Archive for the 'Social Networking' Category

Jul 28 2014

“Your cons are just an excuse to drink and party”

Published by under General,Humor,Social Networking

I’m sure we’ve all heard it before when trying to get approval to travel to conventions:  “This is just a boondoggle and you’re going to party the week away!”  Many people believe that the only thing that gets done at security conferences is that a lot of alcohol gets consumed and people get silly at night.  If you go by some of the things we talk about publicly, it’s no surprise that managers might believe that.  While there’s a little bit of truth in accusations, the reality is that there’s so much more going on at conferences that we don’t talk about.  

There’s obviously the talks.  While I personally only attend two or three talks a conference, I know people who spend their entire day running from talk to talk and wish they had time to see more.  There’s a lot of research being revealed at Security Summer Camp, some of which is being seen for the first time there.  It’s valuable to know what’s up and coming, what’s new and interesting and what the trends are in the security field.  The talks given at conferences are one way to find out about all of these.

A second reason to attend conferences is the contacts.  Having connections amongst your peers is easily as important as having knowledge about your field when it comes to a career in security.  There’s too much going on to know everything, there are times when you’re going to need help, so creating and cementing the relationships that will help you over the course of a career are fundamental to your success.  This happens in the hallway track between sessions, this happens during lunches and dinners and this happens even more during the parties at night.  Conferences provide a means to be social with like minded individuals that simply doesn’t exist in many other venues.

And finally there’s the break from the daily routine to de-stress and relax a little.  We need to get away from the daily routine from time to time, it’s a fact of life and why we have vacations.  Conferences provide a similar function, but in addition they give us an opportunity to gain new perspectives on our routine and exchange ideas with others that can be incredibly valuable in dealing with the problems in our normal work environment.  That shift of focus can make all the difference in the world in how you tackle a problem when you return to the routine.

So, yes, the conference parties are what a lot of people think of when they hear us asking to go to a conference.  But they’re only a small part of what’s going on at the conference and even they serve an important role as a social lubricant.  Of course, that’s assuming that you’re safe and sane when drinking and don’t do something that’s going to get you in deep trouble back at the office.  There’s always a few people who don’t know when to stop at every conference.  Don’t be ‘that guy’.

No responses yet

Jun 10 2014

If you don’t enter, you can’t win

Let me start by saying Nikita is brilliant and should be showered for accolades for coming up with this, presumably on the fly.

Let me give you some background.  Today was the day the letters about who’s talks were accepted for Defcon 22 came out.  Additionally, all the rejection letters for those not lucky (or well prepared enough) to be chosen to speak came out today.  I know my limitations, and as such, I haven’t submitted a talk to Defcon, other than being on panels and being part of the Defcon Comedy Jam in years past.  I also know I’m a smart ass and I jokingly asked Nikita on Twitter (@niki7a) “Can I get a #Defcon rejection letter?  Even though I never submitted anything.”  And here’s the reply I got.  As a coworker put it “So your talk on not submitting and regretting it was rejected because it wasn’t submitted and the rejection was song lyrics about not regretting your actions with a statement on why they regret rejecting your non-submitted non-submital? Meta.”

Martin,

The review board has reached a decision for your submission. Unfortunately, we will not be accepting your talk, “I didn’t bother to submit, and other regrets in the Hacker scene”, for DEF CON 22. If you submitted more than one paper, it may still be in review. Individual letters are sent out for each paper.

Every year, I have to write a bushel of rejection letters, and it’s never easy to shoot someone down who has put together a CFP. I really respect the effort each applicant puts into their work. The work you do, and the willingness to share your knowledge with the community is incredible, and I appreciate the fact you submitted with us. In a perfect world, every submission would be accepted and it’s contents shared with the community. Each talk has the potential to be the building blocks for a new idea, the solution to someone’s headache, the itch that needs scratching, or the salve for someone else’s.

In the end, I try to provide feedback for you so that when a talk is rejected you can get some sense of why and take that feedback to build a better paper. Hopefully, you can use it to submit it again to another conference, or again with us next year. Either way, Thank you again for the hard work. I’ve put together your feedback from the review board below.

———————————————
 We had to reject simply due to the fact that you didn’t submit. Maybe you will think about that next time. I mean seriously, like, what were you thinking?  I’d like to give you the following feedback as a way to help you understand this oversight on your part, perhaps my words will motivate you to improve your position for next year.

