Tuesday, December 10, 2013

My daughter and I will be presenting @ShmooCon!!!

For those of you attending ShmooCon in January, please stop by the "One Track Mind" presentations on Friday. My daughter, Emily, and I will be presenting on her efforts to bring Rachel-Pi and Khan Academy to a school/orphanage in Kenya. Here is the outline:


How Hackers for Charity (possibly) saved me a LOT of money

Who we are
How she got to this point in her life
The process of gathering, building, deploying, and training
What's next

I am proud of my daughter and the work she is doing in Africa, all at the ripe old age of 13.

Help me support her by showing up to the talk. As I said in my CFP for ShmooCon: "As a dad, I feel the need to push the limits of my children. This is the perfect outlet for my daughter to learn about our community in a purposeful way. Not only this, I want the rock stars in our community to help me! IT TAKES A VILLAGE! (or so I hear)."

P.S. It is perfectly acceptable to heckle me, as always, as long as you are not too disruptive to her.

Saturday, November 23, 2013

NSA: The "big stick" of the Executive Branch and how this really affects US security worldwide

***As a former employee (US Navy analyst at NSA), I must say up front "I can neither confirm nor deny any comments made for or against NSA and their collection efforts both internal and external to the US. All questions should be directed to the Public Affairs Office at Ft. Meade, MD."***

Now that I have parroted the official party line, let's talk.

Today I read a very well-written, but sad, article in the Wall Street Journal entitled "Missteps Doomed Civilians As Chemical Attack Loomed." The article outlines a series of steps leading up to the mass chemical attacks in Syria on August 21st. Due to efforts of the US collection system (probably NSA and/or CIA), Syrian troops were known to be using chemical weapons on the population prior to this occasion. These attacks led to the death of a small number of civilians, but were unconfirmed by independent sources. Then on the 21st, an order was given by a senior-level person to perform a mass attack on rebel-held locations and the civilian population in the area.

"Sources" stated that the communications intercept (the order) was not immediately translated and reported because these attacks had become commonplace. It was not until the death toll kept climbing that the full weight of the intercepted order came to light.

I do not blame the analysts who intercepted, translated, and reported this occurrence. I blame the three branches of the government for this. You see, it was Congress who voted in the shambles of a law known as the USA PATRIOT Act. It was President Bush who approved the law with his signature. It is President Obama who has taken the collection requests to an absurdly high level (the number of collection requests on US citizens reached a "critical mass" before the administration decided to stop reporting the numbers). I also blame the Judicial Branch for slowly eroding the power of the Constitution and Bill of Rights over the years.

I mostly blame the Executive Branch of the government for endangering the US. You see, NSA has a military commander who receives collection orders from the Executive Branch. I do not advocate replacing DIRNSA with a civilian because a civilian would still receive orders from the same source. When orders are given, resources in the already strapped NSA are stretched further. This is simple supply and demand. You have a set number of resources. When you add tasking, something else has to stop being collected and analyzed. In this case, it appears that the Executive Branch ramped up tasking on the US populace in a vain attempt to prevent terrorism at home. This left us with fewer resources to stop terrorism abroad.

***Side note - We homeschool. My wife spends a lot of time discussing the law of unintended consequences and their effect on our country. I am beginning to understand the value of this approach.***

Could the mass slaughter of a civilian population have been avoided in Syria? The simple answer is probably not. The long answer is that the Executive Branch already had knowledge of "low level" use of chemical weapons in Syria and did nothing about it. Worse, the Secretary of State opened the door for Russia to step in and solve the chemical weapons dilemma. Finally, the President's inability to lead the world (much less the country) in this matter is abysmal.

This leads me to the discussion of what many people are asking of the US government. Many are calling for the dismantling of the NSA and its collection methods. These people don't usually stop there. They oftentimes complain that we monitor (spy on) other countries, including our partners. I say this is the direction we need to move in. The charter of the NSA was to collect on foreign communications and, at one time, it was forbidden to spy on US persons. The collection on US persons was not actually forbidden, but the burden of proof and the need to collect on US persons was heavy.

Anyone who says we should NOT be spying on other countries is naive. Just because you are our friends today does not mean you will be our friends tomorrow. Not only this, you will NEVER have a utopian society in which all peoples are friendly to each other. The reason for this is human nature. Ask my 7-year-old why communism is such a bad idea and he will tell you it is a great idea until you introduce the human element. After all, if we can't overcome racism, how do you ever think we will reach utopia?

