Crafting an Effective Security Organisation - KiwiCon and WrongIslandCon
Overview

I'm writing this post while sunning myself on the Coromandel Peninsula of New Zealand, sitting on my balcony overlooking the harbour. A hard life I know, but given the positive reaction to the talk I gave at KiwiCon 8 I wanted to share the slides online rather than waiting until I was back in NYC.

Overall, the combination of WrongIslandCon's inaugural happening along with KiwiCon's 8th appearance made the trip the most enjoyable and fulfilling conference experience I have had for the whole of 2014. I can't think of a better way to close out the year before the holidays take hold.

Anyway, on with a few thoughts on both these great cons.

Wrong Island Con

For those unaware, New Zealand is a country of two lands, the aptly named North and South Islands. KiwiCon takes place in Wellington, which is on the southern tip of the North Island, meaning the only logical thing to do is to run a prequel conference in Christchurch on the South Island! (Truth be told there is some deeper mythology at play to do with WIC, but that is definitely better left to Rich0H to explain over a pint.)

Organised on a shoestring by Rich0H, this was a small event where a number of lightning talks took place, all whilst drinking a variety of great beers from The Twisted Hop. What could be better?!

I landed in Christchurch from NYC a day late and an hour or so before the con started, due to United's inability to have a flight leave from JFK on time (seriously United, 50+ hours for the journey? I hate that you get my money....). Still, despite United's best effort I made it in time for the first talk, and even with some capacity for semi-articulate speech.

The content discussed varied across a pretty wide spectrum of topics: from my talk about the security shortcomings of the TR-69 protocol and the flaws of its implementations, to some deep EFI shenanigans, much Bluetooth hilarity, how to steal children's RC toys wirelessly, and all the way to preventing APT in 5 mins by guest speaker Liamosaur. That's 'Anterior Pelvic Tilt', in case you were wondering and thought someone had found a way to derail the FUD-inducing marketing machine that is Mandiant. Unfortunately I guess that shit show will rumble on until they find another acronym to extract dollars from......

Anyway, do yourself a favour and check out WrongIslandCon's website for a list of speakers, topics and maybe even slides, if we get ourselves together enough to make them available.

While small, Wrong Island Con cannot be slated as anything other than a resounding success, with most everyone hoping it will happen again next year. If in doubt, be sure to ask Rich0H when it will be taking place; he closed out the con with a specific request that if people were wondering about next year then they should definitely, definitely ask him ;)

Mention should also go to HackerOne, Insomnia Sec and Great Scott Gadgets, who sponsored the con and picked up the tabs for all the thirsty speakers and hackers!

KiwiCon 8

After a short but enjoyable stay in Christchurch it was a hop over to Wellington to get set for KiwiCon 8. Having never been to NZ before and only knowing a handful of the folks in the local hacking scene, I wasn't 100% sure what to expect, but from the first minute it was clear this was going to be both a hugely friendly and ego-free con that was about fun and knowledge sharing rather than peacocking and sales pitches.

One of the first things I noticed on day 1 of KiwiCon was the broad mix of people among the attendees. This was not your normal 'hacker mix' (though there was good representation of that for sure); it really was a cross section of people interested in technology and the potential security implications that are finding their way increasingly into everyday life. For example, for the opening remarks and keynote I was sat behind what appeared to be a mum, dad and daughter (outfitted in 8-bit style with hair bows and a Minecraft pickaxe). After a quick conversation with them this was indeed the case, and when I asked 'what brings you here?' the answer of 'we're just interested in finding out more about this hacking stuff, we know we don't know enough about it' only confirmed my initial thoughts that KiwiCon is something special among hacker cons.

Single-track cons are my favourite. Single-track cons in a beautiful historic theatre are even better. Those that combine all of this with a stage set-up that includes a DeLorean, a sheep containing beer, and a llama...... I'm lost for words.

The talks covered a great range of topics over the 2 days and I won't do them the injustice of trying to summarise them all here; just do yourself the favour and go to the KiwiCon website to see what was being presented, and track down slides from the ones that interest you.

As for my talk, I was genuinely surprised by the super positive reaction it got and the great conversations it generated in the hallway track afterwards. This was all in addition to one slide in particular that seemed to resonate with people and generate more buzz than I expected (and yes, that is a sheep in a top hat. Don't ask.....)

Don't hire assholes

I assumed the rule of not hiring assholes was a pretty standard one that everyone would see as obvious; however, it seems having it on a 50' screen rallies people to its cause and triggers a Twitter chain reaction. No bad thing in my eyes, if I'm honest.

It was pleasantly reaffirming to be at a conference where there were a number of talks about security culture, how to make it better, and how to ensure a focus on people and not just technology in trying to create a more secure environment. I'm not sure if this was intentional on the part of the organisers or just came about organically, with many people beginning to share the same concerns as me. Regardless, it was great to be a part of, and I very much hope it's a theme that continues to be present at other hacker cons.

In a word, KiwiCon 8 managed to fire me up as to how great a con can be without having to pander to vendor halls, paid-for presentations, and ambulance-chasing the latest bug with a fancy brand name and swish logo.

To the organisers I have nothing but admiration and congratulations; just hands down a fantastic job. I'm counting down the days until the next KiwiCon, as I cannot wait to see what next year has in store, and I will do my very best to be there to witness it, despite what United may try to throw my way.

Badges

A blog post about these two awesome cons would in no way be complete without a mention of the badges!

The Wrong Island Con badges were a piece of 3D-printed tactile magic that is sure to stay on my desk and be fiddled with for months to come. Really fun and seemingly loved by all recipients.

The KiwiCon badges, in keeping with the retro 80s theme of this year's con, were a range of audio cassettes for attendees and Betamax tapes for speakers :) In a word, AWESOME!!

KiwiCon 8 Badge

The audio cassettes also contained a badge challenge in the form of an encoded C64 program; a few enterprising attendees went all out and completed the challenge in style. If I find a writeup of their solutions then I'll be sure to link them here, as they were really neat.

Slides

So, for the kind folks who have been asking for them, the slides from my talk are shared on my Speaker Deck: How to Craft an Effective Security Organisation.

If anyone has questions or comments please feel free to hit me up on the Twitters.

Finally, there were a couple of real journalists who can actually string coherent sentences together (unlike myself), and they wrote some articles that included some of the topics from my KiwiCon presentation. Their KiwiCon-related articles can be found below:

Rich Smith
Director of Security @Etsy // Co-Founder @theSyndis // International Vagabond & Miscreant