Analyzing Android Malware - From Triage to Reverse Engineering
Vitor Ventura
Android malware has become prevalent across the landscape. In this workshop, Vitor will provide hands-on reverse engineering techniques for Android malware. This workshop is designed to provide the participants with different approaches to malware analysis, so that they can perform their own analysis without the use of automated tools. When everything else fails, knowing how the tools work under the hood provides the necessary knowledge to bypass the problems encountered. The attendees will learn, by doing it themselves, how to bypass the most common techniques used by malware to prevent analysis. The objective is that the attendees understand how they can use techniques like instrumentation and patching to help them analyze and bypass malware defenses when the automated tools fail, while using only free and open source tools.
Arduino for Total Newbies
Mitch Altman
You've probably heard lots about Arduino. But if you don't know what it is, or how you can use it to do all sorts of cool things, then this fun and easy workshop is for you. Arduino is an amazingly powerful tool that is very simple to learn to use. It was designed so that artists and non-geeks could start from nothing and make something cool happen in less than 90 minutes. Yet it is powerful enough so that uber-geeks can use it for their projects as well. This workshop is easy enough for total newbies to learn all you need to know to get going on an Arduino. Participants will learn everything needed to play with electronics, learn to solder, and learn to use a solderless breadboard to make a TV-B-Gone remote control to turn off TVs in public places - a fun way to learn Arduino (and electronics) basics.
ArduTouch Music Synthesizer
Mitch Altman
Learn to solder together a way cool, powerful music synthesizer - and learn how to make cool music, sound, and noise with a computer chip! For total beginners. Participants will learn to solder well for life, learn the basics of digital signal processing, and will bring home a working performing music synthesizer that is Arduino compatible, with a touch-keyboard and with a built-in speaker/amp.
A Brief Introduction to the Fediverse
Murph
The Fediverse is a collection of communities that is a bit of a throwback to a smaller, more personal time on the Internet. There are services for short messaging, audio and video sharing, and event organizing, among other things.
Mastodon is a fully open source social media platform, with no advertising, monetizing, or venture capital. It is a part of the Fediverse, a social network that is truly a network, by incorporating ideas and protocols that allow users and information to freely spread throughout a wide diaspora of servers and services. Explore how you might wish to join into the rich, new world that has more of a resemblance of the Internet as it was envisioned to be.
Building a Home Lab and Introduction to Web Application Hacking With Girls Who Hack and BiaSciLab
BiaSciLab
In this workshop, you will learn why you should set up a home lab and multiple ways to set it up. Then you'll jump right into hacking a web application! Students will leave this class with some web application hacking skills and the ability to set up their own home lab. Note: This class is aimed at middle school to high school kids, but adults are welcome if they make room for the kids!
Build Your Own USB Hacking Tool With the Wi-Fi Nugget and CircuitPython!
Kody Kinzie
Alex Lynd
In this USB attack workshop, you'll learn how hackers compromise computers over USB with techniques like keystroke injection - and even get to try it yourself! Kody and Alex will show you how to write your own "Duckyscript" payloads, and how to load the "RubberNugget" attack software on your S2 Wi-Fi Nugget. In addition to helping you write your own attacks, they will walk you through uploading the beginner-friendly CircuitPython programming language on your Nugget, and even demonstrate an experimental web interface you can use to remotely run your payloads.
A CRI for HOPE: Cyberminds Research Institute Teaches Avoidance of Being a Social Engineered Victim
Dr. Frederick L. Hicks
Dr. Natalie Foster Johnson
Dr. Tina Honey
Dr. Alexis Perdereaux-Weekes
Dr. Edvard Joseph
Dr. Lisa J. Knowles
Many individuals feel after a pandemic that there's no hope. Cyberminds Research Institute (CRI) is of a different opinion. Cyber-criminals attack those who are distracted with other life events. From the shadows of these attacks comes light and opportunity. HOPE evolves from the knowledge gained after cyber-attacks occur. After the pandemic and now a near recession, cyber-criminals are enthusiastically attempting social engineering related to lower gas prices, rent relief, mask mandates, free vaccines, bogus shot cards, and free COVID-19 funds. This offers new avenues of cyber-attacks where organizations and individuals are easy targets due to the distractions of a post-pandemic climate. This workshop focuses on social engineering, teaching and learning as a result of banally successful cyber-attacks, and the hundreds of unsuccessful cyber-attacks. Leave with hope and a technique to successfully avoid social engineers attempting to diminish hope for a safe cyber tomorrow.
