Silicon Shecky

Infosec Practitioner


Thotcon 0x9

May 11, 2018 By Michael Kavka

Security/Hacking conferences are interesting. Each one has its own uniqueness about it, and yet they are all similar in some fashion, stemming from the “granddaddy” of them all, Defcon. These conferences are all over the place, and in the Chicago area we have two main ones, BSides Chicago and Thotcon.

Now Thotcon just happened over the weekend with the 0x9 iteration. Nine years is a long time to learn and find your voice, and each year should teach a conference something to make it better for the next. The joke the last number of years with Thotcon was the whole undisclosed location idea. For years it was at the same venue, even though they never officially let attendees know until a week or two before. This year, it was a new location, and I would say a huge improvement. The problem with waiting so long to reveal said location is of course people coming in from out of town, and where should they stay. I personally think this can be remedied with a longer heads up. Reveal the location 6 weeks before, so people have time to make reservations at a decent price. Just a thought.

The new location, which I will not reveal, was, as I said above, an improvement overall. The echo and open space issue that caused problems hearing talks was gone. In each track you could hear the speakers clearly, at least I could. The overall layout was not too bad either. There were downsides also, as Barcon was not as large an area and did not have an easily accessible outside for people to just walk out and enjoy the sun while drinking. The villages were almost out of the way a bit, and the traffic there seemed lighter because of that. The temperature in the building in some areas was an issue also due to the age of the building and where air conditioning was actually available. This issue drove some people up to Track 2 which had the best air conditioning in the building, just to cool down at times. Finally, there was the food issue. The old venue food was inside, and was plentiful. With the move to food trucks because of the venue, Friday saw only 2 trucks which had long lines and eventually no food. People wound up walking a few blocks to get lunch. Food trucks also mean weather could have been a factor, which was not the case as it was nice outside, but should it have been storming there was a potential issue. Saturday saw the addition of a third food truck, and between that and what seemed like lighter attendance on Saturday it seemed to hold up better, even with the long lines still there.

With the switch from a Thursday/Friday to Friday/Saturday the “After Party” was put in between the two days. It also was moved well off-site which is not a bad thing. The venue for that was nice, with 80’s dance music playing and tons of pinball and old school video games to play. The light food there was a nice add on to the candy and free drinks. It did seem to get a little more crowded, or at least packed in compared to past years. Also, I have to wonder if having it in between the two days contributed to what seemed like lower turnout for the con on Saturday.

The keynotes I felt were an overall improvement. Some of that might be from being able to hear them clearly with little distraction, and some from the bigger ideas they seemed to cover. Talks overall were good and well received. I found myself in Track X which was more along the workshop lines most of the time, due to 2 fantastic talks, one each day. The Jaku Puppet Show was definitely a sight to behold and gave some nice levity to the whole con.

I still maintain that Thotcon should give the speakers the choice on whether to record their talks or not. This is a personal preference, as I believe that information should be out there, and there are always talks scheduled at the same time that one has to choose between. I understand the reasoning behind not recording the talks, but in this day and age of social media, things said still can get out of the open and protective shell that not recording the talks is supposed to provide.

When all is said and done, Thotcon 0x9 I felt was an improvement from previous years. There are lessons to be learned from it, but for value it is definitely worth it. I am curious to see how Thotcon 0xA comes together and what is planned to celebrate a decade of Thotcon.

Filed Under: Reviews, Security Tagged With: Conferences, Thotcon

Not Much Really

February 23, 2018 By Michael Kavka

Short post this week folks, due to the fact that I have been busy with all sorts of stuff not related to InfoSec and there not being a big ticket item for me to muse about.

The biggest thing I saw was based on the ZDNet Article about Lawsuits and Research. It is pretty eye opening, and while there are some great points, (and one J0hnnyXmas telling his story), it really is just the tip of the iceberg. There are no suggestions of solutions for the idea of suing researchers into oblivion, and that is what is needed. Smashing Security talked about it this week and had a thought of a Good Samaritan law to protect researchers, but that could take years to even come about, plus it would have to happen in multiple countries.

Cisco released its Annual Cybersecurity Report, which you can get for free by giving them your e-mail address. I have not seen anything in it yet that sticks out at me as eye opening, just a lot of confirmation of things already talked about across the field.

Outside of that Thotcon has posted its full speaker list. There are some talks that I am looking forward to. The only issue I have is I know I will not get to see all the talks I want as they will be at the same time as each other or the mini-trainings I would like to go to. Since Thotcon styles itself in the old school hacker context and does not record talks, I hope many of these talks are given at cons that will record them so I can catch what I missed. Thotcon, which is in Chicago, is the first weekend in May this year and is sold out so watch and use the twitters if you want tickets for it.

Coming April 12-13, Cyphercon is in the Milwaukee area. While they have not posted a full list of speakers yet, I can say that I will be giving a 25 minute talk on some thoughts on improving security with integration. So as a response to my whole rant about CFPs earlier this year, even a blind squirrel finds a nut once in a while. I also hear that Hacks4Pancakes (Lesley Carhart) will be speaking there, and that you do not want to miss. Tickets are still available so check it out.

