J4vv4D

Infosec conferences – client side vs server side

by javvad Malik with no comments

Because infosec has cured cancer, ended poverty and created a utopian paradise that the villain in Demolistion Man could only dream of – the industry often finds itself trying to fix the really big issues via twitter and other social media platforms as well as within the hallways of conferences as to what is wrong with the infosec conference scene.

A few suggestions have been thrown out about what can be done to remedy the problem and what the ideal number and style of infosec conferences look like.

Haroon Meer gave a very good talk (as always) during his 44con keynote last year.

The infinitely quotable Grugq posted a thought-dump on the issue and most recently, Rob Fuller commented on the role alcohol plays within the infosec conference scene which caused a firestorm of opinions to rain down from all sides.

Of course, those aren’t the only opinions in this space – we often also get the chance to grab some popcorn and witness some absolutely mind-blowingly epic micro-movements which generate dialogue that Simon Pegg would be proud to have penned himself. Examples include

  • • Banning of booth babes
  • • Expensive ticket prices
  • • Not enough free caffeine
  • • Too much free caffeine
  • • Vendor parties
  • • My talk not getting accepted

Not to belittle some of these issue, I mean I know how cranky I get without caffeine, but the problem is that these are what I’d say are, “server side” issues that primarily are up to conference organizers to address and resolve. Average attendees have little say or influence in how conferences are run – so what can you, as an average attendee do in order to maximise your chances of having a fruitful and useful experience?

It’s like me complaining that the luggage allowance on flights isn’t enough, or that there isn’t enough legroom in economy. Sure they are valid complaints that need the U.N. to get involved, but these can only be fixed by the airlines and not by the passengers. On the other hand, you can make your flight a much more pleasant experience by simply investing in luggage bags which meet the airlines dimensions and a bottle of sleeping pills.

Until a couple of years ago I wasn’t a regular conference goer. However, in my job as an international analyst, my job revolves around me going to quite a few conferences. At first it sounded like the ideal job, but my boss did warn me it would take all the fun out of going to cons… and she was right. So, I’ve adopted a bunch of activities that try to make cons a better experience for me.  In other words, these are some of the ‘client-side’ changes I’ve made.

1. Book early

There’s something quite heroic about booking a last minute flight, not knowing if you’re going to get to the airport, sharing tweets with the world letting them know how you like to live dangerously and always on the edge. In reality though, few things worse than booking late to find all the nearby and good quality hotels have been taken leaving you across town in a seedy part of town. Sure, it may allow you to experience some of the local culture, but I prefer to conserve as much energy as possible – it’s a marathon and nothing is worse than my short legs having to carry me halfway across town to walk all day at a conference.

Less walking, less tiredness = more happier conference goer.

2. Know what you want

I think this is one of the most important questions one has to ask themselves before attending a conference. For the longest time I’d simply attend a conference just for the sake of it, or because everyone else seemed to be going – or simply to get a day out of the office. Maybe you want to catch up with friends, maybe it’s to attend some talks, or workshops, or get freebies? It’ll help form your actions over the course of the days.

If you’re a technical security person and you’re looking for technical security talks – just look up who is talking and about what. If you want to meet all the vendors, check out who is sponsoring and exhibiting. It’s half as difficult as some people make it out to be… unless you intentionally want to go to a vendor-run conference and then complain that most of the talks were about that vendors product.

If you don’t know what you want, or think the conference won’t provide for you what you want other than a week out of the office … then maybe it’s best to not go.

3. Plan in advance

It’s easy to be blinded by the crowds, the vendors, the noise and invites to after-parties and dinners. It’s easy to find yourself caught up in a tidal wave of rushing from one event to another before you realise you’ve only had 3 hours sleep in 5 days.

It’s far easier to spend a few hours a week or two beforehand seeing which sessions or parties you want to attend. It’s also a great time to scour the social media platforms to see who is attending and taking the opportunity to reach out to contacts both old and new and arranging time slots to meet up. Personally I keep all my work meetings during the work day to meet with the vendors – but I keep breakfasts and dinners free to meet up with individual or small groups of peers on a more social basis.

Sidenote: Don’t always believe the hype or hysteria. I’ve been told some cons are supposed to be awful or great but my personal experiences have proven otherwise. For new cons, I try to plan generally and without prejudice.

4. Make the connections

For the first few conferences I attended I probably didn’t take full advantage of the fact that I’d  bump into and be introduced to new people. If you’re slightly introverted this can be a daunting experience… I’m not sure I’m the best person to say how to overcome it as I usually fall into that category myself. One of the easiest ways would probably be to find Jayson Street, ask for an awkward hug picture with him and then hang around as he introduces you to everyone in attendance.

In seriousness though, most people who you know can introduce you to people they know. Also if you know two people and think they don’t know each other – just make the connection for them. A simple, ‘do you guys know each other?’ usually suffices.

