applied security conferences and training: CanSecWest | PacSec | EUSecWest | BA-Con

CanSecWest 2010

The eleventh annual CanSecWest conference will be held March 24-26, 2010, with Dojo training on March 22 and 23, at the Sheraton Wall Centre hotel in downtown Vancouver, British Columbia.

Interact with the security community

CanSecWest, the world's most advanced conference focusing on applied digital security, is about bringing the industry luminaries together in a relaxed environment which promotes collaboration and social networking. The conference lasts for three days and features a single track of thought-provoking presentations, each prepared by an experienced professional and talented educator who is at the cutting edge of his or her field. We give preference to new and innovative material, highlighting important, emergent technologies, techniques, or best industry practices.

The conference is single track, with one-hour presentations throughout, beginning at 9:00 a.m. The registration fee includes the catered meals, and there will be a vendor display and lounge/eating area, where wireless internet access will be available (as well as in the speaking theater). The conference discount hotel room booking system can be found here.

2009-10-01-01:00:00 CFP 2010 is open

The Call For Papers for CanSecWest 2010, on March 22-26, is now open. The submission deadline is November 30th, 2009. We have a new online submissions system that will be available soon. Watch for notices here regarding its availability.

2009-03-26-15:54:00 Slides Online

Slides are being posted here.

2009-03-18-01:00:00 PWN2OWN Final Rules

Well, after much discussion and deliberation, here is the final cut at scenarios for the PWN2OWN competitions.

Browsers and Associated Test Platform

Vaio - Windows 7


Day 1: Default install, no additional plugins. User goes to link.
Day 2: Flash, Java, .NET, QuickTime. User goes to link.
Day 3: Popular apps such as Acrobat Reader ... User goes to link.

What is owned? - code execution within context of application

Phones (and associated test platform)

Day 1 (Raw functionality out of the box, users configured for service) post phone, post email

Day 2

Day 3

What is owned? Must demonstrate...


2009-03-11-24:00:00 CanSecWest 10th Anniversary Party

The celebration of our tenth year and the social event for the conference will be held on Thursday March 19th. It will be the highest altitude congregation of computer researchers yet... at 11,000' elevation - it will be held at Grouse Mountain Chalet. After the lightning talks, buses will be leaving every 30 minutes (starting at 19:00) from the Sheraton Wall Centre to take people up to the Grouse Gondola Base Station, where the gondolas leave every 15 min (capacity 100) for the 8 minute ride pretty much straight up. Sunset that day should be at 19:22, which leaves a pretty spectacular view overlooking the city, the ocean, Vancouver Island, and the sunset if it is a clear day. The buses will use the same schedule on return and the Chalet will be open until 12:30. Tickets are limited. DJs T.B.A.

We are also happy to announce that our Chinese speaker "icbm" was approved for his Canadian entry visa on his second application, so he will be available to give us his fascinating overview of the infosec landscape across the Pacific.

Some more talks have been added to the agenda:

Writing User Friendly Exploits - Skylar Rampersaud, Immunity

Alexander Sotirov's and Jacob Appelbaum's SSL paper "Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate" has been published today.

Today @ryannarraine twittered this bit of gossip from Boston: 'dino's planning a "really crazier demo" of exploit at cansecwest. plan is to make os x a "first class" target in metasploit'. Follow us on twitter at @secwest (where conference notices will be posted real-time during the conference), and @dragosr.

Dragos just recently received a copy of Dino's and Charlie's new book "The Mac Hacking Handbook" which apparently inadvertently released some vulnerabilities - we'll see if Apple can patch them before next week :-). But odds are, if you do discover it in the book, you probably won't be able to claim a PWN2OWN prize with it. It probably doesn't count as unreleased - we are waiting for a ruling from contest judges on that. Stand by for a review of the book from dr, to be published soon. (dr says: 'They got my attention when some of the exploit examples in the book list "Dragos Ruiu's Macintosh" as the target' :-)

(p.s. If you folks haven't seen this yet... here is one of the coolest mobile phone hacks we've seen in a while.)

2009-03-04-12:00:00 Conference Vortex Spinning Up

Some late announcements, a new paper:

Sniff keystrokes with lasers/voltmeters: Side Channel Attacks Using Optical Sampling of Mechanical Energy Emissions and Power Line Leakage - Andrea Barisani and Daniele Bianco, Inverse Path

Some more details about mobile targets:

On the browser side, we will be running the latest bleeding edge version of each browser platform we can get our hands on (yes, that means the Safari 4 beta, the latest build of IE8 available to us, and the upcoming Firefox release) on each of the two prize laptops (for the corresponding multi-os browsers). We will wipe the laptops and restore them to their factory conditions after the contest.

On the social agenda side of things, our rf-lab toting, 3d camera tracking wizard, Marc Alfonso, who moonlights as a ski patroller and medic on Grouse, will be taking a group to ski by the moonlight (and other lighting) at Grouse Mountain night skiing, on Wednesday night. You have to find your own way up to the gondola in North Vancouver (and they have night skating too), and Marc will be your experienced guide. Watch this space for instructions on how to sign up for this outing. Thursday night party venue and details TBD.

The detailed agenda will be published shortly, but a heads-up for folks: we are considering moving the lightning talks to Wednesday.