BEGIN:VCALENDAR VERSION:2.0 PRODID:-//pretalx//cfp.pass-the-salt.org//pts2025 BEGIN:VTIMEZONE TZID:CET BEGIN:STANDARD DTSTART:20001029T040000 RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10 TZNAME:CET TZOFFSETFROM:+0200 TZOFFSETTO:+0100 END:STANDARD BEGIN:DAYLIGHT DTSTART:20000326T030000 RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3 TZNAME:CEST TZOFFSETFROM:+0100 TZOFFSETTO:+0200 END:DAYLIGHT END:VTIMEZONE BEGIN:VEVENT UID:pretalx-pts2025-WAKGHJ@cfp.pass-the-salt.org DTSTART;TZID=CET:20250701T141000 DTEND;TZID=CET:20250701T171000 DESCRIPTION:Once upon a time\, an algorithm's task was to make the distinct ion between a chiwawa and a muffin... true story. Human\, curiosity is a g reat thing\, and this workshop is built around it.\n\nHere total beginners in AI learn the fundamentals of deep learning\, set up their environment\ , and apply it to image classification. By the end of the workshop\, they are able to build a simple web application using Gradio that classifies im ages. DTSTAMP:20260515T161734Z LOCATION:Room LW109 SUMMARY:Practical intro to deeplearning: chihuahuas vs muffins - Pauline Bo urmeau (Cookie)\, William Robinet (Conostix S.A.) URL:https://cfp.pass-the-salt.org/pts2025/talk/WAKGHJ/ END:VEVENT BEGIN:VEVENT UID:pretalx-pts2025-RWCWKL@cfp.pass-the-salt.org DTSTART;TZID=CET:20250701T141000 DTEND;TZID=CET:20250701T144500 DESCRIPTION:In an increasingly connected world\, securing wireless communic ation is vital for protecting critical infrastructure and personal data. T raditional tools for Radio Frequency (RF) assessments\, while effective\, often lack flexibility\, cross-platform compatibility\, and adaptability f or diverse environments and architectures. RF Swift addresses these limita tions by providing a streamlined\, modular toolbox tailored for RF Securit y assessments and HAM radio enthusiasts alike.\n\nRF Swift is a multiplatf orm solution\, seamlessly running on Windows\, Linux\, and a wide range of architectures. This versatility empowers users to conduct RF assessments in virtually any environment without hardware constraints. Designed with a daptability in mind\, RF Swift enables security professionals and radio en thusiasts to deploy\, manage\, and analyze RF communications with unpreced ented speed and efficiency.\n\nAttendees will discover how RF Swift empowe rs both rapid assessments and deep analysis\, simplifying complex tasks su ch as spectrum monitoring\, signal detection\, protocol analysis\, and sig nal generation. Join us to explore how RF Swift redefines RF security asse ssment\, offering a robust\, scalable\, and flexible approach to tackle mo dern wireless security challenges. DTSTAMP:20260515T161734Z LOCATION:Amphitheater 122 SUMMARY:RF Swift: A Swifty Toolbox for All Wireless Assessments - Sébastie n Dudek URL:https://cfp.pass-the-salt.org/pts2025/talk/RWCWKL/ END:VEVENT BEGIN:VEVENT UID:pretalx-pts2025-8WLTNS@cfp.pass-the-salt.org DTSTART;TZID=CET:20250701T144500 DTEND;TZID=CET:20250701T152000 DESCRIPTION:A debugger is always a valuable tool when searching for vulnera bilities\, particularly in embedded systems where multiple peripherals may be involved. Most targets support either well-standardized debug protocol s such as JTAG or SWD\, or rely on proprietary alternatives. These debug p orts are often locked to prevent unauthorized access. When locked\, depend ing on the chip\, it may still be possible to reactivate them by exploitin g a bug. In rare cases where this is not possible\, direct modification of the firmware may be an option. In such scenarios\, an on-chip debugger ca n be implemented within the firmware itself. While potentially unstable\, this type of debugger can be highly useful for firmware analysis and explo it development. DTSTAMP:20260515T161734Z LOCATION:Amphitheater 122 SUMMARY:The Last Resort: Debugging Embedded Systems with Unconventional Met hods - Vincent Lopes (Security Engineer\, Quarkslab) URL:https://cfp.pass-the-salt.org/pts2025/talk/8WLTNS/ END:VEVENT BEGIN:VEVENT UID:pretalx-pts2025-CWYMPY@cfp.pass-the-salt.org DTSTART;TZID=CET:20250701T152000 DTEND;TZID=CET:20250701T154000 DESCRIPTION:LabCyber is an exploratory lab focusing on the hardware dimensi on of cybersecurity deployed by the PTCC -transfer program at Campus Cyber operated by INRIA on behalf of the French academic community. DTSTAMP:20260515T161734Z LOCATION:Amphitheater 122 SUMMARY:LabCyber - a FabLab dedicated to cybersecurity - Aline Becq\, Fabie n Caura URL:https://cfp.pass-the-salt.org/pts2025/talk/CWYMPY/ END:VEVENT BEGIN:VEVENT UID:pretalx-pts2025-HL8QKR@cfp.pass-the-salt.org DTSTART;TZID=CET:20250701T155500 DTEND;TZID=CET:20250701T163000 DESCRIPTION:OpenRelik is a new decentralized\, distributed\, containerized incident response forensic artifact processing pipeline. We’ll