Rite of Passage – Pilot

I’m now known as Shifty Mike:-)

Hi, I’m Mike, but you can call me Shifty…

My involvement in B-Sides began in 2014. Following a serendipitous IRC chat, I found myself at a 0xc0ffee meet-up in Woodstock and someone, I think it was @istvanberko, was talking about B-Sides. I attended and thoroughly enjoyed it, but found myself wanting to get more involved – the atmosphere of the conference and the general attitude of the people running it was quite different to conferences I’d been to in the past and I picked up on a real sense of community.

In 2015, I attended a badge making workshop held by @elasticninja and @andrewmohawk. It was essentially a room full of people, with a bunch of hardware, hacking away and brainstorming ideas for an electronic badge for the next year’s B-Sides. The conversations and ideas continued long after the conference ended and I found myself volunteering to help with the actual creation of the badges for 2016. A couple of meetings to discuss design, some hours of frantic soldering the night before the conference, 120+ badges and a new nickname later, I could say that I felt like part of the team. Little did I know that this had put me in the running for a pretty unique opportunity.

A few months later, I was told about an initiative that B-Sides wanted to pilot – it was called Rite of Passage (http://www.bsidescapetown.co.za/rite-of-passage/) and that I would be the first guinea pig as I met the necessary criteria. In short, this meant that because of my volunteering the previous year and my student status, I would be sent to Las Vegas to attend B-Sides Las Vegas as well as DEF CON, exposing me to the infosec industry on a more global scale, as well as giving me a behind the scenes look at how these conferences were run. This came as quite a surprise to me, but I was really excited about it.

Vegas, Baby! BSidesLV & DefCon25

Skip ahead a few more months and I’m on my way to Las Vegas. First up was B-Sides Las Vegas at which I had signed up as a volunteer. By default, everyone who volunteers for enough hours is provided with accommodation by B-Sides LV, thanks to the generosity of @banasidhe and the @BSidesLV team, I was given a room at Tuscany Suites for the duration of my stay. Having travelled for 30 hours and arriving on Monday night, the early morning start on Tuesday was pretty tough but I was keen to see what volunteering held in store for me. Thankfully, my journey from Cape Town to my hotel was pleasantly uneventful.

My first shift was on Tuesday morning from 07:45 until 14:00 and I was on SecOps duty. This basically entailed walking around, or standing at a particular point and making sure that attendees didn’t get lost, wander into places they shouldn’t, didn’t crowd the hallways, and to generally assist and be friendly and helpful. I was overwhelmed by the attitudes of the people who were either running things or just already knew what was going on – it was a team that I was proud to be a part of before I’d even started doing anything. The shifts when by pretty quickly and while they did keep me from seeing certain talks and stuff, I still managed to see a lot of the conference while volunteering and had a number of interesting conversations with various attendees, speakers, and fellow volunteers. Once my shift was over, I was free to walk around and just enjoy the con. Regrettably, I didn’t see many of the talks. Rather, I focussed on networking, exploring, and generally doing everything that I would only be able to do if I was physically there. At one point, I was chatting to a guy about the badge which he’d made for DEF CON. Only by the time I got to DEF CON, did I realise that it was Garrett Gee, the founder and owner of Hacker Warehouse. His badge was pretty great, too! http://hackerwarehouse.com/product/hacker-warehouse-electronic-badge/

My impression of B-Sides in general was that the community aspect of it was huge. People weren’t there because they were forced to, everyone who was there seemed like they genuinely wanted to be there. You could walk up to almost anybody and start a conversation and ask them a question and for the most part, be received with great enthusiasm. It made networking, even for someone like me who isn’t big on starting conversations with strangers, quite easy. The other thing that was pretty awesome was that many of the people you met also happened to be involved with running B-Sides somewhere else, so it was really cool to be able to talk to people who were dealing with the same kind of logistics, often on a much larger scale. It was also a great opportunity to shamelessly punt Cape Town as a holiday destination and try to encourage people to attend B-Sides Cape Town.

While there were talks going on in all of the rooms, there was still enough going on in the chill out space to occupy all of your time. There were groups of people lock picking (with instructional images on a projector, locks to pick, picks to pick them with and knowledgeable people), there was a very well-attended CTF, a group of people projecting all non-encrypted traffic captured on the open WiFi network, and many vendor tables with companies mostly advertising their services or recruiting. There was even a dedicated room called “Hire Ground” where you could go if you were either looking for a new job or had jobs to offer – a really cool idea which I’d like to see more of. One of my favourite parts of the chill out space was a table full of IoT or “smart” devices, connected to a single network for the sole purpose of being hacked. I was even allowed to take one of the devices apart to inspect its internals. In the evenings, there were social events – hacker pyramid on the Tuesday night and a pool party on the Wednesday night. This gave everyone an opportunity to socialise in a more casual environment. I attended hacker pyramid and had a great time, even though most of the references went over my head.

