BSides Basingstoke 2025

25/07/2025

| Time | Track 1 | Track 2 | Workshop |
|---|---|---|---|
| 9:30-10:00 | Arrivals and check-in at The Dice Tower | | |
| 10:00-10:10 | Welcome - Committee | | |
| 10:10-10:35 | Walls, Tags, and TTPs: OpSec Lessons from Graffiti Writers - Pete Neve | | |
| 10:35-11:00 | | | |
| 11:00-11:25 | Sigint & cracking RF - James Stone | | DFIR Foundations - Jymit Singh |
| 11:25-11:50 | | Meshtastic - Wireless wonders for the wandering techies - Martin Robertson | |
| 11:50-13:00 | Lunch - The Dice Tower | | |
| 13:00-13:25 | All at sea. Thought your OT / IT infrastructure was complex? Try doing it on a cruise ship. - Ken Munro | Too Many Cooks in the Code: The Security Cost of Collaboration - Adaora Uche | |
| 13:25-13:50 | | Breaking In, Giving Back: My Cyber Security Journey - Tom Coogans | |
| 13:50-14:15 | Bridging the Gap: Design and Ops Assemble - Paul Spruce | Vesta Admin Takeover - Exploiting reduced seed entropy in bash $RANDOM - Adrian Tiron | How to Avoid an Udder Disaster - Keiran Fowler |
| 14:15-14:40 | | | |
| 14:40-15:00 | Break | | |
| 15:00-15:25 | Red Team: Are We the Baddies? - Rebecca 'Bex' Markwick | Hacking ICS & OT Networks - Joseph Foote | Building a Security Mindset, Lessons from the Trenches - Jymit Singh |
| 15:25-15:50 | | Forensics: We're Not Just Byte-Sized - Ben Hodson | |
| 15:50-16:15 | Debugging Burnout: Thriving in a Neurodiverse Tech Teams - Olga Zilberberg | QR Codes: Threats, Detection and Mitigation - James Brimer | |
| 16:15-16:40 | | IAM very confused - A Friendly Guide to Cloud and Modern AuthZ - Tom Cope | |
| 16:40-17:05 | Charity Auction and Closing Remarks - Committee | | |
| 17:05-??:?? | Drinks! Bar Tab sponsored by Interrupt Labs - The Dice Tower | | |

Track 1

  • Graffiti artists and hackers may seem worlds apart, but both thrive in legal grey zones, chase notoriety with anonymity, and obsess over operational security. This talk explores the real-world OpSec tactics used by graffiti writers - disguises, tools, reconnaissance, and anti-surveillance techniques - and draws direct connections to red teaming, pen testing, and physical security for blue teams.

    Whatever shade of grey your hat is there’s a surprising amount to learn from those who bomb walls, not boxes.

  • Equipment list and guide for getting started with snooping on the radio spectrum

  • OT/IT security is notoriously difficult but never more so than on a ship!

  • A fun and engaging talk around how to foster the much-needed collaboration between your Security Design and Operational teams.

  • This talk will look at how Red Team engagements can cause long-term harm in how they plan out and run tests, the pretexts they use, and a fundamental misunderstanding of why they are testing at all. The focus is on human-based testing as, unlike computers, once you break a person you can’t just reboot or patch them. Certain ethical considerations are ignored or missed because of the attitude of ‘the bad guys could do it so we do it’ when that isn’t legitimate ethical reasoning. Using real-world examples to identify problematic testing and suggesting different ways of doing things, this talk will help change how Red Teams think about engagements and change how engagements are done to improve rather than undermine security in the organisations they work with.

  • The cybersecurity sector thrives on precision, deep focus, and complex problem-solving — strengths often found in neurodivergent professionals.

    Yet behind the high performance, many individuals are silently facing burnout. This interactive workshop explores how to support mental health and reduce burnout risk in neurodiverse cybersecurity teams.

    Through practical tools participants will uncover ways to create inclusive workflows, reduce overwhelm, and foster psychological safety.

    Ideal for team leads, neurodivergent professionals, and anyone passionate about sustainable, human-centred cybersecurity workplaces.

Workshops

  • It's 5am, you are paged into an incident and what sets you apart from other incident handlers is that you have the basics down and never miss a step in the process. It's not always about being an expert in tooling, it's about sticking to the plan and not missing an artefact when every second counts.

  • Udder Disaster is an interactive business continuity exercise. You will take the role of the owner of a dairy farm and must navigate 5 years of investment into the business. You'll need to invest in security, improve farming conditions whilst juggling advancements with automation.

  • Drawing from over a decade of on-call experience, incident response, and leading security teams at scale, learn the mental frameworks and operational habits that distinguish exceptional security professionals from their peers.

Track 2

  • I can give a rambling talk on Meshtastic, a hobby that can feel like a job at times lol

  • Picture this: Your startup's breakthrough app crashes overnight. The culprit? A single malicious line hidden in a dependency update from a library you've never audited, maintained by someone you've never met. This scenario isn't fiction—it's happening daily across organizations worldwide. While we celebrate collaborative coding as innovation's engine, we've inadvertently created a massive attack surface that traditional security misses entirely. Through real breach stories and practical defense strategies, this talk reveals how attackers exploit our trust in third-party code and, more importantly, how to secure your software supply chain without killing collaboration or velocity.

  • After 20 years in IT and cyber security, from Royal Navy networks to mentoring the next generation, I’ve learned that breaking into cyber can be daunting—but it doesn’t have to be. This talk shares my journey, including how I built the free Cyber Core Skills course to help beginners learn the ropes. It’s a call to action for mentoring, knowledge-sharing, and making cyber security more accessible to everyone.

