06:30
06:30
150min
Wakeboarding and Wakesurfing
Somerset Recon

Like hacking computers? Now it's time to hack the wake! This event will allow participants of all abilities to wakeboard or wakesurf. Whether an advanced rider throwing toeside backrolls or a beginner who has never stepped foot on a wakesurf, this event will cater to the rider's ability and allow for a fun experience. Experienced instructors will provide participants with tailored tips and the equipment necessary for success. All boats, boards and safety equipment will be provided by the organizers. Participants must be at least 6 years of age or older and know how to swim (participants under 18 will need a parent/guardian to sign the liability form).

If you're interested in signing up for this, please indicate such in the questionnaire you have received from ToorCon and we'll get in touch.

Activity
Wake Boarding
09:30
09:30
20min
Opening Remarks
The Point
10:00
10:00
50min
KEYNOTE: The Demise of the Cybersecurity Workforce (!?)
G. Mark Hardy

Our career has been growing like crazy with an estimated 3.5 million unfilled cyber security jobs within the next few years. More certs, more quals, more money, right? But what if we’re wrong? AI, outsourcing, and visa programs may put a huge downward pressure on future job opportunities (and pay) in America. Of course, we don’t WANT this, but shouldn’t a wise professional prepare for possibilities? We’ll look at facts, figures, industry trends, and possible futures that might have us thinking that 2021 represents “the good old days.” No gloom-and-doom here; just a risk-based look at what happens if we really can NOT get the talent regardless of price, and why financial incentives haven't effectively raised the ability level of our cybersecurity workforce.

Talks
The Point
10:00
480min
ToorCon CTF

CTF begins 10:00 AM Tuesday October 12 and will continue through 4:00 PM Wednesday October 13th. (We can adjust the end time to whatever will work best for finalizing the standings and getting that info to the Closing Remarks people.)

No pre-registration is required, but people are encouraged to form teams before Toorcon. The Scoreboard URL will be posted in Toorcon Discord at 10AM Tuesday. Players can register then.

They can also follow us on Twitter for announcements and hints at @toorconctf.

There is no additional cost to participate in our CTF. It is open to all Toorcon attendees, virtual or in-person. (Some people were confusing our CTF with the Embedded CTF, which cost an additional $99.)

Activity
ToorCon CTF
11:00
11:00
50min
Fuzzers, analyzers, and other Gophers insecticides
Alex Useche

Go is a great language that is explicit, simple, and it makes writing concurrency extremely easy. Yet, it suffers from many of the same vulnerabilities you'd encounter in C and C++ applications. Writing concurrent Go code can also be risky, as vicious concurrency bugs can slowly sneak into your application. So, how can you get started discovering vulnerabilities in Go code? This talk will discuss approaches to finding vulnerabilities in Go code and the state of static and dynamic analysis tools for automated discovery of Go vulnerabilities, from static analysis to fuzzing to fault injection. We will learn about common vulnerabilities in Go and how to catch them, whether you are a security researcher or a Go developer.

Talks
The Point
12:00
12:00
50min
Lunch
The Point
13:00
13:00
50min
Sleight of ARM: Demystifying Intel Houdini
Brian Hong

In recent years, we have seen some of the major players in the industry switch from x86-based processors to ARM processors. Most notable is Apple, who has supported the transition to ARM from x86 with a binary translator, Rosetta 2, which has recently gotten the attention of many researchers and reverse engineers. However, you might be surprised to know that Intel has their own binary translator, Houdini, which runs ARM binaries on x86.
In this talk, we will discuss Intel's proprietary Houdini translator, which is primarily used by Android on x86 platforms, such as higher-end Chromebooks and desktop Android emulators. We will start with a high-level discussion of how Houdini works and is loaded into processes. We will then dive into the low-level internals of the Houdini engine and memory model, including several security weaknesses it introduces into processes using it. Lastly, we will discuss methods to escape the Houdini environment, execute arbitrary ARM and x86, and write Houdini-targeted malware that bypasses existing platform analysis.

