PHREAKИIC19
November 6th - 7th





Welcome to PhreakNIC / The state of the Nashville2600

Elonka Dunin and the other officers of the Nashville2600 will greet everyone and briefly discuss the activities and options at PhreakNIC this year.

The Nashville2600 past and future will be discussed and all the new changes for more transparency and communication will be highlighted.


Analog Network Security - Winn Schwartau

Winn Schwartau will give the talk "Analog Network Security".

I grew up analogue. Analogue engineering and all.

This talk is about applying analogue thinking to Network Security.

It’s about a different way of approaching our defenses, understanding the attackers and hopefully will inspire others. It’s about a mélange of concepts, many analogue, that when combined in various ways, I hope will help our industry.

My goal is to introduce some ideas more conventionally thought of as ‘analogue’ than digital, then glue them together in various ways to offer different views on how to solve security problems - whether they be in the cyber, physical or human domains.

One of my original goals was also to kill ‘Root’, ‘Spam’ and ‘DDoS’ in systems. I’m gonna try hard.

"Digital is not Binary" and “What is Analogue, Anyway?” For those who believe that digital is God, I will attempt to show you the errors in your ways. Or at least, show you another way of looking at networks. The idea of Binary vs. Spectrum has hurt our field as well as general real-politik globally. I will stick to the tech aspects, I promise. This is also where I get to have some fun, recalling my first career as a recording-engineer/producer during the rock’n’roll heyday.

I will re-cover the traditional basics of  TBS, Time Based Security basics ( P > D+R, E = D+R, F(s)/BW = T), from the book of the same name in 1998. I'll position it with a dose of analogue terms thrown in to get your analogue neurons stirring.

Feedback and the OODA Loop are decidedly analogue concepts that add to the equations. Led Zeppelin taught me a lot about feedback, as did Paul Simon and Barbra Streisand. I will pass on those lessons as they relate to network security. With feedback, we will explore how to launch nukes, save marriages and drastically increase the efficacy of network security.

Then, we will return to the early 19th Century and re-meet Charles Boole for a refresher on Logic 101. We will discuss how to make Logic more analogue, add in the Two Man Rule and OOB, Out of Band, methods for control and communications.

Trust is, unfortunately, often viewed as a binary function. I want to examine how an analogue view of Trust will give us a more accurate approach to trust in an ever-connected world. Yes, I mean the IoT or whatever current term is popular.

I will finally glue those ideas together, into one massively redesigned architecture to be used as the basis for network, application, and all things security. 

· Kill root
· Stop DDoS
· ID and Stop Spam
· Reduce 'internet noise' - read, security.

By looking at security controls with an analogue eye and mindset, we can develop far better network security tools and solutions than those we are still tinkering with. You may well not agree with one or two of my concepts or assumptions; that agreement may not appear until various pieces are glued together. So, please, bear with me, as I attempt to explain Analogue Network Security.

 Time Based Security is a set of concepts and tools developed by Schwartau in 1996 to help measure security throughout your existing networks and build measurable security controls in applications. In essence, TBS removes much of the binary (yes/no) nature of security by adding high degrees of measurable granularity into the controls.

We will go over the basics ( P > D+R, E = D+R, F(s)/BW = T) which use the time domain as the key metric to allow network security and risk modeling and applications development. In addition, the time domain allows security and risk professionals a means of ‘speaking the same language’.

Once the basics are covered, Winn will add additional concepts and maths to add to your tool kit. How to measure the security effects of multiple administrators in application and security settings? What are the security effects of introducing the Two Man Rule (or three or more…) to security controls? Applying the basic tenets of electrical and mechanical engineering, Schwartau will show you how to introduce feedback mechanisms into security controls to allow fine-tuning and risk management quantification.

To achieve this, static Boolean math was not sufficient, so Schwartau will introduce a set of TB-Boolean ideas to assist with modeling, dynamic truth tables and a more realistic look at network risks.

