Riverside Receptions, 50 Oxlade Drive, Brisbane QLD 4005
CrikeyCon is a community-led conference targeting those with an interest in information security around South East Queensland and beyond.
The informal style of the event is designed to facilitate knowledge sharing between all participants. CrikeyCon consists of presentations and demonstrations by industry professionals, security wizards, and enthusiasts alike.
CrikeyCon is run on a costs recovery basis, with surplus funds donated to worthy registered charities in the greater Brisbane area.
Tickets MerchandiseOur lovely MC
The IDEs of March
Software is “eating the world”, and in the era of DevOps, those who are cutting the code often have privileged access to production systems and software delivery pipelines. A developer’s workstation is a fantastic place for an adversary to “be” in 2019.
We’re relentlessly and rightfully focused on secure design, code quality, and killing bugs. Are we hearing the call to protect the people and systems responsible for building and operating our squeaky clean code?
Through a in-depth breakdown of security bugs in client-side software development tooling (which are used by developers and hackers alike) and some crazy arm-waving and posturing about the CI/CD’s and the Jenkinses, we’ll explore the insecurities of software development software. How might an attacker gain control over a developer’s workstation? What might they do once they pop shell? And what can we possibly do to pursue business excellence through end-to-end secure delivery of software?
Justin is an independent AppSec professional, specialising in Application Security Review and Source Code Review. He has discovered and disclosed remote code execution vulnerabilities affecting software such as Ruby Version Manager (RVM), Visual Studio Code and Metasploit (yo dawg I heard you like exploits). He is the author of “Do Stack Buffer Overflow Good” (a popular introductory guide to stack buffer overflow exploitation launched at CrikeyCon 3), an avid bug bounty hunter and CTF competitor, and in his spare time he live-streams the exploitation of binary “pwnables” on twitch.tv
Heap metadata corruption on modern Linux
Heap metadata corruption attacks are not new. In July 2000, Solar Designer introduced the unlink write-what-where technique and heap exploitation from metadata corruption was born. The unlink attack has been prevented for more than a decade through metadata integrity checks and many more heap exploitation mitigations have been implemented since then.
Does heap metadata corruption still provide anything useful to an attacker on modern Linux?
The short answer is yes.
This presentation looks at some of the known attacks that still work to manipulate the Linux heap. We'll look at techniques like the House of Spirit, the House of Force, freelist poisoning, double frees, and the tcache changes introduced to the glibc allocator in recent years.
If you want to learn about the internals of the current Linux heap allocator, then attend this talk.
Dr Silvio Cesare is the Managing Director at specialist training provider, InfoSect (http://infosectcbr.com.au). He has worked in technical roles and been involved in computer security for over 20 years. This period includes time in Silicon Valley in the USA, France, and Australia. He has worked commercially in both defensive and offensive roles within engineering. He was previously the Director for Education and Training at UNSW Canberra Cyber, ensuring quality content and delivery. He is also the co-founder of BSides Canberra - Australia's largest cyber security conference. He has a Ph.D. from Deakin University and has published within industry and academia, gone through academic research commercialisation, and authored a book (Software Similarity and Classification, published by Springer).
How to lose a container in 10 minutes.
Moving to the cloud and deploying containers? In this talk I discuss both the mindset shift and tech challenges, with some common mistakes made in real-life deployments with some real life (albeit redacted) examples. We’ll also look at what happens to a container that’s been left open to the Internet for the duration of the talk.E
Sarah is a security architect based in Melbourne, Australia.
She has a decade of experience in tech and is particularly interested in cloud security, container security and good ol' fashioned networking and infrastructure security (having previously worked as a network engineer).
In her current role, Sarah helps enterprises move their stuff into the cloud securely.
Sarah spends most of her spare time speaking at security conferences in various parts of the world, eating hipster brunches and high teas and spending a disproportionate amount of her income on travel.
She is still holding out hope that - despite the obvious blockers - either Justin Trudeau or Prince Harry will become her husband one day..
Stealing Chrome cookies without a password
Buckle up kiddo we're gonna commit digital sin
If you steal someone’s Chrome cookies, you can log in to their accounts on every website they’re logged in to.
Normally you need the user’s password to do it, but I found a way to do it without the password. You just need to be able to execute code on their computer. It works by using Chrome’s Remote Debugging Protocol. To my knowledge this is the only way to extract a user's Chrome cookies without their password, and by far the easiest way.
It involves plugging together several extremely forbidden and undocumented Chrome features, as well as figuring out how to speak the websocket protocol stealthily on a victim's machine.
This talk is about how the technique was found, how it works, and what you can do with it.
Alex does company-sponsored crimes (Red Teaming), recently completed Operation ACTUAL CRIMES, and can't wait until they're inevitably struck down by their own hubris. They're known for hacking a friend (with consent!) in Operation Luigi, being an organiser for purplecon (a defensive, inclusive, pastel-purple security conference) and for writing dumb blog posts on https://mango.pdf.zone.
This year they're looking forward to realising that the true exploits were the friends we made along the way.
Overwatch Offensive Digital Espionage
In the last few years we have seen a number of classified documents leaked from Wikileaks. This includes the data dump from the CIA’s entire hacking arsenal, which has been named “Vault 7”.
With parts of the dumps redacted and without access to the code base this will apparently make it harder for would-be hackers and governments to mimic the agency’s tool's.
So being a would be hacker and always dreaming and wanting my own cyber espionage weapon. This one quote from Charlie Miller constantly ringing in my ears “The difference between script kiddies and professionals is the difference between merely using other people's tools and writing your own."
I will present and demonstrate how I tried to develop my own cyber espionage weapon using “Vault 7” leaks as a development base.
I will discuss and demonstrate the development life cycle and how the “Vault 7” leaks helped me determine possible code base and testing metrics. I will show how the leaks allowed me to plan and begin my journey into my own personal cyber espionage weapon.
During my presentation I will discuss my requirements and how I tested my new toy in my lab environment (Family & Friends) and then in real world Red Team Assessments, discussing the lessons learnt from real world testing.
I will then take the plunge into the dark abyss and after talking the talk. I will walk the walk and demonstrate live, my new espionage weapon.
Wayne has conducted security assessments for a range of leading Australian and international organisations. Wayne has unique expertise in Red Team Assessments, Physical, Digital and Social and has presented to a number of organisations and government departments on the current and future state of the security landscape in Australia and overseas.
Blue Team Bluez
My presentation will go into the difficulty in monitoring and detecting red teams / nation state attackers. These hard lessons have been learnt through years of overexcited management keen to 'test' their organizations ability to respond. My therapist tells me that talking things through will help recover from the PTSD, therefore I will share some of the highs and lows of my blue team experience. In reflecting on on this, I will delve into the issues on why building detection's is a hard business and identify some key learning's. Mixed with a little red vs blue humor (and a healthy does of self-deprecation) it should make for a good show.
Ben Passmore started his career developing those really bad PHP sites everyone laughs at. After having so many fall pray to script kiddies he became the defunct security guy. From there he ventured into penetration testing for a few years but eventually fell was pushed into incident response. With nearly a decade of breaking or investigating things he may have some pearls of wisdom ... or he may just whinge that IRC was the superior communication platform.
Risky Risks are Risky
Risk is a strategy board game of diplomacy, conflict and conquest for two to six players. The standard version is played on a board depicting a political map of the earth, divided into forty-two territories, which are grouped into six continents.
Or is it?
The fact is I believe that the concept of risk is a massively misunderstood in our industry, by customers, by practitioners, and by vendors, even by people who put risk on their LinkedIn profile.
So laugh at me whilst I attempt to decipher the real game of risk, and why for many of us it’s simply the screwdriver we use as a hammer to nail post it notes to an office window because Gartner says security needs to be agile in 2019.
Eric has been breaking things just to fix them again since before he could walk, at 20, he spent his summer evenings as a nightclub bouncer, and read tarot cards during the day. He didn’t realise it back then, but nothing could have prepared him better for a career in Infosec, trying to predict the future, whilst ducking the punches.
Eric cut his teeth as a technologist for the BBC World Service in London, where he learned the importance of ‘educate, inform and entertain’ he also developed his passion for emerging technologies with a bent for security. Arriving in Australia in 2003 he landed an operational role at Australia’s first IP Telco, and has since served hard time at Telstra, Stratsec/BAE Systems, Datacom, CSC and finally Hivint, a TrustWave Company.
Eric has presented at Crikey, Cebit, AusCERT, AISA and AusNOG believes in a healthy level of cynicism and blogs about privacy, security and the myth of infallibility in humans.
Women's Stories from the Tech Trenches
A call was put out to women in technology across the globe for their stories of how they've been treated in the tech industry, to highlight things that have been done but are never spoken about...and the stories came *flooding* in. This discussion will go through some of those stories to shine a light on them and show they are not the exception, they are more common than you think; but it will also describe ways that you, as an ally to women and other minorities in this industry, can help and stamp out this kind of behaviour. We are one community and we want to lift *everyone* up!
Ops Witch, Lego zealot, WoW addict, purple-haired weirdo, geek, mum & Microsoft MVP! She/Her.💜 Provider of sarcasm, cynicism & profanity! 💜
Tales from the Dark Web : The Case of the Midday Hacker
"It was a dark and stormy night; the rain fell in torrents – except at occasional intervals, when it was checked by a violet gust of wind which swept up the streets (for it is in suburban Brisbane that our scene lies), rattling along the housetops, and fiercely agitating the scanty flame of the lamps that struggled against the darkness. (Edward Bulwer-Lytton, 1830) The river had swelled and the boats lay adrift from their moorings, whilst the haunting sounds of leaves from the trees, brushing against broken windows, bestowed the unfathomable foundation for what lie ahead.
Afoot was a sinister character, adorned in dark robes, a faceless mystique and a presence of unimaginable evil, plotting and planning a diabolical ruse. The scene is set. No actors garnish this script. Only the blackness that circles our souls and the fear of the exceptional that will leave you with a chill of insecurity down your spine.
Dare you enter this catacomb of mystery, treachery and deceit?
This is a true story, never before told in public, of how a certified hacker was arrested and charged by Queensland Police in February, 2013 and faced 20 years jail for offenses under CRIMINAL CODE 1899 - SECT 408E - Computer hacking and misuse, which were alleged to have occurred on the Australia Day long weekend in January 2013 - the weekend when Cyclone Oswald took hold and damaged the Queensland coast, leaving a trail of natural destruction.
The events that followed unravel in a web of deceit, corruption and a maniacal need to exhibit power on those considered lesser in the minds of those who consider themselves as untouchable.
In August, 2015, the matter finally came before a Brisbane court. What happened on that ill-fated day, will leave you shocked and appalled. But leave you will, with a memory that will haunt your soul for ever more."
Warren Simondson is managing director and founder of Ctrl-Alt-Del IT Consultancy, an Australian firm established in 2002. The company is known globally for its commitment to expertise and knowledge sharing throughout the community and the provision of its Freeware applications to extend the functionality and management of server based computing environments. Locally, the company is also well respected in the area of I.T. Forensics, for which Warren personally dedicates an ethos of truth and justice in the investigation of allegations of hacking and computer misuse. Warren has worked in the information technology field for over 25 years and is an evangelist for emerging technologies in mobility, IoT, server based computing, cloud and virtualisation. Warren holds various qualifications in post graduate study as well as industry based certifications in Citrix, Microsoft and VMware Technologies to name a few. He is an EC-Council CEH (Certified Ethical Hacker, CHFI (Computer Hacking Forensic Investigator) and a CEI (Certified EC-Council Instructor). He has spoken at many major conferences around the world and commits himself to community collaboration.
Check out www.ctrl-alt-del.com.au and be sure to follow his Twitter handle: @CADITC.
Breaking in with DNS rebinding
Improved ways of doing DNS rebinding, just how bad the trashfire is and where there are tonnes of problems (and how to find lots of 0days) and a demo of breaking into someones house by using DNS rebinding on a home automation system.
Senior Security Consultant for ContextIS and security researcher.
Helping make better security decisions with ATT&CK
Aimed at a non technical audience or those speaking to a non technical audience, this presentation certainly fits in to the "business excellence and passionate ranting" section.
Purpose:
By illustrating three quick scenarios how the open source information within the
MITRE ATT&CK framework can be used, explained and visualised for management we can not only
solve the problem of the ""detection bingo card"" (aka:""we must detect everything""), but we
can also help set intelligence priorities and start establishing exactly what is important for
us, and our security programs.
Promoting industry vertical collaboration based around the ATT&CK matrix, as it becomes easier to share relevant information without exposing potential problems or holes in security."