“And now, the end is here
And so I face the final curtain
My friend, I’ll say it clear
I’ll state my case, of which I’m certain
I’ve lived a life that’s full
I traveled each and ev’ry highway
And more, much more than this, I did it my way

Regrets, I’ve had a few
But then again, too few to mention
I did what I had to do and saw it through without exemption
I planned each charted course, each careful step along the byway
And more, much more than this, I did it my way

Yes, there were times, I’m sure you knew
When I bit off more than I could chew
But through it all, when there was doubt
I ate it up and spit it out
I faced it all and I stood tall and did it my way

I’ve loved, I’ve laughed and cried
I’ve had my fill, my share of losing
And now, as tears subside, I find it all so amusing
To think I did all that
And may I say, not in a shy way,
“Oh, no, oh, no, not me, I did it my way”

For what is a man, what has he got?
If not himself, then he has naught
To say the things he truly feels and not the words of one who kneels
The record shows I took the blows and did it my way!

[instrumental]

Yes, it was my way”

Thank you for your time, I can’t tell you how much I appreciate the opportunity you’ve given me to berate you over electronic medium, I can’t wait to see you at the show!

Please consider submitting or not submitting again in the future, and I hope that you enjoy DEF CON this year.

———————————————

Thanks,
Nikita Caine Kronenberg

There may be material here for a submission to Defcon 23.

No responses yet

Apr 06 2014

NSP Microcast – BSides London 2014

This afternoon I had a chance to talk to two of the main organizers of one of the biggest security events of the year, BSides London.  Paul Batson and Thomas Fisher have been working tirelessly (or maybe tiredly) for months to bring together all of the disparate elements required to make a conference come together.  And it’s no mean feat when the people you’re working with are all volunteers and the money comes from sponsors, both of whom believe in your cause.  This year will be my first chance to go to BSides London (this is the fourth) and I’m really looking forward to it.

-Martin

NSPMicrocast-BSidesLDN-2014
Time: 18:00

No responses yet

Mar 20 2014

European InfoSec Blogger Awards

Next month is Infosecurity Europe here in London, taking place from 29 April until 1 May, as well as BSides London on 29 April.  I’ve never had the chance to go to either event and I’m really looking forward to my first time.  Another event that’s happening alongside both of these is the European Security Bloggers Meetup at the Teck Pub (appropriately named place for our group).  Many people may not know it, but I’ve been one of the people organizing the RSA Security Bloggers Meetup from the very start and I’ve been the MC for almost every single one.  So I’m very excited to see how the event translates to London and the European community.  I know it won’t be the same event, which is why I want to go.  Brian Honan is hosting with a little help from Jack Daniel and Tenable Security, which pretty much guaruntees this will be a most interesting shindig.

One of the aspects of the Meetup since the second or third year has been the recognition of bloggers and podcasters by the security community, the Security Bloggers Awards.  As one of the organizers of the Security Bloggers Meetup, I’ve always held my blog and my podcast as being out of the running for any recognition in the RSA version of these awards. I didn’t want there to be any potential conflict of interest with the awards, so it was easier to opt out of the competition all together.  Some people might say it’s because I feared folks like the Security Weekly Podcast and Exotic Liability taking the awards even with my competition, but I’m going to stick with my story of conflict of interests.  

But a funny thing happened last year; I moved my family to London.  Which means I’m now a European blogger and podcaster.  And since I have absolutely nothing to do with the European Security Bloggers Meetup or the European Information Security Bloggers Awards, I feel free to compete and do my best as a transplant to take whatever awards I can wrest away from the natives!  It also helps that the only ‘competition’ here in the UK that I know of are the Eurotrash Security Podcast and Finux Tech Weekly. And I’m pretty sure you have to have actually posted within the last year and you can’t have any pictures of WickedClownUK in spandex.  Not just can’t have them on your site, you can’t even be in possession of them.  Since the ‘rules’ of this competition are … well, non-existant, if I can convince voters of these requirements, it helps my efforts.

So go vote for Rich, Zach and me as the hosts of the Network Security Podcasts for Best European Security Podcast of 2014!  Sure, I’m the only one of the three of us that actually lives in Europe.  Yes, I’m not really European, I’m an American transplant.  But none of that is nearly as important as not letting Chris John Riley win the award!  So vote early, vote often, and just vote for the Network Security Podcast!  Or at least go vote, since I’m not really all that attached to winning an award, truth be told.

Hmmm, vote for the Network Security Blog as the Best Personal Security Blog too while you’re there.  Maybe I do care about awards after all.

