Silicon Shecky

Infosec Practitioner


Random Thoughts Again

March 2, 2018 By Michael Kavka

Another week where I have just been too swamped with other things to come up with a great article, OK, maybe a typical mediocre article. Truth be told, it is not easy trying to write every week. I am doing it for a few reasons.

First, writing is important in our field. It is something that has been a weak point for me over the years, at least in my own eyes. What does one do to get better? They practice and do. Hence the writing on this site. Second, it allows me to share with the world. I know I am not a big name superstar, but I at least like to give back, and this is just one way. Third, it allows for me to have something to break and learn with.

Now out in the security world, there was some drama on Twitter with a BSides. I won’t post all the details about it, but it was drama and apologies have been put out there. Seems Equifax has found another 2.4 million people affected by its breach. Outside of that it is pretty much business as usual.

Filed Under: General

Not Much Really

February 23, 2018 By Michael Kavka

Short post this week folks, due to the fact that I have been busy with all sorts of stuff not related to InfoSec and there not being a big ticket item for me to muse about.

The biggest thing I saw was based on the ZDNet article about Lawsuits and Research. It is pretty eye opening, and while there are some great points (and one J0hnnyXmas telling his story), it really is just the tip of the iceberg. There are no suggestions of solutions for the idea of suing researchers into oblivion, and that is what is needed. Smashing Security talked about it this week and had a thought of a Good Samaritan law to protect researchers, but that could take years to even come about, plus it would have to happen in multiple countries.

Cisco released its Annual Cybersecurity Report, which you can get for free by giving them your e-mail address. I have not seen anything in it yet that sticks out at me as eye opening, just a lot of confirmation of things already talked about across the field.

Outside of that, Thotcon has posted its full speaker list. There are some talks that I am looking forward to. The only issue I have is I know I will not get to see all the talks I want, as they will be at the same time as each other or the mini-trainings I would like to go to. Since Thotcon styles itself in the old school hacker context and does not record talks, I hope many of these talks are given at cons that will record them so I can catch what I missed. Thotcon, which is in Chicago, is the first weekend in May this year and is sold out, so watch and use the twitters if you want tickets for it.

Coming April 12-13, Cyphercon is in the Milwaukee area. While they have not posted a full list of speakers yet, I can say that I will be giving a 25-minute talk on some thoughts on improving security with integration. So as a response to my whole rant about CFPs earlier this year, even a blind squirrel finds a nut once in a while. I also hear that Hacks4Pancakes (Lesley Carhart) will be speaking there, and that you do not want to miss. Tickets are still available so check it out.

As always feel free to hit me up on Twitter, I love a good discussion/debate.

Filed Under: Security Tagged With: Cyphercon, Infosec Research, Thotcon

Line in the… silicon

February 15, 2018 By Michael Kavka

We have a problem. It is a big problem. We want maturity. Maturity of the security scene. Mature security postures. All while we tend to be immature gits. This is a big problem.

Over the last week there was yet another big to-do in our community, and a few more minor ones. Let’s start off though by defining our community. The infosec community at large is not a be all end all, in fact as Jack Daniel mentioned in a Twitter thread:

I’ve given this a lot of thought and I have long used “communities”, plural. I think of us as more in the nations/tribes/clans/families model, but with the profound complication of significant overlap in some areas.

— Jack Daniel (@jack_daniel) February 13, 2018


Jack is of course correct. We have splinters, as large groups usually do, back down to more manageable sizes. Each of us in many different groups. Some are maturing faster than others, some are not.

I bring this up because even with different groups, we still tend to have an overall gang mentality. We pile on something we do not like until we beat it to death. Sometimes, like Trevor, it was meant to be in fun. Sometimes, like with the case of a company slamming a security researcher, we go too far. There is a line that we should not be stepping over if we are mature. Complain about stuff, yes, but to what degree? A company issues an apology, fires the offending employee and wants to go on with what it does. Do we punish the rest of that company’s employees by constantly berating them? Do they make a decent tool that we could use, but now won’t because of a mistake? When do we stop complaining and berating? When do we start acting mature? You know being mature gets you more respect than throwing an ongoing temper tantrum, and that is something parents try to teach their children at a young age. We want to be taken seriously, and we should be, but it is harder to do that when we act like overprivileged spoiled brats, and we do act like that at times.

Now back to the statement by Jack. There are people, like Jack, or Lesley (@hacks4pancakes) and many others who we look to as leaders. They are respected by many if not all of our sub communities, and see this issue. Some of the sub communities take this to heart and others do not. We need all of the communities to start thinking more maturely, start using more honey than bitters to get our points across, and stop with the gang mentality. We want to be taken seriously, but we can’t even take ourselves seriously. Look at the “rockstars” that slam people for getting certs. Look at how we slam each other for thinking differently, for having opinions that do not agree with our own. Do we act mature and discuss or do we berate?

It is not easy to change, we know that because we are trying to change corporate cultures to being more secure. We have a chance right now to show them that we accept change, and change ourselves and our attitudes to something more mature. The choice is in each one of our hands.

Filed Under: Rants Tagged With: InfoSec
