Friday, October 2, 2015

Recruiter and SEO response templates

I’m normally sympathetic to technology recruiters, but some are just hopeless.  These, I have no sympathy for.  And the SEO spammers, no sympathy for any of them.  Every now and then, one is so obnoxious that I feel compelled to respond, and as a community service I’m sharing templates I use for responding to the worst of them.

For the recruiters:

[Dude/Dudette], I hate to be an ass, but really- digging up an ancient resume and throwing names at the wall to see if any stick- this is why recruiters like you and your ilk are loathed.  As someone who spends a lot of time trying to help folks develop and advance their technology and security careers this shit really pisses me off.

I'm not interested in moving at this time, but not being a fool I would entertain appropriate offers.  That means a minimum of [INSERT LARGE NUMBER HERE] plus options or equity, a maximum of [SMALL AMOUNT OF TIME HERE] hours per week dedicated to direct company work, support of my [LARGE NUMBER] of hours per week for community development and engagement, plus research time.  Oh, and support of my [TRAVEL, SPEAKING, DRINKING, ETC.] schedule.

The one I use for SEO is specific to Security BSides, but feel free to adapt as appropriate for your needs:

I'm sorry [SEO SCUMBAG'S NAME HERE], but we're a global community of technology and security experts, many of us have been in the field since pre-Web days... and none of us has ever heard of you or your firm.  We have a globally recognized and respected brand and have drawn several thousand participants to hundreds of events around the world without your help.

In fact, perhaps you would be interested in contracting with some of our technology, social media, and marketing experts to help build your brand- at competitive consulting rates, of course.  If not, please remove this, and every other Security BSides affiliated email from your lists.

Yes, I can be a bit of an ass, but it is occasionally justified.


Sunday, September 20, 2015

SWAMP, the Software Assurance Marketplace


I recently took a fresh look at the “SWAMP”, the Software Assurance Marketplace- it is a great idea and a valuable resource.  The short and incomplete story is that SWAMP is a suite of software analysis tools integrated into a centralized, cloud-based software testing environment- and it is available to software developers, software tool developers, and researchers- for free.

From their website:

“Software is a crucial component of daily living, affecting worldwide economic structures and the services we depend on every day. With the increasing rate of security breaches, it is clear that conventional network security solutions are no longer able to defend our privacy, corporate data, and critical banking information. Today’s applications need to be built more securely at the code level, and that code needs to be tested regularly.

The SWAMP was developed to make it much easier to regularly test the security of these applications and to provide an online laboratory for software assessment tool inventors to build stronger tools. Testing is often complicated and challenging, because comprehensive testing requires the use of several disparate tools with no central means of managing the process. The SWAMP is a no-cost, high-performance, centralized cloud computing platform that includes an array of open-source and commercial software security testing tools, as well as a comprehensive results viewer to simplify vulnerability remediation. A first in the industry, the SWAMP also offers a library of applications with known vulnerabilities, enabling tool developers to improve the effectiveness of their own static and dynamic testing tools. Created to advance the state of cybersecurity, protect critical infrastructures, and improve the resilience of open-source software, the SWAMP integrates security into the software development life cycle and keeps all user activities completely confidential.”

The current test environment is able to test software written in C/C++, Java (including Java on Android), Ruby and Python- with JavaScript and PHP in development.  SWAMP will support eight languages by the end of the year.  There are currently sixteen tools in the suite with more being added, and numerous commercial companies are participating- including Veracode, CodeDX, Goanna, GrammaTech, and Parasoft.

The Marketplace team includes some serious academic centers for technology, the Morgridge Institute and the Department of Computer Sciences at U of Wisconsin-Madison, the Pervasive Technology Institute at Indiana University, and the National Center for Supercomputing Applications (NCSA) at U of Illinois Urbana-Champaign.  In my conversation with Bart Miller and Miron Livny of SWAMP it was clear that this project was built for practical use in the real world; it is not an academic exercise- this is immensely practical and useful stuff.

There are many more details on their background page, including some impressive tech specs (at least I consider 700 cores, 5 TB of RAM, and 104 TB of HDD impressive).

We are going to try to get folks from SWAMP on the Security Weekly Podcast to discuss the marketplace in depth.  Stay tuned for more on that.



