From Wikipedia, the free encyclopedia
Jump to: navigation, search

Kiwicon is an all-ages computer security conference (Hacker con) organised by members of the computer security community of New Zealand, held in Wellington annually since 2007.

Kiwicon provides a venue for hackers and computer security professionals as well as other interested parties to get together and share knowledge, war stories, and beer. In the spirits of H.O.P.E. and DEF CON, Kiwicon intends to bring together the best and brightest from academia, the computer security industry, the hacker underground, those who manage critical infrastructure and law enforcement.

The conference format allows for talks, informal discussions, socialising, key signing parties and competitions. Talks are of various lengths on a wide range of subjects, usually including a wide range of modern exploit techniques, security philosophy, New Zealand hacker history, related New Zealand law, and a few talks on more esoteric topics.

Past Conferences[edit]

The first Kiwicon was held during the weekend of 17–18 November 2007 at Victoria University of Wellington. Approximately 200 people from the New Zealand security community (and elsewhere) attended the two-day event. Talk topics included: the psychology of user security errors, information warfare, hiding files in RAM, cracking PlayStation, and attacks on: kiosks, telecommunications company ethernet, and non-IP networks.

Kiwicon 2k8 was held on the 27th and 28 September, once again at Victoria University of Wellington, with an attendance of over 250 people. A broader range of attendees arrived, with presale tickets selling out before the doors opened. Attendees were greeted with an array of video phone captures proving the insecurity of video conferencing systems. Topics included: mass surveillance, using honeypots to detect malicious servers, physical security, using search engine optimization to make websites disappear from search results, Bluetooth surveillance, Internet probe counterattacking, speed hacking, and attacks on: wired and mobile phone systems, biometrics, Citrix XenApp, and Windows Vista via heap exploitation.

Kiwicon 2k9 was held during the weekend of 28th-29 November 2009 at Victoria University of Wellington for the third year running. The event sold out with an attendance of over 350 people. Some talk topics were: professional vulnerability research, identifying online identities using Bayesian inference, social engineering, radio sniffing, defending against denial-of-service attacks, Linux rootkits, an introduction to the New Zealand Internet Task Force, and attacks on: physical access control systems, GPS, smart cards, shared hosting platforms, ActiveSync, iOS App Store, pagers, wireless routers, and scientific software.

Kiwicon IV was once again held on the weekend of 27th-28 November 2010 at Victoria University of Wellington, and sold out even earlier than in 2009. The title was a play on the term Four Horsemen of the Infocalypse. Some talk topics included: a survey of unpatched devices connected to the internet, fast data erasure, urban exploration, web scraping, wardriving with Arduino, New Zealand's proposed Search and Surveillance Act, and attacks on: RFID tags, Internet exchange points, Amazon Kindle, Microsoft Office and Java serialization.

For its fifth year, Kiwicon took place on 5th and 6 November 2011, at a much larger venue, the Wellington Opera House. The slogans "It Goes b00m" and "Shellcode, treason and plot", and the date of the event reference Guy Fawkes and the Gunpowder Plot. Among the talk topics were: an example attack on a film studio, policing hacking from organized crime gangs, operational security, "cyberwarfare", New Zealand's new file-sharing law, automated memory corruption exploitation, Mac OS rootkitting, and attacks on: NFC transactions, iPhones, Android, and garage door openers.

Kiwicon 6 was on the 17th and 18 November 2012, again at the Wellington Opera House. Talk topics included: hacktivist communities, measuring security, security lifecycle, one-time audio passwords, Bluetooth sniffing, biohacking,[1] phishing, stealth web application reconnaissance, remote wiping smartphones connecting to Exchange,[2] a social network monitoring tool, and a wardriving motorcycle. In reference to a joke from the previous year, a homebrew beer labelled "cyberwar" was given to volunteers and sold at the afterparty.


Kiwicon hosts hacking competitions. Every second year is Tokémon, where hackers race against each other to exploit as many vulnerabilities as possible in the target systems. The first Tokémon was in 2008, with Tokémon 2 for Kiwicon IV in 2010. Kiwicon 2k9 saw the "Skid wars" event take place on the Saturday evening; with ~16 entrants hacking into virtual machines that been set up with known vulnerabilities left unpatched, using of script kiddy tools (hence the name). Kiwicon V involved a combined simulated attack on a power company called Operation Lights Out. Operation Lights Out 2011 was ultimately won by team "Sasha Grey" comprising Tui Kapo, Andy Railton, and Chris McKoy.


The first year that Kiwicon was run, a tradition of advertising the conference through Cross Site Scripting attacks on high profile sites was started. Usually these are not reported in mainstream press.

On August 29, 2007, persons associated with Kiwicon spoofed the NZ Herald website with a simple XSS attack. No actual pages on the server were altered. This event was reported on the rival newspaper site

Media coverage[edit]

Beau Butler (Oddy)'s wpad talk garnered extensive media coverage due to its public disclosure of a years-old supposedly fixed security flaw in major browsers and operating systems:

Nick Breese's Crackstation talk on PlayStation 3 password cracking also generated extensive media coverage:

Ben Hawkes talks Vista heap exploitation

William Turner identifies home detention bracelet fault

General Media

References (media coverage)[edit]

  1. ^ Darren Pauli (20 November 2012). "Biohacking: Why is my kitten glowing?". SC Magazine. Retrieved 31 January 2013. 
  2. ^ Darren Pauli (19 November 2012). "Pwning Androids, iPhones with Exchange". SC Magazine. Retrieved 31 January 2013. 

External links[edit]