    The course covers:

    Networking, Windows Domain, Linux, Programming, Cloud and Soft Skills, which are equally hard to develop and are a required skill.

    No product pitches.

  • Vesta is a lightweight, web-based control panel that simplifies Linux server management, appealing to users seeking an intuitive alternative to traditional platforms like cPanel and Plesk. This presentation will examine a critical flaw in Vesta: an admin takeover exploit resulting from reduced seed entropy in the Bash $RANDOM variable. By transforming what was once a theoretical attack into a practical one, we successfully reduced the brute force domain of the seed by over 98%. This allows attackers to generate predictable random values, compromising the security of passwords and tokens. We will discuss the implications of this vulnerability and highlight best practices for enhancing server security in real-world applications.

  • Demystifying Industrial Control Systems and Operational Technology utilised by our country’s most critical infrastructure. We’ll be looking at how to get started hacking into energy, water and gas utilities, and the technology behind them.

  • Incident responders are constantly seeing larger and larger breaches, commonly involving multiple domains, more complex environments and, critically, hundreds if not thousands of systems. Investigating each system individually is not feasible, so a new approach is needed that can leverage cloud compute, machine learning and data science to uncover key findings at scale from diverse data sources in a single pane of glass. This talk will showcase the system architecture, discuss specific technologies for implementation, and show some real-world case studies of just how far this system can be pushed and how it can be used to reduce the mean time to respond (MTTR).

  • QR Codes are a popular attack vector used by threat actors. Statistical evaluation of common QR Code detectors shows that detection of a QR code which is blurred or occluded but nonetheless recoverable is a computationally hard task. This makes the implementation of practical detection and mitigation systems difficult in real-world scenarios. This is particularly relevant in an adversarial scenario, where an attacker can apply arbitrary transformations to an image which contains a QR code to attempt to bypass CDR systems by making the recognition task sufficiently difficult.

  • Zanzibar? Rego? OPA? Cedar? Who spilled my alphabet soup? In this talk we will take a walk down the last few years of IAM enhancements, discuss new ideas, languages, implementations and access control types. We'll cover what you need to know, the move to Cloud Authorisation services and how you can take advantage of these breakthroughs to secure your business and applications.

Our Wonderful Sponsors

DSTL

Long-time sponsors of BSides Basingstoke, DSTL is part of the Ministry of Defence providing expertise and delivering cutting-edge science and technology for the benefit of the nation and allies. We sustain and grow science and technology capabilities that must remain in government, and help develop capabilities that are managed elsewhere, for example, in industry and academia. Based at Porton Down and Fareham, we identify and monitor national security risks and opportunities to protect the UK and our interests at home, at our border, and internationally, in order to address physical and electronic threats from state and non-state sources. We work collaboratively with external partners in industry and academia worldwide, providing expert research, specialist advice and invaluable operational support.

ControlPlane

Trusted by the world's most secure organisations to build and assure mission-critical platforms. ControlPlane is a team of cloud native security experts with a passion for open source and a focus on culture and collaboration. Offering threat modelling, hardening, offensive & defensive security, engineering, operations and training.

Sainsburys

Making good food joyful, accessible and affordable for everyone, every day. Offering delicious, great quality food at competitive prices has been at the heart of what Sainsburys does since their first store opened in 1869. Today, inspiring and delighting their customers with tasty food remains their priority. Their focus on great value food and convenient shopping, whether in-store or online, is supported by their brands – Argos, Nectar, Habitat, Tu, Sainsburys Bank and SmartCharge.

Tenable

Another returning sponsor, Tenable is the Exposure Management company. Approximately 43,000 organizations around the globe rely on Tenable to understand and reduce cyber risk. As the creator of Nessus®, Tenable extended its expertise in vulnerabilities to deliver the world’s first platform to see and secure any digital asset on any computing platform. Tenable customers include approximately 60 percent of the Fortune 500, approximately 40 percent of the Global 2000, and large government agencies.

Softcat

Generously sponsoring us again, Softcat support commercial and public sector organisations to design, procure, implement and manage their digital infrastructure. Over the course of the last 25 years, we’ve built a vibrantly successful, industry-leading business with an unwavering dedication to customer services and solutions. We help customers to use technology to succeed, by putting our employees first and now count over 2500 individuals as part of our team. 

LMAX

LMAX Group is a global financial technology company and the leading independent operator of multiple institutional execution venues for FX and digital assets trading. With offices in 9 countries and a global client base, the Group builds and runs its own high performance, ultra-low latency exchange infrastructure, which includes matching engines in London, New York, Tokyo and Singapore. LMAX Group has a strong presence in all the major capital markets across Europe, North America and Asia-Pacific.

Their rapidly expanding global institutional and professional client base is a testament to their distinctive business model that delivers efficient market structure and transparent, precise, consistent execution to all market participants. LMAX Group is uniquely positioned across traditional finance and digital assets trading and infrastructure, providing cross-asset market access for all client segments. The LMAX Group portfolio includes LMAX Exchange, LMAX Global and LMAX Digital.

Interrupt Labs

Interrupt Labs is a leading vulnerability research company working on some of the toughest challenges in the industry; from popping browsers to exploiting phones and cars, we cover it all with our exceptional team of vulnerability researchers. We are always on the lookout for talented people; whether you are early on in your career, or you already know your way around IDA, we are keen to talk research.

Special Thanks:

Jymit Khondhu

Kieran Fowler

Brian Whelton

Dice Tower staff

and of course all of our wonderful speakers, exhibitors and volunteers!