GrrCON: The Family Infosec Con

Tuesday, October 02, 2012

Philip Polstra


Having just returned from a packed 3-day trip to Grand Rapids for GrrCON I thought I would do a quick writeup for anyone that might have missed it.  

This was my first time at GrrCON (last year was the first iteration) and being totally insane I brought along 13 students from my university's computer & technology club.  

Given the club's budget limitations we drove up from Dubuque Wednesday and had to depart Friday night right after closing ceremonies.  So if you are looking for a review of the after party or after after party, I had to miss it, but heard it was quite a bit of fun.

First Impressions
Tickets were sold through Eventbrite online.  Attendees had to give a name, t-shirt size, and e-mail address when registering online.  The registration line moved very quickly when we arrived shortly before the start on Thursday.  There were 4 tracks on Thursday with 3 on Friday.  Rather than use track numbers, names were used for each room.  The main room was about 2x the size of rooms 2 and 3 which were in turn larger than the 4th room.  The 4th room did have tables for all chairs which lent itself well to workshops.

The solutions (vendor) area was conveniently located between the 3 main track rooms.  The lockpick village and VIP lounge were also in the solutions area.  Speaking of the VIP lounge, those that chose to purchase the $280 VIP tickets (vs. $115 for regular admission) and speakers were given access to this sizable area.  There were tables set up in the VIP lounge, some snacks and drinks, ping pong, air hockey, gaming systems, Foosball, 2 retro arcade games, and an area to watch piped in video from the main track.  There were also a couple of hostesses in the lounge on Thursday.  In each room the VIPs had seating in a separate area right up front with tables equipped with power strips. This was the first time I have been to a con with separate seating areas for VIPs.  I like the idea of this: allow people a pretty cheap ticket and given them the chance to pay a bit more for better seats and other perks.  Even the VIP ticket price is pretty reasonable for a 2-day con, in my opinion.

Talks, Contests, and Events
There were multiple contests going on before and during the con.  Not surprisingly, there was a CTF competition.  There were some nice prizes given away for various competitions.  Many of the competitions had tablets as prizes.  My students seemed to spend a lot of time at the lock pick village which featured a good number of locks to try your hand at picking.  It was always the first place I looked for anyone from my group.  The awesome folks that ran the lock pick village (I apologize that I don't have their names) spent countless hours there providing guidance.  A very nice set of picks was available for only $29 at the con.  These pick sets sold out Thursday morning, but there was a signup list for getting them later.  Two of my students were very proud to be in 1st and 2nd place in the lockpicking competition.  They were later knocked out of the top 3 by some later competitors including another one of my students who took 3rd place and went home with a nice set of picks.

I saw several really good presentations at GrrCON.  Here are just a few that stood out.  Atlas of d00m gave a really good talk on subgigaHertz devices.  The thrust of this talk was discussing the many devices out there that are not operating on 2.4GHz or 5GHz bands.  There are many interesting things you can do with things not running 802.11 protocols.  As a hardware hacker this was my kind of talk.

Aditya Sood (of IOActive) & Richard Enbody gave a good presentation on 3rd generation botnets.  They provided a nice overview and talked quite a bit about how modern botnets operate.  Several demos were provided.  Rafal Los (@Wh1t3Rabbit) presented a business oriented talk during the same timeslot as Aditya & Richard's botnet discussion.  I didn't attend Rafal's talk, not because I didn't think it was any good, but because I heard him give this talk 2 weeks ago at 44Con in London.  I encouraged some of my students to attend this talk and all who did so were not sorry.  Speaking of 44Con, Rafal was not the only speaker at GrrCON who also spoke at 44Con (the premiere con in the UK).

I saw 2 shorter talks in the somewhat crowded 4th speaking room on Thursday.  The upside to this small far away room was the ability to leach better wifi from some nearby art exhibit.  The first talk was on kernel debugging using virtualization by Seth Hutchins.  Despite being somewhat plagued by the demo gods, I think that people left Seth's talk with an idea of how to go about using virtualization to do kernel debugging.  Matthew Sjoerdsma (a good Frisian name!) gave the second talk I attended in the smaller room.  Matthew gave an insightful and entertaining talk on biometrics.  In particular, Matthew spoke about using a person's walk or gait to uniquely identify them.  He did a great job and I'm sure his parents, who were in the audience, were very proud.

