2023 in Review - DEFCON, CVEs, and Life

What is time, anyway?

2023 is at an end, and my posts to this blog have been few and far between this year. Fortunately, this isn’t a reflection of having a lack of things to do but perhaps the opposite. Please enjoy this highlight reel of “fun” things that 2023 has brought…

I spoke at a few conferences

One of my personal goals this year was to submit to a few CFPs (Call for Papers) for various security-related conferences after getting back into public speaking in some capacity with BSides Ottawa in 2022.

Astonishingly, several conferences accepted my submissions.

I had a chance to speak at NorthSec 2023 and DEFCON 31’s AppSec Village. In both cases these talks were focused on what I do for a living right now - helping to run a large Bug Bounty program at GitHub.

More interesting than the talks, personally, was just the added reason to attend these conferences. The quality and depth of content at NorthSec blew me away and I’m really looking forward to attending in 2024 (and am trying to come up with a CFP submission…). DEFCON is always a blast, though the conference is certainly outgrowing itself - endless lines, but also endlessly interesting talks. I’ve started to look at DEFCON more as an opportunity to meet up with friends and colleagues than as a purely educational experience since so much of the content is available online after and the real treasure is the friends we made along the way. Pro tip - if you’re going to DEFCON and don’t enjoy the chaos of casino hotels check out the Westin just off the strip (across from Bally’s/Horseshoe).

I found some vulnerabilities and got some CVEs credited to me

While these bugs were nothing too exciting, the learning that came with finding and exploiting them was an absolute blast. You can read about the findings, exploits, and remediation in my post on GitHub’s Security blog.

More broadly this was an opportunity to formally collaborate and “intern” with GitHub’s Security Lab team. While I’m not sure security research is something I’d want to do for a full time job, it was absolutely eye opening in terms of unknown unknowns for me and really reignited my desire to dig deeper into appsec in general.

Going into 2024 I’m going to be focusing a lot more time in this space, moving a bit away from operational focus and more into the bug hunting/fixing side of the house.

I spent a lot of time doing CTFs

Whether it was a casual day at NorthSec, a public event with HackTheBox, internal CTF events (shoutout in particular to the team at MetaCTF, or creating challenges for Ekoparty 2023 I really continue to enjoy this space.

Not only are CTF challenges a fun brain teaser, they really compound over time into what you could consider to be actual “training”. Bluntly, I’ve learned more about webapp and Linux vulnerabilities and exploitation from CTFs than from years of actually working in the space.

There’s no equivalent to being really hands-on finding these vulnerabilities and building exploits for them. Looking forward to more of this in 2024 to align with other learning goals.

Home lab

I haven’t upgraded anything significant in the lab since the last update, however the home network has grown a bit with the addition of some WiFi 6 APs, an outdoor AP for the backyard, MoCa adapters addressing my in-wall wiring issues, and a really bad PoE switch that needs replacement. 2024 will probably bring a switch replacement, but otherwise I’m reasonably happy with the network at this point. Full coverage everywhere in and around my house! I even have my garage wired up for LAN… I just need to find some other degenerates who are still interested in LAN parties.

The “lab” machine itself is still going strong, though it’s really in need of an upgrade. 8 threads & 32GB of RAM is sufficient for any and all of the services I’m running (and want to run), but limits are hit incredibly quickly when I start running VMs or poking at larger applications that I want to run either for personal usage or research purposes.

I think a proper server is in the books for 2024… 32 threads and 128GB of RAM perhaps? I’m not interested in digging to deeply into hypervisor tech so it’ll probably just be a single Proxmox node with a mix of NVMe & SATA SSD storage. I think the spinning rust can stay in the NAS. We’ll see what the budget allows!

Beyond that, everything is still (loosely) managed with Ansible, though part of the project planned above is to dig deeper (again) into Terraform/OpenTofu and other tech to make spinning up VMs on demand easier.

That’s a wrap!

2023 has been fun, but certainly not without its stress. Stress == Growth, though, so it all works out.

Here’s to hoping 2024 brings more of the same!