Keynote Speakers

Trey Darley
Trey Darley has been a long-standing member of the BruCON and FIRST communities, and has served in a variety of volunteer roles, including a term on the FIRST board of directors, during which he co-founded the FIRST standards committee. Trey is well known for his work on open cybersecurity standards like STIX/TAXII and others. He's also been aligned with the Langsec faction for many years. Trey's patron saints are Grace Hopper, Evi Nemeth, and Paul Erdős.

Jen Ellis
Jen Ellis is working to reduce cyber risk for society. She partners with security experts, technology providers and operators, civil society, and governments to create greater understanding of cybersecurity challenges and strategies. Jen promotes better collaboration among these communities, more effective cybersecurity advocacy, and broader adoption of security best practices. Jen previously worked for the cybersecurity firm Rapid7 for 11 years, building the company’s security research, advocacy, and community engagement functions, before founding her own company, NextJenSecurity. Jen serves on the UK Government Cyber Advisory Board and various UK government working groups. She is an associate fellow of the Royal United Services Institute (RUSI), co-chair of the Ransomware Task Force, co-host of the Distilling Cyber Policy podcast, and sits on various nonprofit boards and advisory boards. She has testified before the U.S. Congress and spoken at numerous security and business conferences.

Talks

Diogo Sousa
Open source software continues to steadily expand, with thousands of projects being added each day. Each new addition represents a variation in language, scope, purpose, and quality, adding to the millions of projects already in place across many different ecosystems.
However, this growth is not matched by a corresponding increase in new maintainers joining the fray. Where there is new life, there is also decay. This leads to challenges in project sustainability and opens the door to potential issues in long- and short-term vulnerability management. With nearly every organization using open source in one way or another, vulnerabilities are like a big iceberg. Sometimes they’re being dragged in your direction by oceanic currents or lying in wait for your product, like a cruise liner, to collide with them head-on.
In this talk, I’ll discuss the status quo of vulnerability management for open source projects: how it is done, how it could be done better, what’s working and what could be improved.
Once settled in, we’ll don our diving gear and head beneath the surface to gauge just how much of the iceberg is hiding.
Diogo Sousa is an Engineering Manager at Canonical, working in support of the Ubuntu Security Team’s mission of providing Canonical users with the most secure and reliable open source experience possible. His day-to-day focus is on Ubuntu Pro’s Expanded Security Maintenance offering, prioritizing workloads and coordinating fixes across main and universe packages for all Ubuntu LTS releases.
Outside professional endeavors, but still within arm’s reach, he co-leads the OWASP Lisboa chapter, delivers talks at cybersecurity events, participates in alumni events with current students, mentors people undergoing career upskilling, and writes some content here and there.
In his (truly) free time, you can find him cooking (still can’t do baking), expanding his movie collection, teaching math, and playing board games.

Davide Cioccia
The rapid adoption of large language models (LLMs) and the widespread use of open platforms like Hugging Face have introduced new security challenges, particularly in model integrity and supply chain vulnerabilities. This talk explores the feasibility and methodology of backdooring LLMs distributed via Hugging Face (or other channels), highlighting how subtle code or model manipulations can lead to hidden malicious behavior. Through practical demonstrations, we uncover how backdoors can be implanted at inference or load time, often without detection. During the presentation I will share two CVEs on this topic.
Davide is the founder of DCODX, a security research lab and pentesting firm based in the Netherlands, and CPO at SecDim, where he and his team are revolutionizing secure code learning.
He is a returning speaker and trainer at major conferences like BlackHat and DEF CON.

