We once again made our way to Grand Rapids for our favorite Michigan-based hacker con west of U.S. Route 127! Each year we attend GrrCON, the conversations become less about "What is two-factor authentication?" and more about, "Hey, what's been going on since last year?" -- and we like it that way.
A Cut Above
Having attended something like forty technology events this year, I can certainly say that GrrCON manages to bring a close-knit feeling that other events haven't quite worked out yet. That's not to say those other events aren't fun or informative, just that the people who run GrrCON feel more like they are there to make sure you have a good time than to push you around so they don't have to deal with too many headaches. It's difficult for cons to find a balance between being friendly and keeping the venue intact, while still being able to pull off a second or third year.
This extends past staffing and into the talk selection. The number of local speakers (many from Michigan, and many more from across the Midwest) certainly shows that while GrrCON does attract some "big names" and folks from across the ocean, for many of us it's a chance to catch up with friends and learn without having to die of heatstroke in Vegas at Black Hat or DEF CON.
Part of that experience is being able to see the newest talks said friends and all-around awesome people have to share each year, often content they've given at some of the yearly "big" cons around the world. This is because at GrrCON there's a pretty strict "no diva" policy. This isn't about how awesome any one person is (and when it becomes that, trust me, it's handled by next year), but rather about actually sharing what you know or have done with friends, old and new.
I'll go ahead and say now that my choice in talk selection doesn't always involve the most "polite" titles, but I appreciate a bit of honesty, especially from GrrCON speakers. To that end, a few of my favorite presentations this year were...
Full Douchesclosure by Duncan Manuts
See, I warned you about titles. This "bearded" mystery man who speaks at GrrCON each year does a great job of providing salient points with just enough cursing to make you excited but not annoyed. This year's talk covered vulnerability disclosure with more history than most lengthy "industry" blog posts manage. Further, his level of snark makes you want to love and hate information security at the same time.
His presentation touched on some important points, such as the disparity in bug payouts from some of the largest vendors out there. Google may give you $1337.37 while Cisco probably won't give you a cent. Additionally, there was some talk of the idea of having governments buy and burn bugs. That is to say, if the government has piles of money it likes to waste, why not buy bugs, get people paid, and then disclose them to vendors so patches come out and the 0-day is swallowed up? An interesting idea, at the very least.
If you're new to information security research and wonder what all of the fuss is about with exploit brokers, bug bounties, and gettin' paid, check out Duncan's curse-heavy diatribe that still gets to some important points.
Seeing Purple: Hybrid Security Teams for the Enterprise by Mark Kitka
Mark is a good buddy of mine and has made quite a career for himself over the past couple of years. Part of that growth has been due to his focus on the concept of "purple team". Whereas most infosec pros think in terms of red (offensive) and blue (defensive), purple team is about blending those skill sets and focuses. Unlike other talks on the subject, Mark does a great job of giving actual examples of what purple team ideals can bring to a team and the outcomes of doing so. Real-life experience paired with progressive thinking around security methodology -- you've got to appreciate that.
Mark's talk has the flow all of us want, with content that engages. Oh, and he was so bold as to create purple slides with green text... that's just leet.
$#!T My Industry Says... by Kellman Meghu
I first saw Kellman speak at another feels-like-home conference, AtlSecCon. He's got amazing stage presence and is one of the more personable speakers you will ever witness. Through digital-whiteboard-fu, solid Google Image Search, and great narration, Kellman will give you some thoughts on software-defined networking that you'll actually want to hear.
If you're looking for an entertaining look at where infosec is at and where it's going, watch this session -- you will not be disappointed.
Sadly, I don't have a video to link for this one. Henry Rollins, the man you know from film, TV, and Black Flag, gave a two-hour spoken word performance to the unworthy souls of GrrCON. I've always thought Rollins was a cool dude, but this was beyond amazing. If you have ever thought you "knew" someone based on what they have done or what you've heard, Henry Rollins throws all of that down the toilet and flushes -- twice. A brilliant, funny, self-deprecating, and sensitive guy, Henry Rollins definitely had the undivided attention of everyone in the room.
While I definitely had fun at GrrCON, met some new friends, and enjoyed time with the Duo Security team, Henry was honestly a firm highlight in my mind. If you ever get the chance to see him perform live, it's well worth the time for the experience you will have.
Don't Miss Out Next Year
I know some of you are going to read this and go, "Cool, another con I don't have time for!" but you're missing out, trust me. As someone who travels way too much and sees a lot of cons in action, I can honestly say GrrCON is in my top 5 every year, without question.
We hope you all had a chance to come by the booth, say hello to the team, enjoy some laughs, and gain some knowledge. Duo Security is always humbled by how much love you show us and we can't tell you what it means when you come up to us and tell us how much you love our service. We love you, too.
I'll see you all next year. (Notice how that's a statement, and not a question? :P)