Behind closed doors, ubiquitous surveillance systems have evolved in parallel to, and hidden within, the global communications infrastructure. Developments in signals intelligence (Sigint) technology and tradecraft have shadowed every new telecommunications development. Sigint agencies have covertly sought to lead, change, and subvert the arrangements that IT practitioners make for security and privacy. Partly in consequence, in this decade we have entered a period of frequent, massive and damaging data losses. In this talk, he will review the history of mass electronic surveillance in the post-Edward Snowden world, and the technical challenges that can now be examined with the benefit of new information. The scale and intrusiveness of what has been found baked into the Internet has taken everyone by surprise. But it has not revealed magic. Instead, the security of the Internet and of everything connected to it has been broken by familiar, understandable techniques and technologies. Now we know their names. In the transitions from analogue to digital, from the first days of C2C ("computer-to-computer") spying to DNI (Digital Network Intelligence) today, from the first automated surveillance system to today’s multinational behemoths, common tools are still in use 50 years after they were first invented. This talk will help dissect the obscure tradecraft terms that mask and obfuscate how Sigint works.

Hacking Cookies in Modern Web Applications and Browsers
Dawid Czagan

Since cookies store sensitive data (session ID, CSRF token, etc.), they are interesting from an attacker's point of view. As it turns out, quite a few web applications (including sensitive ones like bitcoin platforms) have cookie-related vulnerabilities that lead, for example, to user impersonation, remote cookie tampering, XSS and more. Developers tend to forget that multi-factor authentication does not help if cookies are insecurely processed. Security evaluators underestimate cookie-related problems.
Moreover, there are problems with the secure processing of cookies in modern browsers, and browser-dependent exploitation can be used to launch more powerful attacks. That's why secure cookie processing (from the perspective of both the web application and the browser) is a subject worth discussing. The following topics will be presented:
- cookie-related vulnerabilities in web applications
- insecure processing of the Secure flag in modern browsers
- bypassing the HttpOnly flag in Safari
- problems with the Domain attribute in Internet Explorer
- cookie tampering in Safari
- underestimated XSS via cookie
- HTTP Strict Transport Security (HSTS)
- importance of regeneration
- and more
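The talk abstract lists the cookie attributes and response headers a security evaluator should check (Secure, HttpOnly, the Domain attribute, HSTS) and the need to regenerate the session identifier. The following is an added example, written for this page and not code from the talk or its speaker: a small auditor that parses Set-Cookie headers from a constructed HTTP response and reports the weaknesses named above, plus a minimal session store whose regenerate() shows why a pre-login session id must be discarded. Header values, host names and the SESSION_NAMES list are constructed sample data; the function and class names are the example's own.

```python
"""Audit Set-Cookie / HSTS headers and demonstrate session-id regeneration.
Added example with constructed sample data; not the talk's own code."""
import secrets
from dataclasses import dataclass, field

# Cookie names treated as session identifiers (constructed list for the example).
SESSION_NAMES = ("sessionid", "sid", "phpsessid", "jsessionid")


@dataclass
class ParsedCookie:
    name: str
    attrs: dict = field(default_factory=dict)   # lower-cased attribute name -> value


def parse_set_cookie(header: str) -> ParsedCookie:
    """Split 'name=value; Attr=val; Flag' into the cookie name and its attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return ParsedCookie(name=name.strip(), attrs=attrs)


def audit_set_cookie(header: str, served_host: str) -> list:
    """Return a list of findings for one Set-Cookie header (empty list = no issue)."""
    cookie = parse_set_cookie(header)
    a = cookie.attrs
    findings = []
    if "secure" not in a:
        findings.append("missing Secure: cookie is also sent over plaintext HTTP")
    if "httponly" not in a:
        findings.append("missing HttpOnly: readable by script, so XSS can steal it")
    if "samesite" not in a or a["samesite"].lower() == "none":
        findings.append("SameSite absent or None: sent on cross-site requests")
    domain = a.get("domain", "").lstrip(".").lower()
    if domain and domain != served_host.lower():
        # A cookie scoped to a parent domain is visible to every host under it.
        findings.append(f"Domain={domain} is broader than serving host {served_host}")
    if cookie.name.lower() in SESSION_NAMES and ("max-age" in a or "expires" in a):
        findings.append("session cookie is persistent: survives browser close")
    return findings


def audit_response(headers: list, served_host: str) -> dict:
    """Audit every Set-Cookie in a response and check that HSTS is present."""
    report = {}
    hsts_seen = False
    for key, value in headers:
        if key.lower() == "set-cookie":
            report[parse_set_cookie(value).name] = audit_set_cookie(value, served_host)
        elif key.lower() == "strict-transport-security":
            hsts_seen = True
    if not hsts_seen:
        report["_response"] = ["missing Strict-Transport-Security header"]
    return report


class SessionStore:
    """Minimal in-memory session store; regenerate() issues a fresh id on login."""

    def __init__(self):
        self._sessions = {}

    def create(self, data=None) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = dict(data or {})
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def regenerate(self, old_sid: str) -> str:
        # Move the data to a new id and drop the old one, so an identifier that
        # existed before authentication (or was planted by tampering) is worthless.
        data = self._sessions.pop(old_sid)
        return self.create(data)


# Constructed sample response: one weak session cookie, one hardened one, no HSTS.
SAMPLE_RESPONSE = [
    ("Set-Cookie", "sessionid=abc123; Path=/; Domain=.example.com"),
    ("Set-Cookie", "sid=def456; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Content-Type", "text/html"),
]

if __name__ == "__main__":
    for name, issues in audit_response(SAMPLE_RESPONSE, "www.example.com").items():
        print(name, issues or "ok")
    store = SessionStore()
    before = store.create({"user": None})
    after = store.regenerate(before)
    print("old id still valid:", store.get(before) is not None)
```

Run the file to see the report for the two constructed cookies; the weak `sessionid` produces four findings and the hardened `sid` none, and the response as a whole is flagged for the missing HSTS header.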