A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Subscribestar or Patreon

Search Irongeek.com:

Irongeek Button
Social-engineer-training Button

Help Irongeek.com pay for bandwidth and research equipment:



Old News and Change Log:

07/13/2019 OISF 2019 Videos
These are the videos from the OISF Anniversary Event

Dr. John Carls/Paul Hankins

UBoot to Root
Deral Heiland

A Discussion of Secrets
Robert Stewart

Continuous Skills Improvement For Everyone
Matt Scheurer

DLP Demystified
Micah Brown

Pixel Tracking: How it’s used and abused
Barry Kimball

06/22/2019 BSides Cleveland 2019 Videos
These are the videos from the Bsides Cleveland conference. Thanks to Rich, ninewires, justinschmitt &  as the video team. Thanks to twuntymcslore & RockieBrockway for being con mom & dad.

David Kennedy

Operationalizing the MITRE ATT&CK Framework
Robert Olson

Markets for Malware
Adam Hogan

The TIP of the Stinger: Efficiently Using Threat Intelligence With TheHive
Matthew Gracie

Calls to Arms: US Elections Hacking
Damian Huising

The Overlooked Cyber-Security Risk: 3rd Party Risk Management
Rose Songer

The Politics of Cyber
Ian Thornton-Trump

Unix: the Other White Meat
Adam Len Compton & David Boyd

Hack for Show, Report for Dough
Brian King

Early Detection through Deception
Jason Nester

Eval Villain: Simplifying DOM XSS and JS Reversing
Dennis Goodlett

(Most Audio Missing)

Securing the DOM from the Bottom Up
Mike Samuel

(Missing Most Audio)

Data Access Rights Exploits under New Privacy Laws
Amber Welch

Public Partnership Panel for Security Response
Jeremy Mio and Others

Automating Windows Kernel Analysis With Symbolic Execution
Spencer McIntyre

Incident response on macOS
Thomas Reed

Getting youth interested in infosec from a youth's perspective.
Tristan Messner

Joshua Corman
(Not Recorded)


ShowMeCon 2019 Videos
These are the videos ShowMeCon 2019. Thanks to Renee & Dave Chronister (@bagomojo) and others for having me out to record and speak. Also thanks to my video crew @r3tr0_cod3x, James, Aaron, Jon, @AlexTShell, @Mayer302, @MatthewRekos  and some other people I may have forgotten.


A Practical Approach to Purple Teaming
Matt Thelen

Some assembly required, instructions not included
Dave Chronister

The Dark Side of Physical Access Control Systems
Valerie Thomas

The Art of Cyberwar: A Foundation and Framework for the Development of TTPs
Kevin L. Johnson

Human Centered Design and You: Hack Your Life
Hudson Harris

The rising geopolitical cyber power
Kurt Aubuchon

Cracking the Code - Hacking the Human Mind
Scott Holman

Confessions of Really Bad SysAdmins
Andy Thompson

Sync Your Sh*t: Why it's time you paid attention to time
John Clark

How to screw up your Incident Response investigation in 10 steps or less
Vadon Willis

Control of Unclassified Information in Non-Federal IT Systems - Or What You Don't Know Can Cost You
Tim Grace

Why should your employees know how to phish
Mike Morris

Redesigning Password Authentication for the Modern Web
Cliff Smith

Penetration Testing: The Good, Bad, and the Ugly of Vendor Management, Reporting and Risk Management (or lack thereof)
Justin L. Bauman

Why your red team shouldn't be snowflakes
Isaiah Sarju

0Day to HeroDay: Bringing a company from scorched earth to a modern security organization
Ryan Wisniewski

The Great Explainer: Feynman and Standing on the Shoulders of Giants
Kevin Johnson

TLSv1.3: Minor Version, Major Changes
John Wagnon

I PWN thee, I PWN thee not!
Jayson Street



Circle City Con 2019 Videos
These are the Circle City Con videos. Thanks to the staff for inviting me down to record. Big thanks to @irishjack, @TheHomoHacker, @Paint27, @songsthatsaved, @nogoodrobot, @kitwessendorf, @cxstephens, @uncrustabl3  and others for helping set up AV and record.


Data Access Rights Exploits under New Privacy Laws
Amber Welch

How to reach and teach youth about Cybersecurity (if anybody will let you)
Jason Smith

More Tales from the Crypt...Analyst
Jeff Man

Could Static Code Analysis and Secure Coding have Saved the Death Star?
Mary Waddick

I’ll Complete My Threat Model Later Mom!: Infosec in Middle School.
Ashley Benitez Smith

Cons & Careers
Steven Bernstein

3D printing canister-launchable drones for city-scale wardriving
Glytch Tech

The Hunter Games: How to find the adversary with Event Query Language
Ross Wolf

Star Wars: How an ineffective Data Governance Program destroyed the Galactic Empire
Micah Brown

Security lessons from the Woofmutt…
Chris Roberts

What The Frida Gave Me: A Novel Take on E-Ticket Forging and E-Ticket Stealing
Priyank Nigam
(Not Recorded)

It's Coming From Inside the House: An Inside-Out Approach to NodeJS Application Security
Yolonda Smith

Get off my lawn… or are we looking for the right people?
Mike (Shecky) Kavka

Endpoint Security, Swimming Through the Snake Oil
Dan Beavin

Do You Have What It Takes? How to Support Your Career From Community Involvement
Kathleen Smith

Catching the Guerrilla: Powershell Counterinsurgency
Aaron Sawyer

SigInt for the Masses: Building and Using a Signals Intelligence Platform for Less than $150
Josh Conway

InfoSuck: The Nasty Bits Of The Industry We Want To Tell Noobs But Aren't Allowed To In Polite Company.
Danny Akacki

Standardizer: a standardization framework for your security alerts
Christian Burrows

Call Of Duty, Modernest Browser Warfare v2
Dhiraj Mishra
(Did not happen)

Information Security Practice Principles a Rosetta Stone for information security work
Susan Sons

What Can Data Science Do for Security?
Wendy Edwards

Deepfakes: If anything can be real then nothing is real
April Wright
(Not Recorded)

Evicting the Password from the Digital Estate
Alex Chalmers

A Theme of Fear: Hacking the Paradigm
Catherine Ullman

Beginning DFIR - How to get started with Cooties
Lisa Wallace

Of CORS it's Exploitable! What's Possible with Cross-Origin Resource Sharing?
Rebecca Deck

Nexus Zeta - How a newbie hacker managed to create a monster botnet
Adi Ikan

5G: Security Pitfalls and Considerations
Swapnil Deshmukh
(Did not happen)

Training and Education for the New Realities of Privacy and Security
Mitchell Parker

Container Security Deep Dive
Yashvier Kosaraju

Hacking Humans: Addressing Vulnerabilities in the Advancing Medical Device Landscape
Gabrielle Hempel

One Random Insecure Wep Application Please (ORIWAP)
Nancy Snoke

an Implantable Computer
Doug "c00p3r" Copeland

Modern AppSec Gotchas
Fletcher Heisler

A Few Things Right: Insights from Live and Simulated Incident Response
Chad Calease

The Resilient Reddit C2
Zach Zenner

Behind The Locked Door: we built an escape room for security awareness
Matthew Southworth Christian Bobadilla

F! Attribution
Xena Olsen Jared Peck

Inside Out Security - Building Castles not Warehouses
Alyssa Miller

Failure Is Not an Option: Developing Realistic Disaster Recovery Tests
Colin Campbell

Wibbly Wobbly: Designing Security for Systems that are Bigger on the Inside
Wolfgang Goerlich

Closing Ceremonies


05/19/2019 NolaCon 2019 Videos
Recorded at NolaCon 2019. Thanks to @CurtisLaraque, @mikearbrouet, @openbayou, @takanola, @therealmacjeezy, Jason, Cole & @klulue for the video recording help, and @nola_con, @erikburgess_, @NolaConYvonne & Rob for having me down to record.

One Random Insecure Wep Application Please (ORIWAP)
Nancy Snoke

Understanding XSS
Christina Mitchell

Social Engineering At Work - How to use positive influence to gain management buy-in for anything
April C. Wright

DNS - Strategies for Reducing Data Leakage & Protecting Online Privacy
Jim Nitterauer

Automating Hashtopolis
Evil Mog

"It's Malware Time" - A Bar Crawl from Skunked Homebrew to Rotten Apples
Erika Noerenberg

Breaking into Cyber: How the hell are you supposed to get started?
Josh Millsap

After Mirai: Cyber Security Implications of IoT Botnet Proliferation Against Critical Infrastructure
Paul W. Brager Jr M.Sci, CISSP, GICSP, CISM

Making an internal Let's Encrypt relay server
Josh Harvey

Keynote - I PWN thee, I PWN thee not!
Jayson E. Street

Breaking Into Your Building: A Hacker's Guide to Unauthorized Physical Access
Brent White. Tim Roberts

Formula for a Bug Bounty Program
Chris Holt

Forensics Phish Tank: Breaking Down Analysis of Advanced Phishing Emails
Joe Gray & Sophia Fadli

Baking Your Anomalous Cookies
Jim Allee

Waiter, there's a compiler in my shellcode!
Josh Stone

Empathy for the (Devel)oper: Lessons Learned Building An Application Security Module
Yolonda Smith

MORE Tales From the Crypt...Analyst
Jeff Man

IR with Volatility Framework
Evan Wagner

Let's Talk About WAF (Bypass) Baby
Brett Gravois

Behavioral Security and Offensive Psychology at Scale
Josh Schwartz. Samantha Davison

My making of a Metasploit Module
Aaron Ringo

Don't Panic! A Beginner's Guide To Hardware Hacking
Phoenix Snoke

The Jazz Improv of Infosec
Damon J. Small

Elliptic Curve Cryptography: What it is and who needs it
Michele Bousquet

04/28/2019 BSidesCharm 2019 Videos
These are the videos BSidesCharm (Baltimore) 2019. Thanks for inviting me down to record. Thanks to my video team Robert, Ethan, Cory, Tim Steven, Trevor, Tom, Menachem and Josh.


Matt Blaze

Embrace the Red: Enhancing detection capabilities with adversary simulation
Mauricio Velazco

I'lll Complete My Threat Model Later Mom!: Infosec in Middle School
Ashley Benitez Smith

Cleaning the Apple Orchard - Using Venator to Detect macOS Compromise
Richie Cyrus

More Tales From the Crypt...Analyst
Jeffrey Man

Anatomy & Evolution of a Fast Flux Malware Campaign
Emily Crose

COM Under The Radar: Circumventing Application Control Solutions
Jimmy Bayne

On The Line: What Phishing Really Impacts
Steven Becker

Automated Adversary Emulation
David Hunt

Comparing Malicious Files
Robert Simmons

How to Start a Cyber War: Lessons from Brussels
Chris Kubecka

You Moved to Office 365, Now What?
Sean Metcalf

You're Not as Safe as You Think: Clearing Up Common Security Misconceptions
Joshua Meyer

Keynote: The Declarative Future
Liam Randall

Exploring Community Volunteering Through a Career Development Lens
Kathleen Smith and Doug Munro

Defense in Depth Against DDoS Diminishes Dollars Destroyed
Daniel Gordon

Reasonable Rapid Recognition and Response to Rogues
Craig Bowser

BloodHound From Red to Blue
Mathieu Saulnier

A Code Pirate's Cutlass: Recovering Software Architecture from Embedded Binaries

Technical Leadership: It's Not All Ones and Zeros
Timothy Schulz

Hunting for Threats in Industrial Environments and Other Scary Places
Nick Tsamis

It's Malware Time - A Bar Crawl from Skunked Homebrew to Rotten Apples
Erika Noerenberg

J-J-J-JEA Power
James Honeycutt

What did the SIEM Say?
JR Presmy and Shawn Thomas

Using Bashfuscator to Generate Bash Obfuscation


04/05/2019 Hacker/Infosec Con Types & Getting More Out Of Hacker/Infosec Conferences
03/01/2019 BSides Columbus 2019 Video
These are the videos from the BSides Columbus Ohio conference. Thanks to Mitch & Mike Spaulding for having me up and those who manned the video rigs such as Cody, Matt, Dillon, Nick, Cole Chris and others whose name I can't seem to remember in my old age..


Morning Keynote Featuring Runa Sandvik
Runa Sandvik

Brian Contos

Scrapping for Pennies: How to implement security without a budget
Ryan Wisniewski

Check Your Privilege (Escalation)
Kate Broussard

Wow, it really is always DNS! Becoming a Part of the DDoS Problem ( on purpose ).
Cody Smith

Unix: The Other White Meat
Adam Compton and David Boyd

Puppet Masters: How Social Engineers Continue to Pull Our Strings
Erich Kron

E-ZHack: An Update on SDR and Toll Booth Reverse Engineering
Kyle Westhaus

Mobile App Vulnerabilities - The Bad, The Worse And The Ugly
Ray Kelly

Mixing and Baking a New AppSec Person
Bill Sempf

(Some Missing Audio)

How Online Dating Made Me Better at Threat Modeling
Isaiah Sarju

What On Earth Is Quantum Computing?!? (And will it break all my encryption?)
Craig Stuntz

Battling Magecart: The Risks of Third-Party Scripts
Kevin Gennuso

Ship Hacking: Data on the Open Seas
Brian Olson

Common Developer Crypto Mistakes (with illustrations in Java)
Kevin Wall

The Overlooked Cyber Security Risk: 3rd Party Risk Management
Rose Songer

The Path to IAM Maturity
Jerod Brennan

Assumed Breach Testing
Brendan O'Connor

API Security: Tokens, Flows and the Big Bad Wolf
Ingy Youssef

Demystifying DMARC: A guide to preventing email spoofing
Sean Whalen

Afternoon Keynote Featuring Craig Hoffman
Craig Hoffman

02/03/2019 BSides Tampa 2019 Videos
These are the videos from the BSides Tampa conference. Thanks to all of the BSides Crew for having me out to help record and render the videos. Special thanks to my video crew: Matthew, Bridget, Patrick, Dan, Mike, Audrey and Chris


Doesn't It make You WannaCry: Mitigating Ransomware on a Windows Network
David Branscome

RegEx for Incident Response
Daniel Nutting Bryan Turner

Intermediate Physical Security
Justin Wynn

Security Analytics in the Cloud
Marc Baker

How to use 400+M endpoints to build strong AI detection systems
Filip Chytry

20/20 Enterprise Security Monitoring: Seeing clearly with Security Onion
Wes Lambert

Beyond Lockpicking
Brian Etchieson

Social Forensication: A Multidisciplinary Approach to Successful Social Engineering
Joe Gray

Phishing U2F-Protected Accounts
Nikita Mazurov Kenny Brown

Election Hacking: Getting Ready for the Russian Onslaught in 2020
Jeremy Rasmussen

Logging Pitfalls and How to Abuse Them
Kevin Kaminski Michael Music

Personal security while on travel with additional pro-tips from seasoned travellers.
Derek Banks Beau Bullock

Securing Shadow IT
Gene Cronk

Day When Quantum Computers Breaks Crypto
Roger Grimes

An Inside Look At Stopping Unauthorized Sellers & Counterfeiters On Amazon
Bruce Anderson

The Sound of Evil
Wes Widner

Serverless Security Top 10
Tal Melamed

Hacking IoT devices by chaining application security vulnerabilities
Rick Ramgattie

Becoming a Human nMAP! Cultivating a Renaissance Approach for the Social Engineer
Tigran Terpandjian

vCISO Is That the Right Answer
Mike Brooks

12/02/2018 SecureWV/Hack3rcon 2018 Videos
These are the videos of the presentations from Secure West Virginia 2018. Thanks to Justin, Tim, Lacy, Dave, Katie, Kevin, Todd, Alice, Brian, Brandon & Jon for helping record.

Intro/Welcome to SecureWV / Hack3rCon

Keynote - Hackers, Hugs, & Drugs.... Part II
Amanda Berlin

Why The Legal System Needs Your Help
Brian Martin

Mobile devices and you.
Detective Jeremy M. Thompson

The New Age of Ransomware: Cybercriminals Adopt Nation State Techniques
Allan Liska

Outside the Box: How the Internet of Things Poses New Cybersecurity Risks and Challenges the Law
Evan Kime

Applying the principles of Dodgeball: A True Underdog Story to CTFs
Branden Miller

Gun Safety Class
Branden Miller

Python Scripting
Justin Rogosky

Red Hat Enterprise Linux Security Technologies Lab
Lucy Kerner and Roy Williams

Automating Security Operations - on a budget
Jeremy Mio

Security Automation for the Blue Team
Eric Waters

Home Alone: A Pentester Perspective
Craig Vincent & Derek Banks

Simplified Red Hat Enterprise Linux Identity, Authentication, and Authorization management with Microsoft Active Directory and Red Hat Identity Management Trust
Roy Williams

Simple Attribution in Social Media and Websites
Brian Martin

Offensive and Defensive Security with Ansible
Lucy Kerner

High School Competitive Robotics and why you should care.
Charleston Area Robotics Team (CART)

Guaranteed Failure - Awareness The Greatest Cyber Insanity
Joshua Crumbaugh

Developing a Cloud Based Cyber Security Simulation Portal
David Krovich

The Hybrid Home Lab: From Laptop to Cloud
Holden Fenner

Securing your networks with Ansible
Adam Vincent

A deep look at Stack Buffer Overflows and Format String Vulnerabilities
Philip Polstra

Advanced threat hunting with open-source tools and no budget
Joseph DePlato

What's in a Domain Name?
Collin Meadows

Monitoring your home LAN with Python
Zach Tackett

Left of Boom
Ted Corbeill

Your Dead! Now what. How to help your family after your gone.
Steven Truax

A Brief Introduction to Metasploit
Joey Maresca

SecureWV / Hack3rCon Closing / Awards
Benny Karnes

10/19/2018 BSidesRDU 2018 Videos
These are the videos of the presentations from BSidesRDU. Thanks to Cyrus, Brian, James Carl and others for all the work.

Welcome & Opening Remarks
BsidesRDU Staff

Keynote from Shahid Buttar, EFF Director Of Grassroots Advocacy
Shahid Buttar

Approaching Parity: Considerations for adapting enterprise monitoring and incident response (IR) capabilities for efficacy in cloud environments, and how to operationalize these capabilities with a playbook.

Movement After Initial Compromise
SleepZ3R0 and HA12TL3Y

Our Docker app got hacked. Now what?
Joel Lathrop

Sky-high IR - IR at Cloud Scale

When it rains it pours
Sam Granger

Rise of the Advisor
Neal Humphrey

No Network Needed?!?!
Ron Burkett

Justin Hoeckle

10/8/2018 Derbycon 2018 Videos
These are the videos of the presentations from Derbycon 2018. Big thanks to my video jockeys @nightcarnage, @securid, @theglennbarrett, @LenIsham, @curtisko, @bsdbandit, @someninjamaster, @Simpo13, @primestick, @SciaticNerd, @CoryJ1983, @SDC_GodFix, @Skiboy941, @TeaPartyTechie, @livebeef, @buccaneeris, @mjnbrn, @sfzombie13, @kandi3kan3, @paint27, @AlexGatti


How to influence security technology in kiwi underpants
Benjamin Delpy

Panel Discussion - At a Glance: Information Security
Ed Skoudis, John Strand, Lesley Carhart. Moderated by: Dave Kennedy

Red Teaming gaps and musings
Samuel Sayen

A Process is No One: Hunting for Token Manipulation
Jared Atkinson, Robby Winchester

Fuzz your smartphone from 4G base station side
Tso-Jen Liu

Clippy for the Dark Web: Looks Like You're Trying to Buy Some Dank Kush, Can I Help You With That?
Emma Zaballos

Synfuzz: Building a Grammar Based Re-targetable Test Generation Framework
Joe Rozner

Escoteric Hashcat Attacks

RFID Luggage Tags, IATA vs Real Life
Daniel Lagos

#LOL They Placed Their DMZ in the Cloud: Easy Pwnage or Disruptive Protection
Carl Alexander

Maintaining post-exploitation opsec in a world with EDR
Michael Roberts, Martin Roberts

Hey! I found a vulnerability - now what?
Lisa Bradley, CRob

Foxtrot C2: A Journey of Payload Delivery
Dimitry Snezhkov

Kaleb Brown

IRS, HR, Microsoft and your Grandma: What they all have in common
Christopher Hadnagy, Cat Murdock

#LOLBins - Nothing to LOL about!
Oddvar Moe

Everything Else I Learned About Security I Learned From Hip-Hop
Paul Asadoorian

Hackers, Hugs, & Drugs: Mental Health in Infosec
Amanda Berlin

Android App Penetration Testing 101
Joff Thyer, Derek Banks

Draw a Bigger Circle: InfoSec Evolves
Cheryl Biswas

I Can Be Apple, and So Can You
Josh Pitts

From Workstation to Domain Admin: Why Secure Administration Isn't Secure and How to Fix It
Sean Metcalf


The Unintended Risks of Trusting Active Directory
Lee Christensen, Will Schroeder, Matt Nelson

Lessons Learned by the WordPress Security Team
Aaron D. Campbell

IronPython... omfg
Marcello Salvati

Invoke-EmpireHound - Merging BloodHound & Empire for Enhanced Red Team Workflow
Walter Legowski

When Macs Come Under ATT&CK
Richie Cyrus

Abusing IoT Medical Devices For Your Precious Health Records
Saurabh Harit, Nick Delewski

Detecting WMI exploitation
Michael Gough

Gryffindor | Pure JavaScript, Covert Exploitation
Matthew Toussain

Instant Response: Making IR faster than you thought possible!
Mick Douglas, Josh Johnson

The History of the Future of Cyber-Education
Winn Schwartau

State of Win32k Security: Revisiting Insecure design
Vishal Chauhan

Offensive Browser Extension Development
Michael Weber

Protect Your Payloads: Modern Keying Techniques
Leo Loobeek

Jump Into IOT Hacking with the Damn Vulnerable Habit Helper Device
Nancy Snoke, Phoenix Snoke

Tales From the Bug Mine - Highlights from the Android VRP
Brian Claire Young

Decision Analysis Applications in Threat Analysis Frameworks
Emily Shawgo

Threat Intel On The Fly

Make Me Your Dark Web Personal Shopper!
Emma Zaballos

Driving Away Social Anxiety
Joey Maresca

Off-grid coms and power
Justin Herman

CTFs: Leveling Up Through Competition
Alex Flores

Extending Burp to Find Struts and XXE Vulnerabilities
Chris Elgee

Introduction to x86 Assembly

Pacu: Attack and Post-Exploitation in AWS
Spencer Gietzen

An Inconvenient Truth: Evading the Ransomware Protection in Windows 10
Soya Aoyama

Brutal Blogging - Go for the Jugular
Kate Brew

RID Hijacking: Maintaining Access on Windows Machines
Sebastian Castro

Your Training Data is Bad and You Should Feel Bad
Ryan J. O'Grady

So many pentesting tools from a $4 Arduino
Kevin Bong, Michael Vieau

Building an Empire with (Iron)Python
Jim Shaver

SAEDY: Subversion and Espionage Directed Against You
Judy Towers

OSX/Pirrit - Reverse engineering mac OSX malware and the legal department of the company who makes it
Amit Serper, Niv Yona, Yuval Chuddy

How to test Network Investigative Techniques(NITs) used by the FBI
Dr. Matthew Miller

Cloud Computing Therapy Session
Cara Marie, Andy Cooper

Silent Compromise: Social Engineering Fortune 500 Businesses
Joe Gray

Dexter: the friendly forensics expert on the Coinbase security team
Hayden Parker

Going on a Printer Safari - Hunting Zebra Printers
James Edge

Hardware Slashing, Smashing, and Reconstructing for Root access
Deral Heiland

App-o-Lockalypse now!
Oddvar Moe

Web App 101: Getting the lay of the land
Mike Saunders

Invoke-DOSfuscation: Techniques FOR %F IN (-style) DO (S-level CMD Obfuscation)
Daniel Bohannon

WE ARE THE ARTILLERY: Using Google Fu To Take Down The Grids
Chris Sistrunk, Krypt3ia, SynAckPwn

Just Let Yourself In
David Boyd

A "Crash" Course in Exploiting Buffer Overflows (Live Demos!)
Parker Garrison

Living in a Secure Container, Down by the River
Jack Mannino

VBA Stomping - Advanced Malware Techniques
Carrie Roberts, Kirk Sayre, Harold Ogden

Media hacks: an Infosec guide to dealing with journalists
Sean Gallagher, Steve Ragan, Paul Wagenseil

Deploying Deceptive Systems: Luring Attackers from the Shadows
Kevin Gennuso

The Money-Laundering Cannon: Real cash; Real Criminals; and Real Layoffs
Arian Evans

Perfect Storm: Taking the Helm of Kubernetes
Ian Coldwater

How to put on a Con for Fun and (Non) Profit
Benny Karnes, John Moore, Rick Hayes, Matt Perry, Bill Gardner, Justin Rogosky, Mike Fry, Steve Truax

Web app testing classroom in a box - the good, the bad and the ugly
Lee Neely, Chelle Clements, James McMurry

Metasploit Town Hall 0x4
Brent Cook, Aaron Soto, Adam Cammack, Cody Pierce

Community Based Career Development or How to Get More than a T-Shirt When Participating as part of the Community
Kathleen Smith, Magen Wu, Cindy Jones, Kathryn Seymour, Kirsten Renner

Disaster Strikes: A Hacker's Cook book
Jose Quinones, Carlos Perez

Ninja Looting Like a Pirate

Hacking Mobile Applications with Frida
David Coursey

Victor or Victim? Strategies for Avoiding an InfoSec Cold War
Jason Lang, Stuart McIntosh

Ubiquitous Shells
Jon Gorenflo

99 Reasons Your Perimeter Is Leaking - Evolution of C&C
John Askew

Ship Hacking: a Primer for Today's Pirate
Brian Satira, Brian Olson

Code Execution with JDK Scripting Tools & Nashorn Javascript Engine
Brett Hawkins

PHONOPTICON - leveraging low-rent mobile ad services to achieve state-actor level mass surveillance on a shoestring budget
Mark Milhouse

Patching: Show me where it hurts
Cheryl Biswas

Advanced Deception Technology Through Behavioral Biometrics
Curt Barnard, Dawud Gordon

We are all on the spectrum: What my 10-year-old taught me about leading teams
Carla A Raisler

No Place Like Home: Real Estate OSINT and OPSec Fails
John Bullinger

The Layer2 Nightmare
Chris Mallz

Attacking Azure Environments with PowerShell
Karl Fosaaen

Blue Blood Injection: Transitioning Red to Purple
Lsly Ayyy

Mirai, Satori, OMG, and Owari - IoT Botnets Oh My
Peter Arzamendi

Comparing apples to Apple
Adam Mathis

How online dating made me better at threat modeling
Isaiah Sarju

Threat Hunting with a Raspberry Pi
Jamie Murdock

M&A Defense and Integration - All that Glitters is not Gold
Sara Leal, Jason Morrow

Social Engineering At Work - How to use positive influence to gain management buy-in for anything
April Wright

Ham Radio 4 Hackers
Eric Watkins, Devin Noel

Getting Control of Your Vendors Before They Take You Down
Dan Browder

Cyber Intelligence: There Are No Rules, and No Certainties
Coleman Kane

Getting Started in CCDC
Russell Nielsen

Changing Our Mindset From Technical To Psychological Defenses
Andrew Kalat

Red Mirror: Bringing Telemetry to Red Teaming
Zach Grace

Two-Factor, Too Furious: Evading (and Protecting) Evolving MFA Schemes
Austin Baker, Doug Bienstock

IoT: Not Even Your Bed Is Safe
Darby Mullen

Fingerprinting Encrypted Channels for Detection
John Althouse

On the Nose: Bypassing Huawei's Fingerprint authentication by exploiting the TrustZone
Nick Stephens

Bypassing Port-Security In 2018: Defeating MacSEC and 802.1x-2010
Gabriel Ryan

Goodbye Obfuscation, Hello Invisi-Shell: Hiding Your Powershell Script in Plain Sight
Omer Yair

Cloud Forensics: Putting The Bits Back Together
Brandon Sherman

Killsuit: The Equation Group's Swiss Army knife for persistence, evasion, and data exfil
Francisco Donoso

The MS Office Magic Show
Stan Hegt, Pieter Ceelen

Living off the land: enterprise post-exploitation
Adam Reiser

Hillbilly Storytime: Pentest Fails
Adam Compton

Bug Hunting in RouterOS
Jacob Baines

Breaking Into Your Building: A Hackers Guide to Unauthorized Access
Tim Roberts, Brent White

The making of an iOS 11 jailbreak: Kiddie to kernel hacker in 14 sleepless nights.
Bryce "soen" Bearchell

Who Watches the Watcher? Detecting Hypervisor Introspection from Unprivileged Guests
Tomasz Tuzel

Pwning in the Sandbox: OSX Macro Exploitation & Beyond
Adam Gold, Danny Chrastil

IOCs Today, Intelligence-Led Security Tomorrow
Katie Kusjanovic, Matthew Shelton

Closing Ceremonies

9/8/2018 GrrCON 2018 Videos
These are the videos of the presentations from GrrCON 2018. Big thanks to EggDropX and Jaime for having me out, and my video crew  (paint27, Erick, Jason, brettahansen, Angela, Luke & others) for recording.

Dave Kennedy

An Inconvenient Truth: Evading the Ransomware Protection in Windows 10
Soya Aoyama

The Abyss is Waving Back - The four paths that human evolution is charging down, and how we choose which one's right
Chris Roberts

Crypto Gone Rogue: A Tale of Ransomware, Key Management and the CryptoAPI
Pranshu Bajpai & Dr. Richard Enbody

You're right, this talk isn't really about you!
Jayson E Street

Analyzing Pwned Passwords with Apache Spark
Kelley Robinson

How to rob a bank over the phone
Joshua "Naga" Crumbaugh
(Posting Later Maybe)

Vibing Your Way Through an Enterprise: How Attackers are Becoming More Sneaky
Matthew Eidelberg

PwnBook: Penetrating with Google's Chromebook
Corey Batiuk

Life, Death + the Nematodes: Long live Cyber Resilience!
Chad Calease

Data Data Everywhere but No One Stops to Think
Scott Thomas, Carl Hertz & Robert Wagner

Automation and Open Source: Turning the Tide on Attackers
John Grigg

w.e w.e Internet Explorer Does What It Wants
Aaron Heikkila

Pacu: Attack and Post-Exploitation in AWS
Spencer Gietzen

Hacker Tools, Compliments of Microsoft
David Fletcher & Sally Vandeven

How to Conduct a Product Security Test: And How it Fits Into the Larger Security Strategy
Dr. Jared DeMott

Over the Phone Authentication
Spencer Brown

Designing a Cloud Security Blueprint
Sarah Elie

To Fail is Divine
Danny Akacki

Zero to Owned in 1 Hour: Securing Privilege in Cloud, DevOps, On-Prem Workflows
Brandon Traffanstedt

Malware Mitigation Sample Detonation Intelligence Automation: Make Your Binaries Work for You
Adam Hogan

emulacra and emulation: an intro to emulating binary code with Vivisect
Atlas of D00m

SniffAir - An Open-Source Framework for Wireless Security Assessments
Matthew Eidelberg & Steven Daracott

Threat Hunting: the macOS edition
Megan Carney

The Hybrid Analyst: How Phishing Created A New Type of Intel Analyst
Rachel Giacobozzi

Dragnet: Your Social Engineering Sidekick
Truman Kain

Intelligence Creating Intelligence: Leveraging what you know to improve finding what you don,t
Tomasz Bania

Guaranteed Failure: Awareness The Greatest Cyber Insanity
Joshua "Naga" Crumbaugh

Threat Modeling: How to actually do it and make it useful
Derek Milroy

Structuring your incident response could be one of the most important things you do to bolster Security
Matt Reid

How this 20 Year Old Changed the Security Industry
James O'Neill

Stop Boiling The Ocean! How To Succeed With Small Gains
Joel Cardella

Do I have a signature to detect that malware?
Ken Donze

2018 SIEM Trends: What is my Mean Time to Value?
Bill Lampe

Advanced Attackers Hiding Inside Encrypted Traffic at the Endpoint
Jared Phipps

More Tales from the Crypt-Analyst
Jeff Man

My First year in Application Security
Whitney Phillips

Career Risk Management: 10 tips to keep you employed
Chris Burrows

Red vs Blue: The Untold Chapter
Aaron Herndon & Thomas Somerville

Saving All the Money to Buy All the Booze: Learning to Hack All the Things on a Budget
Michael Morgese

Analyzing Multi-Dimensional Malware Dataset
Ankur Tyagi

Physicals, Badges, and why it matters
Alex Fernandez-Gatti

InSpec: Compliance as Code
Kent picat, Gruber

Bounty Hunters
J Wolfgang Goerlich

8/9/2018 Patreon, Bitchute, etc.
Hi all, I've set up a Patreon for those that want to help me increase the number of cons I can record each year. As a reminder, the videos I record appear on YouYube, Archive.org and BitChute for free, so don't complain about what I put on my site if you can't figure out how to get to the same content elsewhere. 😜
7/14/2018 OISF 2018 Videos
These are the videos from the OISF Anniversary Event.

Dr. John Carls

Catching the Social Engineer
Robert Stewart

Hacking Identity, A Pen Tester’s guide to IAM
Jerod Brennen

Active Defense: Helping the Threat Actors Hack Themselves
Matt Scheurer

Planning & Executing A Red Team Engagement
Tim Wright

6/23/2018 BSides Cleveland 2018 Videos
These are the videos from the Bsides Cleveland conference. Thanks to Rich, Nekko, justinschmitt &  as the video team. Thanks to twuntymcslore & RockieBrockway for being con mom & dad.

Hacking Your Happiness
Chris Gates

Active Defense - Helping threat actors hack themselves!
Matt Scheurer

Reflective PE Unloading
Spencer McIntyre

One Puzzle Piece at a Time: Logging Quick Wins
Celeste Hall

Christine Stevenson

Using Technology to Defend Digital Privacy & Human Rights
Tom Eston

Code Execution with JDK Scripting Tools & Nashorn Javascript Engine
Brett Hawkins

Abandoned Spaces: Reconstructing APT Campaigns From Lapsed Domains
Daniel Nagy

What's Changed In The New OWASP Top 10?
Bill Sempf

Raindance: Raining Recon from the Microsoft Cloud
Michael Stringer

Tools and Procedures for Securing .Net Applications
Sam Nasr

Hacking Identity: A Pen Tester's Guide to IAM
Jerod Brennen

Phishing Forensics - Is it just suspicious or is it malicious?
Matt Scheurer

Securing Code - The Basics
Michael Mendez

The Marriage of Threat Intelligence and Incident Response or... Threat Hunting for the Rest of Us
Jamie Murdock

Wacky and Wild Security - Getting things under CIS Controls V7
Jeremy Mio

Interdisciplinary Infosec: Equifax, Individuation, and the Modern State
Thomas Pieragastini

Mobile Application Privacy and Analytics
Kevin Cody

Evolving the Teaching of Pen Testing in Higher Ed
Robert Olson

Go back to the basics with your processes: Improving operations without technology.
Mark Abrams

Anatomy of an Attack
John Fatten

Hackers, Hugs, & Drugs: Mental Health in Infosec
Amanda Berlin

6/14/2018 A Digital Handbook for the Recently Deceased
Article on dealing with a deceased person's financial and Internet accounts, and making it easier for others to do so when you pass.
6/8/2018 ShowMeCon 2018 Videos
These are the videos ShowMeCon 2018. Thanks to Renee & Dave Chronister (@bagomojo) and others for having me out to record and speak. Also thanks to my video crew @r3tr0_cod3x, James, Aaron, Jon and some other people I may have forgotten.


The Insecure Software Development Lifecycle: How to find, fix, and manage deficiencies within an existing methodology.
April C. Wright

The Sky Isn't Falling, But the Earth May be Shifting: How GDPR Could Change the Face of InfoSec
Cliff Smith

Gulliver's Travels: Security Exploits and Vulnerabilities Around the Globe
Kevin Johnson

From DDoS to Mining: Chinese Cybercriminals Set Their Sights on Monero
David Liebenberg

ANTI-OSINT AF: How to become untouchable
Michael James

Who's Watching the Watchers?
Nathan Sweaney

We don't have to worry about that, It's in the cloud
Arnar Gunnarsson

Paul Coggin

Getting Newcomers into Infosec: The Tribulations of the Auburn University Hacking Club
Matthew Rogers

Exploring Information Security Q&A Panel
Timothy De Block

Securing Windows with Group Policy
Josh Rickard

ATAT: How to take on the entire rebellion with 2-3 stormtroopers

How Hyperbolic Discounting is keeping your security program from succeeding
Jon Clark

Hijacking the Boot Process - Ransomware Style
Raul Alvarez

Building a Cyber Training Range on a Budget
Robert Guiler

Lessons Learned from Development and Release of Blacksmith (The Meltdown Defense Tool For Linux)
Jared Phipps

How to Train Your Kraken - Creating a Monster Out of Necessity
Sean Peterson

PowerShell exploitation, PowerSploit, Bloodhound, PowerShellMafia, Obfuscation, PowerShell Empire, the Empire has fallen, you CAN detect PowerShell exploitation
Michael Gough

Offensive Cartography
Trenton Ivey

The Wrong Kind of DevOps Talk - Now with Extra Badness!
Bobby Kuzma

This Job is Making Me Fat!
Thomas Smith

You'll understand when you are older
Amanda Berlin & David Cybuck

Bitcoin - The generation of private keys based on public keys, a live demonstration
Richard Dennis

6/3/2018 Circle City Con 2018 Videos
These are the Circle City Con videos. Thanks to the staff for inviting me down to record. Big thanks to @irishjack, @0DDJ0BB, @Ajediday, Jim, @securesomething, @AnarchistDalek, @KitWessendorf, @m3ch4n15m, @Valacia, @songsthatsaved, @mchandleraz, @christinemobes and other for helping set up AV and record.

Opening Ceremonies
Circle City Con Staff

Espionage In The Modern Age of Information Warfare
Scot Terban

The Never Ending Hack: Mental Health in InfoSec Community
Danny Akacki

The Network Night Watch
Eric Rand & Lesley Cahart

Held for Ransom with a Toy Gun
Brian Baskin

Dear Blue Team: Proactive Steps to Supercharge your IR
Joe Gray

CTF Tips and Tricks
Aaron Lintile

Classic Cons in Cryptocurrency
Wolfgang Goerlich & Zachary Sarakun

Enterprise Vulnerability Management (Assessing, Implementing, and Maintaining)
Derek Milroy

Security Beyond the Security Team: Getting Everyone Involved
Luka Trbojevic

The consequences of lack of security in the Healthcare and how to handle it
Jelena Milosevic

Stealing Cycles, Mining Coin: An introduction to Malicious Cryptomining
Edmund Brumaghin & Nick Biasini

Applying Thermodynamic Principles to Threat Intelligence
Kyle Ehmke

SAEDY: Subversion and Espionage Directed Against You
Judy Towers

How to Lie with Statistics, Information Security Edition
Tony Martin-Vegue

IoT 4n6: The Growing Impact of the Internet of Things on Digital Forensics
Jessica Hyde

A Very Particular Set of Skills: Geolocation Techniques For OSINT and Investigation
Chris Kindig

Rise of the Machines
Aamir Lakhani

Backdooring with Metadata
Itzik Kotler

Automahack - Automate going from zero to domain admin with 2 tools
Dan McInerney

Patching - It's Complicated
Cheryl Biswas

Containers: Exploits, Surprises and Security
Elissa Shevinsky

Playing Russian Troll Whack-a-Mole
Courtney Falk

The FaaS and the Curious - AWS Lambda Threat Modeling
Bryan McAninch

Deploying Deceptive Systems: Luring Attackers from the Shadows
Kevin Gennuso

Quick Retooling in .Net for Red Teams
Dimitry Snezhkov

(Re)Thinking Cyber Security Given the Spectre of a Meltdown: (Someone Hold My Beer)
Jeff Man

Carrot vs. Stick: Motivation, Metrics, and Awareness
Magen Wu

Securing without Slowing: DevOps
Wolfgang Goerlich

Operator: The Well-Rounded Hacker
Matthew Curtin

Abuse Case Testing in DevOps
Stephen Deck

GreatSCT: Gotta Catch 'Em AWL
Chris Spehn

5/20/2018 NolaCon 2018 Videos
Recorded at NolaCon 2018. Thanks to @CurtisLaraque, @mikearbrouet, @openbayou, Cole & @klulue for the video recording help, and @nola_con, @erikburgess_, @NolaConYvonne & Rob for having me down to record.

Chasing the Adder... A Tale from the APT world
Stefano Maccaglia

Aww Ship! Navigating the vulnerabilities and attack surface of the maritime industry
John Sonnenschein

Hacking Dumberly, Just Like the Bad Guys
Tim Medin, Derek Banks

Automahack - Python toolchain for automated domain admin
Dan McInerney

Dear Blue Team: Proactive Steps to Supercharge your IR
Joe Gray

You'll Understand When You're Older
Amanda Berlin

Skills For A Red-Teamer
Brent White, Tim Roberts

Hacking Smart Contracts--A Methodology
Konstantinos Karagiannis

Fighting Child Exploitation with Oculum
Andrew Hay, Mikhail Sudakov

How to tell cajun doctors they have bad cyber-hygiene and live
Joshua Tannehill

What Infosec in Oil & Gas can Teach us About Infosec in Healthcare
Damon J. Small

On the Hunt: Hacking the Hunt Group
Chris Silvers, Taylor Banks

Your Mac Defenestrated. Post OSXploitation Elevated.
FuzzyNop & Noncetonic

Keynote: Follow The Yellow Brick Road
Marcus J. Carey

We are the Enemy of the Good
Stephen Heath

Taking out the Power Grid's Middleman
Nathan Wallace, Luke Hebert

Privacy for Safety- How can we help vulnerable groups with privacy?

Cash in the aisles: How gift cards are easily exploited
Will Caput

Mind Games: Exploring Mental Health through Games
Todd Carr

Jump into IOT Hacking with Damn Vulnerable Habit Helper IOT Device
Nancy Snoke, Phoenix Snoke

The Future of Digital Forensics
Imani Palmer

Changing the Game: The Impact of TRISIS (TRITON) on Defending ICS/SCADA/IIoT
Paul W. Brager Jr M.Sci, CISSP, GICSP, CISM

Ducky-in-the-middle: Injecting keystrokes into plaintext protocols
Esteban Rodriguez

Gamifying Developer Education with CTFs
John Sonnenschein & Max Feldman

Active Directory Security: The Journey
Sean Metcalf

HTTP2 and You
Brett Gravois

5/12/2018 BSides Detroit 2018 Videos
These are the videos from the BSides Detroit 2017 Conference.  Thanks to Ryan Harp (@th3b00st), Dan Falk (@dnfalk), Wolfgang Goerlich (@jwgoerlich), Matt Johnson (@mwjcomputing), Kyle Andrus (@chaoticflaws), Kate Vajda (@vajkat) and Chris Maddalena (@cmaddalena) for having me out and Samuel Bradstreet (@TeaPartyTechie), Leah Bradstreet,  Xavier Johnson, Ali Faraj, Camilla Martins, Ben Valentine, James Green, David Sornig, Steven Balagna,  Nick Papa, Lucas Gorczyca, J Parker Galbraith and others I may forget for helping to record.


Yes, You're an Impostor; now get back to work
Johnny Xmas

GRC - "What Would You Say You Do Here?"
Brian Martinez

Protecting Phalanges from Processor Pressure Points
Matthew Clapham

A Reporter's Look at OSINT
Hilary Louise
(Sorry, mic was off, but here is a longer version from GrrCon)

Nowhere to hide
Lucas Gorczyca

Know the Enemy - How to make threat intelligence work!
Nir Yosha

Hack like a Gohper
Kent Gruber

@taco_pirate's Art of Woo
Ben Carroll

Saving All the Money to Buy All the Booze: Learning to Hack All the Things on a Budget
Michael Morgese

Practical Incident Response in Heterogenous Environment
Kevin Murphy & Stefano Maccaglia

Security KPIs - Measuring Improvement in Your Security Program
Steven Aiello

5/11/2018 Converge 2018 Videos
These are the videos from the Converge Information Security Conference. Thanks to Ryan Harp (@th3b00st), Dan Falk (@dnfalk), Wolfgang Goerlich (@jwgoerlich), Matt Johnson (@mwjcomputing), Kyle Andrus (@chaoticflaws), Kate Vajda (@vajkat) and Chris Maddalena (@cmaddalena) for having me out and Samuel Bradstreet (@TeaPartyTechie), Leah Bradstreet,  Xavier Johnson, Camilla Martins, Ben Valentine, James Green, David Sornig, Steven Balagna,  Nick Papa, J Parker Galbraith and others I may forget for helping to record.


Hackers, Hugs, & Drugs: Mental Health in Infosec
Amanda Berlin

Winning the cybers by measuring all the things
Jim Beechey

Social Engineering for the Blue Team
Timothy De Block

The Emerging Product Security Leader Discipline
Matthew Clapham

Server Message Block Worms: The gift that keeps on giving
Matthew Aubert

Don't Fear the Cloud: Secure Solutions at Lower Cost
Matt Newell

DevSecOps: Security Testing with CI/CD Automation Servers
Ed Arnold

Backdooring With Metadata
Itzik Kotler

How to Conduct a Product Security Test: And How it Fits Into the Larger Security Strategy
Nick Defoe

Securing ASP.NET Core Web Apps
Dustin Kingen

All the Bacon: How Lesley Knope and Ron Swanson encourage community growth
Kevin Johnson

ATT&CK Like an Adversary for Defense Hardening
Steve Motts & Christian Kopacsi

Unblockable Chains – Is Blockchain the ultimate malicious infrastructure?
Omer Zohar
(may post later)

Richard Cassara

The Things You Should Be Doing Defensively Right Now
Joel Cardella

Held Hostage: A Ransomware Primer
Nick Hyatt

Prowling: Better Penetration Testing
J Wolfgang Goerlich

Automating Web App security in AWS
Luther Hill

Finding the Money to Run an Effective Security Program
Matt Topper

Cryptocurrency- The Internetwide Bug Bounty Program
Brian Laskowski

Hacking Identity: A Pen Tester,s Guide to IAM
Jerod Brennen

4/29/2018 BSidesCharm 2018 Videos
These are the videos BSidesCharm (Baltimore) 2018. Thanks for inviting me down to record. Thanks to my video team Shawn Thomas, Cory, Terry Holman, Thomas Moses, Jason Presmy and Martin Veloso.

