{"$schema": "https://c3voc.de/schedule/schema.json", "generator": {"name": "pretalx", "version": "2025.2.2"}, "schedule": {"url": "https://cfp.pass-the-salt.org/pts2026/schedule/", "version": "0.7", "base_url": "https://cfp.pass-the-salt.org", "conference": {"acronym": "pts2026", "title": "Pass the SALT 2026", "start": "2026-06-30", "end": "2026-07-02", "daysCount": 3, "timeslot_duration": "00:05", "time_zone_name": "Europe/Paris", "colors": {"primary": "#069494"}, "rooms": [{"name": "Amphitheater 122", "slug": "12-amphitheater-122", "guid": "e10da599-2e58-5d62-8cbb-2e6ac653d45d", "description": null, "capacity": null}, {"name": "Room LW112", "slug": "14-room-lw112", "guid": "4cac865f-6304-566c-a547-4203b8029da0", "description": null, "capacity": null}, {"name": "Room LW109", "slug": "13-room-lw109", "guid": "08301808-3867-517b-b353-bfb7b64da431", "description": null, "capacity": null}], "tracks": [{"name": "ThreatIntel", "slug": "57-threatintel", "color": "#bb0a58"}, {"name": "Hardware & IoT", "slug": "60-hardware-iot", "color": "#fc00ff"}, {"name": "Vuln Research", "slug": "63-vuln-research", "color": "#ff0016"}, {"name": "Exploitation", "slug": "59-exploitation", "color": "#000000"}, {"name": "System & Hardening", "slug": "61-system-hardening", "color": "#ff7a00"}, {"name": "Lost in PQC Translation (or not)", "slug": "54-lost-in-pqc-translation-or-not", "color": "#3b8937"}, {"name": "Security by Design", "slug": "62-security-by-design", "color": "#2008b3"}, {"name": "Crypto for Users", "slug": "55-crypto-for-users", "color": "#5709f6"}], "days": [{"index": 1, "date": "2026-06-30", "day_start": "2026-06-30T04:00:00+02:00", "day_end": "2026-07-01T03:59:00+02:00", "rooms": {"Amphitheater 122": [{"guid": "d0bd8658-5fde-594f-a210-0fd5563d86ef", "code": "XGWGAK", "id": 308, "logo": null, "date": "2026-06-30T14:10:00+02:00", "start": "14:10", "duration": "00:35", "room": "Amphitheater 122", "slug": 
"pts2026-308-finding-the-needle-in-the-haystack-with-dicozorus-a-new-companion-for-advanced-web-fuzzing", "url": "https://cfp.pass-the-salt.org/pts2026/talk/XGWGAK/", "title": "Finding the Needle in the Haystack with Dicozorus - A New Companion for Advanced Web Fuzzing", "subtitle": "", "track": "Vuln Research", "type": "Talk", "language": "en", "abstract": "URL fuzzing is a critical step in penetration testing, yet its effectiveness often hinges on the quality of wordlists. Publicly available lists frequently suffer from missing critical entries, poor sorting, lack of modularity, and irrelevant content, leading to inefficient scans and missed vulnerabilities.\r\n\r\nThis talk introduces a methodology for building better wordlists, along with a tool, Dicozorus, designed to support this process by providing a robust system for generating, managing, and curating high-quality fuzzing wordlists.\r\n\r\nDicozorus relies on a database that stores entries with rich metadata (severity, type, category, tags, references), enabling the creation of tailored wordlists based on context such as scope, network performance, or stealth requirements. Used internally for over five years, it has significantly improved wordlist quality and revealed numerous critical vulnerabilities absent from popular lists.\r\n\r\nDicozorus provides both a curated compilation of entries for immediate use as well as the ability for professionals to maintain custom, effective datasets.\r\n\r\nThe tool will be made publicly available on Synacktiv\u2019s GitHub repository ahead of the conference.", "description": "The presentation is structured in several parts:\r\n- **Introduction / The fuzzing challenge** : Penetration testing relies heavily on URL fuzzing to find vulnerabilities. Common fuzzing tools and wordlists, pros and cons.\r\n- **Motivations: Why Existing Wordlists Fall Short** : Lessons learned from many penetration tests and thousands of scans. 
Identified Issues: Missing Entries /Unsorted Wordlists / Lack of Modularity / Improper Sizing / Irrelevant Entries (Junk). Examples based on well known wordlists will be presented\r\n- **Objectives: What Dicozorus Aims to Achieve** : The solution we provide: not just an enhanced wordlist but a tool to generate, merge, filter, sort, tag, categorize, and track entries.\r\n- **Dicozorus in Action: How It Works**: Core architecture / Key commands overview\r\n- **How the builtin database was created**: A Multi-Source Aggregation Strategy based on:\r\n  - Existing public Wordlists\r\n  - Public Bug Bounty Reports\r\n  - Public vulnerability databases\r\n  - Past Fuzzing Traces\r\n  - External contributions from auditors\r\n- **Manual Review & Curation**: While automated parsing provides volume, manual review is critical for assigning accurate metadata (severity, category) and filtering out noise, ensuring high-quality data for the built-in wordlists\r\n- **Tangible Results**: Proving dicozorus's value by presenting feedback from internal usages, statistics on the entries of the builtin wordlist and comparison with publicly known wordlists.", "recording_license": "", "do_not_record": false, "persons": [{"code": "C8ENML", "name": "Vincent Herbulot (Security\u202fResearcher, Synacktiv)", "avatar": "https://cfp.pass-the-salt.org/media/avatars/C8ENML_d7dk7i8.webp", "biography": "Vincent is a Security Researcher at Synacktiv, where he performs vulnerability research and penetration testing across diverse environments. With over a decade of experience, he has conducted a wide range of security assessments, placing a primary focus on web application security. 
Vincent is dedicated to sharing his expertise and has led multiple training sessions, helping security professionals enhance their skills in this critical area.\r\n\r\nX: @us3r777\r\nLinkedIn: https://www.linkedin.com/in/vincent-herbulot/", "public_name": "Vincent Herbulot (Security\u202fResearcher, Synacktiv)", "guid": "0914d2ca-65b2-5805-91d5-b6a93dffbcb7", "url": "https://cfp.pass-the-salt.org/pts2026/speaker/C8ENML/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2026/talk/XGWGAK/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2026/talk/XGWGAK/", "attachments": []}, {"guid": "a054a621-97eb-5100-8cf8-6e484d0e0c68", "code": "UA97SY", "id": 318, "logo": null, "date": "2026-06-30T14:45:00+02:00", "start": "14:45", "duration": "00:20", "room": "Amphitheater 122", "slug": "pts2026-318-fuzzwizard", "url": "https://cfp.pass-the-salt.org/pts2026/talk/UA97SY/", "title": "Fuzzwizard", "subtitle": "", "track": "Vuln Research", "type": "Short Talk", "language": "en", "abstract": "Fuzzwizard is a self-hosted fuzzer orchestrator for continuous fuzzing. It was built to help teams run fuzzers 24/7, monitor their status, centralize crashes, receive notifications, and inspect coverage.\r\n\r\nDevelopers now add fuzzers alongside their unit tests, running them manually and keeping track of their results becomes difficult. Fuzzwizard addresses that problem with a customisable platform that can run locally and scale to multiple projects. It can also be used to run fuzzing campaigns and collect crashes and related information.", "description": "Fuzzwizard is an open-source tool to orchestrate fuzzing campaigns. 
It is composed of several elements:\r\n\r\n- A TUI (Terminal User Interface) to monitor the platform, inspect running fuzzers, manage tasks, and review recent crashes and coverage information.\r\n- A backend and database to store crashes, expose them through an API, and make the collected data available outside the TUI for other tools.\r\n- A notification service that alerts users when a crash occurs or when an administrative event happens, for example if the backend fails. The notification layer is extensible. Today, we support both a file-based provider and a Slack provider.\r\n- A scheduler that orchestrates fuzzers for a given project. Several schedulers can run at the same time. The scheduler detects targets, launches fuzzers, monitors them, collects crashes, and triggers coverage collection. Fuzzers can be run either natively or inside containers. It can also rebuild targets and restart campaigns when binaries change.\r\n\r\nThese components are mostly independent, except for the TUI, which acts as a main entry point. 
The scheduler itself is implemented as a Rust library, and most of the behaviour is driven by configuration files, which makes the whole setup easy to adapt to different projects.", "recording_license": "", "do_not_record": false, "persons": [{"code": "EMTSSN", "name": "Marion Lafon (Security Engineer, Ledger)", "avatar": "https://cfp.pass-the-salt.org/media/avatars/EMTSSN_TLpNdql.webp", "biography": "", "public_name": "Marion Lafon (Security Engineer, Ledger)", "guid": "14f3ab78-21fc-5af6-8e6e-769b04a6a0a6", "url": "https://cfp.pass-the-salt.org/pts2026/speaker/EMTSSN/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2026/talk/UA97SY/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2026/talk/UA97SY/", "attachments": [{"title": "Demo", "url": "/media/pts2026/submissions/UA97SY/resources/demo_fuzzwizard_voplGRI.mov", "type": "related"}]}, {"guid": "db685638-bed6-5e67-bdc9-357bf82b1f39", "code": "KM8MUR", "id": 330, "logo": null, "date": "2026-06-30T15:05:00+02:00", "start": "15:05", "duration": "00:35", "room": "Amphitheater 122", "slug": "pts2026-330-automated-vulnerability-detection-in-go-concolic-execution-for-multi-threaded-binaries", "url": "https://cfp.pass-the-salt.org/pts2026/talk/KM8MUR/", "title": "Automated Vulnerability Detection in Go: Concolic Execution for Multi-Threaded Binaries", "subtitle": "", "track": "Vuln Research", "type": "Talk", "language": "en", "abstract": "Go powers critical infrastructure, but analyzing compiled Go binaries for security issues remains difficult in practice.\r\n\r\nIn this talk, we present Zorya, an open-source concolic analysis framework designed to detect vulnerabilities directly at the binary level, including bugs that do not immediately crash the program.\r\n\r\nWe will show how Zorya combines runtime state recovery, symbolic reasoning, and constraint solving with the Z3 SMT solver to analyze real-world Go targets. 
Attendees will learn where traditional approaches fall short, how Zorya helps uncover exploit-relevant paths, and how this can improve real security audit workflows.", "description": "This session presents Zorya end-to-end as a security analysis capability, with recent advances included as part of a broader system view.\r\n\r\nWhat attendees will get:\r\n\r\n- How Zorya works in practice: concrete+symbolic execution over binary code, via Ghidra P-Code and Z3.\r\n- What makes it usable on real Go binaries: compiler/runtime-aware strategies for TinyGo and gc targets, including multi-threaded/runtime constraints.\r\n- Coverage beyond obvious crashes: overlay path analysis to inspect untaken paths and detect silent bugs without custom oracles.\r\n- Operational usage model: interactive mode, function-focused exploration, and campaign/fuzzer-driven workflows.\r\n- Evidence on real cases: vulnerability findings across real-world Go projects, with reproducible artifacts and lessons learned.\r\n\r\nThe talk is intended for offensive security practitioners, reverse engineers, and defenders who need practical methods to audit compiled Go software when source-level tooling is insufficient.\r\n\r\nWebsite: https://zorya.karolinagorna.net\r\nProject: https://github.com/Ledger-Donjon/zorya\r\nEvaluation: https://github.com/Ledger-Donjon/zorya-evaluation", "recording_license": "", "do_not_record": false, "persons": [{"code": "PZMZJU", "name": "Karolina GORNA (Security Researcher, Ledger)", "avatar": "https://cfp.pass-the-salt.org/media/avatars/PZMZJU_pIs06HG.webp", "biography": "Karolina Gorna is a PhD candidate at T\u00e9l\u00e9com Paris, conducting her research with the Ledger Donjon on vulnerability detection and formal methods. She holds an ANSSI ESSI certification and previously led KRYPTOSPHERE, a tech student association of over 500 members across France. 
