The rise and rise of Australia's community hacking conferences
Forget filter coffee, jerks in suits, and awful hors d'oeuvre. Expect metal, craft beer and zero-days galore
Special report In Australia and New Zealand, hackers are doing it for themselves by creating vibrant security conferences that run on their own terms and actively avoid the corporate-speak and fear-mongering that characterises so many vendor-led events.
These conferences, or "cons", are booming and showcase security skills that rival the best the global security industry can offer.
The hacker-run conferences are nothing like commercial technology confabs: vendor pitches are universally banned, so are trade show booths. Bars replace bain maries full of conference casseroles and black metal-inspired custom shirts are the de facto uniform.
At these events hackers reveal holes in the world's most popular technology and public transport systems to a soundtrack of sweeping moans of derision, laughter, and, for some cons, bursts of on-stage pyrotechnics.
Most hacker presenters follow the modern line and push the companies they hack to fix holes ahead of their on-stage disclosures, yet blasé promises to fix earn retribution as zero-days are still dropped.
Delegates at these cons are a mix of professional penetration testers and security admins, hackers of dubious history, curious developers, and students. Some of those attending are partly responsible for defending the nation’s biggest and most important companies.
Most of these volunteer-run and continually sold-out events cost between A$50 and A$150, with some occasionally free for the most broke hacker, and are home to a staple of community-run lockpick and capture the flag competitions lasting what is typically a two-day conference.
After what was arguably a decade of hiatus, the cheap grassroots cons have spread out to cover almost all Australian states. Hackers have WAHCKON in Perth, CrikeyCon in Brisbane, Platypuscon in Sydney, BSides in Canberra, Unrest in Melbourne, and regional pillar Kiwicon in Wellington.
These could not be further from the typical C-level security event where ticket prices demand up to A$2000, technical talks are scarce, and vendor booths and pressed suits are as prolific as branded backpacks.
Of the six community cons, three have launched or will launch this year.
What: BSides Canberra
When: 17 - 18 March 2017
How much: A$50
Who: Silvio, Kylie, Andrew, Rick, Ryan, Topy, Wily, Klepas, Iggy, Ed, Pete, Villain, Matt, Sam, George, Peter, Nathan, Neal, Joffy, and Paul.
BSides Canberra, held on the shoulder of the Government’s large defence sector-orientated Australian Cyber Security Conference (ACSC), concluded its second and last day to a standing ovation. The $50 hacker meet run by security pair Silvio Cesare and Kylie McDevitt sold out quickly. “There are many reasons we started BSides Canberra,” co-organiser Cesare says. “We wanted to provide a local conference for Canberra at which we could inspire the next generation of hackers.”
The popular pair have a focus on encouraging new blood into the security sector at large, and more specifically into the conference circuit to consume and present new research. To that end they have kept the ticket prices rock bottom to ensure it is accessible to anyone interested in the field.
Sponsorship from community-centric security firms means the conference breaks even, throws two open-bar parties, and gives each of the 360 delegates a custom t-shirt and home-made Arduino badge that displays the conference running order. “… we think there will be people at corporate conference that will go nowhere near a hackercon and vice versa but there will also be an overlap,” Cesare says. “We don’t make a profit … this is just our passion.”
Highlights of the con include auctioning nasty Oracle zero-day flaws – one written on a napkin – to fund a ‘steak dinner’ for the organisers, a “nail-biting” capture the flag competition decided in the last four minutes, and some delegate badge re-tweaking.
When: 17 - 18 November
How much: About A$80
Who: A stable core 'Crüe' of Bogan, Pipes (retired), metlstorm, Sharrow, Ad, Vex, Madman, Squirrelboy, and Lisa, along with a retinue of volunteers who make the ship sail, and SiteHost who host the con's web presence gratis.
Kiwicon celebrates its tenth year in November and is placed at the top of many Aussie and Kiwi hacker con wish lists. It has ballooned in size from a small gathering at a university campus building to outgrow Wellington's iconic Opera House and the St. James Theatre.
Local and overseas speakers come to offer technical strolls, highlights of horrid holes in enterprise software, advice to improve delegates' exploitation prowess, and a litany of illustrations that paint the sorry state of information security. This all takes place against a backdrop of metal music and pyrotechnics. Attendees gain perspective on the event with the aid of local craft beer bearing Kiwicon insignia.
"The genesis was simple; if the Aussies can do it, surely we can?" con organiser Metlstorm says. "How hard can it be to get 80 people in a room, talk about computer hacking, then go to the pub? … From there Kiwicon just burgeoned into a monster that fundamentally is built in our own image of not taking ourselves very seriously."
