Track 1 Speakers


May 27, 9:10-10:00


BSides Vancouver Keynote Speaker


Micah Lee

Micah Lee is a security engineer, software developer, journalist, and author. He recently worked as Director of Information Security at the nonprofit newsroom The Intercept. He’s an advisor to the transparency collective Distributed Denial of Secrets, a Tor Project core contributor, and he used to work for the Electronic Frontier Foundation. He did opsec for journalists while Edward Snowden was leaking NSA documents to them.

He’s the author of Hacks, Leaks, and Revelations: The Art of Analyzing Hacked and Leaked Data, a hands-on book that teaches journalists, researchers, and activists how to download, research, analyze, and report on datasets. He also develops open source security tools like OnionShare and Dangerzone.


Website: https://micahflee.com/

Bluesky: https://bsky.app/profile/micahflee.com

Mastodon: https://infosec.exchange/@micahflee

May 27, 10:40-11:30

From Zero to ISO27k

“We prefer to avoid ISO 27001 accredited corporations,” said no current or future customer ever. ISO compliance can be a catalyst for new sales, improved customer relationships, and increased platform confidentiality, integrity, and availability. This talk by two seasoned security professionals will demonstrate how to use open source tools and techniques to build existing business practices into the ISO 27001 framework.

Josh Sokol

Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies, including AMD and BearingPoint, spent some time as a military contractor, and recently left a ten-year career as the Information Security Program Owner at National Instruments in order to pursue a full-time role as the Creator, CEO, and CISO of the free and open source risk management tool named SimpleRisk. Josh has spoken on dozens of security topics, including the much-hyped “HTTPS Can Byte Me” talk at Black Hat 2010, and served for four years on the OWASP Global Board of Directors.

Twitter/X @joshsokol

LinkedIn

May 27, 11:40-12:30

Top Tips for Python Security

In the realm of writing secure Python code, it's not only about functionality and performance; it's equally vital to shield your application and users from potential threats and vulnerabilities. Given Python's immense popularity, it becomes even more essential that we acquire the skills to build secure, dependable, and robust applications. Join me in this talk as we embark on a shared journey to master the art of secure Python coding. Together, let's empower ourselves to create a safer digital world.

Tanya Janca

Tanya Janca, also known as SheHacksPurple, is the best-selling author of ‘Alice and Bob Learn Application Security’. She is also the Head of Education and Community at Semgrep, sharing content and training that revolves around teaching everyone to create secure software. Tanya has been coding and working in IT for over twenty-five years, won countless awards, and has been everywhere from public service to tech giants, writing software, leading communities, founding companies and ‘securing all the things’. She is an award-winning public speaker, active blogger & podcaster and has delivered hundreds of talks on 6 continents. She values diversity, inclusion, and kindness, which shines through in her countless initiatives.

Advisor: Nord VPN, Cloud Defense

Faculty: IANS Research

Founder: We Hack Purple, OWASP DevSlop, #CyberMentoringMonday, WoSEC


LinkedIn

May 27, 1:30-2:20

The Sand Castle - The State of the macOS Sandbox Through the Lens of Office Macros

The macOS sandbox is a powerful tool for application security, and it hardens Office on macOS to the point where macros are not widely used as an entry vector. Or are they? In this talk we will dive into sandbox escape mechanisms on macOS, as well as present a few techniques for potential generic sandbox escapes.

Jonathan Bar Or

Jonathan Bar Or ("JBO") is the Microsoft Defender research architect for cross-platform and an all-around offensive security researcher.

Twitter/X

LinkedIn


May 27, 2:30-3:20

Behind the Dashboard: Tales of a Car Bug Bounty Hunter

Previously, we discovered a bug that could bypass the PIN2Drive feature for Tesla vehicles. We were rewarded by Tesla and entered the Tesla Hall of Fame. Additionally, we disclosed a creative bug named Rolling-Pwn, which affects Honda vehicles globally. Vehicle bug bounty hunting is the new trend. In this talk, I will provide advice on vehicle bug bounty hunting and present the successes and failures of our vehicle bug hunting stories over the past few years.

Kevin Chen

Kevin2600 is a security researcher who primarily focuses on vulnerability research in wireless and embedded systems. He has spoken at various conferences, including BSides, DEF CON, and CanSecWest.


Twitter/X @kevin2600

May 27, 3:30-4:20

Phishing Expedition: A Group-Based, Choose Your Own Adventure Style Phishing Game

20,000 Leagues Under Accounting, your syndicate has established a foothold. What happens next is up to you. Come play Phishing Expedition, a choose-your-own-adventure style phishing game, where participants take on the role of a fictional organized crime syndicate, attacking fictional organizations. Spend your collective cash wisely on the right infrastructure, payloads, and OSINT to gain access, compromise new hosts, and (hopefully) earn big profits from ill-gotten data.

A.J. Leece

A.J. Leece is the founder and Managing Director of Syntax Security Solutions, an innovative company built around harnessing the power of curiosity and fun to help make information security accessible and effective for everyone, regardless of their technology background. With more than 15 years in the infosec space as a front-line worker, teacher, mentor, consultant, and innovator, AJ has become an authority on building and gamifying effective competence training in an industry beset by threats from all sides. By employing gamification in programs, lectures, and tabletop exercises, AJ creates safe and fun ways for business teams to explore their vulnerabilities, learn new skills, and identify the ways that threat actors may try to impact their operations.

Website

LinkedIn

May 27, 4:30-5:20

Hacking Libraries (The Kind That Loan Books)

What's the one place that will let anyone walk in off the street and start using a computer? The library! But what if you want to do more than search the catalog for books?

This presentation will cover two types of hacking that you can do at the library. The first type involves how to gain control of an otherwise locked-down public PC. Libraries encourage everyone to learn; they probably just didn't intend for it to be so hands-on!

The second part of this presentation will cover how a widely used library web service was tested for vulnerabilities. This software was found to contain a large variety of vulnerability classes, and is a great example of what can be uncovered through a software security assessment. All of the findings were remotely exploitable 0day vulnerabilities, and this software was used by hundreds of libraries.

Wesley Wineberg

Wesley Wineberg is a full-time bug bounty hunter and has over 15 years' experience working in information security. Prior to being a professional bounty hunter, Wes worked at several companies, including being a member of the Azure Red Team at Microsoft. Wes has had various security roles, covering everything from web apps to hardware security, but primarily enjoys the offense side of security.