Friday, 3 October 2014

Free, it's just costing too much!

One day I’ll write a blog post that isn't me moaning about something in the security industry. Unfortunately, today isn't that day. I do warn you that this is a long read; frankly, I just didn't have time to write something shorter.
So, you work a ridiculous amount of time, researching some obscure angle in some software application, looking for a vector to exploit a system, only to find out that in the end, you're the exploited one.
We've built a system in the security industry that allows people to supply 'bodies of works' to organisations and/or businesses, who then sell that 'work' onto their customers. These 'bodies of works' suppliers are not remunerated (normally). The organisations or businesses aren't really getting rich out of it either, so it must be the paying customers absorbing all the gains. Well, no, they’re not really getting anything out of this 'trade' either. I bet you're a little confused by all of that, aren’t you? Well, if we just say 'security conferences' are the 'organisations/businesses', the 'suppliers' are 'speakers', and the 'attendees' are the 'customers' then we've very roughly just described the security conference world.

Hang on, I’ve missed a party out, sponsors. Well, to be honest, I'm not too sure what their role is in the security conferences' universe. In the case of free conferences like BSides*, their role is clear. Sponsors are gods that give venues, t-shirts, venues, beers, venues, printing, venues, Club-Mate, support, and of course venues in that context. So, what do they give in a commercial conference? Do they give the same? I guess up until tickets are sold, they play exactly the same role in a commercial conference as they do in a free one, namely finance. However, if a conference can be put on without cost to the attendees, why do we even have paid conferences? The ticket money goes to what exactly? I can assure you it doesn't go to paying the speakers for their time and efforts. Are the sponsors subsidising the attendees' tickets? The more I think about it, the more it gets confusing. As the philosopher Christopher Wallace once said, 'mo money, mo problems' – and taking money from sponsors and attendees seems to 'null and void' a lot of conference organisers' views on reality; that they sell other people's research, which they don't own! Recently, I heard a report about a conference organiser laughing at not paying people for their talks, I don't know who, I asked and I was told the person didn't want to name them. I can only agree to respect that, but it's heartbreaking that some people are painfully aware of their abusive behaviour.

Few conferences pay their speakers. In my years of speaking I have never been physically paid by a security conference for my talks (I've excluded training from this, but I can assure you training at a conference is about the only way you're getting paid at one). I've recently begun to question what it is I’m doing speaking at conferences. For a short time I feel great, nothing quite beats that bit really, but it's not easy. I don't travel well, I enjoy being home, and changes in my environment can affect me greatly. I've made great friends, and I know I’ve helped some people do complicated jobs and make sense of what it is they're doing. In some cases I’ve made testing detection systems effective. Yet not once has a security conference paid me for my time, and the only time I was supposed to be paid for my work at a conference they decided to ignore all the emails and not pay. I've had conferences be very late with paying back expenses, I’ve had a conference argue over a €10 taxi fare, the list goes on. That aside, the fact of the matter is, I’ve never earned any money from those talks. Is my work of no value? Or, in the end, is it me who doesn't value my work?

We all have experiences with people outside of the security conference universe who do professional conferences, except they tend to be a little different. They tend to get paid for their work. People look at you bizarrely when they find out you do this for free; I can imagine it's only matched by the face of a security researcher learning people get paid to talk about crowd funding or something. Those who don't get paid probably work in an industry that's about sharing and caring. If security is about that, then security vendors don't exist and we all charge the minimum wage for testing, right?

The elephant in the room is that countless other industries can hold conferences and manage to pay speakers for their time, yet for some reason the security industry seems to be incapable of managing to work out how to do it. Look, I know putting on a conference is expensive; that's why conference tickets are expensive, except in our industry. The security industry tries to move the costs of it from the attendees on to the speakers. If this stays the same, then you need to accept that conferences won't get better, they'll degrade. There is no value in showing you the latest and greatest iPhone hack in exchange for an economy class ticket to Uber1337CON, when the value to the market is far greater. Bug Bounties, love them or hate them, kind of highlight a point; that most people could earn from their research, they'd happily give for a living wage. Of course, knowing our industry I've just introduced the minimum wage for sec con speakers.

Now I know conferences in security are fun, it's where we all go to party and apparently learn new shit, but seriously, let's just go and holiday together instead. Also, it's bizarre how the market of security conferences has developed; we've managed to get to a point where organisers of conferences make demands of people supplying work to them at no cost. Such as: 'you haven't given away this research to someone else before me, have you?' or 'will you be supplying code that you are liable for, for free? If so, have you given that code away for free before giving it to me?' My new personal favourite is 'You must use our slide-deck, and try not to be too sales-oriented!' Seriously, you've got this backwards; if I’m doing you a favour, and giving you my work for free, isn't it me who should be making some conditions on my agreeing to support you and your dream of holding a security conference in your home city?