Thursday was largely spent helping pack up, then it was time for DEF CON. While the con only officially started on Friday, Caesar’s Palace was abuzz with people attending the various workshops and events which took place before the conference. I managed to register for a workshop: “Brainwashing Embedded Systems” with Craig Young @craigtweets so that was my mission for Thursday. Aside, registering for a workshop is no small feat. Registration opens some time before the con, registration for all workshops open at the exact same moment and within 5 minutes, every sign-up list and waiting list has been completely filled. The workshop was very interesting and I learnt a few new tricks, but I also picked up some really valuable techniques from the way that the workshop was run. Embedded devices don’t take well to having 60 people try and access them at the same time, so Craig emulated the devices so that every participant had their own instance which they could attack. This also means that you can pen-test a device without actually having it or spending any money, a technique which I’m excited to use. The workshop was really well-run and I enjoyed it overall, it’s obvious why they’re so sought after.

From Friday, DEF CON officially started. The selection of talks to attend, villages to explore and general areas to hang around in was all but completely overwhelming. Again, I made a point of walking around and seeing as much of the villages as I could. Villages are interest-specific areas at the con where there are talks, challenges, contests, hardware related to the particular interest, and usually hundreds of people who collectively know just about everything there is to know. For example, the IoT hacking village had a table full of IoT devices with known 0-day vulnerabilities, including a fridge, the car hacking village had at least 3 actual cars, the voting machine village, in their first year as a DEF CON village, had a number of electronic voting machines which were used in actual elections and were proven vulnerable to tampering. Nothing was done on a small scale, everyone who organised anything at DEF CON took it seriously and went all-out. It was truly impressive.

Down the DEF CON rabbit hole we went

Knowing that I would be able to watch the talks at a later stage, I didn’t really focus on them. There was however one room which really got my attention – the Skytalks track. Talks which took place in this track were often slightly more sensitive topics, and as such were not recorded. The room was patrolled by DEF CON Goons who made sure that nobody had their phone or any other recording devices out – this had the pleasant side-effect of forcing everyone to actually pay attention to the talk and not play with their phones and listen with half an ear. The talks I saw in this track definitely had a different feel to the main tracks and I found them especially engaging.

At some point, @elasticninja and myself went to one of the common areas to chill out and mess around on our laptops, only to have our attention grabbed by the table decorations. At the base of the tower was a locked box. We looked at one which was already unlocked and saw that the lights were driven by a Raspberry Pi and powered by a 10000mAh power bank. Naturally we removed the micro SD card, inspected the firmware, took a dump of the card, got the wireless network details, added our SSH public key and put everything back together. Once we got access to one and discovered that we could make it do stuff, we enlisted the help of someone who was better at lockpicking then we were to open up the remainder of the boxes and bring us SD cards. Not only did we get most of the lights to blink perfectly in time with one another (there were issues with the WiFi reception on the boards on tables further away), we also learnt a surprising amount about whoever put the things together. It was an interesting exercise and before we knew it, we’d killed several hours playing with table decorations.

 

Throughout the conference, there were a number of occasions where an ATM would mysteriously be “out of order”, a hotel self-service machine would be streaming amusing GIFs instead of helping people check in, or something similar. UPS refused to accept USB sticks for printing jobs and Caesar’s Palace closed its business center. Every time some system failed, there was the immediate question of whether it had been hacked while normally it might not even have been noticed. It was pretty fun.

DC was also a rare opportunity to rub shoulders with people who you’d never think of meeting in real life – people who are hugely respected and widely known within the community. One of those opportunities flew right past me as I was introduced to Dark Tangent and I had no idea who he was at the time. (if you don’t know who he is, now is a good time to learn.) I also met Jayson E. Street, a world-famous social engineer (wearing a minions onesie at the time) and probably walked past a number of other famous people who I don’t yet know about.

Phillip Goosen

Inspired

Ultimately, this experience changed my perspective on the information security industry as a whole. It got me excited to go back to projects that I’d forgotten about and inspired me to start new ones. It made me think about problems in new ways and pull up my laptop at random times to try stuff out or learn more about something that someone was talking about. I was completely immersed in infosec for a full week and it was awesome. If you’re eligible to apply for this, there’s no reason not to do it. If you have so much as a vague interest in infosec, this experience will develop it into something more.

A huge thank you to the B-Sides Cape Town team for making this possible, the B-Sides LV team for making sure that I didn’t have to sleep under a bridge, @rewtd for driving the initiative and helping organise everything, @elasticninja for showing me around and making sure that I didn’t get too badly lost, @fluffypony and @MyMonero for their financial contribution, and everyone else who helped make this possible. I’m really looking forward to hearing the stories of Phillip Goosen, who was announced as the lucky one to be chosen for Rite of Passage Ep.1. I can’t wait to go back myself!