Finally, NullCon 2014 broke my inertia and pulled me back to my blog. Experience taught me that large tech meets will give wonderful memories which will soon be forgotten. So I thought of recording my little experiences in my blog, which for sure I will cherish for years to come.
Undoubtedly, NullCon is a top-notch security conference in India, attracting offensive and defensive Information Security enthusiasts (just to clarify, this is not an academic security conference). By virtue of being one of the core members of OWASP Hyderabad, I received a complimentary VIP pass from OWASP to attend NullCon. Thanks to the wonderful collaboration between the OWASP and NULL communities for the pass, and to my employer for sponsoring my travel!
The Venue & the search for accommodation:
Bogmallo beach resort, Goa! I bet there won't be a cooler place than Goa to organize a tech conference in India. I had been to the South Asia MVP Open Day at Goa only recently (Aug 11-13, 2013) and yet this place didn't bore me (Aah, nostalgic, the MVP Open Day is one of my best experiences that I will cherish for years. Story here and pics here). What makes this trip different is the date. Find the odd man out: "Feb 14", "Valentine's day", "Goa", "Beach Resort", "Security Conference". All guest houses within a 10 KM radius of the venue were full and many of us were in a dilemma till the eve of the conference.
Thanks to my friends (Mahesh, Prithvi, Bhaskar, Rakesh, Srinu), the hackers of the OWASP/NULL Hyderabad chapters. They hired 2 motor bikes and we rode triples from Bogmallo to Vasco da Gama on the midnight of 13th Feb (seriously, these are life's little but wonderful experiences one should appreciate!). Finally, with the "influence" of my friend Raj Shalem (OWASP Hyd chapter lead), I could get a decent hotel at Vasco (about 8.4 kms from Bogmallo beach resort) at about 12:00 A.M on 14th Feb. Phew! Never imagined I would spend a Valentine's day eve like this, away from my wife (I told her that I would give her a surprise for Valentine's day and I attended NullCon
There were several wonderful talks which gave me that "paisa vasool" (bang for the buck) feeling. "Hacking Your Cable TV Network" by Rahul Sasi and Nafeez, and "Chrome Security 2014: New and future hotness" by Sumit Gwalani are my personal best among those I attended. Hope to see the recorded videos of the missed talks soon. I am not a big fan of keynote speeches, especially if they are "news aggregators". No offence meant, but that's my take. I had to skip a few interesting talks due to offline Q&A chats, parallel talks or networking with other techies.
The speakers list had a mixture of renowned security folks as well as a couple of newbies (at least for me). Interestingly, I noticed a few undergraduate students doing some promising work: Abhay Rana on browser extension security, Bharadwaj Machiraju (@tunnelshade_) on a web testing framework, Ajin Abraham on Xenotix, an XSS exploitation framework (Surprise! Ajin is a B.Tech 4th year student and his tool is already in the Top 5 security tools of 2013!), Francis Alexander on a NoSQL exploitation framework and Yashin Mehaboobe on hardware attack vectors. Appreciate the folks at NullCon for genuinely validating and recognizing the work of these folks, instead of taking the years-of-industry-experience constraint into consideration. I am sure these folks will have a promising future and will set an example to the so-called complacent web experts.
I've learnt this from my mentors and I've been a pretty decent follower of this rule: "Your primary goal of attending a conference should be networking. Everything else comes later". Tea/lunch/dinner breaks, boring keynotes, dull talks etc. should be utilized to meet new people. I set a personal target of meeting at least 10 non-local techies and discussing tech. The interesting thing about techies is, they have already followed each other on Twitter for years, though they haven't met in person. It is always fun to attach faces to Twitter handles and interact in person. It was nice meeting Lavakumar Kuppan (@lavakumark), Amol Naik (@Amol_Naik), Nafeez Ahmed (@Skeptic_fx), Rahul Sasi (@fb1h2s), Akash Mahajan (@makash), Vivek Ramachandran (of @SecurityTube fame), Manu Zacharia (@manuzacharia), Prashant KV (@kvbhai), Ajin Abraham (@ajinabraham), Riyaz Walikar (@riyazwalikar), our very own Omair (@w3bd3vil) and several other webapp sec folks whose names keep popping up on my Twitter timeline.
Seriously, two tightly packed days are too short to discuss and understand what problems people are working on and their approach to solve them. However, I had a sneak peek of what some of these folks are doing.
I had missed catching up with Lavakumar on a couple of occasions but finally met him at NullCon. He explained his tool IronWasp and how it outperforms other web vulnerability testing tools. As against static code analysis, IronWasp relies on fault injection to detect about a dozen web application vulnerabilities and has a robust architecture. I wish I could spend some time checking its source code. Lots of learning in it.
>> Ajin explained how his B.Tech project turned into a full-fledged tool (Xenotix). Its strength lies in having a huge repository of XSS payloads (1600+) and in rendering infected web pages on 3 different browsers to achieve zero false positives. We briefly discussed a few architectural challenges which turned out to be quite interesting.
>> I had exchanged emails with Amol Naik a couple of years ago and I presumed him to be a serious-looking geek. Contrary to my imagination, this geek is so down-to-earth and extremely fun-loving. Couldn't discuss much tech with him but glad that there was a trigger for future discussions.
Met Nafeez Ahmed, the JS wizard, at the event. I planned to extract a few tricks from him, but ended up explaining some of my ongoing research work. We had a short but nice discussion about ECMAScript 5, Content Security Policy, browser models etc. Good to see common areas of interest between us, and we hope to continue the discussions online. By the way, keep watching for his interesting talk at Black Hat Asia 2014.
Met Vivek Ramachandran, the founder of SecurityTube, and had a brief chat about his infosec trainings. Glad to see someone who is so passionate about teaching infosec the right way, right from the basics.
Met Sumit Gwalani of the Chrome OS team after his talk and discussed Chrome's new "site isolation" architecture. The discussion slowly moved towards the browser-security related research paper I submitted to the WWW 2014 conference (which got rejected). I explained the browser model I was proposing to defeat certain web attacks and he was affirmative about the core idea of the paper. However, he said he was not sure if it goes well with complicated web functionality and gave a few pointers to experiment with. Sumit's feedback boosted my confidence to work on enhancing the paper.
Breathing the Goan breeze
We planned to roam around Goa after the conference on Day 2 (15th Feb) and have some fun. Fortunately, we met a Goan geek (Madan) at the conference whom we made our guide for the day. However, our persons:bikes ratio did not change (now we were 9 people with 3 bikes). We started at 7.30 P.M at Vasco and drove to Panjim (30 km distance, triples!). Three folks visited a casino while the rest of us drove to Baga beach (another 20 KM). We enjoyed a fantastic candle-light dinner served right on the sea shore, drove to the Night Bazaar and stayed till 1.30 A.M. By the time we reached back to our hotels, it was 4.00 A.M!! This is one of those days which I will not forget anytime soon.
Why attend the conference when I can read online?
Of course the proceedings of the conference will be hosted online, but there is something more important. Meeting people at good conferences like this and starting a discussion helps you understand where you stand in the real world (I mean, the world outside a company's internal ratings, star awards, peer groups, onsite assignments etc.). They silently instigate motivation and give you an "I-too-can-do-it" feeling, which is otherwise difficult to obtain. Also, evaluating your ideas with the cream of the community helps you identify your strengths, weaknesses and opportunities for improvement.