Gavin Ewan (@Jac0byterebel) was on right after Matthew in the smaller room.  I chose not to attend his talk because, as was the case with Rafal, I had seen his talk at 44Con.  I encouraged my students to attend this talk and to my knowledge most of them were in the packed room.  Gavin spoke about social engineering.  Gavin has a background in psychology and has also worked in sales prior to attending University of Abertay in Dundee, Scotland and studying in their ethical hacking program.  Prior to seeing Gavin talk live in London, I had seen his B-sides London talk online.  His talk is now in my required material for my information security class at the university.

 While my students were listening to Gavin, I was in a talk by Chris Roberts.  Chris talked about vulnerabilities in multiple vehicles including cars, buses, boats, and planes.  I found some of the technical information he presented interesting.  He didn't really go into much technical detail during his talk, but he did say that his slides and other info would be available after the talk.  Personally I felt that someone of the things he talked about were more than a little past the line.  He bragged about hacking into engine control systems on cars and boats and doing things like changing gears and shutting down engines.  This type of behavior is unacceptable in my opinion.  He didn't seem to have any regard for the fact that he might be harming other people and essentially stated that if anything bad happened it was the fault of others for not securing their stuff.  I found it especially troubling that he encouraged people to try to hack into the aircraft network when on airline flights featuring inflight wifi.  Incidentally, if you were in this talk some of the things he encouraged people to do won't work (thankfully).  Without going into detail, I have done some work in the aerospace industry, and that's all I'm going to say about that.

Thursday night there were a couple of free sessions open to the public at GrrCON at Night.  Initially I was hoping to attend this event, but alas my students all had to return to the hotel and do homework for much of the night because some of there other professors were not quite willing to let them turn in work next week.  Hopefully these professors will be a bit tolerant of students who turned in work a few minutes or hours late due to some really slow and unstable Internet at our cheap hotel.

Friday morning started off strong with a presentation by Kevin Mitnick (@kevinmitnick).  I'm guessing that most of the people reading this know who Kevin is.  If you don't know the story you can buy Kevin's latest book "Ghost in the Wires" which was also the title of his talk.  Kevin was available for a bit for those wanted to get a book (or GrrCON badge or iPhone) signed by him.  I have read Kevin's latest book and found it very interesting.  Along with many of you reading this I supported the whole "Free Kevin" movement during his not quite legal incarceration.  Kevin is a great story teller and it is worth listening to him tell his story in person if you have the opportunity even if you have read his book.  Little does he know that he dodged a bullet that day.  He was going to be a central figure in an epic "event" (dare I say prank) that had been planned over many months that was called off at the last minute because of an unrelated tragedy the previous evening.  I did have the opportunity to thank Kevin for opening for me as I was on right after him talking about The Deck, a full penetration testing and forensics Linux distro I developed that runs on the BeagleBoard/BeagleBone.   

Speaking of my talk on The Deck, I had a good time presenting it.  I was really proud of myself finishing right at 50 minutes in time for questions.  Then when I thought I was done someone asked me about USB impersonators and it took me a couple minutes to pull up part of my DEFCON XX presentation.  Between picking up my considerable collection of equipment and people rushing the stage with questions as I was packing up I ended up about a minute late getting off the stage.  My apologies to the next speakers.  I ended up missing their talk while I sat out in the lobby really packing my stuff and answering some questions.  The Deck debuted in London two weeks ago and this was the first time I spoke about it in the US.

After lunch I attended a great talk on social engineering over the phone by Chris Silvers from Foundstone.  Chris' talk was both informative and entertaining.  As someone who lived in Atlanta for 11 years, it was good to hear the story behind an interesting law in the nearby town of Kennesaw (they require residents to own firearms and strangely have the lowest crime rate in the state).  GrrCON featured quite a few social engineering talks.  I found it refreshing that the organizers chose so many talks in this important area.  It seems like lots of cons with over emphasize talks on 0days and other stuff that while sexy and cool doesn't really do much for your average infosec person in terms of their daily work.

