0.12 hackthebay-2026 2026-03-23 2026-03-23 1 00:05 https://cfp.pacifichackers.com UTC WORKSHOPS Lightning Talk 2026-03-23T10:45:00+00:00 10:45 00:15 OPENING CEREMONY hackthebay-2026-95-opening-ceremony OPENING CEREMONY en false https://cfp.pacifichackers.com/hackthebay-2026/talk/RZZMHT/ https://cfp.pacifichackers.com/hackthebay-2026/talk/RZZMHT/feedback/ WORKSHOPS Keynote 2026-03-23T11:00:00+00:00 11:00 00:30 You don't need a linear path or a specific degree to build an extraordinary career in cybersecurity. Tailored for junior professionals, career-switchers, and veterans, this keynote dives into the realities of the front lines. Ryan shares his unconventional journey—from IT administration and law enforcement to managing massive incident response teams and leading physical red teaming. Key Highlights: - The Art of the Masquerade: Jaw-dropping stories of physical penetration testing, including how to breach a cruise ship's bridge using open-source intel, fake uniforms, and a cup of espresso. - High-Stakes Incident Response: A raw look at the emotional weight of managing 2 AM ransomware crises for hospitals and defense contractors. - Actionable Advice: Discover why non-traditional backgrounds are a superpower, how to leverage AI tools, and why communication is your ultimate security control. hackthebay-2026-94-no-badge-required-an-unconventional-journey-through-cybersecurity-s-front-lines KEYNOTE Ryan Massfeller @Ryan4n6 en true https://cfp.pacifichackers.com/hackthebay-2026/talk/PTHYVR/ https://cfp.pacifichackers.com/hackthebay-2026/talk/PTHYVR/feedback/ WORKSHOPS Workshop 2026-03-23T11:30:00+00:00 11:30 01:10 Victims see the real site; you see everything. C.A.R.P. gives each visitor an isolated Firefox container that loads the actual target URL (Gmail, banks, SSO), no fake login page, just the real site in a browser you control. Passwords, 2FA codes, and session cookies are all captured allowing sessions to be hijacked in real time. Combine C.A.R.P. with ARP and DNS spoofing on the local network, and victims who type real URLs or use bookmarks can be silently redirected into your controlled browser. hackthebay-2026-91-catch-release-phramework-credential-harvesting-without-the-phishing-page WORKSHOP David PorcelloRob Wright en false https://cfp.pacifichackers.com/hackthebay-2026/talk/HPJMLP/ https://cfp.pacifichackers.com/hackthebay-2026/talk/HPJMLP/feedback/ WORKSHOPS Workshop 2026-03-23T13:00:00+00:00 13:00 01:30 Hackers are already gearing up to exploit the next new unlicensed wireless protocol – LoRa. It’s time to add LoRa-based attacks to your red team arsenal. Learn about LoRa, how it is used by a popular peer-to-peer network called Meshtastic, and how you can build your own LoRa-based implant. hackthebay-2026-73-red-teaming-with-lora-and-meshtastic WORKSHOP Venky Raju en This workshop introduces LoRa, a low-power, long-range wireless technology gaining traction in commercial and community networks. We will then explore a popular community networking application called Meshtastic. Using our devices, we will join the local community network and become familiar with how to locate other nodes and communicate with them. We will then learn how to create a closed community in which only we can participate. Will then download the Meshtastic firmware build system on our laptops and learn how to build custom firmware. Finally, we will explore how this technology can be used for red-teaming, considering that the bad guys are already looking for ways to exploit this new and fantastic technology. As part of this exercise, you will hack a remote system miles away using your LoRa node! For the best experience, participants should bring their laptops and also have access to a LoRa device. If you would like to purchase a LoRa kit, we will have kits for sale for $35. false https://cfp.pacifichackers.com/hackthebay-2026/talk/LBXQ3P/ https://cfp.pacifichackers.com/hackthebay-2026/talk/LBXQ3P/feedback/ WORKSHOPS Workshop 2026-03-23T14:30:00+00:00 14:30 01:30 Analyze malware to find indicators of compromise using static and dynamic techniques. We will modify Windows executables to cheat at games and examine malware's actions, including droppers, botnets, and keyloggers. Participants need a computer with VMware and at least 30 GB of free storage space. All workshop materials are freely available on the Web and will remain available after the workshop ends. hackthebay-2026-82-malware-analysis-learn-windows-internals-and-how-malware-operates WORKSHOP Sam Bowne en false https://cfp.pacifichackers.com/hackthebay-2026/talk/HAWGXZ/ https://cfp.pacifichackers.com/hackthebay-2026/talk/HAWGXZ/feedback/ WORKSHOPS Talk 2026-03-23T16:00:00+00:00 16:00 01:15 There are so many techniques, methods, focus areas in the hacking world which makes it overwhelming to begin. I would want to pause with all my research, pentesting, hacking, exploiting, writing ai to replace me.. and take an hour or two and guide you from the beginning. tackling 10 different areas I played with over the years, how to start, how to dive deep and how to think like a hacker. This presentation will be technical but built for anyone who wants to join this amazing world. We will learn web, mobile, iot, browsers, and more.. how to leverage code analysis and anything that can help you cheat your way into the exploit Following the talk we will have a collaborative workshop practicing these methods Let’s have fun!! hackthebay-2026-80-let-s-hack-from-the-beginning WORKSHOP Rotem Bar en This will be a presentation followed by a workshop on methods and tactics i’ve learned along my hacking adventures. I will pick a exploit or method that worked for me in each field and will drill down on how to look at it from the beginning with only beginner knowledge, I will share my way of thinking and how not to be afraid of going down weird rabbit holes false https://cfp.pacifichackers.com/hackthebay-2026/talk/QRWHYC/ https://cfp.pacifichackers.com/hackthebay-2026/talk/QRWHYC/feedback/ WORKSHOPS Lightning Talk 2026-03-23T17:15:00+00:00 17:15 00:15 CLOSING CEREMONY hackthebay-2026-97-closing-ceremony CLOSING CEREMONY en false https://cfp.pacifichackers.com/hackthebay-2026/talk/NDP7DU/ https://cfp.pacifichackers.com/hackthebay-2026/talk/NDP7DU/feedback/ TALKS Talk 2026-03-23T11:30:00+00:00 11:30 01:15 This session focuses on identity-driven cyber investigations using malicious documents as the primary intelligence source. Rather than treating documents merely as delivery mechanisms, the talk explores how weaponized files especially PDFs, Word, and Excel documents are intentionally crafted to harvest identities, map victims, and support large-scale infostealer and credential theft campaigns. Attendees will explore how malicious documents abuse embedded scripts, macros, metadata, and obfuscation techniques to evade detection while silently collecting identity-related data. The session breaks down how these files act as both an initial access vector and a rich source of intelligence, revealing attacker behavior, targeting strategies, and operational patterns. Through real-world case studies, the talk demonstrates how OSINT techniques can be applied directly to malicious documents to uncover attacker infrastructure, command-and-control relationships, reused artifacts, leaked credentials, and victim profiling indicators. By correlating file metadata, extracted indicators, and open-source intelligence, participants will learn how to transform a single malicious document into a full identity investigation. By the end of the session, attendees will understand how to investigate malicious documents beyond the payload, using them as intelligence artifacts to trace identity abuse, campaign evolution, and attacker tradecraft. hackthebay-2026-72-identity-hunting-with-malicious-documents TALK Filipi Pires en Outline 1 - Introduction & Context - Why identity is the real target behind document-based attacks. - The role of malicious documents in modern infostealer campaigns. 2 - Malicious Documents as Identity Attack Vectors - PDFs, Word, and Excel as weaponized platforms. - Common identity theft objectives in document-based attacks. - From initial access to credential harvesting. 3 - Understanding Malicious Document Structures - High-level overview of PDF, Word, and Excel internals. - Execution flow: scripts, macros, embedded objects, and actions. - Where and how identity-harvesting logic is hidden. 4 - Dissecting a Malicious Document (Live Demo) - Step-by-step analysis of a weaponized document. - Practical use of tools such as: - pdfid, pdf-parser, pdftk and others 5 - Encoding, Obfuscation, and Evasion Techniques ( Demo ) - Common encoding and obfuscation methods used in documents. - Layered techniques to bypass detection engines. - How attackers protect identity-stealing workflows. 6 - OSINT: From Document to Identity Infrastructure ( Demo) - Extracting indicators from malicious documents. - Pivoting to OSINT sources for enrichment. - Identifying Command & Control endpoints and identity abuse infrastructure. - Correlating domains, emails, reused artifacts, and leaked data. 7 - Building an Identity-Focused Investigation -Mapping document artifacts to attacker behavior. - Campaign tracking and attribution signals. - Using document intelligence to support IR, SOC, and Threat Intel teams. 