BSides Basingstoke 2025

I can give a rambling talk on Meshtastic, a hobby that can feel like a job at times lol

Picture this: Your startup's breakthrough app crashes overnight. The culprit? A single malicious line hidden in a dependency update from a library you've never audited, maintained by someone you've never met. This scenario isn't fiction—it's happening daily across organizations worldwide. While we celebrate collaborative coding as innovation's engine, we've inadvertently created a massive attack surface that traditional security misses entirely. Through real breach stories and practical defense strategies, this talk reveals how attackers exploit our trust in third-party code and, more importantly, how to secure your software supply chain without killing collaboration or velocity.

After 20 years in IT and cyber security, from Royal Navy networks to mentoring the next generation, I’ve learned that breaking into cyber can be daunting—but it doesn’t have to be. This talk shares my journey, including how I built the free Cyber Core Skills course to help beginners learn the ropes. It’s a call to action for mentoring, knowledge-sharing, and making cyber security more accessible to everyone.

The course covers:

Networking, Windows Domain, Linux, Programming, Cloud and Soft Skills which is equally as hard to develop and are a required skill.

No product pitches.

Vesta is a lightweight, web-based control panel that simplifies Linux server management, appealing to users seeking an intuitive alternative to traditional platforms like cPanel and Plesk. This presentation will examine a critical flaw in Vesta: an admin takeover exploit resulting from reduced seed entropy in the Bash $RANDOM variable. By transforming what was once a theoretical attack into a practical one, we successfully reduced the brute force domain of the seed by over 98%. This allows attackers to generate predictable random values, compromising the security of passwords and tokens. We will discuss the implications of this vulnerability and highlight best practices for enhancing server security in real-world applications.

Demystifying Industrial Control Systems and Operational Technology utilised by our country’s most critical infrastructure. We’ll be looking at how to get started hacking into energy, water and gas utilities, and the technology behind them.

Incident responders are constantly seeing larger and larger breaches, commonly involving multiple domains, more complex environments and critically, hundreds if not thousands of systems. Investigating each system individually is not feasible, so a new approach is needed, that can leverage cloud compute, machine learning and data science to uncover key findings at scale from diverse data sources in a single pane of glass. This talk will showcase the system architecture, discuss specific technologies for implementation, and show some real-world case studies of just how far this system can be pushed and how it can be used to reduce the mean time to respond (MTTR).

QR Codes are a popular attack vector used by threat actors. Statistical evaluation of common QR Code detectors shows that detection of a QR code which is blurred or occluded but none the less recoverable is a computationally hard task. This makes the implementation of practical detection and mitigation systems difficult in real-world scenarios. This is particularly relevant in an adversarial scenario, where an attacker can apply arbitrary transformations to an image which contains a QR code to attempt to bypass CDR systems by making the recognition task sufficiently difficult.

Zanzibar? Rego? OPA? Cedar? Who spilled my alphabet soup? In this talk we will take a walk down the last few years of IAM enhancements, discuss new idea, languages, implementations and access control types. We'll cover what you need to know, the move to Cloud Authorisation services and how you can advantage of these breakthroughs to secure your business and applications.