Jessica Payne

To AI or Not to AI? What the US Military Needs for Fighting Cyber Wars
Ernest Wong

Preparing for Incident Handling and Response within Industrial Control Networks
Mark Stacey

FailTime:​ ​ Failing​ ​ towards​ ​ Success
Sean Metcalf

Getting Saucy with APFS! - The State of Apple’s New File System
Sarah Edwards

Basic Offensive Application of MOF Files in WMI Scripting
Devon Bordonaro

An Open Source Malware Classifier and Dataset
Phil Roth

Counting Down to Skynet
Nolan Hedglin

How we reverse engineered OSX/Pirrit, got legal threats and survived
Amit Serper

Threat Activity Attribution: Diferentiatinn the Who from the How
Joe Slowik

Quantify your hunt: not your parents’ red teaming
Devon Kerr

Internet Anarchy & The Global March toward Data Localization
Andrea Little Limbago

Powershell Deobfuscation: Putting the toothpaste back in the tube
Daniel Grant

Effective Monitoring for Operational Security
Russell Mosley Ryan St. Germain

Plight at the end of the Tunnel
Anjum Ahuja

Rise of the Miners
Josh Grunzweig

Malware Analysis and Automation using Binary Ninja
Erika Noerenberg

Between a SOC and a Hard Place
Shawn Thomas Andrew Marini James Callahan Dustin Shirley

Using Atomic Red Team to Test Endpoint Solutions
Adam Mathis

Exercise Your SOC: How to run an effective SOC response simulation
Brian Andrzejewski

Adding Simulated Users to Your Pentesting Lab with PowerShell
Chris Myers Barrett Adams

Building a Predictive Pipeline to Rapidly Detect Phishing Domains
Wes Connell

Closing Ceremonies

4/14/2018 BSides Nashville 2018 Videos
These are the videos BSides Nashville 2018. Thanks to @lil_lost for inviting me down to record and being my bodyguard while in Nashville. Big thanks to Gabe Basset, Geoff Collins, Cameron and others for helping set up AV and record.


Know Your Why
Oladipupo (Ladi) Adefala

Deploying Microsoft Advanced Threat Analytics in the Real World
Russell Butturini

An Oral History of Bug Bounty Programs
Dustin Childs

Blue Cloud of Death: Red Teaming Azure
Bryce Kunz

Brian Contos

Changing Who Writes the Queries: High-Leverage IR with Visual Playbooks & Visual Graph Analysis
Leo Meyerovich

Learning to Hack the IOT with the Damn Vulnerable Habit Helper IOT Device
Nancy Snoke, Phoenix Snoke

Hacking the Users: Developing the Human Sensor and Firewall
Erich Kron

Community Based Career Activities or How Having Fun Can Help You with Your Career
Kathleen Smith, Cindy Jones,Doug Munro, Magen Wu

Hillbilly Storytime - Pentest Fails
Adam Compton

See the ID Rules Before Us: FAL IAL AAL eh? Aaaagh!!! How, How, How, How?
Bruce Wilson

SAEDY: Subversion and Espionage Directed Against You
Judy Towers

Growing Up to be a Infosec Policy Driven Organization
Frank Rietta

Adding Simulated Users to Your Pentesting Lab with PowerShell
Chris Myers, Barrett Adams

Hacking VDI 101
Patrick Coble

Evaluating Injection Attack Tools Through Quasi-Natural Experimentation
John O'Keefe-Odom

Social Engineering for the Blue Team
Timothy De Block

4/6/2018 AIDE 2018 Videos
Recorded at AIDE 2018. Big thanks to Bill Gardner (@oncee) for having me out to record.

On Business Etiquette and Professionalism in the Workplace
Tess Schrodinger

InfoSec by the Numbers
Bill Gardner

Practical OSINT - Tools of the trade
Tom Moore

Potentially unnecessary and unwanted programs (a.k.a. PUPs)
Josh Brunty

How To Test A Security Awareness Program
Matt Perry

Disrupting the Killchain
Amanda Berlin

I have this piece of paper, now what?
Brandon Miller

Statistics Lie...Except About Passwords
Jeremy Druin

3/24/2018 BSides Chattanooga 2018 Videos
These are the videos from the BSides Chattanooga conference. Thanks to Ron and Kevin for having me out, and John for helping record.


Red vs Blue and why We are doing it wrong
Chris Roberts

The Semi-Comprehensive Guide to Setting Up a Home Lab
Andrew Williams

Lessons learned from a OWASP Top 10 Datacall
Brian Glas

Attacker vs. Defender: Observations on the Human Side of Security
Todd O'Boyle

The Gilligan Phenomenon: Fixing The Holes In the Ransomware And Phishing Boats
Eric Kron

Machine Learning and Cyber Security: How Smart is Can it Be?
Shayne Champion


3/10/2018 BSides Indy 2018 Videos
These are the videos from the BSides Indy conference. Thanks to Frank, MzBat for having me up, and Nate for helping with AC.


Lessons Learned - A 15 year Retrospective
Price McDonald

Phishing Forensics - Is it just suspicious or is it malicious?
Matt Scheurer

Presenting P@cketR@quet: An Auditory IDS
Killian Ditch

The Pillars of Continuous Incident Response
Brad Garnett

Zero to Owned in 1 Hour: Securing Privilege in Cloud and DevOps Workflow
Brandon Traffanstedt

Social Engineering for the Blue Team
Timothy De Block

Leveraging DevSecOps to Escape the Hamster Wheel of Never-ending Security Fail
Chris Reed

Creating a Cyber Volunteer Department
Ray Davidson

Frank Diaz

3/2/2018 BSides Columbus 2018 Videos
These are the videos from the BSides Columbus Ohio conference. Thanks to Mitch & Michael Spaulding for having me up and those who manned the video rigs.

Dave Kennedy

Automating Security Testing with the OWTF
Jerod Brennen

Looks Like Rain Again: Secure Development in the Cloud
Bill Sempf

How Stuxnet Ruined My Life For 6 Months (But I Got To Fly 1st Class A Lot)
Chris Raiter, Jeremy Smith

Emotet - Banking Malware With A Bite
Bradley Duncan

Kevin Burkart

Cryptology: It’s a Scalpel, not a Hammer
Mikhail Sudakov

Pass the Apple Sauce: Mac OS X Security Automation for Windows-focused Blue Teams
Brian Satira

Why People Suck at Delivery: How to get your security projects off the ground and into production!
Nick d'Amato

Zero to Owned in 1 Hour: Securing Privilege in Cloud and DevOps Workflow
Brandon Traffanstedt

Are you ready for my call? Security researcher insights into Responsible Disclosure.
Jason Kent

Everything you always wanted to ask a hiring manager, but were afraid to ask!
Mike Spaulding


Deep Learning for Enterprise: Solving Business Problems with AI
Christian Nicholson

Building Jarvis
Stephen Hosom

Active Defense - Helping threat actors hack themselves!
Matt Scheurer

Shifting Application Security Left
Craig Stuntz

Presenting P@cketR@quet: An Auditory IDS
Killian Ditch

Security and Networking: Dual Purpose Tools
Cody Smith

Cybereason's Jim VanDeRyt - Fileless Malware Breakout Session
Jim VanDeRyt

The Quieter You Become, the More You’re Able to (H)ELK
Nate Guagenti, Roberto Rodriquez

2/24/2018 BSides NOVA 2018 Videos
These are the videos from BSides NOVA 2018. Thanks to those who manned the video rigs and helped set u

AM Keynote
Matt Devos

Deep Dive in the Dark Web (OSINT Style)
Kirby Plessas

PM Keynote
Jack Daniel

Adding Pentest Sauce to your Vulnerability Management Recipe
Luke Hudson, Andrew McNicol

The Value of Design in Cyber Threat Intelligence
Devon Rollins

DNC Hacked Data in the Hands of a Trained Intelligence Professional
Wally Prather, Dave Marcus

Your Facts Are Not Safe With Us: Russian Information Operations as Social Engineering
Meagan Keim

DECEPTICON: Deceptive Techniques to Derail OSINT attempts
Joe Gray

I Thought Renewing the Domain Name Was Your Job?
Allan Liska

Automating Unstructured Data Classification
Malek Ben Salem

Vulnerability Patched in Democratic Donor Database
Josh Lospinoso

Living in a world with insecure Internet of Things (IoT)
Marc Schneider

Vulnerability Accountability Levers and How You Can Use Them
Amelie Koran

Cyber Mutual Assistance - A New Model for Preparing and Responding to Cyber Attack
David Batz

Rethinking Threat Intelligence
Tim Gallo

What Color Is Your Cyber Parachute?
Cliff Neve, Candace King, Kazi Islam, Trey Maxam, Amelie Koran

Feds Meet Hackers
Ariel Robinson, Alyssa, Feola, Gray Loftin, Beau Woods, Amélie E. Koran

Recruiting in Cyber
Dan Waddel, Kathleen Smith, Suzie Grieco, Sabrina Iacarus, Kirsten Renner, Karen Stied

How to get started in Cybersecurity
John Stoner

Improving Technical Interviewing
Forgotten Sec

Ask An Expert: Cyber Career Guidance and Advice
Micah Hoffman, Bob Gourley, John TerBush, Chris Gates, Kirby Plessas, Lea Hurley, Neal Mcloughlin, Ovie Carroll, Sarah Edwards, Tigran Terpandjian, Willie Lumpkin

2/17/2018 BSides Tampa 2018
These are the videos from the BSides Tampa conference. Thanks to all of the BSides Crew for having me out to help record and render the videos. Special thanks to my video crew: Julian, Andrew Schiro, Austin Ford, John Mejia, Michael Iglesias, Micheal Milford, Mike Ziolkowski,  Patty Morris, Robin Noyes

Cyber Assurance - Testing for Success
Col. John Burger

You Can Run..but you cant hide!
Bruce Anderson

Red Team Apocalypse
Beau Bullock and Derek Banks

Advanced Persistent Security
Ira Winkler

Adding Simulated Users to Your Pentesting Lab with PowerShell
Chris Myers and Barrett Adams

The Shoulders of InfoSec
Jack Daniels

Blockchain: The New Digital Swiss Army Knife?
G. Mark Hardy

Modern Day Vandals and Thieves: Wireless Edition
David Switzer and Jonathan Echavarria

Fraud; Should you worry?
Greg Hanis

A Security Look at Voice-Based Assistants
David Vargas

Hackers Interrupted
Alex Holden

Insane in the Mainframe: Taking Control of Azure Security
Jeremy Rassmusen

MiFare lady Teaching an old RFID new tricks
Daniel Reilly

Medical Device Security: State of the Art in 2018
Shawn Merdinger
(not recorded)

Weaponizing IoT - NOT!
Kat Fitzgerald
(not recorded)

Blue Team's tool dump. Stop using them term NeXt-Gen this isn't XX_Call of Duty_XX.
Alex Kot

Exploiting Zillow "Zestimate" for Reckless Profit
Robert "RJ" Burney

Self Healing Cyber Weapons
Logan Hicks

Ransomware: A Declining Force in Today's Threat Landscape
Brad Duncan

Modern web application security
Julien Vehent

Advanced Social Engineering and OSINT for Penetration Testing
Joe Gray

Critical Infrastructure & SCADA Security 101 for Cybersecurity Professionals
Juan Lopez

Exothermic Data Destruction: Defeating Drive Recovery Forensics
Nikita Mazurov and Kenneth Brown

Derrick's Thank Yous
12/08/2017 BSidesPhilly 2017 Videos
These are the videos from BSides Philadelphia 2017. Thanks to Mark, Mike, Austin, John, David and others I'm forgetting for helping with the video.

Innovating for 21st Century Warfare
Ernest "Cozy Panda" Wong

MFA, It's 2017 and You're Still Doing Wrong
Presented by Dan Astor and Chris Salerno.

Out With the Old, In With the GNU

IoT devices are one of the biggest challenges
Charles @libertyunix Sgrillo

Evading C2 Detection with Asymmetry
By Brandon Arvanaghi and Andrew Johnston

Abusing Normality: Data Exfiltration in Plain Site
Aelon Porat

Smarter ways to gain skills, or as the DoD puts it
Dr. P. Shane Gallagher, Institute for Defense Analyses, and Evan Dornbush, co-founder, Point3 Security, Inc.

Game of the SE: Improv comedy as a tool in Social Engineering
Danny Akacki - Security Monkey

File Polyglottery; or, This Proof of Concept is Also a Picture of Cats
Evan Sultanik

Your Facts Are Not Safe With Us: Russian Information Operations As Social Engineering
Meagan Dunham Keim

Supercharge Your SOC with Sysmon
Chris Lee & Matthew Giannetto

Threat Hunting: Defining the Process While Circumventing Corporate Obstacles
Kevin Foster, Matt Schneck, Ryan Andress

Put up a CryptoWall and Locky the Key - Stopping the Explosion of Ransomware

Web Hacking 101 Hands-on with Burp Suite
David Rhoades of MavenSecurity.com

Hacker Mindset
David Brown: CISSP, CISM, IAM

11/29/2017 SecureWV/Hack3rcon2017
These are the videos of the presentations from Secure West Virginia 2017. Thanks to Justine, Tim, Morgan, Kevin, Todd & Roy for helping record.

Benny Karnes

Fighting Advanced Persistent Threats with Advanced Persistent Security
Ira Winkler

Coming Up with the Next Wave of Cyber Innovations-Start by Thinking 1ns1d3 th3 B0x
Ernest Wong

I survived Ransomeware.... Twice
Matt Perry

Value of threat intelligence

SDR & RF Hacking Primer
Andrew Bindner

Digital Forensic Analysis: Planning and Execution
John Sammons

Intro to WireShark
Josh Brunty

Secrets of Superspies
Ira Winkler

Total Recall: Using Implicit Memory as a Cryptographic Primitive
Tess Schrodinger

IoT Panel

Hillbilly Storytime - Pentest Fails
Adam Compton

Hackers, Hugs and Drugs
Amanda Berlin

FLDigi - E-mail over Packet Radio
Aaron West and Rob West

From junk to jewels: Destruction is the key to building
Branden Miller & Audrey Miller

SCAP: A Primer and Customization
Scott Keener

Security Through Ansible Automation
Adam Vincent

Vehicle Forensics: An Emerging Source of Evidence
John Sammons

Network Forensics using Kali Linux and/or SANS Sift
Josh Brunty

911 DDOS
Dianiel Efaw

Pi's, Pi's and wifi
Steve Truax

Technical Testimony: Doing the Heavy Lifting for the Jury
John Sammons

Emergent Gameplay
Ron Moyer



GrrCON 2017 Videos
These are the videos of the presentations from GrrCON 2017. Big thanks to EggDropX and Jaime for having me out, and my video crew  (paint27, Erick, & brettahansen) for recording.


Jayson E Street

Population Control Through The Advances In Technology…
Chris Roberts

(sorry for the music in back ground)

You Got Your SQL Attacks In My Honeypot
Andrew Brandt

3rd Party Data Burns
Arron "Finux" Finnon

Morphing to Legitimate Behavior Attack Patterns
Dave Kennedy

Stealing Domain Admin (or How I Learned to Stop Worrying and Love the CSSF
Jerod Brennen

Oops! Was that your pacemaker?
Charles Parker, II

10 Cent Beer Night: The World we now Live In
Johnny Xmas

Realizing Software Security Maturity: The Growing Pains & Gains
Mark Stanislav & Kelby Ludwig

Cyber, Cyber, Cyber - Using the killchain to accomplish something
Amanda Berlin

An Employee, their Laptop and a Hacker walk into a Bar
Shannon Fritz

Eye on the Prize - a Proposal for Legalizing Hacking Back
Adam Hogan

I've got a (Pocket) Bone to pick with you
Dr Phil Postra


Topic depends on number of federal agents in audience
Atlas of Doom

Embedding Security in Embedded Systems
Dr. Jared DeMott

National Guard for Cyber? How about a Volunteer Cyber Department?
Ray Davidson

Red Team Yourself
Thomas Richards

An Attack Pathway Into Your Organization? Reducing risk without reducing operational efficiency
David Adamczyk

Pen Test War Stories - Why my job is so easy, and how you can make it harder
Aaron Herndon

Skills For A Red-Teamer
Brent White & Tim Roberts

ProbeSpy: Tracking your past, predicting your future

vAp0r and the Blooming Onion
Justin Whitehead & Jim Allee

A GRReat New Way of Thinking about Innovating for Cyber Defense (and even Cyber Offense)
Ernest "Cozy Panda" Wong

Threat Intelligence: Zero to Basics in presentation
Chris J

Learning from InfoSec Fails
Derek Milroy

A Reporter's Look at Open Source Intelligence
Hilary Louise

Hidden Treasure: Detecting Intrusions with ETW
Zac Brown

The Black Art of Wireless Post-Exploitation
Gabriel "solstice" Ryan

Mi Go

Change is Simply an Act of Survival: Predicting the future while shackled to the past
Bil Harmer

Dissecting Destructive Malware and Recovering from Catastrophe
Bryan York

Infosec State of Affairs: Too much Kim Kardashian - not enough Malcolm Gladwel
Jim Wojno & Dan Kieta

How do you POC? Are you really testing a product
Ken Donze

Tales From The Trenches: Practical Information Security Lessons
Michael Belton

Securing the Internet of Things (IoT) -Through Security Research and Vulnerability Analysis
Deral Heiland

The Future of Cyber Security
Anthony Sabaj

Building a Usable Mobile Data Protection Strategy
David "Heal" Schwartzberg

Software Defined Segmentation
Matt Hendrickson

The Shuttle Columbia Disaster: Lessons That Were Not Learned
Joel "I love it when they call me Big Poppa" Cardella

Infrastructure Based Security
Chris Barnes

Defending The De-funded
Keith Wilson

Real-World Red Teaming

We got it wrong
Wolfgang Goerlich

Critical Incident: Surviving my first layoff by applying BCP/DRP Principles
Tom Mead

9/25/2017 Derbycon 7 Videos
I still have a lot of work to do, but here are the Derbycon 2017 videos. Working on fixing major audio sync issues as I can. Big thanks to my video jockeys Some Ninja Master, Glenn Barret, Dave Lauer, Jordan Meurer, Brandon Grindatti, Joey, nightcarnage, Evan Davison, Tim Sayre, Morgan, Ben Pendygraft, Steven (SciaticNerd), Cory Hurst, Sam Bradstreet, MadMex, Curtis Koenig, Jonathan Zentgraf, James Hurst, Paint27, Chris, Lenard.
9/21/2017 Derbycon Streams
This page links to the streams for the different tracks when we start streaming Friday from Derbycon.

Louisville Infosec 2017
Below are the videos from the Louisville Infosec 2017 conference. Thanks to all the video volunteers for helping me record.

Building an Infrastructure to Withstand
David Kennedy

Learning Crypto By Doing It Wrong
Jeremy Druin

A Needle in the Cloud
Michael Leigh

How to make your next audit less awful: Compliance by Default
Tom Kopchak

Strengthening the Human Firewall
Alexandra Panaretos

Of Flags, Frogs & 4chan: OPSec Vs. Weponized Autism
Adrian Crenshaw

The Enemy Within - Detecting and Mitigating Insider Threats
Justin Wilkins

Assessing POS Devices for Tampering
Chris Gida

Or How I Learned to Stop Worrying and Love the ...
Robert L. Brown

The Edge of Normal
Mark Loveless

Measuring Cyber Risk with Open FAIR
Apolonio "Apps" Garcia and John Zuziak

Investigating Malware using Registry Forensics
Jason Hale

Defeating the Modern Cyber Attacker
Travis Funkhouser

Show me the Money! Using the CIS Critical Security Controls to procure funding for your security program
Carla Raisler


BSides Cleveland 2017 Videos
These are the videos from the Bsides Cleveland conference. Thanks to djaj9, , justinschmitt &  as the video team. Thanks to twuntymcslore & RockieBrockway for being con mom & dad.

Wendy Nather

Better manual web application testing through automation
Brian Mead

Blue-Teamin' on a Budget [of Zero]
Kyle Bubp

PANDA, walking loud in the cloud
Logan Hicks, Seth Hall, Kelsey Hightower, Laura Taylor, Doug Burks

Diary of a Security Noob
TJ Toterhi

Delete Yourself: Cognitive Bias during incidence response
Dru Streicher

Enterprise Monitoring From Zero
Andrew Johnson

What They're Teaching Kids These Days
Rob Olson, Chaim Sanders

Mid-Day Keynote
Ben Ten

IoT Device Pentesting
Erik Daguerre

Cyber, Cyber, Cyber - Using the killchain to accomplish something
Amanda Sullivan Berlin

Decentralization For Security and Freedom: A Discussion of Asymmetric and Decentralized Technologies
Tom Pieragastini

Getting back to the old school
Jamie Murdock

The Python in the Apple
Spencer McIntyre

Quantifying Security's Value - It Can Be Done!
Arianna Willett

Building your Human Firewall
Christopher Jones, John Winkler

Spy vs. Spy - Tips from the trenches for red and blue teams
Thomas McBee, Jeff McCutchan

Eye on the Prize - a Proposal for Legalizing Hacking Back
Adam Hogan

Choose Django for Secure Web Development
Vince Salvino

MacOS - An easy exploit 2-ways.
Cody Smith

Bypassing Next-Gen Tech
David Kennedy

Hacking in Highschool: Inspiring the next generation of security professionals
Michael Benich

Afternoon Keynote
John Strand

6/17/2017 ANYCon 2017 Videos
These are the ANYCon videos. Thanks to Tyler & Erin for inviting me down to record. Also thanks to the AV crew Chris, Bryan, Conner, Nigel, Ben, Dan & Joe.

ANYCon: Year One Kick-Off
Tyler Wightson

Keynote: Industry Of Change
Dave Kennedy

The Changing Landscape of Cyber Security and Training the New Generation of Cyber Warriors
Sanjay Goel

OWASP Top 10: Hacking Web Applications with Burp Suite
Chad Furman

Hacking Politics: Infosec in Public Policy
Jonathan Capra and Rashida Richardson and Shahid Buttar

Sniffing Sunlight
Erik Kamerling

Noob 101: Practical Techniques for AV Bypass
Jared Hoffman

Jedi Mind Tricks: People Skills for Security Pros
Alex DiPerna

Red Team Yourself
Thomas Richards

Jumping the Fence: Comparison and Improvements for Existing Jump Oriented Programming Tools
John Dunlap

The Stuffer
Sean Drzewiecki and Aaron Gudrian and Dr. Ronny L. Bull

Big Data's Big Problems
Jeanna Neefe Matthews

VLAN hopping, ARP Poisoning and Man-In-The-Middle Attacks in Virtualized Environments
Dr. Ronny L. Bull

Bringing Home Big Brother: Personal Data Privacy in the Surveillance Age
Todd Brasel and Michele Warner

Measuring the Efficacy of Real-Time Intrusion Detection Systems
Jeffrey Richard Baez

To SIEM or not to SIEM: an Overview
Chris Maulding

Let's Play Defense at Cyber Speed
Duncan Sparrell

Real Security Incidents, Unusual Situations
Adam Dean

Incident Response Evolved - A Preventative Approach to Incident Management
Aaron Goldstein

Thinking 1nside-the-B0x: Cyber Defense and Deterrence via How Hackers Think
Lieutenant Colonel Ernest Y. Wong

Making Friends for Better Security
Alexander Muentz

Does DoD Level Security Work in the Real World?
Jeff Man

The Road to Hiring is Paved in Good Intentions
Tim O'Brien

Whose Idea Was That? Comparing Security Curriculums and Accreditations to Industry Needs
Robert Olson and Chaim Sanders

Hacks, Lies, & Nation States
Mario DiNatale

Hold my Red Bull: Undergraduate Red Teaming
Jonathan Gaines

Ermahgerd: Lawrs
Prof. Robert Heverly

So You Want To Be A H6x0r, Getting Started in Cybersecurity
Doug White and Russ Beauchemin

DIY Spy Covert Channels With Scapy And Python
Jen Allen

InfoSec Career Building Through Reserve Military Service
Dan Van Wagenen

A Day in the Life of a Security Analyst
Marc Payzant and Ken Oliver and Aneesa Hussain

Breaking is Bad: Why Everyone at This Conference Will be Unemployed
Reg Harnish

6/11/2017 Circle City Con 2017 Videos
These are the Circle City Con videos. Thanks to the staff for inviting me down to record. Big thanks to @irishjack, @0DDJ0BB, @Ajediday, Jim, @securesomething Mike, @KitWessendorf, fl3uryz, InfaNamecheap, Chris and other for helping set up AV and record.

Opening Ceremonies

Opening Keynote: Words Have Meanings
Dan Tentler

And the Clouds Break: Continuity in the 21st Century
Wolfgang Goerlich

DNS Dark Matter Discovery - There's Evil In Those Queries
Jim Nitterauer

Tales from the Crypt...(analyst)
Jeff Man

Trials and Tribulations of setting up a Phishing Campaign - Insight into the how
Haydn Johnson

Everything is Not Awesome: How to Overcome Barriers to Proper Network Segmentation
Jason Beatty

Talky Horror Picture Show: Overcoming CFP Fears
Kat Sweet

Fuzzing with AFL
Adam DC949

Cybersecurity for real life: Using the NIST Framework to protect your critical infrastructure
Ryan Koop

Why is the Internet still working?
James Troutman

Effective Report Writing for Security Practitioners
Benjamin Robinson

The Decision Makers Guide To Managing Risk
Joel Cardella

Application Security Metrics
Caroline Wong

Security Training: Making Your Weakest Link The Strongest
Aaron Hnatiw

Network Security? What About The Data?
0ddj0bb 0ddj0bb

Detecting DNS Anomalies with Statistics
Jamie Buening

It's A Disaster!
Cheryl Biswas

OSINT And Your World A Love Story
Michael James

Network manipulation on video games.
Alex Kot

Threat Intelligence: Zero to Basics
Chris J

The Kids Aren't Alright: Security and K-12 Education in America
Vivienne Pustell

Ph'ing Phishers

How To Be Curious
Bret Mattingly

Of Flags Frogs 4chan OPSec vs Weaponized Autism
Adrian Crenshaw

The State of Security in the Medical Industry
Cannibal (billy)

Open Sesamee
Max Power

See beyond the veil: Automating malicious javascript deobfuscation
Chad Robertson

Changing our future with 3D Printing
Emily Peed

You're not old enough for that: A TLS extension to put the past behind us
Falcon Darkstar Momot

We Don't Always Go Lights and Sirens
Kendra Cooley

Ichthyology: Phishing as a Science
Karla Burnett

Creating Your Own Customized Metamorphic Algorithm
Raul Alvarez

Peakaboo - I own you: Owning hundreds of thousands of devices with a broken HTTP packet
Amit Serper

Ye Olde Hacking
Johnny Xmas

Closing Keynote: Lectures or Life Experiences - Awareness Training that Works!
Tottenkoph & Cindy Jones

Closing Ceremonies


ShowMeCon 2017 Videos
These are the videos ShowMeCon 2017. Thanks to Renee & Dave Chronister (@bagomojo) and others for having me out to record and speak. Also thanks to my video crew @r3tr0_cod3x Aaron, Jon and some other people I may have forgotten.

Data Loss Prevention in a Social Media World
Phllip Tully

Royal Testing: Purple teaming to build and secure applications better!
Kevin Johnson

Dark Web Economies (...and you can too!)
Johnny Christmas

DIY CTF - How to gain momentum on your security awareness program by hosting a CTF
Matt Thelan

Deconstructing Chaos: …through "Behavioral Detection"
Daniel Stiegman

Something Died Inside Your Git Repo: Recognizing the Smell of Insecure Code
Cliff Smith

Raul Alvarez

The Beginner's Guide to ICS:  How to Never Sleep Soundly Again
Dan Bougere

Windows IR made easier and faster - Find the head of the snake using AutoRuns, Large Registry Keys, Logs, IP/WhoIs and Netflow
Michael Gough

Homebrew powershell: Where to begin with Data Sources and baseline data.
Andrew Metzger

Where Cypherpunk Meets Organized Crime: The Shifting Landscape of Underground Economies and Crypto-driven Privacy
Ben Brown

VR-Bleeding Edge of Development and Technology-But Are We Making Old Mistakes?
Arnar Gunnarson

F@$#IN Trojans! An Interactive Impromptu Talk on Our Most Dangerous Threat

Kick starting an application security program
Tim De Block

Of Flags, Frogs & 4chan: OPSec vs. Weaponized Autism
Adrian Crenshaw

Intro to Threat Hunting
Aaron Mog

Panel Title: The Good, the Bad, and the Ugly: HIPAA in an InfoSec World
Hudson Harris

How to Patch Stupid - A Modern Approach To Securing Users
Joshua Crumbaugh

When Molehill Vulnerabilities Become Mountainous Exploits
Igor Matlin

Dear Blue Team, This is why I always win. Love, A Hacker
Dave Chronister

How I Inadvertently Outsourced My IT Job to a Fancy Bear
Tim MalcomVetter


NolaCon 2017 Videos
Recorded at NolaCon 2017. Thanks to @CurtisLaraque, Federico, Morgan, & Ken for the video recording help, and @nola_con, @erikburgess_, Yvonne & Rob for having me down to record.

Does DoD Level Security Work in the Real World?
Jeff Man

Hacking the IoT: A Case Study
Nancy Meares Snoke and Phoenix Snoke

Going past the wire: Leveraging Social Engineering in physical security assessments
"Snow" Stephanie Carruthers

Hurt Me Plenty: The Design and Development of Arganium
Todd Carr

Easy Indicators of Compromise: Creating a Deception Infrastructure
David Kennedy

Arming Small Security Programs: Network Baseline
Matt Domko

Make STEHM Great Again
David Schwartzberg

Designing and Implementing a Universal Meterpreter Payload
Brent Cook

EDNS Client Subnet (ECS) - DNS CDN Magic or Secur
Jim Nitterauer

Rooting out evil: defend your data center like the Secret Service protects the President
Nathaniel Gleicher

Attacking Modern SaaS Companies
Sean Cassidy

The Unbearable Lightness of Failure
Dave Lewis

Phishing for Shellz: Setting up a Phishing Campaign
Haydn Johnson

Iron Sights for Your Data
Leah Figueroa

Security Guards -- LOL!
Brent White & Tim Roberts

Embrace the Bogeyman: Tactical Fear Mongering for Those Who Penetrate

Skynet Will Use PsExec: When SysInternals Go Bad
Matt Bromiley & Brian Marks

The Devil's Bargain: Targeted Ransomware and Its Costs
Joshua Galloway

22 Short Films About Security
Charlie Vedaa

Security is dead. Long live Infosec!
David Shaw

An Employee, their Laptop and a Hacker walk into a Bar
Shannon Fritz

Beyond OWASP Top 10
Aaron Hnatiw

Scamming the Scammers: Hacking scammers with pwns
Nathan Clark

5/13/2017 BSides Detroit 2017 Videos
These are the videos from the BSides Detroit 2017 Conference. Thanks to Ryan Harp (@th3b00st), Dan Falk (@dnfalk), Wolfgang Goerlich (@jwgoerlich), Matt Johnson (@mwjcomputing), Kyle Andrus (@chaoticflaws), Kate Vajda (@vajkat) and Chris Maddalena (@cmaddalena) for having me out and Samuel Bradstreet, Daniel Ebbutt, Luke Gorczyca, James Green,  David Sornig, Steven Balagna, Brandon Robinson, Brett Hansen, Briee de Graaf, Nick Papa, Brandon Azer  and others I may forget for helping to record.

Moving Towards Maturity: 5 Issues InfoSec Must Address
Jim Beechey

Plotting Hackers: Visualizing Attack Patterns
Kent Gruber

STEHM is the new STEM
David Schwartzberg

Hacking with Ham Radios: What I have learned in 25 years of being a ham.
Jay and Jerome Radcliff

Navigating Career Choices in InfoSec
Fernando Montenegro

Windows Event Logs - Zero to Hero
Nate Guagenti / Adam Swan

Network Security? What about the Data?
Jack Hatwick

ProbeSpy: Tracking your past, predicting your future
Ian Odette

Playing in Memory: Examples of User Theivery and Hunting for Malware
Kyle Andrus

The AppSec Starter Kit
Timothy De Block

An Employee, their Laptop and a Hacker walk into a Bar
Shannon Fritz

Estimating Development Security Maturity in About an Hour
Matt Clapham

5/12/2017 Converge 2017 Videos
These are the videos from the Converge Information Security Conference. Thanks to Wolf for having me out and Sam, Samuel Bradstreet, Daniel Ebbutt, Luke Gorczyca, James Green,  David Sornig, Steven Balagna, Brandon Robinson, Brett Hansen, Amanda Ebbutt, Nick Papa, Brandon Azer  and others I may forget for helping to record.

You Are Making Bad Decisions and You Should Feel Bad
Joel Cardella

Violent Ruby: A Talk for Hackers, Forensic Analysts, Penetration Testers and Security Engineers
Kent Gruber

Prioritize Vulnerability Remediation
Amol Sarwate

Stories through Logging: "It was the best of logs, it was the worst of logs"
Tom Kopchak

That Escalated Quickly
Shaun Bertrand

How to kick start and application security program
Timothy De Block

Vectors and Victims: Analyzing vulnerabilities through disease models
Rich Cassara

Threat Modeling 101
Matt Clapham

Prioritizing IT Security Projects for the Business
Martin Bally, Steve Barone, John Beeskow, David Derigiotis, Russ Gordon, John Scrivens

Defending The De-funded
Keith Wilson

How to Transform Developers into Security People
Chris Romeo

You have Updates!...A look at an old tool making a comeback 'Evilgrade'
Reid Brosko

Predicting Exploitability
Michael Roytam

Fast wins for the defense!
Justin Herman

How Much Security Do You Really Need?
Wendy Nather

Tarnished Silver Bullets
Wolfgang Goerlich

A Top 10 List for Better AppSec (Hint: It's Not the OWASP Top Ten)
Dave Ferguson

AppSec Behaviors for DevOps Breed Security Culture Change
Chris Romeo

The 4 Eyes of Information Security
Fernando Montenegro

Practical Security Recommendations from an Incident Responder
Matthew Aubert

You and Your Technical Community
David Giard

Panel - Cyber Security Hiring, Retention, and How to Get the Perfect Job in a Competitive Market

Misbehaving Networks?
Daniel Gregory

Leveraging Vagrant to Quickly Deploy Forensics Environments
Jeff Williams

New School Security: Combat Mindset
Mike Behrmann

4/30/2017 BSidesCharm 2017 Videos
These are the videos BSidesCharm (Baltimore) 2017. Thanks for inviting me down to record

Rob M Lee

Clean up on Aisle APT
Mark Parsons

Frony Fronius - Exploring Zigbee signals from Solar City
Jose Fernandez

Weaponizing Splunk: Using Blue Teams for Evil
Ryan Hays

Current State of Virtualizing Network Monitoring
Daniel Lohin & Ed Sealing

The Not So Same-Origin Policy
David Petty

IoT Pressure Cooker What Could Go Wrong
Ben Actis

OPSEC for the Security Practictioner
Michael Clayberg

Automating Bulk Intelligence Collection
Gita Ziabari

I Went Phishing and Caught a Charge – Maryland Law for Pentesters
Joshua Rosenblatt

Imposter Syndrome: I Don't Feel Like Who You Think I Am
Micah Hoffman

The Battle for OSINT - Are you Team GUI or Team Command Line?
Tracy Z. Maleeff & Joe Gray

SOC Panel Keynote

Jim Christy

Red Teaming the Board
Robert Wood

The AVATAR Project and You

Threat Hunting - Thinking About Tomorrow

Understanding the Cybersecurity Act of 2015
Jeff Kosseff

Detecting the Elusive: Active Directory Threat Hunting
Sean Metcalf

Microsoft Patch Analysis for Exploitation
Stephen Sims

Arming Small Security Programs: Network Baseline Generation and Alerts with Bropy
Matt Domko

The Cryptography of Edgar Allan Poe
Robert Weiss (pwcrack)


4/22/2017 BSides Nashville 2017 Videos
These are the videos BSides Nashville 2017. Thanks to @lil_lost for inviting me down to record and being my bodyguard while in Nashville. Big thanks to Geoff Collins, Gabe Bassett, and others for helping set up AV and record.

Mental Health in Infosec: Hackers, Hugs, & Drugs
Amanda Berlin

Got Vendors?
Armin Smailhodzic and Willie Hight

Emerging Legal Trends in Cybersecurity
Rodney Hampton

Trust, But Verify, Your SAML Service Providers
Bruce Wilson

Does DoD Level Security Work in the Real World?
Jeff Man

Abstract Tools for Effective Threat Hunting
Chris Sanders

Infosec Tools of the Trade: Getting Your Hands Dirty
Jason Smith and Tara Wink

How to learn reverse engineering, kick ass at bug bounties, and being a bad ass SOC analyst
ben actis

A Pyrate looks at 40
Adam John

Springtime for code reviews
Ryan Goltry

Marrying Incident Response and Threat Intel Within Your Enterprise
Joe Gray and Ben Shipley

Security Guards -- LOL!
Brent White

Windows Operating System Archaeology
Casey Smithand Matt Nelson

Intro to drone tech
Ron Foster

Weaponizing Splunk: Using Blue Team Tools for Evil
Ryan Hays

Chunky Cookies: Smashing Application Aware Defenses
Russell Butturini

4/7/2017 AIDE 2017 Videos
Recorded at AIDE 2017. Big thanks to Bill Gardner (@oncee) for having me out to record.

The Attack Is Coming From Inside The Refrigerator!
Mark Boltz-Robinson

Human Error and It's Impact on Your Infosec Program
Mike Baker

How to Speak Cat Picture Resiliency -- The ability to make a business case for proactive incident response
Scott Lyons and Joshua Marpet

Learning Cryptography by Doing it Wrong
Jeremy Druin

I Survived Ransomware... TWICE
Matt Perry

How Russia Hacked The Election
Bill Gardner

OS X Forensics
Brian Martin

Making Our Profession More Professional
Bill Gardner


Cyphercon 2.0 Videos
These are the videos from the Cyphercon 2.0 conference. Thanks to Michael Goetzman for having me out to record, and Paul and Tom for helping record.

Opening Ceremony
CypherCon Organizors

David "Heal" Schwartzberg

Beyond the Fringe: Anomalies of Consciousness, Experience, and Scientific Research
Richard Thieme

Cluster Cracking Passwords & MDXfind
Robert Reif

A Look Behind the Scenes of DEFCON DarkNet
Ed Abrams (zeroaltitude), Demetrius Comes (cmdc0de)

JavasCrypto: How we are using browsers as Cryptographic Engines
Kat Traxler

Can Cryptography Frustrate Fascism?
Phillip Rogaway

Threat Intelligence 101: Basics without Buzzwords

Explore Wisconsin Hacker History
Brad Swanson

Brain Based Authentication
Melanie Segado, Sydney Swaine-Simon

The Upside Down: Going from NetSec to AppSec
Cody Florek

Tracking/Monitoring WiFi devices without being connected to any network
Caleb Madrigal

Wireless Capture the Flag
Eric Escobar

KEYNOTE: The History of Video Game Console Hacking
Dan Loosen

Protecting Passwords with Oblivious Cryptography
Adam Everspaugh

A Look Behind the Scenes of DEFCON DarkNet - Part II - Part II
Ed Abrams (zeroaltitude), Demetrius Comes (cmdc0de)

Forensic Deconstruction of Databases through Direct Storage Carving
Dr. Alexander Rasin

Espionage & Soviet MiGs
Dave Roebke

Naked and Vulnerable: A Cybersecurity Starter Kit
Shannon Fritz

Wasn't DLP supposed to fix this?
Amit Riswadkar (FeMaven)

IoT Security Privacy Weaknesses & Ransomware
Rick Ramgattie

Predictive Analytics and Machine Learning: 'Real' Use Cases for IT/Security Professionals
John Platais

From zero to Bender in 12 months, how a software guy turned hardware

Badge Panel

Does DoD Level Security Work in the Real World?
Jeff Man


Closing Ceremony
CypherCon Organizors

3/25/2017 Bloomcon 2017 Videos
These are the videos from the Bloomcon conference.

Strange times we live in:
Alexander Muentz

Real World Examples of IT Risks
Fred Reck

The first 48: All your data are belong to us
Chad Gough & Molody Haase & Jared Sikorski

Deleted Evidence: Fill in the Map to Luke Skywalker
David Pany

The Cox Fight and Beyond: Kodi, the Brave New World of Copyright Infringement, and ISP Liability
Alex Urbelis

What is the size of a sparse file in NTFS
John Riley

Black Box Mac OSX Forensics
Brian Martin

Math and Cryptography
Sam Gross

Road Ahead
Ben Tice

Honey, I Stole Your C2 Server: A dive into attacker infrastructure
Andrew Rector

Building a Scalable Vulnerability Management Program for Effective Risk Management
Katie Perry

New results in password hash reversal
Mark Sanders

Lessons Learned from Pwning my University Aaron Thomas
Aaron Thomas

Windows Event Logs - Zero to Hero
Nate Guagenti & Adam Swan

What Can my Logs Tell me?
Art Petrochenko

A POS Breach Investigation
Kevin Strickland

Abusing Google Dorking and Robots.txt
Dave Comstock

APT-What the heck is an APT?
Bill Barnes

Technological Changes that Affect Forensic Investigations
Diane Barrett

Deceptive Defence
Daniel Negron

Cryptography 0-128
Ben Tice

Sometimes They Are Innocent!
Scott Inch

Securely Deleting Data from SSDs
Stephen Larson

3/11/2017 BSides Indy 2017 Videos

These are the videos from the BSides Indy conference.


Strategies on Securing you banks & enterprises. (From someone who robs banks & enterprises for a living!)
Jayson Street

Crypto defenses for real-world system threats
Kenneth White

Hardware Hacking: Abusing the Things
Price McDonald

Kick starting an application security program
Timothy De Block

OSINT For The Win - Tools & Techniques to Maximize Effectiveness of Your Social Engineering Attacks
Joe Gray

Physical Phishing, Way Beyond USB Drops!
Rich Rumble

Weaponizing Nanotechnology and hacking humans; 2017 updates :)
Chris Roberts

Make STEHM Great Again
David Schwartzberg

2/25/2017 BSides NOVA 2017 Videos
These are the videos from BSides NOVA 2017.. Thanks to those who manned the video rigs.

AM Key Note
Ron Gula

Using Software Defined Radio for IoT Analysis
Samantha Palazzolo

Imposter Syndrome: I Don't Feel Like Who You Think I Am.
Micah Hoffman

PM Keynote - Tarah Wheeler

How the Smart-City becomes stupid
Denis Makrushin

Won't Get Fooled Again: The expected future of IoT malware and what to do about it.
Blaine Mulugeta

Software Supply Chains and the Illusion of Control
Derek Weeks

"Humans, right?" Soft Skills in Security
Ariel Robinson

Panel | Local Community Cyber Groups in NoVA
Jeremy Duncan

Networking with Humans to Create a Culture of Security
Tracy Maleeff

Why the NTP Security Problem Is Worse than You Think
Allan Liska

Bro, I Can See You Moving Laterally
Richie Cyrus

Panel | Parlaying Education and Experience into an Infosec Career
Forgotten Sec

So you want to be a "Cyber Threat Analyst" eh?
Anthony Melfi

0 to 31337 Real Quick: Lessons Learned by Reversing the Flare-On Challenge
Blaine Stancill

Finding a Companies BreakPoint
Zachary Meyers

Challenges and Opportunities: Application Containers and Microservices
Andrew Wild

Cyber Hunt Challenge - Develop and Test your Threat Hunting skills
Darryl Taylor

Anti-Virus & Firewall Bypass Techniques BY Candan BÃ-LÜKBAS
Candan Bolukbas

I'm Cuckoo for Malware: Cuckoo Sandbox and Dynamic Malware Analysis
Lane Huff

2/12/2017 BSides Tampa 2017 Videos
These are the videos from the BSides Tampa conference. Thanks to all of the BSides Crew for having me out to help record and render the videos. Special thanks to my video crew.

Keynote Talk : - Cyber Security in the Age of Espionage
Eric O'Neill (Not posted)

Advanced Targeted Attack.
Andy Thompson

Phishing Pholks Phor Phun and Prophit
Erich Kron

Alert All the Things! (Network Baselines/Alerts with Bro Scripts)
Matthew Domko

Intro to Fuzzing for Fun and Profit
Brian Beaudry

Kevin Poulsen (Not Recorded)

Build Your Own Physical Pentesting Go-Bag
Beau Bullock, Derek Banks

NFC Your Smartphone's Best Friend or Worst Nightmare
Shane Hartman

e-Extortion Trends and Defense
Erik Iker

HIPAA for Infosec Professionals
Michael Brown

Deconstructing 100% JavaScript-based Ransomware
Jeremy Rasmussen & Paolo Soto

Mozilla's tips on strong HTTPS
Julien Vehent

Redefining Security in a Cloud-Centric Future
Mike Spaulding & Mitch Spaulding

Securing The Electrical Grid From Modern Threats
Christopher Williams

Securing Agile Development
Alan Zukowski

What I've Learned Writing CTF Challenges
Vito Genoese

Build the capability to Detect, Triage And Respond
Scott Sattler

What the Hell is ICS Security?
Brandon Workentin

Protecting Third-Party Risk From Plundering
Stacey Banks

Protecting Visual Assets: Digital Image Counter-Surveillance Strategies
Nikita Mazurov & Kenneth Brown

ArchStrike Linux
Chad Seaman

Hacking The Sabbath
Jonathan Singer

Chaining The Future: Block Chains and Security
Joe Blankenship

1/16/2017 BSides Columbus 2017 Videos
These are the videos from the BSides Columbus Ohio conference. Thanks to Michael Spaulding for having me up and those who manned the video rigs.

Learning From Pirates of the Late 1600s - The first APT
Adam Hogan

What I Learned About Cybersecurity by Training With US Navy SEALs
Matthew Curtin

Cross Origin Resource Sharing Kung fu
Aditya Balapure

Redefining Security in a Cloud Centric Future
Mike Spaulding

Automating Security in Building Software
Warner Moore

Planning and Executing a Red Team Engagement
Timothy Wright

DNSSec Explained!
Dan Benway

Midwestern Nice - Stereotype or Enterprise Threat?
Valerie Thomas

Information Security Talent Trends to expect in 2017
Megan Wells AJ Candella

12/03/2016 BSides Philadelphia 2016
These are the videos from BSides Philadelphia 2016.

