This past Thursday and Friday I spent the days at Thocton 0x7. It is a well put together infosec/hacking con but like everything has some flaws. These are my thoughts and opinions, and yours may differ, which is fine.
The thing I find the best about the cons are the ability to meet and talk with people face to face. It is what I love about the Burbsecs, and is even more prevalent at a con like Thotcon, where there are people who come in from out of town. Putting faces to names, being able to chat in person, and just being around people who are into infosec as much if not more than ones self is worth it. There is no Lobbycon at Thotcon, so you do need to get your badge.
Talk wise I didn’t get to as many talks as I had figured (more on that later). There were a few that really were worth seeing. First, “Overcoming Imposter Syndrome” by Jesika McEvoy was an amazing look not only at Imposter Syndrome, but some of the state of the community and what we need to work on. I hope she does this talk at another con, so I can see it again. “Crimeware 101” by Vyrus, which was the final Keynote, was a great look at Ransomware and how easy it is to get it to work. Vyrus set up a great presentation, and with his pseudo-ransomware code, had everyone riveted and laughing. This one normally would have been the highlight for me if not for “Trend in Whitelisted Proxies” by Schmitt, Dyas & Valin.
A little background, Parker Scmitt is a regular at Burbsec. That is not why this talk was my favorite. I’ve seen Parker talk at cons before. What made this talk my favorite was Dyas & Valin. They are High Schoolers who are interns at Parker’s startup. Parker mentored them through the whole talk process, and really let them give the talk and live demo. Watching how they handled it, from issues with a live demo to keeping everyone interested in their research and findings made this talk that much more special. Seeing Parker stand behind them looking on like a proud father was the icing on the cake.
The Not So Good:
I found overall, the quality of the talks to be not as good as last year. It seemed some of the talks were bait and switch, and a couple of talks that I checked in on felt like sales pitches for the product the speakers used.
Also, and this is being a bit nitpicky, the venue charged for water this year. My issue with this was they did not want to allow outside food and drink. For those who were drinking alcohol (which was a good majority of people there), staying hydrated was important. For those like myself who are diabetic, free soda does nothing for us, since we really can’t have that. There also was no water fountains that I saw. I would love to see next year either allow water bottles in or go back to free water, and charge for soda.
The explanation for the no videos of the talks makes sense. The sad thing is that with social media (especially twitter), the reasoning (so people don’t get in trouble for what they present/say) is really thrown out the window anyway. Pictures and quotes are put out there. I think they could allow for recording of the talks as an option. Let the speakers decide of they want their talk put out on the web.
After working on, and helping to beat the puzzles at Cyphercon, I was really looking forward to working on the Thotcon puzzles in the program. The couple I did were fun and engaging, although the one on page 17 there was a small issue with but the guy who created it helped find that issue and I did solve it (writeup on that will come). This became ugly to me because of the point registering system. I am not a programmer by any means, and I spent a good majority of the con trying to get the API token system to work. I had some help from a couple of guys I know who are way better at working with API calls, and as much as I learned form them, we still couldn’t get it. When I went to the con people in charge, I got no help. We found out that there were other groups having similar issues, and this was reflected in the scoreboard, which showed very few registered teams/individuals with points. When I asked about this at the awards portion of the con on the second day, it was mentioned that a number of groups had issues that they thought might have been network related, but that we should just learn APIs better, since other teams had no issues.
Now if it had been just me that was having the problem, fine pick on me about it. Give me an elitist attitude, no problem. I would still be disappointed, but nowhere near as pissed as I got. The fact that only about 10 teams out of 50 got points, that multiple teams had issues with the token system, and that the people in charge of it, didn’t seem to care really got under my skin. I feel that the challenges should be a learning experience, and if you put the time in on them and get some of the, you should get points. Not that registering the points is a separate challenge, and one that no help is given on. We are supposed to be a community and as one we are at our best when we put egos aside and work together. You want better people, mentor, teach. I don’t want someone to do everything for me, I want to learn, but sometimes we need guidance to learn.
The API situation is why I missed 3 talks I wanted to see, as I was working with people to trying and get what seemed to be a system that had some issues to work. Next year I’ll wait until after Thotcon to do the puzzles that I want and don’t require me being on site for them. Lesson learned.
In the end, it was a good conference. Communication is really the biggest thing that I think needs to be worked on, but this year, API situation aside, was better thought out and run than last year. I look forward to next year and seeing how well they learn from mistakes and feedback. Seeing how they did this year, I have faith.