River of Light.00_00_08_03.Still001

River of Light

On 20 February 2016, hundred and fifty lanterns will create a ‘River of Light’ for one night event in the city of Gothenburg, in the winter darkness bringing people together to celebrate our hope for the future. We gather at 16.00 at Götaplatsen to light the lanterns. After that we walk trough the city and the procession ends at A-venue on Avenyn at 18.00 with soup and bread and festivities.

The procession is a part of the 150 years celebration of the Valand Academy and on UN World Day of Social Justice which is annually observed on February 20.

During the last couple of months has the refugee crisis become worse and worse and Sweden has taken in on third of all the unaccompanied minors seeking asylum in Sweden. They come to Sweden as it is a country with an excellent reputation for respecting Human Rights and recognized for the good education system. Migrationsverkets numbers shows us that there were 30 000 children without their family in Sweden by the end of 2015. The situation in Gothenburg is also getting worse, with to little room for the young people seeking a safe place to stay.

In the project “River of Lights” and artists from the Academy of Valand has worked with international children, many of them who just arrived from Syria and Afghanistan, and created lanterns together.

Mario Heiderich An Abusive Relationship with AngularJS – About the Security Adventures with the Super-Hero Framework.00_44_29_24.Still001

Mario Heiderich – An Abusive Relationship with AngularJS – About the Security Adventures with the ”Super-Hero” Framework

Some voices claim that ”Angular is what HTML would have been if it had been designed for building web applications”. While this statement may or may not be true, is certainly accounts as one of the bolder ones a JavaScript web framework can ever issue. And where boldness is glistening like a German Bratwurst sausage in the evening sun, a critical review from a grumpy old security person shouldn’t be too far away. This talk will have a stern, very stern look at AngularJS in particular and shed light on the security aspects of this ever-popular tool. Did the super-hero framework do everything right and follow its own super-heroic principles? Does AngularJS increase or rather decrease the attack surface of a web application? How does AngularJS play along with the Content Security Policy, and was it a good idea to combine this kind of security with futuristic feature creep? And what about AngularJS version 2.0? Beware that we won’t stop at glancing at the code itself, investigating security best practices, and verifying compatibility and other common things that contribute to robust security (or lack thereof). We will cross the moral border and see if the AngularJS team could notice rogue bug tickets. A pivotal question that everyone is wondering about is: Have they successfully kept evil minds like yours truly speaker here from introducing new security bugs into the code base? This talk is a reckoning with a modern JavaScript framework that promises a lot and keeps even more, not necessarily for the best for developers and users. We will conclude in deriving a general lesson learnt and hopefully agree that progress doesn’t invariably mean an enhancement.

An Abusive Relationship with AngularJS – About the Security Adventures with the ”Super-Hero” Framework. Dr. Mario Heiderich, handsome heart-breaker, bon-vivant and (as he loves to call himself) ”security researcher” is from Berlin, likes everything between lesser- and greater-than. He leads the small yet exquisite pen-test company called Cure53 and pesters peaceful attendees on various 5th tier conferences with his hastily assembled PowerPoint-slides and a lot of FUD.

Marie Moe Unpatchable - Living with a Vulnerable Implanted Device.00_49_25_17.Still001

Marie Moe: Unpatchable – Living with a Vulnerable Implanted Device

My life depends on the functioning of a medical device, a pacemaker that generates each and every beat of my heart. This computer inside of me may fail due to hardware and software issues, due to misconfigurations or network-connectivity.

Yes, you read that correctly. The pacemaker has a wireless interface for remote monitoring and I am forced to become a human part of the Internet-of-Things. As a seasoned security-professional I am worried about my heart’s attack surface.

This talk will be focused on the problem that we have these life critical devices with vulnerabilities that can’t easily be patched without performing surgery on patients, my personal experience with being the host of such a device, and how the hacker community can proceed to work with the vendors to secure the devices.

Marie Moe (@MarieGMoe):
Marie Moe is passionate about incident handling and information sharing, she cares about public safety and securing systems that may impact human lives, this is why she has joined the grassroots organisation “I Am The Cavalry”. Marie is a research scientist at SINTEF ICT, and has a Ph. D. in information security. She has experience as a team leader at NorCERT, the Norwegian national CERT. Marie also teaches a class on incident management and contingency planning at Gjøvik University College in Norway. Marie loves to break crypto protocols, but gets angry when its in her own body.

Martin Johns Your Scripts in My Page - What Could Possibly Go Wrong.00_19_56_23.Still001

Martin Johns: Your Scripts in My Page – What Could Possibly Go Wrong?

