Web Security

Security B-Sides Ottawa

I spent last Friday and Saturday at an information-security conference here in Ottawa. I had a really great time, and just in case you weren’t paying attention to my constant spamming via Twitter, here’s a slightly more cohesive summary of how it went down:

What is Security B-Sides?

Security B-Sides is a sort of unconference for the information security community. It’s free and community-driven, and still attracts some fantastic speakers. There have been eight of them to date, and this was the first to be held outside of the United States.

There are at least half a dozen planned for 2011, so if this is your kind of thing, see if you can make it to one near you!

The organizers did a great job bringing B-Sides to Ottawa.

They would be local information security rockstar Justin Foster, western Canada’s D-List infosec celebrity Andrew Hay, and self-proclaimed “infosec curmudgeon” Peter Hillier.

The event was hosted at Tuscon’s, a blues bar/restaurant in town (the staff there were fantastic, by the way). Justin managed to chase down a myriad of talented speakers, which we’ll get to in a moment. It was a two-day conference, with free admission, free food, and (some) free drinks. Registration maxed out at 125 well ahead of time, and at least on the Friday it looked like a full house. This was especially good for the unconference vibe, as the layout of the restaurant (many small tables) encouraged lots of chatter among attendees.

All in all, it was a total hit. Now, on to the speakers!

First up was organizer Andrew Hay, talking about his D-List status.

Andrew discussed celebrity status within the infosec community, and how other than a few big names there really aren’t that many well-known computer security experts, especially in the B- and C-list range. Therefore, he says, more or less everyone is on the D-list by default. He encouraged all of us to get out there and join the community. He’s quite the role model!

Oh, and his slides featured a picture of himself in a dress. All in all, a solid opening to the event.

Next up was Kellman Meghu, explaining some information security lore.

Kellman‘s talk was hands-down my favourite for day 1. He debunked a number of myths relating to computer security, and told some great stories about common mistakes made back in the early days of the interwebs. It was very insightful, and just as funny — he had the audience in stitches almost the entire time.

One of my favourite things about this talk was that it wasn’t targeted at any particular level of knowledge. Everyone watching could relate to his points and jokes, and all of it was appropriate for the given audience. If you ever get a chance to see Kellman talk, don’t turn it down.

After that was lunch, and then a talk about Star Trek.

Well, a talk about paradigms in information security, but using Star Trek as a metaphor — complete with clips and lame jokes. This one was full of surprises (it was added in a last-minute line-up change), but I couldn’t really relate to it. I’m not even a little bit into Star Trek, so most of the comedy was lost on me, and the material didn’t quite stack up to Kellman’s. A lot of people were into it, though, so maybe it was just me.

Then there was Peter Hillier’s EMR talk.

This was a presentation I was really looking forward to. We do a lot of healthcare work at my 9-to-5, so I took a lot of notes as it’s not every day you get to hear a public-sector security expert discuss electronic medial records.

The main message I got out of the talk was that we’re currently seeing a big disconnect between vendors, doctors and regulators. All the knowledge related to what we need in terms of security and privacy features is held by the vendors, which leads to regulators largely ignoring security features in their legislation. This is frustrating for doctors, which are left to figure out the complex issues of security and privacy on their own.

This sparked some great discussions, and I caught up with Pete afterwards for a quick chat. He’s a stand-up guy, and a huge supporter of the infosec community in Ottawa (I recognized him from our local OWASP chapter meetings, and his Twitter account). Definitely the right kind of speaker for a B-Sides event.

Following a short break, Eric Skinner lectured us on authentication.

As in Eric Skinner from Entrust, the kind sponsor who bought us all lunch. Two things were particularly notable about this presentation:

First, it was a really good summary of modern authentication techniques. It wasn’t boring, even though the information is inherently dry, and the level of depth he went into on each topic was perfect for the given audience.

Second, you would never have guessed Eric worked at Entrust (they sell authentication solutions) if he hadn’t clearly disclosed it. He didn’t push any of his company’s products or services, and was completely fair in his analysis of each method of authentication he covered. This is very important for a conference like B-Sides, and it was good to see Eric do it right.

Wrapping up day one was a security debate.

This was pretty neat. Four security aficionados on stage, debating various security issues, led by the venerable Jack Daniel. I won’t go into too much detail about the topics, but they all led to some interesting conversations. Justin was handing out drink tickets at this point, so the chatter really started picking up in time for dinner.

Halfway done! Take a break if you need one. Otherwise, let’s get to day two:

Day 2 started out with a bit of math.

Specifically, Ahmed Masud explained how algebra can be applied to computer security in place of algorithms. The idea here was that algorithms are always heuristic in nature, and that the only way to ever truly reach 100% security will be with equations and problem spaces.

The math was a bit over my head, and I think a lot of the other attendees were also a touch lost. Interesting concept, though — definitely good food for thought.

Next up was a talk on fuzzing.

This was definitely one of the most popular talks of the entire conference. Karim Nathoo and Mike Sues gave an absolutely mind-blowing explanation of modern fuzzing techniques. It was a real eye-opener for a lot of people (myself included) and they played some recorded demos to illustrate their points. Definitely a winner.

On a somewhat-related note, Karim totally won a Macbook Air through a random draw on day 1. And he gave it to his wife. Having only been married for a month and a half, I’m still not sure if that was crazy or pure genius.

After lunch was Raf’s talk.

Rafal Los is a web application security evangelist for HP, and a funny guy. I met him on day 1 (he gave me a sticker!) and he was in the debate at the end of the day. He’s exactly the kind of speaker you want at a B-Sides event; there was an avalanche of heckling audience interaction during his talk.

Content-wise, he was talking about automated tools for security-testing web applications. His material was very interesting, and covered a lot of quality assurance concepts that I was aware of but had never really thought to apply to security. Very neat stuff.

Next was Ben’s talk on motivation.

Predictably, I loved this one. Motivation is becoming a big interest of mine, and Ben Tomhave‘s talk about how to motivate users with security in mind was absolutely stellar. I think he’s given this talk before, which means he might do so again, and if that’s the case I would suggest you listen in if given the opportunity. Everyone was talking about this one.

Then there was a big discussion about CERT.

I was completely lost on this one. There were a lot of public-sector folk at the conference, and this was less of a talk and more like a discussion among attendees being moderated by the speaker, Adrien de Beaupré. It was apparently very engaging and valuable to a lot of people, but I realized this would all be over my head right from the start when I had to use my phone to look up what a Computer Emergency Response Team was. A great presentation for a B-Sides event, just not my thing at all.

Finally, we learned a bit about Nmap.

I really didn’t know anything about Nmap going into this talk. Fortunately for me, the speaker (Ron Bowes) was a developer, so we clicked on that level. I learned a lot of interesting things (did you know Nmap is written in Lua?) and he did a fantastic job setting up demos considering Nmap is a network scripting framework and there was no wireless at the event.

Thanks to everyone I met and talked to!

Specifically, I’d like to call out Justin, Andrew, and Pete again for organizing everything, Mark and Ken for hanging out with me during the talks, Ben and Nicky for chatting/drinking with me and Norbert Griffin, who came all the way from Newfoundland to volunteer at the event and lent me a charge cable when my iPhone battery died.

Can’t wait to see you all again someday!

2 replies on “Security B-Sides Ottawa”

Leave a Reply

Your email address will not be published. Required fields are marked *