On Wednesday night we’ll be playing a couple of movies in the prime dome.

Time Movies
20:00 Movie: Hackers


The Thursday talks will happen inside the prime dome.

Time Track
11:30 ToorCamp Introduction
12:00 KEYNOTE: Berit Anderson & Brett Horvath
13:00 Michael Ossmann & Dominic Spill – Hacking the CampCopter
14:00 Ben Kurtz – RatNet: Flood-Routing Middleware for Covert Channels
15:00 Topher Timzen – Reverse Engineering and Attacking .NET Applications
16:00 hex – Secret Caching in the Linux Kernel: key resolution
17:00 Richard Johnson – Go Speed Go: Trace Guided Fuzzing
18:00 Dinner



The Friday talks will happen in the prime dome.

Time Track
12:00 Jens “ryd” Muecke – Vulnerability Scanning Performance
13:00 FalconK – Fundamentals of Ruggedized Semi-Electromechanical Crossbar Emulation Switching
14:00 elfmaster – Maya’s Veil: Advances in Linux binary protection and anti-exploitation technology
15:00 Dean Pierce – : No Bugs Left Behind!
16:00 Jon McCoy – Hacking .NET/C# Applications: Runtime Hacking Memory
17:00 Robert C Seacord – C Parallel Language Extensions
18:00 Dinner



The Saturday talks will happen in the prime dome.

Time Track
12:00 Joe Grand – Activate Engineer Powers! Creating a Real-Life Creaturepod
13:00 Rob Flickenger – Resurrecting a vintage scanning electron microscope
13:30 John Brooks – Toor Tor Tour
14:00 vito genovese – Capture the Flag: An Owner’s Manual
14:30 Ian Allison – The Good the Bad and the Ugly: AWS Account Takeover with IAM Instance Roles
15:00 willscott – Packet Spoofing as a service
15:30 Pavel Kirkovsky – Green Thumbs and Black Terminals: Personal Agriculture For Geeks
16:00 Jon Sonesen – Exploiting the North American Railways
16:30 Pierce Nichols – The return of the revenge of Hackerboat
17:00 Chris Sutton – Questions and Answers about DBIUA
17:30 Lightning Talks!
18:30 Closing Remarks
19:00 Dinner


Berit Anderson

Berit Anderson is the CEO and Co-Founder of Scout, which combines near-term science fiction with reporting to cover the intersection of technology, economics, and morality.

She is the former managing editor at, a Seattle-based local news site read by 1.6 million people in the last year, where she followed environment, tech, culture, media, and politics. While there, Berit created the Community Idea Lab, a new way of doing journalism that inspires and incubates solutions to local problems. In 2015, the Community Idea Lab won the Society of Professional Journalists’ 2015 Western Washington Innovation in Journalism award.

Berit consults and partners with Strategic News Service, a predictive newsletter read by Bill Gates, Elon Musk, and Michael Dell, as well as the SNS Future in Review (FiRe) conference, which brings together C-level technology executives, world-class scientists, and Oscar-winning documentary film-makers to discuss how science and technology are reshaping our world. In 2015 she was invited to join the World Economic Forum’s Global Shaper program. Previously community manager of the Tribune Company’s Seattle blogging network, her work has appeared in YES! Magazine and on, Geekwire, and television and radio properties.

Brett Horvath

Brett is the co-founder of Scout, which combines near-term science fiction with reporting to cover the intersection of technology, economics, and morality. He is also an instigator who has worked in the realms of technology policy, interaction design, climate risk, artificial intelligence, and disaster response. Brett regularly consults with corporations, universities, political campaigns, and governments.

In 2007, Brett launched America’s first online voter registration platform, Your Revolution, which allowed voters in Washington state and Arizona to register to vote instantly from their Facebook profiles. In 2008, Brett directed Online Organizing and Social Media for T. Boone Pickens’ “Pickens Plan” campaign. He helped the campaign sign up over 1 million members in four months, and by the end of his involvement was responsible for managing a community of 1.8 million members, who in turn sent more than 8 million letters to Congress. Then-Seattle mayor Mike McGinn asked Brett to head his Government 2.0 Task Force to create strategies for innovating government and the civic process. The task force helped launch Seattle’s Code for America project.