In conclusion, the current "policy" on spying on US persons is stretching already thin resources to a breaking point. This does not allow the NSA to effectively perform its chartered mandates in the collection and analysis of signals from non-US persons. This endangers US interests and persons by requiring poor asset management.

Please feel free to comment.

Thursday, November 21, 2013

The Question of Ethics from an Unethical Blogger

Today I read a blog from Jeffrey Carr (found here http://jeffreycarr.blogspot.com/2013/11/republican-cyber-security-experts.html). What first strikes me is the title, "The Questionable Value and Ethics of TrustedSec's Pen Test of the HealthCare.gov Website."

Value: the regard that something is held to deserve; the importance, worth, or usefulness of something.

The website requires a user to enter sensitive data into it. It is discovered that the website is subject to simple reconnaissance techniques that my 13-year-old can perform, with the help of Google of course. This reconnaissance results in sensitive data being harvested. I think reporting this to the public is valuable. I could be wrong but I doubt it.

Ethics: moral principles that govern a person's or group's behavior

The problem with arguing ethics is that there is no standard by which to judge. Just as the argument that NSA wiretaps of US citizens is unethical cannot be effectively argued one way or the other, this cannot be argued one way or the other. (Author's note: David Kennedy is perhaps the most ethical person I have ever met. Of course, this cannot be proven. By the very definition, it is untenable.)

At this point, I began reading the swill that follows. The point of the article is to show that the witnesses' testimony was swayed by their political beliefs. The arguments are "upheld" by the author in what can only be seen as a completely political tongue-lashing. He seems to be fighting his perceived politics with politics. What? (This reminds me of the "I know you are but what am I" arguments of a schoolyard child.)

The author brings up the ethics of publicly "outing" vulnerabilities. David, on more than one account, in his verbal testimony and in his report, stated that he contacted the government. He also redacted key information about the vulnerabilities that he reported (clearly stated in the report and in his testimony).

What we have here is an author of a blog that clearly keyed in on a single phrase, David Kennedy speaking on FOX News, and put his political beer goggles on, shut down his ability to reason, and threw a tantrum. What he would have seen if he had performed a simple Google search is that Mr. Kennedy has appeared on CNN and other "liberal" shows several times. As a point of fact, he purposefully spreads the love so as to stay above board. (Plus, he would never hear the end of it from Martin Bos if he did it any other way.)

In conclusion, I could have torn this blog apart line by line and word for word but I have better things to do. So, I will leave you with this: Suck it Jeffrey Carr. SUCK IT!

P.S. One more definition. Slander: the action or crime of making a false spoken statement damaging to a person's reputation. (Used in a sentence: Jeffrey Carr's inaccurate blog article on David Kennedy and TrustedSec was slanderous.)

Correction #1 (Sure to be more) Libel: a published false statement that is damaging to a person's reputation; a written defamation. (Example: Jeffrey wrote therefore he is libel). Thanks to Nick for the correction and sorry to @popehat for not learning a thing from your blog!

Wednesday, November 13, 2013

Top 10 IT/InfoSec terms that need to go!

Many people are sick of buzzwords and want to see them go. I am one of them. I never had a problem with it in the past. Until, that is, non-techies began using them without understanding the implications. 

Here is a list of some of my favorites words or phrases that need to go...

1. Cyber - After many years in the DoD I never got tired of this word. Why is it on my list? Because it is overused by non-DoD peeps when they complain about its use. If you stop complaining about the word, its use will be cut by 3/4.

Image credits - L Macvittie

2. Cloud - When I first used this (10 years ago) it was a picture of an actual cloud to show users that the ISP took over. Now it is so pervasive my kids think of computers before they think of rain.

3. Big data - Uh, what! Why did we ever start using this phrase? Oh, I know. The phrase "lots and lots of data" never caught on. 

4. Black swan - Used to be something until it was EVERYTHING. Just because you suck at business continuity and disaster recovery doesn't mean your problem (experienced by others, by the way) is a black swan.

5. ... for fun and profit - Try to at least be original. Nothing says "I'm a copycat" like this phrase.

6. iWhatever - See number 5.

7. APT - If I can sell you on an idea, I can sell you anything else I want.

8. De-duping - Stop trying to sound cool and use words like efficient.

9. Bloatware - Really, we have to create a new word for unwanted software just because it is on a phone (a.k.a. handheld computer)?

