2017 Wrapup

This year marks the end of SecuringHardware.com’s 5th successful year in business. Looking back, however, the definition of ‘success’ has improved significantly every year for the past 5.

1 New class

I’ve developed a new class every year since starting out:

  • 2013: Sidechannels for Hardware N00Bz and WTFPGA short workshops
  • 2014: Software Exploitation via Hardware Exploits (deprecated in 2016)
  • 2015: Applied Physical Attacks on x86 Systems
  • 2016: Applied Physical Attacks on Embedded Systems
  • 2017: Applied Physical Attacks and Hardware Pentesting

The Hardware Pentesting class was the first one I built entirely to meet the requests of attendees of my previous classes. The topics that I glossed over but shouldn’t have, the followup questions people had after trying to apply techniques on their own, and the questions on challenges with no obvious starting point are covered in the class.

The pilot class happened in May, 2017, and there have been 2 public and 2 private instances of the class, so the content is tried and tested (and also revised with lots of constructive feedback).

In addition to continuous revision and updates to existing classes, 2018 will likely see 2 new classes, but both will be collaborations, and none of the existing Applied Physical Attacks classes are going away soon.

3 Events Organized

In past years, I’ve mostly done training at conferences or on-site. Since taking over organizing BSidesPDX for the past few years, I’ve built up my confidence in event organization. In 2017, I organized a pilot course for the Hardware Pentesting class at Widmer Brewery in Portland, acted as the event coordinator for BSides PDX for the third consecutive year, and launched HardwareSecurity.Training with a large training event in San Francisco.

HardwareSecurity.Training is an idea I’d been dwelling on for 5 years, and thanks to Dmitry Nedospasov’s persistence, I finally got my act together to make it happen this year. The logistics all worked out better than we expected for a first-time event, and we were happy enough that we’re planning two more events in spring 2018.

8 Talks at Conferences

There’s always a dilemma about whether it’s better to repeat a really good presentation, or only present new research once before moving to a new project. In 2018 my strategy was to develop about 3 hours of content on a topic, then tailor the individual 50 minute presentations to the target audience. Each delivery had some overlap, some unique information, and I usually knew when there was overlap in attendees. Most of my presentations centered around spoofing and counterfeiting hardware security devices, but spanned the range from fun how-tos to high level implications for threat modeling and product design.

Not included in the 8 was probably the best presentation I delivered all year, a completely unscripted late-evening open-mic “44 infosec rants in 44 minutes for 44 people at 44CON”.

20 classes or workshops

My personal goal is to deliver about 1 public or private class per month. Of course, timing never works exactly that way, it’s always worthwhile to double up travel, and I still do my best to make sure I offer free or low cost short workshops so people who don’t have training budgets can get started hacking on embedded hardware.

400+ unique students

Every time I realize I’m running short on business cards, challenge coins, or stickers, I feel like I went through them quicker than expected. Tallying up all my 2017 workshops and classes, I managed to get over 400 people’s hands dirty with hardware. A disproportionate number of them were in free/low cost workshops where I have had up to 50 attendees at a time vs. the 24 max in a full length class, but either way, I hope that I’m making an impact on hardware security.

Looking forward to 2018

Once a few events open their training registrations, I’ll follow up with what’s new for 2018, including additional HardwareSecurity.Training events, new classes, and changes to the equipment and tools that I use for my existing classes.

Stay tuned!

-joe


Written by Joe FitzPatrick

Joe (@securelyfitz) is an Instructor and Researcher at SecuringHardware.com. Joe has spent over a decade working on low-level silicon debug, security validation, and penetration testing of CPUs, SoCs, and microcontrollers. He has spent the past 5 years developing and leading hardware security-related training, instructing hundreds of security researchers, pen-testers, and hardware validators worldwide. When not teaching classes on applied physical attacks, Joe is busy developing new course content or working on contributions to the NSA Playset and other misdirected hardware projects, which he regularly presents at all sorts of fun conferences.
