Nae bother. Another BSides!

I've written before about my experiences at InfoSec conferences, and last week I attended another. Here's my take on BSides Scotland.

Nae bother. Another BSides!

I've written before about my experiences at InfoSec conferences, and last week I attended another. Here's my take on BSides Scotland.

[Spoiler] It was a whopper.


If you've read my previous posts, you'll know that I first attended an InfoSec conference last August (BSides Manchester), I wrote about that here, but the key point is that it changed my life.

The reason for this was that having spent a few years in the industry, it was the first time I actually felt part of the community that lies inside it. I met some great people (many of whom are now friends I hold in high regard) and some of the things I learned really made me think and then operate differently.

Since then I have found the cojones to write these blog posts, become more engaged in social debate around InfoSec and indeed thrown in a bunch of applications to speak at conferences, thus far unsuccessfully, but I'll come to that in a bit.

So, imagine my delight, when I received an email from conference organiser Marion McCune letting me know that I had been selected as a reserve speaker for BSides Scotland. Now, I'd already had a close shave for selection by BSides Leeds (my talk didn't make the cut for the day, but I was invited by Large Cardinal to give a lightning talk at the pre-conference party). For me, all positive steps forward. I wrote about BSides Leeds here.

Anyway, armed with this nod from my fellow Scots, I actually finished up my slide deck and sent it to a few pals for their feedback. I got some great tips and took most of them onboard. My presentation was all set and I was happy with it.

I wasn't likely to be speaking, simply because I've learned that InfoSec gigs tend to have a low dropout rate (makes sense, as IMHO dropping out might cause an organiser to be disinclined to have you back!). That said, I put my head in the space where I might be and took my preparation seriously.

The run in

Of the things I was excited about, meeting my pals was up there, as was going home to Scotland, where I was born (albeit in the fairer city of Edinburgh ;)). I was of course also looking forward to meeting new people, hearing new stuff and having my assumptions challenged.

Anyway, to Glasgow!

I'd just like to call out my firm's Learning & Development crew and one colleague in particular, who smoothed out all the creases in terms of getting me there and back, as well as sorting me with accommodation and whatnot. A very clean operation, which allowed me to simply focus on the enjoying the event, rather than be distracted by logistics.

The evening before saw a pre-conference get together happen, at the Metropolitan Bar in Glasgow's Merchant City. I arrived a little early, so hung around outside until what appeared to be fellow BSiders rocked up. We seemed to recognise each other, which was great.

The evening was really enjoyable; an opportunity to meet the organisers Marion and Rory McCune, as well as Rory Alsop. As a reserve speaker I was extended all the courtesy of a first choice player and I won't lie, it felt superb. Like a step up for me. I got to meet some awesome new people, such as Paul Johnston / PAJ (whom features later), as well as catching up with folks that have become friends more recently, such as Jess, FC and Phil Kimpton (again, featuring later on).

Free beer n food and a good few chats later, I took my leave and returned to my lodgings.

P.S. Cooper (appears later) even recognised me "Oh, you're AppSecBloke". This made my evening.

BSides Scotland

Registration opened at 07:30, but I was having none of that, so got out of bed at that time. :D

All sorted, I took a nice walk along Argyle Street and then up Buchanan Street to the venue; The Royal Concert Hall.

Here's the view down Buchanan Street:


Strangely, the further North I travelled from home, the better the weather got and for the few days I was in Glasgow, it was mild and dry. That's the strange part.

Anyway, all booked in and with (speaker) swag in hand, I took myself into the Strathclyde Suite for the welcome speech and opening keynote.

Oh, and the swag:


A cool tee-shirt, a small bottle of whisky and a wee box of sweeties. There was also a can of Irn-Bru™ in there, but being in Scotland, I drank it at breakfast, as is the custom.

So, Rory McCune opened proceedings ably and then handed the baton to Paul Midian, CISO with a large UK retailer, who gave his insight into what it is to be in the role; difficulties in getting buy in around security concepts in organisations, the seemingly endless war of attrition that rages between 'the business' and those striving to keep it secure, inevitable budget pressures and so on. It was an interesting look through the keyhole at that operational level within InfoSec.

