On the morning of June 3rd, 2011 the alarm clock rang at 4am as it did many other weekday mornings. This morning, though, was not at all like the previous mornings that week: this was the start of BSides Detroit (which we’ll refer to as BSD). If you’re unfamiliar with BSides, these are conferences that focus on the discussion that comes from the talks that are presented by various professionals in infosec. In other words, vendors need not apply…unless you’re sending your developers, not salespeople, to talk about your product.
Prior to BSD, I was writing CTF articles for Security Aegis and I followed a few people in the infosec community on Twitter. No face-to-face interaction, some Skype conversation, and a couple of infosec podcasts (Exotic Liability and PaulDotCom). I had stumbled upon a retweet that there was going to be a BSides event in Detroit and I knew that I had to get there. As June 3rd drew closer, I began following people on Twitter that were using the #BSidesDetroit hashtag and soon I had a roster of people who were going to be at the event. After that, there were a few messages back and forth and before I knew it June 3rd had come.
Laptop: check, camera: check, driving directions: check, fifteen hours’ worth of podcasts just in case: check! Everything was loaded up in the minivan…no, we’ll call it the ninja van (nobody expects ninjas in a minivan, right?) and I was on my way from Grand Haven to Detroit. First things first, I had to make a stop for doughnuts and Monster Low-Carb, because I’m all about nutrition lol. After many miles of talking to myself and imagining what the venue, talks, etc… would be like, I arrived in Detroit. OK, let’s all resurrect our imaginations a minute and picture somewhat of a redneck guy driving through D-Town without much of a clue where he was going. Amazingly, I managed to find East Market District (a.k.a. my culture shock), and proceeded to drive past the venue twice before realizing that my preconceived notions of where I was going were total garbage.
Omnicorp Detroit is a diamond in the rough. I’ve been to conferences for custom electronics installation, home automation, and steel manufacturing, but none of those were anything like what I saw before me. What appeared to be a vegetable processing plant with a spray painted cloth sign that said BSides was actually a hacker hub. For a brief moment, I wondered if I was completely out of my element and the awful truth was yes. I was in a city I didn’t know, surrounded by people I didn’t know. I felt like a mouse in a room full of traps…uncomfortable. After getting checked in and heading up the rickety staircase this clam that is Omnicorp Detroit opened up to reveal the pearl on the inside.
The main area of OCD is a geek’s dream. What do you want? Workstations, electronic components, various tools, audio equipment, a spot to just veg and talk to other people like you? OCD has it and I was, and still am, jealous. There are no hackerspaces that I know of in my area. This is exactly what all those people on Twitter were talking about when they said “ninja conference”. There were no salespeople here, the exterior showed no signs of being an information security hub, the slides were being shown on a cloth screen, and there was a feeling in my bones that we were going to be discussing things that just seemed so bad. After meeting some other attendees and snapping a few more photos, it was time for the talks to begin. The talks, listed here, went by in a flash. I had initially planned on taking copious notes, but as the talks went on, I found that I wasn’t even using my laptop because it would distract me from the talks. What’s the point of taking notes if you’re not listening to the speaker?
During one break in particular, I made my way over to the lock picking area. I’ve had experience with “unorthodox entry techniques”, but never used a pick. As a person who aspires to be a great pentester, I needed to know how these picks worked in conjunction with the locks and to get some experience with them. After successfully picking the 3-pin lock, I knew I had to keep at this. Let’s face it: slim jims, modified plastic cards, pocket knives, and the ever popular heavy rock aren’t always an acceptable option.
As the day went on, we were informed that day 1 was going to be two speakers short. At first, I was a little bummed out and wondering what would come from the “lightning talks” that the organizers had moved into those open slots. Wow. Dug Song opened the talks with some questions for us participants regarding the recent hack of Sony. The conversation shifted towards the ethics in hacking…yes, I said ethics. Does it really mean anything to be a Certified Ethical Hacker? Why are young teens finding the risk and “rewards” of blackhat hacking so appealing? As I looked back on my high school education, I noticed something that I would consider a detriment to our educational system (at least in my area). Our local high schools will teach keyboarding, basic computer use and an entry-level computer information systems class if you choose to attend a tech school. Notice I said nothing about security? Nothing about protecting yourself online, nothing about thinking before you post that questionable picture of yourself on Facebook, nothing about how posting that picture gives Facebook the rights to use it, and nothing about how prospective employers (or anyone else) can view all of that information. The conclusion we all reached is that information security people need to reach these kids before the wrong people can influence them. Watch a news story related to hacking sometime. Did you hear about a hacker pointing out the XSS vulnerabilities on a company website and how it got fixed, or did you hear about a nefarious hacker stealing a bunch of credit card numbers? My point exactly. Omnicorp Detroit is an awesome hackerspace, something I didn’t know existed until shortly before the conference. They are achieving this goal, and another idea that came up was to set up an IRC for Michigan area infosec professionals and young people to connect.
Sadly, I was not able to stay for day 2. I did however watch Twitter feeds and caught the live stream for Rafal Los’ talk on “Ultimate Hack - Manipulating Layers 8+9 [Management & Budget] of the OSI Model”. This leads me to probably my favorite observation from this conference: The community, as a whole, exists to help each other. The live stream was there for people that were not able to make it to the event and all throughout the conference ideas were exchanged between presenters and participants. From my Twitter conversations with Ryan Harp, I could have saved a lot of microphone headaches if I had been there Saturday. Learning from that, I’ll be assisting with the A/V setup for next year. I feel as though I have a responsibility to help with the 2012 edition of BSD.
Before the conference had even ended, there was already discussion on things for next year. For instance, the mic problems have given us a slogan and logo for the 2012 edition of BSD: “We don’t use mics in Detroit, we get in your face and yell” with a smashed mic image on the shirts. I have to be there for next year, no REALLY, I will be there for both days. The organizers did an awesome job and HUGE props to Omnicorp Detroit for hosting this. Also, a big “Thank You” to everyone that signed up as volunteers. BSides Detroit was everything I hoped for and nothing that I expected all at the same time.