dc303

Reversing Bad Brew

Fri, 22 May 2026 00:00:00 +0000

Have you ever heard that Macs don’t get malware? Well that’s not true. Bad Brew was a click fix malware campaign that tricked users into downloading and running malware by imitating the homebrew package manager. I will compare an earlier and a more advanced malware sample that shows how the threat actors tactics changed over time

Intro to CDX: A cybersecurity training range built for real learning

Fri, 27 Feb 2026 00:00:00 +0000

“What am I working on?”

Building a flexible cybersecurity training range — one that can simulate everything from simple flat networks to complex multi-site enterprises with legacy systems, modern infrastructure, and all the messy realism in between.

Why?

Because learning security requires a safe space to fail. Red teamers need targets they can attack without consequences. Blue teamers need environments where missed detections are lessons, not disasters. Students need room to break things and understand why. CDX provides that space — fully isolated, fully contained, and ready to reset as often as the learning demands.

What makes it different?

The range isn’t just isolated networks in a vacuum. There’s underlying infrastructure that makes it feel like operating within a larger ecosystem — realistic enough to be worth a longer conversation if you’re curious.

Where is this headed?

The project is open source and actively evolving. I’m building exercises, refining automation, and exploring opportunities to support hands-on training for security professionals, students, and teams who want something more than a typical lab experience. Interested in training, contributing, or learning more? I’d welcome the conversation.

Car Hacking

Specters — Fri, 22 Aug 2025 00:00:00 +0000

Finding vulnerabilities in automobiles… Some old ones and some ??

Crash Course into the OWASP API Top 10

Alan Shen — Fri, 21 Feb 2025 00:00:00 +0000

At this month’s meeting, Alan will preview his upcoming SnowFROC talk, Crash Course into the OWASP API Top 10. As a DC303 exclusive complimenting the talk, we will practice on the vulnerable applications Completely Ridiculous API (crAPI) and VAPI.

To participate in the interactive part of the event, bring your own laptop with an intercepting proxy (Burp, ZAP, etc.) as well as an API testing tool like Postman. There will be several options for accessing the labs, including using API Sec University’s hosted environment, a local Proxmox lab network we will host in the space for the event, or setting up your own VMs on your laptop.

Recommended Tools:

https://portswigger.net/burp/communitydownload
https://www.zaproxy.org/
https://www.postman.com/
https://github.com/OWASP/crApi (or alternative to deploying a VM: http://crapi.apisec.ai/)
https://github.com/roottusk/vapi (or alternative to deploying a VM: http://vapi.apisec.ai/)

Talk Abstract:

Application Programming Interfaces (APIs) are the glue that allows independently evolving systems to communicate with each other, and are an important focus for security investment due to their privileged access to sensitive data and functionality. Recently, the OWASP API Top 10 has been updated for 2023, so join us as we introduce the OWASP API Security Project. We’ll cover what’s new in the 2023 API Top 10, as well as compare the differences with the previous 2019 version. For those interested in hands-on practice, we’ll also briefly introduce the OWASP crAPI (completely ridiculous API) Project which demonstrates common API vulnerabilities.

A Web CTF For Everyone

Mark Hoopes — Fri, 24 Jan 2025 00:00:00 +0000

At this month’s meeting we’ll spend some quality time with a truly insecure CRM application that has something for every level of web hacker. Entry level participants can explore a poorly designed authentication system, mid-level hackers will have plenty of opportunities to run SQL and JavaScript Injection attacks, and there is even a pathway to shell, but it will take some real dedication to get there. A walkthrough is available for those who need it so everyone should come away knowing a little more about how to attack (and defend) web applications. Bring your own laptop with an intercepting proxy (Burp, ZAP, etc.) installed to participate.

COME LEARN ABOUT WIFI HACKING!

Neko — Fri, 22 Nov 2024 00:00:00 +0000

COME LEARN ABOUT WIFI HACKING! We’ll be going over wifi’s evolution over the years, learning about vulnerabilities, mitigations, the tooling available, what’s under the hood of most wifi routers, and how you can run your own audits and even defend wifi in an enterprise or home environment.

