
Information Security


[ETA: Added in James Lee's excellent State of the Metasploit Framework talk, which I stupidly omitted by accident!]

 

Once you hang around in infosec for a little while, you learn that each of the major cons has its own reputation, its own mini-scene. This one's got the great parties, that one has the best speakers, that other one is where the fresh research is presented, et cetera. One I kept hearing lots of good things about -- full of great content and really great people -- was Derbycon, a newer con entering its 5th year this year in Louisville, Kentucky.

 

With these words of praise in mind I went to Louisville last weekend and learned very quickly that Derbycon really does live up to its great reputation. It's a space where not only are n00bs (like me) welcome, but even seasoned pros bask in the positivity and family feel of the space. I don't think I've ever seen quite so many whole families with kids at an infosec con as I did at Derby. Maybe it's the genteel kindness of Louisville that rubs off on the attendees, but at Derby everyone was so friendly and the whole con felt very welcoming. Linecon, barcon, outside-the-front-entrance-smoking-con -- anywhere you went you had a great conversation with someone. (And it really can't be a coincidence that the 2 Black badges up for auction at the closing ceremonies each went for $7000, with all money going to Hackers for Charity. That's really amazing.)

 

... True enough, the beer and bourbon were flowing a-plenty -- and boy was that bourbon good -- and the community and surrounding company were the best part of the con. No surprise, the talks were top-notch too. I'm embedding a few videos of my favorite sessions below, but admittedly I am not as up on my technical knowledge as most of you. You can peruse the ENTIRE list of Derbycon 5 talks in this playlist: https://www.youtube.com/playlist?list=PLNhlcxQZJSm8cr3iBN27VZ4Rm11Erbae-

 

But for those of you looking for a little taste of it, take a look:

The State of the Metasploit Framework -- by Egypt

What changed this year? What community contributions did we see? What cool new shiny things are in Metasploit Framework that you might have missed? Everyone who uses Metasploit should tune in.

 

The Opening Keynote - Information Security Today and in the Future -- featuring Ed Skoudis, John Strand, Chris Nickerson, Kevin Johnson & HD Moore

This was a really fascinating keynote -- there was a lot of emphasis on pen testing in this, but it touches on a lot of topics from the importance of relationships with your IT and devops team to educating the workforce. There's a ton in here, give it a listen.

 

Started from the bottom and now I'm here: How to ruin your life by getting everything you ever wanted - by Chris Nickerson

I missed this one in person and regret it IMMENSELY. Thankfully, Egypt shared it on twitter with a hearty endorsement, and I hugely agree. This isn't a tech talk, but if you work in infosec or with people who work in infosec... you need to see this talk. What happens to "infosec rockstars"? What is the real cost? What is the state of our community today?

 

Gray Hat PowerShell - by Ben Ten/@Ben0xA

Now this one IS a more technical talk, so if you already grok PowerShell this one's for you (not for PowerShell newbies). I couldn't get into this one as the line was out the door and around the hotel so... check it out.

 

The Metasploit Town Hall -- with todb, Egypt, thelightcosine & busterbcook

Back again to Derbycon, our High Priests of Metasploit give the community an update on what's new in Metasploit and take questions from those in attendance on what they'd like to see or improve.

 

Developers: Care and Feeding  -- by Bill Sempf

If you work with developers, and feel like you and they are speaking two very different languages and have massively different priorities, you need to hear this talk.

 

Other random things I learned at Derby:

  1. Some of you guys can drink a lot -- a LOT -- of bourbon and beer. Wow.
  2. It is entirely likely that you will walk into the Hyatt bar on any Derbycon evening and see several Cards Against Humanity games going on concurrently.
  3. I have now righted a GREAT wrong in my life and finally saw the "classic" 90s movie Hackers thanks to the 20th anniversary screening at Derby. (Yes, yes, I know, it's unfathomable that I hadn't seen it before. But now I can shout HACK THE PLANET!!!! with the best of them.)
  4. Judging by the references and fsociety shirts I saw, Mr Robot seems to be pretty popular in our scene -- and I'm glad, because I already can't wait for season 2.
  5. I know it's not the 90s anymore, but The Crystal Method can still really rock the house, and some of you look quite lovely in blinky cyberpunk headgear.
  6. If you are at all a light sleeper, make sure you book a hotel room above the 10th floor. I was on the 4th floor, and the parties were on the 2nd floor and, well, not much sleep was had.
  7. The Meme-Fu from some of the speakers at Derby was just so damn high:

'Til next year, Derbycon.  Let's keep that welcoming feeling going even outside of Louisville.

[update 3pm EST Sept 9] This AMA is now live! The direct link is here: https://www.reddit.com/r/IAmA/comments/3ka38q/we_are_professional_iot_hackers_and_researchers/

Join us and ask your questions!

 

 

Following up on their research on IoT baby monitor vulns, Mark Stanislav & Tod Beardsley will be doing an Ask Me Anything (AMA) on Reddit in r/IAMA this Wednesday, September 9, at 3:30pm EST.

 

They'll be answering any/all of your questions on Internet of Things (IoT) security, as well as their baby monitor security research findings. Make sure to join us in the subreddit right here: https://www.reddit.com/r/iama/

 

Need proof? Here you go:

First things first:

>> You must be registered & confirmed to be able to attend our 2015 Black Hat party.  <<

I can't emphasize this enough: Unlike previous years, we are not doing any kind of at-the-door registration for our party this year.

 

If your plan was to live in the spirit of utter spontaneity, roll up to the club and see if you can happen to get in without registering beforehand -- you're going to be disappointed, and we really don't want to see that happen! While we absolutely want to see you and welcome you to our legendary party, we need everyone who wants to come to please register in advance.


As I write this, we still have some space left before we hit capacity and have to close down registration, but we are getting awfully close to that point. So if you're thinking you'd like to party with us, please don't wait to sign up.

 

Image from @defconparties of last year's fantastic party!


Trey Ford's Black Hat Attendee Guide

This year I've been prepping for Black Hat a lot earlier than usual by reading Trey's Black Hat Attendee Guides very, very carefully. Speaking of, have you read my esteemed colleague's excellent Black Hat Attendee Guides yet?  There's lots here for pros and n00bs alike --

 

The Black Hat Attendee Guide

 

These posts are chock-full of useful information from a guy who really knows both our industry and the conference scene. Benefit from his wisdom and experience, folks!

In between packing this weekend/Monday night/Tuesday?, take the time to give these a read, and you'll get a lot more out of your week in Vegas. (I went out and bought some of the items he mentioned in part 7, because I barely made it through the week last year!)

 

A busy week in Vegas—come by and see us!

And of course, Hacker Summer Camp isn't just about parties -- though it helps -- we'll be at Black Hat, BSidesLV and DEF CON next week.

 

Hear our experts present at Black Hat

    Wim Remes, August 5 @ 10:20AM, Mandalay Bay BDC

The underbelly of the Internet has been in a precarious condition for a while now. Even with all the knowledge about its weaknesses, we only make slow progress in implementing technology to secure it. We see BGP routing leaks on a regular basis. It almost feels like we take it for granted but at the same time it undermines our trust in the Internet. In this talk, we'll review the current situation for BGP, a foundational piece of the network we all rely on, and focus on the practical implementation of available countermeasures through live demos and examples. In and of itself, we launch a call to action for private organizations, government entities, and academia alike to roll up the sleeves and get cracking at fixing our Internet. If we want to keep trust in "The Internet of Things," we first have to build trust in the network that powers it.

 

    Trey Ford & Kevin Bankston & Rebekah Brown, August 5 @ 4:20pm, South Seas GH

Sharing information isn't hard - getting past backroom deals, NDAs and approval from general counsel is *very hard*. This topic is not two-dimensional, even if we are quick to weigh data sharing in the face of data breaches, and the US has several pieces of legislation in play on this *right now*.

Conservatively there are over 300,000 open jobs available in information security- efficiency, prioritization and alignment with IT has never been more important. Information sharing and threat intelligence offers hope that we can better inform priorities to align with real threats, however these solutions come with a new set of questions.


    Nick Percoco & Tim Wilson & Lee Kushner & Kevin Oswald, August 6 @ 3:40pm, Mandalay Bay Room J

The bad news is that enterprise data is at risk, and the attackers have the advantage. The good news is that this situation has created a boom market for IT security professionals. How can a skilled security pro take advantage of this lucrative marketplace? What's the best way to find new job opportunities and open positions? What skills and training are the best resume builders? Which positions offer the best salaries, and how can security pros find them? If you are doing the hiring, what positions are most in demand, and how can you identify potential candidates who have the special skills you need?

 

Visit us at Black Hat Booth 541

Our booth in the vendor hall is #541, conveniently right next to the Networking Lounge. We have the full schedule of booth events right here -- and in addition to product demos, we'll have a number of theater presentations happening on Wednesday and Thursday by the likes of Mark Stanislav (@markstanislav), Leon Johnson (@sho_luv), Christian Kirsch (@chris_kirsch), Mike Scutt (@omg_apt), Tod Beardsley (@todb) and Wim Remes (@wimremes). So come on by our booth to hear their nuggets o' wisdom, or to meet them and say hello!

 

Get your free Metasploit t-shirt

And as we do every year, we're giving out free Metasploit t-shirts at our Black Hat booth. Tod has more details on our fantastic community-contributed design this year, and for the first time in a while the shirt isn't black, white, or grey, but NAVY. *gasp*  And we'll also have women's sizes, hooray!  So while you're dropping by our booth to pick up your party badge, hear our theater talks, or get the scoop on the latest from us, don't forget your free t-shirt! Though judging by the lines we've had in past years, you probably won't be able to miss it.

 

Meet our Recruiting Team at BSidesLV and Black Hat

Kate Launey (@kate_launey), a member of our recruiting team, will be on-site at BSidesLV both Tuesday and Wednesday, available to talk about our open roles and to answer any job-related questions you might have.  As proud BSidesLV sponsors this year, we'll also be participating in the Career Track on Wednesday. Kate will also be at our Black Hat booth on Thursday.

 

So if you're interested in joining our ever-growing team here at Rapid7, or are just poking around to see what's out there, feel free to talk to ANY of us about what it's like to work here (spoiler alert: it's awesome), and if you'd like to talk about open roles specifically, make sure to say hello to Kate!

 


 

Support the EFF at DEF CON, get cool stuff

Near and dear to my heart as always, and especially this year, is our DEF CON fundraiser to support the excellent folks at the EFF.

 

This year, we wanted to say it loud and proud: OPEN SOURCE IS MAGIC. Well, at least indistinguishable from magic, but you know what we mean.

 

Our t-shirt design, seen at right, is one that I'm happy to say I drew myself, huzzah! /flexes

So I'm very excited to see it on our official DEF CON t-shirt! (I'll gladly sign your shirt if you'd like to make yours a limited-edition-artist-signed version, which I'm sure will go for a whole dang lot on Ebay one day. Right? Right?)

 

We'll have men's and women's sizes of the shirt available at DEF CON ($20), as well as laptop decal versions ($2) — all to support the EFF (we don't make a dime off of these). And we've already had requests for kids' sizes and onesies... we won't have them for DEF CON but we're looking in to having them made, if these shirts are as popular at DEF CON as we suspect they'll be.

 

Come see us in the DEF CON vendor hall, support the EFF, everybody wins!

 

BTW, a big thank you to Marshall Kirk McKusick for his blessing in letting us use the FreeBSD Daemon in my design. So yes, the BSD Daemon is used with permission.

 

I'll be spending most of my time between BSidesLV and DEF CON next week, so please say hello!

 

I'm looking forward to a very busy, crazy, insightful, blurry Vegas week next week—hopefully I'll remember some of it after it's all over!

@mvarmazis

Joining us for the first time? This post is part of a series that starts right here.

So this post is a bit of a bonus. I've asked my dear friend Quinton Jones to share some wisdom and inspiration on how he injects passion and energy into his introductions. He's simply unforgettable, one of the greatest customer champions and business development folks I know, thanks to his passion for people. Please enjoy this five-minute mental vacation, and get excited about the magic of meeting people next week! ~trey

 

I’m tickled to the core, from merely being invited by the super posable action figure Trey Ford (as I call him) to weigh in on this topic of talking.

 

On the authority of my own personal “spidey sense,” it seems to me that we’re on the course correction path as an industry, but it feels like we almost completely turned into a zoo for a minute there, and simply need to start over at the beginning.

 

What I mean is something I learned from one of the lesser-acknowledged-and-discussed-but-equally-credentialed other disciples of the Jesus of Nazareth—most call him Alex Stamos—basically, the narcissism in the room was strangely strong a minute ago, back when we somehow all agreed the aspirational finish line of the infosec discussion was when we identified the problem.  Which, admittedly, was highly strange and I’m as guilty as anyone.

 

But the simple, actual truth—like the zen economics of how we really got out of the game of counting our 9s and broke through to 100% uptime type phrases—began when we first admitted we were pretty dumb to have been aiming for 100% of anything in the first place. After all, it’s one of those paradoxically true things, you can’t try or think your way through into the “we did that now” place.  The last mile is only available as a path when you’re trying your best, and have tried every theory you could invent, and then give up and admit defeat. Only then do you find the actual finish line of anything, whether it be “a happy family” or “resilient computers” even “a brilliant Black Hat” or “less insecure and risk-calibrated appropriately-applied and fully-considered security”-types of things.

 

So when we similarly aim for the best practices in how to “connect with other humans” at—hilariously and ironically—a conference, in person, in Las Vegas, of an enclave of statistically-correlated introverts…. oddly, maybe the obvious is worth saying real quick.

 

The Black Hat experience that I feel contains the densest betterment moments for my career all year, every year, actually happens in the one-on-one, or small clusters of, say, three to six or sometimes ten “in-between the talks” moments.  In other words, the best bits are always with the other people attending.

 

Which therefore requires—if we aspire to fertilize and foster the spawn of those learning moments as well as we can—the simple sad-but-true truth that SOMEONE is going to have to shove their hand out at some point toward some stranger (while I know it’s super freaky to do this) and say, “hi” to some presumably highly-scary person, who is obviously scary due to their “stranger-danger!” qualities…

 

…who suddenly becomes “now not-a-stranger” once we say “Hi.”

 

So we talk to others, and that’s when the magic happens. And if—having zero personal cupid-esque qualities like archery skills, wing-ed, diaper-wearing, or even benevolent pudginess of cupid-like person (having no cupid-ism whatsoever) —we may have the role of introducing two of our girlfriends to one another, it’s absolutely imperative that you do something brazen at that moment.  Such as lying, breakdancing, or disclosing curious but true quips about them both, in each other’s ear-space, in other words anything that might help make the relationship spark you’re dropping on your gal pals memorable (in their post-conference brains, of course).

 

And in case this isn’t what some of you might aim for organically, it must clearly also be heartfelt, born of an altruistic region in your—not brain, nor mouth—heart zone within yourself. Not profit-seeking nor ego driven.

 

In my case, I readily offer to make a fool to myself to achieve the “WELL IT SHALL FEEL STRANGE FOR SOME TIME TO HAVE JUST SEEN THAT….  BUT AIN’T NO WAY I’LL SOON BE FORGETTING THIS PERSON” feeling in whoever just watched me breakdance. I promise you, it’s way worse than bad… it’s unapologetically unforgettably horrible.

 

Of course there’s the always-true shorter path, if available -- simply introduce the people you might know to one another, so they may speak fiercely and join our Internet unborking team and stuff, but then give them each a unicorn so they can always remember this new colleague of theirs.  If I see this thing in the wild myself, I typically put a comment card in the boss’s office and recommend the introducer for a promotion.  That right there is the righteous stuff that scales.

My name is Quinton Jones and I endorse this BCRA-Compliant message.


Want more? You can read all parts of the Black Hat Attendee's Guide series by clicking here.

This is the eighth and final post in our Black Hat Attendee Guide series—you can start from the beginning right here.


Big gulps, if you've made it this far in the guide—you've arrived, this is the last post. When you get back from Vegas, you’ll probably have a couple of reports you’re staring in the face.

 

First is the expense report. (Pro-Tip: Take cell phone pictures of everything you spend a dime on!) Before you leave, double check the minimum dollar amount requiring receipts, and know how long you have to get your reports in… but you can’t start until you’re on the road.

 

Second is your trip report. Not all companies require them, but sending something to management is a smart move, and helps the company derive maximum benefit from the money invested… and you can start writing this right now. (Open a text editor now before you forget!)

 

Plan now (before the trip) or panic after, as details blur. This report is going to management, so it must cover the Three Golden Questions; keep answering them as you write:

  • What do I need to know?
  • Why do I care?
  • What do you need from me?

 

The Talks

We’ve given you a strategy for picking the can’t-miss-talks, so move them into your report now, Speaker, Bio, and Abstract—capture links too.

  • Whittle these down to explain the value or relevance to the business and team, and how you plan to pass on your learnings and observations.
  • Highlight what research you found most interesting or exciting personally, inspiring growth and personal development on your own time.

 

The Workshops

You should have picked some of these out as well. Black Hat affords you opportunities to gain hands-on skills, helping you when you get back to work. Perspective, tips, tricks, lessons learned, and better ways to execute workflows will all come from those workshops. Take some notes, share them.

 

Arsenal

Open source tools in the Arsenal may be things your team uses daily, or things you should start using. You’ll have met the developers/maintainers or representatives of the teams that do. You also have a direct pathway to pass on feature requests for the team (knowns are heard with priority over unknowns.)

 

You also have an opportunity to learn about features you didn’t know existed, in a tool you already have, and might actually pay for, from a vendor you work with.

 

Sponsors/Vendors

You know the products you use today—meet your account rep, meet the sales engineer, and try to catch the product managers at the booth. Have an idea of what features are coming down the roadmap, and find out what is new or recent in products you already have. Odds are you are not using everything available, this raises return on investment (ROI) for dollars already spent.

 

Technologies you will be looking into—check those products out as well. Have them scan your badge, get information sent to you (white papers, data sheets—who wants to carry paper around?) and catch some demos.

Ask point blank what their strengths and weaknesses are, who they compete with, and how to differentiate them. (Pro-Tip: Know when your budget cycle is for those technologies so you can discuss meaningful time-frames for demo and testing!)

 

Check out the startup space on the show floor. If you’ve never heard of a company, find out who they are, and what they do.

 

Report back on all of this, use it for additional notes to discuss with your engineers and architects.

 

Networking

Does your organization have headcount? Do you know folks that are actively hiring? Are there referral bonuses for those positions? Know before you go. Have draft emails or at least links in your mobile notes app, be ready to connect and make referrals—and who to connect them with back home.

 

Talk to the team, identify key challenges or problem-areas you don’t have solved. Take notes during the day—the people you meet with similar challenges will have ideas and experience on how to overcome them—don’t spend the energy re-inventing the wheel.

 

At the vendor booth, ask for introductions to other folks that use the tools you do, compare notes on deployment, usage, or partnership.

 

Lessons Learned


Remember: The trip should be seen as an investment, that you’ve executed in spades honoring the time and money spent for you to be away, so share the success stories. Make it a point to capture a few “I wish I would have” and “if I had another teammate to coordinate with” type items. Document things you didn't expect or hadn't prepared for, anything you would do differently next year. Experiences are best shared— refer back to this document so you will achieve and experience more next year.

 

These notes and observations, by themselves, will pay for your trip next year.

 

Plan early, execute quickly, profit.

So that’s it for this guide series. Thanks for reading it, and for your kind comments and additions on Twitter and beyond.

I hope at least some of the knowledge download here proved useful for you.

 

I’m tapping out, it’s time to start packing. Travel well, I’ll see you next week in Vegas!

~@treyford

If you're just joining us, this post is part of a Black Hat Attendee Guide series that starts right here.

When traveling to industry conferences, most people prepare their electronic companions (laptops, cell phones, etc) by asking: “Did I pack the right charger in my carry on?”

 

The premier gathering of the world's best and brightest hackers might be a great opportunity for you to up your travel security game. This post serves as a quick guide on how to keep your information safe from well-meaning researchers, prank-playing fellow attendees, and the occasional bad apple.

 

Keeping it simple, Black Hat and the surrounding hotel property will offer some of the most hostile networks you'll ever connect to. Honestly, you should probably be operating year round at the level of electronic discipline outlined below; then again, nobody wants to drive the mechanic's own car.


Top Tier, Paranoia-at-Maximum Overkill Mode

People can’t steal what you don’t bring.

Let's start off with the easiest solution to the problem at hand. When I touch down at McCarran International Airport, my laptop, cellphone, tablet, and most importantly, sensitive data are all locked up safely at home. I travel with a $20 pre-paid “burner phone” (as seen on TV crime shows) and a sub-$200 Google Chromebook. Both are fresh out of the box and contain no information or passwords. The number for my burner is circulated the week before to friends and coworkers, and I’ve configured call forwarding with my regular carrier just in case they forget it.

 

As for the Chromebook, it ships with Verified Boot, which checks the signatures on the firmware and OS at every boot and forces the device into recovery if either has been altered; combined with a Powerwash, that gets you back to a new-out-of-the-box state quickly if you suspect anything fishy has happened.

 

A good password manager like LastPass and a physical two-factor authentication device like YubiKey or an RSA token will get you into your email and SaaS applications remotely. Of course, an out-of-office notification reminding people that--for security reasons--you have limited access to your phone and email will also free you up attend more parties.

 

On the return trip, the cell can be dropped off at any major phone retailer where it will usually be donated to a good cause or recycled for you. The Chromebook is relatively cheap and easy to find a good home for. Most importantly, neither should return to your home or office to avoid spreading any nasties they might have picked up to other electronics and networks you care about.

 

For the other 95% of you

“But I can’t live without Angry Birds!”

If you do bring your primary laptop or cell phone with you, remember that you will be subject to attacks up to and including new and cutting edge research. While the vast majority of researchers are white hat hackers and might not be after your bank account details, the audience members are not vetted, and many are smart enough to duplicate the on-stage results within hours. Simply having up-to-date antivirus definitions isn’t going to protect you.

 

Talk to your corporate IT department before you leave, requesting a minimal-access VPN, similar to the VPN service used to work from home, but hosted outside your firewall (no direct access to the enterprise network).

 

If this isn’t available, consider a reputable commercial VPN service that supports your desktop and mobile operating systems (the EFF also has a good overview on picking one). This won’t guarantee end-to-end security, but it will keep your network traffic relatively safe until it gets far away from Las Vegas.


Other Considerations:

  • Based on past talks and summaries of upcoming ones, anything that receives or transmits a signal is a potential target.
  • Leave gadgets--like wireless mice, headsets, others--at home.
  • Keep Bluetooth turned off.
  • Set your phone in Airplane mode when in the conference area, out to dinner, or not expecting a call. (Anyone who has been to Vegas before knows that you are unlikely to get a decent signal in and around the casinos.)


Core Actions List:

  • If the OS isn’t current, and you aren’t planning on doing forensic studies on a fully Stall0wn3d machine, leave it at home.
  • Patch ALL THE THINGS. If you can’t patch the OS, applications, and browser plugins up to right-NOW-current, leave it.
  • This goes without saying, but if it isn't encrypted, leave it. Only Full-Disk Encryption or device encryption need apply.
  • If it communicates, unless you know what you’re doing, turn off:
    • WiFi
    • Bluetooth
  • Firewall ON.
  • VPN all the things. Refer to the EFF’s overview.
  • 2-Step Authentication on all the things. Avoid logging in to anything you can’t protect that way. Nuke sessions and rotate passwords when you get home, on devices you trust.
  • Keep track of your stuff. Anything of value can be physically stolen.
  • Honor OpSec: Be aware of your surroundings, eyes and ears. Loose lips sink ships, and everything in Vegas is recorded by someone, usually hotel security, and certainly not for you. Be careful in what you discuss, be aware of sensitive documents you discard.
  • When you leave your room or hardware, power off machines ALL THE WAY (not hibernate or sleep) so the disk-encryption key isn’t left sitting in RAM for a cold-boot or DMA attack.
  • Shut off cellular data, unless you need it. This will ration your battery and limit exposure.
  • USBs: If they aren’t yours, don’t trust theirs.
  • ATMs: Don’t use them near Black Hat (Mandalay Bay) or DEF CON (Paris/Bally’s). Seriously. No.
  • RFID shields: Leave work badges at home. Consider a shielding sleeve if you're worried about passports, room keys or anything else.
  • Use your own chargers for your devices, or make the USB port power-only, if you carry that kind of hardware.
  • Messaging—avoid unencrypted SMS. Use iMessage, Signal, Wickr, PQChat or some other way to communicate.
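Several items on that list can be verified rather than trusted to memory. As an added example that is not part of the original post, here is a pre-travel posture audit in bash for a Linux laptop. It covers the checks a script can observe (a dm-crypt device present, ufw active, Wi-Fi and Bluetooth blocked in rfkill, no pending apt updates) and parses captured command output, so the checks can be exercised on the constructed sample outputs embedded in the script as well as on the live machine. The pass/fail thresholds, the TRAVEL_AUDIT_LIVE switch and the sample data are my assumptions; macOS equivalents (fdesetup status, socketfilterfw) are not covered.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): pre-travel posture audit for a
# Linux laptop. The check_* functions parse captured command output (lsblk, ufw,
# rfkill, apt-get) so they can run on the constructed samples below as well as
# on the live system. Thresholds are my own assumptions.

# Full-disk encryption. Input: `lsblk -rno NAME,TYPE,MOUNTPOINT`. Passes when a
# dm-crypt device exists. Caveat: with LVM-on-LUKS the crypt device carries no
# mountpoint, so this proves a LUKS container is open, not that / lives on it.
check_fde() {
  printf '%s\n' "$1" | awk '$2 == "crypt" { found = 1 } END { exit found ? 0 : 1 }'
}

# Host firewall. Input: `ufw status` (needs root). Passes only on "Status: active".
check_firewall() {
  printf '%s\n' "$1" | awk 'NR == 1 && $1 == "Status:" && $2 == "active" { ok = 1 } END { exit ok ? 0 : 1 }'
}

# Radios. Input: `rfkill list` plus a device type ("Wireless LAN" or "Bluetooth").
# Passes when every adapter of that type is soft- or hard-blocked, or none exists.
check_radio_off() {
  printf '%s\n' "$1" | awk -v t="$2" '
    /^[0-9]+: /           { cur = ($0 ~ (": " t "$")); if (cur) { n++; on[n] = 1 }; next }
    cur && /blocked: yes/ { on[n] = 0 }
    END { for (i = 1; i <= n; i++) if (on[i]) exit 1; exit 0 }'
}

# Pending patches. Input: `apt-get -s upgrade`. Passes when no "Inst" line appears.
check_patched() {
  printf '%s\n' "$1" | awk '/^Inst / { n++ } END { exit n > 0 ? 1 : 0 }'
}

# Runs every check on the supplied outputs, prints one PASS/FAIL line per item
# and returns the number of failures (0 means the machine is ready to travel).
audit() {
  local fails=0
  _item() {   # _item "<label>" check_fn args...
    local label="$1"; shift
    if "$@"; then printf 'PASS  %s\n' "$label"
    else printf 'FAIL  %s\n' "$label"; fails=$((fails + 1)); fi
  }
  _item "full-disk encryption present"  check_fde       "$1"
  _item "host firewall active"          check_firewall  "$2"
  _item "Wi-Fi radio off"               check_radio_off "$3" "Wireless LAN"
  _item "Bluetooth radio off"           check_radio_off "$3" "Bluetooth"
  _item "no pending package updates"    check_patched   "$4"
  return "$fails"
}

# Collects the live outputs from this machine and audits them.
run_live_audit() {
  audit "$(lsblk -rno NAME,TYPE,MOUNTPOINT)" "$(ufw status 2>/dev/null)" \
        "$(rfkill list)" "$(apt-get -s upgrade 2>/dev/null)"
}

# Constructed sample outputs (not captured from a real machine), one good and
# one bad per check, used to exercise the parsers offline.
SAMPLE_LSBLK_ENCRYPTED='nvme0n1 disk
nvme0n1p1 part /boot/efi
nvme0n1p2 part
cryptroot crypt /'
SAMPLE_LSBLK_PLAIN='sda disk
sda1 part /'
SAMPLE_UFW_ACTIVE='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     DENY        Anywhere'
SAMPLE_UFW_INACTIVE='Status: inactive'
SAMPLE_RFKILL_RADIOS_OFF='0: phy0: Wireless LAN
    Soft blocked: yes
    Hard blocked: no
1: hci0: Bluetooth
    Soft blocked: yes
    Hard blocked: no'
SAMPLE_RFKILL_RADIOS_ON='0: phy0: Wireless LAN
    Soft blocked: no
    Hard blocked: no
1: hci0: Bluetooth
    Soft blocked: no
    Hard blocked: no'
SAMPLE_APT_CLEAN='Reading package lists...
Calculating upgrade...
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.'
SAMPLE_APT_PENDING='Reading package lists...
Inst examplepkg [1.0-1] (1.0-2 Example:stable [amd64])
Conf examplepkg (1.0-2 Example:stable [amd64])'

# Only touch the live machine when asked, so the file can also be sourced.
if [ "${TRAVEL_AUDIT_LIVE:-0}" = 1 ]; then
  run_live_audit
fi
```

Run it as `TRAVEL_AUDIT_LIVE=1 sudo bash travel_audit.sh` the night before you fly; the exit code is the count of items still to fix. Treat a PASS on the encryption line as necessary but not sufficient (see the caveat in the comment), and remember that the list above also has items no script can check for you: the VPN, the 2-step settings on your accounts, and what you say at the bar.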


Mind the real threats

Even with reasonable electronic protections, your devices are still subject to good old fashioned crimes like physical theft. Beware of the usual pickpockets and hustlers that set up shop in any tourist destination if you leave the watchful eye of strip casino security.

 

If you meet a new friend in the bar, think twice before inviting them back to your room for another drink.

 

Also, when attending events after the sun goes down, try not to wear your passport and life savings around your neck in a fancy travel wallet. Instead make use of your in-room safe (yes, they aren’t perfect) and keep a minimal number of cards and cash in your front pocket.

 

One final thing to be aware of is information solicitation. While not a direct attack on your devices themselves, learning more about your company's defenses over a drink or three is a great way to set up for a future attack.

 

Hopefully with a few basic precautions you can avoid ending up on the Wall of Sheep, or worse.

 

~@mikedamm

 

Want more? You can read all parts of the Black Hat Attendee's Guide series by clicking here.

Joining us for the first time? This post is part seven of a series that starts right here.

 

Hacker Summer Camp is no joke, and you’ve got to have a game plan when you head for Vegas. If you don't travel frequently, this is for you.

Ignoring sartorial conundrums and basic hygiene, this post is focused on keeping your body operating at peak… or at least somewhat operational.

 

Vegas: It’s nothing like home for most of us. Desert allergens, low humidity turning you into human jerky, and scented, conditioned casino air that probably carries more smoke particles than you’re normally exposed to.

 

Conference super marathons bring you back-to-back if not double-booked days running from very-early to very-late, atypical stress loads, and more talking in 24 hours than your vocal cords probably offer in a month back home.

 

Then there is food, hydration, and rest. You’ll have less of all three, unless you plan and execute carefully.

 

What I’m about to break down is not medical advice, it’s my personal approach on staying at peak for the Week To End All Weeks that is Black Hat.

 

Fuel the Machine


When my body gets hungry, Trey gets hangry -- and that’s entirely my fault. I carry snacks, and try to keep them protein-based.

Two of my favorites:

  • I like almonds; @RSNAKE turned me on to Blue Diamond almonds. I prefer them raw, the wife likes sea salt. They aren’t heavy and they’re easy to share.
  • Justin’s Nut Butters are one of my favorite things in the world, the chocolate hazelnut is wonderful when you’re hurting.  One packet will bring me from hangry to genteel for an hour.

 

If you do a daily vitamin of some type, bring it and take it. You’ll be missing meals, distractions happen, and when you’re engaged you lose track of time SQUIRREL!

 

You know your body. Personally, I fear the carb crash, so I avoid energy bars and candy where possible… (@415 can tell you stories about feeding me until I fall asleep, foods like this do it fast).  In my case, I need to stay sharp and laser-focused at the event, but as always YMMV.

 

Hydrate or Die.

You’re in the desert, you’re going to be talking a lot, and you’ll be drinking coffee--a diuretic--as well as energy drinks, sweet carbonated drinks, and probably alcohol.

I need help ignoring that the water doesn’t taste like home, and bottled water costs a fortune.

  • Bring a water bottle of some type, keep it in your pack.
  • I like to use electrolyte tabs of some type to flavor the water. Bonus: Some of them have caffeine. I carry the stuff from Nuun, others love those vitamin C Emergen-C packets.

 

Moisture is the Essence of Beauty

I figured if I referenced Zoolander, you’d remember this, but I’m serious about this point: Allergens are a serious consideration, not just due to the desert, but the hotel/casino air.

 

  • If you use antihistamines or decongestants, bring them, consult a medical professional if you have any questions.
  • Single-Use eye drops. Dry air, air conditioning, long nights, smoke… you’ll be glad you have them, and since they are single use, you can share with your friend sporting those questionable blood-shot eyes.
  • Chapstick. Ask Napoleon Dynamite if you have any questions, same thoughts as above.
  • Cough drops. I like the ones with honey. You’ll be talking, the air is dry, and your throat is going to hurt. Take some in your pocket at night; you’ll be glad to have them after an hour of shout-powered conversation at the parties.
  • *Ed.Note: If you have an inhaler you only use occasionally, especially for allergy-induced breathing troubles, do yourself a huge favor and bring it! - Maria*

 

Don’t do drugs

You’re an adult, and probably a hacker--punk rock and hard core, et cetera. I’m not telling you what to do. I am saying to be careful about what you put in your system, whether it is food or something else, and be prepared to deal with it.

  • Again, if you normally take vitamins, do that.
  • Montezuma’s revenge--you’re eating strange things, probably different than home… be ready for your gut to tell you about it.
  • If you foresee a need for pain/headache/hangover management, bring what you need to deal with that, whatever makes it stop. ’Nuff said.
  • Coffee in the morning. Starbucks will have an epic line. Meet people, or make some in your room. (Some of us aren’t human or humane until consuming the java.)
    • Pro grade: Some folks love the Aero-Press, it’s lovely coffee.
    • In a pinch, keep Starbucks VIA instant packets handy.

 

Fuel the Machines

Electronics need power, and we seem to be tied to them, so prepare for that.

  • Bring your USB battery pack, if you have one. Cell phones will die faster than normal, towers and bandwidth are a commodity.
  • Small power strips. Power outlets are at a premium, Murphy’s law dictates the only ones you’ll find will have campers using them. I carry one of these, and I make friends.



It’s the way you carry it.

The adage rings true here, “It’s not the load that breaks you down, it’s the way you carry it.” I know Jack Bauer looked swag carrying his man-purse, but you’ll probably carry a laptop and more ALL DAY, despite my best warnings, so bring a backpack and use both straps!

  • Reconsider carrying your laptop, unless you really will be using it.
  • Wear comfortable and supportive shoes. You probably aren’t used to standing all day. No, they might not match, and that’s probably okay…  at least you can still mock people wearing their Vibram 5 Finger / hobbit shoes!
    • Of note: you'll walk a mile from your hotel room to the briefing rooms. Those of you counting steps may score closer to a long day at Disneyland...
  • Bring a layer to put on. It will be over 100 degrees Fahrenheit in Vegas, which means giant machines will be pumping cold air—and some rooms will be colder than others.
  • Bring a carabiner. I know this sounds silly, but that little gap in the curtains lets light from the Strip dance around your room. Carabiners are tiny, clip the curtains shut, and you'll want anything that helps you sleep.

 

Expert Mode

Managing your energy is a balancing act, and frankly you want to be at peak this week. Championship athletic teams peak for the playoffs and finals, top researchers have brought their best work to this event, you need to be on point.

  • Sleep. Prioritize it. There is a time to rage (pulling the all nighter), and there is a time not to. Careers are made and destroyed crossing this line.
  • Diet. Take care in getting real food. Whole Foods isn't far away.
  • Fitness. If you train regularly, and find it keeps you sharp, do some of that. There are gyms on property (I think they call them spas?), some people go run the strip early (find them on Twitter), while others of us will sneak off to CrossFit Max Effort about a mile away.

 

Everything in moderation, including moderation.

Bring your best, and bring it hard.

 

If you’ve got additions to the list, I’m all ears, tack it in here or on Twitter.

~@treyford

 

Want more? You can read all parts of the Black Hat Attendee's Guide series by clicking here.

If you are just joining us, the series starts here.

If you follow LinkedIn alerts, you’ll see a clean pattern in the game of musical chairs that is InfoSec: twice a year, people pick up and move. The first round starts the week after RSAC in SF, the other after Black Hat.

 

This isn’t because recruiting happens, even though it does.

It is because people go work for great companies, and leave bad people, circumstances, or have found an opportunity to grow somewhere else (for more coin!)

 

Keep your head on straight


No one (in their right mind) likes talking (in public) about a job hunt while they’re employed. Obviously it’s an uncomfortable subject, and if word gets out you’re looking, your day job becomes a little less safe. Like it or not, networking leads to new gigs and a brighter future-- just be aware of how many people know that you’re looking or listening.

 

Keys to success in this venture, in my humble opinion, are found in perspective and transparency. Everyone, if honest, can see the gaps between what they dream of, their ideal, and what they have to offer.

 

Searching for where to start? Understand where you are today.

 

Carefully shape what you’d like to be doing in 3-5 years. Keep in mind that growth is part of every job you take, so you won’t be 100% qualified, or know how to do everything in your next role JUST YET. Successful candidates grow, and we expect it.

 

Many of you are actively looking, this post breaks down some of the discussions I keep having with folks.

 

“I’m not qualified, I’ve never done that before”

Almost everyone says this at some point, and for good reason, rooted in their humility, impostor syndrome, or Dunning Kruger-type things, and almost everyone worth their salt probably wrestles with these tendencies.

 

I’m going to say it again: Change your perspective.

You are not applying for a job where you need to do clearly defined work, like mowing a lawn, running a cash register, manning a post for a specified time—all of which fits nicely onto a timesheet. The work we do in this industry is very fluid, even if job definitions seem pretty straight forward.

 

Remember: People are hired for aptitude.

Jobs are chosen for growth potential.

 

If you can already execute the duties in a job description, managers aren’t worrying about hiring you—we worry you’ll be a pain in the rear as you get bored.

 

You’re qualified because you have the potential; the question you need to answer is about the gap: Is this something you can get up to speed on fast enough to be a help to the team? That is the question to ask as you look at each line of the job description.

 

So let’s look harder at that:

 

Reading the Job Description (JD)

The JD is not a tool to determine if you are qualified. Read it while asking yourself: “Is this what I want to be doing for the next three years?” and “Is there room to grow into this job?”

 

For those of you who haven’t directly managed humans, hiring and firing is a thing, and it is very different than managing systems. Rebooting (err, mis-hiring) hurts people, changing their lives in a painful way. Scaling systems is straightforward, even if tedious—cloud technology has helped dial us in, and configs are pretty structured—but there’s no Chef or Puppet config for adding humans to your team, so we use job descriptions.

 

Unlike system and application profiles, we can only attempt to describe the skill sets, attitudes, preferences, and special gifts or traits of what we think a successful candidate might embody.

 

Read that paragraph again. The JD is effectively guesswork.

 

There are bullets that aren’t negotiable, and there are bullets that are flexible. You won’t know which is which, so tread lightly and read thoughtfully.

 

As a hiring manager, I can’t tell you how many times we finished interviewing some people, only to realize there was absolutely NO WAY these people were going to work out. Moment of clarity: it wasn’t them, it was us—and the JD needed a re-write.

 

When you read the job description, try to read between the lines and be quick to ask questions while you have someone F2F at Black Hat.

  • What does the day-to-day workload look like?
  • What does the new hire need to ALREADY know how to do?
  • What can they learn on the job and grow in to?

(Another side-note: Even if you know how to do something, you can almost bet a prospective future employer does it differently, so there is always learning, growth, and adaptation required…)

 

You have a great resource available to you at events like RSA and Black Hat -- corporate recruiters and potential future teammates. So while at Black Hat, don’t avoid the recruiters—talk to them and find out who is hiring for what roles. Once you do, then talk to the folks on that team. I know a number of hiring managers coming to Black Hat with headcount they are looking to fill—immediately. Seek them out. I promise that you’ll learn far more over coffee or a meal about the team and company than you will in 10 hours scouring their website.

 

Reading your resume

Let me state this again, determining if you are qualified is not your job. The hiring manager makes that determination.

 

You really want companies to find the right folks, and sometimes, you really are the right person with all the right attributes. Let’s break that down.

 

If the JD is a recipe, resumes offer a list of available ingredients. Hiring managers know their culture, organization, and the specific needs of the team.

 

A great manager isn’t cooking food, they’re crafting cuisine. Building a team is tedious, takes considerable investment, and is a lot harder than it looks. Blind applications represent a numbers game, and the challenge you’ll face is having zero access to the hiring manager until you’ve made it past the recruiting/HR filters as they judge you on your resume alone… unless you are meeting them face-to-face at Black Hat or other live industry events.

 

What hiring managers look for in you

If you haven’t walked a mile in these shoes, think about anyone you’ve ever interviewed. Meeting face to face at Black Hat allows you to skip an initial resume screen and answer meaningful questions.

Questions being asked on both sides of the table might be:

  • Can we work together?
  • Laugh and pull pranks together?
  • Are you an eight-to-fiver, or are you in-it-to-win-it?
  • Would I look forward to lunch with this person several days a week?
  • Are you my particular brand of crazy?
  • Can we collaborate?

 

If things are going well, this evolves from the personal chemistry into a situation where you want to know they can actually do the job.

  • Can you hold a job?
  • Are you a leader or follower?
  • Are you self-directed, or need continual guidance?
  • Will your experience and expertise complement my team?

 

What you (the seeker) are looking for

You also need to ask, in earnest, if this is a company you want to work for. What is the reputation of the company, who works there, what are they doing, is the future of the company viable (read: will the company survive)?

 

Some folks prefer smaller companies they can bleed into, where they can stretch their wings and earn sweat equity. There are more unknowns and higher risk, but there may be a possible equity payback. Risk can bring rewards, and many thrive on the instability and flexibility found in these smaller companies.

 

Other folks aren’t in a place to take on the culture or the risk of a smaller company for whatever reason, and they find comfort in larger, safer and more established companies. Yes, there might be more bureaucracy and a slower pace, but some people thrive in this environment and need the trimmings that come with stability, like benefits, healthcare, and retirement considerations.

 

How would you describe the company’s philosophy?

You want to know what their ethics and belief system is—if they have one, and hopefully they do!—and what it means to them. Core values are important. If it’s just a marketing exercise, find out. Companies I love strive to honor their mission, check out Nike, Delta Airlines, and Zynga core values as examples.


My hopes for you


First and foremost, be grateful for the work we do: There are other industries hurting right now, and we have no shortage of jobs. For those of you employed and considering a jump, remember that you came here for a reason-- a big part of my income is that sense of purpose.

 

Second, be graceful as you move about the industry. Laugh as you might, and as excited as you may be to leave, don’t forget you may wind up working with many of your current team in a few years… so don’t burn bridges or bad-mouth people. People make mistakes, people change. Hopefully we all progress and grow from lessons learned.

 

Third, try not to focus on the money. What we do is lucrative, no doubt, but Lennon and McCartney put it best: “You can’t buy me love.” Join a team you enjoy, with people you love, at a company you believe in. You’ll have Mondays and happy-hour filled Fridays, and the occasional no-sleep work weeks. Warts and all, this is your chosen profession. At the end of the day, you need to believe in what you’re doing.

 

Finally, if at all possible, try to negotiate a bullet into your job description focused on community work. Maybe that’s focused on an OWASP project, leading a local ISSA chapter, mentoring locally, or organizing a BSides event. Make it something you are incentivized to do and your company supports in writing.

 

We’re building this industry together—do your part.

 

As always, your thoughts and comments are most welcome here on the blog, or out in the Twitterverse.

~@treyford

 

Want more? You can catch all the entries in the Black Hat Attendee's Guide series here.

If you are just joining us, this is the sixth post in the series starting here.

Conferences are magical and serendipitous. YouTube can’t capture the electricity you remember in the room as you tell someone “I watched Barnaby jackpot an ATM,” as others echo back “I was there that year too!”

 

At technical conferences, the content leads the way—it is what brings us to the show. Catching up on that research and work being done at “the tip of the spear” helps re-align our focus, sanity check perceptions, and validate our thoughts about what might be possible in the near future.

 

This post is about what’s happening OUTSIDE the briefings you decided you just can't miss. There is a lot going on that you need to make time for: some of you should be registering and competing in NCCDC’s Panoply, checking out the official Black Hat store and book store, buying the videos… and prioritizing attendance at the Pwnies.

 

First up, let’s talk about Sponsor Things.

Sponsors are a catalyst, the investment they bring creates jobs, underwrites research and innovation, helps bring ideas and solution sets to market, and helps make events like Black Hat possible. Check out the evolution and involvement of sponsors at BSides — support is not only unavoidable, events depend on them.

 

There is always that hipster sentiment reminding us how much better things were years ago, in the most ironic terms available… and that’s cool. So enjoy their reminiscing, but remember that you are here to rock the industry today.

 

The Business Hall

Call it what you like, you’ll hear terms like sponsor floor, vendor floor, business hall, networking lounge… these labels all filter down to a very simple thing: It's where the companies are.

 

Ignore the hipsters for a moment and stay with me on this one, dear reader — keep in mind that these companies are underwriting the event. They have paid dearly to make sure the show happens, in hopes that you will come and that they can connect with you in a meaningful way.

 

When I say paying dearly, I do mean it. This event is a budget breaker. To be clear, and to understand in broad strokes what it costs to put on an event like this, skim the sponsor prospectus—the top tier buys in at ~$150,000 USD. Do some additional math on the back of your cocktail napkin: all five of those Diamond sponsors are also sending another ~50 people each (conservatively $1,500 per person, ignoring soft costs and food). The smallest companies get in for ~$30,000 USD, sending 10 people—so let's figure that the smaller booths are spending closer to $100k for the week.

 

That’s without picking up additional sponsorship opportunities, networking receptions, dinners, or throwing parties… which I can assure you cost a pretty penny in Las Vegas.

 

So why sponsor? To meet you. That doesn’t mean sell, I mean it simply—they want to connect. What for?

  • Hiring
    • Don’t kid yourself: Everyone is hiring. They’re growing, building, and our industry has a fierce talent shortage.
    • Related—don’t run around handing out copies of your resume on the show floor… no one wants to hire that guy.

  That said, if you are looking for tips and advice on looking for a job at big events like Black Hat, I wrote a special post about it:

Part 6a - On Job Hunting & Recruiting at Black Hat

  • Brand Awareness
    • Companies (the good ones) spend a lot of time and money to build technology goods and services for you. That’s specific, I actually mean for you, the reader. They know you get it, and that’s why you’re at Black Hat.
    • “I am not a decision maker or control a budget, why me?” — If you are attending Black Hat (both an expensive and aspirational event) you are an influencer, and you will be controlling budgets before too long!
  • Product Direction and Validation
    • As an influencer, you are in touch with the needs of your business, the challenges of your security team, and are tasked with responding to threats to the business.

 

So that’s why they want to talk to me, but why do I want to talk to sponsors?

Glib answer: Because you’re polite, you want to thank them for making Black Hat possible, and investing in your week.

 

Slightly-less-glib answer: The Booth Babes.

 

Yep, you read that right, but before you get out the pitchforks, I’m defining this differently from the standard, because I used to call myself a booth babe. (Fact.)

 

The folks attending Black Hat fought to be here—or couldn’t get out of it. Point blank, the people working the booths are smart, influential, and have something to offer you. They might have done your job, they might have faced similar challenges you did, or they work with people who do and have new perspectives for you to consider. (Those folks that couldn’t get out of coming? They are here because the company needed them to attend, which makes them both highly influential, and in-demand… you can’t lose!)

 

For the nerdy guys out there afraid of pretty girls, be warned—if you happen to see a pretty girl in a booth, make no assumptions about why she's there, or her intelligence levels just because of how she looks. She's probably smarter than you anyway. Flipside, companies bringing ‘hired help’ in questionable attire will have a hard time busting that reputation in the future, so buyer beware, and vote with your budget.

 

One caveat is that some booths will have a carnival act or arcade game that needs staff to manage the activity, badge scanning, and swag distribution. It’s really hard to justify putting a well-paid sales engineer or product manager on duty doing this work. So be aware of the economic forces, and withhold judgement: not everyone you interact with will be one of us, even if they should all be professional in appearance.

 

Life in the Booth

If you’ve never worked a booth, you need to know what’s going on there. It’s serious business (as you now appreciate the investment), and it is worth understanding who’s there, what they’re doing, and how to have a meaningful interaction in your time on the floor.

 

Marketing and PR

This is management, they are responsible for the booth, the staffing, messaging, visuals, and every aspect of what you’re seeing as you approach.

  • These folks work hard to support our industry—and some of them actually know how to code, even if they don’t consider themselves technical like we do.
  • Try to be self-aware, knowing there are different kinds of genius, not all of them are actually ‘technical’ the way you see it. The gift of communication, the ability to quantify and organize people, to design experience, and architect a live event is both art and science.

 

Sales and Business Development

If you’ve never worked in sales, you probably don’t respect sales people enough. You might scoff, but consider Einstein: “If you can’t explain something simply, you don’t understand it well enough.” Think about that as you consider the following: When you meet sales people that sound like they have no idea, it may not be their fault. (Remember, not everyone on the floor can run Metasploit from the command line like you do, nor should they—it takes all types!)

 

The sales person:

  • May be new to our industry
  • May be pitching something so bleeding edge, they’ve not figured out how to effectively describe it (it *does* happen)
  • May have not been trained (by someone like you or me) to effectively understand what they’re representing
  • May work for a company WHERE CLUE=0
  • Slept through new hire orientation (and won’t be employed that much longer…)

 

The bottom line is you’ll meet people in all industries that aren’t operating at 100% of peak, all the time, in any given role. For whatever reason, infosec loves to bag on sales people.

 

Don’t be a jerk, you’ve probably said stupid stuff too. Help them improve.

 

If you don’t like public speaking, you’d HATE making cold calls or selling. Just try selling something you don’t completely understand—it’s difficult and embarrassing. If you want to really make it in this industry, partner with the sales people you interact with, and help them do their two jobs effectively:

  • Manage the relationship
    • They are tasked with getting to know you and your company. This might surprise you, but I am still in touch with the coolest sales folks that I’ve worked with for the last 20 years- and many of them are close friends.
  • Help you buy
    • You’ll meet sales people you like, and you’ll meet some that give you the heebie-jeebies. You’ll know the folks who are honest about strengths and weaknesses, and you will honor them for their transparency. You’ll also never forgive the jerk that sold you snake oil, damaging your reputation.
    • If you've never watched a project fail due to a missing product- you will.


Good sales people will inform you about their offerings, and how to understand their competitors. GREAT sales people will help you manage the buying process, specification and procurement… you’d be surprised how hard it is to get some companies to take your money when you want to buy something!

 

Take the time to meet your company’s account executive if you’re both in town. The logo on your paychecks will change; friendships can last a lifetime.

 

Business development is a lot like sales, except focused on more strategic arrangements, product bundling, technology considerations, market access, joint development ventures, and plans hidden behind the NDAs of their employer and partners. You won’t see these folks much- they’re usually double booked at all hours, but man do they have the scoop on what’s going on.

 

Technical Sales, Sales Engineers, Product Management

So this collection (and they won’t like me grouping them this way at first) is what I think are some of the coolest folks out there. Here’s the deal: If you are amazing at what you do in your day job, odds are you’ll wind up working for a vendor at some point in your career.

 

First, you’ll get picked off by a recruiting sniper, because you know the pain points their customers face, and you know the product better than anyone because you have used it daily, for ages.  Eventually, as your ability to speak human approaches your comfort level on the command line, you’ll find your way from product specialist into technical sales, supporting the occasional sales call. Later, you’ll see the good technical sales folks move away from managing sales workflows and demo environments into full-fledged sales engineers, working closely with sales folks tied to a vertical or specified region. (Pro-Tip: The closer you work with sales and prospective customers, the better the food… yet another reason to meet with your account rep!)

 

Some sales engineers are customer champions, and they understand the customer need, the challenges you face, and can articulate it to their employer. Product Managers wear a great many hats, and (depending on their employer) will ultimately own the direction of a named product or development initiative.

 

The folks at every phase of this curve are smart, clever, amazing people. They are all growing, they have their fingers on the pulse and their ear to the ground. Ask them what they’re thinking on, what they are excited about—the good ones will break your brain. (Sidenote: Product Management training changed my life… and our PM team at Rapid7 is AWESOME. /biased)

 

Sponsored Content

Sponsors have a lot more going on than just folks hanging out in the booths—if you want to get hands on, or hear from some of the sharp folks at specific vendors, you’ve got some options.

  • Check out one of the 21 sponsored sessions. Be advised, this content, unlike the briefings, is pay to play. There was a vetting process whereby sales pitches should have been stripped out, and if it gets out of bounds, report it to event management (via email, no need to be a jerk on social media.)
  • Get hands on in one of the 10 workshops. These are opportunities to learn new skills, sharpen your tool kit with the very latest, or test yourself in various contests.

 

Arsenal

This is near and dear to me, even if we don’t bother pitching Metasploit as an arsenal submission (and maybe we should?)

 

Arsenal this year is bigger, badder, and better than ever. This is Black Hat’s tool space where over 50 of the top open-source tool developers and independent researchers will be showcasing their latest features. So if you’ve got a tool you love, or can’t seem to get running, here’s your chance to meet someone who builds or maintains it face to face. Check the schedule for Wednesday and Thursday, try to catch your favorites, or find new ones to use (these are all open source, freely available).

 

Badge Scanning

 

Before signing off, this is probably the elephant in the room that needs to be addressed. You will get a badge at check-in, and that is important—some cons use bar or QR codes, some are business card only; Black Hat uses RFID carrying the basic info from your name badge (as printed) and a unique identifier.

 


Remember when we discussed that companies spent a small fortune to meet you? They want to connect with you, and follow-up after the show. Yes, you will probably get emails and phone calls. That is how they justify spending their precious money on giving you an incredible week.

 

Security professionals are privacy conscious, and we don’t trust folks to protect our information. Believe me, I get it.

 

When it comes to badge scanning, can we be real about your OpSec? You’re defending your phone number and an email address. If you can’t create mail rules, you don’t belong here. If you’re using your primary email for conference registration, you deserve the spam you’re complaining about. If you’re worried about your identity at the point of the badge scan, you’ve thought about it too late.
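What "create rules" can look like in practice, as an added example that is not part of the original post: register for each event with its own plus-addressed alias (you+bh2015@example.com, delivered to you@example.com by any provider that honours subaddressing), record which organisation you handed that alias to, and let a rule sort what arrives. The tag tells you which registration the contact came through; a sender outside the organiser's domains is badge-scan follow-up (or a sold list), which is exactly the mail a rule should sweep out of your inbox. The mailbox, the domains in EXPECTED_SENDERS and the sample messages are all constructed for the example.

```python
"""Route conference-registration mail by per-event plus-address tag.

Added example, not code from the original post. Assumes:
  * your mail provider honours plus addressing (RFC 5233 style), so
    you+bh2015@example.com lands in the you@example.com mailbox;
  * you registered for each event with a distinct tag and recorded which
    organisation(s) you gave it to (EXPECTED_SENDERS below is constructed).
The same logic would normally live in a Sieve or provider-side filter; it
is written as a function here so it runs stand-alone on raw RFC 822 text.
"""
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed mapping: tag handed out -> sender domains you expect to use it.
EXPECTED_SENDERS = {
    "bh2015": {"blackhat.com", "ubm.com"},
    "bsideslv2015": {"bsideslv.org"},
}
BASE_LOCALPART = "you"        # hypothetical mailbox
BASE_DOMAIN = "example.com"


def tag_of(address):
    """Return the plus-tag if `address` is our mailbox with a tag, else None."""
    local, _, domain = address.strip().lower().partition("@")
    if domain != BASE_DOMAIN:
        return None
    user, plus, tag = local.partition("+")
    if user != BASE_LOCALPART or not plus or not tag:
        return None
    return tag


def recipient_tag(msg):
    """Find the first tagged recipient across To, Cc and Delivered-To."""
    headers = (msg.get_all("to", []) + msg.get_all("cc", [])
               + msg.get_all("delivered-to", []))
    for _name, addr in getaddresses(headers):
        tag = tag_of(addr)
        if tag:
            return tag
    return None


def route(raw_message):
    """Classify one message: which folder it belongs in and why.

    Returns a dict with the folder, the tag found (or None), the sender's
    domain and a `third_party` flag set when the tagged alias is being used
    by someone other than the organisation you gave it to.
    """
    msg = message_from_string(raw_message)
    tag = recipient_tag(msg)
    sender_domain = parseaddr(msg.get("from", ""))[1].lower().rpartition("@")[2]
    if tag is None:
        # Untagged mail to the base address: ordinary inbox traffic.
        return {"folder": "INBOX", "tag": None,
                "sender": sender_domain, "third_party": False}
    expected = EXPECTED_SENDERS.get(tag)
    if expected is None:
        # A tag you never handed out: guessed, typo'd, or scraped; junk it.
        return {"folder": "Junk", "tag": tag,
                "sender": sender_domain, "third_party": False}
    third_party = sender_domain not in expected
    folder = "Events/%s%s" % (tag, "/followups" if third_party else "")
    return {"folder": folder, "tag": tag,
            "sender": sender_domain, "third_party": third_party}


# Constructed sample messages (headers only need to be RFC 822-shaped).
SAMPLE_REGISTRATION = (
    "From: Black Hat Registration <registration@blackhat.com>\n"
    "To: you+bh2015@example.com\n"
    "Subject: Your badge is ready\n\n"
    "See you in Vegas.\n"
)
SAMPLE_FOLLOWUP = (
    "From: Friendly AE <sales@vendor.example>\n"
    "To: <you+bh2015@example.com>\n"
    "Subject: Great meeting you at the booth\n\n"
    "Can we get 30 minutes next week?\n"
)
SAMPLE_UNKNOWN_TAG = (
    "From: offers@list.example\nTo: you+free-iphone@example.com\n"
    "Subject: You won\n\nClick here.\n"
)
SAMPLE_PLAIN = (
    "From: a.friend@friend.example\nTo: you@example.com\n"
    "Subject: Dinner?\n\nThursday?\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_REGISTRATION, SAMPLE_FOLLOWUP,
                   SAMPLE_UNKNOWN_TAG, SAMPLE_PLAIN):
        print(route(sample))
```

One caveat a practitioner would want stated: plus-addressing is for sorting and attribution, not for hiding. Anyone who sees you+bh2015@example.com can strip the tag and reach the base address, so the rule tells you who spread a contact, it does not stop them. If you need the alias to be revocable, use a provider that issues distinct random aliases instead of subaddresses.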

 

You’re trading a scan for a piece of swag or access to a party. The company wants to build a relationship with you. The conference organizers want to make sure only paying attendees access the show content. You want to let them do this because you want a conference and a party next year.

 

I’d have written a shorter post if I had the time—I hope this gives you some inside baseball on the rest of the show. It's going to be a great week!

 

If you’ve got edits or feedback, say hi here or on Twitter.

~@treyford

 

Read a special supplemental post to this one - Part 6a: On Job Hunting & Recruiting at Black Hat

Read the next post in this series: Part 7 - Your Survival Kit

Want more? You can catch all the entries in the Black Hat Attendee's Guide series here.

If you are just joining us, this is the fifth post in the series starting here.

Making An Introduction


I might be wrong, but I’ll argue that networking is a transitive verb, so ENGAGE! The real magic starts happening as you progress:

  • Level 1-- Start with a “Hi, my name is… ” Yes, it’s that simple, thanks to Slim Shady
  • Level 2-- Demonstrate that you have an idea of the world the other person lives in, their passions and interests
  • Level 3-- Make a meaningful (and unforgettable) introduction

 

Connecting people is like a sport for me, and I enjoy it immensely. A good introduction might be the most wonderful gift you can give someone, I have been so endeared to those giving a graceful introduction. There is a fine line between grace and flattery (i.e., an unfounded and disingenuous compliment), so get it right, keep it real… or go so completely tangential—they’ll laugh as you run off to your pressing appointment.


Introductions serve a purpose, the motivation should be self-evident when you are done. I see the introduction as an event: You are investing energy and excitement into the lives of two people, regardless of how well you know them, or may be walking someone through the door of opportunity, changing their career path forever.


Make it a point to use people’s names when connecting them. Make sure you’re pronouncing their name correctly; never be afraid to ask, laughably mispronounce, or politely reaffirm if you’re not sure!

 

There is a chance they’ve already met and know each other well and you’re new to the party. Flipside, perhaps they’ve met and maybe don’t remember each other’s names (I’m THAT guy!). I’d recommend starting off with an “oh dear—Jim, have you met Ryan?” It’s a safe tactic: You’ll know instantly where you stand, and whether or not to charge into introductions.


Sometimes you have to neutralize an awkward air because someone is standing too close, maybe that killed a serious and sensitive conversation that was happening, so be aware of that when you approach.


I have a specific and reckless strategy, unapologetically stolen and adapted from my good friend Quinton Jones—he’s something of a Yoda figure in my world who is basically a genius at this kind of thing. Quinton’s guidance might be summarized as follows:

  • Check your brain at the door.
    Analysis paralysis is a conversation killer, doubly so when surrounded by introverts at Black Hat! How? (See this post.)
  • Say hello, and be slow to judge.
    Question, if not flat-out ignore convention, find comfort knowing that we all say stupid stuff. Ignore the mechanics, feed on the excitement of their world!
  • Speak from the heart, try to meet people where *they* are.
    Be genuine, be real, and be sensitive to the world/stress/distractions/interest of the folks standing before you.
  • In brokering an introduction, get their attention, be memorable, build intrigue ... or offer a bold-faced lie—more than memorable, be unforgettable!
    Never be guilty of the bland, one-sentence email intro… this is almost unforgivable in person. *YAWN* If you can’t find the angle, go hyperbolic and be obvious about it!


Your introduction will address these three key questions:

1) What do I need to know?

A decent introduction must cover these basics at an absolute minimum.

  • Who is this person, what is their name, how did you meet them?
  • Where are they from, what do they do?
    • This could be their job, their field of expertise, a challenge they’re exploring at the show, tech needs they have, positions they are hiring for, hobbies the other person may find interesting, or how amazing their BBQ is

 

2) Why do I care?

A proper introduction will give the introducees some context to help ensure it doesn’t die the second you leave, as well as to help all parties remember each other a little better in the long-run.

  • They’ll care, even if only a little bit, because they respect you, and they’re being polite
  • Perhaps they are both from the same tribe (appsec, pen testing, etc), heading for the same talk, looking to hire similar people, or have a common passion


3) What do you need from me?

A really damn good introduction will have a call to action, setting conversational wheels in motion.

  • “You two should discuss <be pointed--THIS TOPIC>”
  • “Look, we just met, and this is my best friend, they’re my favorite human on this planet, so make nice!”
  • “One of you had an amazing perspective on something from this talk or booth we saw, or you destroyed the lab in this workshop -- tell us again!”

 

WOW! This person is cool, now what?

At some point, you’ll get introduced to someone amazing. Sometimes a card exchange is customary. You’ve got a fleeting moment to anchor that connection when appropriate, so have a plan to connect with them again via:

  • Twitter
    • Tweets and DMs make a great way to track folks down or invite them to gatherings later. A quick “@username Nice chatting with you about $topic today” can do wonders in keeping that conversation--and relationship--going, and it serves as a handy reminder about who you just met.
    • Please consider putting a real face as your avatar (even if only during the event).
    • Put a link in there to your LinkedIn profile.
    • @Gabe Bassett has some great thoughts on using Twitter in InfoSec
  • LinkedIn
    • Seriously, you should have a real profile, with a real picture. Seriously.
    • This page serves as a living CV/resume, so treat it with that same level of seriousness and respect.
  • Phone numbers
    • It’s kinda old-school, but it’s a thing that won’t go away. Some folks will have burner phones for the week, so make sure you know how to track them down in the longer term.
    • Pro-Tip: On my iPhone, I have a ‘Trey Ford’ entry with my contact information—work and personal email, phone, address, etc—that I can just tap “Share Contact” and send it on its way. If you have an iPhone, it saves time typing in all your info.
  • Email. (Duh!)
  • Business Cards
    • Approximately the worst option, but it is a formal tool.
    • Stop and write (on the card) how you met, and DO SOMETHING WITH IT to follow up before you misplace that card. (I am still guilty of this, striving to improve.)


Just to be thorough, let’s cover points of performance for introductions to an audience:

  • You don’t use the person's name until the very end. Period. You are building energy up to this point.
  • Do not cover the speaker’s material, but rather why you are excited to hear them. Share how the speaker is uniquely qualified or positioned to provide meaningful perspective.
  • Share a brief anecdote or story about the person, their achievements or credentials.
  • Be positive, and build the energy all the way up to: “Join me in welcoming Herbert OZWOLDO BLUMPERFARKEN!!!” (or somesuch)

 

Did that feel like a non-sequitur? Good. I’ve wrecked a mess of public introductions, so this is my penance, I think everyone should know Dale Carnegie’s recipe for public speaking introductions… you’ll know if Black Hat proctors took note.

 

Parting Shots

Black Hat USA attendance is a serious commitment and investment. Come well-rested, well-groomed, and well-prepared to meet some amazing people.

 

Be deliberate in your time and interactions, try to manage your energy levels. Bring your very best.

 

As always, I welcome additions, edits and feedback—comment here or say hi on Twitter!

~@treyford


Continue on to Part 6 of this series: The Sponsor Hall, Arsenal & more

...Or go back and read Part 4: Talking to the Media & Press


Want more? You can read the rest of the Black Hat Attendee's Guide series here.

My friend Miss @VioletBlue has shared some wisdom on connecting with the press at Black Hat in this guest post below. Enjoy!


So, you're going to Black Hat 2015…  As Mr. Trey Ford succinctly described in the Black Hat Attendee Guide Part 1, you're going to Infosec Zombieland.

 

Infosec Zombieland is a unique apocalyptic landscape which, besides requiring comfortable shoes and a strong liver, hosts a range of undead creatures to interact with. You'll soon encounter the overwhelmed Booth Zombie, the dreaded Undead Recruiter, flocks of chattering PR Zombies, and the subject of this guide: Press and Media Zombies.

 

Major media outlets will infest Black Hat USA 2015 like never before. It's safe to say that no matter where you are at Black Hat, you'll always be near a reporter, blogger or journalist covering the conference, much of the time.

 

This means you’ll need to behave accordingly — loose lips and all — and also that you should plan for how you’ll proceed when one of my fellow zombies (I mean, colleagues) comes at you looking for brains.

 

Many readers will just decide that talking to the media is a no-go, and that’s fine. Even if this is you, it’s good to know the rules when it comes to you, the press and Black Hat, and photos and video.

 

Black Hat’s PR and Communications Senior Manager Meredith Corley tells us that its rules about photos and video are pretty tight. “In general, our rule is that you must have the express permission of any subject you are hoping to film or photograph. No zooming in on laptops.”

 

In addition, we’re told that anyone taking video must have a sticker visible on their badge signifying that they’ve been approved for video, and that they agree to Black Hat’s video policies, like the ones about subject consent and shoulder surfing.

 

But what if you want to pitch a story?

 

Black Hat’s Ms. Corley tells us, “Black Hat journalists and analysts are very busy leading up to and during the show. For PR folks hoping to secure meetings with media onsite, I would highly encourage them to make sure their stories are around truly fresh/new tools or services, or even better, about exciting research coming out of their company.”

 

She advises, “Remember, a pitch should not only include the highlights of the news (brevity is always appreciated), but even more important – details on WHY the news matters. What is the big impact?”

 

The Black Hat PR Manager also pointed out that you don’t have to be interviewed in public if you don’t want to. “There will be two Media Centers for Black Hat USA 2015. Attendees are welcome to conduct their media interviews in the Media Registration and Interview Center (Reef A/B).”

 

Mandalay Bay = Dead Island


Talking to reporters is one thing, but talking to security reporters is another beast entirely.

 

Information security reporting is pretty new in the grand scheme of things. At this time, a sector that still barely “gets” the internet is reporting on (and interpreting) technical issues, security subcultures, and is unaware of infosec history. That’s changing, but very slowly.

 

For some of the bigger outlets sending media to cover Black Hat, their writers are near-to-clueless about things you consider basic in your day-to-day tasks. If you’re tired of trendy security topics, pithy oversimplifications, and security rockstar worship, you risk blowing several gaskets in a short amount of time.

 

That means talking with reporters at Black Hat can be equal parts exciting, an amazing opportunity, a tedious chore in educating media, and an opsec risk that can be astonishing (or devastating).

 

Keep in mind that the digital operational security practices of many standard-grade reporters, bloggers (and media in general) are in their infancy, so the rules around other people’s opsec apply. I mean it when I say that the shoulder-surfing opportunities in some infosec conference press rooms are… scary.

 

If you ask a member of the media to adhere to your communication rules and they won’t, or don’t, or don’t understand why they should, drop them like a live grenade, and run. That opportunity, no matter what it is, isn’t worth it — and trust me, there will always be another opportunity. Their story will come and go, but damage to you can be forever.

 

Some of us are cutthroat. Know that unless you’re being interviewed by a patsy who regurgitates press releases, you will be socially engineered under the pressure of a rolling camera or recorded audio.

 

I have a lot of criticisms, and I’ve seen some members of the press treat hackers very badly over the years.

For that reason, I offer the following worst-case warnings when any hacker talks to the press:

  • Reporters are often careless with hacker anonymity
  • Some will publish your DMs and IMs without permission
  • Indie researchers (hackers!) face an entrenched assumption of criminality
  • Companies are perceived as more credible than you
  • Most of the time, you are part of a preplanned storyboard
  • No member of the media is your friend, and there is no such thing as “off the record”

 

That said, Black Hat understands the needs of its attendees. If you have a topic that’s sensitive in nature, or embargoed, or just want privacy when you talk to a member of the press, Ms. Corley elaborated saying, “depending on the nature of the need,” they’ll be happy to help you find a private space for the meeting to take place.

 

“In addition to the Media Registration and interview Center (Reef A/B), we have a private room for quiet filming that is available on a first-come first-served basis, and can help make recommendations about other spots throughout the conference center.” Black Hat’s Senior PR Manager added, “Any inquiries can be forwarded by email to BlackHatPR@ubm.com. The team will also be in Reef A/B to help in-person during the show.”

 

Have fun! And don’t forget to double-tap the recruiters.

 

About the author of this guest post:
Violet Blue (@violetblue) is a reporter for Engadget and ZDNet; her forthcoming book
The Smart Girl’s Guide to Privacy (No Starch Press) becomes available August 25th.

 

Continue on to Part 5 of this series: Meaningful Introductions

...Or go back and read Part 3: Networking at Black Hat like a boss

 


Want more? You can catch all the entries in the Black Hat Attendee's Guide series right here.

If you are just joining us, this is the third post in the series starting here.

Networking Like A Pro

Black Hat will clear 9,000 attendees this year, and it is really easy to feel really small in a crowd that big. The vast majority of folks you’ll see there will only know a few people at the show—it is your duty to change that for them.

 

This blog post won’t make you the best conversationalist at the conference, but it should be enough to get you off the bench and into the game.

 

Let me expound: As geeks, we have a time-honored tradition and reputation to uphold, that of culturally-sensitive, socially-aware, well-groomed, charming, and social creatures.

 

No? Not yet?


We will, come the first week of August this year.

 

If you are attending Black Hat, you are in the hottest, most-sought-after, and one of the best-paid verticals in modern history. Next time you meet some random Joe and let slip you work in “cyber security,” just listen to them prattle on about how important that work is, and how badly we need to be successful. Boardrooms are paying more attention now than ever.

 

As a Black Hat delegate, you stand on the shoulders of giants, reaping the fruits of a hard working community, representing a profession in high demand that’s racing to mature. You are our diplomats and emissaries for security, research, and hacking. Much of the general public still sees our work as a dark art and witchcraft; your decisions and actions are critical to winning hearts and minds.

 

Nearly Zero Unemployment.

Think on that for a moment. Not only have the unemployed worked themselves into breathtaking niches, our profession cannot recruit, train, and groom talent fast enough. Everyone, ABSOLUTELY EVERYONE you will meet at the show is tied to the recruiting force, and only a handful of those folks have been in their jobs or at their current company for more than 5-7 years. Let me be clear - I am not telling you to find a new job. Unless you want one.

 

We all have roles on our teams that need to be filled, or have friends with specific needs. Even if you’re not looking, still make a point to meet people, and help connect them to others.

 

So, in light of that:

 

Be a connector.

So almost every company is hiring for something, we get it. The magic is the people, and everyone has a story: Many are looking for jobs, while others are looking for a way to get started. Some of the folks you meet love their jobs, others are mastering challenges they face, or are on the verge of giving up. Others will be running low on life, beat down in their world, and have come to have their cups refilled by the energy and excitement of the community and breaking research.

 

Be a connector, not match-maker. If you’re hanging with a group, and have a discussion in play, pull the lurkers in. Peel off, say hi, ask where they’re from. (“Hey! We’re discussing <topic>— care to join us?”)

 

As mentioned above, everyone you will meet has a story. Let’s be honest though: We’re at Black Hat. People are afraid of the wireless, debated bringing a pencil and paper instead of mobile hardware, and are looking at everyone as though they’re some kind of double agent looking to steal corporate secrets or passwords from them.

 

Take a deep breath. Most of the APT buzz you’re hearing is out on the vendor floor, you can spot the offending booths. Some of the folks you’ll meet have real war stories from engagements with a determined adversary, others are telling tall tales, while some are running you through a Kobayashi Maru (like it or not), which may be an interview, so play nice!

 

Respect OpSec.

People may not want to talk about their employer, or they may not be comfortable with the idea.

Spoiler alert: Real spooks at the show aren’t going to give you the “if I tell you, I’d have to kill you” line with their best “1,000 yard stare.” They’ll have a cover story, and it’ll be a simple one.

 

That said, lots of cool people work for HUGE companies, that as a matter of public policy “do not send their people to Black Hat or DEF CON”— and that’s a tough spot to be in. Here they are, they may have fought to get here, might have paid their own way (!!!) — and they very simply can’t tell you where they work, or what they do, and they feel ridiculous saying that. Even more painful for these kindred souls, they may not even have an explanation why corporate overlords have that policy. Amazing job, strong budget, interesting problem space … and the occasional policy that makes zero sense. It happens.

 

Be aware of special situations around corporate growth. Some startups are still in stealth mode, others may be approaching an S-1 filing, while others work for visible companies that may have a legal requirement to keep quiet after an IPO, merger, or acquisition. Watch for the awkward smile or brief “thanks” or “we are excited” response — some topics, for reasons that can’t be discussed, are off limits.

 

Be aware of corporate relationships, and the occasional slip-up. Companies may be consulting, partnering, customers or service providers, and that may all be under NDA. Just because you know what's going on doesn’t mean it is your business to disclose.

 

Look for those edge cases, and try to make life less awkward for them. Respect the rules of OpSec others may follow (even if against their will), and try to warm things up. Be aware of human factors: People are jet lagged, sleep deprived, …hung over, stressing about a presentation or a meeting, afraid of large crowds, or are actively avoiding you because you forgot to brush your teeth or put on deodorant (don’t be that guy!)

 

Start Small.

My advice is to not start with “hi, where do you work” or “what do you do?” It’s a trap.

 

Earn permission, and think of this as building social context or relational capital. We’re all excited, and we’re extremely passionate about our chosen profession… but we’re not giving it all away up front. It may be a waste of your time and mine to get into that, or you have somewhere to be, or as mentioned in the above section, these questions could be minefields anyway.

 

Polite company will find common ground, and start neutral:

  • Where are you from?
  • When did you get into Las Vegas?
  • What’s the best session you’ve seen?
  • Which session are you looking forward to most?
  • What brings you to Black Hat this year?
  • How long have you been attending Black Hat?
  • Did you come here with a team or group?

 

It’s kind of unavoidable: The conversation will wander into our chosen profession, which is ultimately why you are in the desert this week, hiding from the angry and unforgiving Las Vegas sun. Offering up some of the answers to these questions before asking creates context and offers a safer conversational space.

  • How long have you been in InfoSec?
  • What line of work are you in?
  • What would you consider your speciality?
  • Is that what you do for your day job, or is that something you’re looking to do more of?

 

For many of you, this is kinda obvious. If you’re Canadian, you learned this by third grade… I was home schooled, so someone had to explain this to me.

And in any case, even if it’s new to you — that’s okay too! Consider me passing these random thoughts forward.

 

Connect the Dots.

I remember as a kid, my pastor always saying it isn’t always what you know, but who you know. There’s something to that. As you meet people, be present. The magic of events like Black Hat is the people, and you will miss out if you aren’t tuned in.

 

Slow down the mental hamster wheel and stay focused in the here and now. What happened in history, or what happens later today doesn’t matter.

As Gavin de Becker says, “Now is the only time anything ever happens—now is where the action is.” Strive to really connect with the neat people you meet. Identify their interests and passions, get to know them, and start building a network.

 

When I started traveling, I learned it was better to be somebody somewhere rather than a nobody everywhere. A big conference with 9,000 humans is less intimidating when you recognize a few faces in the crowd.  Where and when does this happen?

  • Right now, right where you are! (Bathrooms notwithstanding.)
  • In the elevator
  • Standing in line
  • Coffee
  • Lunch
  • Waiting for a session
  • In the booths on the vendor floor
  • If you are sitting next to a human (and the talk hasn’t started) say hello!

 

As you find people of your tribe, introduce them to each other. Don’t slack here.

If you’re more comfortable online/on social networks than in person, you’d be surprised how often you will find folks in your chosen sessions that you’ve interacted with on Twitter. And by the way, meeting IRL— especially after chatting for 10 minutes, only to realize you kind of already know of each other — is kinda magical.

Sidenote: The persona you have in your head for that cyberspace personality won’t always match the meatspace version, and bridging that gap can make for some interesting moments.

 

image credit: http://comicalconcept.com/illustrations/the-facebook-you

 

Ignore the nervous reflex to check your phone or scan Twitter. Stay present, stay put. To quote egyp7, "never leave a hallway conversation you know is good for a talk that might be."

 

There's so much more to networking at Black Hat that I didn't want to cram it all into one post, so we'll continue this thread in part *five*, which will be all about the Art and Science of Making Introductions. So come on back here tomorrow for more on that -- same Bat-Time, same Bat-Channel.

 

As always, I welcome additions, edits and feedback - comment here or say hi on Twitter!

~@treyford

 


Continue on to Part 4 of this series: Talking to the Media & Press

...Or go back and read Part 2: Getting the Most Out of Black Hat Briefings

 


Want more? You can catch all the entries in the Black Hat Attendee's Guide series right here.

If you are just joining us, this is the second post in the series starting here.


Content is king. Research is what binds us, and you should not be surprised that some of the best in the game focus their annual research calendar on the Black Hat USA CFP. Offensive security research is the tail that wags the dog—many vendors and architects spend the year trying to get back in front of some of the bombs dropped at Black Hat each year.

 

There’s a reason for the madness: Black Hat USA’s CFP is arguably the most competitive and grueling in the game. (I might be a bit biased on that one.) In the Black Hat USA CFP, there is a bias toward offensive, bleeding edge, innovative research, with a soft spot for 0day, code, and tool releases. And there’s going to be a lot of it.

 

Frankly, you will not catch it all.

You won’t even catch a fraction of it.

 

Here’s the kicker: Not all of it will be what you expected. When you’re out there on the edge of the envelope, some of the content will be years ahead of its time, and may not make sense. Some content may only be accessible to the most technical attendees, while other sessions are aimed at executive management—there is something for everyone.

 

Pick SOME sessions.

Be deliberate in your selection process. Some folks are driven (obligated?) to sit in a talk every hour … and that’s okay too.

 

Am I advocating you NOT doing that?

Yes—that is EXACTLY what I am advocating.

 

Someone has paid dearly for you to attend, and you should not be afraid to be fiercely protective of your time. (But please don't walk out in the middle of a session... if you can help it.)



The boss might ask, so here is my reasoning:

  • Humans are rarely great presenters. These topics are extremely technical, and speakers may not share your native language. (To be clear, very few speakers are not fluent in English). Taking the rich combination of highly technical information, fired at you faster than you can type by a nervous presenter, with the occasional *what the heck did they just say* moment— you’ll need time after the talk to figure out what just happened. It may be weeks, months, or years before you completely unravel it. (It also may be that the speaker is half genius and half insane, which is also okay!)
  • Your tribe is as much around you as it is up at the podium (if not more so). Listen closely to the attendee murmur and questions - don’t just seek out the speaker with your questions, target attendees you found fascinating or informed. THOSE PEOPLE are your tribe. They know about things you care about, they chose a session you chose, and were discussing/asking questions you share. (That said, don’t spook them- more on this in an upcoming post…)
  • You need the time and mental space to capture what you’re hearing. That means you need to be able to jot down notes, clarify follow-up items, shoot an email, and participate in social media conversations. If you don’t fully grasp what you saw, you won’t be ready for an after-event speaking slot sharing what you experienced. (Sound scary? That’s a thing. Be ready. Expect it.)
  • You might hear about a phenomenon referred to as “Hallway Con” — i.e. meeting and mingling with peers in the hallways of the event — and it is a thing you should invest in. At no other time (ALL YEAR) will this many InfoSec brainiacs converge to share. Take them to sessions, join them in sessions, or check out other parts of the show together.
  • THE TALKS ARE RECORDED. To be clear, that is NOT a reason not to go, you miss out on the people (seeing a pattern here yet?). Catch the talks you find most important or controversial— these stimulate conversation, and set the tone for the week, and many months to come. THIS is where you meet people. The stuff you found interesting you can watch back home with friends. Bet on yourself- buy the videos (or expense them, if you can)… or wait (what, 90 days?) until the videos get posted online.

 

So don’t feel bad about inevitably missing talks. It’s going to happen, either by accident or by design.

Sold? I hope so. Still debating? Fine. You’re an adult, you’ll do the right thing and play some hooky anyway (and we won’t tell anyone—it is Vegas after all!)

 

How to pick the right sessions.

Several schools of thought, and I’ll try to be brief explaining two of them.

  • The first and most obvious is capturing what is important to your day job and personal development (to prepare for your trip report), justifying your trip this year, and hopefully in the future. We’ll call this “Pragmatic Selection.”
  • The second is a bit more opportunistic, based on what’s available, looks interesting AND is feasible in your schedule. I’ll give an inside look into how I tried to organize the schedule… just in case some inside baseball helps. We’ll call this “Reverse Engineering the Schedule.”

 

Pragmatic Selection

When in doubt, this tends to be the session-picking criteria that a lot of people fall back on, and that’s fine. To do this, there are a few key questions you’ll need to answer here:

  • Which sessions at Black Hat will affect my employer and day job most?
  • The week after, when I get back to the office, which sessions will give me new perspective, making me more effective?
  • If my boss is a fan of specific work, what can I see that will give them FOMO for next year? (FOMO == Fear Of Missing Out, which might help guarantee your return trip, allocating budget for your boss and other teammates… you’ll be a hero. Trust me.)
  • Are there talks your team is already interested in?
  • What (talks|speakers|sessions) will inspire me or challenge my way of thinking, leading to personal growth?
  • <added> Go to a talk you are CERTAIN you won't understand. Osmosis learning is a good thing.


Answering these questions will narrow your selection quickly.

 

No doubt about it, this is a herculean task, so be absolutely ruthless in picking your 4 favorite talks.

 

Ruthlessness is important in the face of a dizzying array of options: The keynote, 13 hours of briefings content over two days, 9 tracks wide (not counting sponsored content, the Arsenal, and workshops!)

 

Point of performance: When you commit to a session, carefully choose a backup for that hour. PUT IT ON YOUR CALENDAR, including the backup and room info, with the abstract, and speaker bio in the notes.

 

Why all this talk about a backup? You’ll be prepared for the curveball others weren’t expecting—when two of your “must-see” talks land in the same hour, or when you show up for a talk to find it full. (Bet on it happening, more often than you’d think.)

 

Reverse Engineering the Schedule

By answering the question “What’s hot this year?” you can choose sessions using predictive migratory patterns.

 

TL;DR for this section: Figure out which rooms are the biggest. The talks you find interesting in the big rooms will probably be the hottest talks.

 

Look at the scheduling grid, the ‘x’ axis tracks rooms in any given hour, the rooms start small and get larger as ‘x’ increases. The bigger rooms are the talks the conference organizers are betting have the strongest draw, most interest— due to the size of the associated research tribe, star power, or the controversial nature of the content.

 

The ‘y’ axis represents the hour. Where possible, your content type (let’s say Exploit Development) should have only one session per hour. This is almost impossible to achieve with content types that have overlap, like Mobile and WebApp Sec.

 

On Content Tracks

Think of content types as “conference tracks” — they just move from room to room. (In smaller events, you’d have a dedicated room for conference tracks, but not at Black Hat).

 

I keep talking about finding your tribe. If there is a very specific piece of research that matters to your work or interests you in a unique way, there will be others drawn for that exact reason. GO TO THAT TALK.

 

Conference organizers take the track selections (let’s say 10-15 selected talks) and stack rank them for popularity, then move to the schedule grid.

 

Any given venue will have rooms ranging in size based on the needs of the event. Caesar's Palace, the previous venue, had 3 super large room options. Mandalay Bay, the 'new' venue, affords considerably more flexibility. At Caesar's, we placed the hottest talks in the large rooms, then populated the rest of the ‘tracks’ through the hours, based on their relative stack rank.

 


What about the “Power Hour”?

On occasion, you’ll have unavoidable conflicts where several hot talks, with strong presenters offering similar content types, hit during the same hour. Colloquially this phenomenon is called a “Power Hour”- speakers love and hate them, and feel like they are competing with friends, and missing talks THEY wanted to see.

 

Some say this is done on purpose, I leave that to your deliberation. As much as possible, organizers work with the Review Board to estimate the relative draw.

 

When one of the talks you want to see will hit during a “Power Hour” —get there early.

Seriously.

Fire code is the limiting factor, and safety is serious business.

 

Asking Questions

Questions asked should support the speaker, improve clarity, reduce ambiguity, and improve the audience relationship with the speaker. If you are new to this whole conference thing—and you’re not already there with 500 of your closest friends— I urge you strongly to think twice before speaking up.

 

  • If you aren’t 100% confident in the question you want to ask, you may be wise to take note of the presenter’s Twitter handle & email address.
  • Maybe ask the question of the speaker privately after the session ends.
  • Consider using your question to start conversations with other attendees.

 

In parting, I leave you the idiot’s guide to asking questions during a presentation (author unknown), see image at right:

 

If I’ve missed something, you have sage wisdom to add, or want to join the conversation—or even ask a question!—please comment or hit me up on Twitter.

~@treyford


Continue on to Part 3 of this series: Networking at Black Hat Like A Boss

...Or go back and read Part 1: How to Survive Black Hat


Want more? You can catch all the entries in the Black Hat Attendee's Guide series here.

Last week I attended a SINET event in NYC, one of those rare crossings of technology talent from Silicon Valley and other tech hubs, Wall Street security executives, and DC beltway leadership. Lots of thoughts, but this one has been on my mind for some time. Those that caught my BSides Nashville keynote have heard these thoughts.

 

A question was posed by a gentleman from DHS, “How do we establish and build upon a standard of due care?” His question is one that we as an industry are proving can be hard to answer.


I submit, for your consideration, that two forces will mature information security (or cyber security—choose your own lexicon adventure):

  • Information Sharing - Very specifically root cause analysis (try to picture the NTSB and aviation investigation report levels of transparency), and
  • Insurance - Actuarial-backed, data-science-powered case law, defining standards of “due care”


I, for one, am extremely excited to hear Mudge is headed to build a #CyberUL for the White House. (Read more on the CyberUL here.)

Good luck, let us know how to help!

 

As always, I'd love to hear your thoughts and feedback!

~@treyford

The topics: Controversial. The answers: Unfiltered. The alcohol: Plentiful.

 

I'm talking about Rapid7 Rapid Fire -- it's happening for a third time this June in Boston. Bonus: This year, it's totally free and open to the public, so please join us!

 

What is it?

It's a panel debate where we ask some big names in infosec to argue for or against a number of controversial topics in our field. To make things interesting, the panelists are often asked to debate a side of the argument they might not even agree with. These folks are smart and opinionated as it is, but to take things even further, we also ply our esteemed thought leaders with alcohol, because that's how we roll.  (Photo to the right is from Rapid7 Rapid Fire at UNITED 2013.)

 

Who's on the debate panel this year?

  • Josh Corman (CTO, Sonatype)
  • David Kennedy (CEO & Founder, TrustedSec)
  • HD Moore (Chief Research Officer, Rapid7)
  • Chris Wysopal (Co-Founder, CTO & CISO, Veracode)
  • Moderator: Paul F. Roberts (The Security Ledger, Security of Things forum)

 

Where & when: Boston Seaport Hotel (Boston MA), June 16 2015, 6 - 8pm (more venue info)

Cost: None, and no need to register or get tickets. Just show up!

 

More details:

Debate topics and the winners of the debate are decided by you, the audience, and the losers have to drink. (But let's be honest, the winners often join in anyway.)

 

Last time we did Rapid7 Rapid Fire (2013), some of the topics up for debate included:

  • The Wikileaks sentencing was fair/unfair
  • Vendors should/shouldn't be held liable for software vulnerabilities
  • Passwords as a control are/aren't obsolete
  • Anonymous (a la LulzSec) is/isn't dead
  • The NSA is/isn't being unfairly demonized in regards to Snowden

Remember: Panelists may have to play devil's advocate and argue for a position they don't agree with!

 


 

This debate has been a crowd favorite both times we've done it at our UNITED Security Summit. And yes, we are holding our UNITED Summit again this June -- and would LOVE for you to join us for the whole thing -- but Rapid7 Rapid Fire has been such a breakout hit that we're opening it up for free to anyone who wants to come, no registration required.

 

That's right: We're opening our doors to the security community and invite everyone to join us on the opening night of our UNITED conference for Rapid7 Rapid Fire, completely free. Did I mention there will be food and drinks, too?

 

Really? What's the catch?

None. Seriously. You don't need to pay anything or register for anything, nor will we subject you to a sneaky sales pitch somewhere. We also won't ask you to sign up on any kind of list. This is our way of trying to give something back to the local security community and to help foster robust discussions.

 

So come and network with your peers, grab a bite and a drink, and see a spirited panel debate that's sure to be fun and engaging. And this is in Boston in June, so we might not even have any snow! (No promises though.)

 

I leave you with the most important question of all: What should the panel drink this year?  We've had scotch and sake in previous years. For this year -- vodka? Rum? ...Jagerbombs!? Yikes.  Tweet your ideas at us using the hashtag #UNITEDsummit or send 'em directly to us at @UNITEDsummit -- we'll retweet the ideas and serve the booze choice based on your feedback. Things could get very interesting.

 

Cheers and hope to see you at Rapid7 Rapid Fire!

~ @mvarmazis