talk abou t the main goal behind the project and its architecture\, but also lessons we’ve learned from past attempts at building this\, and how we’ve sol ved them this time around. Demos included! DTSTAMP:20260515T161734Z LOCATION:Amphitheater 122 SUMMARY:OpenRelik: a containerized incident response processing pipeline - Thomas Chopitea (Digital Forensics\, Google)\, Johan Berggren (Digital For ensics\, Google) URL:https://cfp.pass-the-salt.org/pts2025/talk/HL8QKR/ END:VEVENT BEGIN:VEVENT UID:pretalx-pts2025-SB7BEZ@cfp.pass-the-salt.org DTSTART;TZID=CET:20250701T163000 DTEND;TZID=CET:20250701T170500 DESCRIPTION:The Datadog Threat Research team routinely collects and analyze s potential malware samples from multiple sources such as honeypots\, inte lligence shared by partners and intel contacts\, internal security inciden ts or Guarddog sourced malicious packages.\n\nFrom these malware analysis\ , we extract Indicators of Compromise (IoCs)\, such as malicious IP addres ses\, domains\, file hashes and other atomic indicators. For example\, a c loud crypto-jacking campaign could involve malicious container images asso ciated with an attacker-controlled Dockerhub user. Malware in the Docker i mages could communicate with a Command and Control (C2) server at a specif ic IP. The names of the images\, along with the Dockerhub username and the C2 IP would be considered atomic indicators in this case. \n\nWith the in crease of daily analyses\, our team had to handle the detonation of variou s types of samples and built an automated pipeline from data ingestion to detonation and collection contextualised IoCs in our TIP. We built our pip eline by relying on several Open Source projects including eBPF tracers\, Threat Intelligence Platform and malware analysis orchestrator. \n\nWith t his talk we want to share how we implemented and deployed our pipeline and also give feedback and lessons learned while implementing it. DTSTAMP:20260515T161734Z LOCATION:Amphitheater 122 SUMMARY:End-to-end processing of malware samples using open source technolo gies - Frederic Baguelin\, Matt Muir URL:https://cfp.pass-the-salt.org/pts2025/talk/SB7BEZ/ END:VEVENT BEGIN:VEVENT UID:pretalx-pts2025-CSHGVJ@cfp.pass-the-salt.org DTSTART;TZID=CET:20250702T091500 DTEND;TZID=CET:20250702T121500 DESCRIPTION:This workshop will introduce you to our WHAD framework (WHAD st ands for *Wireless HAcking Devices* or *Wireless HAcking for Dummies*\, s ee https://whad.io) and its numerous tools designed to have fun with wirel ess devices in the wild\, with a focus on Bluetooth Low Energy (BLE). Lear n how to easily discover BLE devices\, connect to them and analyze how the y behave and expose information\, how to clone a device and trick a smartp hone to connect to it\, how to interact with a device in many unexpected w ays\, and more importantly learn how this framework can help you build pre tty efficient exploits in Python to complete the final challenge of this w orkshop !\n\nWe would be more than happy to get you started with Bluetooth Low Energy hacking with WHAD\, and hope you'll enjoy the ride and dig int o what this framework is capable of regarding other wireless protocols as well ! DTSTAMP:20260515T161734Z LOCATION:Room LW112 SUMMARY:Bluetooth Low Energy hacking with WHAD - Damien Cauquil (R&D Engine er at Quarkslab)\, Romain Cayre URL:https://cfp.pass-the-salt.org/pts2025/talk/CSHGVJ/ END:VEVENT BEGIN:VEVENT UID:pretalx-pts2025-WLKAH9@cfp.pass-the-salt.org DTSTART;TZID=CET:20250702T091500 DTEND;TZID=CET:20250702T095000 DESCRIPTION:Since the inception of Certificate Transparency\, the use of Tr ansparency logs is booming: go sumdb\, Key Transparency\, Sigstore\, etc. These various ecosystems build on top of the promise of transparency logs: accurate\, immutable\, publicly verifiable data. Building with tamper-evi dent logs means that you can cryptographically prove that the data hasn’ t been unexpectedly changed.\n\nThis growing number of ecosystems together with the increase of the logs’ size called for efficient APIs to ensure logs could deliver their promise. This led to the standardization of tran sparency logs APIs and format: the concept of tiles and checkpoint emerged . Tiles split the underlying Merkle tree into chunks that can be stored\, served and cached efficiently\, while checkpoints represent the state of t he tree.\n\nCertificate Transparency (CT) has been the most successful rol e model for transparency ecosystems. Static Certificate Transparency API\, an evolution of RFC 6962\, is Certificate Transparency’s attempt at imp lementing these new standards\, thus bringing all ecosystems closer to one another.