Sunday, March 19, 2017

On loss and responsibility

We have lost more great figures in our world of InfoSec, and we are diminished by their loss.

Spaf has written eloquently on the passing of Kevin Ziese, Howard Schmidt, and Becky Bace. I never met Kevin, and I only met Howard a couple of times, but I know of them and their impact on our industry and people in our field.

Becky had become a friend over the past several years, and her loss has hit me hard. Becky has a long and storied history in InfoSec and cybersecurity (and damn, could she tell great stories). Becky was instrumental in nurturing the fledgling fields of network analysis and IDS when she was at NSA, but more importantly than her technical work she was  a great friend and mentor to so many in our field that it is hard to overstate how many people she touched in her life and career. For a glimpse into what Becky was like, check out Avi’s very personal and touching remembrance of meeting Becky.

Once again, we take time to remember lost friends. While natural to mourn their passing we must remember that there are still many in our communities who need the kind of friends and mentors that Kevin, Howard, and Becky were to those of us who knew them. It is our responsibility to them and many others we’ve lost in our young field to remember them, but more importantly to fill those roles of friends and mentors to those who never knew them.

 

Jack

Wednesday, February 1, 2017

What upsets Troy Hunt about conferences

Getting back to my normal territory here-

In case you missed it, in late December Troy Hunt posted 10 Ways for a conference to Upset their speakers on his blog. I mostly agree with Troy’s list and it adds to my series of rants about conferences from last fall. It’s worth a read if you are interested in conferences and speaking and you haven’t  already read it.

 

Jack

A few words about ovarian cancer

Cancer sucks. The number of people who are touched by cancer is terrifying, it is rare to find someone who hasn’t had friends or family attacked by cancer if they’ve avoided it themselves. Sometimes, as with my bladder cancer, it’s not that bad- for me I get a rather uncomfortable exam regularly, and sometimes get a small tumor or two removed, no big deal. That makes me lucky, few who face cancer get to shrug it off as a mere annoyance.

Since I’ve recently learned a lot more about ovarian cancer than I ever expected to know, I’d like to share a few things with everyone. Remember, I’m not a medical professional, these are my observations and ideas formed over the two and a half years of my late wife’s struggle with clear cell ovarian cancer.

First, routine tests and doctor visits are unlikely to detect it early.

Second, it’s insidious- many women develop ovarian cancer around the time of menopause, and many of the symptoms of the cancer are also expected conditions that accompany menopause.

There is a blood test which looks for a marker, CA 125, which may help detect ovarian cancer but the test is far from perfect. Many people have suggested it should be a regular test, others think it may lead to a false sense of security. Gilda Radner talked about the test in her autobiography before we lost her to ovarian cancer. Here’s my take- and keep in mind that I’m not a doctor of anything and this isn’t medical advice- I think that CA 125 screening and the symptoms of ovarian cancer are things women should be aware of. I think that routine CA 125 screening probably makes sense for women with a family history of cancer, maybe for a broader population- but only if the test is considered a weak indicator, and is done as part of comprehensive medical care (a low reading does not mean there’s no cancer). If you have a healthy relationship with your doctor it should be part of a conversation, as with most tests. I don’t think much about my prostate, but I do think about symptoms of prostate problems every time my doctor sends me off for a PSA test. Awareness of symptoms, thinking about them honestly, and having real conversations with your doctors is key to minimizing Bad Things.

Note: I was going to prefix this with a note saying this is another personal post with nothing to do with InfoSec, then I realized I’m talking about using weak indicators as component in a comprehensive detection plan, and that sounds pretty familiar.

I don’t want to watch any more people die of cancer, and neither do you. But we will, so let’s try to spread the word and minimize the suffering.

Finally, I am not a doctor, psychologist, or anyone else who can provide real help- but if you or a loved one are facing ovarian cancer and want someone to talk to, yell at, or commiserate with- reach out to me. There’s email info in the upper right corner of the page.

Jack

Monday, January 30, 2017

“Thank you” is not enough

A few weeks ago I made a very personal, and very public announcement- that I had lost my wife to cancer a few days before Christmas. I debated how to share the news, especially since we had largely kept it quiet- she was as private a person as I am public. I decided to share the news on Twitter and Facebook, and the response was overwhelming. Literally overwhelming. The outpouring of love and support I received was humbling and deeply moving. It made me want to be a better person (although a dear friend cautioned me against making any rash decisions).
The words “thank you” are not enough, especially tossed out here on my neglected blog, but it is a start. Thank you- to friends old and new, acquaintances, and complete strangers. I am truly humbled by your support.
For those who had not heard the news or our story, my wife and I met when she was 14 and I was 15, we started dating a few months later and never stopped. Below is a photo of us from 1976 (and yes, it is one of the last known photos of me without a beard).FallFormal1976-1