When she is not chasing silent integer overflows, she organizes and competes in hackathons including NASA Space Apps Challenge and ETH Global. She has also delivered technical training for AFORP and MIT Professional Education, and enjoys bridging academic research with hands-on security practice.", "public_name": "Karolina GORNA (Security Researcher, Ledger)", "guid": "be526c2c-38a3-5f51-af94-d0cdb20c22a4", "url": "https://cfp.pass-the-salt.org/pts2026/speaker/PZMZJU/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2026/talk/KM8MUR/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2026/talk/KM8MUR/", "attachments": []}, {"guid": "885ec5b2-29d9-519a-9cbe-9f2aab65915d", "code": "NRFUKL", "id": 273, "logo": null, "date": "2026-06-30T16:10:00+02:00", "start": "16:10", "duration": "00:35", "room": "Amphitheater 122", "slug": "pts2026-273-salty-firmware-adventures-in-firmware-encryption-reversing", "url": "https://cfp.pass-the-salt.org/pts2026/talk/NRFUKL/", "title": "__Salty Firmware - Adventures in Firmware Encryption Reversing", "subtitle": "", "track": "Hardware & IoT", "type": "Talk", "language": "en", "abstract": "With the increased scrutiny on embedded device security, firmware encryption is rapidly becoming a standard hurdle in the analysis pipeline. As vendors increasingly attempt to lock down their systems, we're encountering a growing variety of encryption schemes applied at different layers\u2014ranging from full firmware blobs to kernel images and root file systems.\r\n\r\nThis talk dives deep into the landscape of firmware encryption as seen in the wild, drawing from real-world targets such as telco routers, firewalls, IP cameras, printers, and IP phones. 
We'll explore encryption schemes implemented across Linux and BSD derivatives, with decryption logic buried in bootloaders, kernel code, or even opaque self-update binaries.\r\n\r\nRather than just showcasing results, this session is built as a reversing adventure: starting with an opaque encrypted blob, we\u2019ll trace a path through static and dynamic reverse engineering to uncover the decryption primitive and ultimately access the firmware's inner workings. We'll analyze the recurring patterns, common developer pitfalls, and the surprising creativity some vendors bring to the table.\r\n\r\nWhether you're building firmware extraction pipelines or you're just in it for the puzzles, this talk will arm you with practical techniques and insights for taking back control of encrypted firmware.", "description": "We will demonstrate firmware decryption using [unblob](https://unblob.org), a firmware extraction tool we've open sourced and have been maintaining since 2022.", "recording_license": "", "do_not_record": false, "persons": [{"code": "TLLPZL", "name": "Quentin Kaiser", "avatar": "https://cfp.pass-the-salt.org/media/avatars/TLLPZL_3eRoXrE.webp", "biography": "Quentin Kaiser is a former penetration tester turned binary analysis nerd. He is currently the Lead Security Researcher at ONEKEY, where he focuses on binary exploitation of embedded devices and large-scale bug-finding automation across firmware corpora.\r\n\r\nAs part of his work, he maintains the firmware extraction tool [unblob](https://github.com/onekey-sec/unblob) among other open-source tools such as jefferson, ubi-reader, or sasquatch.\r\n\r\nHe has published extensive research on offensive security for eCOS and maintains https://ecos.wtf\r\n, a resource hub dedicated to eCOS exploitation. 
He also (infrequently) updates his blog at https://quentinkaiser.be.", "public_name": "Quentin Kaiser", "guid": "0e20d729-4bef-5de3-980c-f2313ee3d89d", "url": "https://cfp.pass-the-salt.org/pts2026/speaker/TLLPZL/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2026/talk/NRFUKL/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2026/talk/NRFUKL/", "attachments": []}, {"guid": "52489f9c-5d62-5224-b533-e25832238c9b", "code": "KVCNWM", "id": 334, "logo": null, "date": "2026-06-30T16:45:00+02:00", "start": "16:45", "duration": "00:20", "room": "Amphitheater 122", "slug": "pts2026-334-introducing-sighthouse-for-seamless-function-detection", "url": "https://cfp.pass-the-salt.org/pts2026/talk/KVCNWM/", "title": "Introducing Sighthouse for Seamless Function Detection", "subtitle": "", "track": "Hardware & IoT", "type": "Short Talk", "language": "en", "abstract": "The aim of this talk is to address a common challenge faced by reverse engineers: distinguishing relevant software from third-party libraries within firmware or programs. This task often wastes time as unnecessary code is reversed.\r\nOur goal is to provide an automatic function detection mechanism that enables researchers to efficiently identify third-party code, allowing them to focus on analyzing the proprietary components.\r\n\r\nTo tackle this issue, we introduce SightHouse, a new open-source project designed to assist reverse engineers. SightHouse is built on top of existing effective software, such as Ghidra's BSIM Similarity engine. Unlike previous tools like FLIRT, which rely on the raw bytes of the function; BSIM leverages Ghidra's P-Code (IIR), enabling cross-architecture similarity detection.\r\n\r\nThe challenges in function detection primarily revolve around the creation and maintenance of signature databases, and BSIM is no exception. 
Researchers face the task of finding, compiling, and extracting signatures from programs with symbols to populate these databases, which can be a time-consuming process.\r\n\r\nTo address these challenges, we proposed an automated pipeline designed to maximize data collection for function extraction. This system works by automatically scraping open-source projects, compiling and analyzing them, thereby streamlining the process and reducing the manual effort required.\r\n\r\nWe will present our contributions, including the benchmarks and experiments conducted to evaluate and select between different similarity engines. Additionally, we will release SightHouse to share with the community and encourage further development and improvement.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "SMLKRC", "name": "Sami Babigeon (Quarkslab)", "avatar": "https://cfp.pass-the-salt.org/media/avatars/SMLKRC_obDvwS9.webp", "biography": "Security researcher at Quarkslab, focus on embedded targets and reverse engineering.", "public_name": "Sami Babigeon (Quarkslab)", "guid": "b5ef9089-be23-547d-922e-f8cd3cb075d7", "url": "https://cfp.pass-the-salt.org/pts2026/speaker/SMLKRC/"}, {"code": "9UMAT8", "name": "Benoit Forgette", "avatar": "https://cfp.pass-the-salt.org/media/avatars/benoit_40sZvJM.png", "biography": "Passionate about how systems work since my childhood and with an initial education in computer science, I gradually moved to the security of these systems and the electronic part of these equipments. Today, I work as a Cybersecurity Engineer in software and hardware reverse engineering at Quarkslab, where my daily work consists in disassembling equipments sent by our clients, then inspecting all their attack surfaces (hardware, radio, software, cloud). 
Then, we help our clients to find the best way to protect their systems and their equipments.\r\n\r\nIn this work, the part that seems to me the most interesting is the automation/instrumentation/hijacking part. It is fascinating to see how much it is possible to hijack a piece of equipment from its original purpose. This is even more impressive when we talk about physical equipment which has an impact on its environment.", "public_name": "Benoit Forgette", "guid": "9a9d5d64-f0df-5f46-935b-a52fef0babfb", "url": "https://cfp.pass-the-salt.org/pts2026/speaker/9UMAT8/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2026/talk/KVCNWM/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2026/talk/KVCNWM/", "attachments": []}], "Room LW109": [{"guid": "cd4f7b74-9959-5624-aff8-4845a022fd84", "code": "AACNG9", "id": 332, "logo": null, "date": "2026-06-30T14:10:00+02:00", "start": "14:10", "duration": "03:00", "room": "Room LW109", "slug": "pts2026-332-design-your-first-pcb-from-concept-to-board", "url": "https://cfp.pass-the-salt.org/pts2026/talk/AACNG9/", "title": "Design Your First PCB: From Concept to Board", "subtitle": "", "track": "Hardware & IoT", "type": "Workshop", "language": "en", "abstract": "This workshop introduces you to the entire printed circuit board (PCB) design process, from the initial idea to the creation of your own board. You'll discover why creating a custom PCB can be a high-performance alternative to using standard modules and review the essential electronic concepts for designing reliable circuits. Through hands-on exercises, you'll learn to read and interpret component datasheets, understand the practical differences between analog and digital electronics, and use open-source PCB design software to transform a schematic into a complete PCB. We'll cover the process of sending a PCB to manufacturing, component selection and purchasing, and explore open-source options. 
Whether you're a maker, a student, or a future engineer, whether you're a complete beginner or not, this workshop will give you the tools to design your own PCB.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "899QAP", "name": "tcccorp", "avatar": "https://cfp.pass-the-salt.org/media/avatars/899QAP_wDNeyhR.webp", "biography": "I fell into computers when I was a kid and never really climbed back out. I\u2019ve always loved taking things apart \u2014 though putting them back together wasn\u2019t always guaranteed. That curiosity naturally pulled me toward hardware, first through basic electronics, then computer\u2011controlled circuits, and eventually the world of microcontrollers. Today, I\u2019m still fully immersed in it, juggling more projects than I probably should, but enjoying every minute of it. In open hardware I trust.", "public_name": "tcccorp", "guid": "0cf4427d-ec08-5555-9eeb-37eab090e852", "url": "https://cfp.pass-the-salt.org/pts2026/speaker/899QAP/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2026/talk/AACNG9/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2026/talk/AACNG9/", "attachments": []}], "Room LW112": [{"guid": "795ae6c4-8595-5f24-8acb-6077656f5ac2", "code": "J7EGL7", "id": 328, "logo": null, "date": "2026-06-30T14:10:00+02:00", "start": "14:10", "duration": "03:00", "room": "Room LW112", "slug": "pts2026-328-in-bed-with-qubes-os-hands-on-workshop", "url": "https://cfp.pass-the-salt.org/pts2026/talk/J7EGL7/", "title": "In bed with Qubes OS, hands-on workshop", "subtitle": "", "track": "System & Hardening", "type": "Workshop", "language": "en", "abstract": "This workshop begins by introducing the fundamental principles behind Qubes OS. 
We\u2019ll cover the entire process, from installation and configuration to common challenges and practical solutions.\r\n\r\nWe'll then explore various aspects of Qubes OS through demonstrations, hands-on labs, and exercises using pre-installed virtualized instances available to attendees.\r\n\r\nParticipants will leave with practical and operational knowledge that will enable them, maybe, to switch to Qubes OS as their main operating system.\r\n\r\nExperienced users are also welcome to join and share their perspectives, along with tips and tricks of their own.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "3ANECE", "name": "William Robinet (Conostix S.A.)", "avatar": "https://cfp.pass-the-salt.org/media/avatars/pic_ZjA8KLe.jpg", "biography": "William manages the technical team behind AS197692 at Conostix S.A. in Luxembourg. He\u2019s been working in cybersecurity using free and opensource software on a daily basis for more than 25 years.\r\nHe particularly enjoys tinkering with open (and not so open) hardware. Currently he likes playing around with new tools in the current ML scene, building, hopefully, useful systems for fun and, maybe, profit. 
When not behind an intelligent wannabe machine, he's doing analog music with his band of humans.", "public_name": "William Robinet (Conostix S.A.)", "guid": "3b84b965-4ff5-5894-a6a3-2d779304a6d1", "url": "https://cfp.pass-the-salt.org/pts2026/speaker/3ANECE/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2026/talk/J7EGL7/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2026/talk/J7EGL7/", "attachments": []}]}}, {"index": 2, "date": "2026-07-01", "day_start": "2026-07-01T04:00:00+02:00", "day_end": "2026-07-02T03:59:00+02:00", "rooms": {"Amphitheater 122": [{"guid": "38d1877e-1936-58a6-8e92-9c68b618416a", "code": "BLUZVX", "id": 288, "logo": null, "date": "2026-07-01T09:30:00+02:00", "start": "09:30", "duration": "00:35", "room": "Amphitheater 122", "slug": "pts2026-288-quantum-apocalypse-update-ical", "url": "https://cfp.pass-the-salt.org/pts2026/talk/BLUZVX/", "title": "Quantum Apocalypse Update.ical", "subtitle": "", "track": "Lost in PQC Translation (or not)", "type": "Talk", "language": "en", "abstract": "In the future, Quantum computers will be able to break today's asymmetric cryptography, especially RSA,  CC and DH variants. This would lead to a catastrophic situation sometimes called \"Quantum Apocalypse\". 
