SteelCon 2024: It was acceptable in the 80s
Sheffield is the city of steel, and at the heart of it lies a lovely university building, the Owen building, which hosted the North's premier hacker con.
And I had been accepted to talk at SteelCon about AppSec and Agile, and who wouldn't want to drive over Snake Pass to cross into the wrong side of the Pennines? [Ducks].
Over the past year, I found myself going to quite a few community infosec events (I did the Northern BSides triathlon last year: Lancs, Leeds and Newcastle) and I feel like I'm becoming part of this family. I have always felt really welcomed in this anarchic environment, where leaf blowers and complaints desks take on special meanings. (I'll leave you to decide who the dysfunctional uncles and aunties are…)
So I was quite excited when SteelCon came along and accepted my CFP, and putting on the conference badge felt quite normal.
The headband is the badge… obviously! The fake moustache soon enough moved onto my T-shirt, as it kept falling off. I felt really comfortable; at least it gave me an excuse for not recognising people. I jest, no excuse needed: these days I start conversations with how rubbish I am with names and faces.
I have to repeat it though: as soon as I walked in, I felt at home. These were my people. And no, the breakfast beer had nothing to do with it:
What I did really appreciate was the sense of lots of little activities that were open to all. I love the fact that SteelCon has a kids' track, and if I'm honest it sounded fantastic: soldering blinking LED badges and animating lemmings sound cool. I also liked the jigsaw track, the battle bots and trying to find a secret message on the tape. And while I didn't get a chance to join it, I loved the idea of a post-conference Warhammer session and a Sunday lunch!
(those 1000-piece jigsaws were done by the end of the day)
After the right amount of chaos (tracks were reorganised, something to do with A&E and being dosed up on painkillers), it got going. And I promptly got lost trying to find track 2.
Are you going to tell us about the talks?
Nick gave us a very cool talk about hacking AS/400s. I think they came out in the right decade, so this was acceptable in the 80s. [Ducks]. I do like legacy anyway, but I loved his tour of the peculiarities of an operating system where everything is a database and any account has access to almost anything. And IBM helpfully lists the default accounts, which typically follow the username=password level of security.
I did love the tip that, when using Wireshark to look at network traffic from these systems, you need to search for EBCDIC rather than ASCII: the credentials are sitting there in the clear, but an ASCII string search will never find them. This reminded me of the fun I had with people treating Base64 as if it were encryption.
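To make the EBCDIC point concrete, here is a small added example of mine (not code from Nick's talk or from the original post). It assumes code page 037, the default EBCDIC code page for US English on IBM i, and uses a constructed sample payload rather than anything captured from a real system. It turns a search term into the colon-separated hex that a Wireshark `frame contains` filter expects, spots whether a payload is EBCDIC or ASCII, and decodes it accordingly.

```python
import codecs

# Constructed sample payload (not from any real capture): the same text once
# as ASCII and once as EBCDIC code page 037. QSECOFR is IBM's documented
# security officer profile name, used here purely as an example string.
ASCII_SAMPLE = b"USER QSECOFR PASSWORD QSECOFR"
EBCDIC_SAMPLE = ASCII_SAMPLE.decode("ascii").encode("cp037")

# Byte ranges that carry letters, digits and the space in EBCDIC (cp037).
# An ASCII string search sees these as high-bit garbage, which is why the
# plaintext credentials stay hidden until you search in EBCDIC.
_EBCDIC_TEXT = (
    {0x40}                       # space
    | set(range(0x81, 0x8A))     # a-i
    | set(range(0x91, 0x9A))     # j-r
    | set(range(0xA2, 0xAA))     # s-z
    | set(range(0xC1, 0xCA))     # A-I
    | set(range(0xD1, 0xDA))     # J-R
    | set(range(0xE2, 0xEA))     # S-Z
    | set(range(0xF0, 0xFA))     # 0-9
)


def to_ebcdic_hex(text, codepage="cp037"):
    """Encode `text` in EBCDIC and return colon-separated hex for a Wireshark
    display filter, e.g. 'frame contains d8:e2:c5:c3:d6:c6:d9' for QSECOFR."""
    return ":".join(f"{b:02x}" for b in text.encode(codepage))


def looks_like_ebcdic(payload):
    """Heuristic: count bytes that are EBCDIC text versus printable ASCII.
    Whichever range explains more of the payload wins."""
    ebcdic_hits = sum(1 for b in payload if b in _EBCDIC_TEXT)
    ascii_hits = sum(1 for b in payload if 0x20 <= b <= 0x7E)
    return ebcdic_hits > ascii_hits


def decode_payload(payload):
    """Decode a captured payload as EBCDIC if it looks like EBCDIC,
    otherwise as ASCII (undecodable bytes replaced rather than raising)."""
    if looks_like_ebcdic(payload):
        return payload.decode("cp037")
    return payload.decode("ascii", errors="replace")


def find_in_ebcdic(payload, needle, codepage="cp037"):
    """Offset of an ASCII search term inside an EBCDIC payload, or -1.
    This is the programmatic version of the Wireshark tip: encode the
    needle before searching, never search for its ASCII bytes."""
    return payload.find(needle.encode(codepage))


if __name__ == "__main__":
    print("Wireshark filter: frame contains", to_ebcdic_hex("QSECOFR"))
    print("ASCII search finds PASSWORD at:", EBCDIC_SAMPLE.find(b"PASSWORD"))
    print("EBCDIC search finds PASSWORD at:", find_in_ebcdic(EBCDIC_SAMPLE, "PASSWORD"))
    print("Decoded:", decode_payload(EBCDIC_SAMPLE))
```

The `find` on raw ASCII bytes returns -1 against the EBCDIC payload while the encoded search finds it immediately, which is exactly the failure mode the tip is about. If a target uses a different national code page, swap `cp037` for that page (Python's `codecs` ships several, e.g. `cp500` and `cp1140`); the approach is the same.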
Next up was a fascinating talk by Chris about the psychology of social engineering. Social engineering is when you hack human brains to let you into places you shouldn't get into, or convince the receptionist to print you a badge even if you look nothing like the person on the record.
Even sophisticated gates like the one above can be circumvented by pressing the intercom at the high-security US office and announcing:
Hi, my UK badge doesn’t work, can you let me in?
Of course, it is not as easy as that, but even for a colour-blind introvert like me there is hope, because all too often marketing departments put the hex/RGB values of their badge colour scheme on their website, and confidence can be practised in the mirror.
My favourite statement came quite early on, when Chris compared exploiting Miller's law (roughly: the number of objects an average human can hold in short-term memory is around seven) to buffer-overflowing the brain.
After lunch, I went for some more nostalgia, where Tim took us on a brief history of time, from simple, single-threaded processors to today's super-complexity.
And then there was James's talk about due diligence, or the lack of it. It took him on a journey of simple Google searches, fraud and a surprising disinterest in checking whether things are what they say they are. He's not yet ready to publish, but it sounds explosive to me. I'm certainly going to follow the developments with interest!
My turn
And then it was my turn to speak. My talk was titled "AppSec and Developers: The Good, The Bad and The Ugly", where I told a story about how developers and security don't have to act like this, and how the principles of the agile manifesto can help (more here).
Close
By the time the conference came to a close, it felt quite normal that there was an auction where people were sold off, stickers went for lots of money and a fantastic sum was raised for charity. I also love that, as part of the swag SteelCon handed out, lots of jigsaws and board games had been raided from a charity shop. The stuff that people didn't want to take would be donated straight back to the same charity shop!
All in all, not a Mickey Mouse operation, I loved it!
[Ducks].