Silicon Shecky

Infosec Practitioner

First Defcon – The results

August 17, 2023 By Michael Kavka

This year marked the first time I made it out to Defcon. I have known about this conference since the 90’s, just had not figured out a way to get out there and experience it. For those that want a TL;DR, it is a supersized conference. There are also plenty of smaller conferences that I enjoy as much or more than Defcon. That is how I perceived it. Now let’s get into the nitty gritty of it all.

In the Beginning…

Before I got to Vegas for Defcon, I had been told about things like linecon, the merchandise lines and the like. There are still people and especially news outlets that give advice based on what Defcon used to be in a different era. This covered what to and not to bring, use and be prepared for, and much of it has changed over the years. When I arrived and went to linecon, the fact that where I work pre-paid for my entry meant that linecon itself was a much shorter and less involved situation. I did observe the old fashioned, cash only linecon going on though, and how everyone went about their business. It also, while many times longer than what I stood in, seemed to move pretty well. The Goons kept people in the right areas, and were quite helpful. Like with anyone, you be nice to them, they will be nice to you. Merchandise was another long wait, and the fear of things selling out is real. I get it, you can only afford to have so much on site. It makes people wonder if the item(s) they want will be in stock when they get up front or at least in their size. Having 30,000 plus of each item is not realistic, and of course people will be disappointed in the end, unless you get there early enough. The organization of it was well done though. The line again moved smoothly, and I did not see any incidents. After going through both lines I walked into a War talk, which that first day was held in the main track area. Considering they were the only talks going on Thursday that I saw in Hacker Tracker (an awesome piece of software by the way), I was surprised there was standing room and people allowed into the track.

The Main Event

Moving forward to Friday, Saturday and Sunday daytime, overall things were decent. There was a lot of walking. My knees hated me, and I do Ninja Warrior workouts multiple times a week. How spread out areas were from the main building is the problem. It also causes a problem of getting to talks, or even back to your room to watch talks on the closed circuit TV, or even Twitch. WiFi in the hotels tends to be limited to guests unless you wish to pay for it, and mobile data in areas seems to be spotty, or flipping around between networks. I get that it is Defcon, and you “shouldn’t be trusting anything” but how else do you use things like Hacker Tracker to keep up on what is going on where? The closed circuit T.V. did not always have all the tracks in the hotels. Mine only carried tracks 1, 2, 3. Some carried track 4. Both Twitch stream and the CCTV had network glitching and freezing making the talks tough to watch as you would miss things.

One of the more interesting things I had heard before going to Defcon was, “do not think you will get into the main talks, but watch them on T.V.” Also it was mentioned to focus on the villages. I personally had no problem getting into any of the main talks. Where problems came up were a number of village talks. Red Team Village, the Misinformation Village, and the A.I. Village all were at capacity most of the time, and in the case of Red Team Village, I did not even try to go in just to look at non-talk stuff due to how long the line was. Also most of the villages I did make it into were talk based. By that I mean, unless you were there to do the village CTF or see a talk there was nothing in the village of note. The 2 exceptions to this that I came across were the RF Village and the Ham Village. Both of those were easy to get into also. Blue Team Village, which I was excited about, I had heard was moved at the last minute so their layout had to be adjusted, and that could be the cause of it not having some things that I thought it should, at least from a non-talk perspective. I did love that there was a lot of focus in it on training, and the organizers did their best with what they had.

The Nightlife

So much goes on in the evenings. There are tons of private, invite only room parties. Some people go out and just hang with friends. Then there are the main Defcon parties. I got a taste of all of the above. The Defcon parties are nice, with the exception of drink pricing, but there is not much Defcon can do about that. With no open bars at any of the main events, it seemed to keep trouble down to a minimum, except for one thing which I will get into in a moment. One of the things I was looking forward to was Hacker Karaoke. I love to sing, and had heard about how fun it was. My issues had little to do with how long the wait was, and more about the feel. Having run karaoke in my past I know the line was going to be long. The only thing on that which could have been better is making sure first time singers got up first. Not always easy to keep track of, but it is possible. Instead, the big issues I had are, the sound system was awful. You couldn’t really hear the music, especially when on stage singing. The mix needed to be better. Next was the screen itself, which was projected on the wall. Makes it tough to make eye contact with the audience to bring them into the song. Finally, back to sound, it was very tough to hear the KJ. Between ambient noise, echo on the mic, and the low quality sound system it became tough especially when the main KJ stepped away and their associate would take over, who was more soft spoken.

The second night, I was just moving around from room to room. I wasn’t able to get into Hacker Jeopardy, but did go into the Arcade Party, which was pretty cool, especially the physical pong machine and the huge Foosball table. The people I caught up with there, we started walking to check out some of the other rooms when we slipped into the Chill Out Space cause of things going on in the hallway. This wound up being the start of the lockdown and evacuation due to the suspicious package. The Goons, and security were amazing during this whole situation. Their calmness helps keep the rest of us calm and everything went smooth getting people out of the building.

The Highs/Lows/Conclusion

I got to see a few cool talks. I missed out on other village talks due to lines. I saw some of the things I expected, such as unique outfits, furries, and people just being themselves mixed in with parents and their kids. If there is still a counterculture/deviant aspect to Defcon, it was not out in the open. The truth is Defcon felt to me like a conference that has matured over the years into a more normal conference with some small aspects of its former self. Would I go back? Yes. Most of what would stop me is cost. Talks will be online, or at other smaller conferences. There is only so much one person can go and see. That said, it was definitely worth going.

Filed Under: Reviews Tagged With: Defcon, InfoSec

Holiday CTF review

January 14, 2021 By Michael Kavka

With the holiday season behind us so are the yearly holiday themed CTF challenges. I participated in 2 of them, TryHackMe’s Advent of Cyber and SANS Holiday Hack Challenge.

Going into TryHackMe’s Advent of Cyber I was not sure what to expect. I had been using TryHackMe off and on for learning. I had found them a bit easier to navigate and honestly more my speed right now compared to Hack The Box. The first thing about it was the format had not really changed from their normal learning paths except for one thing. They supplied a browser connected attack box if you chose to go that route. If you were not a paying member of TryHackMe you had to use that browser based box, otherwise you could use your OpenVPN connection and use your own VM/System for doing the challenges. The browser attack box I found a bit painful to use due to lag. Booting it up you were warned would take a bit, but once up it was slow responding for me. Also it split my browser in half, and no real good way of resizing. The minimum to help out with this would have been being able to open the attack box in a new tab. This would have minimized scrolling and not having the desktop real-estate that many would be used to having. It also would have stopped the constant side scrolling back and forth which causes redraws of the desktop and slows the process down.

The challenges on the other hand were a great tool, and fun. There was a whole Santa’s been hacked theme going on. The idea was one topic to learn (multiple questions) per day. So one day you would be using nmap, one day burp, one day something else. 25 days, 25 direct topics. The Advent style of this meant you do not have to spend hours upon hours on the CTF. Most days took me no more than 45 minutes to go through. Also, a top level topic would span days, so you would get multiple days of web attacks, with each day covering a different thing (command injection, burp, sqli etc…), and it would follow that top level topic day to day. Each topic could build upon the prior ones at times, or be stand alone. The accompanying video for each day was a nice added touch for people that learn better that way, and while they did get into the topic a little bit more, and occasionally give the thought process of the person doing the video, they basically amounted to reading the actual written instructions/explanations of the topic written before you get to the actual CTF questions. At the end of the video though they did do a walkthrough. This was nice if you got stuck, but since it gave the answers in most instances it could be used to bypass actually doing the challenge itself. Rating Advent of Cyber on a scale of 1-10 I would give it a solid 8.

Kringlecon, otherwise known as SANS Holiday Hack Challenge is a different creature. Yes it is a story driven type CTF, with a web based interface. It also has mini terminals for you to use to solve the challenges so you do not need a VPN setup at all. There are challenges for every skill level and this year they added a Discord server where there were rooms for each individual challenge so you could get help if needed. Most challenges had multiple ways to figure them out, and there was a wide variety of challenges included. The intro to Linux challenge was a good mini-version of what I got when doing my SANS504 class last year. The intro to scapy again is a great base tool learning challenge. There were 12 main objectives and a number of side ones. Overall I solved 7 of the main Objectives and a number of the side ones. I had unlocked 4 of 7 parts of the narrative. This was better than I had done the prior year, so while not finishing everything, I was very satisfied. The talks that lined up with objectives worked well. As it was free flowing and everything there at once, it was also easy to get lost for hours on end. I spent 2 hours on the scapy intro only to run into a problem where I accidentally deleted the file I needed on the final question and had to start again. Moving around was tough at times, and even tougher if you did not use the option to make other players disappear from your screen. The other advantage is while the competition is over, you can still go and do the challenges (and all the past Holiday Hack versions also). One thing missing is a way of saving your progress when in a challenge, as going out to get hints or look at hints you got from the elves meant restarting the whole challenge. Rating Kringlecon on a scale of 1 to 10 again it gets a solid 8.

One last thing is prizes for these. With the Holiday Hack Challenge they choose from write ups of the event that are sent in by a specific date, which has passed at the time of this post. Advent of Cyber, for each day you completed you got your name entered into a drawing for prizes, this also has passed. The write up method is nice since part of security is being able to write what you have done and how you accomplished it, especially on the red team side of things. Just getting entered into a drawing on the other hand makes the prizes available to a wider range of people, including those who are not good at write ups.

I do recommend both, although it looks like Advent of Cyber is not available anymore, but there are other learning paths, all are in their CTF style, at TryHackMe (they just added a Blue Team based path). I do look forward to seeing what they come up with for the 2021 challenges.

Filed Under: Reviews, Security Tagged With: CTF, Holiday Hack Challenge, Kringlecon, Kringlecon2020, SANS, TryHackMe

Pain Point: The Announcement of the End of Derbycon

January 18, 2019 By Michael Kavka

For those who came in late, earlier this week Derbycon announced that its board has decided that 2019 will be the last year for Derbycon. This of course has been met with dismay, anger, and talk. The statement from Derbycon was it had to do with multiple things over multiple years taking a toll on them, professionally and personally, so they decided it was not worth running anymore after this year.

The first rule I learned years ago about doing something is when you stop enjoying it, do not do it, and move to something new. This is basically what the whole Derbycon decision actually boils down to. Yes, there have been publicly known instances where Social Justice Warriors (SJW) have gone too far. Yes there have been instances, like the whole Code of Conduct situation, that could have been handled better and way more quickly. Issues, similar or not, come up with every conference out there. I know plenty who are worried that Derbycon shutting down will embolden the SJW people and cause more conferences to shut down.

We have heard of the issues with HOPE. I have heard rumors of Shmoocon having complaints and issues. We all have heard complaints about Defcon, and Spacerogue even mentioned Thotcon has had issues that were handled behind the scene. So why have these other conferences not capitulated, where Derbycon did?

I am willing to speculate on the actual reason. The following is my own thoughts and opinions, I have no inside knowledge, nor have any direct affiliation with Derbycon. Logically it boils down to one of two ideas, and very well could be a combination of both.

First let us look at the organizers, in particular Dave Kennedy. I met Dave at the last Derbycon, seems like a nice, stand up guy who really wants to help the field as a whole. He owns Binary Defense and TrustedSec, gets brought onto national news outlets as an expert, and is rather high profile. Recently he took to Twitter to announce he was cutting back on Twitter due to the way things were going for him on it. Speculation is that he was catching flak from people and wanted to make his Twitter more professional. Still this shows that something was getting to him. I have to imagine that other board members were getting flak about things also, I mean look at how much gets tossed onto Twitter as it is, so this is completely logical. It also takes its toll on a person. So the first idea is that it basically wore them out to where it is not fun anymore.

The second thought I had was that it was taking a toll on them in a professional sense. Perhaps fewer clients (I am not sure how many on the board work for Dave or own their own companies) or clients dropping them due to affiliation. Again, just speculation.

The truth is probably a little of column A a little of column B. The difference being that it became too much work, not enough fun, especially with how Derbycon has grown.

What hurts more is the way a good portion of the people who attend Derbycon look at it. It is a mid-size conference, easy enough to get to know people and meet people at. There is an overall cool vibe to it, plus the lobbycon is really good (although I understand it was better at the Hyatt due to the different layout). With so many supporters, the shutdown takes a life of its own.

Obviously with conferences having been around as long or longer than Derbycon, there are ways to get past the pain points. The odds that SJW will be able to shut down a conference on its own are very slim, and in this case it was just one of many things, but the most public situation that occurred. Does it suck? Yes it does. Will we go on? Yes we will. There are other conferences that are small to mid size that are available. Circle City Con, GrrrCon, Thotcon, Cyphercon, Wild West Hackin Fest, Shmoocon are just a few to be named. There are also tons of BSides out there to go to. None of them will actually be Derbycon, but we can make them as fun to be at. Thank you Derbycon for the great times.

Filed Under: Rants, Reviews, Security Tagged With: Derbycon