2016 was a rough year for many of us and 2017 is presenting us with new challenges, but (forgive my optimism) together we can make things suck less, personally and professionally.
For me 2017 is about friends old, new, and as yet unmet. I still love technology, I love abusing technology and solving problems with technology, but this year is about people. I’ll be at most of the usual events, and a lot of smaller ones, all around the world. If our paths cross please find me, say hello, maybe share coffee or a cocktail and conversation.
I was recently at Shmoocon, it is an event I have always enjoyed and this year it was especially good to reconnect with the Shmoocon crowd as I started my return to being active and engaged on the road. I’ll be at BSides San Francisco and RSA in a couple of weeks, after that I’m regrouping before hitting the road again, but more on that later.

Thank you
Jack

Wednesday, October 26, 2016

Wrong About Presentations

But first- this series is a bit off-the-cuff and lacking in polish, but I’ve been meaning to do it for ages and if I wait, well, this blog continues to look abandoned.  So please forgive the rambling and read on.

Today let’s start talking about presentations.

I have heard and read that they are all too long, except the ones that are too short.  That talks are simultaneously too technical and too high-level.  Oh, and all panels suck.  Ted-style talks are the best, except that they are hollow, empty, and don’t work for highly technical content.  And you should never let vendors speak because we’re all just sales weasels, except for the events where only “sponsors” get to speak.

Let me once again venture into crazy talk: it really depends on who you are and what you want.  I don’t like vendor sales pitches, but apparently some folks find them a good use of their time.  I’d rather avoid those kind of talks, but that’s me (and probably you, too, but whatever).  If sales presentations are a good use of your time, that’s OK with me.  I do hope you do some homework before whipping out the old purchase orders, though.

I will say that a lot of presentations I’ve seen could have been delivered better in a shorter timeframe- but that’s as much on the events as the speakers.  If the only choice is an hour slot, people do an hour talk.  I do think the quality of things like Shmoocon Firetalks is in part because people often pare down what they planned to be a longer talk, leaving only the key points and deliver them in a short time.  Scheduling talks of different lengths does pose real logistical challenges for conference organizers, but I think it would be good to make it easy for people to do shorter talks.  Of course, speaker ego can be an issue, we need to make it clear that the quality of the talk is not tied to the length of the talk.  I also thing that shorter talks make it easier to get new things in front of an audience.

Presentation style, there’s a topic sure to inflame absolutists.  The style has to match the speaker and the topic.  You will never do a good Ted-style talk that walks through the code of your new project or steps through disassembly of malware.  Conversely, a code walk isn’t the way to explain big picture issues.  Lately my presentations weave the ideas and information together via storytelling, in a style that sometimes borders on stand-up comedy.  And it works for me and the less technical topics I’ve covered in the past few years, but it certainly won’t work for everyone or every topic.  I know there are disciples of some books and styles such as Presentation Zen and Slide:ology, I think they are great resources but as always there is no One True Way.  Do what works for your audience and for you.

As far as panels, many are indeed often a lazy attempt at getting on the schedule, they’re frequently poorly moderated and wander off topic into incoherent ramblings.  It is also true that well-run panels can showcase display a diverse set of opinions and experiences and add nuance to complicated topics.  Panels do not suck, bad panels suck.

And no, this series isn’t over, I’m just getting warmed up.

 

Jack

Thursday, October 13, 2016

Relevant to my rants

Before I resume my rambling on conferences and presentations, here’s a great article I came across via Tales of the Cocktail, a site you would expect me to link to from my, ahem, travel blog.

This article is specifically about submitting a cocktail seminar to Tales of the Cocktail, but several points in the list of seventeen items apply to a wide variety of events, regardless of topic or venue.

Also, it has been said many times by many people and in many ways- one of the best tips for getting your proposal accepted at any event is to follow the rules. Really, read the rules/guidelines for submission, and follow them.  Also, submit early.  Most event reviewers are volunteers and do it in their spare time, something which gets scarce when the deadline approaches.  Submit early and you’re more likely to get non-bloodshot eyes looking at your paper.

 

Jack

Friday, October 7, 2016

Wrong About Conferences, part 3

Thought I’d get tired of this topic?  No way, I’m just getting warmed up.

