Wednesday, October 26, 2016

Wrong About Presentations

But first- this series is a bit off-the-cuff and lacking in polish, but I’ve been meaning to do it for ages and if I wait, well, this blog continues to look abandoned.  So please forgive the rambling and read on.

Today let’s start talking about presentations.

I have heard and read that they are all too long, except the ones that are too short.  That talks are simultaneously too technical and too high-level.  Oh, and all panels suck.  Ted-style talks are the best, except that they are hollow, empty, and don’t work for highly technical content.  And you should never let vendors speak because we’re all just sales weasels, except for the events where only “sponsors” get to speak.

Let me once again venture into crazy talk: it really depends on who you are and what you want.  I don’t like vendor sales pitches, but apparently some folks find them a good use of their time.  I’d rather avoid those kind of talks, but that’s me (and probably you, too, but whatever).  If sales presentations are a good use of your time, that’s OK with me.  I do hope you do some homework before whipping out the old purchase orders, though.

I will say that a lot of presentations I’ve seen could have been delivered better in a shorter timeframe- but that’s as much on the events as the speakers.  If the only choice is an hour slot, people do an hour talk.  I do think the quality of things like Shmoocon Firetalks is in part because people often pare down what they planned to be a longer talk, leaving only the key points and delivering them in a short time.  Scheduling talks of different lengths does pose real logistical challenges for conference organizers, but I think it would be good to make it easy for people to do shorter talks.  Of course, speaker ego can be an issue; we need to make it clear that the quality of the talk is not tied to the length of the talk.  I also think that shorter talks make it easier to get new things in front of an audience.

Presentation style, there’s a topic sure to inflame absolutists.  The style has to match the speaker and the topic.  You will never do a good Ted-style talk that walks through the code of your new project or steps through disassembly of malware.  Conversely, a code walk isn’t the way to explain big picture issues.  Lately my presentations weave the ideas and information together via storytelling, in a style that sometimes borders on stand-up comedy.  And it works for me and the less technical topics I’ve covered in the past few years, but it certainly won’t work for everyone or every topic.  I know there are disciples of some books and styles such as Presentation Zen and Slide:ology, I think they are great resources but as always there is no One True Way.  Do what works for your audience and for you.

As far as panels, many are indeed often a lazy attempt at getting on the schedule, they’re frequently poorly moderated and wander off topic into incoherent ramblings.  It is also true that well-run panels can showcase a diverse set of opinions and experiences and add nuance to complicated topics.  Panels do not suck, bad panels suck.

And no, this series isn’t over, I’m just getting warmed up.


Jack

Thursday, October 13, 2016

Relevant to my rants

Before I resume my rambling on conferences and presentations, here’s a great article I came across via Tales of the Cocktail, a site you would expect me to link to from my, ahem, travel blog.

This article is specifically about submitting a cocktail seminar to Tales of the Cocktail, but several points in the list of seventeen items apply to a wide variety of events, regardless of topic or venue.

Also, it has been said many times by many people and in many ways- one of the best tips for getting your proposal accepted at any event is to follow the rules. Really, read the rules/guidelines for submission, and follow them.  Also, submit early.  Most event reviewers are volunteers and do it in their spare time, something which gets scarce when the deadline approaches.  Submit early and you’re more likely to get non-bloodshot eyes looking at your paper.


Jack

Friday, October 7, 2016

Wrong About Conferences, part 3

Thought I’d get tired of this topic?  No way, I’m just getting warmed up.

Today’s installment continues on the events themselves:

A lot of people complain about the commercialization, the sales pitches, the circus-like atmosphere of some vendor areas.  I’m not a big fan of these things myself (OK, I loathe them), I prefer to engage with vendors in a rational manner- but whether you are buying antivirus, SIEM, a new car, or a washing machine, expect the sales hype.  If you are like me you’ll ignore the excesses and gravitate towards the companies who bring engineers and maybe even support personnel to accompany the sales and marketing teams to shows so that they can answer hard questions and help existing customers.  And if you aren’t buying, or curious about the tech, avoid those parts of the events altogether (or as much as the venue allows).