Enisa Hoxhaxhiku and Dredhza Braina
Account Takeover (ATO) attacks are a growing threat to cloud environments, where attackers target a combination of misconfigured applications, weak authentication, and overlooked detection mechanisms. One of the most subtle yet effective methods for gaining unauthorized access is password spraying, an attack that avoids traditional brute-force detection by using commonly leaked passwords across a broad set of usernames.
In this talk, we will break down the anatomy of a cloud-based ATO attack, starting with the strategic targeting of popular applications such as Microsoft 365, Okta, and other SaaS platforms. We’ll explore how attackers leverage password spraying techniques to silently bypass defenses and gain initial access to accounts. As we walk through a real-world attack chain, we will highlight the critical role that suspicious user-agent behavior plays in detecting these attacks, and how this often overlooked indicator can serve as the key to uncovering the attacker’s presence before further compromise occurs.
Through practical examples and detection tips, we will show how cloud security teams can gain insights into detection strategies, hunting queries, and actionable defenses tailored for cloud-based identities and applications. This session will provide actionable insights for anyone responsible for securing cloud infrastructure, helping them stay ahead of evolving attacker techniques and ensuring their environments are resilient to ATO attacks.
Enisa Hoxhaxhiku is a Threat Researcher at Permiso Security’s P0 Labs. With a Bachelor’s degree in Computer Science and currently undergoing advanced training at Cyber Academy, Enisa possesses a strong foundation in both defensive and offensive cybersecurity.
Before joining Permiso, Enisa gained valuable experience in a corporate environment. This role involved identifying ongoing threats and weaknesses in networks, mitigating email-related security risks, and monitoring and analyzing security events to detect and respond to potential threats. Enisa also conducted security assessments and penetration testing on applications and network infrastructure.
These experiences provided Enisa with a practical and hands-on approach to cybersecurity, utilizing the latest techniques and tools for threat detection, incident response, and risk management.
Dredhza Braina is a Threat Researcher on Permiso Security’s P0 Labs team. She has prior experience as a software developer and Kubernetes security engineer, and now works as a threat hunter and cloud threat researcher.
Dredhza is an active member of the security community in her hometown of Prishtina, Kosovo, where she has achieved 4th place in an international CDC (Cyber Defense Competition) event, attended local security conferences like BSides Prishtina and KosICT, and even led a YARA workshop at a Women4Cyber event. From YAML files to YARA rules, she is passionate about the security field, with a particular focus on threat research, threat hunting and detection development.
Miss Braina holds a Bachelor of Science in Computer Engineering from the University of Prishtina Faculty of Electrical and Computer Engineering.

Vincent Ruijter
Security teams often struggle with alert fatigue, analyst skill gaps, and the complexity of SIEM query languages like Lucene or SQL. As a result, incident response slows and results are inconsistent due to varying analyst expertise.
This talk presents a practical approach to bridging the gap using an AI-powered security operations assistant. The agent translates natural language into precise SIEM queries and safely integrates with detection and response workflows. Built in Go with Anthropic’s Claude, I demonstrate how large language models can be used to operate in security workflows with strong guardrails.
Attendees will learn how to build an agent that:
- Converts natural language requests (e.g., “investigate failed logins for these IPs in GCP”, “for alert X, did this user log in using MFA from a trusted device?”) into valid queries
- Correlates data from sources such as Okta, GCP Audit Logs, Cloudflare, and Google Workspace and writes technical reports for findings
- Safely manages alerts with human-in-the-loop guardrails
The session includes technical architecture, real-world use cases from IR and threat hunting, and code examples to kick-start your own AI-augmented SOC tools. Attendees will walk away with implementation strategies and lessons learned from using AI agents in live security environments.
Security @ Sourcegraph & AmpCode
Attempted follower of my own thoughts. Addicted to coffee and code.

Andrey Lukashenkov
Traditional AI approaches to vulnerability analysis rely on single-model interactions that lack specialized domain expertise and structured intelligence integration. This talk demonstrates the evolution from simple ChatGPT prompts to sophisticated multi-agent systems capable of collaborative cybersecurity analysis.
We’ll explore building an agentic CVE analysis system using CrewAI, showcasing how multiple specialized AI agents can work together to provide comprehensive vulnerability intelligence. The presentation covers practical implementation of agent roles, task orchestration, and tool integration with vulnerability databases like Vulners MCP.
Key focus areas include prompt engineering strategies for agent collaboration, handling context limitations through specialized tools, and designing flexible yet specific agent configurations. Attendees will see live demonstrations comparing traditional single-prompt analysis against multi-agent approaches, highlighting improved accuracy and actionable intelligence.
The session concludes with lessons learned from building production-ready agentic systems, emphasizing the critical balance between agent specificity and flexibility. This is not about CVE overload—it’s about understanding scalable patterns for complex cybersecurity workflows that extend beyond vulnerability management.
Andrey Lukashenkov handles all things revenue, product, and marketing at Vulners - a bootstrapped, profitable company committed to providing an all-in-one vulnerability intelligence platform to the cybersecurity community.
Being naturally curious and having a technical background, he leverages unlimited access to the Vulners database to explore various topics related to vulnerability management, prioritization, exploitation, and scoring.

