Joshua Crawford's Development Blog

My First Cyber Security Conference

My First Cyber Security Conference

My weekend at Kernelcon in Omaha, Nebraska

Joshua Crawford's photo
Joshua Crawford
·

7 min read

Table of contents

Lead-Up

I've always loved the idea of Cyber Security since I was young and through my research months ago, I learned one primary thing: immersion was key. A few months ago I decided to get serious about creating and pursuing the career I want. Being active on Twitter and attending conferences are essential to take part in as you join the greater Cyber Security community.

With that knowledge, I went searching for a conference. I've heard the big names: DefCon, BlackHat, and RSAConference among others. However, in my search, I wanted something smaller, cheaper, and preferably local. A bit of searching led me to Kernelcon in Omaha, Nebraska. The organizers' goal of making Omaha an annual destination for security professionals resonated with me as a new member of the community.

The Conference

I walked into the doors of the conference hall excited at the opportunity. There were a few goals I had as the conference began:

  • Get exposure to the Cyber Security industry in the Lincoln and Omaha area.

  • Get some input on the path I have laid out for myself to transition from Software Engineer to Cyber Security Engineer in the coming years.

  • Try my first attempt at a conference Capture the Flag (CTF).

With those goals in mind, I checked in, received my bag of swag for the conference and started the day.

The Badge

Despite having some advanced knowledge of how Cyber Security conferences handle badges I naively still expected a laminated piece of paper or a hard plastic card. I pulled out the badge that I later learned was a brilliant solution to the still-present issues with the computer chip supply chain. The badge took the form of a working AM receiver that was entirely analog in design, with no need for expensive and hard-to-find chips!

Inspecting the badge I found the URL to read more about the badge with a notable line on the webpage.

You've read this far, probably hoping to find some clues on "what's hidden in the badge" or something similar. I'm going to let you in on a secret...

Nothing. There's absolutely nothing hidden *inside* the badge. There's no microcontroller. No flash storage. It's an old school analog design.

The emphasized word inside stared back at me as I looked from it to the badge and noticed the pattern above the frequency tuning knob that I just knew had to be a Spotify scan code. This led me to unknowingly participate in my first CTF challenge.

The CTF

Attempts at scanning the pattern failed to recognize anything using Spotify's scan search. Having seen these codes several times I knew there was going to be some way to get the app to recognize the code. I began reading everything I could about the code's design while I was at lunch. This revealed that the codes are all made of 23 lines all perpendicular to a horizontal line varying in length with the largest being a seven, and the smallest a zero. Counting these lines I confirmed it was a Spotify code.

Next, I learned that these Spotify codes need a Spotify logo next to the pattern to act as an anchoring point for the scan to occur. The badge's creator omitted the logo as part of the challenge. This led to several attempts at editing the pattern and a Spotify logo screenshotted from the internet in Snap Chat, trying to trace the pattern and doodle the logo next to it. All of this still led to the scans being unsuccessful.

Frustrated knowing I was on the verge of finding my first flag I sent the component pieces to my family. My older brother with much better photo editing skills and software than myself was able to press the two component pieces together and scan it leading to a playlist with the flag as the playlist name.

Excited to have found a flag I quickly realized I had no idea what to do with it. Returning from lunch with a high I walked around and stumbled upon the great folks at the AntiSyphon training who told me there was a place to sign up and I could likely backtrack the solution to find where to submit the flag. I quickly signed up for the CTF which I learned was Mario themed with most of the challenges outside the badge involving Mario and friends. I found the correct challenge, solving my first CTF challenge! By the end of the conference I learned I was the only person to solve this challenge and for the first day was listed in the top 10 of the CTF all by myself.

The organizers also handed out a fun 3D-printed token as a reward for solving your first challenge in the CTF which matched the Mario theme for the CTF.

Other challenges were attempted, getting very close on one that involved dumping the strings of an image and ended with trying to decode a .wav file containing morse code but I could not get it to decode what I assumed was the flag in a way that gave me the correct flag. I finished having grabbed up a few of the simpler challenges, in 14th place, and a hunger to do more CTFs.

The Talks

One of the more difficult parts of navigating my first conference was selecting which talks to attend. Kernelcon had two tracks both of which housed some fascinating talks almost every hour. Aside from some time spent in the lockpicking village(which has prompted a potential hobby) most of my time was spent listening to the conference's speakers. The two highlights for me were Web Hackers vs. The Auto Industry: Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More by Sam Curry and Trending Cloud Security Threats, and Defenses by Gabe Schuyler.

Web Hackers vs. The Auto Industry was flashy and exactly the type of entertaining talk I expect to hear at a Cyber Security conference. Sam did a great job explaining what he and his team did to compromise the applications and systems in the auto industry. Their efforts led to being able to remotely control 60% of cars and identified glaring points of failure with SiriusXM and Spireon for connectivity to these modern vehicles. While a lot of fun I learned just how seriously I need to take things like OWASP Top 10 in my current role as a developer. As Sam mentioned none of the attacks performed were complicated to execute and had disastrous results had a bad actor found them before his team did.

Trending Cloud Security Threats, and Defenses confirmed to me some of my paths for getting into the Security industry. The technology of the cloud is powerful and still new. Gabe provided some insight on what to look out for and how I could help strengthen my company's cloud as a developer. This talk made me excited for the opportunities available in the cloud as well as the worry of what exactly can go wrong in the cloud if more people don't take action to gain experience strengthening its defense. Most importantly was a closing message that the cloud is still new technology, and cloud professionals are still in demand.

Conclusion

I had a great time at my first conference and I can't thank the organizers, volunteers, speakers, and fellow attendees for making the conference what it is. My days had several conversations with extremely friendly professionals in the industry that helped me refine my plan to become part of their industry. All of my goals for the conferences were accomplished and had a fantastic time attending. I was able to make connections with the Cyber Security community close to home, learning about some of the meet-ups that were happening in the Lincoln and Omaha area.

Participating in my first CTF cemented my desire to get into this industry. Going beyond the gamified nature of a jeopardy-style CTF the drilling and exploration that each challenge presents is a perfect learning tool for those like me wanting to increase their knowledge and skill. I am looking into things like OverTheWire and PicoCTF as platforms to continue doing CTFs.

Finally, the talks were fantastic and I continue to be shocked looking back at the amount of knowledge that can be condensed into two days. Learning ranged from the Cloud to Quantum computing leaving me with pages of notes to sift through afterward and continue my learning. Web Hackers vs. The Auto Industry taught me that the common OWASP Top 10 style exploits are as dangerous as ever while Trending Cloud Security Threats, and Defenses reminded me that this new technology was susceptible and in need of experts. Individual conversations, especially with the team from Antisyphon helped me ensure that the path of self-education and certifications I created myself was sound.

CyberSeccybersecuritycyber securityinformation securitykernelcon