\n\nThis talk introduces Trillian Tessera\, an open-source Go lib rary for building tile-based transparency logs using these standard format s on both major cloud and on-premises infrastructure\, together with Tesse raCT\, a readily deployable solution for Certificate Transparency using Tr illian Tessera.\n\nAttendees will gain insights into a lightweight yet pow erful library for building their own reliable and easily maintainable tran sparency solutions. We will showcase a concrete example of its application with Certificate Transparency. The demo covers the TesseraCT deployment a nd the performance of submitting entries and verifying the entry inclusion and log consistency. DTSTAMP:20260515T161734Z LOCATION:Amphitheater 122 SUMMARY:Building Efficient Verifiable Logs: Introducing Trillian Tessera an d TesseraCT - Philippe Boneff (Certificate Transparency Tech Lead\, Google )\, Roger Ng URL:https://cfp.pass-the-salt.org/pts2025/talk/WLKAH9/ END:VEVENT BEGIN:VEVENT UID:pretalx-pts2025-RTTHMW@cfp.pass-the-salt.org DTSTART;TZID=CET:20250702T091500 DTEND;TZID=CET:20250702T121500 DESCRIPTION:ROP (Return-Oriented Programming) is an essential technique for exploiting modern binary executables. The ROPEmporium website\, (https:// ropemporium.com/\n) developed by Max Kemper\, features a series of step-b y-step exercises designed to help you discover the ROPEmporiumhttps://cfp. pass-the-salt.org/pts2025/me/submissions/RTTHMW/#nav-abstract-preview prog ressively.\n\nThe workshop offers a shared experience of these exercises DTSTAMP:20260515T161734Z LOCATION:Room LW109 SUMMARY:ROPemporium party - Jean-Côme Estienney (CNAM) URL:https://cfp.pass-the-salt.org/pts2025/talk/RTTHMW/ END:VEVENT BEGIN:VEVENT UID:pretalx-pts2025-DCMUBQ@cfp.pass-the-salt.org DTSTART;TZID=CET:20250702T095000 DTEND;TZID=CET:20250702T101000 DESCRIPTION:The legitimacy of an online document today is bound to the way it has been retrieved: From a reputable source\, through an authenticated communication. However\, as primary sources become unavailable\, digital a rchives and other third-party repositories emerge as sole witnesses that s ome documents ever existed\, or that their content have not been altered. The proliferation of tools able to produce large amounts of convincing fak es\, as well as current incentives for bad actors to leverage these techno logies\, may eventually threaten the trust placed in these archives and fi nally question the genuineness of historical records.\n\nIn this talk\, we explore how existing technologies such as the Certificate Transparency\, may be leveraged to establish a robust foundation for digital archive inte grity and observability. We then present our on-going effort to develop li bre and open-source tools to build and maintain such transparency logs\, a s well as other integrations with existing standards for trusted timestamp ing and web archiving. DTSTAMP:20260515T161734Z LOCATION:Amphitheater 122 SUMMARY:Working towards digital archive transparency - The Terrible Archivi st URL:https://cfp.pass-the-salt.org/pts2025/talk/DCMUBQ/ END:VEVENT BEGIN:VEVENT UID:pretalx-pts2025-YKXAKR@cfp.pass-the-salt.org DTSTART;TZID=CET:20250702T101000 DTEND;TZID=CET:20250702T104500 DESCRIPTION:Or how to make sure you are communicating with the right person when using an end-to-end messaging app when the security relies on public keys you fetch from a third party. DTSTAMP:20260515T161734Z LOCATION:Amphitheater 122 SUMMARY:My friends have phone numbers\, not public keys - Thibault Meunier (Research\, Cloudflare) URL:https://cfp.pass-the-salt.org/pts2025/talk/YKXAKR/ END:VEVENT BEGIN:VEVENT UID:pretalx-pts2025-LEMGYM@cfp.pass-the-salt.org DTSTART;TZID=CET:20250702T110000 DTEND;TZID=CET:20250702T113500 DESCRIPTION:With the current massive user migration from X and Meta to dece ntralized social media such as Mastodon\, the interest in federated commun ication infrastructures is gaining traction. We have been documenting simi lar tendencies since 2018 already\, analyzing how users in various context s shift their preferences in terms of secure messaging applications. In th e context of a longitudinal study of secure messaging apps users and devel opers this presentation proposes to analyze several waves of user migratio ns and suggests an analytical framework to understand the changes in the p erception of what’s a “good secure messaging app” with a particular attention to federated architectures and their potential. The “Signal ga te” has shown that cryptographic properties of a messaging app per se do not offer a guarantee of security\, and many other (sometimes even non-te chnical) qualities enter the game. We propose to understand digital securi ty as an evolving sociotechnical process of adjusting tools and behaviors and to question the race for an “always more secure” messaging app. We argue that infrastructural choices (centralized vs decentralized vs distr ibuted) and social practices (such as contact discovery) matter. DTSTAMP:20260515T161734Z LOCATION:Amphitheater 122 SUMMARY:Always more secure? Analyzing user migrations to federated e2ee mes saging apps - Ksenia Ermoshina URL:https://cfp.pass-the-salt.org/pts2025/talk/LEMGYM/ END:VEVENT BEGIN:VEVENT UID:pretalx-pts2025-SYFQXB@cfp.pass-the-salt.org DTSTART;TZID=CET:20250702T113500 DTEND;TZID=CET:20250702T121000 DESCRIPTION:Messaging Layer Security (MLS) is a protocol for end-to-end enc ryption. It has been standardized at the IETF and has been published as RF C9420. Inspired by other protocols and designed with rigorous academic sup ervision it aims to be the go-to solution for whenever end-to-end encrypti on is needed.