reported to the corresponding vendors for fixing. 

3. A tool a month (Robin Wood)

Over the last few years I've created and publicly released over 30 free open source tools. Almost all of these have been done in my spare time without any kind of monetary backing. I'm happy doing this as I enjoy creating new tools but doing it this way means that paid work comes first and so good ideas often get delayed or forgotten about.

If I were selected for the project I would use the money to take time off client paid work and build a selection of tools for the community. BruCON is at the end of September which gives about 10 months from selection date to conference so I propose to write/publish a tool a month each month leading up to the event. The tools would not be huge Metasploit sized projects, more along the lines of CeWL [1] or Pipal [2].

I have a bunch of ideas but would like to see what the community needs so I think I'd like to have 5 tools that I've thought up then open the other 5 up to community submissions. I'm sure there are plenty of people out there who would like to automate a task or have an idea they don't have the skills to program themselves.

4. Eccentric Authentication (Guido Witmond)

Eccentric Authentication (Ecca) is a protocol to replace password authentication with client certificates. By doing so we can:
  • make it easier to log in and log out of web sites;
  • make it anonymous; you can sign up to a site without providing any details that would tie the account to your person;
  • make communication more secure; with certificates, people can send encrypted and signed messages securely without revealing their identities. Ideal for a dating site;
  • make it possible to bootstrap other communication protocols securely.

If applied correctly, Ecca would take us out of the cryptographic bronze age into the silver age. From there we might lift ourselves into the golden age.

Feb 25, 2013

It's official: our keynote speakers

Every year we get loads of suggestions on "this would be an awesome keynote speaker" or "I would really like to see this person present at BruCON". Every year we are on the lookout for remarkable individuals that are defining, influencing and shaping the information security community and industry to present their unique perspective to you, our BruCON audience.

There are always the usual suspects: big names you'll eventually see at one of the bigger venues in the course of a year. Then comes the realization of what a keynote means to somebody. Is it a figurehead that you "rent" to sell your conference? We don't think so and we don't need to...

For us a keynote is one of those persons that you'd gladly start talking to early in the evening over some tasty cocktails, a person that listens and shares knowledge over a good meal and that thinks, just like you, that it's too early to leave when the waiter kicks you out of the bar at 3am.

We believe that for our 5th anniversary we once again lucked out, with both of our keynote speakers agreeing to come out to BruCON. The team cannot wait to have them and you over for another epic edition of BruCON!!

Without further ado:

Justine Aitel

Justine Aitel has worked in Information Technology and Security for fifteen years, serving private and public sectors in technical, analyst and management roles. Her career started at New Zealand’s Government Communications Security Bureau, where she entered the world of security research and computer/network offense. She was later employed by ISS (now IBM) X-Force as a security researcher and consultant. During that time she relocated to New York City. In 2002 Justine joined Bloomberg L.P. as a software security expert, taking on increasing responsibilities over time, leading to head of global risk management. Justine later joined her husband in growing the specialized security firm Immunity Inc., which remains a leader in the security offense space. In 2013 Justine took on the position of Head of Digital Infrastructure and Security at Dow Jones.

Dan Guido

Dan Guido leads the strategic vision for Trail of Bits products and services and manages its day-to-day operations. His most recent research applied intelligence-driven defense to mass malware and demonstrated that, contrary to popular belief, only a very small number of vulnerabilities are used in these massive exploitation campaigns. Prior to Trail of Bits, Dan was a Senior Security Consultant at iSEC Partners, where he provided application security and incident response services to a wide variety of clients in the technology, finance, and media industries. Previously, Dan worked for the Federal Reserve System, where he proposed and developed a centralized function for threat intelligence: a team that used its expert knowledge of attacks in the wild to develop sophisticated enterprise strategies to mitigate them. In addition to his professional work, Dan is a Hacker in Residence at NYU-Poly, where he oversees student research and teaches classes in Application Security and Vulnerability Analysis.

Are you as excited as we are? That's what we thought ;-)