Interact with the security community
CanSecWest, the world's most advanced conference focusing on applied digital security, is about bringing the industry luminaries together in a relaxed environment which promotes collaboration and social networking. The conference lasts for three days and features a single track of thought-provoking presentations, each prepared by an experienced professional and talented educator who is at the cutting edge of his or her field. We give preference to new and innovative material, highlighting important, emergent technologies, techniques, or best industry practices.
The conference is single track, with one-hour presentations over the duration, beginning at 9:00 a.m. The registration fee includes the catered meals, and there will be a vendor display and lounge/eating area where wireless internet access will be available (as well as in the speaking theater). The conference discount hotel room booking system can be found at https://www.starwoodmeeting.com/Book/CSW2015
Well, after much discussion and deliberation, here is the final cut at scenarios for the PWN2OWN competitions.
Browsers and Associated Test Platform
Vaio - Windows 7
Day 1: Default install, no additional plugins. User goes to link.
Day 2: Flash, Java, .NET, QuickTime. User goes to link.
Day 3: Popular apps such as Acrobat Reader ... User goes to link.
What is owned? Code execution within the context of the application.
Phones (and associated test platform)
- Android (Dev G1)
- iPhone (locked 2.0)
- Windows Mobile (HTC Touch)
Day 1 (raw functionality out of the box, user configured for service): post phone, post email
- Email (arrival only)
- Wi-Fi on if default
- Bluetooth on if default
- Radio stack
Day 2:
- All of Day 1
- Email/SMS/MMS (reading only; no secondary actions)
- Wi-Fi on
- Bluetooth on (does not accept pairing by default; paired with a headset; pairing process not visible)
Day 3:
- All of Day 1 and 2
- One level of user interaction with default applications
- Bluetooth on (does not accept pairing by default; paired with a headset/other devices upon request; pairing process visible)
What is owned? Must demonstrate...
- Loss of information (user data)
- Incurring financial cost
- 30-minute slots
- Names submitted and then randomly drawn
- First pop is eligible for the box and cash
- Follow-on pops are eligible for $
- All must disclose and have the exploit validated.
- A lottery will be held for time-slot location.
- Register with ZDI if you want the $
- Sign the ZDI NDA
- An infrastructure attack will get you escorted out of the building.
- ZDI/Dragos have the final say.