When it comes to web security, there is the one policy to rule them all: The Same-origin Policy. Thanks to this policy, sites hosted on disjunct origins are nice and cleanly separated, thus preventing the leakage of sensitive information into the hands of unauthorized parties. Unfortunately, HTML predates the Same-origin Policy and, thus, was not designed with the origin-based security model in mind. In consequence, HTML tags can freely reference cross-domain locations and include cross-domain content in their hosting web pages.

In this talk, we will present an attack, resulting from this circumstance, that has been widely overlooked in the past but affects a surprisingly high number of Web sites: Information leakage via cross-domain script inclusion.

Modern web sites frequently generate JavaScript on-the-fly via server-side scripting, incorporating personalized user data in the process. Thanks to HTML’s general ignorance of the Same-origin Policy, an attacker is able to include such dynamic scripts into web pages under his control using script-tags pointing to the vulnerable site. This, in turn, allows him to learn many of the secrets contained in these scripts, through the scripts interaction with the page it is included in. In our experiments, we were able to obtain personal information such as name & address of the logged-in user, leak CSRF tokens, read the users emails, and occasionally fully compromise the user’s account. All possible by simply including a script-URL into one of our web pages.

To systematically investigate the issue, we conducted a study on its prevalence in a set of 150 top-ranked domains, in which we observed that a third of the examined sites utilize dynamic JavaScript. Using our attack techniques, we able to leak sensitive data from more than 80% of these sites via remote script inclusion. In the talk we will present the study in general, and the most interesting cases in detail, showing the wide range of possible attack variations along with a bag of tricks how the including page can be prepared to efficiently leak a script’s secrets. Furthermore, we present an efficient detection mechanism, in the form of a browser extension, as well as defensive measure, which enable robust protection.

Martin Johns (@datenkeller)
Dr. Martin Johns is a research expert in the Security and Trust group within SAP SE, where he leads the Web application security team. Before joining SAP, Martin studied Mathematics and Computer Science at the Universities of Hamburg, Santa Cruz (CA), and Passau. During the 1990s and the early years of the new millennium he earned his living as a software engineer in German companies. He is board member of the German OWASP chapter, holds a Diploma in Computer Science from University of Hamburg and a Doctorate from the University of Passau. Martin is a regular speaker at international security conferences, incl. Black Hat, the OWASP AppSec series, ACSAC, ESORICS, PacSec, HackInTheBox, RSA Europe, or the CCC Congress.

Michele Orrù Dark FairyTales from a Phisherman (Vol. III).00_13_17_12.Still001

Michele Orrù (@antisnatchor) – Dark FairyTales from a Phisherman Vol III

Phishing and client-side exploitation DevOps for all your needs. Combine BeEF, PhishingFrenzy and your fishy business to automate most of the usual phishing workflow while minimizing human interaction. Multiple real-life phishing engagements will be discussed, together with the shiny new BeEF Autorun Rule Engine.

Michele Orrù a.k.a. antisnatchor is the lead core developer and smart-minds-recruiter for the BeEF project. Michele is also the co-author of the ”Browser Hacker’s Handbook.” He has a deep knowledge of programming in multiple languages and paradigms, and is excited to apply this knowledge while reading and hacking code written by others. Michele loves lateral thinking, black metal, and the communist utopia (there is still hope!). He also enjoys speaking and drinking at a multitude of hacking conferences, including CONFidence, DeepSec, Hacktivity, SecurityByte, AthCon, HackPra AllStars, OWASP AppSec USA, 44Con, EUSecWest, Ruxcon, InsomniHack, PXE, BlackHat and more we just cant disclose. Besides having a grim passion for hacking and programming, he enjoys leaving his Mac alone, while fishing on saltwater and praying for Kubricks resurrection.



Göteborgselektronikerna Skyltfönsterspelning Kulturnatta 2016

Göteborgselektronikerna performing on Moog Voyager, Moog Voyager Old School, Roland SH101, Logan String Melody and lots of other interesting stuff!

Göteborgselektronikerna är en elektronisk orkester där vi spelar och skruvar våra synthar och trummaskiner live utan datorer eller backingtracks. Musiken hämtar inspiration från 70-80-talet med Kraftwerk, Jarre, Knight Rider och Miami Vice men är samtida förpackad och med lokalpatriotiska element i texterna. Rösten görs med talkbox och vocoder.

Vi kommer bjuda på en spelning med några låtar från vår kommande debut och några helt improviserade.

Vi spelar, precis som förra Kulturnatta, på Galleri PS. Skillnaden denna gång är att det i år blir en skyltfönsterspelning där vi står inne medan publiken får stå utanför och titta in. Så klä er varmt, men vi ska göra vårt bästa för att ni ska hålla värmen uppe.

Förbered er på gött elektroniskt sväng med liveskruvade trummor, rejäl Moog-bas och sköna analoga synthslingor som kranas och spelas fram i stunden. Pluspoäng till de som ropar med på sin favorithållplats i Hållplatz!