pre-release: purplecon meeting announcement

Please take a moment to review your details and reply with OK or edits.
Subject and below is what will go out and also will be used to title the videos.

Subject: 
ANN: purplecon at Plenary Room Wed October 16, 9:20p


purplecon
=========================
When: 9:20 AM Wednesday October 16, 2019
Where: Plenary Room

None

Topics
------
1. opening ritual


(Needs description.) 
 recording release: yes license: CC BY-SA  

2. how to human in groups [keynote]
sauramaia

if you’ve ever tried to convince your high school friends that being racist is kinda terrible, or your work friends that they should use a password manager, this talk is for you. 

changing people’s minds is hard. each group has its own version of what’s normal. this talk is about how to work with the brain tools we’ve got to make the computer tools we want.
 recording release: yes license: CC BY-SA  

3. iam confused: a deep dive into how permissions work [keynote]
sera

One of the hardest things to understand in the world of cloud computing has to be IAM - What is a role? What is a policy? How do I keep my engineers away from production systems? How do? The aim of this talk is to try and give some practical examples to help security teams understand whats going on, and how to use this to keep their infrastructure running smoothly and safely.
 recording release: yes license: CC BY-SA  

4. embracing empathy [keynote]
shahn harris

"Empathy is a personality trait which is not often discussed in the world of InfoSec. In an industry with highly authoritative technical personalities, curious technical explorers and fully transparent decision makers empathy is the odd one out, why care about what other people think or feel when you have the mandate to enforce policy/solutions/architecture/technology as you have funding and ""because security"".

In this talk I will take you through how in my now near 20-year career predominately in the enterprise space I have tried to be anything BUT empathetic, the feeling of impostor syndrome I carried around for years as the way I worked and achieved results was not covered by any conference talks/certs/training/industry groups. And how through necessity I went from realizing that while my approach to InfoSec had always been classed as ""pragmatic"" it was empathetic. And that Empathy worked wonders in the most trying time of my career."
 recording release: yes license: CC BY-SA  

5. *banging fists on table* state machines state machines [keynote]
william

Writing software is hard. Really hard. Almost impossible one would say. We can see this from . As we all are walking talking fleshy bug emitting machines that sometimes emit good code as a lucky side effect, we need all the help we can get to increase this luck factor. 

State machines help us to reason about our programs, how they work, how they wont work, and why they didn't work - and from there, how we can design programs to never fail at all. There are state machines all around us. Let me show you how we can use them in code for security and robustness.

Area and assumed knowledge:
Area - Secure software development. 
Assumptions - Some programming knowledge, but demos will be in Rust and C. I will not use advanced or tricky code for any demo to make it as accessible as possible.
 recording release: yes license: CC BY-SA  

6. against lies, h*cking lies [keynote]
anton black

did you know that the more blue teamers are sent to handle a security incident, the worse that incident will be?

using science and statistics to make decisions about how you run security is a great idea - 𝘪𝘧 you can interpret and represent your data accurately. but statistics is rife with potential pitfalls that can lead you to all kinds of false conclusions.

with some help from planet earth's own blue team, we'll learn how to recognize and work around these problems to not only use your own data for good, but to also catch flawed analyses when you see them around you.
 recording release: yes license: CC BY-SA  

7. choose your own adventure: password reset [keynote]
moss

You build or are part of a team that has a thing on the web that does stuff for people. And those people would appreciate it if other people couldn't pretend to be them on your website doing their secret squirrel stuff.

So, you decide to have people login in with a password. It'd be mighty nice of you to give people a way to recover their accounts when they misplace their passwords.

Password reset flows are a choose your own adventure where the players just  want to be able to secret squirrel again, and if you're in charge of one let's learn about some game overs everyone would like to avoid.
 recording release: yes license: CC BY-SA  

8. deploying kubernetes safer(ish) [keynote]
james

Sometimes evil conglomerates, large companies and/or totally regular and normal individuals prefer to run Kubernetes themselves, instead of using a public cloud provider - perhaps they don't trust the InterGoogles, perhaps they want to experience the incessant joys of maintenance and upgrades themselves, or perhaps (THE REAL REASON) they wanted to justify their sweet, sweet devops stickers on their laptop.

Sure, not trusting someone else's computer make sense in some threat models, the (sometimes overly-enthusiastic) DIY approach does mean they open themselves up to a whole host of other problems - Google probably does know how to deploy, manage and secure Kubernetes better than anyone else, since they kinda built it. They've probably even got better stickers.