Talks
The Point
14:00
14:00
50min
Extra Better Program Finagling (eBPF) for Attack and Defense
Richard Johnson

Program instrumentation and tracing is a key component of any offensive persistence framework or defensive endpoint detection and response (EDR) technology. This talk will focus on the latest tracing infrastructure known as Extended Berkeley Packet Filters (eBPF) which is currently supported on Linux and is coming to Windows as well. eBPF is complex with several front end languages and backend hooking engines. This talk will explain how eBPF works, what it takes to write eBPF based hooks, and demonstrate two simple tools for verifying or infecting ELF binaries on the fly.

Talks
The Point
15:00
15:00
50min
Getting Down with Bringup
Gene Erik

Discussing the interesting things in pre-boot stages of systems, especially SoCs. Cool stuff and tools, places to "hook", and why adding a resistor in the right place can drop the system to "debug" mode.

Talks
The Point
16:00
16:00
50min
Making Mischief with Machine Specific Register Based Exploits
John D Dunlap

You can use your favorite system monitoring drivers to gain code execution in the kernel by writing to a single register.

Model Specific Registers (MSRs) are little known outside of Kernel developer circles. Even among kernel hackers, the use of each register is not well known, with several registers being either partially or fully undocumented. This has led to a proliferation of low quality kernel mode drivers that expose primitives to read and write to these registers. While writing to a single register is seldom cause for celebration by the exploit developer, in several instances an understanding of these registers can lead to kernel remote code execution allowing for privilege escalation. This talk will explore the purpose of these special registers, how we can use them to get kernel code execution, and how developers should be protecting themselves from these attacks.

Talks
The Point
17:00
17:00
50min
Free as in Beer: Building a low cost static analysis program
Erin Browning, Tim Faraci

Static analysis can be expensive, time consuming, full of false positives, a pain in the rear to manage multiple languages, and not very configurable. But no more! At Slack, we’ve designed a static analysis program which utilizes one free, highly configurable tool to scan over 60 different codebases in six languages and has saved us over $700,000 annually. Semgrep, an open source static analysis engine, uses highly configurable rules. Tuning these rules to our specific environment saves developer time while providing useful guard rails against dangerous code patterns. We’ve been able to reduce false positives by over 80%, and we’ve removed rules that don’t apply in our environment. Adding a new codebase to our scanning pipeline adds almost no additional overhead; we merely add one line to a file to enable the scans and review new results. Implementing our program this way has allowed us to meet our compliance requirements while providing a useful, low overhead static analysis program.

Talks
The Point
18:00
18:00
20min
Dinner
The Point
20:00
20:00
180min
Private Viewing: James Bond No Time to Die

We've rented out a private theater for us to view the new James Bond movie! Come join us after dinner to see an in-person movie!!!

AMC Fashion Valley 18
7037 Friars Road, San Diego, California 92108

Activity
AMC 18 (Fashion Valley)
10:00
10:00
50min
KEYNOTE: On Hardware Hacking and Turtles
Jasper van Woudenberg

Hardware hacking is usually associated with soldering irons and wires, with the PCB being the primary attack surface. In reality, it's turtles all the way down: the deeper you dig, the more opportunities for attack emerge. I'll give a whirlwind tour of the incredibly diverse field of hardware hacking, including how transistors emit light and leak secrets, how to simulate hardware faults, and how you may spend most of your time dealing with software. I'll discuss how some attacks need a professional lab, but many can be done on a limited budget. This talk should allow anyone with a general technical background to walk away with an insight into what all this "hardware hacking" can mean.

Talks
The Point
10:00
360min
ToorCon CTF

CTF begins 10:00 AM Tuesday October 12 and will continue through 4:00 PM Wednesday October 13th. (We can adjust the end time to whatever will work best for finalizing the standings and getting that info to the Closing Remarks people.)

No pre-registration is required, but people are encouraged to form teams before Toorcon. The Scoreboard URL will be posted in Toorcon Discord at 10AM Tuesday. Players can register then.

They can also follow us on Twitter for announcements and hints at @toorconctf.

There is no additional cost to participate in our CTF. It is open to all Toorcon attendees, virtual or in-person. (Some people were confusing our CTF with the Embedded CTF, which cost an additional $99.)

