We have a wonderful list of speakers this year! Their names, talk titles and times are listed below.

| Speaker | Talk Title | Time |
|---|---|---|
| Parker Seaman | Opening Remarks | 9:50 |
| Aidan Raney | Key Insights From Infiltrating a North Korean ITW Cell | 10:00 |
| Liam Powell | Click, Paste, Compromise: Unpacking ClickFix | 11:05 |
| Matt Evans | Thrift Store CTFs: Disregard Labs, Publish CVEs | 11:40 |
| | Lunch Break | 12:15 |
| Marie Fromm | Modern Cryptography in Practice: Systems, Hardware, and the Post-Quantum Shift, including how you can explore cryptographic interfaces and Post-Quantum Tooling on a Budget. | 1:15 |
| Katy W | Cyber Security Awareness Training and Human Risk | 1:50 |
| Aviral Srivastava | ROP Alchemy: Crafting Universal Gadgets for Arbitrary Code Execution via Type Confusion and Control Flow Bending (recording) | 2:25 |
| Chase Peterson | Lava Cakes, Anyone? | 3:00 |
| Ann Petersen | Advocacy Research Group | 3:35 |
| Steven Gingras | The state of data privacy laws in 2025 | 4:10 |
| BSides Team | Closing Remarks | 4:45 |

Lunch Options

There are a few options in the area for lunch and refreshments, such as FRGMNT coffee, Clay Oven, Sarpino’s Pizzeria, Spice and Tonic, Kindee Thai, Zen Box Izakaya and Sawatdee.

Talk Abstracts

Key Insights From Infiltrating a North Korean ITW Cell – Presenting on my infiltration of a DPRK ITW farm. The ITW threat is widespread and poses grave risks to supply chain security. The audience should be aware of the threat and this presentation will do that, but it will also tell them how to mitigate it and provide key IoCs and information for detecting it in the wild. It also includes footage and content about my infiltration and about North Koreans that keeps the presentation light and entertaining while still providing vital technical information.

Click, Paste, Compromise: Unpacking ClickFix – ClickFix is a sophisticated malware delivery technique that leverages social engineering to trick users into executing malicious commands via the Windows Run dialog. Threat actors compromise vulnerable websites or stand up malicious domains mimicking services like Cloudflare or reCAPTCHA. Upon visiting these pages, users are presented with instructions to utilize the Windows Run dialog to execute malicious code. In recent months, ClickFix has undergone significant development and expansion, transitioning from Windows-specific targeting to also targeting macOS and Linux. This talk focuses on the origins and evolution of ClickFix, from first observed activity to recent incidents. Primarily, this talk will utilize real incidents observed in enterprise environments, detailing the successes and failures of enterprise security tools in identifying and responding to ClickFix-related incidents. Attendees will gain exposure to various ClickFix techniques, payloads, and real-world infections. They will also learn practical methods of identifying and remediating ClickFix incidents.

Thrift Store CTFs: Disregard Labs, Publish CVEs – “The S in IoT stands for security” – learn how to prove it. This talk argues for replacing virtual labs and manufactured scenarios with something tangible: cheap IoT devices. These low-cost gadgets are riddled with real vulnerabilities just waiting to be found, and no one’s going to reset your target halfway through your exploit chain.

You’ll get the workflow I used to turn a couple of impulse buys into 20 published CVEs in under a year, a list of core technical skills needed to begin interrogating these devices, and a rogues’ gallery of pitfalls and vulnerabilities I’ve discovered from my thrift store hauls.

By the end, you’ll walk away with a roadmap for transforming second-hand electronics into professional credibility in offensive security and vulnerability research.

Modern Cryptography in Practice: Systems, Hardware, and the Post-Quantum Shift, including how you can explore cryptographic interfaces and Post-Quantum Tooling on a Budget – In an era of increasing digital threats, cryptographic systems must balance performance, usability, and unrelenting security. This session offers a pragmatic overview of the cryptographic mechanisms and systems in active deployment today. We’ll discuss foundational design principles, software libraries, cryptographic HSMs (Hardware Security Modules), cryptographic interfaces, enclave integration, and other hardware-backed key protection strategies. We’ll also confront the quantum horizon, examining current vulnerabilities, NIST’s standardization efforts, and practical barriers to adopting post-quantum cryptography across platforms and ecosystems. While most hobbyists won’t have access to an expensive six-figure cryptographic HSM, we’ll explore creative ways to experiment with similar cryptographic interfaces – post-quantum algorithms included – using inexpensive hardware and open-source tooling. Advanced concepts, made accessible to the curious.

Cybersecurity – The Least Professionalized Profession – Cybersecurity, despite its rapid growth into a multibillion-dollar industry, faces a critical challenge: a pervasive lack of professionalization that hinders its effectiveness. This talk posits that the industry often mirrors a medical scenario where “solutions” are abundant but frequently fail to address the core “disease” or underlying business risk. This results in a landscape flooded with undifferentiated products and a persistent, perilous gap in understanding between technical teams and business leadership. To evolve, cybersecurity must embrace a new paradigm of discipline and a commitment to understand the fundamental problem before proposing solutions. A shift towards continuous innovation and validated learning will enable more effective risk mitigation and prioritize implementation. By doing so, cybersecurity can transition from a reactive, solution-driven approach to a proactive, professionalized discipline that genuinely transforms risk into a strategic advantage for organizations.

Lava Cakes, Anyone? – Can you make lava cakes at home? Yes, but can you make lava cakes at home with only some brownie mix, ice cream and pudding mix? Possibly, but you need an advanced degree in hackery with a reckless disregard for your own safety if you’re going to engineer something of this magnitude. Join us as we take an in-depth look at what makes a lava cake a lava cake, and what kinds of gastronomic alchemy we will need to barter with to create a lava cake that’s as much party trick to make as it is to eat.

The State of Data Privacy Laws in 2025 – With the United States’s current legal and political upheaval and changing international landscape, individual data privacy rights may seem like they are getting lost in the shuffle. But what is the state of data privacy in 2025? This quick 30-minute update looks at the state of data privacy laws in the United States and around the world to see how governments are handling individual privacy as the second half of the decade starts.

Advocacy Research Group – Advocacy Research Group is focused on supporting undervalued research and researchers for human rights. Since the work is sensitive in nature, we are on some high security! Together the architect and I developed a way to support this research and these researchers and are publishing their work ASAP in the form of white papers either anonymously or with given consent. I am in the cybersecurity field and a former teacher and I share my journey of education and hands on learning. This talk is inspirational with a call to action for identifying and securing sensitive data. Please feel free to reach out for more information 🙂

