Just one hour to go, get ready. ti.to/steelcon/2026

Remember, tomorrow is our second, and last, big ticket drop. Three sittings, 9:10, 13:00 and 19:00. Make sure you have your F5 fingers ready if you want to make sure you bag one before they sell out. ti.to/steelcon/2026

Kids track tickets are also on sale on Friday at 1:30pm, this is slightly after the lunchtime main drop just to try to keep things a little separate.

Workshop tickets will go on sale next week, you need a main event ticket to take one so we need everyone to be settled and know they definitely have a ticket before they start grabbing workshop tickets so we don't have to mess around cancelling them and upsetting people.

That means this Friday will be the main ticket drop. As usual, three sittings, breakfast, lunch, and dinner ti.to/steelcon/2026 This is your last chance, there may be a few more trickle out if sponsors don't take their allotments, but no guarantees.

Today is the turn of our workshops to get announced: www.steelcon.info/2026-friday-... Some returning, some new, all brilliant!

Finally found 10 minutes to update the site and put up a list of our Saturday Speakers. www.steelcon.info/2026-speakers/ We are still waiting for a few more confirmation emails from speakers to finish off the line up. I'll get the workshops up soon.

Time for a little jog round Manchester

I think I've just been trolled by Google!

I've just released a new video explaining what NPM postinstall scripts are and how they can be abused to gain a remote shell on a dev's machine or to steal secrets from GitHub. youtu.be/-S8_0LevuqY

I'd love to know how I got on the SEO spammers lists as the owner of seclist<dot>org. I regularly get emails offering to get their domain to number one on google. I do know how I got on their list for specialfriedrice, that was a really good troll and resulted in some very interesting reports.

For anyone who still uses it, I've just pushed a load of small updates to CeWL. Better email address parsing, better meta data extraction, and fixed protocol relative URL handling. Get it at github.com/digininja/CeWL

We have started sending out CFP accept emails. If you submitted but haven't got anything yet, please wait, the review process has been delayed due to illness but we will get through it as quick as we can.

A beg bounty has just come in for ssh banner version disclosure on one of my subdomains. What they failed to notice is the IP for the domain is localhost, they've scanned themselves! I'm trying to work out what to do next, I've got to get them to start attacking themselves in some way.

On Thursday someone registered a new domain and then sent me two emails from it, both from different "people" asking about my testing services. Seems like a very odd but slightly targeted attack, I'll see if they come back to me so I can work out their angle.

Time to pause the ride and sell some @steelcon.info tickets

We've still only got a couple of workshops submitted for Friday, we need some more. If you have something cool you'd like to share with the community in a hands on way, please submit it here: forms.gle/Gn6Cicdw7N6E...

The second round will be at 12 and the final round at 7pm. Kids tickets will be with the main drop after we have announced the speakers. And it looks like we might not be able to disable locking, we are working on it.

The first ticket drop off the day is at 9:10. We figured we would give you a few minutes to get a drink and settled at your office desk before opening them up. We are also going to turn ticket locking off to make it easier this year.

A reminder, our first day of ticket sales is this Wednesday. These are before the talk announcements so are perfect for those who know all the talks are going to excellent and just want to guarantee their place. ti.to/steelcon/2026

This little thing has been sitting on a local pavement since at least Friday evening. I'm so tempted to drive up and throw it in my boot, I bet it's got some good tech in it.

I've just put out a new video, What is dependency confusion, and how to exploit it. www.youtube.com/watch?v=sn7z... If you like this type of content, and think training like this could help your organisation, please get in touch.

You've got till Friday 3rd to submit your talks and workshops. We've got plenty of talks but could do with a few more workshops, so if you've got an idea, but aren't sure, submit it anyway and let us decide forms.gle/hLXt1dibQrA6...

I hate it when my machine bings at me for no obvious reason and there are 50 different apps and tabs that could have caused it.

Screw you Bugcrowd. A full, read, write, drop database given a P5 because I didn't demonstrate actually dropping the db so it is only a "not best practice" exposing the db to the world.

At the EMR Community Awards with the kids theatre group doing their play about George Stephenson.

@computerist.org happy birthday sir. Here's to many more years of hacking ahead.

We've had quite a few submissions to our CFP so far, but we still need more. If you have something interesting to share with the community, get it submitted here: forms.gle/Sx4EZNRcS9zb...

Just built a cool demo for dependency confusion with NPM. I can hijack my local packages to run malicious code. If I get time I might publish it all.

For those who missed it yesterday, our CFP is now open.

Our call for crew is also open. First timers and 10 year veterans, all welcome to apply. forms.gle/doLgUMgGPtTo...

Our CFP is now open. We aren't just looking for 1337 tech talks, we want social skills, admin, defence, and all sorts to give us a nice rounded day. Any questions, please ask. forms.gle/JRrZQZojtbGQ...

@infosecmo.bsky.social don't turn to ice mate, it's daft!

If you want to get your company shouted out on our socials, get an advert in our brochure, and get mentioned in both the opening and closing talks, please get in touch, we are always looking for more sponsors.

Our first fully committed sponsor is @zephrfish.yxz.red. Long time supporter as a speaker and now a sponsor as well. Andy would like everyone to know about his Malwareless Adversarial Emulation training course lms.zsec.red We may be biased, but we reckon it is top quality stuff.

@j4vv4d.com what was the name of the Alienvault alien? I've still got an inflatable one sitting in my kitchen and I'm sure had an official name but can't remember it

Airport Incident Response I was going to be click-baity and title this post, "what incident response taught me about mixing up airports", but honestly, looking at LinkedIn these days, I think the humour would be lost. I'd end up with 50 new followers (75 if I ended the post with the word, "Agree?"…

And we are still looking for sponsors, so if you want to get your brand involved, let us know and we can do you a deal.

And just to confirm, the event itself is July 10-12, we are the weekend before EMF Camp. We had them move their weekend so it didn't clash with ours.

With Easter coming up quick it is time for a date announcement. 1 March - CFP and call for crew opens 1 April - Pre talk announcement tickets 3 April CFP and CFC closes ~ 20 April speakers confirmed ~ 24 April main ticket drop Links and stuff coming closer to the dates.

i built an entire x86 CPU emulator in CSS (no javascript) you can write programs in C, compile them to x86 machine code with GCC, and run them inside CSS lyra.horse/x86css/

I'm taking a @jameskettle.com approach to bug bounties and I've found a vuln and I'm firing it all over to see where it lands. I've found some cool stuff, but working out who to report things to, and getting people to listen, is a nightmare!

You can tell Gmail is getting good at spotting low end extortion scam emails. I just got one where they have put a lot of effort into disguising all mentions of coin, btc, stuff like that. They've even split the BTC address in two and then explained how to put it back together

Royal Mail Tracked 48 only aims to deliver in 2-3 days. "Royal Mail Tracked 2-3 days ish" I guess probably wouldn't sell as well.

If anyone is good with telegram and is bored, I've just been sent a link to a phishing page which sends captured credentials to this telegram chat channel. Go at it!

The Pastebin security team are on the ball. I've reported three comment spammers over the last two days and all three have been taken down within hours of the report. Compare that to GitHub where I reported something two days ago and I've just got a mail to say they received the report.

My book keeper has just pointed out that she has been doing my returns for 24 years. In my head I've only been doing this security thing for a few years, where has the time gone?

Can anyone recommend a good third-party Windows app for blocking USB devices?

I've just had two transactions made on my credit card to Asos. I've not spent with them for over 3 years and my card details have changed since then. My card provider says it looks like a saved token rather than new transactions. Have Asos been popped?