\n\nThis talk will cover the following areas:\n\n - How does MLS work?\n - What problems does it solve?\n - What does the ecosystem loo k like?\n - What extensions and variations exist?\n\nThis will also give a n outlook on the MIMI interoperability working group and how it relates to MLS. DTSTAMP:20260515T161734Z LOCATION:Amphitheater 122 SUMMARY:Messaging Layer Security (MLS) – towards more end-to-end encrypti on - Raphael Robert (MLS co-author\, CEO of Phoenix R&D) URL:https://cfp.pass-the-salt.org/pts2025/talk/SYFQXB/ END:VEVENT BEGIN:VEVENT UID:pretalx-pts2025-K3MKZQ@cfp.pass-the-salt.org DTSTART;TZID=CET:20250702T140000 DTEND;TZID=CET:20250702T163000 DESCRIPTION:MISP is an open-source platform for threat intelligence and inf ormation sharing. This workshop is designed to introduce MISP concepts and get started with using the platform. Participants will learn about MISP f eatures by conducting a hands-on analysis during the workshop. DTSTAMP:20260515T161734Z LOCATION:Room LW109 SUMMARY:MISP for analysts - Pauline Bourmeau (Cookie)\, William Robinet (Co nostix S.A.) URL:https://cfp.pass-the-salt.org/pts2025/talk/K3MKZQ/ END:VEVENT BEGIN:VEVENT UID:pretalx-pts2025-P3DZRZ@cfp.pass-the-salt.org DTSTART;TZID=CET:20250702T140000 DTEND;TZID=CET:20250702T143500 DESCRIPTION:Over the years\, Delta Chat has matured to be an easy-to-use\, secure\,\nand even fast decentralized FOSS messenger app for all platforms .\nIn this talk we discuss two key security architectures: \n\n- Autocry pt and SecureJoin key distribution protocols for achieving\n automatic en d-to-end encrypted messaging safe against MITM attacks\, and\n\n- the open -signup Chatmail server network which successfully uses strict\n cryptogr aphic interoperability contraints (DKIM\, OpenPGP\, TLS) \n instead of IP -reputation and spam classification methods.\n\nWe also highlight the six independent security audits and analysis conducted so far. DTSTAMP:20260515T161734Z LOCATION:Amphitheater 122 SUMMARY:Usable end-to-end security with Delta Chat and Chatmail - Holger Kr ekel URL:https://cfp.pass-the-salt.org/pts2025/talk/P3DZRZ/ END:VEVENT BEGIN:VEVENT UID:pretalx-pts2025-AN9QJ8@cfp.pass-the-salt.org DTSTART;TZID=CET:20250702T143500 DTEND;TZID=CET:20250702T151000 DESCRIPTION:The French government has deployed a private Matrix federation for French civil servants called Tchap.\n\nCurrently this federation has a bout 300 000 monthly active users and its usage is growing constantly.\n\n Today our federation is closed and we would like to be able to connect wit h other public French Matrix nodes (local authorities for instance)\, and also other European countries.\n\nWe should implement measures to ensure t hat the federation remains resilient against potential attacks\, both tech nical (e.g.\, DDoS\, data interception) and organizational (e.g.\, unautho rized access\, insider threats) :\n\n* How can we restrict the servers w e wish to communicate with? How can we be sure that we are actually commun icating with them? Since TLS can be vulnerable to man-in-the-middle attack s by state actors\, we can't rely on it entirely.\n* How can we trust th e identities of users from external deployments that we don’t control?\n * How can we limit the interactions that external users can have with us ers from our federation?\n\nWe spent a lot of time thinking about this and now have a plan that looks legit\, and that we are currently implementing . I'm sure you want to know more about it\, right?