Brett has also worked with the International Centre for Earth Simulation based in Geneva, Switzerland, working directly with founder Bob Bishop to evaluate pilot projects deploying supercomputing centers to conduct climate risk modeling. Brett is also a co-founder of Lumana Credit, a micro-finance cooperative based in Ghana.

Hacking the CampCopter

Low cost microcontrollers show up everywhere these days. Devices that once used non-programmable logic now contain turing machines, often with integrated digital radios. We’ll show you how to reprogram the microcontroller in a popular toy quadcopter, changing its behavior according to your whim.

But wait, there’s more! Many of these devices use radio control systems that are easily reverse engineered with readily available tools. We’ll show how you can use tools such as HackRF One or Ubertooth One to interface with the control system of the same quadcopter, even without modifying the firmware.

Michael Ossmann
Michael Ossmann is a wireless security researcher who makes hardware for hackers. Best known for the open source HackRF, Ubertooth, and Daisho projects, he founded Great Scott Gadgets in an effort to put exciting, new tools into the hands of innovative people.

Dominic Spill
Dominic Spill is the lead maintainer of Ubertooth and full-time malingerer.

RatNet – Flood-Routing Middleware for Covert Channels

This talk will present a novel design for an onion-routed anonymity network, designed for deployment across mesh-routed low-cost microcontrollers, regular PCs, and Android phones. This new network is more similar to FidoNet or UseNet than Tor, and can be easily embedded into a cross-compilable application.

The Tor anonymity network has problems being deployed on embedded devices and high-latency network connections. Tor’s reliance on the bidirectional socket model also leaves it open to timing correlation attacks. RatNet solves those issues by making a drastically different set of design assumptions.

We need some peer review! If you’re the sort that loves picking apart other people’s attempts to use crypto, this is the talk for you!

Ben Kurtz
I am old enough to remember FidoNet.

Reverse Engineering and Attacking .NET Applications

This talk will demonstrate reverse engineering and attacking .NET applications. I will start by discussing reverse engineering as it pertains to .NET and show how to get a glimpse into a binaries code base. Moving forward I will show how to modify running applications with advanced .NET and assembly level attacks using open source tools I developed. By discussing internal framework structures you will leave understanding why and how these attacks work. You will also be able to implement defense and attack scenarios in test cases.

You will leave with an overview of how to use reverse engineering to discover weaknesses in .NET applications and how to leverage those as an attacker.

Topher Timzen
Topher Timzen has had a research emphasis on reverse engineering malware, incident response and exploit development. He has instructed college courses in malware analysis and memory forensics. Currently a Security Researcher at Intel Topher is working with the dark insides of hardware and has presented past research at DEF CON, BsidesPDX and SecTor.

Secret Caching in the Linux Kernel: key resolution

Within the Linux Kernel there’s a secret caching service. The construction of this service allows for some interesting behavior that can be used to improve the security of many applications. This talk will cover how to use keyctl, how to write “key resolvers”, and some interesting things you can do with these.

This talk also touches on a solution to a problem that has plagued the Linux world for years: secure key storage on Linux.

At some point in the past I was born. This event was a major factor in the direction of my life. I’ve been doing things ever since. Most recently I wrote a brief bio.

Go Speed Go: Trace Guided Fuzzing

The past few years have seen a leap in fuzzing technology. The original paradigm established a decade ago resulted in two widely deployed approaches to fuzzing: sample based mutation and model based generation. Thanks to ever-increasing computational performance and better engineering, newer guided fuzzing approaches have proven to be supremely effective with a low cost of deployment. This talk will explore a few different approaches to guided fuzzing through dynamic analysis including code coverage analysis, constraint solving, and sampling/profiling based feedback mechanisms.

Novel contributions in this talk include:

- Opensource Windows Driver enabling Intel “Processor Trace”
- DBI based tracing engine for Windows/Linux/OSX binaries
- American Fuzzy Lop with full support for Windows binary targets

Richard Johnson
Richard Johnson is a computer security specialist with a focus on software vulnerability analysis. Currently the Research Manager of Talos Group for Cisco, Richard offers 15 years of expertise and leadership in the software security industry. Current responsibilities include research and development of advanced fuzzing and crash analysis technologies facilitating the automation of the vulnerability triage and discovery process. Richard has presented annually at top-tier industry conferences worldwide for over a decade and was co-founder of the Uninformed Journal.