The same events which have the big vendorfests are often the best for meeting people for quiet meaningful conversations- not at the show but nearby, away from the mayhem.  If thousands of people go to the event, there may be folks there you want to talk to, you don’t have to meet at the conference.  If you are going to do this, make appointments.  You will not just run into folks and have time to chat.  And “I’ll meet you in the lobby” isn’t good enough, especially at sprawling complexes like the Moscone Center in San Francisco, the Las Vegas Convention Center, and other huge venues.

The flip side of over commercialization are the community events with little or no advertising and sales.  They are a great relief to many of us who suffer the excesses at commercial shows, but they don’t generate leads for the sponsors so it can be hard to pull in the funding needed for the event.  These events often get funded primarily through ticket sales because someone has to pay.  A lot of companies will provide sponsorship for visibility and the good of the community, but there are a lot of community conferences and not enough money for all of them.

The realms of for-profit, not-for-profit, and non-profit are too convoluted a topic for this series, but whether people want to make money from an event or not, they want people to like the event.

It is also worth mentioning the size of events.  Everyone wants to go to the cool events, and so some grow until they aren’t what they used to be, and a lot of folks complain about this.  When I hear such complaints I am reminded of what the sage Yogi Berra said many years ago about Rigazzi’s in St. Louis:

“Nobody goes there anymore, it’s too crowded”

But if events cap attendance and demand continues to grow they get accused of being exclusionary by some.  What’s a conference organizer to do?

You’ll note I’ve avoided naming specific events, although I’m sure most of you have assigned names to several things I’ve mentioned.  I would, however, like to use one specific group as an example, an example that could be applied to many other groups and events.  DC303, the Denver area DEF CON group, is well known and very active, and I’ve heard them accused of being “cliquish” and excluding people from activities and events.  I would like to make two points about DC303 (note, I am *not* a 303 member):

First, as with most organizations, some things are limited to members.  I can’t expect to toss my kayak in the bay and be welcomed down at the yacht club.  Some things are more open than others- and some do require an invitation, which leads to my second point:

My first interaction with the 303 crew was in July of 2009, at the first BSides Las Vegas.  I knew almost no one other than from a few online exchanges, they certainly didn’t know me.  And it didn’t matter, I showed up and got to work as did several others- and many of us became friends.  That’s it, three simple steps: show up, participate, and be accepted.  If you skip step two you probably won’t make it to step three.  This applies at your local LUG or ISSA chapter as much as to 303 or pretty much any other entity.

Next week I’ll change topics a bit and babble about what’s wrong with presentations, speakers, and who knows what else.


Jack

Thursday, October 6, 2016

Wrong About Conferences, part 2

Today let’s start with a look at the conferences and events themselves.  One of the cyclical things I see is dismissing events people don’t like as irrelevant or worse.

“The big commercial cons are irrelevant…” as tens of thousands of people go to them, learn, share and yes, do the business of InfoSec.  The business of InfoSec, it’s so ugly and dirty, oh, and pays tens of thousands of us a living while funding an amazing amount of research.  Maybe they aren’t the places for cutting edge research, especially offensive security stuff, but that’s not their core audience.

Are there excesses? Sure there are.

Are they valuable to a lot of people?  Of course they are.

And very few people are forced to go unless they are paid to do so.

Don’t like it?  Not your scene?  Cool, don’t go.


“That’s just a hacker con, full of criminals…” as thousands or even tens of thousands of people gather to learn, share, and (gasp) maybe even do a little business.  Yeah, we’re all a bunch of criminals, right.  No, almost all of us at hacker cons are trying to make the world more secure.  You may disagree with some methods and opinions, but hacker cons help make us more secure.  Some may not be the best places to learn a lot about policy and compliance issues, or securing global enterprises, but that’s not what they’re about- and some “hacker” cons do cover these topics well.

Are there excesses? Sure there are.

