Silicon Shecky

Infosec Practitioner


First Defcon – The results

August 17, 2023 By Michael Kavka

This year marked the first time I made it out to Defcon. I have known about this conference since the 90’s, just had not figured out a way to get out there and experience it. For those that want a TL;DR, it is a supersized conference. There are also plenty of smaller conferences that I enjoy as much or more than Defcon. That is how I perceived it. Now let’s get into the nitty gritty of it all.

In the Beginning…

Before I got to Vegas for Defcon, I had been told about things like linecon, the merchandise lines and the like. There are still people and especially news outlets that give advice based on what Defcon used to be in a different era. This covered what to and not to bring, use and be prepared for, and much of it has changed over the years. When I arrived and went to linecon, the fact that where I work pre-paid for my entry meant that linecon itself was a much shorter and less involved situation. I did observe the old-fashioned, cash-only linecon going on though, and how everyone went about their business. It also, while many times longer than what I stood in, seemed to move pretty well. The Goons kept people in the right areas, and were quite helpful. Like with anyone, you be nice to them, they will be nice to you. Merchandise was another long wait, and the fear of things selling out is real. I get it, you can only afford to have so much on site. It makes people wonder if the item(s) they want will be in stock when they get up front or at least in their size. Having 30,000 plus of each item is not realistic, and of course people will be disappointed in the end, unless you get there early enough. The organization of it was well done though. The line again moved smoothly, and I did not see any incidents. After going through both lines I walked into a War talk, which that first day was held in the main track area. Considering they were the only talks going on Thursday that I saw in Hacker Tracker (an awesome piece of software by the way), I was surprised there was standing room and people allowed into the track.

The Main Event

Moving forward to Friday, Saturday and Sunday daytime, overall things were decent. There was a lot of walking. My knees hated me, and I do Ninja Warrior workouts multiple times a week. How spread out areas were from the main building is the problem. It also causes a problem of getting to talks, or even back to your room to watch talks on the closed circuit TV, or even Twitch. WiFi in the hotels tends to be limited to guests unless you wish to pay for it, and mobile data in areas seems to be spotty, or flipping around between networks. I get that it is Defcon, and you “shouldn’t be trusting anything” but how else do you use things like Hacker Tracker to keep up on what is going on where? The closed circuit T.V. did not always have all the tracks in the hotels. Mine only carried tracks 1, 2, 3. Some carried track 4. Both the Twitch stream and the CCTV had network glitching and freezing, making the talks tough to watch as you would miss things.

One of the more interesting things I had heard before going to Defcon was, “do not think you will get into the main talks, but watch them on T.V.” Also it was mentioned to focus on the villages. I personally had no problem getting into any of the main talks. Where problems came up were a number of village talks. Red Team Village, the Misinformation Village, and the A.I. Village all were at capacity most of the time, and in the case of Red Team Village, I did not even try to go in just to look at non-talk stuff due to how long the line was. Also most of the villages I did make it into were talk based. By that I mean, unless you were there to do the village CTF or see a talk there was nothing in the village of note. The 2 exceptions to this that I came across were the RF Village and the Ham Village. Both of those were easy to get into also. Blue Team Village, which I was excited about, I had heard was moved at the last minute so their layout had to be adjusted, and that could be the cause of it not having some things that I thought it should, at least from a non-talk perspective. I did love that there was a lot of focus in it on training, and the organizers did their best with what they had.

The Nightlife

So much goes on in the evenings. There are tons of private, invite only room parties. Some people go out and just hang with friends. Then there are the main Defcon parties. I got a taste of all of the above. The Defcon parties are nice, with the exception of drink pricing, but there is not much Defcon can do about that. With no open bars at any of the main events, it seemed to keep trouble down to a minimum, except for one thing which I will get into in a moment. One of the things I was looking forward to was Hacker Karaoke. I love to sing, and had heard about how fun it was. My issues had little to do with how long the wait was, and more about the feel. Having run karaoke in my past I know the line was going to be long. The only thing on that which could have been better is making sure first time singers got up first. Not always easy to keep track of, but it is possible. Instead, the big issues I had are, the sound system was awful. You couldn’t really hear the music, especially when on stage singing. The mix needed to be better. Next was the screen itself, which was projected on the wall. Makes it tough to make eye contact with the audience to bring them into the song. Finally, back to sound, it was very tough to hear the KJ. Between ambient noise, echo on the mic, and the low quality sound system it became tough, especially when the main KJ stepped away and their associate would take over, who was more soft spoken.

The second night, I was just moving around from room to room. I wasn’t able to get into Hacker Jeopardy, but did go into the Arcade Party, which was pretty cool, especially the physical pong machine and the huge Foosball table. The people I caught up with there, we started walking to check out some of the other rooms when we slipped into the Chill Out Space because of things going on in the hallway. This wound up being the start of the lockdown and evacuation due to the suspicious package. The Goons, and security were amazing during this whole situation. Their calmness helps keep the rest of us calm and everything went smoothly getting people out of the building.

The Highs/Lows/Conclusion

I got to see a few cool talks. I missed out on other village talks due to lines. I saw some of the things I expected, such as unique outfits, furries, and people just being themselves mixed in with parents and their kids. If there is still a counterculture/deviant aspect to Defcon, it was not out in the open. The truth is Defcon felt to me like a conference that has matured over the years into a more normal conference with some small aspects of its former self. Would I go back? Yes. Most of what would stop me is cost. Talks will be online, or at other smaller conferences. There is only so much one person can go and see. That said, it was definitely worth going.

Filed Under: Reviews Tagged With: Defcon, InfoSec

R.E.S.P.E.C.T.

