Impressions from BsidesPhilly

The first BSides conference in Philadelphia was a major success.  Hats off to Ryan Knox and his team.  It was well planned and executed.  A real homerun in my book.

For me, this had a different context.  It was my first security conference – ever.  My first BSides – ever.  It was also my first presentation outside of internal company meetings and conferences – ever.  My impressions and expectations were wildly mismatched.  I’ve come away with a different perspective on the infosec community – what it is and what it will become.

1. Infosec has a Big Tent

On the surface, the community as a whole can be broken down into “red teamers” and “blue teamers.”  As additional layers were revealed to me, it turned out to be far more diverse than that.  Of the presentations I attended, I learned how to hack Outlook, hack humans, ask permission to break things, and what APRS is.  The conversations were just as diverse.  I spoke with people about their passion for drones, about how writing pen testing reports is an art (spoiler alert: don’t copy and paste), and about how rolling your own crypto is a bad idea.

My impression is that the infosec community is full of polymaths.  These are people who master or dabble in multiple disciplines or domains.  No one person is the same.  Everyone brings something different to the table.  That’s the beauty of it all.  While some topics might be fundamental in nature, (a) if you don’t dabble in that domain, you learn, and (b) the individual brings the material to life and differentiates it in their space.

2. Community of Sharing

You would think that a bunch of infosec specialists would be tight-lipped.  Nope.  They share — big time.  Ask them about their experience in a space — done.  Tools to use — no problem.  Best way to script a pen test with PowerShell — let me show you.  Career advice for those starting out — let me see your resume.  Now ask them about what they are currently working on — no comment.  They seem to be more tight-lipped when it comes to clients and employers. :][

On top of that, the BSidesPhilly team sponsored a non-profit organization.  They were able to raise funds via donations and an open auction for Hackers for Charity.  Hackers for Charity uses technology to improve living conditions in third-world countries such as Uganda.

3. We’re Still Young

If information security were a person, we’d be a 12-year-old.  Bright-eyed and excited, willing to take on the world.  Full of passion to address the coming security challenges.  When I was twelve, I remember hearing some of the world’s best advice, yet never following it.  The unique opportunity is that infosec is a relatively new domain.  There are still generations of truths to help us out.  Years of advice to call on.  Frameworks laying the foundation of infosec for years to come.  We just have to listen and learn.  Say the words out loud in our own voices.

This is why BSides is so important.  It’s a forum for people of all security domains to slap another layer of mortar and bricks onto the foundation.  A place to lend a hand and pull the rest of the team up with you.  A place to whisper “old” ideas and scream out the new.

Thanks, BsidesPhilly.

When you have some time, check out my talk on security metrics – Size Doesn’t Matter.

Where are they now?

It’s strange how things work sometimes.  It feels like eons since I’ve posted here.  When I started this blog, I aimed at exploration.  Trying, succeeding…  technically failing.  In essence, just trying is success.  Being brave enough to start the journey is a win.  Half of life is showing up.

The other half is being yourself.  Like Bruce Wayne with the League of Shadows, I went away for a while to learn what I didn’t know… to unlearn what I did know.  To search for the colors inside the outline.  In the process, I found something I needed.

Over the last year, I finished my CISSP certification, performed my first open mic poetry slam, ran the Broad Street run (9 min/mi) and changed my job of 9 years.  And that was by June.  Since then, I’ve been getting comfortable in this new skin.

With that, I’m happy to announce that I’ll be speaking at the first ever BSidesPhilly.  Damn, it feels good.  Hope to see you there.

2011 Personal Security New Year’s Resolutions

Introduction

So another year has come and gone, and another list of personal resolutions starts cropping up on the Internet like remixes of the “BED INTRUDER SONG”.  This one is no different.  In a year that showed the Stuxnet virus could potentially harm people in the real world by affecting infrastructure, and in which DDoS attacks both supporting and targeting WikiLeaks emerged as a form of “hacktivism”, taking a look at resolutions for information security in your personal life should resonate.  I’ve compiled a short list of resolutions to consider for the new year to protect yourself.  The playbook for each is simple: Take Inventory and Take Action.

1. Data Protection

Take Inventory
Knowing is half the battle (or so G.I. Joe and his marketers want you to think).  Understanding what information you store on your computer and on the Internet will give you a better understanding of how to protect it.  The following categories are a guideline to follow.  You can add classifications as necessary.

Personal – Information that you would not share with anyone outside of your family or immediate social circle.  Think photographs, videos, drawings and poems.

Private – Any information that, if compromised, could reveal personal details about yourself that you do not share with anyone.  This type of information could be used in conjunction with publicly available data sources to attempt to steal your identity.

Classified – Any information that, if put in the wrong hands, could compromise your well-being.  Think financial information, social security numbers, investments and tax returns.  This is the most prized possession for an identity thief to access, since little additional information is required to steal your identity.

Take Action

Now that you understand the types of data you possess, it’s time to put countermeasures in place to protect your data.

A Brave New World (For Me)

The last time I shared anything meaningful on the Internet was when Prodigy and AOL were king of the hill.  I remember being engaged in a discussion board on why paying $22 for a Ken Griffey Jr. rookie card was a waste of money, especially when I couldn’t buy one for less than $30 at the time.

Since that time, I’ve decided to purposely avoid maintaining an online presence.  No bulletin boards, blogs, Facebook or Twitter.  I figured the less anyone knows about me, the better.  However, something recently changed in me.  While I would normally keep all of my thoughts, trials and successes in my head, I felt a grumbling deep inside of me.  I mean, I’ve always had a yearning to mentor, tutor and share, but recently this yearning has been growing stronger and louder.  Each passing day my internal compass was getting much more difficult to ignore.

Since I do not currently have the time to fulfill this need on a one-on-one basis in my personal life, I figured sharing this via a blog would be the next best thing.  My interests are vast.  They span from asymmetric key encryption to the zen of the movie Zoolander.  So the subject matter I cover will be very eclectic.

The premise of this blog boils down to one thing: we all have a need to explore our world in an experimental manner.  My intention is to share this process with you on all topics and subject matters I encounter.  I may not always succeed in my endeavors.  In fact, I’ll technically be failing most of the time.  And that’s alright.  I’m making a light-hearted attempt to share the path to success (while hitting some bumps along the way).

So the motto here will be this: We’re Always Trying; we’re Sometimes Succeeding; however, we’re Technically Failing.  I hope you enjoy.