You can now find many of the presentations from PasswordsCon on May 15-16 here.
Author: Per Thorsheim
My presentation from PasswordsCon in Bergen, May 15, is now available as PDF.
Phone & wifi:
You cannot buy anonymous prepaid SIM cards in Norway, so you better arrive with a SIM that includes voice/data in Norway. There is free WIFI absolutely EVERYWHERE, so you will easily get online.
Navigation:
I’ll say it is rather easy to navigate around the city center, as it is fairly small and you just have to look out for a mountain top or two in order to figure out directions. I do however recommend using Google Maps and downloading a map of Bergen for offline use. That will save you some data and make navigation easier. Instructions: https://support.google.com/maps/answer/6291838?hl=en&co=GENIE.Platform%3DAndroid
Unfortunately publicly available toilets are not well marked, or a scarcity in the city center. For our constitution day on Wednesday May 17th, keep this in mind. However social engineering and politeness works in most places.
Payment:
debet/credit cards accepted pretty much everywhere. Most payment terminals will happily take Apple Pay and other solutions as well. We use contactless for small payments (<=USD 50), contactless + pin or chip+pin for bigger amounts. Nobody uses cash anymore – you might even find those who refuse to accept it as payment, even if they are required by law to accept cash. Everything is expensive in Norway, so be prepared for that. I like to tell visitors they’ll go bankrupt before they can get drunk. You’ve been warned.
Transportation from airport (Bergen airport Flesland) to city center, and back again:
You can use the airport bus to hotels in the city center: https://www.skyss.no/en/, or use the train (“bybane” as we call it here) to get to the absolute center of the city, or take a taxi (EXPENSIVE!). From the city center (“torgalmenningen”) I’ll say it is walking distance to all relevant hotels, plus our event location. That means <10 minutes walking. Send me info on which day, time & flight you’ll be arriving in Bergen, I just might show up at the airport with a big PASSWORDSCON sign to greet you, and offer free transportation to city center & your hotel. Expect 25-45 minutes from airport to city center. For international flights I recommend showing up at the airport at least 1 hour before your departure, that’ll leave you all the time needed to catch your flight home.
Water & weather:
Bergen city is a safe place for visitors. Water in shower and sink is clean and safe to drink. It rains a lot, and the weather can change very quickly. Umbrellas can be purchased almost everywhere because of that. Official weather forecast looks good right now (partially sunny, 16-19C): https://www.yr.no/en/forecast/daily-table/1-92416/Norway/Vestland/Bergen/Bergen.
Venue location & info:
https://goo.gl/maps/aZ6SNn4sxTU2Lux8A?coh=178573&entry=tt
Schedule, speaker bios & abstracts: https://passwordscon.org/passwordscon-2023-bergen/
Nøstegaten 58. Auditorium on ground floor, left side after entering hallway. Several tech companies have offices in the building, there is a cafeteria just opposite of the auditorium. Vegetarian burger place just across the street, and a grocery store 20-30 meters before you get to venue entrance. I’ll have some chargers, power adapters & powerbanks available for those in need. For speakers: HDMI preferred, but other display adapters are also available. Free wifi available. Coffee & tea, snacks & fruits will be available. Lunch will be at 12:30 monday & tuesday.
Monday afternoon we’ll bring in pizza, beer & other beverages for lightning talks, challenges, surveys and more.
Tuesday evening for locals are either for watching football at the local stadium or staying at home with family preparing suits, dresses and kids for constitution day. Depending on the weather a lot of people will also be out at restaurants and bars this evening.
Meetups & things to see:
For people arriving friday, saturday or sunday, I’m ready for meetups & a bit of local guidance around the city center, including up on top of mount Fløien (https://www.floyen.no/en) & mount Ulriken (https://ulriken643.no/en/). I consider them close to mandatory to visit, but there are tons of options in and around the city: https://en.visitbergen.com/. I’ll be around on Friday 19 as well, if you’re still here and want company (& talk passwords along the way obviously!)
IF you are keen on a challenge, like to stay fit and enjoy having a pulse above impossible levels for 10-30 minutes, I can highly recommend https://en.visitbergen.com/things-to-do/stoltzekleiven-p1529323. Estimate approximately <3 hours if you want to walk to the starting point, walk/run up the path, walk further on to mount Fløien and down again. Absolutely beautiful trip, remember good shoes and fitness clothing!
