Archive for the talks Category

Level: Technical

Abstract:
Discover the world of encrypted DNS protocols – DoH, DoT, DoQ, and DNSCrypt – and why they matter for safeguarding your online privacy against eavesdroppers and censors.

The session explores the core concepts of DNS encryption, starting with a comparison of popular protocols such as DNS over HTTPS (DoH), DNS over TLS (DoT), and DNS over QUIC (DoQ). These methods protect DNS queries from interception, but each has trade-offs in speed, compatibility, and deployment.

After DNS encryption, anonymized DNS will be presented, with Oblivious DoH (ODoH) and DNSCrypt as the two main actors in this area.

Attention then shifts to DNSCrypt, the protocol that stands out with its unique blend of authentication, encryption, and short-term key rotation for enhanced anonymity. Learn practical setup tips, real-world use cases, and why it often outperforms the others in privacy-focused scenarios.

There will also be mention of modns, a PoC fork of DNSCrypt that aims to extend anonymization by adding support for multiple relays in the DNS query chain.

Lastly, the talk explains how encrypted DNS can pose a threat in business environments, or generally in the wrong hands or when used by bad actors.

Bio:
Nikola Garafolic aka nix is a Linux enthusiast and self-hosting advocate who thrives on building homelab projects and exploring emerging tech trends. Comfortable with IPv6 and passionate about creating practical solutions from the ground up.

Level: Zero tech

Abstract:
I intend to present my journey as a Penetration Tester, trying to inspire and motivate youngsters to follow this path.

Bio:
Razvan Ionescu is Head of Offensive Security Services at Pentest-Tools.com. He has spent the last decade and more deep in the world of ethical hacking and application security, breaking into complex systems so teams can build and ship software that’s actually secure.
His work focuses on uncovering business-impacting vulnerabilities in web apps, APIs, and AI-powered systems — especially the logic flaws, privilege issues, and hidden assumptions that tools rarely catch.

He is also GSE-certified (#298), one of the few security professionals globally to earn the GIAC Security Expert certification. For him, it’s less about the badge and more about the path to get there: years of hands-on testing, real-world problem-solving, and a constant desire to understand how things fail.

At Pentest-Tools.com, he leads offensive security engagements across industries. His goal is simple: turn complex technical findings into clear, practical guidance that developers and security teams can use immediately. Whether it’s bypassing access controls or chaining business logic flaws across AI-driven workflows, he enjoys the process of breaking things apart and helping others put them back together, stronger.

Level: Technical

Abstract:
Imagine a development pipeline where code writes itself, tests itself, and deploys itself—all before you finish your morning coffee. This is the promise of agentic IDEs and agent-driven development. But for security professionals, it’s a potential nightmare. When an LLM generates thousands of lines of code in minutes, human review cycles become the bottleneck, and the uncertainty of the output becomes the primary risk.

Traditional SDLC security is built for human velocity; it breaks under AI velocity. This session dissects the collision of AI agents and application security. We will move beyond the hype to dissect real-world implementations: where AI-native development shines, where it fails, and where it introduces terrifying new risks.

We will contrast the old world with the new, exploring the dual nature of AI-native coding: the massive productivity gains versus the anxiety of deploying code generated by a probabilistic engine. We will discuss how to build new verification layers and processes that don’t just “review” code, but validate it at the speed of the agent.

Join us to learn how to build security guardrails capable of handling high-velocity uncertainty, ensuring that the agent doesn’t just ship code faster, but ships it safely.

Bio:
Jozsef Ottucsak is a seasoned Product Security Architect with over a decade of experience in secure software development lifecycle (SDLC) initiatives for on-premise, hybrid, and cloud-native applications.

Currently serving as a Staff Product Security Architect at Diligent, he specializes in enabling developers to build secure products by establishing security requirements, designing secure-by-design processes, and providing technical guidance.

Level: Low tech

Abstract:
Across industries, more than half of the software used is now open source (OSS). This includes both OSS in a company’s own developed products and OSS in components provided by suppliers. The shift towards OSS has led to an ever-increasing demand for license compliance, security assurance, and software bills of materials (SBOMs). In addition, the supply chain visibility required to address security issues will only become more crucial with the introduction of the EU’s Cyber Resilience Act. To deal with these challenges, organizations can adopt the ISO standards developed within the OpenChain community, namely ISO/IEC 5230:2020 for license compliance and ISO/IEC 18974:2023 for security assurance. This talk will highlight where to start and how you can get involved in the OpenChain community.

Part 1 of the talk will make the case for implementing a program to manage OSS in your organization. It will focus on both the positive effects of establishing such a program, as well as the risks assumed by not having one.

Part 2 will focus on the OpenChain ISO Standards and how they can be used as simple reference documents for upgrading your operations for a secure and compliant software supply chain.

Part 3 will be about the OpenChain community, what it has to offer, and how you can get involved and contribute. Special focus will be placed on the OpenChain Meridian 22 Chapter*, which we recently created for central and eastern Europe, with an open invitation to anyone who would like to participate.

Bio:
Vladimir Slavov is a lawyer and a programmer. He works at Bosch’s Open Source Program Office, focusing on open source management and compliance. He is an AWS Certified Solutions Architect Associate, an AWS Certified AI Practitioner, and an AWS Certified Cloud Practitioner. He is also a committer on the Eclipse Apoapsis Project. His recent obsession is messing around with Claude Code.

Level: Advanced Subject Matter

Abstract:
Not just a talk, but a punk journey through a home-made reverse engineering of an Android application to investigate how an NFC tag (NXP NTAG 21X) stores credits and manages transactions at live events, for profit and fun: free drinks (and fun, it’s always about fun). Like in Cluedo, we put together all the clues: the public product features, the hardware datasheets, and open-source tools (P1sec/hermes-dec, mitmproxy/android-unpinner, iBotPeaches/Apktool, and Kirlif/HBC-Tool) to reverse a Hermes-encoded Android bundle.
The talk covers the failures, the technical constraints, the code review and analysis, the hypotheses, and, in the end, the patience: the patience to wait more than four months to test my theoretical idea.
Come and listen to this story, a little punk, a little hacker.

Bio:
Luigi Gubello – Security Engineer. Sometimes I try to hack stuff. Investigated by the authorities due to an SQL injection, financed by the powers that be, someone said.