To avoid such a situation, the cryptographic community started, quite a long time ago, work on new replacement algorithms, based on other mathematical properties, and which are called \"post-quantum algorithms\" (or quantum-safe algorithms).\r\n\r\nThose new algorithms, while providing a solution for the Quantum threat, also come with various new challenges to address: different usage constraints, size of keys/data, how to implement them in a secure way, ...\r\n\r\nIn this session, we'll have a quick reminder of the Quantum threat, the post-quantum algorithms, the challenges to address, then we'll see the updated state of the post-quantum transition, from strategy guidelines to latest algorithm and protocols updates and implementations.\r\n\r\nThen, we'll see some examples of what steps of this post-quantum transition can already be done in 2026, especially with Open Source tools, and what are the potential caveats and risks.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "HATQUS", "name": "Yvan Vanhullebus", "avatar": null, "biography": "", "public_name": "Yvan Vanhullebus", "guid": "022a288a-14ef-533b-a828-5cb4ae942df8", "url": "https://cfp.pass-the-salt.org/pts2026/speaker/HATQUS/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2026/talk/BLUZVX/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2026/talk/BLUZVX/", "attachments": []}, {"guid": "a1efbcbc-1cd7-55b2-9fee-9ee90cc2b87c", "code": "MV83GM", "id": 310, "logo": null, "date": "2026-07-01T10:05:00+02:00", "start": "10:05", "duration": "00:35", "room": "Amphitheater 122", "slug": "pts2026-310-cryptpad-experimented-on-post-quantum-cryptography", "url": "https://cfp.pass-the-salt.org/pts2026/talk/MV83GM/", "title": "CryptPad experimented on Post-Quantum Cryptography", "subtitle": "", "track": "Lost in PQC Translation (or not)", "type": "Talk", "language": "en", "abstract": "CryptPad is an open-source end-to-end encrypted 
collaborative office suite focusing on being easy to use and protecting the privacy of its users, including from the service provider itself.\r\n\r\nWhile security against a quantum adversary becomes more and more relevant, we experimented on the realisability of Post-Quantum CryptPad. This talk will expose how cryptography is used inside CryptPad, our methodology and the results of these experiments.", "description": "CryptPad is an open-source end-to-end encrypted (E2EE) collaborative office suite. It enables secure collaboration between users without the service owner being knowledgeable about the content of their documents. It has been designed to be secure from login to document sharing\u2026 with even the internal support system being E2EE.\r\n\r\nThis architecture is by design interlaced with cryptographic constructions. Meanwhile, the deployment of quantum resilient solutions is becoming more and more urgent, especially in the context of encryption (as they can be targeted by \u201charvest-now-decrypt-later\u201d attacks, while authentication cannot be forged _a posteriori_). In this context, we explored the different implementations of post-quantum standards selected by the NIST post-quantum cryptography standardisation process.\r\n\r\nAfter careful consideration of the different candidates for both encryption and signature, we integrated crypto-agility solutions in CryptPad. 
This was done both for the advantages from a security and software engineering standpoint, and to be able to easily switch between traditional and post-quantum solutions for testing.\r\n\r\nIn this talk, we will first present how CryptPad works, then expose the different challenges we faced during the experiments, and finally show the results of these aforementioned post-quantum experiments from a performance and usability point of view.", "recording_license": "", "do_not_record": false, "persons": [{"code": "YCK3VP", "name": "Fabrice Mouhartem (Senior R&D Engineer, XWiki SAS/CryptPad)", "avatar": "https://cfp.pass-the-salt.org/media/avatars/YCK3VP_lGXlHkJ.webp", "biography": "Fabrice started as a cryptography researcher working on post-quantum and classical construction for privacy-preserving constructions. He joined the CryptPad team in 2023 to work on a cryptography-first open-source product and make cryptography accessible to most people.", "public_name": "Fabrice Mouhartem (Senior R&D Engineer, XWiki SAS/CryptPad)", "guid": "470bb69c-30be-5b29-a457-a203cf266d51", "url": "https://cfp.pass-the-salt.org/pts2026/speaker/YCK3VP/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2026/talk/MV83GM/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2026/talk/MV83GM/", "attachments": []}, {"guid": "09785f2b-1e00-5721-b3b2-a52804660252", "code": "DVVX3Z", "id": 329, "logo": null, "date": "2026-07-01T11:10:00+02:00", "start": "11:10", "duration": "00:35", "room": "Amphitheater 122", "slug": "pts2026-329-let-s-stay-encrypted-rethinking-webpki-for-post-quantum-age-with-merkle-tree-certificates", "url": "https://cfp.pass-the-salt.org/pts2026/talk/DVVX3Z/", "title": "Let's stay encrypted\u2014rethinking WebPKI for post-quantum age with Merkle Tree Certificates", "subtitle": "", "track": "Lost in PQC Translation (or not)", "type": "Talk", "language": "en", "abstract": "The Web PKI is the foundation on which many security systems depend, and for many 
the gold standard of how to do PKI. On closer inspection, the Web PKI is an old system evolved with patches added from one crisis to the next. In this talk, we discuss recent efforts to modernize the Web PKI to maintain reliability and security in the face of the imminent threat from quantum computers.\r\n\r\nThe transition to post-quantum cryptographic algorithms is hampered by the massive increase in size of PQC signatures relative to traditional cryptographic signatures. A straightforward \u201ccopy/paste\u201d approach in which PQC algorithms were naively added into the existing WebPKI would add massive increases in the size of the TLS handshake, leading to a significant (around 50% P50) handshake latency to every HTTPS connection made.\r\n\r\nThe impact of PQC on the web PKI wouldn\u2019t stop at handshake sizes. The public web PKI also relies on transparency into certificate issuance (\u201cCertificate Transparency\u201d, CT) to help detect and mitigate unauthorized certificate issuance.  For the past decade, CT has served its purpose of holding Certification Authorities (CAs) accountable, recently notably detecting Fina CA\u2019s mis-issuance of certificates for 1.1.1.1, Cloudflare\u2019s Encrypted DNS service late last year. Unfortunately, a naive adoption of the most mature PQC algorithms into the current public CT ecosystem would likely result in the ecosystem\u2019s collapse due to the increased operational costs for logs, burdening an already-fragile group of volunteer log operators.\r\n\r\nCloudflare and Google Chrome have spearheaded an effort, Merkle Tree Certificates (MTCs), that offer a new approach to HTTPS certificates that combine issuance and transparency into a single cryptographic object. Under active development in the Internet Engineering Task Force (IETF)\u2019s PKI, Logs, and Tree Signatures (PLANTS) working group, MTCs reduce the overhead of post-quantum TLS certificates by 4-22Kb, eliminating the impact on client latency. 
Simultaneously, the design mitigates the impact on the Certificate Transparency ecosystem, likely resulting in reduced costs compared to today\u2019s status quo.\r\n\r\nIn this talk, we\u2019ll walk through the MTC proposal, interesting open discussions happening in the working group and discuss the results of early experimentation between Chrome and Cloudflare.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "MELKGU", "name": "Bas Westerbaan", "avatar": "https://cfp.pass-the-salt.org/media/avatars/MELKGU_K02ZVqX.webp", "biography": "Bas is the technical lead for post-quantum at Cloudflare. He works to drive the adoption of post-quantum cryptography at Cloudflare and the Internet at large. His works range from cryptography engineering, standardisation, to large-scale experimentation, and subsequent deployment. In a previous life, Bas studied the mathematical foundations of quantum theory.", "public_name": "Bas Westerbaan", "guid": "66ef14c8-2575-5448-9749-3d7ee1767872", "url": "https://cfp.pass-the-salt.org/pts2026/speaker/MELKGU/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2026/talk/DVVX3Z/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2026/talk/DVVX3Z/", "attachments": []}, {"guid": "960cdbad-8653-56b5-a6a3-62800f0db5f0", "code": "8JJSMR", "id": 324, "logo": null, "date": "2026-07-01T11:45:00+02:00", "start": "11:45", "duration": "00:35", "room": "Amphitheater 122", "slug": "pts2026-324-suricata-and-iocs-latest-news-on-a-love-story", "url": "https://cfp.pass-the-salt.org/pts2026/talk/8JJSMR/", "title": "Suricata and IOCs, latest news on a love story", "subtitle": "", "track": "ThreatIntel", "type": "Talk", "language": "en", "abstract": "Suricata\u2019s approach to handling Indicators of Compromise (IoCs) has fundamentally evolved from basic IP-only rules to the highly performant Dataset concept. 
The talk will outline the key advancements, particularly the evolution in Suricata 8.0 to support JSON-based context within Datasets. This upgrade is crucial as an IOC is nothing without context. With JSON datasets, alerts embed comprehensive threat context opening the way to performance improvement and integration ease.", "description": "The presentation will detail several capabilities for dynamic threat intelligence operations, including the use of a Unix socket to dynamically add and remove elements from the live dataset list, and ongoing integration efforts with platforms like OpenCTI and MISP for seamless threat intelligence exchange. Additionally, a new feature allowing the output of PCRE captured groups directly into the alert context will be examined. This talk will demonstrate how these features enhance Suricata's ability to process, manage, and contextualize threat data in real-time.", "recording_license": "", "do_not_record": false, "persons": [{"code": "BGFYUD", "name": "Eric Leblond", "avatar": "https://cfp.pass-the-salt.org/media/avatars/StamusNetworks-Eric-5x7-Gray_6xx4JQJ.jpg", "biography": "Eric Leblond is a cybersecurity professional and open-source developer focused on network threat detection. He is the co-founder and Chief Technology Officer (CTO) of Stamus Networks, a company that provides Network Detection and Response (NDR) solutions.\r\n\r\nIn the open-source security space, Leblond is a core developer of Suricata, an intrusion detection and prevention system (IDS/IPS). His work on the project centers around network visibility and alert context. 
He also serves on the board of directors for the Open Information Security Foundation (OISF), the non-profit organization behind Suricata.\r\n\r\nAdditionally, Eric Leblond is an emeritus member of the Netfilter Core Team, where his work involves kernel and user-space interactions.", "public_name": "Eric Leblond", "guid": "b6d86565-a490-50b1-9a64-cf00a7a9849b", "url": "https://cfp.pass-the-salt.org/pts2026/speaker/BGFYUD/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2026/talk/8JJSMR/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2026/talk/8JJSMR/", "attachments": []}, {"guid": "a30ac0d2-beb7-56cb-bea7-dd62e019721e", "code": "XKQRMJ", "id": 312, "logo": null, "date": "2026-07-01T14:15:00+02:00", "start": "14:15", "duration": "00:35", "room": "Amphitheater 122", "slug": "pts2026-312-cve-2025-54068-deep-dive-into-livewire-from-weak-typing-to-pre-authenticated-remote-command-execution", "url": "https://cfp.pass-the-salt.org/pts2026/talk/XKQRMJ/", "title": "CVE-2025-54068 : Deep dive into Livewire, from weak typing to pre-authenticated remote command execution", "subtitle": "", "track": "Exploitation", "type": "Talk", "language": "en", "abstract": "CVE-2025-54068 exposed a critical vulnerability in Livewire, a popular full-stack framework for Laravel, enabling pre-authenticated remote command execution (RCE) by exploiting PHP\u2019s weak typing and Livewire\u2019s hydration mechanism. According to GitHub, Livewire was downloaded more than 74 million times, making it one of the most used Laravel dependencies ever.\r\n\r\nTraditionally, Livewire protects its state with a checksum signed by the application\u2019s APP_KEY. 
However, this vulnerability allowed attackers to bypass the APP_KEY requirement entirely by smuggling synthesizers through the updates mechanism, effectively breaking the state synchronization between server and browser.\r\n\r\nThe root cause lies in Livewire\u2019s component property update hydration process, where recursive calls and improper context preservation enabled malicious payload injection. Exploitation required only the target application\u2019s URL, making it accessible to unauthenticated attackers. The vulnerability affected Livewire versions from 3.0.0-beta.1 up to 3.6.3, and was patched in version 3.6.4.\r\n\r\nThis talk will detail the technical chain from weak typing to RCE, demonstrate the exploit process, discuss the hardening measures implemented by Livewire to prevent similar issues in the future and more especially, show the consequences being the publication of the associated proof of concept during the end of last year.", "description": "Livewire traditionally secures its state using a checksum signed by the application\u2019s APP_KEY. However, CVE-2025-54068 allowed attackers to bypass this protection entirely by smuggling synthesizers through the updates mechanism, disrupting the synchronization between server and browser. The root cause has been found in Livewire\u2019s component property update hydration process, where recursive calls and improper context preservation created an opening for malicious payload injection. Exploitation required only the target application\u2019s URL, making it accessible to unauthenticated attackers and significantly lowering the barrier to attack.\r\n\r\nTo automate the exploitation of CVE-2025-54068, we released Livepyre last December, an open-source tool on our GitHub page. The tool simplifies the process by identifying vulnerable Livewire installations and attempting to achieve RCE either by leveraging object types in the application\u2019s snapshot or through a targeted brute-force approach. 