Are they valuable to a lot of people?  Of course they are.

And very few people are forced to go unless they are paid to do so.

Don’t like it?  Not your scene?  Cool, don’t go.

Fifty years ago Buffalo Springfield sang “Nobody's right if everybody's wrong”, and that sums up the way I feel about a lot of the con noise, hype, and drama.  Find the events that work for you, contribute to making them better, and avoid the ones that don’t work for you.

There are plenty of things I don’t like about a lot of events, I’m a cranky old man.  I do, however, understand that different events serve different needs and audiences.  That doesn’t excuse hype, lies, and bullshit but no event has a monopoly on that.

More on events in the next few posts.


Jack

Wednesday, October 5, 2016

Everyone is wrong about conferences

In the past couple of years there have been many blog posts and articles on the topics of what’s wrong with InfoSec and hacker conferences, which events are or are not relevant, and what’s wrong with the talks and panels at those conferences.  A lot of good points have been raised, and some great ideas have been floated.

But they are all wrong.

Many of them aren’t just wrong, they’re also symptomatic of some of the things wrong with InfoSec, a failure to understand the importance of context and perspective.

Let’s start with this simple fact:

Your experience is unique, it is not universal.  Your perspective is therefore not a universal perspective.

As with anyone offering The One True Answer to any question, allow me to suggest that It Isn’t That Simple.

In upcoming posts I’ll dig into a few of these topics, not to give The One True Answer, but to share some of my experiences and perspectives, and float a few ideas of my own.  I don’t claim to be an expert on conferences or presentations (or much of anything else), but I am and have been involved in a lot of conferences- as an attendee, participant, program committee member, organizer, volunteer, vendor booth staff, speaker, and even bartender.  I also participate in events large and small, commercial and community, business- and hacker-centric.

And I have opinions.  You may have noticed.

Stay tuned.


Jack

Friday, September 30, 2016

Debunking fuel in the gas tank, case closed.

Picking up from yesterday’s post:

Imagine a time when carburetors ruled the earth (or at least cars’ fuel systems), and a time before emissions controls extended to evaporating fuel vapor, say perhaps in the 70s when I began my career as a mechanic, working on cars of that era and older.  Back then, in ye olden days, fuel systems were open to the environment, both in cars and in the tanks at gas stations.  That meant that water vapor could condense in the fuel tanks and drip or run down the sides and pool at the bottom of the tanks.  This is why the fuel pickups in gas stations’ underground tanks were a few inches above the bottom, and why we always used water-detecting paste on the giant tank sticks used to measure the amount of fuel in the ground.  An inch or two of water at the bottom of the tank and no one cared as long as the amount didn’t increase rapidly- it would stay down there harmlessly.  Unless, of course, you got a fuel delivery which churned up everything on the bottom of the tanks, water, sediment, whatever.  Still, it would eventually settle back down- but if you happened to fill up your car while the muck was stirred up you could get the nasties, including water, into your car’s tank.  And no, most stations didn’t have great fuel filtration between the tank and the pumps.  To this day I avoid filling up my vehicles if I see a fuel truck in the gas station lot- I had to deal with too many dirty fuel systems to take the chance.  And even if you didn’t get water from a bad gas station fill-up you could build up water from condensation on the roof of your fuel tank settling to the bottom.

Now we have a couple of paths to getting water into your car’s gas tank, where does that take the sugar myth?  It doesn’t take a lot of water to dissolve sugar that finds its way into the tank, especially given the constant vibration and sloshing that happens in a moving vehicle, so now we can move the sugar solution along with the gasoline towards the engine.  We still have a fuel filter to deal with, but they were generally simple paper filters designed to stop solids, not liquids, so our mix of gasoline and sugar water wouldn’t get stopped there.  This assumes that the vehicle has a fuel filter at all- which is not a safe assumption if you go far enough back in time, or if you happen to be dealing with someone who bypassed their fuel filter “because it kept clogging up”.  (If you think no one would ever do something that dumb, you have probably never worked a helpdesk).

