BSidesLV and DEFCON 2011 Summary

Thursday, August 11, 2011

Michael SecurityMoey


It’s the first week of August, which means many of my friends have already started the sniffles, coughs, and body aches… classic symptoms of “ConFlu”.

It’s the price to pay to the gods, I guess, for a fantastic week of Infosec goodness. I am talking about the annual BSides Las Vegas (BSidesLV) and DEFCON security conferences.

This post is meant to be a simple run-down of highlights from the security conferences that we all look forward to each year.

First, before I go into each event I want to make sure everyone is level set. This is my second year attending DEFCON. If you were a “greenhorn” (@coolacid’s term) to the conference, I assume that you read one of the many guides that are out there for this week-long event.

I read the post at Info Sec Leader’s site as a refresher (found at: http://www.infosecleaders.com/2011/07/career-advice-tuesday-a-conference-first-timers-guide-part-ii/ ). This is a nice short list of things to keep in mind in order to prepare for this whole thing.

Here comes the meat:

BSIDESLV 2011

If you have not heard of BSides events then I would ask you how the rock that you have been living under is. The BSides phenomenon has spread across the globe with events on just about every corner of the world (or soon will be), proving that “security is everywhere”.

In all honesty, if you have not heard about BSides please visit the site to find out more at http://www.securitybsides.com/w/page/12194156/FrontPage. Las Vegas is the birthplace of the BSides spectacle, which makes it probably one of the largest events, with 3 tracks this year and 2 workshops.

As I helped plan the BSides CHICAGO 2011 (April 2011) event, I wanted to help with the Las Vegas event so I volunteered. This means that I did not get to attend all the talks I would have liked to, which is a shame because the speaker lineup rivals that of the parallel security conference….ummm oh yeah BlackHat (heh).

Venue

This year BSidesLV was held at the Artisan hotel for the first time, and the hotel was used exclusively for the conference. The hotel is not one of the monster hotel/casinos Las Vegas is known for but rather a more intimate venue. There is artwork hanging all over the place in the main lobby and the place just oozed a cool vibe.

Highlights

These are my 3-5 highlights for the event:

§  Better to burn out than to fade away Panel – WOW, just WOW. This was one of the talks that I wanted to attend since Jack Daniel was one of the speakers. I was blown away by the content. It didn’t seem like a panel but instead 5 of the smartest folks leading an intimate discussion among 40 people. The talk helped raise awareness of the increasing stress that Information Security professionals are under. As I cannot do the panel justice, I highly recommend downloading the talk once the recordings are made available. Thanks to @jack_daniel @stacythayer @joshcorman @mckeay @Shpantzer for doing this; I know there were many people for whom this talk hit home…THANKS!

§  Workshops – While I did not get a chance to attend the workshops themselves, I heard nothing but great things. These were free workshops for attendees…that is right, FREE!!!! The 2 workshops covered Networking for Penetration Testers and Mobile Application Security Code Reviews. Both classes sold out almost immediately and were well received.

§  InfoSex Sells: The Impact Of The Media And Public Opinion On Security – This was another panel discussion, but I found it extremely interesting listening to a panel composed of journalists and PR folks discuss how the Media is influenced by Information Security. They also discussed how stories meet their criteria and all the work that is done ahead of publishing.

§  Misc – This is a list of talks that I will be going back to listen to (and suggest you do as well):

o   Vulnerability Research Circa 1851 – Schuyler Towne

o   Penultimate Hack - Manipulating Layers 8 & 9 of the OSI Model (Management & Budget) – Rafal Los

o   Smile for the Grenade! Camera go Bang! - Joshua Marpet and Vlad Gostom

o   Weaponizing The Smartphone: Deploying The Perfect WMD - Nicholas Donarski

o   Walking the Green Mile:  How to Get Fired After a Security Incident - Brian Baskin

o   Something Awesome(TM) – HDM

o   Hacking webapps is more fun when the end result is a shell! – Jabra

o   Transparent Botnet Command and Control for Smartphones over SMS - Georgia Weidman

o   frak the Penetration Testing Execution Standard (PTES) - Charlie Vedaa

Conclusion

This was BSides at its best! It was so good I am not sure if it could be considered a B-Side anymore. Special thanks go to the sponsors who enable the event to be FREE to the attendees (see site for list). While thanks should go to all the volunteers, the heavy lifting was done by the following people:

Chris Nickerson (@indi303) - Event Producer, and whatever else ya want me to be. =o)

Mike Shea (@pinoles) - Speaker Wrangler

Genevieve Southwick (@banasidhe) - Director of Safety & Security

Scott Hazel (@phat32) - Volunteer Coordinator

Thank you so much for all your work and making this event possible!!!!!

DEFCON 19

If you have never been to DEFCON there is no way to really describe it that would do it justice. DEFCON is “the largest hacker conference in the world”, which draws hackers, crackers, Feds, and now even kids! The old staples were there such as the lock picking village, hardware hacking village, Wall of Sheep, Sky Talks, Mohawk Con, etc.; this year though had many firsts as well.

