13 Nov

Kiwicon is awesomesauce

Kiwicon 7 came and went in a flash and consumed the entire last weekend. And like the previous three years that I’ve been at the con, it’s been a weekend to remember. The first year I went out of curiosity because lots of people in the office were talking about it, and I saw great posters on the walls. So I thought to check it out. I also went because you can not know enough to keep your digital information secure.

Kiwicon initiation

I remember sitting in a lecture theater at Rutherford House of Vic Uni and listening to talks and even understanding some. The demos intrigued me and I could space out a bit when it got too technical. Since it was fun to learn something new and be challenged in trying to understand as much as possible in a field very foreign to me, I was looking forward to 2011 and hoped that The Crüe would put on another Kiwicon. And they did.

Kiwicon reacquaintance

This time though, the interest was much bigger and a new venue needed to be organized. Enter: The Wellington Opera House. Attendance doubled if I remember correctly, and jumped to 600 plus speakers and The Crüe. What a success. The talks were great again and it was a fantastic mix of old theater charm and cutting edge infosec wisdom. I asked The Crüe if I could take pictures and wasn’t denied. I just needed to ask individual speakers. What a feat. But all of them were great and so I took some shots. I also helped out a bit doing odd jobs again and before the conference helped sort name tags and T-shirts. It was a great way to also get to know some people.

Kiwicon continues

Last year, Kiwicon 6, I volunteered again, helping more than in the previous year. The Crüe also mentioned in the conference brochure that some volunteers were taking photos. That made it easier to document the conference. The team had stepped it up again a notch and used the grand stage that we had at our disposal – again in the Opera House – to have a huge projection screen, and one presenter rode his motorcycle on stage. That caused a stir and quite the clapping. The Crüe started offering more options for the social program than during previous years. So besides Te Kuiti Warrior and chilling in a pub, Saturday was also movie night and some others went to a concert.

I also distinctly remember one speaker who was asked to fill in for another speaker before his speaking slot. Because his talk had been moved up by about half a day, he hadn’t had time to double check his live demo or go through his presentation one last time. He was a bit frazzled on stage, and Murphy’s Law kicked in. The “demo gods” were not in a good mood, and his live demo did not want to work.

That may have been bad at other conferences with the audience starting to chat or leaving frustrated and then talking badly about the presenter. Not so at Kiwicon. You had about 700 people in the audience and could have heard a pin drop. As far as I could tell, everyone was sitting on the edge of their seat trying to help the presenter out and make the demo work. Initially, everyone was quiet to give him space to think of the right commands to get the program to work. When that didn’t seem to do the trick, suggestions were shouted out that the presenter tried out. Unfortunately, nobody could get the program to run. Nevertheless, this incident showed me how supportive the community was and how everyone wanted the presenter to succeed and run through his demo so they could also learn how he did it.

This year, the same presenter spoke again, and it was a joy to watch him because he was all collected, and his demos worked flawlessly. He learned from last year that live demos may be cool, but that a recorded demo may take some of the stress away and that it was easier to talk through them. So he had recordings of some more involved demonstrations.

… and continues

And that concludes my little walk through 4 Kiwicons and brings us to 2013. Yet another Kiwicon, yet again as volunteer and photographer, and yet again as part of a fantastic team. This year the con had grown to approximately 800 people that showed up without a fault even after nights of partying: Party hard but also work hard. The Crüe topped previous cons yet again by having a live band as opening act, and of course not to forget the fabulous high roller name tags. Where in the world do you get custom hand-made name tags at a conference? Even regular attendees have a different name tag every year that is custom designed. That shows the love that The Crüe is putting into the organization and running of the con.

Kiwicon is not just a weekend, but it already starts on Friday with free classes and walk-in sessions where anyone can ask questions. And it goes until Sunday night when the beer specially brewed for Kiwicon needs to be tasted over and over again. 😉

But that’s of course not it. Kiwicon starts much earlier with the organization, designing of the merchandise and name tags, assembling the name tags, crafting of more complicated gimmicks, packing of the merch and then setting up the Opera House on the first day. The AV engineers started at 4 a.m. on Saturday this year and stayed until 10 p.m. when the movie finished. That is some serious dedication and deserves a standing ovation. And all finishes with the break down Sunday evening which is really fast with many helping hands followed by more or less serious discussions in the Malthouse.

Kiwicon for non infosec specialists

So why do I still attend Kiwicon? It’s not because I am seeking a job in infosec or want to start hacking. It’s because it’s one of the best conferences. I look forward to it every year because I know I’ll be learning heaps in an area that is still quite foreign to me. I also get a reality check and am confronted with how easy it can be to break a system and what consequences this can have. And it’s just plain fun a lot of times.

