I got my first computer back in the mid-80’s, a few years after I started playing and programming in the back half of elementary school. It was a shiny new Commodore 64 a friend of my Mom’s gave me – we weren’t financially lucky enough to afford one ourselves.
In retrospect, I probably owe that man more than anyone else outside family.
I quickly fancied myself a ‘hacker’ because, after getting my first modem, I was mentally capable of logging into bulletin board systems with the word ‘hack’ in the title. As with most things in life, I had no idea what I was doing.
In college I played with tech, but emergency medicine, martial arts, NROTC, and other demands ate up my time. Even when I started working in tech professionally, in the mid-to-late 90’s, I never connected with the 303 crew or any of the real hackers surrounding me. I was living and working in a bubble. I knew I wasn’t a real hacker at that point, but you could call me “hacking curious”.
Fast forward to two weeks ago at Black Hat. Thursday morning at 8:22 I woke up, looked at my phone, and realized I had missed 2 calls and a text message from the Black Hat organizers. I had spent the weekend and first part of the week teaching our cloud security class, and had, at some point, agreed to be a backup speaker after my session pitch didn’t make it through the process. I figured it was a sympathy invite to make me feel good about myself, one that would never possibly come to fruition.
Nope. They offered me a slot at 10:15 if my demo and presentation were ready (based on this software defined security research). Another speaker had to pull out. I said yes, forgetting that it wasn’t ready, because I broke part of it in the class. Then I pulled up my slides and realized they were demo slides only, and not an actual session and concept narrative. Then I went to the bathroom. Three times. Number 2.
I managed to pull it together over the next 90 minutes, and made my very first Black Hat technical presentation on time. The slides worked, the demo worked, and after the session I got some major validation that this was good research on the leading edge of defensive security. To be honest, I was worried that it was so basic I would be laughed out of there.
It was a career highlight. A wannabe script kiddie from Jersey managed to hold his own on the stage at Black Hat, with 90 minutes’ warning. I can’t stop talking about it – not because of my prodigious ego but because I’m still insanely excited. It’s like being the smallest kid on the football team and, years later, finding yourself in the NFL. Except a lot more people have played in NFL games than have spoken at Black Hat.
I am a very lucky and thankful person.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Mike in SC Magazine on the Trusteer deal.
- Adrian on mainframe hacking at Dark Reading.
- Dave Lewis: Hitting The Panic Button.
- Mike and I are both quoted by Alan Shimel in this article about whether we would want our kids to work in infosec.
- Another one from Mike in Dark Reading on Innovation at Black Hat.
- Mike’s column in Dark Reading: Barnaby Jack & the Hacker Ethos.
Favorite Securosis Posts
- Mike Rothman: Is Privacy Now Illegal? It depends on who you ask, I guess. A thought-provoking post from Rich.
- David Mortman: Rich’s Incomplete Thought: Is the Cloud the Secproasaurus Extinction Event? And Are DevOps the Mammals? Betteridge’s law does not apply.
- Rich: Credibility and the CISO. Yup.
Other Securosis Posts
- Research Scratchpad: Outside Looking In
- Incite 8/14/2013: Tracking the Trends.
- HP goes past the TippingPoint of blogging nonsense.
- Incite 8/7/2013: Summer’s End.
- Continuous Security Monitoring: Migrating to CSM.
- Continuous Security Monitoring: Compliance.
- Continuous Security Monitoring: The Change Control Use Case.
Favorite Outside Posts
- Mike Rothman: Godin: More Gold on Human Behavior. “Your first mistake is assuming that people are rational.” LOL. He must be a part-time security person…
- David Mortman: “Big Filter”: Intelligence, Analytics and why all the hype about Big Data is focused on the wrong thing.
- Dave Lewis: NSA “touches” more of Internet than Google.
- Rich: Unsealed court-settlement documents reveal banks stole $trillions’ worth of houses. Crime takes all forms, and justice doesn’t apply equally.
- Mike Rothman: HowTo: Detecting Persistence Mechanisms. Figuring out how your Windows machines are pwned is critical. I learn a lot from this cool windowsir blog. This post deals with detecting new persistence mechanisms.
Research Reports and Presentations
- Defending Cloud Data with Infrastructure Encryption.
- Network-based Malware Detection 2.0: Assessing Scale, Accuracy and Deployment.
- Quick Wins with Website Protection Services.
- Email-based Threat Intelligence: To Catch a Phish.
- Network-based Threat Intelligence: Searching for the Smoking Gun.
- Understanding and Selecting a Key Management Solution.
- Building an Early Warning System.
- Implementing and Managing Patch and Configuration Management.
- Defending Against Denial of Service (DoS) Attacks.
- Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments.
Top News and Posts
- Every Important Person In Bitcoin Just Got Subpoenaed By New York’s Financial Regulator.
- 2003 Blackout: An Early Lesson in Planetary Scale?
- Cisco readies axe for 4,000 employees.
- Assessment of the BREACH vulnerability.
- ‘Next Big’ Banking Trojan Spotted In Cybercrime Underground.
- How the US (probably) spied on European allies’ encrypted faxes.
- Researcher finds way to commandeer any Facebook account from his mobile phone.
- Crimelords: Stolen credit cards… keep ‘em. It’s all about banking logins now.
Blog Comment of the Week
This week’s best comment goes to Marco, in response to Incomplete Thought: Is the Cloud the Secproasaurus Extinction Event? And Are DevOps the Mammals?
I think this is a valid point. My take on it is that, whether we like it or not, external compliance requirements drive a majority of security initiatives. And seeing that e.g. PCI DSS is still trying to react to internal virtualization gives you an idea of how up to date that is. Simply no big driver from either of the big compliance reqs yet. Should we be OK with it? Obviously not, and organizations that understand that security needs to be handled like any other business risk are working on setting up cloud usage in a secure way. But as we all know, a lot of organizations ‘don’t get it’, and to be honest a lot of security professionals don’t either.