Thotcon 0x6 has come and gone

After a few years of swearing up and down, I finally made it to Thotcon. It was definitely an experience with good and bad.

Kinetic on Cybercrime

I found out about Thotcon a few years ago, but it always seemed to either conflict with my schedule, or I couldn’t get time off work for it. This year was different, so I bought myself a ticket and went. What I came into was an interesting mix of talks and socializing. Let’s start off though with the not so good aspects of it.

The whole idea of having to walk outside to get between tracks was one of the worst things about this convention, if only because you could not bring your booze outside. Yes the booze that you paid for, you had to chug or leave it behind when you went into the alley to get to the Turbo Talks in Track 2. Speaking f the Turbo Talks, I really felt that some of them that I saw, such as the one on the CFAA, and the one about Going Kinetic on Cyber-crime, should have been in Track 1 and some of the talks in Track 1 should have been limited down. I was disappointed in some of the Track 1 talks also, because they seemed to be more about trying to pimp the speaker, a “Hey, look at me, I am l33t,” and skipped around substance, or the speakers put in a lot of fluff to help stretch the time frame of the talk. Others probably will disagree with me, but I do know some other attendees felt the same way. Finally, the communication system inside the convention needed work. There were talks that were shifted between days or times near the last minute, which prevented people from seeing talks they had planned on. Day 2 they killed off the afternoon lunch break for Track 1an hour beforehand, moving all the talks up an hour. For myself this prevented me from seeing a talk in in Track 2 that I wanted to see because a talk in Track 1 was more important to me. Also, with no recordings of the talks, there was no way to catch up on missed ones.

While the venue itself was nice, the location was difficult. Being off the Brown Line meant the choices for public transportation were very limited, especially for those coming from the suburbs. This in itself stops some people from going to Thotcon, as the parking around the venue is difficult at best, and travel times there are tough to gauge.

Overall though, the convention was well organized. There was enough time between talks to not make one feel rushed, yet everything flowed. Registration on the first day was very smooth and problem free. Food in the venue was pretty good, and having a dedicated bar area upstairs of Track 1 and across the hall of Track 2 worked to keep noise down while the talks were going on. Also having video feeds in both bar areas was a nice way to allow people to keep track of what was going on. The awards presentations at the end of Day 2 went smooth and quick.

It was interesting to me that some of my favorite talks were non-technical in nature. The talks about the CFAA and how to get more active with the politicians were both amazing. The keynote by Jack Daniels was interesting, along with hearing the social engineering exploits of Jayson Street. The talk about taking down botnets and other cyber-crime operations was another favorite (pictured a the beginning of this article), as was the talk on the deep web. There were some talks I did walk out of, mostly because I found them either not what the abstract made them out to be, or just boring because they seemed to promote the speaker more than it being either a technical talk or call to arms talk.

Thotcon in general turned out to be a decent security (hacker) convention. Yes it has flaws, but the move to it being 2 days worked nicely. Don’t expect too much from it as far as deep technical talks (they decide dot not have workshops this year so they could have the main bar/socializing area), but instead figure you will get some tech, some policy and a nice overview of different topics. Definitely not a training convention as much as it is a call to arms for the infosec world convention.

Can Infosec get ahead of the Blackhats?

It is described at times as an arms race. Information Security always seems to be behind the bad guys. Can this ever change?

We all know the routine by now. New exploit, new signatures, new patches, new updates, new exploits. Rinse, lather, and repeat. We hear of the next big thing to be adaptive. Heuristic scanning, signature scanning, IDS, IPS, all to mitigate the threats. We are always fighting the good fight from behind. Unfortunately, this will always be the case. Yes, we get faster, not as far behind, and better. Yes, we have people on our side actively looking for the latest exploits. It is a neck and neck race in this day and age, but the fact remains, the bad guys will always find something we haven’t. We do our best to mitigate. We know that people are the weakest link. We try to educate, but even the best education, following the best practices will not stop exploitable scenarios, be they human or code. Why? Because we are human and are flawed.

Now don’t think that I am all doom and gloom. We have made great strides forward, and will continue to do so. Truth be told though, their are only a few ways to even have a chance of truly stopping the situation, and they are either super extreme or extremely improbable.

First idea I have is to have, as was a tag line from the movie Sneakers, “No More Secrets.” If everyone from corporations, to governments were wide open about everything, then what is there left to steal? Just money which brings me to the second thought. Go back to the bartering system. This gets rid of the money issue, and actually makes sense. Trading goods and services for other goods and services. Now you don’t need credit cards, Money, bank accounts, etc… The other big one that gets brought up in my mind is of course getting rid of technology all together.

None of these ideas are practical of course, so we are back to the original thought here. Can we ever get ahead. More thank likely not, but we keep getting closer to being even. So keep training, keep educating others, and keep your wits about you. We are in for a bumpy ride.

Meanwhile, away from Las Vegas

Yep, Hacker or Security Summer Camp time is here. For those of us not out in Las Vegas at Blackhat, B-Sides, and Defcon, The world continues on. As it goes, the U.S. Army has a lot to learn about the world of hacking.

The Register put out a story on how the US Cyber Army got its rear whooped by reservists. This article should be scary, and for good reason. If the full time Cyber Army didn’t even know how they had been attacked, how do we expect them to defend our country, let alone attack aggressors? The simple answer is they won’t be able to, but why? Well it is actually a matter of a few things.

The military is a great institution. As such they have a great regiment, and are highly organized. Follow orders, follow procedures, be a good soldier. The higher up you are the more planning you are able to do, but still the open thinking is still limited unless under true fire. This goes against the idea of being a hacker, someone who can go out and keep directly up to date with the infosec world. the world of Zero Days, backdoors, malware and the like is ever evolving and at a breakneck pace. The amount of “Eureka” moments compared to normal military strategy “Eureka” moments is astronomical. Yes the ideas put for in The Art of War by Sun Tzu still apply but the pace of shifts, adjustments and new “weapons” one talks about is daily.

Now while both the full timer Cyber Army members and the reservists both might have an interest or passion for the world of hacking and security, the reservists have a huge advantage. According to the article a good majority of the work in the infosec field full time. Imagine how more up to date, be it from looking at darknet forums, to researching zero days, penetration testing all different sorts of systems, they are. Add on that they have gone through the training and regiment that the full time Army has. This is where the full time military failed. think about it, we all have heard of former hackers recruited by the government, and for good reason. It is straight out of Art of War, “Know thyself and know thy enemy and never in 1000 battles will you lose.” The full time Cyber Army needs that adaptation. they need to be more loose on regulations, need to be able to constantly think outside the box and be able to expand their skills and knowledge outside of a regimented system. Until that time, I hope those reservists are ready to defend the country cause the full timers are a liability.