“I turn on the tube and what do I see
They point their crooked little fingers at everybody else
Spend all their time feelin’ sorry for themselves
Victim of this, victim of that
Your momma’s too thin; your daddy’s too fat
“I turn on the tube and what do I see
Community can be an awesome thing. It can also lead to a mentality of privilege, lying, shaming, head turning, and alienation.
I feel one of the best things about being involved in information security is the open community. through the community I have learned, made friends, and gained self confidence. Yet there is an ugly side of the community that has been coming to light, and the reveal has been a long time coming. The treatment of women, and the subsequent use of our talents to berate them, and those that support them, into silence. I am not talking about general disagreements, but about sexual misconduct. Sexual misconduct includes, continuous unwanted advances, drugging of women to allow for sexual advances that would otherwise be rejected, and rape.
We are the nerds, the geeks, the originals before being a nerd was the cool thing to be, before there were sub-categories of nerds and geeks. We were the ones who looked at the jocks and wanted to be like them, who were picked on, beaten up, and otherwise treated like we were less than everyone else in school (especially high school). We didn’t get to go to the cool kids parties, were (and might still be) socially awkward, and of course, had trouble getting dates. We looked at those who treated women poorly as bad people, something we would never do. How the times have changed.
We have become those jocks, those frat boys, those that will do whatever we want, to whomever we want and feel we can get away with it. You can look at the recent headline about the Tor Projects Jacob Applebaum, and the allegations against him. You can look at the whole backlash about Defcon and people I know and trust that have had their drinks drugged. There is a sense of entitlement, and the second someone goes and puts the truth out there, they get slammed, shamed, and people go on a social engineering tirade against them and anyone who supports them. All this because they are the opposite sex and we still haven’t learned the best way to deal with them is as human beings? To talk to them, to get to know them, to respect them for who they are and what they know?
Yes, we (we includes myself) are all guilty of sexist remarks, sexist jokes, staring at the opposite sex. That will never completely go away, and there are women who don’t mind the passing joke among friends, who sometimes find it an ego boost that someone is checking them out. I know I’ve made women in and out of the infosec community uneasy at times, especially when they haven’t gotten to know me yet. I try not to, but I am socially awkward to a degree. I will not push anything sexually on anyone though. I hear someone say they were drugged or raped, and I will stand behind them unless proven to be a falsehood. The law of the land might say Innocent until Proven Guilty, but that is for breaking the law, not public opinion, and definitely not the way the human mind tends to work.
I really wonder how many great ideas, and leaps forward we have missed in IT overall and infosec specifically, because women are afraid of us? They hear, and now with social media, see the fallout if you make an allegation and do not want to deal with it. They are not made to feel welcome. All of this because a relatively small portion have done bad things, and the rest of us either turn a blind eye or shame and attack the victims and their supporters until they disappear.
We are security people. Let us start by making our community a secure place for everyone.
This past Thursday and Friday I spent the days at Thocton 0x7. It is a well put together infosec/hacking con but like everything has some flaws. These are my thoughts and opinions, and yours may differ, which is fine.
The thing I find the best about the cons are the ability to meet and talk with people face to face. It is what I love about the Burbsecs, and is even more prevalent at a con like Thotcon, where there are people who come in from out of town. Putting faces to names, being able to chat in person, and just being around people who are into infosec as much if not more than ones self is worth it. There is no Lobbycon at Thotcon, so you do need to get your badge.
Talk wise I didn’t get to as many talks as I had figured (more on that later). There were a few that really were worth seeing. First, “Overcoming Imposter Syndrome” by Jesika McEvoy was an amazing look not only at Imposter Syndrome, but some of the state of the community and what we need to work on. I hope she does this talk at another con, so I can see it again. “Crimeware 101” by Vyrus, which was the final Keynote, was a great look at Ransomware and how easy it is to get it to work. Vyrus set up a great presentation, and with his pseudo-ransomware code, had everyone riveted and laughing. This one normally would have been the highlight for me if not for “Trend in Whitelisted Proxies” by Schmitt, Dyas & Valin.
A little background, Parker Scmitt is a regular at Burbsec. That is not why this talk was my favorite. I’ve seen Parker talk at cons before. What made this talk my favorite was Dyas & Valin. They are High Schoolers who are interns at Parker’s startup. Parker mentored them through the whole talk process, and really let them give the talk and live demo. Watching how they handled it, from issues with a live demo to keeping everyone interested in their research and findings made this talk that much more special. Seeing Parker stand behind them looking on like a proud father was the icing on the cake.
The Not So Good:
I found overall, the quality of the talks to be not as good as last year. It seemed some of the talks were bait and switch, and a couple of talks that I checked in on felt like sales pitches for the product the speakers used.
Also, and this is being a bit nitpicky, the venue charged for water this year. My issue with this was they did not want to allow outside food and drink. For those who were drinking alcohol (which was a good majority of people there), staying hydrated was important. For those like myself who are diabetic, free soda does nothing for us, since we really can’t have that. There also was no water fountains that I saw. I would love to see next year either allow water bottles in or go back to free water, and charge for soda.
The explanation for the no videos of the talks makes sense. The sad thing is that with social media (especially twitter), the reasoning (so people don’t get in trouble for what they present/say) is really thrown out the window anyway. Pictures and quotes are put out there. I think they could allow for recording of the talks as an option. Let the speakers decide of they want their talk put out on the web.
After working on, and helping to beat the puzzles at Cyphercon, I was really looking forward to working on the Thotcon puzzles in the program. The couple I did were fun and engaging, although the one on page 17 there was a small issue with but the guy who created it helped find that issue and I did solve it (writeup on that will come). This became ugly to me because of the point registering system. I am not a programmer by any means, and I spent a good majority of the con trying to get the API token system to work. I had some help from a couple of guys I know who are way better at working with API calls, and as much as I learned form them, we still couldn’t get it. When I went to the con people in charge, I got no help. We found out that there were other groups having similar issues, and this was reflected in the scoreboard, which showed very few registered teams/individuals with points. When I asked about this at the awards portion of the con on the second day, it was mentioned that a number of groups had issues that they thought might have been network related, but that we should just learn APIs better, since other teams had no issues.
Now if it had been just me that was having the problem, fine pick on me about it. Give me an elitist attitude, no problem. I would still be disappointed, but nowhere near as pissed as I got. The fact that only about 10 teams out of 50 got points, that multiple teams had issues with the token system, and that the people in charge of it, didn’t seem to care really got under my skin. I feel that the challenges should be a learning experience, and if you put the time in on them and get some of the, you should get points. Not that registering the points is a separate challenge, and one that no help is given on. We are supposed to be a community and as one we are at our best when we put egos aside and work together. You want better people, mentor, teach. I don’t want someone to do everything for me, I want to learn, but sometimes we need guidance to learn.
The API situation is why I missed 3 talks I wanted to see, as I was working with people to trying and get what seemed to be a system that had some issues to work. Next year I’ll wait until after Thotcon to do the puzzles that I want and don’t require me being on site for them. Lesson learned.
In the end, it was a good conference. Communication is really the biggest thing that I think needs to be worked on, but this year, API situation aside, was better thought out and run than last year. I look forward to next year and seeing how well they learn from mistakes and feedback. Seeing how they did this year, I have faith.