
all right good morning this is the seventh annual b-sides knoxville and our our second time virtual yeah we never thought we'd be doing any virtual much less a uh a second in a row but here we are uh let me know in the uh in the chat if you can hear me just make sure i've clicked all the right buttons here GoToWebinar isn't my my normal jam so all right great all right so literally nothing's changed um these slides are mostly the same from last year we figured you know it worked so so why change it um in fact you know i'll be honest it was really tough to get uh things going this year it was really
tough to get motivated to do another virtual conference you know we felt like um there's already been a year of virtual conferences so what what do we have left to say and then we we put out the cfp and we got some uh amazing responses back and um yeah clearly it was it was worth putting on another virtual conference so so here we are uh lots of people signed up i think uh i think we're just shy of 300 yeah i haven't checked this morning so so we might have broken that 300 mark of registrations a few differences this year we're not going to be live streaming to uh to youtube this year yeah that was
just one of those things that fell by the wayside because uh you know he'd jump on the planning call we'd say you know okay you know here's the energy we need to put on this conference and and we had about this much energy like we were right there we're like okay you know we're we're probably not going to do any extra stuff it was fun learning how to do that uh last year you know i i set things up to rebroadcast the stream to uh to youtube and it got a little it got a little iffy uh at times because i had to learn how to mute mics you know i was logged into two
sessions at the same time and we had two talks that didn't want their talks recorded so i i had to uh i had to run around and kill the live stream and then re remember to restart the live stream after that track so at a normal b-sides knoxville uh we'd be i'd be picking up fifteen dozen donuts this morning and uh and that's what uh that's what the aftermath of fifteen dozen donuts looked like when we feed everybody donuts for breakfast let's see it would help if i shared that screen nope yeah that's what 15 dozen donuts looks like and um yes thank you adam feeling the love from the from the people connected here um
yeah so you can you can see me you can hear me um only seeing a blank screen screen of monitor two ah monitor three sorry too many monitors how about that you seen donuts now donuts yeah um and it's interesting because we actually we've been around long enough to see donut companies come and go we used to get donuts from a company called makers donuts and made amazing donuts they'd make these uh these key lime donuts that had like a little corner of lime uh in the center of the donut uh amazing stuff uh this year we had to go with duck donuts because makers uh disappeared on us but um knoxville happens to be
a great city for um for b-sides especially when it's not raining when we've got a sunny day for it but we we've had a lot of good days for it and we usually do electronic badges on the left-hand side here that's jed he he designs all the electronic badges works at cisco and his job is basically like he's full-time makes pen test hardware for for pen testers for internal cisco pen testers so he's got one of the coolest jobs ever and we usually do these physical posters you know these uh screen printed made to look like a band poster those are great you can actually see some of those behind me here from over the years we've got uh one for
every physical conference we've done so there's there's five of those behind me and um and yeah we'd love to get back to that actually on uh we do have a merch shop if you go to um help me out here is it 10 sec or 10sec.org let me check real quick that's 10sec.org and there's a merch link i'll drop it in the chat here and you can actually get reprints of some of those posters if you want them so uh big thanks to um to james for setting up that merch store and and getting those uh prints on there and he he even tested some out ordered some and uh we've got the little uh
b-sides knoxville tape stickers there as well uh big fan of those but yeah we're gonna get back to this so next year we actually have a new venue picked out uh we'll show some pictures at the i think at the end of the slide deck at the end of the day i've got some pictures but it's called uh relics variety and they mostly use it for weddings but it's it's an excellent venue we don't really have any sponsors this year so we figured we'd just show our previous sponsors some love uh it doesn't cost a ton to put this on basically we have to pay for GoToWebinar and we've got to pay for
sched and and that's about it um you know it's not our typical uh twenty thirty thousand dollar budget you know where we were feeding 300 people 350 people breakfast and lunch um you know and having to rent out the venue and order lanyards and uh electronic badges and have them soldered and all that so about a million things i don't have to worry about uh and the rest of us don't have to worry about with a virtual conference but we are very much looking forward to getting back to the physical so if you're not in discord um that's lobby con that's our hallway con so already people hanging out there chatting there and most of the organizers are are going
to be in there as well uh we'll have some speakers in there we've got a green room if you're a speaker and you have any questions or if you're an attendee and you have any questions that's the place to go we do have two tracks this is track one um track two is behind me i'll get that uh we'll get that started uh and we're gonna have a moderator for each track you know we'll introduce the next speaker uh what track is coming on uh we're not gonna read out their bio so speakers if you want your bio read i hope you have a bio slide uh i i just think it's it's uh uh
a bit much to read out a whole bio um social media we usually go with bsk and then the four digit year makes it easy to find tweets about us uh very little chance anybody else is going to be using that same hashtag so that's the hashtag to use make it easy for people to find stuff related to this particular b-sides knoxville we do have a ctf going on today hosted by secure code warrior and i'm looking for dan here usually last year dan did uh what's that i'm on here but you're on here yeah yeah oh i'm looking under attendees i'm not i did i've neglected to look at staff there you are so
this is where i hand it off to you dan great the only thing i was trying to figure out was to share my screen i guess you give me that ability i can give you that ability there we go you took it you got it i got it no worries uh let me make sure all right let's see this year it's been a while since i've used that GoToWebinar same it's been a year exactly uh let me see if i can uh show my webcam here here we go so there we go can you see me yep well you can see all right uh let's see i'm gonna find this there we go
all right can you see my um presentation yep got it great um yeah i'm gonna try to keep this short and sweet uh since we've got ten minutes uh for the kickoff at nine so um my name is dan lewin i'm the enterprise account executive for secure code warrior and um and thank you so much for inviting us we uh it's great to be a sponsor for b-sides knoxville again and again we are putting on the ctf or the secure coding tournament for those who haven't heard a part of us we provide a secure code uh training platform for developers and really what our mission is is to inspire developers to really embrace preventive secure coding
