Silicon Shecky: IT News, Opinions, and Reviews

Crying Wolf

May 18, 2018 By Michael Kavka Leave a Comment

It is happening more and more, and it is hurting how we are perceived. Flaws that are treated as super critical potentially end of the world and upon further inspection are not. This needs to change.

I almost titled this piece OMGWTFBBQ because that is what happened again recently. A flaw was teased on Monday that people got up in arms about. It was not going to be released until Tuesday, but the sensationalism got the better of people, and someone was able to put out the information late on Monday. Yes I am talking about the PGP/SMIME problem, but this is not the first time this has happened. For those into sports the situations turned into, “Upon Further review the call is reversed.” I am no expert by any means. I read the articles, watch Twitter, ask questions, and try to use some basic logic and common sense. That means waiting for good info, and to make sure you have all the info. The situation this week got so out of hand that articles were telling people to get rid of PGP. Again, this rush to judgement that people in our field had turned out to cause more panic than was needed, and turned into bad advice being given out.

Now, I am not going to get into the flaws themselves. There are plenty of others who have done that way better than I can. What I am more concerned about is the reputation of our field.

“We are Samurai… the Keyboard Cowboys… and all those other people who have no idea what’s going on are the cattle… Moooo. “

-The Plague – Hackers

That is how we do tend to see ourselves. That is how others outside of our field tend to look at us. Part of our job is to give good information that can be used to give good advice to the public in general. Unfortunately, we are jumping the gun more frequently. We are not waiting for peer review of flaws before deciding on pushing the panic button. This I feel is mostly due to ego. People want to be known as doing something, anything. We want recognition. With the PGP/SMIME situation those that found the flaw still get the proper credit. They lose points though for the way they released it in a sensationalized way. The people who started flailing like a muppet about the flaws before they eve saw it then caused more problems. At some point doing this people will stop trusting us. We will be looked at the boy who cried wolf. So what can we do about this?

The answers are simple and might surprise you. First we need to slow down. We need to take time to look at flaws when they are released and not look at any hype or sensationalism that builds up around their release. Second, we need peer review. This double checks anything that is being published for accuracy. A flaw could be found but until someone else reviews we need to be skeptical about the severity. Yes this can cause a day or two delay, but the reputation it will build up as us being trustworthy is worth it. People will listen, and will get good advice instead of the infamous OMGWTFBBQ.

Thotcon 0x9

May 11, 2018 By Michael Kavka Leave a Comment

Security/Hacking conferences are interesting. Each one has its own uniqueness about it, and yet they are all similar in some fashion, stemming from the “granddaddy” of them all, Defcon. These conferences are all over the place, and in the Chicago area we have two main ones, BSides Chicago and Thotcon.

Now Thotcon just happened over the weekend with the 0x9 iteration. Nine years is a long time to learn and find your voice, and each year should teach a conference something to make it better for the next. The joke the last number of years with Thotcon was the whole undisclosed location idea. For years it was at the same venue, even though they never officially let attendees know until a week or two before. This year, it was a new location, and I would say a huge improvement. The problem with waiting so long to reveal said location is of course people coming in from out of town, and where should they stay. I personally think this can be remedied with a longer heads up. reveal the location 6 weeks before, so people have time to make reservations at a decent price. Just a thought.

The new location, which I will not reveal where it is, as I said above was an improvement overall. The echo and open space issue that caused problems hearing talks was gone. Each track you could hear the speakers clearly, at least I could. The overall layout was not too bad either. There were downsides also, as Barcon was not as large an area and did not have an easily accessible outside for people to just walk out and enjoy the sun while drinking. The villages were almost out of the way a bit, and the traffic there seemed lighter because of that. The temperature in the building in some areas was an issue also due to the age of the building and where air conditioning was actually available. This issue drove some people up to Track 2 which had the best air conditioning in the building, just to cool down at times. Finally, there was the food issue. The old venue food was inside, and was plentiful. With the move to food trucks because of the venue, Friday saw only 2 trucks which had long lines and eventually no food. People wound up walking a few blocks to get lunch. Food trucks also mean weather could have been a factor, which was not the case as it was nice outside, but should it have been storming there was a potential issue. Saturday saw the addition of a third food truck, and between that and what seemed like lighter attendance on Saturday it seemed to hold up better, even with the long lines still there.

With the switch from a Thursday/Friday to Friday/Saturday the “After Party” was put in between the two days. It also was moved well off-site which is not a bad thing. The venue for that was nice, with 80’s dance music playing and tones of pinball and old school video games to play. The light food there was a nice add on to the candy and free drinks. It did seem to get a little more crowded, or at least packed in compared to past years. Also, I have to wonder if having in between the two days contributed to what seemed like lower turnout for the con on Saturday.

The keynotes I felt were an overall improvement. Some of that might be from being able to hear them clearly with little distraction, and some from the bigger ideas they seemed to cover. Talks overall were good and well received. I found myself in Track X which was more along the workshop lines most of the time, due to 2 fantastic talks, one each day. The Jaku Puppet Show was definitely a sight to behold and gave some nice levity to the whole con.

I still maintain that Thotcon should give the speakers the choice on whether to record their talks or not. This is a personal preference, as I believe that information should be out there, and there are always talks scheduled at the same time that one has to choose between. I understand the reasoning behind not recording the talks, but in this day and age of social media, things said still can get out of the open and protective shell that not recording the talks is supposed to provide.

When all is said and done, Thotcon 0x9 I felt was an improvement from previous years. There are lessons to be learned from it, but for value it is definitely worth it. I am curious to see how Thotcon 0xA comes together and what is planned to celebrate a decade of Thotcon.

Lack of Vision

May 3, 2018 By Michael Kavka Leave a Comment

I have noticed something about our field. The lack of vision we have. We get comfortable with our knowledge, and are afraid of being wrong. We blind ourselves which makes us susceptible to attacks.
<span style="display: inline-block; width: 0px; overflow: hidden; line-height: 0;" data-mce-type="bookmark" class="mce_SELRES_start">?</span>

via GIPHY

Unfortunately this feeling can eventually lead us to feeling like this when things go wrong:
<span style="display: inline-block; width: 0px; overflow: hidden; line-height: 0;" data-mce-type="bookmark" class="mce_SELRES_start">?</span>

via GIPHY

I am not saying there is anything wrong with being confident in what one knows. I am talking about blinding ourselves. We have been seeing some old techniques and tactics come back into play again. We aren’t watching for these because they were eradicated years ago perhaps, or never were much of a threat. Instead they are being used as one part of an attack. We also get caught up in not only attribution, but a blame game. It is “X” companies fault. The legacy system needed only works on “Y” OS so it is the OS companies fault. I see this all the time. Watch twitter enough and you will see it too. The thing is we are all to blame. We have our hatred of X company because of reasons. We prefer Y because it seems more secure. We discount the simple answer immediately until we wind up taking the long way around and come back to it after eliminating the more complex and sexier looking possibilities.

There are reasons for so many things. For instance legacy and the countries infrastructure. I saw a talk at Cyphercon on the basics of ICS threat hunting. Lesley Carhart gave some basic information on the world of ICS so we could understand things better. There are reasons that upgrading systems are so slow in that world. Very good reasons, such as making sure your power is not interrupted. All the majority of us see is, legacy bad, change it now, instead of learning why legacy is needed.

The world of the theoretical is lovely, but it is not always achievable. We have to learn that. We have to take off the blinders and understand that we may be wrong, that the old ways may come back in a vicious circle. We need to realize that we do not know so much, and that it is okay not to know. What is not okay is to have tunnel vision.