10. Brick - You say you bricked your device. Then you rebooted/restored it. If it is bricked then it will never work again for its intended purpose.

Let's throw one more in for good measure.

11. 4G - Stop using this for anything phone related. It is the 4th generation of mobile phone technology, that is all.

There are others that annoy me but these are the top of my list. Do you have any terms that you want gone? Add them to the Comments section so they will be used again.

Monday, November 11, 2013

My misfortune and my new (old) phone

     A few months ago, I had the distinct displeasure of updating my company's Mobile Device policy. It was not the fact that I was writing policy (I actually am one of those weird types who enjoy the nuances of policy writing). The displeasure stemmed from the fact that I purchased the Samsung Infuse and this particular phone did not allow encrypting the handset, a clear violation of said policy. Woe is me. I was discussing this fact with our company's AT&T rep when those fateful words came out; "What kind of phone do you want?" I immediately went tops and asked for a Samsung Note II. His answer, "Give me a few weeks and you'll have it!"

     This sounded like a great deal. In hindsight, it was a mistake. After getting attached to my new Note II, I got a fateful call. I had to return the phone. Now I am back to my Infuse. What was a great phone (when first purchased) is now woefully inadequate. Not only that, but now my development device is no longer usable. I can't play with the Infuse while using it as my only phone. Also, I cannot log in to corporate email anymore. (Actually, I can. I just choose not to bypass our technical controls.) All of this has led me to technology withdrawal. I feel out of touch when I can't respond to an email while waiting in line at the DMV. I always laughed at those who were not sufficiently connected to the world. I now know their pain.

***On a later note. After a week of using my original phone, I am rather enjoying the freedom of responding in my own time! #silverlining***

Thursday, October 31, 2013

ACLU - A Wolf in Sheep's Clothing: But they got this one right!

     In my recent presentations at Hack3rCon^4 and SkyDogCon 2013, I spoke about the fact that NSA wiretaps are legal (according to current interpretation of many laws). In addition, I highlighted some programs that push the envelope on constitutionality. One such program is the Nationwide Suspicious Activity Reporting (SAR) Initiative (NSI). I talked about how this program violates our First Amendment and (possibly) Fourth Amendment rights.

     Yesterday, program details came to light after many years when the ACLU published the findings of its Freedom Of Information Act request. Years ago, the ACLU submitted a FOIA request that was summarily denied by the government. They quickly followed this denial with a lawsuit against the FBI. Well, they won.

     Just as I suspected, the ACLU determined that the program did not have adequate checks to ensure citizens' rights were being honored. This is not their interpretation of the data. You see, they received volumes of internal emails and reports that stated this as fact. Several State-level "fusion centers" complained about the handling of private citizens' data, the lack of a privacy policy, and storage of data in the eGuardian system.

     I still stand by the premises I stated in my presentation. NSA warrantless wiretaps are legal (albeit unconstitutional), blame rests equally on the three branches of the government, and the ACLU is a den of hypocrisy! I base the latter on the fact that they claim that they have

"been the nation's guardian of liberty, working daily in courts, legislatures and communities to defend and preserve the individual rights and civil liberties that the Constitution, Bill of Rights and laws of the United States guarantee everyone in this country."  

Why am I so critical? The ACLU pushes hard for the Bill of Rights on a national level with the exception of the Second Amendment. When I questioned an ACLU lawyer about this at DEFCON XXI, I was summarily dismissed just as the government dismissed their FOIA request. When I asked again for a reason, this time at their vendor table, I was told that it was a state-by-state issue, not a national issue. 

***Apparently, rather than being a guardian of your rights, they see fit to pick and choose what rights you should have!***

I once again submit to you that you should NOT support the ACLU but you should support organizations that believe the entire Constitution and Bill of Rights are worthy of being defended.

Also, before you try and interpret the Bill of Rights, you must read what the authors and original supporters of this great document said on the issue.

If you would like to know more see the following sites:
NSA wiretaps are legal (and other annoying facts) presentation http://www.irongeek.com
Quotes by founding Fathers (public domain) http://cap-n-ball.com/fathers.htm
ACLU article and reports on SAR/NSI www.aclu.com

Wednesday, October 30, 2013

SkyDogCon 2013: Southern charm meets hackers/makers, then gets owned!