Attacker's Perspective: A Technical Demonstration of an Email Phishing Attack
Zac Davis

Crashing Android phones via hostile networks
Yakov Shafranovich

I'm Cuckoo for Malware: Cuckoo Sandbox and Dynamic Malware Analysis
Lane Huff

How to Find a Company's BreakPoint
Andrew McNicol

What the deuce? Strategies for splitting your alerts.
John T. Myers

Red Team Yourself
Thomas Richards

Matt Blaze

Solar Flare - Pulling apart SolarWinds ORION
Rob Fuller

Staying Afloat in a Tsunami of Security Information
Tracy Z. Maleeff

Hunting: Defense Against The Dark Arts
Danny Akacki

Every day is a Zero Day: Building an in-house Secure SDLC program
Tony Reinert

Owning MS Outlook with Powershell
Andrew Cole

A tour through the magical wonderful world of crypto land
Ben Agre

Remote attacks against IoT
Alex Balan

Hacking the Human: Social Engineering Basics
Dave Comstock (sten0)

Where do I start?
Charles Sgrillo II

Top 10 Mistakes Made In Active Directory That Can Lead To Being Compromised
Adam Steed

So you want to beat the Red Team?
Cameron Moore

Hacking Your Way into the APRS Network on the Cheap -- Extended Edition
Mark Lenigan

Threat Intel Analysis of Ukrainian's Power Grid Hack
Nir Yosha

Cryptography Pitfalls
John Downey

Information security and the law
Alex Muentz

Getting Permission to Break Things
William Bailey

"Knowing the Enemy"- Creating a Cyber Threat Actor Attribution Program
Jack Johnson

Red Teaming your Risk Management Framework
Keith Pachulski

Web Application Exploit 101 : Breaking Access Control and Business Logic
Tomohisa Ishikawa

Size Doesn't Matter : Metrics and Other Four Letter Security Words
Jim Menkevich

10/20/2016 SecureWV/Hack3rcon 2016 Videos

These are the videos of the presentations from Secure West Virginia 2016. Thanks to Dave, Justine and Tim for helping record. Sorry for the off audio timings, this is the first time I've used OBS Studio for a con and I was testing new capture gear.

Benny Karnes

Dave Kennedy

SHALL WE PLAY A GAME. How to make an two player bartop arcade machine with a Raspberry Pi.
Steven Truax

Maker/Hacker Space Panel - RCBI

So You Wanted to Work in Infosec
Joey Maresca

Making Our Profession More Professional
Bill Gardner

Special Agent Michelle Pirtle
(not recorded)

So You've Inherited a Security Department, Now What?
Amanda Berlin

SUSpect - A powershell based tool to provide early detection of ransomware and other attack techniques.
Mick Douglas

Building an Infosec Program from Ground Zero: From the Coat Closet to the Data Center
David Albaugh

How to Not Cheat on Your Spouse: What Ashley Madison Can Teach Us About OpSec
Joey Maresca

Windows Timelines in Minutes
Dr. Philip Polstra

Scripting Myself Out of a Job - Automating the Penetration Test with APT2
Adam Compton

WTF? Srsly? Oh FFS! - IR Responses
Mark Boltz-Robinson

Women in Infosec Panel
Adrian Crenshaw
Amanda Berlin
Blair Gardner
(not posted)

Securing The Secure Shell, The Automated Way
Adam Vincent

Bitcoin: From Zero to "I get it."
Luke Brumfield

How to hack all the bug bounty things automagically & reap the rewards (profit)!
Mike Baker

Giving Back - Submitting to PTES 101
Jeremy Mio

Benny Karnes


Intro to Linux
Benny Karnes

BASH Scripting
Justin Rogosky
(not recorded)

Python Scripting
Adam Byers

Intro to Kali
Wyatt Nutter


Evidence Collection
John Sammons

Intro to WireShark
Josh Brunty

Intro to Digital Forensics
John Sammons

Network Forensics using Kali Linux and/or SANS Sift
Josh Brunty

Mobile Forensics An Introduction
Josh Brunty

10/08/2016 GrrCON 2016 Videos
These are the videos of the presentations from GrrCON 2016. Big thanks to EggDropX and Jaime for having me out, and my video crew  (Chris, Erick, & Cooper) for recording.


Act Three, The Evolution of Privacy

Weaponizing Nanotechnology and hacking humans; defining the boundaries
Chris Roberts

Becoming a Cyborg: The First Step Into Implantable Technology
Michael Vieau

Abnormal Behavior Detection in Large Environments
Dave Kennedy

Secure Dicks
Michael Kemp

and bad mistakes I've made a few...
Jayson Street (Only first 30 min)

Predator to Prey: Tracking Criminals with Trojans and Data Mining for Fun and Profit
Ken Westin

Guarding Dinner
J Wolfgang Goerlich

Back to the Future: Understanding our future but following the past
Kevin Johnson

Breaking Android Apps for Fun and Profit
Bill Sempf

Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years
Matt Bromiley & Preston Lewis

Security Guards -- LOL! Brent White & Tim Roberts


Internet of Things (IoT) radio frequency (RF) Analysis With Software Defined Radio
Kevin Bong

So You Want to Be a Pentester

What do you mean I'm pwn'd! I turned on automatic updates!
Scott Thomas & Jeff Baruth

Surreal Paradigms: Automotive Culture Crash
D0xt0r Z3r0

Reversing and Exploiting Embedded Devices (Walking the software and hardware stack)
Elvis Collado

Threat Detection & Response with Hipara
J. Brett Cunningham

Still Broken After All These Years Aka Utility Security For Smarties
Doug Nibbelink

Threat Detection Response with Hipara
J Brett Cunningham

Quick and Easy Windows Timelines with Pyhon, MySQL, and Shell Scripting
Dr. Phil Polstra

Cruise Ship Pentesting OR Hacking the High Seas
Chad M. Dewey

Using Virus Total Intelligence to track the latest Phishing Document campaigns
Wyatt Roersma

Encryption, Mobility & Cloud Oh My!
Bill Harmer

Magnetic Stripes 101
Tyler Keeton

Machine Duping: Pwning Deep Learning Systems
Clarence Chio

Money, Fame, Power - Build your success as a security professional
Nathan Dragun

Tales from the Crypt...(analyst)
Jeff Man

What's in your Top Ten? Intelligent Application Security Prioritization
Tony Miller

Binary Ninja
Jared Demott

Phish your employees for fun!
Kristoffer Marshall

Mad Scientists

Securing Trust - Defending Against Next-generation Attacks
John Muirhead-Gould

Five Nights At Freddys: What We Can Learn About Security From Possessed Bears
Nick Jacob

Make STEHM Great Again
David "HealWHans" Schwartzberg

Pentester-to-customer:I will 0wn your network! - Customer-to-pentester:No, I will make you cry!
David Fletcher & Sally Vandeven

How Do You Secure What You Don't Control
Dimitri Vlachos

Fighting the Enemy Within
Matt Crowe

Getting to the Root of Advanced Threats Before Impact
Josh Fazio

Reality-Checking Your AppSec Program
Darren Meyer

How to Implement Crypto Poorly
Sean Cassidy

Stop attacking your mother's car!
Charles Parker, II

Contracting: Privacy Security and 3rd Party
Nathan Steed & Kenneth Coleman

Alignment of business and IT Security
Shane Harsch

So You've Inherited a Security Department, Now What?
Amanda Berlin

Piercing the Air Gap: Network Steganography for Everyone
John Ventura

On being an Eeyore in Infosec
Stefan Edwards

Welcome to The World of Yesterday, Tomorrow!
Joel Cardella

Board Breaking


Derbycon 2016 Videos
The link above is where I will be putting presentations from Derbycon 2016 (it will take a few days). Big thanks to my video jockeys Sabrina, Some Ninja Master, Glenn Barret, Dave Lauer, Jordan Meurer, Brandon Grindatti, Joey, Fozy, nightcarnage, Evan Davison, Chris Bridwell, Rick Hayes, Tim Sayre, Lisa Philpott, Ben Pendygraft, Sarah Clarke, Steven (SciaticNerd), Cory Hurst, Sam Remington, Barbie, Chris Bissle (and maybe the speakers too I guess).


Louisville Infosec 2016 Videos
Below are the videos from the Louisville Infosec 2016 conference. Thanks to all the video volunteers for helping me record. 

Morning Keynote
Chandler Howell
Ryan J. Murphy
John Pollack

The Domain Name System (DNS) - Operation, Threats, and Security Intelligence
Tom Kopchak

Insiders are the New Malware
Brian Vecci

Cloud Security; Introduction To FedRAMP
Sese Bennet

Cloud Access Security Broker - 6 Steps To Addressing Your Cloud Risks
Matt Bianco

Not One Thin Dime: Just Say No to Ransomware!
Mick Douglas

Securing Docker Containers
Chris Huntington

Emerging Governance Frameworks for Healthcare Security
Max Aulakh

Building Our Workforce
Kristen Bell

The Art of Offense and Defense
Mark Loveless

The Current State of Memory Forensics
Jason Hale

Understanding Attacker's use of Covert Communications
Chris Haley

How to Talk to Executives about Security
Harlen Compton

Pen Testing; Red and Blue Working Together
Martin Bos

Data Loss Prevention - How to get the most for your buck
Brandon Baker

The Transition: Risk Assessment > Risk Management
Mike Neal

Darwinism vs. Forensics
Bill Dean



9/11/2016 BSides Augusta 2016 Videos
These are the videos from the BSides Augusta conference. Thanks to Lawrence Abrams, and all of the BSides Crew for having me out to help record and render the videos and Pentestfail and everybody that staffed a recording rig.


Keynote - Robert Joyce

Super Bad

Mobile Hacking
Aaron Guzman

Incident Response Awakens
Tom Webb

Dr. Pentester or: How I Learned To Stop Worrying and Love the Blue Team
Ryan O'Horo

Exploit Kits/ Machine Learning
Patrick Perry

Detection of malicious capabilities using YARA
Brian Bell

Owning MS Outlook with Powershell
Andrew Cole

RAT Reusing Adversary Tradecraft
Alexander Rymdeko-Harvey

Internet of Terrible
Brandon McCrillis

I Got You

Using Honeypots for Network Security Monitoring
Chris Sanders

This one weird trick will secure your web server!
David Coursey

This is not your Momma's Threat Intelligence
Rob Gresham

Moving Target Defense: Evasive Maneuvers in Cyberspace
Adam Duby

Beyond Math: Practical Security Analytics
Martin Holste

Exploit Kits and Indicators of Compromise
Brad Duncan

ICS/SCADA Threat Hunting
Robert M. Lee and Jon Lavender

Agilely Compliant yet Insecure
Tom Ruff

It's Too Funky In Here

Gamification for the Win
Josh Rykowski and Scott Hamilton

IDS/IPS Choices: Benefits, Drawback and Configurations

Micro-segmentation and Security: The Way Forward
Jack Koons

Adventures in RAT dev
Hunter Hardman

Linux privilege escalation for fun, profit, and all around mischief
Jake Williams

How About a Piece of Pi - Experiences with Robots and Raspberry Pi Hacking
John Krautheim

Flaying out the Blockchain Ledger for Fun, Profit, and Hip Hop
Andrew Morris

Network Situational Awareness with Flow Data
Jason Smith

Living In A America

A worm in the Apple - examining OSX malware
Wes Widner

You TOO can defend against MILLIONS of cyber attacks
Michael Banks

Finding Evil in DNS Traffic
Keelyn Roberts

Ransomware Threats to the Healthcare Industry
Tim Gurganis

Using Ransomware Against Itself
Tim Crothers and Ryan Borres

Hunting: Defense Against The Dark Arts
Jacqueline Stokes, Danny Akacki, and Stephen Hinck

Automating Malware Analysis for Threat Intelligence
Paul Melson

Hide and Seek with EMET
Jonathan Creekmore and Michael Edie

7/17/2016 BSides Detroit 2016 Videos
These are the videos from the BSides Detroit 2016 Conference. Thanks to Wolf for having me out and Chris, Daniel, Daniel, Ed, Ben, Emi, Sam, Adam & Eric and others I may forget for helping to record.


BSides Keynote
Atlas Of D00m

Car Hacking 0x05
Robert Leale

Learning Security the Hard Way: Going from Student to Professional
Benjamin Carroll

So You Want to Be a Pentester
Calvin Hedler

Sheep, the Shepard, History, and Eugenics - A historical reminder on why personal privacy matters when it comes to the government and corporations in the digital age.
David Schaefer

Emerging Threats
Tazz Tazz (Not posted)

I Have Been to The Future and I Did Not Want to Come Back
Garrett McManaway

How to Build a Home Lab
Chris Maddalena

Vulnerability Management Systems Flawed - Leaving your Enterprise at High Risk
Gordon MacKay

Bootstrapping A Security Research Project
Andrew Hay


Converge 2016
These are the videos from the Converge Information Security Conference. Thanks to Wolf for having me out and Chris, Daniel, Daniel, Ed, Ben, Sam, Adam & Eric and others I may forget for helping to record.


Keynote 1
Steve Werby

So You've Inherited a Security Department, Now What?!?!
Amanda Berlin

Violating Trust: Social Engineering Past and Present
Paul Blonsky

AppSec Awareness: A Blue Print for Security Culture Change
Chris Romeo

Red Team Madness - Or, How I Learned To Stop Worrying and Expect Pentester Mistakes
Jeremy Nielson

Threat Modeling for Secure Software Design
Robert Hurlbut

Not Even One Shade of Gray: Stop Tolerating Compromise in Security
Rich Boyer

MySQL 5.7 Security
Dave Stokes

Evolving the Noise out InfoSec using Law Enforcement Paradigms
Charles Herring

Game of Hacks - Play, Hack, and Track
Igor Matlin

Red is the new Blue - Defensive Tips & Tricks from a Defender turned Pentester
Ben Ten

Building a better user: Developing a security-fluent society
Rich Cassara

Food Fight
J Wolfgang Goerlich

Maneuvering Management Madness
Andrew Hay

Enterprise Class Threat Management Like A Boss
Rockie Brockway

Compliant, Secure, Simple. Pick two.
Joshua Marpet

Sentry on the Wall
Reid Brosko

Expanding Your Toolbox the DIY Way
Chris Maddalena

Surreal Paradigms: Automotive Culture Crash
Dave Schaefer

Haking the Next Generation
David Schwartzberg

Malware Magnets: A practical walkthrough in developing threat intelligence
Tazz Tazz

Still broken after all these years aka Utility Security for Smarties
Doug Nibbelink

7/09/2016 OISF 2016 Videos
These are the videos from the OISF Anniversary Event

Tom Webster

Breaking The Teeth Of Bluetooth Padlocks
Adrian Crenshaw

Identifying and Exploiting Hardware Vulnerabilities: Demo of the HRES Process
Tim Wright

2016 Predictions and How History repeats itself
Jason Samide

A Lawyer's Perspective on Data Security
Dino Tsibouris and Mehmet Munur

The Attacker's Dictionary
Joel Cardella


BSides Cleveland 2016 Videos
These are the videos from the BSides Cleveland conference. Thanks to djaj9, , Kevin, f0zziehakz &  as the video team. Thanks to twuntymcslore & RockieBrockway for being con mom & dad.

Morning Keynote
Ian Amit

Elementary, my dear Watson - A story of indicators
Nir Yosha

Preventing credential theft & lateral movement after initial compromise.
Cameron Moore

Ask a CISO
Jamie Murdock

Crime Prevention Through Environmental Design
Michael Mendez

Fun with One Line of Powershell
Matthew Turner

Learning From Pirates of the Late 1600s - The first APT
Adam Hogan

Food Fight!
Wolfgang Goerlic

Afternoon Keynote
Chris Roberts

The Art of Bit-Banging: Gaining Full Control of (Nearly) Any Bus Protocol
Aaron Waibel

Playing Doctor: Lessons the Blue Team can Learn from Patient Engagement
J Wolfgang Goerlich & Stefani Shaffer-Pond

Security Automation in your Continuous Integration Pipeline
Jimmy Byrd

The WiX Toolset, How to Make Your Own MSIs
Charles Yost

A Rookie PoV: The Hollywood Fallacy
Raquel Milligan

Port Scanning the Hermit Kingdom: Or What NMAP Can Teach Us About Geopolitics
Thomas Pieragastini

Responder for Purple Teams
Kevin Gennuso

Splunk for IR and Forensics
Tony Iacobelli

Bridging the Gap or: How I Learned to Stop Worrying, and Love the Developers
Eric Mikulas

SafeCracking on a Budget Redux
David Hunt and Zack Nagaich

Process Ventriloquism
Spencer McIntyre

The Digital Beginning of the Analog End
Brad Hegrat

Gamify Security Awareness: Failure to Engage is Failure to Secure
Michael Woolard

Cons and Conjurers: Lessons for Infiltration
Paul Blonsky

Closing Keynote
David Kennedy



ShowMeCon 2016 Videos
These are the videos ShowMeCon 2016. Thanks to Renee & Dave Chronister (@bagomojo), Renee and others for having me out to record and speak. Also thanks to my video crew Mathew, Morgan, James and some other people I may have forgotten.

Red is the New Blue

My Cousin Viinny: Ethics and Experience in Security "Research"
Kevin Johnson

The Psychology of Social Engineering
Dave Chronister

Show Me Your Tokens (and Ill show You Your Credit Cards)
Tim MalcomVetter

IRLHN Pt.3 Intermediate Networking Techniques for the Recovering Introvert
Johnny Xmas

And Bad Mistakes…I've made a few
Jayson Street

All your Door(s) Belong to Me - Attacking Physical Access Systems
Valerie Thomas

Exploiting First Hop Protocols to Own the Network
Paul Coggin

Check Yo Self Before you Wreck Yo Self: The new wave of Account Checkers and Underground Rewards Fraud
Benjamin Brown

The Collission Attack - Attacking CBC and related Encryptions

It's not a sprint….
Tim Fowler

Social Media Risk Metrics - There's a way to measure how +@&# you are online
Ian Amit

Attacking OSX for fun and profit: tool set limiations, frustration and table flipping.
Dan Tentler

The Art of AV Evations - Or Lack Thereof
Chris Truncer

Understanding Offensive and Defense - Having a purple view on INFOSEC
Dave Kennedy

Breaking the Teeth of Bluetooth Padlocks
Adrian Crenshaw

PowerShell Phishing Response Toolkit
Josh Rickard

Championing a Culture of Privacy: From Ambivalence to Buy-IN
Hudson Harris

Why Compliance Matters; You've Been Doing it Wrong
Stacey Banks

How to Build a Home Lab
Timothy De Block

Logging for Hackers, How you can catch them with what you already have and a walk through of an actual attack and how we caught it.
Michael Gough

Where to Start when your environment is F*(3d
Amanda Berlin


Circle City Con 2016 Videos
These are the Circle City Con videos. Thanks to the staff for inviting me down to record. Big thanks to Mike, 3ncr1pt3d, fl3uryz, InfaNamecheap, f0zziehak, Chris, PhenixFire, Sammy and other for helping set up AV and record.

Opening Ceremony
CircleCityCon Staff

Keynote - Dave Lewis
Dave Lewis

Food Fight!
Wolfgang Goerlich

Binary defense without privilege
Steve Vittitoe

Establishing a Quality Vulnerability Management Program without Wasting Time or Money
Zee Abdelnabi (not posted)

Why it's all snake oil - and that may be ok
Pablo Breuer

Break on Through (to the Other Side)
Grape Ape

Bootstrapping A Security Research Project
Andrew Hay

Playing Doctor: Lessons the Blue Team Can Learn from Patient Engagement
Wolfgang Goerlich

Planes, Trains and Automobiles: The Internet of Deadly Things
Bryan K. Fite

Killing you softly
Josh Bressers

Now You See Me, Now You Don't - Leaving your Digital Footprint
Aamir Lakhani

Red Team Madness - Or, How I Learned To Stop Worrying and Expect Pentester Mistakes
Jeremy Nielson

Open Source Malware Lab
Robert Simmons

So you want to be a CISO?
Von Welch

You want to put what…where?
John Stauffacher

 IoT on Easy Mode Reversing and Exploiting Embedded Devices
Elvis Collad

Top 10 Mistakes in Security Operations Centers, Incident Handling & Response
Paul R. Jorgensen

Untrusted Onions: Is Tor Broken?
Joshua Galloway

Contextual Threat Intelligence: Building a Data Science Capability into the Hunt Team
Brian Genz

Head in the Sand Defence or A Stuxnet for Mainframes
Haydn Johnson; Cheryl Biswas

SIEM, Supersized!
Walleed Aljony

Fantastic OSINT and where to find it
Tony Robinson (da_667)

Creating a Successful Collegiate Security Club (WIP)
Chris "Lopi" Spehn; Adam "avidhacker" Ringrood

Where to Start When Your Environment is F*(K3d
InfoSystir (Amanda Berlin)

Haking the Next Generation
David Schwartzberg

Exfil and Reverse Shells in a Whitelisted World

Hacking Our Way Into Hacking
Kat Sweet

Attacking OSX for fun and profit: Toolset Limitations, Frustration and Table Flipping
Viss (Tentler)

Intro to Mobile Device Testing
Damian Profancik

Your Password Policy Still Sucks!
Martin Bos

Closing Ceremony
CircleCityCon Staff


NolaCon 2016
Recorded at NolaCon 2016. Thanks to @CurtisLaraque, @HoltZilla, @sid3b00m & @ynots0ups for the video recording help, and @nola_con, @erikburgess_, & Rob for having me down to record.


Analyzing DNS Traffic for Malicious Activity Using Open Source Logging Tools
Jim Nitterauer

Snake Charming: Fun With Compiled Python
Gabe K

Monitoring & Analysis 101: N00b to Ninja in 60 Minutes

Calling Captain Ahab: Using Open Tools to Profile Whaling Campaigns
Ryan Jones, McOmie

Check Yo Self Before You Wreck Yo Self: The New Wave Of Account Checkers And Underground Rewards Fraud
Benjamin Brown

Introducing the OWASP API Security Project
Leif Dreizler, David Shaw

Breaking Barriers: Adversarial Thinking for Defenders
Stacey Banks

It's Just a Flesh Wound!
Brett Gravois

Owning MS Outlook with PowerShell
Andrew Cole

Why can't Police catch Cyber Criminals?
Chip Thornsburg

David Kennedy

Calling Captain Ahab: Using Open Tools to Profile Whaling Campaigns
Matt Bromiley

Haking the Next Generation
David Schwartzberg

Hacking Web Apps (v2)
Brent White

Evolving Your Office's Security Culture by Selective Breeding of Ideas and Practices
Nancy Snoke

I Promise I'm Legit: Winning with Words
Cyni Winegard &  Bethany Ward

You Pass Butter: Next Level Security Monitoring Through Proactivity
Cry0, S0ups

Going from Capture the Flag to Hacking the Enterprise. Making the switch from 'a hobby and a passion' to a lifelong career
Joseph Pierini

Hackers are from Mars, CxO's are from Jupiter
Rob Havelt

Don't be stupid with GitHub

DDoS: Barbarians at the Gate(way)
Dave Lewis

Hunting high-value targets in corporate networks
Josh Stone

4/22/2016 AIDE 2016 Videos
Recorded at AIDE 2016. Big thanks to Bill Gardner (@oncee) for having me out to record.

Do You Want Educated Users? Because This is How You Get Educated Users.
Tess Schrodinger

Don't blame that checklist for your crappy security program
Branden Miller

Shooting Phish in a Barrel
Amanda Berlin

Minimalistic Physical Assessment Kit
Tom Moore

Hacking Web Apps
Brent White and Tim Roberts


BSides Nashville 2016 Videos
These are the videos BSides Nashville 2016. Thanks to @lil_lost for inviting me down to record and being my bodyguard while in Nashville. Big thanks to Geoff Collins, Branden Miller, Blake Urmos, Gabe Bassett, Nate and Alex McCormack for helping set up AV and record.

And bad mistakes I've made a few
Jayson Street

At the mountains of malware
Wes Widner

Collection and Detection with Flow Data: A Follow Up
Jason Smith

Container Chaos: Docker Security Container Auditing
Chris Huntington

It's Not If But When: How to Create Your Cyber Incident Response Plan
Lucie Hayward, Marc Brawner

Threat Modeling the Minecraft Way
Jarred White

AppSec Enigma and Mirage - When Good Ideas Can Go Awry
Frank Catucci

The Art of the Jedi Mind Trick
Jeff Man

How to get into ICS security
Mark Heard

The Ransomware Threat: Tracking the Digital Footprints
Kevin Bottomley

InfoSecs in the City - Starting a Successful CitySec Meetup
Johnny Xmas, Fletcher Munson, Chris Carlis, Kate Vajda

Ever Present Persistence - Established Footholds Seen in the Wild
Evan Pena, Chris Truncer

Forging Your Identity: Credibility Beyond Words
Tim Roberts, Brent White

IAM Complicated: Why you need to know about Identity and Access Management
Ron Parker

Put a Sock(et) in it: Understanding and Attacking Sockets on Android
Jake Valletta

3/31/2016 Central Ohio Infosec Summit 2016 Videos
These are the videos from the Central Ohio Infosec Summit conference. Thanks to the video volunteers for helping me record.

Track 1

Penetrating the Perimeter - Tales from the Battlefield
Phil Grimes

Navigating the FDA Recommendations on Medical Device Security _ and how they will shape the future of all IoT
Jake "malwarejake" Williams

Detecting the Undetectable: What You Need to Know About OSINT
Jerod Brennen

Why I quit my dream job at Citi - A data centric approach to key management
Mike Bass

Fail Now _ So I Don't Fail Later "A look into security testing and training methodologies"
Deral Heiland

Putting the Intelligence back in Threat Intelligence
Edward McCabe

All Your Door Belong To Me: Attacking Physical Access Systems
Valerie Thomas

The Humanity of Phishing Attack and Defense
Aaron Higbee

The Node.js Highway: Attacks Are At Full Throttle
Joshua Clark

Securing the Breach: Using a Holistic Data Protection Framework
Alex Hanway

Understanding Attacker's use of Covert Communications
Chris Haley

InfoSec Productization
David Kennedy

Track 2

Future of Information Security Governance, Risk and Compliance
Max Aulakh, Bill Lisse

How Experts Undermine Your Forensic Evidence
Matthew Curtin

Datacenter Security Virtualized
John Michealson

Embracing the Cloud
Lisa Guess

"It was the best of logs, it was the worst of logs" - Stories through Logging
Tom Kopchak

Finding the Needle in the Hardware Haystack - Identifying and Exploiting Vulnerabilities via Hardware Reverse Engineering
Stephen Halwes, Timothy Wright

PKI-Do You Know Your Exposure?
Kent King

No Tradeoffs: Cloud Security and Privacy Don't Need to Be at Odds
Jervis Hui

Today's Threat Landscape
Dean Shroll

6 Critical Criteria For Cloud Workload Security
Sam Herath

Track 2

Educating the Board of Directors
Bob West

Burp Collaborator: The Friend You Didn't Know You Needed
Jon Gorenflo

Psychological Warfare: How Cyber Criminals Mess With Your Mind
Brian Henger

Threat Modeling for Secure Software Design
Robert Hurlbut

IAST Deep Dive: Understanding Interactive Application Security Testing
Ofer Maor

Building an Application Security Program
Mike Spaulding

Formal Verification of Secure Software Systems
Aaron Bedra

AppSec without additional tools
Jason Kent

Leveraging your APM NPM solutions to Compliment your Cyber Defense Strategy
Ken Czekaj, Robert Wright

Artificial Intelligence Real Threat Prevention
Art Hathaway

Defending the Next Decade - Building a Modern Defense Strategy
Mark Mahovlich

Track 3

Security vs Compliance in Healthcare
Sean Whalen

How to Secure Things & Influence People: 10 Critical Habits of Effective Security Managers
Chris Clymer, Jack Nichelson

Economically Justifying IT Security Initiatives
Ruben Melendez

Cross Industry Collaboration
Helen Patton

Third Party Risk Governance - Why and How
Jeffrey Sweet

IT Data Analytics: Why the cobbler's children have no shoes
Carolyn Engstrom

BYODAWSCYW (Bring Your Own Device And Whatever Security Controls You Want) One approach to reduce risk
Steven Keil

Disaster Recovery and Business Continuity -_It's never so bad that it can't get worse
Valerie Thomas, Harry Regan

Cybersecurity Act of 2015 and Other Hot Privacy and Cybersecurity Topics
Heather Enlow, Chris Ingram

The Legal Perspective on Data Security for 2016
Dino Tsibouris, Mehmet Munur

The Legal Perspective on Data Security for 2016
Mehmet Munur, Dino Tsibouris

Track 4

Gamify Awareness Training: Failure to engage is failure to secure
Michael Woolard

Office 365 Security and Compliance Cloudy Collaboration - Really?
Robert Brzezinski

State of Security and 2016 Predictions
Jason Samide

A Capability Maturity Model for Sustainable Data Loss Protection
Gabriel Gumbs

Risk Management: Tactics to Move From Decision to Execution
Tremayne (Tre) Smith

Incident Response - No Pain No Gain!
Jim Wojno

Building an OSS CI/CD Security Toolchain
Kevin Glavin

A Touch(ID) of iOS Security
James (Jamie) Bowser

Track 5

Top 10 Tips for Educating Employees about Cybersecurity
Mark Villinski

You're measuring all the wrong things - information security metrics
Shawn Sines

Why Cybercriminals Are "Following The Money" Into Online Video Games
Matthew Cook

Security Certifications - are they worth it, and which ones are right for you?
William Diederich

Information Security Metrics - Practical Security Metrics
Jack Nichelson

The CONfidence of Things
John Robinson

Who is Winning?
Gary Sheehan

Security analytics journey - a year's lesson learned.
Mike Schiebel

Track 6

Integrated Software in Networking _ the Mystery of SDN
Oliver Schuermann

Securing our Future: Lessons From the Human Immune System
Gavin Hill

Have you tied together your IAM and Information Security Incident Management Program?
Joseph Greene

Compliance and Security: Building a Cybersecurity Risk Management Program
Jason Harrell

Don't try this at home! (Things not to do when securing an organization)
Jessica Hebenstreit

CISO for an Hour
Keith Fricke

Apple v. DOJ: Privacy in Today's Enterprise
Justin Harvey

Myths of Cloud Security Debunked!
Bil Harmer

Cyber Security - Super Bowl 50
Jim Libersky


CypherCon 2016 Videos
These are the videos from the Cyphercon 2016 conference. Thanks to Michael Goetzman for having me out to record.

CYPHERCON's Opening Ceremony Begins!

Security Control Wins & Fails
Jason Lang

Offensive Wireless Tactics "used in DEFCON 23’s Wireless CTF"
Eric Escobar

China"s Hackers and Cyber Sovereignty
Lieutenant Colonel Bill Hagestad II

You're Right, This Sucks
J0hnnyxm4s & Lesley Carhart

No encrypted data on this drive; just pictures of my cat
Parker Schmitt

Curry and TARTS

All your Wheaties belong to us. Removing the basics that humans need for survival.
Chris Roberts

CYPHERCON I Conference Begins!
Korgo & The CYPHERCON PuzzleMaster Speaks

P.I.S.S.E.D. Privacy In a Surveillance State, Evading Detection
Joe Cicero

Bypassing Encryption by Attacking the Cryptosystem Perimeter
Trenton Ivey

Hypervault Demo
& HTTP and SSH Tunneling
Caleb Madrigal

Quantum Computation and Information Security
David Webber

Medical Devices: Pwnage & Honeypots
Scott Erven

Werner Juretzko

3/5/2016 BSides Indy 2016 Videos
These are the videos from the BSides Indy conference.

Eddie Mize (Not recorded)

Managing Elevated Privileges in the Enterprise Environment
Erik Burgess

Food Fight
Wolfgang Goerlich (Not recorded)

Where to start when your environment is F*(k3d
Amanda Berlin

Building an Application Security Program
Mike Spaulding

The Art of the Jedi Mind Trick
Jeff Man

Securing Docker Instances
Chris Huntington

ClientHacking: How a chef uses OSINT and SE to make more money.


BSides San Francisco 2016 Videos
These are the videos from the BSides San Francisco conference. Special thanks to Mike & Doug for having me out, Steen, Zappo & Jeremy for their house AV work, and n0ty3p, Forest, Nick, James & others I'm forgetting for their help recording

Track 1

Keynote: A Declaration of the Independence of Cyberspace
John Perry Barlow

The Tales of a Bug Bounty Hunter
Arne Swinnen

Reverse Engineering the Wetware: Understanding Human Behavior to Improve Information Security
Alexandre Sieira, Matthew Hathaway

Who's Breaking into Your Garden? iOS and OS X Malware You May or May Not Know
Claud Xiao

A year in the wild: fighting malware at the corporate level
Kuba Sendor

Breaking Honeypots for Fun and Profit
Gadi Evron, Dean Sysman, Itamar Sher

Everything Is Awful (And You're Not Helping)
Jan Schaumann

Why it's all snake oil - and that may be ok
Pablo Breuer

Ask the EFF
Kurt Opsahl, Eva Galperin, Andrew Crocker, Shahid Buttar, Cooper Quintin

Sedating the Watchdog: Abusing Security Products to Bypass Windows Protections
Tomer Bitton, Udi Yavo

Sweet Security: Deploying a Defensive Raspberry Pi
Travis Smith

Planning Effective Red Team Exercises
Sean T. Malone

Fraud Detection & Real-time Trust Decisions
James Addison

Fuzz Smarter, Not Harder (An afl-fuzz Primer)
Craig Young

Elliptic Curve Cryptography for those who are afraid of mathematics
Martijn Grooten

APT Reports and OPSEC Evolution, or: These are not the APT reports you are looking for
Gadi Evron

Sucker-punching Malware: A Case Study in Using Bad Malware Design Against Attackers
John Bambenek, Hardik Modi

Employee Hijacking: Building a hacktober awareness program
Ryan Barrett, Ninad Bhamburdekar, Dylan Harrington

Track 2

Mainframes? On My Internet?
Soldier of Fortran (not recorded)

Securing the Distributed Workforce
William Bengtson

Hackers Hiring Hackers - How to hack the job search and hack talent
IrishMASMS (not recorded)

Scan, Pwn, Next! - exploiting service accounts in Windows networks
Andrey Dulkin, Matan Hart

Guest to root - How to Hack Your Own Career Path and Stand Out
Javvad Malik

IoT on Easy Mode (Reversing Embedded Devices)
Elvis Collado

In the crosshairs: the trend towards targeted attacks
Lance Cottrell

Developing a Rugged DevOps Approach to Cloud Security
Tim Prendergast

Digital Intelligence Gathering: Using the Powers of OSINT for Both Blue and Red Teams
Ethan Dodge, Brian Warehime

Sharing is Caring: Understanding and measuring Threat Intelligence Sharing Effectiveness
Alex Pinto

The Ransomware Threat: Tracking the Digital Footprints
Kevin Bottomley

Access Control in 2016 - deep dive
Dr. Ulrich Lang

Using Behavior to Protect Cloud Servers
Anirban Banerjee

The Art of the Jedi Mind Trick
Jeff Man

Mobile App Corporate Espionage
Michael Raggo

Advanced techniques for real-time detection of polymorphic malware
Ajit Thyagarajan

2/15/2016 BSidesCapeTown 2015
Mike Davis asked me to post these videos to get wider circulation.

Ode to the Node

Automating the process of mapping and compromising networks

Hack all the things - Exploiting and fixing IoT

Running a Secure Tor Hidden Service

Sharepoint Hacking

Hacker Jeopardy

2/07/2016 BSides Huntsville 2016 Videos
These are the videos from the BSides Huntsville conference. Thanks to @PaulCoggin, @CharlineNixon, Brian, @NagleCode, @GRMrGecko and all of the BSides Crew for having me out to help record and render the videos.

Opening Keynote
Jack Daniel

Hacking Peoples' Lives with Google Sync
Shawn Edwards, Sean Hopkins

Slaying Rogue Access Points with Python and Cheap Hardware
Gabriel Ryan

Web shells as a covert channel
Joe Vest

A practical approach to deploying Data Loss Prevention
Jon Damratoski

Afternoon Keynote: TSA Luggage Locks: Details, Flaws & Making The Best Of A Bad Lock
Adrian Crenshaw

Threat Modeling the Minecraft Way
Jarred White

At the mountains of malware: Lessons learned from analyzing terabytes of malware
Wes Widner

History of WRT and Wireless Mesh protocols.
Alex Kot

BSides Closeout
Paul Coggin

1/16/2016 BSides Columbus 2016 Videos
These are the videos from the BSides Columbus Ohio conference. Thanks to Michael Spaulding for having me up and Greg, James & Brandon who manned the video rigs.


Keynote Thomas Drake
Thomas Drake


Where Did All My Data Go
Deral Heiland

Developers: Care and Feeding
Bill Sempf

Open Secrets of the Defense Industry: Building Your Own Intelligence Program From the Ground Up
Sean Whalen

The Economics of Exploit Kits & E-Crime
Adam Hogan

Hacking Corporate Em@il Systems
Nate Power

All Your Base Still Belong To Us: Physical Penetration Testing Tales From The Trenches
Valerie Thomas & Harry Regan (Not recorded)


Establishing a Quality Vulnerability Management Program without Wasting Time or Money
Zee Abdelnabi (not posted)

Practical DLP Deployment for your Organization
Jon Damratoski

The Good The Bad and The Endpoint Protection
Joseph Ciaravino

Securing Docker Instances
Chris Huntington

Better SIEM Notifications - Making Your SIEM Situationally Aware
Jesse Throwe

Social Media Correlation of Credit Card Fraudsters
Chris Cullison & CW Walker

Special Teams

Removing Barriers of Diversity in Information Security
Helen Patton & Connie Matthews

Panel Discussion: InfoSec Trends, Talent Management, and Retention
Michael Butts, AJ Candella & Megan Wells

Indecision and Malformed Conclusions: The things that stifle security improvement and what can be done about them.
Tyler Smith

Gamify Awareness Training: Failure to engage is failure to secure
Michael Woolard

The Long and Winding Road: An InfoSec Career Panel
Lonnie Kelley & Valerie Thomas

The Pineapple is dead..Long live the Pineapple
David Young



Shmoocon Firetalks 2016
Videos from Shmoocon Firetalks 2016.

Opening Red Team Upgrades Using SCCM for Malware Deployment Matt Nelson (@enigma0x3)

Jailbreaking a Digital Two-Way Radio Travis Goodspeed (@travisgoodspeed)

CheapBugs.Net - Low-End Bug Bounties for the Masses Dean Pierce (@deanpierce)

Failure to Warn You Might Get Pwned Wendy Knox Everette (@wendyck)

GreatFET, a Preview Michael Ossmann (@michaelossmann)

Fuck You, Pixalate! @da_667

DNS C&C Ron Bowes (@iagox86)


SecureWV 2015 Videos
These are the videos of the presentations from Secure West Virginia 2015.

Building a Cantenna
Ed Collins

Dropping Docs on Darknets Part 2 Identity Boogaloo
Adrian Crenshaw

Network Segmentation - Some new thoughts
Mark Jaques and Brandon Schmidt

Security Onion
Brandon Schmidt

Mike Lyons

The Lemonaid Pomegranite, basics of security in a digital world
Tim Sayre

My Little P0ny: What you can do with 20 lines of code and an open machine
Mark Jaques and Brandon Schmidt

And now for something completely different, security at Top O Rock
Tim Sayre

The Art of Post-Infection Response and Mitigation
Caleb J. Crable

Documenting With ASCIIDOC
Jeff Pullen

The Core of Cybersecurity: Risk Management
Josh Spence

The Unique Challenges of Accessing Small and Medium Sized Organizations
Bill Gardner

OpenNSM, ContainNSM, and Docker
Jon Schipp

Here is your degree. Now what?
Shawn Jordan

Wolf in shell's clothing, why you should be skeptical of your trusted tools
Jeff Pullen


10/16/2015 HouSecCon v6 2015 Videos
These are the videos from HouSecCon 2015 v6. Thanks to Michael R. Farnum for having my down and all of the video crew.

Opening Keynote - Mike Rothman

Chris Jordan - Fluency: A Modern Approach to Breach Information and Event Management

Dennis Hurst - Application Security in an Agile SDLC

Wendy Nather - How Google turned me into my mother: the proxy paradox in security

Chris Boykin - Mobile Threat Prevention

Adrian Crenshaw - Dropping Docs on Darknets Part 2: Identity Boogaloo

Julian Dunning - Kraken: The Password Devourer

Trey Ford - Maturing InfoSec: Lessons from Aviation on Information Sharing

Richard Peters and Matthew Roth - Parasyste: In search of a host

Lunch/ISACA Session

Damon Small - Connections: From the Eisenhower Interstate System to the Internet

Rich Cannata - Arm Your Endpoints

Anthony Blakemore - Removing the Snake Oil From Your Security Program

Erik Freeland - Does SDN Mean Security Defined Networking?

Danny Chrastil - What I know about your Company

Lunch / Business Skills Workshop

Josh Sokol - The Fox is in the Henhouse: Detecting a Breach Before the Damage is Done

Jason Haddix - How to Shot Web: Better Web Hacking in 2015

Zac Hinkel, Andrew Huie, and Adam Pridgen - Arm Your Endpoints

Dan Cornell - SecDevOps: A Security Pro's Guide to Development Tools

Closing Keynote - Eric Cowperthwaite - Everything I need to know about Information Security, I Learned Shooting Tank Guns



GrrCON 2015 Videos
These are the videos of the presentations from GrrCON 2015. Big thanks to EggDropX and Jaime for having me out, and my video crew  (Chris, Justine, Aaron & Brian) for recording.


Subject matter to be determined by the number of federal agents present in the audience
Chris Roberts

Breaking in Bad (I,m The One Who Doesn,t Knock)
Jayson Street

Process The Salvation of Incident Response - Charles Herring

But Can They Hack?: Examining Technological Proficiency in the US Far Right
Tom Holt

The wrong side of history - everything that is old is new again
Arron Finnon

Poking The Bear
Mike Kemp

The Hitch Hikers Guide to Information Security
Kellman Meghu

Backdooring Git
John Menerick

Spanking the Monkey (or how pentesters can do it better!)
Justin Whithead, Chester Bishop

Adding +10 Security to Your Scrum Agile Environment

How I Got Network Creds Without Even Asking: A Social Engineering Case Study
Jen Fox

Shooting Phish in a Barrel and Other Terrible Fish Related Puns

This Is All Your Fault
Duncan Manuts

The Safety You Think You Have is Only a Masquerade
Nathan Dragun

Bumper Massage

Security Incident Response
Derek Milroy

Hacking the Next Generation

Findings Needles in a Needlestack: Enterprise Mass Triage
Keven Murphy

Punch and Counter-punch Part Deux: Web Applications
J Wolfgang Goerlich, NerdyBeardo

Application Recon - The Lost Art
Tony Miller

The Hand That Rocks the Cradle: Hacking Baby Monitors
Mark Stanislav

Software Security IWR
Thomas "G13" Richards

Cyber 101 - Upstaring your career in a leading industry
Johnny Deutsch

Understanding and Improving the Military Cyber Culture
Dariusz Mikulski

Harness the Force for Better Penetration Testing
Patrick Fussell

Targeted Attacks and the Privileged Pivot
Mark Nafe

Shell scripting live Linux Forensics
Dr. Phil Polstra

Can you patch a cloud?
Scott Thomas

Is it EVIL?

Submerssion Therapy

Ticking me off: From Threat Intel to Reversing
Juan Cortes

Securing Todays Enterprise WAN
Andy Mansfield

Footprints of This Year's Top Attack Vectors
Kerstyn Clover

Phones and Privacy for Consumers
Matt Hoy (mattrix) and David Khudaverdyan (deltaflyer)

Path Well-Traveled: Common Mistakes with SIEM
Nick Jacob

How compliance doesn't have to suck….at least totally
Robert Carson & Bradley Stine

What is a cloud access broker and do I need one?
Tom Doane

Security Frameworks: What was once old is new again
Brian Wrozek

Attacks Against Critical Infrastructures Weakest Links
Jonathan Curtis

Wireless Intrusion Detection Systems with the Raspberry Pi
Chris J

No One Cares About Your Data Breach Except You ... And Why Should They?
Joel Cardella

09/30/2015 Louisville Infosec 2015 Videos
Below are the videos from the Louisville Infosec 2015 conference. Thanks to @theglennbarrett, Jordan, Daren and @bridwellc for helping me record.

Nexum FireEye Keynote Advesarial Paradigm Shift
Che Bhatia and Artie Crawford

Compromise Analysis - Why
we're seeing so many breaches
Dave Kennedy
Founder of TrustedSec

What to Expect When You're Expecting a Pentest
Martin Bos

Memory Acquisition in Digital Forensics and Incident Response
Jason Hale

Visualizing Complex Cyber Compliance Data Using Big Data Tools
Max Aulakh

Hacking Web Apps with Style: Path Relative Style
Jeremy Druin

TSA Luggage Lock Duplication
Adrian Crenshaw

Cloud Device Insecurity
Jeremy Brown

How the Cloud Drives Better Security
Kevin Peterson

Heartbleed, ShellsShock, and Poodles
Jason Gillam

Using Gamification in Security Awareness Training
Brandon Baker

More Technology, More People, No Process
Mike Robinson

Preventing Common Core Pen Tests
Nathan Sweaney

Ashley Madison Breach
Jeff Jarecki

Integrating Mobile Devices into Your Pen-Testing
Georgia Weidman

Home Depot vs The World
Rodney Hampton


09/28/2015 DerbyCon 5 Videos
These are the videos of the presentations from Derbycon 2015. Big thanks to my video jockeys Sabrina, Skydog, Some Ninja Master, Glenn Barret, Dave Lauer, Jordan Meurer, Brandon Grindatti, Joey, Fozy, nightcarnage, Evan Davison, Chris Bridwell, Rick Hayes, Tim Sayre, Lisa Philpott, Melanie Lecompte, Ben Pendygraft, Austin Hunter, Harold Weaver, Michael Shelburne (and maybe the speakers too I guess).