 

 

No responses yet

Jan 23 2014

But first, BSides…

I’m looking forward to this year’s pilgrimage to San Francisco.  Not that it’s ever been a pilgrimage before, since I lived 60 miles away, but now that I live near London, it’s a much longer trip.  I’ll be arriving in San Francisco a few days early for a couple of reasons.  The first is to visit my family and friends in the Bay Area, who I haven’t seen since I moved away.  The second reason is to attend BSides SF on Sunday and Monday.  Which, in many ways, is also a visit to friends I haven’t seen since moving.

Let’s assume for a second you’ve never attended a BSides event.  It’s community led, it’s free, and each one is unique.  BSides SF is being held in the DNA Lounge, which has been a fixture in San Francisco for as long as I can remember.  Think of a funky, grungy, dark underground bar.  Then add in a couple of hundred hackers, security devotees and a few people who happened to find their way into the event with little or no idea of what’s going on.  The talks range from first time speakers (something that’s strongly encouraged) to some of the best speakers in the realm who want to step outside the confines of a business conference to talk about things that aren’t quite politically correct.  Finally, add in a healthy dose of chaos and an even healthier sprinkling of community and you have some idea of what BSides is.  But unless you actually attend, my description is never going to be adequate to capture the true energy of the event.

I make no bones about it, for me conferences are about meeting the people there, not about the talks.  However, the talks at BSides tend to take a higher priority than they do elsewhere.  While some of the talks are a bit rougher than those at conferences you pay for, the fact that people are speaking with unfiltered passion more than makes up for it.  And a number of the talks simply couldn’t be given at a corporate event.  I’m looking forward to Morgan Marquis-Boire’s (aka @headhntr) talk, even though he hasn’t publicly stated what it’ll be about yet.  Morgan has worked on uncovering a number of government surveillance schemes around the globe, so anything he’s chosen to talk about has to be interesting.  Along the same lines, Christopher Soghoian’s talk about living in a post-Snowden world is a must for me, even though I often find myself disagreeing with with what Chris says publicly.  What can I say, privacy has always been a favorite topic of mine and has never been something that’s more in need of open, public discussion.

I’m also looking forward to seeing three of my friends on one panel, Jack Daniel, Wendy Nather and Javvad Malik discussing how to talk to an analyst, or rather how not to talk to an analyst.  Javvad gave an excellent PK (20 slides, 20 second per slide) talk at RSA EU covering all the horrible slides he sees again and again as an analyst.  The trio will be entertaining at the least, and I might even learn a little about talking to analysts myself.  Ping Yan’s talk on using intelligence looks interesting and has potential for my day job, so I’m going to try to find a seat for that talk as well.  And I have to support my podcast co-host Zach Lanier, even though I usually understand about half of what he’s presenting on any given occasion.

There are other interesting talks, if I can sit through the talks I’ve already mentioned, it’ll probably be the most I’ve seen at one conference in a long time.  I have a pretty short attention (Squirrel!) span, and I’d rather be talking with the presenters than simply listening to them passively.   I’ll have a mic and my Zoom H4, so it’s entirely possible I’ll be able to get a few of them to spend a few minutes doing exactly that.  Which means I can share the conversations with you as well.

 

No responses yet

Jan 06 2014

Still going to RSA

In the last couple of weeks Mikko Hyponnen from anti-virus company F-Secure announced that he won’t be speaking at the RSA Conference in San Francisco at the end of February.  His reasoning is that the company, RSA, colluded with the NSA for a fee of $10 million in order to get a weakened version of a random number generator included in the public standards, a move that makes the whole suite of encryption standards easier to crack.  As Mikko points out, RSA has not admitted to this accusation, but they haven’t denied it either.    So Mikko has pulled his talk and has publicly stated that as a foreigner, he doesn’t feel right supporting the conference.  I understand his sentiment, I see what he’s hoping to accomplish.  But I don’t think boycotting will do much, other than gain Mikko a little bit of attention short term and harm his reputation long term.

The first problem with boycotting the conference is that RSAC is, for all intents and purposes, a side company from the RSA corporation.  It has it’s own management structure, it’s own bottom line, it’s own profit and loss reporting.  And it’s only a small fraction of the overall revenue stream of the corporation. As such, any impact that boycotting the conference might have is going to be highly dilluted when it reaches the management of the central corporation.  Yes, at some point in a meeting it will be discussed that a speaker has withdrawn over NSA concerns, maybe even a dozen other speakers will join in a show of allegance.  But the conference organizers will simply pick from the dozens of alternative speakers of nearly equal capability and move on.  Senior management might lose two or three minutes of sleep that night, but nothing more.  And any impact that having a particular speaker boycott has can easily be written off as being from other, much larger changes that RSA is making to the conference lay out this year. 

