(Not Just) Another InfoSec Conference
So, I've written before about attending InfoSec conferences, how they roll and make me feel. Here's my take on BSidesLeeds.
Introduction
Back in August 2017, I attended BSidesMCR (Manchester, UK) and in the post I wrote about it, I described it as quite frankly a life changing event. And so it was. You can read all about why in that post.
High on the vibe that followed that event, I decided to submit a talk to BSidesLeeds (Leeds, UK) for consideration, which was subsequently unsuccessful. You can read about that in this post. I was going anyway, so the only difference was whether it was as a speaker, or a fee paying punter. Either way, I was looking forward to it.
A few of the friends I made at or after the Manchester event were speaking, so I had a pretty good idea what the day would be like. There were also a number of people I hadn't heard speak and I was excited to soak up their testimonies, too.
It was also an opportunity for me to bring along a colleague from my firm who's keen to become more involved in information security. Based on my own experience, a BSides gig seemed an obvious place for him to start.
The build up
After my application to speak was unsuccessful, the principal organiser Mark C. gave me some really helpful feedback, but also some insight into the size of the task involved in putting together such an event. To say it appeared challenging would be an understatement. Of course, for a conference to succeed you need a venue, speakers, sponsors, helping hands (g00ns), punters and then the equally important caterers, web developers, graphics people and so on. Logistically it's a real headache. It relies of course on great organisation, but also a hell of a lot of goodwill, patience and dedication.
In the weeks preceding the event, the chat ramped up and the mirth duly started flowing. I got the impression that any of the stress of organising such an occasion was slowly giving way to the more positive energy of eager anticipation. Some of the banter on Twitter was great.
A couple of days before the event itself, Mark contacted me with an invite to deliver a lightning talk at the pre-event party, which was incredible. The bad news was that I was unable to make it. This was frustrating, but I felt better knowing that I was still going along to the main event.
The day itself
A 06:15 start (from Manchester), because there was no way on Earth we were missing out on a Maccies breakfast ahead of proceedings. The M62 was relatively clear, so we arrived in good time to get properly rinsed by the carpark fees at Leeds city station. That aside, we descended on Maccies and enjoyed some McMuffin goodness.
The venue for the conference was literally a two minute walk from the station, which was excellent.
Even though I'm now Manchester based, I grew up in and around Leeds, so it was like coming home for the day and there were more than a few emotions. 35 years of memories sloshed about, some of joy and some otherwise. Anyway...
Coffee and last minute nicotine out of the way, it was into the Herringbone Suite for the first talk of the day. A packed room. 325 or so people, according to Mark, who dished out the housekeeping detail. "If there's a fire and the alarm sounds, keep up with me". It's a chestnut, but he pulled it off.
Jessica Barker and freakyclown (real name FC)
The topic of this keynote was fear, uncertainty and doubt, or 'FUD'. Specifically, it covered fear. What it is, how it paralyses and leads to inaction. In the context of InfoSec, the message was simply that scaring the shit out of people with what might happen isn't necessarily a useful method of getting them motivated to want to prevent it.
Early doors in my own career, I was heavily drilled in pragmatism, the actual likelihood of stuff happening and the realistic threats or outcomes should that something happen. What Jess talked about rang true and I hope it did for everyone else in the room. You have to assess risk. Don't overcook it, especially when you want people's attention and then emotional and ultimately physical investment.
Then FC stepped up and shared some fairly gritty (and frankly upsetting) parts of his life as a child:
- A fear of water: From his father taking him out in a boat and holding his head under the surface of the lake.
- A fear of heights: From his father hoofing him down a flight of concrete stairs. He has a part of his skull missing still, from that lesson in being a man.
I wept at that, although no one noticed. Mostly because I despise the 'justice' meted out by bullies and self-styled authoritarians, but also because I got a fair bit of whacking too as a kid, for having sticky out ears. I'm also a father to a beautiful bunch of children and the thought of them ever coming to harm makes me feel ill.
So, FC set out his stall with grim honesty, but he also demonstrated how he tackled his fears:
- A fear of water: He got the hell in the water, swam and even had a picture taken.
- A fear of heights: He got in a plane and actually flew it. He also went up in a plane with 200 or so other shite scared flyers and came back to Earth safely.
Proactive steps to confront his fears and interestingly, he also looked up the actual risks associated with these activities and that helped confirm that despite the diabolical machinations of his father in a previous life, his risk of harm from both water and flying was and is actually quite remote.
His bravery in discussing some really dark parts of his life moved me, but also motivated me to stop fretting on the things I can no longer influence or change. My past. I can however make positive steps going forward.
This talk was in an InfoSec setting, but the narrative of it applies to all walks of life, no matter who you are or what you do.
It was great. Here are the pair of them, hanging out:
My kinda thing this: Clustering web attacks, using machine learning. More maths than I can usually get my head around, but the idea is that you use AI to discern and handle attacks based on what they are, where they're coming from and so on.
I do this as part of my job; I look at HTTP requests, dissect them down to user agent, URI, GeoIP location and target and then build rules that then get applied to your WAF technology. This all works fine, but the fleshy 40 something in the process makes it rather less than perfect. At the time of writing, I do this manually!
Gilad demonstrated how to effectively snare attacks and place them into categories, which in turn can be fed into whatever dynamic controls you have in place to bounce them off. All using maths.
It was a superb demonstration and I learned a bunch of things that I'll take straight into work next week. It'll shave half a day of my time away each week, if we can do what he talked about.
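To make the idea concrete, here is an added example; it is not Gilad's code, nor anything shown in his talk, and the log lines, IP ranges (TEST-NET addresses) and the tiny GeoIP table are all constructed. It does in code what the post describes doing by hand: it reduces each HTTP request to the features mentioned above (client network, GeoIP country, user agent, request path, method), groups requests whose feature sets overlap strongly using a simple greedy Jaccard-similarity clustering, and turns any cluster large enough to matter into a candidate "match all of these" WAF rule for a human to review before it goes anywhere near production.

```python
"""Cluster HTTP requests by shared features and emit candidate WAF rules.

Constructed example (not from the conference talk). Standard library only,
so it runs offline; the GeoIP lookup is a hand-made /24 -> country table
standing in for a real GeoIP database.
"""
import re
from ipaddress import ip_address, ip_network

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed stand-in for a GeoIP database (TEST-NET ranges, made-up codes).
GEO_TABLE = {
    ip_network("203.0.113.0/24"): "XX",
    ip_network("198.51.100.0/24"): "YY",
}

# Constructed sample log: one scanner campaign from 203.0.113.0/24 plus two
# ordinary browser requests from 198.51.100.0/24.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2018:09:15:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0 (compatible; scanner-bot/1.0)"
203.0.113.11 - - [10/Jan/2018:09:15:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0 (compatible; scanner-bot/1.0)"
203.0.113.12 - - [10/Jan/2018:09:15:03 +0000] "POST /xmlrpc.php HTTP/1.1" 403 512 "-" "Mozilla/5.0 (compatible; scanner-bot/1.0)"
198.51.100.7 - - [10/Jan/2018:09:16:10 +0000] "GET /index.html HTTP/1.1" 200 4200 "https://example.test/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/57.0"
198.51.100.8 - - [10/Jan/2018:09:16:11 +0000] "GET /about.html HTTP/1.1" 200 3100 "https://example.test/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/57.0"
203.0.113.13 - - [10/Jan/2018:09:17:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0 (compatible; scanner-bot/1.0)"
"""


def geo_lookup(ip: str) -> str:
    """Return the (constructed) country code for an address, or '??'."""
    addr = ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "??"


def parse_line(line: str):
    """Parse one combined-format log line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    req["path"] = req["uri"].split("?", 1)[0]          # drop the query string
    req["net"] = str(ip_network(req["ip"] + "/24", strict=False))
    req["geo"] = geo_lookup(req["ip"])
    return req


def features(req: dict) -> frozenset:
    """The request boiled down to the attributes a WAF rule can match on."""
    return frozenset({
        "net:" + req["net"], "geo:" + req["geo"], "ua:" + req["ua"],
        "path:" + req["path"], "method:" + req["method"],
    })


def jaccard(a: frozenset, b: frozenset) -> float:
    return len(a & b) / len(a | b)


def cluster_requests(requests, threshold: float = 0.4):
    """Greedy single-linkage clustering: a request joins the first cluster in
    which some member is at least `threshold` similar to it, else starts one."""
    clusters = []  # each cluster is a list of feature sets
    for req in requests:
        f = features(req)
        for cluster in clusters:
            if max(jaccard(f, member) for member in cluster) >= threshold:
                cluster.append(f)
                break
        else:
            clusters.append([f])
    return clusters


def candidate_rules(clusters, min_size: int = 3):
    """For each cluster of at least `min_size` requests, propose a rule that
    matches only the features every member shares (so it does not over-block
    on a path or method that varied within the campaign)."""
    rules = []
    for cluster in clusters:
        if len(cluster) < min_size:
            continue
        common = frozenset.intersection(*cluster)
        rules.append({"hits": len(cluster), "match_all": sorted(common)})
    return rules


def analyse(log_text: str, threshold: float = 0.4, min_size: int = 3):
    requests = [r for r in map(parse_line, log_text.splitlines()) if r]
    return candidate_rules(cluster_requests(requests, threshold), min_size)


if __name__ == "__main__":
    for rule in analyse(SAMPLE_LOG):
        print(f"{rule['hits']} requests -> block when all of: {rule['match_all']}")
```

On the sample log the scanner's four requests collapse into one cluster even though one of them hit a different path with a different method, and the proposed rule keys on the shared network, country and user agent rather than on any single URI. The two browser requests form a cluster of their own that is too small to produce a rule, which is the point of the `min_size` guard: candidate rules still need eyes on them, but the grouping removes most of the repetitive dissection the post describes.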
I know Ian reasonably well. I saw his talk at BSidesMCR last August, so I knew what to expect. He's a seasoned InfoSec standup, has plenty of energy and humour and he gets current issues well enough to deliver his views in a relevant and insightful way. His talk was entitled 'Stories From the Cybercrime Battlefield'.
Ian recounted a number of tales concerning 'hackers' that got caught, firms that got pwned and the general state of play out there in the World. He also made a few observations around the GDPR, which I found personally really interesting.
If you need a sensible overseer with a really exceptional view on all things InfoSec, then you could do far worse than invite Ian along to say his piece.
He also spilled a glass of water on the tech, but only the front row noticed. ;)
I missed a whole bunch of talks that I wanted to sit in on, but of course there's only one of us. The final talk I got to see was Phil Kimpton's.
Phil is ex-services. That immediately rang true with me, as I have a family full of ex-military types. Dad an ex-Navy officer, Mum a woman, cousins all Army and so on. I wanted to join the RAF, but failed down to having rubbish eyes.
Be that as it may, Phil's talk was all about leaving one life (or lives?) behind and getting on with a new one. It might seem simplistic, but actually if you've been in one job, or one relationship or whatever for a significant period of your life, then moving into something brand new can actually feel hellish. Like FC's testimony, this all rang true with me.
I've had a lot of jobs in my 40 odd years, had a number of relationships both personally and professionally and always found it really tough to put them behind me and move on when the time came.
I know for a fact that ex-military people find it hard to adjust to life post service, but they are just an example of people in general, when something they find as regular and reliable comes to an end. A day job, a significant other and so on. Sometimes they leave you and you have to cope, but you hold them dear and know nothing else.
Phil came across as a salutary example of a guy that recognises all of these things, but importantly found that there is life after the events (just like FC) and that where there's life, there's hope and opportunity. And a chance to flourish.
Conclusion
Andy and I came home after Phil's talk. My day was done and I got from the conference something I didn't expect.
BSidesMCR was (in my view) more about InfoSec, the things going on and what to do about them. BSidesLeeds was more about the people in the game, their anxieties and aspirations, their here and now and where they'd really like to be.
It was about us as humans. Our failings, our sense of worth and our desire to be better and do the right thing, putting bad or unnecessary things behind us.
I heard the term "Imposter Syndrome" for the first time at this conference, at the end of Phil's talk. I looked it up and had my say earlier today. There were no imposters at BSidesLeeds.
The day wouldn't have happened, had it not been for the exemplary organisation of Mark, his cast of millions, the speakers and the punters.
The whole point is that you take time out from your life to go to these shindigs and learn something, right?
I learned a lot, about others, myself and how to think and go about things differently in future.
BSidesLeeds, you rocked.