~$ I gave a talk at BeerCon2!

Posted on Nov. 2nd, 2020. | Est. reading time: 10 minutes

Tags:Information SecurityIOTTalksConference


There's a great many jokes that start with 'A developer enters a bar', but I would be hardpressed to see one that ends with 'And they gave a talk about IoT/Mobile development security'.

And yet, I've just lived through that, and it was no joke!

Summary

The road so far!

Flashback to a few years ago, in May of 2020 (at least from my psychological perspective of the decade that was 2020).
There, I found myself scrolling the Twitterverse, somewhat aware of the InfoSec community on Twitter, but not interacting with it that much.
So when Gamithra popped into my feed, saying she was building a Discord server to practice CTF boxes on HTB and THM, and I requested to join said server, little did I know where that would lead me.

There I met one of my soon to be best friends, Lennaert, and through many activities (such as mindless chatting, distanced drinking and occasionally playing Mindnight or Minecraft), we got closer.

At some point, Lennaert tells me about this weekly meetup on Friday evenings with people from the InfoSec community, aka. InfoSec Happy Hour.

Originally, I felt I would be quite out of place joining that meetup, and quite heftily refused. A short while later though, I -- whilst inebriated, said I would at least partake in the experience once.

And that is how I came to be a card-holding (not really) regular member of the InfoSec Happy Hour crew!


How did I get involved in this?

Fast-forward to mid/late September, COVID-19 is rampant, everything is more-or-less shutdown, and many conventions with rookie speaker tracks have decided to cancel (because -- allegedly -- no one wants to attend virtual conferences).

All the while, after being delivered from my apprehensions in joining the Happy Hour gang, The Beer Farmers announce they will be having a second iteration of their convention, the infamous BeerCon, aptly named BeerCon2: Rise of the Rookie.

That tagline is also the key selling point? The only people that are allowed to speak there this time around are rookie speakers! (ie. people who've never spoken anywhere before).

After some nudging in the first few days (done to me, not by me), I submit a CFP titled 'Securely storing and transmitting information on mobile/IoT devices: A story in development'.

A week or two pass by, and I get the answer! My CFP was accepted!

Wooohooo!


Oh shit I now need to write the damned thing.

Apparently, choosing a subject as vast as 'the entirety of secure storage and transmission for IoT and mobile devices' is not necessarily a 300 IQ move, especially not for a rookie speaker.

I get into writing the talk, mostly using my CFP as a guiding board, and manage to divide the flow of it into 5 parts:

  • Where? - The scope of the problem and how I relate to it.
  • What? - The terminology and ideas that comprise the subject.
  • Why? - The people, the technology, the risks and incident fallout.
  • How? - Fixing the problem.
  • Wait, say again? - An overview of things I'd heard in the field.

Mind you, I only have 30 minutes to talk about all of this. So I time myself saying the things, and I manage to cram in 47 slides.


The many averted fuckups.

The multitude of positive things that happened at and emanated from BeerCon2 is mostly due to the mentors.

Since we were all rookie speakers, 5 seasoned speakers had volunteered their time and energy to mentor us, and help us with our presentations.

The names of these MVP's are:

Speaking for myself, I was told that there was some content I could potentially cut from the presentation, and that a few visual details to be added or amended could make the presentation become even better.

Aside from the mentors, us speakers banded together to preview each others talks and -- most importantly -- to practice them.

On the side, I'd taken the opportunity to ask a few people their opinions on my talk to gain an outside view on it, notably:

In hindsight, I would've had a lot more issues giving my talk in the alloted time if I hadn't gone through the ringer a few times, gained my footing and cut a bit of content left and right.

The big day(s).

So, along comes Thursday the 29th of October, and I'm scheduled to deliver my talk at 12:50 local time.

I take all of my stuff (webcam, microphone, laptop, etc.) and bring it with me to university, where I'd planned to give my talk from.

I arrive there a few minutes before the opening keynote, and then start watching it from the comfort of my desk, slightly incredulous that I'm going to be a part of this!

Then the first talk -- titled 'DevOps and Dragons: A guide to working differently through fantasy roleplay' -- hits, where Zak Slater goes into detail as to how aspects of LARPing (aka. Live-Action Role-Playing) can be found in incident simulations, which really bluffs me!
Except it also scares me. Because I'd seen that high quality of a talk, I was suddenly afraid of how I would perform, and I start getting all jittery.

Right after that, Juan Spinel does a deep dive on 'GDPR, The Good intentions, The Bad Implementations & the Ugly Loopholes'. Yet another fantastic talk, and my nerves don't subside.

Surely that couldn't be a constant for the convention right? Surely I wouldn't be the only one feeling insecure about their talk? Next up was Ben Ellis.
I knew from our runs together that he too was stressed. Although at the beginning his nerves did show, he steeled them and blasted it out of the park in his talk on how to grind Tokyo -- the capital of convenience -- to a halt in 'Tokyo Takedown: How 10 seconds can change the world?'

