Cyphercon is not particularly large, or in a glamorous part of the world — in fact most people who came in from out of town had to fight snow to make it. Yet when I stepped into the con last Thursday there was no doubt something awesome was in progress. People were camped out in small groups, working furiously on their computers, talks were packed with people who came alive in the Q&A, and everywhere you looked you found people deep in conversation with friends old and new. If you missed out on Cyphercon 4.0, you need to make an effort to be here for 5.0.
Join me after the break for the highlights of this two-day security conference nestled in the heart of Milwaukee.
Capture the Con
There were a ton of people working on Capture the Flag. This is a conference-wide challenge that lays out puzzles — some printed, Some digital, some like the IoT village encouraged hardware hacking — where you find a hash and enter them into a scoreboard to gain points for your team. I caught up with Trenton Ivey, who organizes this CTF and he shared the story of Capture the Con for the Hackaday Podcast.
The three gentlemen above came up with a fantastic idea. As I wrote about last week, the Cyphercon badge included a paper tape reader. You could unlock parts of the badge and gain flags by running tape through, but you were limited on how many tapes you could get the badge table to produce. These three brought a laser printer and transparency film. Since the reader is infrared, they printed black bars with empty spots for the “hole” and ran them through the badge to limited success.
There were a ton of people working on cracking the tape codes, and also asking everyone they could find to scan the QR code they received at registration (to score a quick 5 points). The other activity tons were working on was the Cypher Village challenge. You picked up a post card with the starter cipher on it. Once you got that you could go back and get a deck of cards. These cards are a visual puzzle, but you need more than one set to complete it and begin to discover and solve the puzzles within.
You Might Just Learn A Lot of Things
More and more I see hardware hacking finding a place at security conferences. Right off the bat I found myself at the hardware hacking village which had its own simple badge this year. Here’s the hook, you can have a badge if you take the workshop that teaches how to dump firmware and learn things from the disassembly. Neat!
It’s put together a bit like a stylophone. There is a bit of jumper wire with one end soldered to the board. The other end you use to touch the pads on the PCB to cause different behavior. With an ATtiny85, four LEDs, a single resistor, and a CR2032 coin cell holder, the BOM cost is low and all of them were assembled on an unmodified skillet.
I also gave the Hacking 101 table a try. This is an effort to help get people up to speed with basic hacking tools. There were a couple of staff on hand and a few computer stations. I worked my way through an intro to packet sniffing with wire shark.
Check out what was on display in the lock picking village. Most events have tables where you can learn lock picking. A cool thing I’m not used to seeing is a multiple locksets for safes. Most of them were just the dial assembly with no enclosure, but this acrylic enclosure was something special. Inside is a red badge — admission to Cyphercon for life for anyone who could crack the safe. It didn’t fall this year, but brush up on your skills for the next one. Looks like it did get cracked about 5 minutes before close ng ceremonies!
Talks, Art, and Badge Repair
What I’ve described is already a lot, but there were also three talk tracks going on all weekend. Conflicting schedules meant I didn’t get to see everything I wanted, but there were two I greatly enjoyed.
Michelle Meas presented a talk what impact future breaches of genome databases will have. You know, those kits people give as gifts that use your DNA to tell you where you came from? Something I hadn’t thought about is how close your DNA markers are to 3rd-cousins and closer relatives. If they’ve submitted DNA to one of these companies, it’s possible to infer a lot about you based on their results, even if you’ve never taken one of the tests.
Eric Escobar and Matt Orme gave a presentation on remote wireless pentesting. Their overview on hardware was fun — including the comment that if you run around with a laptop open sniffing networks people will get very curious, but if you do it on a smartphone nobody cares. They also had some stories about mailing packages with cell-connected pentesting gear… that’s more than just a FedEx box on your desk.
I really enjoyed seeing Cyphercon art on display. The large piece shown here is the work of Mar Williams. The art at the top of this article is from the conference program and is the work of Brian “Koyn” Van Stedum. I also wanted to give a shout out to Wire Engineer who, like a champion, spent the entire conference repairing broken badges. Yes, I managed to break mine when working on the article about the badge and he fixed it right up.
The Secret of the Not-A-Mega-Con
So what is Cyphercon’s secret? It’s special. Like all smaller conferences, it has traditions and tight friendships that are unique to this con. It’s welcoming, it’s fun, and it’s in a part of the country where people are hungry for more delightful hacking challenges.
The phreaker artwork – image with the cluttered desk, is credited to the wrong artist here. That one is by me (Mar Williams). ihate.art or IG @spuxo
Thank you!
It’s no surprise that it’s a well-kept secret. “Cypher” means “Hidden”, after all.
The safe did in fact open this year, minutes before the closing ceremonies.
Ah, I missed that . I’ve updated that as well as added Mar Williams in the section about art.
I know this idea will be frowned upon. But it did say to crack the safe . I would have just walked up with a sledge hammer. It is the best way to crack a safe.