Don't tell me, it's great exposure, right? That awesome line that is as fictitious as it is condescending. NO, it's not, it's great exposure for you! Speakers are the suppliers of the talks you sell for money. Also, when a talk sucks, it's the 'speaker' that sucked. In security we love to use the 'rock-star' tag, and for once I’m going to use it for good. So, let's play with an example a little. It's a bit like your local bar (let's call it 'The Four Corners Bar'), asking Jay-Z to come rap for them, for free, because the exposure he'll get from doing it is great for him. However 'The Four Corners Bar' must demand, as they're paying for an economy flight and accommodation, that it be stuff Jay-Z hasn't played before. He's lucky, too, because we know some conference organisers would gladly ask him to pay his own expenses if they could. The day that works out for 'The Four Corners Bar' is the day I’ll have 99 problems, and a CFP ain't one!

Here's another brilliantly framed issue: the attitude that speakers are getting paid because they're getting flights and accommodation. Firstly, the conference's organisers are flying the supplier of the goods they have sold to the location of their customers. It's one of the key ingredients of a conference: talks, supplied by people, that are there. How about I supply you the talk, but you give me the money for the flights, and I stay home. I'm sure a conference full of Skype chats would sell a lot of tickets, and the 'Sponsor gods' will be writing cheques in quick fashion. Secondly, it's no holiday either. You get to see airports and maybe get an evening out. My experience is that I’m shipped in from the night before the conference and my accommodation stops on the last day of the conference. So, for a 3 day conference, 3 nights accommodation – regardless of the time zone to adjust to. Trust me, though, there are conferences that consider that too many nights. Some would like to get you there for the day, give you a pass and if you could please leave once you've given your work, for free, so much the better. Don't tell me the payment for my research is the cost of my conference ticket. You have to be especially dense to consider that even a legitimate argument.

Now that I’ve managed to alienate commercial conferences, sponsors, attendees and 'The Four Corners Bar', I’ll draw my attention to free security conferences. Well, let's be honest, there is nothing I can really say that's bad about them. BSides as a whole does a great job. They work hard, and they deserve nothing but love and respect. In this 'trade' it's the conference organisers that are getting exploited the hardest, and they should know that at the very least I am, and always will be, in their debt for the work they do without recognition. The same goes for the 'almost' free conferences too. These people put on conferences at a very cheap price, that in the end are crowd funded. You guys rock too, and I’ll always have a space in my heart for you.

In a nutshell, no more free talks!

Yeah, I said it, you read it, now we'll start with the objections. When I say no more free talks, I don't mean no more talks at free conferences. What I mean is, if you charge people to see talks that I have worked on, and I’m not getting paid for it, then I’m not going to do it any more. Which probably means you're not going to see me talk at any more conferences, but this isn't actually about the money, it's about the motives. It has to stop! We can't keep on giving and not receiving, and be made to feel we should be grateful that your conference is giving us some fictitious 'chance'. A lot of people bitch about the quality of conferences but no one suggests ways in which it can be changed, apart from more stress being applied to the suppliers of the content being sold. We have too many conferences because in the end we have too many people willing to supply research for little or no return, bar travel. Today's rant was greatly inspired by OWASP's AppSec EU call for papers, but it's in no way just about them. Now, let's be honest: why should we blame OWASP for exploiting speakers when the vast majority of other commercial conferences have gladly been doing it for years? It is my opinion that in the case of this particular conference, it isn't about research, or making better security practitioners, it's about money. They'll charge an excessive amount to the attendees for the tickets, they don't even cover the speaker's expenses, and they'll be getting sponsorship money in addition to it. I mean, what on Earth are they actually paying for? Sponsors are subsidising, attendees are subsidising, and speakers are subsidising this conference. If I were a customer of theirs, I’d strongly consider shopping somewhere else. I've ranted on Twitter about this, but I’m going to try and shore up my issues. Firstly, if they weren't charging, I’d really have no gripe per se. But they will, and as far as I know it was expensive last year, so I can't see it being less this year. 
What value do you get when it's only companies that send their employees because they're sponsors, or it's researchers that are needing recognition so badly they need to pay to get it (I’ll make no further comment on this statement, especially seeing as the conference is being held in Amsterdam). I mean, which hard-working, undervalued, broke-ass security researcher in their right mind is going to give them their work and pay for the hotel and flights on top? The answer is, probably quite a few. Especially if work is paying, amirite! Well, here's the second 'FU' from that CFP: they want you to use their slide-deck (frankly not going to happen from me, ever; your slide-deck, your presentation, and good luck) and limit the speaker to displaying two company logos per presentation. I accept that no one wants to pay lots of money to listen to a sales pitch, but what do they expect to happen here? If you can only justify your conference as being 'great exposure' – which is code for CUSTOMERS in business – you can't be that surprised if it's getting customer focused. Here's some guesses for you – I could be wrong, but – they have had issues in the past with their attendees not impressed with the talks that have been sales pitches, and instead of an invitation that promotes researchers to submit, they've made a rule. This is a security organisation establishing a policy on talks they're not paying for, but charging people for. Think about it this way, from their perspective: 'We sold your work for money, which we obtained for free, under the guise that it'll be great for the speaker's business, and we're as shocked as you that you got an hour long advertisement about how great the speaker's business is. If you do buy from them though, can you let us know because we think we're due at least some commission from that'.

