Speaker

Johnny Xmas

"I don't seek to be well-known, I seek to be worth knowing"

Chicago, Illinois, United States

Johnny Xmas, a prominent figure in the Information Security community since 2002, is a board member of both Chicago's famous BurbSec community, as well as its BSides312 conference. He's most notably recognized for his pivotal role in exposing the American TSA Master Key leaks (2014-2018), uncovering Venmo stalking vulnerabilities (2018), and being an overall nuisance.

Past experience includes serving as Director of Cyber Training at security research firm GRIMM, defending against automated abuse of web infrastructure at Kasada, and working as Lead Researcher on Uptake's Industrial Cybersecurity Platform. Before that, he spent many years in the field as a penetration tester, as a security engineer for a global Fortune 500 retail corporation, and as a mainframe auditor and systems engineer for several IT asset recovery firms.

Today, Johnny continues to shape and elevate the Information Security landscape with his expertise and contributions as the President of the BurbSec Information Security Network and the Head of Offensive Security for a massive, global manufacturing and agriculture corporation.

Area of Expertise

  • Agriculture, Food & Forestry
  • Consumer Goods & Services
  • Energy & Basic Resources
  • Information & Communications Technology
  • Media & Information

Topics

  • Information Security
  • security awareness
  • awesomeness
  • Information Security Governance and Risk
  • chief information security officer
  • OT Security
  • IoT Security and Data Management
  • OT & IoT Security
  • Industrial Control Systems Cybersecurity
  • Industrial Control Systems

SIEM and the Art of Motorcycle Maintenance

The Art of Proper SIEM and Motorcycle Ownership
Join me, an infamous local SIEM and motorcycle destroyer, as I walk you through the dos and don’ts of SIEM and motorcycle ownership!

A Word of Caution

NOTE: This talk will contain zero information that you have not heard many, many times before. For some reason, however, I see all of it being violated in the most egregious ways at company after company after company.

This has led me to believe that the industry has either:

  • Never received all of the information all at once, or
  • Not been given the information in a manner that didn’t immediately induce a deep and lengthy coma (probably the latter).

The Thousand-Foot View

As such, I will be attempting to convey the thousand-foot view of how to (or not to) choose, stand up, and manage a SIEM by wrapping it in thinly veiled metaphors derived from my hobby: propelling myself over (and sometimes at) asphalt at extremely high velocities.

Get ready for an enlightening journey through the world of SIEMs and motorcycles!

Superposition, not Superstition

SUPERPOSITION WITHOUT SUPERSTITION
Why the foreseeable state of quantum computing is not a nightmare for security practitioners

In this illuminating talk, we’ll cut through the quantum hype to reveal why security professionals can approach quantum computing with informed confidence rather than panic.

While headlines scream about the imminent apocalypse of our cryptographic systems, reality paints a dramatically different picture. This presentation delivers a refreshingly sober analysis of quantum computing’s actual security implications, replacing fear with facts.

Key Insights:

Reality Check on Timelines

The horizon for practical, cryptographically relevant quantum computers stretches far beyond what sensationalist coverage suggests: it is likely years or even decades before systems capable of breaking RSA or ECC at a meaningful scale materialize. Even then, these systems will initially be massive research facilities accessible primarily to nation-states, not everyday threat actors.

“Unless you’re a high-priority target for these select few actors with nation-state resources, should quantum computing really keep you up at night?”

Technical Hurdles That Won’t Disappear Overnight

We’ll dissect the substantial challenges quantum computing still faces, comparable to nuclear fusion energy, where “breakthrough announcements” often represent minimal progress in the greater journey. Error correction requirements, qubit coherence limitations, and scaling challenges aren’t merely engineering problems but fundamental physics puzzles requiring revolutionary solutions.

The Quantum Security Advantage

Discover how quantum technologies themselves offer robust security benefits through innovations like Quantum Key Distribution (QKD). Learn how the security community’s decades of preparation have yielded practical post-quantum cryptographic standards and hybrid approaches that organizations can implement today as part of sensible transition strategies.

Beyond the Hype: Practical Preparation

Walk away with actionable insights on how to approach quantum-resistant security planning without overinvesting or underestimating. Learn which threats are real, which are exaggerated, and how to communicate quantum risks accurately to stakeholders and executives.

Join us for a reality-based assessment that replaces quantum superstition with quantum understanding, providing security practitioners with a practical perspective on this fascinating technological frontier.

This session is ideal for CISOs, security architects, and security practitioners who need to separate quantum computing fact from fiction.

Travel Hacks for the Traveling Hacker

Work Travel Hacks: Comfort in the Skies, Chaos on the Ground
Whether you’re a seasoned road warrior or just dipping your toes into corporate and conference jet-setting, this session is your carry-on packed with real-world tips to make travel suck a whole lot less.

Join Johnny as he unpacks the art of surviving airports, hotels, and the gastrointestinal distress that all that restaurant food is guaranteed to induce.

What You’ll Learn:

  • Flight price hacks — including how to score more legroom for free
  • Status acceleration — because loyalty programs are rigged… until they’re not
  • Comfort in coach — yes, it’s possible
  • Bag pack hacks — master the one-bag life
  • The myths of drugs and hydration — melatonin and electrolyte bro science, debunked
  • Dodging jetlag — without selling your soul to circadian math
  • Lightspeed airport traversal — TSA can’t stop you if they can’t catch you
  • Easily eating healthy — even when trapped between gate C27 and Auntie Anne’s
  • Hotel selection hacks — comfort, cleanliness, and quiet in a single swipe

You’ll leave with practical, road-tested strategies for maximizing comfort, productivity, health, and personal space, even at 50,000 feet.

Perfect for anyone who wants to make business travel feel less like a chore and more like a first-class hustle (even in seat 48B).

Bring your passport, but gate check your stress.

Infosecs and the City

BurbSec Meetup: Exploring the Midwest’s Social InfoSec Scene

A current showrunner of BurbSec meetups will delve into the vibrant social InfoSec community developing across the Midwest. Drawing from real-world experiences and notable success stories, they’ll offer insights into the most productive “CitySec” frameworks in the region. You’ll gain an insider’s look at how these grassroots gatherings have fostered networking, professional development, and knowledge sharing among security enthusiasts at all levels.

By the end of this session, you’ll walk away equipped with the essential knowledge and practical tools needed to launch your own meetup or to breathe new life into an existing one. Whether you’re a seasoned InfoSec professional or just starting out, you’ll discover clear, achievable steps for building a thriving local security community. Join us to learn how to forge meaningful connections and set your “CitySec” initiative on a solid path to success.

Poisoning Pidgins in the Park

Discover how a hacker hobbyist—armed only with curiosity and spare time—took on an active supply-chain attack against the popular FOSS communication tool, Pidgin. In this talk, you’ll learn all about the step-by-step incident response process: from spotting red flags in the code to countering advanced social engineering ploys orchestrated by a crafty threat actor across multiple platforms. It’s a real-world example that shows how anyone—even with zero professional security background—can become an effective defender and give back to the community.

If you’ve ever found yourself stuck in the frustrating loop of “How can I get a job if I have no experience because I can’t get a job?”, this session is for you.

Saving Ryan's Privates

The Illusion of Privacy: When Your Intimate Photos End Up Online

You did everything right:

* A long and hard password
* The thing that sends a code to your phone
* You even used a VPN even though you don’t know what it does but YouTube said it keeps hackers away
* Everything, and yet…

There they are: those full frontals you sent to your SO 3 years ago, now splayed across some website with a weird name like “Coomer.party.”

How Did This Happen?

You don’t know, but Johnny does. Come sit in as he discusses:

* The nonexistence of privacy in the digital age
* The most common methods of theft of the most private of photos
* What you can do to protect yourself

Despite strong passwords and MFA use, we'll discover how the world’s most private digital assets are still being stolen and leaked. Join Johnny as he exposes privacy myths, common theft methods, and actionable steps to reclaim control.

5 Lies Enterprise Security Still Tells Itself

Nearly 10 years ago, Johnny quit full-time penetration testing out of sheer boredom. The repetitive nature of finding the same systemic problems at company after company made the gigs not only a cure for insomnia, but also exceptionally frustrating to someone who cares deeply about security.

Now he’s back, and wow, is he pissed about what he found. Join him as he rants about the biggest (and most actionable) things Large Enterprises are still doing wrong from a cybersecurity perspective, and presents basic frameworks for fixing them.

IC (What you Did There)

For many of us in IT, the thought of moving into management feels like abandoning our true passion—our technical skills. Who wants to trade coding for meetings, or problem-solving for paperwork? But how can we advance our careers and command higher salaries without stepping into management? This session will equip you with the mindset, strategies, and negotiation skills to thrive as a technical expert. Learn how to carve out a rewarding career path that honors your talents, keeps you hands-on, and helps you avoid the management track. Let’s ensure you never have to leave Vim behind!

DefCamp 2025 Sessionize Event

November 2025, Bucharest, Romania