Monday, September 14, 2015

A long overdue note of thanks

It has been way too long since I stopped and thanked folks to whom I owe a debt of gratitude; today I would like to start to remedy that. I have been incredibly fortunate to have had a series of great jobs with outstanding employers over the past several years. Without the support of my employers I would not have achieved what I have, and I couldn’t have contributed nearly as much to the many communities and causes I’ve been able to support over the years.

Almost eight years ago I joined Astaro, a German UTM company. I started in the support team, but ended up in the role of Community Development Manager or something like that. Astaro was where I really started expanding my engagement with the hacker and security communities beyond my home turf of Boston and Providence; at first they tolerated it, then they encouraged it, and eventually encouraged it and supported many community events. (BSides Trivia: Astaro was the first company to put up sponsorship money for Security BSides).

The team at Astaro was great, and I think that was a reflection on the founders, three college friends, very smart, but different people. Jan Hichert, Markus Hennig, and Gert Hansen built a strong team, and a great company. Sophos agreed, and acquired Astaro in 2011. Jan, Markus, and Gert have a new company now, Ocedo, and it looks like they’re putting together another solid company. I owe Jan, Markus, Gert, and the entire Astaro team thanks for all of their support and encouragement- and I wish them the best of fortunes in their latest and future ventures.

In 2011 as Astaro was being acquired by Sophos I had a conversation with Ron Gula about joining Tenable Network Security. I had chatted with Ron and also with Jack Huffard about joining Tenable in the past, but this time it seemed like it was time for me to make the next step in my career. Tenable was founded by three very smart, but very different people, Ron Gula, Jack Huffard, and Renaud Deraison (I see a pattern here). I have evolved through a variety of roles at Tenable, all the time getting the support that has enabled me to continue to engage with various communities and projects that I have supported through the years. At Tenable I’ve had the amazing fortune to work not only with the founders, but also with people like Marcus Ranum, Cris Thomas (better known as Space Rogue to most folks), Carlos Perez, Paul Asadoorian, and many others. As with Astaro, I owe Ron, Jack, Renaud and the team they’ve built at Tenable many thanks for opportunities I’ve been given and the support I’ve received.

So when I’m whining on Twitter or wherever, remember that I have been fortunate enough to work for and with some brilliant people, and not just brilliant, but genuinely good people.

Can you imagine how much of a bitter old man I’d be if it weren’t for having awesome jobs?


If you’re going to be upset with me, please do it for the right reasons.

First- I’m speaking personally here, I am not speaking for anyone else, or for any organization, just for me.

Second, please remember that BSides Las Vegas is not Security BSides. Each Security BSides event is organized and operated separately. Although there are familiar faces at some BSides (and also at many other non-BSides events) they are separate events and organizations. As of this writing there have been 202 Security BSides events across 83 cities which were not BSidesLV. Please do not let any frustration you have with Security BSides Las Vegas damage the work of thousands of people building communities around the globe.

I doubt I’ll change any minds, but I want people to understand my perspective on what happened between Security BSides Las Vegas, Inc. and Adrian Crenshaw, better known as Irongeek to many. Adrian has been a huge asset to the security and hacker communities for many years, providing videography and other services to a myriad of events- generally for free or for token assistance with expenses. Until recently I considered Adrian a friend, and I still do- although I doubt he feels the same towards me; I can’t blame him if he no longer considers me a friend and this truly saddens me. I still have a great deal of respect for Adrian and for what he does and has done for the communities he serves. Adrian’s website is an amazing resource; it houses a phenomenal archive of presentations from a multitude of conferences.

If you are unaware of the situation, it might be good to see Rob Graham’s post at Errata Security; Rob has a detailed and independent view. Also see the official statement from the BSides Las Vegas Board of Directors. Or maybe you’ll want to ignore it altogether, many do.

Some folks mistakenly think this was about Adrian’s views on women and is some kind of politically correct attempt to silence him; that is absolutely wrong. We (I and other members of the BSidesLV board) have defended Adrian’s right to voice his opinions; even when BSidesLV was challenged for having someone with some of his views on staff we defended his right to express himself and we continued to embrace Adrian as part of the BSides Las Vegas team.

We are a diverse community, and we have diverse opinions. Security BSides Las Vegas has encouraged diverse voices from the beginning, including content some found offensive. From Val Smith’s brilliant social and political rant at the first event through John McAfee last year, from topics like 3-D printed sex toys to prostitution on Craigslist, we have never been shy about hosting and encouraging challenging ideas. Some will remember that BSidesLV’s response to an unfortunate situation with Violet Blue at another event was to invite Violet to keynote BSidesLV 2013 to make sure her voice was heard.

