Equipped with a backpack, I headed to Brisbane airport for my first adventure to Canberra for the Bsides security conference. I was a bit disappointed to miss out on Bsides last year, so I made sure to get my ticket early for this one.
Security Bsides is a hacker conference in the US that was founded in 2009, but is now held all over the world by many different people. Last year was the first Bsides in Australia, and this year it has doubled in size to 690 attendees, with around 250 on the wait list. They've estimated that 15% of the attendees are female, based upon the number of ladies shirts ordered (all registrations come with a shirt). The CFP acceptance rate was ~19%.
As well as the main presentation track, there was a hardware & wireless presentation track and a separate area with workshops through both days. Additionally, there were numerous competitions held over the conference, including a capture the flag (CTF), in which you complete challenges across various disciplines (reverse engineering, crypto, programming, forensics etc.), a table full of tamper-evident seals and tags, lock picking tables and contest, an incident response challenge, a bug bounty simulation, and a counter intelligence simulation.
My first stop after checking in was to pre-register, where I received a pack with the conference badges, shirt, stickers, booklet, and lanyard. One of the badges was a MIFARE NFC card. The other was a custom piece of hardware designed and put together by the organisers and volunteers. (Come visit my desk to take a look.)
Afterwards, I went to a women's networking dinner. There I spoke to several accomplished women and speakers, who also helped develop a presentation idea I've been sitting on for a while. It's good to see this kind of event, and to meet some role models in the security industry.
When that ended, I found other attendees having pre-conference drinks. Even though I don't really drink, it's a great opportunity to meet people - and it paid off. I met someone who uses OpenStack day to day, which was pretty exciting - this is the first time since starting at Red Hat that I've gotten to really speak with someone who uses the product and the docs. The conversation also got others around asking about OSP, so I was able to explain what it does and answer a few of their questions, which was exciting.
Back at the accommodation it was time to read the schedule and plan the next couple of days. There's so much on, it's impossible to attend everything. At my very first hacker con I made the mistake of getting caught up in the CTF and not seeing anything else.
- 9am: Opening and Keynote ("From 2600 to 1600 Pennsylvania Ave: Reflections on 15 years of infosec reporting" by Patrick Gray)
- 10am: "Bug Bounty Simulation Contest Introduction" - Shubs. Looks fun, and I would learn something.
- 2:30am: "Human vs Machine: A source code review challenge"
- 11:30am: "How to Program the Bsides Canberra 2017 badge" - would be interesting
- 2pm: "Shiny Toys vs Tools - getting better value out of your detection tool suite"

The rest of the free time will be for the CTF & bug bounty simulation.
- 9:10am: Infosec 101.1 - since I've mostly been self-taught with security things, I'd probably learn something here
- 2:30pm: PANEL - this looks good because topics include Shadowbrokers, Did Russia hack the US election?, are hacker cons sexist?, state of Australasian hacker cons, and census fail

Again, the rest of the free time will be for the CTF & bug bounty simulation. I also want to try escaping from handcuffs at the lock picking table, and need to get my passport stamped.
Lastly, I did the usual preparations before going to a hacker con: turned off WiFi on my phone and laptop (and made sure no sensitive information was on either of those things), decided to only access the internet through a USB-tethered phone (for searching things when doing the CTF), and made sure all NFC/RFID cards were in shielded sleeves.
The first day started with a keynote from Patrick Gray, who hosts a podcast I listen to, Risky Business. The two things that stuck with me from that talk were that:
- Attribution is easy: states mimic activists (I'm not sure how far I believe this)
- Sources have complex motives: self interest, public interest, ego, rage
Afterwards, I made my way to the bug bounty simulation introduction, and spent a few hours exploring that. One thing that was mentioned in the introduction was that a well written report will attract more money than a bad one, which highlights the importance of clear communication and writing skills.
In the afternoon, I spent a few hours exploring the CTF, then made it to a few talks.
- "Human vs Machine: A source code review challenge" - Kate McInnes
In this talk they tried to compare several tools, as well as human software engineers to see how many vulnerabilities they could find in source code. Of course, the conclusion was both methods are valuable in their own ways.
- "The evolution of flight data recovery at the ATSB - from foil to flash" - Aaron Holman
I had originally overlooked this on the timetable and I'm not sure how - it was about forensics to recover flight data information, not just from black boxes but also from other electronics found on smaller aircraft. This speaker ended up winning the 'best new speaker' award.
I started this day with the Infosec 101 'workshop'. They demonstrated some concepts and also provided a nifty PDF guide which I will go through more thoroughly at a later date.
Something fairly high on my 'to do' list was to get my hacker passport stamped. At each AU/NZ hacker conference, some people in the community make sure there is a custom stamp, usually with the conference logo. It's a pretty cool record of all the conferences you've been to.
After watching a physical security talk ("Breaching physical security, and generally causing mayhem, with wireless signals" - T.J. Acton), I made my way to the lock picking tables. Another thing on my list was to try to get out of handcuffs. I was told at Kiwicon that it was pretty easy, but never got around to it. After successfully learning how to do that, someone was kind enough to disassemble a padlock for us and explain the mechanisms and methods by which manufacturers try to make them more difficult to pick.
After lunch at a congregation of food containers down the road, I poked around at the bug bounty a little more, then watched the panel discussion. The panel ended up talking a lot about Russia, which was interesting for a while, but I think that topic could have wrapped up a little sooner. They very briefly touched upon the lack of diversity, as one of the panelists said "I'm the only black guy in the room", and they promised to get back to that topic later as it was one of the issues for discussion. However, there ended up being not enough time, which was unfortunate because I would have liked to hear their views, and I think it's an important topic for all of the conference attendees to think about.
The conference close was fun to watch, as all the winners of the various competitions were announced. They also announced that Bsides will be moving to a new venue next year, and as a result, doubling in capacity. I'm looking forward to it!
The afterparty was held at a gaming bar downtown, where I smashed a couple of games of Mario Kart 64. The afterparty is a great opportunity to meet new people and chat more, so here I got to catch up with old friends, and meet a lot of new people. One of these people was a penetration tester who told me that about 30% of his work is writing, again showing the importance of writing skills. Another person gave me a fist bump upon finding out I was a tech writer: "Awesome! Documentation is important." It was a good way to end the weekend.
What I got out of it and concluding thoughts
I already knew report writing was important in this industry, but hearing that bug bounties would be inclined to pay more for a well written report reinforces this. Also, the amount of respect people showed for documentation when I mentioned technical writing was good to see. When mentioning Red Hat, people would often say something like "Oh, do you know x person? He's a great guy". It seems like many people had positive things to say.
A message that was reiterated over the weekend was that security is easily bypassed by users not knowing how to use a system properly. Most exploits are due to misconfiguration rather than 1337 zero days, so it is important to educate users, but also to create sensible defaults. You want security to be easy, otherwise people aren't going to bother.
Lastly, how did my strategy of trying everything go? I'm glad I did, because yay, new experiences, but I feel like my time was very split and it was difficult to get into any of the challenges without dedicating contiguous time. I think for my next con I'll pick a few talks that look interesting, but then spend my time getting stuck into something, as that feels more productive.