Tag Archives: conferences

n00bsec – but what is it to be a n00b in Infosec

So there was some minor drama at this year’s hacker summer camp (Defcon, BSidesLV, Blackhat).  It appears to have been around a possible con from the group @InfosecN00bs (#n00bsec).  You can read the full blog post on what went down here.

Essentially this started out as a group of “n00bs” trying to break into InfoSec.  If you dig around they are not the first group of this type but what is interesting is they tried to start a crowd funding campaign to pay for certain members to attend the big cons.  Well it was a big scam apparently, but we won’t go into that.  This whole thing got me thinking and it is one of those topics that grinds my gears!

What is it to be a n00b in InfoSec?  Well in truth, there really shouldn’t be too many.  Infosec is not an entry level career.  Many of us in the industry did not start here.  We stumbled, fell, or accidentally opened the wrong door.  But before all that we worked the help desks, built servers, created web sites, and told users to “turn it off and on again!”  We started our journey learning how to do all these things.  Some of us did them well enough to realize that these systems had flaws.  At that point we decided to switch those gears into a security focused career.  I still laugh at the fact that someone is paying me double to tell them the same things I told them years ago as a Sys Admin.

So what I am trying to get at is, that although we may have been new to the InfoSec industry, we were hardly inexperienced.  We had a good deal of base knowledge to work off of.  That is what is important when it comes to experience.  Now for those entering the scene today, there is a wealth of information available.  Many of the pros are willing to help new folks along, but they will not be there to hold your hand.  You will need to work a bit.  Do your own research, study the topics, and make your way out to the local community events.  You don’t need to head right to Defcon, but maybe try a local Security BSides event or a meetup activity.  This is not a career for those looking for a handout or in it just for the money.  It is for those who will throw up a learning lab at home or a virtual lab on AWS just to try things out.

And some final thoughts… You are ultimately on your own when it comes to building your skills.  But when you get stuck and Google has failed you, reach out and someone will point you in the right direction.  You can also reference my previous post to get a list of places to start.  If a pro offers you guidance, accept it and thank them, maybe buy them a beer if you see them at a Con.  But don’t get pissed if you try to pump them for more than they are willing to provide.  They don’t have lots of free time to devote to mentoring.  Rather, why not follow them on social media or subscribe to their podcast or blog?

Go out there and learn n00bs! 😀


AnyCon 2017 Review

I will preface this review by stating that putting on such events is by far not an easy task.  There is a ton of planning that goes into these.  On the day of the event not everything will go as planned and you will have to improvise.  Speakers will pull out, a sponsor may not deliver, or your CTF has a bunch of technical problems.  But you push through and rely on your team to help you through it.

On to the review…

This past weekend I was able to attend the first annual AnyCon security conference which took place at the Albany Capitol Center.  Overall, it was not a bad conference for a first time run.  It was the typical large conference setup with keynotes from Dave Kennedy (TrustedSec, Binary Defense, DerbyCon) and Sanjay Goel (University of Albany).  There were three tracks – Offensive, Defensive, and Educational.  For the full track listing you can hit the site up http://www.anycon.info/agenda/.  In between the talks you could head over to their onsite CTF, hardware hacking village, or play some ping pong.

The Content – As expected for a first run conference.

It was your typical set of conference talks.  Irongeek (Adrian Crenshaw) has them all posted up on his YouTube Channel.  I will let you be the judge of their quality.  Some of the talks certainly showed that the pool of submitted content was not very deep and no real due diligence was done to vet the speakers.  One speaker, in fact, claimed during his talk that he single-handedly brought down the Teslacrypt C2 servers and forced the attackers to cease their DDoS attacks on his employer’s network.  That prompted some investigation by conference attendees into the legitimacy of the speaker; there is a pretty entertaining thread on Twitter.  But these things happen and will continue to happen so long as proper vetting isn’t done.  As a first run conference, you can’t be too picky.  Speakers are not exactly knocking down your door to get accepted.  But that all comes with time.

It was pretty clear their target audience was not the seasoned professional, but that is ok.  In fact, you are hoping that those guys and gals will fill in your talk slots.  There were a good number of students attending which, I think, is great!  Hopefully they came away with more than I did from the conference and will continue to grow their skills and get out to some of the bigger conferences.

The Cost – No swag, no food, what did my 125 bucks get me?

When deciding to put on such an event, the topic of cost will be a big piece of the puzzle.  The goal should be to keep the cost low for the attendees.  Not many people are going to want to shell out a ton of cash for a first run conference.  Even with the cost of $125 for a non-student, I still registered to attend as I am an avid supporter of furthering the education of the community and Albany is not a far drive.  Unfortunately, I left the conference wondering what I actually paid for.  I didn’t get any real swag besides what was available at the vendor tables, no free conference t-shirt, the badge was a basic plastic card badge, and there was no breakfast or lunch provided on either day.  I’ve attended BSides events with a much lower cost to register ($20 or less) that included a t-shirt, breakfast, and lunch.  That is what your sponsors are for!  Your purpose for this first run conference should be to get people in the door so that they will come back next year.  As your conference grows you can bump the cost up as the demand to attend increases.  Now, thankfully, not everyone had to pay the higher cost.  Students were offered a $50 ticket, still pretty high in my opinion.  Hopefully they pay attention to their feedback survey and work to bring the costs down or at least offer more to justify it.

Other thoughts…

Time management certainly needs some improvement.  It did not appear that any of the talks had a time keeper.  This caused the more long-winded speakers to go well over their allotted time, which ate into the next speaker’s block.  Things like this can certainly throw off the whole schedule if your talks are tight.  But you will luck out during these first runs by the less experienced speakers ending early.  After the keynote on Friday, there was little direction from the conference organizers on logistics.  There was no mention of lunch possibilities or plans for later that evening.  We were kind of left to figure that out on our own.  You need to assume that there may be a fair amount of people coming in from outside the area.  You don’t need to have a big party, but you should look to the sponsors for possibly hosting a happy hour.  After the last talk, attendees just sort of went off on their own as they were not sure what else to do.  Again, if I was paying $20 for a BSides event, it probably wouldn’t be a big deal, but this was close to the same price as DerbyCon but with a fraction of the content.

Summary of suggestions for next year:

  • Better time management.
  • Better vetting of speakers – don’t pollute the minds of the young by subjecting them to charlatans!
  • Swag bag – give me something to take back with me other than your event program!
  • Food, at least cover breakfast for those driving in the morning of the event.
  • Keep in contact with the attendees throughout the event, not just at the beginning and the end.
  • Look at adding a lock picking village separate from the Hardware hacking village.
  • Make the CTF an internet based one so people can work on it from their hotel rooms.