I do not want to silence Adrian. I have defended his right to voice his opinions, including those I strongly disagree with, and I will continue to do so. I’m no Voltaire, but the quote from Evelyn Beatrice (often misattributed to Voltaire himself)

“I do not agree with what you have to say, but I'll defend to the death your right to say it.”

applies here. OK, maybe not all the way to death, but you get the idea.

So what happened?  Adrian inserted offensive popups between content hosted on his site and anyone accessing the site from Mississippi State University, apparently because of a long-running disagreement with Wesley McGrew, an associate professor at MSU.  Wesley has had disagreements with others in the past, but that isn’t really relevant here. Regardless of what Wesley said or did to Adrian, part of Adrian’s response used content donated to the community and entrusted to BSidesLV to advance his personal agenda without the consent or even knowledge of those whose videos were hosted on Adrian’s site. BSides Las Vegas was notified and called out publicly and privately for the offensive material and once it became public, the response had to be public. Sadly, the appropriate response was terminating our relationship with Adrian and stating it publicly.

Although not part of my decision to support the board’s actions, I feel the issue was compounded because the few who saw the offending messages were students; the next generation of our industry was exposed while trying to learn from community contributed content.

I regret the action we had to take, but I stand with the board. Could we have handled it better? Of course- but I’m not sure exactly how. Maybe the wording of the statement could have been better, but the entire board was involved in drafting the statement. If you have genuinely constructive suggestions or criticisms, I welcome them.

That’s the short version (yeah, almost 800 words is the short version), but I’m including a few points below to address specific comments I’ve seen. There’s no prize for reading to the end, but if you want more context, please read on.

The fact that few saw the message, and that the content was available elsewhere does not change the fact that community contributed content was used to promote offensive messages in a personal disagreement.

No, it wasn’t just an “April Fools” joke, I checked my calendar and couldn’t find April 1 anywhere in September. It may have started with that, but it ran long after April 1, and the timing of hundreds of hours of new content uploaded over the summer and a new semester at the university inevitably led to the offensive messages being seen by students and reported publicly.

And to be clear, Adrian is not “banned” from BSidesLV. I would welcome him with open arms if he ever wants to attend another BSides Las Vegas.

Oh, and David Kennedy is a gentleman. Many people are only friends when it is easy to be friends- which isn’t really what I consider friendship. David, thank you for being a friend with whom I can disagree and still remain friends.

About the public response- in the past several years I have helped to mediate a number of conflicts, both public and private, within the hacker and InfoSec communities. One of the clear lessons I’ve learned is that once an issue is public any attempt to sweep it under the rug is likely to backfire. Had the BSides Las Vegas Board of Directors attempted to be silent on this issue we would have been called out for it, and the issue would have become public, but not in any way under our control.

The immediate rush by some to take sides wasn’t unexpected, but it was generally disappointing. I have received many messages of support, but some were concerning rather than comforting. There seemed to be a significant, but not universal, split along an already stressed line; those who primarily self-identify as “hackers” were more likely to attack BSidesLV, those who identify as “InfoSec” were much more likely to support BSidesLV. I guess we still have work to do bridging the gap, and those of us who straddle it continue to struggle. Statements like “there’s no room for misogynists in InfoSec” are problematic for me. I’ve had my little battles with systemic misogyny, notably the “booth babe” phenomenon; this led to my parody company Misogyny Networks and a few amusing encounters. But “there’s no room for (X)ists in (Z)” is troubling once we abstract it from the specifics. Thierry Zoller recently shared a video on “The Right to Offend”, delivered by Brendan O’Neill at Oxford. That video, and the one by Shami Chakrabarti at the same event, are powerful reminders of the importance of dissent and the freedom to offend.

A factor that some have overlooked is that BSidesLV is different than many conferences. Security BSides Las Vegas, Inc. is a Nevada Charitable and Educational Non-Profit Corporation, and a 501(c)(3). The current corporation and board were built after BSides Las Vegas reorganized after earlier struggles; it was a conscious decision to create a 501(c)(3) and create a transparent and structured entity- but that meant being a real corporation, with lawyers, accountants, bookkeepers, insurance, directors, officers, and policies. And legal and financial restrictions. It also means that we annually review and sign our conflict of interest policy and submit it to the Nevada Secretary of State; it means we have our Sarbanes-Oxley-mandated Compliance Officer, and a lot of other fun things. At our size it means our tax forms do not end in –EZ, and they aren’t completed in an afternoon. It means we act like a corporation- because we are. So if the response seemed a bit corporate, it was. On the other hand, this structure means stability and survivability. It means unusual levels of transparency for a conference, including publicly available tax records and other filings. It also means that we are able to continue to offer free, anonymous, walk-in registrations since our non-profit status helps us manage expenses.

