
So this talk is for those of you who are here at a security conference for the first time or if this is not your first security conference just hang out and enjoy the ride and help the people who it is their first time. So uh for those of you who are attending for the first time uh these kinds of conferences can be pretty disorienting. There's a lot going on. There's not necessarily a lot of direction. uh if you're just walking around and you might not know exactly how to uh you know go participate and and what you're supposed to do. Uh so but first things first uh how many people this is their first security
conference. Well, first things first, welcome. We're very excited to have you. Uh this is a really great community. Uh it's it's coming to security conferences is one of my favorite things to do. There's so much interactive content. The people here are very passionate about what we're doing and we're really excited to just interact with you as well and it's a great way to learn. It's a great way to get involved and and it's just an all-around good time. So, uh so who am I? My name is Bryson Lof Miller. Uh I started my career at Adobe, was there for a few years as a security analyst and engineer. Uh then I moved over to a company called Podium and
helped to start their security team. Uh managed that for a few years and then now I am the principal security architect at a company called Entrada in Lehi. So uh in addition I've been involved with BSides for several years. I've helped uh run CFP and and on the organizing committee for for a few years. So I'm pretty familiar with BSides itself. Uh okay. So what is in a con? What is it that you're actually going to be looking for here? So usually you've got talks like the one you're attending. Well done. You have attended content. Uh we've got trainings and workshops. Uh there are communities all over the place where there's focused communities on various things like CTFs, the the keep,
soldering, circuit assembly, all sorts of fun stuff. Uh and then generally one of the most important things that I feel like gets overlooked is just the people at this conference. There are so many industry experts here as well as new folks uh who are here for the first time and just wanting to break into security and both of those groups are great uh community to make. So uh okay so if you haven't already noticed this uh besides slc.org is going to be your best friend for the con. Uh it has the event schedule portal and has all of the events going on as well as the maps for the venue in terms of where to go. Uh so
this is the main the main hall. There's another building if you haven't been there already. You go out these doors and just to the left there's another uh conference hall over there as well as the CTF community. Uh if you head back outside and up the stairs, we have additional communities on the second floor. So be sure to check out those those maps as well as the event schedule because it tells you exactly where everything is. Uh if you haven't already, would highly recommend joining us on Discord. So, this is not a malicious QR code. This is the uh link to join the Discord. Uh we've got a whole bunch of different discussions in the various communities in Discord. You
can hop in and chat with folks working on the CTF, folks working on the on on circuitry, people who are working on the badge, uh any general questions. So, highly recommend hopping into the Discord and poking around there. Uh okay. So we're going to just kind of talk through some of these different t uh kinds of content at a conference and some some general thoughts on what you should do. Uh now given that it is already the day of it's a little uh tough here but you know uh a wise person once said uh if you wait until the last minute it only takes a minute to do. Uh, and so one of the things that you can do
here is, uh, I I would recommend looking at the full schedule, plan around your interests, and add each of the individual talks and content that you want to go check out to your personal calendar so that it's just already there. Uh, once you're at once you're at a conference or once you're at a talk, uh, definitely take notes while you're there. Have a notes app. Uh, any interesting technologies. I really like writing down like somebody talks about a cool open source tool on GitHub, I want to go and check it out later. I'm going to go write down that technology. Any particular uh applicable insights that you find, I would highly recommend writing those down and going and
exploring them later. Uh all of this content will be back on YouTube uh later on on the BSides SLC channel on YouTube and so you don't have to worry about getting every single bit of content that's that's being discussed, but just those key highlights. Make sure you're taking notes on those. Would recommend uh trainings and workshops. Uh they mostly happened yesterday. So you might need a time machine to attend the BSides uh trainings and workshops or just come next year. Uh but we do have uh the Ace Your AppSec Interview with Florian uh Florian Noting. I don't know actually how to pronounce his last name. I apologize. Florian uh who's the principal security architect over at