Paul took a straw poll to establish who in the room (of probably 400+ people) aspired to the role of CISO and there weren't that many hands raised.

Next up was a talk that attracted me purely by its title: 'Internet of Death'. This was delivered in a double act style by Andy Gill and Brian Higgins. The talk looked at the feasibility of carrying out an actual murder using the internet as the primary weapon. A really novel concept, but with plenty of its roots in reality.

What made the talk really engaging was the combination of Andy's straight talking, sweary angst, blended with Brian's arch-criminal overtones, often dipping into the stream of consciousness delivery I recognised as a characteristic of Eddie Izzard. It just worked, it was fun, yet had a fundamentally important takeaway; this could actually happen, if it isn't already.

It was a packed talk and got a well-deserved reaction from the audience. If they give this talk at a conference you're attending in 2018, I highly recommend you go along.

My mate Phil Kimpton then gave his talk entitled 'Soldier to Cyber'. This is one I'd already seen at BSides Leeds back in January, but I wanted to see it again, as the key message Phil wants you to take away from it is that a career in InfoSec is there if you want it and that you just need to declutter your life in order to focus on getting there. This advice could apply in any context, but as the question "How do I get a foot on the InfoSec ladder?" is a very real thing, a talk like this is solid gold in helping provide some answers.

In my own firm I'm in the process of coaching / developing people into being 'InfoSec enabled', so this very much chimes with me.

Like me, Phil's relatively early on in his career in our industry, but he's hit the ground running and peddling his brand of wisdom will help many, I guarantee.

Andrew Scott then provided his clearly expert insight into what it takes for a wannabe H4X0R to become an effective pen-tester, on the payroll, doing cool stuff and earning big dollar. The talk didn't directly apply to me, but it is a question I get asked many times, so it provided me with plenty of helpful ways to answer it going forward.

Things to do. Things not to do. Like Phil's, it was basically a hack your career talk and I expect many in the room went away considering new strategies aimed toward securing gainful employment.

Paul Johnston / PAJ then gave a demo that rang true for me; how to hand back to a developer the results of a pen-test that allow them to replicate them. This happens all the time. "Well, we found a SQLi / XSS vuln during testing", only for the reply back from developers "Can't see it at our end, mate!"

PAJ took us through how Burp handles that by effectively packaging up the exploit into a tidy file that can then be shipped with the report back to the developers, allowing them to easily replicate it. Brilliant! I'm a Netsparker advocate (and yes, I know Burp and Netsparker do different things!), but I was so impressed by this I nicked it as an idea to put forward to Netsparker. :)

Paul also has an infectious personality and I found him really good company during the pre-conference shindig. He's clearly a popular member of our community.

I then went and did some work in the café, which someone (rightly) had a go at me about, but it was nearly lunch time and security never rests, right? :)

After lunch, I sat in on Dan Raywood's talk about the state of the InfoSec industry, in terms of bums on seats (people in position). Dan took us through myriad statistics about career interest areas and showed that the struggle to get people into our world is going on and on. And on.

As a side order, I gave a talk to a bunch of year 10 students (aged 14-15) on the cybers and the abovementioned inevitable question was asked - "How do I get a foot on the InfoSec ladder?". I answered in two parts; there are jobs aplenty, so don't worry about over-subscription or market saturation (the saturation is there, but it's vacancies!). The second part of the answer was basically to show passion in the subject, but use whatever vector is available to you; tech support, IS, cleaner whatever. Do some learning of the basics, gain some experience and then just dip your toe in. The rest will come!

OK, on to Neil Lines. I love Neil, he knows his stuff and has a unique presentation style.

He presented a talk called 'The Insider', which effectively covered a day in the life of a social engineering engagement. The difference is that it was a monologue backed up with slides, which felt like the InfoSec equivalent of Bob Dylan's 'Subterranean Homesick Blues' (Google dat).

Neil's previous talks have covered remote social engineering, but this time he walked the audience through physical attacks, how he plans and then executes them. It was fascinating stuff, delivered in his customary light speed way.

