Offensive Security

This is the write-up of a talk I gave at PasswordsCon, which runs as a track inside BSides Las Vegas. It was my first time in Vegas and my first talk at a conference that size, so if the recording has me talking slightly too fast, that is why. The short version: attackers are starting to throw passwords at login systems that were never meant to work, and that breaks an assumption a lot of defensive tooling is quietly built on. ...

Disclaimer: The examples below are anonymised and aggregated across multiple engagements. The goal is to highlight recurring patterns, not embarrass any specific organisation. Security Theatre: Field Notes from the Inside The Scene Most environments I assess are not wide open. They have firewalls, policies, and controls that look sensible on a slide deck. The same weaknesses keep showing up anyway. Security gets implemented as a compliance checklist rather than an adversarial system. ...