Received 9 April 2026 – /r/netsec - Information Security News & Discussion

The NaClCON (Salt Con) speaker list is out! May 31–June 2, Carolina Beach NC

For those who don't know: NaClCON is a new, intentionally small (300 person cap) conference focused on hacker history and culture, not zero-days or AI hype. Beach venue, open bars, CTF, the whole deal. $495 all-in.

The speaker list is a who's-who of people who built the scene:

Speakers:

  • Lee Felsenstein – Homebrew Computer Club OG, designer of the Osborne 1 (the first mass-produced portable computer)
  • Chris Wysopal (Weld Pond) – L0pht Heavy Industries, testified before the Senate in 1998 that they could take down the internet in 30 minutes, co-founder of Veracode
  • G. Mark Hardy – 40+ years in cybersecurity, talking "A Hacker Looks at 50"
  • Richard Thieme – Author/speaker who's keynoted DEF CON 27 times, covering the human impacts of tech since the early internet days
  • Brian Harden (noid) – Helped build the LA 2600 scene, DC206, and DEF CON itself. Now farms and writes about himself in the third person
  • Izaac Falken – 2600 Magazine / Off The Hook, 30 years in professional security
  • Mei Danowski – Natto Thoughts, speaking on ancient Chinese strategy and the birth of China's early hacker culture
  • Josh Corman – "I Am The Cavalry" founder, CISA COVID task force, currently working on UnDisruptable27
  • Casey John Ellis – Bugcrowd founder, co-founder of disclose.io, White House, DoD, and DHS security advisor
  • Jericho – 33+ years in the scene, speaking on life in an early 90s hacker group
  • Andrew Brandt – Threat researcher (Sophos, Symantec), demoing early hacking tools on obsolete hardware
  • Johnny Shaieb – IBM X-Force Red, speaking on the history of vulnerability databases
  • B.K. DeLong (McIntyre) – Attrition.org, the team that manually archived 15,000+ web defacements in the late 90s
  • Jamie Arlen – 30+ years, Securosis, Liquidmatrix; "an epic career of doing all the wrong things and somehow still being right"
  • Heidi and Bruce Potter – Developers of Turngate and founders of ShmooCon
  • Dustin Heywood (EvilMog) – IBM X-Force, Team Hashcat, multi-time Hacker Jeopardy World Champion

Fireside chats include noid doing DEF CON war stories, Edison Carter on old-school phone phreaking in the 80s/90s, and a grog-filled night with the dread pirate Hackbeer'd.

A couple of things worth knowing before you register:

The conference hotel (Courtyard by Marriott Carolina Beach Oceanfront) has a room block at $139/night (roughly 70% off the peak beach-season rates), so book through naclcon.com/hotel or use group code NACC. The block expires May 1st, so don't sit on it.

P.S. If the tickets are too large a hurdle for you, DM me and I'll see what I can do to get you a discount code.

naclcon.com | Register

submitted by /u/count_zero_moustafa

Threat Model Discrepancy: Google Password Manager leaks cleartext passwords via Task Switcher (Won't Fix) - Violates German BSI Standards

Hi everyone, I’m a Cybersecurity student at HFU in Germany and recently submitted a vulnerability to the Google VRP regarding the Google Password Manager on Android (tested on Pixel 8, Android 16).

The Issue: When you view a cleartext password in the app and minimize it, the app fails to apply FLAG_SECURE or blur the background. When opening the "Recent Apps" (Task Switcher), the cleartext password is fully visible in the preview, even though the app actively overlays an "Enter your screen lock" biometric prompt in the foreground. It basically renders its own secondary biometric lock completely useless.

Google's Response: Google closed the report as Won't Fix (Intended Behavior). Their threat model assumes that if an attacker has physical access to an unlocked device, it's game over.

The BSI Discrepancy: What makes this interesting is that the German Federal Office for Information Security (BSI) recently published a study on Password Managers. In their Threat Model A02 ("Attacker has temporary access to the unlocked device"), they explicitly mandate that sensitive content MUST be protected from background snapshots/screenshots. So while Google says this is intended, national security guidelines classify this as a vulnerability. (For comparison: The iOS built-in password manager instantly blurs the screen when losing focus).

Here is my PoC screenshot:
https://drive.google.com/file/d/1PTGKRpyFj_jY9S76Jlo62mSCDJ3c6uLO/view?usp=sharing
https://drive.google.com/file/d/1nIJMQbM4R17EMt9f1Ffb4UmCPYY7-GXb/view?usp=sharing

What are your thoughts on this? Should password managers protect against shoulder surfing via the Task Switcher, or is Google right to rely solely on the OS lockscreen?

submitted by /u/Onat120

dnsight - open source, config driven CLI DNS auditor

Hi everybody,

I have built an open source CLI tool to help conduct DNS related audits. Let me explain the rationale and the roadmap.

So I have worked in DevSecOps for the past few years, and at 3 different companies I have built some variation of this to handle issues raised by SOC tools and to help do basic black box pentesting. After doing it the 3rd time I decided I should take a stab at open source and build it properly myself.

What it offers is CAA, DMARC, DKIM, SPF, MX, DNSSEC and some header audits (basic ones like HSTS and CSP). Output can be done via rich terminal, JSON, Markdown and SARIF, and baked into it is an "sdk" layer which would allow you to develop internal tools on top whilst getting access to the fully typed Python objects.

The next step is honestly inspired by a BS scare tactic email sent to the non-technical CEO and founder of a startup I was at, where the salesperson made false claims about the posture of our DMARC in order to trick the CEO into a sales call. Personally, I'm quite passionate about security and I believe in a world of cat-and-mouse security (where the cats are the hackers / exploiters), tools that help with basic security should be free. This leads us to the next phase, a dockerised app to conduct the audits based on your configuration at regular intervals with alerting through the appropriate channels.

I would appreciate anybody who took a look, gave it a go and provided any feedback (or anybody who wants to help contribute!). This is my first go at open source and building a tool like this so really any feedback is appreciated. Docs can additionally be found at https://dnsight.github.io/dnsight/

submitted by /u/MikeyS91
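As an added illustration of the kind of config-driven SPF/DMARC/CAA checks such an auditor runs (this is not dnsight's own code, and the record names, config keys and severity labels are assumptions made for the example), here is a minimal Python audit over constructed DNS answers. It runs offline; a real tool would replace the `RECORDS` dict with live lookups, follow `include:`/`redirect=` recursively for the SPF lookup limit, and walk up parent labels for CAA.

```python
"""Added example, not dnsight's code: a tiny config-driven SPF/DMARC/CAA audit.
DNS answers are constructed inline so it runs offline."""
import json

# Constructed sample zone data (TXT/CAA answers as strings), not real lookups.
RECORDS = {
    "example.test": {
        "TXT": ["v=spf1 include:_spf.mail.test ~all"],
        "CAA": [],
    },
    "_dmarc.example.test": {
        "TXT": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
    },
    "hardened.test": {
        "TXT": ["v=spf1 ip4:192.0.2.0/24 -all"],
        "CAA": ['0 issue "letsencrypt.org"'],
    },
    "_dmarc.hardened.test": {
        "TXT": ["v=DMARC1; p=reject; rua=mailto:dmarc@hardened.test; pct=100"],
    },
}

# Hypothetical audit configuration: what each listed domain must satisfy.
CONFIG = {
    "domains": ["example.test", "hardened.test"],
    "spf": {"require_hard_fail": True, "max_lookups": 10},
    "dmarc": {"min_policy": "quarantine", "require_rua": True},
    "caa": {"required": True},
}

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_tags(record: str) -> dict:
    """Parse 'k=v; k=v' style DMARC tags into a dict with lowercased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def spf_lookup_count(terms) -> int:
    """Count top-level SPF terms that cost a DNS query (RFC 7208 limits these
    to 10, counted recursively; this example only counts the top-level record)."""
    n = 0
    for t in terms:
        mech = t.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].lower()
        if mech in ("include", "a", "mx", "ptr", "exists", "redirect"):
            n += 1
    return n


def audit_spf(domain, cfg, records):
    txt = records.get(domain, {}).get("TXT", [])
    spf = [r for r in txt if r.lower().startswith("v=spf1")]
    if not spf:
        return [("spf", "high", "no SPF record")]
    findings = []
    if len(spf) > 1:
        findings.append(("spf", "high", "multiple SPF records; receivers treat this as a permanent error"))
    terms = spf[0].split()
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), "")
    if cfg["require_hard_fail"] and all_term != "-all":
        findings.append(("spf", "medium", f"terminal mechanism is '{all_term or 'missing'}', expected -all"))
    lookups = spf_lookup_count(terms)
    if lookups > cfg["max_lookups"]:
        findings.append(("spf", "high", f"{lookups} DNS-querying terms exceed the limit of {cfg['max_lookups']}"))
    return findings


def audit_dmarc(domain, cfg, records):
    txt = records.get(f"_dmarc.{domain}", {}).get("TXT", [])
    dm = [r for r in txt if r.upper().startswith("V=DMARC1")]
    if not dm:
        return [("dmarc", "high", f"no DMARC record at _dmarc.{domain}")]
    tags = parse_tags(dm[0])
    findings = []
    p = tags.get("p", "")
    if POLICY_RANK.get(p, -1) < POLICY_RANK[cfg["min_policy"]]:
        findings.append(("dmarc", "high", f"p={p or 'missing'} is weaker than required {cfg['min_policy']}"))
    if cfg["require_rua"] and "rua" not in tags:
        findings.append(("dmarc", "low", "no rua= aggregate reporting address"))
    if tags.get("pct", "100") != "100":
        findings.append(("dmarc", "medium", f"pct={tags['pct']}: policy applies to only part of the mail"))
    return findings


def audit_caa(domain, cfg, records):
    caa = records.get(domain, {}).get("CAA", [])
    if cfg["required"] and not caa:
        return [("caa", "low", "no CAA record; any public CA may issue")]
    return []


def run_audit(config=CONFIG, records=RECORDS) -> dict:
    """Return {domain: [finding, ...]} where each finding is a JSON-ready dict."""
    report = {}
    for domain in config["domains"]:
        findings = (audit_spf(domain, config["spf"], records)
                    + audit_dmarc(domain, config["dmarc"], records)
                    + audit_caa(domain, config["caa"], records))
        report[domain] = [{"check": c, "severity": s, "detail": d} for c, s, d in findings]
    return report


if __name__ == "__main__":
    print(json.dumps(run_audit(), indent=2))
```

With the constructed data, `example.test` yields three findings (soft-fail SPF, `p=none` DMARC, no CAA) and `hardened.test` yields none; the JSON shape is what you would feed into a SARIF or alerting layer.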