Tag Archives: conferences

Vegas 2012 by the Numbers

So, I’m finally back from a very long week in Vegas. How long, you ask? Well, here are some numbers that start to reflect how it felt:

  • Number of days in Vegas: 6+1 (un-planned extra day due to a missed flight)
  • Number of conferences attended: 3.5 (BlackHat, BSidesLV, Defcon, and IOAsis counts as a 1/2 con…)
  • Number of talks given: 2 (in the same day… BlackHat + BSidesLV)
  • Number of shipments to my room at Caesars: 3 (shirts, phone, and locks which ended up unused due to my failure to run the lockpick sessions at IOAsis 🙁 )
  • Volunteer gigs: 2 (BSidesLV and Skytalks)
  • Average hours of sleep per night: 3 (and that’s really stretching it)
  • Number of nights I went to sleep after sunrise: 2
  • Average number of parties visited per night: 3 (Freakshow skewed the numbers as there was NO reason to leave that place…)
  • No. of phones I came in with: 1
  • No. of phones I left with: 3 (Thank you NinjaTel!)
  • Average no. of meals per day: 1 (I know… but Alcohol does not count as food unfortunately)
  • Gallons of booze consumed: probably illegal in some states.
  • No. of friends I caught up with: not enough. And the ones I did manage to catch up with needed much more time 🙁
  • Hangovers: 0 (keep drinking -> no hangover to deal with…)
  • Workouts: 2
  • Miles walked: waaaaay too many
  • Weight lost/gain: 3.5lbs lost. Guess that’s the result of adrenaline rushes, parties, Infected Mushroom, long walks in the hallways, not much food, and lots of alcohol.

Overall this was personally the best Vegas trip I’ve had. I did take a little too much on myself than I should have (as a couple of friends duly noted, and excused me for some fuckups due to that), and I wanted to meet so many more people that I managed to somehow miss this year.

Nevertheless, some of the experiences were priceless – like having a chat with Infected Mushroom and finding out that Erez used to run a BBS back in the days, and that (although I don’t like to mention my darker days of hacking) we “knew” the same scenes. Having the opportunity to help out with BSidesLV and being amazed again by our community and what it can achieve. Being inspired by so many people, and learning constantly. These are the things that really make up the week of BlackHat/BSides/Defcon for me. It’s not necessarily the talks, but the socializing and the opportunity to pick people’s brains on a personal basis which makes it worthwhile to get to the levels of exhaustion that this week takes you to.

Guess it’s time to wrap up and figure out what timezone my body is on…

Sexy Defense

So, Source Boston proved to be a great venue for the inauguration of the Sexy Defense paper and talk that I was working on recently. Had a great time both developing the concepts, as well as discussing them before, on stage, and especially after the talk.

I really was amazed by the great feedback that people had to this, especially from some of my more respected peers. It’s always a great feeling to get an “attaboy” from people you consider experts in their fields.

For convenience, here is the slide-deck I used during the talk. Would love to get more feedback and ideas for pushing this forward into more organizations, and to hear about ways to improve both on the strategy itself, as well as on how to “sell” it, or get organizational “buy-in” internally.

Last but not least – this could not have been done without the support and the peer-review from some of my friends and colleagues: Chris Nickerson, Brian Honan, Chris John Riley, Wim Remes, and Leon van der Eijk. Thanks for going through this and providing excellent commentary and insights!

Update: Dark Reading have posted a great article by Robert Lemos covering the topic, with a really insightful analysis and additional views.

Intelligence on Ashiyane and the Iranian Cyber Army

One of my favorite OSINT resources, internet-haganah, has opened up a new thread on their forums dedicated to Iran, called Ashiyane.

This is basically the hacker forum that I was researching a couple of years ago (see my DefCon18 talk, and here, and here).

The forum thread is here: http://forum.internet-haganah.com/showthread.php?440-Ashiyane

And an interesting intelligence profile for the group actually quotes my past research (which, unlike what it may seem, was NOT done as part of my reserve duty tasks in the Israeli Air Force…)

Keep up the great work guys! Truly humbled to have my work mentioned on your site.

So, what about that SecurityZone?

