5 Interesting things I learned at BSides Canberra

Over the weekend I attended Australia's largest 'hacker con' - BSides Canberra with 1800 other people. Here are 5 Interesting things I learned.

1. Hacking isn't all about computers

20180413_112536---small-1
I had assumed that because BSides is a modern security conference that it was mostly about network and software hacking/security. It turns out that the conference is very diverse and has many different aspects to it. Probably my favourite thing that wasn't computer related was the lock sports room.

There were basically tables of physical locks and tamper evident seals for you to play with. I had a crack at lock picking - fortunately there were some very friendly volunteers there to help me out. I did manage to pick a lock - albeit a see through one. I saw some other people pick solid padlocks like you would find at a hardware store. Moral of the story here: if you want to secure your shed, use a proper high quality lock.

2. You can create your own Bitcoin wallet

20180413_121300---small
I didn't realise how easy it is to create a bitcoin wallet address. @bigmac did a great talk explaining how the addresses are created using Elliptical Curve cryptography (specifically secp256k1). That gives you 2256 combinations, or 115,792,089,237,316,195,423,570,985,008,687,907,853,269,984,665,640,564,039,457,584,007,913,129,639,936 (78 digits) possible combinations.

The interesting part is that you can seed the algorithm with your own words/numbers of a much shorter length. You could do something like "password" and get a valid wallet - and if you look at the block chain you can see someone already has. As another example, “Down the Rabbit-Hole” had 85 BTC (a lot of money) at one stage.

Michael speculated in his talk that there are people out there building "death star" like bots that would use known password lists and common phrases and constantly monitor those addresses, and immediately steal any coins in there. The lesson here: don't use a Brainwallet (storing your address in your brain). Someone else will probably be able to test your memorable word/phrase and see if there is any money there.

3. Kids these days

kids
At the conference they have a huge room for people to bring their laptops in to do some hacking. There is a special network and a do a Capture the Flag (CTF). Essentially it is a series of small hacking tests that are assigned a certain amount of points based on difficulty. At the end of the conference the person (or team) with the most points wins.

The winners of the competition were some seasoned veterans but to my surprise in third place was @CodeCadets, a group of school kids! There were at least 20 teams so for a 'bunch of kids' to come third was a massive achievement, and just goes to show what young talent is out there in the next generation of IT professionals. I wish I had these opportunities at school!

4. They have really cool lanyards

20180413_085441---small
Usually at a conference the lanyard will show your full name and your employer. That is supposed to make it easier to make friends. But not at BSides! Partly because it's a security conference and some people want to remain anonymous, and partly because it would be a waste of space just to have your details there, the lanyard is actually a hacking tool.

There is a whole room set up dedicated to hardware hacking, complete with soldering iron stations. This was in part because at registration you got swag including a sweet t-shirt and a kit of electronics (that was also your lanyard). I personally don't know how any of it works so only put it together in a very basic way. I did meet and talk to someone who had completed all the soldering however and they were busily downloading some open source Arduino based code to deploy to the lanyard.

What does it do? Apparently it can 'detect UART and JTAG pinouts or dump SPI and I2C memory', which means nothing to me but everyone there thought it was pretty cool. And hey, it looks good!

5. Hackers have a really great community

20180413_200714---small-1
I barely knew anyone at the conference yet I didn't have any trouble making friends. I talked to everyone I sat next to while waiting for sessions to start and they were all very keen to chat. I had no idea how to pick locks but just asked the closest person with a pick in their hands and we hit it off straight away. I didn't know how to do any of the CTF but someone let me look over their shoulder and explained what they were up to and answered all of my basic questions with enthusiasm.

Did I mention the after parties? The apparently famous after parties were back in full swing with a full laneway booked out on the Friday night. Everyone was having a great time with plenty of 'shop' talk and plenty of banter as well.

Overall the conference was a great experience and a great way to learn something and meet new people too. With attendance more than doubling each year there is no actual venue big enough in town to hold everyone, but who knows, maybe they can hack something together.

Stephen Wells

Hi, I'm Stephen, and I'm a software developer. I work in Government and private enterprise, using technologies like .Net, Azure and Angular.

Australia