Saturday, December 4, 2010


'Malcon' is the name of the first-ever malware conference, which was held in Mumbai in Dec 2010. I was very excited when I heard about this conference and immediately decided to attend it. The number of people who showed up for this conference was beyond my expectation and surprised me a lot; though it can in no way be compared with the crowd I've seen at DefCon, as a newcomer it was a great success. The audience was a mix of students, security pros, government officials, teachers, cops and maybe the real bad guys too. There were a couple of pre-conference workshops, of which I attended the malware analysis one by Atul Alex. It was good to hear all the low-level stuff like assembly instructions, opcodes, interrupts etc. and see a demonstration of writing malware.

Atul Alex also presented a paper at the conference about taking over control of Symbian phones, which was an eye-opener. The other presentations were also quite good, and so was the panel discussion at the end of the conference. One of the panelists was Alok Vijayant, Director, NTRO, who has been backing the organizers of most of the security conferences and encouraging the young Indian hackers. He believes that having the best protection is just not enough and that we also need to have the capability to attack back. The conference has done a good job of making people aware of malware capabilities and how malware is created, but there is also a threat of people getting the wrong message or misusing their skills. It is actually debatable whether such conferences will help the nation by spreading awareness and building better skills, or will create more malware, making it difficult for the entire world to cope with. Well, I would hope for the better, but it will have some kind of side effects too.

During the panel discussion, a teacher stood up and said that now she can give a green signal to her students to GO AND HACK, though the panelists explained to her the right way to go about it. There was another interesting question about reporting a vulnerability on some government website: if someone finds a vulnerability on a website, that means he might be trying to attack the site or must have done something which he was not supposed to be doing; in that case, will he be arrested for the misconduct or rewarded for reporting the bug? An example of the EVM machines was given by the participant. Taking the case of downloading data using SQL injection, which was mentioned by the participant, the panelist answered that if he downloads the data then he is at fault, so he can just report the SQL injection vulnerability. This seemed perfectly fine to me while I was there, but then I thought: if he was testing a DoS attack, it can be detected only if there is actually a denial of some service, unlike SQL injection, where an alert message will prove that the vulnerability exists. What will happen in that case?

Well, to end this note, I would just say Malcon was great; I enjoyed being there and I hope we see it happening every year and always growing. I also hope that the government always supports such events and that Alok is always part of it.

2 comments:

Sarvesh Singh said...

nice dude u r lucky coz u attend this session.....
i dint know abt this seminar......
juz feel so unlucky........
and thanx to share ur xperience with that seminar.......

Unknown said...

Hey Mr.Kishin..
Can u tell me where are the centres of K-secure Institute in Mumbai..?
I m interested in doing IT Security & Ethical Hacking..