Archive for May, 2010

GeordieCon: The potential for a compsec convention in the North East.

Belgium has Brucon. Ireland has AppSec. Barcelona has Black Hat. The UK has around 15 universities doing courses in ethical hacking and information security, and most universities offer a computer forensics class. As a nation, we’re one of the most IT powered in the world, with almost ubiquitous usage of technology in government, services and enterprise. Unfortunately, the UK has not had a single computer security and hacking conference since Brumcon 2006, excepting the smaller OWASP and 2600 meetups.

The UK really is the prime place for a hacking conference. We have a level of enthusiasm and expertise in the computer security fields that parallels most other Western countries. Newcastle also is a prime location for a computer security conference, with an expansive public transport network, an international airport and amazing nightlife (I speak from experience). It also has a top-50 university which does a well respected Ethical Hacking course. Surely then, Newcastle is an ideal city for a con. Despite all this, nobody has run a convention in the Newcastle area.

I’ve always been enthusiastic about computers and security, to the level that I chose to study computer security at degree level. I read about it constantly, and hacking conferences have always fascinated me. In a moment of inspiration, I decided to buy a domain name, and investigate the possibility of a sub-small-scale security conference in Newcastle, where ticket prices were affordable and it allowed younger talents to showcase their projects, ideas and skills to their peers and potential employers and investors.

Let it be said that I think the likelihood of a security conference emerging from this late night fit of inspiration is very, very slim, for a number of reasons which I will list in detail below. I also don’t think that if a security convention did emerge, it would be by any means successful, be it fiscally, personally or with regards to its aims.

The first reason why is that I am honestly the worst person imaginable for hosting a security convention, on a number of levels. The first reason is that despite my enthusiasm for the subject, and constant desire to learn more, my level of expertise is virtually negligible compared to the many people my age who know a lot more than me, when it comes to computer security. Whenever I am doing anything with regards to computer security, I always approach it with a degree of humility, because I’ve got a lot to learn. This, despite not disqualifying me from running a con, probably suggests that it’s not the best idea.

The second reason is that conventions are notoriously difficult to run, according to… Well… People who have run conventions before. You’ve got to book speakers, book a room to host it, get interest in the actual convention itself. This is a hefty amount of work. On top of this, you have to ensure that things run smoothly and there are no hiccups. Which brings me on to my next point…

I study ethical hacking at great expense because I enjoy it and want to make a career out of it. To do that, I need to work incredibly hard. I’m doing an incredibly intensive course where you can’t really be abstract. You have to be incredibly precise and know your stuff. This means you have to study insanely hard. It’d be nigh on impossible to maintain a decent social life, study hard and manage a convention at the same time. From what I understand, it’s a real timesuck, which wouldn’t bode well for my studies.

There are other, smaller, but still important issues that put me off hosting a ‘con. The first is the issue of liability. I wouldn’t want to be held responsible for any stupidity that goes on that breaches a law, or gets me in trouble with my university. It’d be a bit of a pain, cobbling together the early investment. Function rooms and speakers aren’t cheap. I also don’t really have that many contacts within the computer security industry to help garner enthusiasm for the event.

Conversely, a short, affordable number of presentations relating to computer security would be potentially a good thing. It would undoubtedly generate and enhance enthusiasm, awareness and knowledge of the field of computer security in people who normally wouldn’t be able to make it to one of the larger, and more expensive, conventions.

It also gives a staging ground to display locally developed projects and knowledge by people, predominantly students, who normally wouldn’t have access to the decision makers in computer security.

If I was to realize my aspiration of launching a ‘con in the North East, it’d be simple. Just a one day, or half day event with speakers making presentations on computer security in a function room, or in a small lecture room. It’d be straight to the point, affordable and would be open to anyone with a good idea, or something cool to show or teach.

