Hacker Summer Camp: BSides Las Vegas and DEF CON 2018 review

BSides Las Vegas 2018

Time flies... It's already been a few months since BSides Las Vegas and DEF CON 2018 were held.

BSides Las Vegas was nice, although the overall quality of talks seemed to be a little higher in previous editions. This of course can be completely due to me picking exactly the wrong talks: There is simply too much to see.

DEF CON 2018 was also different from previous editions - mostly because it was now so spread out (Caesars Palace as well as the Flamingo Las Vegas). In practice, this meant a lot of walking between the two locations. When you were attending a talk in one location, it physically wasn't possible to attend the next one unless it was located in the same or a neighbouring room.

Fortunately DEF CON is all about learning, doing and networking - and in that aspect it didn't disappoint.

Especially for Hacker Summer Camp, I designed and built my own badge - consisting of an ESP32 [1] microprocessor running MicroPython [2], an e-Ink display, some custom Python code, and a retro cassette case. The display rotates numerous fitting images. The image was visible even when the power was disconnected, thanks to the 3-color e-Ink display.

ESP32 and an eInk display

A follow-up …


Hacker Summer Camp: BSides Las Vegas and DEF CON 2017 review

BSides Las Vegas 2017

The 2017 edition of Hacker Summer Camp is over... Black Hat, BSides and DEF CON: arguably the best security conferences in the world, held during one week in Las Vegas. And wow, what an amazing edition it was this time.

I tried to learn, network, enjoy and soak up as much as possible - which unfortunately means not seeing each and every talk, and (probably) missing out on amazing content. That's why I'm so glad that recordings and slide decks are released by BSides and DEF CON, so that you can see where you should have been - after the fact.

The biggest draw for me personally to BSides and DEF CON is that you can immerse yourself in fields and interests that are outside of your daily work or routine. Car hacking, lockpicking, the Internet of Things, this year even voting machines: It's all there. You can learn from and play with everything.

As with playing Capture the Flag, it's a great way to touch a lot of surfaces in a short amount of time.

Josh Corman's BSides Las Vegas keynote was amazing - each time I hear him speak, he manages to get everybody even more enthusiastic about cooperation, about personal …


Defcon 23 was great - people are great

Defcon 23
For quite a while now, I have worked in the security industry. One of the things I do is provide security advice to companies on all sorts of guidelines, policies and hardening. Web penetration tests are also something I do very regularly. In other words, a disclaimer before you read on: I should have known better...

VirtualBox, Packer, Vagrant and Ansible are tools that I use a lot. These four tools make virtualizing and provisioning really easy. You can create new machines, experiment with them and test different setups in a repeatable and automated way.

As I sometimes organize pentesting workshops, I have several virtual machines with Kali (a penetration testing distribution) installed on them readily available.

So, I connected my laptop to the network of the 23rd Defcon conference in Las Vegas, while one of these standard Kali virtual machines was (still) running as a guest on my machine. Not only was Kali running, the guest was also configured to run in bridged networking mode. This means that Kali got its own network IP address assigned.
What I hadn't changed on that machine was Kali's default root password. To make matters worse, what I had changed was the ssh server …

Us versus them: CrikeyCon 2015 review

I had the chance to visit CrikeyCon in February 2015, which was held in Brisbane.

CrikeyCon

It was the second time this event was held, but it already had the look and feel of a professional organization behind it. The program was really diverse, from social engineering and awkward hugs to iOS runtime hacking, and everything in between.

Takeaway? Well, it surprised me to hear that there's still a general feeling of us versus them: we, the security gods who lay bare all the faults and stupid mistakes the others make.

As a security professional, especially as a pentester, it's your job to find vulnerabilities and weaknesses. It's your job to hunt for other people's mistakes, lack of knowledge, or constrained security budgets. Security falls into the quality assurance department.

This means that most of the time you're telling other people what's wrong with an application. Unfortunately it's not your job to tell them how awesome their web application is, how well it scales, or the nifty features it has.

One of the more challenging issues when for instance presenting a pentest report to a group of developers is to get everybody on board, to get everybody to work together. And if …


Black Hat Europe 2014 review

Black Hat Europe was held in Amsterdam in October 2014. The so-called Briefings (tech talks) were extremely varied, ranging from Android pentesting to SCADA hacks. It was difficult to choose which talk to attend - there were around 50 or so, each title vying for your attention ("Hack Your ATM with Friend's Raspberry.Py" [sic], or "Endrun - Secure Digital Communications for Our Modern Dystopia").

Black Hat Europe 2014

I really enjoyed the technical depth of some talks, and it was great to hear someone like Adi Shamir, one of the inventors of the famous RSA algorithm, talk about his current research.

Because of the sheer size I couldn't find one generic takeaway, or see the (or a) current bigger picture in information security land. Even all of the vendors' offerings looked similar.

Now that I come to think of it, that actually IS the key takeaway: Genericity.


DevOps 2014 Brisbane and security

DevOps is a worldwide phenomenon, which is reflected by the global popularity of its major event, the DevOps Days.

DevOps Days 2014 - Brisbane

I was fortunate enough to attend the DevOps Days 2014 in Brisbane.

The keynote speaker was Sidney Dekker, a Dutchman with extensive experience in human factors and safety. He argued that a lot of major incidents don't have any precursor events.

You can have a clean track record with regard to security and still suffer a huge incident. Do I agree? Not completely, but it is nonetheless thought-provoking.

Personally I think that the inverse will always hold true: there is a higher chance of a major security incident after a number of minor security incidents. Cluttered desks mean cluttered minds, after all.

Some buzzwords and issues that were (frequently) discussed:

  • Docker - A lightweight virtualization platform (can it live up to its sky-high expectations?)
  • Microservices - Build small, independently deployable services
  • ChaosMonkey - Terminate random virtual machines to test (and improve) resiliency
  • Edwards Deming - The godfather of DevOps?

For me the key takeaway was that DevOps doesn't really change your (level of operational) security. Whether system administrators deploy code built by developers or developers push their own code to an environment - in both …
