Copyright 2005 Nizar Diamond Ali
Dawn Sci-Tech World
8 January, 2005
SECTION: Hacking
HEADLINE: "Survival of the fittest?"
BYLINE: Nizar Diamond Ali
URL: (may go obsolete)
BODY:

Security has almost always been taken for granted in the corporate jungle -- it's only recently that awareness has arisen in organizations, and they are now moving towards securing their networks and data. One of the key factors contributing to the lack of knowledge and interest in this area is exposure -- exposure to threats and vulnerabilities -- along with the lack of forums to discuss the issue. To fill this gap, the Pakistan Cyber Security Convention (Pak Con) was held in Karachi on December 22-23.

The two-day convention had a plethora of security and related stuff under one roof -- briefings and hacking competitions ran side by side in this first-of-its-kind event in Pakistan.

So where did the idea come from? A young security expert (a security consultant by profession) gathered a team of dynamic students and enthusiasts working as volunteers, who worked day and night to make this event possible. Originally named "the Hacking Convention", the event was kept low-profile by the organizers in a bid to ensure the presence of select groups and not script-kiddies.

The event was more than a methodical monologue followed by the jotting down of important issues. One could see Karachi's hacking elite going head-to-head with their arsenal of Linux builds, personal zero-days and exploit CDs, trying to outdo one another and to learn a thing or two in the process. The hacking competitions (including those of wireless hacking) were mind-blowing, to say the least.

A few things about the speakers must be mentioned here. To diversify the ethnicity of speakers and to bring forward issues from different perspectives, two international speakers were invited. Unfortunately, however, one of them never turned up, whereas the other gave a very lengthy speech -- and that was a bit generic for an event as specific as Pak Con.
Nonetheless, it was highly appreciated.

When local speakers gave their presentations, the participants seemed very interested in listening to what they had to say and asked them a number of questions. It was heartening to see that the discussion was more like a meeting than a speaker-listener interaction. Since the attendees were trained and qualified professionals, the speakers felt at home discussing technical issues with their hard-to-read slides.

There was also a lawyer who spoke about the Electronic Transaction Ordinance, 2002, providing much-needed information on the subject and adding to the learning value of the convention. Also, a consultant shared his experience of fending off hackers, while another professional discussed the ways used to gain substantial network information. A local security startup's founder discussed the definitions and intricacies of cryptography methods.

On the second day, secure application development, DoS attacks, spam, the Pakistan Honeynet Project (for analyzing network attacks and the motives of the Black Hat community), wireless security, detection of operating systems, the Metasploit framework, and ways to secure a PC were highlighted by security experts and researchers.

This healthy trend, evident from the interest taken in matters of security, was greatly acknowledged and appreciated by attendees, who admitted that the concept of security did not exist five years ago.

This scribe also got an opportunity to have a few words with the organizer of this event, Faiz Ahmed Shuja. When asked what the purpose of the convention was, Faiz explained, "Its purpose was to bring to light the issues related to information security and create awareness among the IT community as well as the masses.

"The greatest cause of concern for Pak Con is the lack of focus and negligence towards information security issues in Pakistan in the IT sector at the higher levels.
The mainstream media which has started to cover such activities has still not been able to give adequate coverage to computer security issues. This is the reason that we have come forward to fulfill all inadequacies in this field. This was the first initiative of its kind in Pakistan, and there is still a long way to go."

When this scribe asked how Faiz managed to invite international speakers, he replied, "We did a call for papers for Pak Con on international information security communities. Many international researchers showed interest in speaking at Pak Con, which was very encouraging for us. Other foreign speakers were also expected but they could not attend it due to unavoidable circumstances. However, you will get a chance to listen to them at Pak Con 2005."

Elaborating on any shortcomings that needed to be dealt with, he said, "Dedicated and motivated volunteers organized Pak Con 2004. We have learned a lot from the mistakes and plan to improve them. I believe we could have done better in marketing and sponsor areas; techies are always bad at this. Thus, we need folks related to marketing and sponsors, who can plan much better for Pak Con 2005."

About the participants' response, Faiz remarked, "The participants really liked the selection of papers and were impressed with the level of knowledge present in discussions. They really applauded the efforts that made Pak Con 2004 possible and are looking forward to attending Pak Con 2005."

On running hacking tracks, Faiz said, "Our strategy is of a bold nature; instead of hiding our face from circumstance, we are willing to confront all dangers facing the IT community and provide them definite resolutions. The reason for running hacking tracks was to give an idea about the motives and tactics of hackers, how they get into network, what they do after breaking into it, and how they move on."
When asked whether there were any plans to open a hacking school, Faiz said, "We will be coming up with in-depth information security training sessions. They will be detailed sessions of longer duration with hands-on experience."

"Currently, people do not have options to go through in-depth, technology-based, information security training. Rather, they get to attend vendor-based training which focuses on the product. Such training would give them an opportunity to learn about the latest information security technologies, selecting the right solution, and then implementing them. I wouldn't mind calling it an information security school."

About the future plans, he said, "There is still a long way to go and we have very exciting plans. We want to arrange for briefings, trainings, competitions, and geek parties separately while on our way to Pak Con 2005. In addition, we plan to hold Pak Con in Lahore as well as in Islamabad."

Faiz added, "We have made it a point to keep our efforts free from all kinds of restrictions and intimidation. We do not want anything to dampen our spirits and constrain our tasks. This is the reason why we have established ourselves as a neutral and nonprofit organization. We do not want to market our products; instead we want to deal exclusively in bringing into public eye the issues related to information security and create awareness among the IT community as well as the masses."

Of course, the convention wasn't just about computing -- a PGP key signing party and a geek party with traditional beverages and the shrill sounds of Karachi's underground heavy metal bands rocked the hotel till late.

LANGUAGE: English