Silicon Shecky

Infosec Practitioner


Copyright © 2025 ·Sixteen Nine Pro Theme · Genesis Framework by StudioPress · WordPress

Sportsball and Infosec

February 8, 2018 By Michael Kavka

This past weekend was the Superbowl (yeah, suck it NFL, I am using the word), and of course you get all the people who are not into sports with their memes and complaints about so much talk about sportsball. Hold on a moment though, there are similarities between our world of infosec and the world of sports, and I do not mean poker, chess or any of the other things along those lines. I mean the big name sports.

Back in the 90s I was a coach for youth football. It was a volunteer position, and I enjoyed it. In fact, I have always enjoyed sports, but recently I started to wonder if there were lessons I could learn from understanding sports that could be applied to the world of infosec. The answer is yes. Let's take a look at the "Big 4", football, baseball, basketball and hockey, and how they can relate to the world of infosec.

The big 4 sports are all strategy based. Some, like baseball, are more individual than team based. I am not saying there is not a team aspect to baseball, but it is not as important in the overall strategy. The thing with all of them is you watch, you record stats, you analyze, you make a plan and then you adjust on the fly (if your coaching staff is any good). Baseball is a slower paced game, hockey and basketball are constant motion, and football is in between. Hockey and basketball really can represent a full on attack with an active defense. The constant motion means everything is constantly changing. No break. Think of this like dealing with an ongoing incident. Baseball, with its much slower pace, is more along the lines of setting up new policies, procedures and technology. You have time, you can look at things and make a long term decision. Football I see as more the day to day type of activity, but it does encompass both the speed at times of baseball and of hockey/basketball. I think it also has the most to teach us.

Football, at least at the college and pro levels, works like this. You have an opponent that you are facing. Over the past week you have watched film on them, devised a plan to stop them when they are on offense, and to break through their defense, or in our terms blue and red team. When on defense you have to get everything right to stop them. The smallest mistake and they advance (or score). When on offense you only need to find the one weakness in the defense. When the play is actually going, it is fast paced, and decisions have to be made in a split second. Take a wrong angle, you miss stopping them. Slip and they get past you. In between plays you get a chance to set up for the next attack. This setup is usually based on tendencies discovered by watching film of prior games the opponent has played, and the statistics available, or in our world going through logs and stats and doing research. Conversely, when on offense they use the same research, or OSINT, to find the holes in the defense and exploit them. During the course of the game it has to be agile, with fast responses. Without that agility they get pwned, er, scored on.

So what can we learn from all of this? First, our world is not much different from the world of sports. Our ball (or puck) is data, our goals (basket, base) are locations (servers, folders, shares). Studying how the coaches come up with their plans in sports may give us better ideas on how to plan out our world, red and blue team. How they have learned to make fast adjustments is a skill we can learn. How they innovate can give us insight into how we can do that better.

This is just a small look, a quick overview of the similarities. Just a thought I had while watching the Superbowl this weekend, and something I am continuing to look at. Our world gets stagnant, and we need to find other ways and angles to look at it, otherwise we are sunk. This is just one idea.

Filed Under: General Tagged With: Blue Team, InfoSec, OSINT, Red team

Catfight!

February 2, 2018 By Michael Kavka

Over the last week we have seen the Strava heatmap and the AutoSploit issues come up. Since the start of the new year, I have watched fight after fight over opinions on many different things in the world of infosec. Can we get the claws retracted and have meaningful discussions, please?

Ok, seriously, most of the debates have been quite informative and pretty calm. Still, there have been some people who have dug deep trenches. AutoSploit: if you think someone else has not done that sort of script in the past, you are probably kidding yourself. Yes, with it out there, it makes it easier for the kiddies to do it, but truth be told it was going to be made public at some point. The debate on the morals of that is immaterial except as a thought experiment. Something like this will get released to the public again, and just like anything in the world of IT, not just infosec, it can be used for good or evil. I suggest focusing on how to use it for good, as a way of showing why you need the new tool, new infosec employee or bigger budget. It is a golden opportunity, especially if you have higher ups who read infosec headlines and tend to freak out at the next problem they define.

Speaking of that, is it just me or does it seem like publications, both in print and on the net, have gotten away from proofreading? The idea that we can still understand what they mean (for instance "lunch" instead of "lung" when talking about breathing issues) shows two things related to our field. First, the mind is an amazing thing. We can figure stuff out pretty quickly if we do not fight ourselves over it. I know, easier said than done. Second, we have gotten lazy. We rely on the tool (the spellchecker or grammar checker in the example I used) and have stopped using that great mind of ours. This is a complaint I know many in the infosec world have talked about. Start with the people and then get just the tools that are needed. Still, it gives a great, easy to understand real world example to those not in our field of what we are talking about. Mistakes will happen, but they should be able to be mitigated.

That is it for this week. See you all on the flip side!


Filed Under: General

It is CFP season… So what

January 25, 2018 By Michael Kavka

It has begun. CFP season is upon us. Really it tends to go on throughout the year, but with DEF CON opening up its calls, RSA sending out rejection letters to everyone, and it being early in the calendar year, it seems there are more tweets about CFPs than at other times of the year. Talking at a con is a badge of honor, something to put on a resume, something to make an individual stand out, and we get all up in arms about it.