Luis Grangeia
This talk introduces Certificate Transparency (CT) log lists, with a focus on their security implications. I will focus on the security aspects of all certificates having to be published on a public log and how everyone can query that log to obtain information that can give an edge to an attacker.
Certificate transparency logs are not new, and are a widely used tool for attackers performing infrastructure reconnaissance. However, some defenders are still unaware that these logs can reveal various pieces of information on their infrastructure, including their internal networks. I will also touch upon some strategies that defenders can use to minimize the information disclosed by this mechanism.
Additionally, I will show how anyone can essentially download and monitor any CT log, since they are publicly accessible by requirement and by design, even as CT logs become exponentially larger over time as certificate lifetimes become shorter. This allows for large-scale data processing and discovering interesting curiosities and artifacts on the Internet as a whole, including relationships between companies, product and service usage, etc.
Luis Grangeia is an information security specialist with over 20 years of professional experience. He has participated in multiple security audits and penetration testing projects in most industry sectors, including critical infrastructure.
Luis has a security research background, having published and presented research on topics such as Linux kernel-level malware techniques, DNS Cache Snooping, advanced exploitation and reversing of IoT devices, radio frequency security and others.
He is currently a Security Researcher at BitSight, focusing on collecting and studying security data at scale.

Diogo Lemos and Fábio Pinto
This session will give attendees a behind-the-scenes look at what it takes to build a custom Software Composition Analysis (SCA) tool, and why you might want to. They’ll walk away with a clear understanding of the trade-offs between building and buying, and how an in-house tool can offer deeper integration, greater flexibility, and more precise control over dependency risks. Attendees will learn how to design an SCA system that fits their organization’s specific needs, from tracking vulnerabilities to scoring projects and automating updates. The talk will also highlight key challenges to expect and how to overcome them, based on real lessons learned. Finally, participants will leave with a preview of an open-source SCA solution they can explore and adopt themselves.
Diogo Lemos: I’m an Application Security Engineer with extensive experience in developing and managing security solutions. My professional journey began at Checkmarx, where I built security products, and later continued at Flutter Entertainment. At Flutter, I not only implemented these products but also had the freedom to develop and tailor them to meet specific organizational needs. I’ve recently moved to OLX, where I continue to expand my expertise.
My main focus areas include automating security processes, optimizing scanning programs, and driving cloud security initiatives. Beyond my day-to-day work, I contribute to open-source security projects and frequently speak at industry conferences. I’ve delivered talks on SAST, SCA and Secrets Scanning solutions at Flutter, BSides, BalCCon, Oposec, and other venues.
Fábio Pinto: As an Information Security Engineer at Flutter UK&I, my role is all about protecting our systems and applications from the ever-evolving landscape of security threats. With a Bachelor’s degree in Computer and Network Security, I’ve spent my career in the betting and gambling industry, where we safeguard complex, high-traffic platforms against increasingly sophisticated attacks.
At Flutter, I specialize in identifying and mitigating security risks across both applications and systems. Using tools like SAST, DAST, and SCA, we integrate security into every phase of the Software Development Lifecycle, ensuring it’s a core part of the process from the very beginning.
A key part of my work involves making security scalable and efficient. This means automating security controls and processes to enhance resilience without compromising delivery speed. We also utilize solutions like Cloudflare to strengthen the security of our web applications, helping to build a more resilient overall security posture.
Cybersecurity is a constantly evolving field, and that’s what drives my passion. I’m always learning—whether it’s mastering new tools, understanding emerging threat models, or exploring cutting-edge techniques—and I thrive on applying this knowledge to real-world challenges, keeping our defenses one step ahead of potential threats.