\n\nIn this talk\, we wi ll share the approach we’ve taken to address these challenges and we wil l present the architecture we designed. DTSTAMP:20260515T161734Z LOCATION:Amphitheater 122 SUMMARY:Matrix French gov deployment: opening a private federation securely - Mathieu Velten\, Yoan Pintas URL:https://cfp.pass-the-salt.org/pts2025/talk/AN9QJ8/ END:VEVENT BEGIN:VEVENT UID:pretalx-pts2025-UATTRT@cfp.pass-the-salt.org DTSTART;TZID=CET:20250702T154000 DTEND;TZID=CET:20250702T160000 DESCRIPTION:VRRP (Virtual Router Redundancy Protocol) is an open-standard p rotocol designed to ensure high availability of routers. Proven and widely adopted\, it is used in many network infrastructures. However\, the secur ity aspects of VRRP are rarely discussed in depth in available online reso urces. For instance\, VRRPv2\, which remains widely used today\, offers tw o authentication modes\, one of which is easily bypassed. In contrast\, VR RPv3 has completely removed authentication\, as the protocol's authors con sidered that security should be handled at a different layer. In this pres entation\, I will focus on the IP tie-breaking dilemma that arises during VRRP priority conflicts\, particularly when the legitimate master router i s configured with the highest priority value of 255. To illustrate this is sue\, I will rely on Keepalived\, a widely used open-source implementation of VRRP. I will also highlight a design flaw I co-discovered in the VRRP protocol (RFC 9568)\, in collaboration with the Keepalived project maintai ners. This vulnerability\, documented in erratum 8298 and validated by the IETF\, allows an attacker on the same network to impersonate the master r outer during a priority conflict\, revealing a weakness in the protocol’ s design. DTSTAMP:20260515T161734Z LOCATION:Amphitheater 122 SUMMARY:When Priority Isn’t Enough: Exploiting the VRRP Tie-Breaking IP M echanism - Geoffrey Sauvageot-Berland URL:https://cfp.pass-the-salt.org/pts2025/talk/UATTRT/ END:VEVENT BEGIN:VEVENT UID:pretalx-pts2025-EN3WB8@cfp.pass-the-salt.org DTSTART;TZID=CET:20250702T160000 DTEND;TZID=CET:20250702T162000 DESCRIPTION:Wireshark is a widely used tool when it comes to view the conte nts of a network traffic capture.\nWhen reversing a protocol\, we tend to develop a simple program with a "simple" programming language (Python\, Go ...) to parse what is currently known.\n\nThe most logic way would be to d evelop this program as a Wireshark plugin\, but the Wireshark plugin API i s rarly used\, since it's quite complex and does not fit for a quick and d irty task.\n\nWirego allows simple development of Wireshark plugins in Pyt hon and Go (and maybe more). DTSTAMP:20260515T161734Z LOCATION:Amphitheater 122 SUMMARY:Wirego\, a Wireshark plugin development framework - Benoit Girard URL:https://cfp.pass-the-salt.org/pts2025/talk/EN3WB8/ END:VEVENT BEGIN:VEVENT UID:pretalx-pts2025-JFTTLJ@cfp.pass-the-salt.org DTSTART;TZID=CET:20250703T093000 DTEND;TZID=CET:20250703T123000 DESCRIPTION:The Delta Chat decentralized instant messaging project has over the years evolved a rich ecosystem of distinct project areas\, from insta nt onboarding with a versatile cross-platform messenger\, over using chat- shared web apps with integrated Peer-to-Peer realtime messaging to partici pating with own Chatmail servers in the world-wide e-mail server network.\ n\nFirst\, we onboard all participants on different Chatmail servers and g et into a joint chat group and play around with the many features\, answer and discuss questions and maybe play some games.\n\nSecond\, we offer par ticipants hands-on sessions: \n\n- setting up a chatmail server\n\n- writi ng a webxdc app\n\n- writing a chat bot DTSTAMP:20260515T161734Z LOCATION:Room LW109 SUMMARY:Dive into Delta Chat\, Chatmail\, webxdc apps and P2P realtime - Ho lger Krekel\, Ksenia Ermoshina\, missytake URL:https://cfp.pass-the-salt.org/pts2025/talk/JFTTLJ/ END:VEVENT BEGIN:VEVENT UID:pretalx-pts2025-DEKPBL@cfp.pass-the-salt.org DTSTART;TZID=CET:20250703T093000 DTEND;TZID=CET:20250703T095000 DESCRIPTION:__Rcat__ is a modern _netcat_ written in Rust 🦀. It supports __TLS__\, and __upgrading reverse shells__ to a fully interactive TTY. DTSTAMP:20260515T161734Z LOCATION:Amphitheater 122 SUMMARY:Make better shells with rcat - Olivier Lasne URL:https://cfp.pass-the-salt.org/pts2025/talk/DEKPBL/ END:VEVENT BEGIN:VEVENT UID:pretalx-pts2025-XE9K9T@cfp.pass-the-salt.org DTSTART;TZID=CET:20250703T095000 DTEND;TZID=CET:20250703T101000 DESCRIPTION:Named Pipes are interprocess communication primitives used by m any Windows applications.\nHowever\, these operating system APIs are often blindly trusted\, and one can intercept and tamper with transmitted data by abusing a Man-in-the-Middle setup.\nCommonly admitted mitigations impli es checking process IDs\, executable signatures or permissions on the name d pipe. With proper tooling\, such mitigations can be bypassed.