I want to say that I’ve not decided anything regarding a potential Newcastle based convention (which I’ve named GeordieCon). I’ve registered a domain name (geordiecon.co.uk), but nothing more, and if nothing becomes of this project, I won’t be too upset. Honestly, I’m just investigating the potential of launching a convention in the North of England. Admittedly, I’d like to launch one, but in the real world, you can’t always have what you’d like, and it’s much more sensible to approach this with a cautious, investigative eye.

If anyone has looked in to launching a ‘con before, or has actually done one, or even runs regular technology meetups, feel free to comment on this post and give advice or feedback. Like I said, I’m just investigating the possibility of a convention in the North of England. Nothing has been decided yet, despite how much I’d like to make this a reality.

Matthew Hughes

SecurityBSD’s new logo

Thanks to Krysta McBurnie for the logo. Follow her on Twitter at @thenonbeliever. You can find her website here.

Be careful what you post on Facebook

Facebook is a pretty cool site. Around 400 million people use it to share videos and photos, talk with friends and family and play games. However, Facebook as an entity has shown a blatant disregard for the privacy of its end users. A new website called Openbook shows the pitfalls of Facebook privacy settings by making a search engine that shows what Facebook users are posting in real time. As you can expect, with 400,000,000 users, some will mistakenly make status updates that they’d rather keep private, but which end up on the Openbook search engine.

What a delightful specimen of humanity. I, for one, am glad that people like the above are our next generation of doctors, lawyers, teach… Oh wait. Never mind.

(On an unrelated note, the garbage she is talking about refers to where someone attached England flags to property that didn’t belong to them, and they were cut down and returned to the owner. Nothing as sensational as a blanket ban on the England flag.)

I… Uh… Don’t think that’s how politics works, dude.

Yeah, you probably shouldn’t post a status like that Eric. Especially with open privacy settings…

Whilst it’s almost inevitable that the likes of 4chan and other internet riff raff will use a tool like Openbook to get as many people fired from their jobs as possible, it serves a purpose to educate people that Facebook isn’t the best place to post ill informed diatribes or rants about your employer.

If anyone takes anything from this blog post, it’s that you should really, really make your Facebook privacy settings the most strict that you can (or even better, delete your Facebook account). What you post on Facebook isn’t private. If you post something potentially embarrassing on the site, and it becomes viral, there’s nothing you can do about it. Whenever you post a status update, or upload a photo, just think ‘is this a good idea?’

Food for thought, anyway.

SecDaemon – An imagining of the SecurityBSD vision

Leonardo Botelho, a Brazilian FreeBSD and computer security enthusiast, is a greatly valued member and contributor to the SecurityBSD project. One of his personal, older projects accomplishes some of the goals of SecurityBSD, with an emphasis on usability.

All in all, it’s all pretty cool. Screenshots below.

New SecurityBSD splash screen

One of the contributors to the SecurityBSD project, Leonardo Botelho, from Brazil, has been so kind as to make a SecurityBSD splash screen.

This will be included in version 0.02, and, in my opinion, is pretty damn cool.

Thanks again to Leonardo.

Announcing Security BSD 0.02 – Codename: Banal

Named after a comment describing SecurityBSD on a Russian blog which translated, meant ‘Banal Shit’, SecurityBSD 0.02 is the next step in the FreeBSD based security distribution. This distribution has three aims: Functionality, customization and expansion. It will feature more security tools, it will fix config files to make sure that each application works as intended and the boot process will be adorned with the SecurityBSD branding.

We are looking for a late June release date for a number of reasons, which will be discussed on a separate blog post.

This version will also be ported to the O2 Joggler, which I will elaborate on in a later post.

Matthew Hughes

Hacking the O2 Joggler – FreeBSD and SecurityBSD

The O2 Joggler is a pretty powerful piece of kit. It features a dual core Atom processor, 512 megs of RAM, 1 gig of storage, wireless networking, Ethernet and USB connectivity and a touch screen. You’d assume that this machine would be a good computer for the kids or for the kitchen, able to handle most tasks with ease.

