Win CRESTCon 2019 Tickets!

We’ve teamed up with CREST to give everyone the opportunity to win one of 5 (count ’em) CRESTCon 2019 tickets, worth £175 each. If you’ve never been, now’s your chance. If you’ve been before but don’t have a ticket, now’s your chance too!

CRESTCon is a one-day event organised by CREST, the international certification body for the technical information security market. This year’s CRESTCon is on March 14th at the Royal College of Physicians. If you’re on our 44CON training courses in the same week and/or are coming to 44CONnect, then this is a competition worth taking part in.

To win a CRESTCon ticket, all you need to do is make sure you’re signed up to our mailing list, and email training@44con.com from the address you’ve registered. To shamelessly stack the cards in favour of training attendees and early bird ticket holders, we’ve sliced our 5 ticket allocation the following way:

2 Tickets are prioritised for people who are booked on our March training courses
2 Tickets are prioritised for anyone registered to attend 44CONnect
1 Ticket is open to anyone signed up to our mailing list

Some of the talks we’re most looking forward to at this year’s CRESTCon include:

Matt Lorentzen – Sheepl – Automating people for Red and Blue Team Tradecraft
Thomas V. Fischer – Building a Personal Data Focused Incident Response Plan to Address Breach Notification
Martin Jordan – Austerbury: Iranian cyber threat briefing

Winners will be chosen at random over the course of February. Get your entry in quick because like our early bird tickets, once they’re gone, they’re gone!

44CON 2019 Early-Bird Tickets are now on sale

Our 2019 Early bird tickets are now on sale. There are 50 early bird tickets available until March 11th. Once they’re gone, they’re gone. As usual, the early-bird prices still start at £299 inc. VAT, but there are also accommodation and t-shirt options available.

We’re trialling a small selection of cheap expo tickets providing limited event access with certain groups, and there will be pre-registered free evening event tickets. Early bird tickets are the cheapest fully catered, full access tickets you can get. If you want to see the talks, you want one of these.

As well as full access to 44CON, Early bird ticket holders can also ask for an invite to our 44CONnect event in London on the 13th of March. This invite-only event will take place the day before CRESTCon, and will feature talks from some of the trainers taking part in our quarterly training programme. Please make sure you mention 44CONnect on your booking, or contact us after booking if you’d like to come.

Book your tickets in our shop. If you’d like to book in bulk or through your employer, contact us to arrange an invoice.

44CONnect – A 1-day invite-only event in March 2019

44CONnect is a 1-day invite-only event taking place on the 13th of March, somewhere in London. The purpose of the day is to bring together people doing 44CON training, so they can connect with trainers and people on different courses. It’s our way of giving people who’ve attended our courses the chance to get a taste of upcoming training, and the opportunity to get some extra credit to take back to the office.

To qualify for an invite, you need to have done one of the following:

Booked a seat on Rory McCune’s Mastering Container Security course
Booked a seat on Joxean Koret’s Malware Reverse Engineering course
Booked an early-bird 44CON 2019 ticket once they’re on sale, and be randomly* selected

There are 20 tickets available, so make sure you qualify!

Our trainers from the last two days of training will deliver talks, as well as some of those delivering courses later this year. All of our training course delegates are invited, for whom lunch will be included. Early bird ticket holders invited to the event will have to buy their own lunch, as we can’t book it for them in advance.

There’ll be a special round of lightning talks for training delegates to deliver a short talk about something they learned on their course. Those speaking will get a small certificate of thanks that they can take back to the office.

Drinks have been organised for the evening, but we need to be in bed early for CRESTCon the next day.

*Early-bird ticket holders will be chosen at random throughout February, although unsubstantiated rumours abound that asking for an invite on your ticket order may drastically improve your chances…

44CON Training Goes Quarterly

We’ve offered training courses around 44CON for a long time. We provide a mix of high-end focused course on everything from exploiting Windows Kernel bugs to broader, more generalist courses on web application security and security monitoring. From this year onwards, we’re expanding this to a quarterly schedule.

That’s right, you no longer have to wait a year to sit a high quality training course!

Our 12 month schedule is available here, and you can check out our first courses scheduled for the 11th and 12th of March 2019:

Mastering Container Security – Rory McCune, NCC Group
Malware Reverse Engineering – Joxean Koret

Both courses are two-days long and cost £1300 inc. VAT. When you book online remember to keep the 13th of March free for access to an exclusive, invite-only event.

If you’d like to offer a high-end course in London, get in touch.