Vulnerability Scanning Performance

Network Scanning for Mapping and indetifying Vulnerabilities is a time-consuming affair. While there is a tool for everything, it’s a hard job for pentesters to focus on truly testing. Customers often don’t understand their own network and running automated tools in corporate networks is a delicate situation without interference or interruption of any systems. Reports always have to be done yesterday, and in no time. This talk goes into performance of network mapping, vulnerability scanning automatisation and improvement of results for large scale networks.

Jens “ryd” Muecke
Jens is a German hacker living in Beirut, Lebanon. He’s a co-founder of the attraktor hackerspace in Hamburg, Germany as well as one of the founders of KRYPTON Security, an information security comapny based out of the middle-east. He’s also a member of the Chaos Computer Club (CCC), and a conferance speaker. In his spare time, Jens builds things with micro-controllers and travels to hackerspaces and interacts with different communities around the globe. He also has a special place in his heart for Seattle, having lived there for many months.

Fundamentals of Ruggedized Semi-Electromechanical Crossbar Emulation Switching

Shadytel network engineers explain the principals of operation and design of a new generation of cost-focused PSTN switching technology, and discuss its performance in hostile environments.

FalconK, Shadytel
FalconK is a Shadytel tactical lineman (and a security consultant at Leviathan).

Maya’s Veil: Advances in Linux binary protection and anti-exploitation technology

Maya’s Veil is a binary protector that I designed for ELF binaries. It is a combination between anti-tamper and anti-exploitation. Imagine being able to instrument any program you want with an intelligent runtime engine who’s sole purpose it is to dynamically arm the program against reverse engineering and exploitation. This is what Maya’s Veil does, with features such as on the fly function decrypt/re-encrypt, encrypted heap implementation, advanced anti-debugging, protection against code injection, and binary instrumented control flow integrity that prevents ROP attacks. In short, Maya is possibly the most advanced userland binary protector for Linux.

Ryan O’Neill (elfmaster) is a computer security researcher at Leviathan Security Group with a strong interest in researching many areas of computer security including binary protection, exploitation mitigation, and memory forensics. These interests have all led to research and development efforts, some of which can be found on : No Bugs Left Behind! is a community driven program with the singular goal of proving a minimal baseline incentive for people to report the bugs that are currently flying under the radar. Come learn about the history of bug bounties and bug markets, the existing gaps, and what we have been working on to close them.

Dean Pierce
Dean Pierce is a security researcher in Portland Oregon. In his 15+ years in the information security community he has worked towards diminishing infosec disparity and increasing consumer confidence in the security of emerging technologies.

Hacking .NET/C# Applications: Runtime Hacking Memory

This talk will cover hacking .NET Framework applications and how to rapidly bend applications and malware to do as you wish.

This will focus on executing BlackBox security reviews and putting back doors in applications.

This should be understandable by the average programmer, and be repeatable by a average .NET/C# developer. The tools we produce and use are all free and open.

Jon McCoy/DigitalBodyGuard
I focus on Hacking .NET applications both on disk to in memory. With a background in Software Engineering I am responsible for building defensible software systems.
I have released a number of innovate tools/techniques focused on .NET application security.

From BlackBox security reviews to securer application design and defense, I get my hands dirty with the day-to-day implementation of security solutions.

C Language Parallel Extensions

Cilk Plus and OpenMP are parallel language extensions for the C and C++ programming languages. The CPLEX Study Group of the ISO/IEC C Standards Committee is developing a proposal for a parallel programming extension to C that combines ideas from Cilk Plus and OpenMP. We conducted a preliminary comparison of Cilk Plus and OpenMP in a master’s level course on security to evaluate the design tradeoffs in the usability and security of these two approaches. The eventual goal is to inform decision-making within the committee. We
found several usability problems worthy of further investigation based on student performance, including declaring and using reductions, multi-line compiler directives, and the understandability of task assignment to threads.

