
ZeroNights'2013 - Conference Report


On November 7-8, Moscow hosted ZeroNights, a conference on practical security, for the third time.

And, you know, I would rather not describe everything in the usual Habr format: look how cool it was, what cool people we gathered, and here are assorted flattering photos! I think such reports are needed mainly by those who were not at the event, so that, having read one, they can take away something useful and decide whether they want to come to ZeroNights next year. So I will use the time well: I will tell what those readers really need, so that they take away something useful rather than read yet another piece of marketing hype. But I will still insert the pictures.

1. Intro


I was a participant and an ordinary visitor at ZeroNights 0x01, and at the latest ZN I was a speaker and co-organizer. What is ZeroNights in general? In Russia, and indeed in the whole CIS, you can count on your fingers the conferences that deal with the technical rather than the paper aspects of security. ZeroNights is a bright representative of such conferences. The first ZN was held in St. Petersburg and lasted 1 day. The second and third were held in Moscow and lasted 2 days.

2. ZeroNights 2013


2.1 Get a ticket

To get to ZeroNights, you need to either buy a ticket (for students the price is ~1500 rubles) or win an invite in our annual HackQuest. This year the HackQuest format was as follows: 1 week, with one task per day, each open for 24 hours. Whoever solves it first gets an invite. There was an escape from a Python sandbox, and reverse engineering, and web, and intelligence gathering. The archive of tasks is available here.
And if you become a speaker, the entrance will of course be free. That applies even to FastTrack, where you get only 10-15 minutes to talk about some amusing piece of research, a bug you found, or a new approach to old attack vectors. So be sure to think about taking part in the CFP next year.

Image: Main hall

Move forward

Having picked from the program what we would like to visit, looked through the list of speakers, and, if necessary, bought tickets and found a place to stay, we head to the conference.

The conference includes:


Having tried to set priorities for where to go (it quite rarely turns out that you actually follow them), we come to registration.

2.2 First day of the conference

After registering and receiving a badge (and also, if desired, the ClubMate drink), we begin to look around.

Image: Anton Karpov brings joy to BugHunters

The day began with opening remarks by the organizers and sponsors in the common room. Yandex talked about innovations in its BugBounty program (increased payments, a personal project for bug hunters), followed by Rafal Wojtczuk's keynote on virtualization. Next came a short break, and then the talks split into 2 tracks. I did not attend many talks; one of those I did attend on the first day was about rounding in banks: a bug that is a hundred years old and still works. But the talk was interesting because the author also made an OTP recognition device :) And, what's more, it turned out that it works in some Russian bank! I attended the entire workshop on HTML5 (in)security and learned a lot.

In parallel there were contests (for example, from Kaspersky Lab: write-ups one and two), a PentestIT lab, which they described in detail on their blog, and other talks that I did not get to (except for HART (in)security by my colleague dark_k3y).

And, of course, Hardware Village!


HackRF and BladeRF were a hit! Some participants even took one home at the end of the competition, which involved transmitting a special packet.

Image: Transmitter from the Hardware Village competition

2.3 Second day

The second day brought the keynote by Gregor Kopf on the state of cryptography and why you should not reinvent the wheel, the continuation of the workshops, and the start of the fast track! The fast track is a section of 15-minute talks, and it is very popular, since in such a short time you can learn a lot, and all of it to the point!


In parallel, the participants had fun as they could. For example, running Kali Linux on the Qiwi terminal:


Others spoofed the network and hijacked accounts (some people saw other people's Google accounts on certain screens).

So it pays to be careful when attending a conference.

Everything ended with a "battle": OpenSource vs Microsoft. The format was as follows: both sides are introduced, then the organizers ask each of them some tricky questions, with 5 minutes per answer. After that comes cross-discussion. Quite a show :) The recording can be downloaded here - 2013.zeronights.ru/includes/docs/zvuk.rar

For me, ZeroNights was also a great opportunity to meet in person everyone I had long known only via Twitter / Skype.

3. ZeroNights 2014


Of course, we are waiting for everyone, both those who came and those who did not! This year there were excellent talks, but there were also organizational problems. So I want to finish the article by quoting the CEO of our company, Ilya Medvedovsky:
What do you want to change or improve, what are your plans for the future?

Organization. In Russia, it is objectively difficult to organize a budget conference for 1,000 or more people. In Moscow, there is a problem with the rooms and everything is very expensive. Luxury rooms and catering are outside of our concept and budget. We are positioning this event as a budget one; we want young people and students to come here, so we try to set the most budget-friendly prices, and we have a very democratic organization.

Of course, we will work on organizational issues. Next year we will have a new professional organizer plus a separate supervisor from our side. We will let you know about the new organizer as soon as possible, and we promise to do everything we can to improve the level of the organization in 2014.

I can say with confidence that the next ZeroNights 2014 will be no less interesting in terms of content and much better organized, primarily in terms of various small details; plus we and our new partners will prepare a number of interesting surprises. According to our forecasts, about 1,500 people will attend it in 2014. We will be glad to see everyone as visitors, and if you have interesting world-class research, we are waiting for you as speakers!

References:

Source: https://habr.com/ru/post/205840/