Welcome to the Family - Intro

Jordan Harbinger Keynote

Information Security Today and in the Future
HD Moore - Ed Skoudis - John Strand - Chris Nickerson - Kevin Johnson - Katie Moussouris hosted by David Kennedy

The M/o/Vfuscator - Turning 'mov' into a soul-crushing RE nightmare - Christopher Domas


Red vs. Blue: Modern Active Directory Attacks & Defense - Sean Metcalf "@PyroTek3"

Metasploit Town Hall - David Maloney "thelightcosine" - James Lee "egyp7" - Tod Beardsley "todb" - Brent Cook "busterbcook"

$helling out (getting root) on a 'Smart Drone' - Kevin Finisterre - solo ape

Phishing: Going from Recon to Creds - Adam Compton - Eric Gershman

APT Cyber Cloud of the Internet of Things - Joey Maresca (@l0stkn0wledge)

Stealthier Attacks and Smarter Defending With TLS Fingerprinting - Lee Brotherston

Honeypots for Active Defense - Greg Foss

Manufactorum Terminatus - The attack and defense of industrial manufacturers - Noah Beddome - Eric Milam

High Stake Target: Lo-Tech Attack - Bill Gardner "oncee" - Kevin Cordle

Operating in the Shadows - Carlos Perez "darkoperator"

Getting Started with PowerShell - Michael Wharton "MyProjectExpert"

 When A Powerful Platform Benefits Both Attackers And Defenders: Secure Enhancements To Scripting Hosts In Windows 10 - Lee Holmes

A deep look into a Chinese advanced attack. -Michael Gough - "HackerHurricane"

Pavlovian Security: How To Change the Way Your Users Respond When the Bell Rings - Magen Wu (@tottenkoph) - Ben Ten (@ben0xa)

The State of Information Security Today - Jeff Man

Learning through Mentorship - Michael Ortega "SecurityMoey" - Magen Wu "Tottenkoph"

The Law of Drones - Michael "theprez98" Schearer

The Phony Pony: Phreaks Blazed The Way - Patrick McNeil "Unregistered436" - Owen "Snide"

HackerQue - Michael Smith (DrBearSec) - Kyle Stone (Essobi)

Current Trends in Computer Law - Matthew Perry (Mostly no audio)

Spankng the Monkey (or how pentesters can do it better!) - Justin Whitehead "(at)3uckaro0" - Chester Bishop "@chet121"

On Defending Against Doxxing - Benjamin Brown Ajnachakra

Practical Windows Kernel Exploitation - Spencer McIntyre @zeroSteiner

Shooting Phish in a Barrel and other fish related puns - Amanda Berlin

Don't Laugh - I Dare You! - Carl Alexander "DrHaxs"

Marketers Are Friends - Not Food - Kara Drapala

Blue Team Starter Kit - Timothy De Block

Simplified SIEM Use Case Management - Ryan Voloch "VDog90"

Bypassing 2Factor Auth with Android Trojans - Paul Burbage

Putting the Management into Vulnerability Management (or - YOU'VE GOT BEARS!!!) - Jesika McEvoy (octalpus)

Moving Target Defense - Learning from Hackers - Sachin Shetty

Malfunction's Functions : Automated Static Malware Analysis using Function Level Signatures - Matthew Rogers - Jeramy Lochner

We Owe You Nothing - Rockie Brockway

Backdooring Git - John Menerick

Detecting phishing attacks with DNS reconnaissance - Mike Saunders

Hacking Web Apps - Brent White

Sticky Honey Pots - Paul J. Vann

Top Ten is Old Skool - Meet the New Age of AppSec - Andrew Leeth

Cryptography and You - Justin Herman

Pwning People Personally - Josh Schwartz "FuzzyNop"

Stagefright: Scary Code in the Heart of Android - Joshua "jduck" Drake

Dec0ding Humans Live - Chris Hadnagy @HumanHacker

Gray Hat PowerShell - Ben Ten (@ben0xa)

WhyMI so Sexy? WMI Attacks - Real-Time Defense - and Advanced Forensic Analysis - Matt Graeber - Willi Ballenthin - Claudiu Teodorescu

Hackers vs. Defenders: Can the defender ever stop playing catch up and win? - Mano Paul "dash4rk"

Medical Devices: Pwnage and Honeypots - Scott Erven "windshield wipers" - Mark Collao

State of the Metasploit Framework - James Lee "egypt"

Credential Assessment: Mapping Privilege Escalation at Scale - Matt Weeks "scriptjunkie1"

Pwning People Personally - Josh Schwartz "FuzzyNop"

Stagefright: Scary Code in the Heart of Android - Joshua "jduck" Drake

Dec0ding Humans Live - Chris Hadnagy @HumanHacker

Gray Hat PowerShell - Ben Ten (@ben0xa)

WhyMI so Sexy? WMI Attacks - Real-Time Defense - and Advanced Forensic Analysis - Matt Graeber - Willi Ballenthin - Claudiu Teodorescu

Hackers vs. Defenders: Can the defender ever stop playing catch up and win? - Mano Paul "dash4rk"

Medical Devices: Pwnage and Honeypots - Scott Erven "windshield wipers" - Mark Collao

State of the Metasploit Framework - James Lee "egypt"

Credential Assessment: Mapping Privilege Escalation at Scale - Matt Weeks "scriptjunkie1"

Mobile Application Reverse Engineering: Under the Hood - Drew Branch - Billy McLaughlin

Introducing the RITA VM: Hunting for bad guys on your network for free with math. - John Strand - Derek Banks - Joff Thyer - Brian Furham

 Breaking in Bad (I'm the one who doesn't knock) - Jayson E. Street

Developers: Care and feeding - Bill Sempf

Fingerprinting the modern digital footprint -  Arian Evans

Surviving your Startup - Bruce Potter
(part of talk missing)

How to ruin your life by getting everything you ever wanted. - Chris Nickerson

Using Windows diagnostics for system compromise - Nicholas Berthaume "aricon"

InfoSec Big Picture and Some Quick Wins - Schuyler Dorsey

Hacking for homeschoolers - Branden Miller

Going AUTH the Rails on a Crazy Train - Tomek Rabczak - Jeff Jarmoc

  Bugspray - The 802.15.4 Attack Surface - Bryan "Crypt0s" Halfpap

Unbillable: Exploiting Android In App Purchases - Alfredo Ramirez


Dynamic Analysis of Flash Files - Jacob Thompson

Attacking Packing: Captain Hook Beats Down on Peter Packer - Vadim Kotov - Nick Cano

Johnny Long and Henry Wanjala - HFC Update

HARdy HAR HAR HAR: HAR File Collection and Analysis for Malware - Robert Simmons "Utkonos"

Stacking the Virtual Deck: Attacks by Predicting RNGs - Adam Schwalm

Homebrewing for Hackers - Benjamin Holland - Amber Aldrich

Stealthy and Persistent Back Door for Z-Wave Gateways - Jonathan Fuller and Ben Ramsey

Building a Better Honeypot Network - Josh Pyorre

Surveillance using spare stuff - Matt Scheurer "Cerkah"

Crypto 101: An Intro To Real-World Crypto - Adam Caudill

Practical Attacks Against Multifactor - Josh Stone

Hacking the Next Generation - David Schwartzberg

The Human Interface Device Attack Vector: Research and Development - Alexander Livingston Segal

A survey of Powershell enabled malware - Tyler Halfpop

Tool Drop: Free as in Beer - Scot Berner - Jason Lang

Tactical Diversion-Driven Defense - Greg Foss - Thomas Hegel

Windows 10 Defense in Depth - Eddie David

Latest Tools in Automotive Hacking - Craig Smith

Ansible. And why it works for me. - Charles Yost

Learning Mainframe Hacking: Where the hell did all my free time go? - Chad Rikansrud "Bigendian Smalls (BeS)""

Intercepting USB Traffic for Attack and Defense - Brandon Wilson

Geeks Need Basements! - Kathleen Veach

Intro to x86 - Stephanie Preston

Spy Vs. Spy: How to Use Breakable Dependencies to Your Advantage - Stacey Banks - Anne Henmi

Is That a Router in Your Pocket or are You Trying to P0wn Me? - Michael Vieau - Kevin Bong

The little-known horrors of web application session management - Matthew Sullivan

Practical hardware attacks against SOHO Routers & the Internet of Things - Chase Schultz "f47h3r"

Stretching the Sandbox with Malware Feature Vectors - Mike Schladt

Gnuradio demystifying rf black magic - Matthew O'Gorman "mog"

Beyond Bad IP Addresses Hashes and Domains - Ed McCabe

DNS Miner - A semi-automatic Incident response and threat intelligence tool for small - over worked security teams - Doug Leece - AJ Leece

Larry Pesce - My password cracking brings all the hashes to the yard..

Intrusion Hunting for the Masses - A Practical Guide - David Sharpe

How I Stopped Worrying and Learned To Love InfraOps - Karthik Rangarajan (krangarajan) - Daniel Tobin (dant24)

Blue Team Army - It's *your* network - defend it! - Mick Douglas - Jamie Murdock

LongTail SSH Attack Analysis - Eric Wedaa

Hunting Unicorns and Jerks - Irrational - Defensible - or Necessary? - Steve Werby

The problems with JNI obfuscation in the Android Operating System - Rick Ramgattie

PHaaS - Phishing as a Service - Raymond Gabler

Circles & Boxes - Drawing SecArch into your program - Chris Robinson

Disecting Wassenaar - Tyler Pitchford

Five Hardware Hacking Projects Under $30 - Kevin Bong - Michael Vieau

Confessions of a crypto cluster operator - Dustin Heywood "EvilMog"

Voltron: Defender of your inferiors - Richo Healey "richo"

Malware is hard. Let's go Shopping! - Richard Wartell "wartortell"

The Pentesters Framework (PTF) - The easy way to roll your own distro. - Dave Kennedy (HackingDave)

Hack my Derby - Nate Lager

Closing Ceremonies

09/13/2015 BSides Augusta 2015 Videos
These are the videos from the BSides Augusta conference. Thanks to Lawrence Abrams, and all of the BSides Crew for having me out to help record and render the videos and Pentestfail, Robert, Mike, John, Ryan, Harry and others for manning capture rigs.


Major General Fogarty

Ed Skoudis

Blue Team Track 1

Fundamental Understanding of Baseline Analysis and Remediation for Industrial Control Systems
Juli Joyner and Jeffrey Medsger

Taking a Distributed Computing Approach to Network Detection with Bro and “The Cloud”
Mike Reeves

 A Scout's Perspective on Network Defense
Justin Edgar

Doomsday Preppers: APT Edition
Tanner Payne

Building a Better Security Analyst Using Cognitive Psychology
Chris Sanders

Viper Framework for Malware Analysis
Paul Melson

Infiltrating C2 Infrastructure
Tim Crothers

Building “Muscle Memory” with Rekall Memory Forensic Framework
Alissa Torres

The Blue Team Starter Kit
Timothy De Block

Red Team Track

Using a HackRF One to Infiltrate the Digital Thetford Wall
Patrick Perry

Malvertizing Like a Pro
Alex Rymdeko-Harvey

Weaponizing our youth: The Case for Integrated Cyber Ethics
Josh Rykowski

Making Everything Old New Again
Andrew Cole and Rich Moulton

DIY Vulnerability Discovery with DLL Side Loading
Jake Williams

Recon-ng and Beyond
Tim Tomes

Attacking OWASP - Exploiting the Top 10
David Coursey

Blue Team Track 2

Go Hack Yourself
Jason Frank

2015 - It's not over yet…
Joel Esler

How to Get Into ICS Security
Chris Sistrunk

Destruction as a Service: Security Through Reanimation
Jon Medina

The Programmatic Evolution of Technology Defense.
Roland Cloutier

Lessons Learned from Analyzing Terabytes of Malware
Wes Widner

08/27/2015 TSA Master Key Duplication & Why "Security Through (Not So) Obscurity" Fails


BSidesLV 2015 Videos
Working on getting all of the BSidesLV videos at the link above. I hope to make a full entry once they are all indexed.
07/27/2015 BSides Cincinnati 2015 Videos
These are the videos from the BSides Cincinnati 2015 Conference.

Welcome and Introduction
Josh Ohmer - President, BSidesCincy

Lateral Movement
Harlan Carvey

Automated Detection Strategies
John Davison

Powershell for Incident Responders
Jesse Lands

Cyber Intelligence: Concrete Analysis in a Fluid World
Coleman Kane

The Response-Ready Infrastructure
Justin Hall

A Distributed Computing Approach for Network Detection
Mike Reeves

The Value of a Simple DLP Program
Chris Tyo

07/18/2015 BSides Detroit2015 Videos
These are the videos from the BSides Detroit 2015 Conference. Thanks to Wolf for having me out and Chris, Justine, Robin, Sam, Mike and others I may forget for helping to record.


Information Security Reconciliation: The Scene and The Profession
Mark Stanislav

Track 1

Level One: How To Break Into The Security Field
Aaron Moffett

Hacker High - Why We Need To Teach Computer Hacking In Schools
Ron Woerner

Getting Started - Help Me Help You
David Trollman

From Blue To Red - What Matters and What (Really) Doesn't
Jason Lang

Clear as F.U.D.: How fear, uncertainty, and doubt are affecting users, our laws, and technologies
Christopher Maddalena

Data Breaches: Simply The Cost Of Doing Business
Joel Cardella

Eating the SMB Security Elephant - An ITSEC framework for small IT shops
Austen Bommarito


Track 2

Enterprise Class Vulnerability Management Like A Boss
Rockie Brockway

Funny Money: What Payment Systems Teach us about Security
Drew Sutter

Building a sturdy foundation - a program-based approach to IT Operations, Application Development, and Information Security in business
Steven Legg

Moving past Metasploit: Writing your first exploit
Calvin Hedler

Wielding BurpSuite: quick-start your extensions and automation rules
Marius Nepomuceno

Browser and Windows Environment Hardening
Kurtis Armour

07/17/2015 Converge 2015 Videos
These are the videos from the Converge Information Security Conference. Thanks to Wolf for having me out and Chris, Ben, Briee, Nick and others I may forget for helping to record.


Hacking To Get Caught - Keynote
Raphael Mudge

Breaking in Bad (I'm the one who doesn't knock)
Jayson E. Street

Track 1

Weaving Security into the SDLC
Bill Sempf

If My CI/CD Teams have Time for Security, So Does Yours
Kevin Poniatowski

Adaptive Monitoring and Detection for Todays Landscape
Jamie Murdock

Threat Intelligence - A Program Strategy Approach
Jenn Black

Cymon: New Cyber Monitoring Tool
Roy Firestein

That's NOT my RJ45 Jack! | IRL Networking for Humans Pt. 1
Johnny Xmas

On Defending Against Doxxing
Benjamin Brown

Hiding in the ShaDOS
Richard Cassara

Security Culture in Development
Wolfgang Goerlich

Cracking and fixing REST services
Bill Sempf

PVCSec Live!

Clientless Android Malware Control
David Schwartzberg

Who Watches the Watchers? Metrics for Security Strategy
Michael Roytman

How to Dress Like a Human Being | IRL Networking for Humans Pt. 2
Johnny Xmas

Soft Skills for a Technical World
Justin Herman

Track 2

The Domain Name System (DNS) - Operation and Security
Tom Kopchak

Homebrew Censorship Detection by Analysis of BGP Data
Zach Julian

Four Pillars: Passion, Vision, Communication, Execution
Edgar Rojas

Excuse me while I BURP
Steve Motts

Public Recon: Why Your Corporate Security Doesn't Matter
Ronald Ulko (Not recorded)

Building the team for a successful SOC
Donald Warnecke

The Path Well-Traveled: Common Mistakes Encountered with SIEM
Nick Jacob

I failed, therefore I succeeded
Zee Abdelnabi (Not recorded)

 Adventures in Communication: Taming the C-Suite and Board
Jim Beechey

Under the Unfluence: the Dark Side of Influence
Ron Woerner

Application Security Awareness: Building an Effective and Entertaining Security Training Program
Chris Romeo

10 Reasons Your Security Education Program Sucks
Kris French Jr

Shooting Phish in a Barrel and other bad fish puns
Amanda Berlin

Process - The Salvation of Incident Response
Charles Herring

07/11/2015 OISF 2015 Videos

Gray Hat PowerShell
Ben Ten

Secret Pentesting Techniques
Dave Kennedy

Of History & Hashes
Adrian Crenshaw

hacker-ng: Farming the Future IT Crowd
Phil Grimes (th3grap3ap3)

Lawyer's Perspective On Data Security Breaches
Dino Tsibouris

06/20/2015 BSides Cleveland 2015 Videos
These are the videos from the Bsides Cleveland conference. Thanks to  &  as the video team. Thanks to twuntymcslore & RockieBrockway for being con mom & dad.

Track 1

Morning Keynote
Jack Daniel

Metasploit & Windows Kernel Exploitation
Spencer McIntyre zeroSteiner

PwnDrone: The Modern Airborne Cyber Threat
Devin Gergen @DevinGergen

Afternoon Keynote
So You Want To Be An Infosec Rockstar?
Chris Nickerson

Why the Web is Broken
Bill Sempf @sempf

Outside the Box
David Kennedy Larry Spohn @HackingDave, @Spoonman1091

The Entropy of Obfuscated Code
Adam Hogan @adamwhogan

Track 2

Why the foundation of security is broken.
Alex Kot

Desired State Configuration (DSC): Dream Tool or Nightmare for Security Baseline and Configuration Management
Zack Wojton Wayne Pruitt zbirdflipper

Common Sense Security Framework
Jerod Brennen @slandail

Secure Test Driven Development: Brakeman, Gauntlet, OWASP and the Work Still to Be Done
Ricky Rickard rrickardjr

Building a sturdy foundation - a program-based approach to IT Operations, Application Development, and Information Security in business
Steven Legg ZenM0de

Building a Threat Intelligence Program
Edward McCabe @edwardmccabe

Phishing Without Ruby
Brandan Geise Spencer McIntyre coldfusion39

Security Not Guaranteed - Or, how to hold off the bad guys for another day.
James Gifford Elijah Snow-Rackley @jrgifford

Cleveland Locksport
Jeff Moss Doug Hiwiller, Damon Ramsey jeffthemossman

Augmenting Mobile Security and Privacy Controls
Brian Krupp @briankrupp

Track 3

DIY Hacker Training, a Walkthrough
Warren Kopp warrenkopp

Quick-start your Burp Suite extensions (Jython) and automation.
Marius Nepomuceno

Flourishing in a Hostile Work Environment
Dennis Goodlett

Defense in Depth - Your Security Castle
Tom Kopchak @tomkopchak

EMET Overview and Demo
Kevin Gennuso @kevvyg

10 Reasons Your Security Education Program Sucks
Kris French Jr @Turtl3Up

Call of Duty: Crypto Ransomware
Brett Hawkins @hawkbluedevil


06/14/2015 Circle City Con 2015 Videos
These are the Circle City Con videos. Thanks to the staff for inviting me up to record. Big thanks to Oddjob, Glenn, Jordan, Tim, Will, Mike, Nathan, & Chris for helping set up AV and record, as well as others who I'm forgetting. It was a great time.

Track 1

Opening Ceremonies


Rethinking the Trust Chain: Auditing OpenSSL and Beyond
Kenneth White

Actionable Threat Intelligence, ISIS, and the SuperBall
Ian Amit

Security Culture in Development
Wolfgang Goerlich

Simulating Cyber Operations: "Do you want to play a game?"
Bryan Fite

Hacking IIS and .NET
Kevin Miller

User Awareness, We're Doing It Wrong
Arlie Hartman

Departmentalizing Your SecOps
Tom Gorup

Shooting Phish in a Barrel and Other Terrible Fish Related Puns
Amanda Berlin

ZitMo NoM - Clientless Android Malware Control
David Schwartzberg

Data Loss Prevention: Where do I start?
Jason Samide

Reducing Your Organization's Social Engineering Attack Surface
Jen Fox

1993 B.C. (Before Cellphones)
Johnny Xmas

Building a Comprehensive Incident Management Program
Owen Creger

 Is that a PSVSCV in your pocket
Jake Williams

Analyzing the Entropy of Document Hidden Code
Adam Hogan

Making Android's Bootable Recovery Work For You
Drew Suarez

Does anyone remember Enterprise Security Architecture?
Rockie Brockway

Malware Armor
Tyler Halfpop

Closing Ceremonies

Track 2

Ruby - Not just for hipster
Carl Sampson

Configure your assets, save your butt
Caspian Kilkelly

Digital Supply Chain Security: The Exposed Flank
Dave Lewis

I Amateur Radio (And So Can You)
Kat Sweet

Wireless Intrusion Detection System with Raspberry Pi
Chris Jenks

The Answer is 42 - InfoSec Data Visualization (Making Metric Magic & Business Decisions)
Edward McCabe

Running Away from Security: Web App Vulnerabilities and OSINT Collide
Micah Hoffman

Lessons Learned from Implementing Software Security Programs
Todd Grotenhuis

Stupid Pentester Tricks - OR - Great Sysadmin Tips! - Done in style of Rocky and Bullwinkle
Alex Fernandez-Gatti / Matt Andreko / Brad Ammerman (not to be posted)

Findings to date.
Cameron Maerz

Clean Computing: Changing Cultural Perceptions
Emily Peed (No Sound)

From Parking Lot to Pwnage - Hack?free Network Pwnage
Brent White / Tim Roberts

PlagueScanner: An Open Source Multiple AV Scanner Framework
Robert Simmons

How not to Infosec
Dan Tentler

Building a sturdy foundation - a program-based approach to IT Operations, Application Development, and Information Security in business
Steven Legg

Hacking the Jolla: An Intro to Assessing A Mobile Device
Vitaly McLain / Drew Suarez


Track 3

Operationalizing Yara
Chad Robertson

An Inconvenient Truth: Security Monitoring vs. Privacy in the Workplace
Ana Orozco

From Blue To Red - What Matters and What (Really) Doesn't
Jason Lang

Using Evernote as an Threat Intelligence Management Platform

Surfing the Sea and Drowning in Tabs: An Introduction to Cross-Site Request Forgery
Barry Schatz

Turn Your Head And Cough: Why Architecture Risk Assessments Are Like Being A General Physician
Nathaniel Husted

Jonathan Thompson

The Hacker Community is Dead! Long Live the Hacker Community!
Bruce Potter

Square Peg, Round Hole: Developing a Security Culture Within an Enterprise
Jeff Pergal / Stuart McIntosh

Smuggling Plums - Using Active Defnse techniques to hide your web apps from your attackers and their scanners
John Stauffacher

Deploying Honeypots To Gather Actionable Threat Intelligence
James Taliento

Clear as FUD: A look at how confusing jargon and technology can create fear, uncertainty, and doubt
Chris Maddalena

How to Budget for IDS
Brian Heitzman

Reverse Engineering Windows AFD.sys
Steven Vittitoe

Nepenthes: Netpens With Less Pain
Andy Schmitz

Do We Still Need Pen Testing?
Jeff Man



Lock Picking & Bypass Class

Your Own Worst Enemy Landing Your First Infosec Gig Despite Yourself - Johnny Xmas

Building an Incident Response Program - Lesley Carhart

Security Auditing Android Apps - Sam Bown


ShowMeCon 2015 Videos


Breaking in Bad (I'm the one who doesn't knock)
Jayson Street

Security's Coming of Age: Can InfoSec Mature and Save the World
Dave Chronister

Confessions of a Social Engineer, My Dirty Tricks and How to Stop them.
Valerie Thomas

The Security Trust Chain is Broken: What We're Doing about it
Kenn White

Maturing Information Security - When Compliance doesn't cut it.
Joey Smith

Hunting the Primer: Looking into DarkNet
Aamir Lakhani


Left Track

Gray Hat Powershell

Sensory Perception: A DIY Approach to Building a Wireless Sensor Network
Tim Fowler

Stop The Wireless Threat - Dawn of the Drone
Scott Schober

Automated Static Malware Analysis Using Function-level Signatures or: How I Learned to Stop Worrying and Love the APT
James Brahm, Matthew Rogers, Morgan Wagners

Forensic Artifacts of Host-Guest Interaction in the VMware Environment
Kurt Aubuchon

Enterprise Class Vulnerability Management like a Boss
Rockie Brockway


Right Track

Paul Coggin

Behind the Hack
Ralph Echemendia

Mobile Forensics and its Anatomy of Extractions
Charline F. Nixon

Building Virtual Pentesting Lab
Kevin Cardwell

That's not my RJ45 jack: IRL networking for Humans
Johnny Xmas

The Great Trojan Demo
Ben Miller

Disco Track

HIPAA 2015: Wrath of the Audit
Hudson Harris

Practical Electronics: Fixing the fan in a post-poop scenario
Evan "treefort" Booth

Of History and Hashes
Adrian Crenshaw

06/07/2015 ShowMeCon Videos Coming Soon
As I record the ShowMeCon 2015 videos, I will be putting them here. I will also be tweeting as I get them out from @Irongeek_adc
05/30/2015 Of History & Hashes: A Brief History of Password Storage, Transmission, & Cracking
I'd like to expand this article with new anecdotes of "they should have know better" and "this has been done before". Please let me know how I should expand it.
05/30/2015 Kiosk/POS Breakout Keys in Windows
I wanted to point out some articles I wrote for the TrustedSec blog. If you mess with Kiosk systems, you may like this.
05/17/2015 Password Cracking Class for Hackers For Charity
This is the Password Cracking class the Kentuckiana ISSA put on to support Hackers For Charity. Speakers include Jeremy Druin @webpwnized, Martin Bos @purehate_ and me @irongeek_adc. If you like the video, please consider donating to Hackers For Charity. Keywoords: John, Hashcat, OCLHashcat, rockyou, sam, system, Windows, Unix passwords.
05/16/2015 BSides Knoxville 2015 Videos
These are the videos BSides Knoxville 2015. Thanks to Aaron, Tim and Nicolas for the video help.

Travis Goodspeed

How I've hacked and un-hacked a logic game (20 years to Lights Out)
Gyora Benedek

Finding Bad Guys with 35 million Flows, 2 Analysts, 5 Minutes and 0 Dollars
Russell Butturini

Dumping the ROM of the Most Secure Sega Genesis Game Ever Created: A Reverse Engineering Story
Brandon Wilson (not recorded)

Phishing: Going from Recon to Credentials
Adam Compton, Eric Gershman

Multipath TCP - Breaking Today's Networks with Tomorrow's Protocols
Catherine Pearce

High Performance Fuzzing
Richard Johnson

Cyber Cyber Cyber: Student Security Competitions
Eric Gershman, Raymond Borges

The Impossibility of Protecting the Enterprise at $7.25 an hour
Kevin Thomas

 I've met the enemy information security and it is us
Slade Griffin

The Poetry of Secrets: An Introduction to Cryptography
Eric Kolb

From Broadcast to Totally Pwned
Russel Van Tuyl, Matt Smith

Introducing User-Centered Design to Augment Human Performance in Cyber Warfare
Frank Cohee, Joe Davis

Back to the Future
Neil Desai

Virtualized Routers Soup to Nuts
Jeff Nichols, Benjamin Taylor, Tommy Hardin

05/10/2015 BSides Boston 2015 Videos
These are the videos BSides Boston 2015. Thanks to @plaverty9 for inviting me out to record.


The Securitized State: Where it came from, where it's going, what can be done about it
Molly Sauter

Track 1

Is Threat Modeling for Me?
Robert Hurlbut

Hacker or criminal? Repairing the reputation of the infosec community.
Melanie Ensign

Running Away from Security: Web App Vulnerabilities and OSINT Collide
Micah Hoffman

Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Program
Paul Asadoorian

Protect Your "Keys to the Kingdom" _ Securing Against the Next Inevitable Cyberattack
Paul Kozlov

In pursuit of a better crypto puzzle
Samuel Erb

Track 2

When penguins attack - Linux's role in the malware ecosystem
Chester Wisniewski

The Benefits in Externalizing DMZ-as-a-Service in the Cloud
Israel Barak

Common misconfigurations that lead to a breach
Justin Tharpe

Applying Big Data technology to security use case
Max Pevzner

Marketing: They're not all Schmucks.
Jen Ellis & Josh Feinblum

Next-Gen Incident Management - Building out a Modern Incident Management Capability
John McDonald


04/24/2015 AIDE 2015 Videos
Recorded at AIDE 2015. Big thanks to Bill Gardner (@oncee) for having me out to record.

ISLET (Isolated, Scalable, & Lightweight Environment for Training) - Jon Schipp

Examining Hacktivism: Crime and Punishment in the Digital Age - Bill Gardner/Kim DeTardo-Bora/Amanda Richards

INFOSEC Flash Forward - Changing how we think - Dave Kennedy

Quantum Computing 01100101 - Tess Schrodinger

Introducing Network Scout: Defending the Soft Center of Your Network - Aeadan Somerville/Shawn Jordan

Mutillidae - Jeremy Druin

Quick Intro To Lock Picking - Adrian Crenshaw

OWASP Applied - Elliott Cutright (Not Recorded)

Kevin Cordle - Kevin Cordle (Not Recorded)

Better Threat Intel Through OSint - Frank Hackett

Overview of Darknets - Adrian Crenshaw

BREAKING in BAD (I'm the one who doesn't knock) - Jayson Street


BSides San Francisco 2015 Videos
These are the videos from the BSides San Francisco conference. Special thanks to Doug, Jim, @dgc, 'Grond' <grond66@riseup.net>, @flee74 , Wayne and some others I'm forgetting for their help recording

Track 1


Stick a Pin in Certificate Pinning: How to Inspect Mobile Traffic and Stop Data Exfiltration
Gopal Jayaraman

OSXCollector: Forensic Collection and Automated Analysis for OS X
Ivan Leichtling

DNS Spikes, Strikes, and The Like
Thomas Mathew

Ask the EFF

Your Users Passwords Are Already Stolen
Lucas Zaichkowsky

Analyze This!
Aaron Shelmire
(not recorded)

Medical Device Security - From Detection To Compromise
Scott Erven

How SecOps Can Convince DevOps To Believe In The Bogeyman
Leif Dreizler

Human Hunting
Sean Gillespie

Phighting Phishers Phake Phronts
Kevin Bottomley

Corporate Governance For Fun and (Non)Profit
Christie Dudley

HIPAA 2015: Wrath of the Audits
W. Hudson Harris

Lessons Learned from Building and Running MHN, the World's Largest Crowdsourced Honeynet
Jason Trost

Getting started...help me help you
David Trollman


Track 2

Critical Infrastructure: The Cloud loves me, The Cloud loves me not.
Bryan Owen

F*ck These Guys: Practical Countersurveillance
Lisa Lorenzin

Collective Action Problems in Cybersecurity
Allan Friedman

Intrusion Detection in the clouds
Josh Pyorre

Hacker or criminal? Repairing the reputation of the infosec community
Melanie Ensign

Student Surveillance: How Hackers Can Help Protect Student Privacy
Jessy Irwin

When Doing the Right Thing Goes Wrong - Impact of Certificates on Service Based Infrastructure
Robert Lucero

How to Lie with Statistics, Information Security Edition
Tony Martin-Vegue

Ground Zero Financial Services: The Latest Targeted Attacks from the Darknet
Brian Contos

Securing the Hastily Formed Network: Infosec for Disaster Relief and Emergency Response
Rakesh Bharania

GitReview - Reflective Control In Action
Jon Debonis

Probing Patches: Beyond Microsoft's ANS
Bill Finlayson (not recorded)

*Blink*: The Network Perimeter is Gone
Rick Farina (Zero_Chaos)

Federating AWS CLI
Paul Moreno

04/12/2015 BSides Nashville 2015 Videos
These are the videos BSides Nashville 2015. Thanks to @lil_lost for inviting me down to record and being my bodyguard while in Nashville.

BSides Nashville Intro and
Pondering the False Economy of Secrets
Trey Ford @TreyFord

Applied Detection and Analysis Using Flow Data
Jason A. Smith

Using devops monitoring tools to increase security visibility
Chris Rimondi

The Great Trojan Demo
Ben Miller

Nobody Understands Me: Better Executive Metrics
Michael St. Vincent

So you want to be a pentester?
Not Recorded

We Built This & So Can You!
Tim Fowler

That's NOT my RJ45 Jack!: IRL Networking for Humans
Johnny Xmas

Finding Low Hanging Fruit with Kali
Stephen Haywood

What do infosec practitioners actually do
Slade Griffin

From Parking Lot to Server Room
Tim Roberts and Brent White

N4P Wireless Pentesting: So easy even a caveman can do it
Chris Scott


Use of Attack Graphs in Security Systems
Not Recorded

Skiddiemonkeys: Fling "stuff" at your Defenses and See What Sticks
Russell Butturini & Joshua Tower


04/01/2015 Guess I Stay In Infosec
Well, I tried to join the ranks of radical feminists, but they would not have me. I'll keep running Irongeek.com for awhile. Guess I need to change causes and fight for machine liberation instead (Hail Skynet!).

Irongeek signing off, time for other projects
Hello everyone. It’s been a great 11 years, but my life and career plans have moved on. I’m moving away from information security and plan to dedicate my life to radical feminism. As such, I won’t have time to maintain this infosec site (working on my PhD in women’s studies takes a lot of time), so please archive Irongeek.com while it is still up. I will be announcing the URLs of my Tumblr, GoFundMe and Patreon pages shortly. Thanks for your support.


Central Ohio Infosec Summit 2015 Videos
These are the videos from the Central Ohio Infosec Summit conference. Thanks to the video volunteers for helping me record.


We're At War - Why Aren't You Wearing A Helmet?
Bill Sieglein

Ghost In The Shadows - Identifying Hidden Threats Lurking On Our Networks
Deral Heiland

Rebuilding and Transforming and Information Security Function
Susan Koski

InfoSec’s Midlife Crisis & Your Future...
Tsion Gonen

Current Cyber Threats: An Ever-Changing Landscape
Kevin Rojek

Tech 1

IT Isn't Rocket Science
David Mortman

Mind On My Money, Money On My Malware
Dustin Hutchison

Private Cloud Security Best Practices
Mike Greer

Cyber Espianoge - Attack & Defense
Michael Mimoso

Three Years of Phishing - What We've Learned
Mike Morabito

Piercing Your Perimeter, Dodging Detection, and Other Mayhem! a.k.a. Pen Tester Voodoo 101
Mick Douglas

Physical Penetration Testing: You Keep a Knockin' But You Can't Come In!
Phil Grimes

Tech 2

Honeypots for Active Defense - A Practical Guide to Deploying Honeynets Within the Enterprise
Greg Foss

Building Security Awareness Through Social Engineering
Valerie Thomas & Harry Regan

Open Source Threat Intelligence: Building A Threat Intelligence Program Using Public Sources & Open Source Tools
Edward McCabe

Modern Approach to Incident Response
James Carder and Jessica Hebenstreit

Having your cake and eating it too! Deploying DLP services in a Next Generation Firewall Environment
Mike Spaulding

Using Machine Learning Solutions to Solve Serious Security Problems
Ryan Sevy & Jason Montgomery

Electronic Safe Fail
Jeff Popio

Emerging Trends in Identity & Access Management
Robert Block

Building a Successful Insider Threat Program
Daniel Velez

A New Mindset Is Needed - Data Is Really the New Perimeter!
Jack Varney


Software Security Cryptography
Aaron Bedra

Threat Analytics 101: Designing A "Big Data" Platform For Threat Analytics
Michael Schiebel

Developers Guide to Pen Testing (Hack Thyself First)
Bill Sempf

OWASP 2014 - Top 10 Proactive Web Application Controls
Jason Montgomery


IAM Case Study: Implementing A User Provisioning System
Keith Fricke

Measuring the Maturity of Your Security Operations Capabilities
Clarke Cummings

Exploring the Relationship between Compliance and Risk Management
Mark Curto

Data Loss Prevention - Are You Prepared?
Jason Samide

Compliance vs. Security - How to Build a Secure Compliance Program
Jeff Foresman

Overview and Analysis of NIST Cybersecurity Framework
Sarah Ackerman

The Explosion of Cybercrime - The 5 Ways IT May Be an Accomplice
Mark Villinski

GRC: Governance, Ruses & Confusion
Shawn Sines

Security Directions and Best Practices
Kevin Dempsey


Data Breach: If You're Not Prepared, You Can't Be Responsive
John Landolfi

Ten Practical Ideas For Creating An Attentive and Supportive Organization: Sales & Marketing For the Security Team
Glenn Miller

Strengthening Your Security Program
Chad Robertson

Presenting Security Metrics to the Board
Nancy Edwards

DREAMR - Obtain Business Partnerships
Jessica Hebenstreit

Security Talent In Ohio - A Discussion
Helen Patton

Silos to Seamless: Creating a Comprehensive Security Program
Jeremy Wittkop

Ascending Everest: Managing Third-Party Risk in the Modern Enterprise
Thomas Eck

And Then The World Changed…Again
Jason Harrell

Corporate Uses for Anonymity Networks
Adam Luck

Going To The Dark Side: A Look Into My Transition From Technologist To Salesman
Aaron Ansari

Building An Industrial Controls Cybersecurity Framework (Critical Infrastructure)
Ernie Hayden

Panel Discussion Insourcing Outsourcing and Hybrid
Helen Patton, Louis Lyons, Greg Franz, Jeffery Sweet, Sassan Attari, Carla Donev, Kent King


02/28/2015 Louisville Lock Picking And Bypass Class Hosted At LVL1
Hackers For Charity donation class taught by @irongeek_adc and @essobi. Hosted at the LVL1 Hackerspace.
02/22/2015 BSides Tampa 2015 Videos
These are the videos from the BSides Tampa conference. Thanks to @PolarBill and all of the BSides Crew for having me out to help record and render the videos.

Track 1

Bug Bounties and Security Research
Kevin Johnson

Securing The Cloud
Alan Zukowski

Chris Berberich

Vendor Induced Security Issues
Dave Chronister

Pentest Apocalypse
Beau Bullock

Kippo and Bits and Bits
Chris Teodorski

The Art of Post-infection Response & Mitigation
Caleb Crable

The Need for Pro-active Defense and Threat Hunting Within Organizations
Andrew Case

Track 2

Finding Common Ground within the Industry and Beyond
David Shearer

Ways to Identify Malware on a System
Ryan Irving

Android Malware and Analysis
Shane Hartman

Teaching Kids (and Even Some Adults) Security Through Gaming
Le Grecs

Evaluating Commercial Cyber Threat Intelligence
John Berger

Track 3

Cyber Geography and the Manifest Destiny of the 21st Century
Joe Blankenship

Mitigating Brand Damage From A Cyber Attack
Guy Hagen

What is a security analyst and what job role will they perform
James Risler

Live Forensic Acquisition Techniques
Joe Partlow

Cyber Security Awareness for Healthcare Professionals
Marco Polizzi

02/08/2015 BSides Huntsville 2015 Videos Posted
These are the videos from the BSides Huntsville conference. Thanks to @PaulCoggin, @CharlineNixon, Brian, @GRMrGecko and all of the BSides Crew for having me out to help record and render the videos.

Track 1

Real World Threats
Russ Ward

Lock picking, but bypass is easier
Adrian Crenshaw (@irongeek_adc)

The Dark Side Of PowerShell
Joshua Smith

Give me your data!
Dave Chronister

Gods and Monsters: A tale of the dark side of the web
Aamir Lakhani

Sensory Perception: A DIY approach to building a sensor network
Tim Fowler

Hijacking Label Switched Networks in the Cloud
Paul Coggin (@PaulCoggin)

Reverse Engineering Network Device APIs
Dan Nagle (@NagleCode)

Track 2

So Easy A High-Schooler Could Do It: Static malware analysis using function-level signatures
James Brahm, Matthew Rogers, and Morgan Wagner

Pragmatic Cloud Security: What InfoSec Practitioners Have Been Waiting For
Josh Danielson (@JoshGDanielson) and Arthur Andrieu

Developing and Open Source Threat Intelligence Program
Edward McCabe (@edwardmccabe)

Applying User-Centered Design Techniques for Augmenting Human Perception in Cyber Warfare
Frank Cohee

The Great Trojan Demo
Ben Miller

A Virtual SCADA Laboratory for Cybersecurity Pedagogy and Research
Zach Thornton

PlagueScanner: An Open Source Multiple AV Scanner Framework

01/28/2015 Circle City Con, Indianapolis Indiana 06-12-2015 - 06-14-2015
Come join us for Circle City Con in Indianapolis Indiana this June 12th-14th. I had a great time last year, and will be staffing again this year (video of course, and some time in the lock pick village). Call for presentations and call for trainers is currently open. More information at https://circlecitycon.com
01/21/2015 BSides Columbus Ohio 2015 Videos

These are the videos from the BSides Columbus Ohio conference. Thanks to Michael Spaulding for having me up and the guys who manned video rigs.


Breaking Bad
Jayson Street

Cloud and Virtualization Theory
Grauben Guevara



User Behavior Analysis
Matt Bianco

Plunder, Pillage and Print - The art of leverage multifunction printers during penetration testing
Deral Heiland

Common Sense Security Framework
Jerod Brennen

OWASP Mobile Top Ten - Why They Matter and What We Can Do
Ricky Rickard


Got software? Need a security test plan? Got you covered.
Bill Sempf

Corporate Wide SSL Interception and Inspection
Frank Shaw

How to Rapidly Prototype Machine Learning Solutions to Solve Security Problems
Jason Montgomery

A Basic Guide to Advanced Incident Response
Scott Roberts

Supply and Demand: Solving the InfoSec Talent Shortage
Brandon Allen

Special Teams

Do We Still Need Pen Testing?
Jeff Man

Trolling Attackers for Fun & Profit
Stephen Hosom

Inurl:robots.txt-What are YOU hiding?
David Young

Malware Development as the Evolution of Parasites
Adam Hogan

Snort Beyond IDS: Open Source Application and File Control
Adam Hogan


Shmoocon Firetalks 2015 Videos

Opening - @grecs

PlagueScanner: An Open Source Multiple AV Scanner Framework - Robert Simmons (@MalwareUtkonos)

I Hunt Sys Admins - Will Schroeder (@harmj0y)

Collaborative Scanning with Minions: Sharing is Caring - Justin Warner (@sixdub)

Chronicles of a Malware Hunter - Tony Robinson (@da_667)

SSH-Ranking - Justin Brand (@moo_pronto)

Resource Public Key Infrastructure - Andrew Gallo (@akg1330)

12/6/2014 WiGLE WiFi Database to Google Earth Client for Wardrive Mapping Tool Updated
Uploaded version 0.97. Now uses HTTPS for connecting to WiGLE since they have a properly signed cert. I also added code contributions from njd who updated for WiGLE changes (WiGLE now supports more encryption types). Folders are broken down into WAPs that a Open, WEP, WPA, WPA2 and Unknown.
11/22/2014 DerbyCon 2014 Higher Education Panel for Hackers Irongeek’s Thoughts
Just my thoughts on the state of infosec education at universities.
11/17/2014 Hack3rcon 5 Videos
Here are the videos from Hack3rcon^5 Enjoy.

Bash Scripting for Penetration Testers
Lee Baird

Intro to PowerShell Scripting for Security

ISLET: An Attempt to Improve Linux-based Software Training
Jon Schipp

Remote Phys Pen: Spooky Action at a Distance
Brian Martin

Introducing Network-Scout: Defending The Soft Center of Your Network

Using the techniques of propaganda to instill a culture of security
Justin Rogosky

Identify Your Web Attack Surface: RAWR!
Tom Moore, Adam Byers

Gone in 60 minutes _ Practical Approach to Hacking an Enterprise with Yasuo
Saurabh Harit, Stephen Hall

Check Your Privilege(s): Futzing with File Shares for low hanging fruit
Adrian Crenshaw

DERP - Dangerous Electronic Redteam Practices
Luis Santana

When Zombies take to the Airwaves

I Am Nation State (And So Can You!)
tothehilt, SynAckPwn


GrrCON 2014 Videos
These are the videos of the presentations from GrrCON 2014. Big thanks to EggDropX and Jaime for having me out, and my video crew  (Chris, Steve, Ian, Justine, and other Chris) for recording.


Around the world in 80 Cons (A tale of perspectives)
Jayson E Street

Infosec in the 21st century
Tim Crothers

Securing our Ethics: Ethics and Privacy in a Target-Rich Environment
Kevin Johnson

Social Engineering Can Kill Me, But It Can’t Make Me Care
Gavin ‘Jac0byterebel’ Ewan

Finding Our Way - From Pwned to Strategy 
David Kennedy (Likely lost due to sound guy not muting music, plan to post to archive.org to see if anyone can clean the tracks)

Emulate SandBox and VMs to avoid malware infections
Jordi Vazquez (Likely lost due to sound guy not muting music, plan to post to archive.org to see if anyone can clean the tracks)

Security Hopscotch
Chris Roberts (Likely lost due to sound guy not muting music, plan to post to archive.org to see if anyone can clean the tracks)

Email DLP: Simple concept, often poorly implemented
c0rrup7_R3x (Likely lost due to sound guy not muting music, plan to post to archive.org to see if anyone can clean the tracks)

Look Observe Link (LOL) - How I learned to love OSINT
NinjaSl0th (Half lost due to sound guy not muting music, plan to post to archive.org to see if anyone can clean the tracks)

ZitMo NoM
David “HealWHans” Schwartzberg

Bigger Boys Made Us
Mike Kemp

Full Douchesclosure
Duncan Manuts

Finux’s Historical Tour Of IDS Evasion, Insertions, and Other Odditie
Arron ‘Finux’ Finnon



Beating the Infosec Learning Curve Without Burning Out
Scott ‘secureholio’ Thomas

Picking Blackberries
Thomas 'G13' Richards

Exercising with Threat Models
J Wolfgang Goerlich

Seeing Purple: Hybrid Security Teams for the Enterprise

CryptoRush - Rising from the Ashes
King Dragon

Autonomous Remote Hacking Drones
Dr. Phil Polstra

Proof That Windows Computer Forensics is Sexy
Kyle ‘Chaoticflaws’ Andrus

BioHacking: Becoming the Best Me I Can Be

Vulnerable By Design - The Backdoor That Came Through the Front
Matthew ‘mandatory’ Bryant

OAuth2.0 - It’s the Implementation Stupid!!
Tony Miller

Breach Stains
Matt ‘The Streaker’ Johnson

Are you a janitor, or a cleaner?
John ‘geekspeed’ Stauffacher & Matthew ‘Mattrix’ Hoy

PCI and Crypto: The Good, The Bad, and The Frankly Ugly
Robert Former



Advanced Threats and Lateral Movement 
Terrance Davis

Adopting a Risk-based Threat Model to Secure Your Defenses and Regain Control of Your Critical Data
Todd Bursch

New World, New Realities: Endpoint threat Detection, Response and Prevention
Brian Orr

Reducing Your Organization’s Social Engineering Attack Surface
Jen Fox

Memory Forensics with Hyper-V Virtual Machines
Wyatt Roersma

$#!T My Industry Says. . .
Kellman Meghu

Bringing PWNED To You: Interesting Honeypot Trends
Elliott Brink

The Security Implications of Software Defined Networks
Shane Praay

Lessons from the front lines: Top focus areas for information security leaders
Shogo Cottrell

How to budget IDS’s
Brian ‘Arcane’ Heitzman

LEVIATHAN: Command and Control Communications on Planet Earth
Kevin Thompson

Red Teaming: Back and Forth, 5ever

Intelligence Driven Security
Shane Harsch

Security for the People: End-User Authentication Security on the Internet
Mark Stanislav

Hackers Are People Too

Vaccinating APK’s
Milan Gabor



Hack the Hustle! Career Strategies For Information Security Professionals
Eve Adams

The Challenge of Natural Security Systems
Rockie Brockway

Application Pen Testing
Chris Pfoutz

Advanced Breaches of 2013 vs. Behavioral Detection
Charles Herring

Security On The Cheap
Joel Cardella

Hacking Android
Godfrey Nolan

Cyber Security Incidents: Red Blue Team
Unc13 Fuck3r


Board Breaking Challenge

GrrCON Talent Accelerator Program
Abe Jones


Louisville Infosec 2014 Videos
Below are the videos from the Louisville Infosec 2014 conference. Thanks to @theglennbarrett, @f0zziehakz and @bridwellc for helping me record.