Adobe. Um, and he's if you're looking to break into security and get a job, uh, then this is an excellent opportunity to go and review your resume, how to actually conduct that interview, uh, and and yeah, he'd be a great one to go chat with. So, good training on that side. But for as far as next year, this is typically how we do things at BSides is there's a day of trainings and workshops and then a day of of largely talks. So if you're coming back next year, make sure to attend the the training day. Uh okay, communities. So communities are one of my favorite personal parts about uh about general security conferences. Uh one of the one of my favorites is the
CTF uh the capture the flag events. So this is again in the other building up the stairs and this uh I got to get my directions. south east corner of the building is where the CTF community is happening. So a CTF uh within security is usually a series of puzzles uh associated with security and you're trying to find a flag value of some sort. So usually they look something like this. It's marked with a flag and brackets and then you submit those flags for points and you compete uh against the other people playing the CTF. So usually you have cryptography and steganography challenges. We've got some application security challenges where you actually get to go in and try and break into an
application and extract a flag. Uh we have OSINT challenges, reverse engineering, trivia, all sorts of different types of things. So CTFs are are a fantastic way to go get hands-on with uh practical exercises uh as well as to just unravel some puzzles, learn some new things, meet some cool people. Uh would highly recommend checking out the CTF if you've never done a CTF before and we've got a great one this year uh with a lot of great content. Um some tips on how to solve a CTF if you've never been to one. Uh Google is your best friend. Make sure that you are checking on Google. Uh looking uh you know googling all the little pieces
within the actual uh description or hint. There's there's a lot of different potential ways that that can help. So, make sure that you're using Google while trying to solve a a CTF challenge. Uh, read the description, read it again, read it again. Usually, the description of the challenge is going to have some hints that will help you and point you in the right direction of how to actually solve the challenge. Uh, and then work with others. Uh, CTFs, a lot of the times there's teams, but also lots of people are willing to help help out with with understanding how the challenges work. We're all kind of here to learn, right? So, uh, and then take
notes on your challenge as you're working through it. Make sure you step away if you've been, you know, doom scrolling, so to speak, on a specific challenge for too long and you have to like you got to step away and come back to it. So, uh, CTFs are great. Okay. So, we're going to do a little a little basic CTF challenge together right now. So, this is a basic cipher and I'm going to give you each I don't know 5 minutes or however long it takes to solve this cipher. So, have at it. I'm going to drink some
more. First person who solves it or even knows what it is, yell out what you think it is. Okay. All right. Caesar Cipher, I heard. Very good. So yes, this is indeed a Caesar cipher. So with that information, have at it and I'll start to kind of describe what a Caesar cipher is. So Caesar cipher is an old Roman uh cipher, you know, uh cryptography, ancient cryptography, where you would take the letters of an alphabet of the alphabet and you basically rotate them by a certain number of letters or a certain number of Yeah. a certain number of of twists, per se. Uh, so Z might map to S, A might map to T, B might map to
U, etc. Uh, and I think we've got an answer here. So, you want to yell that out? Roman crypto is full of holes. Uh, and that's exactly right. So, this is a ROT13. Often times when we talk about Caesar ciphers, ROT13, just right in the middle of the alphabet, is a very common one. Flip it halfway around. Uh, and there it is. So we take every single one of those letters rotate oh sorry rotate the whole alphabet 13 uh 13 I don't know notches uh then that's what we get Roman crypto is full of holes. So this is a very common type of of CTF challenge that you might see and then it might look something like this
with the flag and you go submit that in the portal and you you know get some points. So ctf.bsideslc.org is where you can go to sign up for the the CTF itself and the CTF community is the in the other building. So, highly recommend going and checking that out. Um, we have another community called the keep. So, Nightb Blood Zach Lure has has put this one together and um it's very cool. Uh, especially if you are brand new to security. Essentially what what Nightb Blood has built here is a game a video game that teaches you how to how to hack effectively. So uh so you log in, they've built this entire gaming system,