Making Britain a Better Place For The Most Vulnerable

“You measure the degree of civilization of a society by how it treats its weakest members.”

This quote has been attributed in various forms to historical figures from Pope John Paul to Dostoevsky, Churchill and even Gandhi. It is a commonly held British value that we should treat others how we’d wish to be treated.

The UK’s food poverty crisis has been getting worse for the best part of a decade. From austerity to universal credit, by that quote above our society’s score is dropping like a stone. This year we’ve come together to support the Trussell Trust and Hammersmith & Fulham Foodbank. It’s an initiative we’re calling Hacking For Foodbanks, that will continue beyond 44CON. While it’s been founded by 44CON crew, we want it to be bigger and separate to 44CON. Food poverty is a national problem and we need your help to help those that need it the most. Hacking For Foodbanks has a 4-point plan to make an impact on UK food poverty through cybersecurity and the tech industry, which you can read more about here.

Help us raise money at 44CON

We want you to bring your (working) retro, old and cool tech that you’re willing to part with as part of a bring and buy sale operated by Hammersmith & Fulham Foodbank and the Trussell Trust. We’ll provide tags so you can set a suggested price for your donated goods, and people can come along to the Trussell Trust table and put in an offer. Got a reasonable-sized retro-battlestation like a Rubber keyed spectrum? Fantastic! WPA injection wifi cards and Hayes serial modems? Super! We’re ideally looking for bric a brac others would want to buy at £5-£50 in suggested value.

Anything that doesn’t get sold can be picked up by the people that dropped it off, or alternatively we’ll donate the kit to similar activities at other UK events.

We’re also offering people the opportunity to make a donation to the initiative both at the event and when they buy a ticket, or register for the free open evening.

All funds raised will be split 50/50 between Hammersmith & Fulham Foodbank and the Trussell Trust, in order to support foodbank activity in Fulham and across the UK.

Get involved

We’re also looking for people to take part in our mentoring scheme, to be piloted in early 2019. In particular we want people from non-technical as well as technical fields, particularly where a university degree isn’t required. We want to raise awareness for foodbank users that there are career opportunities out there, from sales and recruiting to technical jobs. We want to bring these opportunities to interested and able foodbank users and help them when they need a hand the most. Most important of all, we want to eliminate UK food poverty, one family at a time. If you’d like to help, wherever you are just drop us an email.

Building A Permanent Community At 44CON

44CON’s always been the kind of place where you turn up, hang out with friends old and new, get your head bent then go home and get on with your life. But we want to do more than that. We’re building a permanent community for everyone, whether you come to 44CON or not. We’re also mostly old(er Steve, damnit! – A) and riddled with nostalgia. Instead of using Snapbook, or Slickchat or whatever the cool kids use, we thought we’d build a traditional Bulletin Board System and drag it kicking and screaming into the modern age.

To say this was a bad idea was an understatement. Our first attempt used a hodge-podge of Docker, a piece of DOS-based software last updated before the average attendee was born and one instance of a DOS emulator per connection. It worked, but was telnet only (thanks to the joys of serial emulation) and was very, very unstable.

In the end we settled on a modern BBS implementation that has a learning curve almost as steep as Radare2, but allows us to do cool modern things, like provide access over SSH and HTTPS. Originally we worked on supporting older platforms like the BBC Micro, C64 and ZX Spectrum, but everything old struggled with newer software, and everything new struggled with older software.

Finally, we have something we think you’re going to love. Registration will open on the 12th of September. May we present the official 44CON rumour mill, Juicy HQ:

For those of you who’ve never used a BBS before, the first thing you need to know is that you apply for an account (register). Once you’ve filled in a form, you’ll be taken to the new scan screen. This is to check for updates since you last logged on. There are public and private message areas, file uploads (check out our collection of classic British hacking textfiles, or our PoC||GTFO archive) and you can play multiplayer old-school BBS games courtesy of our DoorParty setup. If things seem a little less interactive, remember that BBSes were typically built to serve very few, if any concurrent users, and most content was downloaded in batches for later offline use.

Most British people never really got to use dial-in BBSes back in the day due to BT’s monopoly and pricing, although Prestel and Micronet had some popularity. There was one information system that every British person had access to, which was Teletext. On the BBC, we had Ceefax. So we built our BBS around a Ceefax theme, although you might spot the odd reference to Teletext classics such as Bamboozle and even Digitiser. And yes, all of this is accessible in a web browser.

