Delegates at these cons are a mix of professional penetration testers and security admins, hackers of dubious history, curious developers, and students. Some of those attending are partly responsible for defending the nation’s biggest and most important companies.
Most of these volunteer-run and continually sold-out events cost between A$50 and A$150, with some occasionally free for the most broke hacker, and are home to a staple of community-run lockpick and capture the flag competitions over what is typically a two-day conference.
After what was arguably a decade of hiatus, the cheap grassroots cons have spread out to cover almost all Australian states. Hackers have WAHCKON in Perth, CrikeyCon in Brisbane, Platypuscon in Sydney, BSides in Canberra, Unrest in Melbourne, and regional pillar Kiwicon in Wellington.
These could not be further from the typical C-level security event, where tickets cost up to A$2000, technical talks are scarce, and vendor booths and pressed suits are as prolific as branded backpacks.
BSides Canberra, held on the shoulder of the Government’s large defence sector-orientated Australian Cyber Security Conference (ACSC), concluded its second and last day to a standing ovation. The $50 hacker meet run by security pair Silvio Cesare and Kylie McDevitt sold out quickly. “There are many reasons we started BSides Canberra,” co-organiser Cesare says. “We wanted to provide a local conference for Canberra at which we could inspire the next generation of hackers.”
The popular pair have a focus on encouraging new blood into the security sector at large, and more specifically into the conference circuit to consume and present new research. To that end they have kept the ticket prices rock bottom to ensure the con is accessible to anyone interested in the field.
Sponsorship from community-centric security firms means the conference breaks even, throws two open-bar parties, and gives each of the 360 delegates a custom t-shirt and home-made Arduino badge that displays the conference running order. “… we think there will be people at corporate conference that will go nowhere near a hackercon and vice versa but there will also be an overlap,” Cesare says. “We don’t make a profit … this is just our passion.”
Highlights of the con include auctioning nasty Oracle zero-day flaws – one written on a napkin – to fund a ‘steak dinner’ for the organisers, a “nail-biting” capture the flag competition decided in the last four minutes, and some delegate badge re-tweaking.
Who: A stable core 'Crüe' of Bogan, Pipes (retired), metlstorm, Sharrow, Ad, Vex, Madman, Squirrelboy, and Lisa, along with a retinue of volunteers who make the ship sail, and SiteHost, who host the con's web presence gratis.
Kiwicon celebrates its tenth year in November and is placed at the top of many Aussie and Kiwi hacker con wish lists. It has ballooned in size from a small gathering at a university campus building to outgrow Wellington's iconic Opera House and the St. James Theatre.
Local and overseas speakers offer technical strolls, highlights of horrid holes in enterprise software, advice to improve delegates' exploitation prowess, and a litany of illustrations that paint the sorry state of information security. This all takes place against a backdrop of metal music and pyrotechnics. Attendees gain perspective on the event with the aid of local craft beer bearing Kiwicon insignia.
“The genesis was simple; if the Aussies can do it, surely we can?” con organiser Metlstorm says. “How hard can it be to get 80 people in a room, talk about computer hacking, then go to the pub? … From there Kiwicon just burgeoned into a monster that fundamentally is built in our own image of not taking ourselves very seriously.”
Now more of a hacker-themed variety show, Kiwicon has become a slick, entertaining production that balances showmanship with technical content, a mix that guarantees the expanded 2200 seats this year will again fill fast. The upcoming event will likely be the biggest antipodean security con, despite its banishment of the immortal trade event annoyances: “vendor shillin', big money illin', no booth babes, no booths, no paid talks, no swag bags full of crap you're gonna throw out immediately, no bullshit, and of course the sticker shock of the ticket price,” the respected penetration tester says.
Recent notable talks include William Turner's evisceration of the then still-vulnerable Christchurch bus system, a feat which led to the then kid hacker winning 'most likely to be arrested' and, through subsequent bureaucratic hamfisting, led to admin credentials being disclosed in public freedom of information documents.
In another year, hacker Denis Andzakovic outfitted his Yamaha with a HUD and hardware to build a Wi-Fi war bike. At last year's con two hackers displayed equal measures of daring and showmanship when revealing algorithm flaws that allowed Kiwis to print their own non-expiring discount petrol coupons scanned at the pump. They even printed the barcodes on t-shirts and successfully demonstrated them.
Kiwicon is, like all the community cons that followed it, a manifestation of hacker imaginings. “We built the con we wanted to go to; cheap, real, friendly and interesting,” Metlstorm says. “That probably excludes the national-security F35-lovin' conference crowd.” “Tradeshow events showcase the root cause of the problems in the infosec industry,” Metlstorm says. “We humbly aim to be the opposite.”
The con bears a different theme each year, and the themes of late tend to mock the corporate technology world and the military industrial complex: 'it's always 1989 in computer security' chimed one 8-bit motif, while 'cyber-friends' was painted on Kiwicon 7 as an answer to the vacuous cries of cyber war.
Still, Kiwicon is an inclusive event and Metlstorm welcomes the errant military industrial tradeshow traveller: “So, if the day comes when they're ready to accept empiricism into their cold dead hearts, after all their shit got owned via the security products they bought or sold, we'll be here still, actual practitioners doing the actual work that actually advances the state of the motherf**kin' art.”
Unrest is a brand spanking new security con set to hold the first of what history says will be many events in Melbourne's north. The hacker con is billed as an unconventional audiovisual experience that will eschew the traditional conference space along with its filter coffee, jerks in suits, and awful hors d'oeuvres.
The con, with its fictitious Ministry of Unrest and Illuminati-esque iconography, is home to promising technical and social engineering talks, workshops, and a chill-out art and gaming area.
It is the brainchild of penetration tester, lockpicker, and hopeful comedian Wily. “We wanted to do something different,” he says. “A non-traditional venue, no corporate sponsorship, low cost, and high impact.”
Wily gives a nod to Ruxcon, the established but pricier Melbourne hacker con that since 2003 has regularly sold out with technical talks and workshops. “Ruxcon has been around in Australia since 2003, and has always brought together the Australian community,” Wily says. “Other community hacker conferences have sprung up around the country, and there is certainly room for more of these events.”
There is, Wily says, space for both the pricier cons, such as the recently held AusCERT corporate conference on Queensland's Gold Coast and the more expensive Syscan technical hacker con in Singapore, and the grassroots community events.
But without the big ticket price tag, Wily is merely aiming to break even: “We are hoping to break even, and if we're lucky we might,” he says. When asked by Vulture South if he and his fellow con organisers 'hate money', the hacker sums up their collective commitment to community: “we are a bunch of overpaid infosec jerks.”
This Sydney startup con is a hands-on hacker meet where the policy is show up with a laptop or not at all. Co-organiser lin_s has, with a little help from his friends, developed a conference that emphasises practical hacker experimentation. “We started the con and our community (Just Hack Shit) on the basis that we wanted to see something different from the traditional security content of just speakers talking at the audience,” she says. “We wanted to build a group where people from all walks of life could come and do infosec nerd stuff on the proviso that they had to participate.”