Today’s installment continues on the events themselves:

A lot of people complain about the commercialization, the sales pitches, the circus-like atmosphere of some vendor areas.  I’m not a big fan of these things myself (OK, I loathe them), I prefer to engage with vendors in a rational manner- but whether you are buying antivirus, SIEM, a new car, or a washing machine, expect the sales hype.  If you are like me you’ll ignore the excesses and gravitate towards the companies who bring engineers and maybe even support personnel to accompany the sales and marketing teams  to shows so that they can answer hard questions and help existing customers.  And if you aren’t buying, or curious about the tech, avoid those parts of the events altogether (or as much as the venue allows).

The same events which have the big vendorfests are often the best for meeting people for quiet meaningful conversations- not at the show but nearby, away from the mayhem.  If thousands of people go to the event, there may be folks there you want to talk to, you don’t have to meet at the conference.  If you are going to do this, make appointments.  You will not just run into folks and have time to chat.  And “I’ll meet you in the lobby” isn’t good enough, especially at sprawling complexes like the Moscone Center in San Francisco, the Las Vegas Convention Center, and other huge venues.

The flip side of over commercialization are the community events with little or no advertising and sales.  They are a great relief to many of us who suffer the excesses at commercial shows, but they don’t generate leads for the sponsors so it can be hard to pull in the funding needed for the event.  These events often get funded primarily through ticket sales because someone has to pay.  A lot of companies will provide sponsorship for visibility and the good of the community, but there are a lot of community conferences and not enough money for all of them.

The realms of for-profit, not-for-profit, and non-profit are too convoluted a topic for this series, bet whether people want to make money from an event or not, they want people to like the event.

It is also worth mentioning the size of events.  Everyone want to go to the cool events, and so some grow until they aren’t what they used to be, and a lot of folks complain about this.  When I hear such complaints I am reminded of what the sage Yogi Berra said many years ago about Rigazzi’s in St. Louis:

“Nobody goes there anymore, it’s too crowded”

But if events cap attendance and demand continues to grow they get accused of being exclusionary by some.  What’s a conference organizer to do?

You’ll note I’ve avoided naming specific events, although I’m sure most of you have assigned names to several things I’ve mentioned.  I would, however, like to use one specific group as an example, an example that could be applied to many other groups and events.  DC303, the Denver area DEF CON group, is well known and very active, and I’ve heard them accused of being “cliquish”  and excluding people from activities and events.  I would like to make two points abut DC303 (note, I am *not* a 303 member):

First, as with most organizations, some things are limited to members.  I can’t expect to toss my kayak in the bay and be welcomed down at the yacht club.  Some things are more open than others- and some do require an invitation, which leads to my second point:

My first interaction with the 303 crew was in July of 2009, at the first BSides Las Vegas.  I knew almost no one other than from a few online exchanges, they certianly didn’t know me.  And it didn’t matter, I showed up and got to work as did several others- and many of us became friends.  That’s it, three simple steps: show up, participate, and be accepted.  If you skip step two you probably won’t make it to step three.  This applies at your local LUG or ISSA chapter as much as to 303 or pretty much any other entity.

Next week I’ll change topics a bit and babble about what’s wrong with presentations, speakers, and who knows what else.

 

Jack

Thursday, October 6, 2016

Wrong About Conferences, part 2

Today let’s start with a look at the conferences and events themselves.  One of the cyclical things I see is dismissing events people don’t like as irrelevant or worse.

“The big commercial cons are irrelevant…” as tens of thousands of people go to them, learn, share and yes, do the business of InfoSec.  The business of InfoSec, it’s so ugly and dirty, oh, and pays tens of thousands of us a living while funding an amazing amount of research.  Maybe they aren’t the places for cutting edge research, especially offensive security stuff, but that’s not their core audience.

Are there excesses? Sure there are.

Are they valuable to a lot of people?  Of course they are.

And very few people are forced to go unless they are paid to do so.

Don’t like it?  Not your scene?  Cool, don’t go.

 

“That’s just a hacker con, full of criminals…” as thousands or even tens of thousands of people gather to learn, share, and (gasp) maybe even do a little business.  Yeah, we’re all a bunch of criminals, right.  No, almost all of us at hacker cons are trying to make the world more secure.  You may disagree with some methods and opinions, but hacker cons help make us more secure.  Some may not be the best places to learn a lot about policy and compliance issues, or securing global enterprises, but that’s not what they’re about- and some “hacker” cons do cover these topics well.

Are there excesses? Sure there are.

Are they valuable to a lot of people?  Of course they are.

And very few people are forced to go unless they are paid to do so.

Don’t like it?  Not your scene?  Cool, don’t go.

Fifty years ago buffalo Springfield sang “Nobody's right if everybody's wrong”, and that sums up the way I feel about a lot of the con noise, hype, and drama.  Find the events that work for you, contribute to making them better, and avoid the ones that don’t work for you.