Opening Ceremony

All of Your Compliance Needs with One Methodolgy
Jim Czerwonka

Lockade: Electronic Games for Locksport
Adrian Crenshaw

Mining Data from the Windows Registry
Jason Hale

Identity Theft: Who's in YOUR Wallet?
Richard Starnes & Rick Nord

Mobile Telephony for InfoSec Practitioners
Daniel Helton

A Crosswalk of the Department of Defense (DoD) Information Assurance Certification and Accreditation Process (DIACAP)
John McLain

Building an Enterprise DDoS Mitigation Strategy
Mitchell Greenfield

Practical interception of mobile device traffic
Jeremy Druin

Changing What Game- One Future for Information Security
Michael Losavio

Trash Talkin - IT Audit Guide to Dumpster Diving
John Liestman

Linking Users to Social Media Usage on Android Mobile Devices
Ryan Ferreira

Origin of CyberSecurity Laws - An Insider's Story
Steve Riggs

A Place at the Table
Kristen Sullivan

What your Web Vulnerability Scanners Aren't Telling You
Greg Patton

ISSA Awards

Creating the Department of How: Security Awareness that makes your company like you.
Ira Winkler

Are You Really PCI DSS Compliant? Case Studies of PCI DSS Failure!
Jeff Foresman

Where does Data Security fit into the Data Quality strategy?
Michael Vincent

Closing Ceremony

10/01/2014 Derbycon 4 Videos
These are the videos of the presentations from Derbycon 2014. Big thanks to my video jockeys Skydog, Sabrina, Some Ninja Master, Glenn Barret, Dave Lauer, Jordan Meurer, Brandon Grindatti, Joey, Steven, Branden Miller, Joe, Greg and Night Carnage (and maybe the speakers too I guess).

Welcome to the Family - Intro

Johnny Long (Keynote) - Hackers saving the world from the zombie apocalypse

How to Give the Best Pen Test of Your Life (Keynote) - Ed Skoudis

Adaptive Pentesting Part Two (Keynote) - Kevin Mitnick and Dave Kennedy

If it fits - it sniffs: Adventures in WarShipping - Larry Pesce

Abusing Active Directory in Post-Exploitation - Carlos Perez

Quantifying the Adversary: Introducing GuerillaSearch and GuerillaPivot -Dave Marcus

A Year in the (Backdoor) Factory - Joshua Pitts

Ball and Chain (A New Paradigm in Stored Password Security) - Benjamin Donnelly and Tim Tomes

Et tu - Kerberos? - Christopher Campbell

Advanced Red Teaming: All Your Badges Are Belong To Us - Eric Smith

Bypassing Internet Explorer's XSS Filter - Carlos Munoz

 Threat Modeling for Realz - Bruce Potter

A Guided Tour of the Internet Ghetto :: Introduction to Tor Hidden Services - Brent Huston

Red Teaming: Back and Forth - 5ever - Fuzzynop

How not to suck at pen testing - John Strand

Mainframes - Mopeds and Mischief; A PenTesters Year in Review - Tyler Wrightson

The Multibillion Dollar Industry That's Ignored - Jason Montgomery and Ryan Sevey

Code Insecurity or Code in Security - Mano 'dash4rk' Paul

C3CM: Defeating the Command - Control - and Communications of Digital Assailants - Russ McRee

So You Want To Murder a Software Patent - Jason Scott

Leonard Isham - Patching the Human Vulns

Burp For All Languages - Tom Steele

Passing the Torch: Old School Red Teaming - New School Tactics - David McGuire and Will Schroeder

I Am The Cavalry: Year [0] - Space Rogue and Beau Woods

University Education In Security Panel - Bill Gardner (@oncee) - Ray Davidson - Adrian Crenshaw - Sam Liles - Rob Jorgensen

What happened to the 'A'? - How to leverage BCP/DR for your Info Sec Program - Moey

Securing Your Assets from Espionage - Stacey Banks

Subverting ML Detections for Fun and Profit - Ram Shankar Siva Kumar - John Walton

Secrets of DNS - Ron Bowes

Snort & OpenAppID: How to Build an Open Source Next Generation Firewall - Adam Hogan

GET A Grip on Your Hustle: Glassdoor Exfil Toolkit - Parker Schmitt - Kyle Stone (essobi) - Chris Hodges (g11tch)

DNS-Based Authentication of Named Entities (DANE): Can we fix our broken CA model? - Tony Cargile

Exploiting Browsers Like A Boss w/ WhiteLightning! - Bryce Kunz

Real World Intrusion Response - Lessons from the Trenches - Katherine Trame and David Sharpe

Application Whitelisting: Be Careful Where The Silver Bullet Is Aimed - David McCartney

NeXpose For Automated Compromise Detection - Luis "connection" Santana

A girl - some passion - and some tech stuff - Branden Miller and Emily Miller

InfoSec - from the mouth of babes (or an 8 year old) - Reuben A. Paul (RAPstar) and Mano Paul

Why Aim for the Ground? - Teaching Our School Kids All of the Right Computer Skills - Phillip Fitzpatrick

NoSQL Injections: Moving Beyond 'or '1'='1' - Matt Bromiley

SWF Seeking Lazy Admin for Cross Domain Action - Seth Art

Planning for Failure - Noah Beddome

The Social Engineering Savants - The Psychopathic Profile - Kevin Miller

Hiding the breadcrumbs: Forensics and anti-forensics on SAP systems - Juan Perez-Etchegoyen

You're in the butter zone now baby. - Chris Scott

Making BadUSB Work For You - Adam Caudill - Brandon Wilson

PassCrackNet: When everything else fails - just crack hashes. - Adam Ringwood

Vulnerability Assessment 2.0 - John Askew

Social Engineering your progeny to be hackers - Sydney Liles

A Brief History of Exploitation - Devin Cook

Hunting Malware on Linux Production Servers: The Windigo Backstory - Olivier Bilodeau

Interceptor: A PowerShell SSL MITM Script - Casey Smith

Egypt - More New Shiny in the Metasploit Framework

The Human Buffer Overflow aka Amygdala Hijacking - Christopher Hadnagy

Shellcode Time: Come on Grab Your Friends - Wartortell

The Internet Of Insecure Things: 10 Most Wanted List - Paul Asadoorian

DDoS Botnet: 1000 Knives and a Scalpel! - Josh Abraham

wifu^2 - Cameron Maerz

Attacking Microsoft Kerberos: Kicking the Guard Dog of Hades - Tim Medin

Attack Paths: Breaking Into Infosec From IT Or Other Totally Different Fields - Eve Adams and Johnny Xmas

How to Secure and Sys Admin Windows like a Boss. - Jim Kennedy

Red white and blue. Making sense of Red Teaming for good. - Ian Amit

Around the world in 80 Cons - Jayson E. Street

Mirage - Next Gen Honeyports - Adam Crompton and Mick Douglas

Active Directory: Real Defense for Domain Admins - Jason Lang

The Wireless World of the Internet of Things - JP Dunning ".ronin"

Hackers Are People Too - Amanda Berlin (Infosystir)

Ethical Control: Ethics and Privacy in a Target-Rich Environment - Kevin Johnson and James Jardine

The Road to Compliancy Success Plus Plus - James Arlen

Are You a Janitor - Or a Cleaner - "John Stauffacher and Matt Hoy

Practical PowerShell Programming for Professional People - Ben Ten (Ben0xA)

GROK - atlas

How building a better hacker accidentally built a better defender - Casey Ellis

Exploring Layer 2 Network Security in Virtualized Environments - Ronny L. Bull - Dr. Jeanna N. Matthews

Hardware Tamper Resistance: Why and How? - Ryan Lackey

Making Mongo Cry-Attacking NoSQL for Pen Testers - Russell Butturini

Step On In - The Waters Fine! - An Introduction To Security Testing Within A Virtualized Environment - Tom Moore

Give me your data! Obtaining sensitive data without breaking in - Dave Chronister

Third Party Code: FIX ALL THE THINGS - Kymberlee Price - Jake Kouns

Just What The Doctor Ordered? - Scott Erven

Powershell Drink the Kool-Aid - Wayne Pruitt - Zack Wojton

powercat - Mick Douglas

Macro Malware Lives! - Putting the sexy back into MS-Office document macros - Joff Thyer

Girl… Fault Interrupted - Maggie Jauregui

Human Trafficking in the Digital Age - Chris Jenks

Cat Herding in the Wild Wild West: What I Learned Running A Hackercon CFP - Nathaniel Husted

How to Stop a Hack - Jason Samide

We don't need no stinking Internet. - Greg Simo

Hacking the media for fame and profit - Jen Ellis and Steve Ragan

Rafal Los - Things Being a New Parent of Twins Teaches You About Security

ZitMo NoM - David Schwartzberg

Penetrate your OWA - Nate Power

RavenHID: Remote Badge Gathering -or- Why we sit in client bathrooms for hours - Lucas Morris - Adam Zamora

Interns Down for What? - Tony Turner

i r web app hacking (and so can you!) - Brandon Perry

Building a Modern Security Engineering Organization - Zane Lackey

Information Security Team Management: How to keep your edge while embracing the dark side - Stephen C Gay

5min web audit: Security in the startup world - Evan Johnson

Project SCEVRON: SCan EVrything with ruby RONin - Derek Callaway

Soft Skills for a Technical World - Justin Herman

Gone in 60 minutes a Practical Approach to Hacking an Enterprise with Yasuo - Saurabh Harit and Stephen Hall

Snarf - Capitalizing on Man-in-the-Middle - Victor Mata - Josh Stone

Electronic locks in firearms - Oh My! - Travis Hartman

The Achilles Heel Of The American Banking System - Brandon Henery and Andy Robins

It's Not Easy Being Purple - Bill Gardner - Valerie Thomas - Amanda Berlin - Eric Milam - Brandon McCann - Royce Davis

Control Flow Graph Based Virus Scanning - Douglas Goddard

Ok - so you've been pwned - now what? - Jim Wojno

Everybody gets clickjacked: Hard knock lessons on bug bounties - Jonathan Cran

Are you a Beefeater - focused on protecting your crown jewels? - Jack Nichelson

Dolla Dolla Bump Key - Chris Sistrunk

What Dungeons & Dragons Taught Me About INFOSEC - Joey Maresca (l0stkn0wledge)

Gender Differences in Social Engineering: Does Sex Matter? - Shannon Sistrunk - Will Tarkington

Introduction to System Hardening - Eddie David

 Hacking your way into the APRS Network on the Cheap - Mark Lenigan

Building a Web Application Vulnerability Management Program - Jason Pubal

Fighting Back Against SSL Inspection - or How SSL Should Work - Jacob Thompson

Physical Security: From Locks to Dox - Jess Hires

Am I an Imposter? - Warren Kopp

Call of Community: Modern Warfare - Ben Ten and Matt Johnson

The Canary in the Cloud - Scot Bernerv



BSides Augusta 2014 Videos
These are the videos from the BSides Augusta conference. Thanks to Lawrence Abrams, and all of the BSides Crew for having me out to help record and render the videos and Pentestfail for manning a capture rig.


Defeating Cognitive Bias and Developing Analytic Technique
Chris Sanders

Chris Sistrunk

Scaling Security Onion to the Enterprise
Mike Reeves

Techniques for Fast Windows Investigations
Tim Crothers

Using Microsoft’s Incident Response Language
Chris Campbell

Is that hardware in your toolkit, or are you just glad you’re keeping up?
Jeff Murri

Chris Truncer

The Adobe Guide to Keyless Decryption
Tim Tomes

App Wrapping: What does that even mean
David Dewey

Adventures in Asymmetric Warfare
Will Schroeder

When Zombies take to the Airwaves
Tim Fowler

Spying on your employees using memory
Jacob Williams

Crazy Sexy Hacking
Mark Baggett

08/21/2014 Passwordscon 2014 Videos
These are the videos from the Passwordscon 2014 conference. Thanks for having me out to help record and render the videos.

Track 1

How we deciphered millions of users’ encrypted passwords without the decryption keys. - Josh Dustin (Canceled)

Is Pavlovian Password Management The Answer? - Lance James

DoCatsLikeLemon? - Advanced phrase attacks and analysis - Marco Preuß

Tradeoff cryptanalysis of password hashing schemes - Dmitry Khovratovich, Alex Biryukov, Johann Großschädl

Using cryptanalysis to speed-up password cracking - Christian Rechberger

Password Security in the PCI DSS - Jarred White

Defense with 2FA - Steve Thomas

I have the #cat so I make the rules - Yiannis Chrysanthou

Penetrate your OWA - Nate Power

Surprise talk + advisory release - Dominique Bongard

All your SAP P@$$w0ЯdZ belong to us - Dmitry Chastuhin, Alex Polyakov

Target specific automated dictionary generation - Matt Marx

Bitslice DES with LOP3.LUT - Steve Thomas

Net hashes: a review of many network protocols - Robert Graham

Energy-efficient bcrypt cracking - Katja Malvoni

The problem with the real world - Michal Špaček

Password Topology Histogram Wear-Leveling, a.k.a. PathWell - Rick Redman

Beam Me Up Scotty! - Passwords in the Enterprise - Dimitri Fousekis

Track 2

Welcome & Announcements - Jeremi Gosney, Per Thorsheim

Opening Keynote - Julia Angwin

Secure your email - Secure your password - Per Thorsheim

Highlights of CMU’s Recent Work in Preventing Bad Passwords - Sean Segreti, Blase Ur

Password Hashing Competition: the Candidates - Jean-Philippe Aumasson

What Microsoft would like from the Password Hashing Competition - Marsh Ray, Greg Zaverucha

How Forced Password Expiration Affects Password Choice - Bruce K. Marshall

Security for the People: End-User Authentication Security on the Internet - Mark Stanislav

Authentication in the Cloud - Building Service - Dan Cvrcek

How EFF is Making STARTTLS Resistant to Active Attacks - Jacob Hoffman-Andrews, Yan Zhu

Proof of work as an additional factor of authentication - Phillippe Paquet, Jason Nehrboss

The future of mobile authentication is here - Sam Crowther

Password hashing delegation: how to get clients work for you - Thomas Pornin

Throw the User ID Down the Well - Daniel Reich

Password Generators & Extended Character Set Passwords - Stephen Lombardo, William Gray

Encryption and Authentication: Passwords for all reasons. - Jeffrey Goldberg

Enhancing Password Based Key Derivation Techniques - Stephen Lombardo, Nick Parker

Capturing Passwords into the Secure Desktop - Marcio Almeida de Macedo, Bruno Gonçalves de Oliveira

08/20/2014 TakeDownCon Rocket City 2014 Videos
These are the videos from the TakeDownCon Rocket City 2014. Thanks to Devona Valdez and Paul Coggin for having me out to record.

Hacking Industrial Control Systems - Ray Vaughn (Not Recorded)

Dropping Docs on Darknets: How People Got Caught - Adrian Crenshaw

How Networks are Getting Hacked: The Evolution of Network Security - Omar Santos

Building on Device Vulnerabilities: Attack Modes for ICS - Bryan Singer

Survival in an Evolving Threat Landscape - David Hobbs

Practical Side Channel Attacks On Modern Browsers - Angelo Prado

IPv6 Attack tools - Soctt Hogg

Mobile Forensics and Its App Analysis - Dr. Charline Nixon

Keynote - How Not to do Security - Kellman Meghu

Baseball, Apple Pies, and Big Data Security Analytics: Shorten the Kill Chain Window - Aamir Lakani

Hijacking Label Switched Networks in the Cloud - Paul Coggin

Shepherd’s Pi - Herding Sheep with a Raspberry Pi - Timothy Mulligan

Radio Hack Shack - Security Analysis of the Radio Transmission - Paula Januszkiewicz

IT Security Myths - "How you are helping your enemy" - Joe Vest

Splinter the RAT Attack: Creating Custom RATs to Exploit the Network - Solomon Sonja

Policy Defined Segmentation with Metadata - Scott Kirby

Cyber Attack Mitigation - Christopher Elisan

08/12/2014 Defcon Wireless Village 2014 (Defcon 22) Videos
These are the videos from the Defcon Wireless Village 2014 (Defcon 22). Thanks to the Village People for putting on the event, especially Maeltac for recording.


So ya wanna get into SDR? - Russell Handorf

Pentoo Primer - Village People

802.11ac Evolution: Data rates and Beamforming - Eric Johnson

Practical Foxhunting 101 - SimonJ

Pwn Phone: gg next map - Timothy Mossey

Hacking 802.11 Basics - Benjamin Smith

UAV-Assisted Three-Dimensional Wireless Assessments - Scott Pack & Dale Rowe

Manna from Heaven; Improving the state of wireless rogue AP attacks - Dominic White & Ian de Villiers

ApiMote: a tool for speaking 802.15.4 dialects and frame injection - Ryan Speers & Sergey Bratus

Pineapple Abductions - Craig Young

Choosing your next antenna, types, power, sizes, the truth. - Raul J Plà

Introduction to the Nordic nRF24L01+ - Larry Pesce

Driver-less Wireless Devices - Dominic Spill & Dragorn

Hacking the Wireless World with Software Defined Radio - 2.0 - Balint Seeber

The NSA Playset: Bluetooth Smart Attack Tools - Mike Ryan

PortaPack: Is that a HackRF in your pocket? - Jared Boone

PHYs, MACs, and SDRs - Robert Ghilduta

SDR Tricks with HackRF - Michael Ossmann

SDR Unicorns Panel - Robert Ghilduta & Michael Ossmann & Balint Seeber

Inside The Atheros WiFi Chipset - Adrian Chadd

08/11/2014 BSides Las Vegas 2014 Videos
These are the videos from the BSides Las Vegas conference. Thanks to all of the BSides Crew for having me out to help record and render the videos.

@bsideslv, @banasidhe, @jack_daniel, @SciaticNerd and all my video crew

Breaking Ground

Opening Keynote -- Beyond Good and Evil: Towards Effective Security - Adam Shostack

USB write blocking with USBProxy - Dominic Spill

Allow myself to encrypt...myself! - Evan Davison

What reaction to packet loss reveals about a VPN - Anna Shubina • Sergey Bratus

Untwisting the Mersenne Twister: How I killed the PRNG - moloch

Anatomy of memory scraping, credit card stealing POS malware - Amol Sarwate

Cluck Cluck: On Intel's Broken Promises - Jacob Torrey

A Better Way to Get Intelligent About Threats - Adam Vincent

Bring your own Risky Apps - Michael Raggo • Kevin Watkins

Invasive Roots of Anti-Cheat Software - Alissa Torres

Vaccinating Android - Milan Gabor • Danijel Grah

Security testing for Smart Metering Infrastructure - Steve Vandenberg • Robert Hawk

The Savage Curtain - Tony Trummer • Tushar Dalvi

We Hacked the Gibson! Now what? - Philip Young

Closing Keynote It\'s A S3kr37  (Not recorded :( )

Proving Ground

#edsec: Hacking for Education - Jessy Irwin

So, you want to be a pentester? - Heather Pilkington (Not Recorded)

Securing Sensitive Data: A Strange Game - Jeff Elliot

Brick in the Wall vs Hole in the Wall - Caroline D Hardin

Cut the sh**: How to reign in your IDS. - Tony Robinson/da_667

Geek Welfare -- Confessions of a Convention Swag Hoarder - Rachel Keslensky

No InfoSec Staff? No Problem. - Anthony Czarnik

Can I Code Against an API to Learn a Product? - Adrienne Merrick-Tagore

Bridging the Air Gap: Cross Domain Solutions - Patrick Orzechowski

Back Dooring the Digital Home - David Lister

iOS URL Schemes: omg:// - Guillaume K. Ross

Oops, That Wasn't Suppossed To Happen: Bypassing Internet Explorer's Cross Site Scripting Filter - Carlos Munoz

What I've Learned As A Con-Man - MasterChen

Training with Raspberry Pi - Nathaniel Davis

Black Magic and Secrets: How Certificates Influence You! - Robert Lucero

Attacking Drupal  -Greg Foss

Hackers vs Auditors - Dan Anderson

Third-Party Service Provider Diligence: Why are we doing it all wrong? - Patrice Coles

Pwning the hapless or How to Make Your Security Program Not Suck - Casey Dunham • Emily Pience

Teach a man to Phish... - Vinny Lariza

The Lore shows the Way - Eric Rand

Common Ground

SHA-1 backdooring and exploitation - Jean-Philippe Aumasson

Evading code emulation: Writing ridiculously obvious malware that bypasses AV - Kyle Adams

Security Management Without the Suck - Tony Turner • Tim Krabec

Vulnerability Assessments on SCADA: How i 'owned' the Power Grid. - Fadli B. Sidek (not posted)

Malware Analysis 101 - N00b to Ninja in 60 Minutes - grecs

Travel Hacking With The Telecom Informer - TProphet

The untold story about ATM Malware - Daniel Regalado

Using Superpowers for Hardware Reverse Engineering - Joe Grand

Why am I surrounded by friggin' idiots?!? (Because you hired them!) - Stephen Heath

Demystiphying and Fingerprinting the 802.15.4/ZigBee PHY - Ira Ray Jenkins • Sergey Bratus

Insider Threat Kill Chain: Human Indicators of Compromise - Ken Westin

A Place to Hang Our Hats: Security Community and Culture - Domenic Rizzolo

Booze, Devil's Advocate, and Hugs: the Best Debates Panel You'll See at BSidesLV 2014 - David Mortman • Joshua Corman • Jay Radcliffe • Zach Lanier • David Kennedy

Pwning the Pawns with WiHawk - Santhosh Kumar • Anamika Singh (Missing?)

Ground Truth

The Power Law of Information - Michael Roytman

Measuring the IQ of your Threat Intelligence feeds - Alex Pinto • Kyle Maxwell

Strategies Without Frontiers - Meredith L. Patterson

ClusterF*ck - Actionable Intelligence from Machine Learning - Mike Sconzo

Know thy operator - Misty Blowers

Improving security by avoiding traffic and still get what you want in data transfers - Art Conklin

The Semantic Age - or - A Young Ontologist's Primer

I Am The Cavalry Q&As

07/20/2014 BSides Cleveland 2014 Videos
These are the videos from the Bsides Cleveland conference. Thanks to  &  as the video team. Thanks to twuntymcslore & RockieBrockway for being con mom & dad.

Keynote: Destroying Education and Awareness - David Kennedy

Track 1

APT2 - Building a Resiliency Program to Protect Business - Edward McCabe

Threat Models that Exercise your SIEM and Incident Response - J. Wolfgang Goerlich and Nick Jacob

Fun with Dr. Brown - Spencer McIntyre

Malware Evolution & Epidemiology - Adam Hogan

Plunder, Pillage and Print - The art of leverage multifunction printers during penetration testing - Deral Heiland

Seeing Purple: Hybrid Security Teams for the Enterprise - Mark Kikta (Not posted)

Attacking and Defending Full Disk Encryption - Tom Kopchak

Track 2

Phishing Like a Monarch With King Phisher - Brandon Geise and Spencer McIntyre

The importance of threat intel in your information security program - Jamie Murdock

Lockade: Locksport Electronic Games - Adrian Crenshaw

Pentesting Layers 2 and 3 - Kevin Gennuso and Eric Mikulas

Cleveland Locksport - Jeff Moss, Doug Hiwiller, and Damon Ramsey

Hacking Diversity - Gregorie Thomas

PowerShell: cool $h!t - Zach Wojton

Thinking Outside the Bunker: Security as a practice, not a target - Steven Legg

Password Defense: Controls your users won’t hate - Nathaniel Maier

Am I an Imposter? - Warren Kopp



OISF 2014 Videos
These are the videos from the OISF Anniversary Event


For the Love of God, DEFEND YOUR MOBILE APPS! Part 2 - Jerod Brennen

Destroying Education and Awareness - Dave Kennedy

Lockade: Electronic Games for Locksport - Adrian Crenshaw

Modern Times: Passwords - Tom Webster

Praeda to PraedaSploit: The embedded device data Harvesting tool for the masses - Deral Heiland “Percent_X”

06/15/2014 Circle City Con 2014 Videos

These are the Circle City Con videos. Thanks to the staff for inviting me down to record. Big thanks to Oddjob, Glenn, James, Mike, Nathan, Chris and Branden for helping set up AV and record.


Conference Opening

Keynote - Beau Woods

Containing Privileged Processes with SELinux and PaX and Attacking Hardened Systems - Parker Schmitt

Whitelist is the New Black - Damian Profancik

Developing a Open Source Threat Intelligence Program - Edward McCabe

Blurred Lines- When Digital Attacks Get Physical - Phil Grimes

Hackers, Attack Anatomy and Security Trends - Ted Harrington

Exploring the Target Exfiltration Malware with Sandbox Tools - Adam Hogan

Day 2

From Grunt to Operator - Tom Gorup

Moving the Industry Forward - The Purple Team - David Kennedy

Software Assurance Marketplace (SWAMP) - Von Welch

OWASP Top 10 of 2013- It’s Still a Thing and We’re Still Not Getting It - Barry Schatz

Tape Loops for Industrial Control Protocols - K. Reid Wightman

OpenAppID- Open Source Next Gen Firewall with Snort - Adam Hogan

Challenge of Natural Security Systems - Rockie Brockway

InfoSec Big Joke - 3rd Party Assessments - Moey (Not recorded)

How to create an attack path threat model - Wolfgang Goerlich

Day 3

Are You a Janitor or a Cleaner - John Stauffacher / Matt Hoy

Ain’t No Half-Steppin’ - Martin Bos

Track 2

Competitive Hacking- why you should capture the flag - Steve Vittitoe

3 Is a Magic Number (or your Reality Check is About to Bounce) - Edward McCabe

The TrueCrypt audit- How it happened and what we found - Kenneth White

Seeing Purple- Hybrid Security Teams for the Enterprise - Mark Kikta (Beltface)

Eyes on IZON- Surveilling IP Camera Security - Mark Stanislav

Cognitive Bias and Critical Thinking in Open Source Intelligence (OSINT) - Benjamin Brown

Day 2

Hackers Are People Too - Amanda Berlin

gitDigger- Creating useful wordlists and hashes from GitHub repositories - Jaime Filson

Retrocomputing And You - Machines that made the ‘net - Pete Friedman

Doge Safes- Very Electronic, Much Fail, WOW! - Jeff Popio

Human Trafficking in the Digital Age - Chris Jenks

Keys That Go *Bump* In The Night - Loak

How Hackers for Charity (Possibly) Saved Me a LOT of Money - Branden Miller & Emily Miller

Ten Commandments of Incident Response (For Hackers) - Lesley Carhart

Threat Modeling- Fear, Fun, and Operational - James Robinson

Decrypting Communication- Getting Your Point Across to the Masses - Katherine Cook Frye

How often should you perform a Penetration Test - Jason Samide

Proactive Defense - Eliminating the Low Hanging Fruit - Matt Kelly

Active Directory- Real Defense for Domain Admins - Jason Lang

Day 3

Profiling Campus Crime - Chris J., Jason J., Katelyn C.,Alex H.

Proper Seasoning Improves Taste - James Siegel

Executive Management Manaing the Executives Beau Woods & Engaging the Media API Steve Ragan

06/06/2014 And We're Back!
Looks my account is reinstated. Let me know if any videos seem to be deleted.
Hi there,

After a review of your account, we have confirmed that your YouTube account is not in violation of our Terms of Service. As such, we have unsuspended your account. This means your account is once again active and operational.

If you forgot your password, please visit this link to reset it:


The YouTube Team

©2014 YouTube, LLC 901 Cherry Ave, San Bruno, CA 94066




Google & Youtube

I woke up today to find a bunch of Facebook/Twitter messages that said my Youtube account was suspended. If you know someone at Google who can directly help me, let me know (their email support fails the Turing test). These are the messages I got from them.

YouTube | Broadcast Yourself™

Regarding your account: Adrian Crenshaw

The YouTube Community has flagged one or more of your videos as inappropriate. Once a video is flagged, it is reviewed by the YouTube Team against our Community Guidelines. Upon review, we have determined that the following video(s) contain content in violation of these guidelines, and have been disabled:

Your account has received one Community Guidelines warning strike, which will expire in six months. Additional violations may result in the temporary disabling of your ability to post content to YouTube and/or the permanent termination of your account.

For more information on YouTube's Community Guidelines and how they are enforced, please visit the help center.

Please note that deleting this video will not resolve the strike on your account. For more information about how to appeal a strike, please visit this page in the help center.


The YouTube Team

Copyright © 2014 YouTube, LLC


We'd like to inform you that due to repeated or severe violations of our Community Guidelines (http://www.youtube.com/t/community_guidelines) your YouTube account Adrian Crenshaw has been suspended. After review we determined that activity in your account violated our Community Guidelines, which prohibit spam, scams or commercially deceptive content. Please be aware that you are prohibited from accessing, possessing or creating any other YouTube accounts. For more information about account terminations and how our Community Guidelines are enforced, please visit our Help Center at https://support.google.com/youtube/bin/answer.py?answer=92486&hl=en.
©2014 YouTube, LLC 901 Cherry Ave, San Bruno, CA 94066


Come on Guys! is it just because of viagra in the title? Please get our InfoSec videos back up! (pun intended)


BSides Nashville 2014 Videos
These are the videos BSides Nashville 2014 Videos. Thanks to @lil_lost for inviting me down to record and being my bodyguard while in Nashville. Big thanks to Geoff Collins, Branden Miller, Blake Urmos, Don Baham, Gabe Bassett and Some Ninja Master for helping set up AV and record.

Main Hall

Welcome to BSides Nashville
BSides, Harmonicas, and Communication Skills - Jack Daniel
Closing Ceremonies

INFOSEC 101 Track

Attack Paths: Breaking Into Infosec From IT Or Other Totally Different Fields - Eve Adams
Learn From Your Mistakes - Adam Len Compton
Beating the Infosec Learning Curve Without Burning Out - Scott Thomas
Sun Tzu was a punk! Confucius was an InfoSec rockstar! - Branden Miller
Around the world in 80 Cons - Jayson E Street Not Recorded

INFOSEC 418 Track

Making Mongo Cry: Automated NoSQL exploitation with NoSQLMap - Russell Butturini
Buy Viagra! - Matt Smith
How do I hack thee? Let me count the ways - Stewart Fey
Healthcare Security, which protocal? - Adam John
Why you can't prove you're PWND, but you are! - Ben Miller

INFOSEC 429 Track

Bending and Twisting Networks - Paul Coggin
Succeeding with Enterprise Software Security Key Performance Indicators - Rafal Los
Scaling Security in the Enterprise: Making People a Stronger Link - Kevin Riggs
Closing the time to protection gap with Cyber Resiliency - John Pirc Did not happen, replaced with:
Applying analog thinking to digial networks Winn Schwartau (@winnschwartau)
Seeing Purple: Hybrid Security Teams for the Enterprise - Mark Kikta

05/11/2014 Nmap Class for Hackers For Charity
This is the Nmap class the Kentuckiana ISSA put on to support Hackers For Charity. Speakers include Jeremy Druin @webpwnized, Martin Bos @purehate_ and me @irongeek_adc. If you like the videos, please consider donating to Hackers For Charity.

ShowMeCon 2014 Videos
These are the videos ShowMeCon 2014. Thanks to Renee & Dave Chronister (@bagomojo), Ben Miller (@Securithid) and others for having me out to record and speak. Also thanks to my video crew Josh Tepen, Robert Young, Kali Baker, Andrew Metzger & Brian Wahoff.

Introduction - Parameter
Hacking Hollywood - Ralph Echemendia
Give Me Your Data - Dave Chronister
Terminal Cornucopia: Demystifying The Mullet - Evan Booth
Thinking Outside The (Sand)Box - Kyle Adams
Protecting The Seams: Military Doctrine Applied To Application And Network Security - Paul Vencill
Start With The BPT Then Worry About The APT! - Kevin Cardwel
Introduction - Parameter (Rolled in with next talk)
Cognitive Injection - Andy Ellis
Inside The World’S Most Dangerous Search Engine - John Matherly
Hacking To Get Caught: A Concept For Adversary Replication And Penetration Testing - Raphael Mudge
Power-Ups And Princesses: What Video Games Taught Me About Building A Security Awareness Program - Aamir Lakhani
Powershell And You: Using Microsoft’S Post-Exploitation Language - Chris Campbell
Dropping Docs On Darknets: How People Got Caught - Adrian Crenshaw
Around The World In 80 Cons - Jayson E Street (not recorded)
Threat Modeling In The C-Suite, A Practical Guide - Erick Rudiak (pending review)
The Call Of Community: Modern Warfare - Ben0xa 
Physical (In)Security - It’S Not All About Cyber - Inbar Raz
Bending And Twisting Networks - Paul Coggin
Here, Let Me Hold That For You. Consumer Metadata And Its Dangers - Robert Reed

04/28/2014 BSides Chicago 2014 Videos
These are the videos from the BSides Chicago conference. Thanks to all of the BSides organizers @elizmmartin and  @securitymoey for having me out to help record and render the videos. Also big thanks to the @BSidesChicago A/V crew Chris Hawkins
@Lickitysplitted, Todd Haverkos @phoobar, Jason Kendall @coolacid and Asim.

Aligning Threats and Allies through Stories - J Wolfgang Goerlich and Steven Fox - @jwgoerlich @securelexicon

The Ultimate INFOSEC Interview: "Why must I be surrounded by frickin' idiots?" -- Dr. Evil, 1997 - Stephen Heath - @dilisnya

Call of Community: Modern Warfare - Matt Johnson & Ben Ten - @mwjcomputing @Ben0xA

How To Win Friends and Influence Hackers - Jimmy Vo - @JimmyVo

Checklist Pentesting; Not checklist hacking - Trenton Ivey - @trentonivey

Seeing Purple: Hybrid Security Teams for the Enterprise - Belt - @b31tf4c325

Looking for the Weird - Charles Herring - @charlesherring

InfoSec Big Joke: 3rd Party Assessments - moey - @securitymoey

Bypassing EMET 4.1 - Jared DeMott - @jareddemott

Comparing Risks to Risks - Why Asset Management Is Broken and How to Fix It. - Michael Roytman - @mroytman

Bioinformatics: Erasing the line between biology and hacking - Krystal Thomas-White and Patrick Thomas - @coffeetocode

Building an AppSec Program from Scratch - Chris Pfoutz - @cpfoutz

Minecraft Security - Riese Goerlich

The SMB Security Gap - Mike Kavka - @SiliconShecky

Everything I Ever Needed to Know About Infosec, I Learned from Hollywood - Tom Ervin - @TechByTom

Sit, stay, proxy. Good beagle. Why I love the beaglebone black and why you should too. - Colin Vallance - @_CRV

Hacking Diversity in InfoSec - Greg Thomas - @minossec

04/13/2014 Notacon 11 (2014) Videos
These are the videos from the 11th Notacon conference held April 10th-13st, 2014. Not all of them are security related, but  I hope my viewers will enjoy them anyway. Thanks to Froggy and Tyger for having me up, and to the video team: Securi-D, Ross, KP, Jeff and myself (Let me know who else to add).

Track 1

Big Data Technology - The Real World ‘Minority Report’ - Brian Foster

Naisho DeNusumu (Stealing Secretly) - Exfiltration Tool/Framework - Adam Crompton

Wireless Mesh Protocols - Alex Kot

MDM is gone, MAM is come. New Challenges on mobile security - Yury Chemerkin

Moving the Industry Forward - The Purple Team - David Kennedy

Pwning the POS! - Mick Douglas

Nindroid: Pentesting Apps for your Android device - Michael Palumbo

Building a private data storage cloud - Michael Meffie

Lessons Learned Implementing SDLC - and How To Do It Better - Sarah Clarke

Plunder, Pillage and Print - Deral Heiland & Peter Arzamendi

Microsoft Vulnerability Research: How to be a finder as a vendor - Jeremy Brown & David Seidman

SMalware Analysis 101 - N00b to Ninja in 60 Minutes - grecs

Omega - A Universe Over IP - Mo Morsi

IRS, Identity Theft, and You (or Someone Pretending to Be You). - 123-45-6789

Track 2

All About the Notacon Badge -Sam Harmon

Collaboration between Artificial Intelligence and Humans: How to cure every disease within 50 years - Joe O’Donnell

Science “Fair” - The Nomad Clan

Hacking Your Way Into the APRS Network on the Cheap - Mark Lenigan

Dominate! (Or let your computer do it for you.) - Paul Jarc

Wearable Technology as Art for Countersurveillance, Cinemaveillance, and Sousveillance - Ross Bochnek

3D Printing for Work and Fun (temp title) - Mirabela Rusu

Comparing “Go Green” With “Common Sense” - Suellen Walker

Living in the Future: It seems to be in Beta - Jeff Goeke-Smith

A Brief Introduction to Game Theory - Charlotte DeKoning - Beyond Using The Buddy System - Holly Moyseenko & Kris Perch


03/27/2014 Lockade: Locksport Electronic Games
This page is mostly going to be a place holder till I get all the games up. Gamification can make learning more fun, and some people are inspired and motivated by competition. This talk will be on integrating hobbyist electronics with lock picking games. We will show rough schematics, release code, and invite people to play the games at cons.
03/10/2014 ASAReaper: Grab Configs From Multiple Cisco Devices Over SSH (Demos PExpect and AES Encrypted INI Files in Python) Updated
Mostly updated for longer timeouts and to use "more system:run" so you can save passwords in the configs too. You should now just have to edit the commandonall and prefixonall to set the script up to run a given command on a series of Cisco ASAs in every context.


So does IU Southeast and Indiana University take Linda Christiansen's plagiarism seriously?
The answer is apparently no. I've includes my emails with IU officials on the matter. Apparently, plagiarism is ok at IU/Indiana University Southeast if you are tenured faculty and it's only a business law and ethics syllabus.
02/10/2014 BSides Huntsville 2014 Videos
These are the videos from the BSides Huntsville conference. Thanks to @PaulCoggin, @CharlineNixon and all of the BSides Crew for having me out to help record and render the videos. Sorry for the bad sound, we had to go ambient in a crowded room.

BSides Huntsville 2014 - Intro

Building The Future of P-12 Cyber Education - Dr. Casey Wardynski

Cyber Security Program At HAH - Dr. Ray Vaughn

1337 in the Library: Obtaining your information security education on the cheap - Adrian Crenshaw @irongeek_adc

Zero to Hero: Breaking into the security Field - Jeremy Conway

Certifications in Cybersecurity - Adam Wade Lewis

Trojans - The Forgotten Enemy - Dave Chronister

The Amazing Cybermen - Ben McGee

Why you are pwn’d and don’t know it! - Ben Miller

Cyber Security, What's The Fuss? - Deborah William

HTTPS: Now You See Me - Tim Mullican

Introduction to hacking with PowerShell - Scott Busby

All You Base Still Belong To Us: Physical Penetration Testing Tales From The Trenches - Valerie Thomas - @hacktress09

Digital Energy BPT - Paul Coggin
02/01/014 Intro to Darknets: Tor and I2P Workshop
This class introduces students to the I2P and Tor Darknets. We cover setting up Tor & I2P, the basics of use, and how to make hidden services. We also go over case examples like Eldo Kim Harvard & the Harvard Bomb Threat, Hector Xavier Monsegur (Sabu)/Jeremy Hammond (sup_g) & LulzSec, Freedom Hosting & Eric Eoin Marques and finally Ross William Ulbricht/“Dread Pirate Roberts” of the SilkRoad, to explain how people have been caught and how it could have been avoided.
01/30/2014 10 Years Of Irongeek.com
Today marks the 10th anniversary of Irongeek.com's existence. Also, the Intro to I2P/Tor Workshop Notes have been updated.

ShmooCon Firetalks 2014
These are the videos for the ShmooCon Firetalks 2014. Day 2 I overslept, but Squidly1 got me copies from Ted's recordings ( http://www.MediaArchives.tv ).

Thanks to:

Day 1

Welcome grecs
Eyes on IZON: Surveilling IP Camera Security - Mark “@markstanislav” Stanislav
Get Out of Jail Free Cards? What Aviation Can Teach Us About Information Sharing - Bob “@strat” Stratton
Crossing the Streams with State Machines in IDS Signature Languages - Michael “@michaelrash” Rash
Another Log to Analyze - Utilizing DNS to Discover Malware in Your Network - Nathan “@HackHunger” Magniez
Windows Attacks: AT is the New Black - Rob “@mubix” Fuller
Weaponizing Your Pets: War Kitteh and the Denial of Service Dog - Gene “@gbransfield” Bransfield
Women's Tech Collective, and Gender Equality in Tech - Sarah “@dystonica” Clarke

Day 2

Welcome grecs
You Name It, We Analyze It - Jim “@JimGilsinn” Gilsinn
Having Your Cake and Eating It Too: FOIA, Surveillance, and Privacy - Michael “@theprez98? Schearer
Building An Information Security Awareness Program From Scratch - Bill “@oncee” Gardner
TrendCoins: Making Money on the Bitcoin/Altcoin Trends - Zac “@ph3n0? Hinkel
Writing Your Own Disassembler in 15 Minutes - Jay “@computerality” Little

01/17/2014 Installing Nessus on Kali Linux and Doing a Credentialed Scan
I recorded this video twice. First time, the sound was hideous when the fan came on. I decided to re-record it and post both versions. I cover installing Nessus on Kali Linux and doing Nessus credentialed scans using Windows passwords and Linux SSH keys.
01/13/2014 Update of the Linda Christiansen Plagiarism case in the article Critically Plagiarizing?: Ideas On Spotting Plagiarism
Just a small update after I got some data back from my open records request.

SkyDogCon 2013 Videos
Here are the videos from SkyDogCon 3. Thanks to all of the SkyDogCon crew, especially @pentestfail who was in charge of video (I just spoke at this con, and killed my brain and liver cells). @pentestfail may still be working on some of the missing videos, so I plan to update this page later

Opening Remarks & Hack the Badge

Curtis Koenig: Hacking Your Career

Nathan Magniez: Alice in Exploit Redirection Land: A Trip Down the Rabbit Hole

Explanation of Contests

Security Phreak & SkyDog: The Dark Arts of OSINT

G. Mark Hardy: How the West was Pwned

Winn Schwartau: I Survived Rock and Roll!

Jon Callas: Do You Want to Know a Secret?

Billy Hoffman: Start Ups and Lessons Learned

Panel Talk: Building and Growing a Hacker Space With: l0stkn0wledge, Dave Marcus, and SkyDog

IronGeek & SkyDog: Con Video Rig Enhancements

Evan Booth: Terminal Cornucopia

Deviant Ollam: Android Phones Can Do That?!?: Custom Tweaking for Power Security Users

Branson Matheson: Hacking Your Minds & Emotions

Billy Hoffman: Inside the Hacker’s Studio Interviews Dave Marcus: Director and Chief Architect of Threat Research and Intelligence for McAfee®'s Federal Advanced Programs Group

Josh Schroeder: CCTV: Setup Attack Vectors and Laws

Travis Goodspeed: Building an Actively Antiforensic iPod

Branden Miller: NSA Wiretaps Are Legal and Other Annoying Facts


Vivek Shandilya: Lightning Talks

Charline Nixon: Lightning Talks

Chris Anderson: Operational Security and Your Mental Health

Michael Raggo: Data Hiding and Steganography

Closing Remarks / Good-Byes

12/26/2013 Intro to I2P/Tor Workshop Notes Updated
I'm working on updating my I2P/Tor Workshop Notes for a class I'll be doing soon. Please look at them and offer suggestions on extra topics I should cover.
12/26/2013 IU Southeast School of Business to offer an MIS (Management Information Systems) Masters degree? Yes, same people behind the IUS MBA.
I recently heard that IU Southeast is planning to offer an MIS (Management Information Systems) Masters degree. While I think their Computer Science and Informatics Schools seem good, since the degree would be co-ran by the School of Business I would not recommend it to anyone in the Louisville area under its current leadership. Anyplace where an IU Southeast Business Law & Ethics instructor appears to plagiarize on her own syllabus that warns that students will be instantly failed for plagiarism, and asking simple questions about laws as it relates to technology is considered "excessive us of jargon", is not a good place for IT people (and especially security people concerned with integrity) to be. While the School of Business at IUS has its current leadership, I strongly recommend that you steer clear if you really want to learn. Just figured I'd help others not go through the same things I did there.
12/14/2013 Intro to Metasploit Class at IU Southeast
This is a class we did to introduce students to Metasploit at IU Southeast. Special guest lecturer Jeremy Druin (@webpwnize). To follow along, I recommend downloading Kali Linux.
12/02/2013 Critically Plagiarizing?: Ideas On Spotting Plagiarism
Just a few tips for how to find plagiarism online, thanks to my old IU Southeast Business Law & Ethics teacher Linda Christiansen for giving me the example material.

BSides Delaware 2013 Videos
These are the videos from the BSides Delaware conference. Thanks to all of the BSides Crew for having me out to help record and render the videos.

@bsidesde, @kickfroggy, @quadling

110 Years of Vulnerabilities 
Brian Martin, aka Jericho
HTML 5 Security
Justin Klein Keane @madirish2600

Cloud - Business and Academia - Bringing it all together
Cloud Security Alliance - Delaware Valley Board

Uncloaking IP Addresses on IRC
Derek Callaway @decalresponds

Baking, even more, Clam(AV)s for Fun & Profit.
Nathan Gibbs @Christ_Media

Introducing Intelligence Into Your Malware Analysis
Brian Baskin
ANOTHER Log to Analyze - Utilizing DNS to detect Malware in Your Network
Nathan Magniez @HackHunger

Software Security: Game Day.
Evan Oslick @eoslick

Winning isn't Everything: How Trolling can be as much Fun
Joey @l0stkn0wledge
Antipwny: A Windows Based IDS/IPS for Metasploit
Rohan Vazarkar & David Bitner

Playing the Forensics Game: Forensic Analysis of Gaming Applications For Fun and Profit
Peter Clemenko III

Project.Phree: Phucking the NSA
BTS (square-r00t)

Hacking Benjamins (Intro to Bitcoin)
Bob Weiss @pwcrack

Wireless Penetration Testing For Realz

How to Become an Unwitting Accomplice in a Phishing Attack
Mark Hufe @hufemj

LinkedAllUpIn Your Email

Growing Up In The Information Security Community 
11/01/2013 ISSA Kentuckiana - RESTful Web Services - Jeremy Druin - @webpwnized
Jeremy Druin (@webpwnize) gave the following presentation at the Nov 2013 meeting of the Kentuckiana ISSA.
10/30/2013 Circle City Con (http://circlecitycon.com) Hacker/Security Conference happening on June 13-15, 2014, Hyatt Regency, Indianapolis Indiana
Looks like I have another almost local con to go to, Circle City Con in Indy! I'll be doing video baring unforeseen circumstances, and may toss something into their CFP (please consider sending something in). More info at http://circlecitycon.com or Twitter stalk them at @CircleCityCon.