Cryptography and Smart Contract Security
Sam Bowne
Learn how blockchains, cryptocurrency, coin offerings, and smart contracts (including NFTs) work. Sam will also cover the underlying cryptography: hashes, symmetric encryption, and asymmetric encryption. You will configure wallets, servers, and vulnerable smart contracts, and exploit them. You will configure systems using Bitcoin, Ethereum, Hyperledger, Multichain, Stellar, and more. You will perform exploits including double-spend, reentrancy, integer underflow, and logic flaws.
This workshop is structured as a CTF, so each participant can proceed at their own pace. The techniques will be briefly demonstrated, and tips will be provided along with help as needed to make sure everyone is able to solve at least some of the challenges. No previous experience with coding or blockchains is required.
Eyecillator: A Small Yet Surprisingly Complex Little Light-Sensitive Noise Maker
Travis Johns
Meet the Eyecillator, a small DIY tabletop opto-synthesizer for musicians, STEM evangelists, and other weirdos, brought to you by the folks at VauxFlores. Technically speaking, it's a four-oscillator, cascaded NAND opto-synth with controls over pitch and voltage sag, as well as the addition of a third control over the frequency of a misappropriated telephone chip that acts as a strange filter of sorts. Non-technically speaking, it's a chirpy sound thing that kind of sounds like that motorized garbage can robot from that one space movie... but with a drug problem - and you get to build one yourself! Even better, for this workshop, no prior electronics experience is needed and, yes, you get to keep this synth at the end of the day. As is tradition, we strive to keep things casual, informative, friendly and safe - so feel free to bring a snack and a story and let's build and be friends.
Fabrica de Unicornios Muertos: A Freaky Switched Capacitor Filter Eurorack Module
Travis Johns
Introducing VF's first DIY Eurorack module - the Fabrica de Unicornios Muertos! It's a switched capacitor filter, which is kind of a different beast than your usual techno sweepy-resonance things. Instead, it works harmonically - meaning as you turn the knob, things get freaky. And if those sounds are already freaky, things get freakier. It makes things crunch, chirp, and sputter and once that's over, it lets you in on the sounds behind the sounds. It's also a skiff-friendly 6 hp - always good when adding a touch of flavor without filling up your case. For this workshop, no prior electronics experience is needed and yes, you get to keep this module at the end of the workshop. Some synths will be available for testing, but if you want to share your setup, nothing's stopping it from tagging along to jam the sweet space music once this thing's all buttoned up.
Feeling Systems: Using Meditation to Prepare Us for the Metaverse
Obi O'Brien
Advances occurring in spatial computing and new buzzwords like "metaverse" represent both tremendous opportunities and unprecedented challenges upon our "feeling" systems. As stakeholders in an ecosystem evolve to include people, machine, objects, and their environments, we can use mindfulness practices to manage stressors this virtual world may evoke. Using mindfulness, we also can begin to anticipate and address developing questions of this new
world order:
How do we create meaningful interactions/relationships in a digital world?
How do we identify and address trauma as analog and digital interactions become increasingly "seamless?"
How do we define "optimized processes" and apply analytics that give positive value to processes that may otherwise be defined as "inefficient," e.g., pausing, looking, connecting?
This workshop will invite participants to practice mindfulness techniques, which will include guided practice (in a seated or lying position); gentle movement (with modifications for seated practice), and vocal exercises as part of trauma-informed mindfulness practices.