Audience members will learn how to use TBS in networks and applications to measure and model security in a quantifiable manner. Immediately after the session, members will be able to apply many of the TBS ideas to measure their existing risk in all and/or pieces of their networks.

The audience does not have to be a math wizard or programmer. Advanced Time Based Security is a simple set of math tools (really simple) and concepts from many disciplines that can be used by anyone from management to administration to risk and audit. Boolean math is simple AND OR NOT assembled in combinations to assist our security goals.

Much of what you will hear will seem 'obvious' once you have heard it. I hope that is true, because then it will be easier for you to apply these concepts into products, operations, processes, controls and of course, security.


NOTE:

With his usual animated and dynamic style, Schwartau assembles some fascinating concepts and approaches to security that have evolved over the last 20  years. You will not be bored! 


The Beale Ciphers - Elonka Dunin

Our very own Elonka Dunin (@ElonkaDunin) will be speaking this year on "The Beale Ciphers".

"The Beale ciphers, also referred to as the Beale Papers, are a set of three ciphertexts, one of which allegedly states the location of a buried treasure of gold, silver and jewels estimated to be worth over USD$63 million as of September 2011. Comprising three ciphertexts, the first (as yet unsolved) text describes the location, the second (solved) ciphertext the content of the treasure, and the third (unsolved) lists the names of the treasure's owners and their next of kin." - from Wikipedia


Doc it Your Own !@#$% Self - Steve Esposito

Steve Esposito (@AustrianAnarchy) will give the talk "Doc it Your Own !@#$% Self".

What is a documentary; What constitutes documentation; How to show it on the screen, in a professional cinematic way with free tools (Free as in free, along with Free as in GNU); Going the next step to legally protect your creation.


Magnetic rainbows and my favorite equation - Michael Snyder

Michael Snyder: "This year will be my fourth talk at PhreakNIC, I will bring everyone up to speed about my magnetic ferrofluid cell research and I will talk about my favorite equation (speed of light)^5 *(Elementary Charge)^2 *(fine structure constant)^(coth(7^(19/49)/pi^4)/2) *(ampere)^-2 *(reduced planck constant)^-1 *(gravity constant)^-1=1. I will also do ferrofluid cell demonstrations and hand out photographs during the conference."


Textmode: Kiss your ASCII goodbye - Arnie Holder

Arnie Holder (@Datathrash) will give the talk "Textmode: Kiss your ASCII goodbye".

A review of textmode art as distinct from ascii art. Notable pioneers, current artists, and its development through the demoscene with relevant videos and pics. Raquel Meyers will be interviewed and hopefully will provide some short video segments.

Rendering PhreakNIC Videos - Poiupoiu


Poiupoiu (@poiupoiu) will give the talk "Rendering PhreakNIC Videos"

The talks at PhreakNIC 17 were recorded but since no one knew how to combine the videos and render them, they sat dormant for over a year. It wasn’t until after PhreakNIC18 that poiupoiu got his grubby, little hands on these files and was able to cobble them together into watchable video streams. In this talk, he will talk about how he did it, what he learned works and doesn’t work, and will (if all goes well) demonstrate from start to finish his process for rendering PhreakNIC videos using the open-source software Kdenlive. After all, sharing is caring!


Hashcat: GPU password cracking for maximum win - _NSAKEY

_NSAKEY (@_NSAKEY) will give the talk "HASHCAT: GPU password cracking for maximum win"

After briefly touching on the general concept of password cracking, the focus of the talk will be on the effectiveness of different attack modes in hashcat, with a heavy emphasis on rule-based attacks. While the name of the talk is “hashcat,” this talk will almost exclusively discuss the GPU-enabled versions (Specifically cudahashcat). The final phase of the talk will include the results of my own experiments in creating rule sets for password cracking, along with an analysis of the known plaintext passwords from the test hash list.


