The monthly RANT in London is always good entertainment. It must have been eating its greens because it’s all grown up and had its first full-on conference. If you want a proper review you can read write-ups by Thom Langford or Lee Munson.
I was looking forward to attending, and was honoured to be invited to be part of a panel on the day. What could be better than being invited to speak at a conference you think is pretty cool to start with?
Well, it so happened that the panel I was on was entitled, “Infosec Rockstars… the Myth and the Reality” alongside panelists Neira Jones and Ed Gibson whilst being moderated by Stephen Bonner!!! There were two things that bothered me about this situation – firstly, I would be sharing the stage with three people who I have no business being on stage with. Secondly, I am by no stretch of the imagination a rockstar.
I’m one of those guys who ends up having random thoughts at weird times. For example, during a family dinner I may start pondering over whether Commando was a better film than Predator. Or wonder if I have enough ironed shirts whilst helping a child out with their homework. As a result, I may have dropped a line from the movie “Reign of Fire” into the talk and possibly drew attention to similarities between myself and Jack Black.
Anyway, whilst onstage and feeling out of my league I recalled the tongue-in-cheek video I made with Space Rogue entitled “how to become an infosec rockstar” and wondered if this was just a simple case of a joke going too far. Like how sometimes you make a joke in school, or a certain incident happens, and for the rest of your years you’re remembered as “that guy” – a bit like how Jason Biggs will forever be linked to American Pie.
I thought of Van Damme in the hilarious Coors Light advertisement and wondered if I too had ended up becoming a parody of myself.
From what I recall, the panel went well – there were plenty of friendly faces in the crowd I could turn to who were either smiling encouragingly or trying to put me off. During the breaks I got to mingle with plenty of cool people, a couple of whom referred to me repeatedly as a rockstar and I wasn’t sure whether to speak to them normally, or whether they expected me to get back into character and play up to the role… It’s at that time I realized how profound this dialogue from Tropic Thunder was:
One thing that can be universally agreed upon is that not all PR pros are created equal and some can be pretty annoying. So I break down a few of the common PR fails with Neil from Eskenzi PR.
What do you think are the most annoying PR traits?
Warning: this is a long post, if you don’t want to read it all then watch this short recap video, otherwise read on.
Even though it was summer, the sun had long set. It was late and getting chilly. My feet were numb and I was feeling the ill effects of 3 days of sleep deprivation. I was sat outside with 4 Americans and a Canadian. The man to the right of me with a goatee that was almost as big as his head took a long puff and declared himself “mellow”. The others nodded in agreement and they all thanked me.
How did I end up in this state? Well it all started three days earlier.
The Dinner Suit Situation
It was the first day of Infosec – I had gotten up early and was already in a bit of a dilemma. I had a suit ready to wear for Infosec, but in the evening I was invited to the SC Magazine awards, which was a black-tie event (a dinner suit / tuxedo). So I was wearing a suit and was carrying a second dinner suit with me. To make matters worse, I was travelling in on my motorbike; partly because I detest public transport and partly because it would be rather late by the time the awards ceremony finished and I would struggle to get back home, which upon reflection is one of the downsides of having a conference local to you. Had I been in another city, I would have been staying in a hotel within throwing distance of the conference centre and it would have been no problem.
I finally found a bag large enough to put the dinner suit in and carry on my back whilst riding my motorbike through London’s rush hour traffic. Although I don’t know how Usain Bolt felt the first time he broke the world record in the hundred-metre sprint, I can only imagine it was similar to the sense of achievement I felt when I finally reached Earl’s Court exhibition centre and was able to take out the dinner suit relatively uncrumpled. I proudly handed it in to the cloakroom for safekeeping, with specific instructions to the attendant to make sure it didn’t get creased up before I collected it later that evening.
The Analyst Panel
Most of the morning was spent in meetings with various vendors. Unlike RSA, Infosec Europe is comparatively small and I was fortunate that most meetings were scheduled to be in the press room so I didn’t have to travel very far. As a result I managed to get through at least half a dozen meetings by lunchtime.
A few weeks earlier, I’d received an email from the editor of Infosecurity Magazine, Eleanor Dallaway, asking if I would be interested in taking part in an analyst panel alongside Brian Honan and Bob Tarzey. The discussion would be recorded for publication on YouTube. Not being shy of having my mug on YouTube, and knowing that Brian would be riding shotgun, I felt comfortable enough to say yes. A decision I was beginning to regret as I found myself having pizza with Brian, Jitender, Thom, Cindy and Dwayne for lunch and realizing we were late for the panel. Brian seemed unfazed and with his typical Irish charm told me not to worry. I asked if he knew what we were going to be talking about, and he just shrugged, let off a big laugh and carried on eating.
