Justin Steven
Justin is a seasoned computer security professional with 13 years of experience across Incident Response and Software Security. As Tanto Security's Head of Research, Justin fosters the curiosity and ingenuity of our consultants, supporting them as they engage in their own research projects.
Sessions
Security wonks do some of our best work when we're away from the keyboard. Whether we're ruminating on a bug or dreaming up new research opportunities, our brains are almost always running. I've found that having a well-tuned productivity system helps keep my life on track when work gets hectic, and conversely, to be "regular and orderly in my life, so that I may be violent and original in my work" (Gustave Flaubert).
I'll walk you through my productivity management methodology based on David Allen's "Getting Things Done" (2001). We'll cover how to bootstrap a system using a painstaking brain-dump, how to triage and collate your tasks and projects, how to rapidly capture thoughts as soon as they come up, how to set up recurring events to put your life on auto-pilot, how to defer things using someday/maybe lists to hide the stuff you're not ready for yet, and how to use contextual tagging so that tasks come back to you exactly when you can do something about them.
Having a trusted system has helped me to achieve more, manage my stress, and make room for thoughts that are worth having. Whether you're a student, a professional, or just someone with responsibilities, you can be more present, focused, and effective in your personal and professional life.
One from the vaults. In 2020, Justin had a serendipitous encounter with a dangling legacy AWS S3 bucket once owned by the Linux Vendor Firmware Service (LVFS). "What if I registered it," he thought. "What's the worst that could happen?" This is the story of how he wedged himself between 100,000 Linux machines and their firmware updates, stumbled upon a bypass in fwupd's PGP-based firmware update signature checking, traced the flaw back to its root cause, and ultimately returned the bucket to its original owner.
Insomnia by Kong is a popular API client, especially among developers and security testers. Marcio and Justin discovered a critical template injection vulnerability (CVE-2025-1087) in Insomnia, exposing users to remote command execution with just a couple of requests to a malicious HTTP server.
They will walk you through the story of how they stumbled upon the initial "weird behaviour" during a routine API penetration test, examine Insomnia's templating implementation, dive into exotic Nunjucks template injection, dissect their exploitation strategy, and show you how they bypassed several attempted patches by the vendor. They'll close with some thoughts on the disclosure and patching experience, discuss the fragility of quick-fix sanitisation-based mitigations, explore the challenges of bug triage in the real world, and consider how decisions made during software development can lead to trouble down the road.