And now the fuel hits the carburetor, where a little bowl acts as a reservoir for fuel before it finds its way into the intake system.  Carburetors are full of tiny orifices, the kind that don’t like dirt, or much of anything other than clean gasoline and clean air.  Sugar water can gum things up, block holes, or settle out into the bottom of the fuel bowl- and that’s where things are no longer theoretical.  I had to clean out a few carburetors with sticky goo in them in my “gas station mechanic” days, and I recall one where we dropped the gas tank and found an ugly mess in the tank.  Sugar in the tank could, under some circumstances, be annoying.  Not catastrophic but mildly disruptive, and a genuinely unpleasant thing to do to someone.

What’s the moral of the story?  I don’t think there is one, other than exaggeration and hyperbole feed urban legends whether they’re based on complete nonsense or a tiny grain of truth.

Bottom line, don’t put sugar in gas tanks.  Not just because it won’t work, but because it’s a rotten thing to do.


Jack

Thursday, September 29, 2016

Debunked debunking, part 2

Another “debunked” automotive urban legend is the “Sugar in the gas tank will destroy your engine!!!11!” story.  Let’s take a look at this tale, and look at a few angles folks often miss when discussing it.  This myth has been thoroughly debunked, by people both smart and not-so-smart, but let’s look at it again.

First and foremost, sugar does not dissolve in gasoline.  You might be able to stir it into some kind of suspension, but it won’t really dissolve.  (Sugar doesn’t dissolve well in alcohol, either, but that’s a topic for my other blog.)  That would seem to thoroughly debunk the story by itself, and in modern vehicles in good condition it pretty much does.

Modern, good condition… I just opened two interesting views into one angle to the tale.

Second, modern (there’s that word again) vehicles have very thorough fuel filtering which will prevent sugar granules from making it anywhere near the engine.

And finally for this post, even if sugar did dissolve in gas (which it doesn’t) and sugar made it through the filter(s) (which it won’t), the sugared fuel would only flow through the fuel, intake, and exhaust systems.  I suppose it might make it into the lower parts of the engine if the pistons/rings/cylinder walls were junk but then the engine is already trashed.

Let’s talk about what could happen in the scenario above, assuming sugar did dissolve in gas and/or filtration didn’t stop it.  It is a safe bet that fuel injectors wouldn’t like it, they might gum up eventually as the sugar burned (caramelized?) due to engine heat.  I suppose, since we’re suspending disbelief, that sugar could build up on the valves and contribute to burned valves- but the operating temperatures of modern valves are extremely high and, since they’re designed to function at such temperatures, I doubt it would be a problem as the sugar would burn off without building up.  Continuing with the fantasy, maybe turbochargers and catalytic converters wouldn’t enjoy the sugar solution- but again the extreme heat would burn the sugar somewhere in the process and probably burn it cleanly with no significant ill effects.

So there we have it, thoroughly debunked.  Except maybe not.  What if we scale back the expected damage from catastrophic to annoying, and go back in time?  In the first post on debunking, going back in time was also a key to understanding the battery myth.

The rest of this story comes tomorrow (really).


Jack

Tuesday, June 14, 2016

Bad analogy, bad. No biscuit.

If you use the “If I leave my door unlocked you don’t have the right to walk in…” analogy when discussing web disclosures, you really need to stop.  Bad analogies are bad.

You know the cases, folks find things on the Internet that people didn’t mean to make public, and a storm ensues and all kinds of people say all kinds of naïve stuff, including people who should know better.

Your website is not a house, and not just because of the physical vs. virtual difference.  If we have to use this analogy, let’s at least get it more accurate.

You live on a road, it may be public, or it may be private, but either way it is open to the public- in fact public use is encouraged.  That’s why you put your house there, because of good access in and out to the rest of the world.  You put sensitive data on signs in your yard, visible from the road.  There might even be a sign that says “only read your own data”, but it is all visible.  Someone drives by and reads someone else’s sign from the road.  Maybe they take pictures of the signs.

