Monday, September 19, 2016

Profession vs. Passion

While driving back from @BSidesAugusta this weekend, an interesting conversation was sparked about the difference between a "CON" and a conference.  We're often asked "what is SkyDogCon and what makes it different?"  Though that question seems easy to answer, it really depends on the person who's asking as to whether or not they'll understand the answer!

So, some of you reading this know exactly what I'm getting at, while most of you are likely scratching your heads!  If you fall into the latter category, give this post by @thegrugq a read which may just add some context for you.  So, back to that "interesting conversation" I mentioned...

We came up with several ideas, definitions, and generalizations, though the one that seemed to get at the spirit of the difference the most (at least to me) was a contrast of "Profession vs. Passion" as it relates to attendees' motivation for coming. It's not a small distinction and not one we take lightly when planning each year's event.  The question you should start with is, "would I go even if work didn't pay or assist with the cost of going?"

Focus on the Profession

Let's make a quick clarification: there is nothing wrong with professional conferences. One of the most amazing things about Security BSides events is that they make quality security education accessible to professionals who otherwise may not have the opportunity to attend larger industry events.  That said, the demand for inexpensive "professional education" isn't really contributing to a more engaged and competent security workforce either!  It may feed the CPE monster, but sitting in lecture-style back-to-back talks for hours over a weekend isn't most people's idea of fun!

In the article referenced above by @thegrugq, he faults among other things cat memes, "infosec rockstars", and general business economics for limiting the quality of content available to smaller conferences. He's not all wrong! I have witnessed many a presentation where the speaker clearly spent more time finding memes and developing one-liners than developing their topic. Meanwhile, for every 8 presentations you attend, maybe 1 will resonate or improve you as a professional.

Focus on the Passion

If you're not getting it yet, maybe go watch the DEFCON Documentary and see if you catch on to the difference. Some may call it culture or community or passion, and they're all correct! The difference between a "CON" and a "conference" is the context, the purpose. For those who have gone to CONs like DEFCON or CarolinaCon or Outerz0ne and others for years, education was a byproduct fueled by passion for learning and participating in community. A CON is for the enthusiast, not just the professional!

I'd compare it, as @thegrugq does, to a "comic con" that many go to not because work pays them or provides for them to go. People go because it's fun! It's their passion, hobby, creative outlet, or any combination of reasons that motivate them to participate regardless of who's paying.

So what's the difference?

SkyDog made SkyDogCon to be "all the things he loves about a CON and none of the things he hates," or so he tells us.  So, it is true we often have amazing talks and presenters. Even still, one of the things we love most about SkyDogCon...the community! Hanging out with our friends we rarely get to see, often since DEFCON or the last SkyDogCon. Hearing a presentation on someone's passion project which may not get a slot at an industry conference but is of value and interest and has an audience (if for no other reason than one of our own is excited to share).   We value the opportunity to have an open dialogue (many times in the middle of a presentation) and share experience from both professional and personal perspectives.

Ultimately, the "CON" is a gathering of a community focused on an interest, not a profession, and is accessible to anyone interested in learning, participating, and contributing. It may not look or feel "professional" because it inherently isn't, and yet, I postulate, it is even more critical to the development of knowledge and education than any "conference" or professional organization.  The "CON" differentiates itself in cultivating passion above attendance, relationships over colleagues, and contribution over notoriety.  This is the hacker culture we seek to embody in SkyDogCon!

Originally published at - "The Con" vs "A Conference"

Monday, September 12, 2016

VIDEOS: Security Onion Conf. 2016


It was my pleasure to record the 3rd Annual Security Onion Conference in Augusta, GA!  This is the first time this conference has been recorded, and WOW, non-attendees would have missed out on some awesome content if it hadn't been!  Watch the full playlist below or click over to see an individual presentation, and be sure to stay tuned to @SecurityOnion and @DougBurks for future events and updates.


