t2’21 changelog

For the first time in the history of the event, we’re skipping a year. In our previous post we shared our thoughts on the topic, and in this one, we’re announcing some changes and updates to practicalities.

First and most importantly, starting next May t2 will take place in Clarion Hotel Helsinki. This is something which really excites us. Not only is Clarion one of the newest hotels in Helsinki, they have a spectacular Sky Room offering beautiful views and refreshing (c|m)ocktails for the weary traveler. Located just across the street from the previous hotel, with easy access by boat, we’re confident t2 is able to cater to demands of even the most discerning conference guests. In fact, anyone attending t2 with a Wellcraft Scarab 38′ KV will be treated to a bottle of champagne or dinner on the AB. Terms and conditions apply.

In our effort to push t2 into the Security Vacation Club Global Top 5000 list, we paid particular attention to Clarion’s rooftop pool and terrace. Open to all hotel guests, two saunas and a heated pool make it almost too easy to enjoy the Helsinki weather. For the seasoned conference guests, we can recommend saunas with unheated pools or easy access to the Baltic sea.

While t2 has always had that welcoming and safe atmosphere of a community-driven event, where many of our attendees have delivered a talk at some point, and/or know organizers, speakers or other long-time attendees personally, we realize it’s time to make the unofficial official by introducing documented incident reporting procedures. Beginning with t2’21 we will be publishing a transparency report documenting any incidents or noteworthy events related to the conference. Previously we’ve had the localhostess supporting attendees during the event, organizers actively keeping everyone entertained and safe, and a conference EULA setting the expectation for polite behavior. Against this historical background we are expecting the transparency report to hopefully be uninteresting and devoid of content.

In the meanwhile, stay safe.

Terms and conditions for the “t2 Scarab challenge”

  • The boat must be in legal possession of the participant (owned or rented) for the duration of the event
  • The participant must arrive at the conference with the boat (subtle flair, and making a grandiose entrance are both expected, but not mandatory)
  • At least one Advisory Board member must be able to perform an off-shore inspection on the boat, at which time the claimant must demonstrate ability to wear shoes without socks.
  • In case multiple attendees co-own or co-rent an applicable Scarab, the offer is valid for the captain only.
  • Challenge limited to the first 15 claims, in order of berthing. Number of lifetime claims limited to five per participant.

t2 2021 officially announced

The next edition of t2 will happen in spring 2021. We’re opening our thought process below.

As the first phase of the COVID-19 pandemic is almost behind us, it may initially seem counter-intuitive to cancel now. Rest assured, we still know what we’re doing. t2 has always been an event for the community by the community, and shifting the traditional October event was not an easy decision, but it was the only one we could make.

This isn’t the case of being risk averse, rather it’s about understanding both the upsides and the downsides, our own values and focusing on what truly matters.

As a community event, protecting both our audience and speakers is the only important thing at the moment. While countermeasures and protocols against the novel coronavirus and other infectious diseases have been implemented all over Europe, there’s very little practical experience on living with the “new normal”. A second wave might be coming in the fall and that’s just Europe. Last year we had visitors from 17 different countries.

Being a practically-non-commercial event, we can err on the side of caution – there’s no need to calculate “acceptable infection rate”. If you don’t personally know your audience and guests, you might be tempted to categorize “95-99% uninfected” as a job well done, and the few infected just being the cost of doing business. Yet, many of our visitors are longtime t2 attendees and good friends – the rest, new friends and (hopefully) future t2 visitors. Who’s an acceptable casualty?

With the heavy parts out of the way, we can now ridicule glitchy webinars as full blown conference replacements. No doubt watching a hung-over Grugq deliver a keynote over Zoom, wearing just Vibrams without pants, and waiting for the video to buffer like it’s RealPlayer’s heyday, is the epitome of conference immersion for many. After all, how cool is it to sit at home, unshaven and alone, in pajamas, while tweeting how awesome a conference you’re attending? During breaks, you can either join a chat room with thirty to fifty other introverts trying to make awkward small talk all implementing CSMA/CD, or better yet, call one of the other attendees you know and with whom you speak weekly in any case. Instead of proving Dave Aitel so wrong by serving him pizza in Europe at 02:30AM, you can play online (chat) roulette or read someone else’s retweets.

The in-person interaction, exchange of gifts/drinks/insults/cash/exploits, lobby bar chats, meeting new people or old friends whom you mostly meet in conferences, or just casually (and legally!) analysing the security level of a publicly available computing device are the key ingredients for a successful t2. Just like Campari & Soda, t2 is an acquired taste.

