I attended BSides Lisbon and had a lot of fun
BSides Lisbon was a one day event on information security (InfoSec) organised by AP2SI, a Portuguese organisation that is trying to develop InfoSec in Portugal. Although this wasn’t the first edition, this was the first time I participated in the BSides event. The event is very international (with speakers from different parts of the world and all the talks in english) but the audience was mostly Portuguese. Many students from software engineer and computer science were attending the event.
The importance of bringing information security knowledge to Portugal
As a native Portuguese living abroad, I’m very glad that these awesome events are happening Portugal. Creating InfoSec awareness in Portugal is going one step further. Security in Portugal doesn’t seem to be a really big deal because almost everyone believes that it’s safe and no hacker will come on their way. For instance, the Portuguese presidency website is not secure and although in some EU countries this would be a huge problem, in Portugal it isn’t.
This is just an example that demonstrates how hard it is to make people aware of InfoSec in Portugal. If even the government itself is not giving the example, how can anyone encourage enforcement of security by design? Some say that Portugal, as many other EU countries, goes with the flow of EU, but for me what AP2SI guys are doing is indeed a great initiative.
What did I find?
Let me tell a little about what I’ve seen.
Although I got there late and a bit frustrated with the delay, I was immediately well received! This warm welcome of Portuguese people makes anyone feel at home, no matter where you come from or who you are!
Nice InfoSec talks
The first talk I attended was from Oliver Kunz about semi-offline attacks on android full-disk encryption. He talked about a set of attacks based on brute-forcing the encryption mechanism of hard-disk android phones. I learned that google moved from one KDF to derive the encryption key, to 2 KDFs and a signature after the first brute-force attack from Oliver, and, even then, it was possible to break it in the same way.
I know some good people working at Google security group, but sometimes, people just over complicate. In this case increasing the PIN size you’d just solve problem, but as always the trade-off between usability and security is always on the way. I guess that making the users more aware of security would make things easier, but this is a topic for another post.
I went to the talk of Dima Bekerman and he taught us about DDoS attacks. Awesome to learn the diversity of industries setting up DDoS protection: it goes from government, banks till gambling or porn. But, and without disregarding all the other talks, my favourite talk was the one from BinaryEdge on data science and internet scanning.
BinaryEdge built an amazing product to scan the entire internet (including images content). The things you can do with it are very scary, but amazing at the same time. For sure in the wrong hands these tools can make more harm than good, but the potencial of BinaryEdge product is huge.
I’m sure there were more interesting talks, but I couldn’t attend to all of them. I’m still trying to watch all the missing talks on youtube (all talks available here).
Ethical Hackers from Abertay
By lunch time I stumbled upon a group of students from Scotland participating in the Capture the Flag (CTF) challenge. It was a surprise for me to known that Scotland has now, not one, but two bachelors on Ethical Hacking! These students were from Abertay Ethical Hacking bachelor. This is freaking awesome! Fellow security co-workers will understand why I’m saying this!
I truly believe that we need to start training people on InfoSec and Crypto from the very early stage of their education! This will improve a lot the security of software systems. My opinion is that nowadays software security is bad mostly because developers and system engineers don’t have security knowledge. Spreading security knowledge in the very beginning of their education will make future software applications much more secure.
Congratulations for making this an awesome event
All in all I had a lot of fun!
I want to say thanks to all the people attending to BSides and giving such nice talks, to AP2SI organisation and specially to Bruno Morisson and Jorge Pinto, for all the effort you put into this event! Congratulations for the initiative! Looking forward be there next year.