by Fred Theilig – @fmtheilig
Having heard them mentioned occasionally on a podcast, I was only tangentially aware of the Security BSides conferences. I took more notice while attending DEF CON this past summer, which is a story for another time. BSides Las Vegas, along with DEF CON, Black Hat, and a few others, makes up what is known as “Hacker Summer Camp”. Similar to real summer camp, it is a time when hackers and security professionals can learn, have fun, socialize, and not shower as often as they ought to. It was at DEF CON that a gentleman gave me the BSides sales pitch. Same talks, same workshops, and not the shitshow DEF CON is.
Don’t get me wrong: DEF CON was amazing, but it was also absolute chaos. I will go again (maybe in 2025) and will be better prepared, but now BSides was on my radar. Some backstory is in order. Security BSides started back in 2009 as an outlet for rejected Black Hat presentations. Over time it grew into loosely affiliated conferences across the globe. While at an InfraGard event in September I was made aware of a BSides conference being held in Cambridge, MA. Tickets were only $20. I attended in November.
BSides Cambridge (actually in Belmont, MA) was a single-day, single-track event, and I really didn’t know what to expect. Because of weather-related traffic, I arrived just after 10. The conference was held in a shabby Odd Fellows hall on a residential side street with precious little parking. The young man who handed me my badge was one of the organizers. Here are some of the highlights of the day.
A panel discussion titled “Security Research: Finding, Disclosing, and Reporting Vulnerabilities in 2023” featured Bobby Rauch, Amit Serper, and Jonathan Leitschuh. Amit works for Cybereason and discovered a “vaccine” that prevents the NotPetya ransomware from infecting a system. Jonathan is a Senior Software Security Researcher for the Open Source Security Foundation and was the man who discovered and reported the Zoom Bomb vulnerability. The discussion was moderated by Bobby Rauch. I would know more about him, but every time I googled his name I got pictures of Melissa Rauch, which in itself isn’t a bad thing. What followed was a lively and informal discussion that was worth the price of admission.
Other talks included “Socially Malicious: Discord as Malware Infrastructure” and “Who Goes There? Actively Detecting Intruders With Cyber Deception Tools”. The final talk of the day was titled “Ape Tax: what million-dollar NFT heists can teach us about security principles”, presented by conference organizer Ryan Cohen. It was quite entertaining.
I don’t mean to imply that a one-day event could compare to a Vegas extravaganza. It’s a humble, local event put on by a couple of young guys, but boy did they hit it out of the park. They booked some great speakers, and everything went off seemingly without a hitch. As tickets sold out quite quickly, they could stand to find a larger venue. If you value polish over content, there are many opportunities for improvement. But, for the most part, that’s not the crowd. Here is an accessible, well-run conference with great talks and no filler. Support your local BSides.