We eventually made it to the Infosecurity Magazine booth where Eleanor seemed relieved to see us. The cameraman was all business and proceeded to get us mic’d up; although Bob didn’t look too happy that he’d been made to wait for 20 minutes doing nothing.
The panel wasn’t very long; it consisted of Eleanor asking a few questions and us answering individually. It was okay I suppose, although sitting there in the chair I did find myself continually wishing I could change the camera angle, do the editing and actually script something witty and clever for myself rather than having to think on the spot.
The CISO Panel
As soon as I wrapped up the analyst panel, I had to make my way to the keynote theatre where I was due to moderate a panel of five CISOs to discuss the skills needed to make a good CISO. The room was pretty full, and I was thankful that over the previous few months I’d had ample opportunity to present several times, so I found myself surprisingly at ease. I was told by the audio person that I had to stand very close to the microphone behind the lectern or risk not being heard. This was a bit of a pain as I generally dislike standing behind a lectern when on stage. It puts a barrier between you and the audience. The second issue was that the stage was very wide and I was perched behind the lectern on one side, whilst the panelists had a table on the other end. I hadn’t worn my glasses, and under the theatre lighting I was squinting to see who was who.
As I was squinting like a mole from across the stage, I made out the face closest to me and thought that I recognised him; but his name had slipped my mind. In fact, I’d almost forgotten everyone’s name. I grabbed my notebook and jogged over to the other side of the ridiculously wide stage and tried to make a joke out of not remembering who was who. The CISO closest to me was Simon Riggs, who helpfully suggested I write down everyone’s name in the same order they were sat at the table to make it easier to remember who was who. I thanked him for the tip and wrote down everyone’s name: Simon Riggs, Paul Swarbrick, Avtar Sehmbi, Matthew Ford and John Meakin.
A slight twinge of guilt did come over me. After all, I’d been in email contact with each of the panelists beforehand and they deserved that I remembered their names. I racked my brain for some sort of witty monologue to say, but all I could muster was a “great” and a half punch in the air before jogging all the way back to take my place behind the lectern on the other side of the stage.
Other than that the session progressed pretty well. I say pretty well, but I do think I could have done a better job. In hindsight there were times when I should have jumped in and stopped some of the speakers from going on a bit too long. Having said that, there was plenty of audience interaction and the questions flowed right to the very end.
Right at the very end I wanted to try and wrap up on a concluding question. So I threw out the old question whether CISO actually stands for Career Is So Over; implying that it is the end of the road and there is no clear progression path afterwards. It seemed to rattle a couple of cages, and maybe a couple of responses veered onto the defensive side. But in all honesty it had been an hour for me standing behind the lectern and my legs were feeling the effects. I thanked the audience and the panelists for their participation and felt relieved to have made it to the end without incident.
Awards, awards & more awards
It was in a disabled toilet tucked away on the first floor, away from the conference, that I found myself changing into my dinner suit. Not exactly glamorous, but beggars can’t be choosers. I cursed as I fumbled a cufflink that fell onto the floor. I picked it up and wondered how clean the floor was. Sure, it was on the other side, away from the toilet, but doubt crept in. Luckily there was a sink inside so I gave it a quick rinse, being careful not to drop it down the drain, before shaking it dry and threading it through the cuffs of my new shirt.
I looked in the mirror and was greeted by an unfamiliar sight. I smiled at my reflection, dressed up like James Bond. Then I snapped out of it as I found myself admiring myself for too long. I wonder if it’s actually possible to creep yourself out by staring at yourself in the mirror.
First stop was the European security blogger awards which was sponsored by Tenable and Qualys. It was very nice of them, but still, it would not have been possible without the hard work put in behind the scenes by Jack Daniel and Brian Honan.
I’d been nominated in five of the categories, which in itself was a pretty humbling experience. To even get nominated shows that your colleagues and peers value your contributions and maybe even like you as a person! I ended up winning two awards, for best video blogger and most entertaining blogger. I’ve joked with friends about how I’m now a global multi-award-winning blogger… but the reality is that I am truly grateful to all my friends in the security world. So I’d like to say thank you!
After that it was off to the SC Magazine awards, where I had been kindly invited by SC Magazine editor Dan Raywood. It was the first time I’d attended and it was pretty much how I thought it would be. Everyone in dinner suits looking very dapper, which gave the atmosphere that this was indeed a special occasion. The compere for the night was a comedian who was absolutely brilliant. She started off with a short routine, picking on some tables closest to the stage and also on some of the company names. It was one of the best events I’d been to in a long time (maybe ever).
It had gone midnight by the time I parked my motorbike back in the garage at home, almost in time for it to turn back into a pumpkin. It had been a very full, exhausting and fulfilling day… but that was just the beginning. My biggest challenge awaited me in the morning.
