Vegas, the week after…

So I’ve returned from Blackhat & Defcon 2012, and I’ve had a week to let it all sink in. I met more people than I can recall, and most of the people on my “must meet” list. I came away with some good and some bad things from the trip, including the city, sites, and people I interacted with.

The trip started off pretty tame, made it to Vegas, deplaned, and noticed that there were slot machines in the airport. Not unexpected, but what was unexpected was the long lines I was to encounter for most of my trip. After I left the baggage claim, there were lines for cabs, lines to check in the hotel, lines for lines. It was crazy. Being someone that doesn’t do well in crushing amounts of people, I was a little unnerved. I headed to Blackhat and my first time in Vegas, first time at a major conference, after the keynote speech ended, there was a mass of people trying to get to their next talk/meeting/vendor discussion. It took me a few days (read: until Defcon) to realize that unless you *really* have to see some talk, if you don’t make it, you don’t. Hallway con is definitely worth it as an alternate. You get to meet quite a few interesting people, and make some connections that continue via social media after the conference. Defcon was definitely a better time for me. I felt more relaxed, I didn’t feel like I was going to wander into the wrong area, and could just soak in the¬†atmosphere.

Another thing that shocked this kid from the South-side of Chicago is the prices for everything. My company put me in the Bellagio for the week, and the food and drinks they had were through the roof! I’m used to hitting the local McD’s if I need breakfast. I went to the local Cafe there, and I could have eaten fast-food breakfast for a week on the cost of one meal. I finally did find some lesser expensive things to eat, but it was a shock to the system.

The big thing that I would tell to someone going to Blackhat, Defcon, or BsidesLV for the first time though, is meet people. I finally got to meet some of the big names in our infosec community and they are an amazing group of people. They were extremely helpful, and even just sitting and talking with them gives you a sense that our industry is heading in the right direction. I won’t name everyone that I was impressed by because there are too many, but the thing that I was most thankful for, was that I didn’t meet any “rockstars”. Everyone was willing to take the time and say “hi, glad you made it”, talk for a few minutes, etc. Even those people who were working at one of the conferences were friendly and approachable. I love this industry and hope to be working in it until someone kicks me out ūüôā

Sexism & Harassment

Not sure why I’m writing this, other than to give my own opinion. A few things were said today regarding sexism and sexual¬†harassment¬†in the conference arena, and while I agree with most of the items mentioned one of the links provided in the stream stated that telling someone that they are attractive (or not attractive) was offensive. While I can see the assault, rude comments, unwelcome advances, and the like as something that should be dealt with, I felt this went too far.

Regardless of where you are, be it work, school, the mall, the bar, a conference, or walking down the street, you are in public. If someone finds you attractive, and pays you a polite compliment (for example: “You are very attractive and I’d like to get to know you”), you can politely thank them and say you’re either interested or not. At that point they know where they stand. If you automatically take offense to the first thing they say, and were to berate them for having that opinion of you, I feel that would be out of line.

While you’re entitled to your own opinion, and you may not be attracted to that person, they are a person as well, and deserve the same respect that you would like them to afford to you. If they do not approach you and pay you that compliment, a connection could be lost. I believe that while respect must be adhered to, the “time and place” is irrelevant in most times (yes I know, hitting on people is sometimes tacky, see funeral, divorce court, etc.).

What should be adhered to at all times is respect. If you respect the person you are speaking to, they should respect you back. You can think of how you would want someone to talk to your son/daughter/sister/brother/mother/father and if they are showing that level of respect, respond accordingly. If not and you want to slap them senseless, that’s on you.

Is it really OK to say ‘No’?

*EDIT* The person who started the term¬†“our job is to see the iceberg, not steer the ship.” was @randomuserid on July 10th. Thanks to him for allowing me to attribute the quote to him. *EDIT*

As information security professionals we often get the stigma of being “the department of no”. We tend to rain on everyone’s parade who doesn’t take a second and think “huh…you mean validating input would be a good idea?” We’re the ones trying to make sure that the rest of the IT departments are looking at potential attack surfaces, and always being the road block can wear on your psyche. You start to feel bad saying no so often and want to say yes. You feel that if you don’t, you’ll start to lose respect and people will stop bringing ideas and projects to your group for review. So you start saying “Ok…but what if you add this” or “Have you considered this?”

