BruCon 2011 Lightning Talk winner slides, experience and some pics

I would like to use this opportunity to thank everybody that voted my lightning talk “Web app testing without attack traffic” as the “BruCon 2011 Lightning Talk winner”.

I only had 5 minutes so I had to take out many things I wanted to cover, for this reason, I have significantly expanded this talk (106 slides + good feedback from reviewers so far) and submitted it to BerlinSides.

The slides I used for BruCon are now posted here (I only changed the website URL to the new one).

I did not even know the Lightning Talks part of the conference was also a contest and was surpised you chose mine over internationally well-known speakers and many great projects and ideas that were also presented (and I really liked myself!):

– “Metasploit shellbag information gathering module” by Jason Haddix
– “Impersonating SSL” – SSL interception tool via “plausible invalid cert” by Chris John Riley.
– “Do not fear crypto” (TYPO3 vuln walk-through) by Chris John Riley
– “Digital death – a very quick version” by Robin Wood
– “Honeymail project” to track spam by Tomasz Miklas:
– “Last year it was remote, now it’s local!” by Wicked Clown (on windows priv escalation vuln)
– “Ostinato” (a packet capture / crafter) by Joke:
– Joke gave another talk the following day too! (Chris John Riley and her were the only -I think- to give 2 talks, you rock!)
– “How (not) to pick up chicks at the BruCON Party” by Melisande
– “How to suck less at …SQUIRRELS” by Matt Erasmus
– biosshadow presented too but I forgot the talk name, I think it was about password profiling
– “Bypassing endpoint protection” by Matt Summers
(Sorry if I forgot someone, it’s been a while since September!)

 From the BruCon 2011 security conference itself, I was waiting for the pictures and video to do one of my “all out, pictures or it did not happen” security conference blog posts but no conference pictures were published and most of the video was lost unfortunately.

I will briefly say that for me, personally, the best talk/workshop of the conference was undoubtedly:
“The Web Application Hacking Toolchain” by Jason Haddix

In my opinion, many (but not all) of the other talks were too “high level”, Jason Haddix provided something practical that we can apply directly and explained his reasoning along the way. This is the kind of information sharing we need to do more of in the infosec community.

Thanks for the pic bioshadow!

Despite what I just said, the following non-technical talk was highly inspirational to me:
“You and your research” by Haroon Meer

From the rest, one of the best was obviously Dan Kaminski with “Black Ops of TCP/IP 2011” and also Alex Hutton with “Why Information Risk Management Is Failing, Why That Matters to Security & What You Can Do About It” you can see a picture of them enjoying a Mojito here:
Thank you to the person that tweeted this :). Was it you Marisa?

Jimmy had an awesome T-shirt everyday:
Thanks for pic Tomasz!

And I found everybody very approachable and nice during the 1st but also the 2nd day after party:
Thanks for the pic Marc!

I was also impressed by the Mobile phones talk: “Smart Phones – The Weak Link in the Security Chain” by Nick Walker and Werner Nel. This was really good research and definitely a lot of work.

There were many other great talks and I also specially liked Chris Gates and Joe McCray with “Pentesting High Security Environments” and “Abusing Locality in Shared Web Hosting” by Nick Nikiforakis.

As usual I could not physically attend everything but from what I attended, that was the best in my opinion.

A full list of what each talk was about can be found here: