Presenters 2021

These are the amazing speakers we have lined up for this year's event so far!


Casey Ellis

Release The Hounds - Part 2 (aka 8 Years Is A Long-Ass Time)

Casey is the Chairman, Founder and CTO of Bugcrowd, and has been inventing stuff and generally getting technology to do things it isn’t supposed to since childhood. He’s been in the industry for 20 years, working with clients ranging from startups to government to multinationals, and awkwardly straddles the fence of the technical and business sides of information security. Casey pioneered the Crowdsourced Security as a Service model, launching the first bug bounty programs on the Bugcrowd platform in 2012, co-founded the disclose.io vulnerability disclosure standardization project in 2014, and has presented at DEF CON, Black Hat USA, RSAC, Techcrunch DISRUPT, Shmoocon, ENISA Incibe, Usenix ENIGMA, AusCERT, and others. A proudly “currently semi-repatriated ex-pat” of Sydney, Australia, Casey normally lives with his wife and two kids in the San Francisco Bay Area. He is happy as long as he’s got a problem to solve, an opportunity to develop, a kick-ass group of people to bring along for the ride, and free rein on t-shirt designs.


Release The Hounds - Part 2 (aka 8 Years Is A Long-Ass Time)

It has been 20 years since Rainforest Puppy released the RFPolicy responsible disclosure policy, 11 years since Google and Facebook brought the concept of bug bounty into the eye of the security industry, and 9 years since Bugcrowd pioneered the concept of inserting a platform in the process to facilitate conversations between builders and breakers. In March 2013, there was a talk at Ruxmon Sydney titled “Release the Hounds! A look inside Bugcrowd.” At the time we had a total of 10 programs, 1,500 hunters, and a $50,000 “Ramen-noodle round” from Startmate under our belts; and were getting ready to depart for Silicon Valley in April... In this talk, Casey will provide a long-overdue status update (apologies... got a bit sidetracked) on Australia’s crowdiest export and indulge in a few tall tales of the crazy stuff that happens as you build a multi-national, venture-backed category creator. More importantly, he’ll dig into the evolution of crowdsourced security and vulnerability disclosure, where it’s going next, and what that means for an Internet and a global userbase who are undergoing some pretty dramatic change.


Georgia Turnham 'Georgia'

The Subtle Art of Cognitive Hacking

I am a GRC Cyber Security Consultant with Trustwave - an Optus Company. I have consulted across a number of industries, including banking, airline and federal government. I graduated from Macquarie University with a Bachelor of Security Studies, complemented with study in New York and an internship in Africa. I was a member of the Overall Runners Up and Category Winning Team in the 2018 ASEAN – AUSTRAC’s Codeathon (Cyber Six), and a volunteer in the first Australian – TraceLabs National Missing Person’s Hackathon, returning as a judge in 2020. I am certified as an ISO27001:2013 Provisional Implementer, have passed the ISACA CRISC Certification exam, and am an ambassador for the NSW Cyber Security Innovation Node. I was awarded AISA's 2020 Cyber Security Rising Star of the Year, and am passionate about making meaningful change in the cyber security industry. I have recently consulted and advised a United Nations member working group on threats to International Peace and Security in the ICT field.


The Subtle Art of Cognitive Hacking

I will be submitting a discussion on the threats posed by Cognitive Hacking to society and the population, and the lack of a solution to such a threat. Cognitive Hacking, disguised as the manipulation of social media, has now become common practice, with this vulnerability being increasingly exploited by nation states and opportunistic individuals alike. It has given actors unprecedented access and ability to cause fundamental shifts in the way targeted demographics think and behave, and it has now become a weaponised tool with which warfare is able to be waged. The use of information and the media to wage war is far removed from the traditional concepts of warfare, but has surged in popularity amongst actors today because it’s cheap, largely risk-free, readily accessible and easy to do. It’s notoriously difficult to pinpoint where these campaigns originate and whether they’re state-sponsored or rogue individuals, and in many cases, it’s likely that even the actors carrying out the profiles and activities themselves don’t know exactly by whom, or to what ends, their actions are directed. Salient examples of Cognitive Hacking are found in the US 2016 election and the BREXIT leave campaign. Other examples include the Internet Research Agency, a Russian-backed group waging concerted disinformation campaigns that attempt to stoke and inflame both sides of a debate. The use of cognitive hacking, information manipulation and influence operations as a mode of warfare and in modern conflict has expanded the scope of the battlefield and the ability to conduct war out of the purview of the state and state actors, and into the hands of the girl next door. This blurring of the battlefield is embellished in the recent SolarWinds breach. Of most concern is the lack of any one solution to this problem. China, for example, has moved to isolationist protective measures to prevent the impact of this threat, regulating its own intranet through the Great Firewall of China.
However, a problem with this is that government actors and big wigs are still able to influence the message that does reach the population. And not only that, but such measures are incongruous with many democratic social norms. Another possibility is to continue pressing on educating people regarding awareness and cyber hygiene, but as a security consultant who spends a lot of effort pursuing this, I must confess that I have serious doubts on the efficacy of these endeavours. Another commonly suggested silver bullet is that of simply regulating the big social media companies, but I think we can all agree that in actuality, the viability of this in such a complex and dynamic landscape is moot. To further this, any attempts by states and international institutions to codify the “laws of war” for the cyber and ICT space are fraught with the same difficulties as conventional protocols and doctrines, in that states can ratify and adopt these at their discretion. So, with that in mind - what does this mean for our future?


"Alex" 'mangopdf'

Finding Tony Abbott’s passport number and entering the Do Not Get Arrested Challenge 2020

“Alex” is an Australian citizen with no convictions of cyber treason. Their hobbies include origami and Following the Law. They work on a Red Team, committing metaphorical crimes, and writing really really detailed confession letters. On the side, they organise purplecon, a gentle, pastel, inclusive security conference, but it’s unclear whether the whole thing is like a joke, or what. Follow them on SoundCloud at https://mango.pdf.zone. In 1633 “Alex” was excommunicated by the Catholic Church for insisting the Earth revolves around the sun.


Finding Tony Abbott’s passport number and entering the Do Not Get Arrested Challenge 2020

I found Tony Abbott’s passport number in the HTML of Qantas’ “manage booking” page. The manner in which I found it did not possess ANY intent to subvert the Commonwealth of Australia. Wanting to do the right thing, I spent the next six months participating in the Do Not Get Arrested Challenge 2020, in which I try to tell the government about this in precisely the manner which avoids instant jail. Anyone thinking about participating in the 2021 challenge, my #1 tip is: do not do a crime. Things this talk is about: boarding pass security, what happens when there isn’t boarding pass security, the consequences of my actions, calling everyone in Australia one-by-one, desperately struggling to contact the right person for the disclosure of cyber treason, my Twitter DMs.


Jess Dodson 'GirlGerms'

Back to Basics - Why can't we get this stuff right?!

Based in Brisbane, Australia and with over 15 years' experience in the management & architecture of identity & security system platforms, a passion for fixing things and a stubbornness to push people to get the basics RIGHT, Jess wears the title of SecOps Witch proudly! Chances are if you've run into "girlgerms" online, you've spoken to Jess. Having spoken at Ignite Australia in 2015, she was bitten by the public-speaking bug and has spoken again at both Ignite New Zealand and Ignite Australia for 2016 & 2017, as well as more local cons such as CrikeyCon and DDDBrisbane. After taking a year of maternity leave, she made the jump to the corporate world. Jess is now a Customer Engineer with Microsoft, where she spends most of her days presenting to customers - just as if she was on stage at a con. In her downtime, Jess spends far too many hours playing video games & with Lego.


Back to Basics - Why can't we get this stuff right?!