This works for a while. People see you as an enabler and a business partner. You are the one that can make sure that their app/project/program is successful, as well as reduce the risk. You’re finally in a Win-Win, right? But what happens when you *have* to say no? Where are you left when there is no choice but to say “Really….No. You can’t put your application with the un-encrypted customer payment database out on the internet as world-readable. I don’t really care how much time/money you saved by doing it that way.” (I hope no one has ever had to have that conversation in real life)

We all know it’s a business decision on what risk to accept and what to mitigate or transfer. Sometimes you need to step back and say “Ok, it’s your deal but we warned you.” Other times you need to stand in front of that bus and get run over. When you have to do each is a personal decision and can include regulatory requirements, your personal feelings or even your professional reputation.

I wish I knew who tweeted it first, but someone in my stream the other day said something akin to “It’s our job to see the iceberg, not steer the ship”. I believe this is how we need to see things. Our job isn’t to run the business or set direction, our job is to tell the ones at the helm that building a boat out of tin foil¬†is a bad idea.

I think we need to change the sign on the door from “Department of No.” to “How does this affect our risk-posture?” and realize even then sometimes you need to say “Just…No.”

Is privacy worth the loss of opportunity?

As information security professionals we have to admit that our industry is a hot¬†commodity¬†right now. Everyone knows someone who is or was recently looking for a new job, or who is at least weighing their options. Living in this hyper-connected world, we know people all across the globe who work in our field. What we don’t always know is who is actually looking versus who is looking behind the scenes.

Privacy is a huge issue to most of us in the infosec community. We are always discussing it, preaching¬†it, or trying to protect it. Where this hits home though is when you’re¬†contemplating¬†making a career move. You want the industry to know that you’re considering your choices, but you don’t want “the wrong people” to know (read: your current employer). There are many reasons to review the job market. A main one would be that you want to know what you’re worth. You want to know that you’re being paid fairly for the job you’re doing. A sensible employer knows this, and shouldn’t fault you for it. If you’re doing it on company time, that’s a different story, but posting discussions on job boards and discussing with friends in the industry is just talk.

The issue of privacy comes into play when you’re using social media. If you use Twitter or Facebook, and any of your coworkers or employers follow you, they may see this as you trying to find a new job. You may be looking for a new job, or you may just be gathering market data for your next review. This is where you may strike a balance between “Do I put myself out there, or leave less to explain at work?” While this is a personal decision that many of us make, I would consider one question if you are looking to make a move: Is the privacy you covet worth losing the opportunity you may find?

You could do the networking thing. You could find out that a friend of a friend of a next-door neighbor had heard of a job…but if you post your resume, network, and let everyone know that you’re curious, I believe you’ll have more opportunity to find that information or even that great job than if you try the whisper net. True, you may get the question at work of “So…I heard about your post…”, but if you don’t, you could lose out on a bigger raise or a job where you’re excited to go to work every day. Something to think about in this hot market we call Information Security careers.

Stupid users or stupid us? Yes.

Today while working I noticed that I was starting to drift into the “stupid users!” thoughts. What causes us to do this? Yes I understand that you may not know how to reboot your system, although the methods haven’t changed much in the last decade or so, but that’s not the point. We as IT Professionals can start to run down this path of “Well what do you mean you don’t know how to configure your local firewall!? It’s on your computer!” Many times we work inside of a larger organization who’s main business is something other than IT. You’re going to be dealing with people who are very smart in what they know. They may be someone who is a banker, or a doctor, or a lawyer. They are very good at determining what is going on in their profession. What they are not proficient at is knowing how configuration files should look, or how to write a batch script, or why when they go to a website all of the sudden you want to reload their computer.

All they know is that something inside the box you gave them is holding up their work. They want it fixed and they want it fixed now. You getting frustrated at them is not going to make them any happier. Now I don’t want anyone to get the wrong idea, because after working on the helpless desk for over five years I know that sometimes you can’t just keep taking the beating they’re giving to you. The idea is to get them working, off the phone, and out of your life as fast as possible. You may not know how to fight a court case, underwrite an insurance policy, or treat a patient, but they do. If you can work together and get the problem solved faster it’s going to go a lot easier on everyone.

Let’s all try to stop calling them “stupid users” and maybe they’ll stop calling us “stupid IT”.