Unfortunately, setting it up is HARD. There's so many moving parts and the vaguely dodgy how-to posts on random blogs always seem to be a few versions behind - AND they feel like they get away with it by saying “Definitely probably don't do this in production, but it's totally fine to do for testing, what's the worst that could happen?*""

This talk will take you through some of the parts of the kubernetes setup that are commonly ignored (“oh yeah we’ll definitely $100% get to that later”), or excluded from scripts you piped from curl to bash, or are pretty easy to accidentally get wrong if you didn’t know about this other thing that wasn’t made immediately obvious. If you’re an auditor, these are your super tasty critical severity fairy-bread tickets. If you’re a defender, these are the things that differentiate your totally awesome cluster of orchestrated hotness from a totally awesome cluster of orchestrated hot mess. If you’re an attacker who’s popped a shell and found themselves trapped in a container of emotions, these are the things that make you have a big sad when they’re done right.
 recording release: yes license: CC BY-SA  

9. a novice red teamer's guide to self help [keynote]
bl3ep

advice and learnings from a newbie's first year: how to get better hacking yourself, hacking others, and defence against the se arts.
 recording release: no  

10. to identity and beyond! [keynote]
ben dechrai

"It's unusual to develop applications that have no identity requirements nowadays. Whether it's securing access to resources, synchronising data between devices, or providing a customised experience, any new project will soon need that login form.

While you might start out with a simple login form and a backend user directory, these soon grow into their own beasts, when requirements call for multi-factor authentication, or machine-to-machine authorisation functionality.

These requirements and associated maintenance costs are often at odds with the desire to focus on building new features that actually bring your users value, or fixing bugs that currently bring them pain.

In this talk, you will learn about OAuth, OpenID Connect, and JSON Web Tokens; where they came from, how they work, and how they can simplify your projects, from single-page apps to the APIs that drive them, and everything in between.
 recording release: yes license: CC BY-SA  

11. risk management without slowing down [keynote]
mikala easte

Most organisations start out relying on people and their expertise when making decisions, but this doesn't scale well and leads to bottlenecks and pain. Larger corporates rely on processes, controls and systems, but these can overwhelm smaller companies. I'd like to share some thoughts on how to set up lightweight risk management processes to empower teams to make informed decisions and not just rely on what the security person thinks of it.
 recording release: yes license: CC BY-SA  

12. incident response drills: how to play games and get good [keynote]
kirk

Computers are exceptionally good at taking instructions and making very fast, very precise mistakes very reliably. Humans are conceptually similar but interpret their inputs and decide on courses of action based on experience. 

Preperation and rehearsal for messy, no-notice events that are definitely (hopefuly) not business  as usual makes us more chill for when something (production) does go down due to novel (gremlins) issues. Incident Responders should practice for sensitive and time-critical events before they happen so they are able to return things to a safe and stable state with grace and aplomb.

This talk is for team leaders or security program owners interested in the craft of using incident response exercises to develop their people. We will learn how these synthetic experiences can be devised against specific environments and standards with measurable outcomes. Finally we will cover ways to easily scale difficulty and iteratively improve your exercise program.
 recording release: yes license: CC BY-SA  

13. an introduction to ghidra [keynote]
helen

So the NSA made its internal reverse engineering toolkit open source in early 2019, which means everyone now has access to a THING for FREE. Sure... it has dark mode. A five minute overview on getting started for the overwhelmed and/or the lazy.
 recording release: yes license: CC BY-SA  

14. protecting people from social media harassment [keynote]
tom eastman

In some ways, Twitter seems like it was designed from the ground up to be the perfect tool for harassment. Twitter’s own mechanisms that are supposed to protect users sometimes seem to be pretty inadequate to the task.

So I decided to make a few of my own.

Along the way, I got to grapple with some interesting challenges, including and especially how to build a tool safe enough for use by people who have been threatened online.

In this talk I explore risks you have to consider, how you mitigate them, and the ethics of the decisions you end up making.
 recording release: yes license: CC BY-SA  

15. face your fearful foes to dodge a dark and dreary phishy fate [keynote]
brendan shaklovitz

after a short stint with the malicious masterminds of our red team, i've seen the terrifying tactics that real attackers could use against you. it's dirty, underhanded, and quite brilliant, and it's only fair that we level the playing field a bit by sharing some of our secrets.

in this talk we'll skip past basic tech-support scams and talk about lovingly hand-crafted ""spear phishing"" campaigns specifically targeting individuals based on publicly available information. who knew your gaming habits would be your downfall?

and finally we'll talk about some things you can do to really ruin a fledgeling evil mastermind's day, and repurposing some strategies learned from a career in site reliability engineering to help create a psychologically safe environment where people aren't afraid to tell you when they make mistakes.
 recording release: yes license: CC BY-SA  

16. security confessions of a small country [keynote]
laura bell

We live in a small country. While geographically we're not a pip squeek, in terms of population we're really rather adorable. So how does being a small country affect our approach to security and how can we learn to love our little island thinking and use it as a superpower.
 recording release: yes license: CC BY-SA  

17. closing ritual


(Needs description.) 
 recording release: yes license: CC BY-SA  



Location
--------
Plenary Room


About the group
---------------