Musings of an infosec nerd

My experience of San Francisco and the BSides SF conference

[caption id="attachment_345" align="alignleft" width="300"]San Francisco City Street[/caption]

I'm currently sat waiting to finish the PA-QSA course and take my exam. I should probably be studying a little more, but I've memorised the standard with a memory palace technique that I used for PCI-DSS, so I reckon I should be fine.

San Francisco is the first American city I've been in, so the only comparisons I have are with large UK and European cities, but even so it seems to be very unique. It has the hustle and bustle that you'd expect from somewhere like London, but everyone here seems to be a little more relaxed about life. The area around the Moscone Center where RSA 2013 is being held is your typical conference district that you could find anywhere, but a few blocks' walk from there you can find some of the worst poverty and homelessness that I have ever encountered. I'm not sure if it was because the RSA circus was in town, but getting a hotel within a block or two of Moscone will cost you an arm and a leg. I managed to get a relatively cheap hotel only about 4 blocks from Union Square and Moscone, and even though the hotel itself is quite nice, the streets around it are littered with people sleeping rough, along with open drug use and people who are clearly in need of help with regards to their mental health. Those of you who know me might think I'm making a joke about this; I'm not. It's something that as an outsider really makes you consider how something like this comes about and where the people of the city are putting their priorities when something like this is just accepted as being the way things are.

[caption id="attachment_343" align="alignright" width="225"]DNA Lounge ATM[/caption]

Anyway, now I've bummed you all out I'll move to the more exciting parts of my visit. I'm actually in town to do my PA-QSA certification; however, as the flights at a weekend are half the price of the same flight in the week, I ended up with some time on my hands. I decided to sign up for BSides SF and I'm really glad I did. I'm not going to write a point by point review of the talks as I believe that 99% of them were recorded, so go online and watch them. One that I really did enjoy was on physical pen testing by Valerie Thomas. She gave a very interesting presentation on the vast amount of recon you can do with simple to use open source data sources, and the kind of stupid things you can do to bypass a variety of access control mechanisms.

After lunch on day 2 I decided to take a break from the main tracks and have a play in the locksport room. They had just run a competition where about 30 attendees got to try and escape from handcuffs live on stage with a bit of training given by the experts. Pretty much all the people who got up managed to get the cuffs off in under 10 seconds, so I thought to myself, I'm having some of that!

[caption id="attachment_346" align="aligncenter" width="300"]Ian in handcuffs[/caption]

The locksport guys provided a range of picks and practice locks as well as a few examples of typical law enforcement style handcuffs. After a couple of minutes' instruction I got myself cuffed up and managed to shim the cuffs and get them off in about 5 seconds. It was way easier than it should be, although as it was pointed out to me there are ways of cuffing the hands together to make it harder, but not impossible, to do this kind of escape.

[caption id="attachment_342" align="alignleft" width="300"]A collection of locks and picks at BSides SF.[/caption]

After I'd perfected the shim technique they took us through how to pick the cuffs using a pick or bobby pin through the keyway. This also included picking cuffs that had been "double locked" so that the shimming technique would not work. Now, that is a lot harder than shimming but with an hour or so of practice I was getting pretty good at it. So, if anyone is stuck for a birthday present for me then a nice set of Law Enforcement grade cuffs would be grand :)

Now, if you've watched the Twitters then I'm sure you would have heard about the controversy surrounding @violetblue's talk, and the fact that it was pulled at short notice. I'll let Violet tell the story in her own words, as all I heard was a bit of conversation while I was being cuffed by Twitter's head of security. If what Violet says is true then I have personally lost all respect for the Ada Initiative's goals. Feel free to try to help people take part in the community, but do not try to censor hackers; we really don't like it.

[caption id="attachment_344" align="alignright" width="300"]Alcatraz Island docks[/caption]

After all that excitement I decided to take a tourist day before I was locked in a room with a bunch of auditors for 2 days. I had a walk around the various Piers near Fisherman's [STRIKEOUT:Enemy]Wharf and took a trip out to Alcatraz Island. I'm glad I did as the ranger guided tour along with the audio tour of the cell blocks was fascinating. If you want a breathtaking view of downtown San Francisco then there are very few to beat the one from the prison block on the top of Alcatraz.

The personal blog of a UK based penetration tester