8 - Conclusion & Key Takeaways - Turning malicious documents into intelligence assets. - Investigating identity abuse beyond the payload. - Final insights and open discussion. false https://cfp.pacifichackers.com/hackthebay-2026/talk/3NCYCE/ https://cfp.pacifichackers.com/hackthebay-2026/talk/3NCYCE/feedback/ TALKS Talk 2026-03-23T13:15:00+00:00 13:15 00:45 AI models are increasingly delivered as compiled artifacts inside firmware images and native binaries, particularly in IoT, OT, and embedded environments. While these deployment models improve performance and reduce operational dependencies, they also create security blind spots that are poorly understood. This session examines how AI models can be discovered and analyzed once deployed in embedded systems. The talk focuses on practical reverse engineering techniques used to identify model components, recover structural and behavioral information, and understand the risks introduced by different model packaging and compilation approaches. Attendees will leave with a clearer view of how embedded AI expands the attack surface and why it matters for both offensive and defensive security work. hackthebay-2026-78-reverse-engineering-embedded-ai-models-in-firmware-and-binaries TALK Stephen BrennanUlrich Lang en This presentation takes a technical, hands-on look at how reverse engineers encounter AI models once they are deployed inside firmware images and compiled binaries. Rather than treating AI as a black box, the session walks through concrete analysis workflows that expose how models are packaged, optimized, and executed at the binary level. The talk covers multiple deployment patterns, including serialized model formats and fully compiled inference pipelines produced by modern AI toolchains. Attendees will see how common reverse engineering tools can be used to locate model artifacts, distinguish inference logic from surrounding code, and reason about model structure and behavior even when traditional metadata is absent. Practical demonstrations illustrate how recovered information can be used to reconstruct portions of a model, validate assumptions about its architecture, and assess downstream risks such as unauthorized reuse, tampering, and adversarial manipulation. The session concludes by discussing defensive implications and what these findings mean for teams responsible for deploying or securing AI-enabled systems. false https://cfp.pacifichackers.com/hackthebay-2026/talk/ZHCF3M/ https://cfp.pacifichackers.com/hackthebay-2026/talk/ZHCF3M/feedback/ TALKS Talk 2026-03-23T14:00:00+00:00 14:00 00:45 AI is not just changing the systems we build, but the kinds of issues that show up in a bug bounty queue. As someone who triages submissions for a large public bug bounty program, I've seen how AI related findings introduce new gray areas. These issues do not always look like traditional vulnerabilities. They often sit at the intersection of model behavior, product design, and real security impact. In this workshop, I'll walk through how AI reports enter our bug bounty program, how policy boundaries are applied in practice, and how we evaluate whether a finding represents meaningful risk. In the second half, we'll get hands-on with a vulnerable MCP style server adapted from the open source Vulnerable MCP Servers Lab. We'll reproduce a trust boundary failure, analyze its impact, and walk through how a report like this would be classified and triaged inside a real bug bounty program. This session offers a practical look at how AI vulnerabilities are evaluated from the triage side and how architectural decisions determine whether an AI issue stays theoretical or becomes infrastructure risk. hackthebay-2026-88-what-happens-after-you-report-an-ai-bug-from-model-behavior-to-real-impact TALK Ani Turner en false https://cfp.pacifichackers.com/hackthebay-2026/talk/KNEYAQ/ https://cfp.pacifichackers.com/hackthebay-2026/talk/KNEYAQ/feedback/ TALKS Talk 2026-03-23T14:45:00+00:00 14:45 00:45 The most exploitable attack surface in modern businesses might not be their network perimeter, it's the Bluetooth-enabled receipt printer broadcasting without authentication. This talk demonstrates how trivially easy it is to hijack commercial Bluetooth devices using only a smartphone, then scales that threat to reveal city-wide surveillance implications