Constitution day – May 17 – and then some!
https://en.visitbergen.com/whats-on/17th-may-norwegian-constitution-day-p827203
Experiencing this day here in Bergen – the best city in Norway – is an experience for a lifetime in my opinion. 😄
Bergen has lots and lots of traditions, and the city itself has history back to approximately 1070AD (https://en.wikipedia.org/wiki/Bergen). In fact St. Mary’s church (“Mariakirken”) is estimated to have been built in the period between 1140 and 1250, and is in regular use today as well. Our constitution day starts VERY early for morning birds, and since Thursday May 18th this year is public holiday (ascension day), expect people to party well into the night, with a quiet thursday morning. For those attending day 3 on Thursday 18th, we’ll start at 10:00, for good reasons…
I may have forgotten something here, but feel free to email or ping me on Signal/SMS at any time if you have any questions!
Best regards,
Per Thorsheim
On January 26 2023 I did a short talk at an event hosted by The Norwegian Society of Graduate Technical and Scientific Professionals (tekna.no) in Oslo, where I mentioned the very common advice “do not click on suspicious links in text messages”.
One challenge with this advice is that we get A LOT of of unexpected e-mails and text messages in our everyday life, with totally legitimate links that you HAVE to click, even if you didn’t directly or recently initiated a process to get them.
Another challenge is that you do not receive any information that as part of a process you will receive a text message with a link that you are supposed to click, for example a link to signing an agreement online.
A third challenge is that we simply lack a common & easy understanding of what constitutes a “suspicious link”.
So I went through all my received text messages from organizations in 2022, and I found a total of 78 senders. The vast majority from Norwegian organizations since I live in Norway, but also some foreign organizations, such as Twitter & Coinbase. 12 senders were numbers ranging from length 5 to 14, while 66 were different names such as Telenor, Gjensidige, KPMG and SAS. In these different text messages I received 4, 5, 6 og 7-digit OTP codes. Some sent me passwords, which were all VERY bad. Out of 20 senders of OTP codes, 3 stated in the message for low long it was valid, like 5 minutes.
Suspicious links
41 senders (of 78 total) had 1 or more links in the text messages I received from them. I chose to define a “suspicious link” as a link to a domain name that has no obvious relation to the sender, like using the bit.ly URL shortener, or using a name that has no natural connection with the sender. Based on that definition 16 senders had “suspicious links” in their text messages, and came from a wide range of different organizations, including Norwegian telecom giant Telenor. I have yet to examine if these organizations have publicly informed about their use of “suspicious links”, and how we as end users can verify the authenticity without clicking the link to see what happens next.
Spoofing test
I have also tested if it was possible to send spoofed text messages from all 78 senders. I have a subscription with Telenor myself, and with 78 senders, only 4 spoofed messages didn’t get through to my phone: 2 messages pretending to be a large bank, a large classifieds site and the Norwegian governments owned gambling company. All others could be spoofed, so that text messages sent using their number/name nicely appears inline with existing messages from the real organization. The Norwegian telecom operators have some capability to prevent such spoofing from happening, but it requires the organizations to contact the telcos and ask for “protection” for themselves. There’s also a sad irony of Telenor as a telecom provider allowing their own name “Telenor” to be spoofed, so their own customers can be tricked, thinking Telenor is the real sender.
The advice of not to click on suspicious links in text messages and e-mails make sense. However anyone who send out legitimate SMS text messages must first make sure they cannot easily be spoofed, or use links that can be considered suspicious.
Until that happens it is very easy to understand why people get tricked, and become victims of fraud.
I’ve created the playlist where you will find the talks from the PasswordsCon track at the Swedish Internet Days, kindly hosted by the Swedish Internet Foundation. A big thank you to @amelsec for her continued support as well!
You can find the playlist here.
My talk “How I hacked a bank using pen & paper” from our #PasswordsCon / Ground1234! track at BSides Las Vegas is now available on YouTube. The recording also has the live Q&A that we did after my talk. You can watch the talk here.
I’ve uploaded a PDF of my slides from the presentation I did for OWASP Copenhagen on May 20, 2021. You can get it here.
The livestream recording on YouTube is also available, but its just 720p unfortunately.
Yup, PasswordsCon is happening TWICE this year. Fully online as a track with BSidesLV on July 31 – August 1, and as a track at the Swedish Internet Days on November 22-23 (physical and/or online only TBA). CFP is available here.