Last Saturday, I had a great pleasure to participate in the What The Hack Conference 2019 hosted by the National Stadium in Warsaw. Not only did I sit and listen to lectures, but I helped with its organization as well.
What was this event?
The event was probably the biggest one concerning IT Security in Poland. It gathered the best and celebrated specialists like sekurak.pl, niebezpiecznik.pl, zaufanatrzeciastrona.pl, the government representatives, the Polish Armed Forces, and many more, who give worth-listening talks and lectures. This year we had the opportunity to choose between 15 parallel theme paths that covered all the fields of IT security in the broad sense, which overall gave over 100 talks. Obviously, it was impossible to attend them all so I could listen to only some of them. However, I was surprised that the majority of them were really engaging and understandable for people like me - not so familiar with the subject of security and hacking.
The location of the event was also an advantage. The spacious and modern conference center in the National Stadium was a great place for such an event because it could seat hundreds of participants without making any crowd, which made it very comfortable to be there for the whole day. The chosen location is also very accessible from many parts of Warsaw, which made it easy to arrive there on time. Also for me, who overslept that day a little :)
I listened to many great talks
Except for the morning, when I was helping with the organization of the event, I had an opportunity to attend the lectures all day long. The first ones that I listened to were:
- Security for paranoiacs - email service - great talk about using simple programs like Developer Tools in browsers for testing security of web applications. The speaker used a great example of the Proton Mail service. He showed how the emails are encrypted and decrypted, how the service cares about our privacy, and shared a curious discovery about it.
- Using stylometry and machine learning in computer forensics for identifying perpetrators of a crime - presentation by detectives about using widely accessible data, that appear unconnected or even random, for detecting criminals. It turns out that having only some text written by a criminal, we can tell a lot about them. Moreover, when we have others their texts mixed with other people’s writings, we can very accurately point the criminal’s one, and by this, we can reveal his identity. The lecturers made me astonished when they said that using stylometry and machine learning, they can identify almost 80% of bitcoin transactions, which were meant to be anonymous. They also made a fascinating experiment about stylometry using only basic string operations in Python, which showed how powerful is this method.
- Peeking inside your brain. With an interface! - Do you ever wondered what if we could communicate with computers only with our brains? It turns out that the future is not so far away. We can make a program controlled by our heads pretty easily using even not-so-expensive machinery. The speaker also showed results of research by Russian scientists who claim to have created a device, which can read images from your brain while you are looking at them. What if such devices became more widely used, and what dangers connected with security would this cause?
After these wonderful three talks, I had to take responsibility for just one room where the speakers delivered their lectures, so I did not have a choice anymore. In the room of which I took care, there were talks from the theme path called “Hardcore”. Whatever that means, the lectures turned out to be interesting, as well as the previous ones.
Me listening to the WTH lectures
- Fuzz testing of JavaScript interpreters - a little advanced subject for me, as I had just some blurry idea about fuzz testing before the lecture. However, I left it with more knowledge than when I went on it. The speakers showed the results of their research and comparison of different fuzz testing engines. They also presented results of fuzz testing some main JS engines. It surprised me that lots of interpreters can be crashed, but they could not make crash one engine - Chakra. This engine is known from Microsoft browsers, which, to be frank, do not seem to be the best. However, their JS engine seems to be very secure.
- Some tricks with Portable Executable, that is what fun you can do in Windows - very binary topic. The lecturers presented some ways to modify Windows binary files, explained their structure and vulnerabilities, everything with plenty of curiosities. Could you imagine patching Gotic by modifying the assembly code? Do you know how to avoid memory access violation, and why this could be useful for writing obfuscated code? Why Internet Explorer is writing on its .dll files? These wonderful questions were explained by the specialists. If you want the answers, you can now ask me ^^.
- Crash Analyzing with Reverse Tainting - Did not we talk about crashes before? We did. But we did not talk about how to find the bugs that caused the crashes. One of the ways to deal with this problem is called tainting. It is about trying to find out which way of code execution caused the error, which chain of variables led to the problem. Tainting lets us see the wrong sequence from start to the end, that is the crash. However, it would be more useful if we could look from the end to the beginning. This is much more complicated, as the graph of variables’ dependencies is often very knotty, but there is some help offered by some tools. One of them is developed by the speaker, based on the good old Valgrind.
- root.txt. I want to capture the flags, but ${random_excuse} - I would say that it was like a simple guide to hacking. The lecturer presented the must-know tools for people who want to start discovering vulnerabilities in servers. We could also find some basic guidelines about cracking passwords and hashes, what made me aware about my passwords strength :)
Summary
Overall, the event was amazing. I would really recommend you participating in such conferences because it is an occasion to meet experts and open your eyes to new ideas. As for me, I feel much smarter after the conference than before. The lectures showed me lots of interesting ways to follow in IT and computer science turned out not to be just about programming, but there is lots of other stuff under the surface. And what is even more important - the stuff is extremely engaging. So such an event could be good for you if you are looking for a great way of your career. Maybe IT security waits for you. I hope we will meet at What The Hack 2020!
I am bad at writing summaries.