Former British Prime Minister Harold Wilson once said "A week is a long time in politics". He was referring to changes in the political landscape that come from left field and can have significant impacts to the order of things, often in a very short space of time.
Information Security holds a similar quality, however, in the case of our world we're talking about a day being a long time.
Where do we start?
Well, we start way back at BSides Manchester in 2017, where I was attending my first community infosec event and left feeling like an epiphany had occurred. It had and I've written about it. One detail of that day was that I attended Ian Thornton-Trump's talk on the future of our world and was blown away.
I came home and immediately followed him on Twitter (he courteously followed back) and I started to get a real feel for what was happening out in the hazardous ocean that is our industry. Winding forward a good few months, I was beginning to settle into the blogging life and starting to put out replies to various CfPs and was starting to get some acceptances.
I was also gaining confidence in interacting on Twitter, feeling more comfortable with sharing my thoughts, engaging in (sometimes robust) debates, while at the same time trying to keep things lighthearted and even fun.
This was the event that probably explains the origins of The Beer Farmers. I say event, it was a made up story that played out on Twitter, where I had delivered a really awful talk at a fictitious security conference in Mongolia, was being held against my will by the organisers and then my subsequent escape and Ian's attempts to rescue me from a horrible fate. This all happened in around July 2018.
As the story developed, John Opdenakker and Sean Wright started to chime in and apparently found the action packed yarn quite funny. This brought the four original members of the team together for the first time and ignited a dialogue (and friendship).
Origin of Beer Farming
Having become pals, we spent a lot of time discussing and often lamenting the negative vibe in the infosec community and began throwing about ideas of how we might help turn that situation around.
The Beer Farmers became a thing. I think I came up with the name, but I can't remember why. Sorry. I do remember that I looked at shit band names throughout history and decided that the name doesn't define you. The material / output does.
I gave a talk at BSides Manchester in August, by which time we already had a Twitter account and I was beginning to shitpost from it, with memes tailored to reflect current affairs (unhackable stuff, data breaches and whatnot) and it got some interest. We'd also appointed our then Head of Security, a certain Chrissy Morgan (having sacked the previous incumbent, Stu Peck) and our still employed manager, Bri Whelton.
We had a band and we had staff! But no real mission, to speak of.
What we did have though was an increasing following on Twitter, decent feedback on our online observations via the team account and we also saw an increase of our individual involvement via our personal accounts. It looked like we were gaining some validity as a 'thing'.
Around November time, we invited Andy Gill to join the band and thankfully he accepted. His arrival brought a perspective we didn't really have; life in the pen testing, red teaming world. Myself and the rest of the band know bits about it, but this is Andy's day job.
"Let's put a talk together and see if we get accepted at any cons" - greeted with "Yeah, sounds good".
So, with data breaches being a regular item in the news, it seemed sensible to consolidate our views and general observations on this topic into a talk and that's what we did.
'We take your security seriously'. This seemed like a suitable talk title, especially when the most used statement by firms after a data breach is telling users they do precisely that. The 'Or do we?' bit was added, for vaguely ironic effect.
Right, we had a talk theme and a title, but no content or structure. In keeping with most CfP replies, this was enough, so I submitted to BSides Leeds 2019. I'd applied individually to talk there at the 2018 event, but was unsuccessful. The great news was that Mark Carney (you know him better as Large Cardinal) gave me incredibly positive feedback, which meant that I'd really need to have been a complete spanner to have failed the cut another time. He liked the idea of The Beer Farmers, I pitched the CfP reply better and we got the talk.
With the nod from BSides Leeds, we had to actually put in some effort to prepare a talk that A. was worthy of a fine community conference, B. not seem like a shoddy gimmick (think BitFi) and C. delivered takeaways, or at least agitate thinking somehow.
Here's the video.
The talk went really well (you had to be there). It was a bit messy in places (the fucking infamous Voodoo People loop for a start) and the sound wasn't great, but there were five people stood around one microphone. That said, it was a packed room, people had a laugh, got involved and took stuff away.
We think it delivered against the stated objectives.
"OK, so this actually worked".
It had worked and a few people got in touch to actually ask us to submit to their conference CfPs. Quite astonishing really, especially for me. Prior to this talk, I'd done three previous public events, so to get effectively invited to things was seriously affirming.
So we put in replies to Dundee Abertay University Securi-Tay, Edinburgh Napier University Le Tour Du Hack, BSides Edinburgh, BSides London, BSides Bristol and BSides Liverpool. Oh and the much loved SteelCon in Sheffield.
We got those gigs. People had seen our manifesto and felt it chimed reasonably well with their events.
We also started to get involved with a Discord community known as The Many Hats Club and have delivered probably half a dozen live talks on there, some of which have been published as podcasts.
We gained momentum really quickly. Back in my music business life, I always judged a successful gig on whether the venue invited you back. We seem to be OK in that regard, at least for the time being.
