Archive for the 'BSidesROC' Category

B-Sides Rochester: Plans

Jan 25 2016, published under BSidesROC, News

It’s another year of BSidesROC, a local hacker con that we put together. Our sixth year actually. Not everyone really cares about how BSidesROC has changed over the years but it’s hard not to at least mention them for posterity and laugh at our failures.

I think that BSidesROC has evolved with the times, or at least updated its memes. Year one was all about the memes and just messing around, and to be honest, we didn’t care if anyone even showed up. We were going to have fun and hang out whether or not people attended. Today, here we are with a big group of organizers, 3 tracks of presentations, and hopefully even a keynote. We’ve gone from un-conference to regular conference and I think that’s OK. It’s what people told us they wanted.

After the first year we started doing surveys to figure out what people actually wanted. Turns out a lot of people liked BSidesROC and looked forward to it, but didn’t really care about whether we made it an un-conference. I think we were trying so hard to make it like BSidesLV, but really not that many people had been to BSidesLV to care. So we built our own thing.

The Challenge of Finding Sponsors

There are inherent challenges with running a local con on a shoe-string budget. I say this every year, “We can’t do this without our sponsors.” I know this is a line that sounds robotic and everyone says it but I lack the ability to express this. It’s not the easiest thing for a bunch of hackers to go out and try to pitch this conference as something they want to advertise in. One quick story about someone that gets it though.

In the first year, Jason Ross and I were coming up with names of people we should talk to about sponsoring. We had seen this pretty awesome skull logo with keyboards, and concluded that whoever these guys were, they get “it”. (Honestly if you put skulls in anything I automatically want to be your friend.) So I nervously called Steve Stasiukonis (who I affectionately now call “Secure Steve”) and tried to give him my pitch. I don’t remember exactly what was said but it was something like this:

“Yeah, we’re like, a free and open hacker con and we’re all about having fun and we just want to build a hacker community…”

And he jumped in with, “Cool, but I’ll only do it if you make sure it’s not some kind of vendor fest. I’ll send you a check.”

This was the first time that I think someone figured out what we were trying to do, and he was our first sponsor. Not only have he and Secure Network Technologies sponsored us every year since, he’s given some of the most entertaining presentations, hooked us up with presenters, and provided us with gear.

The Horizon of 2016

Every year, we almost start from scratch. You may think we have some script that runs like ./init_bsidesroc.py --year=2016 graphics=random_meme.jpg but we put a lot of time and effort into coming up with something that we think is better than last year or meets our interests. Being at a big venue like RIT affords us some options in terms of better presentation equipment and grabbing local college kids, and just makes us seem more “legit” somehow. I’m sure we’ll fix that, don’t worry. 🙂

Cryptobar

The last few years we’ve had an anti-surveillance undertone that I think most of the industry has shared. This year, I’m stepping it up with an idea I call “Cryptobar.” It’s a dedicated area that attendees can go to learn how to better lock down their gear and learn about the latest ultra-secure operating systems like Qubes and Subgraph.

New Designs

Last year was the first year we asked a local artist to build what they saw as a hacker con art piece. It was used on our shirts and badges and the entire process was a lot of fun. We’re hoping to do something similar this year.

Keynotes

I’m hoping that the people I’m talking to come through on a keynote. My underlying motive is to give students some perspective on the industry outside of what their school provides. We’ll see how it goes.

New CTF

We have a new team working on the CTF this year. Hacker Battleship remains the theme but expect more interesting challenges that you’ve never seen before. Also expect more shell code exploits. 🙂

BSidesROC 2015: Behind the Scenes

Apr 06 2014, published under BSidesROC

BSidesROC is over. I thought it might be interesting to give a behind-the-scenes look at some of the stuff that makes BSidesROC run.

OPs

We have “Ops”. A few years ago we decided to try to organize BSides like an IRC network, where each channel has an Op and an Op controls what happens in that channel. So for us Ops are trusted volunteers, and the channels are facets of BSidesROC such as the website, Hacker Battleship, or T-shirts. This is a cheeky way of letting people manage stuff they want to manage. So when someone says “Man, the website is great!” we can say, well, you should thank the Website Op. But it also means that when someone asks, “Hey, can you put this on the website?”, it’s expected that the Website Op handles it.

