THOTCON 8 Talk: How to Doxx 60,000 Students, and the 6 cons I went to
It’s halfway through a busy year! I’ve done six or seven cons and con-like events, depending on how you count “con-like event”. Boilermake in January, RIP9 and Cyphercon 2.0 in March, ISUCDC in April, Thotcon 0x8 and ACEN in May, and Circle City Con 4.0 in June. Overall, they went super well, though, for rather different reasons.
This year, I’ve been killing myself a bit between classwork and going to… more con{ventions,ferences} than anyone rightfully should during college. It’s great.
It’s 6am and I’m still awake, so I’m logging everything here as part of my todo-list item of “finish post-thotcon cleanup”. 50 days later. I’m almost back in control of my life, I promise!
January: Boilermake
We made VR-DDR. It was great. I had a blast, but also didn’t sleep. My teammates were amazing and we made something really cool.
I still dislike hackathons, though: encouraging unhealthy sleeping/eating habits for young programmers is awful. I only went this time because I had the idea in mind and I wanted to visit Purdue friends. I ended up meeting Purdue’s Music Game Club and making a buncha friends there, in addition to seeing old friends, so it was an excellent weekend.
Next time, though, I think I’m just going to hang out with friends the entire weekend. Far less physically taxing than trying to code for 36 hours straight.
March: RIP9 and Cyphercon 2.0
Rumble in the Prairie 9
I help run a dance game tournament thing at UIUC. It’s an incredible experience, even though I need about two full days of sleep after it. I love the game and I love the people (even though I don’t get to hang out with them AT ALL during the tournament). My life has been improved in countless ways since I started hanging out in this community.
This was the 9th installment of the tournament, and we had the club’s founder come back, which was incredible. I’m really excited for next year, which’ll mark the ten year anniversary. I have plans.
Also. This. We made “gaming news” because Spooty/Ryan Uchima made an incredible thing. Racked up something like 15k views in the first two days.
Cyphercon 2.0
So, the weekend following the life-giving/life-draining tournament, I went to another con!
It was my first time in Milwaukee. We drove up a day early and bummed around the city for a bit, and then went to the con venue, Discovery World, and won the CTF. Lifetime badge, ho! This con falls solidly in “focused too hard on the CTF and can’t remember anything else”. But since I’ll have a free badge for next year, yo.
April: ISUCDC & UIUCTF
ISUCDC
I went to ISU and made high schoolers cry. We volunteered to redteam a high school cyber defense competition. It was fun. I knocked out Minecraft servers like it was nobody’s business: with the remote administration password and a looping shell script. One team got around me, though: they downloaded another copy of Minecraft’s server software, and ran it with the default config files, meaning I couldn’t remote in. I think they won first place, actually.
I futzed some with metasploit, but didn’t really get a chance to use it for real against them — we hopelessly backdoored their systems ahead of time, and just used the passwords we had to do mean things like rm -rf * or mess with their networking configs. It was a fun adventure in being the shitty sysadmin from hell, though! If I help out again next year, I think I’ll try to use it as an excuse to pick up some metasploit skills and legitimately hack the kiddos.
UIUCTF
Sigpwny ran a Taylor Swift-themed CTF. During ISUCDC, we designed some awful CTF challenges involving SecondLife and Stepmania. I’m not super proud of my challenge, which was basically a crappy encoding problem - it didn’t require much more than staring at the data, but I have plans for next year’s, which I think should be a spiritual successor and make for a much more interesting challenge.
The SecondLife Challenge was amazing, though. We called it “Sleet Bump - like Snow Crash, but shittier”. Sadly, it doesn’t look like anyone’s written it up, so here’s the premise. We gave players a link - blac.ksun.club. It returns a random lyric out of some Taylor Swift song. Examining the HTTP headers shows a link back to lindenlabs.com - the creators of SecondLife - as well as a coordinate and the name of a location in-game. Players would have to download the SecondLife client and navigate there in the world, where they’d find a black pyramid reminiscent of the Black Sun Club from Snow Crash. Inside, there were three “programming” challenges involving SecondLife’s proprietary scripting language.
We’re awful human beings, we know.
Lastly, this. We asked the queen of infosec to tweet a flag, and she graciously obliged.
May: Thotcon 0x8 & ACEN
Thotcon 0x8
Thotcon happens the weekend before UIUC finals, which is a great excuse to not study for finals. Some of our students actually do have finals on the Friday of, and have to travel back or skip the con entirely, boo. I lucked out this year, between having only two finals and having them the following week.
This year, I gave a talk with an ISU friend, Adam Ringwood. It was an exciting experience, to say the least, if not an exhausting one.
