So this week was the annual Cactus-Con, Arizona’s only security conference (that I know of). Cactus Con is an all-day security event with talks, workshops, and soldering. It was held at ASU this year, which was a great deal better than where it was last year (a cramped hotel on the other side of the earth, i.e. Chandler). It was formed out of a very successful B-Sides Phoenix, and it’s growing every year! Best of all, it’s free (the nice circuit board badge costs $50, or you could be a good social engineer and get stickers from sponsors to get one)! Anyways, let’s talk about what went down.


I came in a little late, but the first place I went was the Firetalks, which were only held in the morning. These are very short talks that are very to the point. I love these, and when I attend Defcon I usually make a point of attending these types of talks because they aren’t popular, the speakers never feel the need to be politically correct, and I usually learn a lot more than I would at the major talks.


Chad Reid held a talk on Net Neutrality, which, while it was only twenty minutes long, gave me insight as to why anyone would oppose net neutrality, and why the fight to keep our internet free isn’t quite over due to the vague terminology used in the net neutrality agreement. For example, the FCC has “reasonable use” as one of its clauses for the ISP, and there is a whole host of other problems we could encounter in the future. The EFF has outlined them all here.

The reason Net Neutrality became a problem in the first place is due to the consumer model that the internet is based off of, which is a deprecated model in the era of huge companies like Facebook pushing out more data than is ever consumed by the customer.


After this talk I snuck into a talk a little late by Paulo Shakarian and Eric Nunes about computer learning and malware, and how easy it was to find similarities in malware families in order to address them. It was a pretty high-level talk; all AI is essentially statistics and algorithms (and a lot of charts depicting them), but I think they did a very good job. They are currently looking for new data sets to test their software on, and people willing to sponsor it!


The Keynote this year with Dave Kennedy was better than last year’s but still went over the same topics (state of the industry, what can we do to fix the world, etc.), and I wish that Keynote Speakers didn’t use their place of importance to talk about such vague topics, but Dave Kennedy was so personable and nice that I couldn’t be angry listening to him talk about lofty goals. I wished I could have at least talked to him, but he was pretty popular. I’ve read his book on social engineering and you should too.


I took some time to mingle after this, checking out the Root the Box competition that a few of my friends either set up or were participating in. I think it was a good idea including Root The Box in Cactus Con, but next year I’d like to see an OpenCTF too. It gives you something to do during talks you don’t want to go to. I was supposed to submit my CTF to the people running Root The Box, but I got caught up in 500 other events that were last week.


The next talk I managed to catch was about web vulnerabilities, and the overall talk was about the rise of drive-by pwning. Sysadmins don’t bother to check where traffic is coming from, or even what URLs are being queried in order to stop malware attacks while they’re hacking. The presenter (I feel bad for not catching his name) made some good points about how sloppy the attackers are, just ingesting data without looking to see what the content is. It would be very easy to create honeypots on sites for these attackers, but you’d have to pay attention to what traffic is coming in, and look for suspicious URL queries. I wanted to ask about the rise of DNS poisoning but it was hard to get to the presenter. My friend asked about making a WordPress plugin in order to create these honeypots for attackers to hit and feed bad data back through, but he dismissed it because who installs WordPress (as an aside, this is some kind of running gag with security professionals: despite there being almost hundreds of thousands of WordPress installs on the web, they somehow still don’t warrant enough importance in InfoSec to be taken seriously as a platform. I might write a blog post about this later).

That was probably my favorite talk of the day (and no, it was not just because someone else uses my tactic of putting cats into PowerPoint presentations). I popped back in to watch more Root The Box before going out and soldering (rather poorly) my badge. The HeatSync people are really patient with me, but the diagrams they gave were so terrible. A friend of mine helped me with resistors and stuff. I’m terrible at hardware hacking. Electronics lab didn’t prepare me for this.


Some really awesome things I noticed at Cactus Con:

  • So many girls, where did these girls come from? I met the coolest chick from Canonical, I actually met a person in the PLUG that was likable!
  • More talks, more things to do
  • More Space
  • Not on the other end of the earth
  • Better Quality Talks
  • Sweet Badge

Some things I didn’t like:

  • No place to chill out and meet people. At the Chandler location, there was a patio where I could just talk to fellow hackers; this con I felt like it was hard to meet anyone at all
  • Hardware hacking station was pushed outside
  • Sponsors are hard to find, please give them a room where they can stand and give me my stickers easier
  • Too Short!

The header image is the flowers found outside Hayden Library at ASU, so it’s kind of topical?