Converge and BSides Detroit talks and slides

I had a great time at Converge and BSides Detroit.

This was my third attempt at going and I'm happy I finally got the opportunity to do so. The last two years I've had to cancel my plans due to life reasons. I did two talks this year. One at Converge and one at BSides. Both are linked below along with the slides for both talks.

How to kick start an application security program - Converge Detroit

I've given this talk at three other BSides prior to Converge. I feel like this is my best presentation of the talk so far. I will be giving it again at ShowMeCon in June.



The AppSec Starter Kit - BSides Detroit

This was my first time giving this talk. I thought it went well for its first attempt. It still needs polish. It will probably be a while before I give this talk again at a security conference. I made this talk to present at developer conferences. It hasn't been picked up, yet. I'm hopeful it will for some talks later this year.


HipChat's Security Win


I was disappointed not to find any of the HipChat coverage in my Feedly reader this morning from the infosec news sites. It hit plenty of mainstream sites like Engadget. I'm sure there is coverage on some infosec sites. It's just not as widespread as I see for other breaches. Why is this?

Well, it might have to do with HipChat having a good response to their incident. Most of the detail for the breach comes from their own blog. Over the weekend they detected a security incident affecting their servers. The incident was the result of a vulnerability in a popular third-party library. The attacker may have accessed user account information for everyone using the service. Because of that they invalidated everyone's password and asked them to set up a new one via the forgot password link.

They were reaching out to 0.05% of their users who were more seriously impacted by the breach. For those users messages and room content may have been accessed. For everyone else it was just (potentially) account information.

While this is an unfortunate incident to occur, this is a security win for HipChat.

They detected the incident and within days made an announcement. This led to a very small percent of users being impacted. They went ahead and invalidated everyone's password. I logged out and tried to get back in with my old password and it wouldn't work. I had to use forgot password. This meant that passwords didn't need to be changed immediately if people were still at work or hadn't heard of the breach yet. Unfortunately, I don't think they accounted for the demand on their forgot password page. The page was essentially denial-of-serviced, causing some frustration among users. I'm sure there will be plenty of lessons learned this week.

I wanted to write this post because I think we should highlight more security wins in our industry. The sites I use to keep up on infosec are focused on NSA backdoor detection, BrickerBot, among other nasty things. All still relevant and scary. However, we are seeing some positive things in security. HipChat is a good example of that and I applaud them.

BSides Knoxville - May 5, 2017

I love BSides events. It's the simplest idea that has a tremendous impact on information security. A lot of work goes into each BSides event and there are over 200 of them worldwide. I've been to two this year already in Huntsville and Indianapolis. It was my first time attending each of those conferences (one of the perks of moving to Nashville). I had an outstanding time at both. I was afforded the opportunity to speak and make some new connections with people in the industry. I will be attending Nashville next weekend and speaking at two more next month: Detroit and Knoxville.

What I love about BSides is that each one is unique. Huntsville is in Rocket City. It is one of the simplest and best-run conferences you can go to. The area is a lot like Augusta. Not much around, but a lot of really smart people. Indianapolis is similar in nature and quite possibly the most laid back. It's located at a culinary school and I ate pastries all day. Nashville feeds its attendees with catered (YES CATERED!) barbecue from Martin's BBQ. I'd put the lunch up against any conference anywhere. I will be heading to Detroit next month for that BSides, which coincides with Converge Detroit. I've bailed on the organizers two years in a row due to life changing events. Not this year, though! Flight and hotel are booked.

Knoxville is another new conference for me this year. It's already turning out to be quite the unique experience for me. I am speaking at the event, which is a bit of an outlier for me. I've submitted to three different conferences in Tennessee and BSides Knoxville is the only one that accepted my submission. It's fulfilling that dream and my dream to have a walk up song.