People like Neil light up conferences, because you simply don't have time to think during his talk, he just sweeps you along in his story. It feels like mayhem, but you very much get everything he's saying. It's great.

What's in a dildo? Well, these days a lot more than just weapons grade plastics and a battery, I can confirm. Sex toys are internet enabled. That's right folks.

As Mikko said:

Hypponen's law:
Whenever an appliance is described as being "smart", it's vulnerable.

So, who better than Ken Munro and Andrew Tierney to take us through a rampant demo of how easily these things can be compromised and turned against the user (wearer?).

Take a seemingly harmless(!) butt-plug, hack it and then control when it's on and how powerful it can be ramped up to and you start to see an uncomfortable (if not dangerous) outcome for the user.

They hacked it, they turned it up to 11, they shorted it out and... well you get the idea.

As fun a demo as this was, the key message was clear. Vendors are giving little or no consideration whatsoever to the security of the 'smart' devices they're drenching the market with and unless they do, there are likely to be some pretty horrible consequences.

During QnA, Jess Barker asked a brilliant question about the legal considerations of hacking sex toys; basically should we expect legislation to be amended to acknowledge such an attack as being nothing less than a sexual assault. No one had the answer, but it's certainly a bloody good point.

OK, on to Jess's talk - the last of the day for me: 'The Importance of Being Ernest and Optimistic'.

I first saw Jess at BSides Leeds, where she talked about overcoming FUD, in order to move on in your life in a positive way, do the things you want to do, achieve great personal things and so on. This was along similar lines to that.

As I've said in previous posts, Jess comes at InfoSec from a behavioural perspective, trying to understand the psychology of the people in the industry (and those outside of it). She and FC form the consultancy outfit Redacted Firm, which essentially cover both the tech and human bases of what it is we all do.

Her talk was all around highlighting the positive aspects of life in InfoSec, rather than getting bogged down in the negatives.

"We beat the optimism out of people with facts".

Nope. Stop doing that.

"Optimism is more powerful than facts".

If we talk in these terms, we grow optimism, we earn engagement and we garner support to improve things. This is good, right?

When I talk about InfoSec at work, I always try to avoid using language that suggests impending doom, etc. It simply doesn't work. Frightening people into action does not work. It creates inertia. It feezes people. Years can pass!

Using positive language has a far better effect, in my own experience.

Jess's talk confirmed this for me, so I'll happily continue with this school of thought.

The end

Well, not quite.

After Jess departed the 'stage' there was just time for the closing remarks and prize giving. There had been a couple of challenges set by the organisers; decryption of some dodgy RC4 and hacking of a drone. So various people deservedly stepped up to collect their prizes. Just some fun to end the day with.

As I mentioned right up at the top of this post, my applications to talk at conferences have been whizzing in. In addition to my experience at BSides Scotland, I've since been offered gigs at Securi-Tay Dundee and BSides London. Needless to say, I'm over the moon! I'm not about the celebrity. I don't want to be an 'InfoSec Rockstar' but I do have plenty of experiences I want to share, that I think others might benefit from and that's what drives me.

What about Cooper?

Cooper is an ubiquitous presence at all of the great conferences I've attended in the last year and there's a reason for that. He's one switched on operator. He provides the A/V recording of talks and is the reason there are videos embedded in this post.

Conferences rely on the people (often an army) managing the planning, logistics, publicity and running of them, in order to be a success. If you are to prove your event ever happened and make its messages last a lifetime, you need someone like Cooper handling that. He does it well. Very well, so gets a well-deserved shout out for that.


I loved it. There you go.

More specifically, I loved the location, the vibe, the people, the talks, how amazingly welcome I was made to feel (even as a substitute), the fact I got face to face with people I only knew via social media and above all, the sense of community YET AGAIN that I took from my first BSides, back in August last year.

I have no plans to attend any of the 'big' conferences any time in the near future. I'm not being all dissident about that, it's simply that I feel I get all the nourishment I need from the community events, and as Billy Connolly would say... "That'll do me!"