Some thoughts on infosec and social media

I posted the thought above on Twitter a couple nights ago.

Rereading it, I feel I need to expand upon my idea, because there are a couple motivators for the tweet. First, the tweet was not worded very well. It comes off as saying that people on Twitter are not as good as those not on Twitter. This wasn’t my intention. I think there are really good people both on and off Twitter. The idea is more about myself and evaluating whether or not I’d be a better infosec person if I were to stay off Twitter.

A majority of the people I work with on the security team are not on Twitter. All of them are really good at what they do. I know there are more of those types of people, because I’ve worked with others who are really good at what they do. Twitter is a very small subset of the people within the infosec field. I think it’s important that what is said and done on Twitter doesn’t necessarily reflect on the entire industry. I was also watching a YouTube video at the time of a buddy of mine who has a Twitter account, but doesn’t tweet a lot. He’s really smart and is doing some pretty amazing things in the field. I’ve wondered if I need to be spending more time being productive and less time on Twitter.

Twitter being just a small part of Twitter is also why I was a bit disappointed to hear that this year is DerbyCon’s last. I like to go to DerbyCon. I have a good time and I catch up with friends and make new ones. There’s a lot of positives to the conference. Unfortunately, there is also some drama, which gets amplified by Twitter. It’s draining on the conference organizers. I get it and I don’t have any ill feelings towards their decision. It’s their conference.

What I think it highlights to me is that sometimes we need to step out of our own little bubble and look around. Twitter, and social media, is our own little world. We create it and curate it to our beliefs and preferences. It can certainly be a useful tool for information, but it can also create our own bubble that consumes and drowns us.

Things that get our attention the most are on social media are controversial. It’s frustrating and depressing. I take solace in the fact that there’s a larger world with the those things but also a lot more good.



ShowMeCon wrap-up and what's ahead

I know. I know. It's been two weeks since ShowMeCon. I've been busy! Within hours the neighbors wanted to hang out (I brought the St. Louis beer). The next day, I had a big case of the don't give a shits. I didn't get a podcast ready for that night's release.

I went to work Monday expecting to head home and work on some stuff (like get a podcast out). Instead I was informed the development team I work with was heading to Nashville Sounds game, because some people were in from out of town and I was invited. I went. Tuesday, I played soccer for two and half hours, because I like pain (I didn't regain full functionality of my legs until Saturday). Wednesday was a social night, because those same people were in town (yay!). I got home and got the podcast out, three days late. Thursday, I wrote about suicide. Friday, I wrote about password policy. Both very serious topics.

Things sort of got normal after that. I took the weekend to kind of dink around on stuff I wanted to do. Monday I got two of the four podcasts edited I needed to. I was invited over the neighbors Tuesday for beer and baseball. Finally, last night I got four podcasts scheduled. I'm heading to Asheville tomorrow for BSides Asheville (still looking for a ticket). Much beer (and maybe a podcast) will be involved. Tonight is the night for me to write something and hopefully get a little Overwatch in. Damn I've been busy. Didn't really realize that until writing it down.

Back to ShowMeCon. This was my third year and fantastic as always. It's the ideal security conference. The hackers think it's too businessy. The business people think it's two hackery. There are more women at this conference than any other security conference, I've been to combined. I love it!

I did my first ever podcast panel, which went really well for being the first time. They had a personal trainer there to talk about health and fitness. There were a lot of questions at the end. This might be something I need to write about. I do work at a wellness company after all!

During the conference I managed to get two interviews for the podcast recorded. I really like the idea of recording interviews at conferences. It's a much better vibe when the two people are in person. It flows better. There's the low rumble of the crowd. The low thud of doors smacking closed. It's fantastic. Those will be releasing over the next two weeks.

Now that ShowMeCon is over, I've been re-evaluating my desire and need for submitting to conferences. I've been speaking since 2015. It's a great challenge and a good career booster. Now that I'm at a company that I adore and in a role that continues to expand, I'm starting to wonder the value I'm getting out of submitting to conferences. I love sharing ideas and challenging myself to become a better speaker. The downside to speaking is that it takes time away from my family.

I have two kids still in the single digits. I'd like to spend more time with them. At one point I was slated to be at 12 conferences this year. With other obligations, conflicts, and one conference not happening this year, I'm down to eight. That's still quite a bit. I've presented at all five I've gone to this year. It's not just going to the conference that takes time. It's also the preparation leading up to the conference. I spend several hours putting the talk together. Then I spend the week leading up to the conference practicing the talk. This is on top of the weekly podcast I produce.

I spend a lot of time in the field. Because of my expanding role I'm spending more time at work now too. I'm trying to find that balance. I'd like to spend more time with my kids. I think that will be at the cost of the conferences I attend. If I do submit a talk, it'll be for a podcast panel. The preparation for that is much easier than a full blown talk. I'd like to say I'm cutting back on conferences, but I don't think it'll take much for me to go to a conference (someone asks). We'll see.

 This blog post first appear on Exploring Information Security

My first developer focused talk on security at Nodevember

On Monday, I had the opportunity to speak at Nodevember. The title of the talk is, "How to embed security into your process." I've wanted to get out and speak at a developer conference since the beginning of the year. Nodevember was the first conference to accept my talk (CodeMash next month is the second).