Freedom of Information (FOI) Workshop
Michael Ravnitzky
Public records requests are an important research tool. But for these requests to be effective, you need to know how to make the requests so they have the best chance of success, and to be able to counter obstacles that agencies may throw in your path. This workshop teaches the nuts and bolts of submitting FOI requests to federal, state, and local agencies. Learn how to formulate and submit records requests (even from your phone), and how to overcome stonewalling, delays, unfair fees, and release of records in unhelpful formats. Find out how to tap agency portals to track requests, how to negotiate with agencies on the scope of your request, how to best appeal incorrect agency decisions, and how to seek declassification of classified records. The workshop will offer ample opportunities for Q&A, so bring your toughest FOI questions and real-life examples to learn from.
Hands-On Introduction to Apache Beam (Any-Scale Data-Processing)
Austin Bennett
Apache Beam is an open source unified model for defining data processing pipelines (Batch and strEAM), which allows you to write your pipeline in your language of choice and run it with minimal effort on the execution engine (ex: Apache Spark, Apache Flink, Google Cloud Dataflow) of choice. In this practical session, you will get hands-on experience writing Beam pipelines, as well as learn about the fundamentals of the Beam programming model and SDKs (ex: Python, Go, Java). Also, Austin will be open/available to talk use-cases and more.
How to Start Contributing to Open Source: Examples From the Apache Software Foundation and Beyond
Austin Bennett
Open source software sounds great to use, and hopefully even better to contribute to! This session will discuss and demystify the various ways to get involved with open source software, with notable examples taken from within the Apache Software Foundation, though this session will speak to the larger ecosystem more generally.
How to Submit a GDPR Data Subject Access Request
Giulia Corona
Alessandro Polidoro
The General Data Protection Regulation (GDPR) regulates everybody operating within the European Union and the European Economic Area (even if non-European). GDPR Article 15 gives people the "right of access" to their personal information processed by digital platforms. These platforms must communicate with no delay many precious details regarding how they process personal data, such as purposes of processing, parties with whom data will be shared, and even the logic of their automated decision-making. In this workshop, participants will learn the best strategies for submitting Data Subject Access Requests and countermeasures for most common elusive replies. DSARs have often been used by the non-profit Tracking Exposed (tracking.exposed/), who foster digital rights and algorithm accountability. Also of great support is the presenters' Guardoni tool, which allows users to double-check if the information received matches that provided by digital platforms.
The Job Seeker of Information Security - Beyond COVID-19
Tas
This workshop will focus on helping attendees hunt for their next job in the information security world, post COVID-19 and with the understanding of the current job market. You will dive deep into the stages of job hunting, hiring process, and hands-on learning on numerous tools that you can use to help your job hunt, including LinkedIn and Canva. The current cyber security market will be reviewed, along with the skills used on each common position. Tas has already been through this process during COVID-19 and he would like to share the knowledge gained along the way. All the presentation materials and tools will be free and available for participants before their session. Hopefully after this, the attendees' next gig will be right around the corner!
Kubernetes Security: Learn by Hacking
Andrew Martin
Learn how to attack, exploit, and hack Kubernetes clusters and application workloads. In this workshop, attendees are set loose on a series of vulnerable clusters in a competitive and collaborative capture the flag. Full methods, solutions, and vulnerabilities are revealed, along with actionable mitigation steps to enhance a cluster's security and lock down common misconfigurations. It is an entertaining and frenetic experience designed to develop the kind of expertise only realized in production environments. Emphasis is placed on collaboration and communication, which are key to unlocking some of the advanced flags. Previous experience with Kubernetes is required.
Learn to Solder With BiaSciLab and Girls Who Hack!
BiaSciLab
In this workshop, you will learn the basics of soldering by assembling the Girls Who Hack soldering kit! This class is aimed at kids (younger ones will need adult supervision), but adults are welcome as long as they make room for the kids. Kits are available for $10.
LED Strips Everywhere for Everyone!
Mitch Altman
Learn how to light up LED strips with a cheap Arduino, and make your life trippy and beautiful! For total beginners - no knowledge needed at all. LED strips have become really cheap. Lots of people have created inexpensive methods of controlling their color and brightness. This workshop shows one way to control LED strips, to make them do what you want. This workshop will use a very cheap Arduino clone. Mitch will show you everything you need to know to use existing programs - as-is or to hack on - to control the colors in your world with LED strips.