     I wrapped up my year of cons with the 2013 SkyDogCon. After attending last year for the first time, the decision to attend this year was a no-brainer. This is perhaps the most unique collection of mini-events wrapped up into a con there is. Highlights include the typical: quality speakers, lock pick area, hardware hacking village, etc. In addition, there is a healthy smattering of the unique: a rocking electronic badge (includes a hardware hacking challenge), paid breakfast on Sunday morning, a Pirates vs. Ninjas Ball, a ham radio license exam, a Lego challenge, and others.

     I will begin the blog with a review of the Hotel Preston. This hotel is the model of "southern hospitality" with a twist of the unique, bordering on eclectic. From the decor to the staff, this hotel sets itself apart. Think of a scaled-down version of The Artisan Boutique Hotel in Las Vegas (former home of BSides Las Vegas) but not as dark. The artwork and decor are an experience in themselves, the food is appropriately priced, and the rooms are clean and modern. My one complaint from last year was the speed of food delivery from the kitchen. This was remedied this year. No complaints from me.

 ****Note: If you are feeling lonely, ring the front desk and ask for a fish. Yes, you read that correctly. If you ask for one, the hotel will loan you a fish tank, complete with scenery and a fish. Then you won't feel weird since you can talk to something instead of yourself.****


   The second thing I will talk about is the relentless promotion of the con by its Core Team and Staff. I first learned of SkyDogCon from SkyDog himself, at DerbyCon. Yep, you read that correctly. SkyDog was staff at DerbyCon in Louisville and was printing up gimmick badges from popular movies. The one from last year was a mock credit card with the "Triple Crown" challenge on the back. This was a call for all card carriers to attend not just SkyDogCon but DerbyCon and Hack3rCon (a.k.a. the trifecta of regional cons). I later discovered that SkyDog (who is also a Goon at DEFCON) was going to give out special promotional badges at DEFCON to anyone willing to promote the con. Sign me up! This level of detail in promoting his con, and the sister cons of the area, highlights his commitment to the industry as a whole! This year he and Mad Mex spent over 6 hours, during the party, printing up badges for anyone who wanted one.

     Third, we have the awesome lineup of speakers. There were 2 speaker tracks (Friday-Sunday) with 20-minute Lightning Talks (Thursday night). I was fortunate enough to be selected for both a Lightning Talk and a main track. The Lightning Talks format was a set of 20 slides that auto-forward every 30 seconds. This was a challenge that forced me to work on my presentation skills. My Lightning Talk was entitled Defense-in-Depth: Fists, knife, gun and will be posted on my blog when the videos are uploaded. Unfortunately, with 2 main talks going on simultaneously, and the other speaker in my time slot being Deviant Ollam, I had a sparse audience. (Thanks to the 7 people who listened to my presentation NSA Wiretaps are Legal and Other Annoying Facts.) My favorite presentation of the weekend was Evan Booth's. He presented a very serious topic with wit, charm, and grace. Then he showed videos of himself totally destroying fruit. You have to see it. It will make your day as well as scare the heck out of you.

     Finally comes the piéce de résistance (I know, the accent mark on the first e is going the wrong way, but I can't make it work on my Mac). SkyDogCon is known for its electronic badges. This year's badge does not disappoint. This badge, which has some hardware issues, is utilizing only about 5% of the functionality it was designed for. That 5% however will blow you away! Its simple design, coupled with the Parallax Propeller chipset, and brilliantly written code is a n00b hardware hacker's dream.

****Note: SkyDog announced that he will repair the badge himself if you bring it to one of the future cons he will be at. Anyone up for a quick trip to Atlanta for Outerz0ne? I'll drive if you pick up the room!****

Schematics and badge hacking tips will be posted on the website shortly.


     So, if you feel that you want to know more, visit the website. Don't forget to sign up for the mailing list and follow them on Twitter.

Website: www.skydogcon.com
Twitter: @skydogcon

I hope you enjoyed this blog entry and I hope to see you next year.

P.S. If you sign up for a ticket early, you get "Early Bird" status and this results in upgrades to your badge!

Wednesday, October 23, 2013

"Stop Watching Us Rally" - How I wish I could be there!

