As I wrote recently, somehow I have found myself over in Europe at the cold end of the season, including in Oslo which as I understand it is both cold and dark in Jan. But the invite to do what I‘m doing was just too tempting to say no so let me outline it here for those who may be able to get along.
Hack Yourself First Workshop: Wed 20 and Thu 21 Jan
I’ve written about this workshop many times before in various places, the piece here before some of my most recent travel is a good overview. In short, it’s a couple of non-stop days of teaching software developers how vulnerabilities in web apps actually work. Not the “oh here are some nice slides” method of teaching, but actual hands on exploiting of things.
Here’s a great example of an outcome from the same workshop I just did in Vegas: Someone came to me the next day and explained that after the exercise on how you can observe mobile API calls, he found a massive hole in his company’s software. I can’t go into detail on exactly what it was (and I did later see it first hand too), but imagine an API that controls seriously big things that move around… and anyone could have easily taken control of said big things in literally minutes. It was scary stuff, but he caught it early.
Normally I do these workshops as private engagements for organisations and very occasionally do them publicly so it’s a great opportunity to get along regardless of where you work. You can register for this workshop right now and it’s open to anyone who can get themselves to Oslo.
Security Day 2016: Fri 22 Jan
If I’m going to go all the way to Oslo, I’m going to make the most of it! We’ve organised a separate security day after the aforementioned workshop and the organisers have pulled together some great local speakers. There’s Erland Oftedal who’s going to talk about how badly we’re screwing up crypto, Einar Otto Stangvik who did some amazing research recently around online predators and my very good friend Niall Merrigan who’s going to join me in presenting a talk.
As for me, I’m going to do an all new talk on What I’ve Learned from 220 Million Breached Records… except that it’s already about 240M records now (this is what’s in Have I been pwned?) and I have no idea how many it’ll be by the time I actually deliver the talk. 280M? I just don’t know, but it’ll be a really interesting insight of how these systems are breached and the way company data is then distributed, traded and abused.
I’m also going to do Web Security Essentials by Example which will cover a heap of really practical things around how we secure the web. Much of this comes from the misunderstandings I see when I go into organisations and talk to developers. It’ll also be driven by how attackers are compromising the systems I cover in the previous talk. It’s a real world look at security and I’ll deliver it in a way that people can actually take away and use in practice.
And finally, Niall and I are going to do a session called Both sides of the attack where we’ll be playing both victim and attacker roles to show how various exploits work. We’re already talking details about this and it’s going to be a heap of fun and with any luck, completely terrifying as well! I really like the idea of showing how these attacks work on both sides and I think this will be a highlight of the day.
There’ll also be a Q&A session using sli.do which will give the audience an opportunity to participate by lodging questions through their mobile devices. We spoke a lot about this in the planning and really wanted to give people the opportunity to get engaged and have the issues that are important to them addressed.
You can register for the security day right now and as with the workshop, it’s open to anyone who can got themselves to Oslo.