
BSides Idaho Falls 2025 - Badge Overview and Hot Wash

BSides Idaho Falls · 2025 · 41:45 · 15 views · Published 2025-09
Tags: Category: Community · Topic: CTF · Style: Talk
About this talk
See how the badge competition worked and who were the highest scorers. We'll also conduct a Hot Wash to discuss what went well, what needs improvement, and what we should do differently next year.

Test test.

That's your mic, when you're ready.

>> Pins. People need pens. >> U once that we when I get to the point where I pull this out, um I want to hand those to the rose. >> Okay. Because it'll be >> Yeah. >> All good. See? So when I ask that I knew him.

>> Well, then I got to stand right here.

Don't do that again.

>> Let's go for the close in.

Let's hope my battery lasts. Whoops.

>> See

I just don't know if I have a plug in. I could put it here. Oh sweet. Thank you.

Let's put it. That's not a plug. There we go. Let's not step on the cables. >> There we go.

All right. Are you everybody? Everybody ready? >> That's to Carl right behind you. >> Yep. All right. This is the badge talk. Unfortunately, people who created the badge and the kiosks that you guys were playing around with, one is in North Carolina, one is in Oregon, and one is at work that can give you any information. Um, one of them went ahead and gave me the talking points. Well, not talking points, what he would like me to read for the badge part. Um, after this I'll have Scott come up and talk about how we had to change some things because of some issues within the kiosks and the server. So bear with me reading from my phone.

Hello. The badge this year couldn't fully be an electronic badge this year because of cost and other reasons, tariffs. But that doesn't mean that we wanted to leave everyone high and dry with paper badges. That would be boring. You have all noticed that you have RFID badges and there have been scanners around the conference that you can scan them at to maybe get points. These scanners are being called kiosks, and scanning them in the correct order is the key aspect of this game. Some or many of you may have figured out the underlying workings, but we would be happy to go over the basics of how it works here via his text. Essentially, the badge has a set of attributes on it. And when you scan it at the kiosk, it will do a few things. Firstly, it will check which attributes you have and either assign or remove points depending on if you have the correct attributes or not. Secondly, the kiosk will add new attributes or take some away. Using these mechanics, you would have to find which kiosk requires certain attributes, as well as which attributes it gives you and which attributes it takes away. If you notice, however, the attributes were written to the badge directly. This means that you could have spoofed attributes and written whatever you wanted. If you wanted, you could figure out which kiosk and the rule server operated by going to game.bsidee es slash kiosks. This may be extra helpful as well, since the rules of the game changed over the course of the con. Some kiosks actually require some attributes which could not be acquired legitimately. In other words, you had to actually spoof some attributes.

Unfortunately, I've got something to confess. Although the server responds to and honored client-side requests, we've been secretly keeping score on the back end as well. We can see what everyone's real point values are. If you add an attribute to your badge directly and not by our kiosk assigning it to you, we secretly refused to issue points or remove points from your real score. We really just wanted to see how much people were cheating. We'll touch on that a little bit later, which is definitely the intention of this game. You could not have scanned the final kiosk without cheating. Luckily, the final kiosk scan counts towards your real points if you cheated correctly. That is, the scoreboard will let you know. It is probably, uh, game scoreboard, but you can also see the real scoreboard via games.besides scoreboard. If you didn't make the real scoreboard, you can still see how many real points you had via the games.besides badge backslash.

As always, we had documentation for an, uh, API this year. However, the badges don't directly talk to the API. So why have docs? Firstly, documentation is incredibly useful for making games and coordinating everyone's busy schedules. And secondly, the kiosks themselves communicate to the server via the API. APIs, acronyms, people. We hope we all find, uh, lost my place there for a minute. We hope you all find that the APIs, because we left some good goodies in there. If you didn't discover it, the Easter egg, you can get it by scanning your NFC tag hidden behind your sticker on your lanyard. Early on, the admin section of the API required an API key to issue scary requests. But at some point, we both opened up the admin API and leaked some information. The entire game mechanics and kiosk behaviors could be configured from JSON. And while it both made our lives easier designing the kiosks, it gave us some fun ideas to change the behaviors of the kiosks throughout the conference, but also for all to discover and reprogram the server yourself, which we all know somebody tried. We created this tool internally, and I could give you the website if you want this, uh, which we used to make the original game and generate the JSON, but kept this tool exposed so you all could make your own game and reprogram the kiosks yourself, and you had discovered the admin endpoint for doing so. This means you could have added your own fake kiosk or reprogrammed the existing ones to take away millions of points if others scanned it, or anything else your heart desires.