Thanks to Chris John Riley’s post, I was inspired to share my views and experiences from SecurityZone. Some of which I have already shared on the last post on SexyDefence, but there’s so much more to that…

SecurityZone 2011 speakers and organizers

First things first – SecurityZone. Colombia. I know… Sounds weird, especially when considering that this turned out to be the last stop in the DirtySecurity World Tour 2011. Well, when I was first connected to Ed Rojas, who basically masterminded this whole thing (with the help of a small group of his friends/partners), I was skeptical as well. But as it works out in the industry, a quick check and a vouch from a colleague and I was ok.

Then I saw a like-minded person in Ed, with whom I shared a similar vision about how a conference should be run and what kind of content should be in it, and I became the de-facto speaker recruiter/bringer…

At that point I was amazed again by the kind of industry we work in, and the kind of relationship I have with my friends in the industry. With a first-time conference, and in a country that isn’t exactly getting a lot of friendly press I approached some of the best people in the industry (whom I just happen to be able to call close friends), and was able to witness some of the best responses ever. From a “sure, I’m in!” to a “sure I’m in! oh, you think this place is safe? whatever, I’m in!” we managed to rally up a wicked lineup.

Update: On our way from the airport to the hotel (we were picked up by Ed personally!), I got the news that two of the speakers couldn’t make it at the last minute. My immediate response to Ed was “no problem, Nickerson and I will fill those slots in for you”. Funny thing is – I didn’t speak with Chris before on this, and as expected, when I told him about it I got the expected “sure thing. let’s think which talk would fit best here”. EPIC.

I won’t repeat Chris’ views from the conference as I totally share them, but just to add a few experiences:

The place is safe. Probably safer than some of the metro areas I’ve been to in the US (not to mention some of the shadier places I’ve had a chance to visit). There wasn’t a single incident where we were in any kind of situation where danger was apparent or even a concern. And remember that we were rolling #DirtySec style (which in most places means at least one encounter with the local law enforcement…).

[Photo: The Cali Police learning from schoolkids how to pick handcuffs]

Running a full day red-team workshop with Chris Nickerson was totally awesome (and yes – we plan to take it on the road for 2012). What made it even more over the top were the schoolkids not only doing simultaneous translation, but also learning how to pick locks (and the obligatory tweet I got later that night “@iiamit btw we opened all our doors yesterday with our new tools!”). Furthermore, as the police saw us start the lock-picking session and huddled at the door, we invited them in, and because of the language barrier had the schoolkids teach them how to pick locks, and best of all – handcuffs… Yeah, I know, if there was a doubt on my placement on Santa’s naughty list, that definitely put me there 🙂

Being driven around beautiful Cali could not have been better – we saw the highs, lows, mountains, downtown, suburbs, and even some of the touristic sites in the region (sugar plantations, the Casa Paraiso) and looking at other conferences I spoke at this year, probably the best hospitality EVER!

This has definitely been the right closer for the #DirtySec world tour of 2011, and I can only hope that 2012 will include some more SecurityZone content (stay tuned – we are working on some great content…)

See you all at Shmoocon!

Post Brucon thoughts – guesstimates in an engineering field

So, another epic Brucon has ended, and while everyone is getting their thoughts together again (the amount of super smart people I have had the pleasure to have conversations with is unimaginable), I wanted to post a quick recap.

First things first – numbers. I’ve been working with the FAIR methodology for quite a while now, and have actually (with the kind permission of Jack Jones) integrated some of its elements into the Penetration Testing Execution Standard (PTES). Watching the discussions that started after Jack’s talk at Brucon was heartwarming. Seeing pentesters and security practitioners finally “get it” was divine. Working in a field of engineering that has the least engineering in the sense of how it’s applied to businesses has been frustrating to say the least. The ability to effortlessly connect the technical elements of vulnerabilities and exploits to business-speak has been one of my personal challenges (and hopefully strengths), and being able to tilt the industry even a little towards that direction is something that we all needed for a long time.

A quick “teaser” to add on top of it (which has been previewed in my talk) is the ability to also marry in the social media risk into the risk management practice (look out for some more cool research and insights coming from that direction very soon!).

Which leads me to the last point – the ever evolving presentation I use to deliver the message about data exfiltration is provided for your viewing pleasure. Don’t fear the >100 slide count – it’s mostly the “build” effects that I left in for clarity.

Looking forward to some more discussions and developments in the way that we as an industry are justifying what we practice (if it wasn’t obvious by now – go check out what FAIR is, and then start thinking about how to integrate it into what you do…).