Post RSA musings

So it finally happened – I’ve had my first RSA in 9 years.

And what an experience. Suffice to say that I ended that week with no voice, a bad back, and minimally functioning knees, but given the premise of the show I’d peg is as a huge success.

First – having BSides to catch up with friends and colleagues was a perfect beginning to the week (not to mention the weekend in Napa right before – thanks for having me, Tenable!). There still is a huge value that I see in BSides, and BSidesSF specifically. Albeit the great venue (thanks OpenDNS), some more hallway-con was sorely missed. Be it the way the venue is laid out (preventing from more active/vocal discussions from happening other than outside), or the decision to run a dry venue (not even bring your own alcohol), I’d want to see how peer-engagement gets more focus there.

Second – the ability to “hack” RSA from a technical person’s perspective, and yes, I still consider myself somewhat technical, regardless of my ability to don on a suite and behave like a business guy. Which is sort of what hacking RSA is… It was intriguing having interactions with people outside of the echo-chamber (aka infosec) who deal with security and having them take a preconceived notion of me as a sales person. Or with those who gravitated to me as “I needed to talk to someone who is technical” – probably after snooping around a bit and choosing their approach based on existing conversations 😉

Last (and I saved the downer for here) – the show floor. After getting over the sheer size of the convention (no worries – BlackHat has a way to go until it becomes an RSA), I had my expectations adjusted a bit. Walking through the halls, you get into a realization that a lot of the companies showing there (especially the south hall) should probably have no reason to exist. The same regurgitation of “threat intelligence”, “endpoint protection” (i.e. APT, 0day, etc…), and your usual “trust me, I’m an engineer” approaches, were becoming comical to a point where I’d need to keep my gaze pointed far away and ignore the noise while walking around. I truly expected to see some new innovative approaches to security, and companies who would break out of the circle-jerk of security vendors. Unfortunately I didn’t see many, the reason for which I can’t really put my finger on (maybe the cost of entry to RSA?).

Overall, a great experience (and yes – lots of new business too), so yes, I believe my #notatrsa streak has come to an end. Or maybe I’m just getting old 😉

2015-04-21 15.57.44

Yes – you can engage with other evangelists at RSA! (and what seemed like a weird obsession – collect truckloads of branded t-shirts and vendor giveaways).

May the force? May in full force…

Lack of updates here usually means that time constraints are in effect… But apparently all that work is paying off as some of the research we have been working on is starting to get front-and-center stage.
May marks a busy month where I’ll be bouncing around a few places (São Paulo, North Carolina, and locally here in NYC) to talk about it.
Stay tuned for details 😉

ISTS12 Keynote and Red Team

I’ve had the pleasure and the honor to keynote this year’s ISTS (Information Security Talent Search) that ran at the Rochester Institute of Technology (RIT). Additionally I was also fortunate to get a seat with the Red Team during the event itself and work closely with some of my friends and colleagues.

It has been a while since I had the chance to work with students (mostly with my Alma Mater from the IDC during freshmen orientation, and the “CS for Real” series for CS students). And I honestly didn’t know how to address this initially. Thankfully, Jared and the ISTS team were pretty open to my suggestion of combining a “here’s how I got here” rant with some technical examples of challenges and engagements.

The keynote wasn’t recorded (thankfully?) but here are the slides that were used as the backdrop for it. I ended up coming back with some insights from the keynote (as I usually try not just to provide information, but also learn new things), and thanks to some awesome questions from the audience (students, red teamers, and apparently faculty which I haven’t realized were also there…) it ended up a really great session for me!

The next day was spent with the red team, which was a great opportunity to catch up on some skills that I left behind (always pick the task that you are less familiar with!), and really kick some ass with the team. Chris Gates has written a great wrap-up blog on it here: http://carnal0wnage.attackresearch.com/2015/03/ists12-thoughts-notes-feedback.html

Really looking forward to working more closely with people who are just starting their way in the industry – if the feedback doesn’t lie, it seemed to be somewhat beneficial to them, and from a completely selfish perspective, I had a chance to learn a few things myself too!

Honest review – CSI:Cyber

There seems to be a lot of chatter (at least on my highly biased Twitter and Facebook feeds) about how terrible of a show CSI:Cyber was. People seem to be extremely concerned about the fact that the show did not portray all the hacking related activities (cyber, infosec, whatever you want to call it) precisely as it is in real life. So here’s my take at it.

First – I’m not talking about the overall quality of the show. I’m not a TV critic, and I’m not going to go into the casting choices, the bad acting, the hollow and predictable script or any of the cinematographic elements. Let’s just focus for a second on what irks people the most – cyber.

So let’s talk about some (again some!) of the technical elements that show up there:

1. Hacking into baby cameras. Totally true. http://www.cnet.com/news/hacker-shouts-at-baby-through-baby-monitor/

2. Social media being a major source for intelligence. Been using it for a decade now through red teaming. Actually joined a social risk management company as it’s that big of an issue. (www.zerofox.com)

3. Social engineering – micro expressions, cold reading, etc. Legit. Again – red teaming. We even teach it on our red team classes.

4. The camera ball used to survey a site before entering it. http://bounceimaging.com/

5. Usage of malware (RAT) to spy on people. Welcome to the last 17 years of my professional career. And yes – you can buy this on the “surface web” (WTF – can’t you just say Internet?). Blackshades used to go for about $40-$50 a pop as far as I recall (and no, not going to do the homework for you and link to a live site that sells this. Google it.).

6. Companies that release products with known flaws in them? Yeah, you are probably reading this from one of those. Welcome to reality, where business decisions trump technical purity and security. Companies want to make money. Fast. If fixing all the flaws found in the software or hardware will keep them from making money, guess what – they will prioritize these to a point where they can get $ in the bank.

And yes – there where some highly amusing things where the artistic license was taken very liberally. Malware showing up in the code as red letters (vs. the traditional green on black). Fingerprints taken from a scene of a crime using an “Expensify” like app – quick snap of the phone’s camera, and within seconds you got a match with full profile and mug. Tracking every IP address to a physical location and swatting it within minutes. A teenager that needed help on a console game from a 30-something year old FBI agent. Having an online bidding that consists of basically a conference call conducted in multiple languages (nobody has time for this – it’s all going to be done through IM’ing, and on dedicated forums). And the list goes on… no regard to the judicial process, medical examinations that are beyond absurd, taking an hour to drive from DC to Baltimore, but from Baltimore to upstate New York in minutes just to get to the drowning car so that the baby can be saved.

Am I hearing my lawyer friends going crazy on the lack of judicial process? About the deal that put a convicted felon to work closely with the FBI? (they are having hard time finding good people because they smoked pot FFS)? Nope. You know why? BECAUSE IT’S TELEVISION.

It’s not a documentary.

If it would be, 90% of the show would be someone staring at a debugger on a screen, drinking coffee, eating junk food, and cursing. And then writing a report. I’m sure that’s a blockbuster – call in the writers.

So ease off. Be thankful that this isn’t another Scorpion, and that there are enough elements in the script based on reality, kick back, take a load off and watch your entertainment on TV. If you want more accuracy – feel free to watch the hundreds of videos from conferences like BlackHat, Defcon, Derbycon, etc. You’ll get educated. Can’t promise anything about entertained though 😉

Oh. here’s a bonus for you if you thought that the image above was cool – my desk is much simpler 😛2015-03-05 10.43.43