“I turn on the tube and what do I see
They point their crooked little fingers at everybody else
Spend all their time feelin’ sorry for themselves
Victim of this, victim of that
Your momma’s too thin; your daddy’s too fat
I was having an interesting conversation on Twitter with Mr. Jeff Man this morning about the state of the infosec world, mostly about our lack of true understanding of risk, and how we have become one of our own biggest problems.
It all started with a tweet from Jeff: “A vulnerability is one part of the risk equation, but not the only variable. Do we spend as much time on the other variables? #”. Throughout the discussion we talked about understanding the variables in risk management, which in the end is what security really is.
We all know nothing will ever be 100% secure. We have learned about formulas for figuring risk. We realize that we have to use intuition on this formula at times. Do we really understand that upper management looks at the monetary figures more? In a different way, look at the credit card companies here in the U.S. They have lagged behind in moving to chipped cards, and still don’t require PINs for those chips, even though they are more secure. The risk equation to them points out that they save money by paying out for breaches instead of requiring the higher priced, safer technology. Don’t take the initial hit until you have to. I remember this same principle being described as a Japanese manufacturing principle: figure out what percent of items will not be at proper specifications (returned due to defect), build part of that cost into the price, and if the overall cost of returns becomes too high, then worry about a recall and redesign. Don’t fix it unless absolutely needed.
Once we grasp this idea, and I mean truly grasp and understand it, we can work with it to our favor. It might take longer term projections, or showing how the brand could be impacted with bad PR (according to some in marketing, no PR is bad PR). The issue with us grasping this, though, is more cultural.
The vast majority of us are techies. We are the geeks, the nerds, and we love being that type of person. We hyperfocus on the hard problems and ignore or shove to the side the stuff we don’t want to deal with. This, though, affects not only risk assessment, but the future of the infosec community.
Our community is still young in some ways, but has been getting a lot more rigid lately. Look at what we deem good certs vs. bad certs, how we accept different ideas in, and how we learn. Each year I see more of a divide in certain areas. Training, top-notch training, is affordable through your work if you are lucky, but not so much on your own: $5,000 is a lot of money to shell out, especially for the new people in our line of work, or those looking to break into it. Yes, there are things like Cybrary and ITProTV with lower cost, online training (both on demand and virtual classroom). But that $5,000 is in person, hands on, focused training. It is the GIAC, which is a great cert. It is how to get people up to speed and on the same page. It can be a barrier: to entry at worst, but to advancement at the minimum. We as a community have to help ourselves out better with training.
See how thick the forest starts getting? See how we keep looking at just a few trees? We are getting to a point that our lack of vision is creating the problems we are trying to solve. Where we are the problem. The question is, where do we go from here?
This past Thursday and Friday I spent the days at Thotcon 0x7. It is a well put together infosec/hacking con but, like everything, has some flaws. These are my thoughts and opinions, and yours may differ, which is fine.
The thing I find the best about the cons is the ability to meet and talk with people face to face. It is what I love about the Burbsecs, and is even more prevalent at a con like Thotcon, where there are people who come in from out of town. Putting faces to names, being able to chat in person, and just being around people who are into infosec as much if not more than oneself is worth it. There is no Lobbycon at Thotcon, so you do need to get your badge.
Talk-wise, I didn’t get to as many talks as I had figured (more on that later). There were a few that really were worth seeing. First, “Overcoming Imposter Syndrome” by Jesika McEvoy was an amazing look not only at Imposter Syndrome, but at some of the state of the community and what we need to work on. I hope she does this talk at another con, so I can see it again. “Crimeware 101” by Vyrus, which was the final keynote, was a great look at ransomware and how easy it is to get it to work. Vyrus set up a great presentation, and with his pseudo-ransomware code, had everyone riveted and laughing. This one normally would have been the highlight for me if not for “Trend in Whitelisted Proxies” by Schmitt, Dyas & Valin.
A little background: Parker Schmitt is a regular at Burbsec. That is not why this talk was my favorite. I’ve seen Parker talk at cons before. What made this talk my favorite was Dyas & Valin. They are high schoolers who are interns at Parker’s startup. Parker mentored them through the whole talk process, and really let them give the talk and live demo. Watching how they handled it, from issues with a live demo to keeping everyone interested in their research and findings, made this talk that much more special. Seeing Parker stand behind them looking on like a proud father was the icing on the cake.
The Not So Good:
I found overall, the quality of the talks to be not as good as last year. It seemed some of the talks were bait and switch, and a couple of talks that I checked in on felt like sales pitches for the product the speakers used.
Also, and this is being a bit nitpicky, the venue charged for water this year. My issue with this was that they did not want to allow outside food and drink. For those who were drinking alcohol (which was a good majority of people there), staying hydrated was important. For those like myself who are diabetic, free soda does nothing for us, since we really can’t have that. There also were no water fountains that I saw. I would love to see next year either allow water bottles in or go back to free water, and charge for soda.
The explanation for the no videos of the talks makes sense. The sad thing is that with social media (especially Twitter), the reasoning (so people don’t get in trouble for what they present/say) is really thrown out the window anyway. Pictures and quotes are put out there. I think they could allow for recording of the talks as an option. Let the speakers decide if they want their talk put out on the web.
After working on, and helping to beat, the puzzles at Cyphercon, I was really looking forward to working on the Thotcon puzzles in the program. The couple I did were fun and engaging, although the one on page 17 had a small issue with it, but the guy who created it helped find that issue and I did solve it (writeup on that will come). This became ugly to me because of the point registering system. I am not a programmer by any means, and I spent a good majority of the con trying to get the API token system to work. I had some help from a couple of guys I know who are way better at working with API calls, and as much as I learned from them, we still couldn’t get it. When I went to the con people in charge, I got no help. We found out that there were other groups having similar issues, and this was reflected in the scoreboard, which showed very few registered teams/individuals with points. When I asked about this at the awards portion of the con on the second day, it was mentioned that a number of groups had issues that they thought might have been network related, but that we should just learn APIs better, since other teams had no issues.
Now if it had been just me that was having the problem, fine, pick on me about it. Give me an elitist attitude, no problem. I would still be disappointed, but nowhere near as pissed as I got. The fact that only about 10 teams out of 50 got points, that multiple teams had issues with the token system, and that the people in charge of it didn’t seem to care really got under my skin. I feel that the challenges should be a learning experience, and if you put the time in on them and get some of them, you should get points. Not that registering the points is a separate challenge, and one on which no help is given. We are supposed to be a community, and as one we are at our best when we put egos aside and work together. You want better people? Mentor, teach. I don’t want someone to do everything for me, I want to learn, but sometimes we need guidance to learn.
The API situation is why I missed 3 talks I wanted to see, as I was working with people to try and get what seemed to be a system with some issues to work. Next year I’ll wait until after Thotcon to do the puzzles that I want to and that don’t require me to be on site. Lesson learned.
In the end, it was a good conference. Communication is really the biggest thing that I think needs to be worked on, but this year, API situation aside, was better thought out and run than last year. I look forward to next year and seeing how well they learn from mistakes and feedback. Seeing how they did this year, I have faith.