COMMENT:

Evil corporate minions and government agents missed a fantastic opportunity to get a good look at a huge chunk of annoying infosec practitioners and researchers last weekend in Wellington.

Gathered at the Michael Fowler Centre auditorium were many of the super-skilled people who find holes and mistakes in the best laid IT plans and designs along with those who came to learn more at the Kiwicon 2038AD security conference.

Around 2,400 people attended Kiwicon, the biggest, hackiest cyber security conference in the southern hemisphere, until next year at least, when the even larger BSides in Canberra kicks off.

I for one am glad that Bad Actors didn't take security through obscurity to the extreme in Wellington.

Mainly because the infosec researchers are sorely needed to protect us against copious amounts of poorly secured systems that are now part of our lives thanks to the internet, personal computers, smartphones and electronics everywhere - but also because I was in the audience and would like to come back next year.

Kiwicon's a big, important regional security conference that most people won't have heard of. This is a shame in many ways, although looking around the motley crew of attendees it's clear that they'd be challenging people, with a Low Acceptance Factor in more conservative environments.

The LAF extends to infosec researchers' work. Things have got better, and more insightful tech companies accept vulnerability reports and handsomely reward researchers who find bugs in their products and services - and disclose them responsibly so that they can be fixed before they're exploited.

Nevertheless, researchers are still likely to receive legal letters from companies who take their work the wrong way. Thanks to ambiguous and overly broad computer security laws everywhere in the world there's always the chance of early morning fun for researchers as cops kick in their doors and take them away to holding cell parties to await lengthy trials on matters the authorities often don't understand.

That's one reason why many use pseudonymous nicknames like Metlstorm, bogan, sput, moloch and mandatory, as attention around their work is a two-edged sword.

There are definitely shades of grey to many people in the cyber security industry.

One of the conference organisers joked about the infamous Rawshark being in attendance, knowing full well that the police might take it seriously and come and visit.

Rawshark is the undisputed Master of Operational Security, along with mysterious AI botherder and spammer turned good, Bismillah, who was rumoured to be at Kiwicon too.

On a serious note, infosec remains a male-dominated field. It has been tarnished by sexual misconduct against women, especially during conferences and events. That's unacceptable and the Kiwicon organisers sought to crack down on such rubbish behaviour and to ensure everyone felt safe and comfortable.

"Don't be an asterisk-hole," summarises Kiwicon's code of conduct. Everyone seemed to follow that, creating a respectful and relaxed atmosphere mixed with a cheesy 90s cyberpunk theme that the younger folks tapped into, much to the surprise of old folks arranging the conference.

Yes, the first generations of infosec practitioners have grown up. Mike Forbes and Adam Boileau said that between them and the other Kiwicon organisers, they have 15 kids, which is way more than in 2007 when the conference started.

Instead of leaving it at that, Kiwicon ran a day-long Kuracon programme for kids that was staffed by volunteers. I brought two children who were taught lock-picking, coding basics, building little electronic robots, and taking apart old computer gear. Kuracon is a fantastic initiative that other conference organisers should copy.

Unwrapping the hacker-proof tinfoil from my devices after the conference, the takeaway from Kiwicon is just how tenacious researchers are. They'll spend weeks cracking problems that other people give up on in a day or two. Black hat hackers do the same. Since IT is part of everyone's life now, that's a great reminder of how insecure it can be, and why we need security researchers.

My thoughts and thanks (don't do prayers) go to the hardworking volunteers who have been organising Kiwicon over the years. They took a breather last year, but here's hoping they'll recharge for 2019.