09 March, 2020

Nullcon 2020

An opinion-filled review of Nullcon Goa, 2020

Disclaimer: Political.

This year's conference was at the Taj Hotel and Convention center, Dona Paula, and its associated party at Cidade de Goa, also by Taj. Great choice of venue, perhaps even better than last time. The food was fine, the views were better.

With those things out of the way -- let's talk talks. I think I preferred the panels to the talks -- I enjoy a good, stimulating discussion as opposed to only half-understanding a deeply technical talk -- but that's just me. But there was this one talk that I really enjoyed, perhaps due to its unintended comedic value; I'll get into that later.

The list of panels/talks I attended in order:

Day 1

* Keynote: The Metadata Trap by Micah Lee (Talk)
* Securing the Human Factor (Panel)
* Predicting Danger: Building the Ideal Threat Intelligence Model (Panel)
* Lessons from the Cyber Trenches (Panel)
* Mlw 41#: a new sophisticated loader by APT group TA505 by Alexey Vishnyakov (Talk)
* Taking the guess out of Glitching by Adam Laurie (Talk)
* Keynote: Cybersecurity in India -- Information Asymmetry, Cross Border Threats and National Sovereignty by Saumil Shah (Talk)

Day 2

* Keynote: Crouching hacker, killer robot? Removing fear from cyber-physical security by Stefano Zanero (Talk)
* Supply Chain Security in Critical Infrastructure Systems (Panel)
* Putting it all together: building an iOS jailbreak from scratch by Umang Raghuvanshi (Talk)
* Hack the Law: Protection for Ethical Cyber Security Research in India (Panel)

Re: Closing keynote

I wish I could link the talk, but it hasn't been uploaded just yet. I'll do it once it has.

So, I've a few comments I'd like to make on some of Saumil's statements. He proposed that the security industry trust the user more, and let them make the decisions pertaining to personal security / privacy. Except...that's just not going to happen.
If all users were capable of making good, security-first choices -- we as an industry wouldn't need to exist. But that is unfortunately not the case. Users are dumb. They value convenience and immediacy over security. That's the sad truth of the modern age.

Another thing he proposed was that the Indian Government build our own "Military Grade" and "Consumer Grade" encryption. ...what? A "security professional" suggesting that we roll our own crypto? What even. Oh and, to top it off -- when [1]Raman very rightly countered, saying that the biggest opponent to encryption is the Government, and trusting them to build safe cryptosystems is probably not wise, he responded by saying something to the effect of "Eh, who cares? If they want to backdoor it, let them." Bruh moment.

He also had some interesting things to say about countering disinformation. He said, and I quote, "Join the STFU University". ¿wat? Is that your best solution?

Judging by his profile, and certain other things he said in the talk, it is safe to conclude that his ideals are fairly...nationalistic. I'm not one to police political opinions, I couldn't care less which way you lean, but the statements made in the talk were straight up incorrect.

Closing thoughts

This came out more rant-like than I'd intended. It is also the first blog post where I dip my toes into politics. I've some thoughts on more controversial topics for my next entry. That'll be fun, especially when my follower count starts dropping. LULW.

Saumil, if you ever end up reading this, note that this is not a personal attack. I think you're a cool guy.

Note to the Nullcon organizers: you guys did a fantastic job running the conference despite Corona-chan's best efforts. I'd like to suggest one little thing though -- please VET YOUR SPEAKERS more!

References

1. https://twitter.com/tame_wildcard