So, that one's done. Um, the first day we had a lot of issues with our kiosks. Unfortunately, some of them didn't function properly. They didn't hook up to the website, which kind of threw a lot of the game off in the first place. Um, Scott spent his night last night at game night and at home on the phone with Jonathan, Mikkels was not available, to try to revamp all of your kiosks to make this game run a little bit more fluid. Um, yes.

Um, unfortunately, during the lightning talks someone within our conference caused the kiosks and our badge system to have issues where it was no longer playable and took all the points away from all the children who were also playing the badge. And I understand it's funny and we all want to be hackers, but we also need to be respectful. So, I'm gonna have Scott come up and just talk about a few things that he did change to try to make sure that the kiosks were up and running this morning. Come on, Scott.

>> How many of you guys played the game yesterday? Didn't find it worked too well. The code that was pushed to the badge didn't have any 404 error handling, and something was broken on the server side. So, we had to add 404 handling. Scan your badge, it's a 404, it just crashes. Like, what the heck's going on? So, fixed that in the code. Um, we also got pretty valuable feedback that you guys wanted feedback from the card readers. So, we added LEDs to the boards so you can tell when it actually successfully scanned. Sometimes it would take 10 seconds to scan. Sometimes it takes a little less. So I hope that kind of helped you refresh all the badges last night.

>> Huh? >> Yes, practically all of them. >> Turns out Amazon doesn't always send you consistent items. So if you order all the same board, guess what? Sometimes they're different. So hidden out on some of the RFID boards were mixed up. So it wasn't said, unsolder those, solder better ones back on, make sure they work, test them all. >> Got my portion done at 3:30 this morning. I don't know if Jonathan got to sleep. >> Uh, I'll check later. >> Worked a 10-hour shift yesterday, stayed all night, and another 10-hour today. So, a lot of props to him. >> Yep. I definitely won't need that if he watches this. So,

does anybody have any questions about the badge and the game side? >> No. website. >> Um, games.

>> Are you looking for the scoreboard? >> So, the scoreboard, the real scoreboard is real dash scoreboard, but I looked at it and it has the, uh, the cheating points, too. So, I think we're trying to keep a scoreboard where you can see valid points and invalid points. >> You guys are too good. So, >> sweet. Any other questions? Okay. Thank you, Scott. That will conclude the badge talk and we'll go into the hot wash. And I know a lot of people don't understand what the hot wash is about. The hot wash is for the community. So, everybody who's sitting here, no matter what shirt you have on, you're all community. This is what we do it for. So, you have Post-it notes in front of you. Um, you have a green one where you can list all the things that you loved, liked, and want to keep. And on your red one, tell us what you didn't like, how you'd like us to change it, and what you would like to see. But what would you like to see on the green one, please? What you don't want to see or want us to take out, put it on the red one. So, negatives on red, positives on the green. And then that'll give you the whole time while I'm talking to add whatever information you want. This helps us tweak the conference so that it's something that you guys want, not what we want you to have.

So, all right. So, we made it to the end of our seventh year. [Music] It's nice to be able to check off another year. Um, this year was my 13th year with BSides Las Vegas and I'm no longer with them anymore after this. So, my soul is in BSides Idaho Falls. So this year we had 320 registered attendees. This included 15 speakers, four workshop instructors, 20 volunteers, and 28 organizers. Um, this year we set our budget at 10,600. Um, this helps us pay for your badges, the bags, the shirts, the food, um, pretty much everything that we put together. A lot of the equipment or parts, like filament for the KidsCon. Um, we try to make sure that our villages don't have to pay out of pocket so much, especially for here. So, and this year we spent 11,500. So we did go over budget. But some years go under budget and some years go over budget. So, >> nope. A little bit. But let me get to that point, because Zach's donation isn't in the tally I'll be, uh, speaking of.