you know, where where you walk around and and enter dungeons and fight bosses, but the actual boss fights themselves are exploits that you're running. So you open up a Kali Linux VM and you run a handful of exploits against a vulnerable system and that is how you actually defeat the boss. Uh it's very very fun. Uh you've got people there all around helping uh everyone who's there to actually run an exploit if you've never done that before. How do you open Kali? How do you run something like Metasploit? How do you actually uh run Nmap? All these different things. Usually if you're struggling, someone for five minutes, somebody will come over and help you out. And it's just a
very fun gamified way to to learn a handful of these uh security principles and and hack your first system uh in video game form. So would highly recommend checking out the keep. That one is in uh let's see the back of this building upstairs and to the right. So to the south. So um would highly recommend checking that one out in 224 and 220. Uh we got the circuit assembly community. So uh if you've never soldered anything before or if you're interested in playing around with the badge that you got uh again that is upstairs and let's see I believe yeah to the to the left. So uh circuit assembly community if you've never done any
soldering and you want to learn how to do some basic soldering, put your mini badges together, uh learn about circuitry, great community to go check out as well. Uh okay. And then finally, again, one of the most important things about a security conference is the community, the people that are here. And now I know because I am one of these that the majority of us are probably introverts, right? And this is largely how I feel when coming to a large group of of people is wanting to avoid as much as possible, right? The old the old Ron Swanson flip around in the chair. Uh avoid as much as you can. Uh, so while while it might be tempting to
go stand in the corner and scroll Reddit, I would highly recommend running around and talking to all of the different people at this community cuz there's so much you can learn from the industry professionals who are here, from the people who are just getting into the the community itself, uh, from the from the organizers, from the speakers at at the talks. I would highly recommend going and finding the speakers after the fact and talking to them about their presentation. They would love that and you will get to meet someone in the industry and learn a whole bunch. Uh if you have questions, no question is a dumb question. Even if you're brand new to the industry, we're all very excited
that new people are getting into security. So come chat chat with people in the hallways. Chat with everyone you can. This is one of the most important opportunities at a conference like this. So, be sure to chat with people even if even if this is the, you know, initial gut reaction. Uh, okay. Quick quick snippet. Code of conduct. Uh, this is on the the BSides website. Essentially, just don't don't be stupid, don't be mean, don't be a a jerk, you know, like just be nice is effectively the the code of conduct. Uh, just don't harass people. the these things should be fairly common sense. Um, but just be nice. We're we're all we're all having a good time. There's no
reason to harass anyone uh or any of those things. But yeah, worth worth a review. Uh, but effectively the the sentiment is just be excellent to each other. Uh, a few more basic tips. Don't get overwhelmed. There's a lot of content. You're not going to be able to see all of it. That's just how it is. Don't stress about not being able to get to every single talk or training or community that you want. Just go around and and hit a few and and make the most of it. Uh don't forget about the hallway track, as they call it, which is effectively what I said before. Spend time chatting with folks in the hallways, meet new people, have
conversations, join the community, and drink water. And energy drinks do not count as water. So, make sure to stay hydrated. Uh yes. Um and then last thing, quick shout out for SAINTCON. Uh this is in October. It's a it's a much larger conference than this multi-day. Uh and a lot of the same folks who are here put this on as well. And great, fantastic conference with a lot more content, a lot more communities, uh lot more events, uh tons of great hands-on opportunities. So if you come to BSides today and you have a good time, absolutely I would highly recommend going and checking out SAINTCON. You would you would have a great time there. So
cannot but um and I think that's it. Last of all, just have fun, have a good time. This is this is a great community. This is a great time. So uh feel free to come chat with me. Uh I've got another talk in a few minutes here, but uh anyone else who uh yeah, chat with anyone else around you if you don't if you're a first-timer. So anyway, welcome welcome to BSides.
[Applause]