Stop! Or My Mom Will Shoot

What does a bad 90’s movie have to do with information security? Well, not a lot as it turns out, but it does give me an opportunity to introduce something that came up in conversation at work recently.

One of the names for my role around the company has been referred to as the Chief Naysayer. Now, rest assured, this name was given with the utmost respect, as our team has an understanding of the importance of security and know that when I raise a concern about a potential security issue, it is really something we need to consider.

This actually got me thinking about the view that many people have of their information security department and staff. I believe there are many situations where we are viewed as the IT Police. Instead of laws, we run around with policies and guidance forcing changes to meet those needs and sometimes we can be rather confrontational while doing it.

I was joking with my co-worker, I don’t want to be the IT Police, I’d rather be the concerned parent. Instead of constantly responding with policy notes and making vague threats about what violating the policy will do, I’d rather make users stop and think to reflect on their actions. I envisioned the following exchange in my head:

Security Department: We need to implement these changes to our systems to ensure we can provide proper monitoring of our resources.

IT Engineers: Okay, but this will take a lot of time. We know our old colleagues at this other organization don’t do this, and they haven’t had any security incidents.

Security Department: Well, if your colleagues went and jumped off a bridge, would you join them?

I’m actually now waiting for the right opportunity in a business meeting to drop that line when we get into a conversation about implementing changes for security. So, why do I think this method of performing security is better?

  1. People do not respond well to being beaten over the head. The old methods some practitioners use amount to clubbing individuals until they relent to the policy makers' demands.
  2. The old methods usually entail presenting a series of worst-case scenarios to the users or implementation team in an attempt to scare them into adjusting their behavior or fixing an implementation.
  3. These kinds of relationships ultimately end up in others fearing you, hating you, or both.

By acting like the concerned parent, we can try to approach problems using the same kind of logic that our parents used on us as children. (Note: I am not saying that users or engineers are children.) The idea being to try to present problems to them in a way they can understand and help them come to the same conclusion we already have made based on the requirements of policy and years of experience.

In the end, the goal should be to act more as a partner, but when we need to take on a role of “authority” it is probably better to take on the persona of the concerned parent.

Star Wars even taught us that strength and fear are not the way to get compliance.


The (Not)Dating Game, Part 1

For several years, I toyed with the idea of doing a conference talk comparing job searching to dating. I never really fleshed out the ideas and basically let it slide onto a back burner; however, the more I think about it, the more I have determined that the idea is valid but may be best presented in blog form.

Today, most job searches are performed entirely online. Nearly 45% of recent job seekers have used online resources to perform that search [1]. While the percentage of people meeting their partners online is significantly smaller (~20% [2]), it is still the largest single method of meeting a partner.

Look at LinkedIn compared to your average social media and dating website. On both platforms, you build a profile based on your background. You find a suitable picture to make yourself look attractive to those who may search you out. In fact, most of what you put onto your resume (and by extension your or Monster profile) is built around attracting potential employers.

The similarities are so obvious to some people that someone had the idea to create a Tinder-style app for job searching, Switch.

Ultimately, the online dating and job search platforms are subject to the same sets of problems. Users of each are trying their best to make themselves look more attractive to their potential matches. This extends to the point of catfishing [3]. Where an individual's line is for lying to a potential mate versus a potential employer may be up for debate.

Obviously, there are means to avoid the catfish in employment (and in relationships), this is where the first date…oops, I mean, interview comes into play. We’ll get into those in the next part of this series.

Even with the extra steps, the online HR mill is designed to filter out candidates by pre-determined barriers, so it creates an incentive for people to stretch the truth (or blatantly lie) about their background, especially when many employers may never look into their applicant’s or employee’s backgrounds.

Is there a fix for any of the online job search problems? Vetting candidates is hard work, and while I suspect a decade or two ago recruiters did a lot of this work, the job hunt has really been reduced to a method of seeing as many candidates as quickly as possible and hoping you find something worthwhile. This may result in some good candidates never being seen and definitely results in some horrible candidates occasionally getting hired.

It can be hard for many people to sell themselves, and in many cases, people like that may wind up being the ones who suffer the most in this system.


Everyone else does it…

So why not me? Time for the annual set of #BadDefconAdvice and #GoodDefconAdvice to make the rounds, so I figured I should play the game in blog form.

Advice on Advice

“Be careful whose advice you buy, but be patient with those who supply it.
Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts, and recycling it for more than it’s worth.”

Anyone who remembers that quote without Googling it is at least as old as I am. The reality is that advice takes many forms. We all have had our experiences that drive it, so what may have worked well for one person, may not work well for another. Be sure to take this into account when you decide what advice to follow and which to not follow.

Codes of Conduct and Behavior

  1. Be familiar with the conference Code of Conduct and Photo Policies:
  2. Since you may have skipped the links, most CoCs boil down to:  
  3. If you see something, say something. Please do not take action on your own.
  4. If you are a victim, I hope you will feel safe enough to report issues to the appropriate conference staff.


Personal Well-Being

  1. Follow the 3-2-1 rule
    • Get at least three hours of sleep
    • Eat at least two meals per day
    • Take at least one shower per day
    • These are minimums; you may need more sleep, more food, or more showers
  2. Drink plenty of water
    • 2L (64oz) minimum, 3-4L recommended
    • Add extra water if you are drinking
  3. If you have anxiety, please take a break. They may be hard to find but there can be relatively quiet spots to go and not be surrounded by the hordes of people.
  4. If you are going to spend any amount of time outdoors, remember sunscreen.
  5. Be mindful of yourself, your surroundings, and those around you. (Keep your head up from the cell phone, keep moving in hallways, do not crowd together in choke points.)


This gets its own section because there is a lot of booze that flows during conferences.

  1. Know your limits and don’t let others pressure you into exceeding them.
  2. Maintain positive control of your drink. Never take drinks from strangers.
  3. Follow the buddy system (doesn’t matter who you are).
  4. Keep an eye on your buddy, and be willing to remove them from bad situations.
  5. Drink at least one glass (8-12oz) of water per drink, and preferably more.
  6. Don’t drink on an empty stomach.


Instead of a list of things to do and not to do, let’s look at what I plan on doing. I do not bring a laptop to the defcon floor with me. I have no need for one and unless you are doing a workshop or participating in a contest where one is required, you will not have much use for one.

I will be bringing my primary personal mobile device and taking the following steps:

  • All traffic is pushed out via VPN (even on cellular networks)
  • My standard messaging app is Signal
  • I purge old apps that I’m not using anymore
  • I update all apps and the OS before leaving home
  • I turn off WiFi, Bluetooth, and NFC on my phone.
  • I disable bluetooth on my Garmin fitness tracker
  • I carry chargers (battery and wall) to keep the device alive. VPN and the network connectivity issues in general will drain my battery quickly.
  • I do sometimes bring a “backup device” in the event that my batteries are all drained, no charging is available, and I have an emergency. This is a very low risk item.


I am sure I am missing a lot of stuff. Feel free to look through the aforementioned hashtags. Remember my original statement on taking advice, but to steal more from the quote's original source, trust me on the sunscreen.

The Un-[blank]-able Thing

In information security and hacker culture, companies and individuals will sometimes throw around the idea that they've created an "unhackable" thing. This sort of phrasing is always intended as a marketing ploy to tout their product's security. Ultimately, any product with this descriptor gains the extra attention of hackers, who laugh at the idea of a "perfectly secure" product.

This phenomenon is nothing new. Another related example we still hear about today is the unpickable lock. A quick Google Books search finds the phrase in the Supplement to Encyclopædia Britannica (ninth edition) from 1889[1]. Despite many of the "unpickable" locks being bypassed or picked in some way, we still see this phrase today.

We’ve heard the phrase unbreakable encryption thrown around in recent years when government entities have attacked the encryption methods used on electronic devices. Ironically, the items they claim are unbreakable are really, “Not broken yet.” People who understand cryptography know that the only mathematically proven unbreakable cipher is the one-time pad[2].
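The one-time pad's "unbreakable" label comes with conditions that are easy to lose in a marketing sentence: the pad must be truly random, at least as long as the message, and never reused. The following is an added example (not code from the original post) that shows both halves of that: a single ciphertext is consistent with every plaintext of the same length, so it is genuinely unbreakable once, and reusing the pad lets an attacker cancel the key out and read one message with a guess about the other. The messages, pad source, and function names are my own constructions for illustration.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def new_pad(length: int) -> bytes:
    """A fresh pad from the OS CSPRNG. The security proof assumes the pad is
    truly random, at least as long as the message, and used exactly once."""
    return secrets.token_bytes(length)


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """c = m XOR k. Refuses a pad shorter than the message: cycling or
    truncating the pad is what turns a one-time pad into a breakable cipher."""
    if len(pad) < len(plaintext):
        raise ValueError("pad must be at least as long as the message")
    return xor_bytes(plaintext, pad[: len(plaintext)])


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    """m = c XOR k; XOR is its own inverse, so decryption is encryption again."""
    return otp_encrypt(ciphertext, pad)


def pad_explaining(ciphertext: bytes, candidate: bytes) -> bytes:
    """Perfect secrecy in one line: for ANY candidate plaintext of the right
    length there is a pad that decrypts the ciphertext to it, so the
    ciphertext alone gives an attacker nothing to prefer one candidate over another."""
    return xor_bytes(ciphertext, candidate)


def crib_drag(c1: bytes, c2: bytes, crib: bytes, offset: int) -> bytes:
    """The failure mode: if two messages share a pad, c1 XOR c2 == m1 XOR m2
    (the pad cancels). XORing a guessed fragment of one message (a 'crib')
    at an offset reveals the other message's bytes at that offset."""
    combined = xor_bytes(c1, c2)
    window = combined[offset : offset + len(crib)]
    if len(window) != len(crib):
        raise ValueError("crib runs past the end of the ciphertexts")
    return xor_bytes(window, crib)


if __name__ == "__main__":
    # Constructed sample messages of equal length, so one pad could be (mis)used for both.
    m1 = b"ATTACK AT DAWN"
    m2 = b"DEFEND AT DUSK"
    pad = new_pad(len(m1))

    c1 = otp_encrypt(m1, pad)
    assert otp_decrypt(c1, pad) == m1

    # Without the pad, c1 is equally consistent with m2 (or any other 14-byte message).
    assert otp_decrypt(c1, pad_explaining(c1, m2)) == m2

    # Reuse the pad and it is no longer one-time: guessing m1 starts with "ATTACK" reveals m2's start.
    c2 = otp_encrypt(m2, pad)
    assert crib_drag(c1, c2, b"ATTACK", 0) == b"DEFEND"
    print("one-time pad: unbreakable once, broken on reuse")
```

The `pad_explaining` function is the whole argument for "mathematically unbreakable": an attacker holding only the ciphertext can construct a pad for any message they like, so no amount of computation narrows the candidates. The `crib_drag` function is the caveat that usually gets dropped when the phrase is borrowed for marketing: the guarantee evaporates the moment any assumption (randomness, length, single use) is violated, which is why real systems are "not broken yet" rather than unbreakable.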

Despite all this historical background to support the lack of an un-[blank]-able device, we still see this technological perpetual motion machine[3] being pushed. This week John McAfee offered $100k to break his unhackable crypto-wallet.

Like many products that claim to be unhackable, the details around the technology are vague at best. Everyone always claims some ‘proprietary technology’ that makes their solution unique to every one in the past. Reading the vague concepts behind the product, you can see how the claim tries to stand up, but there isn’t enough detail to make such a definitive statement.

This is where I think the problem with the un-[blank]-able thing ultimately lies. The item may be un-[blank]-able now, because the idea is something new or different from what people have seen before. This has historically been the case with the unpickable lock. Sure, the device that John’s team created may be “unhackable” now, but there is no guarantee it will stay that way and using the unhackable phrase puts a target on the device.

If you are interested in crypto-currencies, hardware, or security, I'd recommend going and checking out the challenge. The device is $120, and assuming you don't brick it in your attempts to hack it, you'll at least have a nifty new hardware crypto-wallet for your Bitcoin or Monero. If you just like to watch the world burn, take the $120 and send one to someone you think will enjoy breaking it.

Chopper reacts to the unhackable claims

So It Begins

Multiple times over the years, I have thought about writing a blog. The reasons have usually varied for why, but ultimately, I’ve always managed to find some way to talk myself out of ever producing any content.

There was always a different reason each time I failed to start anything, but the true reason always came down to some form of self-sabotage. My excuses piled up, and any attempts at trying to do something ultimately ended in futility or frustration. If I could remember half of the blog attempts and alternative Twitter accounts, the list would be enough to fill this post.

When I set out to start this again, I made the conscious effort to get out of my own way. This was not an easy task; I nearly never got the web page created. I fought over what publishing method I wanted to use, how I wanted to host the site, and started down my typical path of another incomplete idea never quite executed.

I eventually decided to just do things as simple as possible. Stop getting bogged down in decisions about software and themes and focus on the writing. This got me pretty far but then some lingering thoughts came back. I started to hear some of the same self-doubt as before creeping in and saying some of the same things I had heard before:

  1. I don’t have anything interesting or new to share, what am I going to write about?
  2. There is so much time involved and work, why do I want to do this?
  3. There is too much work and unfinished projects, when are you going to do this?
  4. No one is going to read this, do you really think anyone cares about your opinions?

Finding something to write about shouldn't be hard for me to do. Sure, I can easily focus on topics around information security, but I am not going to restrict myself to one topic. I will write about what has my attention and what feels important to me. There will probably be plenty of "off-topic" posts that will just be a way for me to clear my head. This really started to address the self-doubting voice asking "Why?".

It was clear that writing was a way for me to be expressive in ways that are sometimes harder for me to do verbally. I can take my thoughts, put them down, and share information and ideas with people in a way that allows me to focus my message on what I want to say.

Always that pesky voice (and the pile of junk from hobbies of years past) comes back asking me when I will do this. From my experience writing a weekly column for the student newspaper (15 years ago), I am aware of my need to capture thoughts when they occur. This may mean some weeks there will be five posts covering important topics and then there may be a week where there is no new post. My goal is to have one post per week, but I will not let that doubting voice creep in when I miss a week.

Doubt keeps yelling at me that no one cares about what I have to say, so what is the point in writing this? I decided that I was writing this for me. If other people read it, great! Even better if the information I share winds up being useful to others. I am not going to worry about page views; I will feel better knowing I've said my piece on whatever topic it is I write about.

I've done the one thing my doubt never let me do before. I've made my first post. Get out of here, self-doubt.