through systematic warwalking research. I'll demonstrate live exploitation of devices I've compromised in the wild: receipt printers, Samsung TVs, and commercial IoT devices, all requiring zero technical knowledge to attack. Then I'll show how I scaled this from opportunistic hacking to systematic research using a $100 Raspberry Pi rig running Kismet with GPS tracking, collecting over 100,000 device observations across San Francisco, Nashville, NYC, and Las Vegas. The privacy implications are severe: 60-65% of Bluetooth devices broadcast persistent identifiers enabling long-term tracking as people move through cities. I'll present data-driven analysis showing how static MAC addresses combined with GPS logs create a surveillance infrastructure accessible to anyone with basic Python skills. Hotel door locks broadcast room numbers in plaintext. Air purifiers send 50 packets per minute for no legitimate reason. The gap between "possible to secure" and "secured in practice" is enormous. Attendees will see live demonstrations including a receipt printer available for audience hijacking attempts, real-time Kismet data collection from conference attendees' devices, and Python analysis scripts running against live data. I'll share open-source tools for conducting this research and provide actionable defensive recommendations for manufacturers, businesses, and individuals. This presentation combines accessible exploitation demonstrations with rigorous data science to show that if I can build city-scale surveillance infrastructure without Bluetooth expertise, anyone can. hackthebay-2026-77-bluetooth-warwalking-hacking-the-airwaves-with-your-phone-and-a-pair-of-sneakers TALK kn0ck0ut (Matt) en TALK STRUCTURE & TIMELINE (45 MINUTES) ___ This presentation delivers comprehensive coverage of Bluetooth exploitation, moving from accessible demonstrations through systematic data collection to large-scale privacy implications with detailed technical methodology. PART 1: PRACTICAL EXPLOITATION (12-15 MINUTES) ___ I'll demonstrate real-world Bluetooth hijacking using only commodity hardware with expanded audience interaction: • Receipt Printer Takeover: I'll bring an Epson TM-M30II thermal printer and demonstrate the complete connection process step-by-step. I'll share the story of how I discovered and exploited an unsecured café printer using only the free iOS Epson TM Utility app to print messages claiming to be from "time travelers from 2036," which convinced local high school employees they'd made contact with the future. The printer will be live in the room with time for 2-3 audience members to attempt connections during the presentation. This attack requires zero technical knowledge, just opening your phone's Bluetooth menu and downloading an app. • Samsung TV Hijacking: I'll walk through my two-stage attack progression in detail: (1) Audio-only takeover using smartphone Bluetooth pairing (demonstrated at a smoothie bar), showing the actual pairing interface, and (2) Full video control combining Flipper Zero IR commands (universal Samsung remote) with same-network Wi-Fi access (demonstrated at a Chicago bar). I'll demonstrate the Flipper Zero IR commands live if the venue has a Samsung TV. The vulnerability: manufacturer default settings with no authentication. In Chicago, simply asking the bartender for WiFi password gave me complete control of all their Samsung displays. • Extended Device Tour: Detailed demonstrations of additional vulnerable devices including ProSmart bed bases at Mattress Firm, commercial speakers, hotel door locks broadcasting room numbers in plaintext, and smart home devices, all with specific exploitation scenarios and video footage where available. PART 2: SCALING RESEARCH WITH KISMET (15-18 MINUTES) ___ How I moved from opportunistic hacking to systematic research with technical depth: • Hardware Deep Dive: Raspberry Pi 4 + GPS dongle + battery (~$100 total). I'll show the actual physical rig and walk through the complete setup: auto-connects to phone hotspot, establishes Tailscale VPN for remote access, syncs Kismet logs to home server via rsync. I travel with this constantly and will explain why each component matters for scalable data collection. • Kismet Configuration: I'll share my actual Kismet config files, explain what data fields I'm capturing (device names, MAC addresses, manufacturer data, signal strength/RSSI, timestamps, GPS coordinates) and discuss storage requirements and data management at scale. • Dataset Overview: ~100,000+ device observations across San