Time and time again we see breaches occurring that happened because, with 20/20 hindsight, something incredibly simple was missed. So if it was simple, if it was basic, if it was common sense - why was it missed? This talk will highlight some of the basic security items that are often forgotten, ignored or are marked as "too difficult". Be prepared for a passionate talk, told from the perspective of someone who's been down in the trenches as a sysadmin and is now helping other organisations rise to the challenge of fixing the "old and busted". Covering a wide range of topics including identity, server management, hybrid cloud and security systems, this talk will take us all Back to Basics. The basics are your foundations - if you don't get them right, everything else will crumble.


JP Haywood 'JP'

How to stand up fun incident response exercises with zero experience

JP is the Information Security Manager at one of Australia's largest mutual organisations. His achievements include setting up a new information security team, overseeing the establishment of the organisation's SIEM and internal SOC, as well as being a key player in the organisation's CPS 234 compliance project. JP also contributes to the InfoSec community in a number of ways, including founding the SecTalks Toowoomba chapter and speaking at conferences such as CrikeyCon, TuskCon and AusCERT.


How to stand up fun incident response exercises with zero experience

This talk will cover how to use publicly available information to stand up tabletop discussion exercises to train incident response scenarios in a fun and engaging way. The talk will give you the skills and knowledge to go back to your workplace and run incident response training and tabletop exercises with your response team.


William Brown 'Firstyear'

Mad Monster Standards - Exploring Webauthn

William is a senior software engineer for SUSE. He is part of the 389 Directory Server project, which is one of the major open-source LDAP servers used internationally, and the foundation of FreeIPA's server. He is also the developer of the Webauthn server and softtoken for Rust, and has been invited to participate in the W3C working group to further develop Webauthn. When not deep in authentication services, he can be found flipping people on a mat, or doing vertical stick tricks.


Mad Monster Standards - Exploring Webauthn

Webauthn is a standard allowing browsers to communicate between an authenticator device and a web server to perform cryptographic authentication. Seen as the future of login and "the end of passwords" by Microsoft and many others, this standard and its behaviour will only become more important - and relevant - in the field of security. In this talk we'll explore the benefits of Webauthn to end users and deployments, how Webauthn works, and we'll dive into some of the darker cobweb-ridden corners that yield some surprising - and common - mistakes in implementations. For defense, you'll walk away knowing more about why Webauthn is the future of auth and how to avoid common pitfalls that may impact your deployments. For offense, you'll learn about ways to bypass or reduce the strength of Webauthn when incorrectly implemented.


Paul McCarty '6mile'

All your code repo are belong to us. What the Solarwinds hack should tell us about the state of software development

Paul McCarty has been working in the distributed systems space since 1993, when he took his first job as a Unix sysadmin in the university computer lab. In 1996 he started his own computer store and ISP, and then later a consultancy. Fast forward to 2021 and that consultancy has evolved over the years to specialize in deploying security controls at scale, first in the datacenter, and then later in the public cloud. Paul's contracted for NASA, Boeing, Queensland government, the US military and a lot more. Now he nerds out on helping companies adopt real, no bullshit DevSecOps practices as the CTO of SecureStack, one of Forbes magazine's top cybersecurity companies to watch in 2021!


All your code repo are belong to us. What the Solarwinds hack should tell us about the state of software development

If there's anything that the Solarwinds hack has taught us, it's that our industry needs to look internally and really try to understand WHY developers are not embracing security. Simply saying we need to "shift left" is bullshit hype and means nothing. This talk will lay out the behaviours and workflows that developers use and how that affects the security of the products they build. It will also talk about the management and business requirements that encourage developers to build insecure products. I will use public and proprietary data to underpin the arguments and show how things are getting worse, instead of better, in a public cloud-focused world.


Jordan Welden-Iley 'JJ'

"Active Defense and Hacking Back: The legalities, implications and next steps of retaliatory hacking in self-defense"

Jordan Welden-Iley isn't your run-of-the-mill cyber security advisor. The former Australian lawyer and corporate advisor travelled an interesting career path before landing in cyber security. Persuading judges in Court, investigating the depths of ponzi schemes, and hunting merger and acquisition targets; the perfect crucible. On his way to being a cyber czar, this dude currently graces Australia's enterprise businesses helping them solve their cyber security problems.