I also had the chance to assist @IronGeek with BSides Augusta video, which was much larger and had some excellent talks as well!  Go check them out at @BSidesAugusta and on IronGeek's website!

Thursday, December 31, 2015

2015 in CONs & Video


Wow...what a whirlwind this year has been!  Got to see so many friends and colleagues at conferences & events near and far.  Quick shout out to all the events that I attended, presented, staffed, or recorded...

Chattanooga ISSA Chapter      | FEB | X
BSides Iowa                   | APR | X
Southeast CCDC Red Team       | APR | X
Palmetto CCDC Red Team        | APR | X
Charlotte ISSA Annual Summit  | MAY | X
BSides Augusta                | SEP | X


In all, my favorite video from 2015 was recorded at SkyDogCon when Jayson Street gave a remote, pre-recorded Skype presentation which was recorded in a SINGLE TAKE WITHOUT POST EDITING (except for the intro titles)!  We didn't rehearse...nothing!  It just worked! Even though a couple of elements could have been better, it was completely on-the-fly & I had no idea how it would go, much less translate to video.  Check it out & tell me what you think.


Thanks for a great year & see you in 2016!

~Evan @pentestfail


Tuesday, November 10, 2015

Preparing for BSidesCHS 2015

Status Update

Sorry for the lack of content over the past few months, but between family, work, and crazy "CON season" the blog has fallen to the backlog.  That said, I've been busy doing video at conferences with Irongeek (BSidesLV & DerbyCon) as well as recording conferences & posting videos for SkyDogCon, BSides Iowa, BSidesATL, BSidesCLT, & this weekend BSidesCHS!

BSidesCHS 2015

So, because I'm a glutton for punishment, I'm doing what I've sworn I would NEVER do again at a conference...speak and record 2 tracks of video simultaneously!

If you're in Charleston, SC, this weekend (14 NOV 2015) and want to see my last shreds of sanity vanish before your eyes, then come on down to BSidesCHS!

Going Nuclear: Exploiting Mass Emergency Notification Systems

You’ve received emergency notifications; had a storm warning interrupt the season finale; had your phone go berserk with an “amber alert” which annoyed you yet somehow gave you a warm fuzzy feeling that the government is looking out for you.  You’ve driven under an interstate notification sign and cursed “traffic delays due to construction” when you’re already running late. But how did those messages get there, and who REALLY sent them?  It's easy to laugh off one warning of “ZOMBIES AHEAD,” but what if the message also came over your phone and radio simultaneously?

With a footprint the size of nations, emergency notification systems stand ready for everything from the worst disasters to the most localized emergencies, dangers, weather, and more.  These “systems of systems” are held together by embedded devices, fragile protocols, and terrible implementations in an IoT nightmare so unreliable it fails as often as it succeeds.  But why does it persist?  Let's explore the government-mandated backdoors into commercial & public communications networks ripe for exploitation!

This talk will demonstrate how messages are initiated & distributed, as well as how an attacker could inject, modify, disrupt, or even take over major parts of the larger system with the click of a button!  We’ll explore the devices, their vulnerabilities, and the future of these systems in the US under the Integrated Public Warning & Alert System (IPAWS) as well as in other countries.  While walking the tightrope of legality, it will give you the background and tools along with multiple live demonstrations, and invite you to participate in a “BSides Emergency Notification System”.  Even if you don't hack these systems (and I'm not saying you should), I'm sure you'll find the discussion eye-opening and engaging in an area where RF hacking, IoT/SCADA, and critical infrastructure collide to create one hell of a mess!

Monday, November 2, 2015

SkyDogCon 2015 Videos Posted!

Sorry it took so long guys, but the "CON Crud" kinda put a kink in getting these done this week.  That said...we're polishing up a couple of them that had issues, but as of right now only 1 of the 18 recorded talks is pending (a few were not recorded at speaker request).  I'll update the playlist as they're ready, but pay attention to Twitter for the individual talk links.