\n\nThis pr esentation will delve into Windows Named Pipes APIs while highlighting com mon attacks\, usual mitigations\, and how to bypass them using the soon-to -be-opensource tool thats_no_pipe. DTSTAMP:20260515T161734Z LOCATION:Amphitheater 122 SUMMARY:Hooking Windows Named Pipes with thats_no_pipe - Thomas Borot (Pent ester @Synacktiv) URL:https://cfp.pass-the-salt.org/pts2025/talk/XE9K9T/ END:VEVENT BEGIN:VEVENT UID:pretalx-pts2025-XZGSN8@cfp.pass-the-salt.org DTSTART;TZID=CET:20250703T101000 DTEND;TZID=CET:20250703T103000 DESCRIPTION:In this session\, we will examine the Vesta control panel\, kno wn for its user-friendly approach to Linux server management. While Vesta facilitates tasks like hosting websites and managing domains\, it also pre sents security challenges. Our focus will be on a significant vulnerabilit y that allows for admin takeover due to the predictable output of the Bash $RANDOM variable used for password and token generation.\n\nAttendees wil l gain insights into the exploit process\, its implications for server sec urity\, and best practices for mitigating similar risks. Join us to learn how to enhance the security of your Linux server environments and protect against unauthorized access. DTSTAMP:20260515T161734Z LOCATION:Amphitheater 122 SUMMARY:Vesta Admin Takeover - Exploiting reduced seed entropy in $RANDOM - Adrian Tiron URL:https://cfp.pass-the-salt.org/pts2025/talk/XZGSN8/ END:VEVENT BEGIN:VEVENT UID:pretalx-pts2025-9ZCTRE@cfp.pass-the-salt.org DTSTART;TZID=CET:20250703T104500 DTEND;TZID=CET:20250703T110500 DESCRIPTION:Keycloak is a popular open source Identity and Access Managemen t solution that provides single sign-on\, user federation\, and fine-grain ed role-based access control. However\, in complex setups with multiple re alms\, roles\, and groups\, misconfigurations may go unnoticed. In this sh ort talk\, I will demonstrate a straightforward way to export Keycloak dat a (realms\, roles\, users\, groups\, etc.) into a Neo4j graph database\, t hen run Cypher queries to pinpoint potential security issues such as privi lege escalation. By visualizing Keycloak objects as a graph\, we gain a cl earer view of relationships and can spot unusual privileges more easily. A n open-source tool facilitating this process will be released once the fin al configuration details are settled\, enabling others to replicate and ad apt the method. DTSTAMP:20260515T161734Z LOCATION:Amphitheater 122 SUMMARY:Auditing Keycloak Configurations with Neo4j - Kévin Schouteeten (p entester @Synacktiv) URL:https://cfp.pass-the-salt.org/pts2025/talk/9ZCTRE/ END:VEVENT BEGIN:VEVENT UID:pretalx-pts2025-FUL7LS@cfp.pass-the-salt.org DTSTART;TZID=CET:20250703T110500 DTEND;TZID=CET:20250703T114000 DESCRIPTION:The pacman package manager is used by the Arch Linux distributi on and its derivatives. It is written in a memory-unsafe language\, runs a s root\, and performs complicated tasks while downloading packages over th e internet.\nThis is the story of how in 7.0 we isolated the download step s into a separate process\, running as an unprivileged user\, and further restricted it using seccomp and Landlock. DTSTAMP:20260515T161734Z LOCATION:Amphitheater 122 SUMMARY:Putting pacman in jail: a sandboxing story - Rémi Gacogne (Securit y Team\, Arch Linux) URL:https://cfp.pass-the-salt.org/pts2025/talk/FUL7LS/ END:VEVENT BEGIN:VEVENT UID:pretalx-pts2025-C9MMHN@cfp.pass-the-salt.org DTSTART;TZID=CET:20250703T114000 DTEND;TZID=CET:20250703T120000 DESCRIPTION:This presentation introduces RootAsRole\; an alternative to sud o/su commands that applies more finely the principle of least privilege\, dives into security issues with Ansible and how RootAsRole helps to deal w ith. DTSTAMP:20260515T161734Z LOCATION:Amphitheater 122 SUMMARY:RootAsRole: Simplifying Linux Privileges and Fortifying Ansible Dep loyments - Yves Rütschlé (Security architect\, Airbus Protect)\, Eddie B illoir (Airbus Protect) URL:https://cfp.pass-the-salt.org/pts2025/talk/C9MMHN/ END:VEVENT BEGIN:VEVENT UID:pretalx-pts2025-PKWQUD@cfp.pass-the-salt.org DTSTART;TZID=CET:20250703T140000 DTEND;TZID=CET:20250703T142000 DESCRIPTION:Publicly accessible registries and repositories are often assoc iated with well-known SaaS platforms such as GitHub or DockerHub. However\ , a significant number of individuals and companies rely on self-hosted so lutions like GitLab or Harbor for managing their code and container images . Surprisingly\, many of these self-hosted instances are inadvertently exp osed\, granting unauthenticated access to repositories and container image s.\n\nThis talk will explore methods for discovering publicly accessible s elf-hosted registries using techniques such as Certificate Transparency (C T) logs and Shodan scanning. We will discuss how to retrieve repository co ntents and container images from these sources\, subsequently performing s ecrets scanning to assess the extent of exposure and raise awareness of po tential security risks.\n\nFrom a tooling perspective\, our investigation reveals a critical gap: most scanning tools fail to retrieve images from r egistries that are only available via plain HTTP. We will take this opport unity to discuss the registry API\, and demonstrate approaches for interac ting with it.