By postponing the event to 2021, we have plenty of time to scout for a new venue, with a functional lobby bar. Having t2 in spring means better weather in Helsinki – we’re expecting to finally reach the Security Vacation Club Global Top 5000 list and are thus preparing accordingly. In the meanwhile, we’ll collect more data on the global pandemic and event safety processes which actually work.

Exact dates and CFP will come out later. Stay safe. Be Brave.

Hacking ML in images (and everywhere else)

This time we’re looking back into our archives to bring you a presentation from Guy Barnhart-Magen and Ezra Caltum. In their t2’18 talk the BSidesTLV co-founders cover offensive research possibilities when it comes to machine learning systems. Do you know which ML attacks have the most business impact? Watch the video to learn more.

The presentation will be answering questions such as “what does it mean to hack a machine learning system?” and “what would you actually target?”, with an emphasis on the methodology and the way Guy and Ezra approached the problem.

We have always enjoyed these types of talks, as the shared knowledge empowers the audience to do research and find their own zero days. Speaking of research and zero days – don’t forget to check out BSidesTLV, coming July 2 2020!

John Lambert keynote

Merry Christmas! As a small Christmas gift, we’re publishing John Lambert’s t2’19 keynote “Advancing InfoSec”.

In the keynote John demonstrates with practical examples how we can accelerate learning through “Githubication of Infosec”. If you are a modern defender, or aspire to be one, this is the presentation to watch. Without giving away too much, graphs, MITRE ATT&CK (with cloud updates), winter2020, and repeatable analysis with Jupyter notebooks are all covered.

Thank you John for keynoting this year, and our warmest gratitude for the following kind words:

t2 has always had that commitment to technical excellence. .. Conferences, they may start like this, but they don’t always end up like this.

— John Lambert


Honoring that tradition has kept us going for the past sixteen years, and we promise to continue to work hard to keep it this way, as t2 has always been and always will be an event for the community. Next year’s conference dates are Oct 29-30, 2020.

Finance With Attitude

Those who personally partake in the autumn theater, or have bosses who are in the game, know this is the time of the year when bigger decisions are made.

Since everybody is exposed to big ticket items and larger numbers, throwing in the annual training cost is best done close to those discussions. A pro player separates the travel costs from the event cost, as these come from a different category anyways. Depending on your organization, there may or may not be leeway, so act accordingly.

Why go through all this trouble, our junior readers ask? Well, the discussion of attending t2’20 (and your other favorite cons) is a lot easier for you and your boss when everything has already been agreed beforehand and the money is available for it. If you have a boss who appreciates employees making their life a tiny bit easier, giving the right support at the right time can go a long way.

At the end of the day, your boss is the one who needs to figure out the right course of action after the Good Idea Fairy visited C-level executive(s) and they decided to go three levels deep into the budgeting spreadsheet to make cuts without any discussion on its impact or guidance on a new direction. Or maybe your boss was naive enough to provide accurate numbers from the get-go, when everyone else was inflating their numbers in anticipation of the first round of cuts. 

The worst kind of budgeting wizard just runs out of money in Q4, and the rest of the organization takes the hit. For those, you reserve your sneakiest DDE payload, figure out a chain of actions resulting in the file on their workstation, get the code running (everyone clicks OK at some point), establish persistence and wipe the payload from the original file. Whatever happens after this is left as an exercise for the reader.

Talking of planning, the big game hunter is saving up their Office 0days for this time of the year. Depending on the organization structure and budgeting process, it might be trivial to land your carefully crafted version of the budgeting numbers on at least one C-level workstation. Be sure to take note well in advance if someone is deviating from corporate policy with their device choice – this is most likely one of the easiest targets from an exploitation perspective, as you can bet it lacks some or all hardening. IT isn’t too keen on debugging mysterious crashes happening to a unique snowflake, in case your toolkit isn’t that stable. Bonus points given for pretexting service desk with a false track record of unstable behaviour on a similar device, if you just can’t be bothered to get your budget items stable enough.

Not that any of these kinds of hypothetical things ever happen in real life. It would be ridiculous to potentially burn valuable exploits when you can just enjoy the adrenaline rush of quick rubber ducky action on the top floor, or casually misplace USB-cables in the right meeting rooms (Outlook Scheduling Assistant is your friend here).

So, get those events locked down on the budget level. Getting the commitment for your attendance well in advance never hurts.

After all, bug bounty and exploit money is typically reserved for bottle service, fast cars, exotic vacations and expensive handbags. And yeah, while Helsinki definitely can tick those boxes, we hope that the main reason for attending is our curated and hand picked program – finally available in its complete version.

t2’19 speakers confirmed

The CFP is over for this year and the speaker lineup is ready for your reading pleasure.