Don’t forget business cards or other identifiers if you want people to be able to contact you easily afterwards. Scribbling your twitter handle on your pass is also a good idea.

5. Follow up

This is more of a sub-section to the earlier point, but things happen so fast at conferences I usually can’t remember every person I met in detail. I keep all business cards I collect in one place and try to follow up afterwards with connections whether it’s just to connect, remind people how nice it was to meet with them or just to share those research we discussed late one night in the hotel lobby.

6. You’re never off duty

This is one of my personal quirks – but despite the sociable atmosphere and the fact that there can be a lot of really interesting people around. These are still industry peers – and it’s not to say I’m not myself, but I am wary of the fact that the person I’m engaged in a heated debate with or the girl towards whom I made an inappropriate comment could have been my next boss, or may be best friends with my boss. If not today, then in a couple of years time.

It’s a small fishbowl of an industry – bad news travels fast and it’s never a good idea to engage in activity that could have negative repercussions.

7. Give feedback

Conference organizers, speakers, presenters, staff …  everyone loves feedback. Well as long as it’s not done in a whinging tone on twitter 140 characters at a time.

If you can tell a speaker what you thought of their talk, you can do so in person while the iron is hot, drop an email to them later, use the official evaluation forms or even phone them up for a chat. Chris Jon Riley wrote a nice post on the art of giving feedback way back in Sept 2012.

8. Review

One the smoke settles, teary goodbyes have been said and I’m back on a plane, train or automobile I take time to reflect upon the meaning of life and conferences. Did I enter the conference a boy and emerge a man? Did I learn anything new? Did I meet anyone cool? How much free swag is in my bag and how many free meals did I consume? These are all important questions and help form decisions for the next con, or indeed whether I want to return to this one again.

9. Create content

Information security is a knowledge industry and so creating content is a natural part of it – whether that be speaking at a conference, blogging, podcasting, writing papers etc. A conference is a great time to gather content from sessions and conversations to share with others. A lot of people like to live tweet events as they are happening. Others like Xavier Mertens write some excellent conference posts – which sum up not just the talks, but the overall atmosphere and mood of the con.

Which I suppose is why I still enjoy the video I created in Vegas video in 2013 that covered Blackhat, Defcon and BsidesLV.

filed under blog

Security and the cobra effect

by javvad Malik with no comments

Some people just want to watch the world burn. Others just want to give bad security advice. Check out Troy Hunt’s blog post on the matter.

filed under blog, Video

The CISSP companion handbook: A collection of tales, experiences and straight up fabrications fitted into the 10 CISSP domains of information security

by javvad Malik with no comments
I didn’t write the book, the book wrote me. Which is kind of true because I kind of wrote a lot of stuff independently and then combined it with some of my old notes that I took whilst preparing for the exam and scoured through old emails for the rest.

 

It’s definitely not something that will help you pass the test, but the idea was simple, give a perspective and some real-life stories on how the knowledge pans out.
Ben Rothke kindly took the time to read and review the book, so that should  give you some ideas as to what it’s all about.

 

If you want to get your hands on a copy, then it’s virtual only from Amazons UK  , US and other stores.

 

If you’re a publisher or in a similar line of work and would like a review copy, get in touch via email, javvad<at>j4vv4d.com.

 

filed under blog

We won!!!

by javvad Malik with no comments

If you like to keep up with my ramblings on the Facebook or twitter, you’d probably have seen that not only was I nominated in several categories for the European Security Bloggers Awards, but so was Girl Cynic.

Well, apparently Girl Cynic has been doing something right because she won the award for most entertaining blogger whilst I won the award for best video blogger. It’s an honour and I’m immensely proud to win an award two years in a row, not to mention glad to see the Girl is helping keep things in the family. All that’s left really is for me to get her to write my reports for me and I can quit my day job and retire! I’m sure that day will come soon enough…

Until then, Girl Cynic did demand that her picture go up on the website as she now see’s herself as an equal partner in this venture. The student really has surpassed the master…  created a monster have I.

A full list of the nominees and winners can be found here.

P.S. As its customary to thank people when winning an award, I’d like to thank you and everyone who voted – this one’s for all you guys! <exit stage left>

filed under blog

Spotting phishing scam emails

by javvad Malik with no comments

Phishing emails can be nasty pieces of work. They put a lot of effort into appearing legitimate in order to trick users into falling for their scams. In this video, I only take a look at this one specific email which claimed to come from Apple. There are lots of signs to look out for that aren’t covered in the video. Each of these signs may not mean anything on their own, but putting them together could indicate a phishing attempt.

Some of the other things you can look out for that aren’t in the video would include things like the email being sent from a weird address, like Yahoo or Gmail. Or it claims to come from a government department of some sort.

Slowing down helps a lot – nothing bad will happen if you don’t open or respond to an email immediately – well, I guess unless it’s your boss, in which case you could get fired. But at least you didn’t infect the whole company… now that’s what I call going out on your shield!

filed under Video

A friend with photoshop is all you need

by javvad Malik with no comments

Jimmy is a good guy – I like him, he works in security and trains MMA. Which means if he can’t gain access to your server, he’ll simply beat the password out of you.