The second problem I have is that while Mikko has stated he’ll be boycotting the RSA Conference, he’s said absolutely nothing about F-Secure boycotting.  As a vendor, I know that marketing departments have to commit to the conference at least a year in advance and I’ve heard that some commit to multi-year contracts in order to get better pricing.  The small booths at either end of the halls cost tens of thousands of dollars, while the big booths in the center of the floor cost the vendors several hundred thousand dollars when all is said and done.  If Mikko wanted to make a statement that would really be heard, he’d have F-Secure withdraw from the RSA Conference this year and for the next few years.  Except he can’t.  Any vendor that’s mid-size or larger in the security field has to be at the RSA conference.  In many cases, this conference is the keystone for the whole marketing effort of the year, and any talk of a boycott would be immediately quashed as an impossibility.  Quite frankly, if you’re a security vendor and you don’t have a presence at RSA, you’re not really a security vendor and everyone knows it.  

The third issue I have with the boycott has nothing to do with Mikko and is closely related to the vendor point; it’s become a popular meme since Mikko’s announcement for security professionals to say they’re going to boycott RSA as well.  I’ll be honest, I’ve never paid to go to RSA, I’ve always had a press pass, gone as a vendor, or gone as a speaker, more than once as all three at the same time.  But even if I was, the money I’d pay to go to RSA is still insignificant when you compare it to what the organization makes off of the sponsors.  It would take a huge number of attendees failing to show up in order to make an impact.  Given the growth rate of the converence over the last few years, it’s most likely that even a thousand people joining up in a boycott would simply lead to a flat growth rate at best.  Additionally, similar to vendors, most people who are attending and have their company pay for it have already purchased their tickets and a boycott at this point would be more detrimental to them than it could be to the RSA Conference.

If you think that NSA has been behaving badly and you really want to have an impact, go to the event and talk to people at the event.  If you’re a speaker, change your talk to include a slide or ten about what you believe RSA has done wrong.  You might be right or you might be wrong, but you’ll have a chance to tell your story to the several hundred people in your audience.  If you’re an attendee, go to the conference and talk to other attendees, tell them why you think the RSA Corporation has crossed the line and spread the word.  You gain almost nothing by throwing a temper tantrum and leaving the playground.  But if you attend, talk to people and raise awareness of the issues, you let others know that something isn’t right, something needs to be changed.

I wish Mikko the best, and maybe his boycott has raised awareness some.  But all the people who say “Me too!” aren’t going to have an impact.  They might feel better about themselves for a short period of time, but all their really doing is cutting themselves off from one of the biggest events in security.  It’s better to attend, be social and spread your opinions that opt out and leave your voice unheard.  I’m attending as a blogger, as a podcaster, as a speaker (panelist, really) and as a vendor.  It would have more impact on me and my career to boycott than it ever would to the RSA corporation.  

If you really want to send the RSA Corporation, quit buying their products and tell them why.  Now that’s a message they’ll hear loud and clear.

 

 

8 responses so far

Nov 21 2013

Had fun in Norway

I got invited to speak at the annual dinner of the Cloud Security Alliance in Oslo, Norway earlier this week and had a lot of fun at the event.  I always enjoy visiting cities I’d probably never see if not for my job.  Even more importantly, I love talking to people who are outside of the conference circuit and the echo chamber that is twitter.  It’s always interesting to see how these people see security differently than I do and differently than most of the people I hang around with (digitally, at least) do.  I appreciate the invitation Kai Roer (@kai_roer/kairoer.com) extended to me and I’m glad I went.

The other gentlemen who talked at the event was Mo Amin (http://www.infosecmo.blogspot.co.uk/) a London-based security professional who was giving what was only his second ever talk in front of a crowd.  There were some rough edges to his talk, but then again, there are enough rough edges to my own talks that you could grate cheese on them.  But Mo brought up some points about security awareness and training that many security teams need to be thinking about.  Specifically, he asked how many of us are teaching to a plan we developed in a vaccuum without understanding the needs of our audience or having talked to the people we’re trying to communicate with before hand.

It’s surprising (or maybe not) how many security training seminars are something that was developed by people who are more concerned with what the target “needs to know” as defined by the trainer.  We spend a lot of time developing the training based on what we believe our co-workers need to know to be secure, rather asking them what they’d like to know about and how they’d like to be taught it.  This is by no means true of all security teams, but it’s more prevalent than it should be and it’s thought of as ‘the right way to do things’ by many people.

