
National and international experts informed 400+ participants during this one-day security event. On 29 June 2017, Madison Gurkha organised this unique event for the fifteenth time: a special anniversary edition.

The day-long event consisted of a management track and a technical track. Additionally, there was an opportunity to get some practical experience during the Hands-on hacking workshop (Check out the slides) and the PGP Key Signing Party.


Programme Black Hat Sessions 2017

08:30  Registration
09:30  Opening speech by Dirk Jan van den Heuvel Download the slides
KEYNOTE by Bill Cheswick Download the slides

 Management Track  Technical Track
The ethics of privacy - Rachel Marbus, Privacy Officer KPN No slides available

Losing Yourself in a Cloud of Things - Michael Kubiaczyk, Principal Security Consultant Madison Gurkha Download the slides
11:15  Coffee break / Information market
 Management Track  Technical Track
Physical Pentesting - Walter Belgers, Principal Security Consultant Madison Gurkha
Download the slides

Plan to Throw the First One Away - Meredith L. Patterson, polymath technologist and science fiction author Download the slides
12:30  Lunch / Information market / PGP Key Signing Party
 Management Track  Technical Track
13:45   New Sheriffs in town - John Fokker, Digital Team Coordinator NHTCU Download the slides  

A century of data stealing - Duncan Campbell, investigative journalist, author and TV-producer Download the slides
The Future is False Positive - Hans de Zwart, Executive Director Bits of Freedom Download the slides

No presentation recording available

Hack for Safety - TIBER & MGs RED teaming Approach - Rogier Besemer, Program manager TIBER at De Nederlandsche Bank (no slides available) & Ralph Moonen, Technical Director Madison Gurkha Download the slides
15:15  Coffee break / Information market
15:45   KEYNOTE: Brigadier General Hans Folmer, Commandant General of the Dutch Cyber Command (DCC) slides will follow soon
16:40  Closing ceremony by Dirk Jan van den Heuvel
16:45  Drinks / Information market

KEYNOTE by Bill Cheswick

Bill Cheswick (Ches) joined us from the U.S. to provide a keynote for this special edition. Ches is known for his early work in Internet security, including firewalls, proxies, and as co-author on the first full book on firewalls. He is also noted for his work in visualizations, especially Internet maps, which have been (re)published widely.

"I am throwing together lots of thoughts, experiences, and predictions into a new talk." Topics may include ancient data, old data, data analysis, leaky data, vast data, fake data, tagged data, public data, lucrative data, personal data, protecting data, long term data, and anonymous data.

About Bill Cheswick

KEYNOTE by Brigadier General Hans Folmer

Brigadier General Hans Folmer, Commandant General of the Dutch Armed Forces Cyber Command (DCC) gave a keynote speech at the end of the program on June 29th 2017. The DCC contributes to military operations with cyber capabilities in order to realise freedom of manoeuvre in the information environment. During his keynote he explained what this means.

"The Future is False Positive" by Hans de Zwart, Executive Director Bits of Freedom

About Hans de Zwart

The future will indeed be false positive. In this talk he discussed the following three things:

  • 1. Look at some worrying (and occasionally wryly funny) recent examples of false positives: a person with Parkinson's disease suspected of being a bus bomber, a police officer identified as a burglar and a black person classified as a gorilla. Examples like these can be interpreted as "weak signals" of a future that will likely be riddled with wrong judgments and spurious accusations.

  • 2. Identify some of the causes of this problem: fear as a motivator for policy making, our changing attitude towards risk and, most importantly, a drastic increase in the number of decisions made by machine learning algorithms.

  • 3. Explore a few of the practical strategies that we could implement in trying to decrease the number of false positives and minimise their damage.

Madison Gurkha had an extensive interview with Hans de Zwart in anticipation of his presentation. Click here to read it! (in Dutch only)

"New Sheriffs in town…" by John Fokker, Digital Team Coordinator at the Dutch National High Tech Crime Unit (NHTCU)

About John Fokker

John Fokker works as a Digital Team Coordinator at the National High Tech Crime Unit (NHTCU), the Dutch federal police unit dedicated to investigating advanced forms of national and international cybercrime. He is a project leader for the NoMoreRansom initiative, a public-private project founded by the NHTCU, Europol’s European Cybercrime Center, Kaspersky Lab and Intel Security, to disrupt cybercriminals spreading ransomware and to aid victims of ransomware.