     I recently gave a presentation entitled "NSA Wiretaps are Legal and other Annoying Facts." I am not a lawyer and maybe I got some things wrong. I am ok with this since my point was to get the community talking. The basis of my talk was that the NSA is performing many surveillance actions at the direction of the President, under the guise of crappy law written by incompetent lawmakers in Congress, and with the aid of a Supreme Court and a legal framework that couldn't care less about the Constitution. I made mention of the rally put on by Stop Watching Us. My only regret is that I cannot be there in person. That is why I am writing this. I want to get the word out!
     Please use the link to check out Stop Watching Us and sign their petition (571,000 have signed so far). Also, sign up for their rally. If you cannot go to DC on such short notice, fine, you can attend online. After you do this, please use these 2 links to find your Representative and Senator. When you find them, send them an email AND a fax. Then call them! This has to STOP!
     Don't stop there. Think long and hard about supporting the EFF and their Constitutional campaign.

I will leave you with a quote from one of our founding fathers. Keep in mind that these guys were in the midst of throwing off the yoke of tyranny and the blood was still in their mouths from the fight.


"Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety."
Benjamin Franklin, Historical Review of Pennsylvania, 1759
US author, diplomat, inventor, physicist, politician, & printer (1706 - 1790)

Sunday, October 20, 2013

Hack3rCon^4: Eye of the Storm

     What do you get when you mix Information Security, prepping, and technology with mountains, makers, and moonshine? Hack3rCon! I was fortunate enough to both attend and speak/teach at Hack3rCon^4 this year. This is my second time attending Hack3rCon and I was not disappointed. For the meager price of $75 the attendee will be privy to cutting-edge tools, "A" list presenters, and fellowship.

     This year's con began on Friday with a community-driven class on the installation and use of the new Kali Linux BackTrack load. This class introduced the novice to the tool. The relaxed setting and knowledge of the instructor set the tone for the weekend. Students learned that installing and setting up Kali is easier than earlier versions and is not as frustrating for noobies. Friday ended with an @HackerFamilyDinner at a local steakhouse.
     Saturday began with Dave Kennedy as the keynote. As always, Dave captivated the audience with his simple way of communicating the holes in security "best practice." After all, just because the masses are doing it doesn't mean that it is best. He wrapped up his presentation by performing a quick demo of his new tool [working title: Pentesting Framework]. This was promptly followed by a series of outstanding presentations that ran until 5PM. After a short break for dinner, 304 Geeks treated everyone to a gun safety class (something you never see at a conference).
   The conference wrapped up on Sunday with another lineup of great talks, the wrap-up of the CTF, and several raffle drawings. People said their goodbyes and, as usual, teams were formed to tackle some hard infosec problems.
    My thoughts on this conference are all positive. The small size, usually around 100 people, coupled with the low price for a ticket and the caliber of the presentations makes this one of my favorite cons. I look forward to attending next year.

As always, videos for this con can be found at irongeek.com. Thanks Adrian!

I would also like to thank the rocking sponsors for making this con possible. This is the first time I have thanked sponsors on my blog. This should tell you something about the level of support.

Saturday, October 19, 2013

Hack3rCon^4: Handgun Safety Course

     For those of you that attended my handgun safety course, and are wanting to file for your license in West Virginia or Virginia, you will be required to present a copy of my NRA Instructor credentials in addition to the affidavit. Please go here to download my credentials. NRA Card 

Hack3rCon^4: Notes and slide deck "NSA wiretaps are legal and other annoying facts"

I have had several people request my slide deck from Hack3rCon^4. Because of bandwidth and email issues, I have uploaded it and my notes here. Dropbox

The video of my presentation can be found on IronGeek's site.

Have fun and don't forget to speak with your elected officials often!

*****Note: I got a couple of things wrong in my presentation.
1) The coauthor of the 2nd Amendment that I was referring to is George Mason. Some really good quotes on the 2nd Amendment can be found here and here. Before discussing what the founders "intended," read what they actually said!
2) I alluded to the 17th Amendment as a joke but got the timeframe wrong. The 17th Amendment forced States to hold direct elections for Senators in 1913. Prior to this, some States still allowed Senators to be appointed by those States' governors. The intent of the 17th Amendment was to stop the corruption of Senators at the State level. This worked! However, Senators are now corrupted at the national level.

Friday, October 11, 2013

My EPIC week of FAIL! and better things to come

So, this week was a hum-dinger! I tackled some tasks at work that, well, didn't work. I finally started some high priority home projects that, well, FAILED! I decided that self deprecation is about the only thing I can get right this week so here it is...

WORK
Q: What happens when you spend hours creating a powerpoint presentation and import it into Captivate (like I have done many times before)?
A: It crashes your computer of course.