Hopefully you now understand my perspectives, and if you’re upset with me about this at least you’re upset for the right reasons.


Wednesday, June 24, 2015

Packing up and moving

No, not a real blog post, just a quick note.
Yes, I feel guilty about that.

I'm changing domain registrars and will inevitably miss a simple step and knock myself offline, but I'll be back here if I disappear.


Saturday, April 18, 2015

IEMs, In Ear Monitors

I’m old. My hearing sucks.  Years of power tools, especially air tools, a few concerts with the volume cranked to 11, and age have combined with male selective hearing to leave me with a bit of hearing loss.  Not bad, mind you, but I know I’ve lost a lot of hearing range.  But I recently gambled on an inexpensive pair of IEMs, and was amazed at how much better they are than any earbuds I’ve ever tried.  Even the bottom end of the Shure IEM line lets me hear things in music that I haven’t heard in years.  I’m not likely to get much value from high-end IEMs, but I may experiment.  And properly fit earpieces block so much noise that they shut out the world as well as noise cancelling headphones- but with vastly better acoustic range.  I use them all the time now.

But now I’m walking around San Francisco (a remarkably safe city, BTW) and I’m freaked out by the sound isolation- my loss of situational awareness makes me uncomfortable even on a gorgeous day in a nice neighborhood.  I’ve started walking around with one earpiece out, only listening to music through one ear so I can hear the world around me.  Thankfully I realized the problem in a safe environment.

Once again I’ll leave you to connect the dots to InfoSec… new toys, myopic focus, loss of big picture…


Monday, March 9, 2015

Software Stockholm Syndrome

Q: Why do you use that software? It’s horrible!

A: Because it’s what I know, and once you get used to it it isn’t so bad.

Sound familiar?  It’s what I like to call “Software Stockholm Syndrome”, and we’re all victims.

Take the application I’m using to write this post, Windows Live Writer.  Writer used to be a sweet little WYSIWYG blog editor, lightweight and versatile.  Sure, a little light on features, but a great little app.  Microsoft put their stamp on the app they acquired with the Onfolio acquisition until it had a few more features and a stunning amount of bloat.  And yet, I use it regularly.  OK, not that regularly (it gets more use these days for my travel^^drinking blog), but I stick with it because I know it.  Don’t laugh, pretty much everyone does it with some software.  Some companies are worse than others, even Apple does some things horribly- see every other iteration of the dreaded iTunes (aka iTurds), or that recent OS update that shattered audio (and other) workflows.

Software Stockholm Syndrome is part of the reason that those people whose computers you fix don’t want to give up their AOL accounts, or Windows XP, or whatever.  But it isn’t just the luddites, even those of us who love new stuff cling to a few things out of familiarity.

Of course, newer isn’t always better (what, did I say “Windows 8”?), but if we don’t question our choices we’re all stuck with crappy software because “it’s popular”.

I don’t have a cure for Software Stockholm Syndrome, but as with many problems awareness is the first step to recovery.



Tuesday, February 10, 2015

We need to talk about attribution.

One of the InfoSec community’s greatest distractions lately has been attribution, both specifically and generically.
Let’s start with the Sony fiasco and the FBI’s pinning the attribution tail on the North Korean donkey.  Many people have beaten this to death; there has even been name-calling over it.  And I don’t care.  There are certainly questions unanswered, but I’m not opposed to the idea that it was North Korea, I’m just not convinced “beyond a reasonable doubt”.  The argument is lost in the greater public, everyone believes it, just like they believe “hackers” are all bad.  In InfoSec many of us refuse to blindly believe the government for a variety of reasons- political, factual, conspiratorial, and probably even astrological.  Here’s my take- if the FBI came out and said something like:

“Hey, remember those Snowden docs?  Well then you won’t be surprised to hear that we’re all up in North Korea’s stuff and have been for years.  The NSA saw things come and go which prove to us that they are responsible, but we can’t show you the sensitive bits for obvious reasons.”