After working for five and a half years within Government, two and a half years in finance, Kevin now works as Symantec's Australia Pacific Japan Manager of Cyber Intelligence. Key elements of his variety of intelligence roles has always been explaining key concepts to non-technical internal stakeholders and fostering inter-agency and inter-organisation intelligence sharing and collaboration.
Reverse Engineering an Endpoint Protection and Response (EDR) product
Endpoint Detection and Response (EDR) product vendors will give you the spiel on what they do and their capabilities, but how do they actually work at the lowest level? And how can we discover weaknesses in these products to develop bypasses or evaluate them?
Join me as we reverse engineer an EDR product and the windows kernel to unveil its inner-workings, alongside the windows kernel structures and functions EDR products rely on to operate, and by doing so discover weaknesses and gaps in their protections that allow actors to bypass the product’s defenses, rendering them null&void.
Finally, by abusing an identified weakness I’ll use a custom-build mimikatz to dump all the hashes on a machine protected by EDR.
I am a Security Consultant at Context Information Security, I’ve worked on all types of engagements including testing critical infrastructure (autonomous trains, air-traffic control systems) and red teaming, with knowledge and experience in Windows internals and Windows kernel programming. Recent research includes reversing endpoint security products.
Electric Blue: Lessons Learned from a blue team securing Azure
Like a lot of companies, we've been transitioning infrastructure to the cloud. As a SOC analyst this meant that our protection needed to be extended to incorporate the new infrastructure, while also ensuring detection and mitigation of new attacks and risks.
This involved undertaking a deep assessment to understand threats and vectors in the environment, this presentation details some of the interesting things that have been uncovered, and could help both red and blue teams respectively.
Sean is a senior security analyst that works at one of the nations top financial institutions by day, and by night he's tinkering and experimenting with new technologies. He's worked in red teams, blue teams, and as an engineer developing the infrastructure for both.
Cutting to the core of Apple WiFi
iPhones have an enviable reputation for security. The close link between hardware and software, curated AppStore, and frequent security updates make exploitation of the iPhone difficult. This has, however, not deterred malware companies and others from compromising iOS devices by exploiting security flaws in the browser, the 4G baseband processor, and the Wireless Network Interface Controller (WNIC).
In this presentation we focus on exploiting the WNIC. This avoids many of the defences built into iOS and exposes a new set of otherwise inaccessible attack surfaces within the iOS kernel. We’ll also take a look at how Apple makes the iOS WiFi stack “think different”. This includes a brief coverage of Bonjour and the Apple Wireless Direct Link (AWDL) protocol that’s at the heart of AirDrop, AirPlay, and similar services. These protocols have been implemented, in part, by offloading some of their processing onto the WNIC itself - and we’ll look at how this might help exploit the device. The approach taken here follows in the steps of Gal Beniamini’s Project Zero articles and that of SEEMOO's NexMon framework and we’ll bring things up-to-date in light of Apple’s latest security controls. In practical terms, we’ll show how to find, analyse, reverse engineer, and patch the WNIC's firmware and conclude with a discussion of WiFi fuzzing and exploit hunting.
Steve is a developer, researcher, and educator specialising in network and software security.
The Boring Security Talk
We all know that securing our applications is a necessity, but it can be incredibly boring. With time and budget constraints, we often focus on the more exciting security aspects and tools. In this talk, we'll be looking at some of the aspects to our application security that are often overlooked; the software we depend upon, CI/CD infrastructure, sending email and resolving DNS.
Vulnerabilities here might not result in a newsworthy breach, yet they are still worth discussing and defending.
Kieran Jacobsen is the Head of Information Technology at Readify and a Microsoft MVP for Cloud and Datacenter Management. Kieran maintains several PowerShell modules, supports Planet PowerShell (https://planetpowershell.com), and writes the Posh Security (https://poshsecurity.com) blog. Kieran is a regular speaker at a various conferences and user groups including NDC Sydney, CrikeyCon and Experts Live.
Defect to doctrine: security bug case studies
I am not a security research or bug bounty hunter. Just a humble programmer who has found and fixed some security bugs over the years. I admire exploit authors who take advantage of programmers' mistakes to penetrate, pivot and profit. But this is not that talk.
As an industry, we can (and must) improve the security of the the systems we write by learning from our mistakes. Every bug tells a story. Every story has a moral, if you care to look for it.