Q: What happens when you restore files from the midnight backup?
A: It does not restore the last 6 hours of work of course.

Q: What else happens?
A: You also have to do another 5 hour FTP of Rachel-Pi.

Q: What happens when you change your password and forget what it is?
A: You continue an all-day loop of forgetting and resetting your password.

HOME
Q: What happens when you root for the Jets while putting DD-WRT on that shiny new router?
A: You accidentally rip the power cord out of the back, bricking the router.

Q: What happens when you perform a "hard" reset (like I have had to do many times before)?
A: You listen to things go pop, watch the blue smoke escape, cry as the power light goes black, and cover your nose from the acrid odor.

Q: What happens when you root your old Android phone in order to get ready to play at SkyDogCon?
A: You remember that you stopped using the phone because it won't hold a charge longer than 1 hour!

Q: What happens when you decide to give up on all things electronic and you take the trash to the curb?
A: The Herbie cart slips out of your hand and trash spills all over the yard!

On the plus side, I will be starting a new blog series that will include learning a new tool, reviewing it, and interviewing the author. Many brilliant people have responded favorably to my interview requests and I will begin with Armitage and Raphael Mudge.

Oh, last but not least, I have been accepted to speak at SkyDog! This week was not a total FAIL.

I think I will sleep until Monday now.

Tuesday, October 8, 2013

What are you doing in May? I'm going to another BSides!

     BSides is one of the greatest ideas I have seen in a while. Its stated goal is to be a "community-driven framework for building events for and by information security community members." That leads me to the next BSides I will be attending. On May 17, 2014, the Ezell Center at Lipscomb University will play host to BSides Nashville.
     Looking at the list of organizers/volunteers, I can tell you this should be a quality event. This, coupled with the location and the keynote speaker already slated to present, is money baby!
     I had the opportunity to hear Brett Wahlin, the CISO of HP, speak (you still haven't accepted my invite on LinkedIn by the way). He came to the University of Kentucky HealthCare and helped to educate our IT staff on the importance of protecting the confidentiality, integrity, and availability of our strategic asset, data, without resorting to FUD. This is something very few people can accomplish. FUD usually creeps into the conversation in some way.
     Looks like I will need to start a new research project so I can have something new for the CFP (happening now by the way). See you there!

Make sure you check out the websites and follow them on Twitter for updates.
BSides Nashville website: http://www.bsidesnash.org
Security BSides website: http://www.securitybsides.com/w/page/67993467/BSidesNash2014

Twitter handle: @bsidesnash
Twitter tag: #BsidesNash

As always, feel free to comment.


Saturday, October 5, 2013

Louisville Metro InfoSec Conference

     A small conference, in a big city. This year I attended the Louisville Metro InfoSec Conference. This is my third time attending and will not be my last. The quality of presentations is always great and the small number of attendees gives the con an intimate feel. This year, the highlights for me were the second keynote speech by David Kennedy (Burn it Down! Rebuilding an Information Security Program), the presentation by Adrian Crenshaw (Information Security in University Campus and Open Environments), and the lock pick area run by Kyle Stone.
     What can I say about Dave's speech? As usual, it was very entertaining. Start with a gut check, add a liberal dose of humor, and end with 5 key steps that will help any organization improve their business. Yes, I did say improve your business. After all, no one wants to start a business to meet compliance. They want to make money. Watch Dave's presentation for more information.
     Adrian had a very interesting presentation. He helped the audience understand how an average college co-ed could wreak havoc on the open networks at universities. After all, most university administrators actually believe that creativity is stifled if you even attempt to secure your environment. He also highlighted the means by which IT and InfoSec can counter these "hackers." The presentation is heavy with links to tools but I recommend it since the tools are worth it.
     Finally, the lock pick village was the break I needed from the typical con burnout. There are few things better than picking up a couple of small pieces of metal and opening those wafer locks!

As always, the videos can be found on www.irongeek.com.

Monday, September 30, 2013

DerbyCon 3.0 is over, CPEs logged, It's a wrap!