Venue

DEFCON did move to the Rio! If you were at the Riviera last year you felt like a sardine, and the new venue did allow for breathing room. The Rio was large and while it wasn’t as familiar as the RIV it was definitely nice.

To quote our favorite goon, Priest: “this place is nice, so don’t do anything stupid so that on Sunday we have to tell you ‘this is why we don’t have nice things’”. The only downside to the venue is that food prices were generally a little higher than at the RIV, but the trade-off is better options!

Highlights

These are my 3-5 highlights for the event:

§  HacKid – I was not sure at first whether it was the new venue that gave DEFCON a different vibe than last year. It suddenly hit me: the number of people under 5 ft. (not you @shortxstack). HacKid arrived at DEFCON with resounding success. Based on my conversations, the attendees ranged from the youngest at 10 to the oldest at 16, and their enthusiasm was infectious. Perhaps the biggest news that came out was a 10 year old girl who discovered a flaw in iOS and Android devices (see: http://dvice.com/archives/2011/08/10-year-old-gir.php).

§  Social Engineering – While this contest was not new this year, it was fantastic! I had a chance to sit in on a few calls and the wrap-up podcast recording. The folks at social-engineering.org and the contestants did a great job! I even listened to the Oracle call, which was one of the funniest things I have heard in a contest!

§  Hacker Pyramid – This is the third year for the Hacker Pyramid contest and it was back in force. Awesome questions, funny responses, and a great host made it my favorite game show at DEFCON. OK, I have to be honest: Chris Hoff (@beaker) and I took 3rd place so I am not impartial at all. It was such a fun time! Congrats to @rogueclown and @jaysonstreet, the second place winners, and to the 3rd time champion, THE DAN KAMINSKY, and his ringer Josh Corman.

§  InfoSec Without Borders – Johnny Long was in town for DEFCON. As usual it was great to listen to Johnny Long, but equally great was hearing about a new project with Marcus Carey, Infosec Without Borders. The project takes the same idea as “Doctors w/o Borders” to help those non-profits in need of security services. Visit the website and volunteer!!!

§  Network Security Podcast – The folks at Network Security Podcast recorded episode 250 at DEFCON. CONGRATS!!! There was so much hilarity on stage…not sure if they are going to be able to post their recording, but it was quite entertaining. I have never seen so many people get hit in the face with balls.

§  Talks, Talks, Talks – These are a few of the talks that I recommend reviewing:

o   Security when nano-seconds count – James Arlen

o   Chip and Pin is broken –

o   Penetration testing – @shrudlu

Conclusion

DEFCON is a lot of things to a lot of different people, but I hope it was great for everyone. I enjoyed my second DEFCON more than my first. I learned lots, met smart people, and was able to have the most amount of fun legally allowed in Vegas.

Final Thoughts

If you are still in Vegas then I will need to refer you to the Pauldotcom list:

Top Ten Reasons You Know You've Been In Vegas Too Long

1.    Nosebleeds.

2.    You don't even hear the "slot machine noise" anymore (ding, ling, la ling, ding ding)

3.    Vegas Throat - It's a scratchy, irritating, dry, "I've been breathing too much Vegas" kind of feeling that is often accompanied by pain and loss of voice.

4.    When you get home and pay $20 for lunch, you think, "Wow, that's such a bargain!"

5.    Walking 5 miles to the store when you get home is a short trip

6.    You walk outside when it's 107F and say, "It's not that hot"

7.    You start to wonder if the older nice lady serving you breakfast was once the go-go dancer at the club 30 years ago

8.    The big topic of conversation over dinner is whether or not the dancers at the shadow bar are really naked

9.    You are worried that your wife will notice that $300 withdrawal from the ATM at 1AM, and the other for $200 at 3AM

10.  You think it's totally normal for women to be dressed in g-strings

In all seriousness, this was a fantastic week of Info Sec goodness. I had the opportunity to meet so many (too many to name) smart people in our industry. If I did meet you and hang out with you, it was great; if not, I hope we can remedy that soon.

I hope this gave you a flavor of what happened in Vegas last week. I hope I have the opportunity to write a similar post on DerbyCon for you. Please feel free to send me any feedback. I hope to see you in Vegas next year!!!!

About the author:

Michael (@securitymoey) – an Information Security professional for the last 6 years, Michael has worked in Information Technology for 13 years. Michael has had the opportunity to lead teams of Information Security professionals on small to large-scale enterprise-level projects. Michael enjoys contributing to the Information Security industry and exploring technology. Find Michael's personal blog at www.securitymoey.com

Darryl MacLeod: I definitely recommend Rafal Los' presentation (Penultimate Hack - Manipulating Layers 8 & 9 of the OSI Model (Management & Budget)). I had the chance to see him present it at AtlSecCon last March.
Joe Schorr: Nice wrap-up Moey! You hit most of the highlights. I'd add SkyTalks as well. They had excellent content and speakers as well. Pyr0 and Tuna's QR hack sticks out the most.