Treading water in the sea of knowledge

So I had this thought last night watching a video from SecurityTube (which is now my new video hangout place) about burp proxy. SecurityMoey mentioned it to me, I’ve talked about it in my presentation at BsidesDetroit, I’ve said it to people, but I haven’t done it myself lately…


When you’re swimming, you can only power-stroke so long before you become exhausted. You need to get out of the water, dry off, sleep, eat, de-prune yourself, etc. You get to the point that you can spend forever in the water until the only thing you can do is float or tread. The same is true for learning. I would assume this is the reason for summer break for school kids. They need time where they can “just be”. You need time where you aren’t constantly learning. You need to let your brain idle for a bit so you can go back at it with renewed vigor.

I started to realize that I wasn’t taking my own advice. I needed to take a step back, and watch a movie, play a game, or just sit and have a conversation with my family. So while I ordered a few new books, and I updated all my tools to play with, I think tonight will be a no twitter, no computer, no tech evening.

Anyone seen my towel? It’s time to dry off for a bit.

BsidesDetroit – ConBlu, first try at presenting


I just got back from the BsidesDetroit trip and my first shot at giving a talk. I was wired for this trip for about a week before I went, worried about what would happen with me giving my first talk. Also, on the drive home I think I came down with “ConBlu”. Not the “ConFlu” ¬†sickness most people talk about when they go to a conference and shake hands/hug a lot of people. This is more of a slight letdown that you get when you have to leave after having the chance to hang out with people who really “get you”. The people who are as geeked out as you are when you “pop a box” for the first time. You start to wish for next year’s conference as you’re walking to your car to leave.

On to my first try at speaking. I hadn’t tried to give a presentation since sophomore year in college. While I haven’t had the chance to watch the video and see how I did, I did get plenty of feedback on my first try. Many people felt that the topic was definitely good, and something that needs to be addressed in Information Security. For those of you who haven’t followed me lately, I collaborated on a talk with Len Isham on “Infosec Flameout”. My angle on the issue was that I was burned out in my current job, but I was working myself even harder trying to change careers.

Len and I worked on the slides and content for a couple months prior to the event, but Len wasn’t happy with how his part was going, so he spent a day or two before the event completely re-doing his slides/talk. My portion was about my career, how I got burned out, and what I have tried to do about it. Len’s was about socially engineering your career after you decided where you wanted to go.

When we first started going through the talk via Skype , I hit about 13 minutes for my section. I wanted to be closer to 20 or so, leaving time for questions at the end of the hour. Len & my wife both said I needed to slow down because I was talking too fast. The second try through it, I got just over 19 minutes. I was happy with how I was pacing myself and I liked how much detail I was giving for the time-frame.

So we start our talk, and I was definitely speaking too fast. I was very nervous and realized it too late, ending up with only about 9.5 minutes after hitting my last slide. Len realized this as well as he got up to do his talk, and he was able to stretch it out so we hit about 35-40 minutes total for both of us. The great thing about the people attending (and our industry as a whole) is that people attending were willing to share their thoughts and what they did to stave off burnout. By the time we finished the discussions, it was about 7 minutes before the hour. It actually turned out great with how everyone chimed in.
With all that said, I definitely need to slow down if I’m going to present again. I had a couple people suggest that I submit to DerbyCon with just my portion. I would definitely have to expand on everything in my talk. Hindsight is always 20/20 they say, and I think I needed to do the slides a little different for next time, as well as give quite a bit more information on what caused my burnout at different times in my career and how I worked through them. I guess I’ll mull that over in my head a bit and think on it.

The conference itself was awesome. I loved the venue, it was well laid out, there was quite a bit to do in the conference center itself, as well as having the hotel right there. The different tracks in different rooms made it easy to have hallway-con, as well as two tracks, a teaching area, and a lock-pick village. I really loved the set-up and the Detroit team did a great job with putting it together.¬†The talks were awesome! The great thing about this industry is that people are willing to share their knowledge. I didn’t get to meet everyone I wanted to, and I didn’t get to see all the talks I wanted, but I got two classes in (Metasploit & Armitage), and saw quite a few really good talks.

The only issue I had with the con personally was with the hotels (Marriott & Courtyard by Marriott where I stayed). Both were very pricey and provided nothing I wanted for it. Breakfast for both hotels was extra, as was wi-fi in the Marriott. ¬†I have some ideas to take back to my work which I’m sure my boss is going to appreciate, and maybe I can get him to pay part of the hotel. I guess I’ll see how good my social engineering skills are ūüėČ