I decided I wanted to submit to the CFP last Thotcon, when two of my friends gave a talk. The following (fall) semester, I took an awesome class, “Communicating Public Policy” with Grace Giorgio, which enabled me to spend part of the semester digging into the school’s directory software, LDAP.
We titled it “Doxxing 60K Students: Student Privacy at Illinois Universities”. I don’t really want to go into details here (you can see our abstract on Thotcon’s site or ask me for our slides), but the gist of it was that our universities leak a substantial amonut of student PII through the student directories. There are easy-to-implement fixes, and other universities certainly have the same problem.
If you’re a university student who wants to try to do an infosec project, investigating your student directory is a great one to start with. If you’re an IT/security professional at a business or school that uses an LDAP server as its directory, you should definitely take a look at what sorts of PII you might be leaking. I’d be happy to help — just shoot me a twitter DM or something.
I did Model UN through high school, so I’ve done presentations in front of large crowds (700+), but never for a duration longer than ten minutes, or with anywhere near as much preparation/anticipation as we put into this talk. I came off the stage drained and had to take it easy the rest of the con. I even skipped the afterparty!
I survived the rest of my finals and projects, but I was so exhausted and… dare I say, busy, that I didn’t get around to writing about the experience until now, almost two months later. My biggest regret from last Thotcon/Cyphercon was spending too much time playing CTF (to be fair, we won both) and I wanted to avoid that this time around. I didn’t really succeed in having a relaxing con experience with Thotcon, though, but I still got to catch up with friends and make new ones, so I did enjoy the con.
Anime Central
I don’t care as much for anime cons as I did in high school, but I get free badges some years because a friend of a friend works at the convention center. It’s good to catch up with high school friends, buy nerdy gifts for friends, buy prints from artists, and memorize more of the Rosemont Convention Center’s layout. This year was the first I had a hotel room, which was most excellent and very relaxing.
One thing that does keep me coming back to anime cons is that they attract dance gamers. I usually bump into friends I don’t see elsewhere, and meet new ones. Tokyo Attack’s ITG cab is kinda dumpy, though, which is a disappointment.
Oh, highlight, though: I took 4th place in the con DDR tournament! Which is ridiculous, I’m nowhere near as good as the other players. I just cheesed my opponent by picking a song with shock arrows. Sorry, Antoine!
Around here I took a whole week off to play something like 40 hours of Breath of the Wild. It’s an excellent game.
June: Circle City Con 4.0
I brought one of my oldest friends along for the ride, and focused on having fun and being social. I actually went to talks. A whole two! That’s more talks than I’ve ever been to at any one con!
I met up with a lot of friends, and met lots of new people! Indianapolis is pretty, for a swing state :}
I liked that there was a con theme - Camp Circle City. Merit badges were fun to get and I didn’t go crazy trying to collect them all.
Perhaps my favorite part about CCC was how relaxed it was compared to Thotcon and Cyphercon. The fact that it’s in a hotel helps, but I really appreciated that the con was small and friendly. Family-friendly, too: there was a sign on the Hak4Kidz room: “UNATTENDED CHILDREN WILL BE GIVEN RED BULL AND ACCESS TO THAT ACCOUNT”. I think it’s really valuable to keep conferences accessible to younger people, because they’re a big part of what initially drew me into the security community. I’m glad to see that in CCC.
Looking Back & Planning Ahead
So! It’s been a pretty busy year — I’ve been doing a LOT… I even passed all my classes! Haha. Well, I normally do that. But I did get the best grades I’ve gotten yet in college, so that was a relief, especially since I took operating systems this semester, ECE391. It’s quite an intense class — I think I pulled something like 8 all-nighters for it, alone? Some days I wish I’d get my shit together and actually start deadlines earlier, but when I’m out of town basically once a month for some fun event, it’s not exactly easy. I don’t regret it.
This was a very taxing semester. I dealt with a death in the immediate family, a rude romantic rejection, an awful roommate, and the whole president thing, on top of all these cons and what is probably the most difficult class I will ever take. I’m pretty frustrated with a lot of my friends right now, but I realize that it’s largely frustration on my part — that is, not necessarily that they’re doing something wrong so much as I’m not super patient with them/it’s my fault, or bad circumstances driving crappy situations out of our control.
That being said, I’m lucky to be in college, I’m lucky to have the friends and family that I do, and I’m lucky to have the ability to travel as much as I do.
My goal for the summer was to take it easy — I opted against taking a class — but I’m doing an awful job of it… I’m trying to complete a cool research project by the end of July, when I’m planning on heading to my first DEF CON, and then a dance game event, UKSRT, the week after. I’m super excited! Now, if only I could start going to bed at sane hours instead of staying up late writing blog posts, then I think I’d be set :^)