In this talk I will describe four different vulnerabilities in programs I worked on, including FreeIPA, Dogtag PKI and Firefox. I will explain what the bug was, it's impact, how it was discovered and how I resolved it. From each case study I will develop one or two important principles for secure programming.
This presentation will be most useful for programmers, engineering managers, and security folk who want an engineer's perspective on how issues arise and how to avoid them.
Fraser works at Red Hat on the FreeIPA identity management system and Dogtag Certificate System. He's interested in security, cryptography and functional programming. Jalapeño aficionado.
Hacking & Unhacking Yet Another IOT Device
It is estimated that 127 new devices connect to the internet every second (McKinsey) and by 2020 there will be over 26 billion connected devices, which means they will outnumber humans 4-to-1 (Gartner).
This talk investigates the current state of IoT security. We look at how easy IoT devices are to compromise and steps being taken to mitigate this growing issue.
Harry Shepherd is a security researcher currently focused on IoT. He enjoys fishing and camping with his dog Knox.
Kylie McDevitt is currently Director of Emerging Technology and Engineering. She is responsible for leading vulnerability research into emerging technologies as well as developing and providing security architecture advice to early adopters.
Introducing the CCM - Cyber Century Mentoring
Cyber Century Mentoring (CCM) is an international volunteer organisation, founded by our directors, Amanda-Jane Turner (Australia) and Lana Tosic (New Zealand), and our communications manager and blog editor, Kristine Sihto. CCM aims to be a part of the solution to the 'cyber skills shortage' by connecting mentees in the Information Security industry with appropriate mentors to guide them on their journey, develop mentors' skills, and inspire and motivate people in the information security industry. Along the way we will provide supporting resources for both the mentor and the mentee.
Kristine Sihto is a freelance technical writer and editor who transitioned from the training industry to information security in 2016. Her self-imposed mission is now to support the Information Security community through creativity: through the written word, artwork, and the occasional sewing project.
She volunteers as the Senior Blog Editor and Communications Manager for Cyber Century Mentoring (CCM), and has written for the Australian Women in Security Network (AWSN) blog. Kristine also enjoys assisting with other InfoSec events across South-East Queensland, particularly where these may lead to any opportunity to get her hands dirty or to learn new skills.
Scaling your "inner cyber"™
Nowadays IT is all about scaling and agility; containerization, virtualization, devops. Attackers have been using the advantage of scaling for quite some time, think about botnets. But what about defenders. Are we fighting a loosing battle? Or can we learn from other parts of IT on how to scale information security solutions? This talk will assess several case studies of practical open domain information security approaches that a defender could apply. A central question is how effective are current scale-able defensive security practices and at what trade-offs?
Joachim Metz is a Digital researcher, IT/IS specialist, currently working for a large information technology company.
In 2006 he started working in the field of computer forensics as a digital forensic investigator at Hoffmann Investigations. At that time Hoffmann Investigations carried out digital forensic investigations for organisations (private law).
Before that he worked in multiple Information Communication Technology (ICT) disciplines like: system and network administration, programming, deployment, etc. and also Information Security (IS). He has been working in the field of digital forensics for several years now.
Mental Health: We Need To Talk
The Consulting, Digital, Information and Technology industries traditionally have attracted a certain ""type"" of person. Detail-oriented, technically very literate, perfectionist, with stereotypical character traits that give us (un)flattering labels such as nerds and geeks and the reputation of not being ""people"" people.
However, all of us are people. And people go through ups and downs in their lives, and suffer poor mental health. Its normal - anxiety, depression, bipolar disorder, right up to more serious areas of severe mental illness such as psychosis, substance addiction, attempted and actual suicide.
Just like physical health, poor mental health is a disabling condition that affects our own quality of life, as well as of those around us. Men tend to suffer at younger ages, self-medicate with alcohol and drugs and cause themselves permanent disability or death. However further research in this area seems to indicate this affects Women a lot more from the early 40s … and the suffering is longer right through to the end of natural life. Women don’t appear to take the easy way out so suffer long-term with this.
We need to have a conversation within the Information Security Industry of how we can identify, support and help each other through these ups and downs; but also identify what we can practically do to support each other at the community level.