I'm a big baseball fan. My dream of coming out to a walk up song in professional baseball died a long time ago. In my adulthood, I've thought about what walk up song I would choose if I were given the opportunity. That day has arrived! Along with my presentation acceptance email were instructions on sending in my preferred walk up song. I only get 20 seconds, but that's all I need.

I started thinking about all my favorite songs. There were too many to make a choice from. I decided to take to Twitter to ask for suggestions. I got some really great responses. I also took the question to ColaSec, a security user group in Columbia, SC. My talk is on kick starting an application security program, so I took the question to the development team I work with. I got some really weird and interesting responses. I had about 20 potential songs, so I made a survey. From there I picked the top three and created a Twitter poll.

If you have Twitter, I'd love for you to vote and share. I like all three songs in the poll, so I will absolutely use the poll winner for my walk up song. If you're going to BSides Knoxville, I would highly recommend planning your schedule. It helps the organizers place talks in rooms and time slots. From talking to several organizers of security conferences, scheduling is one of the most frustrating things. This will make scheduling easier for the organizers of Knoxville. They're putting on an awesome conference at a ridiculously good price. It's the least you can do.

If Knoxville is in your plans May 5, 2017, hit me up on Twitter and let me know you're attending. Or walk up and say "Hi!" (I don't Twitter at conferences anymore). I'm really excited for the conference and hope to see you there.

Sitting here with a beer

I'm staring at it longingly. I'm wondering if I should crack the top.

I've already had two and just cracked the top for another one and decided to write a post. I just completed a 12 week weight loss challenge at work. I won because I lost 15 pounds. I did it by adjusting my diet. Mostly more protein. I wanted to do less beer. Unfortunately, it didn't work out that way. I'm still at 12-18 beers a week.

Since my last post I poured out more beer on two different occasions. I don't think that part is working as well as I hoped. My wife is starting to get a bit annoyed with me about wasting money like that. This is life though. We learn by failing. For me it's the urge to drink and I'm wondering if I need to feed that urge, but do it in moderation. I think I'm going to try to limit myself in the evenings. Instead of doing a whole six pack, stick to two or three. Enjoy the beer a little more. Mindful drinking, as I like to call it. Right now I'm drinking a Sam Adams Helles. It's pretty good and perfect for warmer weather.

Also since my last post, I spoke with a friend who read my post. It resonated with him because he felt that same urge I feel. It was a good conversation and I was glad that I could talk about it with someone. Alcohol is a big part of our society. It's glorified on TV and used as an excuse to cut loose. Again, I don't want to stop alcohol altogether. I just want to feel more under control.

Pouring out and substituting alcohol

Captain's Log...

I really don't know how to start these types of posts. They're not meant to be depressing. I also don't want them to be too happy. There are others who are struggling with much worse than me.

I didn't drink Friday, but I drank Saturday. I did it because why not. I woke up this morning regretting the decision. Not because I was hungover (only slightly) but because I went to bed late and I got up later. I really like the mornings I wake up from not having drunk the night before. Even a couple of beers has a different feeling.

I can't seem to capture that feeling when I want to drink. Instead I feel that I want to cut loose. Have a little fun on Saturday night. Adding alcohol to last night's activities didn't add anything. I watched a couple shows with the wife. Then watched an episode of Iron Fist (loving it by the way). Then I played some Overwatch. I knew I should stop at midnight. Instead I poured another beer and then another. It was only as I started to nod off during The Grand Tour that I decided to go to bed.

I poured the remaining beers down the sink this morning. I've used this tactic before when trying to quit smoking. After floating a few packs of cigarettes I finally stopped getting them. I'm hoping I'm close to doing the same thing with beer. This is the second time I've burned several containers of beer.

I'm also trying to reward myself a little. If I can get through a week without drinking, I will buy myself a graphic novel or comic book collection. I love reading and I love the Marvel universe. The only movies I go see now are usually Marvel movies. I used to read comic books, but at some point I stopped buying them. I'm hoping that at some point I'll prefer comic books to alcohol.