11 year old guide to Linux - Thomas Flatt

Thomas Flatt will give a talk on "The Eleven Year Old's Guide to Linux"

Thomas writes: "My speech is named after my book, The Eleven Year Old's Guide to Linux. In my speech I will first talk about my book. Next I will talk about OSes and Linux. Then I will talk about distros and I will show my youtube video about installing puppy. Finally I will announce book signings for everyone who bought a book."


Shall We Play a Game?: Better Living Through Wargames - James Powell

James Powell will give a talk on "Shall We Play a Game?: Better Living Through Wargames"

Security is hard. Much of the software is written by engineers. Most of the platforms are configured by system administrators. These professionals rarely have more than basic security training. To complicate matters further, application and platform security can be seen as "black arts" among non-security professionals. This perception can lead to paralysis in our colleagues' attempts to learn better practices. What's not often understood is that “security” isn't a different set of skills, but a mindset through which existing skills can be expanded and applied. Maybe there is a different approach that can help our colleagues overcome this paralysis by playing games. Games can have advantages over traditional learning methods, but it has to be the right type of game. Security professionals play Capture-The-Flag and wargames to test their current knowledge and skills. These games could prove to be an effective training mechanism for developers and administrators. CTF and wargames can show these professionals their programs and systems through the eyes of an attacker. Through playing, they become exposed to common attack methods, and realize that their "non-security skills" are the same ones that will lead them to the next challenge. Those skills, when applied with this new knowledge, will lead to stronger systems and more secure applications.


A defense of whoever you think was behind the Sony Pictures Entertainment breach - Brandon Tansey

Brandon Tansey will give a talk on "A defense of whoever you think was behind the Sony Pictures Entertainment breach"

Even in optimal conditions, incident response and attribution can be very difficult. Trying to get to the bottom of an incident when you've got no access to the compromised organization, network, or system is even more so, yet we try to do it each time there's a new headline-making breach. These communal and outsider-driven investigations are often doomed from the start when they're focused on painting a complete picture.

Last year Sony Pictures Entertainment announced a breach in true Hollywood fashion which drew lots of attention. This resulted in lots of people racing in an attempt to assemble the puzzle with only a small fraction of the pieces. That said, when Richard Bejtlich was asked if he saw any public theories that were close to Mandiant's findings, he responded that he hadn't.

This presentation does not claim to be the first, nor will it make any attempt; in fact, it will do the exact opposite. The audience will not leave the presentation knowing exactly what happened or "whodunnit." Instead, the presentation will attempt to demonstrate that there hasn't been enough information publicly disclosed for anyone to know with a reasonable degree of confidence. This will be demonstrated through an in-depth examination of the associated malware and its many potential red herrings, communications from "the attackers", and a review of other information reported following the disclosure. The examples discussed will be specific to the Sony Pictures Entertainment breach; however, the concepts will not be.


Rick Sanders will give the talk "Fear the Legal Platypus: Oracle v. Google and the Legal Protection of (and Restrictions on) Software"

Rick writes "Software is the platypus of the legal world: a beast that would be fantastical if you hadn't seen it for yourself. It's part copyright, part patent, part trade secret. The result is an ungainly patchwork of protection (and, hence, restrictions) that covers some aspects too well, others not at all, and generally just seems ill-suited for the creative functionality of software. Messy areas of the law also tend to be the most expensive, so courts don't often have to wade too deeply into the protection of software. But when Oracle sued Google over the use of Java APIs in the Android operating system, we had two well-heeled and highly motivated parties willing to fight for the soul of something that a lot of people cared about. In this talk, I'll explain what really went down in Oracle v. Google, dispelling several myths along the way; speculate about what it means for the protection of (and restrictions on) software; and wonder aloud about how the law could do a better job dealing with software."


OpenSCAD and its Cousins - Phillip Showers

Phillip Showers will give the talk "OpenSCAD and its Cousins"

Tutorial of CAD programming language OpenSCAD, with additional mentions of OpenJSCAD and BlocksCAD


The Embedded Technology Generation - Robert D. Lewis

Robert Lewis will give the talk "The Embedded Technology Generation"

"They’re the sixth consecutive Worst Generation Yet.