So this is why Ops are an important part of BSidesROC. For the most part they need to manage their respective channel (with the support of the rest of the group). They’re also under a lot of pressure because if something goes terribly, they go down with their ship. 🙂

Our Venue

Some of you know that we needed to switch venues this year. That’s because our last spot at the Auditorium Center turned into a full-blown church. I’m happy with the results at the German House. It required some extra money and logistics but the end result was what I would describe as more “adult.” It’s a legitimate venue as opposed to the ad-hoc setup that we did at the Auditorium. I was very nervous about traffic flow at The German House but attendees seemed to manage it alright.

One interesting issue was that at 4pm, what we labelled Track 1 needed to turn instantly back into a restaurant. So while the rest of the conference finished up, Zeppa was opening up shop downstairs. That made it a little stressful but everyone was awesome enough to make it work.

Tor and Privacy

I’ll be honest, I did not know how well a Tor talk was going to be received at BSidesROC. That is, until I showed up to give my presentation to a packed room. The range of backgrounds was pretty wide. Some people I spoke with before the talk honestly admitted that they knew Tor was a tool for anonymity, but weren’t sure how it worked. Others said they had been using Tor for a long time and had even given presentations on the topic before. If I could do it again, I would probably split it up into an Introduction to Tor and an Advanced Tor talk. I’d really love to hear from people that are working on Tor related things in the Rochester area. Get in touch if you are.

Financials

I haven’t really been asked about money, but I do think it’s important to be transparent about where it goes. Primarily to show that we’re not lying when we say that we are a 100% volunteer organization. I’d rather not give itemized details about venue and food, just in case Zeppa doesn’t want that information public but I’m happy to share other data.

  • 100% of cash goes into the organization. No one is paid a dollar.
  • At the beginning of the year, we try to budget a small portion for “infrastructure” such as new projectors, better screens, etc. This year, this was radios that ended up being a life saver.
  • The biggest line item this year was food costs. The second biggest item was venue costs.
  • None of the speakers were paid. 🙁 If we had more money, we would have.
  • At the end of the conference every year, we have little more than a few hundred dollars left in the bank.
  • We aren’t lying when we say sponsors are important to us.

Food and Tickets

When people purchased a Breakfast, Lunch, or All The Things! ticket, BSidesROC paid for most of your meal. That meant that whenever someone bought a meal ticket, we had to pay more money. The problem with this is that it didn’t scale to the 250-300 attendees that we had. If everyone bought a food ticket with those numbers, we would have lost at least $5000 when the event was over. So that’s the main reason we had to stop selling tickets.

Two weeks prior to the event, we had sold 115 tickets. When we saw that in the last two weeks we sold over 150 more tickets, we got very scared about food. We didn’t want people to have to wander around the city not knowing where to go, and we didn’t want people to have to go to a restaurant and sit for an hour to get fed. So one of the volunteers, Pee, said “We should get food trucks next year.” To which I replied, “Why not this year?” It turned out to be a great idea because Hello Arepa and Marty’s Meats did a great job at feeding the flood of people that poured out in the afternoon. I think we’ll modify our food options next year to play better into what attendees are willing to pay, and still find a way of predicting how many people will be arriving the day of the conference.

Parking

Parking has always sucked at BSidesROC, let’s be honest. Last year we had a case where people parked in the wrong place and got towed. This year we had an angry church lady yelling at our people. Just to share some info, Zeppa had let us know that there were 3 spots to park: the main parking lot, the one on South Ave, and then the church. But once again, a church got in our way. 🙂 I don’t know why, but the church decided it didn’t want to allow any attendees to park there. When I spoke to Zeppa they freaked out and ran over there to fix it. Unfortunately it was too late. Most of the people had to find other parking.

Hiring and Sponsoring

One of my goals last year was to do a hiring station: somehow figure out how to tie employers that are hiring to people looking to get hired. It turns out this is a really difficult problem to coordinate. Between figuring out an appropriate style for the event and talking with companies, the logistics are overwhelming. We’re still trying to make this stick for next year, but if someone has an idea, please email me.

