Security Fest 2024

Posted on Jun 2, 2024


Introduction

This blog is usually about technical matters within the cyber security arena. But now and then I feel like sharing nontechnical stuff that still matters within this context. Now is one of these times. I recently attended the Swedish conference Security Fest and thought I’d share my impressions.

I covered Security Fest back in 2022 when I did a post about some of the major conferences abroad and in Sweden. As far as I remember that was the year when everything started up again after Covid. Since then I have not been back to Defcon or BSides, finding them rather disappointing. I still have been going to SEC-T and Security Fest since they both are here in Sweden.

None of these conferences really changed up until now. I found it refreshing that the Security Fest conference has evolved in a direction I really like. I have to say that they made major improvements in almost every part possible. And that’s why I decided to write a small summary of my impressions.

Registration

The process of registration has always been easy with this conference. Last year there was a problem with the t-shirts that arrived late and I never got one. I still found this year’s registration process an improvement. I heard that there was a queue outside the block but you know, when many people enter a building at the same time…

This was like a Defcon-registration in nano-format, very well organized. After one of the goons has validated the QR-code on your ticket you enter a room with a few stations. First of all you pick up your badge.


To be able to carry this beauty around your neck you need a lanyard. You got an information mail a day before the conference telling you that the color of the lanyard was going to decide where you had lunch. Once again this information was repeated when you entered the room.


Anyone with food restrictions should pick the color green. You could argue that I’m a grumpy old man caring about tiny details like this. BUT this is what shows signs of very good organization. I’m sure if our company had missed this information, all of us would have picked different colors (being morons) and ended up eating in different rooms, pissed off and telling the world.

Now with a badge hanging from your neck you take a few steps further and get your hands on the sponsor goodie bag. We all need more stickers for our beloved laptops so this is always welcome. And from the years before I know there will be drink tickets inside. Yummy.


I guess we can see here who the main sponsor of this event is. We got stickers, mouse pad, Mullvad VPN voucher and so on. There was also some candy, a can of CTF-juice (energy drink), some drink tickets and fluid replacement in the bag. As you can see all of that last stuff is missing here. I have no idea what happened… :)


I actually did not look that much inside it at the conference but waited until I got home. One of the stickers stood out as it was mocking a major Swedish/Finnish company. They did an epic security clusterfuck recently and earned this so hard. There’s so much to say about this but… The guy who did this… you are awesome!!! And the balls of putting that sticker in the bag. I LOVE IT.

Last but not least, pick a size and get a t-shirt.


This year I got my hands on the conference t-shirt so that’s a major improvement from last year :) We all wear that black hacker shirt all year around and they all get washed out so filling up the wardrobe again is essential.

It’s all over in 3 minutes. Well, I stayed at the hotel so I did not have to queue around the block but anyway, this process is flawless as far as I can see and I’m old enough to care about these things.


The venue


Security Fest moved to the city center of Gothenburg and is now being held at Elite Park Avenue hotel. The conference used to be held at Eriksbergshallen. When people are traveling a few hours to Gothenburg they need to arrive one day ahead of the event. All you want to do then is go out and have a nice dinner with your friends. That was kind of a pain with the other location since it was quite a taxi drive from the central station. This is not a problem anymore, we had a really good taco dinner at Puta Madre on the day of arrival.


Another thing that was kind of annoying with the old location was the lack of places to sit down with your laptop. There used to be a large conference hall and then if you wanted to sit down and do the CTF you had to move back to the hotel lobby and there you got a bit isolated and missed meeting up with the conference people.

This has completely changed with this new venue. Everything is located on one floor and there is plenty of space to sit down. There was even a hardware village where you could sit down and solder your badge.


The hall where all the talks are held is spacious and comfortable. It’s a bit wide but two large screens made that a non-problem. Here you can see the hall from the perspective of the keynote speaker Jim Manico.


I would say this venue is about perfect. Downstairs, you can find the hotel bar if you want to have a drink and some peace for a while. They serve shitty beer like all hotels do but neighboring the hotel there is the pub Bishops Arms that at least got some craft beer so no problem on that part either.

Really, this change of venue is such an improvement that it makes all the difference. My only worry here is the ability to scale this up, can it be done at this location? But more about that in the summary.

The food

First of all there was a breakfast sandwich and coffee served on both days. Coffee and some kind of snacks were available more or less all over the day.

There is a lunch included in the conference fee on both of the days. As I mentioned before it is now served at different locations depending on your lanyard color. I found this to be perfect. No more endless queues. The choice of food was smart, not everything can be done for hundreds of people. I found both the fish and the meat as good as you can expect.

There is also a dinner included on the first night. I was very impressed by how they managed to change the speaker room into a large dinner hall in 1,5h. That’s professionals at work. The choice of food for the dinner was also smart. You can’t make gourmet shit for hundreds of people so go rather simple with stuff that most people like and do it good.

There were some queues at dinner but nothing extreme. I’m kind of a foodie and rather picky when it comes to these things but there is nothing to complain about here. Doing this for hundreds of people at the same time, this is as good as it gets.

The speakers


Before stating my thing here I just want to say that I liked the keynote speaker this year (Jim Manico) very much. He has the ability to look at things in a broader perspective and find interesting views. That’s the kind of talks I go for nowadays and I leave all the technical stuff for another day. And here is why:

I have totally changed my way of approaching conferences after Covid. It has nothing to do with Covid in itself, rather that something changed after that pause. I used to go to Defcon and could not choose between all the interesting talks. I came out from a few of them with my mind blown. Like this one at Defcon 26 with Christopher Domas, it totally changed me in some ways.