Without sounding too enthusiastic for a Finn, it’s difficult not to get excited when there are entries on the agenda like the keynote from John Lambert, Distinguished Engineer and General Manager of the Microsoft Threat Intelligence Center. A seasoned t2 attendee might remember him from sparking the original inspiration behind olleB’s t2’15 talk “If attackers think in graphs, why can’t we?”.

Looking at the schedule, it’s both refreshing and rousing to see research targeting wireless input devices and VPN clients. Both could easily be dismissed during target selection as mature technology, yet here we are. Having said that, there’s still a healthy focus on modern and up-and-coming tech in the agenda, such as using machine learning for vulndev.

Traditionally this post always ends with a gentle reminder to get your ticket early. The sales have been open for a couple of months and a good chunk of the tickets have already been sold. If you haven’t bought yours already, there’s not a better time for action than right now.

Call for papers 2019

We’re back. October 24-25 in Helsinki. CFP and ticket sales are now open.

Looking for an event worthy of your 0days or world class research? Prefer conference disclosure over jumping through hoops with uninterested vendors? Worried about sponsors doing shady backroom deals to block your talk? We’ve got your back. As an independent, vendor-neutral, practically-non-profit conference we value freedom of information and our guests over everything else – an ethos which has kept us going for the past fifteen years.

Organized for hackers by hackers, we’re the oldest technical security event in Finland. Our goal of providing the audience with high quality technical content and a welcoming atmosphere, competitive on a global scale, brings people to Helsinki annually from all around the globe. Whether you’re coming from the US, Israel, Russia, Germany, the UK, France, Singapore, or heaven forbid, even Sweden, you’re guaranteed to find like-minded people to share ideas or drinks with.

“What happened in Vegas does not happen in Finland”

— Eevil Stöö


Never heard of Finland? No worries, we’re used to it! In addition to being the home country of Slush, we have a vibrant Moomin based import-export relationship with Japan. Luckily the Finnish language is as easy to learn as Japanese, only less popular. Here, in the home country of Linux, technology is so ingrained into our culture that even gangsta rappers know what’s up. As a nation, we’re also very comfortable with the idea of having a meeting naked – as long as traditional Sauna is involved.

t2’19 offers you an audience with a taste for technical security presentations containing original content. This is your chance to showcase the latest research and lessons in playing Jenga with memory allocators, practical cryptographic attacks against hardware, blinking the wrong LEDs, DIY torque vectoring, stealing Wu-Tang albums with Bill Murray, bypassing modern exploit mitigation techniques, combining policy work with offensive/defensive technology, running a Whisk(e)y distillery, having a complicated relationship with nation states, efficient data analysis of Internet traffic streams on botanical continent level, hacking space shuttles, catching bad guys with SIGINT, nondestructive / covert entry, professional shitposting, elegant cyber crime or any other relevant research containing the type of love and happiness appreciated by seasoned conference attendees.

The advisory board will be reviewing submissions until 2019-07-31. Slide deck submission final deadline 2019-09-11 for accepted talks.

First come, first served. Submissions will not be returned.

Quick facts for speakers
+ presentation length 60-120 minutes, in English
+ complimentary travel and accommodation for one person[6]
+ decent speaker hospitality benefits
+ no marketing or product propaganda

Still not sure if this is for you? Check out the blast from the past.

Considering many of our visitors know what they want and trust us to deliver, we’re making their life easy. The registration is now open!

The total number of attendees, including speakers and organizers, is limited to 99.

How to submit
Fill out the form at https://t2.fi/action/cfp

[0] {"enableDebug":true, "password":"changeme"}
[6] Except literally @nudehaberdasher and @0xcharlie

2019 dates announced

Get your calendar out and be ready for another edition of t2! Like a French scientist once remarked, in the field of observation, chance favors only the prepared mind.

Dates announced: t2 infosec in Helsinki | October 24-25, 2019 | 15 years of technical security excellence #t2infosec

With that out of the way, we are also updating the process for giving out complimentary tickets. After successfully running the t2 challenge for over a decade, and then giving a shot at other formats, we are retiring the concept of a challenge. While this marks the end of an era, it does not mean we have stopped appreciating fresh and upcoming talent – on the contrary, we feel it is extremely important to give young guns a helping hand and an opportunity to jump-start their artisanal career in the craft of cyber.