Trey Darley and Pedro Umbelino
On 19 January 2038 at 03:14:07 UTC, implementations relying on 32-bit signed integer representations of Unix epoch time will overflow, resulting in a system time of 20:45:52 UTC on 13 December 1901. (Because Unix epoch time is a concept more ubiquitous than Unix itself, this bug impacts a wide array of platforms.)
For most impacted systems, the result will be some chaotic breakdown of running state machine logic in which the flow of time logically reverses itself.
There are today orders of magnitude more systems needing to be checked and fixed than there were in the years leading up to Y2K. In order to address the Y2K38 bug we are going to have to pull a lot of fielded equipment out of the ground, test it in a lab, and put remediations in place, all across the globe, and during the next 13 years. Let that sink in for a bit.
Using controlled experiments across multiple environments (including IoT devices, ICS/OT, and embedded systems) we document unexpected vulnerabilities and behaviors.
These findings reveal critical risks that our society cannot afford to ignore, especially given that for a resourceful attacker, 2038 can be any old day they like.
This presentation is intended for developers, security professionals, and incident responders seeking to understand more about this issue. We will present the technical realities in plain language, hopefully so that any high school kid could understand them; policymakers are therefore encouraged to join, because this issue will impact us all soon!
Trey Darley has contributed to the cybersecurity community through his work on open standards including STIX and TAXII, which help organizations share threat intelligence. During his term on the FIRST Board of Directors, he co-founded the Standards Committee to improve incident response coordination across standards development organizations.
A supporter of the Langsec movement, Trey advocates for semantic clarity and security-aware protocol design. His approach to security is influenced by Grace Hopper’s elegance in code, Evi Nemeth’s dedication to teaching, and Paul Erdős’s collaborative spirit.
He is currently focused on infrastructure resilience and the challenges of long-term system continuity, particularly around the 2036-2038 timestamp convergence issues.
There once was a hacker named Trey
Who said “timestamps will fail one day”
He wrote STIX and TAXII
Made standards quite classy
And warns that our clocks will betray.
Pedro Umbelino currently holds the position of Principal Research Scientist at Bitsight Technologies and brings over a decade of experience in dedicated security research. His eclectic curiosity has led to the uncovering of vulnerabilities spanning a gamut of technologies, highlighting critical issues in multiple devices and software, ranging from your everyday smartphone to household smart vacuums, from the intricacies of HTTP servers to the nuances of NFC radio frequencies, from vehicle GPS trackers to protocol-level denial of service attacks. Pedro is committed to advancing cybersecurity knowledge and has shared his findings at prominent conferences, including BSides Lisbon, DEF CON, Hack.lu and RSA.