Hacker Battleship

I really like the idea of hacker battleship (but I’m biased of course) and I think a lot of people do too. Especially college students. It’s a fun game. The problem was that this year they re-used some of the challenges from last year and the game didn’t work for a variety of reasons. It needs some help. Our hacker battleship op (who is also in charge of a dozen other things) could use some help if someone wanted to join in for next year.

Shirts and Doge

The shirts this year were Doge meme based. This meme is still funny to me, so I worked with local designer Brian Boucheron to put them together. We didn’t plan on the insane draw of Dogecoin, especially for my Doge Dancers that entertained us at the end of the day. If you missed it, I’m sorry. 🙂

BSidesROC 2014 and whatever a privacy workshop is

Mar 25 2014, published under BSidesROC, News

Rochester’s version of a Security B-Sides is coming up next week. There’s a rush to finalize everything, and there might be a question about this new event I’ve referenced as “Privacy Workshop”, “OPSEC Training”, or just AntiTree talks for 3 hours. The Privacy Workshop Track is something that came out of an ad-hoc event that @CJP has been doing for the last couple of BSidesROCs. He would walk in and say “I want to do a key signing party” and we’d go “Awesome!” and set him up with a table. This workshop/lecture series is an expansion on this idea, where we said we’d like to do more than just key signing: we wanted to teach you what you’re doing and get you started. As GPG is a pretty good answer to some of the surveillance out there, I thought I would expand it into a series of presentations focusing on other tools with a similar goal. I’ve broken it down into three parts: Connectivity, Communication, and Operations. The tools I’ll be focusing on will be Tor, TAILS, and GPG. Operational security with TAILS, anonymous connectivity with Tor, and secure communications with GPG.

With Tor, my main goal is to address the most common questions like “But I bet the NSA has a backdoor in Tor, right?” So I’ve turned it into a discussion about how Tor works, and ways it can be broken. I’d be happy to discuss real threats to Tor, but I’m pretty bored with the “Tor is funded by the government” tin-hat talk. I actually find the challenges that Tor has really interesting, so in other words, I’m just looking for people to have conversations with. 🙂

GPG and TAILS are both hands-on workshops aimed at getting your hands dirty with both of the tools. GPG is pretty straightforward for the most part, and I’ll go into a few extra tips that I think are interesting and then go through Keybase.io if there’s time.

With TAILS, I’ve even built some USB sticks with TAILS prebuilt on them. I thought it might be interesting for the workshop to provide a hands on experience as quickly as possible.

Of course all of this is still up in the air, so I reserve the right to change everything. 🙂 I’m just hoping that with all the time I’m putting into putting this together, there are people actually interested. 🙂

New Year Review – 2014

For a few years now, I’ve been stating my plans for the rest of the year, and reviewing how the previous year went. Here’s the review:

Last Year

Major Con Presentation

One of my goals was to be accepted into a “Major Con” for some definition of that word. This year I presented at Derbycon, GRRCon, Defcon Skytalks, BSides Detroit, and the Rochester Security Summit. I will say that my moon shot was to be accepted into 30C3 but I was aptly turned down.

Intel/OSINT/OPSEC Project

This intel/OSINT/OPSEC topic has bugged me for a few years now and, thanks to Edward Snowden, I think I chose a good year to work on it. I put a ton of research time into formalizing what an intelligence gathering campaign would look like, and even implementing it. I even wrote some tools to help me get the job done. I presented my research at GrrCon, RSS, and BSides Detroit. I’ll admit, it’s a bit of a fluffy, opaque subject to talk about, which is why I really wanted to do the research and be done with it. The output from the research is just some new tools in my arsenal.

Hardware Hack into a PCB

Last year, although I was messing around with my hardware hacking project (that I was asked to take down), I never moved it from a proof-of-concept breadboard to my own custom circuit. This year, I was able to build a couple of circuits and get them fab’d. But I didn’t design them so I still think that’s cheating. Going through the process of loading an Arduino with AVR software was a big enough step.

iButton Door System


This was a failure. Some of us still talk about it but I didn’t build an iButton door system. I have all the hardware and Raspberry Pis to do it, I just haven’t put the time in.