Following Chris' talk I finally got to hear Arron Finnon (@f1nux) speak.  Like Gavin, Arron is also from Dundee, Scotland and attended University of Abertay.  I have seen recorded talks from Arron, but before GrrCON I had never heard him live.  Arron is known for his work with IDS/IPS.  Arron spoke on false positive abuse.  Lots of good stuff in his talk and it was well presented. I resisted the temptation to ask him how he got into security during the Q&A session at the end of his talk.  As some of you may know, Arron is a podcaster and this is a standard question he asks all guests. Take note that Arron is working on something new and he needs your help.  He is launching OSNIF the Open Source Network Intrusion Framework.  If you are working with IDS/IPS you should consider getting involved with this new organization.  In a nutshell OSNIF could be the OWASP of IDS/IPS, but only if you help make it happen.  The project website is at

The last talk I attended was by "Duncan Manuts" and was about certifications.  This lighthearted talk discussed some of the more common certs (CISSP and CEH were most discussed).  Was it ranty?  Of course it was.  Did he bring up some valid issues and concerns? Yes.  There has been a push to reform (ISC)2 recently.  As part of this grassroots effort Wim Remes was elected to the board last year.  This year 2 other not-so-big-corporate-types are on the ballot.  If you are an (ISC)2 member you might want to consider voting for them.

As always happens in a multi-track con, I was unable to attend every talk, so don't take offense if you spoke and your talk isn't listed here.  I received many good reports from my students who attended different talks.  None of my students complained about any bad talks.

Overall Feel
I would say that GrrCON felt like a family con.  What do I mean by that?  True Chris Payne, one of the founders, is married to Jaime who is the marketing director, and their 8 year old daughter also worked during the first day of the con.  That isn't what I mean by a family con, however.  What I mean by family con is that this con felt like it was put on by a mom & pop shop and not some huge corporation.  Being somewhat of a regional con it seemed like many attendees knew each other which contributed to the family feel.  I would also feel comfortable taking my 7 year old to this con.  The same couldn't be said about many security cons.

There were some really good talks at this con.  A con is much more than presentations, however.  All of the speakers were approachable and there was a lot of "hallway con" going on in the solutions area and the lobby.  I ran into several people who wanted to help me advance our field in various ways back here in Iowa.  In other words, they made unsolicited offers to help me do good things here that don't benefit them in any direct way.  This is not uncommon in the friendly world of infosec, but I did feel that this level of community was a tad higher at GrrCON than what I would normally expect.  The staff were all very friendly.

GrrCON is unique.  Every con is a little different.  In the case of GrrCON I don't feel as if I can point at another con and say that GrrCON is trying to be just like it.  It really is a unique con.  The two main questions for me when looking at any con are: do you feel that you got a good value? and would you come back?  I definitely feel that my students got a great value.  It isn't really fair to use student tickets to answer the value question, however.  That said, I would consider $115 for regular admission and $280 for VIP tickets to be a good value for a 2-day con with quality presentations, workshops, free lunches, competitions, lockpick village, free t-shirts, and free beer. 

Do I plan on coming back next year?  You bet!  Ultimately it is up to my students whether or not they attend any con as a club, but I suspect that everyone who is still at the university next year will tell everyone else why they want to do GrrCON 2013.  Many of these students (including the guy who won a set of lock picks) just started college a few weeks.  A few said they had trouble following some of the talks because of this.  The exciting thing is that GrrCON has inspired them to do some investigation into various infosec topics so they will get even more out of next year's con.

Cross-posted from

Possibly Related Articles:
IDS/IDP Security Awareness General Impersonation
Information Security
Training Information Security Infosec GrrCON
Post Rating I Like this!
Jim Palazzolo Bah! You forgot to mention the speaker get together on Wed night!

Epic =)

Nice meeting you Phil - Hopefully see you next year or sometime soon.
Philip Polstra Jim, you are right I didn't mention it. Not because it wasn't epic, but because I wanted to write a review for potential attendees. I really enjoyed meeting the other speakers and staff. My group was the first to leave and we blasted down the road solely for making it in time for the speaker dinner.

The speaker dinner was awesome and the GrrCON staff were excellent about how they treated speakers. I wouldn't discourage anyone from submitting to next year's GrrCON.

I didn't mention it here, but I challenged my university students to think about something they could research and become experts in to present at cons, including GrrCON, next year.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.