CarolinaCon 13 – When a 12 Step Program Isn’t Enough

For those of you who were unable to attend CarolinaCon 13 this past weekend (19-21 May), then you definitely missed out on a great con.

The Con

For those of you unfamiliar with the con, here is a quick blurb from the CC website

“CarolinaCon was started in 2005 and has been held every year since. With each passing year the conference continues to grow and attract more attendees and speakers. As has always been the case, CarolinaCon is put together and run by an all-volunteer staff. CarolinaCon is proudly brought to you by “The CarolinaCon Group”. The CarolinaCon Group is a non-profit organization registered in the state of NC, dedicated to educating the local and global communities about technology, information/network/computer security, and information rights.

The CarolinaCon Group is also closely associated with various 2600 chapters across NC, SC, TN, VA, LA, DC, GA, PA and NY. Many of the volunteers who help develop and deliver CarolinaCon come from those chapters.”

I’ve attended since CC3 (or 2?), and it’s definitely one of my favorite conferences.

The theme this year was, “When a 12 Step Program Isn’t Enough”, and there was an awesome badge made by FALE and pandatrax to show for it.

Talks

I actually made it to a bunch of talks this year, so I’ll probably just give the title and a quick little blurb about each.

That said, Curbob will post the videos to YouTube soon, and you can always catch them there.

• Phishing, Whaling: Beyond Technology Social Engineering… This was an awesome talk by Luke Stephens about the non-technological aspects of social engineering. It covered presence/perception, power positions, tone, and a few other quick tips for handling any interpersonal interaction.
• RFID is dead; long live RFID! A pretty introductory talk about RFID giving by smrk3r, but definitely one that filled in some gaps in my knowledge. A good starting point if you’re looking to get into testing, securing, or just playing with RFID-based access control methods.
• CTFs – Not Just for Halo. Obviously the best talk at the con, and if you missed it, then you should feel bad. But in all seriousness, this talk went really well, and be on the lookout for more information about CTFs (or other cons the talk may happen at)!
• So you want to learn Machine Learning? A talk about getting into ML, with a ton of great resources (including John’s personal reviews and notes on a ton of course). It got a bit heavy towards the end, but definitely gave me a better feeling for the field.
• Hillbilly Storytime: Pentest Fails. Adam Compton from the Hillbilly Storytime channel came and gave a few of his talks in person. Definitely a fun, non-technical talk for any audience.
• How to buy illegal stuff online. Vic and QR back giving a talk at CarolinaCon! An interesting talk about the Dark Web, some better ways to reach it, and a few popular sites. This talk also had my favorite quote, “If you think you're protected from a rocket-propelled grenade, well… you're not…”
• A ROP Primer. Pandatrax lays down some knowledge about DEP, defeating DEP with ROP, and some intermediate exploit development tricks. I actually took his Intermediate Exploit Development course earlier in the week, and it was awesome.
• Forgotten History of Cyberwar. Sean made it down to NC (unfortunately, no craps this time) for this fun talk. Sean had some historical accounts (and really funny stories) about forgotten methods in “cyber” warfare. This talk didn’t cover your Stuxnet etc., but rather your Bat Bomb, MITM attacks for telegraphs, and even some chicken bombs!
• HoneyPy & HoneyDB. An interesting talk about honeypots, a new tool (HoneyPy), and even honeypots as a service. This gave me a few possible ideas for actual use for honeypots, and I’m looking forward to picking the author’s brain some more.
• The Unofficial Security Enthusiast’s Meme Filled Guide To The Do’s and Don’ts of Breaking Into InfoSec Whilst Having a Fun Time Doing So and Meeting Some Cool People Along The Way. A great talk, not only about getting into infosec but about giving back to the community. A shorter, and more lighthearted talk featuring a number of do’s, don’ts, and memes.

Speaking

It was such an awesome experience speaking at CarolinaCon 13. Giving my first talk at the first con I ever attended made it even better.

Our presentation went great, there were no major hiccups, and the crowd was awesome. There were plenty of great questions (and hopefully answers), even after the talk was over.

I realized that I should repeat the questions in the future, for anyone watching the videos later to hear.

This was a great experience, and I’ve definitely got the speaking bug now. I’m hoping to give this talk at a few more cons this year. After that, it’s time to prepare a new talk for next year!

That said, if you have any feedback (positive, negative, or neutral) about the content or speaker, then it’s always welcome.

CarolinaCon 13 – Villages/Competitions

EverSec ran the CTF again this year, and it went great.

It was a close competition, but Team RED ended up edging out Dangling Pointers for first place.

A great year for the competition, and some sweet prizes.

I also went to the hardware hacking village, and had some help building my badge.

It mostly works, though my LEDs are flashing a bit slower than everyone else’s.

Patrick over in the lock picking village helped Hacker’s Girlfriend out, and she was a natural at it. She burned through the first 4 progressive locks in a few minutes, where I’m still struggling with consistency. Maybe this is a good opportunity to pick up some cheap practice locks and work on them at home?

Other than that, I also briefly tried my hand at lintile’s Crypto Challenge after the con was over. I’ve never had much success with these, but he gave me a few resources that should help with them/CTFs in the future. I did manage to get to level 3 at least, which I consider a minor success.

CarolinaCon 13 – Conclusion

All in all, another great year for a great con. I’m definitely looking forward to next year, where I hope to speak (again) and drink (unlike this year).

It was awesome seeing people I hadn’t seen in months/years, and the number of new faces was great.

If you’ve never made it out to CarolinaCon, then I highly recommend putting #14 on your list for next year.

Ray Doyle

Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.

This page contains links to products that I may receive compensation from at no additional cost to you. View my Affiliate Disclosure page here. As an Amazon Associate, I earn from qualifying purchases.