Vitor Ventura
The ever-growing mercenary spyware targeting iOS devices poses a formidable challenge to cybersecurity, threatening user privacy and data integrity. These advanced malicious implants are crafted to exploit system vulnerabilities, often leveraging iOS entitlements to deepen their infiltration and maintain persistence. This paper delves into the anatomy of mercenary spyware on iOS, emphasising the pieces of information that can be used to triage and hunt the implants.
Understanding the operational blueprint of mercenary spyware involves analysing its use of iOS entitlements, which define permissions and capabilities for apps, and Team IDs, which associate apps with a developer account. The attack vectors used to deploy the spyware often abuse vulnerabilities which allow the assignment of entitlements to the spyware itself. Once the spyware has the necessary privileges, it becomes a regular part of the system and has a more stable environment in which to perform its activities. Identifying anomalies in entitlement usage and unauthorized Team ID associations can serve as early indicators of compromise (IOCs).
By scrutinising entitlement requests and validating Team IDs against known developer profiles, security professionals can gather useful clues about the disposition of unknown iOS binaries.
Vitor Ventura is a Cisco Talos senior security researcher and Talos EMEA Outreach team manager. Over the last two years Vitor dedicated most of his time to researching approaches for applying Large Language Models to the cybersecurity domain. For his MSc dissertation Vitor researched and implemented a Retrieval-Augmented Generation system to perform analysis on cybersecurity open source reports. Previously within the cybersecurity domain Vitor focused on the investigation of Private Sector Offensive Actors, which led to several conference talks and publications on the Cisco Talos blog. Before that, Vitor investigated and published various articles on emerging threats and on biometric authentication, both in face recognition and fingerprinting. At LabsCon and PivotCon Vitor delivered workshops on RAG usage for document processing and analysis. Vitor has presented at leading cyber security intelligence conferences like LabsCon, PivotCon, VirusBulletin and CARO, as well as at other cybersecurity-related conferences like NorthSec, Recon, Recon Brussels, DEF CON’s Recon Village and Crypto and Privacy Village, and BSides Lisbon and Dublin, among others. Prior to that he was IBM X-Force IRIS European manager, where he was the lead responder for several high-profile organizations affected by the WannaCry and NotPetya incidents. Before that he did penetration testing at IBM X-Force Red, where Vitor led flagship projects like Connected Car assessments, ICS security assessments and custom mobile devices, among other IoT security projects. Vitor holds an MSc in Computer Science, a BSc in Computer Science and multiple security-related certifications like GREM (GIAC Reverse Engineering Malware) and CISM (Certified Information Security Manager).

Dorota Kozlowska
- Introduction
  - Welcome & Objectives of the Presentation
  - Definition of Elicitation in Social Engineering
  - Importance in Covert Access Operations
  - Real-World Examples of Elicitation Success
- Fundamentals of Elicitation
  - Psychological Principles Behind Elicitation: Reciprocity; Authority & Credibility; Social Proof; Curiosity & Information Gaps
  - The Role of Human Biases in Information Disclosure
- Methods & Techniques
  - Pretexting & Personas: Crafting a Believable Identity
  - Conversational Triggers: How to Steer Dialogue for Maximum Information Yield
  - Framing & Leading Questions: Extracting Data Without Direct Inquiry
  - Exploiting Ego, Pride, or Sympathy
  - Mirroring & Active Listening for Building Trust
  - Subtle Challenges & False Information Testing
- Practical Applications in Covert Access Assignments
  - Reconnaissance & Intelligence Gathering: Mapping the Target
  - Infiltrating Restricted Areas: Leveraging Insider Conversations
  - Engineering Unwitting Cooperation: Influencing Employees & Gatekeepers
  - Digital & Physical Elicitation Techniques: Online Pretexting vs. Face-to-Face Interactions
- Case Studies & Real-World Scenarios
  - Historic & Modern Examples of Social Engineering Exploits
  - Lessons from Espionage & Corporate Security Breaches
- Countermeasures & Defensive Strategies
  - Recognizing Elicitation Attempts in Various Contexts
  - Active Defense: How to Respond Without Raising Suspicion
  - Red Teaming: Using Elicitation to Test Security Resilience
- Ethical Considerations & Legal Boundaries
  - Ethical Use vs. Malicious Intent
  - Laws & Regulations Governing Social Engineering Practices
- Conclusion & Q&A
  - Recap of Key Takeaways, Final Thoughts
  - Open Floor for Questions
Certified in Covert Access, Physical Auditing, and Elicitation, with proven expertise in physical penetration testing and security audits. I enjoy blending my technical penetration testing skills, hands-on physical security experience, and evolving Red Teaming capabilities.
Beyond my technical expertise, I host a Twitch podcast, “Ethical Hacking, Guests, and Wholesomeness”, and am an international keynote speaker on Offensive Security related topics. My articles were published in HVCK and Top Cyber News Magazine (TCNM). I am a contributor to upcoming cybersecurity books:
- Preface contributor: Introduction to Red Operations 2.0 – A Basic Guide for Your Red Team Operations by Joas A. Santos.
- Technical reviewer: Hacking Mainframes: Dispelling the Myth of the Impenetrable Fortress by Kevin Milne.
My contributions to cybersecurity have been recognized with the Cyber Woman Hope Award by CEFCYS and featured on the “40 Under 40 in Cybersecurity 2023” list by TCNM.
I have been selected to present at events such as:
- WWHF @ Mile High 2025
- Disobey 2025
- FIC EUROPE 2023 & 2024