OK, that sounds far grander than it actually is, but we effectively began a bit of a roadshow of our current talk, delivering to great audiences in Dundee, Edinburgh and Edinburgh again. I was born there, so that was particularly special.
It's important to point out that we were so well looked after at these talks, be it through organisation of lodgings or just on the day professionalism. It was knockout. It was the same at Leeds and to think these people run conferences on a (relative) shoestring, you wouldn't have known it. I couldn't do it. It's hard enough keeping The Beer Farmers in check.
Every vendor or sponsor you see at an InfoSec conference brings gear, flattering to their particular product or service. This is fair and is their opportunity to keep themselves in the consciousness of attendees, long after the event has finished.
We thought about this and decided that we should do something similar, but to remind people that The Beer Farmers are always #HereForYou. Just on the hashtag, I stole it from the Police, as it's used by many UK forces as a signature on their tweets. I'm sure they don't mind, because the sentiment by which we use it is the same as theirs - "We give a shit".
Because we're a 'band', musical things seemed sensible and because we pretended to be Blue Öyster Cult as part of our comedy PR machine, we thought cowbells and drumsticks were a fun thing to do. So, we produced a bunch and they were distributed at our earlier shows in the UK. They were very popular (if a little expensive to produce!)
Stickers. Techies <3 stickers, so we got a bunch of those made and continue to do so. It's lovely to see them adorning / defacing the laptops of people that have attended our talks and makes me feel very warm inside.
In terms of clothing, we had a bunch of t-shirts made and they were popular too, but the masterpiece, as far as I was concerned was the decision to have some hoodies done.
At BSides Edinburgh, we took to the stage directly after FBI Special Agent Todd Renner gave his opening keynote and happily he stuck around for our talk.
He also expertly trolled Ian and I (and The Beer Farmers generally) in his own talk. The reason for this was that in the pub on the evening before, we both playfully commented that (given his job) his talk would contain nothing more than a single slide, full of redacted information. His response was exceptional:
Now, everyone is familiar with the styling of authentic FBI fatigues, so we had a bunch of dark blue hoodies made that looked like this:
And here's a crap image of us wearing them in the company of BSides Edinburgh:
They were extremely popular and at the time of writing, only 20 exist in the wild.
Going forward, we'll likely just, er, stick to stickers as when we're funding everything out of our own pockets, it does become expensive. The whole swag thing has been fun though and hopefully people will remember it.
Because we've done so many conferences in the last six or so months, we've had the pleasure of meeting so many of the fantastic people that grace our community and industry at large. We've made a lot of friends and actually (this is important) opportunities have since presented themselves that would otherwise have simply not happened.
Quite literally, jobs have been created, careers advanced, business deals done and so on. Purely as a result of our involvement in the conference circuit and the friendships that has created. I'm about to take on five (paid!) interns in my team. This is in no small part because of the relationship founded in my attendance at BSides Leeds 2018.
Some of the people we've met have down right enriched us, challenged our assumptions, or simply become good mates; people we'll have a drink and a warm catch up with when we see them at the next event.
In one way or another, the story led to a mid-point in 2019 and an appointment in the UK's capital...
It's a tune by The Clash and its title harks back to radio callsigns used by the BBC during World War 2. The song itself is a dark tale of the breakdown of humanity, through various different scenarios. It's Armageddon-esque in its nature.
A possible analogue of information security, but I digress.
BSides London is probably the UK's largest community conference, attended by roughly 1000 people year in, year out. I delivered my first public talk ever there, back in 2018. It was a nerve-shredding experience, but one I'll never forget, for all the right reasons.
So, we got a slot at this year's event, by way of a public vote. Can't argue with that. We put in a CfP response, it got shortlisted and the people spoke. No election tampering involved. ;)
Meanwhile, we talked Chrissy into joining the band as a full time member, She accepted and we became a six piece outfit, strengthened further with additional experience and perspective.
We cracked on with our talk prep; slides were created, slides were binned, events came and went that we considered including, before abandoning them.
I also worked with Dan Card, our good mate on developing a Beer Farmers based CTF, which was fun, someone won it and got a hoodie on the day of the conference.
Beer Force Eight?
No, not one of our private aircraft - we only have Beer Force One.
Six members of the band on stage at the same time was gonna present a challenge to Cooper and his crew, we knew that. So, what did I do? Go and invite some more people to join us.
I knew Troy was in London that week (he was delivering a talk and collecting an award at InfoSec Europe), so I suggested we meet for beers. As it turned out, his 'down day' was June 5th - the day of the BSides London main conference. I then proposed he join us in our talk and he agreed. As Scott was accompanying Troy (they are an actual professional team these days), we got him thrown into the bargain. This was awesome.
We then set about working on how to bring them into the talk, make it not look like a gimmick and ultimately add value to what we were doing. We didn't really need to add much content tailored to those guys, as much of our content chimes with things they are already heavily involved with.