Mannequin

My poor mannequin has been around for years. I’ve chopped her head open and loaded her up with an xbee controlled arduino, I’ve made her my T-Shirt model for BSides Rochester, but this was to be the year of her demise. I accomplished this in a fantastic fashion though using Tannerite – an explosive that we packed inside of her.

3D Printing A Model

This was just a fail. I didn’t print anything really. We used a 3D printer to make the badges for BSidesROC this year, but I never actually went through the process myself.

Unplanned Accomplishments

There have been some interesting unplanned accomplishments this year:

  • Becoming a minister and performing in someone’s wedding ceremony
  • Going to Korea, twice
  • Building a silicone brain
  • Having a thermite party to destroy all of my old media
  • Operating a back hoe
  • Receiving my first DMCA request

Next Year

Grown-up Things

This is the year I know I’m going to have to, and want to, do some of what I would call Grown-Up Things. Things that aren’t necessarily about completely full-blown chaos and fun. One being learning about how businesses work, forming an LLC, and paying attention to financials. There are some other things, but where’s the fun in discussing that. I just know that this year will be filled with a lot of “Adult” opportunities.

Crypto

Although I have a decent understanding of crypto, I’d like to put some time in and develop this into a skill. A friend of mine is taking the Stanford Cryptography class and I’m hoping we can learn that together. But beyond that, I’d like to apply it to some actual research. Maybe doing some basic crypto audits of something like BitMessage. I’ll never be a cryptographer, but I’d like to be able to identify and exploit poor cryptographic implementations.

Development

I have a decent ability to make something in Python, but it’s all scripting. I’ve never taken a class or anything that would give me any kind of structured development style. My goal for this coming year is to further build my development skills beyond just scripting and hacking things together. Ideally I’d like to join a development team on a project of some kind.

Bitcoin

Gah – Bitcoin… when I say it out loud it sounds so stupid. But this year I’ll be putting time into learning how the bitcoin protocol works, the community that supports it, and slightly riding the roller coaster as it goes up and down. Last year I was doing intelligence when Edward Snowden released all his intel, this year I may be doing Bitcoin when we watch the first crypto currency become regulated.

Hardware RE

This year hasn’t taken me into much hardware reverse engineering. I’ll be looking for an interesting project to spend some time on.

BSidesROC 2012 The Results

May 23 2012, published under BSidesROC, Uncategorized

BSidesROC is over. There’s no reason to really give you a blow-by-blow, but I think it might be entertaining to see some of the feedback we received from attendees. Both years that we’ve done BSidesROC we’ve sent out a survey email right after the event, with a very quick survey that gave us some feedback on what people thought about the event. I really do take it seriously, but some of the responses were also very interesting.

The responses we received were overwhelmingly positive which is good. But I’m not going to make a post about “Why BSidesROC 2012 Was a success!” I think it’s more entertaining to you, and more useful for next year, if we talk about what sucked.

Here is a summary of some of what I regard as the more interesting survey responses.

Chartz!1!

Survey charts: “Closeness to death” and “Why are you here?”

Badges:

The badges this year were fake handcuffs. Last year they were dog tags. There was a lot of thought put into coming up with something different for badges. We didn’t want to do the uber-techno-Arduino-based-microwave-generating-death-ray badge like Defcon and other cons do (mostly because we can’t!). And we didn’t want to spend any money because, let’s face it, we don’t have any. So our constraints were to find a badge that we think is cool, that will be ready to go by the con, and that won’t kill our budget if we buy $150 of them. The backstory on this idea was that at some point when we were driving back from BSidesDE, the van full of hackers decided that handcuffs were a good idea. The thought being you can learn how to shim or pick out of handcuffs, so not only were they the badge, but a useful training tool. But we learned, they suck.

For your entertainment, here are some of the responses about how badges weren’t the greatest:

If you’re going to give out handcuffs, you have to give out handcuffs. Having a cheap version of something is worse than not having it at all imho.

Maybe get badges like AIDE has or Lascon had?