Instead, starting 2019, each member of the advisory board has the power to annually reward a person (or an entity) with a free ticket. As before, this free entry entitles the recipient to all the same benefits given to a regular ticket holder. To commemorate that special moment, we have ordered custom t2 challenge coins. All hints and tips are naturally appreciated, so if you know someone who in your opinion deserves a free entry, please let us know! Elegant bribery, trickery, subterfuge, exploitation or other artful, mischievous behavior requiring skill is always appreciated.

Greetings to Daniele Bianco for the awesome challenge coin design! Pics will be posted on Twitter once the coins arrive.

Halvar Flake keynote

The advisory board and organizers of t2 are honored and pleased to have Halvar Flake deliver the headlining keynote for the 15th anniversary edition of the event. His speaking history with t2 starts in 2005, and Halvar is certainly recognized as one of the luminaries in the field. The following teaser provides a taste of what to expect.

Risks, Damn Lies, and Probabilities

IT continues to bring pervasive change to our societies, industries, and everyday life. This transformation also brings individualized and complicated risks to individuals, companies, and to societies.

IT security is, to some extent, charged with managing these risks. But for an industry tasked with managing risk, we are pretty unstructured in thinking about risk, accounting for risk, and most of all: Holding ourselves and other tech executives accountable for estimates of risks and their probabilities.

The IT industry is often incentivized to incur risks on behalf of others – and to underestimate the actual magnitude of these risks. Customers are either not empowered or not incentivized to challenge excessively rosy risk estimates. Entire executive careers in IT are built on underestimating risks incurred for others.

This talk will cover my observations about the ways we think sloppily about risk and harm, about the IT industries’ lack of risk management for systemic risks, and some thoughts about holding IT industry executives accountable for their risk estimates and decisions.

— Halvar Flake

The Art of the Budget hacking

It’s that time of the year again. To commemorate the 15th anniversary edition of t2, we wanted to open up the reasoning behind the frequent reminders to allocate training budget for t2 and our friendly suggestions for early registration.

Before getting to the nitty gritty it’s important to highlight that we organize t2 out of love, both for community/scene and hackerdom. This cannot be done for any other reason.

Conferences, and the event business in general, impose certain rules of business and financial terms on the organizers. These are location and time insensitive, and apply to most parts of the world.

  • Venue
    • Needs to be booked well in advance, and unless you have been doing business for a long time, they require a prepayment of some sort.
    • Once you confirm dates, you are committed. Cancellation terms do exist but it’s not like you can bail out at the last moment.
    • Multiply this by the number of locations (e.g. if you plan on organizing dinners related to the event).
  • Liquidity
    • To offset for invoices due before the event, you either need to have healthy finances with some buffer from the previous years or take a loan (usually from the main organizer who takes the biggest financial risk personally). If ticket sales start early, you might have enough cash flow to balance everything out.
  • Travel arrangements
    • After CFP is done, you have the confirmed speakers and the event is nearer, the booking of flights begins. If you are covering 100% travel cost, you want to optimize the time of purchase to get the best price. Not too soon, not too late.
    • Here you have the risk of cancellations, or other last minute changes – all part of normal life.
  • Scale economics
    • Applies to your business only if you’re Jeff Moss. Forget you ever heard the term, more important jargon is MOQ.
    • The smaller the number of maximum attendees and planned financial upside, the smaller the window of error between loss, breakeven and profit.
  • Sponsors
    • Depending on the year, sponsors might save the day when it comes to the event’s financial performance. Fewer sponsors means a smaller risk margin.
    • Some sponsors would prefer to have the attendance list (with contact details, of course) or buy speaking slots. t2 sells neither of those.
    • Please take a moment to check out what the valued sponsors are doing during the event and online. Few events could do without them.
  • Conference schwag
    • Needs to be ordered well in advance to account for unexpected delays. Typically a prepayment is required, as your vendor needs to pay their suppliers and/or material.
    • Even when using high quality partners, you will have defects. The more professional the partner, the easier it will be to sort out the mess.
    • You end up ordering a good amount of extras to account for everything, and then giving these away for free the following year (or during the year, unless you organize an exclusive luxury fashion event, in which case you burn the extras with the receipts).

Having been in the game for well over a decade, most of it with the same partners, we have been able to build the trust and negotiate cash flow friendly payment terms. It’s like playing Tetris during the year with the calendar, but the blocks are invoices and you are actually gambling.

Nevertheless, each year the familiar friendly faces in the audience, the first timers and returning speakers make it all worthwhile. It’s an honor to have the event filled with enough intelligence to make your brain hurt. With that out there in the open, we hope you register your ticket to this year’s 15th anniversary celebrations sooner rather than later!