Whilst The Beer Farmers and Dave McKenzie hashed out war stories, I got into the waiting room, prepared to meet my fate.
My jitters had not subsided, and I was really stressed.

In the waiting room, Lennaert and Gerard, acting as roadies for BeerCon2, and James were all there to help me calm down.
Then my time was at hand.


I start out quite stressed, going through a portion of my talk before feeling the sense of familiarity that came with my knowing it.

I cut some content in the middle and finish in about 28 minutes, get one or two questions answered and then it was finally over.
A sense of relief washes over me: I'd done it.

In my talk I've cited a few resources, they are:

  • Henri Jiang's Map of Cybersecurity domains ( link)
  • @smealum's DEFCON 27 talk 'Adventures in Smart Buttplug Penetration testing' ( link)
  • @tautology0's collected thread about hacking BLE smart locks ( link)
  • Using concurrency issues to produce funky and destructive results in Android ( link)
  • Detecting sleep using mobile sensors ( link)
  • IoT Child Tracking watch information disclosure news article ( link)
  • @LisaForteUK's Rebooting Special - Rebooting Resilience ( link)
  • IEEE754 float conversion tool ( link)
  • The Schmoo Group's DEFCON 11 talk (2003) on Bluetooth Wardriving: ( link)
  • NY Times Privacy Project (2019) - 'ONE NATION, TRACKED: AN INVESTIGATION INTO THE SMARTPHONE TRACKING INDUSTRY FROM TIMES OPINION' ( link)

My takeaways from the event.

Everyone really gave their all to talk about something that was interesting and dear to them, and it permeated through their presentations.

These weren't talks by people in suits, who'd done talks for the last 10 years, and thus didn't have the same energy behind it.

The energy behind it was one aimed at sharing, one of community, one of mutual aid.
And all of that my friends, is beautiful.

The Beer Farmers have a catchprase (#HereForYou), and they definitely delivered on that promise, from setting up the event, to being involved in it for it's whole duration, for the general good vibes they brought all along, to finally the efficiency with which they made the content available online.

My fellow speakers (and their talks)!

I'd be remiss if I talked about the first few talks without actually linking them and the speakers.
All of these are brilliant, and you should definitely have a look!

#SpeakerTalk
Day 1
0 Zak SlaterDevOps and Dragons: A guide to working differently through fantasy roleplay ( link)
1 Juan SpinelGDPR, The Good intentions, The Bad Implementations & the Ugly Loopholes ( link)
2 Ben EllisTokyo Takedown: How 10 seconds can change the world? ( link)
3 Nikhil MohanlalDemystifying ZeroTrust ( link)
4 Rae Jeffries-HarrisYour Friendly Neighborhood Hacker ( link)
5 Dan ConnUsing OPSEC and Social Engineering as AWOL (A Way Of Life). ( link)
6Marius PoskusAtt&ck the Cloud! Common techniques and how threat informed defence can help? ( link)
7 Elizabeth MomolaHow to move from Admin to Security Analyst - survival story of a Graduate Apprentice ( link)
8 Seán GDoSsing around: HaHa packets go brr ( link)
9 Vivian BandMalicious Mass Host Recruitment over IPv6 ( link)
10 Shahrukh Iqbal MirzaKerberoasting ( link)
11 t3chbitsWhy you should give your developers coca*ne & caviar ( link)
Day 2
12 Chloe
Jennifer
Charlie
A sudo guide to our experiences in hackathons and ctfs ( link)
13 James BirdseyeThe box in the corner, not the one that goes beep ( link)
14 Michael FowlerCommunicate better by knowing yourself a little bit more ( link)
15 Gerard BarrettImpact of Data Breaches to Insurance Fraud ( link)
16 Vix SzymanskaLessons learned from my first year in cybersecurity: tales of an exhausted pigeon ( link)
17Aqeeb HussainGaining an initial foothold on your target ( link)
18 Khaula KarimSetting up Malware Dissection Box ( link [unavailable as of 03/11, technical issues])
19 James HareManaging The Patch Cycle with Modern Tools ( link)
20 Ayush PriyaHunting Secrets in Code ( link)
21 Will ThomasGone Phishin' / Attack of the Phish (something something phishing) ( link)
22 Mark SShocking Tales of Common Fails - a responder's view ( link)
23 Joshua MooreCOVIDCATION - surviving education and making the most of it in a time of uncertainty ( link)
24 Parker Seamanwhen I tried to hack a freal machine and what that taught me about OSINT and life ( link)
25 Lennaert OudshoornEthics in Ethical Hacking & Responsible Disclosure ( link)
The many thanks list

The many people without whom this event would not have taken place, or that personally helped me in building my talk.