Activity
ToorCon CTF
11:00
11:00
50min
The Unauthorized Guide to the LUNA USB Multitool
Karl Koscher

The LUNA USB Multitool is Great Scott Gadgets’s forthcoming FPGA-based platform intended for USB hacking and development. This talk will walk through several supported use cases, including analyzing high-speed USB traffic, emulating USB devices with the FaceDancer framework, and performing MitM attacks against USB. Additionally, this talk introduces ways you can (ab)use its FPGA-based design in unsupported ways, such as using the hardware as a flexible FPGA development board with extensive USB connectivity, as well as targeting the LUNA gateware to other, unsupported FPGA boards.

Talks
The Point
12:00
12:00
50min
Lunch
The Point
13:00
13:00
120min
Free as in Beer: Building a low cost static analysis program (Demo Time)
Erin Browning

We will demo tuning static analysis rules to specific environments. Attendees will need to download Semgrep, the static analysis engine our program is based upon, beforehand. We have tuned our rules extensively, which has greatly reduced our false positive rate.

Workshops & Demos
The Lawn - Beta
13:00
240min
House of Heap Exploitation (Workshop)
Maxwell (Strikeout) Dulin, Kevin Choi

Heap exploitation is an incredibly powerful tool for a hacker. As exploit mitigations have made exploitation more difficult, modern exploit development has moved to the heap. However, heap exploitation is a subject that has evaded many people for years for one reason: they focus on the techniques instead of the allocator. By learning with an allocator first style, the techniques are easily understood and practical to use.

This workshop is for learning heap exploit development in GLibC Malloc. GLibC Malloc is the default allocator on most Linux distros. With this hands-on introduction into GLibC Malloc heap exploitation you will learn how the allocator functions, heap specific vulnerability classes and to pwn with a variety of techniques. Whether you're an avid CTFer or just trying to get into heap exploitation on your pwnables site, this course is good for adding another tool to the tools arsenal. After taking this course you will understand the GLibC Malloc allocator, be able to discover heap specific vulnerability classes and pwn the heap with a variety of techniques, with the capability to easily learn more.

Workshops & Demos
The Point
13:00
240min
Nerf Modding 101 (Workshop)
Riverside

Are you a gadgeteer, modder, tinkerer? Do you want to be but hardly know how to use a screwdriver? Well, then this workshop is for you... There is no reason to settle for a stock blaster out of the box!

Join long time prop maker, inventor & nerf modifier Riverside in a workshop that will go step by step through modding the Nerf Zombie Strike Hammershot Blaster; one of the hottest blasters on the market.

What will I learn if I join this workshop?
In this workshop you will learn the secret inner workings of the four major classes of nerf blaster (Electric, Spring, Air, Gas).

We will cover modification principles for both functionality (shoot farther) and cosmetic (wow that's pretty/cool!)

This includes masking & paint, form factor changes (addition and reduction), air-flow restriction removals, and a lot more...

As part of our nerf gun cosmetics instruction, we will be covering an introduction to basic electronics and the use of LED lights to make things glow as well as the basics of Bondo to change shapes of basic guns.

Of course all of this amazing stuff will require some crazy tools: drills, hammers, saws, Dremels, etc. So we will be going over the proper "safe" use of each tool for beginners.

NOTE: Basic paint colors will be provided. If you would like super fancy colors and want to bring your own, please contact the instructor ahead of time to ensure it is the right type of paint (Must be paint for plastic).

Workshops & Demos
The Lawn - Gamma
13:00
120min
The Unauthorized Guide to the LUNA USB Multitool (Demo Time)
Karl Koscher

I will have my LUNA prototype with me that people will likely be able to experiment with. I’m hoping to have a CodeSpaces-like environment where people can simply load up the base LUNA code base in their browser, hack on some Python or nMigen gateware, run tests, and finally see their hacks running on real hardware.