The world of infosec, I have noticed, tends to be about acceptance and rejection. There are a lot of introverts in our field. Introverts tend to have a tough time with both acceptance and rejection, which is why they do not feel comfortable in situations where an extrovert does. Yes, there are plenty of introverts who play the role of extrovert, but really think about it. We sit in front of a computer screen, doing our thing, research, games, or other stuff, and we get along just fine. Well, sort of. We do crave acceptance and hate rejection, and I am sure somewhere in our psyche our being an introvert is some sort of subconscious method of protection from rejection (disclaimer: I am not a psychiatrist, but I have played one on stage). So what does this have to do with CFPs? Everything.

Think about it this way. Human beings are said to be social animals. We get our social on at the cons we go to. Those cons are where we are around our peers, the people who share our interest and passion to make the world more secure. We want to show that we belong, so we put in our CFP. We get rejected, we get down, and imposter syndrome either kicks in or ramps up to higher levels, all because we want to be accepted by our peers. We yearn to show that we belong and know what we are talking about. We yearn to make an impact and share our findings, thoughts and experiences. That CFP gets rejected, and boom, there is a slap to our ego, our pride. What makes it worse is we keep preaching that speaking at a con is a great thing to do and everyone should at some point. Except most of us never will, either because we never put in to talk at one, or the cons never select us.

I will be honest here, I spoke at one BSides in Chicago back in 2014. I have not since. I have tried, I put in my CFP just like everyone else. I have gotten tips on how to write a better CFP, and still nothing. I put in the CFP figuring it is going to get rejected, but I still force myself to. Yes, I have imposter syndrome just like many of you do. This year I was thinking about it, while waiting for the first rejection e-mail (which I know is coming within a week of this post per the con's Twitter account), and watched people talking about the rejection letters they were getting from RSA. These are people who are pretty much regulars on the con presentation circuit. People who I have watched present either in person or recorded at a con many times. Some have even been keynote speakers. I came to a multi part realization about the cons and being a speaker.

First, there are 3 types of cons we go to. The first is the vendor con like RSA. These are the cons where you really need to be speaking on what the vendor wants, and extolling that vendor, to become a speaker. There is plenty of good information at these cons, and they can be fun, but ultimately you need to think like the vendor to get a speaker's slot. The next 2 types tend to merge and shift between each other depending on the organizer and which way the wind is blowing for them. They are the Security con and the Hacker con. Most cons will lean one way or the other. You can usually tell them apart by a couple of factors. Do they focus on the latest and greatest vulnerabilities and exploitation techniques? Yes? Well, that tends to be a hacker con. Do they record the talks? No? Well, that tends to be a hacker con. Are they giving many defensive talks? No? That tends to be a hacker con. Are they giving talks about the state of the field, tips on being better in the field with soft skills, or looking at our own shortcomings and how to hack around them? No? Guess what, hacker con. There is nothing wrong with hacker cons, I enjoy them, but I will more than likely get rejected from any sort of talk at them. My CFPs tend to lean more toward the state of our field or soft skills, because I have yet to come up with a new, good tech talk. You can look at the history of this blog and see I do not put many technical blog posts up there. That is the thing though, we have more hacker and vendor cons than security cons. There are cons out there that try to strike a balance between security and hacking. Some do a decent job of it also, but for the most part cons tend to lean one way or the other. Some, if you look at their talk history, are rather obviously one or the other. Again, nothing wrong with it, but it does limit what we learn.

Second is the "rockstar" status. These are the people who are well known in the world of infosec and give talks all the time. They might be SANS instructors, well known researchers, or people who are just well known and respected. These people will get invited to be keynotes, as well they should. They also, unknowingly, tend to be the cause of new or lesser known speakers not speaking at a con. It is not an intentional thing: they put in a talk, your talk is too similar to theirs, and they get the nod. Be it because their CFP is seen first, written in a more catchy way, or, if it is not a blind selection process, because their name means the con might get a few more people. I know this has happened to me, and it was not intentional. Those speakers, who I know pretty well, and I never knew that we were putting in similar talks. It happens. A good number of cons do a blind selection, where they do not see names, but the regular speakers know how to write a compelling CFP (even when it is a 140 word max and no outline can be submitted, as is the case with a con I put in a CFP to). How do we get around this issue? There is a simple way, quite honestly. If a well known speaker and an unknown speaker have put in for the same talk, when accepting the well known one let them know about the unknown's talk and give them the option of reaching out to said person to do a dual talk. This all of a sudden does two major things. It gives the new speaker a great mentor to work with, and it helps get more speakers out there. Simple option, easy to do. The well known speaker does not have to, but give them the option, and be willing to adjust to having it as a dual presentation. It does not take up an extra slot.

Those of us who are not selected for CFPs have other options out there. This blog, for instance, is my thing. I will probably do some write ups of my rejected talks after I get all the rejection notices. Blogs are a low barrier to entry, and with a little bit of push, can make someone into a well known quantity that cons would want as a speaker. It also allows one to work on their writing skills. There is actually talking with people on Twitter instead of just watching your feeds, again allowing you to become a known quantity. Join Slack channels, speak locally at meetups, or even do a podcast. The options are out there if you want to get the word out on an idea.

The toughest part of all of this is getting over the rejection stigma. Imposter syndrome will always be there. We crave acceptance. Remember though, you need to accept yourself, as you are, in order to truly be happy.

Filed Under: Rants Tagged With: Blogs, CFP, Conferences, Imposter Syndrome