There are plenty of things I don’t like about a lot of events, I’m a cranky old man.  I do, however, understand that different events serve different needs and audiences.  That doesn’t excuse hype, lies, and bullshit but no event has a monopoly on that.

More on events in the next few posts.

 

Jack

Wednesday, October 5, 2016

Everyone is wrong about conferences

In the past couple of years there have been many blog posts and articles on the topics of what’s wrong with InfoSec and hacker conferences, which events are or are not relevant, and what’s wrong with the talks and panels at those conferences.  A lot of good points have been raised, and some great ideas have been floated.file00029400867

But they are all wrong.

Many of them aren’t just wrong, they’re also symptomatic of some of the things wrong with InfoSec, a failure to understand the importance of context and perspective.

Let’s start with this simple fact:

Your experience is unique, it is not not universal.  Your perspective is therefore not a universal perspective.

As with anyone offering The One True Answer to any question, allow me to suggest that It Isn’t That Simple.

In upcoming posts I’ll dig into a few of theses topics, not to give The One True Answer, but to share some of my experiences and perspectives, and float a few ideas of my own.  I don’t claim to be an expert on conferences or presentations (or much of anything else), but I am and have been involved in a lot of conferences- as an attendee, participant, program committee member, organizer, volunteer, vendor booth staff, speaker, and even bartender.  I also participate in events large and small, commercial and community, business- and hacker-centric.

And I have opinions.  You may have noticed.

Stay tuned.

 

Jack

Friday, September 30, 2016

Debunking fuel in the gas tank, case closed.

Picking up from yesterday’s post:

Imagine a time when carburetors ruled the earth (or at least car’s fuel systems), and a time before emissions controls extended to evaporating fuel vapor, say perhaps in the 70s when I began my career as a mechanic, working on cars of that era and older.  Back then, in ye olden days, fuel systems were open to the environment, both in cars and in the tanks at gas stations.  That meant that water vapor could condense in the fuel tanks and drip or run down the sides and pool at the bottom of the tanks.  This is why the fuel pickups in gas stations’ underground tanks were a few inches above the bottom, and why we always used water-detecting paste on the giant tank sticks used to measure the amount of fuel in the ground.  An inch or two of water at the bottom of the tank and no one cared as long as the amount didn’t increase rapidly- it would stay down there harmlessly.  Unless, of course, you got a fuel delivery which churned up everything on the bottom of the tanks, water, sediment, whatever.  Still, it would eventually settle back down- but if you happened fill up your car while the much was stirred up you could get the nasties, including water, into your car’s tank.  And no, most stations didn’t have great fuel filtration between the tank and the pumps.  To this day I avoid filling up my vehicles if I see a fuel truck in the gas station lot- I had to deal with too many dirty fuel systems to take the chance.  And even if you didn’t get water from a bad gas station fill up you could build up water from condensation on the roof of your fuel tank settling to the bottom.

Now we have a couple of paths to getting water into your car’s gas tank, where does that take the sugar myth?  It doesn’t take a lot of water to dissolve sugar that finds its way into the tank, especially given the constant vibration and sloshing that happens in a moving vehicle, so now we can move the sugar solution along with the gasoline towards the engine.  We still have a fuel filter to deal with, but they were generally simple paper filters designed to stop solids, not liquids, so our mix of gasoline and sugar water wouldn’t get stopped there.  This assumes that the vehicle has a fuel filter at all- which is not a safe assumption if you go far enough back in time, or if you happen to be dealing with someone who bypassed their fuel filter “because it kept clogging up”.  (If you think no one would ever do something that dumb, you have probably never worked a helpdesk).

And now the fuel hits the carburetor, where a little bowl acts as a reservoir for fuel before it finds its way into the intake system.  Carburetors are full of tiny orifices, the kind that don’t like dirt, or much of anything other than clean gasoline and clean air.  Sugar water can gum things up, block holes, or settle out into the bottom of the fuel bowl- and that’s where things are no longer theoretical.  I had to clean out a few carburetors with sticky goo in them in my “gas station mechanic” days, and I recall one where we dropped the gas tank and found an ugly mess in the tank.  Sugar in the tank could, under some circumstances, be annoying.  Not catastrophic but mildly disruptive, and a genuinely unpleasant thing to do to someone.

What’s the moral of the story?  I don’t think there is one, other than exaggeration and hyperbole feed urban legends whether they’re based on complete nonsense or a tiny grain of truth.

Bottom line, don’t put sugar in gas tanks.  Not just because it won’t work, but because it’s a rotten thing to do.

 

Jack