August 17, 2018 By Michael Kavka

“R E S P E C T! Find out what it means to me” – Aretha Franklin

The recently deceased Queen of Soul sang about Respect. Respect, something that should be given across the board, to everyone until they prove otherwise. Respect, which is one quality that makes people Rockstars in our industry. Respect, something that winds up lacking all too often.

There has been a <expletive> storm going on from Defcon and the hotels about security policies that have been put in place since the mass shooting last October. This has had to do with room checks and issues with them, especially for women. Now, I am not going to get into it all, you can look up at Katie Moussouris’ Twitter timeline to get a full idea of the storm itself. The fact that this female in our industry, who is not just a “Rockstar” but a huge leader wound up having to argue with others in our industry about the fears and the way the room checks were handled shows a lot about us. It shows why there are movements to protect women, it shows why women do not want to go into our industry. If someone who should be respected and listened to has to put up so many explanations because people keep belittling her statements and not listening to her, imagine how the women who keep a low profile feel? The funny thing is that Katie (and the others) did not object to the room searches themselves, but the way they were handled, and the blind faith they were supposed to put into believing a stranger at their door (if they were not walked in on which has been documented also for both male and female attendees).

Let us frame this in another way. Think of the field we are in, and the red team tests that happen. Think of the social engineering. For that matter, look up the show on National Geographic which featured Jayson Street performing social engineering in Lebanon. He walks into banks, no ID needed just saying that he is from X and needs to check X on their computers. Physical pen test complete. We can sit back and listen to his stories from other engagements he has been on and shake our heads at why people are so trusting without ID, and yet we turned around when women in our field that know this and were trying to verify that strangers were who they said they were (possibly hotel security), and felt threatened and uncomfortable, and tell them they were wrong to feel threatened? Look at this information from the National Sexual Violence Resource Center:

  • One in five women and one in 71 men will be raped at some point in their lives
  • In the U.S., one in three women and one in six men experienced some form of contact sexual violence in their lifetime
  • 51.1% of female victims of rape reported being raped by an intimate partner and 40.8% by an acquaintance
  • 52.4% of male victims report being raped by an acquaintance and 15.1% by a stranger
  • Almost half (49.5%) of multiracial women and over 45% of American Indian/Alaska Native women were subjected to some form of contact sexual violence in their lifetime
  • 91% of victims of rape and sexual assault are female, and nine percent are male

We are supposed to be security experts. Yes, our main area is that of 1s and 0s, but that does not matter. Security is security. Katie had mentioned ways that the situation could have been avoided. Defcon’s organizers are investigating the situations with the hotels. Hopefully something good will come of this in the end, but the lack of trust in fellow information security practitioners is not going to be easily fixed. Those that lashed out at the people complaining about the way these checks were handled might not care about the trust they lost, but I do, because that reflects on our “community” as a whole. It shows that we are not as welcoming as we think. We have a long way to go. We need to learn from this, and fast.

Filed Under: Rants Tagged With: Ceaser's Palace, Defcon, Jayson Street, Katie Moussouris, Las Vegas, Security

Securing the Future, Securing the Community

June 8, 2016 By Michael Kavka

Community can be an awesome thing. It can also lead to a mentality of privilege, lying, shaming, head turning, and alienation.

I feel one of the best things about being involved in information security is the open community. Through the community I have learned, made friends, and gained self confidence. Yet there is an ugly side of the community that has been coming to light, and the reveal has been a long time coming. The treatment of women, and the subsequent use of our talents to berate them, and those that support them, into silence. I am not talking about general disagreements, but about sexual misconduct. Sexual misconduct includes continuous unwanted advances, drugging of women to allow for sexual advances that would otherwise be rejected, and rape.

We are the nerds, the geeks, the originals before being a nerd was the cool thing to be, before there were sub-categories of nerds and geeks. We were the ones who looked at the jocks and wanted to be like them, who were picked on, beaten up, and otherwise treated like we were less than everyone else in school (especially high school). We didn’t get to go to the cool kids’ parties, were (and might still be) socially awkward, and of course, had trouble getting dates. We looked at those who treated women poorly as bad people, something we would never do. How the times have changed.

We have become those jocks, those frat boys, those that will do whatever we want, to whomever we want and feel we can get away with it. You can look at the recent headline about the Tor Project’s Jacob Appelbaum, and the allegations against him. You can look at the whole backlash about Defcon and people I know and trust that have had their drinks drugged. There is a sense of entitlement, and the second someone goes and puts the truth out there, they get slammed, shamed, and people go on a social engineering tirade against them and anyone who supports them. All this because they are the opposite sex and we still haven’t learned the best way to deal with them is as human beings? To talk to them, to get to know them, to respect them for who they are and what they know?

Yes, we (we includes myself) are all guilty of sexist remarks, sexist jokes, staring at the opposite sex. That will never completely go away, and there are women who don’t mind the passing joke among friends, who sometimes find it an ego boost that someone is checking them out. I know I’ve made women in and out of the infosec community uneasy at times, especially when they haven’t gotten to know me yet. I try not to, but I am socially awkward to a degree. I will not push anything sexually on anyone though. I hear someone say they were drugged or raped, and I will stand behind them unless proven to be a falsehood. The law of the land might say Innocent until Proven Guilty, but that is for breaking the law, not public opinion, and definitely not the way the human mind tends to work.

I really wonder how many great ideas, and leaps forward we have missed in IT overall and infosec specifically, because women are afraid of us? They hear, and now with social media, see the fallout if you make an allegation and do not want to deal with it. They are not made to feel welcome. All of this because a relatively small portion have done bad things, and the rest of us either turn a blind eye or shame and attack the victims and their supporters until they disappear.

We are security people. Let us start by making our community a secure place for everyone.

Filed Under: Rants Tagged With: Defcon, InfoSec, Jacob Applebaum, Rants, Women in infosec