Although Juicy HQ is the official 44CON BBS, it’ll be open to everyone from the 12th of September. Whether you’ve been to 44CON or not, live in the UK or not, or if you’ve never been to a conference before, all are welcome providing Wheaton’s law is followed at all times.

We’re still refining Juicy HQ in preparation for launch, but we’re making sure there’s plenty of easter eggs for you to find. If you’re interested in beta testing the BBS, give Steve a shout on twitter or mastodon and he’ll hook you up.

What To Expect On Thursday Night

44CON’s a bit different to some other cons in that we tend to run our own Thursday night entertainment instead of a traditional sponsor party. Sponsors and others are welcome to run their own events if they prefer, and indeed, this year some are. Last year was a little quiet, mostly due to Steve not being well enough to plan things.

If you’ve never been to a 44CON, or if last year was your first, you might not expect much, but this year we have a lot going on.

First of all, the biggest of big big shout outs go to our dear friends and Gold sponsors, HackerOne, without whom this night wouldn’t happen. HackerOne are sponsoring the entire evening, so make sure you thank them for helping out. We’ll have complementary food and drinks from Gin O’Clock onwards courtesy of our Gin O’Clock sponsors Crowdfense, up till 19:00, and at various points and places in the evening from 19:50 onwards courtesy of HackerOne. As well as a selection of Alcoholic drinks, we’ll also have a fantastic Mint and Elderflower Fizz mocktail and soft drinks for those who want to keep things light.

The evening session starts at 19:00 with Pwning the 44CON Nerf Gun, by Chris Wade and Dave Lodge of PenTest Partners. This is no ordinary stunt hack talk. The Nerf Terrascout is pretty well put together for a toy tank, and it took the PTP guys a heck of a lot of effort in reversing proprietary RF protocols, manipulating the SPI bus and all kinds of wacky techniques, all to hijack the controller in real-time so they can shoot Steve. This is rather odd, as it’s absolutely not going to happen. The crew won’t let Steve get shot…. honest!

Nicky Bloor will be running a two-hour workshop from 20:00 on Diving Deep into Deserialization, starting with an overview, then diving through exploit and gadget chains into a CTF-style VM for you to play along with (so don’t forget your laptop). Expect this to bend your head a little, but you’ll come out of the other side made of steel.

Looking for something more blue team than red? From 20:00, Phillipe Arteau will run a two-hour workshop on Machine Learning with the Orange data visualization, machine learning and data mining toolkit. His workshop, Orange is the new Hack is essential for anyone conducting triage and will take you through implementing vulnerability classification at scale. The same skillset can be applied to other contexts such as malware classification, system alert classification and vulnerability management.

While the workshops are going on, we’ll have Duckies Den in Track 1 from 20:00. Pitch your ideas to our panel of industry duckies, who’ll award beer tokens accordingly. Our sponsors will also get short pitch slots… but the audience get the beers. This year’s theme for our attendees is “Zany cybersecurity ideas that don’t exist, and probably shouldn’t”. Prizes will be awarded for:

Best billed idea
Most lame duck pitch
Most quackers concept

Could your idea be the nest big thing? Which pitches will fly, and which will sink without a trace? Waddle our panel of duckies take under their wing? Will our sponsors earn a feather in their cap, or will they cry fowl play? It’s not just an eggscuse for duck puns, but we’re sure avian will have a good time!

If it’s all a bit too much and you want to veg out in front of a film, we’ll be screening all-time classic The Big Lebowski in the coffee area from 20:00. Chill out on the sofas, grab some snacks and see what happens when you meet a stranger in the alps. If you don’t like The Big Lebowski, well, that’s just your opinion, man.

Last year we had Linux Kernel poetry and Yoga. This year we’re looking for lightning talks with a twist in our Lightning Talk Poetry Slam from 22:00 in Track 1. Slots are 5-15 minutes long, and should feature either in part or in hole, some form of poetry. Haikus, Limericks and epic Rap battles are most welcome. Sign up at the front desk, then come up, either take a shot of Sourz or try a British snack and SHOW US WHAT U GOT.

On Hotel Accommodation And Safety

First and foremost, if you’re attending 44CON, please add this phone number to your contacts list, under “44CON”. It’s our at-event emergency crew contact number:

+44 (0)7955 376 729

Recent events in Las Vegas as a result of policy changes following the Mandalay Bay shooting seriously affected some of our attendees visiting the city for conferences in early August. We watched from a distance in abject horror as people routinely had their privacy and safety compromised by aggressive security teams demanding entry to rooms and confiscating soldering irons and lockpicks, some of which we understand haven’t been returned to their owners.