Robert C Seacord
Robert is a Principal Security Consultant with NCC Group where he works with software developers and software development organizations to eliminate vulnerabilities resulting from coding errors before they are deployed. Previously, Robert led the secure coding initiative in the CERT Division of Carnegie Mellon University’s Software Engineering Institute (SEI). Robert is also an adjunct professor in the School of Computer Science and the Information Networking Institute at Carnegie Mellon University. Robert is the author of six books, including The CERT C Coding Standard, Second Edition (Addison-Wesley, 2014) Secure Coding in C and C++, Second Edition (Addison-Wesley, 2013), and Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs (Addison-Wesley, 2014). Robert is on the Advisory Board for the Linux Foundation and an expert on the ISO/IEC JTC1/SC22/WG14 international standardization working group for the C programming language.

Activate Engineer Powers! Creating a Real-Life Creaturepod

What happens when your kids have an idea for a project? Help them turn it into reality! In this presentation, Joe details the design, testing, and building of the Creaturepod, a walkie talkie based on the fictional Creaturepod from the popular children’s television show, Wild Kratts. The project came to life with an Arduino, LCD, ham radio transceiver, and a host of other components. His kids, aged 3 and 7, were involved in every step along the way and learned that while engineering can be hard (and sometimes boring), creating a project from scratch is exciting and rewarding.

Joe Grand
Joe Grand (@joegrand) is a hardware hacker, product designer, runner, daddy, and washed-up TV host.

Resurrecting a vintage scanning electron microscope

In 2014 I acquired a defunct and decommissioned FEG scanning electron microscope manufactured in the early 1980s. This is the story of its glorious resurrection.

From repair of analog circuit boards covered in mouse urine to capturing megapixel images with an audio card, enjoy this epic tale of sub-nanometer hackery.

Rob Flickenger
Bioinformatics hacker, lightning enthusiast, and aspiring mad scientist.

Toor Tor Tour

Tor is a critical piece of infrastructure for online privacy, anonymity, and censorship circumvention. From new applications designed for Tor to upgraded hidden services, the tor project is building exciting new tools to preserve the world’s privacy.

This talk will cover the technical progress on and around Tor and our efforts to fight back against attacks on the network, our users, and our values.

Beyond just writing software, the Tor Project is a community doing incredible work for human rights around the world. I’ll share my experience in joining this community, and how everyone can join us to preserve privacy online.

John Brooks (special)
John is a Tor core developer working on next-generation hidden services, and the developer of Ricochet, a metadata-resistant messaging system built on Tor hidden services.

Capture the Flag: An Owner’s Manual

Capture the Flag is a genre of hacking competitions that turn vulnerability research into a real-time multiplayer game between teams of experts. Competing in a CTF is extremely challenging and demanding, and organizing one immediately presents a greater challenge: how do you run a competition for clever and creative computer hackers that love nothing more than breaking rules, voiding assumptions, and infiltrating infrastructure? It’s complicated.

This talk explores what it takes to build a team, design principles for a fun contest, the art of starting on time, and keeping momentum for successive contests. We’ll also be looking at the differences between CTF organizing teams, CTF competing teams, and modern commercial devops teams, and some of the common ways all these teams mature, grow, and change over time.

vito genovese
Vito Genovese is a founding member of Legitimate Business Syndicate, organizers of DEF CON Capture the Flag starting in 2013. Vito’s work includes building infrastructure for distributed software development, designing and building both cloud-based and on-site scoring systems for cybersecurity games, visual design and branding of competition materials, picking fonts, sourcing coffee and other beverages, and writing public material for the Legitimate Business Syndicate blog and Twitter accounts.

The Good the Bad and the Ugly: AWS Account Takeover via IAM Instance Roles

Over the past year and a half I have been able to get to know Amazon Web Services (AWS) through the eyes of an attacker. Red teaming AWS accounts has become both a learning experience as well as a deep dive into the Identity and Access Management (IAM) aspects of AWS. AWS IAM is an awesome tool that can help make your account and instances more secure. However, when used without granularity and thought the use of IAM instance profiles can lead to a full AWS account compromise. This talk will focus on the offensive side of IAM hacking and show how AWS instances with bad IAM roles can lead to a full AWS account takeover. I’ll go over some of the good, bad and ugly things that can be done with AWS IAM and demonstrate a full AWS account takeover through overly permissive AWS IAM permissions.