B-Sides London
I lost count of the number of times I hit snooze on my alarm before I finally rolled out of bed. Throwing on a pair of jeans and a black shirt, I felt I’d got the uniform for B-Sides correct. It was getting late and I really wanted to see David Rook aka Security Ninja’s talk before mine, but I needed to go over my presentation one more time. It had been a couple of days since I’d revised it and the nerves were tingling slightly. I recalled the times when something sounded really clever in my head yet became the dumbest thing in the world as soon as I opened my mouth. That’s how I was feeling about my presentation… what if nobody liked it, what if people walked out, what if? what if? what if?
I wasn’t afraid of getting on stage and speaking in front of people, I was just a little apprehensive about publicly putting my thoughts out there without the safety net of a video camera and post-editing software where I can take out all of my mistakes. I had given myself enough time to prepare and I’d even given dry runs of the presentation over Skype to Thom and Jitender. They had both provided me with some good feedback which I had incorporated as much as I could. But I knew that once on stage, I have a tendency to deviate almost totally from the script.
Up on stage I hooked up my laptop and set it to start. The intro of my talk was a short video clip with explosions and spinning animations that spelt out the talk title, all to the sound of AC/DC’s Back in Black. The room was full, with some people sitting on the floor. I clenched my fists together and slowly released them, a technique Thom showed me once that is a good way of getting rid of stress from the body. I looked across the room and saw many familiar faces – accompanied by a feeling of calm. This was B-Sides London… this was the conference I had helped organize for the last two years. This was my home!
The intro finished, the music faded and I stepped onto the stage with an almighty “Hello B-Sides London!”
The room responded with enthusiastic applause and I felt a whole weight lifted from my shoulders. I got into character and delivered my talk. I think it was the best talk I’d ever delivered. I love B-Sides.
The rest of the day felt like a blur as there were so many people I wanted to see. It was like a montage of a hundred conversations crammed into a few hours. It was the first time that I wasn’t a volunteer at B-Sides London, so I really got a chance to mingle with people and enjoy the conference as a whole.
The Rookie Talk
There was a rookie track for new speakers and one of the speakers was Leron, who had been assigned to me as a mentee and whom I had helped prepare to give the talk. I went down into the rookie track to see how he would fare. I arrived a bit early and Leron was in the room listening to another talk. He looked a bit tense so I invited him outside the room for a chat. He told me he was feeling a bit nervous and I laughed recalling my own nervousness. I reassured him that even I was nervous, but nerves are part of the game. I showed him the fist clenching routine… although I’m not sure whether he thought that was a cool technique or if I was just trying to be Yoda.
I sat through Leron’s talk which, in my biased opinion, was very well delivered. Yes, he had a few nerves, but overall he kept to time, delivered his message clearly and didn’t melt under the pressure. I felt happy for him once he’d finished, like a sense of pride.
Afterwards, I saw a few other rookie talks which were all delivered brilliantly. In fact, other than the fact that they were slightly nervous (some visibly more than others), the quality of preparation they had put into the talks should put some ‘pro speakers’ to shame.
The sentiment has been pretty unanimous that the rookie track was a resounding success and I hope to see many of this year’s rookies take to the main stage next year. A few days later Mo Amin, who spoke on the rookie track, mentioned on Twitter that a colleague of his had asked him to be his mentor for next year. Now that’s progress!
Hitting the wall
The alarm has been going off for a long time. I am having a weird dream in which I’m looking for my phone so that I can turn the alarm off but can’t find it. Eventually the fog clears and I wake up to turn it off. It’s nearly 9am and I needed to be out of the house 15 minutes ago. My legs are tired from standing too much and my throat is feeling a bit sore from talking too much. Not to mention the bloated feeling from eating too much conference food. I stop and wonder how many calories people end up consuming at conferences and try to think of what the average BMI of conference-goers is. I make a mental note to pay attention on the show floor to the waistlines of attendees.
I don’t want to get out of bed. A full day lies ahead of me which will need me to have my game face on for the whole duration. It’s that low point that happens at nearly every conference I attend. Sometimes it’s on the first day, sometimes the last day or somewhere in the middle. I’m not crazy enough to have ever run a marathon, but I hear that at certain points runners hit a wall and that they have to keep pressing on to get through that barrier. Pushing through that barrier I get ready and head out to the last day of Infosec Europe.
There are many meetings lined up in the morning that go through to the afternoon. Once caffeine levels are normalized in my bloodstream, I get a buzz and perk up. There are some genuinely interesting conversations, both one on one and also whilst walking the show floor. The French commission has a section where a number of French companies have small booths. One of them points out to me that they painted the French flag the wrong way around, and that the Americans always get a bigger and better-looking exhibition area. I smile and nod; the man had a point and I have mixed emotions as I find myself sympathizing with the French.
