Conference – We learn Security!

Softskills: Networking for your Career

Whether looking for a new job, enhancing your knowlege or finding like-minded people, networking is important for your career.

Social Networks

When I looked for my first job as a pentester I wrote to CEOs and company owners from smaller companies that I found interesting on Xing (which is manily active in Germany) and later I also used LinkedIn. I got invitations to interviews and found a job.

Further I use twitter, but not as much as I did 2-3 years ago. But you can still get information very quick when you follow the right people. For example when a PoC for an exploit is available it is posted fast here, but be careful and check the information.

On all networks you can use direct mail for contacting people when you have questions, in my experience most people are happy to help.

But how to start? First follow and add people you know. Search for people who might be interesting for you and also add/follow them. When contacting the first time, just say a few words about yourself. Share posts you find interesting and maybe start sending your own post, maybe a link to an interesting blog post you found interesting or a short course review.

You can also be successful without social media accounts, but for me it was a booster. It is also useful to stay in contact with people you meet at…

Conferences & Meet-ups

Another great place for networking is conferences and local meetings. At local meetings (I visited the OWASP meeting Cologne for some time) it is easy to get into touch with people in the area you live, you have presentations and can learn.

At conferences it depends strongly for me what you expect. For networking it might be better to go to smaller conferences, especialy if you don’t know anybody. Bigger conferences are also good, but maybe a bit overwhelming first.

You can get more contacts when participating actively, for example by giving a presentation or as a volunteer.

Or, when you are in the industry for a longer time, just meet with people you know.

And guess what? I got in touch with one of my employers at a conference.

Links

Review Threatcon & Offensive HTML, SVG, CSS & Other Browser-Evil

End of August I travelled from Germany to far away Kathmandu in Nepal for visiting threatcon and the browser security workshop by Mario Heiderich and the beautiful country. Here is a short review.

Browser Security Workshop

With the conference I booked the 2 days workshop Offensive HTML, SVG, CSS & Other Browser-Evil. The covered topics:

History of browser security and the browser market
Defense 101
XSS
URL obfuscation
Unicode, character sets
Breaking Filters (WAF)
IE/Edge compatibility modes
mXSS

The presentation includes 255 slides, so in 2 days it was not possible to cover everything, also there was no time for the hands-on parts. XSS is not the big topic anymore, but I was happy I can fresh up my knowlege and also learned some new stuff.

The Conference

The conference was one day with a single track, so contrary to Blackhat & Defcon everything was clearly arranged. On the speaker list were Mario Heiderich, Jim Manico, Georgia Weidman, Vignesh, Yogesh Ojha, Aniruddha Dolas and Prashant Tilekar, you may see some familiar names here.

Between the presentations there was lot of time for networking and discussions, with the business pass I also joint the evening event which came with great drinks & food.

For me the best at conferences, of course, is the networking part. It was a great pleasure to meet and connect with new people and friends.

#threatcon2019 #nullcon @THREAT_CON
@DanielX4v3r @AniruddhaDolas pic.twitter.com/cpFw5KjfMX
— prashant tilekar (@prashanttilekar) August 29, 2019

When you are new to IT security I highly recommend to visit smaller and local conferences if possible, it is much easier to connect and to visit.

Thanks to the organizers of threatcon for a great event.

Visiting Nepal

After the conference I took four days for traveling and sightseeing, this is just a very small impression (I made >1000 shots). I travel a lot, and this was one of the most impressive experiences I’ve had.

Review Black Hat & Defcon 2019

Black Hat

Black Hat is a pretty commercial conference, tickets for two days cost more than 2000$, if you want to attend the briefings. There are also trainings, costs vary and are much higher. The content qualitiy is usually very high, the attendees vary from consultants, CISOs, developers, and all kind of IT security professionals. There is a big crowd with about 17000 attendees in 2017.

The Black Hat is being held at the Mandalay Bay.

The briefings are picked by a review board in a call for papers process. Researchers present their top work, often campaigned weeks before the conference.
In the business halls all kind of vendors are present and giving away loads of swag for attendees and also throwing parties.

Keynote

Black Hat USA 2019 Keynote: Every Security Team is a Software Team Now by Dino Dai Zovi

Arsenal

I am mainly at the Black Hat for the Arsenal. It is a great opportunity for developers to present their work at booths that are also located at the business hall. For the last three years I could thankfully present AVET (AntiVirus Evasion Tool), which is giving presenters a briefings pass. The tools are also picked by a review board.

There are a few things I wanted to mention about my experience #Blackhat2019 @ToolsWatch
— Daniel Sauder (@DanielX4v3r) August 10, 2019

A short thread

Defcon

Defcon is the “real” hacker event in Vegas and is completly different as Black Hat (although both have the same founder). Black Hat and Defcon overlap one day, Defcon is four days. Costs for 2019 were 300$, qualitiy of the talks is also high and more fun might be included (like talks about phreaking). More offensive security stuff seems to be included here.

pic.twitter.com/gwxbxNlOvj
— DΛNIΞL 🤖 (@hypoweb) August 7, 2019

This year the event was spread over four hotels including four presentation tracks, several villages (areas with talks and hands-on for several topics), parties, CTFs, movies and so on. It was said that about 30000 people attended defcon in 2019, so everything was pretty crowded and also a bit confusing. Walking between the different spots can take between 10-20 minutes.

Defcon is meant to be a hacker con, which is true. Also, there is a strong drinking culture present, fist time speakers must drink a shot (and attendees demand it loudly).

Track 2 @ 11 am! Might have to make the speaker take a shot.
— defcon parties @ cancelled (@defconparties) August 10, 2019

There is also a media server which is worth a look.

Conclusion

If you have the chance to attend Black Hat/Defcon you should give it a try. It is great to connect and develop your skills and I have met some great people and made new friends.
For people who want to advance their career it is definetly great, but if it is your first conference you might consider to go to a smaller event. The atmosphere in Las Vegas is somewhat special, with the hotels, the casinos and the tourists around.

Short Review: x33fcon

x33fcon is a nice & small conference in Poland, Gdynia near to Gdansk.

“Welcome to x33fcon, a new gathering for IT security professionals and enthusiasts. It’s a new event where blue and red teams meet to exchange views and ideas, share experiences, and discuss the latest security challenges in the industry.”
From: https://www.x33fcon.com/

The ticket price is low (also if you plan to travel there privately), the content was really professional and interesting, a bit more than someone might expect when you see the size of the con. Kudos to the organizers for getting so many interesting speakers and talks. Besides the talks there is also a CTF and workshops, after the conference trainings take place. There is also some great food for lunch, in the breakes there is coffee and small snacks. The breakes are long, so you have some time to talk with speakers and other folks around. Seems to be that ATT&CK is the hot topic currently, at x33fcon alone they had three talks about that.

From my point of view as a Red Teamer some more talks about breaking stuff on exploitation level would have been great. x33fcon is a great conference, the only critics from my side is that the attendees are being filmed in every talk from any perspective possible. At other conferences they ask when making photos or filming, maybe that might be an idea when not filming the whole audience.

Besides the conference Gdynia, Gdansk and the beaches around are really nice:

Conclusion: Highly recommended.