My talk

I believe developers have a lot of say in regards to the security of an application. I believe that we have a lot to say in regards to application security. I've been speaking on application security for the past couple years at security conferences and local meetups. That's great and it helps teach others in the field about application security. Where I can also make an impact (and potentially more so) is at developer conferences.

Developers have a lot of interest in security. There is proof of that from today. The talk before mine, "The State of Node Core" (good talk) had about a third of the seats filled. By the time my talk started just about all the seats were filled and a couple people were standing in the back. I was both happy and terrified.

My assessment of my talk was okay. I checked the schedule of the talks when I got to the conference. The 40 minutes I thought I had, was actually 30 minutes (my goof). I tried not to freak out. I'm usually quick on practice and I could cut out some things I needed to. By the end of it, I had discussed everything I felt was necessary and still had three minutes to spare.

I missed a couple elaboration points and a rant. I could have gotten those on my final thoughts slide, but my mind was blank. I was doing the talks with just slides and not presenter notes. This was due to me not wanting to waste time switching displays for the demos I was doing. Speaking of demos, I had one fail on me because I didn't practice my talk using my phone hot spot. My VM network settings was set to use Wifi.

Overall, it was okay. I got positive feedback from several people, plus some suggestions on what I could add to the talk (I asked for that specifically and was not disappointed). It was expressed to me that developers would love more security talks at developer conferences. There was some frustration around getting fellow developers to take security more seriously. Something I can sympathize with.

Here's some of the specific feedback and suggestions I got (thank you to those that gave feedback):

  • They really liked the OWASP ZAP demo

  • securityheaders.io (I did a content security policy demo before my talk)

  • Docker Hub Images - static analysis (I need to research this)

  • HTTPS - Cloudflare and Lets Encyrpt

  • Lateral movements

I don't think all the feedback is in the scope for this talk. It certainly gives me ideas for future talks.

Other talks at Nodevember

I also really like attending developer conferences, because I still have a lot to learn from the development community. I have the same feeling of wonder and inadequacy as I did when I first started going to security conferences. All three talks I attended were great and taught me something new.

Unlocking the Mysteries of Unfamiliar Codebase by Randy Cox touched on diving into an unfamiliar codebase. This is a big thing for application security professionals who need to do code analysis. My confidence was boosted by Randy, because I was already doing a lot of the things he recommends. He also gave me some new ideas for looking at unfamiliar code.

My notes:

  • Document

  • It's like an investigation

  • Make sure everything is in source control

  • Where is all the code?

  • Git blame

  • Document startup sequence and system architecture

  • Use "code analysis" instead of "documentation" if management wants you to only code.

  • Don't fix things - document and write bug tickets

Using npm scripts as your build tool by Elijah Manor. This talk was a little over my head. The scripts he covered were for automating some of the builds you can do in Node. Lot of cool scripts and ascii art.

The State of Node Core by Colin Ihrig. This talk gave an over view of the Long Term Support (LTS) schedule. Talked about some of the statistics on Node version use. Talked about new features and some other items I hadn't heard of before. Colin also talked about some of the security improvements on the way.

The closing keynote, Welcome to the new npm by Laurie Voss was very entertaining and enlightening. He covered the past of npm, as well as looked at the future of npm and Javascript development.

Final thoughts

More security people need to get out to non-security conferences to learn, gain an understanding, and contribute.

HipChat's Security Win

<INSERT SCARY HACKER PICTURE WITH SALACIOUS HEADLINE>

I was disappointed not to find any of the HipChat coverage in my Feedly reader this morning from the infosec news sites. It hit plenty of main stream sites like engadget. I'm sure there is coverage on some infosec sites. It's just not as wide spread as I see for other breaches. Why is this?

Well it might have to do with HipChat having a good response to their incident. Most of the detail for the breach comes from their own blog. Over the weekend the detected a security incident affecting their servers. The incident was the result of a vulnerability in a popular third-party library.  The attacker may have accessed user account information for everyone using the service. Because of that they invalidated everyone's password and asked them to setup a new one via the forgot password link.

They were reaching out to 0.05% of their users who were more seriously impacted by the breach. For those users messages and room content may have been accessed. For everyone else it was just (potentially) account information.

While this is an unfortunate incident to occur, this is a security win for HipChat.

They detected the incident and within days made an announcement. This led to a very small percent of users being impacted. They went ahead and invalidated everyone's password. I logged out and tried to get back in with my old password and it wouldn't work. I had to use forgot password. This meant that password didn't need to be changed immediately if people were still work or hadn't heard of the breach yet. Unfortunately, I don't think they accounted for the demand on their forgot password page. The page was essentially denial of serviced causing some frustration among users. I'm sure there will be plenty of lessons learned this week.

I wanted to write this post because I think we should highlight more security wins in our industry. The sites I use to keep up on infosec are focused on NSA backdoor detection, BrickerBot, among other nasty things. All still relevant and scary. However, we are seeing some positive things in security. HipChat is a good example of that and I applaud them.

This post first appeared on Exploring Information Security.

How to build a home lab links