"They’re self-absorbed, have no work ethic, are entitled, and their cell phones are glued to their hands. They’re…

"No, they’re not. Forget all that nonsense.

"Unlike past worst generations yet, this one has two characteristics that truly and uniquely belong to it. Because of these characteristics they’ll change the world.

"The first: It's the first generation to grow up in a world where cradle-to-grave employment never existed. As a result, unlike previous generations they have no expectation of employer loyalty.

"The second: It’s a generation accustomed to technology being pervasive, used wherever it makes their lives more comfortable or convenient. Its members expect technology to be there when and where they want it, working the way it’s supposed to work. Pervasive."

"Don’t call them millennials. Call them the Embedded Technology Generation … the ETG because along with their low expectations of employer loyalty, it’s how thoroughly embedded technology is in how they live their lives that’s their defining characteristic."

This will be a PowerPoint-free discussion of what the world of work is turning into, and what technical professionals will need to do to thrive in it.


A Beginners Guide to Nootropics - PonyBoy

PonyBoy will give the talk "A Beginners Guide to Nootropics"

A discussion about the use of nutraceuticals, foods, and drugs for the purposes of enhanced brain function, learning, and memory retention. This primer will introduce you to the world of Nootropics and give you a basic insight into the science/magic that makes them work.


Ways to bring tech teaching into your local school - Amy Flatt

Amy Flatt will give the talk "Ways to bring tech teaching into your local school"

Amy writes "I will show you the hidden ways, resources and language you need to successfully bring tech learning into your school."

How do we reach students and help them learn to program? By engaging teachers; but it's not as easy as it looks. Hear Amy's story about how the community reached her.


How to make nearly anything super fast - Chad Ramey

Chad Ramey will give the talk "How to make nearly anything super fast"

This talk will cover rapid prototyping. Chad will talk about his experiences as a maker and discuss some of the work of the Georgia Institute of Technology's Invention Studio where he served as President. It might even include a sneak peek at his recent passion, building a battlebot.


BloxBot: STEM Education With Legos! - Kimberly Lewis

Kimberly Lewis will give the talk "BloxBot: STEM Education With Legos!"

School does not have enough robots, and it definitely doesn't have enough Lego. BloxBot is aiming to fix that. In this talk, you'll be introduced to the brainchild of a hacker and two educators that will change the way you see school, robots, and most of all, Legos.


The future of Linux: A discussion of systemd, containers, and cloud technology. - Wesley Duffee-Braun, Dagmar, and Ben Hicks

Wesley Duffee-Braun, Dagmar, and Ben Hicks will talk about the future of Linux. Questions will be asked by the audience. Trends and the roadmap that Enterprise Linux, and thus the desktop, is taking will be discussed.


3D printed guns, why I am not afraid and neither should you - Oddball

Oddball will give the talk "3D printed guns, why I am not afraid and neither should you".

Oddball will discuss the hype and fear around this "threat". Oddball will share his knowledge of this controversial subject and take questions from the audience.


Ingress - Dagmar

Dagmar will talk about "Ingress"

An introduction to the location-based game popular on smartphones. Dagmar will discuss his experiences and go over the finer points of the game. Dagmar has experienced the many ups and downs as the game has evolved, as he was an early adopter and is still an avid player.


Hacking Web Apps - Brent White

Brent White will speak on "Hacking Web Apps"

Assessing the security posture of a web application is a common project for a penetration tester and a good skill for developers to know. In this talk, I'll go over the different stages of a web application pen test, from start to finish. We'll start with tools used during the discovery phase to utilize OSINT sources such as search engines, sub-domain brute-forcing and other methods to help you get a good idea of a target's "footprint", all the way to tools used for fuzzing parameters to find potential SQL injection vulnerabilities. I'll also discuss pro-tips and tricks that I use while conducting a full application penetration assessment. After this talk, you should have a good understanding of what is needed as well as where to start on your journey to hacking web apps.