INCLUDING PRACTICAL LABS! We’ll be putting out a bunch of wifi access points, maybe even some vulnerable clients, and you’re going to be hacking them.

HACK THE PLANET!

Cameron Hopkin

Fri, 25 Oct 2024 00:00:00 +0000

Examining the complex relationship between AI and Cybersecurity and Privacy. May do some exploration of the Claude family of AI models. Be ready for good discussion.

Programmable Cryptography: Actualizing Academic Innovation for Novel Technology

Nuke — Fri, 27 Sep 2024 00:00:00 +0000

Seemly all of a sudden many theorized cryptographic systems are becoming practically usable. Programmable Cryptography is an exciting vision for novel applications using these new tools to empower privacy, verifiability, and much more. This talk will highlight some of these new tools and cover a few key use cases. We will invite discussions from the audience about how we might use these, helping drive adoption and innovation here in our local community and beyond! With any luck, we will come away with a few groups to kick-off a series of talks and workshops around this theme. Speaker bio: Nuke ðŸŒ„ is a developer relations advocate at https://risczero.com/ working to evangelize Verifiable Computation and is a huge fan of all things Programmable Cryptography Application. He is a community Steward for https://cryptorado.org that in home for web3 innovators and open source tools to empower people to be self sovereign, focused on engineering coworking and community hackin’. Connect with him on Cryptorado’s Zulip (join at https://Cryptorado.org, or directly on signal

Hacker Summer Camp Recap and Highlights

Mark Hoopes — Fri, 23 Aug 2024 00:00:00 +0000

Couldn’t make it to Hacker Summer Camp? Made it, but didn’t see every talk available? Join us for a group brain dump on the most interesting talks, research, and tools released at Blackhat, BSides Las Vegas, or DEF CON. Really anything recent and interesting is fair game. Please come with at least one item to share, even if it was just something you saw referenced and would like to know more about.

Hardware Hacking for the Young and Old

Josh Datko — Fri, 28 Jun 2024 00:00:00 +0000

Have you agreed to a hardware pentest but don’t know where to start? Or perhaps you’re interested in hacking electronics for fun or profit. In any case, this talk will provide a gentle introduction to the hardware hacking scene. If you’re a software hacker, this session will empower you to start probing signals with confidence. For those already familiar with hardware hacking, we’ll delve into advanced attacks such as glitching and power analysis. We’ll even explore some fun analog hacking of cassettes. Join us for an informative and hands-on journey into the world of hardware hacking.

Open Source Industrial Control: Turning 2,800 Tons of Metal with Python and Flask

Jacob Lapenna — Fri, 26 Apr 2024 00:00:00 +0000

(Preview of upcoming conference talk…)

This is a story of how Python can fit into the physical world around us. It is a story of system design and product development. It is a tale of great breadth, covering distributed computing, custom printed circuits, electromagnetism, some of the largest hydropower generators in the world, and the software and hardware that brings this all together. This tale covers several years of research and development, culminating in a cyber physical system built on open-source software and easily attainable off-the-shelf products and components.

We will also discuss performing security reviews and penetration tests of these types of systems.

HardenedBSD 2024 State of the Union: A Decade of Hardened Bits

Shawn Webb — Sat, 23 Mar 2024 00:00:00 +0000

Abstract: The HardenedBSD Project is a “spork” of FreeBSD that aims to provide the wider BSD community with a clean-room reimplementation of the publicly-documented bits of the grsecurity patchset for Linux. The cofounders of the project started collaborating in 2013, and the project become official in 2014.

HardenedBSD goes above and beyond its original goal by providing extra security enhancements, exploit mitigation strategies, and unique access into our infrastructure. We seek out ways to serve in global human rights endeavors, navigating the nexus between {cyber,info}sec and human rights.