Simon is an Information Security Professional with nearly 20 years of Information Security-releated Academic Research, Business Consulting and Management experience. He is currently employed as an Enterprise Security Architect at a large financial services organisation; and is overcoming his natural shyness by becoming more actively involved within the local InfoSec community, such as being part of the organising team for AISA's BrisSec Conference in 2017 and 2018.
He is unfairly tarnished by his peers for his terrible Dad Jokes.
Exploring Imposter Syndrome and its relationship with InfoSec
I believe there is a different relationship between InfoSec and Imposter Syndrome. This talk will cover what Imposter Syndrome is, how to approach managing it, and if Imposter Syndrome is any different in InfoSec to other areas, and why that could be. (Please note that I am interested in this but not qualified in the scope of mental health.)"
Information Security Team leader at Heritage Bank.
10 Years in IT
Organiser Toowoomba SecTalks
Speaker at Tuskcon 2017
CCNA – Route + Swicth
ECEH (Ethical Hacker)
ECIH (Incident Handler)
CMNO (Certified Meraki Network Operator)
Come open locks...without the keys!
Ever picked a lock? Know how to get yourself out of handcuffs with just a paper clip?
Come join the crew for some lockpicking fun, learning, competition and everything locks
Dale Hewitson
What is the Friendly Bear Initiative?
From my experience at CrikeyCon last year, it was clear the community is tight knit and friendly but these events can be intimidating if you don’t already know a few people attending! This initiative is meant to help people self identify as someone you should feel comfortable approaching. Please feel free to introduce yourself if you are a person who might be attending a security conference for the first time, just looking to make or get some help making new connections and we even have a few bears happy to assist with looking over your CV / LinkedIn if you’re hunting that first security gig! This initiative is being organised by myself Paul Jenkins.
How do I find a Friendly Bear on the day?
Look for anyone wearing a Friendly Bear name badge or ask one of the conference volunteers to point you in the direction of a Friendly Bear!
I am a friendly bear! How do I sign up?
Please reach out to me before hand via LinkedIn or my twitter handle (@redindisguise) or come find me on the day (ask one of the friendly bears to point you in my direction)!
Area 51 alien invasion
You have infiltrated the top secret military base Area 51. Finding your way into a mysterious laboratory only for the door to lock behind you. You hear warning sirens and a panicked announcement declaring that the aliens are on route to the base to seek revenge on any humans remaining. You have 20 minutes to escape the room before the aliens arrive. If you're doing the CTF, you'll get a flag for completing the escape room.
All you need to know.
We will continue to grow a grass-roots, not-for-profit, community-led conference targeting security folk around South-East Queensland and beyond. The event is to be informal to encourage a greater flow of information between attendees and speakers.
CrikeyCon was founded in 2014 to address the Brisbane local demand for a community styled security conference. CrikeyCon is a not-for-profit, community-led conference targeting those interested in information security around South-East Queensland and beyond.
The informal style of the event is designed to facilitate knowledge sharing between all participants. The event consists of presentations and demonstrations by Industry Professionals, security wizards and enthusiasts alike.
Active participation is strongly encouraged with Q&A sessions after each presentation to draw on the intellect of the speakers and participants to help break new ground.
The focus is on Information Security with the usual mix of infrastructure- and application-space shenanigans.
We want to push out from the core though, so are keen to get submissions on the social, political and environment twists on the theme, the impact of technology on our daily lives, shifting perspectives and pretty much anything that interests you if you’ve poked around the site this far. Dig out your old survivalist txts and give us a history lesson.
We want to maintain the informal and interactive air about the conference, encouraging information exchange and quality discussion.
To support this, the venue for the event is a riverfront reception venue with food and drink facilities. For the entrance fee, the attendees will get access to great talks, some side activities, and great people (organisers excepted). Food and drink are not included in the cost.
Talks will be in a dedicated room with AV, speakers are encouraged to keep the presentations as active as possible rather than making attendees suffer Death by PowerPoint. Active Q&A sessions are expected after each talk concludes.
We’ve got access to some additional spaces this year, and will have some other activities going on during the day to keep you entertained if you want a change of scenery.
CrikeyCon is proud to support the IN Security Movement, and acknowledges IN Security for its Code of Conduct Template. See IN Security - The Code of Conduct for further information.