HACKING 101

Elonka Dunin and Dru Meyers (and a few other mysterious guests) will lead a panel and open discussion with the audience on what hacking is and take questions from the audience. Everything you want to know about hacking but were afraid to ask is welcome. No question is stupid, you are among friends.


Closing / HACKING 201

Elonka Dunin, Dru Meyers, and Chad Ramey (and a few other mysterious guests) will wax eloquent on the world of tech and hacking. This will go more in depth with questions from the audience. What went right with PhreakNIC this year and also what went wrong will be discussed. The NETKOTH contest will be reviewed briefly, as well as any other contests or competitions. There is no time limit and this will probably devolve into everyone chipping in 5 bucks in a hat and buying pizzas to continue the discussion until everyone is too tired to stay up any longer.


Almost Idiot Proof Portable Android App Pen-testing - Robert McCurdy

Robert McCurdy will give the talk "Almost Idiot Proof Portable Android App Pen-testing"

Have you ever wanted to test mobile applications? If you have ever had the pleasure of working with Eclipse or Android Virtual Devices (AVD), don’t worry! Adware or paid apps like Bluestacks, Andy OS and GenyMotion have bloatware and garbage you don’t need. I will share and show you how to set up a working super-fast portable Android application testing rig including everything you need to get testing.


Cognitive Biases Affects on Security - SA Hale

SA Hale will give the talk "Cognitive Biases Affects on Security"

Our brain has many ways of doing its job, including tricks and shortcuts that help it work efficiently. But studies have shown that these tricks and shortcuts can lead to making predictable mistakes. Does your brain lie to you, or at least does it filter reality?

In this talk, we will discuss some of the most common cognitive biases, how to identify these biases and heuristics cognition, how to potentially implement cognitive biases for use in the Cyber arena and finally how to mitigate them in cyber security and/or cyber warfare. Research in Cognitive Psychology, Evolutionary Psychology, Cognitive Science, Neuroscience, Anthropology, and Human Reliability Engineering has identified over one hundred cognitive biases. These cognitive biases appear to be part of our evolutionary human brain and transcend cultures or generations. We can describe cognitive biases as a replicable pattern in perceptual distortion, inaccurate judgment, and illogical interpretation. Cognitive biases are the result of distortions in the human cognition that always lead to the same pattern of poor judgment, often triggered by a particular situation. Three main types of cognitive bias will be identified and discussed: Decision-making, Social Biases, and Memory Biases. By developing an understanding of our cognitive biases, cyber defenders will be able to be adaptable and resilient to meet the rapid and ever evolving cyber threat to our national security. We must understand our own vulnerabilities, i.e. cognitive biases, because we are the weakest link in security. Once understood, training, tools, and processes can be implemented in Information Security, Information Assurances, and cyber warfare.


Drones for fun and hacking - Ron Foster

Ron Foster will give the talk "Drones for fun and hacking"

Learn the ins and outs of drone building where we discuss the technical, legal, and hacking challenges of building a drone from scratch. We will discuss parts, controllers, when and where you can fly, as well as their uses for hacking and profit.


Educating Tomorrow's Security Analysts Today and Why Hacking is Necessary - Steve Mallard

Steve Mallard is the IT Director and Computer Information Technology Master Instructor at the Tennessee College of Applied Technology - Shelbyville. The Computer Information Technology program has won the 2005 Computer Forensics Award, 2011 Computerworld Laureate, 2012 Techtarget Leadership Award, 2012 TCAT Shining Star - Learning Management System, 2014 CTE Excellence in Action and the 2015 White House - Celebrating Innovations in Career and Technical Education. Learn why hacking is necessary in the education of security analysts.


Getting things done - Mog

Mog will give the talk "Getting things done"

Starting projects is easy. Finishing them is difficult but not impossible. Here are some tricks to solve and finish your projects.