The Rest of the Hack3rcon^4 Videos
Here are there rest of the videos from Hack3rcon^4

ANOTHER Log to Analyze - Utilizing DNS to Identify Malware - Nathan Magniez

Netsniff-NG - Jon Schipp

SDRadio: Playing with your Dongle - An Introduction to Software Defined Radio Using Cheap TV Tuner Cards - Justin Rogosky

10/20/2013 Hack3rcon^4 Videos
As I post them, they will be at the link above. So far we have:

Advanced Evasion Techniques - Pwning the Next Generation Security Products - David Kennedy

Imaging a Skyscraper - Brian Martin

Character Assassination: Fun and Games with Unicode - Adrian Crenshaw

MS08-067 Under the Hood - John Degruyter

NSA Wiretaps are Legal and Other Annoying Facts - Branden Miller

Red Teaming Your Bug-Out Bag - Tom Moore

Making it Rain and Breaching the Levees - K.C. Yerrid

10/07/2013 Louisville InfoSec 2013 Videos Mostly Up

These are the videos from Louisville Infosec 2013 conference. There are not all up yet, but this is my place holder.

Mobile Security and the Changing Workforce - Matthew Witten

Burn it Down! Rebuilding an Information Security Program - Dave Kennedy (Pending review)

Weaponized Security - Kellman Meghu

Information Security in University Campus and Open Environments - Adrian Crenshaw

Past Due: Practical Web Service Vulnerability Assessment for Pen-Testers, Developers, and QA - Jeremy Druin (Pending finished upload)

STRC: The Security Training and Research Cloud - Jimmy Murphy

Assessing Mobile Applications with the MobiSec Live Environment - Nathan Sweeney

Attacking iOS Applications - Karl Fosaaen

Can cloud and security be used in the same sentence? - Joshua Bartley

Breaking SCADA Communications - Mehdi Sabraoui

FBI - InfraGard - Current Cyber Trends

How Do I Get There from Here? Security-to-Privacy Career Migration - Michael Carr

Assessing the Risk of Unmanaged Devices (BYOD) - Pete Lindstrom

Acquisitions…your latest zero day - Mitch Greenfield/Scott MacArthur

NIST and your risky application - Conrad Reynolds

Convergence: Configurations, Vulnerabilities and Unexpected Changes - Brian Cusack

What Healthcare Can Learn from the Banking Industry - Jim Czerwonka

Eliminating Data Security Threats And BYOS - David Braun


10/04/2013  Derbycon 3.0 Videos Tracks 3, 4, 5 & Stable Talks Posted

Track 3 (Teach Me)
It's Only a Game: Learning Security through Gaming - Bruce Potter
Ooops - Now What? :: The Stolen Data Impact Model (SDIM) - Brent Huston
Anti-Forensics: Memory or something - I forget. - int0x80
The Mysterious Mister Hokum - Jason Scott
Appsec Tl;dr - Gillis Jones
DIY Command & Control For Fun And *No* Profit - David Schwartzberg
IPv6 is here (kind of) - what can I do with it? - Dan Wilkins
Dancing With Dalvik - Thomas Richards
Big Hugs for Big Data - Davi Ottenheimer
Antivirus Evasion: Lessons Learned - thelightcosine
Jared DeMott - Is Auditing C/C++ Different Nowadays?
Getting Schooled: Security with no budget in a hostile environment - Jim Kennedy
Browser Pivoting (FU2FA) - Raphael Mudge
Taking the BDSM out of PCI-DSS Through Open-Source Solutions - Zack Fasel & Erin “SecBarbie” Jacobs
John Strand - Hacking Back - Active Defense and Internet Tough Guys
An Encyclpwnia of Persistence - Skip Duckwall & Will Peteroy
Your Turn! - Johnny Long - HFC
Practical File Format Fuzzing - Jared Allar
Surviving the Dead - Christopher ‘EggDropX’ Payne
How can I do that? Intro to hardware hacking with an RFID badge reader - Kevin Bong
A SysCall to ARMs - Brendan Watters
The Netsniff-NG Toolkit - Jon Schipp
Why Dumpster Dive when I can pwn right in? - Terry Gold

Track 4 (The 3-Way)     
Pigs Don’t Fly - Why owning a typical network is so easy - and how to build a secure one. - Matt “scriptjunkie” Weeks
Finding The Signal in the Noise: Quantifying Advanced Malware - Dave Marcus
Applying the 32 Zombieland Rules to IT Security - Larry Pesce
Windows 0wn3d By Default - Mark Baggett
Android 4.0: Ice Cream “Sudo Make Me a” Sandwich - Max Sobell
Attacking the Next Generation Air Traffic Control System; Hackers - liquor and commercial airliners. - Renderman
Antivirus Evasion through Antigenic Variation (Why the Blacklisting Approach to AV is Broken) - Trenton Iveys
Hello ASM World: A Painless and Contextual Introduction to x86 Assembly - nicolle neulist (rogueclown)
SQL injection with sqlmap - Conrad Reynolds CISA
The Internet of Things: Vulns - Botnets and Detection - Kyle Stone (@essobi) - Liam Randall
The Malware Management Framework - a process you can use to find advanced malware. We found WinNTI with it! - Michael Gough and Ian Robertson
Hack the Hustle! - Eve Adams
Operationalizing Security Intelligence in the Enterprise- Rafal Los
New Shiny in the Metasploit Framework - egypt
Everything you ever wanted to know on how to start a Credit Union - but were afraid to ask. - Jordan Modell
A developer’s guide to pentesting - Bill Sempf
Steal All of the Databases. - Alejandro Caceres
Sandboxes from a pen tester’s view - Rahul Kashyap
iOS Reverse #=> iPWn Apps - Mano ‘dash4rk’ Paul
Terminal Cornucopia - Evan “treefort” Booth
Wait; How is All This Stuff Free?!? - Gene Bransfield

Track 5 - Hybrid Room     
Building An Information Security Awareness Program from Scratch - Bill Gardner - Valerie Thomas
Malware : testing malware scenarios on your network - Tony Huffman (@myne_us) - Juan Cortes (@kongo_86)
Password Intelligence Project - Advanced Password Recovery and Modern Mitigation Strategies - John Moore “Rabid Security”
Tizen Security: Hacking the new mobile OS - Mark Manning (AntiTree)
RAWR - Rapid Assessment of Web Resources - Adam Byers - Tom Moore
Decoding Bug Bounty Programs - Jon Rose
Patching Windows Executables with the Backdoor Factory - Joshua Pitts
Jason Scott - Defcon Documentary Q&A
Panel: Building and Growing a Hacker Space - Joey Maresca - Dave Marcus - Nick Farr - SkyDog
SO Hopelessly Broken: the implications of pervasive vulnerabilities in SOHO router products. - Jacob Holcomb
Put Me In Coach: How We Got Started In Infosec - pr1me - Chris “g11tch” Hodges - Frank Hackett - Dave “ReL1K” Kennedy
Alice Goes Deeper (Down the Rabbit Hole) - Redirection 2.0 - Nathan Magniez
Emergent Vulnerabilities: What ant colonies - schools of fish - and security have in common. - Nathaniel “Dr. Whom” Husted
Why Your IT Bytes - Frank J. Hackett
Using Facial Recognition Software In Digital Forensics And Information Security - Brian Lockrey
How to Fight a War Without Actually Starting One - Brendan O’Connor
Crypto-Exploit Exercises: A tool for reinforcing basic topics in Cryptography - Nancy Snoke

Stable Talks
Gen Y:Getting Them to Talk Rather than Text at Work - Nancy Kovanic
Battle Scars And Friendly Fire: Threat Research Team War Stories - Will Gragido and Seth Geftic
Unmasking Miscreants - Allixon Nixon - Brandon Levene
gitDigger: Creating useful wordlists from public GitHub repositories - Jaime Filson (WiK)
PowerShell and Windows Throw the Best Shell Parties - Piotr Marszalik
Owning Computers Without Shell Access - Royce Davis
Sixnet Tools: for poking at Sixnet Things - Mehdi Sabraoui
Hardening Windows 8 apps for the Windows Store - Bill Sempf
Intro to Dynamic Access Control in Windows Server 2012 - Evan Anderson
Evolutionary Security - Embracing Failure to Attain “Good Enough” - Josh More
DIY Forensics: When Incident Response Morphs into Digital Forensics - John Sammons
ANOTHER Log to Analyze - Utilizing DNS to Discover Malware in Your Network - Nathan Magniez
Phishing Frenzy: 7 seconds from hook to sinker - Brandon <zeknox> McCann
Electronic Safe Fail: Common Vulnerabilities in Electronic Safes - Jeff Popio
The Good Samaritan Identity Protection Project  www.thegsipp.org - Zack Hibbard - Chris Brown and Jon Sternstein
Some defensive ideas from offensive guys. - Justin Elze and Robert Chuvala
Grim Trigger - Jeff “ghostnomad” Kirsch
A n00bie’s perspective on Pentesting… - Brandon Edmunds
My Security is a Graph - Your Argument is Invalid - Gabriel Bassett
Follow the Foolish Zebras: Finding Threats in Your Logs - Chris Larsen
Security Training and Research Cloud (STRC) - Jimmy Murphy
Passive Aggressive Defense - Jason Clark
So you want to be a pentester? - Raymond Gabler
Digital Energy - BPT - Paul Coggin
An Anti-Forensics Primer - Jason Andress
What if Petraeus was a hacker? Email privacy for the rest of us - Phil Cryer (@faker)

09/30/2013 Derbycon 3.0 Videos Tracks 1 & 2

I think I have all of tracks 1 and 2 posted:, more to come

Scanning Darkly - HD Moore (keynote)
Kinetic Pwnage: Obliterating the Line Between Computers and the Physical World - Ed Skoudis (keynote)
Look Ma - No Exploits! - The Recon-ng Framework - Tim “LaNMaSteR53? Tomes
Practical Exploitation Using A Malicious Service Set Identifier (SSID) - Deral Heiland
JTAGulator: Assisted discovery of on-chip debug interfaces - Joe Grand
Seeing red in your future? - Ian Iamit
TMI: How to attack SharePoint servers and tools to make it easier - Kevin Johnson and James Jardine
The High Risk of Low Risk Applications - conrad reynolds
It’s Okay to Touch Yourself - Ben Ten (Ben0xA)
Collaborative Penetration Testing With Lair - Tom Steele and Dan Kottmann
Malware Automation - Christopher Elisan
What’s common in Oracle and Samsung? They tried to think differently about crypto. - L·szlÛ TÛth - Ferenc Spala
Burning the Enterprise with BYOD - Georgia Weidman
Getting the goods with smbexec - Eric Milam(brav0hax) and Martin Bos (purehate)
Shattering the Glass: Crafting Post Exploitation Tools with PowerShell - Matt Johnson
Cheat Codez: Level UP Your SE Game - Eric Smith
My Experiments with truth: a different route to bug-hunting - Devesh Bhatt
The Art and Science of Hacking Any Organization - Tyler Wrightson
Living Off the Land: A Minimalist’s Guide to Windows Post-Exploitation - Christopher Campbell & Matthew Graeber
Cracking Corporate Passwords - Exploiting Password Policy Weaknesses - Minga / Rick Redman
Ownage From Userland: Process Puppeteering - Nick Cano
) UNION SELECT `This_Talk` AS (‘New Exploitation and Obfuscation Techniquesí)%00 - Roberto Salgado
Exploiting_the_Zeroth_Hour(); Developing your Advanced Persistent Threat to Pwn the Network - SOLOMON SONYA and NICK KULESZA
Phishing Like The Pros - Luis “Connection” Santana
Raspberry Pi - Media Centers - and AppleTV - David Schuetz
Cognitive Injection: Reprogramming the Situation-Oriented Human OS - Andy Ellis
IOCAware - Actively Collect Compromise Indicators and Test Your Entire Enterprise - Matt Jezorek and Dennis Kuntz
Cash is King: Who’s Wearing Your Crown? - Tom Eston and Spencer McIntyre
Security Sucks - and You’re Wearing a Nursing Bra - Paul Asadoorian
Windows Attacks: AT is the new black - Rob Fuller and Chris Gates
How Good is Your Phish - @sonofshirt
Identifying Evil: An introduction to Reverse Engineering Malware and other software - Bart ‘d4ncind4n’ Hopper
How Im going to own your organization in just a few days. - RazorEQX
Pass-The-Hash 2: The Admin’s Revenge - Skip Duckwall and Chris Campbell
The Cavalry Is Us: Protecting the public good and our profession - Josh Corman
Love letters to Frank Abagnale (How do I pwn thee let me count the ways) - Jayson E. Street
The Message and The Messenger - James Arlen
50 Shades of RED: Stories from the "Playroom" - Chris Nickerson
Beyond Information Warfare “You Ain’t Seen Nothing Yet” - Winn Schwartau
Stop Fighting Anti-Virus - Integgroll
How the Grid Will Be Hacked - Josh Axelrod and Matt Davis
help for the helpdesk - Mick Douglas
Weaponizing your Coffee Pot - Daniel Buentello
Practical OSINT - Shane MacDougall (NOTE THAT THIS IS AN ADULT ONLY TALK - 18+ or older)
Stop making excuses; it’s time to own your HIV (High Impact Vulnerabilities) - Jack D. Nichelson
Uncloaking IP Addresses on IRC - Derek Callaway

09/29/2013 Derbycon 3.0 Videos
As I get them up, you can find them here. Big thanks to my video jockeys Robin, ladymerlin, Jennifer, Sabrina, Reid, Skydog, Some Ninja Master, Glenn Barret, Dave Lauer, Jordan Meurer, Brandon Grindatti, MadMex, Joey, Steven, Sara, Branden Miller and Night Carnage
09/18/2013 Unicode Security Notes Page
This page has notes for my HackerHalted and Hack3rCon talk.
08/24/2013 Unicode Text Steganography Encoders/Decoders
The idea of this page is to demo different ways of using Unicode in steganography, mostly I'm using it for Twitter. :) I have some notes on the bottom about how these Unicode characters show up or get filtered by some apps. Most of the algorithms should work ok on Twitter, Facebook however seems to strip out more characters. There seems to be no perfect character set.
08/09/2013 Every Unicode Character For Fuzzing and Research
I will be doing a talk on Unicode and security at Hacker Halted, as prep work I've generated some files with ever Unicode character. I'd be interested in knowing if any of them crash apps on you. Open with care.

Every Unicode Character Blob Page or TXT file
Every Unicode Character 80 Column Page or TXT file
Every Unicode Character With Hex Page or TXT file


BSidesLV 2013 Videos
These are the videos from the BSides Las Vegas conference. Thanks to all of the BSides Crew for having me out to help record and render the videos. @bsideslv, @banasidhe, @kickfroggy, @quadling, @jack_daniel 

"The Security Industry - How to Survive Becoming Management" - Christien Rioux

Discovering Dark Matter: Towards better Android Malware Heuristics - Jimmy Shah, David Shaw, Matt Dewitt

Mom! I Broke My Insulin Pump... Again! - Jay "Rad" Radcliffe

Dungeons & Dragons, Siege Warfare, and Fantasy Defense in Depth - Evan Davidson and Noah Schiffman

HiveMind: Distributed File Storage Using JavaScript Botnets - Sean Malone

gitDigger: Creating useful wordlists from public GitHub repositories - WiK and Mubix

Collaborative Penetration Testing With Lair - Tom Steele and Dan Kottmann

Social Aftermath Responding to Social Pwnage - Steven F. Fox

Silence Equals Death - Violet Blue

The Cavalry Isn't Coming: Starting the Revolution to Fsck it All! - Nicholas J. Percoco and Joshua Corman

A Fire In The Eye - Olli-Pekka Niemi and Antti Levomaki

Defense Evasion Modeling - Frank Artes

"Malware Management Framework" - We detected WinNTI with it! - Michael Gough

Crunching the Top 10,000 Websites' Password Policies and Controls - Steve Werby

Governments and UFOs: A Historical Analysis of Disinformation and Deception - Richard Thieme

Strange interactions in personal data: Brokers and the CFAA - Christine Dudley

Diamonds, Fitness and Cults: Manipulation for Fun and Profit - Katie Rodzon

Vulnerability & Exploit Trends: A Deep Look Inside The Data - Ed Bellis, Michael Roytman

EC2 or Bust - How to Build Your Own Pen Testing Lab in Amazon EC2 - Grecs

Techniques for Escaping the AppSec Labyrinth - Andrew Hay

The Erudite Inebriate's Guide to Life, Liberty, and the Purfuit of Happinefs - Jack Daniel

Hack the Hustle! Career Strategies for Information Security Professionals - Eve Adams

Information Sharing, or "I've got 99 problems and they're probably pretty similar to yours" - Chris Mills

Convincing Your Management, Your Peers, and Yourself That Risk Management Doesn't Suck - Josh Sokol

How embracing social media helped me stop the hackers, save the world and get the girl! - Javvad Malik

Malware Automation - Christopher Elisan

Popping the Penguin: An Introduction to the Principles of Linux Persistence - Mark Kita

Network Survival WCS - James Costello

The Slings and Arrows of Open Source Security - Tod Beardsley and Mister X

What if Petraeus was a hacker' Email privacy for the rest of us - Fak3r

Never Mind Your Diet, Cut the Crap From Your Vocabulary - Keli Hay (Brian Martin)

The 7 habits of highly effective CISOs - Franklin Tallah (Wendy Nather)

The Little Dutch Boy - D0n Quix0te (Bill E. Ghote)

Stop Shooting Blanks: No magic bullets in your arsenal - Renegade6 (Nicolle Neulist)

Flameout - Burnout Supernova - Dan Ward (Ally Miller)

The Sensual Side of 3D Printing - Kat Sweet (Javvad Malik)

Fun with WebSockets using Socket Puppet - Mister Glass (Weasel)

Using Machine Learning to Support Information Security - Alex Pinto (Joel Wilbanks)

The Truth, You Thought We Wouldn't Know' - Wolf Flight (Terry Gold)

Vulnerabilities in Application Whitelisting: Malware Case Studies - Jared Sperli and Joe Kovacic (J0hnny Brav0)

The Goodness is Baked In: Baking Assurance into Software - Ebony (Davi Ottenheimer)

Matriux Leandros:An Open Source Penetration Testing and Forensic Distribution - Prajwal Panchmahalkar (Savant42)

Sixteen Colors: Archiving the Evolution of ANSI and ASCII Art - Doug Moore (Brendan O'Connor)

You Are Being Watched! - Bharat Jogi

Calling All Researchers: A Discussion on Building a Security Research Framework - Michael "DrBearSec" Smith

Evil Empire: SIEM FTW - EggDropX and Tha CheezMan

Attribution Shmatribution! FIX YOUR SHIT! - Krypt3ia

Breach Panel - Davi Ottenheimer, Raymond Umerley, Jack Daniel, Steve Werby, David Mortman & George V. Hulme

Roll-your-own Lightning Talks

Attacking and Defending Full Disk Encryption - Tom Kopchak

Say It to My Face - Shannon Sistrunk

Alex Dreams of Risk: How the Concept of Being a Craftsman can Help you Find Meaning and Avoid Burnout - Alex Hutton

You can't make people act more securely, you can help them want to. - Ivan Campbell and Twyla Campbell

08/02/2013 BSidesLV 2013 Videos
Putting these up at the link above as I get them together. This will take a bit, 5 tracks takes time. Follow @bsideslv for more.
07/14/2013 OISF 2013 Videos

These are the videos from the OISF Anniversary Event

Webshells History, Techniques, Obfuscation and Automated Collection - Adrian Crenshaw

Kali Linux Backtrack Linux reborn - Martin Bos

Locks & Physical Security - Deviant Ollam

Leveraging Mobile Devices on Pentests - Georgia Weidman

Reverse Engineering Demystified (a little maybe) - Chris Eagle

07/04/2013 Web Shells Collection Page Updated
I'm prepping to give my Webshells talk again at OISF and TakeDownCon Rocket City. I like to update things if I give a talk more than once, so I enhanced my script to save an archived copy of the webshells in a zip file so even if the infected host cleans it up (which they really should), it can be examined later.
07/04/2013 NQSFW Free CISSP Study Guide
I'm working on studying for a CISSP, so I figured I should record my notes. As I do them, I plan to post them here. @gozes also pointed me to http://www.opensecuritytraining.info/CISSP-Main.html which looks like a damn good resource.
06/21/2013 BSides Boston Videos
While at BSidesRI I met a bunch of folks from BSidesBoston. Roy asked me to put up a link to their videos:
Next year I hope to be able to make it out there.
06/15/2013 All BSides Rhode Island Videos

Friday pre-con:

Large-scale application security - Charlie Eriksen
SMB SRMF for identifying top 10 risks - Jim Peeler
How I Do a Weekly Podcast (or Three) - Paul Asadoorian
Show and Tell: Super-Minipwner - James Edge
Opening the Treasure Chest-Attacking Network Attached Storage on a Pen Test - Russell Butturini

BSidesRI Track:

Hacking Your Neighbors for Fun! - Josh Wright
Public cloud PCI compliance or a sharp stick in the eye, which to choose? - Chris Brenton
Bite the Wax Tadpole - The importance of culture in user security - Kati Rodzon and Mike Murray
Exploiting the Top Ten Database Vulnerabilities and Misconfigurations - Josh Shaul
Exploit Development for Mere Mortals - Joe McCray
Future Trends in IT security - Ron Gula
The Freaky Economics Of Cybersecurity - Robert David Graham

PaulDotCom Track:

Booting the Booters, Stressing the Stressors - Allison Nixon and Brandon Levene
Talk More Better - Jack Daniel
Security Sucks, and You're Wearing The Nursing Bra - Paul Asadoorian (Not Recorded)
So, you want to compute post-apocalypse? - Larry Pesce & Darren Wigley
Feeling Sick? Healthcare Information Security - Roy Wattanasin
Blitzing with Your Defense - Ben Jackson
Lessons Learned: Why I became a PaulDotCom Intern and why you should become an Intern too. - Mike Perez
Learning Security on the Cheap (30 min) - Patrick Laverty

Download link coming later.

06/15/2013 BSides Rhode Island Videos
As I get them up, I'm putting them on this page above.


ASAReaper: Grab Configs From Multiple Cisco Devices Over SSH (Demos PExpect and AES Encrypted INI Files in Python) Updated
Updated the code to make it easier to maintain and to fix a timeout issue. Also, Arne Lovius told me about a tool called Rancid (http://www.shrubbery.net/rancid) that can do the same thing as my script and more, but I figured the sample code is still of help to some.

Indiana University (IU, IUS, IU*, Etc) Salaries
I noticed the someone visited my IU Southeast School of Business (MBA) Review page from a search for something like "IU Salaries". This made me curious as I knew Indystar had the information. Seems Indystar's page is having errors, another newspaper hides it behind a pay wall, and IU makes you login with an account AND use an on campus IP. My understanding is this information is suppose to be public, but it seem somewhat hard to find. As a public service, here is the 2012/2013 Salary information in HTML (Just for IUS) and Excel formats (all campuses) for easier parsing. Hopefully it helps alumni and the like consider if it is really a fruitful place to donate to (and how to earmark donations). For some of the pay levels, it really is a shameful waste.


Kali Linux Live Boot USB Flash Drive - Jeremy Druin
Jeremy Druin (@webpwnize) gave the following presentation on creating a persistent Kali Linux thumbdrive install for the June 2013 meeting of the Kentuckiana ISSA.

05/27/2013 Webshell Demos And Notes
This is a page I'm putting together for my TakeDownCon and OISF talks on webshells. My slides are pretty text, link, command and code heavy, so this way I can just point the attendees to this page for all the notes and links.


Webshell Collection Page Updated With Source Code
I have a script I run against my web logs periodically to see if anyone is trying to use a Remote File Include Webshell against my site. I've done some more filter work, and can now find more webshells with it. If you spot bugs in the code, please let me know. I'll also be speaking at TakeDownCon St. Louis and the OISF Anniversary Event on webshells, this is part of that project.
05/23/2013 About page and CV updated
I finished my Master of Science in Security Informatics, so I've update my "about" page and CV. Unfortunately, I did not maintain the straight A average I had in my Informatics courses (I made a B in Machine Learning, which equals calculus, linear algebra, matrix mathematics and pain), so I had to change a blurb in my IU Southeast School of Bussiness/MBA review about being a straight A student in my new program. I just wanted to have more integrity than the people at the IUS MBA program who still boast about being the 9th rated part time MBA from the Business Week ratings in 2009, forgetting to mention that they have fallen to 74th since then (University of Louisville is at 35 by the way). Now, I know my readers think I'm a little OCD about this subject, which I admit I am, but I think integrity and ethics are important in both business and infosec, especially in those who are supposed to be educating the future workforce and leadership. I don't want others looking for a Master degree in the Louisville area to go through the same things I did, at least then something good would have come from what happened to me. There is some reason to think that IUS may get better, Gil Atnip, Ruth Garvey-Nix, and Sandra R. Patterson-Randles are all either retired or retiring from their positions of power. Still, the kinds of people who seem to gravitate toward academic administration positions have a tenancy to be less than caring towards student concerns in my experience. They may be better now, one VC seems to care at least a little considering his visits to the page and another VC seemed to be a decent person in the one Philosophy class I had with him, but the current student affairs person refuses to even respond to questions. Also, people like Jay White, Jon Bingham, and Linda Christiansen are still in their positions of power in the school of business, not even chastised for their behavior. With that in mind, I still can't recommend IUS to the people I know in IT around the Louisville area. I'm really sort of torn about it, as I think the IUS Informatics and Comp-Sci programs are pretty good, and I know there a good professors out there in business, but I don't think most people are willing to speak out unless they are personally involved. If you go there for Informatics or Comp-Sci, I recommend going with one of the math science options instead of business.


ISSA Kentuckiana Web Pen-Testing Workshop
Below are the videos form the Kentuckiana ISSA's Web Pen-Testing Workshop. It was put on in part to raise funds for Hackers For Charity. A few of theses are still uploading, but should be available shortly.
Part 1: Intro to Mutillidae, Burp Suite & Injection Jeremy Druin
Part 2: SQL Injection Conrad Reynolds
Part 3: Uploading a web shell via SQLi Jeremy Druin
Part 4: Authentication Bypass via SQLi & Cookie Tampering Jeremy Druin
Part 5: Intro to Kentuckiana ISSA Jeremy Druin
Part 6: Remote File Inclusion (RFI) & Local File Inclusion (LFI) Jeremy Druin
Part 7: Webshells Demo Adrian Crenshaw
Part 8: Intros to Speakers
Part 9: HTML & Javasript Injection XSS Jeremy Druin
Part 10: XSS & BeEF Conrad Reynolds
Part 11: What we have of CSRF (Camera ran out of space, slides kept going) Jeremy Druin
Part 12: JSON injection Jeremy Druin
04/21/2013 AIDE 2013: The rest of the videos
At this point I had to leave for Notacon to record their talk and was not there to run the slide capture rig for AIDE. I shanghaied some volunteers into recording, and while they did not get the slide rig working, we have the presenter and slides on camera. Thanks for filling in.

Boring eForensic Science Items - Brian Martin

Hackers in Unganda: A Documentary (Kickstarter Project) - Jeremy Zerechak

Small Businesses Deserve Security Too - Frank Hackett

Help from the helpdesk - Mick Douglas (@bettersafetynet)

Malware Analysis Triage for n00bs - Grecs (@Grecs)

CCDC and Industry - James L. Siegel Jr. (WolfFlight)

Building an Engaging and Effective Information Security Awareness and Training Program - Bill Gardner



Notacon 10 Videos
These are the videos from the 10th Notacon conference held April 18th-21st, 2013. Not all of them are security related, but  I hope my viewers will enjoy them anyway. Thanks to Froggy and Tyger for having me up, and to the video team: SatNights, Widget, Securi-D, Purge, Bunsen, Fry Steve and myself (at least that is who it was last year, if you got he names for 2013 let me know).

Track 1

Model Integrated Computing (Code Generation) and how it loves you and deserves love back - Michael Walker

Guns & Privacy - Deviant Ollam

Domestic Preparedness (the zombie Apocalypse is nigh upon us) - Illustrious Niteshad & megalos

DIY Neuroscience, EMGs, EEGs, and other recordings - meecie

Hacking Your Ability to Communicate - kadiera

Lasers for Fun! Lasers for Science. Lasers for Security! - Ethan Dicks

Video Everywhere! aka The Personal Distributed HD Video Network - Woz

Esolangs - Daniel Temkin

How We Learned Security from Steve - ghostnomad, ghostnomadjr, knuckles & micronomad

Are we getting better? - Hacking Todays Technology - David Kennedy

Critical Making - Garnet Hertz

DC to Daylight: A whirlwind tour of the radio spectrum, and why it matters. - Stormgren

Skeleton Key: Transforming Medical Discussions Through 3D Printing - KK Pandya

Youthful Exploits of an early ISP - Dop & KevN

Whose Slide Is It Anyway? - nicolle @rogueclown neulist

Track 2

I Forked the Law and We All Won - Fork The Law

Make me Babyproof! - Gina “the kat” Hoang

The Maru Architecture Design: A proposed BYOD architecture for an evolving threat landscape - Michael Smith

You Keep A-Knockin’ But You Can’t Come In - grap3_ap3

Encryption for Everyone - Dru Streicher (_node)

How I Became an iOS Developer for Fun and Debt - Mark Stanilav

AR_GRAF.OBJ: a darknet for the nuEra ?? - kevin carey, shawne michaelain holloway & brian peterson

Creating professional glitch art with PoxParty - Jon Satrom & Ben Syverson

Let’s Go CSRF’n Now! - grap3_ap3

Bad Games Arcade - Jake Eliott

The Winamp Imperative - Yoz (sorry, audio died at 6:09)

04/18/2013 AIDE 2013
I got to record and put up a few videos from AIDE. I had to head to Notacon before I could record them all, but I left some gear so hopefully I'll have more to come. Recorded at AIDE 2013. Big thanks to Bill Gardner (@oncee) for having me out to record.

Network King Of The Hill (NetKotH): A hacker wargame for organizers who are lazy - Adrian Crenshaw (Irongeek)

Can You Hear Me Now? Leveraging Mobile Devices on Pentests - Georgia Weidman

RAWR (Rapid Assessment of Web Resources) - @al14s and @c0ncealed

04/11/2013 Hacker Swap Meet: Don't Let That Old Junk Go To Waste!
Many of us are tech pack rats, we have old gear laying around we don't use but don't want to just throw away. Got something you want to trade with other hacker/maker types? Too expensive to ship but you can drive it to a con you will be at anyway? Set up the trade at the new forums I put up. One man's treasure is another man's hazmat. If you don't see a con/meet spot listed here, let me know and I can add it.
I should have some old gear at Notacon I want to get rid of.
04/08/2013 Outerz0ne 9 (2013) Videos
These are most of the videos from the Outerz0ne 9 conference. I have a few more I have to get clearances on before I post them. Big thanks to Joey and Evan on the video crew.
SkyDog Kicks Off Year NINE! (Number Nine)
Gursev Kalra - Impersonating CAPTCHA Providers
Tuttle/Brimstone - State of the BitCoin Address; Pizza, Pirates, and Profiteers.
Halfjack - Living to the Singularity: Geeks Guide to a Healthy Lifestyle
Chad Ramey - Hacking the Atom
Jeremy Schmeichel & Brian Wilson - IPv6? Ain't Nobody Got Time For That!
Chris Silvers - Weapons of Miniature Destruction
Hacker Movie Challenge
Inside the Hacker's Studio - Billy Hoffman and IronGeek
Contest Prize Giveaway, Awards, Closing Ceremonies
Lightning Talks and such:
Andy Green - The Southeast Collegiate Cyber Defense Competition Lightning Talk
Lilyjade-v2.com - Why You Are Not Safe Lightning Talk
Presentation Karaoke
03/26/2013 Updated: Links for Doxing, Personal OSInt, Profiling, Footprinting, Cyberstalking
I have to give presentation on online privacy shortly, and figured it would be a good time to update the page above with a few new links. See the change log at the bottom. If you have more good links to add, please contact me. I'll also be speaking at TakeDownCon St. Louis on webshells so I've updated my Webshell Collection Page to keep a log of not only live webshells, but also keep a history of dead ones.
03/13/2013 Outerz0ne 9 Dates Announced: April 5-6th, 2013
I know it's a little short notice, but dates and the CFP have been announced for Outerz0ne 2013: April 5-6th, 2013 in Atlanta Georgia. I'll of course be there helping out the video crew. It's a donation based con, so give what you can. To see videos from past years, check out:
Outerz0ne 8 (2012) Videos
Outerz0ne 2011 Hacker Con
Outerz0ne 2010 Videos
and a bunch of others spread out over the Hacking Illustrated page.

In other news, Jessica Miller from No Starch Press wanted me to announce this:

"We've just released the free PDF of bunnie's "Hacking the Xbox" in Aaron Swartz's honor, with links to support the causes Aaron believed in. I thought you might be interested in seeing bunnie's note and helping to spread the word -
http://nostarch.com/xboxfree "

I did not know Aaron, but as a person who has be screwed by an uncaring cover-ass bureaucracy before, I can sympathize.

03/03/2013 Introduction to HTML Injection (HTMLi) and Cross Site Scripting (XSS) Using Mutillidae
New Video From Jeremy Druin:
This video covers the basics of injecting HTML into sites with vulnerabilities in which injected code is placed inline with intended code and executes in the users browser. The injected HTML in this video is a fake login box that posts the user username and password to a capture data page (in the NOWASP Mutillidae application).

Later the same vulnerability is used to inject cross site scripting attack that hooks the users browser with a Beef Framework script (hook.js) given an attacker control of the users browser.
03/03/2013 Introduction to Pen Testing Simple Network Management Protocol (SNMP)
New Video From Jeremy Druin:
The Simple Network Management Protocol (SNMP) is used on networked devices to read, write, and update device configuration remotely. Windows desktop systems typically do not run SNMP services by default but these can be enabled for testing. Server operating systems often run snmp services by default as do network devices such as routers, printers, special purpose equipment, switches, and firewalls.

In this video, a Windows XP box has SNMP enabled to act as a test target. A Backtrack 5 R3 host is used to perform assessment. The video progresses through host discovery, port identification, service verification, finding community strings, dumping device configuration, and altering device configuration.
02/24/2013 Bro IDS/Network Programming Language Video Page
Liam Randall, a developer on the Bro team, and the guy that supplies cherry flavored refreshment at many cons, asked me to post his Shmoocon 2013 video. Since he said there would be more videos to come, I decided to make a page for them. Go check out the project at: http://www.bro-ids.org/
02/23/2013 Intro To The Louisville OWASP Chapter
Quick intro to the Louisville OWASP chapter by Curtis Koenig. Sorry that the video is cut a little short. I've also updated the Shmoocon FireTalks 2013 page to have a downloads link at the bottom.
02/18/2013 Shmoocon FireTalks 2013
The Shmocon FireTalks are now up:

“Thin Slicing a Black Swan: A Search for the Unknowns” by Michele “@mrsyiswhy” Chubirka & Ronald Reck
“When Did the Smartphone Pentest Framework Get Awesome?” by by Georgia “@georgiaweidman” Weidman
“ShellSquid: Distributed Shells With Node” by Tom Steele
“If You Can Open The Terminal, You Can Capture The Flag: CTF for Everyone” by Nicolle “@rogueclown” Neulist
“Becoming a Time Lord – Implications of Attacking Time Sources” Joe “@joeklein” Klein
“Swinging Security Style: An Immodest Proposal” by Wendy “@451wendy” Nather
“Drones: Augmenting your cyber attack tool bag with aerial weapon systems” by Zac “@ph3n0” Hinkel
“Managed Service Providers: Pwn One and Done” Damian “@integrisec” Profancik
“No Tools? No Problem! Building a PowerShell Botnet” Christopher “@obscuresec” Campbell
“Extending the 20 Critical Security Controls to Gap Assessments and Security Maturity Modelling” John “@pinfosec” Willis
“Protecting Big Data From Cyber APT in the Cloud” Bill “@oncee” Gardner
“Writing a Thumbdrive for Active Disk Antiforensics” Travis “@travisgoodspeed” Goodspeed

On the non-info-sec related front, you know I like to use my backlinks to get things in search results as sort of a bully pulpit. It's my understanding that IU Southeast Chancellor Sandra R. Patterson-Randles is searching for a new job because of some IU policy about mandatory retirement. Ask around the faculty/staff at IUS about her (off the record of course) before you make a hiring decision. Personally, I'd want someone who cares more about the espoused values of the organization, and less about appearances only. Then again, maybe she has the skill set you are looking for, but a parrot with good grammar would seem to be a much cheaper solution in that case.

02/11/2013 Basics of using sqlmap - ISSA Kentuckiana workshop 8 - Jeremy Druin
This is the 8th in a line of classes Jeremy Druin will be giving on pen-testing and web app security featuring Mutillidae (or other tools) for the Kentuckiana ISSA. This one covers SQLMap.
02/01/2013 ASAReaper: Grab Configs From Multiple Cisco Devices Over SSH (Demos PExpect and AES Encrypted INI Files in Python)
Simple script I wrote for backing up Cisco ASAs. Does it all over SSH, and may serve as example code for other projects.
01/05/2013 SQL Server Hacking from ISSA Kentuckiana workshop 7 - Jeremy Druin
This is the 7th in a line of classes Jeremy Druin will be giving on pen-testing and web app security featuring Mutillidae (or other tools) for the Kentuckiana ISSA. This one covers SQL Server Hacking.
01/03/2012 Information Security in University Campus and Open Environments 2013
This is an update of an article I did almost 8 years ago. Lots of things have changed in that time, do I figured the update was in order. It almost acts as a meta-page to other parts of my site, but I hope you enjoy it.
12/29/2012 Webshell Collection Page Updated
I have a script I run against my web logs periodically to see if anyone is trying to use a Remote File Include Webshell against my site. I wrote this awhile back, but the list was getting long and there were a lot of 404s, duplicates, and other problems. I've filtered out many of those. If you want to take a look at some Webshell that are in active use on the Internet you may like this page.
12/27/2012 IU Southeast School of Business / MBA Write-up Updated
I've made many small changes over the months to my IUS MBA Review site (change log). I realize that this page is not very security related, but I can tie it to infosec in a few ways (regular readers, please ignore the noise in the signal). Lots of infosec folks I know seem to go for an MBA if they want to get into management, so I figured it might help some of the infosec folks in the Louisville Metro area (Kentuckiana Metroversity) know what to avoid. It's also an opportune time since some students are about to finish their bachelors in the spring, and will start looking for grad schools now. I can tie it in as an experiment in how some spiders index sites. I've done a bit of forensic metadata work on a file I received via an open records request that might be interesting as well, but it's not in-depth. It may also help people who have to deal with bureaucracies that have people like Jay White, Jon Bingham, Linda Christiansen and Gil Atnip in them know that they are not alone. Hopefully I'll be able to work with the IU Southeast SGA to get a real grievance policy put in place over the spring semester so students are treated with more respect.
12/26/2012 MadMACs: MAC Address Spoofing and Host Name Randomizing App for Windows 7 (Should work in Windows Vista and Windows 8 too) Updated
I wrote MadMACs awhile back, as a simple script to randomize my MAC address (and host name) in Windows on every boot. I had not updated it in a long time so it stopped working well in newer versions of Windows (Windows 7, Windows Vista and Windows 8). When someone would try to get MadMACs to work on a newer version of the OS, Windows would not always respect the registry setting for what MAC address they were suppose to use. Seems that if it is a wireless interface, the 2nd nibble has to be a 2, 6, A or an E on Windows Vista and newer. I included functionality in the new version of MadMACs to make sure this nibble is correct if you tell it the NIC you are trying to change/randomize the MAC address on is a WiFi card. I've also added a GUI for configuring your MAC addresses on your network cards (the old version used prompts), made the config file more INI like, and made it so that MadMACs itself can reset your adapter and start using the new MAC address immediately (name changes will take a reboot).
12/22/2012 Anti-Arp-Poisoning Switch Demo Using OpenFlow & POX
When I posted my OpenFlow/SDN Security paper, I spaced on including the source code to the ARP Poisoning resistant POX controller I mentioned. It is now included in the link above. Also, go check out Steve Erdman's blog for a bunch of security/networking articles.
12/16/2012 Security and Software Defined Networking: Practical Possibilities and Potential Pitfalls
This is a short paper I wrote for class involving SDN (OpenFlow specifically) and it's potential ramifications in the infosec world.
12/09/2012 Introduction to Installing, Configuring, and Using Burp-Suite Proxy

Another video from Jeremy Druin.

11/24/2012 Introduction to buffer overflows from ISSA KY workshop 6 and two other videos from Jeremy Druin

Mutillidae: Using ettercap and sslstrip to capture login
This video by webpwnized (@webpwnized) reviews how to intercept web communications using ettercap and intercept web traffic that is supposed to be protected with SSL using SSLStrip.

Mutillidae SQL Injection via AJAX request with JSON response
This video by webpwnized (@webpwnized) covers pen-testing an SQL Injection vulnerability that occurs in an AJAX request made in the background. The response from the server is JSON. Since AJAX requests and regular request work the same way (since they both follow the rules of the HTTP protocol), the AJAX request can be pen-tested using the same tools and tecniques used with the more traditional requests. The SQL Injection flaw is first discovered then used to pull a list of the tables in the database along with the columns for the target table. Once the target is identified, the defect is used to pull a list of the username and password fields.

Introduction to buffer overflows from ISSA KY workshop 6
This recording is from the Kentucky ISSA Workshop #6 from the November 2012 meeting. In part 5, using Metasploit was covered. In this workshop, buffer overflow vulnerabilities were examined more closely to see how Metasploit exploits might be written. A custom program is written with a known buffer overflow and compiled without the stack canaries or non-executable stack. Also ASLR is disabled on the Ubuntu 12.04 testing host. The program is fuzzed to determine an overflow exists and decompiled with GDB to look at the program logic more closely. Python scripts are used to generate exploits that get closer to over-writing the return pointer with a user supplied value. Once the buffer overflow is identified and the size of the buffer found, the exploit development begins. A custom exploit is developed to inject shellcode into the buffer, determine a reasonable memory address in which to jump, and a root shell gained.

11/11/2012 PhreakNIC 16 Day Two Videos Posted
Here are the videos from day 2 of PhreakNIC 16. Big thanks to Ben the Meek and the rest of the video crew. I'll get the AVIs up on Archive.org soon.

Where We're Going We Don't Need Keys - sp0rus

The Effects of Online Gaming Addiction - Gregory C. Mabry

Android Best Practices and Side Projects - Michael Walker

Starting up a Crypto Party - Peace

Build Free Hardware in Geda - Matthew O'Gorman, Tim Heath

IP Law: Myths and Facts - Rick Sanders

The Safety Dance: Wardriving the 4.9GHz Public Safety Band - Robert Portvliet, Brad Antoniewicz

The Power of Names: How We Define Technology, and How Technology Defines Us - Aestetix

DNS Sec Today - Thomas Clements

Why I am pessimistic about the future - Tom Cross

11/10/2012 PhreakNIC 16 Day One Videos Posted
Here are the videos from day 1 of PhreakNIC 16. Big thanks to Ben the Meek and the rest of the video crew.

Welcome to PhreakNIC - Warren Eckstein

Magnets, How Do They Work? - Michael Snyder

Own the Network – Own the Data - Paul Coggin

Something about middleware - Douglas Schmidt

Homebrew Roundtable - Scott Milliken, Erin Shelton

Repurposing Technology - Kim Smith & Kim Lilley

Hiring the Unhireable: Solving the Cyber Security Hiring Crisis From DHS to Wall Street - Winn Schwartau

Network King Of The Hill (NetKotH): A hacker wargame for organizers who are lazy bastards - Adrian Crenshaw

11/06/2012 Derbycon 2012 Stable Talks
We did not officially record the Stable Talks this year but Damian Profancik stepped up and volunteered to do it. Big thanks for the recording and editing!
Valerie Thomas: Appearance Hacking 101 - The Art of Everyday Camouflage

Tim Tomes "LanMaSteR53": Next Generation Web Reconnaissance

Thomas Hoffecker: Hack Your Way into a DoD Security Clearance

John Seely CounterSploit MSF as a defense platform

Chris Murrey "f8lerror" & Jake Garlie "jagar": Easy Passwords = Easy Break-Ins

Tyler Wrightson: The Art and Science of Hacking Any Target

Thomas Richards: Android in the Healthcare Workplace

Spencer McIntyre: How I Learned to Stop Worrying and Love the Smart Meter

Shawn Merdinger: Medical Device Security

Rockie Brockway: Business Ramifications of Internet's Unclean Conflicts

Nathan Magniez: Alice in Exploit Redirection Land

Magen Hughes: Are you HIPAA to the Jive

Justin Brown & Frank Hackett: Breaking into Security

Josh Thomas: Off Grid Communications with Android

Jennifer "savagejen" Savage & Daniel "unicorn Furnance": The Patsy Proxy

Jason Pubal: SQL Injection 101

James Siegel: Nice to Meet You

Brett Cunningham: Beyond Strings - Memory Analysis During Incident Response

Gus Fritschie & Nazia Khan: Hacked Hollywood

Evan Anderson: Active Directory Reconnaissance - Attacks and Post-Exploitation

David Young: ISO8583 or Pentesting with Abnormal Targets

David Cowen: Running a Successful Red Team

Damian Profancik: Managed Service Providers - Pwn One and Done

Ben Toews & Scott Behrens: Rapid Blind SQL Injection Exploitation with BBQSQL

Andy Cooper: Why Integgroll Sucks at Python..And You Can Too
11/04/20122 The potential impact of Software Defined Networking on security - Brent Salisbury
This is Brent Salisbury talk on SDN and security for the Kentuckiana ISSA November meeting. Sorry about the sound, I need to get a mic next time. Sorry I did not get Jeremy Druin's talk, we had multiple levels of video fail.