"Active Defense and Hacking Back: The legalities, implications and next steps of retaliatory hacking in self-defense"

To protect digital businesses, companies are increasingly employing active defense capabilities, at the same time they put basic cyber-hygiene protocols in place. This means maintaining up‐to‐date intelligence from both internal and third‐party sources, mitigating insider threats, engaging attackers on the company's own network, and partnering to mitigate external threats. However, organisations are increasingly questioning whether or not they have (or ought to have) a right to 'hack back' as an offensive retaliatory measure. Revenge is sweet, but is it legal? This presentation explores the current legal positions and evolving debate, proposing the time has come to permit hacking back in particular circumstances and lightening the nudge with a tongue-in-cheek addendum to NIST (The ‘Revenge’ Function).


Shubham Shah 'Shubs'

Hacking on Bug Bounties for Five Years

Shubham Shah is the co-founder and CTO of Assetnote, a platform for continuous monitoring of your external attack surface. Shubham is a prolific bug bounty hunter in the top 50 hackers on HackerOne globally and one of the top 3 hackers on HackerOne for Australia. He has presented at various industry events including Kiwicon, BSides Canberra and 44Con.


Hacking on Bug Bounties for Five Years

Bug bounties have become an established process in organisations with a mature security posture. Over the last five years, I have been submitting vulnerabilities to companies in almost every industry. Over such a long period of participating in bug bounties, there has been an evolution in the skills, reporting and payouts. There is a broad perception in bounties that there is a secret to unlock to be successful and that only a handful of individuals are capable of that success. This presentation will break down why that is not the case. I will walk through all of my favourite bugs that I have found in the last five years, explaining step by step what led to the discoveries. I will discuss some of the lessons I have learned from my participation, and how you can replicate my success.


Edward Prior 'JankhJankh'

Introduction to Adversarial ML and other AI attacks

JankhJankh is an AI researcher turned pentester and wearer of many hats.


Introduction to Adversarial ML and other AI attacks

AI attacks, and especially adversarial ML, are an ever-growing threat that has finally been given an appropriate threat model. However, the field is still deeply lacking in defensive theory. The goal of the talk is to go over the current threats posed by Adversarial ML and other AI attacks and discuss the proposed theories for fixing these problems. The goal of the talk will be to make sure pentesters know what to look for when attacking AI solutions, and that defenders know what to consider when protecting these systems.


Alice Butler 'Emvy'

Securing Cloud for Enterprise

Alice has a 15 year career in IT working for large enterprise and government. She has worked in hosting, datacentre-as-a-service and education in IT Support, Sysadmin, technical and strategic management, including for Sysadmin, Cyber Security and Cloud teams. Alice has led a two year effort to clean up the cloud investments of her current employer and is now leading an Automation & Cloud Engineering team.


Securing Cloud for Enterprise

How do you go about Securing the Cloud for Enterprise? Where do you start? It can be a huge and overwhelming task to take on, so I'll help you with some guiding tips and pointers (learned the hard way) to help you on your journey.


Eric Pinkerton 'Pinky'

Twenty Twenty to Twenty One (A tribute to 20:1)

Occasional volunteer checkout operator and cybersecurity consultant Eric has seen it all. At only nine years old he was expelled from University when it became apparent that he had hacked the grading system (not to improve his own grades, but to lower everyone else's). He might have got away with it if he hadn't accidentally changed the year of his own birth by 10 years. For the past 30 years, Eric has been diligently collecting material for a book, or possibly a screenplay, by purposefully placing himself into the most unbelievable, uncomfortable and unwittingly humorous situations, and it is the pursuit of this that led him to a career in Cybersecurity Consulting.


Twenty Twenty to Twenty One (A tribute to 20:1)

For most people 2020 was a shitty damp squib of a year, but for both cybercriminals and cybersecurity folks alike, it was a bit of a banger. Allow me (the cyber equivalent of Bert Newton) to present my top 20 moments of the past 12 months. What will they be? - I don't know yet, I haven't thought that through!