Now more of a "hacker themed variety show", Kiwicon has become a slick, entertaining production that balances showmanship with technical content, a mix that guarantees the expanded 2200 seats this year will again fill fast. The upcoming event will likely be the biggest antipodean security con, despite its banishment of the immortal trade event annoyances: "vendor shillin', big money illin', no booth babes, no booths, no paid talks, no swag bags full of crap you're gonna throw out immediately, no bullshit, and of course the sticker shock of the ticket price," the respected penetration tester says.
Recent notable talks include William Turner's evisceration of the then still-vulnerable Christchurch bus system, a feat which led to the then kid hacker winning 'most likely to be arrested' and, through subsequent bureaucratic hamfisting, led to admin credentials being disclosed in public freedom of information documents.
Another year, hacker Denis Andzakovic outfitted his Yamaha with a HUD and hardware to build a Wi-Fi war bike. At last year's con two hackers displayed equal measures of daring and showmanship when revealing algorithm flaws that allowed Kiwis to print their own non-expiring discount petrol coupons scanned at the pump. They even successfully demonstrated the barcodes printed on t-shirts.
Kiwicon is, like all the community cons that followed it, a manifestation of hacker imaginings. "We built the con we wanted to go to; cheap, real, friendly and interesting," Metlstorm says. That probably excludes the national-security "F35-lovin'" conference crowd. "Tradeshow events showcase the root cause of the problems in the infosec industry," Metlstorm says. "We humbly aim to be the opposite".
The con bears a different theme each year, which of late tends to mock the corporate technology world and the military industrial complex: 'it's always 1989 in computer security' chimed one 8-bit motif, while "cyber-friends" was painted on Kiwicon 7 as an answer to the vacuous cries of cyber war.
Still, Kiwicon is an inclusive event and Metlstorm welcomes the errant military industrial tradeshow traveller: "So, if the day comes when they're ready to accept empiricism into their cold dead hearts, after all their shit got owned via the security products they bought or sold, we'll be here still, actual practitioners doing the actual work that actually advances the state of the motherf**kin' art."
When: 1 and 2 July
How much: A$100 - A$130
Who: Wily, Nanomebia, Buffy, Filsy, Sully, Topy, McCormack, Liam, and a 'few other random miscreants'.
Discount code: Enter code DARREN POORLY for a 10 percent discount on tickets.
Unrest is a "brand spanking new" security con set to hold the first of what history says will be many events in Melbourne's north. The hacker con is billed as an "audiovisual experience" which will eschew the traditional conference space along with its "filter coffee, jerks in suits, and awful hors d'oeuvre" for an unconventional audio-visual experience.
The con with its fictitious Ministry of Unrest and Illuminati-esque iconography is home to promising technical and social engineering talks, workshops, and a chill-out art and gaming area.
It is the brainchild of penetration tester, lockpicker, and hopeful comedian Wily. "We wanted to do something different," he says. "A non-traditional venue, no corporate sponsorship, low cost, and high impact."
Wily gives a nod to Ruxcon, the established but pricier Melbourne hacker con that since 2003 has regularly sold out with technical talks and workshops. "Ruxcon has been around in Australia since 2003, and has always brought together the Australian community," Wily says. "Other community hacker conferences have sprung up around the country, and there is certainly room for more of these events."
Ruxcon will be held 22 and 23 October.
There is, Wily says, space for both the pricier cons such as the recently held AusCERT corporate conference in Queensland's Gold Coast, and the more expensive Syscan technical hacker con in Singapore, and the grassroots community events.
But without the big ticket price tag, Wily is merely aiming to break even: "We are hoping to break even, and if we're lucky we might," he says. When asked by Vulture South if he and his fellow con organisers 'hate money', the hacker sums up their collective commitment to community: "we are a bunch of overpaid infosec jerks".
When: 24 September
This Sydney startup con is a hands-on hacker meet where the policy is show up with a laptop or not at all. Co-organiser lin_s has, with a little help from her friends, developed a conference that emphasises practical hacker experimentation. “We started the con and our community (Just Hack Shit) on the basis that we wanted to see something different from the traditional security content of just speakers talking at the audience,” she says. “We wanted to build a group where people from all walks of life could come and do infosec nerd stuff on the proviso that they had to participate.”
It is a popular and unique concept born of a night spent on the museum lawns in Sydney’s Circular Quay where lin_s and her friends got together to hack in a capture the flag competition. Total cost was munchies and beer. "It turns out lots of people were interested in this kind of thing - we couldn't find anything similar already, so we built something ourselves."