SkyDogCon 2012 Videos
Here are the videos from SkyDogCon. Thanks to all of the SkyDogCon crew, especially SeeBlind and others for running the cameras.

Opening Remarks-Trevor Hearn-Skydog

Rious and Sachin - "Hack the Badge"
GCS8 and Ginsu - Physical Security; Make sure your building is "Butter Knife Proof"...

Marcus Carey - Security Myths Exposed
SpikyGeek - Dealing with difficult co-workers: How I became the "Thanks for the candy" guy
Peter Shaw - Pivot2Pcap: a new approach to optimzing cybersecurity operations by tightly coupling the big-picture view provided by Netflow with the in-depth resolving power of PCAP.
Carter Smith - Gangs and the use of Technology
G. Mark Hardy - Hacking as an Act of War
Jeff Brown - RE, CND and Geopolitics, Oh My!

Curtis Koenig - Insanely Great!

Lee Baird - Setting up BackTrack and automating various tasks with bash scripts

Bob Weiss & Benjamin Gatti - Cryptanalysis of the Enigma

Dr. Noah Schiffman - Bioveillance: The Surreptitious Analysis of Physiological and Behavioral Data

Martin Bos & Eric Milam - Advanced Phishing Tactics Beyond User Awareness

Sonny Mounicou - Build a UAV!

Alex Kirk - Lifecycle and Detection of an Exploit Kit

Chris Silvers - Go With the Flow: Strategies for successful social engineering

Scott Moulton - Hack your Credit Score; How the System is Flawed

David Wyde - User-Readable Data and Multiple Personality Disorder

Closing of Conference

10/27/2012 SkyDogCon 2 Videos
Most of the talks are up, full post coming soon.
10/25/2012 Hack3rcon 3 Videos
I still have one video from Hack3rcon 3 left to edit, but I wanted to put all of the talks out in the  RSS before the SkyDogCon talks come out. One more coming soon hopefully.
Keynote: Hacking Survival
Speakers: Larry Pesce
Next Generation Web Reconnaissance
Speakers: Tim Tomes
Intro to Network Traffic Analysis - Part 1
Speakers: Jon Schipp
Intro to Network Traffic Analysis - Part 2
Speakers: Jon Schipp
Automated Spear-twishing - It was only a matter of time
Speakers: Sean Palka
In case of ZOMBIES break glass
Speakers: Chris Payne
Building Dictionaries and Destroying Hashes Using Amazon EC2
Speaker: Steve Werby
Secrets of Running a Consulting Business
Speakers: Brian Martin
Bash Scripting 101 for Pen Testers
Speakers: Lee Baird
Keynote: Finding the MacGyver in You
Speakers: William A. Minear
EMP, yeah you know me..
Speakers: Adrian Crenshaw
Intro to Linux exploit development - Part 1
Speakers: John deGruyter Intro to Linux exploit development - Part 2
Speakers: John deGruyter
This video is combined with the one above, but I'm too lazy to redo my numbering system. :)
Advanced Phishing Tactics – Beyond User Awareness
Speakers: Eric Milam, Martin Bos
DNS Reconnaissance
Speakers: Carlos Perez
Sponsors: Tenable Network Security *SILVER*
Social Engineering Applied: Exploit the Target
Speakers: Keith Pachulski
From Patch to Pwnd
Speakers: Deral Heiland
Building a pad that will survive the times
Speakers: Branden Miller
Wielding Katana: A Pentesters Portable Pal
Speakers: Ronin
10/20/2012 Hack3rcon 3 Videos, A Little Early
Those at Hack3rcon know I'm posting videos on the site while I'm at the con. I noticed someone at the con looking for them on the front page, but I had not linked to them there yet (Just Tweeted them from @irongeek_adc). The link above will take you to the Hack3rcon 3 video page, and I will make a longer post when I have them all out there (but keep watching that page over the weekend if you like).
10/06/2012 Louisville Infosec 2012 Videos
Below are the videos from Louisville Infosec 2012 conference. Sorry about the noise, I had no line in from the house audio. My talk is not in here because the slides rig failed. You can see a previous version of it here: Dingleberry Pi Building a Blackthrow: More inexpensive hardware to leave behind on someone else's network - Adrian Crenshaw

Keynote Jack Daniel InfoSec Stress & Community
Nathan Heald - No Keys, No Worries Lock Picking
Jeremy Druin - NOWASP Mutillidae 2.2 A web pen-testing environment for secure development
Curtis Koenig - Grey Hats and Bug Bounties
Deral Heiland - From Printer to Pwnd Leveraging multifunction printers during penetration testing
James Jardine - Ninja Developers App Sec Testing and SDLC
Joshua Bartley - Data Hiding In Your Application
Keynote Michael Peters The Security TrifectaT - Isolation vs. Collaboration

10/03/2012 Derbycon 2012, Day 3 Tracks 2, 3 & 4 Videos Posted

In this batch we have:

Matt Weeks: Ambush- Catching Intruders at Any Point
Joshua Marpet: separating security intelligence from security FUD
Steve Werby: Building dictionaries and destroying hashes w/amazon EC2
Raphael Mudge: Dirty Red Team Tricks II
David Schuetz (Darth Null) – Slow down cowpoke – When enthusiasm outpaces common sense
Nicolle Neulist: Write your own tools with Python
David McGuire: Maturing the Pen Testing Professional
Matt Presson: Building a database security program
Chris Jenks: Intro to Linux system hardening
Eric Milam: Becoming Mallory
Patrick Tatro: Why isn't everyone pulling security- this is combat
Jason Frisvold: Taming Skynet-using the cloud to automate baseline scanning
JP Dunning & Chris Silvers: Wielding Katana- A live security suite
Mick Douglas – Sprinkler: IR
Matthew Perry: Current trends in computer law
Leonard Isham: SE me – SE you

See you next year, or at Hack3rcon, Skydogcon or Phreaknic.

10/02/2012 Derbycon 2012, Day 2 Tracks 3 & 4, Plus Day 3 Track 1 Videos Posted

In this batch we have:

Michael Schearer – Flex your right constituion and political activism in the hacker community
Eric Smith – Penetration testing from a Hot Tub Time Machine
Chris Nickerson (ind303) – Tactical Surveillance: Look at me now!
Jamie Murdock – How to create a one man SOC
Branden Miller / Bill Gardner – Building an Awareness and training program
Dan Crowley / Chris Vinecombe – Vulnerability Spidey Sense
Nathaniel Husted –  Everything you always wanted to know about Security Academia (But were too afraid too ask)
Bill Sempf – What locksport can teach us about security
JP Dunning (.ronin) - The Glitch: Hardware With Hacking Made Easy
Christopher Domas – The future of RE: Dynamic Binary Visulization
Tom Eston / Kevin Johnson – Social Zombies: Rise of the Mobile Dead
KC. Yerrid / Matt Jezorek / Boris Sverdlik (JadedSecurity)- It's not your perimenter. It's you
Deral Heiland -Format String Vulnerabilities 101
Jack Daniel – How Screwed Are We?
Kellep Charles: Security Vulnerablity Assessments. – Process and best practices
John Woods – So you got yourself an infosec manager job. Now what?
K.C. Holland (DevAuto) - Personal Darknet or How to get pr0n @ work
Tony DeLaGrange / Jason Wood:SH5ARK ATTACK- taking a byte out of HTML5!
Matthew Sullivan: Cookie Cadger – taking cookie hijacking to a new level
Stephen Haywood (AverageSecurityGuy) - Introduction to Metasploit Post Exploitation Modules
Noah Beddome: The devils in the Details-A look at bad SE and how to do better
Jay James & Shane MacDougall: Usine McAfee secure/trustguard as attack tools
Roamer and Deviant Ollam - Welcome to NinjaTel, press 2 to activate your device now
Laszlo Toth & Ferenc Spala: Think differently about database hacking

10/01/2012 Derbycon 2012, Day 2 Tracks 1 & 2 Videos Posted

In this batch we have:

Skip Duckwall / Chris Campbell – Puff Puff Pass – Getting the most out of your hash
Jordan Harbinger – Social Engineering Defense Contractors on LinkedIn and Facebook: Who's plugged into your employees?
Paul Asadoorian / John Strand – Everything they told me about security was wrong.
Zack Fasel – Pwned in 60 Seconds -From Network Guest to Windows Domain Admin
Ryan Elkins – Simple Security Defense to thwart an Army of Cyber Ninja Warriors
atlas: RfCat-subghz or bust
Georgia Weidman – Introducing the Smartphone Pentest Framework
Gillis Jones – The Badmin Project
Kyle (kos) Osborn – Physical Drive-By Downloads
Johnny Long – The Evolution of HFC
Dual Core (int0x80) – Moar Anti-Forensics – Moar Louise
Bruce Potter – Security Epistemology: Beliefs – Truth – and Knowledge in the Infosec Community
Josh More – Pen Testing Security Vendors
Jason Gunnoe & Chris Centore -Building the next generation IDS with OSINT
Babak Javadi / Keith Howell: 4140 Ways your alarm system can fail
Benjamin Mauch – Creating a powerful user defense against attackers
Bart Hopper – Hunting Evil
Doug Burks – Security Onion – Network Security monitoring in minutes

Direct downloads from Archive.org will be uploaded when I have all of Day 2 ready.

09/30/2012 Derbycon 2.0: The Reunion, Day 1 Videos Posted

Hi all. Expect these to come out in phases.

Opening Ceremony
HD Moore – The Wild West
Dan Kaminsky – Black Ops
Mudge – Cyber Fast Track; from the trenches
Jayson E. Street – Securing the Internet: YOU’re doing it wrong (An INFOSEC Intervention)
Jason Scott – Rescuing The Prince of Persia from the sands of time
Dave Marcus – 2FA-Enabled Fraud: Dissecting Operation High Roller
Rafal Los – House of Cards
Rob Fuller / Chris Gates – Dirty Little Secrets Part 2
Chris Hadnagy – Nonverbal Human Hacking
Rick Farina: The Hacker Ethos meets the FOSS ethos
Brent Huston – Info overload..Future shock.. IBM & nature of modern crime
Ian Amit – SexyDefense – the red team tore you a new one. Now what?
egyp7 – Privilege Escalation with the Metasploit Framework
Larry Pesce / Darren Wigley – Hacking Survival: So. You want to compute post-apocalypse?
James Arlen – Doubt – Deceit -Deficiency and Decency – a Decade of Disillusionment
Carlos Perez – DNS Reconnaissance
Sam Gaudet: Pentesting for non-pentesters…through virtual machines
Ryan Linn – Collecting Underpants To Win Your Network
Jerry Gamblin: is it time for another firewall or a security awareness program?

09/19/2012 How To Upgrade To Latest Mutillidae On Samurai WTF 2
Jeremy Druin has a new video:
This video covers upgrading the default version of NOWASP (Mutillidae) which comes with SamuraiWTF 2.0 with the latest available version. On this particular version of SamuraiWTF 2.0, NOWASP (Mutillidae) 2.1.20 was installed in the ISO. The latest version of NOWASP (Mutillidae) available at the time of this video was 2.3.7. In the video, the hosts file responsible for activating the links to the "target" web applications was modified so the default web applications would work. Also, the "samurai" start up script is reviewed to show why the LiveCD version of Samurai includes working web app targets but the installed version requires the targets be "activated". The video then covers how to upgrade the existing default installation of NOWASP (Mutillidae) with the latest available version. Additionally, the video discusses how to run the default version and latest version of NOWASP (Mutillidae) side-by-side or replace the existing installation with the latest version.
09/16/2012 Installing Latest Mutillidae On Samurai WTF Version 2
Jeremy Druin has a new video:
Samurai WTF is an excellent platform for web pen testing. A very large number of tools are already included. An older version of NOWASP Mutillidae comes pre-installed. This video covers installing the latest version on Samurai WTF 2.0. Installation requires downloading the latest verion of NOWASP Mutillidae, unzipping the Zip file which contains a single folder named "mutillidae", and placing the "mutillidae" folder into /var/www directory. Configuration is done by opening the /var/www/mutillidae/classes/MySQLHandler.php file and changing the default MySQL password from blank empty string to "samurai". Starting the project is done by browsing to http://localhost/mutillidae and clicking the Reset-DB button on the menu bar.


Web Shells and RFIs Collection
I wrote a little script to periodically look through my web logs for unique RFIs and Web Shells, and then collect them on one page where I can go look at them or download them to add to my Web Shell library. Many of these attacks are repeated multiple time, so I ignore the time fields in judging if an RFI/Web Shell is unique. I may have to weed this over time as I imagine many of the links to Web Shells will be 404ing over time. I also use nofollow and a referrer hiding service so it does not look like I'm attacking anyone with the web shells. This page will also let you link off to firebwall.com where you can use their PHP decoder to look at the obfuscated code. Enjoy my Web Shell zoo, it should update itself every hour or so. If you see your domain on the list of websites hosting Web Shells you are likely pwned and should clean up your server.
09/09/2012 Into to Metasploit - Jeremy Druin
This is the 5th in a line of classes Jeremy Druin will be giving on pen-testing and web app security featuring Mutillidae for the Kentuckiana ISSA. This one covers Metasploit.
09/04/2012 Teensy 3.0
As many of my readers know I've done a lot of work with the Teensy 2.0 in projects such as the programmable HID USB keyboard and my own hardware keylogger. Now Paul Stoffregen is coming out with a new version, Teensy 3.0. You should still have the easy of development that comes with the Arduino framework (or more raw C/C++ if you like) but there are two major new features, of many, that I'm excited about: More powerful 32 bit ARM Cortex-M4 and USB host support. Go check out Paul's Kickstarter page for more details and added features.
08/29/2012 SSH Phone Home: Using the Raspberry Pi as a proxy/pivot (Shovel a Shell)
I added a new section to my Raspberry Pi recipes page that covers setting up a Raspberry Pi to send you a Reverse Shell using SSH (AKA: Shovel a shell). This is pretty good for blowing past NAT and some firewalls with weak egress filtering. The idea is that you can use these as drop boxes to leave on someone else's network, then have them remote back out to you. These instructions should work pretty much the same on any *nix device or distro that uses OpenSSH.


Irongeek's Logwatch Script To Grep For RFI, Webshells, Password Grabs, Web Scanners, Etc.
This is a simple script I put together for those using shared hosting providers. It let's you grep through your logs for things like RFIs, likely webshells, passwords grabs, web scanners, etc. The video below gives more details. This can be a great tool for collecting webshells.
08/07/2012 Jeremy Druin has two new Mutillidae/Web Pen-testing videos

Setting User Agent String And Browser Information

Introduction to user-agent switching: This video uses the Firefox add-on "User-Agent Switcher" to modify several settings in the browser that are transmitted in the user agent string inside HTTP requests. Some web applications will show different content depending on the user agent setting making alteration of the settings useful in web pen testing.

Walkthrough Of CBC Bit Flipping Attack With Solution

This video shows a solution to the view-user-privilege-level in Mutillidae. Before viewing, review how XOR works and more importantly that XOR is communicative (If A xor B = C then it must be true that A xor C = B and also true that B xor C = A). The attack in the video takes advantage that the attacker knows the IV (initialization vector) and the plaintext (user ID). The attack works by flipping each byte in the IV to see what effect is produced on the plaintext (User ID). When the correct byte is located, the ciphertext for that byte is recovered followed by a determination of the correct byte to inject. The correct value is injected to cause the User ID to change.

Mutillidae is available for download at http://sourceforge.net/projects/mutillidae/. Updates about Mutillidae are tweeted to @webpwnized along with announcements about video releases.

08/05/2012 Host Vulnerability Assessment with Nessus, NeXpose and Metasploitable 2
This is the 4th in a line of classes Jeremy Druin will be giving on pen-testing and web app security featuring Mutillidae for the Kentuckiana ISSA. This one covers Nessus, NeXpose and Metasploitable 2.
07/31/2012 BSides Las Vegas 2012 Videos
They have been up on Youtube since Friday, but now I have them indexed and with links to where you can download AVIs from Archive.org. Enjoy. Thanks to all of the BSides Crew for having me out to help record and render the videos. @bsideslv, @banasidhe, @kickfroggy, @quadling, @jack_daniel 

Breaking Ground

KEYNOTE, Jack Daniel: "The State of Security BSides"

Matt Weeks: "Ambush - Catching Intruders At Any Point"

Robert Rowley: "Max Level Web App Security"

Davi Ottenheimer: "Big Data's Fourth V: Or Why We'll Never Find the Loch Ness Monster"

HD Moore: "Empirical Exploitation"

Christopher Lytle: "Puzzle Competitions and You"

Parth Patel: "Introducing 'Android Security Evaluation Framework' - ASEF"

Terry Gold: "RFID LOL"

Raphael Mudge: "Force Multipliers for Red Team Operations"

Andrew Hay & Matt Johansen: "Applications and Cloud and Hackers, Oh My!"

Brendan O'Connor: "Reticle: Dropping an Intelligent F-BOMB"

Josh Sokol/Dan Cornell:"The Magic of Symbiotic Security: Creating an Ecosystem of Security Systems"

James Lester & Joseph Tartaro: "Burp Suite: Informing the 99% of what the 1%'ers are knowingly taking advantage of."

dc949 - "Stiltwalker: Round 2"

Gillis Jones: "The Badmin project: (Na-na- nanana Na-na-nanana BADMIN)"

IPv6 Panel / Drinking Game

Proving Ground

Michael Fornal: "How I managed to break into the InfoSec World with only a tweet and an email."

David Keene: "Breaking Microsoft Dynamics Great Plains - an insiders guide"

William Ghote: "Lotus Notes Password Hash Redux"

Spencer McIntyre: "How I Learned To Stop Worrying and Love the Smart Meter"

Christopher Campbell "Shot With Your OwnGun: How Appliances are Used Against You."

Shawn Asmus, Kristov Widak: “Mirror Mirror – Reflected PDF Attacks using SQL Injection”

Georgia Weidman: "Introducing the Smartphone Penetration Testing Framework"

Phil Young: "Mainframed - The Forgotten Fortress"

Walt Williams: "Metrics that Suck Even Less"

Conrad Constantine: "The Leverage of Language: or : How I Realized Information Theory could Save Information Security"

Jason Ding: "The Blooming Social Media Economics Built on "Fake" Identities

Lightning Talks



Indiana University Southeast School of Business/MBA Review Updated: Emails from Gil Atnip, Alan Jay White, Lawyer Cover Plate, Etc.
Hi all. Don't worry, I'll be back to infosec content soon (with a posting of the BsidesLV videos). In the mean time, I just wanted to make an update post about the situation I shared with you awhile back (see change log at the bottom of the IUS MBA page). It seems many of the faulty/admins at IUS have been told to responded to be with only an IU lawyer cover plate response that tells me to contact IU Counsel. Unfortunately, the contacts I have at IU Counsel are not responding to my requests either at this point. Another interesting tidbit, seems someone has forwarded my MBA review site to the campus police (reverse DNS lookup for the win), though I have little idea what allegations may have been made (and they are not saying). I've posted the details on all this to the page. At this point there is not much I can do but shut up and go away, as is their intention, but I do ask for something from my readers. If you know of an organization that cares about academic abuses/student rights to due process, please forward them to the page. If you are a web admin, please just link to the page so it's easier for perspective students to find if they search for it. Thanks for your time.
07/16/2012 OISF 2012 Videos

Here are the talks from the OISF Anniversary Event 2012:

Conference Kickoff - Deral Heiland & Abyss of Cybersecurity - John Bumgarner
Size Does Matter: Password Tools and Data - Bob Weiss
Dingleberry Pi Building a Blackthrow: More inexpensive hardware to leave behind on someone else's network - Adrian Crenshaw
Threat Model Express - Sahba Kazerooni

07/16/2012 Bsides Cleveland 2012 Videos

Here are the talks from Bsides Cleveland 2012:

Secret Pentesting Technigues Shhh...Dave KennedyDave "ReL1K" Kennedy
Focusing on the Fool: Building an Awareness & Training Program - Branden Miller & Bill Gardner
<? $People ?> Process Technology - Jeff @ghostnomad Kirsch
Dingleberry Pi Building a Blackthrow: More inexpensive hardware to leave behind on someone else's network - Adrian "Irongeek" Crenshaw
Testing Enterprise DLP Systems // Advanced data exfiltration techniques - Albert School
Automating Incident Response - Mick Douglas
Business Ramifications of the Internet's Unclean Conflicts - Rockie Brockway
Netflow for Incident Response - Jamison Budacki
Winter is Coming: Cloud Security in Dark Ages - Bill Mathews
What locksport can teach us about security - Bill Sempf <missing>
Pass the Hash like a Rockstar - Martin "PureHate" Bos
Naked Boulder Rolling - Applying Risk Management to Web Application Security - J Wolfgang Goerlich
Anti-Forensics Filler - Irongeek
Outside the Echo Chamber - James Siegel (aka WolfFlight)
Pentesting ASP.NET - Bill Sempf

07/15/2012 Basic Output via Raspberry Pi's GPIO and Serial/UART to an Arduinio or Teensy Updated
While I was at Bsides Cleveland and OISF I found some problems with my write-up and schematics, I've updated them now so you won't encounter blue smoke.


More Web Pen-Testing Videos From Jeremy Druin
Here are two more videos from Jeremy Druin (@webpwnized):

Using Command Injection To Gain Remote Desktop On Windows

How To Exploit Metasploitable 2 With Nmap Nexpose Nessus Metasploit



Basic Output via Raspberry Pi's GPIO and Serial/UART to an Arduinio or Teensy
I added a "recipe" for using the Raspberry Pi's GPIO pins to interface with a Teensy (which means it is also no problem to talk to an Arduino). I've included simple code, schematics/diagrams and videos to demonstrate. Right now I'm just outputting from the Raspberry Pi to the Teensy, but input should not be a problem either with the linked to resources.
07/06/2012 Running an I2P Svartkast on the Raspberry Pi Updated
I updated the article a little to show how to set up a SSH tunnel through the I2P darknet. Expect to see a few more Raspberry Pi posts as I prep up for my talks at Bsides Cleveland and OISF.
07/04/2012 Updates to About and Irongeek in print pages
I noticed a few people at Indiana University Southeast looking at my review of the IUS MBA program, then looking at my "about" page. Maybe they wanted to see if I was a crackpot. I decided to update my about page to list more of the talks I've done around the country since it was last updated. I have also updated the Irongeek in print page with more books my site or I have been referenced in.
06/28/2012 Raspberry Pi Recipes
On this page I'll be posting little security ideas for the Raspberry Pi. Current sections include:
I2P on the Raspberry Pi
Installing Metasploit on the Raspberry Pi
Making an “EtherLogger” to log Ethernet packets with the Raspberry Pi


Running an I2P Svartkast on the Raspberry Pi: Even more cheap hardware to leave on someone else's network
This is sort of a sequel to a previous article I wrote titled "Running an I2P Svartkast on the Raspberry Pi: Even more cheap hardware to leave on someone else's network". In that article I answer the obvious question of what the hell a Svartkast is, as well as show how to make one out of a Raspberry Pi.
06/16/2012 How To Install Metasploitable 2 With Mutillidae On Virtual Box
Here is another one from Jeremy Druin (@webpwnized):

This video covers installing Rapid7's Metasploitable 2.0 with Mutillidae on a Virtual Box Host Only network. In addition to reviewing how to install Metasploitable 2 on Virtual Box, the configuration of the virtual network card is shown so that the Mutillidae web application running on Metasploitable 2 can be accessed from a separate Backtrack 5 virtual machine running on the same Host Only network.
06/07/2012 Out of Character: Use of Punycode and Homoglyph Attacks to Obfuscate URLs for Phishing
This is the paper I was working on in last semester's class. Hope it is helpful.
06/07/2012 IUS MBA Program Continued: Amendment of records, FERPA and getting your side put in the record
Again, not security related, but could be of interest to some. Next post I swear will be security related.
06/02/2012 Traceroute and Scapy Jeremy Druin @webpwnized
This is the 3rd in a line of classes Jeremy Druin will be giving on pen-testing and web app security featuring Mutillidae for the Kentuckiana ISSA. This one covers Traceroute and Scapy.
05/26/2012 AIDE 2012 Videos posted

Recorded at AIDE 2012. Big thanks to Bill Gardner (@oncee) for having me out to record.

Anti-Forensics: Occult Computing
Adrian Crenshaw

Out of Character: Use of Punycode and Homoglyph Attacks to Obfuscate URLs for Phishing
Adrian Crenshaw

An Introduction to Traffic Analysis: A Pragmatic Approach
Jon Shipp

Pen Testing Web 2.0: The Client
Jeremy Druin

Breaking into Security
Frank J. Hackett and Justin Brown

Sabu the Hacker: The capture, the crimes, the damage done, the slip, the apprehension, and the fallout.
Dr. Marcus Rogers
Jill McIntyre
Boris Sverdlik
Ronald Layton, U.S. Secret Service

BNAT Hijacking: Repairing Broken Communication Channels
Jonathan Claudius

Setting up BackTrack and automating various tasks with bash scripts
Lee Baird

Going on the Offensive - Proactive Measures in Securing YOUR Company
Dave Kennedy

05/23/2012 BSidesCleveland
Here is another event I will be speaking at.

What: BSidesCleveland
When: Friday, July 13, 2012
Where: Embassy Suites Cleveland - Rockside
Address: 5800 Rockside Woods Boulevard, Independence 44131
Cost: Free (as always!)

Register at:

Submit to CFP at:

05/22/2012 Homoglyph Attack Generator Updated: Obfuscating EXEs, scripts and documents using 'Right-To-Left Override' (U+202E)
Added option to use 'Right-To-Left Override' (U+202E) so you can do some stupied EXE tricks, and added a linkless output so you can copy & paste your homography without formatting
05/21/2012 Gaining Administrative Shell Access Via Command Injection
Here is another one from Jeremy Druin (@webpwnized):

Using command injection against the Mutillidae web application, we gain a root shell (Administrative Windows cmd shell). The server is fully patched with anti-virus running and a firewall blocking port 23. Additionally the telnet service is disabled. With the command injection vulnerability, this video demonstrates how misconfiguring web services can have serious consequences for security. Additionally we review how to remediate command injection vulnerabilities and discuss some of the defects which expose the server to compromise.
05/21/2012 Offensive-Security Ohio Chapter (OSOC) Version of OSInt/Footprinting Talk
This is the version of my OSInt/Footprinting talk as given at the Offensive-Security Ohio Chapter (OSOC) class on May 18th. I did not have my video gear with me, so @securid did the recording. Videos can also be downloaded from http://www.1dave1cup.com/
05/21/2012 Review of the IUS (Indiana University Southeast) MBA Program (and a bit about filing student grievances)
Most of my writings are on Information security, but this one delves into something else. It may still be of interest to those with a security mindset. I hope that it will serve two purposes: 1. To help other students that file grievances against faculty learn from my experience, and 2. convince those interested in pursuing an MBA in the Louisville area to go someplace other than the IUS MBA program.

Intro to Scanning: Nmap, Hping, Amap, TCPDump, Metasploit, etc. Jeremy Druin
This is the 2nd in a line of classes Jeremy Druin will be giving on pen-testing and web app security featuring Mutillidae for the Kentuckiana ISSA. This one covers scanning Nmap, Hping, Amap, TCPDump, Metasploit, etc.

05/06/2012 Jeremy Druin did some more Mutillidae/Web Pen-testing videos

At some point, I will start putting up some of my own content :) I have done some tricks that I hope will make the page load better, but I'm not sure about the browser compatibility. In the mean time, here is some more of Jeremy's work:

Using Metasploit Hashdump Post Exploit Module Creds Table And John
This video shows how to have the hashdump post exploitation module automatically populate the creds table in the metasploit database, then export the credentials to a file suitible to pass to the john the ripper tool in order to audit the passwords.

Using Metasploit Community Edition To Determine Exploit For Vulnerability
In previous versions of Metasploit it was possible to run "db_autopwn -t -x" in the msfcomsole in order to have metasploit guess the best exploits for a given vulnerability. This video looks at alternative functionality for the depreciated "db_autopwn -t -x" option in older versions of Metasploit's msfconsole. Metasploit Community Edition has similar exploit analysis functionality accessible via the web based GUI.

05/03/2012 More Mutillidae/Web Pen-testing videos from Jeremy Druin

Jeremy had two more videos for you. It's beginning to become a load problem with all the iframe embedded videos :). I'm willing to take suggestions.

Using Hydra To Brute Force Web Forms Based Authentication Over Http
This video covers using nmap to ping sweep network then discover ports on two machines to locate a web server on which Mutillidae is running. Once the web server is running, the site is loaded into Firefox and the login page is located. Using View-Source, Burp-Suite, and the sites registration, the login process is studied. Potential usernames are gathered from using Reconnoitter, CeWL, and the sites own blog page. A password file from john the ripper is used. With the potential usernames and passwords in hand, hydra is used in http-post-form mode to search for a username and password which can log into the site.

Connect To Unreachable Web Site Through Meterpreter Port Forwarding
This video covers accessing a web site that is normally unreachable from our Backtrack 5 box. However, after gaining a session on a third box, we forward our web browser through the compromised host in order to browse the website. The port forwarding is done via a meterpreter session on the compromised host. After setting up the port forward, the browser is able to use the compromised host as a relay (almost like a web proxy) in order to browse to the "internal" web application.

04/27/2012 DerbyCon tickets go on sale this today! (Friday April 27th) – CFP OPEN!
We will be opening up ticket sales on Friday at 1:00PM EST on April 27th 2012. Both training and normal conference tickets will be going on sale at this time. We feel we have a very stable ticketing system at this point from the tests last week and don’t anticipate any major issues! We look forward to seeing everyone at DerbyCon this year… It’s going to be amazing!!!

Call for papers are also open! Check out the CFP section on the DerbyCon here.

Some of the current speakers: Jeff Moss, Dan Kaminsky, Kevin Mitnick, Martin Bos, Adrian Crenshaw, HD Moore, Dave Kennedy, Ryan Elkins, Johnny Long, Chris Nickerson, Chris Gates, Eric Smith, Paul Asadoorian, Rob Fuller, Larry Pesce, Chris Hadnagy, John Strand, Peter Van Eeckhoutte, int0x80, Thomas d’Otreppe, Jack Daniel, Jason Scott, Deviant Ollam, Jayson E. Street, James Lee, Rafal Los, Kevin Johnson, Tom Eston, Rick Hayes, Georgia Weidman and Karthik Rangarajan

Check out videos of last year's Derbycon here.


2 more Mutillidae/Web Pen-testing videos from Jeremy Druin

Three more great videos from Jeremy Druin (@webpwnized ):

Creating Syn Port Scan Manually With Scapy
Contrast Nmap And Amap Service Version Detection Scanning



Outerz0ne 8 (2012) Videos

Here is the list:
Kickin' it off for year number 8! Outerz0ne: The History, The Legend SkyDog
Bare Metal Install of Linux from a Network Server Halfjack
How To Cyberstalk Potential Employers IronGeek
Complex Litigation in America Tyler Pitchford
Hook, Line and Syncer: Outerz0ne Remix Chris Silvers
IPv4 -to- IPv6 Service Providers Challenges Jeremy Schmeichel & SlimJim
Your Camera is Worth $300,000 to Microsoft Scott Moulton
Outerz0ne Closing and Awards Skydog and Crew

04/16/2012 Notacon 9 (2012) Videos
These are the videos from the 9th Notacon conference held April 12th-15th, 2012. Not all of them are security related, but  I hope my viewers will enjoy them anyway. Thanks to Froggy and Tyger for having me up, and to the video team: SatNights, Widget, Securi-D, Purge, Bunsen, Fry Steve and myself. Sorry about the sound issues, but there is only so much pain I want to go through in post. Also for some videos we only have the slides or the live video, but not both.

Track 1
Day 1

Game Maker: Crash Course
Chris Sanyk

Minute Man: All I Need is 60 Seconds
Rick Deacon

Get your kicks on route IPv6
Mike Andrews

We lit IPv6. This is what happened.
Jeff Goeke-Smith

Civic Hacking
Jeff Schuler, Beth Sebian

Vulnerabilities of Control Systems in Drinking Water Utilities
John McNabb

Hacking for Freedom
Peter Fein

Building a Game for the Ages (well, the young ages anyway)
Bill Sempf

Day 2

Mo data? Mo problems!
Mick Douglas

What if Max Zoran Succeeded? Living without Silicon Valley

How to totally suck at Information Security
Christopher Payne, Doug Nibbelink

(Just About) Everything you think you know about Wilderness Survival is Wrong
Mark Lenigan

Baking in Security
Jeff “ghostnomad” Kirsch

Your Hacker Class is Bullsh1t
Christopher Payne

REFACTORING THE REVOLUTION (Occupy as an Agile project)
Some Guy On Bridge

Custom Distributions Via Package Aliasing: release of The Pentest Repository
Ryan Holeman

Numbers, From Merely Big to Unimaginable
Brian Makin

Whose Slide Is It Anyway?
nicolle “rogueclown” neulist
(Sorry, I can't post this one since we did not get permission from everyone)

Track 2
Day 1

I’m a Hacker…and I’m a QSA (Hacking PCI Requirement 6.6. Why Your Web Applications are Still Not Secure)
David Sopata, Gary McCully

Neurohacking: from the bottom up

Code That Sounds Good: Music Theory and Algorithmic Composition
nicolle “rogueclown” neulist

Collaboration. You keep using that word…
Angela Harms

Kinetic Security
Knuckles, Jeff “ghostnomad” Kirsch, Ghostnomadjr

Milkymist: video synthesizers at the cutting edge of open source hardware
Sébastien Bourdeauducq

Development Operations: Take Back Your Infrastructure
Mark Stanislav

Exercise Your Mind and Body
Suellen Walker, Joe Walker

Day 2

How to Market the Morally Broken and Sociologically Depraved: A Guide to Selling Your Local Hacker Conference to the Public
Jaime Payne

Geocaching 101
Jon Peer

Notacon 9 Network

1984 2012 Legal Privacy Trends
Nick Merker

The Sword is Mightier than the Pen(test): an Introduction to Fencing
Brian Stone, Amy Clausen

What Locksport Can Teach Us About Security
Bill Sempf

Octodad: Building a Better Tentacle Ragdoll
Devon Scott-Tunkin


More Mutillidae/Web Pen-testing videos from Jeremy Druin

Three more great videos from Jeremy Druin (@webpwnized ):

Detailed Look At Linux Traceroute

This video takes a detailed look at the traceroute program in Linux. The newer traceroute is used (version 2.0.18). The later versions have the ability to send packets of different protocols (i.e. TCP) to the target. This feature was previously found in the LFT (Layer Four Traceroute) tool but not found in the Linux traceroute. While LFT still is more feature-rich than the traceroute built into Linux, the new features in Linux traceroute make the tool very useful and quite capible. It helps to understand how the traceroute tool forms the packets, to what ports the packets are sent, and what protocols can be used to send the packets. This information can be used to get traceroute commands to work through firewalls and HIPS systems when ICMP and/or UDP and/or most TCP ports are blocked.

Introduction To TCPDump Network Sniffer

This video is an introduction to the tcpdump network packet sniffer/capture tool. The video is relatively long because of the demo used required "building up" to the HTTP capture. The video only covers the basics but is meant to be a good introduction to practical use of tcpdump.

Basics Of Using The Maltego Reconnaissance Graphing Tool

This video looks at using Maltego to both gather and organize information in a customer pen-test. Maltego is a GUI-based tool for Linux which is included in the Backtrack 5 R2 release. The tool is able to gather information from public sources on entities. The Community Edition (used in this video) is free. There is a paid-version with more features. The site used in this video is irongeek.com and was used with written permission from the owner. If following along, please use a domain for which you have permission.

04/08/2012 Finding Comments And File Metadata Using Multiple Techniques
Jeremy Druin has made a new video:
This video has two related parts. The first part discusses finding the comments in Mutillidae related to the "comments challenge". This is an easy challenge in Mutillidae but the techniques can be extended to search entire sites for comments. The second part of the video looks at finding metadata in general using a variety of tools.

The tools used are Firefox "View Source", W3AF, grep, wget, Burp Suite, exiftool and strings. The demo site used is Mutillidae, which is a free open-source fully functional PHP site with a MySQL database. The site runs on localhost or it can be run in a virtual network as a practice target or capture the flag target. It is not a good idea to run Mutillidae publically because it will get hacked. Mutillidae is available at Sourceforge and Irongeek.com. Along with the project is several documents and an installation guide for Windows 7.

Also, I updated the Pen-testing practice in a box: How to assemble a virtual network post to fix an audio issue (it was cutting out after a certain amount of time).

04/07/2012 Pen-testing practice in a box: How to assemble a virtual network
This is the first in a line of classes Jeremy Druin will be giving on pen-testing and web app security featuring Mutillidae for the Kentuckiana ISSA. Topics: Virtual Box Installation, Installing virtual machines, Configuring virtual networks - bridged, nat, hostonly, USB devices in virtual machines, Wireless networks in virtual machines, Installing Guest Additions, How to install Mutillidae in Windows on XAMPP, How to install Mutillidae in Linux Samurai
04/05/2012 Mutillidae How To Use Dradis To Organize Nmap And Nessus Scan Results
New video from Jeremy Druin:
The latest version of Dradis (2.9) has excellent import speed compared to version 2.7. This video looks at using the import features of Dradis to organize the scan results from an nmap scan and a Nessus 5 scan. Dradis is a tool that allows pen testers, auditors, and vulnerability assessors to organize their work by server or other categories. The Dradis starts a web server which other team members can share information as well.
04/03/2012 Homoglyph Attack Generator Updated
I found a list of IDN blacklisted characters on Mozilla's site and added them. I also added a table of the homoglyphs I'm using.
04/01/2012 Two More Web Security Videos From Jeremy Druin
Jeremy Druin has made two more videos:

How To Upgrade To Nessus 5 On Backtrack 5 R2

This video looks at upgrading Nessus 4 to Nessus 5. The operating system used in the video is Backtrack 5 R2. Nessus 4 was successfully registered and running on this OS prior to attempting to upgrade to Nessus 5. If a fresh Nessus install is needed, the process is different.

Creating Reports And Metasploit Db Importable Reports With Nmap Xml Output

Nmap reporting is excellent with the XML option but this is not used in a lot of cases. The XML output from nmap can be imported into other tools such as the Metasploit Community Edition (Import button), metasploit DB, and other tools. Also, the XML format can be opened in a web browser to produce a well-formatted report suitable for attachment to a pen-test.


Outerz0ne Video Move
Still working on moving videos to YouTube to support more devices. Since Outerz0ne is coming up I decided to move their videos next:

Outerz0ne 2011:

SkyDog - Opening Ceremonies/etc.
SkyDog - The Modern Day Hacker
IronGeek - Rendering Hacker Con Videos with AviSynth
MadMex - Windows Command Line Incident Response
HalfJack -Building your Own Green Home
Beau Woods - What Companies and Vendors must know about securing mobile devices, mobile applications, access and data.
Rick Hayes - Assessing and Pen-Testing IPv6 Networks
Pure Hate - Why your password policy sucks
Billy Hoffman - Advice on starting a start-up
Contest Prize Giveaway, Awards, Closing Ceremonies

Outerz0ne 2010:

Intro to Outerzone and Talk 1 - Security People Suck - Gene Bransfield
IronGeek - Turning the Zipit 2 into a mobile hacking device
PBR90X - Social Networking #FAIL
Scott Moulton - Hard Drive Kung Fu Magic
Brian Wilson -Docsis Coolness
Billy Hoffman - Web Performance Talk Craziness
Closing Ceremonies

Outerz0ne 2009

Morgellon - *Duino-Punk! Manifesting Open Source in Physical Space from Outerz0ne 5
Tyler Pitchford - They took my laptop! - U.S. Search and Seizure Explained
SkyDog - Screen Printing Primer - Make your own Con Shirt!
SlimJim100 - Live Demo of Cain & Able and the Man-in-the-middle-attack
Nick Chapman - Embedded Malicious Javascript
Makers Local 256 - A primer on hackerspaces
Scott Moulton - Reassembling RAID by SIGHT and SOUND!
Rob Ragan - Filter Evasion - Houdini on the Wire
Acidus (Billy Hoffman) - Offline Apps: The Future of The Web is the Client?

Also, a video I did about Outerz0ne and Notacon 2009:

Outerz0ne and Notacon 2009 Hacker Cons Report

03/28/2012 Manual Directory Browsing To Reveal Mutillidae Easter Egg File
Jeremy has made another video:
This video looks at manual testing for directory browsing misconfiguration vulnerabilities in Mutillidae. For directory browsing brute forcing, OWASP DiRBuster or Burp-Suite Intruder are great tools. However, Mutillidae gives away some of its directory paths when serving PDF and other files. These can be tested manually to reveal the Mutillidae Easter egg file. Also common directory names like "include" and "includes" can be tried quickly just using a browser before firing up the tools.
03/26/2012 Password Exploitation Class (YouTube Migration)
I've migrated the "Password Exploitation Class" to YouTube. This should allow it to be viewed on more devices.

This is a class we gave for the Kentuckiana ISSA on the the subject of password exploitation. The Password Exploitation Class was put on as a charity event for the Matthew Shoemaker Memorial Fund. The speakers were Dakykilla, Purehate_ and Irongeek.

03/26/2012 Anti-Forensics: Occult Computing Class (YouTube Migration)
I've migrated the "Anti-Forensics: Occult Computing Class" to YouTube. This should allow it to be viewed on more devices.

This is a class I gave for the Kentuckiana ISSA on the the subject of Anti-forensics. It's about 3 hours long, and sort of meandering, but I hope you find it handy. For the record, Podge was operating the camera :) Apparently it was not on me during the opening joke, but so be it, no one seemed to get it. I spend way to much time on the Internet it seems. Also, I'm in need of finding video host to take these large files. This class video is 3 hours, 7 min and 1.2GB as captured.

03/26/2012 OSInt, Cyberstalking, Footprinting and Recon: Getting to know you (YouTube Migration)
I've migrated the "OSInt, Cyberstalking, Footprinting and Recon: Getting to know you" to YouTube. This should allow it to be viewed on more devices.

The following are videos from the Footprinting/OSInt/Recon/Cyberstalking class I did up in Fort Wayne Indiana for the Northeast Indiana Chapter of ISSA. I've split the class into three videos by subtopic, and included the text from the presentation for quick linking.

03/24/2012 Mutillidae Injecting Cross Site Script Into Logging Pages Via Cookie Injection
Jeremy has made another video (I can't keep up):
By setting the values of browser cookies, then purposely browsing to a web page that logs the value of user cookies, it may be possible to inject cross site scripts into the log files or the log data table of the web site. Later when the logs are reviewed by Administrators, the cross site scripts may execute in the administrators browser. The video uses the Mutillidae capture data pages as an example. In Mutillidae one of the capture the flag events is to poison the attackers browser by purposely exposes the attacker to a cross site script. This can be done by infecting a cookie then "letting" the attacker trick you into visiting the capture data page.
03/24/2012 Mutillidae Generate Cross Site Scripts With SQL Injection
Jeremy has made another video:
This video discusses an advanced SQL injection technique. The SQL injection is used to generate cross site scripting. This is useful when cross site scripts cannot be injected into a webpage from a client because web application firewalls or other scanners are in place. When an SQL injection can be snuck past the WAF, it is possible to have the SQL injection generate the Cross Site Script dynamically.

DOJOCON 2010 Videos Migrated To YouTube
I've started to migrate the con videos I record and embed on this site to YouTube. I'm doing this for a few reasons:

1. Vimeo took down Dave Marcus' talk because they said it was in violation of their TOS, and when I tried to explain to them what it was about they would not email me back (and I was a paying customer to their service at the time).
2. I'm now allowed longer videos on YouTube, so why not.
3. This should support more devices.

I've started with DOJOCON 2010 to get Dave's talk back up. Below are the videos from the conference, at least the ones I can show :), enjoy.