André Tavares
In late 2024, Russian antivirus vendor Dr.Web uncovered a massive botnet targeting Android TV set-top boxes, which they called Vo1d. The malware was found on roughly 1.3 million devices worldwide and acted as a hidden backdoor, allowing attackers to silently download and install apps or updates in the background, often pre-installed on off-brand devices!
By early 2025, follow-up research by XLab revealed the botnet had grown to about 1.6 million infected devices, and uncovered some of its techniques and capabilities, like the domain generation algorithm, the potential anonymous proxy services, ad fraud, and DDoS attacks.
This talk follows our team’s investigation into Vo1d’s botnets, picking up from XLab’s findings and breaking the botnet apart. In this presentation, we will share the technical journey alongside the investigative mindset that drove it: curiosity, persistence, and the ability to connect malware analysis, DNS intelligence, sinkhole telemetry, and shared research into a single coherent picture of the threat. We show how DNS intelligence can complement malware analysis, how collaboration between researchers can break investigative deadlocks, and how storytelling helps make complex security research accessible.
“Into the Vo1d” is both a deep dive into a resilient IoT botnet and a broader lesson in threat hunting.
As a Senior Threat Researcher on the Threat Research team at BitSight since 2018, André has been specializing in tracking malware botnets, employing a combination of open-source intelligence gathering, malware analysis, and reverse engineering techniques to shed light on threat actors’ tactics, techniques, and procedures.
Committed to sharing knowledge, he has been contributing to the infosec community through informative blog posts, providing key insights, indicators of compromise, and detection signatures to support the defense and threat hunting efforts of fellow professionals.
Blog: https://tavares.re/

Marina Bochenkova
We know the world runs on legacy. We know it’s not supposed to. But when vendors or LinkedInfluencers command us to phase out old systems and protocols, it sometimes seems like their expectation-versus-reality connection is faulty.
This talk will walk you through the ~adventure~ of disabling a recently-deprecated Microsoft authentication protocol with numerous security problems: NTLM. Microsoft introduced NT LAN Manager in 1993 as a replacement for LANMAN, born in 1987. Just seven years later, they announced Kerberos as the default replacement for NTLM and instructed companies to stop using it. No one did. Then, in June 2024, Microsoft announced the deprecation of the entire NTLM authentication protocol family, and even removed older versions from newer OS versions.
Drawing on the completion of this project in the IT environment of a mid-sized enterprise, this presentation will discuss resources and lessons learned that could help get the job done elsewhere. It will also illustrate to those outside the field why IT and security are critical business functions, not cost centers.
For decision-makers, this is an opportunity to better understand the struggles of on-the-ground IT and security teams trying to bring outdated systems in line with industry standards. For IT and information security peers, this presentation will share valuable resources and “lessons learned” for successfully phasing out NTLM (and similar thorns-in-sides) within their own organizations.
Marina Bochenkova wears many hats as a cybersecurity analyst focusing on digital forensics, incident response, and OT security, while also dabbling in security awareness and culture. She combines a passion for protecting people, a strong belief in digital privacy as a human right, and an overly-enthusiastic approach to problem-solving. When not defending digital spaces, Marina actively nurtures her already-unhealthy obsession with cats and resorts to baking or martial arts when desperate.