When: 6-7 May 2017
How much: A$60
Who: Kronicd, Nanomebia, Swarley, Romper, Grug
Now in its fourth year, WAHCKon remains Perth's first and only hacker con, home to a repeatedly solid line-up of security talks ranging from the technical to the absurd. For the former, speakers this year detailed the security chops of Docker, the perils of SSL, and PHP malware debriding. The latter was catered for by the opening talk given by WAHCKon organisers, who took delegates on a journey into the skulking malware PC assistant known as Bonzi Buddy, which was this year's mascot.
"These (grassroots cons) are absolutely a thing now, and we're continually hearing about new cons starting all over Australia," Kronicd says. "When we began there really wasn't anything of the sort."
The Perth confab was fired up to bridge the 4000 kilometre void between Perth and Australia's big east coast cities. "Western Australia is pretty isolated from the community, and we saw that it just wasn't possible for a lot of less established hackers to attend existing hacker cons due to the prohibitive cost of travel and lack of corporate sponsorship," he says.
WAHCKon 3 this year. Image: Darren Pauli
He also misses the casual vibe of bygone Aussie hacker cons, and so sought with colleagues to build the conference they wanted to attend. "The scene in Australia had become extremely corporate, and we wanted a return to the hacker cons we remembered -- we wanted to bring together the WA hacker community and to ensure that everyone had a chance to attend." To this end, organisers are willing to hand out free tickets to those who can't afford the $60 face price.
Kronicd, like his kin, begs each year for their complicated conferences to come to an end, but persistent popularity serves as a defibrillator: "Honestly, we've wanted this to stop for years. We're tired. People keep showing up and incredible speakers keep submitting talks. It really isn't up to us anymore."
When: 25 February 2017
How much: A$80 - A$150
Who: Wade Alcorn, Scotty Brown, Robert Winkel, Glyn Geoghegan, Gary Gaskell, Ashley Deuble, Anne Luk.
CrikeyCon is another community-led charitable not-for-profit con based in Australia's Sunshine State that offers a diverse range of security talks and capture the flag and lock picking events over a day and a half. Co-founder Wade Alcorn says the concept was found at the bottom of a beer glass in a Brisbane pub.
"Crikey was born over a few beers between mates in Brisbane lamenting the lack of a local con," Alcorn says. "We wanted to give something back to the security community that's been great to all of us … and create a local event where people can share, learn and socialise with like-minded enthusiasts."
The crew expected the first event to host numbers resembling a large night out, but instead 60 hackers turned up, with 150 attending cons soon after. This year pulled 250.
Those punters are a mix of hackers and business infosec types, both of whom Alcorn credits with sufficient olfactory sense to sniff out the good cons from the bad. "True security nerds try to get to as many things as they can that they get value from - even if it is on their own time," he says.
What: Wrong Island Con
When: 29 July
Where: Formerly Christchurch, now Catalina Island (migrates to various 'wrong' islands)
How much: US$50
Who: Richö Butts
Wellington is one of the windiest cities in the world. Pilots aborting landings at New Zealand's capital have the Cook Strait – the chasm between mountain ranges running the length of the North and South Islands - to thank. Delegates to Wrong Island Con thank the Cook Strait for similar reasons.
The conference, in its third year in 2016, was born of a bad situation, and pretty well typifies the impromptu larrikinism of the antipodean hacker scene. "Wrong Island Con was basically an in joke that got horribly out of hand," lone con organiser Richo says. He explains how hackers en route to Kiwicon 7 in the dying months of 2013 were diverted from Wellington to Auckland on account of severe weather.
Three plane loads of Australian binary breakers ended up on the South Island, cloistered in the body of the plane for hours while staff refused to let them disembark. Cabin fever rose among the trapped hackers as they pledged to honour the occasion next year by holding a hacker con on the wrong island.
"Enough people convinced me that it was a really good idea that we actually had a Wrong Island Con the next year before Kiwicon 8," Richo says, adding that the low-key con emphasises "less is more" with talks clipped to 20 minutes. There are exceptions; hacker Snare took the liberty to give an hour-long thesis on UEFI, Richo recounts.
The security guy at a US tech company agrees that community cons are proliferating quickly. "I think the tipping point was the realisation that basically any idiot can run one -- that's definitely how Wrong Island Con came about."
Everyone pays the US$50 to attend, even the speakers, but Richo, like others, only hopes to cover costs. The community tends to dig deep, and indeed Vulture South has spoken to security companies that save their sponsor cash for grassroots cons, without expectations of returns. Richo started the first Wrong Island Con in Christchurch with no sponsors, and had signed up three by day's end. "That was pretty humbling," he says. ®