Mindfulness - The Link Between Stress and Virtual Perception
Obi O'Brien
The connection between stress and perception will be explored in this workshop, sharing "practice formulas" on how to meet discomforts that we may encounter in an increasingly virtual environment. Participants will also engage in two short meditation practices with a focus on sound and the body. The goal is to give participants the tools to develop or enhance a meditation practice of their own, as well as sharing the science and research behind the stress phenomenon we experience.
Models for Community Curation
Aziz Isham
How can we build local networks that curate, support, and incubate arts and creativity? What funding models exist to help us do so? What are the technical tools that we can utilize to make more community arts networks possible? What innovations can allow such networks to form and flourish? In this workshop, you will learn new ways to organize around community curation, from the traditional (grants and donations, fiscal sponsorship) to the experimental (NFTs and collective actions). Artists, creatives, writers, nonprofits, academics, and arts organizations should bring ideas for practical and/or radical ways to support, organize, fund, and fundraise.
Negotiating the Interview
Tom Kranz
Tom has over 30 years' experience in cyber security, starting with breaking into Prestel with a BBC Micro in the U.K. in the early 80s - he's now a CISO and author of Making Sense of Cyber Security (Manning) and "Data Driven Cyber Security" (NVIDIA). Tom has built high performance cyber security teams for global companies, consultancies, and government departments, as well as advised executives and company leadership on how to change their hiring process to attract the best and retain the best security talent.
This interactive workshop will help you turn job interviews from nerve-wracking gauntlets to casual conversations that land you the job - or help you avoid the jobs you don't want. Whether you are trying to get your first cyber security job, or are looking to progress your career, this workshop will help you, by working through:
How to spot and fix common mistakes on CVs/resumes.
How to showcase your skills and experience.
Common interview techniques, questions, and how to respond.
How to negotiate salaries and compensation.
Employer red flags: weeding out the bad gigs.
This will be a practical workshop, so expect lots of participation and engagement: please bring something to write with, a printed copy of your CV, and lots of questions!
Plausible Deniability and Cryptocurrency Privacy
Lane Rettig
Michelle Lai
Arctic Byte
Hackers around the world use cryptocurrencies like Bitcoin and ether every day under the mistaken assumption that these networks are somehow privacy-preserving (often conflating pseudonymity for privacy). This couldn't be further from the truth, as it is in fact often easier to trace crypto transactions than fiat transactions. Even so-called private networks like Zcash and Monero aren't failsafe from a privacy perspective. However, with a few tricks and tools, it is possible to preserve privacy on cryptographic networks in a robust way. This workshop will present a brief history of privacy successes and failures in cryptocurrency and blockchain with important case studies. It will also demonstrate tracing and de-anonymization of actual transactions in real time, and will present tools and techniques for guaranteeing strong privacy.
The Polyjuice Potion: A Workshop on Netflow Correlation Avoidance
William Jones
This workshop covers modern netflow correlation and web traffic fingerprinting attacks and countermeasures in practice, with a focus on Tor, i2p, nym, and other publicly accessible anonymity tools. Most of the academic literature focuses on how to perform these types of attacks only in theory. In practice they are difficult to set up and require extensive collaboration between backbone-positioned adversaries. One would hope that these adversaries are careful, accountable, well-resourced, and not beholden to the interests of private corporations. William will first describe the state of the art for these attacks, including netflow correlation, web traffic fingerprinting, active traffic disruption, and throttling. He'll then detail an end-to-end pipeline for legally spinning up a C2 server with full non-attribution, enabled using publicly available infrastructure.
Programming in Zero Knowledge
Ying Tong
Zero-knowledge proofs are primitives for proving the integrity of arbitrary computation over confidential information. They are used in applications like private digital cash and anonymous voting. In this workshop, you will learn the theory behind zero-knowledge proving systems, and try your hand at writing a few circuits. The session will also brainstorm ideas for more private applications that can be built.