     I have just logged my CPEs so it must be over. Another DerbyCon has come and gone. Friends were reunited for a flash and life will be returning to normal soon. I always write something about the cons I attend and this is no different. Well, maybe it is a little different.
     You see, this year's DerbyCon was completely different for me. After helping Adrian Crenshaw (Irongeek) with video at BSides Las Vegas, I offered my services again. This time, my reasons were less selfish. (After all, I was late to the game for BSides and couldn't get a ticket unless I volunteered.) This time, my purpose was to give back. The crew of DerbyCon have each helped me in some way or another in the past 3 years so I felt the call. They are not aware of how they have helped so here it is:

1. DerbyCon has put me in touch with a new crop of people who have similar experiences in IT/Security burnout.
2. I have been able to talk to industry leaders and determine my future Information Security roadmap/career.
3. The quality of my work has increased due to me having a core of colleagues that I can bounce ideas off of.
4. I just enjoy talking to people again...

I tried not to bore you guys with a recap of the briefings I sat through. After all, you can just check those out at the irongeek.com website. Thanks for taking time to read my blog and, as always, feel free to comment.

And again, thanks for putting on a great "family" style conference. See you next year (I'll be the guy in the Staff t-shirt and the hip toy).

Wednesday, September 25, 2013

DerbyCon 3.0 - All in the Family

Welcome to DerbyCon 3.0 – “All in The Family”.

     It is that time of the year again. Every September (for the past 3 years anyway) InfoSec professionals, hackers, and the 3l33t descend on Louisville, KY for a week of technical training, presentations, and, more importantly, hallway con. I am looking forward to catching up with friends and making new ones. If you are going, feel free to hit me up. You can contact me on Twitter at @cowboysfaninky or email at bwmgwm1@gmail.com. I can't wait to see you there!

Goals: It is hard to hit the target if you can't see it

Pick up just about any self-help guide or management book and you will read about the virtues of written goals. I have had great personal success over the years by writing down, and working from, goal sheets that include short-, medium- and long-term goals. Because of this success, I have decided to do the same with my bucket list. After perusing the interwebs, I decided to use a website called wishberg.com. This website allows the user to create a bucket list with a Pentest feel to it. Feel free to check out the site and my bucket list. You can find my bucket list at http://www.wishberg.com/bwmgwm/wish

As always, feel free to leave a comment.

Monday, August 26, 2013

Hack3rCon^4 - Eye of the Storm

Drum roll please!!!

I have been selected to present at Hack3rCon^4. This will be my second time presenting at what is one of my favorite cons. What is the topic you ask?
NSA wiretaps are legal and other annoying facts

I debated whether I wanted to display my outline here but, to be honest, my presentation grows with every day of research.

As usual, I will write a blog post about the con and will provide a link to the video provided by IronGeek.

Tuesday, August 13, 2013

DEFCON Shoot (Two days I never should have missed)

To sum it up...♫ I did a bad bad thing ♫ You see, while volunteering at BSides Las Vegas, I decided not to go to the DEFCON shoot. After all, I didn't have a car, I didn't know anyone, and I was having a good time at the Tuscany. Now that I am home and the con craze is over, I realized I should have gone anyway. Here are the top 10 reasons why:

(Drum roll please!)

  1. What better way is there to exercise your 2nd Amendment rights than to throw some lead down range!
  2. Having no car is not an excuse! The DEFCON Forums include a shoot thread where details of the carpool are discussed.
  3. The BSides staff had a shuttle bus that ran to the Rio multiple times a day.
  4. Registration for the shoot is easy.
  5. The price is right. $20 at the door. Cheaper if you register early and get one of the discounts.
  6. You get to spend time with some really great people. Deviant Ollam (of DEFCON17 "Packing & Friendly Skies" fame) for one.
  7. A bad day on the range is still a great day!
  8. The smell of gunpowder is exhilarating!
  9. Transfer of knowledge. I have been shooting for 30+ years and am still learning.
  10. The chance to shoot guns that you haven't shot before. I have access to quite an extensive collection but there are still guns I haven't shot. Friendly shooters will let you shoot their guns.

(Crash of the cymbals!)

     To correct my transgressions, I reached out to Deviant and volunteered for the DEFCON22 Shoot. After all, the top reason for me becoming a certified NRA Pistol Instructor and Range Safety Officer was to promote the shooting sports in a positive and safe manner.
     I encourage you to head out to the DEFCON forums and the Unofficial DEFCON Shoot Page for more information. I hope to see you next year and remember to shoot safe, shoot accurately, and defend your 2nd Amendment rights!

Friday, August 9, 2013

Thanks Irongeek!!!

