Attending InfoSec Events
... and why it makes me feel part of something important.
Introduction
Before I go on, let me explain why I chose the header image that accompanies this post. For me, it's a representation of people from different places, or areas of similarity, but they're connected in exactly the same way, or by exactly the same thing, be it aspiration, anxiety, or whatever.
InfoSec events are exactly the same; people from completely diverse backgrounds travel to some sort of nexus point, because they all feel the same. They care about a common subject, or goal.
It's a draw, a pull. If you've seen Close Encounters of the Third Kind, you'll perhaps vaguely understand. You don't necessarily know why it's important, but you just know you have to be there.
OK, enough of the philosophy :)
What happened
In August 2017 I attended my first ever InfoSec event, which was BSides Manchester.
I signed up for it, because it was free to attend. That made it easy to book my place, but I still needed to explain to my boss why a day away from the job was justified.
At around the same time, my personal development was on the agenda and it was agreed that attending relevant industry events was appropriate to keep abreast of the goings on in information security. I'm still not entirely convinced by this, as many events are a mix of clever people opening your eyes, combined with companies selling you the solutions to all of your problems.
Going back to my time as an industrial automation sales engineer, I went to similar expos, I stood on those stands, gave out cheaply sourced 'swag' but it was with the express purpose of making money.
Hence my initial scepticism.
In any event, it was in my calendar and I was going. The conference was held at Manchester Metropolitan University's business school. As it was free, my expectations were pretty low; turn up, some people speak in rooms the Uni doesn't need and then we all go home.
I was completely wrong.
Upon arrival, I was quickly 'checked in' and sent to a row of tables, manned with people giving away said swag. A t-shirt, some booklets, some other bits and pieces, either flattering to the organisers or their various sponsors. From a brief wander about, I noticed that NCC Group, PortSwigger and indeed Netsparker were there, all promoting their products or services, all giving away free shit. No problem with that.
My bag was full, so off I went to the first talk.
Red Team
It was entitled 'A Year In The Red' and was presented by Dominic Chell & Vincent Yiu. These two guys do red teaming for a living, and so their talk was all about that. They talked about breaking into your Microsoft ecosystem, being who they aren't in Office365 and pretending to be your friend via Skype for Business. And then breaking into your business. All brilliant and informative stuff, delivered by a pair of blokes that care about your InfoSec wellbeing.
That set the theme of the day for me and I began to realise that me being there was important.
Responsible Disclosure
Next up was Victor Gevers, a Dutch chap that has built his profile by finding problems in information systems (everywhere!) and then telling the owners, rather than pasting it all over the internet. That's very cool and also very grown up. Hackers might not do that, but people like Victor will and it gave me plenty of ideas about how to invite responsible disclosure of web application vulnerabilities in our systems and it's something I'm working on right now.
Victor's cool, seems to keep flirting with the idea of retiring, but really shouldn't. He's helping keep the internet safe.
Echo Chambers in InfoSec
Colette Weston gave a talk and it was powerful and resonated with me. It wasn't a talk about information security per se, rather it was an investigation into the plight of individuals trying to get into the technology industry, in particular females, or anyone that frankly isn't a white male.
It took me back to my early days as an engineer, when men where men and women were receptionists.
There's a lot I'd like to write about on this subject, so I'll do so in another post, but for now I'll say this - poeple aren't respresented properly in technology and it's shit. It's men, men and more men (largely).
Bypassing Email Security with Malware
Let me introduce you to Neil Lines. He spends his days crafting malware that bypasses your Bastians, your SmartHosts and whatever other email filtering systems you have in place. He's fucking adept at it, as his presentation demonstrated. It was electric, partly because he's a fast moving guy, but also because he demonstrates the ease by which he does what he does.
If you think your email malware or spam filtering is awesome maybe speak to Neil, because he'll show you how it isn't and maybe offer up some great advice.
Ian and Charl
I've decided to compress this into one section, because Charl and Ian both gave similar testimonies, or at least both described our here and now and what we can expect next.
Ian was first, a Canadian with a great presence of mind and presenting capability. He took us far out into the future. He talked about ransomware, IoT chaos, nation state nastiness, a divided internet and fake news being the downfall of common sense. It was excellent and I think everyone in the room came away thinking one of two things:
A. We're doomed, I need my blanket.
OR
B. I'm not having this shit. Let's do something about it.
Here's Ian in action:
Charl's talk was similar, but included some signal examples of how our life is being changed and actually eroded by people on the wire, or off the wire, that want to distort our reality, ruin our security or pretend they care about us and want to protect our security, when they simply want to intrude.
Fake news. Look out for it, because it's all over your brain.
The detailed technical talks were superb, but the talks that made the connections with our life as humans were what made it special and for that the speakers and organisers deserve a lot of respect.
So, the importance?
With BSides being my first event, I had the aforementioned reservations about its value. Again, I missed the target.
Everyone I met was there for the same reason I was; making technology safer, making people safer, preserving privacy. It was my kinda gig.
I felt at home throughout the event. Every single individual I spoke with seemed to be in my gang, or I was in their gang, whether it was around a discussion about safer web apps, or email security or getting more people into the industry, I just felt part of a movement that I want to be in and help drive forward.
I'm now friends with a great deal of the people I met at BSides and I feel that's a testament to how much of an effect it had on all of us.
It was a day that shaped my life.
Mike.