Kiwicon's a big, important regional security conference that most people won't have heard of. This is a shame in many ways, although looking around the motley crew of attendees it's clear that they'd be challenging people, with a Low Acceptance Factor in more conservative environments.
The LAF extends to infosec researchers' work. Things have got better, and more insightful tech companies accept vulnerability reports and handsomely reward researchers who find bugs in their products and services - and disclose them responsibly so that they can be fixed before they're exploited.
Nevertheless, researchers are still likely to receive legal letters from companies who take their work the wrong way. Thanks to ambiguous and overly broad computer security laws everywhere in the world, there's always the chance of early morning fun for researchers as cops kick in their doors and take them away to holding cell parties to await lengthy trials on matters the authorities often don't understand.
That's one reason why many use pseudonymous nicknames like Metlstorm, bogan, sput, moloch and mandatory, as attention around their work is a two-edged sword.
There are definitely shades of grey to many people in the cyber security industry.
One of the conference organisers joked about the infamous Rawshark being in attendance, knowing full well that the police might take it seriously and come and visit.
Rawshark is the undisputed Master of Operational Security, along with mysterious AI botherder and spammer turned good, Bismillah, who was rumoured to be at Kiwicon too.
On a serious note, infosec remains a male-dominated field. It has been tarnished by sexual misconduct against women, especially during conferences and events. That's unacceptable and the Kiwicon organisers sought to crack down on such rubbish behaviour and to ensure everyone felt safe and comfortable.
"Don't be an asterisk-hole," summarises Kiwicon's code of conduct. Everyone seemed to follow that, creating a respectful and relaxed atmosphere mixed with a cheesy 90s cyberpunk theme that the younger folks tapped into, much to the surprise of the old folks arranging the conference.
Yes, the first generations of infosec practitioners have grown up. Mike Forbes and Adam Boileau said that between them and the other Kiwicon organisers, they have 15 kids, which is way more than in 2007 when the conference started.
Instead of leaving it at that, Kiwicon ran a day-long Kuracon programme for kids that was staffed by volunteers. I brought two children who were taught lock-picking, coding basics, building little electronic robots, and taking apart old computer gear. Kuracon is a fantastic initiative that other conference organisers should copy.
Unwrapping the hacker-proof tinfoil from my devices after the conference, the takeaway from Kiwicon is just how tenacious researchers are. They'll spend weeks cracking problems that other people give up on in a day or two. Black hat hackers do the same. Since IT is part of everyone's life now, that's a great reminder of how insecure it can be, and why we need security researchers.
My thoughts and thanks (don't do prayers) go to the hardworking volunteers who have been organising Kiwicon over the years. They took a breather last year, but here's hoping they'll recharge for 2019.