of approach that enables every team to both build and ship quality software with confidence and what we developed was a cloud-based solution built by developers for developers and what this ultimately does it basically improves security during the software development process and it helps organizations to achieve faster more secure product development it's going to bring security to the developers so they're going to become more security minded or more secure be conscious and one of our biggest goals in the organization is really kind of change or create a more positive security culture to the development community we have really changed the paradigm from a more traditional approach to more hands-on so you think of the traditional training
of cbts classroom instruction where we're more hands-on more like micro uh training where you can spend five to ten minutes and we find with that the retention rates are pretty high when it comes to learning about how to address security vulnerabilities uh within your particular language or framework which is something that people can retain over time and can apply to their everyday work uh we have an all-in-one skills platform that consists of tournaments courses training assessments everybody that gets access to our platform today you're going to have access until i believe it's like may 12th so you have another week or two to practice uh but in the tournament it's or in the platform itself
today uh you will get access at nine o'clock to the tournament this is really the ctf this is how we're doing a you know a culture shift in awareness um you know really exciting developers and security people um to have an open competition um to score as many points as possible you can also have access to our training this is self-paced so you go in and select the language or framework and this will you know help build and maintain your skills and it helps improve your your your scores in the tournaments so feel free uh to do that if you have some time today even after the tournament feel free to go into our training
um i'll just do a quick um uh demonstration real quick i'm just looking at my time here three so uh just give me one second uh when you register and get into our platform uh you're going to come to our home page here and where you're going to access the tournament you're going to see down here in the in the bottom far right you'll see the b-sides knoxville you're going to click on that and this will take you to the tournament page so once you're ready to join you can hit join now you can join any time uh during the tournament the tournament runs from nine o'clock eastern to 4 30 today so um feel free to go in when you have some
time you don't have to do it you don't have to complete the tournament on one sitting you can come in and go and then whenever it takes somewhere maybe about an hour to two hours max if you want to maximize all the points in the tournament um feel free to go into our training here um we have a training tab here um you can um select the language or framework you're you're currently working on um we have over 50 different languages for the tournament i think we have about 20 or so but you're going to go in and you can practice here and which what you find in the training is going to be very similar to what you find in the
tournament and uh it's going to basically oh i'm going to just get rid of this uh you'll have a quick introduction first time you load in here oops let me get this let me just buy this real quick just gives you a quick run through if you're brand new i'm just using as a user logging in here so we're going to go into a mission and typically uh when you go through these um these challenges here again it's going to give you a little bit of a run through so you'll just give an idea of how to use the screen as you progress through the tournament i'm just going to click through this real quick
um but there's three things you're going to be doing you're going to be locating identifying and fixing vulnerabilities and in in this case right here we're going to be actually locating a vulnerability um the vulnerability category is going to be an injection flaw particular vulnerability is remote file inclusion and so when you go in here um you know take your time uh try to find the vulnerability what my recommendation here is use the hinting tab here it's just going to help you learn learn about the vulnerability how to go about solving it um the first the first hint is free it doesn't cost you any points for the locate and identify when you're fixing a vulnerability it will cost you some
points but the first vulnerability hint is free for when you locate and identify vulnerabilities but typically what we have is a little bit um some information about the vulnerability we have a little small video here about it um take your time watch it learn about it and then go about in trying to solve this particular um vulnerability so this is kind of the process of how it's going to work you're going to go through either locating identify a vulnerability you're going to select on the right answer you think is right and you would hit next to move forward to see if you get it right or wrong again you want to maximize as many points
since we're kind of running out of time i would show you more in the demo uh but i'd like to go back to the the presentation real quick just so you can get a little bit more tournament details so just bear with me um okay so in our platform we have 50 or more languages for this particular tournament i think we've got a little bit over 20 languages frameworks that you can choose from there's around 40 challenges so it will take somewhere somewhere between one hour to two hours to complete all the challenges again you don't have to do it all in one sitting i do ask if you do go and select a tournament
language that you only be able to select one so that will be the only language that so choose wisely um there's three types of challenges that you're going to be working with you're going to be identifying a particular vulnerability within a block of code you're going to be locating a named vulnerability within a block of code and then finally you're going to be fixing a vulnerable piece of code how scoring works for easy challenges you're gonna get about 100 points medium is about 200 points and hard you're going to get 300 points you're going to have different missions requests one through seven or eight you can start wherever but my recommendation to start at the very
beginning kind of work your way up to the more difficult questions so you get familiar with it there is some lives lost so you have a maximum attempts per challenge so there's up to three challenges and of course if you get the first one right uh the first time you get 100 of the challenge or all the points and then if you get on the second attempt at 60 correct and 30 that's how our scoring system works um we do have hints there is a cost of using hints but like i said for the the vulnerability of the locate vulnerability stages in the identify vulnerability stages the first vulnerability hint is free so i recommend using that
but then you start to see that we do start to take points off for using additional hints and then finally the pick solution stage which is more of the uh you know fixing the the particular vulnerability um there is no free hints you will be um deducted points for using hints throughout you will have until 4 30 p.m today to complete and then we will announce winners and prizes i will update the scores in uh any announcements on the discord in the secure code warrior panel but if you have any questions feel free to um you know message me i'm happy to help you out we will have prizes we're giving away a hoodie t-shirts and hats for the winners
and again this is in art in the discord so you can go here and set up and register complete setup information to log in and again i wish everybody the best and good luck and again if you have any questions feel free to message me in the discord back to you