Drop the cheezy handcuffs

I could say that we’ll improve our badges for next year but I can’t promise that. 🙂 We enjoy wasting time brainstorming weird badge ideas so expect something weird and possibly stupid next year.

Tracks and Seating: Failures

This was interesting because there were some last minute changes that caused some issues. We had 2 tracks this year that were originally meant to be “Presentation” and “Workshop.” Kizz Myanthia was kind enough to offer to do a workshop that went along with his presentation, and it was going to last for 4 hours. It was going to be cool: attend his talk, and then do a hands-on workshop on how to use Metasploit and such. Kizz unfortunately got his workshop pulled because he was transitioning between jobs. His previous employer told him that he was not allowed to do his workshop because he was using the Pro version of their company’s tool. If you can figure out who I’m talking about, let me just say that this was because of the Sales/legal/corporate dictator department and not the cool people that are part of the pentesting portion of the company. If I’ve just confused you, don’t worry about it.

So that left us with a big 4 hour block that we needed to fill. Which we didn’t. 🙂 We had some ideas but I admit: FAIL.

Also added to the fail were the screens. They weren’t big enough to reasonably read. We figured this out way too late to make a change. Lesson learned.

Things We Won’t Change:

There are a few things that make a BSides different than a normal conference, and we’ll continue to follow those tenets. Here are a few examples of responses asking for things that we just won’t change, and why:

A better venue. More comfortable and better seating would be preferable. Maybe RIT would sponsor the event in the Golisano auditorium.

This is really good feedback but I want to point out why we won’t be doing this. First of all, we love RIT and I’m an RIT grad, but in my opinion it’s important to develop a community not based on colleges and universities. There are a lot of reasons for this that aren’t going to fit into this post. Second, we don’t want a conference that looks like a conference. (Read my other post about “con” vs “conference.”) That being said, yeah, the chairs did suck. We’ll see what we can do. 🙂

More vendor tables setup

We love our sponsors and we love people that support the hacker community. The problem with this is that other conferences have made vendor tables the focus of the con. We’re sensitive to having vendor tables and probably won’t have any in the future. This is a “Security B-Sides” thing and one of the reasons that we like the BSides framework. If you love sitting through vendor presentations, don’t give a crap about practical technical content, and want to pretend to be a “hacker,” then you should check out Hackerfest. This is the reason that BSidesROC exists.

Random responses:

Here are some random questions and their responses to the survey:

Q. What do you think we could have done better?

A. Mark’s mom

A. this is 2012, where was the IPv6?

A. More restrooms…


Q. What did you like the best?

A. Flying fucking sharks


Q. Name as many BSidesROC sponsors as you can without looking

A. Baby jesus

A. Oh no…I didn’t know there was a quiz!


BSidesROC Part II: Things we’re doing

May 09 2012, published under BSidesROC, Uncategorized

BSidesROC is this Saturday at 8am. Holy crap. I wanted to give a final post before the con so you can figure out what to expect the day of the event. If you haven’t signed up, you should get a ticket right now. Do so on the website. http://www.bsidesroc.com

Capture All The Flags

We will have a capture the flag style competition. The open competition will involve you and your team being rewarded for cracking security challenges. It’s going to be run by RIT’s student security organization, SPARSA. The skill level runs from intro to 1337, so if you just want to take a crack at it, you can.

Present All The Talks

We have to have presentations. It’s just what we do. There will be a bunch of talks in multiple tracks this year. You can check out the schedule for a list of talks HERE. Also, if you can’t make it to the con, the presentations will be streamed live on UStream. We’ve spent as much money as we can afford on audio and video equipment in an attempt to have quality streaming.

Pick All The Locks

Last year, The Open Organization Of Lockpickers came up to run a lock pick village and it was a smash. There were a lot of people learning how to pick locks for the first time ever. This was really awesome to me, and it’s coming back. Since last year, a local TOOOL chapter has popped up, so they’ll be running the booth themselves. They’ll be doing presentations on the basics of lock picking and how locks work throughout the day. They have lock picks and practice locks that you can use to practice. Plus, they have lock picks for sale during the con.