Livepyre\u2019s release not only demonstrated the practical risk of the vulnerability but also served as a proof-of-concept to raise awareness and encourage rapid patching within the Laravel and Livewire communities.\r\n\r\nEven though the vulnerability was patched during July 2025, many servers were not protected against it on the internet. The vulnerability affected Livewire versions from 3.0.0-beta.1 up to 3.6.3, and was patched in version 3.6.4. Its severity was underscored by its inclusion in advisories from CISA (Cybersecurity and Infrastructure Security Agency) after a worldwide spread by threat actors during the start of 2026, highlighting the risk to a vast number of applications and the urgency for immediate patching.", "recording_license": "", "do_not_record": false, "persons": [{"code": "NCLGMX", "name": "R\u00e9mi Matasse (Security research, Synacktiv)", "avatar": "https://cfp.pass-the-salt.org/media/avatars/NCLGMX_TlaioZo.webp", "biography": "I am R\u00e9mi Matasse (pseudo Remsio), a pentester who has worked at Synacktiv for the past four years, passionate about offensive web security, especially anything related to PHP.\r\n\r\nI spent some years working on concrete PHP filters chain exploitation, documenting it in blog posts and presenting it at several conferences such as Nullcon or hack.lu.\r\n\r\nI then decided to focus on Laravel, since we often come across this framework during audits, before jumping in with both feet on exploitation based on APP_KEY leaks.", "public_name": "R\u00e9mi Matasse (Security research, Synacktiv)", "guid": "1a75cd13-7e9c-5cb8-aa7e-cec6a7ef6e80", "url": "https://cfp.pass-the-salt.org/pts2026/speaker/NCLGMX/"}, {"code": "GQXKTN", "name": "Pierre Martin (Security Researcher, Depi)", "avatar": null, "biography": "Cybersecurity Researcher at Depi focused on software supply chain security.", "public_name": "Pierre Martin (Security Researcher, Depi)", "guid": "ca22980a-da37-598d-b8aa-45b3db94586e", "url": 
"https://cfp.pass-the-salt.org/pts2026/speaker/GQXKTN/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2026/talk/XKQRMJ/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2026/talk/XKQRMJ/", "attachments": []}, {"guid": "7611cf15-2934-5945-97fc-72e4b0b608c4", "code": "MPAYUX", "id": 327, "logo": null, "date": "2026-07-01T14:50:00+02:00", "start": "14:50", "duration": "00:35", "room": "Amphitheater 122", "slug": "pts2026-327-chainleak-from-ai-framework-to-cloud-secrets", "url": "https://cfp.pass-the-salt.org/pts2026/talk/MPAYUX/", "title": "ChainLeak: From AI Framework to Cloud Secrets", "subtitle": "", "track": "Exploitation", "type": "Talk", "language": "en", "abstract": "As organizations rapidly adopt AI frameworks and third-party components, traditional software\r\nvulnerabilities are increasingly being introduced into AI infrastructure. While AI security discussions often\r\nfocus on model level issues such as prompt injections, the most dangerous risks frequently arise from\r\ntraditional software vulnerabilities within the frameworks that power AI systems.\r\n\r\nIn this talk, we will present two vulnerabilities we discovered in Chainlit, a widely used open-source\r\nframework that helps building conversational AI apps (CVE-2026-22218 and CVE-2026-22219). The issues\r\naffect internet-facing AI systems and can be triggered remotely, enabling attackers to steal sensitive files,\r\nleak cloud API keys and secrets, and perform server-side request forgery (SSRF) on the AI framework\r\nserver. We confirmed the vulnerabilities in real world, internet facing applications used by major\r\nenterprises, demonstrating how a framework layer vulnerabilities can escalate to cloud level impact.\r\n\r\nWe will walk through the technical details of the vulnerabilities and the exploitation chain that leads to\r\nserver compromise and credential exposure. 
We\u2019ll also show how leaking artifacts such as cached\r\nconversation history, configuration files, or environment variables can reveal highly sensitive enterprise\r\ndata.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "QKCQH3", "name": "Gal Zaban", "avatar": "https://cfp.pass-the-salt.org/media/avatars/QKCQH3_2RpgptE.webp", "biography": "Gal Zaban is a Research Team Lead at Zafran. Gal has over 10 years of experience as a Security Researcher, with vast experience in reverse engineering. She has a particular interest in low-level research and vulnerability research. Gal also contributed a C++ reverse engineering class to Open Security Training2 and presented in various security and development conferences.", "public_name": "Gal Zaban", "guid": "cc650c14-59c3-524a-8523-5702ad1a0680", "url": "https://cfp.pass-the-salt.org/pts2026/speaker/QKCQH3/"}, {"code": "XFZRXR", "name": "Ido Shani", "avatar": "https://cfp.pass-the-salt.org/media/avatars/XFZRXR_kcFT5Jd.webp", "biography": "Ido is a Security Researcher at Zafran, specializing in vulnerability research of open-source Python packages. 
With a background in security product research, he is currently focused on detecting logical vulnerabilities within AI infrastructure projects.", "public_name": "Ido Shani", "guid": "b0df0d77-1371-5566-9640-e09744f0bc69", "url": "https://cfp.pass-the-salt.org/pts2026/speaker/XFZRXR/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2026/talk/MPAYUX/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2026/talk/MPAYUX/", "attachments": []}, {"guid": "24d61e98-0acc-578a-ad46-82b5c593c02b", "code": "RVFD8B", "id": 292, "logo": null, "date": "2026-07-01T15:55:00+02:00", "start": "15:55", "duration": "00:35", "room": "Amphitheater 122", "slug": "pts2026-292-bypassing-bitlocker-in-under-5-min-using-boot-manager-downgrade-attacks", "url": "https://cfp.pass-the-salt.org/pts2026/talk/RVFD8B/", "title": "Bypassing BitLocker in under 5 min using boot manager downgrade attacks", "subtitle": "", "track": "Exploitation", "type": "Short Talk", "language": "en", "abstract": "BitLocker without a pre-boot PIN is widely deployed across enterprise environments and often considered a sufficient protection against physical access attacks. In practice, several techniques can defeat it, including long known hardware attacks; the bitpixie PXE-based software attack published in early 2025; and a boot manager downgrade attack we developed that exploits the slow rollout of Microsoft's UEFI CA 2023 certificate transition to revive a patched vulnerability (CVE-2025-48804) on fully updated machines.\r\n\r\nThis talk is a practitioner's field report. Drawing from real penetration testing engagements, we compare hardware and software attacks across the dimensions that matter in the field \u2014 setup time, required hardware, risk to the target device, success rate, and post-exploitation impact. 
We walk through the open-source PoCs we developed to operationalize bitpixie and the BitUnlocker downgrade attack, and share honest observations on the effectiveness of recommended mitigations in real-world enterprise configurations.\r\n\r\nSee https://github.com/garatc/BitUnlocker", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "KN7ASU", "name": "Cassius Garat (Intrinsec)", "avatar": "https://cfp.pass-the-salt.org/media/avatars/KN7ASU_bd10aNn.webp", "biography": "Information security auditor with a passion for building security tools", "public_name": "Cassius Garat (Intrinsec)", "guid": "c8abffd1-7e66-5dcf-bb56-4a72322962d9", "url": "https://cfp.pass-the-salt.org/pts2026/speaker/KN7ASU/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2026/talk/RVFD8B/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2026/talk/RVFD8B/", "attachments": []}, {"guid": "04e9e2f0-f710-5e4b-9ab4-81b437a485ed", "code": "J9JGWE", "id": 313, "logo": null, "date": "2026-07-01T16:30:00+02:00", "start": "16:30", "duration": "00:20", "room": "Amphitheater 122", "slug": "pts2026-313-zero-dependencies-sounds-great-until-you-try-to-share-your-code-for-the-security-good", "url": "https://cfp.pass-the-salt.org/pts2026/talk/J9JGWE/", "title": "Zero Dependencies sounds great... until you try to share your code for the security good.", "subtitle": "", "track": "Security by Design", "type": "Short Talk", "language": "en", "abstract": "The Rust ecosystem is often praised for its \"harmonized chaos\" of crates, but a new trend is emerging in security-critical tools: the total avoidance of dependencies. While projects like sudo-rs aim to reduce the supply chain attack surface, this architectural choice comes with a cost. 
During my PhD work on RootAsRole, I discovered that dependencies minimisation leads to monolithic designs where security logic is tightly coupled to use-cases.\r\n\r\nThis talk explores the friction between security-hardened isolation and the community\u2019s need for reusable, battle-tested components. When we refuse to depend on others, we stop contributing to shared building blocks. We end up reinventing the wheel, forking unmaintained libraries, and scattering security expertise across dozens of \"independent\" forks. I will share many insights about what is the Good, the Bad and the Ugly.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "G739SC", "name": "Eddie Billoir (Airbus Protect)", "avatar": "https://cfp.pass-the-salt.org/media/avatars/12381165_nAp2pxu.jpeg", "biography": "PhD in Cybersecurity. Open-source enjoyer.", "public_name": "Eddie Billoir (Airbus Protect)", "guid": "bb8947cc-6977-5141-b75a-cea08f43a029", "url": "https://cfp.pass-the-salt.org/pts2026/speaker/G739SC/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2026/talk/J9JGWE/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2026/talk/J9JGWE/", "attachments": []}], "Room LW109": [{"guid": "b4337c06-1e63-58cc-8d1a-529d54cb449b", "code": "3EQEU7", "id": 314, "logo": null, "date": "2026-07-01T09:30:00+02:00", "start": "09:30", "duration": "03:00", "room": "Room LW109", "slug": "pts2026-314-web-forensics-with-lookyloo-and-lacus", "url": "https://cfp.pass-the-salt.org/pts2026/talk/3EQEU7/", "title": "Web forensics with Lookyloo and Lacus", "subtitle": "", "track": "ThreatIntel", "type": "Workshop", "language": "en", "abstract": "Websites are complex, they change all the time, it is extremely tedious to reproduce the load of one URL, especially when the malicious actors don't want you to probe their infrastructure.\r\n\r\nDuring this workshop, we will look at techniques used by malicious actors to trick unsuspecting users, find 
phishing campaigns, and see **a lot** of slop.", "description": "This workshop will cover the basics of Lookyloo, and Lacus, the infrastructure and use-cases:\r\n\r\n* Capturing a website or rendering an HTML document\r\n* Detailing the capture settings, different browsers\r\n* Browser instrumentation and / or headfull capture\r\n* Socks5 Proxies\r\n* Init scripts post rendering\r\n* Monitoring\r\n* Automatic reporting\r\n* Why using Lacus\r\n* Onion / I2P support\r\n\r\nYou may have attended talks or workshops about Lookyloo in the last few years, but we implemented many new features in the last year.\r\n\r\n* Indexing, pivot and search across the dataset\r\n* Forensic acquisition with Trusted Timestamps (RFC3161) \r\n* Use of Iframes in the tree, export rendered iFrames contents\r\n* Proton VPN support for proxies\r\n* Automatic and manual categorization on submission", "recording_license": "", "do_not_record": false, "persons": [{"code": "YPKMAQ", "name": "Rapha\u00ebl Vinot (Developer, Lookyloo)", "avatar": "https://cfp.pass-the-salt.org/media/avatars/0aed579ff806e3c3_wFum0Vj.jpg", "biography": "Formerly member of CIRCL, I moved to France but didn't go that far in spirit as I'm still part of the developers and maintainers for a whole bunch of tools there. 