You’d think wrong, as it’s actually an incredibly locked down piece of kit with a substandard piece of software with limited functionality. Built on Ubuntu 8.10 with O2 branded OpenPeek software, it features a calendar, video, photos, a Sky News RSS feed and a Sudoku game… And that’s about it. Such a shame, as it’s such a decent piece of kit. It’s also a very hackable piece of kit, and affordable too, being only £50.

It’s already been hacked, with Ubuntu Netbook remix and Android running on it. I’ve decided to buy one, and try to get FreeBSD and SecurityBSD running on it, ideally without turning it into a very expensive paperweight. In a couple of weeks, when I return home from Newcastle, I’ll be hacking the Joggler and posting about it here.

SecurityBSD roadmap – from 0.01 to 0.5

I’ve compiled a list of things to do. As I see fit, I’ll update this list with what needs to be done.

  • Fix the config files. This should have been done before I made the release, but I was pressed for time. Off the top of my head, I can think of two different apps which I pkg_add installed in to the distro, but didn’t edit the necessary config files in order to make them functional. Incidentally, these two applications are Snort and Netcat. Feel free to edit the config files, chaps.
  • Translations and keyboard layouts. Since I released SecurityBSD as a Virtualbox image, the keyboard layout is UK English and the language is British English. The vast majority of people in the world don’t actually speak English, and don’t live in the UK. I therefore will release other virtual machines in different languages and keyboard layouts, with the first two released being Russian and Portuguese.
  • Expand! So far, SecurityBSD only has NMAP, Metasploit, Snort and Netcat, with only NMAP and Metasploit working! I plan to work through the NMAP 100 and investigate the potential for each app as a part of SecurityBSD.
  • Investigate the possibility of a GUI interface. Personally, I’m pretty averse to the idea of having a GUI. I want it to be entirely CLI based, in order to make it easy to run on legacy machines. Usability has to be a consideration too, so I will play around with some of the ultra-lightweight windowing managers and see if one will be suitable for use with SecurityBSD.
  • Customize the bootup process with a (to be designed) SecurityBSD logo in ASCII art.
  • Make a SecurityBSD logo.
  • Documentation. Documentation. More documentation.

As always, I need help with this, and I can always use volunteers. I want SecurityBSD to be a democratic, open project with a democratic, open development process. If you want to be a part, please, do e-mail me at me _-(at)-_ matthewhughes _-.-_ co _-.-_ uk or at admin _-(at)-_ securitybsd _-.-_ co _-.-_ uk.

Porting SecurityBSD to other architectures

SecurityBSD has been hit with an amazing amount of interest. I’m personally floored by how well it has been received by the online community, with major open source publications reporting on it. One commenter asked if I’d be porting the distro to the SPARC64 platform.

When I make SecurityBSD, I make it using the Virtualbox open source virtualizing software, which emulates an x86 platform, running on either Windows 7 32 bit or Ubuntu Linux 64 bit. I don’t actually have access to a SPARC64 system, so it’s impossible for me to produce for this platform. This issue is further exacerbated by the fact that much of the software which will be used in SecurityBSD will be wholly incompatible with certain platforms, namely the SPARC64 series of CPUs.

This, however, doesn’t discount the idea of me producing for the SPARC64 platform. If somebody was willing to let me SSH or Telnet in to a server running this series of processors or even donate a system running these CPUs, I’d happily work on the SPARC64 (or any other architecture) port of SecurityBSD to the best of my ability.

Food for thought anyway.

SecurityBSD 0.01 – Kevin Federline Pre-Alpha Released

SecurityBSD is an exciting new FreeBSD distro aimed at computer security professionals, and I’m very pleased to announce the first release of this young new operating system.

This release is not even slightly functional, and it is not currently even remotely recommended for production use. Most of the applications included do not work at the moment. The purpose of this release is more of a display of intentions of the SecurityBSD project rather than any functional project.

To run this, you’ll have to install Sun Virtualbox, which can be downloaded for free online.

Many thanks to John Bell of the University of New Mexico for providing bandwidth and hosting.

Download here.

I’ll be sure to post some documentation on the weekend, along with a roadmap for the project.

Matt