Remote Hardware Development, Hacking, Reverse-Engineering, and Education for the Next Pandemic
Tarek Omar
In this workshop you will learn about the available tools and methods that will help you access, hack, reverse-engineer, or teach embedded systems using physical hardware in a remote location. Tarek will share with you what he successfully used before and during the pandemic to help the Cairo Hackerspace community have seamless remote access to unaffordable (to them) educational embedded systems devices. He will show you how remote hardware tools helped him teach Arduino, robotics, and software defined radio more efficiently to his online students. And lastly, Tarek will present some professional use cases from his personal experience and how it helped him supply a museum and an escape room in New York City with quick remote technical support for most of their hardware related problems that previously required an engineer to be present in person. He will be using a Linux laptop and Raspberry Pi running Ubuntu.
Think Like a Hacker: Lateral Thinking and Social Engineering for Complete Newbies
Gus Andrews
HOPE often attracts attendees who may be new to the hacking space - people who learned of the conference through the Off The Hook radio show, youth who are keen to get into this space, artists, journalists, activists, and others who see their work increasingly overlapping with hacking. There's a lot newcomers may have missed about hacking techniques over the years! This workshop is for those newcomers, to bring them up to speed about some very fundamental habits of thought in the hacking community. In this session, Gus will get attendees engaged in hands-on exercises developed in the engineering and hacking communities for finding vulnerabilities. To demonstrate counterintuitive strategies beyond code, this will be followed up with examples of past hacking, including social engineering and voting machine testing. Wrap-up discussion explores how these activities change what we think, feel, and see, and what we can do with the systems around us.
Threat Hunting With Splunk
Sam Bowne
Splunk is "Google for log data" and it is the leader in network security monitoring. Learn how to find attackers, identify malware, and attribute attackers to real-world APT groups. You will use cloud servers running the free version of Splunk, with open-source network data from Splunk's "Boss of the SOC" contest. This workshop is structured as a CTF, so each participant can proceed at their own pace. The techniques will be briefly demonstrated, and tips will be provided along with help as needed to make sure everyone is able to solve at least some of the challenges. Participants only need a computer with a web browser.
Travel Hacking Workshop With TProphet
TProphet
Do you have airline miles, bank points, or hotel points? Have a trip you've always wanted to take? In this workshop, you can learn how to (legally!) fly for (almost) free. Use the points you've earned to take the trip of your dreams for far less than you may expect. Learn how to enjoy luxury travel and even fly "up front" with the rich and famous for as little as $5.60 out of pocket. There's a catch, though: airlines only give away the seats they don't think they'll sell, so you'll need to think like a hacker. Can you be flexible with dates, airlines, and destinations? Are you willing to consider visiting countries off the beaten path? Come prepared to book right away - great deals don't last!
Violent Python 3
Sam Bowne
Elizabeth Biddlecome
Kaitlyn Handelman
Irvin Lemus
Even if you have never programmed before, you can quickly and easily learn how to make custom hacking tools in Python. The presenters build tools that perform port scanning, brute-force attacks, crack password hashes, and XOR encryption. Python is among the top three programming languages in the world, for good reason: it's the easiest language to use for general purposes. This workshop is structured as a CTF, so each participant can proceed at their own pace. The techniques will be briefly demonstrated, and they will provide tips and help as needed to make sure everyone is able to solve at least some of the challenges. Participants need only a computer and a web browser.
Windows Internals
Sam Bowne
Explore the structure of Windows executable files and the operating system itself to better understand programs, services, malware, and defenses. Projects include: cheating at games, building malicious DLL libraries, stealing passwords from the API, building a keylogger, and debugging a driver. Tools used include pestudio, API Monitor, Visual Studio, OllyDbg, IDA Pro, Ghidra, and WinDbg. This workshop is structured as a CTF, so each participant can proceed at their own pace. The techniques will be briefly demonstrated, and tips will be provided along with help as needed to make sure everyone is able to solve at least some of the challenges. No previous experience with Windows internals is required.