Some say it is too many, we disagree.", "public_name": "Rapha\u00ebl Vinot (Developer, Lookyloo)", "guid": "8d08aadb-a86c-5a2c-89d1-3e8c2c813b98", "url": "https://cfp.pass-the-salt.org/pts2026/speaker/YPKMAQ/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2026/talk/3EQEU7/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2026/talk/3EQEU7/", "attachments": []}, {"guid": "ad3831ec-711b-5b01-883f-053cefba8068", "code": "THXBWZ", "id": 323, "logo": null, "date": "2026-07-01T14:15:00+02:00", "start": "14:15", "duration": "02:45", "room": "Room LW109", "slug": "pts2026-323-threat-detection-engineering-with-suricata", "url": "https://cfp.pass-the-salt.org/pts2026/talk/THXBWZ/", "title": "Threat Detection Engineering with Suricata", "subtitle": "", "track": "ThreatIntel", "type": "Workshop", "language": "en", "abstract": "This hands-on workshop provides an in-depth exploration of advanced techniques for maximizing network threat detection using Suricata. Building upon core Suricata capabilities, this session delves into critical areas such as effective utilization of metadata keywords, including MITRE and regular metadata, to enrich detection context. Participants will learn practical methods for achieving fast Indicator of Compromise (IOC) matching and strategies for managing multiple Suricata versions within diverse environments. The workshop will also cover leveraging the Suricata Language Server (SLS) for rule development and optimization, including interpreting performance hints and implementing Continuous Integration (CI) for rulesets using SLS in batch mode. This session is designed for cybersecurity professionals seeking to enhance their Suricata expertise and implement cutting-edge threat detection strategies. 
Attendees will leave equipped with actionable techniques and practical examples to improve their organization's security posture.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "BGFYUD", "name": "Eric Leblond", "avatar": "https://cfp.pass-the-salt.org/media/avatars/StamusNetworks-Eric-5x7-Gray_6xx4JQJ.jpg", "biography": "Eric Leblond is a cybersecurity professional and open-source developer focused on network threat detection. He is the co-founder and Chief Technology Officer (CTO) of Stamus Networks, a company that provides Network Detection and Response (NDR) solutions.\r\n\r\nIn the open-source security space, Leblond is a core developer of Suricata, an intrusion detection and prevention system (IDS/IPS). His work on the project centers around network visibility and alert context. He also serves on the board of directors for the Open Information Security Foundation (OISF), the non-profit organization behind Suricata.\r\n\r\nAdditionally, Eric Leblond is an emeritus member of the Netfilter Core Team, where his work involves kernel and user-space interactions.", "public_name": "Eric Leblond", "guid": "b6d86565-a490-50b1-9a64-cf00a7a9849b", "url": "https://cfp.pass-the-salt.org/pts2026/speaker/BGFYUD/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2026/talk/THXBWZ/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2026/talk/THXBWZ/", "attachments": []}], "Room LW112": [{"guid": "f8c30c29-8cfb-5eb5-84a9-ccbda7eb9fb6", "code": "UUCD9C", "id": 296, "logo": null, "date": "2026-07-01T09:30:00+02:00", "start": "09:30", "duration": "03:00", "room": "Room LW112", "slug": "pts2026-296-workshop-to-explore-sighthouse-learn-how-to-use-it-to-accelerate-your-reverse-engineering-process-using-its-function-identification-features", "url": "https://cfp.pass-the-salt.org/pts2026/talk/UUCD9C/", "title": "Workshop to explore SightHouse! 
Learn how to use it to accelerate your reverse engineering process using its function identification features.", "subtitle": "", "track": "Hardware & IoT", "type": "Workshop", "language": "en", "abstract": "Reverse engineers frequently encounter firmware or large binaries containing a mixture of proprietary code and numerous third-party libraries. Identifying which components belong to external libraries is a recurring and time-consuming challenge that can significantly slow down analysis.\r\n\r\nThis workshop introduces SightHouse, an open-source project designed to help reverse engineers automatically detect third-party functions within binaries. SightHouse leverages similarity detection techniques built on top of Ghidra\u2019s BSIM engine, which uses Ghidra\u2019s P-Code intermediate representation to enable cross-architecture function similarity analysis. By identifying reused code, researchers can quickly isolate proprietary logic and focus their efforts where it matters most.\r\n\r\nThe workshop will begin with a short introduction to the challenges of third-party code identification and the similarity detection techniques used in modern reverse engineering workflows. Participants will then be introduced to SightHouse, its architecture, and how it integrates with existing reverse engineering tools.\r\n\r\nFollowing this introduction, participants will apply SightHouse on a real-world reverse engineering target, learning how to detect and filter third-party libraries in practice.\r\n\r\nIn the final part of the workshop, participants will explore how SightHouse can be extended. 
They will learn how to create their own workers, enabling them to add new data sources, automate signature extraction, and contribute to expanding the system\u2019s capabilities.\r\n\r\nBy the end of the session, participants will understand how to integrate automated function identification into their reverse engineering workflows and how to customize SightHouse to fit their own research needs.", "description": "Material Prerequisites:\r\n- Participants should bring:\r\n- A Linux laptop\r\n- Docker installed and working\r\n- A supported Software Reverse Engineering (SRE) tool, such as:\r\n  - Ghidra\r\n  - Binary Ninja\r\n  - IDA\r\n- A functioning brain\r\n\r\nTechnical Prerequisites:\r\n- Participants are expected to have:\r\n- Basic reverse engineering knowledge\r\n- Basic Python development experience", "recording_license": "", "do_not_record": false, "persons": [{"code": "9UMAT8", "name": "Benoit Forgette", "avatar": "https://cfp.pass-the-salt.org/media/avatars/benoit_40sZvJM.png", "biography": "Passionate about how systems work since my childhood and with an initial education in computer science, I gradually moved to the security of these systems and the electronic part of this equipment. Today, I work as a Cybersecurity Engineer in software and hardware reverse engineering at Quarkslab, where my daily work consists in disassembling equipment sent by our clients, then inspecting all their attack surfaces (hardware, radio, software, cloud). Then, we help our clients to find the best way to protect their systems and their equipment.\r\n\r\nIn this work, the part that seems to me the most interesting is the automation/instrumentation/hijacking part. It is fascinating to see how much it is possible to hijack a piece of equipment from its original purpose. 
This is even more impressive when we talk about physical equipment which has an impact on its environment.", "public_name": "Benoit Forgette", "guid": "9a9d5d64-f0df-5f46-935b-a52fef0babfb", "url": "https://cfp.pass-the-salt.org/pts2026/speaker/9UMAT8/"}, {"code": "SMLKRC", "name": "Sami Babigeon (Quarkslab)", "avatar": "https://cfp.pass-the-salt.org/media/avatars/SMLKRC_obDvwS9.webp", "biography": "Security researcher at Quarkslab, focus on embedded targets and reverse engineering.", "public_name": "Sami Babigeon (Quarkslab)", "guid": "b5ef9089-be23-547d-922e-f8cd3cb075d7", "url": "https://cfp.pass-the-salt.org/pts2026/speaker/SMLKRC/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2026/talk/UUCD9C/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2026/talk/UUCD9C/", "attachments": []}, {"guid": "1ae9a8be-2ac1-5be9-a3f0-30227c03fa4a", "code": "TZJESW", "id": 272, "logo": null, "date": "2026-07-01T14:15:00+02:00", "start": "14:15", "duration": "02:45", "room": "Room LW112", "slug": "pts2026-272-hands-on-firmware-extraction-exploration-and-emulation", "url": "https://cfp.pass-the-salt.org/pts2026/talk/TZJESW/", "title": "Hands-on Firmware Extraction, Exploration, and Emulation", "subtitle": "", "track": "Hardware & IoT", "type": "Workshop", "language": "en", "abstract": "Join us for this hands-on demo of [Unblob](https://unblob.org/), the flexible firmware extractor. In this session, we will extract firmware from an EV charger, dig into the firmware, and eventually emulate it so we can interact with the services in real-time. 
Unblob works on both hardware and downloadable versions of firmware so we have a target rich environment.", "description": "Pre-requisites: \r\n- Familiarity with command-line tools.\r\n- Laptop\r\n\r\nNo prior experience needed, this session is appropriate for all skillsets.\r\n\r\nBy the end of the workshop, participants will have gained practical experience in extraction, reverse engineering, and emulation of embedded firmware. They will be equipped with the skills to understand and analyze firmware structure, write custom unblob handlers and extractors, and use full-system emulation for security research.\r\n\r\nWorkshop Duration: 2 hours", "recording_license": "", "do_not_record": false, "persons": [{"code": "TLLPZL", "name": "Quentin Kaiser", "avatar": "https://cfp.pass-the-salt.org/media/avatars/TLLPZL_3eRoXrE.webp", "biography": "Quentin Kaiser is a former penetration tester turned binary analysis nerd. He is currently the Lead Security Researcher at ONEKEY, where he focuses on binary exploitation of embedded devices and large-scale bug-finding automation across firmware corpora.\r\n\r\nAs part of his work, he maintains the firmware extraction tool [unblob](https://github.com/onekey-sec/unblob) among other open-source tools such as jefferson, ubi-reader, or sasquatch.\r\n\r\nHe has published extensive research on offensive security for eCOS and maintains https://ecos.wtf, a resource hub dedicated to eCOS exploitation. 
He also (infrequently) updates his blog at https://quentinkaiser.be.", "public_name": "Quentin Kaiser", "guid": "0e20d729-4bef-5de3-980c-f2313ee3d89d", "url": "https://cfp.pass-the-salt.org/pts2026/speaker/TLLPZL/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2026/talk/TZJESW/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2026/talk/TZJESW/", "attachments": []}]}}, {"index": 3, "date": "2026-07-02", "day_start": "2026-07-02T04:00:00+02:00", "day_end": "2026-07-03T03:59:00+02:00", "rooms": {"Amphitheater 122": [{"guid": "458ef4d6-f5d7-591c-be86-d85aa68930f7", "code": "PJHY3V", "id": 320, "logo": null, "date": "2026-07-02T09:30:00+02:00", "start": "09:30", "duration": "00:35", "room": "Amphitheater 122", "slug": "pts2026-320-simplifying-log-management-not-just-for-security-logs", "url": "https://cfp.pass-the-salt.org/pts2026/talk/PJHY3V/", "title": "Simplifying log management, not just for security logs", "subtitle": "", "track": "System & Hardening", "type": "Talk", "language": "en", "abstract": "We live in an age where all decisions are based on data, and in case of IT security, the most important data are log messages. Logs are collected centrally and analyzed by various applications, so there are several trends to simplify log message collection. In his talk, Peter introduces central log collection, how creating a dedicated log management layer can save you resources on all fronts, and new technologies to simplify your infrastructure. OpenTelemetry combines logs, traces and metrics into a single protocol, while Kafka can provide a single data pipeline for your organization. A simple and efficient central log management solution allows you not just to save resources, but also provides real-time insight into what is happening in your organization, improving security. 
While configuration examples come from syslog-ng, the concepts that Peter presents apply to most log management applications.", "description": "Even at IT security conferences, people often tell me that they \u201cdo not have central log collection\u201d or that they \u201conly do it due to compliance requirements\u201d. Central log collection, however, is a lot more than just mere compliance. Setting up such a framework is in your best interest, as it provides ease of use, availability and security for log messages. If your logs are collected centrally, you can correlate problems across your whole network.\r\nHowever, central log collection can easily get out of hand once your organization starts growing, especially if multiple analytics tools and collectors get involved. This is where a dedicated log management layer can help. Half a decade ago, Peter showed you how to implement such a layer purely based on the syslog protocol.\r\nNowadays, there are lots of possibilities for log management. OpenTelemetry combines logs, traces and metrics into a single protocol, simplifying data collection at the protocol level. All important data about your applications, including security logs, are forwarded using a single protocol and application.\r\nAnother possibility is using Kafka as a data pipeline in your organization. In this case, all data that are needed to run an organization are pushed to various Kafka topics, including security logs.\r\nWhile my configuration examples come from syslog-ng, the concepts I describe apply to most log management applications.", "recording_license": "", "do_not_record": false, "persons": [{"code": "RRBVLJ", "name": "Peter Czanik, syslog-ng PO at One Identity", "avatar": "https://cfp.pass-the-salt.org/media/avatars/czp_uj_balabit_crop_36wP6Rd.jpg", "biography": "I gained IT and infosec experience while running many of the university servers. 