This presentation recaps the last decade of development and dives into where we aim to go in the next one, five, and ten year periods. We give tangible (yet sanitized) examples of the impact of our human rights focus.

John Hoopes

Fri, 29 Dec 2023 00:00:00 +0000

Active Directory lab setup, exploitation, and walkthroughs. If you want to set your own up, cloud cost should be under 5 dollars for the evening, or people can use mine. (Sharing means you have to take turns.)

Austin Ballard

Fri, 01 Dec 2023 00:00:00 +0000

Compilation of the best hacks across AWS, Azure, and Kubernetes; showing off common security misconfigurations.

CodeQL

Kurt Burrell — Fri, 22 Sep 2023 00:00:00 +0000

Source code analysis is consistently regarded as one of the most effective strategies for uncovering vulnerabilities. However, manual reviews can be time consuming, not to mention difficult to scale for large applications or across application portfolios. Advancements in tooling have traditionally not kept pace with the industry’s needs, with security researchers often relying exclusively on non-security focused solutions such as Developer IDEs and grep.

Enter: CodeQL. CodeQL is a semantic code scanning engine that introduces a rich, custom query language. This query language can augment manual source code review by highlighting areas of interest to focus on, or it can be used to model entire vulnerability classes and provide alerts when those models are detected in a code base.

This workshop starts out with an introduction to CodeQL, how it works and what sets it a part from other solutions. It ramps up quickly to showcase how CodeQL can be applied to find vulnerabilities in real world applications. Tips and tricks, as well as strengths and weaknesses will also be covered. No experience is required.

Ruby on Rails for Pentesters

Fri, 28 Jul 2023 00:00:00 +0000

Ruby on Rails makes it easy to spin up a web application in minutes, but has proven to be reliable enough to run large company product offerings as well. Web Pentesters don’t technically need to know the platform behind the websites they’re testing, but when we do, we can sometimes find more interesting bugs more quickly. At this meeting we’ll start with the fundamentals by spinning up a trivial Rails app and then take a look at some vulnerabilities that often arise within Rails’s “sensible defaults”. Bring a laptop you’re willing to install Rails on to play along.

Purple Team 101

Fri, 28 Apr 2023 00:00:00 +0000

The how and why of a threat informed, offensive driven Defense

API Security Exercises with crAPI and vAPI

Fri, 24 Mar 2023 00:00:00 +0000

There is a recent wave of interest in API security within the broader security community, and APIs continue to be a promising source of security findings due to their ubiquity as the glue that connects disparate systems. With the goal of spending the latter half of the night on hands-on exercises, we will start with an introductory talk that will survey the resources that are available for learning API security, and discuss tips for what to look for when practicing with API-focused testing exercises. After the intro talk, let’s work through any questions regarding the exercises. If you would like to participate in the exercise half of the night, it is recommended in the interest of time to prepare before the meetup the tool/lab setup instructions under the “Lab Setup” chapter of API Sec University: https://www.apisecuniversity.com/courses/api-penetration-testing

Red Teaming: Windows and Linux Persistence Techniques

Fri, 24 Feb 2023 00:00:00 +0000

Red Teaming for a [redacted] college cybersecurity competition is a great opportunity to work on persistence techniques and develop some useful custom tools. We’ll go over the unique environment of this competition, how that applies to real world scenarios, and also share some tricks that can be played when you have permission to burn the environment to the ground.

We will cover the high-level concept of a fuzzer, then dig into the paper written by the authors of LibAFL, and then explore some code.

Fuzzing with LibAFL — Fri, 27 Jan 2023 00:00:00 +0000

From the GitHub page: “LibAFL is a collection of reusable pieces of fuzzers, written in Rust. It is fast, multi-platform, no_std compatible, and scales over cores and machines.”

If you want to learn and explore in advance, here are the main resources:

GitHub is here: https://github.com/AFLplusplus/LibAFL

Academic paper is here: https://www.s3.eurecom.fr/docs/ccs22_fioraldi.pdf