OK, talk prepared (even rehearsed!), everyone ready. Let's go to London.
That Was The Week That Was
Tuesday was the start for my workmates and I. A train journey down to London from Manchester. All booked and sorted. A taxi ready to take us to Piccadilly at 14:30, bite to eat, train at 15:55. A bit of a push to get us to the EU Blogger Awards on time, but that was my bad. Then something happened.
One of my team urgently messaged me. I say urgently, because he used WhatsApp, Teams and also SMS to get the message through. He was already in London and decided to collect what he thought was only his return ticket to Manchester from a ticket machine. It was a block booking for four people. He collected all of our outbound and return tickets in one press of a button.
Fuck, but actually...
Cancel the tickets the three of us can no longer use and organise a refund. That was Lucas's mission. I then booked us new seats on an earlier train that got us into The Smoke at around 16:30. This was much better, as we then had the chance to make a chilled trip across from Euston to our hotel, freshen up a bit and then take a leisurely walk to the Hand and Flower on Hammersmith Road. The Beer Farmers renamed the pub the Cup and Balls, because we're puerile sometimes.
Anyway, we got there! The EU Blogger Awards bash. Christ it was warm. Anyone in the room will agree. We went along, because A. it looked like a great evening and we knew loads of our mates would be there and B. because a few of us were nominated to receive an award. Chrissy took home a gong, as did The Many Hats Club, Troy and of course loads of other great people.
I also got to meet Jenny Radcliffe, whom I have a tonne of respect for and as it happens graciously accepted the offer of the role of Head of Security for the band, once Chrissy joined as an instrumentalist.
Earlier that day, 02:50 BST in fact, Troy had sent me a message saying he had press commitments on the Wednesday that concluded at 14:00 - the time our talk was scheduled to start. This meant that it was in all likelihood gonna result in a late show for him. I worried about this, as we'd promoted his involvement and ultimately it may have looked like a gimmick that backfired. Happily, when he turned up at the Cup and Balls, his press commitment had vanished and both he and Scott would be at BSides London well ahead of our talk.
So, The Beer Farmers all converged on the ILEC conference centre at various times. I was there fairly early, as was Andy. Sean rocked up not long after, as did John (John took a train from Brussels that very morning). Chrissy and Ian showed up slightly later. Chrissy can explain why she turned up late in her own time [Spoiler: wazzed].
John, Sean and I went for a decent coffee down Lillie Road, while Andy went off to InfoSec Europe to catch up with his Pen Test Partners colleagues, but the instruction for all was this: be back at the venue for lunchtime. This was to allow us to spend some time with Cooper and his people, working out the sound, stage positions and the like.
We had a bit of a laugh doing this 'soundcheck' "Can I have more cowbell in my monitor please?" and stuff like that, but I was genuinely worried. We'll have up to eight people on stage at the same time, all chiming in with points and the video only has a portrait view of any given speaker. But then you realise that Cooper is the man with the cam and those worries just slip away.
After soundcheck, we went and ate lunch and then not long after that, Troy and Scott appeared. Beer Force Eight was assembled. A few pre-flight checks ensued and then it was time to go and do our thing.
Now, we knew that some of the appeal of our talk was the participation of both Troy and Scott, but we also knew that our previous talks had been delivered to fairly large audiences. Remember what I said earlier; their involvement was intended to add value to our messages, rather than to be a gimmick.
Have a look at the recording.
It went extremely well. A mixture of fun and serious messages. That's precisely what The Beer Farmers are all about. We're all InfoSec professionals in one shape or form, we all have anxieties and aspirations, and we're all on the same team. We also stick to our original philosophy that there's too much dark shit going on in our industry and we as a team want to help make things better, through a combination of giggles and focus.
We'll refine as we go, but will hold true to those principles. If you're wondering what the audience looked like, then here you are:
The place was rammed.
After our talk, we spotted some more of our friends, in the shape of Jess Barker, FC, Zoe Rose, the army that is The Many Hats Club, various people from the university hacking societies up North we'd done our talks at and we had beers. It was super cool.
Personally, and it may be my age, but I get a bit knackered after delivering talks, so made my apologies early evening and returned to the hotel with my colleagues. We ate and retired to our rooms. I spent the remainder of the evening reflecting on such an epic day in my InfoSec life, the life of The Beer Farmers and hope that what we're doing is making some kind of material difference to the World.
I sincerely hope it is. I cheekily think it is. We've had a busy six months, so now we're working out what to do next. We have further conference engagements and a fresh talk. We're not splitting up any time soon.
A day is a long time in information security.
Thanks for reading.
If there's an overarching feeling of pride and friendship that I can share, it's in these tweets:
The culmination of a lot of effort by a bunch of extremely dedicated and caring people and for that I will always be grateful.