Secret Project
I got a text from Thom. He was waiting with Andy for me up on the mezzanine area for us to undertake our secret project. I’m unable to divulge the details of the secret project, because if I did so then it would cease to be secret anymore. All I can say is that it was immense fun – I got shouted at on no less than three occasions, Andy got manhandled by a huge man and Thom deserves a punch in the back of the head. But stay tuned and all will be revealed soon enough.
Dinner
Once we’d finished, Thom, Andy and I made plans to go out for dinner to celebrate the end of a successful conference and not killing each other. I hadn’t had a chance to catch up with many friends who were over from across the pond so I started emailing / tweeting whoever I could. Eventually I found myself in a Lebanese restaurant on Edgware Road with Andy, Thom, Lindsay, Cindy, Anthony, Dan and Dave. It was a lovely meal and despite everyone looking like they could easily fall asleep within 30 seconds of lying down, the conversation flowed beautifully.
Immediately after dinner a few had to leave and Cindy’s husband joined us. Dan was of the opinion that everyone should go to karaoke; but my body was giving up on me. My legs were gone and so was my throat. So I suggested that, seeing as we were on Edgware Road, we should try smoking a sheesha. No-one had tried one before, but I convinced them it was a good idea…
An hour later and I find myself sat outside with my five American friends. Dan is to the right of me, and takes a big puff on the sheesha and exhales smoke that seems to get stuck in his huge goatee. He declares himself “mellow”. The others nod in agreement and I am thanked for the introduction to this fruity pipe. They all have flights in the morning – and I am thankful that I only have a short bike ride back home to get into my own bed.
At last week’s Infosec Europe, fellow blogger, friend and information security executive Jitender Arora was involved in a debate that asked the question whether the auditor was friend or foe to the security department.
This was an interesting debate that for many can bring up mixed emotions and feelings. But it reminds me of a quote from the movie Jerry Maguire, “this ain’t show friends… it’s show business”. Which is to say, does it really matter if an auditor is friendly or hostile towards you? At the end of the day, she is there to do her job and you are there to do yours. The real magic is in how you actually deal with the auditor – which is easy if you follow the few steps in my video tutorial.
The prestigious European Security Blogger awards are upon us. For those unfamiliar with the European Security Blogger awards, it’s an award ceremony for bloggers who specialise in security and reside in Europe – at least that’s what I hope it means.
I am fortunate enough to have made it into the finals in five of the nine categories – which in itself feels like a great achievement considering how many super-awesome and cool security bloggers there are scattered around Europe. The categories I’m in are:
Best Security Video Blog
Most Entertaining Blog
Most Educational Blog
Best EU Security Tweeter
Grand Prix prize for Best Overall Security Blog
Log management and SIEM are not really spoken about by those outside of security and are understood even less. I guess one of the reasons is that unless there is a relatively large number of logs to go through (or there is actually an interest in doing so) most people will not really do much about it. Hence I’ve often been asked to explain what a SIEM is, how it differs from log management, etc. I won’t go into too many details and split hairs, so for the purposes of a high-level view on log management, I present to you this video.
I recently saw that researchers had published their findings on security flaws in RC4 in TLS, which led to some articles being churned out with eye-catching headings such as “HTTPS is broken”. A decent write-up on the issue can be found on the Naked Security blog.
But this got me thinking about the whole relationship security professionals have with researchers. It’s kind of a love-hate relationship. Researchers find flaws, bugs and general ways to bypass security controls, algorithms, processes and all that other good stuff.
The question becomes, though, is it really broken if it was never fixed in the first place? The point being, it is an accepted fact that nothing is ever 100% secure. As Bruce Hallas is fond of saying, “If it is made by man it can be broken by man.” Therefore, it is not a matter of if a vulnerability is discovered in a security mechanism, but when. Once a vulnerability is discovered, be it by a researcher or an 8-year-old messing around with her Raspberry Pi, it then falls to business security people to determine how likely that attack is to happen. Based on their viewpoint it may not be anything to worry about, or they may decide that this is something that needs to be fixed urgently. However, beyond this the business owner ultimately decides whether they want to run with the risk or not. Which is why, although researchers have demonstrated that chip and pin can be defeated, banks have taken the view that for business purposes it is sufficient. Similarly, despite passwords being universally regarded as about as useful as a chocolate teapot, they are still used as the primary authentication mechanism for the majority of web-based applications in the world.
Perhaps what we don’t have enough of in the information security industry is collaboration between researchers, security professionals and the business. Although this particular research team have been quite pragmatic about the whole situation and acknowledge that the likelihood of an attack today is a bit slim, we still see some researchers and industries bickering in public over whether they should be adopting one security posture or another.
Can’t we all just get along? Nah, where would the fun in that be?