SteelCon 2023.

This year I attended probably one of my favourite conferences, SteelCon. I had not been since, I think, 2018 or 2019, for a variety of reasons including The Lost Years.

SteelCon is a multi-track conference, family friendly, with all sorts of mad shit going on - it had everything from a kids' track to a scaled-down Robot Wars-esque setup that I understand is showing up at a bunch of conferences, and has me more interested than ever in purchasing a 3D printer to build my own robot. There was also a bring-and-buy charity stand with everything from servers/firewalls to books (I procured a C programming textbook, which I plan to go through to find vulnerable programming patterns), a stand offering stickers, etc.

If you get a chance to go to SteelCon, you absolutely should. They even have locally produced ice cream at lunch, and you may well end up with a bottle of Henderson's Relish.

As per usual, I didn't make it to quite as many talks as I would have liked to; however, the ones I did make it to were excellent. I ended up spending a fair bit of time catching up with former colleagues, friends, and peers in the industry, swapping ideas, etc. For probably the first time in SteelCon history, I also managed to avoid any absolutely catastrophic hangovers.

Andy and Chris had to swap talk slots due to some dickhead dropping LockBit on Andy's lab during his workshop, which caused some issues with the planned live demos. Andy and Neil's talk demoing their latest tooling releases went well, even with that LockBit-based setback, and you can find more information about their tool releases over on the Lares blog. Doing basically a set of live demos as a talk is a move that requires some serious intestinal fortitude!

Chris talked about ransomware operations, looking at them from the perspective of an offensive security practitioner (as opposed to the usual blue team perspective), which was an interesting change from the usual ransomware talks.
The TL;DR is that the methodology, tooling, and such used by prolific ransomware crews are, in general, rather simplistic compared to red team operations, and that even relatively basic security practices should stymie their work.
I did find it rather interesting though that Chris asserted that red teams often simply don't, or won't, use such intrusion methods - due to them being inelegant or overly simplistic. I probably will write up more on this in the future.

Brian Whelton gave an absolute banger of a talk on the ongoing Horizon Post Office Scandal. If you haven't heard of that, click away now and read up on it. I'd read a bit about it in the papers, but Brian's talk really brought home the absolute scale of the injustice and ratfuckery that is still ongoing. Brian has compiled an excellent resource of links, articles, etc. about the whole shebang that can be found here.

I did manage to make it to a most excellent workshop by Soroush Dalili on writing Burp Suite extensions (and all the reasons to not write them). When I had first heard of the workshop, I had an actual idea for an extension in mind, but I've since implemented that planned extension as a rather simple BCheck that I'll publish at some point. I did, however, get to grips with using IntelliJ's IDEA IDE for debugging Burp extensions, lose some of my antipathy towards Java in general, learn a lot of useful stuff about the new Montoya API, and learn a great many interesting tricks using Stepper and Hackvertor to avoid writing an extension where possible.

In short, an excellent conference, and one I look forward to going back to next year.