Silicon Shecky

Infosec Practitioner


Cyphercon, a Con of Firsts

March 25, 2016 By Michael Kavka

A couple weekends ago was Cyphercon. This was not just the first (and not the last) year for this event, but was a few other firsts for me. A conference that was supposed to be one Saturday, with a special little party for VIPs the night before, blew up into a 2-venue, 2-day conference that went not just smoothly, but very well in my opinion.

There were a lot of little nuances to this con, and I am sure I missed out on some. Still, if you looked at it in the simplest of ways, it was broken down into a few basic areas: the speakers, the contests and the villages. I could talk about the wonderful talks, but I really only saw the first evening talks, with a smattering of pieces of the talks at The Safehouse on Saturday. What I saw was awesome and can be watched at IronGeek’s Site. I do recommend Red Dragons talk on China, J0hnnyXm4s and Hacks4Pancakes, and Chris Robert’s talks on Friday. I am still going through the Saturday talk videos due to the contests, but we will get into that in a bit. The villages were pretty standard: lock picking, electronics, some vendors, and even the Wisconsin Hacker History group (who remembers the 414s).

Contests, you had the main overall Hack the Con contest which was broken down into different categories, from cyphers, to electronics, hacking, and even social. Here, points were gathered by scanning QR codes. The more interesting thing was the social portion of it, as each attendee had a QR code given to them, and once registered, you could scan each other’s QRs for points. It actually caused more interaction with each other and allowed people to meet who might not have talked otherwise. Basically an icebreaker for us, and considering how often I hear of the amount of introverts in infosec, a great idea. There was the old safe at the Safehouse that would give a lifetime badge if you could crack it, but no one was able to. There was a Wireless CTF that yielded a prize for winning that contest, along with QR codes for points. Then there was the cryptography challenge.

I would love to do a full write up of each challenge in the Crypto contest, but to be honest, I didn’t keep notes as I was over focused on helping my team solve the problems. What I can do is give a basic account of how my awesome partners David Schwartzberg and Steve McGrath and I went about solving all the puzzles. It was not easy, but a lot of fun.

When you are someone like me, you tend to wonder if you are looked at in your industry as a fake, I haven’t done a lot to have much notoriety, or as a value. My thoughts on that changed over the course of the Crypto Challenge at Cyphercon. Having been at only a few other cons, and never really having done challenges at them, I figured I would see if I could crack a code or two in the challenge. Where I sat, though, Steve and David, both of whom I’ve known for a while through Burbsec, were already sitting and David was working on the Crypto challenge. To be more precise, I was trying to figure out the initial challenge in the con book, and David, who had already gotten past that and gotten the crypto deck of cards, was working on trying to get Steve to help. I was sitting in between the two, so when I was looking at the cards, Steve got a chance to see them. I don’t know if it was this or David’s constant asking him, but Steve started working on the cards with David, as I tried to help a bit but mostly was watching and learning. It was after the first of the many challenges that the deck had was solved that I started to feel like I was pulling my weight, and it all started because of a clue.

I grew up listening to old time radio and fell in love with a character by the name of The Shadow. He is still one of my all time favorite detective/superhero type characters (pulp fiction hero if you really want to get technical). David and Steve had found the right pattern to put the picture cards (K,Q,J,A) to get the crypto straight for those challenges and the first one they were working on, David recognized the code, but it had extra characters in it. The clue though was about a specific Shadow story which used the bionicle code with a modifier character which turns the grid 90 degrees left or right or 180 degrees. Once I was able to remember that, Steve and I decoded that cipher while David started on the next one. This was the start of the pattern we used. We would work together on the same code at times, and at times split off to doing codes individually and then rotating who had which code when we would get stuck. The reason this worked was we kept an eye and ear on what each other was doing and were constantly talking about the different challenges. This ultimately allowed us to finish every code just as the day was nearing its end. I know there were other people who had been getting close, but as far as I know we were the only ones who cracked every single cipher and, at the Crypto master’s request, “assassinate” Korgo (the other founder of Cyphercon). As with the Wireless CTF, as we got to the harder challenges we got QR codes to scan for points in the Hack the Con contest, which was key for me. See, as the winners of the Crypto Contest, we got a Lifetime badge to share between the three of us. As we got to the end of the contest though, I was in second place overall for Hack the Con. The last QR code could only be scanned by one person at the conference, and while Steve was not doing the QR scanning, David was but was sitting a few spots lower. They allowed me the honor of scanning the last QR code, which put me over the top on the Hack the Con (I got a lot of social codes on Friday), which won me a lifetime badge of my own. I am grateful to them for the honor. It also shows what happens when we work together, putting our egos to the side.

When Cyphercon comes back next year, I know I will be attending. I am curious to see what they have lined up for next year as they said the theme would be based around the TV show Fringe. For a smallish sized con, this one could become something special besides being a nice con between Shmoo and Thotcon.

Filed Under: Reviews, Security Tagged With: burbsec, Cyphercon, InfoSec

A Woman’s Place Is Working At Her Keyboard…

February 29, 2016 By Michael Kavka

Thanks to @SwiftOnSecurity for the tweets about this. Harassment sucks. Period. There is no place in a civilized world for it.