Security events present opportunities to learn, share knowledge and network. As a security event organiser, we believe these events should represent a safe, enjoyable and inclusive environment for all people, irrespective of gender, race, ethnicity, age, sexuality, religion, disability, socioeconomic background, experience, size, shape and so on. No one should undergo harassment, bullying or abuse. Any sign of such behaviour will be deemed unacceptable and will be handled in line with our zero-tolerance policy. We will apply consistent, specific sanctions regardless of the circumstances to ensure they do not reoccur. This code of conduct explains exactly what we mean by unacceptable behaviour and it outlines the steps someone subjected to such behaviour at an event can take to report it.
Unfortunately, unacceptable behaviour still occurs and whilst harassment metrics are yet to be introduced and measured, anecdotal reports are widespread and have been reported in the media and social media platforms for years. This has reportedly resulted in increased dissatisfaction and non-attendance by some minorities who feel disenfranchised and threatened. The purpose of this code of conduct is to get participants fully aligned on what constitutes unacceptable behaviour, how the aggrieved can report it, and what will be done about it.
Our code of conduct is for event attendees, speakers, sponsors, partners, facilities staff, committee, and board members.
People's interpretation of acceptable or unacceptable behaviour is subjective and influenced by personal experience, religion and cultural background. That's why we believe it's important to define what we mean by both.
As an event organiser, we expect everyone to be professional and respectful to others at all times. Everyone should be aware of the impact their behaviour can have on others. We ask that you:
Unacceptable behaviour is offensive in nature - it disturbs, upsets or threatens. It lowers self-esteem or causes overwhelming torment. It is characteristically and can take the following forms:
Option 1. Speak up. See it, say it, sort it. If you are disrespected, or witness this happening to someone else, engage politely with the person involved, if you feel able to, and let them know that you find their behaviour unacceptable and offensive. Sometimes the best way to change unacceptable behaviour is by bringing it to the perpetrator's attention and giving them an opportunity to acknowledge this and apologise.
Option 2. Report it to us via any of the following ways:
When reporting, please provide as much detail as possible, preferably:
Note: you can remain anonymous if you so wish and providing any of the above information is optional.
We don't have a time limit for reporting unacceptable behaviour, although we encourage you to do it as quickly as possible, as it can be difficult to obtain accurate witness statements the longer time passes. If you report unacceptable behaviour more than 3-months after an incident, you should explain why as it may impact the ability to respond accordingly. We will consider your explanation and then endeavour to deal with your report.
We are committed to ensuring that you experience a positive, enjoyable and inclusive event. We strive for customer service excellence when reporting unacceptable behaviour. That's why, for the duration of our event, we will have a number of reporting mechanisms available (e.g. suitable informed event staff , event feedback forms etc.). When you report unacceptable behaviour to us we will respond promptly and with care, consideration and respect. Our process does not replace nor remove the formal mechanisms available to you as an individual to report inappropriate or offensive behaviour such as making a police report.
Our process is as follows:
Proposals on topics not listed above, but related to the conference interests (i.e. information security / hacking) may also be accepted, especially if they are interesting, different, or edgy.
Is this may your first time speaking? If so and you want some help, please get in touch. We want to encourage everyone to join in on the fun and we can put you in touch with someone that can help. So, if you want to bounce your ideas off someone, want some help with polishing your presentation, or want advice in doing a live demo, then let us know! [email protected]
Good question .. Good question ..
We have a Google form here: CrikeyCon VI CFP
Or if you prefer the retro feel (and making work for us), send the following information to [email protected]
NOTE: Training will be held the day before the conference.
We are seeking training proposals on any of the following topics (in no particular order):
Proposals on topics not listed above, but related to the conference interests (i.e. information security / hacking) may also be accepted, especially if they are interesting, different, or edgy.
Good question. Send the following information to [email protected]:
Training classes are assumed be 1 full day (0900 hours - 1700 hours). Please inform the CFT committee if your training is shorter than 1 day during your CFT submission.
All submissions must be in English. The more information you provide, the better the chance for selection. CrikeyCon understand that there are people who cannot afford to pay for training events and we want to encourage the next generation of security professionals. Therefore, we will be offering a number of free seats to any training event.
Some events and workshops that will give you a good idea of what we are seeking:
Good question. Send the following information to [email protected]:
All submissions must be in English. The more information you provide, the better the chance for selection.