Hacker All The Space

Since this is a hacker community event, we’re going to bring back the guys from the Rochester hackerspace, Interlock Rochester. They’ll be showing off what they do with 3D printers and fun toys. You should pay them a visit to see how the space is doing and maybe they’ll print you a trinket to take home.

Decrypt All The Challenges

We’re adding a new portion to BSidesROC. The Crypto-Challenge Of Doom! Or just the Crypto Challenge. If you’ve attended other hacker cons, this is a way to exercise your brain cracking a crypto puzzle. And if you’ve attended other hacker cons where they do this, you’ve probably met the guy that wins all of them, Darth Null. All of them is a little overzealous, but maybe all the ones he’s attempted. He has put together the crypto challenge for us this year and I’m pretty excited to see what everyone thinks.

Eat All The Food

We will even feed you in the morning and afternoon. Bagels and coffee for breakfast and subs for lunch. Hurray.

Sponsor All The Things

Do I need to remind you that this is a free con that feeds your mouth for free and pumps your brain full of information for free and entertains you for free? Freely free freedom. Well this is because of our sponsors. No seriously, love these people and please tell them how much you appreciate them because these are the guys that understand what a hacker con is and are interested in giving money to the community. If you use their products, please remind them that you saw them at our conference so that hopefully they sponsor us next year. Go buy all their products and services and give them hugs.

Secure Network, Inc.

AdvizezX Technologies

HP Enterprise Security

Rochester ISSA Chapter

Tenable Network Security

Intrepidus Group

GreyCastle Security

Assured Information Security, Inc.

the mongolians

there is no dc585

BSidesROC Part I: Define Hackercon

May 05 2012, published under BSidesROC, News

There are only a few days left until this year’s BSidesROC on 5/12/12. “Rochester’s first and only hacker con”. << Do you know why we say that? Not because we’re the only computer security conference, and not because we think other security conferences suck (well, some do), but because an info sec event is not the same as a hacker con. I’m talking about the Rochester Security Summit, for example. It’s been going on for years, run by the local ISSA chapter, and they do a good job. It is a corporate crowd. You expect that when you pay a certain amount of money there’s a certain level of professionalism. And the people that attend are info sec professionals. A hacker con on the other hand…

Con != Conference

“Con” used to stand for “conference”, and it literally still does, but it’s also a reference to the “con” community. Defcon, Shmoocon, Comicon, (FurryCon?). Each of these is a conference, but there’s something else to it. Different. If you’ve been to Defcon or Shmoocon, your expectation is to have a ton of fun, meet cool people, and take part in fun activities with such people. In some ways, it’s much more of an intense experience because you’re not walking in with your button-down shirt enjoying a coffee while you sit at the white circle table that hotels always have. That would be a conference. At Defcon you’re walking in with a black shirt ready to be punched in the face by awesomeness. You may look around and notice a lot of younger people, but it’s not that the crowd is necessarily young; it’s the ideas and the passion usually associated with young people. And that’s what it comes down to in con versus conference: passion. These people want to be here, they’re not being forced by their employers. They want to see what’s happening in a community.

Hacker != Infosec

Hacker: That scary word that Rochester is learning to accept. Slowly. You know the word, and the politics behind it. But I think there’s a big difference between hacker and infosec, both in how they act and the way they think. Hacker and infosec have an overlap of course, but a hacker refers to someone with a passion to learn about security. Infosec on the other hand is a job position or career path. It’s business driven, professional, and pretty easy to define. By day, I am an Information Security professional and I attempt to be professional and goal oriented when it comes to my job. At night, I’m a hacker that wants to learn things related to security whether or not they benefit my career.

Y U SO Pedantic

The point is to show that BSidesROC is a different beast than any of the other conferences in Rochester. Maybe it’s not better if you enjoy professional cons. But it’s definitely better if you have a passion for security and don’t take life too seriously. And if you don’t like paying for things. It’s also a warning for those people expecting to walk into a comfortable sit-in-your-seat-and-listen event. Because this is not it. If you haven’t been to a hacker con, I strongly recommend that you come to this one, if for nothing else, to see what a hacker con is like.

By the end of the week, I’ll include some details about what’s happening at BSidesROC.