When you see 800 people almost all in uniform black coming out of the Opera House, you may be crossing the street if you don’t know what’s going on, but if you actually talk to some of the attendees, you soon realize that they are not threatening, members of a cult or practicing dark art (though some may be dabbling in that a bit at times). They are interested in exchanging opinions, discussing new practices and sharing experiences like at any other conference. At Kiwicon it’s just the difference that there is a lot of fun and sometimes heckling involved because many attendees have known each other for years and know how they can talk to each other. I am still more of an outsider and often don’t get all the jokes or references and must look quite puzzled. But then I can ask what something means or someone may offer to explain it to me.

Yes, the conference is still attended by a predominately male audience, but the organizers actively encourage women to attend and also present. This year an achievement was unlocked in that regard: There were two occasions when there was a queue to the ladies’ restroom. 🙂 Normally, I wouldn’t be rejoicing hearing that, but at a tech conference that is fantastic.

To discourage any sort of misbehavior or even harassment, The Crüe takes their number one rule seriously: Don’t be a dick. It’s not just an empty slogan, but people have been kicked out of Kiwicon when they misbehaved and it was made known to the organizers. While the con is not PG 13 or for the faint-hearted that detest metal, it is a con that you can enjoy even when you are not a member of that particular culture.

I’m already looking forward to the 8th edition of Kiwicon. Thanks to The Crüe, I have some reading material that introduces me more to the subject matter.

09 Nov

Kiwicon Pebble watchface

Kiwicon 7 is just a few hours away, and while charging my Pebble watch, I had the idea to create a Kiwicon Pebble watchface. Unfortunately, it was way too late to call Lisa or any of the organizers for the original file and proper permission. I hope they’ll be lenient. Thus, it’s a draft watchface for the time being and not openly shared.

The original artwork is by Lisa from pixellab. And as you can see on the Kiwicon site, the image looks much nicer with the splash of color. But nevertheless, I like my Kiwicon watchface.

It was created rather easily with the Watchface Generator.

Now the con can begin.

Draft Kiwicon 7 watchface


08 Nov

Kiwicon 7 prep

Kiwicon is upon us again for the 7th year in a row. I’ve been at this most awesome and fun conference already 3 times and am not going to miss this year’s edition. I’m looking forward to a weekend full of talks relating to info security in the Wellington Opera House. Over 750 people have signed up and the venue is completely sold out so that a number of people who were late registering were out of luck.

The weeks before the conference are busy for the organizers, The Crüe, but the week before Kiwicon takes the cake. Last minute preparations need to be made, name badges sorted, crafting finished, and of course the merch orders fulfilled. This year it took us just about 2 hours to get all 271 orders sorted. That may not sound like much, but it is a big effort to sort hoodies and T-shirts into “dudes” and “chicks” and then put them all into numbered bags so that it’s easier and quicker to hand them out during registration.

The system is being improved every year. This year, we had a pretty smooth work flow and check points built in to avoid order confusion:

  1. Sort all hoodies and T-shirts according to size and “dudes” and “chicks”.
  2. Count all hoodies and T-shirts and make sure we’ve got them all.
  3. One person writes the numbers on stickers (next year these will be printed).
  4. Teams of two take sheets with the orders and bag the respective hoodies and T-shirts. They seal the plastic bags with the stickers so that the numbers are easily seen but also so that the bags could be re-used since some people ordered more than one item.
  5. One person with the master list puts the bags into boxes in sequential order and ticks off the bags.
  6. When a box is full and the orders have been ticked off, the box gets a check mark and is placed aside. All boxes are lined up in rows in sequential order for a quick check that all orders are there.
  7. Rinse and repeat until done.

Getting ready for fulfilling the Kiwicon 7 merch orders

16 Dec

Kiwicon 6 retrospective

Kiwicon 6 descended on Wellington on November 17, 2012. Approximately 750 hackers, non-hackers, and wanna-be hackers congregated in Wellington’s Opera House until November 18, 2012.

Artwork by Lisa


28 presentations by Kiwicon veterans and newbies had the audience captivated. In the evening there was more entertainment planned than ever. And now who says that nerds can’t be social? Drinks flowed freely, games were on, clubbing was organized as well as a movie night. The Opera House ushers – if they hadn’t already been working at Kiwicon 5 – certainly had a different experience than with their usual opera crowds.

The Kiwicon Crüe outdid itself again this year (is there a word beyond superlative?) with awesome name tags and lanyards. This year we all had floppy disks: from 3 1/2″ ones for regular attendees to 5 1/4″ ones for speakers to huge 8″ ones for The Crüe. The high rollers received hard-to-get backup disks. These are definitely worth keeping and nothing like your regular conference-grade boring name tags.

High roller name tag and disk: a lot of bling


As usual, some presentations were way beyond my comprehension, others were easy to follow, then there were the ones where I just stared open mouthed, and the last but not least category was the ones of the awesome humor. Now, I don’t want to give a recount of each presentation because you had to be there to experience it, but I just want to highlight a few of them.

I got your number

Nick von Dadelszen is a regular Kiwicon speaker, and this year he continued frightening us with news from the Mobile NFC hacker world and gave a demonstration of his latest tool which he could also persuade a bunch of people to install (hackers trust each other, right?) and test during Kiwicon.

