Saturday, September 14, 2013

Can you trust them?

Let’s turn a common theme in InfoSec upside down:

Can you trust, and should you hire, former hackers government employees?

In the still-unfolding Snowden saga, we now have allegations that the US government, specifically the NSA, has attacked cryptography at scale, including the software, protocols, and algorithms we rely on for secure and private communications.  On one hand, I have to say “duh, that’s their job”, but it certainly appears to me that they have significantly overstepped their authority and damaged our ability to secure our data.  While I hold some senior NSA officials, notably General Alexander, partially responsible for part of this abuse, I believe that the real blame lies with the past couple of presidents and the Congress for their utter abandonment of responsibility to the Constitution, and to us, the citizens it is designed to protect.  The NSA (as is true for much of the US federal government) is full of great people, working very hard to properly execute their assigned tasks.  But, if your assigned task is something like fighting terrorism, or combatting drugs, or child pornography- it is only natural that you will lose perspective in the face of the horrors you are trying to combat.  (Don’t get me wrong, I know that a lot of folks are in the “war on [whatever]” as profiteers, but I believe most people are trying to do what they believe to be right).  That’s where the elusive property of “oversight” comes in.  Or in the case of things like the abuses of the NSA, oversight should come in, but presidents, congress critters, and others have abdicated their sworn duties.

Back to the question at hand…

Having “NSA” on your resume has traditionally been seen as an asset.  We now have credible claims that government agents have subverted the security of the systems we rely on, in some cases by covert infiltration of private enterprise.

Imbecile executives in the InfoSec industry like to make pronouncements like “We don’t hire hackers”, showing their ignorance of what “hacker” means to many people, and limiting their pool of talented recruits.  Computer criminals have a hard time concealing their past convictions, but covert agents have the power of the intelligence community behind them to create squeaky-clean résumés.  Is that former NSA researcher, the one who is now working on your software, really “former”?

Thus, we have to ask: Is it time for NSA to become scarlet letters on a résumé?

For the record, I don’t think so- but I do believe it is past time to reflect on “who can you trust” before hiring people and putting them in positions of responsibility, regardless of their past.

And that’s a belief I am confident the NSA shares with me…

(Image Attribution: Laura Poitras / Praxis Films)

[Note: I have not provided links to anything in this post. There are so many sources, with so many revelations, counterclaims, and outright lies that I’ll leave you to use the sources you trust, and reach your own conclusions on the reality and implications of this mess].

Thursday, September 12, 2013

Security BSides, stories and back-stories, part 1

I realize that I’m overdue on providing an update on all things Security BSides, so here is a start.  Usual disclaimers apply, I’m writing personally, not on behalf of BSides or any of the BSides event or organizations, etc..

This weekend will be the 92nd Security BSides, in Augusta, Georgia, a new city for BSides.  That makes 92 events in just over four years, spanning 51 cities, 11 countries, and 5 continents.  And event 100 is just over a month away.  In reality, there will be three events on October 18, numbers 99-101, so let’s call it a three-way tie for 100th.  That three-way tie spans three countries, Poland, Canada, and the US.  Pretty damned amazing if you ask me.

But let’s back up- just what is this “BSides” thing anyway?  There is still some confusion, and a little misinformation floating around.  It started when a handful of people had some ideas, which coalesced and merged the different thoughts into an event in July of 2009, parallel with Black Hat USA and before DEF CON.  The semi-official history is on the Security BSides wiki.  The original idea was to offer a “B-side” to the “A-side” events.  For those unfamiliar with the term, back in Ye Olden Days we listened to music on spinning bits of plastic called “records”; on singles there was usually a mass-market appeal song (at least the artists and producers hoped so) on the A-side, and the B-side was generally more experimental, or more artistic instead of pop-centric.  When such things made it to the radio, A-sides were generally on AM and B-sides were often on that fancy FM.  That’s what we imagined for BSides, a place for more experimental, niche-audience content, plus some things with wider appeal.

(To save you Googling it, “Baby Face” was the A-side to this Little Richard B-side, “I’ll never let you go”)

The first event was held in a rented house in west Las Vegas, a lot of folks came together and made it happen (I won’t try listing names, there are too many to list- besides, everyone who showed up helped make it happen in some way).  We had about 200 people through the house in the two day event, and it was a great success.  People wanted more, so several of us began discussing “next steps”.

There was demand for a BSides parallel with RSA in San Francisco, and the San Francisco-based BSides crew started working to make that happen.

Before the event in San Francisco, some people wanted to have an event by the Bay in Mountain View, but there was no “A-side” event.  General consensus was that BSides events didn’t need an A-side to be successful, or to be useful to the community- so BSides Bay happened in December of 2009.  That’s right, the second-ever BSides didn’t have an A-side.  In fact, most Security BSides events haven’t had an A-side event.  By my count, only 27 of the 91 BSides events held thus far have been adjacent to, or parallel with, another event- and it is becoming less common.  Only 8 out of the 41 BSides this year have an adjacent event.  The standalone events often provide underserved communities with a security/hacker event where none would otherwise happen, and that is a huge part of the value the BSides community brings to the greater security and hacker community.

BSides do not require an A-Side, and over two-thirds of Security BSides have been standalone events.  BSides offer a B-Side to the mainstream.

Many of those 27 were done in cooperation with the adjacent event, sometimes even co-branding and cross-promoting to increase value to all attendees and participants.  Sure, some tensions do happen, but the two big overlapping event pairs (RSA US/BSides San Francisco and Black Hat/BSides Las Vegas) now have open communications and cooperation between the events.  Also, some proposed BSides events never happen; the BSides community sometimes discourages ones which might fragment or stress adjacent community-driven events.  (Note that there has never been a BSides around Shmoocon, for example).

BSides strive to work with and respect adjacent events.

There is a lot more to tell, but that’s enough for this post.  I’ll follow up with more on BSides in coming posts- until then, check the front page of the BSides wiki for all of the upcoming events around the world.

Oh, and pencil in Tuesday and Wednesday, August 5-6, 2014 for Security BSides Las Vegas.  That’s right, we’re changing the days of BSidesLV to reduce overlap with both Black Hat USA and DEF CON- many people in the community have responsibilities which span two or all three of the events of that week, and this move makes it easier to meet those responsibilities.  Or maybe just give people time to sneak over to Frankie’s or Double Down to unwind a bit between duties.