I saw a tweet earlier today from @SwiftOnSecurity that really made my blood boil. It is about a woman who was fired after reporting sexual abuse in the workplace to HR. Released from her contract and fired by the actual firm she worked for. Here are the links to the Reddit posts Swift tweeted:

Original post: https://www.reddit.com/r/sysadmin/comments/474q2s/having_trouble_with_a_contract_and_i_dont_know/

Followup One: https://www.reddit.com/r/sysadmin/comments/47qor0/update_i_am_now_jobless/

Followup Two: https://www.reddit.com/r/sysadmin/comments/483hgy/update_thank_you/

This troubles me a lot. We all know there are cases of sexual harassment in all fields, but especially the Tech Industry. We all also know that there are times where claims can be false, but not very often. Yes, we are only getting one side of the story on this, but hearing that reporting sexual harassment got someone fired, and that a law firm admits that the odds of winning a case are slim to none is problematic. This is a systemic issue in this day and age. I do applaud the law firm for being up front and honest, not only about the chances of winning but the harassment this woman could take from the case. It does show though a sad case in a world where we want more women in tech. Heck, most women that I know in tech are way better at it than I am. How though can we get past all of this?

First, realize that innocent until proven guilty is only true in a criminal case and that it never equates to the court of public opinion. Second, do not rush to judge either side of something like this, just try to weed through the facts. Third, and most importantly, stop the damn harassment, at work, in forums, on social media. Anyone, and I mean anyone can help prevent these actions. Make friends at work that can back you up. Make sure to document any and everything related to harassment so if you need lawyers, they can have a better chance of winning. Understand that there are plenty of us who will support you in your claims.

As far as the HR situation in this case, don’t let it stop you from reporting like you should. Most HR departments I know won’t stand for sexual harassment in the workplace.

I hope things do work out for this young lady. I hope that we all learn from this. I wish these things did not happen.

Filed Under: Rants

Superstars and Giving Back to the Community

February 18, 2016 By Michael Kavka

We all hear it. Give back to the community. Speak at a conference they say. Yeah, about that…

I follow a lot of Infosec people on Twitter. I frequent some Infosec IRC channels. I’ve met some of the more well known Infosec people, what I would call the “Superstars” of the Infosec world. I call them Superstars, not because they are putting themselves above the rest of us, but because they are easily recognizable, and always out there. You know, the ones that give advice, have been around forever and are looked upon as leaders by a bunch of us. Almost all of them say the same thing at some point. Everyone should give back to the community. Everyone should speak at security cons. I totally agree, having spoken at one con (BSides Chicago back in 2014), and trying to be more chatty on Twitter. The problem comes in with the amount of speaking slots at the cons and getting selected.

Here is the thing as I see it, and it isn’t pretty nor is it fair. I don’t look at this lightly, nor do I think any of this is malicious or really intentional, but like in any large group of people, there are cliques. We can’t avoid them, it is our nature to form smaller subgroups. This unintentional grouping of us has other unintended results. One of those is the speaker selection process. So many talks given by such a small subset of our industry, and it becomes a daunting task to break in. I for one would love to speak again, but I keep running into the issue of what to talk about that I actually know. For myself, that runs into areas where other people give very similar talks and are better known. Yes, I have filled out CFPs for more cons and after the rejection letter have seen a similar talk being given by those people. I don’t hold any ill will about it, and I keep trying to find some other area to talk about that I might be able to slip through the CFP process. Unfortunately, I am more of a jack of all trades and am not comfortable with my knowledge level to go different routes (Most of what I come up with there is a “Superstar” that does talks along those lines).

Now, to be fair there are cons that have the first timers/new speaker track, which try to promote new speakers. I know at least one of the big cons out in Vegas (which I have never been to) has this sort of set up. BSides Chicago used to have this track, but right now doesn’t. It is a great idea, pair up the new speaker with a mentor who has spoken before. Having these tracks at more cons, say Derby, Shmoo, Circle City, Local Bsides everywhere, is a great way to get more people to speak. Talk about instilling confidence and getting more people involved!

Another way, and one that I think has even better potential, is for the “Superstars” or any speaker for that matter, to offer to team-up with other people who are interested in speaking but haven’t, or don’t get to speak very often. For instance, say Jim gives talks quite frequently. Jim knows a lot of people from local meetups, Twitter, and IRC. He knows that Fred is interested in an area that Jim is going to send a CFP in at a conference that both are planning on attending. Before filling out the CFP, Jim talks to Fred and offers to do the talk as a tandem, mentoring Fred not only in doing a CFP, but on how to set up the PowerPoint slides, and even more information about the topic itself. Fred and Jim tag team for talks at a few more conferences. It gives Fred the information and confidence to talk to Jim before a conference, asking Jim if he can do the talk on his own. Jim agrees and submits on a different topic, and Fred gets selected. After a few more cons, Fred now takes someone else under his wing, and Jim does the same. Now we are getting into really giving back to the community. Fred not only has been mentored on how to do a presentation, from CFP to the Conference, but has been mentored in the topic by someone who has more experience with it. It becomes a win/win situation.

Maybe some con would allow the adding of a second speaker after a talk is selected. Maybe a speaker will just offer to have someone not as experienced help with everything up to the talk itself because they don’t want to be up talking at a con yet. There are many ways to spin this into giving back.

BSides to me is the place that this should be happening all the time. I’ve been to some that have the feel of an ASide conference, more formal, big name speakers, people split into areas like a VIP. Personally I think that is not what BSides should be, and instead it should be a place to let newer speakers get their feet wet. That every Bsides (if big enough to have 2 tracks) should have a new speaker track, and if not big enough, should favor speakers that are not as well known. Give people the chance. Cons are a great way to really mentor the new people to our community, and in so many ways. Let’s all take time to give back.

Filed Under: Rants, Security Tagged With: BSides, Cons, InfoSec, Mentoring