We had an awesome year of talks and hope you enjoy catching up on ones you missed, revisiting the material, or tuning in if you weren't able to make it out to the CON.

Thursday, March 5, 2015

The Reporting Killchain


In 2013 at ISSA International in Nashville, TN, I gave a talk on using "big data" tools for security compliance and continuous monitoring over traditional security toolsets.  The talk pulled directly from a project I had been working on for a large US government agency that ultimately failed regardless of the agreed value it provided to the organization (I actually got an award from that agency for the work!).  The outputs and experience from that provided me some insights that ultimately have taken me the past couple of years to reconcile and mature into the "Reporting Killchain".

Obviously, the name is intended to be a "tongue in cheek" reference to the "Cyber Killchain" we often hear referenced in so many articles, blogs, and presentations.  By all means, I think it is one of many valid concepts to reference for developing a comprehensive security strategy.  But the reality is that so many organizations claiming they're "attacking the cyber killchain" is more than just laughable...it's downright sad!

My Experience...

In the project I mentioned above for that agency, we were tasked with implementing a continuous monitoring tool for FISMA and other security requirements.  A ton of tools were analyzed, and ultimately none of them were purchased.  The money was reallocated to something else and we were left holding the responsibility to make something work.  We ended up turning to an existing project to leverage a "big data" tool (vendor is unimportant) which already had much of the data we might need being aggregated into it and which had zero cost for us to use.  Why didn't we use that in the first place...well...we'll get more into that in a coming blog post.

Before we transition though, the reality was that the "big data" tool "off the shelf" would not meet the requirements to provide the level of monitoring and reporting we were required to provide.  Though that tool had a "FISMA" app/plugin we could use, it only covered approximately 20 of the several hundred controls we were ultimately required to monitor!  And that was only IF you sent the right sources into it.  We knew we had a lot of work to do!

"The Reporting Killchain"

The concept finds its roots in organizational behavior and by all accounts is very much a "thank you, captain obvious" for many of you.  Still, this concept is meant to bridge the gap between security practitioners and "the organization" as well as to hopefully be a point of reflection for those finding themselves unsuccessful or outright jaded in their efforts to improve their organization's security posture.  What I've tried to do is boil down some key points in the "reporting process" where needs, ideas, goals, etc. get shot down, bogged down, and fail to move forward.

These breaking points have been described to me time and time again by countless other colleagues and professionals and are present in, if not directly responsible for, every single breach or security incident that I've ever seen!  I don't say that to be dramatic.  Almost every major breach I've read about had some point in its reporting killchain where the outcome could have been drastically different had the message passed through the chain transparently.

Over the next few blog posts, I'll drill down into each of the points of this "Reporting Killchain" in what I hope will be an engaging discussion on how we as security practitioners can break it for the sake of our sanity!

"The Reporting Killchain: It's Killing Your Security"

Presented at Chattanooga ISSA, 3 March 2015


Think your organization is ready to attack the “Cyber Killchain”? Yeah right! You haven’t even tackled your Reporting Killchain!  What is that? It’s the process your organization takes to get information from the bottom to the top of your organization and back.  Chances are it's like playing the old telephone game but even more pathetic and less direct!  Don’t be naïve enough to think you can begin to make your organization more secure until you put the information before the politics, bureaucracy, and mind-numbing process.

Don’t worry, this isn’t a talk about organizational behavior, structure, or business best practice.  Never mind that in doing so you’ll simultaneously improve organizational communication, morale, and security visibility. This is a discussion on methods you can use to hack your organization's reporting chain and put the power of the information before the process.  Let's look at how to use existing reporting tools to crunch more than just machine data.  Let's use them to further cultivate human-generated data to create real organizational security intelligence! We’ll show you how to use existing reporting tools to do non-destructive analysis to create true multi-level reporting that can’t get shot down, watered down, or otherwise manipulated before it gets to the CEO! Let's attack the Reporting Killchain that’s keeping your organization from being more secure!