I turned my teaching skills, gained as a PhD student, into writing technical blogs and talking at conferences.\r\n    \u2022 Engineer working now as an open source evangelist and technical product manager\r\n    \u2022 Lead the development of syslog-ng open source edition, and contribute to sudo development\r\n    \u2022 Experienced in open source community outreach, work with distributions to maintain the syslog-ng package, follow bug trackers, help users\r\n    \u2022 Accomplished blog writer and conference presenter with a proven track record of creating engaging content and delivering impactful presentations (All Things Open, FOSDEM, Pass the SALT, EuroBSDCon, and others).\r\nIn my free time I am interested in non-x86 architectures, and work on one of my PPC or ARM machines. I am an IBM Champion for POWER.", "public_name": "Peter Czanik, syslog-ng PO at One Identity", "guid": "4ebe43d9-92da-56e9-b538-7535b68c3101", "url": "https://cfp.pass-the-salt.org/pts2026/speaker/RRBVLJ/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2026/talk/PJHY3V/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2026/talk/PJHY3V/", "attachments": []}, {"guid": "756b87e0-607b-5b5d-b042-196140963636", "code": "MVPRCH", "id": 322, "logo": null, "date": "2026-07-02T10:05:00+02:00", "start": "10:05", "duration": "00:35", "room": "Amphitheater 122", "slug": "pts2026-322-private-key-leaks-in-the-wild-from-pts-to-rwc-and-back-to-pts", "url": "https://cfp.pass-the-salt.org/pts2026/talk/MVPRCH/", "title": "Private Key Leaks in the Wild: from PTS to RWC, and back to PTS", "subtitle": "", "track": "ThreatIntel", "type": "Talk", "language": "en", "abstract": "Private key leaks represent a critical security vulnerability, with over 400,000 leaked keys on GitHub in 2025, yet their real-world impact remains largely unknown due to the challenge of linking these mathematical objects to their operational usage.\r\n\r\nWe present the first systematic analysis mapping leaked 
private keys to active certificates, combining GitGuardian's dataset of 945,560 unique leaked private keys with Google's historical Certificate Transparency databases. In September 2025, our methodology successfully mapped 42,690 private keys to 139,767 certificates, revealing the impact of private keys leaked on GitHub and DockerHub. Using custom online and offline validation, we identified 2,622 valid certificates, enabling website impersonation and MITM attacks.\r\n\r\nOur analysis reveals systematic failures in certificate revocation practices, with only 80 certificates revoked via CRL/OCSP and just 3 properly marked as key-compromised. We attributed certificates to 600 organizations across critical industries, though many could not be mapped to identifiable owners. With 20% of valid certificates having been exposed for over two years, our large-scale responsible disclosure campaign sent thousands of emails and revealed significant challenges in reaching certificate owners. \r\n\r\nBut this research didn't happen in a vacuum. A discussion at Pass the Salt in 2025 sparked a research collaboration between GitGuardian and Google that made it possible. This talk tells that story. We'll walk through the methodology: from what seemed impossible in 2025, to leveraging Google's CT data, to today's Static CT logs.\r\n\r\nIn one year, the TLS ecosystem evolved to make duplicating this research possible. Classic CT logs are being replaced by static CT, which simplifies both log operations and certificate retrieval. Moreover, Certificate Transparency Log Archive is now available on archive.org. Together, these changes let any researcher replicate our results in 2026.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "LXUYHG", "name": "Guillaume Valadon", "avatar": "https://cfp.pass-the-salt.org/media/avatars/LXUYHG_qs0DIVy.webp", "biography": "Guillaume is a Cybersecurity Researcher at GitGuardian. He holds a PhD in networking. 
He likes looking at data and crafting packets. He co-maintains Scapy. And he still remembers what AT+MS=V34 means!", "public_name": "Guillaume Valadon", "guid": "0b6493ee-a102-5d0a-894f-226a8f0b10c0", "url": "https://cfp.pass-the-salt.org/pts2026/speaker/LXUYHG/"}, {"code": "7G3XZA", "name": "Gaetan Ferry (Security research, GitGuardian)", "avatar": "https://cfp.pass-the-salt.org/media/avatars/profile_voj03zt.jpeg", "biography": "Gaetan is a security researcher with a decade of experience uncovering software vulnerabilities. After establishing himself in offensive security in 2015, he transitioned to security research in 2022, bringing his hands-on expertise in application security. His track record includes uncovering significant vulnerabilities in enterprise-grade systems like Cisco Nexus and Apache HTTPD. Gaetan loves sharing his knowledge through blog posts, speaking at conferences, or hands-on security training sessions at universities and private organizations.", "public_name": "Gaetan Ferry (Security research, GitGuardian)", "guid": "03439db1-670e-5df0-9796-e0846f1fda53", "url": "https://cfp.pass-the-salt.org/pts2026/speaker/7G3XZA/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2026/talk/MVPRCH/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2026/talk/MVPRCH/", "attachments": []}, {"guid": "06d783e8-7603-5f1c-b10d-b930685e99ee", "code": "QNGYSR", "id": 321, "logo": null, "date": "2026-07-02T11:10:00+02:00", "start": "11:10", "duration": "00:35", "room": "Amphitheater 122", "slug": "pts2026-321-gcve-rebooting-vulnerability-tracking-for-an-open-security-ecosystem", "url": "https://cfp.pass-the-salt.org/pts2026/talk/QNGYSR/", "title": "GCVE: Rebooting Vulnerability Tracking for an Open Security Ecosystem", "subtitle": "", "track": "ThreatIntel", "type": "Talk", "language": "en", "abstract": "The vulnerability ecosystem has become critical infrastructure for defenders, vendors, researchers, and open source maintainers. 
Yet the way identifiers and vulnerability data are assigned, published, and distributed still reflects a centralized model that does not always match the speed, diversity, and realities of today\u2019s security landscape.\r\n\r\nThis talk introduces GCVE, a new approach to vulnerability identification and tracking designed to support a more open, decentralized, and resilient ecosystem. GCVE rethinks how vulnerability numbers can be allocated, how trusted actors can publish advisories, and how vulnerability information can be synchronized without creating unnecessary bottlenecks or dependency on a single central authority.\r\n\r\nThrough the lens of open source security, the talk will explain why this matters: maintainers need lightweight processes, defenders need timely and structured data, and the community needs a model that encourages participation rather than gatekeeping. It will also show how GCVE and its associated tooling can help make vulnerability tracking more transparent, interoperable, and adaptable.\r\n\r\nRather than presenting only a new identifier format, this session will explore a broader idea: how we can build vulnerability tracking as shared public infrastructure for the security community.", "description": "The vulnerability ecosystem has become critical infrastructure for defenders, vendors, researchers, and open source maintainers. Yet the way identifiers and vulnerability data are assigned, published, and distributed still reflects a centralized model that does not always match the speed, diversity, and realities of today\u2019s security landscape.\r\n\r\nThis talk introduces GCVE, a new approach to vulnerability identification and tracking designed to support a more open, decentralized, and resilient ecosystem. 
GCVE rethinks how vulnerability numbers can be allocated, how trusted actors can publish advisories, and how vulnerability information can be synchronized without creating unnecessary bottlenecks or dependency on a single central authority.\r\n\r\nThrough the lens of open source security, the talk will explain why this matters: maintainers need lightweight processes, defenders need timely and structured data, and the community needs a model that encourages participation rather than gatekeeping. It will also show how GCVE and its associated tooling can help make vulnerability tracking more transparent, interoperable, and adaptable.\r\n\r\nRather than presenting only a new identifier format, this session will explore a broader idea: how we can build vulnerability tracking as shared public infrastructure for the security community.", "recording_license": "", "do_not_record": false, "persons": [{"code": "MWF7U8", "name": "Alexandre Dulaunoy", "avatar": "https://cfp.pass-the-salt.org/media/avatars/40d2a172b3e9160f1709d3a05b7e8e8a_ld8lWKE.jpg", "biography": "", "public_name": "Alexandre Dulaunoy", "guid": "c9201d6b-2483-50e7-a2e7-e01c13c44465", "url": "https://cfp.pass-the-salt.org/pts2026/speaker/MWF7U8/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2026/talk/QNGYSR/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2026/talk/QNGYSR/", "attachments": []}, {"guid": "ec27c7b5-8eff-528d-98f1-d64fe806447c", "code": "8SANMK", "id": 316, "logo": null, "date": "2026-07-02T11:45:00+02:00", "start": "11:45", "duration": "00:35", "room": "Amphitheater 122", "slug": "pts2026-316-your-credentials-were-leaked-so-what", "url": "https://cfp.pass-the-salt.org/pts2026/talk/8SANMK/", "title": "Your credentials were leaked, so what?", "subtitle": "", "track": "ThreatIntel", "type": "Talk", "language": "en", "abstract": "Everyday, all of us are flooded with phishing emails trying to impersonate many well-known brands (Netflix, DHL, Microsoft, Google, Facebook 
& co). Some phishing campaigns are poorly prepared and can be easily spotted. On the other side, some are really well crafted and, be honest, who never clicked on a malicious link? If the flood is constant, it means that it works! And threat actors expect to get our credentials. But, is it really the case? How fast do they react once we disclosed them? That\u2019s the purpose of our research.\r\n\r\nWe developed a tool, called PhishTrack, that behaves as a honeypot but with more interaction with phishing kits. The tool is fed with phishing URLs. They are visited, categorized and, if possible, we provide unique credentials. Then, we monitor the honeypot and expect (crossing fingers) that our credentials will be re-used. We simulate classic landing pages and protocols: a web portal, MS account, VPN login, VNC, SSH, RDP (and maybe more soon). As an example, our current record is 3 mins between the phishing page visit and the attempt to (ab)use the credentials from Nigeria.\r\n\r\nThe talk will be split in two parts: We will introduce the tool, what are the core components, how it works, how we deployed it. 
The second part of the talk will be a review of our findings.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "RU9UTJ", "name": "Xavier Mertens", "avatar": "https://cfp.pass-the-salt.org/media/avatars/Photo_Xavier_800_Bl1BSrp.jpg", "biography": "", "public_name": "Xavier Mertens", "guid": "56915001-aa85-5973-ad1f-3b14a2df40ab", "url": "https://cfp.pass-the-salt.org/pts2026/speaker/RU9UTJ/"}, {"code": "BB7SU8", "name": "Teqagogo", "avatar": null, "biography": "", "public_name": "Teqagogo", "guid": "493d81c7-0e24-551d-8da8-bdc4ac14cc2b", "url": "https://cfp.pass-the-salt.org/pts2026/speaker/BB7SU8/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2026/talk/8SANMK/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2026/talk/8SANMK/", "attachments": []}, {"guid": "da0f7b88-d690-5c5a-86b3-e09340378594", "code": "B8AN9M", "id": 333, "logo": null, "date": "2026-07-02T14:00:00+02:00", "start": "14:00", "duration": "00:35", "room": "Amphitheater 122", "slug": "pts2026-333-oblivious-http-when-the-server-does-not-want-to-see-your-ip", "url": "https://cfp.pass-the-salt.org/pts2026/talk/B8AN9M/", "title": "Oblivious HTTP - when the server does not want to see your IP", "subtitle": "", "track": "Crypto for Users", "type": "Talk", "language": "en", "abstract": "It's common for users to look to hide their IP addresses. With Oblivious HTTP, it's reversed: the service chooses to blind itself.\r\nWe'll go over how this IETF standard ended up in Apple, Google, Mozilla, and Meta products, and how it evolved.", "description": "HTTPS encrypts your request, but the server still sees your IP. That metadata alone may be enough to identify you. Oblivious HTTP ([RFC 9458](https://www.rfc-editor.org/rfc/rfc9458.html)) splits the request across two non-colluding parties: a relay sees your IP address but not your request, a gateway sees your request but not your IP address. 