Building Management-Staff Bridges for Better InfoSec - Michael St. Vincent

Michael St. Vincent will give the talk "Building Management-Staff Bridges for Better InfoSec"

There is growing frustration at all levels with how the passion for information security meshes with how businesses operate. Individual contributors work in an increasingly complex technical environment, while managers and directors work under heavy demands for expense controls and contributions to profitability. Often the result is considerable difficulty avoiding conflict, even when all individuals involved are striving to meet these demands.

Moving the discussion forward requires hacking our conversations and approaches. This session will overview multiple factors which are both hidden and intuitive, and invite participants to start identifying the solutions which embrace the diversity of interests, skills, and the harsh realities of profitable business. Come ready to be a hacker and bridge builder, while creating staff and management techniques to become better at interoperating with our diversity.


Hacking Crime - Crimson Fist

Crimson Fist will give the talk "Hacking Crime"

Crimson Fist spoke on this topic last year at PhreakNIC. He is back to share how he has been making a lot of headway on his crime prediction system with the help of the folks at Freeside Atlanta, and share updates and new developments.


Laser and chip tune show

This is still in the planning stages, but stay tuned...


Seriously, I Really Do Have a PhD: Research, Stereotypes, and Why You Can Do This, Too - Dr. Theda Daniels-Race

Theda M Daniels-Race will give the talk "Seriously, I Really Do Have a PhD: Research, Stereotypes, and Why You Can Do This, Too"

The rallying cry for STEM and/or STEA(rts)M education is loud and clear and has been so for many years. However, the still pervasive dearth of U.S. scientists and engineers seems to contradict these efforts. This talk will offer some facts and figures--briefly from my research on hybrid electronic materials (HEMs), some "experience-based" views--on how stereotypes, prejudices, and unintentional bias affect the STEM population, and hopefully some insight for (or at least encouragement to) those of you who may have wondered if you can "make it" in STEM and may even have been told that you can't!


The Poetry of Secrets: An Introduction to Cryptography - Eric Kolb

Eric Kolb will give the talk "The Poetry of Secrets: An Introduction to Cryptography"

"The exchange of information is a defining characteristic of civilization, and so follows the keeping of secrets is the focal point in all of humankind’s great acts. Despite the importance of cryptography, many today eschew its study as an inscrutable, arcane magic. “Crypto is hard,” conventional wisdom asserts; “Leave it to the experts.” While it’s entirely possible to succeed with only a utilitarian grasp of cryptography, learning about this mathematician’s munition can be deeply rewarding.

Join us for a beginner’s tour of the science and art of secret writing, ranging from the simplest substitution ciphers to the state of the art. We’ll focus on understanding cryptographic primitives through the ages, why they worked (or didn’t), and how that success impacted history."


Why are You Still Getting Cryptolocker? - Aaron Lancaster

Aaron Lancaster will give the talk "Why are You Still Getting Cryptolocker?"

With the advances of security technology and configurations keeping in stride with increasingly sophisticated threats, many companies are still feeling the pain that “Crypto Ransomware” inflicts on their business operations. In this talk, we’ll explore the problem, prevention, detection and remediation of these threats and how you can act now to keep your data freedom.


Workshop: Beginning PowerShell - Mick Pletcher

Mick Pletcher will help get you started with PowerShell.

PowerShell has become an essential tool for Windows sysadmins. It's time to stop making excuses and learn how to use it from one of the founders of the Nashville PowerShell User Group!


Workshop: Getting started on NETKOTH

_NSAKEY will help get you started on "NETKOTH"


Workshop: Kids: Crypto Workshop - Elonka Dunin

Elonka Dunin will give a Crypto workshop for kids.


Workshop: Kids: How do computers Talk to each other - BenTheMeek

BenTheMeek will give a workshop for kids entitled "How do computers talk to each other"


Workshop: Kids: Python

Python for kids! Let's get them started early on programming!


Workshop: Getting started with Python/ Making a python port scanner - Chad Ramey

Chad Ramey will give a workshop entitled "Getting started with Python/Making a python port scanner"