we would have grumbled about facts and proof and stuff, but I think many of us would have bought the story more than we did with the approach they took.  I’m not sure how Sony would have felt about that revelation, but they’ve probably figured it out by now.  The feds told us they had proof, then released some data, some of which was refutable or inconclusive- and being skeptics, several folks in InfoSec took the data apart and poked holes in some details and raised questions about others.  Being skeptical is what we do.  Gullibility is not a great trait for a career in InfoSec.  Even if the feds had released what they did with the disclaimer “this is imperfect, but it is all we can release because: reasons” it would have been better. But most folks bought the story blindly, so I guess they don’t need PR lessons from me.
If you want some good reading material on attribution, Marcus Ranum recently wrote “Attribution is Hard” Part 1 and Part 2, a good look at the challenges of attribution.  If you want more visceral posts on attribution, head over to Krypt3ia’s blog for some great rants and content.
As for me, when I feel like getting all wound up over attribution I update and patch systems in my home and lab environments- it is more productive than pinning the attribution tail anywhere other than on my own butt.
The fundamental flaw with most attribution stories I see is that they are based on forensic evidence alone.  That means evidence the attackers were willing to let us see.  That’s a problem for me; it means that if the apparent attacker is the real attacker I’ve been beaten by a lazy or incompetent attacker, and otherwise I’m unlikely to find the real culprit with my limited resources.  Either way, I would be better served making backups, checking configurations, and typing “yum -y update” or “apt-get update” into SSH sessions.
Don’t get me wrong, for some folks attribution is important, and for many of us it is an amusing diversion.  If you are trying to prosecute criminals, you need solid attribution.  If you are doing serious threat intelligence then attribution matters (whatever the hell “threat intelligence” means- it’s become yet another InfoSec term that means so many different things that it means nothing).
If you have the choice between spending your limited post-breach resources on chasing attribution or fixing stuff, I suggest you fix stuff.  If you have truly secured your environments well and have the resources, maybe post-breach attribution will be valuable.  I think those situations are rare.  Note that I resisted the temptation to say “if you’ve secured your environment you wouldn’t need attribution because you wouldn’t get breached”, I think we all know those days are long gone (if they ever existed).

Jack (as far as you can tell)

Friday, January 30, 2015

But Jack, community and stuff…

A few folks have asked me about my roles on the advisory board for Intelligent Defence and as a judge for RSA’s new crowdsourced track.  I’m often thought of as “Mr. BSides”, which is unfair to a lot of people who do a lot more than I do to build and sustain the Security BSides movement and community, and unfair to the thousands of organizers, volunteers, speakers, sponsors, and participants who make BSides what it is.  This also overlooks the fact that I have long been engaged with a variety of groups and events, and I work in the security industry.

The short version of the story is this:

Two big events are listening to their attendees and responding to their audiences’ requests, and they asked me to be involved.  As someone who has pushed for better content, conversations, and community engagement in numerous events and organizations over the years I jumped at the opportunities; I would have to be a much bigger hypocrite than I already am to decline the requests.

Of course I am watching to see if these new programs have any impact on the local security and hacker communities, but the nearby BSides San Francisco and BSides London events have a very different vibe from RSA and Infosecurity Europe, and other events such as 44Con are at other times of the year.  My hope is that the new programs will expand the much-needed conversations about information security and security research and help grow the security community, that’s why I’m involved.



Thursday, January 29, 2015

RSA Conference’s new crowdsourced submissions program

The US RSA Conference is adding something new for 2015, a crowdsourced submissions track.  RSA gets a stunning number of submissions each year, and it takes a long time to sort through them all- leading to a common grumble about the long lead time between submissions and the conference.  And as with almost any event, some question why certain talks were accepted over others.  RSA has been listening, and is trying this new crowdsourced track to address some of the feedback they have received.  You want a short lead time for talks to allow for recent topics?  You want a say in some of the talks which get accepted?  The new track will add 12 sessions to answer these requests.

The Call for Papers opened today, January 29, and will close on February 27 (less than two months before the event).  Given the size and scope of the RSA Conference, it is significant that they have taken this step.

I am excited to be one of the judges for this program, joining industry leaders Alex Hutton, Eve Maler, Jennifer Minella, and Rich Mogull.  Our role is to make sure the submissions follow the guidelines, aren’t sales pitches, and to filter out any “ballot stuffing” which might happen.  See the Crowdsourced Submissions FAQ for details.