This week I got to enjoy going to InfoSecurity 2018 and BSidesLondon 2018. Both of these events are something I look forward to every year - they're probably the best of their kind each year. They're two distinctly different events though.
What are they?
For the last few years, InfoSec has been hosted in London's Olympia event centre. This year they'd had to extend by about 50% to an additional hall, a sign of how the security industry has continued to explode over the last year. Everything here is very business oriented and 'white hat'. It's all about defending businesses, protecting revenue, spotting the bad guys etc. etc. Downstairs is typically the long-term multi-million (billion?) companies like Symantec, Nominet, Fortinet etc. It's great to shake hands and learn about what established businesses are looking into, but upstairs is where the interesting innovations tend to be. There is the 'Startup Zone', as well as a zone specially reserved for UK innovations. I spent most of my time here. The suits and smiles of downstairs are pleasant enough, but they are often sales-y and lack technical. Upstairs you've got two technical guys who have barely managed to scrab together cash to get a stand the size of a phonebox, and they will talk technical to you for as long as you will listen. Occasionally, they'll pour their heart out and explain why what they're doing is so important to them. This is what I enjoy about Infosec the most.
And yes, like most expos there is loads of freebies like T-Shirts and Mugs. The free beer comes out from participating stands late in the afternoon. You go and find folks you've done business with in the past and then maybe go and grab food after. That's fine. It's very nice when business people stop being business-y and just talk over pizza and drinks. But I'd gladly miss that in favour of all the start-up stories.
BSides is in many ways the opposite of InfoSec. They're both security conferences, they're both in London, but have totally different goals.
- BSides is community-driven, InfoSec is business-driven.
- BSides is comparatively tiny next to InfoSec, sitting in a single conference centre.
- There are principally only white-hats at Infosec. At BSides you don't ask.
- InfoSec is mainly boothes and stalls, BSides is 95% expert talks.
- You won't see a single suit at BSides. Wear a suit and you stand out more than someone with pink spikey hair.
- Oh and they're run at the same time (supposedly a long-running joke from the BSides team). Infosec is Tue-Thurs, and BSides is on the Wednesday just to mess with them.
I could write tonnes for each conference, but I'll stick to the important bits.
At InfoSec this year there were fewer innovations or novel products and services than last year. However, this was offset for me by seeing that the more established start-ups have clearly taken the time to grow and improve their products so they're now in a mature state. This time last year everything had been noticeably rushed to meet the Security hype curve (which is still rife of course). In 2017 a great number of demonstrations could be boiled down to 'look at what we made in our shed, it sort of works, please buy it'. This year those same vendors are longer start-ups, back with a bigger stand and showing that they used experiences to make enhancements. Now they are pushing pseudo-mature products. This is a good step for the industry as there is less snakeoil being pushed, and more security capability offered to the industry.
I was suprised to find that despite all the recent media and market hype in the last few months around Blockchain and 'Artificial Intelligence' (Machine Learning really) - there were suprisingly few mentions or emphases of it at the show. Some existing vendors had taken their product and applied 'AI' to thei branding in some way to try and make extra sales, but that's not the same thing. It could be that the hype for AI/ML has taken off too recently and either few startups have the cash for an InfoSec booth, or there is no product to sell yet. Still, I'd expected more around Blockchain. I saw more at AWS Summit 2018 on both these topics than at Infosec.
In terms of interesting products from this visit, there were so, so many. Too many to list here. I may do a separate post, or you can email me and I'll send a list. I've got a box full of business cards, each of which I plan on using to bring so much great content to the Showcases. If you want to see them though, you'll just have to come and visit.
BSides had fantastic talks like they do every year. The introductory keynote by Mykko Hypponen was one of the best I've heard for ages. He took the audience through the history of hacking - what it started from, and where it is today. When he was young, hacking was fun and encouragable - almost solely educational rather than criminal. As the talk went on he went into explaining how money laundering works today with cryptocurrency wallets being used to disseminate funds. Then he brought things into reality by showing how people are quite literally being murdered to get hold of large crypto stashes. Of course the end of the talk was happy and positive, but the reality-hitting centre has stuck with me. He also touched on corporate spying, and government-level espionage - both fascinating subjects.
A group who break into Air-conditioning and Heating systems for a living (amongst other things) did a great talk on Hacking SCADA and showing how the buildings protecting our multi-million pound computers can be wrecked with simplistic exploits. Examples were cooling failures, poorly coded security doors, sensors which can be lied too. Matt and Mike from Insinia have even built themselves a SCADA training facility to bring future colleagues and clients up to speed.
There was a great Social Engineering talk explaining how you would 'get started' in the field if you were interested. The speaker took you through what he typically does to get into a secure building, as well as tips for remaining calm and not giving yourself away. He wouldn't give too much away, but rumour has it he has been able to get into secure areas of Gatwick Airport multiple times. The speaker was Chris Pritchard.
A guy called 'PortHunter' did a great talk entitled 'OpSec for Hackers - What you need to know to not get Caught, Leveraged or Pwned'. I went in expecting it to be a bit of "use this, do that, they won't look here". Instead it was a flipside talk of never assuming that anything you do is inherently safe or invulnerable, and promoted the idea of 'cover your &ss' with multiple layers. Very interesting.
John Scheier from Sophos Security did a fascinating talk entitled 'Deep Dive on the Dark Web'. He started you with the idea of being a disgruntled but tech-savvy employee who wanted to get revenge on his employer. Where would you start? How would you start? He showed us how you'd buy passports, driving licenses, exploit kits, botnets, DDoS Services, and so much more. I plan to visit the marketplace myself for fun, and see what they've got on there he didn't show. Obviously not to buy anything.
Vladimir Kropotov gave a great account of how fradulent travel works and is conducted on the 'dark web'. Confusingly entitled 'Travel with Underground Services' he showed how you can hunt for people offering discounted or illicit travel and what steps you have to go through to actually get yourself on a plane, train, passport and so on. The really interesting part for me was that he then took things away from travel itself, and went on to how illegal hotel stays are sold. Don't want to pay $1000 for a two week hotel stay? With a lot of tricks and insider-jobs being pulled, people exploit hotel booking systems en-mass and sell them off at $200 instead. It suprised me that it is done so often, as Vladimir showed.
After BSides ended, I went back to Olympia for the end of Infosec Day Two to catch up with some friends who left my old team and moved to other businesses.
That was the pseudo serious stuff. Now a few fun bits from the two days.
Remember Sesame Street, The Muppets, Sooty and Sweep? Well a group called The Cybermaniacs think that puppets are the solution to getting people engaged with Cyber Security training. Point and click training is definitely dead, and people rush through it as fast as they can anyway. Watching cutesy episodes of characters getting their laptops stolen? Sign me up. The preview clips at the show looked good! Also the puppets are BIG in real life, as you can see. This is Wanda.
I went to see some friends we are actually demoing in the Showcases right now, and they very generously offered me a Guinness. With my face on it. An app called 'Ripples' pairs with a special beer-pouring machine to overlay your face in a style resembling 3D-printing. The whole process took five seconds though. I still have no idea how it works, but I just know I want one.
Finally, Steve Wilson from BT was running an escapist challenge at the lockpicking corner. You were handcuffed inside a transparent box, and then had to lockpick your way past three challenges to escape and stop the timer running. I got out in 2:36, so pretty happy!
Fantastic two days as always, and I look forward to returning next year!