If you have an RFID chip – and you most likely will have one on a credit card, Snapper card, or your passport – you better get some RFID blocker so people with simple smartphones can’t read them. Nick presented his latest tool for Android with which you just need to put the phone onto the card with the RFID chip, and it reads all its information. It works like a charm and over 370 cards and Snappers and passports were scanned during the 2 days.

You could have heard a pin drop

Cartel, another Kiwicon regular, was asked to give his presentation early swapping with another presenter. That gave him about 5 minutes to polish his slides and go through his demos again. For some reason, the demo gods weren’t in a good mood and almost all of his demonstrations failed. While he was trying to troubleshoot his commands to run the demos, you could have heard a pin drop in the audience because nobody moved (except to the front of their seats), and everybody was glued to the screen. The audience made it their mission to help Cartel figure out the problem and possible solutions were shouted out at intervals, and everybody held their breaths to see if it worked.

Normally, when you are at another conference, the audience gets impatient when something doesn’t work, people start talking to each other or even leave. Not so at Kiwicon. Here it seemed like a code of honor to stay put and help the presenter figure out the problem. The problem became a challenge for the entire audience.

Hacker on the road

Hackers don’t just sit in front of their computers in dingy and dark rooms, but they can be found out in the open participating in sports. Denis Andzakovic combined his two passions of hacking and riding motorbikes by sniffing out WLANs around the country simply by riding his bike. His gear fits into saddlebags, and he collects the data while he enjoys the landscape. He mapped his data and showed us the impressive result of where WLANs can be found across New Zealand, and he could zoom in on each.

WLAN mapping with a motorbike


Honor your ancestors

Hacking is not a new profession and viruses etc. have been around for a considerable time. Metlstorm took us back to the 1980s when New Zealand’s first virus, Stoned, was created. He took us on a tour and brought history to life uncovering the truths and half-truths and lies. His presentation was the funniest hands down besides being informative and insightful. He also sported the most ancient equipment seen at Kiwicon. The computer didn’t even have a VGA cable that could be hooked up to the projector and thus a video camera had to be employed.


Metlstorm retelling the history of “Stoned”

Thank you, Crüe

A big thank you goes again to the Kiwicon Crüe for putting on such an amazing show which didn’t just start on the conference days, but already when you went to the web site to read up on it and when you registered.

And another big thank you for the Raspberry Pi I received during the closing session. I should have all supplies together soon to set it up over Christmas.

Kiwicon 7

Although Kiwicon 6 just finished, I am already looking forward to Kiwicon 7 and the multitude of interesting, challenging and mind-boggling presentations and discussions. It’s a conference that is not to be missed.

09 Nov

A weekend amongst hackers

Blackhat, whitehat, rootkit, cyber security, and bugs are just some of the terms that flew around my head the past weekend because I went to Kiwicon V. Having gone already last year, I kind of knew what to expect and was very much looking forward to 2 days of technical bombardment interspersed with demos of how the talented hack into the system of their choice.

Mind you: hacking is not just the bad, bad guys. There is also a lot of good coming out of hacking: software / web site producers are made aware of security holes in their systems that could be exploited by not so kind people.

It was amazing that some companies don’t care at all: vt for example took down 5 software packages frequently used in Hollywood and only 1 company really talked to him. Others were not as willing and still haven’t fixed their bugs.

I learned:

  • how insecure the iPhone is and how easily you could read the RFID information stored on an EFTPOS card by using a mobile device.
  • that poop has a Unicode code point but in contrast to the snowman sign, it cannot be used in a URL. Go figure.

Poop can't be used as URL

  • not to say CyberWar if I didn’t want to start on a drinking binge.
  • that I didn’t understand Erlang and couldn’t defile MacOSX on my own.
  • how to go rogue.
  • how to hide images in images.
  • about the National Cyber Security Center.
  • how not to go about your first hacking job and that if you do you better know some people in high hacker circles.
  • and was reminded of the security fails of the last year.
  • and much more

This year’s Kiwicon was the largest so far. There were over 600 participants, and we were in Wellington’s Opera House as the previous venue would not hold as many people. Just imagine 600 people mostly clad in black in the middle of Wellington on a sunny weekend.

Kiwicon is not just a conference, but it is an experience. The pre-conference emails are the funniest ever, the registration process produced random quotes as comments that made you laugh, name tags were not your typical plastic around paper, but laser engraved leather and VIPs had hand-made ones. Participants can also learn how to pick locks and handcuffs, and how to work in a team to hack a big organization who does evil.

I am already looking forward to Kiwicon VI to learn even more and be awed by the things that some people find when they look more closely.

While listening to talks on exploiting RFID technology and hiding information in pictures via steganography, I was wondering how secure EyeFi cards were. Could somebody put malicious code on them which would alter images put on the card so that when they are transferred they would not just include the image taken by the photographer but also some hidden information, possibly code that could endanger the computer / server where these images can be uploaded immediately wirelessly?