Workshops & Demos
The Lawn - Alpha
15:00
15:00
120min
Fuzzers, analyzers, and other Gophers insecticides (Demo Time)
Alex Useche

I will demo three tools:

  • Go-fuzz for fuzzing Go applications
  • GCatch for detecting concurrency bugs in Go code
  • gotico, a tool currently in development for catching library-specific bugs

Workshops & Demos
The Lawn - Beta
15:00
120min
Getting Down with Bringup (Demo Time)
Gene Erik

For the demo, we will take a look at a modern ARM-based platform and an x86/64 platform that are easy to recover from if broken. We'll build some firmware, learning the tools, break a device, recover it, look at debug points. Attendees will probably need/want some VU meters, FTDI/TTL connectors, power strips, and something Raspberry Pi-like to follow along.

Workshops & Demos
The Lawn - Alpha
17:00
17:00
10min
The isle of tortuga, but on the internet
Dan Tentler

Despite several thousand companies in the security space doing everything from PR to deep packet inspection and threat intelligence, the internet is still very much lawless, international waters. Largely because policymakers and elected officials just "aren’t computer people" and are woefully underprepared to deal with highly technical topics. Add to this that most organizations do not actually do much real security - they only do whatever their corporate compliance legally requires, and few companies do anything more. The result of this arrangement is that ransomware gangs and other flavors of attackers can do whatever they want with impunity - and they're getting creative about it. In this presentation we'll cover some of the threat landscape we've seen in recent years, and what businesses and governments are doing to stay on top of things.

Lightning Talks
The Point
17:15
17:15
10min
HACK THE, er... WESTERN HEMISPHERE!!
Karl Koscher

We're legitimately live-streaming Toorcon across North America via a geosynchronous satellite. This talk explains how we did it.

Lightning Talks
The Point
18:00
18:00
20min
Closing Remarks
The Point
18:30
18:30
90min
Beach Luau

We'll be grilling up some amazing food on the beach and have bonfires going to chill around. Join us to eat some grub before heading to the party downtown!

Activity
Beach Lounge
21:00
21:00
180min
Party!
Keith Myers

We've rented out our own space at the lively Toro nightclub downtown and have none other than Keith Myers and a slew of other infamous hacker DJs to rock the con all night long. Come join us downtown in our exclusive space with some of the best DJs in the scene!

Activity
Toro (Downtown)
10:00
10:00
440min
Beach Lounge & Activities

We'll be grilling up food all day and have tons of activities lined up at the Mission Bay Sportcenter that's next to The Point. We'll be running sign-ups for the activities throughout Tuesday & Wednesday and sending out a poll to attendees the week before the event to gauge interest. We look forward to having a great fun day with you all! Here's a sample of the available activities we're considering:

  • Take a Sailing Class
  • Jet Ski Tour of San Diego Coastline
  • Glow Paddleboard Tour (at Night)
  • Paddle Pub Tour of Mission Bay
  • Stand Up Paddleboard Yoga
  • Rent a Jetpack!
  • Rent a Power Boat
  • Rent a Jetski / Waverunner
  • Rent a Sail Boat / Catamaran
  • Rent a SUP / Kayak
  • Ride Rollercoasters

Activity
Beach Lounge
15:00
15:00
120min
Paddle Pub & San Diego Beer Tasting

We're renting a paddle pub and getting a bunch of SD beers for everyone! Feel free to join us on this 12 passenger paddle boat that YOU (and your beer) power. We'll have two sailings, leaving the dock at 3PM and 4PM, respectively.

NOTE: Attendance is limited. There will be sign-up sheets to reserve a seat, and EVERYONE HAS to fill out a waiver form in advance of the event.

Activity
Paddle Pub
17:30
17:30
90min
Escape Rooms!

We've rented out 3 different escape rooms at Quicksand Escape Games for us to tackle. We need 3 groups of up to 8 people each to head over. Must be there by 5:30pm and expect to be done around 7pm.

Activity
Escape Rooms
20:00
20:00
120min
Party Cruise

We've bought a ton of tickets for the Bahia Belle Bay Cruise for us to take from 8pm-10pm. There are drinks available on-board and we'll be catching it at the dock at the Catamaran Resort.

Catamaran Resort
3999 Mission Blvd, San Diego, CA 92109

Activity
Bahia Belle