As always feel free to hit me up on Twitter, I love a good discussion/debate.

Filed Under: Security Tagged With: Cyphercon, Infosec Research, Thotcon

Thotcon 0x7 thoughts

May 9, 2016 By Michael Kavka

This past Thursday and Friday I spent the days at Thotcon 0x7. It is a well put together infosec/hacking con but like everything has some flaws. These are my thoughts and opinions, and yours may differ, which is fine.

The Good:

The thing I find the best about the cons is the ability to meet and talk with people face to face. It is what I love about the Burbsecs, and is even more prevalent at a con like Thotcon, where there are people who come in from out of town. Putting faces to names, being able to chat in person, and just being around people who are into infosec as much if not more than oneself is worth it. There is no Lobbycon at Thotcon, so you do need to get your badge.

Talk wise I didn’t get to as many talks as I had figured (more on that later). There were a few that really were worth seeing. First, “Overcoming Imposter Syndrome” by Jesika McEvoy was an amazing look not only at Imposter Syndrome, but some of the state of the community and what we need to work on. I hope she does this talk at another con, so I can see it again. “Crimeware 101” by Vyrus, which was the final Keynote, was a great look at Ransomware and how easy it is to get it to work. Vyrus set up a great presentation, and with his pseudo-ransomware code, had everyone riveted and laughing. This one normally would have been the highlight for me if not for “Trend in Whitelisted Proxies” by Schmitt, Dyas & Valin.

A little background, Parker Schmitt is a regular at Burbsec. That is not why this talk was my favorite. I’ve seen Parker talk at cons before. What made this talk my favorite was Dyas & Valin. They are High Schoolers who are interns at Parker’s startup. Parker mentored them through the whole talk process, and really let them give the talk and live demo. Watching how they handled it, from issues with a live demo to keeping everyone interested in their research and findings made this talk that much more special. Seeing Parker stand behind them looking on like a proud father was the icing on the cake.


The Not So Good:

I found overall, the quality of the talks to be not as good as last year. It seemed some of the talks were bait and switch, and a couple of talks that I checked in on felt like sales pitches for the product the speakers used.

Also, and this is being a bit nitpicky, the venue charged for water this year. My issue with this was they did not want to allow outside food and drink. For those who were drinking alcohol (which was a good majority of people there), staying hydrated was important. For those like myself who are diabetic, free soda does nothing for us, since we really can’t have that. There also were no water fountains that I saw. I would love to see next year either allow water bottles in or go back to free water, and charge for soda.

The explanation for the no videos of the talks makes sense. The sad thing is that with social media (especially Twitter), the reasoning (so people don’t get in trouble for what they present/say) is really thrown out the window anyway. Pictures and quotes are put out there. I think they could allow for recording of the talks as an option. Let the speakers decide if they want their talk put out on the web.

The Ugly:

After working on, and helping to beat the puzzles at Cyphercon, I was really looking forward to working on the Thotcon puzzles in the program. The couple I did were fun and engaging, although there was a small issue with the one on page 17, but the guy who created it helped find that issue and I did solve it (writeup on that will come). This became ugly to me because of the point registering system. I am not a programmer by any means, and I spent a good majority of the con trying to get the API token system to work. I had some help from a couple of guys I know who are way better at working with API calls, and as much as I learned from them, we still couldn’t get it. When I went to the con people in charge, I got no help. We found out that there were other groups having similar issues, and this was reflected in the scoreboard, which showed very few registered teams/individuals with points. When I asked about this at the awards portion of the con on the second day, it was mentioned that a number of groups had issues that they thought might have been network related, but that we should just learn APIs better, since other teams had no issues.

Now if it had been just me that was having the problem, fine pick on me about it. Give me an elitist attitude, no problem. I would still be disappointed, but nowhere near as pissed as I got. The fact that only about 10 teams out of 50 got points, that multiple teams had issues with the token system, and that the people in charge of it didn’t seem to care really got under my skin. I feel that the challenges should be a learning experience, and if you put the time in on them and get some of them, you should get points. Not that registering the points is a separate challenge, and one that no help is given on. We are supposed to be a community and as one we are at our best when we put egos aside and work together. You want better people, mentor, teach. I don’t want someone to do everything for me, I want to learn, but sometimes we need guidance to learn.

The API situation is why I missed 3 talks I wanted to see, as I was working with people to try and get what seemed to be a system that had some issues to work. Next year I’ll wait until after Thotcon to do the puzzles that I want and don’t require me being on site for them. Lesson learned.

In the end, it was a good conference. Communication is really the biggest thing that I think needs to be worked on, but this year, API situation aside, was better thought out and run than last year. I look forward to next year and seeing how well they learn from mistakes and feedback. Seeing how they did this year, I have faith.

Filed Under: Rants, Reviews, Security Tagged With: InfoSec, Thotcon