     I had the honor of assisting Irongeek (Adrian) with video capture at BSides Las Vegas last week. Not only did it get me a free badge to the event, it reinforced a lesson I learned years ago: The more you help others, the more you get in return. Volunteering at BSides connected me with a whole new group of friends as well as solidified my friendship with those I had met before.

Today I added Irongeek's RSS feed to my blog. His feed/website hosts videos from many conferences (BSides Las Vegas, BSides Boston, AIDE, Outerz0ne, and Notacon to name a few), InfoSec articles (Raspberry Pi recipes, How I Got Pwned, and I2P/Tor workshop notes), and a host of other information. Please check it out regularly and don't forget to click on his sponsored links (he does get a few pennies when you do).

Thursday, August 1, 2013

The BSides that started it all

This year I was fortunate enough to attend Security BSides Las Vegas. Security BSides spawned from the inability of Black Hat USA to include all of the worthy presentations in their lineup in 2009. This shortcoming resulted in one of the best InfoSec conferences in the nation.

     The first thing that I noticed was that the venue changed from the Artisan to the Tuscany Suites and Casino. I liked the unique atmosphere of the Artisan but felt cramped (this from a former Navy submariner). The Tuscany suites were nice and spacious, cheap, and clean. In addition, the hotel staff were friendly.
     Because I arrived the morning before the conference, I decided to take a stroll around the facilities. This is something that I learned in the military. Always know where you need to go, how to get there, and develop a sense of situational awareness. While doing so, I stumbled across the main meeting room for the con. There were many volunteers rushing around putting the finishing touches on the meeting rooms. Because I like to meet new people and felt the need to pitch in, I asked where I could help. Over 2 hours later, after folding what seemed like thousands of t-shirts, I managed to meet many new friends. Exhausted from the day's travels, I turned in.

     The morning of July 31st, I woke early and returned to the conference area to check in and badge up. The abilities of the volunteer staff were evident as the line constantly flowed and I got my volunteer badge and complimentary sling bag in no time. In addition, a random staff member handed me a social engineering badge and explained that I was now part of the Social Engineering Capture the Flag. Fun! I quickly found Irongeek since I was volunteering to be one of his video monkeys (he used a different name for me).

     What I experienced next was pure joy and excitement. I was witness to 2 full days of information security, computer hacking, and life enrichment/self help. I only attended 2 presentations out of 16 that I didn't absolutely enjoy. These 2 just weren't to my liking (personally, not professionally). The con staff did an excellent job at selecting presentations/presenters. Every presenter was personable and stayed to ask questions after their talks (something that doesn't always happen at other cons).
     Some of the presentations I attended were:

  • Christien Rioux: "The Security Industry - How to Survive Becoming Management" (KEYNOTE)
  • Jimmy Shah, David Shaw, and Matt Dewitt: "Discovering Dark Matter: Towards Better Android Malware Heuristics"
  • Jay "Rad" Radcliffe: "Mom! I Broke My Insulin Pump...Again!"
  • Evan Davidson and Noah Schiffman: "Dungeons & Dragons, Siege Warfare, and Fantasy Defense in Depth"
  • Jack Daniel: "The Erudite Inebriate's Guide to Life, Liberty, and the Pursuit of Happiness"
  • Nicholas J. Percoco and Joshua Corman: "The Cavalry Isn't Coming: Starting the Revolution to FSCK it All!"
  • Steve Werby: "Crunching the Top 10,000 Websites' Password Policies and Controls"

     So, I have rambled on as usual. I will now cut to the chase. Here are the takeaways from my BSides Las Vegas 2013 trip:

Pros
  1. The new venue (Tuscany) was open and airy with plenty of space
  2. There were 6 distinct tracks (double last year): breaking ground, common ground, proving ground, underground, lightning talks, and training ground
  3. The staff were approachable, helpful, and cared about their product
  4. The volunteers did a great job
  5. The price was right - FREE!
  6. The talks were informative and high quality (new presenters were assigned mentors)
  7. There were free shuttles to the other cons (Black Hat and DEFCON)

Cons
  1. I didn't get my free drink coupons upon check-in (remedied quickly when I notified the staff)
  2. There are not many budget restaurants within walking distance (the midnight Steak and Egg special in the hotel was only $5.99)

More information on BSides Las Vegas can be found at www.bsideslv.org and www.securitybsides.com.
***BSides Las Vegas presentations (and many others) can be watched for free on the website irongeek.com.