Ian Allison/evade
Ian has been working in the offensive security field for longer than he wants to admit. When he’s not helping put up the Mega Dome at Toorcamp he likes to do infosec research, play with his kids and help further the work of DevSecOps.

Packet Spoofing as a service

The talk will start with the design of SP^3 (, a system that opens up the ability to spoof packets – to send traffic on the Internet that appears to come from a different source. From there, it will explore some of potential of this capability: You can use the ability to send data from arbitrary sources to design protocols that are much harder to surveil or learn active participants. You can also use them to make TCP connections between NAT’ed devices almost possible / practical, and to check routing policy of your network. Apart from these mechanisms, I’ll talk about the concerns that have existing around spoofing, and how SP^3 was designed to make it more accessible while mitigating the potential for DDOS and malicious traffic using the mechanism.

I am a fifth year graduate student in the networks lab at the University of Washington. I’ve also spent time over the last three years teaching computer science in Pyongyang.

My research centers on how to make a more resilient web, through working with in-browser peer-to-peer and caching, and applying operating systems lessons to web frameworks.

I’m a Seattle native, taught skiing for a few years, speak some Chinese, and enjoy playing with fire.

Green Thumbs and Black Terminals: Personal Agriculture For Geeks

Want to grow your own food? Live in an apartment or have a tiny yard? Have trouble keeping houseplants alive? Concerned about monoculture and unsustainable agribusiness?

In this talk we’ll cover the basics of hydroponics, aquaponics, system maintenance & automation, and how small-scale personal agriculture can help the environment and support food sovereignty.

Pavel Kirkovsky
Pavel is a collector of hobbies, ranging from vintage synthesizers to nuclear physics to pottery.

Exploiting The North American Railways

With over 139,679 route-miles of railway in the United States alone there are many ways to gain free transport, and even supplies from workers on these railways. I will explain the basics of exploiting this system to get around for free.

Jon Sonesen / Little John
I am new to software engineering professionally. At 24 I have travelled all of the lower 48 US states as well as most of the Canadian provinces by freight train in lieu of attending high school. I like punk rock, infosec, mountains, and software engineering.

The return of the revenge of Hackerboat

Hackerboat is an ongoing project to build an autonomous boat capable of circumnavigating the globe. Last Toorcamp, we did an unsuccessful ocean test. We’re back to talk about what we’ve learned and the current state of the project and our future plans. We’ll be doing some day-long autonomous trips during Toorcamp.

Pierce Nichols
I build things. Sometimes they’re interesting.

Questions and answers about dbiua

A brief intro about dbiua and the opportunity to “ask anything” about out member isp.

Chris Sutton
Founder of dbiua.

Lightning Talks!

Here’s a list of the submitted 5 minute talks. If you want to give a lightning talk, please just show up with a laptop and we’ll do what we can to let you show what you’ve been working on.

The woodgas adventure

Did you know you can run an engine on wood? Starting with plans from FEMA and wanting to stay one step of the zombie apocalypse, this talk will describe the adventures of creating a practical wood gas generator out of stuff you can find at your local hardware store and use only commonly available hand tools. We will be building from scratch v3 of this woodgas generator design at Toorcamp.

Franklin Hu
Franklin Hu is a mid mannered software engineer by day, but by night becomes a mad scientist fighting scientific dogma where ever it may occur. He loves to tinker and build, creating practical inventions which are simpler and less expensive than anything else out there.

Hello Darkness, My Old Friend

Most of us live in parts of the world that are inundated with light pollution (excessive light sources). It affects natural ecosystems, our sleep cycles, and our view of the night sky. This talk will briefly go over why it happens, what the effects are, and offer ways we can mitigate this (both for ourselves and more broadly). For extra effect, maybe ToorCamp will go dark for a few hours, then we can all look up and see what we’ve been missing.

Luke Gotszling
I’m the founder of, we’re creating AI that replies to your emails. Growing up, I’ve always liked to take things apart to see how they work, and even sometimes successfully put them back together. I like to dabble in new technologies and computer security. I’m currently training for my tenth half-marathon and looking forward to my second ToorCamp.