Mo related a lot of his past experience from teaching English abroad to teaching security within a company.  And when you think about it, from the point of view of a lot of our co-workers outside of security, we really do speak a different language in our little club.  So maybe it’s worth taking some time out as you develop training to talk to your users in order to find out how they’d like to be taught. It might be interesting to see how that changes your effectiveness.

One response so far

Nov 07 2013

Congratulations to my friends at Twitter

Published by under Social Networking

It looks like the Twitter IPO went well, maybe even exceptionally well.  Now lets hope they don’t pull a Facebook and see their stock at 25% of it’s current value in 3 months.  

No responses yet

Nov 03 2013

Building the tools to spy on us

Even if folks like Google, Microsoft and Facebook weren’t mining every bit that flows across their networks, there’s a number of companies out there that are building the tools to let government agencies and law enforcement organizations to spy.  Companies like NICE, Bright Planet and 3i:Mind are probably just the tip of the iceberg when it comes to companies who see a profit to be made in the monitoring and spying space.  

I’m a bit torn when it comes to products like these that make it easy for LEO and other state actors to monitor the public.  On one hand, these are valuable tools for catching criminals.  On the other, they create a long term record of everything a protestor or dissident does, something that’s begging to be abused down the line.  And just because it’s not making national news doesn’t mean there aren’t already examples of exactly this sort of thing happening.  

I find Bright Planet’s product, BlueJay to be at least slightly amusing in that it’s basically just a Twitter search engine that looks for people who are stupid enough to tweet about the crimes they’ve committed or are planning to commit.  Why a police department couldn’t do something like this on the cheap I don’t know, but I hope that this isn’t that expensive of a product.

As long as there’s a way to make a buck from monitoring the public, someone will do it.  I’m sure there’s a lot of internal justification and arguments for these products that goes on, just as I’m sure that some of these companies know their products will be used and abused for purposes they weren’t meant for.  I’m just hoping that as the companies build the tools, they take in mind the need for checks and balances to track the usage of their tools and make catching the abusers possible.

No responses yet

Oct 24 2013

LinkedIn Outro

“I know!  Let’s build a man in the middle (MITM) attack into our iPhone app so that we can inject small bits of information into their email that show how useful our site and service are.  At the same time we’ll now have access to every piece of email our users send, and even if we only have the metadata, well, that’s good enough for the NSA and other national spying agencies, isn’t it?  Let’s do it!”

I have to imagine the thinking was nothing like that when LinkedIn decided to create Intro, but that’s basically what the decided to do anyway.  If you read the LinkedIn blog post, you can see that they knew that what they were doing is a MITM attack against your email, even if they are calling it a proxy.  They’ve broken the trusted, or semi-trusted, link between you and your IMAP provider in order to get access to your email so they could insert a piece of HTML code into each and every email you receive.  Additionally, they’ve figured out how to make it so that this code is executable directly in you’re email.

Basically, what LinkedIn is asking you to do is create a new profile that makes them the proxy for all your email.  This is similar to what you do for your corporate email when setting it up on a new phone, but rather than having something that’s finely tuned for that corporation, LinkedIn makes the new profile on the fly by probing your phone’s configuration and basing it on the settings it finds.  

I have a hard time believing that someone at LinkedIn didn’t wave a red flag when this was brought up.  You’re asking users to install a new profile making you their new trusted source for all email, you’re asking that they trust you with their configuration and you’re capturing, or at least having access to the stream of all authentication data for their email.  Didn’t anyone at LinkedIn see a problem with that?  I have to imagine there are plenty of corporate email administrators who’ll have a problem with it.

Given recent history and the revelations that metadata about a person’s communications, LinkedIn is  audacious to say the least.  They know what they have, or at least want to have: information similar to what Google and Facebook have about your daily contacts and habits.  This is a huge data mining operation for them, aimed at learning everything they can about their users and applying that to advertising.  But I think they have overreached in their their desire to have this information and are going to get shut down hard by Apple.  And this doesn’t even take into account the fact that they’ve already had data breaches and are being sued for reaching into consumers’ calendars and contact information.

I don’t think LinkedIn has been a good steward of the information they’ve had before, and there’s no way I’d install Intro onto one of my iDevices if I was a heavy user.  The fact is, I have an account that I mostly keep open out of habit and this is nearly enough to make me shut it down for good.  If I wanted my every move tracked, I’d just keep open a Facebook tab in my browser. And while they may not be much of an example when it comes to privacy, I guess Facebook is a great example when it comes to profitability.  Way to go LI.

 

No responses yet

Next »