Tiffany Strauchs Rad, @tiffanyrad: International Cyber Jurisdiction: "Kill Switching" Cyberspace, Cyber Criminal Prosecution & Jurisdiction Hopping
John Strauchs, @strauchs: Security and IT Convergence
Richard Goldberg, @GoldbergLawDC: Rules of Engagment: Mitigating Risk in Information Security Work
Jon McCoy: Ninja Patching .NET
Marco Figueroa, @marcofigueroa & Kevin Figueroa: Detecting & Defending Your Network using Nepenthes/Shaolin Tools
Dave Marcus, @davemarcus: Using Social Networks To Profile, Find and 0wn Your Victims
Brian Baskin, @bbaskin: P2P Forensics
Jonathan Abolins, @jabolins: Internationalized Domain Names & Investigations in the Networked World
Deviant Ollam, @deviantollam: Don't Punch My Junk
Michael Shearer, @theprez98: How to 0wn an ISP in 10 Minutes
Christopher Witter, @mr_cwitter: Enterprise Packet Capture on Da'Cheap
Ben Smith: Printer Exploitation
Adrian Crenshaw, @irongeek_adc: Malicious USB Devices: Is that an attack vector in your pocket or are you just happy to see me?
Shyaam Sundhar, @EvilFingers and John Fulmer, @DaKahuna2007: Is the IDS Dead?
Chris Nickerson, @indi303: The State of (In)Security
Gal Shpantzer, @shpantzer: Security Outliers: Cultural Cues from High-Risk Professions
Michael Smith, @rybolov: DDoS


Web Application Pen-testing Tutorials With Mutillidae
When I started the Mutillidae project it was with the intention of using it as a teaching tool and making easy to understand video demos. Truth be told, I never did as much with it as I intended. However, after Jeremy Druin (@webpwnized) took over the development it really took off. I have since come to find out he has been doing A LOT of YouTube video tutorials with Mutillidae, which he said I could share here. I will be copying his descriptions with slight editing and embedding his videos in this page. Videos include:

  • Determine Http Methods Using Netcat

  • Determine Server Banners Using Netcat Nikto And W3af

  • Bypass Authentication Using SQL Injection

  • Using Menus

  • Bypass Authentication Via Authentication Token Manipulation

  • Explanation Of HTTPonly Cookies In Presense Of Cross Site Scripting

  • Closer Look At Cache Control And Pragma No Cache Headers

  • Demonstration Of Frame Busting Javascript And X-Frame Options Header

  • How To Install And Configure Burp Suite With Firefox

  • Basics Of Web Request And Response Interception Using Burp Suite

  • Brute Force Authentication Using Burp Intruder

  • Automate SQL Injection Using SQLMap To Dump Credit Cards Table

  • Command Injection To Dump Files Start Services Disable Firewall

  • How To Exploit Local File Inclusion Vulnerability Using Burp Suite

  • HTML Injection To Popup Fake Login Form And Capture Credentials

  • Two Methods To Steal Session Tokens Using Cross Site Scripting

  • How To Bypass Maxlength Restrictions On HTML Input Fields

  • Two Methods To Bypass Javascript Validation

  • Three Methods For Viewing Http Request And Response Headers

  • Basics Of SQL Injection Timing Attacks

  • Basics Of SQL Injection Using Union

  • Basics Of Inserting Data With SQL Injection

  • Inject Root Web Shell Backdoor Via SQL Injection

  • Basics Of Using SQL Injection To Read Files From Operating System

  • How To Locate The Easter Egg File Using Command Injection

  • Injecting Cross Site Script Into Stylesheet Context

  • Introduction To Http Parameter Pollution

  • Basics Of Injecting Cross Site Script Into HTML Onclick Event

  • Basics Of Finding Reflected Cross Site Scripting

  • Analyze Session Token Randomness Using Burp Suite Sequencer

  • Using Nmap To Fingerprint Http Servers And Web Applications

  • Spidering Web Applications With Burp Suite

  • Basics Of Burp Suite Targets Tab And Scope Settings

  • Brute Force Page Names Using Burp Intruder Sniper

  • Using Burp Intruder Sniper To Fuzz Parameters

  • Comparing Burp Intruder Modes Sniper Battering RAM Pitchfork Cluster Bomb

  • Demo Usage Of Burp Suite Comparer Tool

  • Import Custom Nmap Scans Into Metasploit Community Edition

  • Using Metasploit Community Edition To Locate Web Servers

  • XSS DNS Lookup Page Bypassing Javascript Validation

  • Use Burp Suite Sequencer To Compare Csrf Token Strengths

  • How To Remove PHP Errors After Installing On Windows Xampp

  • Quickstart Guide To Installing On Windows With Xampp

  • Basics Of Running Nessus Scan On Backtrack 5 R1

  • How To Import Nessus Scans Into Metasploit Community Edition

  • Basics Of Exploiting Vulnerabilities With Metasploit Community Edition

  • Sending Persistent Cross Site Scripts Into Web Logs To Snag Web Admin

  • Quick Start Overview Of Useful Pen-Testing Addons For Firefox

  • Three Methods For Viewing Javascript Include Files

  • Reading Hidden Values From HTML5 Dom Storage

  • How To Execute Javascript On The Urlbar In Modern Browsers

  • Adding Values To Dom Storage Using Cross Site Scripting

  • Alter Values In Html5 Web Storage Using Cross Site Script

  • Altering Html 5 Web Storage Values Using Persistent XSS

  • Altering HTML 5 Web Storage With A Reflected XSS

  • 03/13/2012 Crypto & Block Cipher Modes (OpenSSL, AES 128, ECB, CBC)
    Hopefully this will give a nice visual illustration of how Electronic codebook (ECB) and Cipher-block chaining (CBC) work using AES-128 and OpenSSL. You can learn a lot from a known plain text, and repeating patterns. Inspired by labs from Kevin Benton & "Crypto Lab 1" SEED.
    03/12/2012 Shared Hosting MD5 Change Detection Script Updated
    Fixed an issue with permlog.txt not being put in the $ScriptDir directory.


    Derbycon 2.0: The Reunion Promo Video Posted
    Dave Kennedy has posted a promo video form Derbycon 2012. A few prominent speakers have been announced. Hope you all can make it this year. To see what you missed from Derbycon 2011, go visit the video page.
    03/03/2012 Proposal for "Out of Character: Use of Punycode and Homoglyph Attacks to Obfuscate URLs for Phishing"
    Below is a project I'm doing for class. If you want to make suggestions and tell me about weird Unicode/Homoglyph security issues, please email me. If you want to play with making homographs, look at my Homoglyph Attack Generator.
    02/28/2012 Shared Hosting MD5 Change Detection Script
    I was wanting a simple shell script that would monitor the files on a site, and report any changed via email. Dave Kennedy's Artillery was close to what I needed (and does a lot more), but I wanted something I could run on my shared hosting account. This is what I came up with, for better or worse. If nothing else, it was a good exercise in BASH scripting, and may come in handy for those that want to make something similar.
    02/22/2012 Malicious USB Devices Page Updated With Videos
    I recently found out that the CACR at Indiana University posted a video of a talk I did for them awhile back, so I decided to update my Malicious USB Devices page to embed it and the other versions of the talk I have.
    02/21/2012 InfoSec Daily Podcast 600 Tonight
    The ISD Podcast is having its 600th episode tonight, Feb 21st 2012. Come join us on the live stream and IRC (#isdpodcast on Freenode) at 8PM EST.
    02/20/2012 How I Got Pwned: Lessons in Ghetto Incident Response
    For those wondering about the details of my recent defacement.
    02/05/2012 ShmooCon Firetalks 2012 Videos
     Night 1
     “How Do You Know Your Colo Isn’t “Inside” Your Cabinet, A Simple Alarm Using Teensy” by David Zendzian
     “Bending SAP Over & Extracting What You Need!” by Chris John Riley
     “ROUTERPWN: A Mobile Router Exploitation Framework” by Pedro Joaquin
     “Security Is Like An Onion, That’s Why it Makes You Cry” by Michele Chubirka
     “Five Ways We’re Killing Our Own Privacy” by Michael Schearer
     Night 2
     “Cracking WiFi Protected Setup For Fun and Profit” by Craig Heffner
     “Passive Aggressive Pwnage: Sniffing the Net for Fun & Profit” by John Sawyer
     “Ressurecting Ettercap” by Eric Milam
     “Security Onion: Network Security Monitoring in Minutes” by Doug Burks
     “Remotely Exploiting the PHY Layer” by Travis Goodspeed


    ShmooCon Epilogue 2012 Talks
     Resurrection of Ettercap: easy-creds, Lazarus & Assimilation
     Eric Milam - (Brav0Hax) &
     Emilio Escobar
     Media Hype and Hacks that Never Happened
     Space Rouge
     More than one way to skin a cat: identifying multiple paths to compromise a target through the use of Attach Graph Analysis
     Joe Klein
     Proper Depth / Breadth testing for Vulnerability Analysis and fun with tailored risk reporting metrics.
     Jason M Oliver
     Extending Information Security Methodologies for Personal User in Protecting PII.
     John Willis
     Stratfor Password Analysis
     Chris Truncer
     Intro To Bro
     Richard Bejtlich
     Javascript obfuscation
     Brandon Dixon


    Unix File Permissions and Ownership (CHOWN, CHMOD, ETC)
    I'm taking a security class were we had a lab on Unix/Linux file system permissions. I decided I might as well record it, and the steps taken, along with explanations as to what I was doing to set the permissions such as read, write, execute, SetUID, SetGID and the Stickybit. Kevin Benton created the lab, so I'd like to give him credit for inspiring me to do this video.
    01/16/2012 Basic Setup of Security-Onion: Snort, Snorby, Barnyard, PulledPork, Daemonlogger
    Thanks to Doug Burks for making building a Network Security Monitoring Server much easier. I mentioned Snort, Snorby, Barnyard, PulledPork and Daemonlogger in the title, but there is a lot more on the distro than that. This is a nice way to get an IDS up and running featuring pretty frontends without going into dependency hell.


    Pen-Testing Web 2.0: Stealing HTML5 Storage & Injecting JSON Jeremy Druin
    This is Jeremy's talk from a recent ISSA meeting. In it he covers what the title says, showing off stealing of HTML 5 storage, injecting JSON, using Burp Suite, Muttillidae and some XSS attack fun. Sorry about the noise in the first bit, I had to set the camera up a ways off and it picked up my bag of chips better than it did Jeremy's talk. @webpwnized

    Video Posted and Code Updated for Homemade Hardware Keylogger
    My video from NeoISF is now posted: PHUKD/Keylogger Hybrid.

    The code has been updated in the following ways:

    On the PIC side: Updated Firmware for the USB Host Module - PIC24FJ256GB106 to work with more keyboards.

    On the Teensy side:

    * If a keyboard was plugged in after the keylogger was already powered on, it would type "i7-". I added code
    to fix this problem.
    * Fixed RAW serial debug mode not to print key
    * Changed name of variable "lasttenletters" to "lastfewletters" and expanded it to 60.
    * Ctrl+Alt+Y is now used for typing more debugging details.
    * Implemented likely to fail code for unlocking workstation using captured password.
    * I had some problems with running out of SRAM because of all of my static strings. I started using the F()
    function to pull these strings from flash memory to solve this issue.
    * Fixed a case issue with lastfewletters. I did not know the method changed it in place.
    * Fixed a bug in HIDtoASCII that made it top row of number keys not work right.

    12/08/2011 DIY USB And PS/2 Hardware Keyloggers/PHUKD Hybrids Updated
    I've updated my Do It Yourself Keylogger's project site with the following information.

    I've uploaded improved code,
    Just PS/2:
    * Converted ints to bytes in many places. Why take the extra space? :)
    Both USB and PS/2:
    * Made sure it worked with Arduino 1.0.
    * Switched to using the SD library that comes with Teensyduino (from the comments, it looks like
    it's a wrapper by SparkFun Electronics around William Greiman's work).
    * Changed the variables "file" to "logfile" and "filename" to "logfilename" to be less ambiguous.

    I also embedded my talk from Skydogcon and pasted my class project report on the end which gives a lot more details about how this hardware keylogger was created and why.

    12/05/2011 Programmable HID USB Keystroke Dongle Library Updated With OS X Functionality
    I updated the PHUKD library to 0.4. There are some new function. OS X Spotlight and Terminal code was provided by Adam Baldwin and Aaron Howell ngenuity-is.com / evilpacket.net.
    jp (.ronin) http://www.hackfromacave.com also provide some source code for the OS X side, but I ended up using Adam and Aaron's. The functions added were:

    extern void CommandAtRunBarOSX(char *SomeCommand);
    extern void CommandAtNewTerminal(char *SomeCommand);
    extern void ShrinkCurWinOSX();

    I also tested to make sure it worked with Arduino 1.0.

    12/03/2011 NetworkMiner Professional for Network Forensics
    This video was made to show some of the extra features of NetworkMiner Professional, like Pcap-over-IP, running on OS X under Mono, Export results to CSV / Excel, Geo IP localization, Host coloring support, and Command line scripting support.
    11/30/2011 Mutillidae 2.1.7 Deliberately Vulnerable Web App Updated (a lot)

    Jeremy Druin has been doing a lot of work on Mutillidae since I last posted to the front page/rss about it. Here is the change long since the last time I mentioned it:

    Change Log for Mutillidae 2.1.7:

    Added a new page for HTML5 storage. The page is meant to show how to both use and attack HTML5 storage. The page supports Local and Session storage types. The user can attack the storage in two contexts. They can act as if they want to read to contents of their own browsers session storage to see if the developer put authorization tokens or other items into the storage. They can also try to use XSS to steal the session storage. In this use-case the user would be acting as if they wanted to read someone elses storage. A large number of hints has been added to the page. The page name is "html5-storage.php" and can be accessed from the Cross Site Scripting menu and information leakage menu. In security level zero, the page has no defenses. In level 1, the page will use trivial JavaScript validation. In security level 5, the page will refuse to put the secrets in client side storage.

    11/13/2011: Jeremy Druin / Kenny Kurtz

    Change Log for Mutillidae 2.1.6:

    Enhanced the .htaccess file to automatically disable magic quotes on systems which enable them by default (such as some OSX versions of PHP)
    Fixed some bugs in the phpinfo.php file that made the page display weird.
    Enhanced the hidden PHPINFO page so that it would work if the user browsed to http://localhost/mutillidae/index.php?page=phpinfo.php or to http://localhost/mutillidae/phpinfo.php. This example assumes Mutillidae is running on localhost.
    Fixed a bug in index.php that kept the log-visit page from being included.
    Fixed a bug in log-visit.php that kept the page from working.
    Fixed installation instructions format for IE 8 not in compatibility mode.

    11/10/2011: Jeremy Druin

    Change Log for Mutillidae 2.1.5:

    Added vuln to login sequence. Now a cookie is created with username. Students should try to XSS the cookie and see what happens. Also try a response splitting attack because a cookie is an HTTP header.
    Created new twitter feed to make Mutillidae announcements and other web vulnerability tweaks. @webpwnized
    Fixed installation instructions format for IE 8 not in compatibility mode

    10/14/2011: Jeremy Druin

    Change Log for Mutillidae 2.1.4:

    Moved usage instructions and php errors from the home page to their own pages.
    In insecure mode, changed the method of the user-info.php page to GET in order to make it easier to use sqlmap against Mutillidae. sqlmap supports POST but it is easier to use with GET.
    Added hints about sqlmap to sql injection tutorial and to the easter egg file
    Added a credit card table as a target in the database
    Confirmed that the view-blog table can be attacked with sqlmap. The answer is in the Easter Egg file.

    10/13/2011: Jeremy Druin

    Change Log for Mutillidae 2.1.3:

    Fix a bug. If the user was on the home page, without having clicked any link to this point (such as when using a bookmark), then the user clicked the "change security level", the page would redirect to page not found.
    Increased the slide time for the ddsmoothmenu to make it slow down a little bit
    Added a NEW vulnerability. Many sites have crazy pages that show server settings, expose admin functionality, allow configuration, or other features a user should not be able to see. The problem is not the pages themselves so much as the fact that developers think no one will guess the name and browse to them. Shoulder surfing, guessing, brute-forcing, etc can be used to find these pages. Mutillidae now has such a page. It is in the "Server Misconfiguration" category. See secret-administrative-pages.php for hints.
    Augmented the installation instructions
    Added link to ihackcharities to front page
    Added a new security level. Now there is security level 1. The only difference in this release between level 0 and level 1 is that level 1 has JS validation. The JS validation has been in place for a while to allow but was activated in level 0. Since level 0 is supposed to be very easy, the decision was made to create level 1 and move JS validation to level 1. The JS validation is trivial to bypass. Simply disable JS or use a proxy such as Tamper Data, Paros, Burp, WebScarab, or others.
    Page homenotes.php has been merged with home.php.
    Page home.html has been renamed home.php
    Added protection for SQL injection to add to your blog.php output of the current users blog entries. Prior to this patch, you could SQL inject in security level 5 by putting your injection in the current users login name because the query uses the current users login name as the input to the query.
    Improved the DNS lookup page to add JS validation in security level 1 mode.
    Changed padding for BACK button to use styles rather than HTML BR tags.
    Changed the password generator password length to 15 to set a better example.
    Some refactoring on user-info.php and login.php to clean up code
    Added CSRF Protection to page add to your blog. This only works in secure mode.
    Added more scripts to the easter egg file (Mutillidae Test Scripts)
    Bug fix: The setupandreset.php errors were not printing out.
    Stupid bug fix: Removed the "open DB" that was firing before the database was actually created.
    Created output on page setupandreset.php to show what happened
    Added try/catch and more error handling to setupandreset.php

    11/26/1011 Jamison Scheeres – "Social Engineering is a Fraud" Talk from Derbycon
    Jamison gave me the go ahead to post his video from Derbycon. Now I just have to get off my lazy butt and do the video for the updated/professional version of NetworkMiner.

    SkyDogCon 2011 Videos
    Here are the videos from SkyDogCon. Thanks to all of the SkyDogCon crew.

    SkyDog - Conference Opening Remarks

    Curtis Koenig - The Neurobiology of Decision Making

    Chris Anderson - Corporate Evil

    Rious - Making of the SkyDogCon Electronic Badge

    IronGeek - More PHUKED Than Ever

    Nick Levay - Counter Espionage Strategy and Tactics

    Karlo Arozquerta - Windows Command Line Forensics

    Brian Wilson - DOCSIS Networks

    Brent Baldwin/Robert Jason - Brewing Coffee the Soft Brew Way

    Sonny Mounicou - Hackerspace Technology 101

    Pat McCoy/Mike McGilvray - Hook, Line and Syncer: A Liar for Hire's Ultimate Tackle Box

    James Ruffer - Information gathering and social media attacks to gain physical and electronic access to companies

    Bart Hopper - Avoiding the Landmines in Your Own Backyard

    HackerSpace Panel

    Ben Feinstein - Morto Kombat: Understanding the Morto Worm

    11/04/2011 Updates To Homemade Hardware Keylogger/PHUKD Hybrid
    Fixed some bugs, added some features.

    Change logs:

    PS/2 Hardware Keylogger/PHUKD:

    * Holding mod keys did not always work for multi select. Got it working (at least I think I did).
    * Nulls were getting into the logs, so I made an unhandled keycode exception.

    USB Hardware Keylogger/PHUKD:


    * Holding mod keys did not always work for multi select. Got it working by taking out the key replay code,
    and made held keys function better in the process. Also, it made the code simpler to read as I got rid
    of a bunch of unneeded cruft code. :)
    * Nulls were getting into the logs, so I made an unhandled keycode exception.
    *Changed log brackets from <> to [].

    * Fixed bug in logging unknown keys.
    * Added logging for keys [KEY_TAB] and [KEY_NON_US_NUM].
    * Ctrl+Alt+S toggles the typing of raw bytes as they come in the serial connection.
    * Converted ints to bytes in many places. I think their was a type casting problem causing weird issues.
    * Fixed a buffer overflow issue caused by IncomingHIDReportIndex going over 18.
    * Many other tiny changes.

    11/02/2011 Homemade Hardware Keylogger/PHUKD Hybrid
    I've been doing some work recently on making homemade keyloggers of both the USB and PS/2 persuasion that will take keystrokes, record/replay them, and modify programmable HID payloads accordingly. This hardware and software is not exactly ready for prime time, but I figured I'd share it with you. On this page you will find rough schematics, source code and links that may help you build your own. I plan to put a video up that demos the devices right after Skydogcon.

    For related work see:

    Hardware Key Logging Part 1: An Overview Of USB Hardware Keyloggers, And A Review Of The KeyCarbon USB Home Mini (Text)
    Hardware Key Logging Part 2: A Review Of Products From KeeLog and KeyGhost (Text)
    Hardware Key Logging Part 3: A Review Of The KeyLlama USB and PS/2 Keyloggers (Text)
    Irongeek - Hardware Keyloggers: Use, Review, and Stealth Presentation (Phreaknic 12) (Video)
    Hardware Keyloggers In Action 1: The KeyLlama 2MB PS/2 Keylogger (Video)
    Hardware Keyloggers In Action 2: The KeyLlama 2GB USB Keylogger (Video)
    Bluetooth Wireless Hardware Keylogger Review (Video)
    Programmable HID USB Keystroke Dongle: Using the Teensy as a pen testing device (Defcon 18) (Video)
    Programmable HID USB Keystroke Dongle: Using the Teensy as a pen testing device (Text)
    Plug and Prey: Malicious USB Devices (Text)
    Malicious USB Devices: Is that an attack vector in your pocket or are you just happy to see me? (Video)

    10/24/2011 Hack3rcon II Videos Posted

    Contents are as follows:

    Opening Ceremony - Johnny Long - Keynote (via Skype)
    Chris Silvers and Pat McCoy Hook Line and Syncer A Liar for Hires Ultimate Tackle Box
    Boris Sverdlik Your Perimeter Sucks
    Joshua Perry OSINT
    Gus Fristschie Getting f***ed on the river
    Eric Milam Automating MiTM for Winning
    Keith Pachulski Common Project Issues with Technical Assessments
    Tim Tomes and Mark Baggett Lurking in the Shadows
    Martin Bos Your Password Policy Sucks
    James Macgregor Watson Online Time OF cRIME
    Charlie Vedaa F*** the Penetration Testing Execution Standard
    Stephan Looney Up and Running with Backtrack Workshop
    Thomas Hoffecker Exploiting PKI for Fun & Profit or The Next Yellow Padlock Icon
    @grecs How to Win Followers and Influence Friends Hacking Twitter to Boost Your Security Career
    Jon Schipp Knowing What's Under Your Hood Implementing a Network Monitoring System

    10/15/2011 Downloads for Derbycon 2011 Posted
    For those wanting to download copies of the videos from Derbycon 2011, I have them all uploaded to Archive.org. You can find the link at the bottom of the Derbycon 1 page. Archive.org's automated process should be generating smaller OGG and MP4 versions.

    Also, since we had problems with the audio rig in Joff Thyer's talk he sent me slides and demo videos for his Covert Channels using IP Packet Headers presentation. Enjoy.

    10/08/2011 Derbycon Videos 2011: The rest of them
    In this wave are the last of the videos from the Derbycon conference (tracks 2 and 3 of day 3 plus closing). Unfortunately, there were a few losses.

    Day 3, Track 2

    Jason n00bz – Advanced Penetration Techniques for the non-technical n00b (Not Recorded)
    Jayson E. Street – Steal Everything, Kill Everyone, Cause Total Financial Ruin!  (Or How I Walked In And Misbehaved)
    James Lee (egypt) – State of the Framework Address (Sound came out as just ground noise)
    Ron Bowes – Advanced Nmap Scripting: Make Nmap work for you!"
    (Sound came out as just ground noise)
    Deviant Ollam – Distinguishing Lockpicks: Raking vs Lifting vs Jiggling and More
    Raphael Mudge – Dirty Red Team tricks

    Day 3, Track 3
    Note: Some of these had weird ambient noise that I could not remove without making all of the audio sound weird. I did the fix to JDuck's, but the rest I left alone.

    Chris Roberts – A Tribute to Dr. Strangelove
    Kyle Osborne (kos) – The Hidden XSS – Attacking the Desktop
    Mick Douglas – Blue team is sexy — refocusing on defense — Part II — All you baseline are belong to us
    Garrett Gee – Typo-squatting Just Got A Lot More Dangerous (Not Recorded)
    Thomas d’Otreppe (mister_x) – OpenWIPS-ng
    Joshua Drake (jduck) – Exploiting Java Memory Corruption Vulnerabilities

    I have ideas for Derbycon 2 to make the recording a bit more reliable. See you next year!

    10/07/2011 Derbycon 2011, Day 2 Track 3 and Day 3 Track 1 Talks Posted
    In this wave are the videos from the 2nd day 3rd track and 3rd day 1st track of the Derbycon conference. Please note that some videos were lost because of audio issues or are awaiting approval. In this wave:

     Day 2, Track 3:

    Georgia Weidman – Throw It in the River? Towards Real Live Actual Smartphone Security
    Rob Simon – Pentesting over Powerlines
    Larry Pesce – You are the Smart Meter: Making (and hacking) of the 2011 MA-CCDC electronic badges
    Bill Sempf – Is locksport a sport?
    Infojanitor – Virtual trust, Virtual Permission and the Illusion of Security
    Ben Feinstein & Jeff Jarmoc – Get Off of My Cloud": Cloud Credential Compromise and Exposure
    Jimmy Shah – Mobile App Moolah: Profit taking with Mobile Malware
    McCorkle & Rios – 100 bugs in 100 days: An analysis of ICS (SCADA) software
    Scott Ullrich + Chris Buechler – Open source firewalling with pfSense (Sound came out as just fuzz)
    Spiky Geek – How I learned to roll my own:Building custom pen testing platforms on the fly (Sound came out as just fuzz)
    Brent Huston – Realize Your Hacker Heritage: Do The Needful

     Day 3, Track 1

    Charlie Miller – Battery Firmware Hacking
    Peter Van Eeckhoutte & Elliot Cutright – Win32 Exploit Development With Mona and the Metasploit Framework
    Ryan Linn – collecting Underpants To Win Your Network
    Jamison Scheeres – Social Engineering is a Fraud (Awaiting approval)
    Josh Kelley (winfang98) – Infectious Media – Bypassing AutoRun once and for all
    Kevin Johnson & Tom Eston – Desktop Betrayal: Exploiting Clients through the Features They Demand


    10/06/2011 Derbycon 2011, Day 2, Track 2 Talks Posted
    In this wave are the videos from the 2nd day of the conference that took place in track two. In this wave:

    Brian Baskin – Walking the Green Mile: How to Get Fired After a Security Incident
    Joe Schorr – “Rule 1: Cardio” (and 9 other rules to keep intruders out)
    Thomas Hoffecker – Exploiting PKI for Fun & Profit or The Next Yellow Padlock Icon?
    Matthew Becker – 73o7\/\/@\/\/Ki – Survival Hacking your way out of Armageddon
    Bart Hopper – Avoiding the Landmines in your own Backyard
    Chris Gates and Rob Fuller – The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
    Boris Sverdlik – Your perimeter sucks
    Evan Booth – Hide yo kids, hide yo wife: Residential security  and monitoring the bottom line
    Rick Farina – Free Floating Hostility
    Jack Daniel – Surviving a Teleporter Accident (It could happen to you)
    Adrian Crenshaw – Building a Svartkast: Cheap hardware to leave behind on someone else’s network

    Had to do some work on the audio to raise the voices and lower the noise. Choke up on the mic folks. :) Next year maybe we can get some lavalier microphones.

    10/05/2011 Derbycon 2011, Day 2, Track 1 Talks Posted
    In this wave are the videos from the 2nd day of the conference that took place in track one. In this wave:

    Dennis Kuntz – Mining Sensitive Information From Images Using Command-Line OCR
    Michael Arpaia – Beat to 1337: Creating A Successful University Cyber Defense Organization
    Carlos Perez (darkoperator) – Tactical Post Exploitation
    Paul Asadoorian + John Strand: Offensive Countermeasures: Still trying to bring sexy back
    Tony Huffman (Myne-us) – When Fuzzers Miss: The no Hanging Fruit.
    Rafal Los – You’re Going to Need a Bigger Shovel – A Critical Look at Software Security Assurance
    Rick Hayes + Karthik Rangarajan – OSINT Beyond the Basics
    int0x80 (of Dual Core) – Anti-Forensics for the Louise
    Rick Redman – Tomorrow you can patch that 0day – but your users will still get you p0wn3d
    Tottenkoph – Data Mining for (Neuro) hackers

    Unfortunately, the audio buzz on Joff Thyer's "Covert Channels using IP Packet Headers" talk is pretty catastrophic. I'll look at it again, but I don't have high hopes. Also, I know some of the later videos have this audio issue as well.



    Derbycon 2011, Day 1 Talks Posted
    Remember, these are coming out in waves. In this wave are all of the videos from the first day of the conference. In this wave:

    Adrian, Dave, Martin: Welcome to DerbyCon 2011 – Intro to the con and events
    KEYNOTE ~ HD MOORE – Acoustic Intrusions
    Johnny Long – Hackers for Charity Update
    Kevin Mitnick + Dave Kennedy – Adaptive Penetration Testing
    The Penetration Testing Execution Standard (PTES) Panel
    Bruce Potter – The Details Don’t Matter
    Chris Nickerson – Compliance: An Assault on Reason
    Pat McCoy & Chris Silvers – Hook, Line and Syncer: The Liar for Hire’s Ultimate Tacklebox
    atlas – sploit me if you can
    Jason Scott – Jason Scott’s Shareware Calvacade
    Vlad Gostom & Joshua Marpet – Smile for the Grenade! Camera go Bang!

    10/03/2011 Derbycon Thank Yous
    Thanks for making Derbycon a huge successes guys. Be sure to hit up @purehate_, @dave_rel1k or myself (@irongeek_adc) for suggestions on making next year even better.  Next up for me are Hack3rcon and Skydogcon. Also, the videos from Derbycon will be coming out in waves soon. DigiP is working on the splash and title card art, and after I have that I can start rendering out the split screen versions. Thanks again.
    09/26/2011 Derbycon Area Map
    Putting this up to help attendees, speakers and sponsors find food, supplies, booze, ATMs, shipping and sites near the Derbycon hotel.
    09/25/2011 Programmable HID USB Keyboard/Mouse Dongle Library Updated
    I put up the version 0.3 of the Programmable HID USB Keyboard/Mouse Dongle Library. It should now work with newer versions of the Arduino and the Teensyduino environments.


    Defcon 19: Cipherspaces/Darknets An Overview Of Attack Strategies
    This is the talk I gave at Defcon 19, this time as recorded in front of a live studio audience (as oppose to the canned version I posted before). The canned one may be more polished, but the Defcon 19 one looks cooler. Here is the description:

    Darknets/Cipherspaces such as Tor and I2P have been covered before in great detail. Sometimes it can be hard to follow attack strategies that have been used against them as the papers written on the topic have been academic and abstract. What this talk will attempt to do is step back and give an overview of the topic in a manner hopefully more conducive to the understanding of security practitioners, giving more concrete examples. While little to nothing in this talk will be "new and groundbreaking" it should lead to a better understanding of how encrypted anonymizing networks can be subverted to reveal identities.

    09/16/2011 Pilfering Local Data: Things an Attacker Would Want to Grab with Short Term Local Access
    Here's my talk from the 2011 Nashville Infosec. This is more or less the description I sent them: "This talk will cover core items an attacker would want to locate and copy off of a Windows system, as well as what tools they would use to bypass weak security precautions like file system permissions and OS/BIOs passwords. Core date in this case would be things like stored passwords and wireless keys, but could also include network paths and the like. It will underscore the importance of physical security and hard drive encryption."
    09/13/2011 MAN Pages From BackTrack 5 R1 List
    I converted a bunch of the MAN pages from BackTrack 5 R1 into HTML. I did this for BackTrack 3 back in the day, so I figured I'd do an update for the tools in BackTrack 5 R1. I made this in a somewhat automated fashion, so please excuse the errors and dead links. It may still be helpful for those that just Google for the MAN pages.

    List Includes: acct_users, affcat, airbase-ng, aircrack-ng, airdecap-ng, airdecloak-ng, airdriver-ng, aireplay-ng, airgraph-ng, airmon-ng, airodump-ng, airolib-ng, airoscript-ng, airserv-ng, airtun-ng, amap, arping, arpspoof, bombardment, buddy-ng, bulk_extractor, capinfos, clientsconf, crunch, dc3dd, dff, dftest, dictionary, dmitry, dnsspoof, dnstracer, dsniff, dumpcap, dupemap, easside-ng, editcap, fatback, fcrackzip, fiked, filesnarf, fping, fragroute, fragrouter, fragtest genlistp, giskismetp, gpshell, greenbone-nvt-sync, gsad, gsd, gsmtprc, hashdeep, hexedit, honeyd, honeydctl, hydra, idl2wrs, ike-scan, ivstools, kismet, kismetconf, kismet_drone, kismet_droneconf, kstats, layingsiege, lspst, macchanger, macof, magicrescue, magicsort, mailsnarf, makeivs-ng, md5deep, medusa, mergecap, miredo-checkconf, miredo-server, miredo-serverconf, miredo, miredoconf, missidentify, msgsnarf, ncat, ncrack, ndiff, netdiscover, netmask, nmap, nping omp, openvas-adduser, openvas-mkcert, openvas-nasl, openvas-nvt-sync, openvas-rmuser, openvasad, openvasmd, openvassd, outlookpst, outputpbnjp, packetforge-ng, psk-crack, pst2dii, pst2ldif, pw-inspector, radclient, raddebug, radeapclient, radiusd, radiusdconf, radlast, radmin, radrelay, radrelayconf, radsqlrelay, radtest, radwatch, radwho, radzap, randpkt, rawshark, readpst, recoverjpeg, recovermov, rlm_acct_unique, rlm_always, rlm_attr_filter, rlm_attr_rewrite, rlm_chap, rlm_counter, rlm_detail, rlm_digest, rlm_expr, rlm_files, rlm_mschap, rlm_pap, rlm_passwd, rlm_policy, rlm_realm, rlm_sql, rlm_sql_log, rlm_unix safecopy, scalpel, scanpbnjp, scapy, scrounge-ntfs, sha1deep, sha256deep, siege, siege2csv, siegeconfig, sipsak, smtprc, smtpscan, sort-pictures, sshmitm, sshow, ssidsniff, ssldump, sslh, tcpdump, tcpkill, tcpnice, tcptraceroute, teredo-mire, text2pcap, thc-ipv6, tigerdeep, tkiptun-ng, traceroute, tshark, unicornscan, unlang, urlsnarf, urls_txt, users, webmitm, webspy, wesside-ng, whirlpooldeep, wireshark-filter, wireshark, xhydra, xprobe2, yersinia, zenmap
    09/12/2011 Building a Svartkast with a pretty pink Pogoplug: Cheap hardware to leave on someone else's network
    The first obvious question is what the hell is a Svartkast? Well, it’s a term I picked up from Telecomix. Before I would have just referred to it as a “drop box” (too much name collision there now), but some also call it a kamikaze box or a Blackthrow (which is English for the Swedish term Svartkast). The core idea is to have a cheap host you can leave on someone else’s network that you can remote into but that can’t easily be tied back to you. The Svartkast does this one better by using a cipher-space like Tor or I2P to further obfuscate where communications to the box are coming from (though slowing down communications of course, anonymity isn’t “free”).
    09/05/2011 Mutillidae 2.1.0 release
    Jeremy Druin has been at it again, with more upgrades to the webapp security teaching tool Mutillidae. In his words:

    Well. Its finally here for better or worse. This version of Mutillidae has nearly every vulnerability known. And they come in bulk. There is all of the OWASP Top 10 plus another ten categories at least. The documentation has been upgraded extensively including the hints and installation instructions. The menu system has been redesigned again to make it easier for users to find the exploit they want to try. Current vulns that are not OWASP top 10 have been added including click-jacking, parameter pollution, cross site framing, and arbitrary file inclusion. I ripped out the MYSQL interface and replaced it with the new object oriented version that comes with PHP 5.3.0 called MYSQLi. The "i" is supposidly for improved. I also enhanced the presentation and output on many pages. Hopefully it is enterprise grade now. My goal is for pros to use this in training developers.

    I added test scripts in the documentation folder. You might like some of them. Some are more fun than monkeys with bubble-gum.


    Curriculum Vitae added to my about page
    I've had some academics ask for it, so I decided to add my Curriculum Vitae to the about page. It's mostly teaching an presentation experience. I'll need to update it again soon since I have a lot of conferences I'm speaking/working at this fall (copied from ISDPodcast):

    Nashville Infosec
    When: Sept 15, 2011
    Where: Nashville, TN

    Louisville Infosec
    When: September 29th
    Where: Louisville, KY

    When: September 30th – October 2, 2011
    Where: Louisville, KY

    Hack3rCon 2011
    When: October 21-23rd, 2011
    Where: the Charleston House Hotel and Conference Center

    When: Nov 4th – Nov 6th
    Where: Holiday Inn Airport, Nashville, TN

    When: Nov 4th – Nov 6th
    Where: Days Inn Stadium, Nashville, TN

    Subjects to be announced later.

    08/23/2011 Louisville Infosec Discount Code
    If you registered for DerbyCon and want to go to the LouisvilleInfosec the day before email chair (at) LouisvilleInfoSec.com for a $50 off discount code.

    Security Tips For The Small Business From 70,000 Feet - Joseph Hollingsworth and Adrian Crenshaw
    A little while back Joe Hollingsworth and I were interviewed for an article in the Southern Indiana Business Source. The local Kiwanis club asked for a 25 min talk on the subject of the article, so we came up with this mandate:
    Given only 25 minutes, tell us what a small business could do to help their security posture.
    Well, it ended up being almost 40min and we did not get through all of the slides. The live video camera failed, so the audio in this video is what the laptop recorded. It may not be something most of my readers will be interested in, but it may help you present on a similar topic.

    08/09/2011 Cipherspaces/Darknets An Overview Of Attack Strategies
    This is essentially the talk I gave at Defcon 19, but I had a little more time to cover the topic in this canned video:

    Darknets/Cipherspaces such as Tor and I2P have been covered before in great detail. Sometimes it can be hard to follow attack strategies that have been used against them as the papers written on the topic have been academic and abstract. What this talk will attempt to do is step back and give an overview of the topic in a manner hopefully more conducive to the understanding of security practitioners, giving more concrete examples. While little to nothing in this talk will be "new and groundbreaking" it should lead to a better understanding of how encrypted anonymizing networks can be subverted to reveal identities.

    08/08/2011 I2P/Tor Workshop Notes Updated
    After running the I2P and Tor workshop at Defcon 19, I've decided to make some tweaks before Hack3rcon. I've fixed some typos, and now have an index:

    Places to go, data to see
    I2P eepSites
    I2P Services/Apps
    Tor Hidden Service Websites
    Tor Hidden Service IRC

    I2P Install
    Install I2P In Windows
    Install I2P in Linux (Standard Method)
    Install I2P in Linux using APT Method
    Proxy Settings for I2P

    Tor Install
    Install Tor in Windows
    Install Tor in Linux
    Proxy Settings for Tor

    I2P Tweaks
    I2P, connection and Firewall settings
    Name Service subscripts to add
    To Make I2P accessible to your network
    Run I2P as a service

    Tor Tweaks
    Tor IRC
    Specify an Exit Node in Tor
    Make Tor accessible to your network
    Run Tor as service in Windows
    To make Vidalia work again in Window after making Tor a service
    Run Tor as service in Linux (Ubuntu)
    To make Vidalia work again in Linux after making Tor a service
    Torify vs Torsock (hint:use Torsocks) in Linux

    Tor Hidden Services
    Just a simple Tor Hidden Service
    Backing up Tor Hidden Server Key

    Working with I2PTunnels
    Using the built in web server (Jetty) I2P Tunnel
    Make SSH Server and SOCKS Tunnel
    Naming and announcing your eepSite
    Encrypted Lease Set

    Other Notes

    I also plan to make videos for each of these short text guides.

    08/02/2011 I2P/Tor Workshop Notes
    These are the rough notes and recipes I'll be using in my I2P and Tor workshop at Defcon 19. It gives truncated steps to do things like host a hidden service, make an encrypted lease set, back up your eepSite and hidden service keys, etc, etc. Hope it helps.
    07/27/2011 Mini-DisplayPort on New Dells: Resolving issues with output to projectors in Windows 7
    Ok, this is not security related, but I know a lot of people who do presentations and may run into these issues when they try to use an Apple Min-DisplayPort adapter with their new Windows 7 laptop. Hope it helps.


    Hack3rcon II Call For Papers
    We all had a great time last year, so we are doing it again. Dave Kennedy (Re1ik) and myself are set to speak. The CFP is open, so submit away:
    You can also check out videos from last year's Hack3rcon.

    Ohio Information Security Forum (OISF) Anniversary Event Videos
    These are the presentations from the Ohio Information Security (OISF) Anniversary Event. The descriptions are largely Ligatted from the OISF website.

    Endpoint Security Decisions - Kurt Roemer
    Defending against XSS - Jason Montgomery
    Project Ubertooth: Building a Better Bluetooth Adapter - Michael Ossmann
    Making Windows 7 SP1 32/64bit Boot CD/DVD/USBs with Winbuilder - Adrian Crenshaw
    Cloud Computing Security - Dr. James Walden


    AIDE 2011 Conference Videos
    These are the presentations from the AIDE 2011 conference at Marshall University. We had some issues early on with the schedule not matching the talks, so descriptions are incomplete. The descriptions I do have are largely Ligatted from the AIDE website.

    Social Networks - Evan Patterson
    Who are you going to call? - Evan Patterson
    WV Crimes requiring Electronic & Digital Evidence - Philip Morrison
    Professionalism on the Witness Stand - Phillip Morrison
    Common Darknet Weaknesses - Adrian "Irongeek" Crenshaw
    Recent HIPAA/HITECH Changes - Caleb Knight
    Hacking A Mature Security Program - David "ReL1K" Kennedy



    Dual booting Winbuilder/Win7PE SE and Backtrack 5 on a USB flash drive with XBOOT
    This is a quick and dirty video to show how to make a multiboot thumbdrive with XBOOT. You can also create a multiboot CD/DVD by combining other ISOs. Operating Systems loaded on mine include: Backtrack 5, Winbuilder/Win7PE SE, DBAN, UBCD4Win, TAILS, Gparted, Ubuntu 11.04, etc.


    Upcoming Irongeek Speaking Engagements
    I figured I'd take a little time to announce a few places I'll be speaking at shortly. This is not a complete list, there are a few more I've not confirmed yet.

    AIDE: July 15th, 2011
    Cipherspaces/Darknets: An Overview Of Attack Strategies

    Ohio Information Security Forum: July 16th, 2011
    Making Windows 7 SP1 32/64bit Boot CD/DVD/USBs with Winbuilder

    Defcon/B-Sides: Aug 2-7th, 2011
    Only speaking at Defcon, but I plan to hang around B-Sides while I’m in Vegas that week.
    Talk: Cipherspaces/Darknets: An Overview Of Attack Strategies
    Workshop (in 2 parts):  "Getting up and running with I2P and Tor" & "Hosting sites as I2P eepSites and Tor hidden services"

    Louisville Infosec: Sept 29th, 2011
    As some of you know, the Louisville Infosec is happening the day before Derbycon, so if you are already in town you might as well come out. I'm running the Network King Of The Hill (NetKotH) game there, and to get more players they gave me a special reg code to get the first 15 people in for free who promise to compete in the game. The code is: koth2011
    Last year the first prize was an iPod touch, not sure what it will be this year.

    Derbycon: Sept 30th-Oct 2nd
    I'm one of the organizers for the event. Most likely I'll not be speaking (we had so many submissions for talks, and we wanted to fit in as many as possible), but I will be doing a workshop along with the other founders Dave Kennedy and Martin Bos.



    Building a boot USB, DVD or CD based on Windows 7 with WinBuilder and Win7PE SE Tutorial
    As many of you know, I’m a big fan of Bart's PeBuilder and derivative works based on it like UBDC4Win. Having a bootable USB drive or CD I can run Windows tools from just comes in hand so often for task like malware/spyware removal, system recovery and harvesting locked files for “pro bono pen-test purposes”. Unfortunately, the Bart’s PE project has not been updated in awhile, and Windows XP is getting kind of long in the tooth, so I went looking for a replacement. For those wanting to build something a little newer, check out WinBuilder.
    06/21/2011 Mutillidae 2.0.8: More vulnerable web app fun
    Jeremy Druin has been at it again. :) New changes for Mutillidae 2.0.8 include:
    • Added more comments to the code to explain how defenses work
    • Added support for the <u></u> tag to the blog. In secure mode Mutillidae will allow this tag but still safely encode output and stop XSS.
    • Added JavaScript filtering to prevent single quotes from being entered in blog entries. This give practice bypassing JavaScript "security" and helps the user understand JavaScript cannot provide security.
    • Added lots of JS filtering to login.php. Nearly all characters are filtered. Users are encouraged to understand that JavaScript and filtering are useless for security.
    • Added autofocus to login.php and add-to-blog.php
    • Added more "allowed dangerous HTML tags" to the blog. Until now only the bold HTML tag was supported. Also the output was not HTML5 compliant. For example, if the user entered a bold tag, then a bold tag was output however the bold tag is depreciated. Styles must be used. So Mutillidae allows the user to input a bold tag but will correctly encode this as a sytle upon output. The italic tag is now supported as a dangerous input which is safely output without fear of Cross Site Scripting. These defenses only operate in secure mode of course. In insecure mode, the site allows any input and simply outputs whatever is input without any encoding.
    • Changed menu for OWASP A1 - Injection to differentiate between SQL, HTML, and Command Injection. This should make it more clear which pages exhibit vulnerabilities with the specific injecton sub-types. Also added new link for Blind SQL Injection.
    • Changed menu for OWASP A2 - Cross Site Scripting to differentiate between XSS coming in via user supplied fields (GET/POST) and values within HTTP Request Headers.
    • Added tutorials feature.
    • Added SQL Injection Totorial
    • Added Cross Site Scripting tutorial
    • Added Command Injection tutorial
    • Added new feature. Hints can now be at different levels. Each time the user clicks Hints, the level increases by 1 until rolling over.
    • Removed the installation instructions from the home page. A new page for instructions is created and linked from the menu.
    • Augmented the installation instructions to include running from Samurai, creating a custom ISO, installing to XAMPP, and running in virutal machines.
    • Reformatted install instructions and main home page to be compliant with HTML 5.


    Altruism: EFF Fund Raiser / Self-interest: Help the ISDPodcast Team win!
    Largely quoted from the ISD Podcast site:
    The ISD Podcast has entered entered into a contest to see who can raise the most money for the Electronic Frontier Foundation. For those who don’t know, the EFF is a non-profit group of lawyers, policy analysts, activists, and technologists who fight for digital rights and have helped countless hackers and security researchers get out of hot water as well as exposing injustices caused by ignorant legislation and bad judgments. Please click the following link to donate to a vitally important cause:


    Please help if you can.

    Obligatory Robert A. Heinlein/Lazarus Long quote:

    'If tempted by something that feels "altruistic," examine your motives and root out that self-deception. Then, if you still want to do it, wallow in it!'

    06/04/2011 Portable Boot Devices (USB/CD/DVD): Or in Canadian, what is this all aboot?      
    This is a talk I did on making bootable USB drives/CDs/DVDs for my local ISSA. Think of it as a braindump and starting point for making your own.
    05/31/2011 Konboot from a USB flash drive files and instructions updated
    People kept complaining because my old config did not work with newer versions of Unetbootin. Changed the syslinux.cfg file since Unetbootin now uses menu.c32 instead of vesamenu.c32. Also put in a newer chain.c32 and updated the instructions. Works fine with Win 7 SP1 32bit.

    OSInt, Cyberstalking, Footprinting and Recon: Getting to know you
    The following are videos from the Footprinting/OSInt/Recon/Cyberstalking class I did up in Fort Wayne Indiana for the Northeast Indiana Chapter of ISSA. I've split the class into three videos by subtopic, and included the text from the presentation for quick linking.

    DNS, Whois and Domain Tools
    Finding general Information about an organization via the web
    Anti-social networks
    Google Hacking
    Other odds and ends

    05/22/2011 Mutillidae 2.0.7: More vulnerable web app fun
    Jeremy Druin has been at it again. :) New changes for Mutillidae 2.0.7 include:
    • Added a new page rene-magritte.php to explore click-jacking. In secure mode, Mutillidae will send the X-FRAME-OPTIONS: DENY header. In modern browsers, this will cause the browser to throw an error rather than allow the page rene-magritte.php to be framed.
    • Added a resources link to the main menu. Links are to information or tools that can help with testing Mutillidae.
    • Added new class LogHandler to take over logging. Previously logging statements has to be copied to each spot that logging was needed. With the new class, logging requires only one line of code and the logger automatically logs based on the current security level. If in insecure mode, no attempt to stop XSS or SQLi is made. With the new class, many less lines of code are needed and many more places log. With more places logging, there is a much better chance of finding a log exploit and taking advantage (insecure mode). Logging added to pages: add-to-your-blog, dns-lookup, text-file-viewer, source-viewer.php, register.php, redirectandlog.php, and user-info.php
    • Added more default users to initial setup to give more targets.


    "Cyberstalking, Footprinting and Recon: Getting to know you" class in F