Still imperfect, but much more accurate.  And so convoluted it doesn’t help make any point.  These issues are not simple and misrepresenting them and oversimplifying things does not help.

Note that I have not made any judgements about who exposed what where, and who drove by and looked at it.  If it is your house and you post my data in an irresponsible manner, you are being irresponsible.  If someone feels the need to copy everything to prove a point, that causes problems, even when their intentions are good.

Without picking any specific cases, most of the ones that make the news are a combination of errors on both sides.  You should act like sensitive data is, I don’t know, sensitive.  And when you stumble across things like that (and you will if you use the Internet and pay attention), you should think about how folks will react, and keep the CFAA in mind.  Right or wrong, that’s the world we live in.  I think the CFAA is horrible and horribly out of date, as is the DMCA- but while they are the law and enforced, ignore them at your peril.  It is worth considering that when people find stuff that shouldn’t be posted publicly, it generally doesn’t require downloading the entire dataset to report the problem, in fact that is likely to create problems for everyone.

And yes, that’s a gross oversimplification from me in a post where I decry gross oversimplification.  Literary license or something.

And because I actually care about this mess we’re in, I’ll make an offer I hope I don’t regret: if you stumble across things which are exposed and you really don’t know how to handle it please pause and reach out to me.  I’ll ask friends in law enforcement for guidance for you if you wish to remain anonymous, or I’ll try to help you find the right folks to work with.  If you are outside of the US, I’m unlikely to be of much help, but I’ll still make inquiries.

Note that if you are on any side of one of these situations and act like a dumbass, I reserve the right to call you a dumbass.  I’ll still try to help, but I’m calling you a dumbass if you deserve it.  That’s as close to idealistic as you’ll get from me.


Jack

Monday, March 28, 2016

Where’s Jack, updated

A few changes and an addition- In the upcoming weeks and months I’ll be speaking at the following events:

InfoSec Southwest, Austin, April 8-10

Sayers’ #Curio Technology Summit, Chicago, April 13

BSides Calgary, April 28-29

ISSA-LA Summit, May 19-20

IT-PRO, Seekonk MA, June 15

ISSA-NE, Waltham MA, July 12

I will not be speaking there, but I will be at the NIST Cyber Security Framework Workshop at NIST in Gaithersburg, MD- if you’re going to be there please say hello if you see me.

And I’m sure I’ll be at a few more.  See you on the road.


Jack

Friday, March 25, 2016

Debunking debunking, part 1

Things need to be proven, or disproven. Urban legends need debunking.  But unless you dig into the history and have some context you may be wasting your time.  And if you have the context, you can make your case more convincingly.

Let’s venture into automotive lore for two examples.  First, a simple one- there’s a longstanding belief that you should never place a battery on bare concrete or it will damage the battery, or at least cause it to discharge.  You regularly see shops with batteries on scraps of plywood to this day.  I had this “debunked” at a manufacturer’s tech training many years ago, one of the instructors put a fully charged battery on the bare floor at the beginning of a week of training and it was fully charged at the end of the week.  End of story, right?  Well, not quite.

First, the school was new and well equipped, it even had infrared heating, so the concrete floors were always warm, as opposed to the cold, damp floors many garages have throughout the winter.  Putting a modern battery on a cold damp floor really won’t hurt the battery- but cold batteries don’t release their power as well as warm ones, so putting a marginal battery on the floor could make it weak enough that it won’t start a car without being charged.

Second, above I said:

“Putting a modern battery on a cold damp floor really won’t hurt the battery”

The word “modern” is key to this legend.  In ye olden days car battery cases were made of “sealed” wood, then of natural rubber- both of which were somewhat porous.  Concrete is very good at wicking moisture, so putting one of these old batteries on concrete could really discharge it and suck water out of the battery.  Knowing this backstory means you can make a more convincing argument when faced with this particular legend.

Later, I’ll dive into one that has been “debunked” on TV and in universities.  By people who apparently don’t get the significance of context.


Jack