While we completely understand the need to beef up security in the shadow of yet another mass shooting in America, the horrific stories that unfolded on twitter made us ask ourselves what we were doing to ensure that such invasions of safety and privacy don’t happen here.

To that end, we’ve done two things:

We’ve asked the ILEC’s attached hotel under what terms they’ll enter rooms booked there.
We’ve set up an emergency contact number you can call to reach the crew at any time during the event.

In the UK there are reasons under which your hotel room can be forcefully entered, but generally it shouldn’t need to happen unless your stay is longer than a few days and you’ve left the Do Not Disturb tag on your door. This is partly to check that you’re still alive, and also to check you haven’t trashed the hotel room. From the ILEC:

We do not access guests rooms apart from cleaning. If the Do not disturb sign is displayed up to 3 days we do not enter but after that we have to check. Initially we would ring the room and if the guest answers we would ask to go and see the room if it is inacceptable[sic] conditions ( as in damages).

If there is a fire evacuation the fire marshals will go floor by floor and knock and open the rooms for people to evacuate as they can be asleep.

The only other reason for someone to enter the room by force would be if the police or fire service needed to enter in an emergency.

The author of this post is a man, but the 44CON crew are a mix of men and women. If you’re struggling to see why this is primarily a safety rather than privacy issue, I think Joe Fitz summed things up best in this twitter thread:

“I sympathize with @maddiestone and @k8em0 ‘s experiences but realize I can’t possibly know how terrified they probably felt.”

Once again, that emergency crew number is:

+44 (0)7955 376 729

If you’re attending 44CON, please add this number to your contacts. It’ll only be active during the event, but someone will have the phone 24×7. Please don’t abuse this number, as it may block the line for someone who needs it.

Fundamentally, your safety is the most important thing to us. If we can’t get that right, nothing else matters. While we don’t expect problems, should anything happen that could compromise your safety:

If you’re in your room and something is happening outside, make sure the room is locked. Do not let anyone into your room if you don’t want to.
Dial reception on the in-room phone and tell them what’s happening, and what you need them to do.
Let us know something’s happened via email so we can track it, regardless of whether it’s been resolved.
If it’s unresolved, or you feel your safety is being threatened then call +44 (0)7955 376 729. We’ll sort things out from there.
In case you need it, please remember that the emergency services number is 999 in the UK, not 911. 112 will also work.

We don’t expect anyone to need this, but if you do, we’ll do our best to keep you safe.

44CON Talks and Workshops announced

Our CFP process has completed and we’re now putting talks and workshops up. We still have a few more to add, but there’s enough up to start checking out. So, what are we covering this year? Continue reading “44CON Talks and Workshops announced” →

Introducing 44CON’s House Rules

44CON was born out of a private event that Adrian and I used to occasionally get involved in organising. It was a close-knit group of people featuring deeply opinionated and often spectacularly drunk people who somehow mostly got along.

As 44CON grew, more people outside that group attended. The new people didn’t know about our overton window. These people paid good money for a good time, but were new to our community and we hadn’t provided guidance on what was acceptable behaviour, or how we handle concerns.

An event with talks about exploiting human and computer trust relationships tends towards some attendees holding unusual views about acceptable behaviour. To make things easier for everyone, we introduced Wheaton’s Law. For those that don’t know, it’s fairly easy to take on board:

“Don’t be a dick.”

For a long time “Don’t be a dick” was the only rule we had. Every year we’d review it, and every year it would stay.

We have had people breach the rule. We’ve had and investigated complaints. We stand by Wheaton’s law as it’s stood by us. What we haven’t done is properly track complaint resolution, and we hadn’t told people how to raise concerns. That’s why we’ve launched our House Rules. They’re not going to be perfect, but it’s a start.

The House Rules are simply an expansion of Wheaton’s Law. They set expectations, a reporting process and circumstances under which we’ll eject someone, along with a reminder that the laws of England and Wales may not match your own at home.

We’ve integrated feedback from event organisers up and down the country, and we’re fully open to suggestions on how to improve them for next year. To be clear, there’s no change in our expectations from previous years, only in how we communicate them.

If you’re coming to 44CON you’ll see the house rules in your brochure or you can read them now. Please take a moment to read them, as they apply to everyone. If you have any questions, suggestions or comments, use the email address on the House rules page before the event, or follow the procedure to report a concern once you’re there.

We want everyone to have a good time, regardless of preferred text editor, open source licensing beliefs or i/o port configuration. We hope you’ll join us and keep making 44CON a great place for everyone.