Going to the Swedish conferences you can’t expect to stumble upon that kind of life-changing stuff but I always found one or two interesting talks. That was why I always watched the talks and did not care much about the rest of the conference. But since that Covid pause everything changed for me. Being back at Defcon in 2022 I found ZERO, NONE, NULL, VOID, not a single talk that was interesting.

People were presenting 2-3 years old discoveries and were bragging about how much bounty they received for it. At Defcon they even had this UFO guy that was bat shit crazy and made me leave the room.

I have my theories about why this changed. First of all there are the bounties that introduce quite a delay before information about a new vulnerability comes out. But most of all I think that being a speaker at conferences kind of became a profession. It’s more or less become an influencer thing and it’s not a good thing.

People research for a year and find nothing but they feel that they just have to do that presentation anyway. So they push out totally nonsense stuff over and over again. And then there are a bunch of wannabes that push their luck on to the stage. Yes I know I’m pushing it hard here but this is how I feel.

This does not mean this is true for the talks at Security Fest, it’s just an explanation why I did not see ANYTHING but the keynote speaker so I can’t really say anything about this year’s speakers. Actually some of the talks last year made me a bit angry and pushed me further in the direction of not paying this much attention.

A good thing here is that everything is streamed live.

If you should find something interesting, you could always go and watch it on YouTube afterwards.

That’s a long rant about nothing that had to do with Security Fest 2024. I did watch one talk and can’t really say anything about the rest. But still being able to watch everything at home is great. So I really have no complaints here, I’m just annoyed about the state of the Speaker thing in general.

The CTF

So finally. My favorite thing. I love CTF:s and this year there was the official one and a few more to choose from. SANS and Omegapoint had their own CTF:s that some of the Cybix staff tried.

I had two major complaints about the CTF in the years before. First of all it has always been really hard. A lot of guessing games that make the path to exploitation long. If you haven’t approached that specific topic before it can take days of research to wrap your head around it. Having that kind of stuff in a 30 hour CTF is a bit challenging.

My other complaint was that it was open to everyone and there was nothing that made it an advantage to be participating in the conference. Rather the opposite, it’s way easier to sit at home in silence and focus on the challenges.

At least one of these things changed this year. The introduction of the badge as a part of the CTF is brilliant and makes this CTF an integrated part of the conference. BUT, the badge!!! 2 out of the 5 badges in our company switched on as we attached a battery. We got one of them to work after some heavy soldering over 1,5 day. You could guess this is why:

That is NOT our soldering, but the way the badge looked when we received it. This was the case for all of our 5 badges. I can’t wrap my head around the decision to solder hundreds of badges by hand. As far as I can see that is what’s going on. I am truly impressed with the effort but not that much with the result.

This has to be a decision based on budget. The horror of hand soldering all these badges. Guys I feel your pain. This made the badge part of the CTF a bit hard for us. We only had a few hours left before leaving when we finally got one of our badges to work. But still there were a lot of other categories to choose from.

I did one of the pwn challenges in a few hours while some of us focused on some misc, crypto and web stuff.

After a while all of us ended up trying the same web challenge. We spent 1,5 day trying the same challenge and headaches became a fact. The problem from the years before is still present. The challenges are a bit too hard in general. I have done hundreds of boxes at Hack The Box and most of these challenges would be rated hard there.

I think all these challenges are great, it’s not that. The guys who did them obviously put a lot of effort into making them. And this is the real problem here. When 6 out of 29 challenges have 0 solves!!! It’s such a waste of all the hard work you put in there.

And from another perspective, there’s actually a lot of younger people joining these conferences nowadays. Some are complete nerds and probably solve more stuff than I can, but some are new in this business and I think it would be a good thing to have them involved and doing the CTF. But with this difficulty it’s like hitting a brick wall for many of them.

So here’s my suggestion for upcoming conferences. Why not have one or 2 easy challenges in each category that younger people and first time CTF:ers can solve? Add 2 medium ones and one or two of the hard ones. That way everyone can be involved and not just us old farts. And it could actually be solvable in 30 hours AND all of your hard work designing the challenges would pay off.

In the end we came in at 6th place in the CTF not solving more than a handful of challenges which kind of makes my point. Why put all that work into the challenges when almost no one solves them?

That said, I think that this CTF was much much better than the previous ones. PLEASE PLEASE keep the badge in the CTF for upcoming years. That makes the CTF a real integrated part of the conference and adds some misc stuff that anyone can take part of and some hw-hacking that some of us love.

Summary

First of all…

All my respect to all the people involved. You made such a great conference and you are worth all the respect.

A lot of what I write above is criticism of things that I would like to see improved. That can sound very negative. Don’t misunderstand me here, I do love how this conference is evolving. This was the best Security Fest I have attended. This was the best conference in Sweden that I have attended. The improvements that were made with the new venue are AWESOME!!!!

This puts Security Fest at the forefront of conferences in Sweden in my opinion. It’s all professionally organized in every part. There might be panic and tears behind the scenes to make it all work, I have no idea, but from my perspective this was rather close to 100% perfect and flawless.

Of course there’s the things I mentioned above, but that’s details in all of this. My advice: get a sponsor for soldering the badges at the factory, I’m sure you can find someone willing to help! Tune down the difficulty of a few challenges in the CTF so that more people can get involved. Keep developing the conference in the same way you did this year. Perhaps add another village of some kind and keep the conference evolving.

And that’s my big concern. This conference has the ability to grow and become a thing here in Europe. Personally I would like to see that happen. I love when people do great things and succeed. Can this venue handle growing or do they have to move again then? Do the people involved in this want to see the conference grow? I guess most of the work they put into this is all unpaid and done on precious free time hours. But I have no insight into this, I’m just guessing or “killgissar” like we say in Sweden.

Well I guess we will see what happens next year. As long as I get my hands on a ticket I WILL BE THERE!

/f1rstr3am