Francisco, Nashville, NYC, Las Vegas. • Extended Live Analysis Session: I'll have the rig running during the talk, collecting data from the conference room. I'll SSH in and execute multiple Python analysis scripts live, showing my complete data pipeline from raw Kismet logs to actionable intelligence. Expect to see real-time enumeration of Flipper Zeros, smart watches, meshtastic nodes, and whatever else attendees are carrying. I'll demonstrate querying patterns across cities and show visualization of tracking patterns. • Cross-City Comparisons: Detailed statistics comparing device security posture across San Francisco vs Nashville vs NYC vs Las Vegas, discussing how geographic and demographic factors influence what devices are present and how they're configured. PART 3: PRIVACY IMPLICATIONS & TRACKING (10-12 MINUTES) ___ Data-driven privacy implications with concrete examples: • Key Statistics: 7-8% devices broadcast human-readable names, 60-65% have persistent identifiers enabling tracking, 99% are Bluetooth Low Energy (IoT dominance), 1,300 devices detected in a 1/4-mile suburban walk. • Tracking Demonstration: I'll show actual examples of tracking specific devices across multiple days and locations using GPS-tagged data (anonymized), explaining how correlation attacks work in practice. Hotel Lock Analysis: Detailed discussion of Bluetooth door locks broadcasting room numbers in plaintext and the privacy implications for hotel guests who don't realize their room location is being broadcast to anyone nearby. • Surveillance Infrastructure: Static MAC addresses + GPS logs = anyone with $100 and basic Python skills can track people moving through cities. I'll discuss how retailers could use this technology, compare it to existing WiFi tracking infrastructure, and explain why Bluetooth tracking is actually more problematic due to its ubiquity and constant broadcasting. • Statistical Deep Dive: I'll present my data science methodology, show visualizations of device density patterns, and discuss temporal patterns (time of day, day of week variations). • Wasteful Broadcasting: Some devices transmit absurdly: Molekule air purifiers send 50 packets/minute (38,000 in 12 hours), Pura fragrance diffusers constantly broadcasting. No legitimate reason for this frequency. PART 4: DEFENSIVE MEASURES & CALL TO ACTION (5-6 MINUTES) ___ • Manufacturers: Specific technical standards they should adopt (default-secure configs, require authentication, rotate MAC addresses), with examples of companies doing it right vs wrong. • Enterprise Security: How businesses should audit their Bluetooth attack surface, specific tools for continuous monitoring, disable discoverability on commercial devices. • Individual Actions: Practical steps attendees can take today to audit their own devices, discussion of iOS/Android privacy controls, understand what your devices broadcast. • Policy Discussion: Should there be regulations around Bluetooth device security? What would effective regulation look like? Core Problem: If I can do this without Bluetooth expertise, anyone can. Q&A (Remaining Time) TECHNICAL DETAILS FOR REVIEWERS ___ • Tools & Code: Open-source Python scripts for Kismet log analysis (available via GitHub), Kismet REST API for real-time data access, FastAPI backend for querying cross-city statistics, integration with WiGLE database (4.5 billion Bluetooth devices mapped globally). • What Makes This Different: Most Bluetooth talks focus on protocol vulnerabilities or specific CVEs. This demonstrates: (1) How trivially low the barrier to entry is (smartphone + curiosity), (2) Surveillance implications at scale, (3) Data science applied to security research, (4) The gap between "possible to secure" and "secured in practice." • Interactive Elements: Receipt printer in room available for audience connection attempts (2-3 participants during talk), live Kismet session showing real-time device enumeration from conference attendees, multiple Python analysis scripts executed live against conference data, open-source tools shared for attendees to replicate research. • Audience Takeaways: Practical exploitation techniques requiring minimal technical knowledge, understanding of systematic warwalking methodology with detailed technical implementation, open-source tools to conduct this research in their own cities, privacy implications of always-broadcasting IoT devices with concrete tracking examples, actionable defensive measures for individuals and organizations. FORMAT NOTES ___ This 45-minute format allows comprehensive coverage of