So, we want to take the time to thank our wonderful sponsors who helped us raise over 13,800 this year. So, we raised more money this year than we went over budget on and what we spent. So, the University of Idaho information tech department allows us to get this campus for free. So, we don't have to pay for you guys to be here, um, for them to clean the bathrooms or anything, even though they may not be here. Um, Black Hills Information Security, they helped us in Career Village, so we can actually have Career Village on both Friday and Saturday instead of just Friday. Um, CR Advantage also was in Career Village. They were here on Friday, but not Saturday. So, a non-sponsor stepped in. Idaho National Lab sent two people over. Well, they volunteered their time to come over and help run Career Village this Saturday. So, we always had two people in there, two sponsors, two tables, to make sure that you guys can have a chance to go do resume reviews and mock interviews. So, um, Total Care IT, they're the ones that paid for the wonderful breakfast that we had laid out this morning. So, give happy for that.

Compunionet was here and ran their CTF this year. They were also a sponsor. University of Idaho Falls, Idaho Falls campus. College of Eastern Idaho, Idaho State University, Gravwell Corite, and Frontline Cyber Solutions. So, I definitely want to thank all of those sponsors for being able to raise money so we can have the money for next year as well. So, round of applause.

Um, so at this point, if we have any speakers or workshop instructors, could you stand up?

I sit down. >> These are the people who help us, uh, attract, you know, attendees like yourself, to be able to have time to share their information with attendees and everybody else that comes here. Without our talks and our workshops, uh, we'd just be a group standing around. Thank you. [Applause] And can we have all the volunteers stand up? Sweet. Without these volunteers, us organizers would be crushed, because we spend all year long and they help us on the day of the events on Friday and Saturday to make sure that everything runs smoothly for everyone. And I want to give applause. Thank you. Now, our organizers, you get to stand up again.

Remember, we have 28 organizers. Not all of them could be here today and in the hot wash. All of these people put in their time all year long to coordinate and think about and set up and create CTFs for KidsCon and many other ideas that we offer here at BSides. And I want to give a warm applause to them for all the hard work they've done this year. [Applause]

It's never just one. It's a team that makes the dream. Now, attendees, stand up.

I definitely want to give thanks to you, because if we didn't have any attendees here, we would have spent a lot of money and talked to the same people we've been talking to the last few years. So, I want to give you a round of applause. Thank you for coming and enjoying this. Thank you for another wonderful year. Next year. >> Yes. [Applause]

>> Next year, call for papers and workshops. I'm making an executive decision here. March 1st, it will open. So, if you have talk ideas and you have workshop ideas, mark it on your calendars. March 1st, 2026, is when we will open the call for papers on our website. If you have ideas for villages, let me know. And that's something I missed in this whole point. I'm going to have her pass around a paper. We're doing a call for organizers. Yes, we have 28 of them, but we want to grow, be better, and I would really like each department to have three people, so then we're not feeling overloaded and burnt out and we have our own team to support us as well. So I'm passing these papers around. If you would like to be part of the organizers or even a volunteer, please put your name and number on there and we will get in contact with you. If you know somebody who would like to actually be part of it, go ahead and have them send their information to BSides Idaho Falls or info@bsidesalls.com. org. And then next year's dates are September 18th and 19th. And we are hoping that, if the CI building, the new tech building, is built in time, that this BSides will be over there next year in the brand new building so everybody can see it from the inside. So, I hope to see you all next year. We made it. [Applause] And if you're done with your Post-it notes, you can come stick them up on the, um, chalkboard. I say dry erase because they put this back in. I skipped over that part. Whoops. Lines are hard. Oh, another thing. Um, who would like a game?

>> I'm not gonna throw it. >> I like that would be rude. Well, thank you. >> There you go.

You can share. Anybody else would like a game? Now the hands go up. It's like, okay, if you'd like a game, come down here. So if I have more than I need, we're gonna play Roshambo. >> You can stick them wherever you want. Huh? >> I didn't bring my Post-it. >> That guy remembered. Oh, >> that's fine. >> Well, I have top 10 family games. Scratch-off cards. Scratch off, play, bond, and repeat. And then I have Right Left Center.

All right. All the games.

>> Which one do you want? >> Which one do you want? >> Right. Let's center. >> You can just leave them on the table. >> Which one do you want? One of those. Mhm. >> I got one more. Right, left, center. >> I think you already have one.

Thank you all for coming.

Thank you everybody for watching.