Then he posted this picture on twitter in a cowboy hat. Ridiculous cowboy hat

As they say, a little photoshop is a dangerous thing – and the temptation was too great to not take advantage of the opportunity.

1 brokeback

Which led to the birth of Jimmy Sozé

2 usual suspects

This got Jimmy a bit worked up, so I challenged him to a duel.

3 duel

He said he’d kill me – to which I said that’s a crime punishable by hanging till he’s dead, dead, dead!

4 hang em high

The subsequent barrage of messages proved that Jimmy was indeed unchained.

5 Jimmy unchained

With his other friends and colleagues chiming in, Jimmy said he felt like he was surrounded by children.

6 vo day care

Eventually though, the gag ran a bit old and I was worried that he’d get me in a choke hold at some conference so I tried to make amends. He seemed to genuinely accept my apology and even came to me one day and asked me for a favour.

Of course – I jumped on the opportunity to make amends with Jimmy. I think I done a pretty good job too. Hope he’s happy.

 

filed under blog, Uncategorized

RSA & BSides SF 2014

by javvad Malik with no comments

For the times you feel like the ball inside a pinball machine.

 

 

filed under Video

Here’s full disclosure – now no disclosure

by javvad Malik with 2 comments

Full disclosure has announced it’s shutting down. Even people far more capable than me are trying to comprehend why. One of the key grievances cited by John as to why Full Disclosure is being shut down was the constant battling against trolls – even from within the security community.

It raises a number of interesting questions about the state of security, the trends and the meaning of life. I think in summary it comes down to trolls. The day the internet was created, all trolls celebrated – for it signified the day they would be able to hide behind their keyboards and spout venom indiscriminately. It’s a very sad – but undeniable part of the internet as a whole. Whoever has been a victim of hate mail, mean comments or even an ‘unlike’ on a youtube video can tell you that despite how thick-skinned you are, it all eventually takes its toll. I cannot imagine how stressful running something like Full Disclosure could be in the long run – hell, I still carry a chip on my shoulder from the time Reed Exhibitions legal team got their panties in a twist over my use of the word Infosec.

 

The question of the ‘security community / scene / industry / freak show’, what it is,  where it’s going, or even if it actually exists is one that could fill several volumes – but it’s at times like this I am reminded of a quote from the movie “Young Guns II”

“You remember the stories John use to tell us about the the three chinamen playing Fantan? This guy runs up to them and says, “Hey, the world’s coming to an end!” and the first one says, “Well, I best go to the mission and pray,” and the second one says, “Well, hell, I’m gonna go and buy me a case of Mezcal and six whores,” and the third one says “Well, I’m gonna finish the game.” I shall finish the game, Doc.” – William H. Bonney

Will the security community finish the game? Are we even playing the same game? Or is Haroon Meer right when he says, “When we win, it’s with small things, and the victory itself makes us small.

 

PS: If the title didn’t make any sense:

filed under blog

The Cyber Security Skills Gap

by javvad Malik with 2 comments

Monday morning and RSA 2014 has not even properly started but there I was up on stage in front of a rather packed room. Feeling jet-lagged and wishing I had more caffeine in my system, I was glad that I was simply moderating a panel which included Dwayne Melancon, Andy Ellis, Jane Lute and Mike Assante.

The topic – “Closing the cyber security skills gap” where conversation flowed extremely well. I threw out a few questions and sat back and watched the show. TripWire had commissioned an artist to draw a visual representation of the conversation which turned out to be fantastic.

Most of the conversation escapes me because I was too worried about keeping the conversation flowing and staying on track to end on time. But luckily twitter captured most of the sentiments which are collated below:

 

 

 

 

 

 

 

 

 

 

filed under blog

Bug Bounty

by javvad Malik with 2 comments

A bug bounty is a reward handed out by companies to people who disclose bugs or vulnerabilities to them in a responsible manner. Think of it like the wild west where anyone is deputised with powers to chase after the Kid and claim the reward dead or alive.

Traditionally companies like Google and Facebook offered bounties, but seeing the potential benefits, more and more smaller companies have been getting in on the act with companies like BugCrowd offering a brokerage service to bring together testers and companies.

After years of ‘will they, won’t they’ Microsoft jumped into the bounty-offering scheme with whooping $100k being paid out for cool windows 8 hackery. What is even more interesting about Microsofts bounty offering, as described by its Senior Security Strategist Katie Moussouris, was that it was designed to disrupt the vulnerability and exploit markets.

In other words, if an unsavoury person finds a vulnerability they would rather not disclose because they’d rather try to use it to make illicit gains, then any one of their associates can do a “Huggy Bear” and hand in the vulnerability whilst making off with the cash.

Wild west indeed – as J4vv4D and Girl Cynic found out.

filed under Video