Assuming they don't collude, no single party sees both.\r\n\r\nThe interesting part: this is a privacy guarantee services opt into, not users. By contracting a neutral 3rd party, the service operator makes a commitment that they cannot link their own users' identity to the request these users are making.\r\n\r\nThe protocol was standardised at the IETF, and has [open source implementations](https://ohttp.info/#resources) in Go, Rust, Kotlin, and TypeScript. I'll demo one of them - ohttp-ts - and walk through [ohttp.info](https://ohttp.info/), built to make the protocol approachable.\r\n\r\nFinally, we'll cover [chunked OHTTP](https://datatracker.ietf.org/doc/html/draft-ietf-ohai-chunked-ohttp-08), an advanced proposal, which enables streaming encrypted payloads incrementally directly relevant for AI inference over private prompts and large transfers.", "recording_license": "", "do_not_record": false, "persons": [{"code": "QN7WW3", "name": "Thibault Meunier (Research, Cloudflare)", "avatar": "https://cfp.pass-the-salt.org/media/avatars/thibault-meunier_webp_iDDRlke.png", "biography": "", "public_name": "Thibault Meunier (Research, Cloudflare)", "guid": "ee9ea5ce-194b-516e-afe8-ec8ca0b9ef73", "url": "https://cfp.pass-the-salt.org/pts2026/speaker/QN7WW3/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2026/talk/B8AN9M/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2026/talk/B8AN9M/", "attachments": []}, {"guid": "8ac70f8f-7c1f-520a-9d0b-1665676c809d", "code": "33DFWY", "id": 287, "logo": null, "date": "2026-07-02T14:35:00+02:00", "start": "14:35", "duration": "00:35", "room": "Amphitheater 122", "slug": "pts2026-287-keibidrop-post-quantum-encrypted-peer-to-peer-file-transfer-without-the-cloud", "url": "https://cfp.pass-the-salt.org/pts2026/talk/33DFWY/", "title": "KeibiDrop: Post-Quantum Encrypted Peer-to-Peer File Transfer Without the Cloud", "subtitle": "", "track": "Crypto for Users", "type": "Talk", "language": "en", "abstract": "We 
present KeibiDrop, an open-source (MPL 2.0) peer-to-peer file transfer tool that provides end-to-end encryption using a hybrid post-quantum key exchange (ML-KEM-1024 + X25519) with ChaCha20-Poly1305 at the transport layer. KeibiDrop operates over direct IPv6 connections with no cloud intermediary, no STUN/TURN servers, and no persistent metadata. The relay server is treated as an untrusted blind intermediary: it sees only opaque lookup keys and encrypted blobs, and cannot correlate users or decrypt content. We discuss the cryptographic design, the privacy model, the trade-offs of an IPv6-only architecture, and the practical challenges of mounting remote files as a local FUSE filesystem with forward secrecy via automatic re-keying. A live demonstration accompanies the talk.", "description": "**KeibiDrop** addresses a concrete problem: transferring files between two devices without trusting a third party. Existing solutions make trade-offs: cloud storage (Google Drive, Dropbox) requires trusting the provider; tools like croc and Magic Wormhole relay traffic through servers that see both peers' IP addresses and lack post-quantum resistance; platform-native solutions (AirDrop, Nearby Share) are locked to specific ecosystems. KeibiDrop works across any combination of macOS, Linux, Windows, and mobile (iOS/Android via gomobile), with or without FUSE - the filesystem layer is optional, not required, but very fun to use. The desktop UI is built with Slint and bound in Rust; the total binary size is 20 MB.\r\n\r\n**Cryptographic design.** KeibiDrop implements a hybrid key exchange combining ML-KEM-1024 (NIST FIPS 203, Security Category 5) with X25519, deriving session keys via HKDF-SHA512. Key pairs are ephemeral: generated fresh each session and never persisted to disk. Peer authenticity is established through out-of-band fingerprint exchange: each peer's fingerprint is a SHA-512 hash over its ephemeral public keys (X25519 || ML-KEM), shared via a trusted channel (e.g. 
Signal, in person, QR code). During the handshake, the received public keys are verified against the registered fingerprint using constant-time comparison before any session key is derived. No certificate authority, no long-lived keys \u2014 if the fingerprint does not match, the handshake is rejected. The transport layer uses ChaCha20-Poly1305 AEAD with counter-based nonces and direction-separated prefixes to prevent nonce reuse. Automatic session re-keying triggers every 1 GB or approximately one million messages, providing forward secrecy by discarding old key material.\r\n\r\n**Relay privacy model.** The relay server facilitates peer discovery only. Registered keys are held in memory for 10 minutes and then discarded - nothing is persisted. Registration data (fingerprints, public keys, IP addresses) is encrypted client-side before upload. The relay stores only `lookup_key -> encrypted_blob`, where the lookup key is derived via HKDF from a room password shared out-of-band. The relay cannot reverse-engineer fingerprints, decrypt registration blobs, or correlate sessions across rooms. The relay operator sees IPv4 source addresses in access logs, but has no access to the encrypted content or the identities behind it. We present the threat model and the test suite that validates these privacy guarantees.\r\n\r\n**IPv6-only architecture.** KeibiDrop deliberately avoids STUN/TURN/UPnP to prevent IP metadata leakage to third-party NAT traversal infrastructure. This is a privacy-first design choice with real trade-offs: it requires globally routable IPv6 on both peers. We discuss why this trade-off is defensible for privacy-sensitive use cases and what it costs in practice, including the challenges we encountered deploying across consumer ISPs.\r\n\r\n**FUSE filesystem integration.** Remote files appear as a mounted local filesystem with lazy loading, enabling real-time access without downloading entire files upfront. 
We cover the practical challenges of building a secure FUSE filesystem: macFUSE versus fuse3 versus WinFSP behavioral differences, direct_io for write operations, deadlock prevention in the VFS layer, and cross-platform support across macOS, Linux, and Windows.\r\n\r\n**Live demonstration.** Two laptops, one room. Files transferred with post-quantum encryption.\r\n\r\nThe talk targets security practitioners, privacy engineers, and contributors to free software who want to understand practical post-quantum cryptography deployment, privacy-preserving protocol design, and the engineering reality of building encrypted file transfer tools.", "recording_license": "", "do_not_record": false, "persons": [{"code": "9PDJAS", "name": "Marius-Florin Cristian", "avatar": "https://cfp.pass-the-salt.org/media/avatars/9PDJAS_6N0XQij.webp", "biography": "Marius-Florin Cristian is a computer scientist and the author of KeibiDrop, an open-source post-quantum encrypted file transfer tool. He holds a CISSP certification and a Master's degree in Computer Science from the University of Copenhagen (DIKU), where his thesis addressed the minimum spanning tree problem in the context of linear-time complexity. He served as CISO at two B2B SaaS startups in Copenhagen---Krizo.io and Omnio.net---where he built cybersecurity programs from scratch (ISO 27001 ISMS, NIST RMF/800-53, risk management) while simultaneously contributing to product development (Haskell at Krizo, Rust at Omnio), managing DevOps and Kubernetes infrastructure, and shipping features in sprints---both acquired within two years of his joining. After Omnio's acquisition by IBM, he worked briefly as a Senior Cybersecurity Specialist at IBM before moving to Romania to build KeibiSoft full-time. 
He works across the full stack---from cryptographic protocol design and threat modeling to systems programming and infrastructure---doing whatever it takes to ship.", "public_name": "Marius-Florin Cristian", "guid": "11dfacae-d5b4-5d5f-beee-8be58648ab33", "url": "https://cfp.pass-the-salt.org/pts2026/speaker/9PDJAS/"}], "links": [{"title": "Website with KeibiDrop presentation (and screenshots), and links to github (soon public)", "url": "https://keibisoft.com/tools/keibidrop.html", "type": "related"}, {"title": "One of the technical blog entries from the KeibiDrop series", "url": "https://keibisoft.com/blog/keibidrop-technical-deep-dive.html", "type": "related"}], "feedback_url": "https://cfp.pass-the-salt.org/pts2026/talk/33DFWY/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2026/talk/33DFWY/", "attachments": []}, {"guid": "6e5db19f-97d2-507a-8044-f0420cadd4d5", "code": "9VXT39", "id": 291, "logo": null, "date": "2026-07-02T15:10:00+02:00", "start": "15:10", "duration": "00:35", "room": "Amphitheater 122", "slug": "pts2026-291-fractum-an-open-source-cli-for-threshold-based-cold-storage-of-critical-secrets", "url": "https://cfp.pass-the-salt.org/pts2026/talk/9VXT39/", "title": "Fractum: an open-source CLI for Threshold-Based Cold Storage of Critical Secrets", "subtitle": "", "track": "Crypto for Users", "type": "Talk", "language": "en", "abstract": "**Shamir's Secret Sharing (SSS)** has been trusted for decades by organizations like ICANN (DNSSEC root key ceremonies), Trezor (SLIP-39), and Coinbase ; yet it remains largely inaccessible to individual practitioners and small teams who need cold storage for cryptocurrency wallets, SSH keys, infra recovery keys, or root CA credentials.\r\n\r\nThis talk introduces **Fractum**, an open-source (MIT) CLI tool that combines AES-256-GCM authenticated encryption with Shamir's Secret Sharing over GF(2^8) to split sensitive files into K-of-N threshold shares. 
Designed as an air-gapped, portable & offline-first tool with zero network dependencies, This tool brings information-theoretic security to anyone with a terminal.\r\n\r\nI will walk through the cryptographic design decisions: why GCM over CBC, how polynomial interpolation in GF(256) actually works at the byte level, how we handle entropy collection from multiple sources, and the trade-offs of implementing memory protection (SecureString with mlock and multi-pass overwrite) in a garbage-collected language like Python. A pre-recorded demo will show a full encrypt-split-distribute-reconstruct cycle running inside a network-isolated Docker container.\r\n\r\n**Attendees will take away**: a clear mental model of how threshold cryptography works in practice, an understanding of the security properties (and honest limitations) of implementing SSS in Python, and a free tool they can use immediately for their own cold storage needs.\r\n\r\nGitHub: https://github.com/katvio/fractum", "description": "**The gap no one talks about (3 min):**\r\nThere is a missing category between \"encrypt it and hope you don't lose the key\" and \"$50K HSM setup.\" Most practitioners fall back on copying encrypted files to multiple locations, which means a single key compromise exposes everything. I will frame the cold storage problem: cryptocurrency wallets, root CA keys, disaster recovery credentials, digital inheritance ; all scenarios where you need security measured in years, not sessions. \r\n\r\n**How Shamir's Secret Sharing actually works (5 min):**\r\nNo hand-waving. I will walk through polynomial construction over GF(2^8), Lagrange interpolation for reconstruction, and why the information-theoretic security guarantee is fundamentally different from computational security. If you have K-1 shares, every possible secret is equally likely ; this is not a bruteforce problem, it is a mathematical impossibility. 
Real-world precedents: ICANN DNSSEC ceremonies, Trezor SLIP-39, Ledger Recover, military grade algos.\r\n\r\n**Building it in Python: the honest version (4 min):**\r\n- Memory protection with SecureString: ctypes.memset(), mlock(), multi-pass overwrite\r\n- Honest limitations: Python string immutability, garbage collection timing, no side-channel resistance\r\n- Air-gapped design: '--network=none' Docker guarantee, no telemetry, self-contained share archives\r\n- Supply chain considerations: minimal dependencies, SHA-256 integrity checking\r\n\r\n**Demo: encrypt, split, reconstruct (4 min):**\r\nPre-recorded terminal session inside a '--network=none' Docker container. Encrypt a file, split into 3-of-5 shares, attempt reconstruction with 2 shares (fails, by design), reconstruct with 3 shares (succeeds). Inspect the share metadata and integrity verification.\r\n\r\n**What is missing and what comes next (4 min):**\r\nOpen discussion of limitations: no formal verification of the SSS implementation, no side-channel analysis, Python GC constraints. Roadmap items: DPSS (Dynamic-committee Proactive Secret Sharing), HSM integration. Open questions for the community: share verification without reconstruction, HSM integration, formal verification approaches for Python crypto.\r\n\r\n### Resources:\r\n- **GitHub**: https://github.com/katvio/fractum\r\n- **Documentation**: https://fractum.katvio.com\r\n- **Security Architecture**: https://fractum.katvio.com/security-architecture/", "recording_license": "", "do_not_record": false, "persons": [{"code": "SNCTYX", "name": "C\u00e9dric - Katvio.com", "avatar": null, "biography": "C\u00e9dric is a seasoned DevSecOps and infrastructure engineer with 10yrs of experience spanning defense, blockchain, and cloud-native environments. He began his career working on safety-critical software in the defense industry, then moved into the blockchain space as a DevSecOps & SRE for the Tezos Foundation. 
He now runs his own digital agency, delivering security, and key management services to key accounts across banking and SaaS. His expertise sits at the intersection of cybersec, supply chain security, and applied cryptography, with a particular interest in privacy-preserving technologies. Company: Katvio.com", "public_name": "C\u00e9dric - Katvio.com", "guid": "81ae658c-c2ba-55f5-8484-83f7cded9878", "url": "https://cfp.pass-the-salt.org/pts2026/speaker/SNCTYX/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2026/talk/9VXT39/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2026/talk/9VXT39/", "attachments": []}, {"guid": "b27d7b85-15f8-5499-9b42-9e08ef59305f", "code": "FJZPZL", "id": 319, "logo": null, "date": "2026-07-02T15:45:00+02:00", "start": "15:45", "duration": "00:20", "room": "Amphitheater 122", "slug": "pts2026-319-desktopranger-blocks-keystroke-spying-hardening-windows-desktop-isolation", "url": "https://cfp.pass-the-salt.org/pts2026/talk/FJZPZL/", "title": "DesktopRanger Blocks Keystroke Spying: Hardening Windows Desktop Isolation", "subtitle": "", "track": "Security by Design", "type": "Short Talk", "language": "en", "abstract": "Modern businesses routinely handle sensitive data\u2014entering passwords, managing internal documents and emails, or conducting confidential meetings in applications such as Zoom and Signal. **Windows desktop isolation** can block basic keyloggers from capturing keystrokes from applications running on newly created desktops. Several security tools rely on this mechanism by running sensitive applications or password-entry screens on isolated desktops, providing effective defense against unsophisticated keyloggers. 