both practical exploitation and research methodology. Real-world exploitation stories create immediate engagement, extended live technical demonstrations show research depth and reproducibility, and detailed privacy implications provide the "why this matters" hook with concrete examples. Live demos include fallback screenshots if connectivity fails. NEW CONTENT FOR HACKTHEBAY ___ This is active, ongoing research with continuous data collection. The HackTheBay presentation will feature: • Latest multi-city comparative analysis including recently completed Las Vegas high-density environment data • Most current statistics from expanded dataset (growth from initial research to 100,000+ observations) • New exploitable device classes discovered through ongoing warwalking • Refined privacy pattern analysis showing geographic differences in device security posture • Updated defensive recommendations based on latest findings • Extended technical methodology section covering data pipeline architecture and analysis techniques Core demonstrations and methodology provide consistent framework, but specific statistics, device examples, privacy implications, and technical depth will reflect the current state of research at presentation time. RESPONSIBLE DISCLOSURE NOTE ___ All exploitation demonstrations use devices I own or have explicit permission to access. No unauthorized access to third-party systems will be demonstrated. The research methodology and tools are shared for educational purposes to raise awareness of systemic security issues and encourage better manufacturer defaults. The goal is to demonstrate how accessible these vulnerabilities are to drive positive change in device security practices. false https://cfp.pacifichackers.com/hackthebay-2026/talk/XNRRSQ/ https://cfp.pacifichackers.com/hackthebay-2026/talk/XNRRSQ/feedback/ TALKS Talk 2026-03-23T15:30:00+00:00 15:30 00:30 This talk is a follow-up to our September research on denial-of-service and permission escape in Claude Code. We now examine how LLM-powered coding agents can be weaponized end-to-end, including paths to remote code execution. Using Claude Code as a primary case study, and extending to VS Code extension exploits and recent Cursor incidents, we show how agent autonomy, extension APIs, and execution boundaries collapse into a practical RCE surface. hackthebay-2026-98-when-agents-execute-rce-paths-in-llm-powered-coding-tools TALK Manesh Babu en false https://cfp.pacifichackers.com/hackthebay-2026/talk/D9EHLH/ https://cfp.pacifichackers.com/hackthebay-2026/talk/D9EHLH/feedback/ TALKS Talk 2026-03-23T16:00:00+00:00 16:00 00:45 This hands-on workshop dives into real-world AWS misconfigurations that attackers actively exploit to gain privilege escalation and access sensitive data. You’ll step into the shoes of an adversary and learn how common oversights like loose IAM roles, misconfigured Cognito identity pools, or exposed metadata endpoints can be chained into full-blown breaches. hackthebay-2026-92-hunting-shells-via-chaining-misconfigs-in-aws TALK SumanthBhagavan Bollina en Key Takeaways: ● Escalate IAM permissions to gain admin-level access ● Exploit SSRF in EC2 to steal credentials ● Abuse misconfigured Cognito identity pools for unauthorized access ● Understand how small missteps can trigger large-scale compromise ● Use tools like Cloud Nuke to safely clean and reset your infrastructure Built for all skill levels, this lab gives security engineers, DevOps teams, and developers a safe space to break things, fix them, and come out with a sharper eye for spotting these risks before attackers do. false https://cfp.pacifichackers.com/hackthebay-2026/talk/QQRLTF/ https://cfp.pacifichackers.com/hackthebay-2026/talk/QQRLTF/feedback/ SOLDERING VILLAGE Village 2026-03-23T11:30:00+00:00 11:30 05:00 Do you want to learn how to solder? Are you afraid of thinking you are going to burn yourself? Don't be scared, we've got your back. Famous and renowned badge Maker Abhinav (Panda) Pandagale will teach you the basics of soldering. You are going to have a chance to solder a badge. hackthebay-2026-93-soldering-101 WORKSHOP Abhinav Pandagale en false https://cfp.pacifichackers.com/hackthebay-2026/talk/FX83XQ/ https://cfp.pacifichackers.com/hackthebay-2026/talk/FX83XQ/feedback/ VENDOR AREA Village 2026-03-23T14:00:00+00:00 14:00 03:00 THANK YOU YESWEHACK FOR YOUR SUPPORT hackthebay-2026-96-happy-hour HAPPY HOUR en false https://cfp.pacifichackers.com/hackthebay-2026/talk/FFD9GD/ https://cfp.pacifichackers.com/hackthebay-2026/talk/FFD9GD/feedback/