
BSidesPDX 101 - BSides Portland 2018

BSides PDX · 2018 · 26:31 · 88 views · Published 2019-02
Tags
Category: Community
Style: Panel
About this talk
BSidesPDX 101 - CTF, Contests and Events, Badges, & more with @TTimzen, @securelyfitz, @r00tkillah & @office_deskjet. BSidesPDX continues to grow in size and quality year over year. This panel serves to tell you some of the “what” of the event and will discuss the thing around your neck, CTF challenge development, Contests and Events, organizational changes, new processes to make BSidesPDX better, 501(c)3 status, and more! Don’t miss out on the opportunity to hear from the organizers how things got done!
Transcript [en]

We are... well, you know, the community is broad. We are all like makers, hackers, students, etc. But who put this together? We have also kind of a broad group of people. We have the board that runs the organization, we have all the organizers who actually do all the hard work (I'm one of the people on the board but not an organizer; you got lucky), the badge makers, who also do a lot of hard work, and then everyone else, the BSides hackers. They make sure it works. All right, so we have some organizational changes this year which are kind of interesting. So now, after lots of hard work that the BSides board has done, principally John, we are now a 501(c)3 nonprofit in the eyes of the federal government, which means that we can accept tax-deductible donations that are not in kind. So that is super exciting, at least for me. Exciting for me too, because now on the box of like filing taxes I can just say yes, we're exempt, and I file. Really great. Anytime, anytime you want, it doesn't have to just be around here, you can donate us money and write it down on your taxes. It's fantastic. So because we're a non-profit, if your employer has a matching contribution we can also get extra money. That is also true; many employers do matching contributions.

So, as I alluded to earlier, we have the BSides Board of Directors. We have a Google Group where we actually talk about things. We have board meetings every month, except for this month because it was the day before BSides, and you guys are all welcome to call in, although at least for board meetings that's mostly "be quiet". I'm gonna have Topher talking about the CFP process, but we had once again a better CFP process than ever before.

That's right, so it's not a proper 101 talk without actually talking about what makes the conference... we're part of what makes the conference so great, and that's all the wonderful speakers that have come up to give talks, to give workshops and to present themselves and show what they're doing to the world. So this year the CFP process we actually did a lot differently, and I'll get into that, but we also received more submissions than ever. This year we had in the three digits for the first time, which was really wonderful, but it also made the job exceptionally difficult to curate and decide what we wanted to take in. This year we had two rounds: round one closed on the 15th and round two closed on the 15th. Basically by round one we had already had so many high-quality content submissions that round two was even more exceptionally difficult. So this is kind of an homage to: if you want to present at conferences, particularly ones that are growing in capacity like this one (we have 800 people here now), submit stuff early. Get it into the review board process; people have more time to look at it, give feedback, and usually a better chance of getting up and presenting your work.

Can I interrupt you? Yes. Another thing: we gave people who submitted in the first round and were not accepted in the first round... we kept them in for the second round, but we also gave them feedback on why they weren't accepted, and of the people who took that feedback, revised their submission and resubmitted it, I think 80% of them made it in the second round, where it was like 20% that didn't, that just trickled through to the second round. So yeah, I think that was a slight change that goes a long way towards what we're trying to do.

Definitely, and speaking of all of that feedback, we actually had a CFP review board this year for the first time. After eight years of being a conference moving into the community at large, we started to realize that, due to the fact that we're getting hundreds of submissions now, we wanted to be able to give people individualized feedback, and that wasn't manageable with just one or two people being the body curating all of that. So we actually recruited local security experts to help us go through all the submissions, and they took a lot of their personal time in order to look at all of those, provide individual feedback and give Joe and I recommendations as to how to make the conference what it is and who we accepted. So huge thanks to the wonderful work of everybody on the screen: we had Joy, we had Maggie, Tim Morgan, Case, Mari, myself, Jesse, Michael, Forrest and Emily really helped us out with this. So big, big round of applause for everybody that helped out. [Applause] And speaking of speakers, and not the kind that play music, like I said we had so many submissions this year and it

really was a lot of work for people on the review board. So if you run into somebody, please thank them and talk to them about submitting and getting yourself up on stage. So with that we're gonna transition over to office_deskjet; he's going to talk about the badges.

All right, they work, don't they? I sure hope so; they all passed QA on Wednesday night. So what do we have here? This is our wonderful badge this year. So we have around 36 parts on here; mostly they are LEDs. We are Charlieplexing the yellow LEDs. So Charlieplexing is: you use few pins to drive a whole bunch of LEDs. Then we're doing pulse width modulation to change the brightness and the color on the RGB LEDs. So the microcontroller we're using is an ATtiny861. I wrote all the firmware in avr-libc; no Arduinos were harmed during the process. I'm an electrical engineer so I'm not allowed to use Arduino, that's what academia told me. So this year we have USB programming via micronucleus; you'll need a script to run the programmer for that. Otherwise there's the ICSP header so you can do direct programming through that. The cost was pretty low this year: we got the BOM to be about five and a half dollars per board, which is pretty low compared to previous years. I think this was also the most complex layout we had made, which made things more difficult this year. We are also featuring shitty add-ons, so the hearts have the headers for the shitty add-ons. They're press-fit, so the normal is 0.1 inch spacing; these are 0.11 inch, so you don't have to solder, you should just be able to push them in and they hold. And this is completely open-source hardware, so the layout, schematic, bill of materials, firmware is all on the GitHub link, and you can go there and hack the badge.

So how did this happen? Back for DEF CON I heard about the shitty add-ons, so I decided to make my own shitty add-on, featured up there, for DC503, the Portland DEF CON group. So basically I took the same concept, the same LEDs and a similar microcontroller, and made it bigger and added some more functionality to it. So with the hardware we follow a waterfall; there's no agile scrum JIRA crap with hardware. So basically it's: an idea, figure out what parts you need, put a schematic together, make up some art, do the layout in KiCad, and make a prototype. Fix your mistakes on the prototype, then do a final build. No second prototype, because we do this last minute, right? Protip is definitely make more than one prototype and have more time in the development process. I think we did this in about three months. So the tools I used was Inkscape with this plug-in called svg2shenzhen. It basically allows you to do all the layout artwork in Inkscape, then export to KiCad, so you can do the copper layer, silk screen layer, solder mask inside of the vector arts program, then export that to something KiCad can understand, and KiCad ties the electronics and circuitry stuff all together. This took probably over 200 hours to do; it's very laborious, and during the process a lot of mistakes were made. Not all of them were necessarily caught. I did things like mirroring footprints and shorting some of the LEDs to ground, so thank you Joe for catching those mistakes. And also I think the red... no, the blue and the green LED pins were mislabeled, so I had to fix that in firmware, which is pretty common for hardware mistakes to be fixed in firmware; if you've ever dealt with CPU development, they fix those.

So big thanks to OSH Park; they sponsored the circuit board as well as the assembly of the boards this year. It's the first time OSH Park has done board assembly; normally they just do PCBs and we have to source the manufacturing to some other company. By them doing this it really helped us out financially, so big thanks to OSH Park. So Josh, Josh Clark also... like, we were there too; they used us as a test vehicle because they started a new like fab option. So they just announced it Thursday, and we were the beta test for them to go and figure out how they're gonna work with this fabrication partner. So we were lucky to benefit from that and OSH Park's generosity yet again; they've donated thousands and thousands and thousands of dollars of PCB expenses over the past several years, so thank them. Yes, and they're not here today because they are currently with the vendor they're working with to finalize more plans. So, great.

So I'd like to thank Joe Grand for kind of starting this whole entire badge life stuff. So back in 2006 is when the first DEF CON electronic badge was made, and so that kind of got the ball rolling for all this craziness. I'd like to thank Joe for helping with the layout and review and getting the micronucleus bootloader for the board, r00tkillah for helping with micronucleus and other programming, myself for doing the largest amount of the board work. We had a bunch of volunteers Wednesday night hammering out the PCBs. Basically we had one panel about yay big that had two badges on it, and we have 500 electronic badges, so that was a manual process of taking hammers and chisels to pound out the badges. So that was quite some work there, and everyone that did the programming and stuffing the badges into the bags.

So now we're gonna transition into... so none of you, now after this, you're not gonna need to read the website to know what's going on, because we're gonna tell you. The former badge maker... and like obviously his hair is still on fire and he's still like shell-shocked from the experience the last week, where he did a phenomenal job. Just don't let him know that. Once he utterly just kind of drops like a favorite, fails, we won't make him do it again. You keep succeeding, you keep getting the job back. That's right. Speaking of which, if you notice your badge is kind of blinking but not blinking all the way, I'm using USB power... but take the battery out. Yes.

All right, so we have a quiz show. We've done this, I think, before. You click here... you actually have to go to the website. Yes, when I write it here that you have to go to the BSides website, which it is there, and this is great. The question was awesome. It's run by Steve, and he's a huge gamer, dungeon master in D&D, and he's really good at coming up with contests and quiz criteria. So definitely go sit in on this. There's gonna be people up on stage; it's like a tamer version of like Hacker Jeopardy at DEF CON, 'cause obviously we're in the convention center and, people, yeah, I can't say any more than that. And hopefully people aren't as... you don't have to be sober, but it's also not DEF CON.

We also have for the first year this year an OSINT CTF for missing persons. So we were approached by Trace Labs this year to run this event. They've had tremendous success with it at other conferences. It's essentially a competition that's gonna take place tomorrow from 10:00 a.m. to 4:00 p.m. in the event room, and it's open source intelligence to find actual missing people, utilizing like FBI databases and stuff, and everything is basically using legal means to search the internet for missing people. And there's flags and stuff that you can capture, and they're gonna walk you through like what databases to search for, awesome like Google dorks to look for people, and it should be a really good time. And we're super excited to have them here for it. They're a start-up out of Toronto, I believe, so they traveled all the way here just to run this event for us, so super stoked.

We also have for the first year this year, you might have seen it in the event room already, there's a big bin for a backpack drive for foster youth. So every conference that people tend to go to, including this one, people tend to like give out backpacks and things of that nature that nobody actually really wants, and they get thrown in the trash. I'm sure a lot of you have a lot of backpacks in your closet from various conferences that you're never going to use. Bring those in and let's get them donated and have them go towards a good cause. So the bins are gonna be in the event room all weekend. We're gonna ensure that they get to the right people, and yeah, bring in your backpacks. Bring in your shitty Black Hat backpack that you never wanted in the first place, and it's gonna go to some kid, and they're gonna think "what's that?", and you're gonna make the next hacker out there. That's right, they're gonna Google what Black Hat is, me like, oh this is amazing.

We also have Karmageddon this year. This is actually a really popular event in recent years; it's caused a lot of awesome ruckus, and people have gotten perma-banned from Reddit. So sign up for Karmageddon and try to harvest all that karma, and you know, if you get banned from Reddit you probably get a pretty cool prize. We also have lightning talks this year. So we unfortunately had some last-minute cancellations, and while Joe and I were thinking of how we handle that, it's like, why don't we just do lightning talks? We haven't done it before; we're gonna try it out this year. So we have about 10 to 12 slots for it. We're gonna do five-minute cut-offs for talks. I'm going to be emceeing that, so come track me down during the conference, during the BSides PDX 101 panel (this is where I'll be), or in the event room, because I'll primarily be over there as one of the CTF organizers. Come find me and sign up. So far I've got two people on the list, so if you're interested come find me. Going kind of in tune to Jessica Payne's keynote and the opportunity and sponsorship aspect of getting people out there and making people known, this is a really good opportunity to get on stage and just talk about whatever you want for five minutes. It doesn't need to be security; it can be policy, it can be a cool project that you're working on, or anything. Just get up on stage to talk for five minutes, and you know, get your ideas out there. You can find me, you can do this.

So now transitioning, and this is something that, you know, you can boo me offstage, because I'm actually... this is more slides than probably needed, but I've been running the BSides Portland CTF for the last three years now, and let's talk about it. So if you're not familiar with CTF, it's always important to go over terms, so

capture-the-flag is a computer security competition. It's basically you hack on vulnerable binaries, web challenges, software forensics puzzles and things of that nature to find flags, and those flags you concatenate to a leaderboard, and that earns you points, and you can see your rank and compete against peers. And this is like sort of like hacker Olympics, so to speak. A lot of CTFs are actually pretty intimidating and a little bit overly challenging, especially for events such as BSides, where we try to keep all of the challenges somewhat introductory at the beginning, and as you progress through the levels they get harder, much like a Jeopardy board would. So we very intentionally try to make it so that if you've never played CTF before, if you've never hacked a web challenge or you've never done a buffer overflow on a binary, come play in the CTF room. We'll get you started, we'll tell you the tools and we'll show you the tips and tricks to succeed, and you can cat your first flag if you've never done anything. So definitely come find us and definitely come play.

This year we did 12 challenges across four domains. So last year we did a four-by-four board, and we realized that the challenges, while they kind of fit that nature of introductory, there's some that scale up in difficulty; a lot of them were... it was just too much for a two-day conference of this nature. So we kind of scaled it back a little bit and really reevaluated what we wanted to do and how we wanted to position the CTF. And one really excellent piece of feedback that we got was everything was way too offensive focused: there's no defensive challenges, there's no forensics, and there's nothing that you can just utilize like Google for, really. Now, other than like getting walkthroughs and stuff, there was nothing directly like "I can Google to get a flag". So we kind of took a step back and we're like, okay, we definitely need to do web and binary exploitation, it's a CTF, those need to be there. But then we were thinking, well, let's do a forensics challenge. There's a lot of people that do blue teaming, there's a lot of people that sit in SOCs that are doing correlation rules and logging, so let's have some forensics challenges for those people so they can also get involved with the CTF and cat some points. And then when the OSINT CTF got accepted, it's like, that sounds really cool, that's all about open source intelligence for missing people; we should also probably do an OSINT category for the CTF that's a little bit more gamified and a little bit silly. So if you go on the OSINT challenges you'll actually see some pretty interesting stuff. I will say no more; you should check it out.

I'd be amiss not to take Jessica's advice to give a sponsorship an opportunity. So this year we had Mozilla once again sponsor our CTF infrastructure, and Daniel did a tremendous job with it, and he's gonna run up on stage to talk about it really quick. This is when you come up on stage and he's gonna talk about it a little bit. He was in Germany working on the infrastructure for us, like the last two weeks, and he's like on vacation in Germany and we're messaging, it's like, yeah, this is a lot more, you sure you want to do it? You're on vacation. He's like, no, this is awesome, I'm doing it. So he's gonna talk about doing it. Thanks.

Hey everybody. Yeah, so I'm Daniel, I'm working at Mozilla, and I just put a few bullet points here with some of the stuff that we set up. So we've got a Kubernetes cluster running in AWS utilizing the EKS service, which is great, a couple simple things like using Calico for basically restricted network access, kube2iam to kind of bind pods to certain roles in the account, an RBAC-enabled cluster, which is pretty normal. So yeah, a couple things there to try to lock stuff down. But the main thing is that we want to really encourage everybody that participates in the CTF to see if they can break the cluster, break into it, maybe compromise the account, tell me what I did wrong. So that would be fantastic. And a note that I didn't put on here was regarding Mozilla's bug... right, yeah, bug bounty program. So if anybody wants to, or if anybody does, you know, attempt to break into the cluster like that, we'd love to hear submissions through Mozilla's bug bounty program. If you have any questions feel free to come talk to me. So, oh yeah, so I actually don't know the... yeah, maybe you should make a comment here, but we have a number... I assume that we'll be doing paid bounties for different levels of compromise in the cluster or the account, but I actually don't know the severity levels that we'll throw there. Yeah, yeah, yeah, not t-shirts. Well, maybe an extra t-shirt. Please do the challenges and then hack the cluster, because once you hack a challenge you're on the cluster. Exactly, yeah, yeah, you've got access to that container, that pod, and yeah, see where you can get. [Applause]

So there's also a big thanks that needs to get out to the dream team that I had behind me this year writing the challenges and taking commands as to assigning people challenge categories. So big shout-out to FD Carl; he wrote all of the web challenges for us this year. Huge shout out to a Galaga, yeah, how is your handle pronounced? "Hey Gallic" is good. He did the binary exploitation challenges; they're freaking awesome. We have Dade that did all of the OSINT challenges for us, and then we have, I also don't know how to say this handle, Ariane, Aaron, he's in the CTF room hacking on Go, find him. And then of course huge thanks to the Mozilla guys for sponsoring us yet again with the infrastructure.

If you've been to BSides or you saw my talk last year or played CTF last year, you've heard that I'm a huge proponent for open sourcing CTF, both the infrastructure and the challenges. This is something that doesn't happen within the CTF community. After the events are done, typically you'll get all of the binaries and people will do write-ups, but there's never any "how is this done, how is it orchestrated". So we publish all of our CTF: all of the solutions that we've come up with, all of the challenges and all of the infrastructure deployments. So if you might not have the chance to play this weekend because you're doing the hallway track or seeing talks, go to the link. Everything is docker compose, so you can run it locally on your Linux box or whatever your OS of choice is that works with Docker, and you can go and play. So definitely do that. Open source in CTF is important; if you know people are writing CTF stuff that aren't open sourcing it, yell at them and tell them they need to open source stuff, because it's awesome. And of course come to closing ceremonies; there's prizes. And with the dream team comment, if you want to be involved next year, either with planning, challenge writing, helping out, doing the infrastructure stuff, tweet me, come talk to me. I would love to have more people writing stuff for us so I have to do even less work next year. Come play BSides PDX CTF dot party. Yeah, question?

Fix it, fix it, fix it, fix it, fix it, fix it, fix it. So I think we're almost running out of time, so I'm gonna blast through the rest of this. We also have a lot of evening activities lined up for the event. So tonight at Pascal they're hosting the BSides PDX after-party; doors open at 7:00. There'll be beer, non-alcoholic refreshments, appetizers, food. There's a couple of really rad events that they're hosting, so they're gonna have a social engineering costume theme. You don't need to dress up if you don't want to, but it's cool; wear a construction outfit, hardhat and a nametag. There's also a wireless CTF that they're doing that's gonna be really fun, so definitely participate in that. There's also, Saturday night at Control H, we're doing another happy hour party, doors open again at 7:00 after closing ceremonies. Come talk to a bunch of hackers, drink some beers or don't, and just hang out and chat with people. So that's the end of file and now chatter can begin. Also, if you notice, the lanyards are different colors: so green lanyards is speaker, black is attendee, red is a special volunteer and orange is a volunteer. So if you have questions look for the different colors. We did

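The three measures Daniel lists for the Mozilla-sponsored CTF cluster (Calico for restricted network access, kube2iam to bind pods to roles, an RBAC-enabled cluster) written out as Kubernetes manifests, added here as an illustration; this is not configuration from the talk or from the BSidesPDX CTF repository. The namespace `ctf-challenges`, the `app=web-chal` label, the `ctf-challenge-role` IAM role and the `name=<namespace>` labels on namespaces are assumptions.

```yaml
# Added illustration of the hardening Daniel lists, not the BSidesPDX CTF
# repo's manifests. Assumed: ns "ctf-challenges", label app=web-chal, role "ctf-challenge-role".
---
# 1. Calico enforces standard Kubernetes NetworkPolicy. Default-deny in the
#    challenge namespace: popping a challenge pod gives a shell, not a lateral
#    path to other challenges, the node network or the EKS metadata endpoint.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: ctf-challenges
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# 2. Re-allow only what a web challenge needs: inbound from the ingress
#    controller, outbound DNS to kube-system. Nothing else.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-challenge-allow
  namespace: ctf-challenges
spec:
  podSelector:
    matchLabels:
      app: web-chal
  policyTypes: ["Ingress", "Egress"]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: ingress-nginx
      ports:
        - {port: 8080, protocol: TCP}
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              name: kube-system
      ports:
        - {port: 53, protocol: UDP}
        - {port: 53, protocol: TCP}
---
# 3. kube2iam: a pod gets only the role its annotation names, and with
#    --namespace-restrictions only a role on the namespace allow-list. Give
#    challenges a role with no permissions, so a compromised pod cannot turn
#    the node's instance profile against the AWS account.
apiVersion: v1
kind: Namespace
metadata:
  name: ctf-challenges
  annotations:
    iam.amazonaws.com/allowed-roles: '["ctf-challenge-role"]'
---
apiVersion: v1
kind: Pod
metadata:
  name: web-chal
  namespace: ctf-challenges
  labels: {app: web-chal}
  annotations:
    iam.amazonaws.com/role: ctf-challenge-role
spec:
  # RBAC companion: no service-account token in the pod, so a shell inside
  # it has nothing to present to the API server.
  automountServiceAccountToken: false
  containers:
    - name: chal
      image: ctf/web-chal:latest   # placeholder image name
```

Apply with `kubectl apply -f` against a cluster whose CNI enforces NetworkPolicy and whose kube2iam runs with namespace restrictions; without those two, the policies and the allow-list annotation are silently ignored.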