\n\nThrough real-world examples and hands-on insights\, this talk aims to shed light on the current state of public registry exposure\, providing actionable recommendations for improving security posture. DTSTAMP:20260515T161734Z LOCATION:Amphitheater 122 SUMMARY:Secrets at Sea: Hunting Exposed Code & Container Registries - Guill aume Valadon\, Gaetan Ferry (Security research\, GitGuardian) URL:https://cfp.pass-the-salt.org/pts2025/talk/PKWQUD/ END:VEVENT BEGIN:VEVENT UID:pretalx-pts2025-7A7B8G@cfp.pass-the-salt.org DTSTART;TZID=CET:20250703T140000 DTEND;TZID=CET:20250703T163000 DESCRIPTION:This hands-on workshop will guide participants through the proc ess of reverse engineering and modifying Android applications without the need for rooted devices.\nI will present [apkpatcher](https://apkpatcher.c i-yow.com/) to explore various techniques to analyze\, modify\, and remove tracker on Android apps\, focusing on practical skills that can be applie d in real-world scenarios. DTSTAMP:20260515T161734Z LOCATION:Room LW109 SUMMARY:Apkpatcher: Reverse Engineering and Modifying Android Applications Without Rooting - Benoit Forgette URL:https://cfp.pass-the-salt.org/pts2025/talk/7A7B8G/ END:VEVENT BEGIN:VEVENT UID:pretalx-pts2025-RDEFF3@cfp.pass-the-salt.org DTSTART;TZID=CET:20250703T142000 DTEND;TZID=CET:20250703T144000 DESCRIPTION:You meticulously craft constant-time code to protect against si de-channel attacks—only to have your compiler silently sabotage it. Opti mization passes\, designed to make code faster\, can introduce timing leak s\, violating security guarantees in ways developers never intended. But w hich optimizations are responsible? And how can you stop them without rewr iting the compiler itself?\n\nIn this talk\, we investigate the mystery be hind compiler-induced constant-time violations. We analyze real-world exam ples from GCC and LLVM\, exposing how specific optimizations betray securi ty assumptions. More importantly\, we provide practical solutions: which c ompiler flags can mitigate these leaks\, and what is the real cost of secu ring your compiled code?\n\nYour compiler may not be your friend—but wit h the right knowledge\, you can stop it from turning against you. DTSTAMP:20260515T161734Z LOCATION:Amphitheater 122 SUMMARY:Fun with flags: How Compilers Break and Fix Constant-Time Code - An toine Geimer URL:https://cfp.pass-the-salt.org/pts2025/talk/RDEFF3/ END:VEVENT BEGIN:VEVENT UID:pretalx-pts2025-GBEYZP@cfp.pass-the-salt.org DTSTART;TZID=CET:20250703T144000 DTEND;TZID=CET:20250703T150000 DESCRIPTION:Microarchitectural side-channel attacks exploit subtle hardware behaviors\, such as cache activity and instruction retirement patterns\, to extract sensitive information. Understanding these attacks is essential for developing effective mitigations. However\, real hardware imposes lim itations on observability and experimental flexibility. The gem5 simulator \, an open-source and highly extensible architectural simulator\, provides a powerful environment for analyzing these attacks with fine-grained cont rol over execution\, memory access\, and timing behaviors.\n\n\nIn this pr esentation\, I will demonstrate how gem5 can be used to evaluate side-chan nel vulnerabilities\, focusing on attack scenarios such as Flush+Fault and Access-Retired attacks targeting the RISC-V architecture. By simulating b oth attack and non-attack conditions under controlled settings\, gem5 enab les precise identification of attack patterns. These datasets can then be used to train machine learning (ML) models for classifying microarchitectu ral events with high accuracy.\n\n\nBy leveraging gem5’s multi-ISA suppo rt\, full-system simulation\, and cycle-accurate modeling\, researchers ga in deeper insights into attack mechanisms\, accelerate the prototyping of detection techniques\, and design architectures resilient to both known an d emerging side-channel threats. This approach not only enhances detection capabilities but also informs secure hardware-software co-design strategi es. DTSTAMP:20260515T161734Z LOCATION:Amphitheater 122 SUMMARY:Analyzing Microarchitectural Side-Channel Attacks Using Open-source gem5 simulator - Mahreen Khan URL:https://cfp.pass-the-salt.org/pts2025/talk/GBEYZP/ END:VEVENT BEGIN:VEVENT UID:pretalx-pts2025-MMAXWW@cfp.pass-the-salt.org DTSTART;TZID=CET:20250703T150000 DTEND;TZID=CET:20250703T152000 DESCRIPTION:Most of you made your own website at least once or twice. You w rote HTML or used a framework that generated static content for you. And y ou were pretty proud to have something as lightweight as possible.\n\nIt t urns out we are the weirdos.