
BSidesPDX 101: Conference Organization, Capture the Flag, Contests & Events

BSides PDX · 2019 · 27:38 · 584 views · Published 2019-11 · Watch on YouTube ↗
Tags: Category: Community · Topic: CTF · Style: Panel
About this talk
A panel of BSides Portland organizers discusses the behind-the-scenes work running the conference, including the formalized call-for-papers process, badge design and hardware hacking, and the accessible CTF competition. Covers governance as a 501(c)(3) nonprofit, volunteer coordination, and infrastructure lessons learned from scaling events.
Original YouTube description:
Capture the Flag, Contests and Events, Badges, & more with @TTimzen, @securelyfitz, @r00tkillah, @_m46s, @aagallag
Transcript [en]:

...organizational perspective, to talk about the events and everything else that's kind of gone into this event aside from the presentations and the workshops. So up on stage with me are people that have had, well, minus Joe (Joe's somewhere being Joe), but the majority of people up on the stage have put in significant effort and a lot of work on top of everything else that the volunteers and everybody else with these orange staff lanyards have put in. So we're going to talk about essentially the organization of this. So who we are up here, essentially: we're the conference organizational committee, we're event coordinators, we're board makers, badge makers, hackers, and in some cases people convinced they wanted

to help, which in some cases takes a lot of convincing, because there's a lot of work that goes into organizing events such as this. So this is BSides Portland, the prominent Pacific Northwest security conference. I'm very happy that y'all decided to stick around for the 101 track and to come here on a Friday while there's other, lesser conferences potentially happening in the area. So from an organizational perspective: Joe had alluded to the fact that we're a 501(c)(3) now, and we actually have been a 501(c)(3) now for two years. We got our official status from the federal government last year, right before con, and that was all due in part to John Hannis, who's the president

of our board. Listed on the screen here is everybody that's involved from an organizational perspective for the 501(c)(3) entity. While these individuals also contribute to the conference and all of the conference planning that happens essentially all year, but really ramps up right after Vegas and the sort of DEF CON / Black Hat frenzy, these people are on the phone once a month and behind the scenes working on various things just for the organization. So myself, for example: I serve as the treasurer, so I get to count all of the money that you donated to us and that the sponsors donated to us, around April, to make sure that we're not going to wind up in 501(c)(3) prison.

Don't want that. Furthermore, we have board members; we have information in a Google Group. So the fact that it's a 501(c)(3) means that everything we do needs to be public and documented, so if you're at all interested in how the event comes together behind the scenes, not from an event perspective but from an org perspective, join the Google Group. Mike, up on stage here, is our treasurer; he hosts all of the board meetings and posts all of the minutes, gets everything aligned and makes sure things happen. So the CFP this year was run a little bit differently. This was actually the second time ever that we had a CFP process, so last year Joe Fitz

led the effort to sort of formalize the CFP and develop a process. As he sort of said in his introduction, we have the CFP form on our website and it's there all year; we never take it down. Anybody, like you, can go and submit to the CFP now for next year. Don't recommend it. You should do it. Don't recommend it, just because we're not going to tell you anything for 11 months about getting your submission, but it's there. But we've always had an informal process, so as a result of last year's efforts we formalized a process: we got an actual review board, we came up with metrics and guidelines for

everybody involved, we had speaker communications, we had acceptance emails, we gave people that were rejected in round one feedback so they could make round two submissions better and redo it so that their point was getting across better. And then if you proceed in round two and still wind up with a decline, because of the overwhelming amount of submissions that we actually have, we do our best to provide every single person that submitted individualized feedback to make their submissions better for other events or for BSides Portland next year. This is a huge amount of work, and it's in thanks to everybody on the screen listed that's on the board. So if you see any

board member at any point during this conference, definitely go up to them and thank them. But also, if you see somebody with the blue badge as a speaker or a workshop coordinator, thank them even more, because they put in way more work than we did. So as far as the CFP process goes, we have two rounds, one of which closes in August, right after the Vegas frenzy, and one which closes in September. As a result of that we have about a month lead for round two in order to give people round one feedback if we feel that their submission is really good but not quite up to snuff to get overall acceptance from the review board. And we

also have a record number of those coming through every year for both rounds, so the earlier you get a submission in, the better, and the more care that it gets from all of us. With sort of the evolution of the con and the fact that we've grown this year about 40%, the CFP has actually grown about that much as well; we had record numbers for both rounds, and we unfortunately of course couldn't accept everything. Within the conference we have about 22 hours of total prepared content, so we basically run a keynote both days and then we start talks at 11 and we go till 5. So if you look at that time block, it's

about 24 hours, but then we do lightning talks and then we do BSides PDX 101, so we're reduced to 22 hours of actual presentation content by presenters. With that we have one-hour talks and 25- or 30-minute talks, and we try to lap those in the schedule such that they're paired together, so you can go back and forth to a room and there's not two 30-minute talks happening with a one-hour talk. But that's all just schedule coordination. As a result of all the expansion, too, in round one for example we realized that the workshop submissions were at such a high caliber this year that we couldn't turn any of them down

for any reason, because they were all just terrific. So we had a problem early on in round one where we were running out of capacity already for the workshops. So I got on a phone with Joe, I'm like, Joe, all of these workshops are amazing this year, I don't want to decline any of them, what can we do about it? It's like, well, let's spend more money and get a second track for workshops so we can have an A and a B track. So we were able to actually, through the process, accept every single workshop that came through, because every single one of them was terrific and we couldn't say no. So for anybody that's organizing a workshop,

go up to them and thank them and tell them, like, keep doing the good work; workshops are where it's at. Furthermore, presentations: they're all terrific. From an organizational perspective, and being the chair of the CFP this year, I got to have sort of first dibs at reviewing everything and having direct communications with speakers, and it's never been an easier process to work with everybody. Everybody going through the process was great. And to kind of quote Ava and her keynote that just happened: a lot of people go into talks and they think that they don't have something to offer, or that, oh, this person beat me to what I wanted to talk about. Don't worry about it. Submit

to the CFP. Submit to every CFP with your ideas. Make sure your abstract is good, get it reviewed, have an outline, and then submit it. Don't think that you're not somebody that can also be presenting. And kill your heroes: get up here, submit to the CFP, and we'll see if we can fit you into the schedule, because we'd love to. I talked about that already, I got ahead of myself. Google Sheets is horrible; we need a better way to do the CFP, so that's coming next year. But that's, like, behind the scenes. Basically I have this huge spreadsheet and I had to do a lot of GPS and stuff on, like,

comma-separated values from an exported Google Sheet. It's horrible. Don't recommend. So I'm going to transition, now that we've kind of talked about organizational things, to badges. So who loves the badge this year? Everybody. So it's Multnomah Falls, which is near and dear to my heart as an outdoor enthusiast. If you read any of my bios or go on my Twitter, like, I try to make everything like, yeah, you know, computers are great, security is fun, I'd much rather be, like, in the woods. So I'm glad that while I'm here I have like a little piece of nature around my neck, and I'd like to thank Maggie for that and get her up here to talk about

the idea and how it all came to

be. Hi, my name is Maggie and I got to design your badge this year. So I'm here to tell you how you too can become badge master for a conference. Basically I've been seeing Joe and Mike do amazing badges year after year for both BSides and DC503, and my favorite was the bike badge, where there were LEDs going around the wheels and if you touched the pedal it would go faster. And I had the idea to make a waterfall one with LEDs in the back, and I would tell everybody, we should do this, we should do this, and this year when I recommended it again they said

you should just do it. So I did. I didn't have all that much experience; I'd made one badge before. One of the projects that my team at Intel supports is CHIPSEC, if you've heard of CHIPSEC, but that was kind of easy because there were front-facing LEDs, it already had the artwork, the logo was done and everything. So I did have some experience; I'd used DipTrace to do that one. We also did have electronics just for our wedding; I worked on a little bit of the artwork for that but not the electronics. And I'd also been known to put LEDs on my shoes or EL wire on my dresses and

rip components off of boards and put them on my nails in between acrylic layers. But this year we started from scratch. We started with the artwork, and I wasn't sure exactly what shape would be good, because if you've been to Multnomah Falls it's kind of this really long, thin thing. So do we do a square long thing? That would probably have sharp edges. So I thought of an oval; the oval was a little portal-y and strange. So then I thought raindrop, because Portland. So I sketched this little drawing out, and I found this awesome PCB art tutorial on Hackaday. It's on YouTube and I've linked it in the slides if

anybody wants to go check it out. It's great; it's by Andrew Sowa, and step by step it tells you how to manipulate the images and break them into different images that you can then process with KiCad and put them all together and have every single piece of your artwork be in the layer of the PCB where you want it to be. So that's kind of half of the work. Then came KiCad, because I'd never touched it before, and I met Chris Gammell this year during Black Hat, and he's fantastic, and he told me all about his podcast and YouTube channel, and I

that was exciting, and then we said our goodbyes. But I feel like I've been hanging out with him ever since, because every time I would run into a problem, how do I do this, Google, Chris's video was the first hit, and he's just an amazing teacher. He has this YouTube channel called Contextual Electronics, so if you're new to KiCad, when you run into problems (not if), you'll probably see his face; click on it. He's an amazing teacher, he's really organized and nice and he'll walk you through it. And then thanks to OSH Park we got prototype boards in one day, and they looked pretty good. There were a lot of

lessons learned. This was one of the early prototypes where I thought of the oval shape. Originally I thought of doing a more realistic picture, PCB art, but that was kind of messy. I definitely recommend doing more of a clip-artsy type, simpler image if you want the trees to be one color and the water to be a different one. Definitely give yourself more than two months; we started working on this after Vegas, and do not recommend. It's a little bit of panic there and some late nights. Side-view LEDs are a thing that I did not know about. The bike badge, for example, had backlit LEDs, so

the LEDs are very directional, so you'll see a dot on the front. So these have LEDs that are on their side; if you see them they have like a belly, so they shine parallel to the board, so they disperse the light that way. And adding the hot glue in the back helps give a viscous medium that you can disperse that light over. We tried sparkly hot glue and that helped a little bit, but not significantly enough to where we wanted to do it for every badge. One of the other things we learned is that the polygons on the artwork, for example the trees I made on the

copper, I used all those copper planes as ground planes, and so DRC was good, ERC was good, but there was a bit of a short in one of the first prototypes because it didn't recognize that that was a ground plane that was touching AA, and we had to do a little cut-the-traces and do a little magnet wire. But all was fixed. And it really takes a village; I did not do this on my own, I had tons of help. First and foremost, thank you so much to OSH Park and Screaming Circuits; they really went above and beyond, especially Drew and Dwayne. They

even made specific jigs so they could pick and place all the parts. They did everything for free and they were amazing to work with. It wasn't a one-and-done deal; we bounced emails back and forth for months. Andrew Sowa's tutorial, go check it out, it's fantastic, and he has his own website where he does portraits of people in PCB art; it's fantastic. Chris Gammell is stellar. So, Joe Fitz and Mike, for letting me reuse their schematics and code that we recycle every year, that's great. Office djet did your badge last year and he's the one who knew

how to do the side-view LEDs and the hot glue, and had a lot of KiCad experience, so a lot of those late nights he was helping me figure out if I'd messed anything up. Mickey, for all the tribal knowledge and support, you're awesome. And everybody who was here helping put these together in the badge party the other day, you guys are great. If you want to go look at the code, make your own, change it, look at the images or anything, everything's up on GitHub, so go check it out. And thank you so much for trusting me with your badge. I hope you

like it as much as I do.

Hey, so it wouldn't be BSides if there weren't contests and events. I mean, the talks are neat and all, but let's play some games. So I guess this isn't strictly a game, but you can make it one if you try hard enough: we have a sticker swap. If you go to the event room you can pick up a sticker and you can stick it on things. Please don't deface the convention center; at least don't let them see you do it. We have once again the backpack drive for foster youth. This is a great program, and I know that you have at least one, perhaps several, Black

Hat bags that you don't want. I don't know if we have a bin yet in the event room, but they are there. Okay, they weren't there last time I looked, but they are there now. So yeah, bring your Black Hat bag today or tomorrow and put it in there. Once again we have lightning talks. If you didn't think ahead of time to submit something to the CFP and instead had a great idea just right now, or maybe five minutes before the lightning talk, or maybe like five minutes after, just do it. Dean's going to MC that and it will be amazing. Once again we have the quiz

show. Steve puts this on every year and it is a fantastic time. If you forgot to do the lightning talk but then you had a good idea and you want to do the quiz show, you should do it; it'll be amazing. We also have Whose Slide Is It Anyway, so if you ran out of ideas for the quiz show and that didn't work out, you can still go to Whose Slide Is It Anyway, and you don't even have to prepare slides; we have those for you, so you're really ready to go. Then of course every year we have the CTF, and I want to

thank Topher once again for running the CTF. So I get up here every year to talk about the CTF. It's a project that I've been leading for BSides Portland for the last, I believe, three years. I started running it in 2016, so I ran it '16, '17 and '18. We also did a CTF at OMSI, which was excellent; it was run through their Maker Faire in 2018, right before BSides Portland, so everybody on the CTF committee got to run two events within like a month of each other, and there was no challenge reuse. It was horrible, it was a lot of work, but it worked out. I get up here and I also talk

about how I really enjoy the fact that a lot of CTFs are becoming open source now. There's a big issue amongst CTF organizers and people that compete in CTFs that there's never source code afterwards; there's never solutions from the challenge organizers, or concepts. There's solutions of people that solved the challenge, but never of how the organizers felt the challenge should have been solved, so there's this huge disconnect of knowledge. So in 2017 I got up here and I gave a talk about the CTF framework that I helped develop and how we're making CTFs, at least for BSides Portland, a little bit revolutionary, where everything's online, everything can be played afterwards. So we do everything with, like, Docker

Compose, and not only do we give the challenge code, we make it easy for you to deploy on your own machine so you can solve it as it was meant to be solved during the CTF. Because I know a lot of people want to play; they don't necessarily have the time, the event room is limited in space, the intertubes usually suck in the conference center (hopefully that's better this year with the dedicated CTF AP), but people always want to play, and there's not enough time in two days to do it all. So we publish everything in order for people to be able to play whenever they want, and for the most part

there's not a lot of code rot, so you can probably still play the 2017 CTF. So, sort of backing up, going forward in time: we had this thing called Hack Boat this year. Who was on Hack Boat? Anybody in the room? Yeah, Hack Boat. So on Hack Boat I gave a talk as well about the history of the BSides Portland CTF. It talked more about the framework; it had statistics and metrics of how many people participate, how many people solve challenges, why we scale certain challenges to a certain difficulty. One of the things that we really like doing with the BSides Portland CTF is making things very accessible. This isn't DEF CON, this isn't

Vegas. If you've never solved a CTF challenge before, get into that room and you're going to cat your first flag, and you're going to, during the closing ceremonies, be able to raise your hand when we ask the question that we do every year: who catted their first flag in the CTF? So go do that; I want to see people's hands up. So as I was preparing that talk to go on to Hack Boat, I sort of realized that I have been the face of this for three years. I helped build this framework, I keep talking about how the framework makes challenge writing easy and events easy to run, but I'm the one that's always

been doing it. So I'm using my own framework, and I've never seen somebody else use it. I know people at other BSides that have done it; I don't necessarily know if they use the same format, but it is there and people have used it. But I've never seen firsthand at my conference, BSides Portland, somebody do it. So I joked on stage at Hack Boat, I'm done, and I kind of pointed to a couple of people, like, you're doing it next year, and one guy was silly enough to say yes. So, welcome Aaron to the stage to talk about how he took over the CTF for

me. Yeah, so I'm the aforementioned silly guy who agreed to do this for some reason, but I have really gotten an appreciation for how much work Topher has put in, just from doing it for one year. I'm kind of burnt out now, trying to find someone else to hand this off to. But, you know, had a lot of fun this year. And just to kind of go over really quickly, if you don't know what a CTF is: it's a computer security competition, so we basically take hacking and we try to include both kind of like the blue side and the red side, and we gamify it. So there's a

scoreboard; it's like a Jeopardy board, so you just pick the challenge you want to try and do. There's no prerequisite; you don't have to have done another challenge before that. And the kind of stuff we'll take you through is like web and binary exploitation. So the web stuff, that's, you know, pulling up Burp and looking at the traffic. Binary exploitation, that's pull up GDB and try and build some exploits, find some vulnerabilities with, you know, Ghidra or IDA Pro or something like that. We also have forensics, which is, you know, like pcap files, and reverse engineering. And, like Topher said,

unlike at other CTFs, we try and make it as easy and beginner-friendly as we can; we'll find out if we succeeded at that. So if you don't solve one, don't feel bad about it; that probably means we didn't make it easy enough. But I really hope you come and check it out and talk to us, and if you're struggling, talk to us; we might be able to drop you some hints to get you moving in the right direction. These are the categories we have, as I kind of already mentioned: binary exploit, reverse engineering, web exploit, forensics. But then this year we've also introduced two new categories that I'm

really excited about. We have a physical category, which includes stuff like lockpicking, RFID scanning, stuff like that, and then also a data recovery category. So I don't even really totally understand how this challenge works, but basically you're provided with like a little clean box where you can try and reassemble and fix the drive heads on a hard drive, and if you're successful you can pull that flag out and submit it on the scoreboard. And just to talk about the infrastructure a little bit: the scoreboard is manually deployed to an OCI (that's Oracle Cloud Infrastructure) compute instance on its own separate virtual cloud network,

totally separate from the challenges. All the challenges are automatically deployed with Kubernetes, using Oracle Kubernetes Engine, and this year I spent a lot of time working on the network policies; we're using Calico for that. So the idea is, once you own a certain challenge and you now have like a shell on it, the idea is to try and make sure you can't then pivot to other challenges, and hopefully not escape out of the pod and get on the node. But if you do, definitely let me know and I'll give you lots and lots of points for disclosing it, but I prefer you don't

totally hose the entire infrastructure and ruin the fun for everyone else. But you'll basically win if you can get out of a pod. Yeah, and then another security measure is I made sure that the service account tokens don't have any capabilities, at least as far as I could tell; I can't even use the service account token to enumerate pods. And on top of that I also tried and made sure that no pod even can connect to the API master. I just want to give a huge thanks to Oracle Cloud Infrastructure; they sponsored the entire CTF infrastructure, we didn't have to pay for any of it.

And then I would also really like to thank all these people who worked really hard to create challenges. Without them I would not have been able to do it, and if I had, no one would have fun doing the challenges, because it would all just be like pwn and RE stuff. So thanks to F Harding, 0xFD, Carl one ndo, m dead and wire glitch. If any of you are here, can you, like, stand up? I see F Harding; you've got to stand up. Everyone give him a round of applause. Yeah, and I assume everyone else is hard at work fixing stuff last minute. I think the CTF goes

live in like half an hour, so this is the URL; come check it out. We're going to be across the hall in the events room hanging out. I've got the scoreboard showing on the projector. Rula was awesome and got us our own AP, so hopefully the network's a little better than it has been in the past. And a projector for the first time, a projector, so that's awesome. It's going to make it more competitive; you'll see your team name moving up the leaderboard. So should be

fun. No, keep it going, Aaron did an amazing job. [Applause] So it wouldn't be a BSides without, of course, some evening activities and potential debauchery, but not that much debauchery tonight, because it's going to be right here in the convention center. As Joe mentioned, we're going to have Whose Slide, the quiz show, we have two movies showing, so WarGames and Sneakers, and we're going to have drink tickets that you have to hunt down and find. It's a CTF but without points, but the points are beer. Saturday night we have sort of informal gatherings, because we've outgrown the capacity of a lot of the venue spaces that we used to host the

afterparty at, such as Control H. We're going to restrict that now sort of to volunteers and staff, but we're going to have events and informal gatherings at Spirit of 77 across the street, which is where lunch is today, which I believe is starting, like, now, and then also at Ground Control in downtown Portland. Who's been to Ground Control? Is it awesome? Everybody go to Ground Control Saturday night; it's a blast. Portland geeking and arcade games, what's not to love. We already talked about lunch; it's happening now. Saturday there's food tents outside in the Columbia Bank parking lot. Columbia Bank's awesome; they're a sponsor and they're also who

we choose to bank with for our 501(c)(3). Awesome group of folks, and they're letting us use their parking lot. And that's the end of file, and now we can have chatter, or if there's questions you can come up to that microphone or harass any of us later. [Applause]
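Aaron describes three isolation goals for the challenge cluster: a shell on one challenge pod must not be able to pivot to another challenge, service account tokens must carry no rights, and no pod may reach the API server. The manifests below are an added example written for this page, not the BSides PDX CTF's own deployment, showing one way to get those properties with Kubernetes NetworkPolicy plus a Calico GlobalNetworkPolicy (the talk names Calico as the policy engine). The namespace `challenges`, the challenge name `example-web-chal`, the image reference, and the CIDRs are placeholders; substitute the real node, pod, service and API server ranges for your cluster.

```yaml
# Added example (not the BSides PDX CTF's manifests). Assumed names: namespace
# "challenges", a challenge pod "example-web-chal" listening on 8080, and
# placeholder CIDRs for the node/pod network and the API server service IP.

# 1. Challenge pods get no service account token at all, so even an RCE on the
#    challenge finds nothing to present to the API server.
apiVersion: v1
kind: Pod
metadata:
  name: example-web-chal
  namespace: challenges
  labels:
    app: example-web-chal
spec:
  automountServiceAccountToken: false
  containers:
    - name: chal
      image: registry.example.invalid/web-chal:latest   # placeholder image
      ports:
        - containerPort: 8080
      securityContext:
        runAsNonRoot: true
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
---
# 2. Default-deny both directions for every pod in the namespace. With no
#    allow rule for pod-to-pod traffic, a shell on one challenge cannot reach
#    another challenge's service, which is the "no pivoting" requirement.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: challenges
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# 3. Re-open only what players need: inbound TCP/8080 from outside the cluster.
#    The "except" carve-out keeps the cluster's own network (placeholder
#    10.0.0.0/8) from being an allowed source, so other pods stay blocked.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-players-to-web-chal
  namespace: challenges
spec:
  podSelector:
    matchLabels:
      app: example-web-chal
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8          # placeholder: node + pod + service CIDRs
      ports:
        - protocol: TCP
          port: 8080
---
# 4. Belt and braces for "no pod can connect to the API server": a Calico
#    GlobalNetworkPolicy with a low order number is evaluated before the
#    namespaced Kubernetes policies, so a later, too-permissive egress rule
#    added by a challenge author cannot reopen the control plane or the
#    cloud metadata endpoint. Calico labels namespaces with
#    projectcalico.org/name, which the selector below uses.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: challenges-deny-control-plane
spec:
  order: 10
  namespaceSelector: projectcalico.org/name == 'challenges'
  types: ["Egress"]
  egress:
    - action: Deny
      destination:
        nets:
          - 10.96.0.1/32           # placeholder: kubernetes.default service IP
          - 10.0.0.0/8             # placeholder: node network (kubelet, API)
          - 169.254.169.254/32     # cloud instance metadata endpoint
```

Two checks are worth running after applying this. From outside the pod, `kubectl auth can-i --list --as=system:serviceaccount:challenges:default -n challenges` shows what the namespace's default service account could do if a token ever were mounted; it should list nothing beyond the self-subject review endpoints every authenticated identity gets. From inside a challenge pod, `curl -m 5 -k https://kubernetes.default.svc/version` and a `curl` to a sibling challenge's service should both time out rather than answer; if either succeeds, a policy is missing or the CNI is not enforcing it, which is exactly the pivot-or-escape finding Aaron said he would pay points for.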