After BSides Lancs and Leeds, Newcastle was my third BSides, both of the year and ever. I got up early in the morning for a road trip from Preston to Newcastle, and setting off at 5:30 on Saturday turned out to be atmospheric and straightforward. So I was a bit early and got a glimpse of the chaos that is putting together a BSides. Later I found out that BSides Newcastle was traditionally more chaotic than some of the other BSides. Now, even though the signs were hand-written at the last minute, the start was late and the schedule a little bit random, this did not matter one bit. Who needs precision organisation, when you can have energy that is just on the right side of chaos? And that is infectious.

No T-shirts at NCL, no, let’s have aprons. Orange for organisers, yellow for volunteers, pink for sponsors and brown for speakers. Talking shit, eh?

One of the best comments of the conference was overhearing someone saying “looks like a shopkeeper convention”. You’re not wrong:

Why is there a guitar, you might ask. Well obviously for the opening conference singalong of “I’ve no more hacks to give” to the tune of “I’ve no more fucks to give”.

That’s the right attitude. Considering that about a week before the con, the organisers had been left with no venue and had to find a new place and still managed to put together a fab day is just testament to exactly that attitude.

It didn’t get any less sweary. And no, I’m not just thinking about Eliza’s tale of vendor horror stories:

• the one about the SIEM in a flat network structure, that got ransomwared with the rest of the company
• the one about the vendor that blackmailed their client to not sack them
• the one about the vendor that installs a SIEM but then doesn’t plug it in
• the one about the phishing simulation that uses sexual abuse or miscarriage in pregnancies as a hook and then displays a “Haha, you need to do” phishing awareness training" without any thought of how this might affect people
• the one about charging for doing log aggregation and then not doing anything other than storing the raw data

Though probably the best one came out of the audience where a phishing campaign got detected and warning emails were sent out, including to the phisher themselves.

Can’t not swear there.

Oh shit

Probably not as bad as Lee’s opening keynote with the story how when he checked the details on his DBS check, the details of a convicted sex offender with weapons charges was returned because the name was a bit similar.

Fuck me

The horror continued, as Vi gave an excellent overview of BGP. That’s the protocol that holds the internet together, that was designed on three napkins and has some pretty glaring security flaws that are still not completely fixed. Flaws, which allowed an ISP in Turkey to bring down the whole internet for an hour, or have a Pakistani ISP mistakenly down YouTube for everyone, or allow a clever campaign to steal cryptocurrency by pretending to be AWS Route 53. It’s always DNS… except when it is BGP.

My turn

I was gutted to miss Brian’s talk about the Great Post Office scandal, you know the one where Fujitsu instead of owning up to software problems, got lots of sub-postmasters convicted of fraud instead, but it was my turn to give my talk on Denial of Service. At the start of the session, I shook hands with the only two people that were there. Though there were a few more that came about halfway through, so I did a quick recap at the end. I loved it though. I probably would have given the talk to just a single person, though next time, I probably should sit down and turn it into a workshop!

Patch This!

For the scran note (love the concept), Jerry went through the difficulty of fixing security dependency issues. There were some fab stats in there, which I will undoubtedly steal:

• Only about 7% of CVEs get exploited
• Only about 12% of CVEs get patched

The problem is just the sheer volume. These days, on average 75 new CVEs get raised every single day!

In order to help the community work out what should be looked at, Jerry hacked together patchthis.app during a long-distance flight which aggregated a few good vulnerability intelligence sources and aggregates a CSV file that contains CVEs that are being actively exploited according to CISAgov, Metasploit, Nuclei and EPSS. And it’s open source too. Bravo! This is right down my alley.

Grow the industry

The closing keynote was delivered by Rosie, who is now organising four BSides, with an impassioned plea to do more to help grow the industry, to make it easier for people to start out in Cyber. There’s a lot of people with years and years of experience, and the infosec community needs to do more to welcome fresh talent in. Hear hear!

And brilliantly, the conference was fully of children! Complaints departments and little ones running around, playing with battlebots, putting glitter and face paint on people. I thought that was really cool, maybe I’ll bring my little ones along next time. And it also, albeit temporarily, put a stop on some of the sweariness…

All in all, I loved the chaos, the undercurrent of anarchy and embracing the weird and wonderful. Don’t ever change, Boncl!

Tags bsides conference security appsec

If you'd like to find more of my writing, why not follow me on Twitter or Mastodon?