\n\nOver years of developing [lookyloo](https: //github.com/Lookyloo)\, we have encountered a lot of interesting (and som etimes terrible) techniques used to show you a webpage\, and harvest your data. These techniques include what happens before you see anything (DNS\, geolocalisation\, time in the day)\, when you start seeing the page (GDPR popup\, Captcha\, mouse movement)\, and after it is fully rendered. (If i t ever does...) DTSTAMP:20260515T161734Z LOCATION:Amphitheater 122 SUMMARY:The Even Darker Web - Dirty tricks and questionable code choices on some of the world's largest websites. - Raphaël Vinot (Developer\, Looky loo) URL:https://cfp.pass-the-salt.org/pts2025/talk/MMAXWW/ END:VEVENT BEGIN:VEVENT UID:pretalx-pts2025-7K9MEV@cfp.pass-the-salt.org DTSTART;TZID=CET:20250703T153500 DTEND;TZID=CET:20250703T161000 DESCRIPTION:Twelve years after the public specification of the Signal proto col\, almost all\ninstant messaging protocols have embraced the ratchet co nstruct\, granting perfect\nforward secrecy and post-compromise security.\ n\nWhatsapp\, Signal\, OMEMO-based applications\, Olm and Megolm-based app lications\,\nor SimpleX Chat all use the Double Ratchet protocol. Olvid al so uses a ratchet\nprotocol\, although the construct is a bit different. A nd there are the stragglers\nwho insist on not using any form of perfect f orward secrecy\, such as Session or\nDelta Chat. Of those\, we will talk n o more.\n\nBut since then\, we have learned the hard way from some NSA exe cutive that\nmetadata gets you arrested or killed. And so begs the questio n: how well are\nprotected our metadata by the various instant messaging i nfrastructures?\n\nSignal claims one cannot hand over data one doesn't hav e. But how honest are\nthey about the metadata they do have\, and that cou ld be requested from them or\ntheir hosting provider by a subpoena and sea led orders.\n\nIn this talk\, we will explore some metadata available to S ignal servers\, Olvid\nservers\, Matrix/Element home servers and SimpleX C hat SMP queue servers. We will\nthen discuss the strategies that some of t hese applications have deployed to\nlimit metadata exposition\, including those leveraging external transport security\,\nsuch as the use of Tor. DTSTAMP:20260515T161734Z LOCATION:Amphitheater 122 SUMMARY:Metadata Protection in Instant Messaging Applications: a Review - F lorian Maury URL:https://cfp.pass-the-salt.org/pts2025/talk/7K9MEV/ END:VEVENT BEGIN:VEVENT UID:pretalx-pts2025-BT3FTH@cfp.pass-the-salt.org DTSTART;TZID=CET:20250703T161000 DTEND;TZID=CET:20250703T163000 DESCRIPTION:Android is the dominant mobile operating system\, powering more than 70% of the global mobile market and presenting a significant opportu nity for user tracking. As privacy regulations tighten around how personal data can be used and collected\, trackers are looking for alternatives th at are under less scrutiny to evade detection. Device fingerprinting has e merged as a key solution\, allowing trackers to create identifiers without user consent in a stealthy manner. Despite the extensive research on fing erprinting done from a web browser in the past decade\, device fingerprint ing on Android remains relatively understudied\, with limited literature e xploring its specific techniques and implications for user privacy.\n\nIn this study\, we introduce EXADPrinter\, a novel exhaustive permissionless device fingerprinting framework targeting Android devices. Without requiri ng permissions\, our framework extracts over 200\,000 properties per devic e by leveraging methods such as Java reflection and execution of shell com mands. Through a dedicated Android application and a 6-month data collecti on\, we gathered over 1151 fingerprints coming from 833 different Android devices\, covering 41 manufacturers and 7 Android versions ranging from 9 to 15.\n\nThrough our framework\, we demonstrate that diverse data can be collected about the device hardware\, the operating system running on it\, and the user\, without requiring special permissions. We show that combin ing a few attributes without any IDs or personal information is enough to uniquely identify each device of our dataset\, painting a bleak picture of the current state of the Android ecosystem.\nMoreover\, our framework hig hlights the negative impact of custom operating systems and manufacturer-s pecific customizations as they enhance the device fingerprinting effective ness. Furthermore\, EXADPrinter uncovers some leakage of sensitive informa tion caused essentially by manufacturer customizations\, including the exp osure of user emails\, emergency contacts\, and persistent identifiers suc h as SIM identifiers. DTSTAMP:20260515T161734Z LOCATION:Amphitheater 122 SUMMARY:EXADPrinter: Exhaustive Permissionless Device Fingerprinting Within the Android Ecosystem - Sihem Bouhenniche (University of Lille - Inria) URL:https://cfp.pass-the-salt.org/pts2025/talk/BT3FTH/ END:VEVENT END:VCALENDAR