ID Cyber Solutions Conference Report—SteelCon 2024
Attending conferences is a crucial way our staff can keep up to date with cutting-edge research, be introduced to important new ideas and perspectives, and help inspire and support the next generation of cyber security professionals. Our ID Cyber Solutions Conference Report series aims to showcase some exciting and groundbreaking ideas presented at these events.
Report by Alice McGready, Cyber Essentials Assessor and Technical Editor
July has always stood out for me in the cyber security conference year, because it’s when SteelCon—one of the events that really helped me decide to move into the industry—is held.
This year, it took place from July 19th ‘til July 21st, with the main event taking place on Saturday 20th. We travelled down to Sheffield on the Friday (grimacing slightly at the traffic but enjoying the sunshine) and arrived in time for networking at a nearby pub, taking the opportunity to meet others in the industry and catch up with those we hadn’t seen since the previous event.
On Saturday morning, we arrived at Sheffield Hallam University and were quickly greeted by… a couple of hundred people carrying board games and wearing ’80s wigs? After some mild bemusement and presenting our QR codes to the registration desk, we likewise joined the board game-carrying, wig-wearing crowd and started digging through the conference swag bag: cassette tapes and sweat bands alongside the usual programme and snacks. Confirmed: the theme of this year’s conference was the 1980s.
Another general theme at SteelCon, as at many other cyber security events, is that of community and charity. This theme would be present throughout the day with the sticker stall and auction, which would be raising money for The Children’s Hospital Charity.
The board games, prominent because their bulk meant they didn’t fit in the swag bags, were part of an awesome SteelCon initiative that they also pursued in 2023 (I’m not sure if longer-standing). In 2023, the organisers went to a local charity shop and asked for 400 random books, which were then distributed to attendees. And when I say random, I mean I know of attendees who received a book on theoretical models in nursing, a book on Martin Luther, a crime novel, a book on baby-led weaning, a school study guide, etc. Attendees were encouraged to chat with fellow attendees, compare the books they’d received, and negotiate swaps if they so desired. Any unwanted books were returned to the organisers and donated back to the charity shop so they could sell them for a second time. The same applied this year to the games, which is why I started out with a card game and left with Kerplunk.
After the opening remarks, I spent a little time exploring the sponsor stands before making my way to ‘Social Engineering 101—Part Deux’ by Chris Pritchard. This was a direct follow-up to a talk he’d given at SteelCon in 2018, though I didn’t see this at the time; my first SteelCon was 2022, when I saw Chris highlight the social engineering tactics used as suspected Mossad agents infiltrated a hotel room. Based on how much I’d enjoyed that talk, I knew this would be good!
Early on, Chris introduced Miller’s Law, which essentially says that the average human can maintain seven (plus or minus two) pieces of short-term information, and pointed out that this is really helpful on social engineering engagements. As an example, he described how he’d noticed the style at a particular company was for employees to load up their badges with trinkets (e.g., USB sticks, tokens); when creating his fake badge, he therefore prioritised the trinkets, knowing that Miller’s Law would mean they would be the focus during security checks. He showed us a photo of the resulting badge, laden with trinkets, that led to a successful infiltration: the badge itself was entirely blank.
Chris also gave some general insights on successful badge creation, keeping Miller’s Law in mind, highlighting how sometimes people take photos of their badges on their last day at a company—‘just handing this in!’—and post them on LinkedIn, giving an easy overview of the company’s badge design, and how marketing teams often publish colours with the exact hex/RGB values on the company website.
After some more insights and stories about social engineering engagements, he summarised that these skills aren’t natural but are learnable, social engineers need to present a state of confidence, and they should always be prepared for surprises. It was certainly no surprise to me that I thoroughly enjoyed this talk, both the content and Chris’s entertaining presentation style!
The next talk I attended was ‘The Code Compilation Process’ by Tom Blue. I’ve known Tom personally for a while but hadn’t seen any of his presentations until now—I was delighted to discover that his infectious passion shines through in his talks. This talk presented an overview of the code compiler pipeline, from lexing through to code generation, and, as an inexperienced coder, I will readily admit that I came into this talk purely intending to support a friend, but I very quickly realised I was getting a lot out of it.
Not only did Tom break down the compiler steps in a very clear and understandable way, but since “parsing applies to natural language too,” he also drew attention to the connections between code compilation and grammar—an obvious attraction for this ex-linguist! It really helped me gain deeper understanding from his presentation overall. Finally, he covered some security aspects relating to compilers, including how malicious modifications can easily propagate and benign code can be made malicious through a compiler. I genuinely learned a lot from this talk, thank you Tom!
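To make the pipeline Tom walked through concrete, here is a small added illustration of the stages in Python: lexing the character stream into tokens, parsing the tokens into a syntax tree with operator precedence, generating instructions for a simple stack machine, and running them. This is my own toy example for integer arithmetic with `+ - * /` and parentheses, not code from Tom’s talk, and the instruction names (`PUSH`, `ADD`, `SUB`, `MUL`, `DIV`) are just the ones I chose. Each stage produces an inspectable artefact, which is also why an unexpected change in what a compiler emits is something you can check for rather than take on trust.

```python
"""Toy compiler pipeline: lexer -> parser -> code generator -> stack VM.

Added illustration of the compilation stages, not code from the talk.
Supports integer arithmetic with + - * / and parentheses.
"""
from dataclasses import dataclass
from typing import List, Union


@dataclass
class Token:
    kind: str      # "NUM", "OP" or "EOF"
    value: object  # int for NUM, single-character str for OP, None for EOF


def lex(src: str) -> List[Token]:
    """Lexing: turn the raw character stream into a flat list of tokens."""
    tokens: List[Token] = []
    i = 0
    while i < len(src):
        ch = src[i]
        if ch.isspace():
            i += 1
        elif ch.isdigit():
            j = i
            while j < len(src) and src[j].isdigit():
                j += 1
            tokens.append(Token("NUM", int(src[i:j])))
            i = j
        elif ch in "+-*/()":
            tokens.append(Token("OP", ch))
            i += 1
        else:
            raise SyntaxError(f"unexpected character {ch!r} at offset {i}")
    tokens.append(Token("EOF", None))
    return tokens


@dataclass
class Num:
    value: int


@dataclass
class BinOp:
    op: str
    left: "Node"
    right: "Node"


Node = Union[Num, BinOp]


class Parser:
    """Parsing: recursive descent, giving * and / higher precedence than + and -."""

    def __init__(self, tokens: List[Token]):
        self.tokens = tokens
        self.pos = 0

    def peek(self) -> Token:
        return self.tokens[self.pos]

    def advance(self) -> Token:
        tok = self.tokens[self.pos]
        self.pos += 1
        return tok

    def parse(self) -> Node:
        node = self.expr()
        if self.peek().kind != "EOF":
            raise SyntaxError(f"unexpected token {self.peek()}")
        return node

    def expr(self) -> Node:              # expr := term (('+'|'-') term)*
        node = self.term()
        while self.peek().kind == "OP" and self.peek().value in "+-":
            op = self.advance().value
            node = BinOp(op, node, self.term())
        return node

    def term(self) -> Node:              # term := factor (('*'|'/') factor)*
        node = self.factor()
        while self.peek().kind == "OP" and self.peek().value in "*/":
            op = self.advance().value
            node = BinOp(op, node, self.factor())
        return node

    def factor(self) -> Node:            # factor := NUM | '(' expr ')'
        tok = self.advance()
        if tok.kind == "NUM":
            return Num(tok.value)
        if tok.kind == "OP" and tok.value == "(":
            node = self.expr()
            if self.advance().value != ")":
                raise SyntaxError("expected ')'")
            return node
        raise SyntaxError(f"unexpected token {tok}")


OPCODES = {"+": "ADD", "-": "SUB", "*": "MUL", "/": "DIV"}


def codegen(node: Node, out=None) -> list:
    """Code generation: walk the tree and emit (opcode, operand) pairs for a stack machine."""
    if out is None:
        out = []
    if isinstance(node, Num):
        out.append(("PUSH", node.value))
    else:
        codegen(node.left, out)
        codegen(node.right, out)
        out.append((OPCODES[node.op], None))
    return out


def run(code: list) -> int:
    """Execute the generated stack-machine code (integer division for DIV)."""
    stack: List[int] = []
    for op, arg in code:
        if op == "PUSH":
            stack.append(arg)
            continue
        b, a = stack.pop(), stack.pop()
        stack.append({"ADD": a + b, "SUB": a - b, "MUL": a * b, "DIV": a // b}[op])
    return stack[0]


def compile_and_run(src: str) -> int:
    """Whole pipeline: source text -> tokens -> tree -> code -> result."""
    return run(codegen(Parser(lex(src)).parse()))


if __name__ == "__main__":
    print(codegen(Parser(lex("1 + 2 * 3")).parse()))  # the emitted instructions
    print(compile_and_run("1 + 2 * 3"))
```

Printing the output of `lex`, `Parser(...).parse()` and `codegen` separately shows the same expression at each stage of the pipeline; comparing the emitted instruction list against what you expect is the simplest form of the "do I trust what this compiler produced?" check the talk alluded to.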
Next up was an absolutely fantastic talk by James Bore on ‘Doing Due Diligence’. This is currently embargoed and we were asked not to publicise the content, but I heartily recommend checking it out when the recording is eventually released. I’ve seen James speak several times now—the quality is always top-notch but this was, in my opinion, one of his best.
Because of the embargo, the only photo I took was of Steve who was working AV for this session.
The final talk I saw was by Maya Boeckh: ‘post-startup (security) growing pains: “Hi, It’s me, I’m the risk”’. I’ve seen Maya speak before but on very different topics, with their SteelCon 2023 talk focusing on a language based on JavaScript that uses only six characters. The real similarity between all of Maya’s talks is that they only talk about things that they have a real genuine passion and interest in, and this one was no different.
This talk drew on Maya’s comprehensive experience of working in and with start-ups to offer insights on security aspects that are commonly deprioritised in the early stages of building a business, and the challenges surrounding these. For example, they spoke about start-ups where staff end up using their own devices which are not managed or overseen by the company at all, and the resulting issues this can cause. Unfortunately this talk had to start late due to some technical issues, which meant there was no time for a Q&A before everyone made their way to the conference closing remarks—I think there could have been a very worthwhile discussion had there been more time!
At the conference closing remarks, most of the attendees (myself included) had removed their ’80s wigs due to the heat but the charitable nature of the event continued, with the announcement that almost £1,500 had been raised for the organisation’s chosen charity, The Children’s Hospital Charity. It was a fitting way to end such a community-focused conference.
Although there was an afterparty, we left after the closing remarks to make the trip back up to Glasgow (through wind and rain this time, rather than the glorious sunshine of Friday’s journey south!). Many thanks to the organisers, speakers, volunteers, and sponsors—I’m very much looking forward to next year!