Dave Lewis
The rapid advancement of agentic artificial intelligence (AI), characterized by autonomous decision-making, persistent memory, and dynamic integration with external systems, has significantly enhanced cybersecurity capabilities, from automated threat detection to intelligent incident response. However, this powerful technology introduces new governance challenges and ethical dilemmas. As AI agents operate with minimal human oversight, critical questions arise regarding accountability, transparency, bias, and control.
This talk explores the intersection of cybersecurity, AI governance, and ethics, drawing from real-world implementations across various industries, including financial services, healthcare, and critical infrastructure. We present frameworks and methodologies for responsibly deploying agentic AI, ensuring transparent decision-making processes, robust accountability measures, and effective human-AI collaboration. Special emphasis is placed on the SPAR framework (Sensing, Planning, Acting, Reflecting) to assess AI agents’ autonomy levels and ethical implications.
Dave has 30+ years of industry experience, including extensive experience in IT security operations and management. Dave is the Global Advisory CISO for 1Password.
He is the founder of the security site Liquidmatrix Security Digest & podcast. Dave also hosts the Chasing Entropy Podcast. He was a member of the board of directors for BSides Las Vegas for 8 years. He currently serves on the advisory boards of Byos.io and Knostic.ai. Dave has previously worked in critical infrastructure for 9 years as well as for companies such as Duo Security, Akamai, Cisco, AMD and IBM. Previously he served on the board of directors for (ISC)2 as well as being a founder of the BSides Toronto conference.
Dave was a DEF CON speaker operations goon for 13 years. Lewis also serves on the advisory boards for the Black Hat Sector Security Conference in Canada, and the CFP review board for 44CON in the UK. Dave has previously written columns for Forbes, CSO Online, Huffington Post, The Daily Swig and others.
For fun he is a curator of small mammals (his kids), plays bass guitar, grills, and is part owner of a whisky distillery and a soccer team.

Kat Fitzgerald
What’s more suspicious than someone carrying a laptop around DEF CON? Someone not carrying one.
My entire setup — a Raspberry Pi running a custom-built OpenWRT with Docker (following the official OpenWRT Docker host guide) — fit neatly into my purse. I call it my PursePot: an inconspicuous, mobile, fully weaponized bag that no one gives a second glance.
Inside, Docker containers powered both my OpenCanary honeypot and a suite of Wi-Fi deauth tools, letting me simultaneously broadcast irresistible Evil Twin networks (“Xfinity,” “Target Guest WiFi,” “attwifi,” and “Home Depot”) and occasionally encourage connections by randomly de-authing people on the DEF CON open net.
Over a single day of roaming DEF CON’s villages (especially the CTF-heavy ones), my PursePot collected:
- 78 hits from the P2PInfect worm (gold medal winner in persistence)
- 68 attempts from Mirai variants
- 37 XMRig cryptominer drops
- Plus Outlaw/ShellBot, Gafgyt, Prometei, and Xorddos trying their luck
Between the data chaos and my tragic /tmp mistake (RIP wireless scan logs), this talk is part technical debrief, part mischief memoir. We’ll cover:
- Building a custom OpenWRT to run Docker on a Pi
- Running honeypots and deauth tools side-by-side without tipping off targets
- Making Evil Twins irresistible (even to people who should know better)
- What top opportunistic malware looks like in a high-target environment
- Why mobile honeypots thrive in RF-rich chaos
- Lessons learned, including how not to log to volatile memory
Key Takeaways:
- How to build a portable Evil Twin + honeypot rig (aka the PursePot) using a Raspberry Pi, custom OpenWRT, and Docker.
- Methods for running multiple offensive/defensive tools in parallel without drawing attention in high-surveillance, high-skill environments.
- Practical tips for making Evil Twin networks attractive (even to experienced attendees) and encouraging connections.
- Firsthand data on what opportunistic malware looks like in the wild at a major hacker conference.
- Lessons learned about logging, persistence, and avoiding rookie mistakes (like writing critical data to /tmp).
- How to turn field data into future-proof security insights without doxxing your participants.
Chicago-based and proudly a natural creature of winter, I thrive on snow, OSS, and just the right amount of chaos. Whether sipping Grand Mayan Extra Añejo or warding off cyber threats with a mix of honeypots, magic spells, and a very opinionated flamingo named Sasha (the BSidesChicago.org mascot), I count honeypots and wifi-refrigerators among my favorite things—though my neighbors would likely disagree.