In this talk John gave some interesting details about this project. How did the No More Ransom initiative start and grow from a one-hit wonder to a global movement to fight ransomware? Check out

"Plan to Throw the First One Away" by Meredith L. Patterson

About Meredith L. Patterson

In The Mythical Man-Month, Fred Brooks famously advised, "The management question, therefore, is not whether to build a pilot system and throw it away. You will do that. Hence, plan to throw one away; you will, anyhow." His advice sparked the evolution of rapid prototyping and agile development. Even so, especially in the web era, companies still find themselves taking hacked-together prototypes into production -- and having to re-engineer at great cost later, especially once security flaws rear their heads. What would happen if people really did plan to throw the first one away? We decided to find out, and built our development budget, hiring plans, schedule, and architecture around Brooks' advice. Does prototyping by any means necessary, then reimplementing from scratch in functional languages according to language-theoretic security principles reduce technical debt and lead to more reliable software? The participants now already know!

"Physical Pentesting" by Walter Belgers, Principal Security Consultant Madison Gurkha

About Walter Belgers

In this lecture, Walter Belgers explained some techniques and tricks to get past doors and locks with the ultimate goal of getting physical access to your IT infrastructure. If an attacker can just walk into your computer room, access to the data that is on your systems becomes dead easy. IT people normally do not have to deal with physical security as that is another department's responsibility. The attendees of this talk are now hopefully able to detect physical flaws to get them fixed.

"The ethics of privacy" by Rachel Marbus, Privacy Officer KPN N.V.

About Rachel Marbus

In working with data, we want to comply with the law. We consider the processing of personal information. This is supposed to be done in accordance with the rules in the Personal Data Protection Act (and soon, with the General Data Protection Regulation). In doing this, we are really only considering the micro level of privacy; data protection. The macro level is the constitutional right - "Everyone has the right to protection of his/her private life" - which also provides protection for values like autonomy and freedom. These values become more important as we process more data, from more sources, with more resources. It becomes truly big.

Are we still seeing The Bigger Picture? Rachel Marbus took a close look at the ethics of privacy. What if an application of big data is permitted by law, but not really right?

"A century of data stealing" by Duncan Campbell

About Duncan Campbell

25 years before the Edward Snowden revelations, in 1988, Scottish investigative journalist Duncan Campbell uncovered and reported the world's first mass surveillance system targeting international communications - covername ECHELON.

At every step of technical change in data transmission and processing, from the long-secret invention of the world's first computer, and even soon after Marconi deployed his invention, government intruders into private communications have been in to help themselves - deeper, wider, and faster than historians have ever recorded, or than most people could have believed.
Technologists have hoped that technical solutions, especially cryptography, might by now have become the means to normalise previous experiences of security and privacy. But is it now "game over"? Can better understanding, transparency, and regulation help?

"Losing Yourself in a Cloud of Things" by Michael Kubiaczyk, Principal Security Consultant Madison Gurkha

About Michael Kubiaczyk

The "Internet of Things" is growing and we can't stop it. We've barely seen the tip of the iceberg when it comes to Internet-enabled devices which make us ask: "What is this ridiculous nonsense?" As the security-unconscious masses buy into the promise of personalized everything, everywhere, identity management will become even more important - for devices as well as their attached human peripherals. Michael presented a few future use-cases and drew parallels with existing technological solutions.

"Hack for Safety - TIBER & MGs RED teaming Approach" by Rogier Besemer, Program manager TIBER at De Nederlandsche Bank & Ralph Moonen, Technical Director Madison Gurkha

About Rogier Besemer About Ralph Moonen

TIBER (Threat Intelligence Based Ethical Red teaming) tests the cyber resilience of the Dutch core financial institutions against advanced attackers. It aims to improve the cyber resilience of the participants. TIBER builds on previous experiences by the Bank of England (CBEST). Key to the program are threat intelligence, emulating the best attackers and collaboratively learning from the findings. Rogier presented the TIBER background, goal and the expected results.

What makes a Red Teaming exercise truly worthwhile? Ralph presented his point of view and shared his experiences in recent projects. Several topics were highlighted, including social engineering, threat intel uses and pitfalls.

Hands-on hacking workshop Raspberry Pi

Always wanted to gain insight into the approaches a hacker will use to retrieve your passwords? Even from a locked computer? During this workshop we showed the participants how a Raspberry Pi can be used to receive passwords, install backdoors, siphon data and monitor network traffic. In various scenarios we guided the participants through the setup and possibilities of a Raspberry Pi as an attack platform.

Time: morning session 10.30 – 12:30 and afternoon session 13:30 – 15:30

Please note! Hands-on hacking workshops are very popular and the number of participants is limited. Are you on the waiting list? We are looking at possibilities for organizing the workshop later this year. We will keep you up to date.

PGP Key Signing Party

During this year's BHS edition we also organised a PGP Key Signing Party. PGP is a popular method to provide end-to-end encryption for email communication. The PGP public key infrastructure relies on a web-of-trust where users are validated by other users. A key signing party is a get-together of people who use the PGP encryption system with the purpose of allowing those people to sign each other's keys, thereby strengthening the web of trust.

This session was intended for experienced PGP users and was not an introduction on how to use or configure PGP. In fact, computers are not even used during a PGP Key Signing.