In practice, however, this protection is often treated as \u201cgood enough\u201d once a protected desktop has been created.\r\n\r\nThis talk shows why that assumption is wrong: **Windows Desktop Isolation is not a true isolation boundary**.\r\n\r\nThe focus of this research is not kernel-mode interception, but high-privilege user-mode keyloggers. In other words, the talk addresses attackers that remain in user space, yet possess enough privileges to actively interfere with desktop-based protections and attach spying logic to sensitive contexts. This makes the problem especially relevant in **Man-at-the-End (MATE)** scenarios common in business environments.\r\n\r\nI will present a series of experiments covering the four most common Windows keystroke interception techniques\u2014**SetWindowsHookEx**, **GetAsyncKeyState**, **Raw Input**, and **DirectInput**\u2014as well as **ETW-based monitoring**. The results show that privileged attackers can still capture keystrokes from protected desktop contexts, including Secure Desktop environments such as Winlogon, for example by launching a high-privilege process via **PsExec/Sysinternals**.\r\n\r\nTo address this weakness, I will introduce **DesktopRanger**, an open-source defensive prototype for creating hardened Windows desktops for secret input. **DesktopRanger** creates a protected desktop with a restrictive security descriptor, expressed in SDDL as `D:P`, preventing unauthorized opening through the standard desktop access path and limiting the attacker\u2019s ability to obtain even the desktop name. When a legitimate application must be launched, access is relaxed only for a very short period. At the same time, desktop enumeration is blocked at the **Window Station** level to prevent hostile processes from discovering or attaching to the target desktop. 
Once the application has been initialized, the original restrictive state is restored: the user can again enumerate active desktops, but the protected desktop does not appear in the returned list.\r\n\r\nI will explain the **Windows Desktop** and **Window Station** internals behind this design. I will also discuss how this approach can be combined with the open-source **MemoryRanger** bare-metal hypervisor to protect relevant kernel-side security structures against tampering, including **BYOVD-style attacks**.\r\n\r\nThe experiments show a clear contrast: a high-privilege attacker can still spy on Secure Desktop-style protected contexts, including **Winlogon**, whereas the same attacker is unable to attach to and spy from a desktop created by **DesktopRanger**.", "description": "This talk examines a practical and widely misunderstood security question: can **Windows desktop isolation** really protect sensitive keyboard input against a privileged attacker?\r\n\r\nThe problem is highly relevant because keylogging is not a legacy threat: modern spyware, stealers, and surveillance-oriented malware continue to use keystroke interception in active campaigns. This makes secure input a live defensive problem for password managers, privacy tools, and other applications handling credentials or confidential text on Windows.\r\n\r\nI will begin with a concise explanation of the Windows desktop model, including the relationship between **Window Sessions**, **Window Stations**, and **Windows Desktops**, and why many security tools rely on isolated desktops for password entry and other sensitive workflows. I will show that this mechanism is effective against basic user-mode keyloggers, which is why it is often treated as a sufficient defense in practice.\r\n\r\nThe talk then presents the experimental results. 
I will show tests covering the four major Windows keystroke interception techniques\u2014**SetWindowsHookEx**, **GetAsyncKeyState**, **Raw Input**, and **DirectInput**\u2014as well as **ETW-based monitoring**. These experiments demonstrate that a privileged attacker can still deploy spying logic against protected desktop contexts, including Secure Desktop-style environments such as Winlogon, for example by launching a high-privilege process via PsExec/Sysinternals.\r\n\r\nThe second half of the talk introduces **DesktopRanger**, an open-source defensive prototype designed to harden the existing Windows desktop model. Its core goal is to create a protected desktop that an attacker cannot easily discover, open, or attach to. **DesktopRanger** creates the target desktop with a restrictive `D:P` security descriptor and limits the attacker\u2019s ability to obtain even the desktop name. When a legitimate application must be started, access is relaxed only briefly, while desktop enumeration is blocked at the **Window Station** level, and the original restrictive state is restored immediately after initialization. In addition, **DesktopRanger** can deploy multiple desktop honeypots to mislead hostile attachment attempts toward decoy desktops instead of the real protected one. I will explain the Windows internals behind this workflow and why it changes the attack surface compared to conventional isolated-desktop designs.\r\n\r\nFinally, I will show the security contrast observed in the experiments: a high-privilege attacker can still spy on Secure Desktop-style protected contexts, while the same attacker is unable to attach to and spy from a desktop created by **DesktopRanger**. 
I will also discuss how this design can be strengthened with the open-source **MemoryRanger** bare-metal hypervisor to protect relevant kernel-side security structures against tampering and **BYOVD-style abuse**.\r\n\r\nThe talk is intended for developers of password managers, desktop security tools, and other Free Software projects that need reliable secure-input mechanisms on Windows.", "recording_license": "", "do_not_record": false, "persons": [{"code": "KZLJKS", "name": "Igor Korkin (independent security researcher)", "avatar": "https://cfp.pass-the-salt.org/media/avatars/KZLJKS_VYZ1ODJ.webp", "biography": "Igor Korkin, Ph.D., is a security researcher, developer, and innovator with over 15 years of experience in system security\u2014holding a Huawei security patent, authoring over 50 research papers and a monograph <i>[Kernel Protection of Operating Systems Under Countermeasures](https://igorkorkin.github.io/monograph/)</i>. \r\n\r\nSpecializing in advanced security research and development, he focuses on Windows and Linux kernel security, Rootkit Detection, Memory Forensics, Bare-metal Hypervisors, Data Storage Protection, Ransomware Defense, and Evasion Techniques.\r\n\r\nHe is open to new challenges and international collaboration, seeking opportunities to work with global partners on innovative security projects.", "public_name": "Igor Korkin (independent security researcher)", "guid": "b31587e6-b838-5317-a22d-9930d2a7a4ca", "url": "https://cfp.pass-the-salt.org/pts2026/speaker/KZLJKS/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2026/talk/FJZPZL/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2026/talk/FJZPZL/", "attachments": []}, {"guid": "f7aed09d-c4b4-5a03-ad82-fdb6d0d0c94d", "code": "NHZTG7", "id": 315, "logo": null, "date": "2026-07-02T16:05:00+02:00", "start": "16:05", "duration": "00:20", "room": "Amphitheater 122", "slug": "pts2026-315-rust-pam-and-typestate-cooking-up-spotless-authentication-with-nonstick", 
"url": "https://cfp.pass-the-salt.org/pts2026/talk/NHZTG7/", "title": "Rust, PAM and Typestate: Cooking up spotless authentication with nonstick", "subtitle": "", "track": "Security by Design", "type": "Short Talk", "language": "en", "abstract": "Bim bam PAM! In this talk, we\u2019re diving into the kitchen of system security to look at the PAM (Pluggable Authentication Modules) architecture.\r\n\r\nWe\u2019ll start by deconstructing the classic PAM lifecycle. But instead of just \"wrapping\" the C API in Rust and hoping for the best, we\u2019ll introduce nonstick. The secret sauce? We will demonstrate how nonstick uses Rust's design to encode the PAM expected behavior directly into the compiler.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "G739SC", "name": "Eddie Billoir (Airbus Protect)", "avatar": "https://cfp.pass-the-salt.org/media/avatars/12381165_nAp2pxu.jpeg", "biography": "PhD in Cybersecurity. Open-source enjoyer.", "public_name": "Eddie Billoir (Airbus Protect)", "guid": "bb8947cc-6977-5141-b75a-cea08f43a029", "url": "https://cfp.pass-the-salt.org/pts2026/speaker/G739SC/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2026/talk/NHZTG7/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2026/talk/NHZTG7/", "attachments": []}], "Room LW112": [{"guid": "e3ce3b4e-cb2f-5c76-ba4d-b24c55818f2e", "code": "UJGHEX", "id": 317, "logo": null, "date": "2026-07-02T09:30:00+02:00", "start": "09:30", "duration": "02:30", "room": "Room LW112", "slug": "pts2026-317-a-phishing-trip-with-fancy-bear-let-s-analyze-apt-malware-together", "url": "https://cfp.pass-the-salt.org/pts2026/talk/UJGHEX/", "title": "A phishing trip with Fancy Bear - Let's analyze APT malware together!", "subtitle": "", "track": "Exploitation", "type": "Workshop 2h30", "language": "en", "abstract": "In this beginner-friendly, hands-on workshop, participants will walk through the full attack chain of a real-world Fancy Bear 
(APT28/GRU) intrusion - from the initial phishing email to command & control - guided by a purpose-built interactive training platform.\r\n\r\nWhat to expect:\r\nThe workshop is structured across five chapters, each building on the last: threat actor background, payload delivery, exploitation, persistence & installation, and command & control. Participants work hands-on with real artefacts (phishing email headers, a weaponised RTF document, malware samples, and a C2 implant) and answer quiz questions via an interactive platform to validate their findings along the way - making progress immediately visible and keeping the session engaging for all skill levels.\r\n\r\nWhat you will learn:\r\n- How to analyse phishing emails and extract indicators from mail headers\r\n- How to identify and dissect malicious Office documents (including MIME type mismatches and OLE/COM object abuse triggering CVE-2026-21509)\r\n- Persistence techniques: file staging, scheduled task abuse, and LSB steganography in PNG files\r\n- How to reverse simple string obfuscation (XOR + Base64) using CyberChef\r\n- How threat actors repurpose legitimate open-source tools (Covenant C2 framework) and abuse trusted cloud services to blend into normal traffic\r\n- All tools demoed/used throughout the workshop (e.g. oletools, CyberChef, and Covenant) are free and open-source, making every technique immediately reproducible.\r\n\r\nWho should attend:\r\nNo prior malware analysis experience is required. Basic familiarity with the command line and a curiosity for how attacks actually work is all you need. Security students, CTF players, sysadmins, and blue teamers looking to build intuition for real-world threat actor tradecraft will get the most out of this session.\r\n\r\nWhat to bring:\r\nA laptop with a browser and internet access. 
All you need is a web browser, a text editor and an archive tool to unpack ZIP (AES-256) archives - other than that, no prior setup is required.", "description": "This workshop does not depend on domain-specific knowledge, we will try to break the steps down as far as possible. Attendees will follow along through small exercises, with the opportunity to compare their solution through a quiz/validation system. Questions will be answered by the instructor, collaboration between attendees is strongly encouraged!\r\n\r\nImportant message for attendees: If you would like to follow along, please bring a laptop with a charged battery. You will be handling real-world malware (you act at your own risk; No backup, no pity). I recommend using a virtual machine (e.g. FLARE-VM, REMnux). No special tooling is required, make sure to have the basics (Text and Hex Editor, Browser, ZIP utility) installed. No photos during the workshop please, you will receive a copy of the slides.", "recording_license": "", "do_not_record": false, "persons": [{"code": "KNGYNN", "name": "Marius Genheimer (DFIR/Research, SECUINFRA)", "avatar": "https://cfp.pass-the-salt.org/media/avatars/KNGYNN_mziARtg.webp", "biography": "Marius Genheimer is a DFIR Specialist and Threat Researcher with the SECUINFRA Falcon Team. He specializes in malware analysis and defensive security training.", "public_name": "Marius Genheimer (DFIR/Research, SECUINFRA)", "guid": "4a19fab7-2477-59fb-a716-efc172e516f8", "url": "https://cfp.pass-the-salt.org/pts2026/speaker/KNGYNN/"}], "links": [], "feedback_url": "https://cfp.pass-the-salt.org/pts2026/talk/UJGHEX/feedback/", "origin_url": "https://cfp.pass-the-salt.org/pts2026/talk/UJGHEX/", "attachments": []}]}}]}}}