This raises an interesting issue, though, because when it boils down to it, businesses have been supporting conferences for a very long time (yet not considered sponsors). I mean, the speaker, who isn't getting paid by the attendees, or the conference organiser, needs to be paid by someone, who tends to be an employer. That employer tends to lose an employee for a couple of days, and those precious things called 'billable hours' are lost. The justification that is used is 'acquisition' or 'PR'. Yet people take umbrage when talks are for the purpose of acquiring new customers. Who do they think is 'supporting' that talk they're watching? I mean, if they're not paying for the person's time, someone is.

I'm sorry to say this, but in the end, attendees of conferences are going to have to start paying more for conferences if you want excellence. If you want to have better conferences with better content, then people's time and effort needs to be remunerated. It's simple market dynamics. If you pay €300 for a two-day conference, you're paying around €9 a talk (let's just say two-track conference, 16 talks a day. I know you can't be in two places at once, but still you get the point). Now, yes, if that's multiplied by 100 people that's €900, but because 100 people buy a burger at a fast food place, it doesn't make the quality any better. It takes time and effort to make good talks, it takes practice, and more importantly, it takes research to make security talks. Yet none of that is being paid for – the venue and some flights are. If you want to have great talks that focus on areas the attendees value, then you need to actually pay for that. Otherwise, it's the research that is submitted that isn't going to lose revenue, and that some panel thinks you want to see.

Let's also raise the 'junk hacking' dynamic here too – in reality it was always going to come down to this. If the conditions are 'you supply to us, for free, works of new origin,' then this limits the supply of research. Firstly, if you believe a talk should have never been given for it to have value, then I guess you own no movies or music, because it has been done and been heard, it's old. Secondly, we still do the old things wrong. It's not like we're in a situation where we're looking for new problems as we've run out of the old ones. Of course we are in the situation where we like to re-introduce old problems. Different blog post though. So, we require originality, we require it at no cost to conference organiser or conference attendee, then we're surprised that someone talks on hacking “Internet-connected bed-warmers” (to be fair, Dave said this in reference to Blackhat, who I do believe actually pay). If the research paid, and the researcher or their employer invested time and resources, why would they give it to CouldNotCarelessCON for nothing? You see, there is no argument here, apart from, I want my peers to think I’m awesome. Look, let me save the environment a little, cut down your carbon footprint, do a little psychotherapy, I think you're awesome! I also think you're intelligent, witty, a ninja with slides, and code so well that if Linus read your code he'd ask for your advice on coding and presenting.

I guess it boils down to why you conference – doesn't matter which part of the triangle you are. Do you conference to see friends and party? If so, does it matter if internet connected bed warmers got hacked? You went to party and a security conference broke out. There is nothing wrong with that, and I’m not judging; I’ve done conferences because of friends plenty of times. Are you there to be educated and learn? Then hacking bed warmers is probably not your thing! If you're there to network with other industry people, you're probably a recruiter or haven't discovered Twitter :P (hang on, how did you find this blog post, then?) Joking aside, the same thing applies here too. You see, in the end, everyone has different wants and needs from a conference. For me, I wanted to meet new people and feel that my research would make a difference. 1 out of 2 isn't bad, right?

So, this is how I see it; if you're not paying speakers to speak for you, then no demands are ever acceptable. Seriously, I mean it. I'll try and be good, you try and be good, that's the only deal we have that I’ll honour. If you only cover expenses then I expect not to be out of pocket for speaking to your paying customers, everything covered from leaving the front door to coming back home. That's not unfair, IMHO, that if I catch a train to the airport you pick up the cost of that, or if I have a 3 hour layover in some godforsaken airport, because you won't pay for decent flights because 'budget', then I think it's fair you buy me a sandwich and a coke.

If you are paying me for my talk (or others), then you can make some demands as a 'customer' has the rights to do. If what I’m supplying isn't what you're after, then purchase from another supplier.

If you are a free conference, or 'almost' free, then please carry on and let me know what I can do to help and support you. You guys are the lifeblood of what we do and whatever I can do, just let me know. Please accept however that sometimes I’m not in a position to help but if I can I will.

To the speakers, I guess we do it ourselves! WE are the ones who allowed this to happen because WE couldn't say NO. We submit to conferences because we want to be heard, yet we value what we say very little, to the point we are just happy someone wanted to hear us speak (they don't, really; you'll very rarely see a con organiser in your talk). The fact is that for us to get better research and for us all to learn, we need to support people doing that. It shouldn't be the exception to the rule that we pay for what we consume. If you are a speaker, then do the conferences that you're bought into, that mean something to you, and value yourself enough not to submit or accept a conference that laughs at you for not getting paid.

I'm also looking forward to the point getting raised that people can't afford to pay more for conference tickets, and you are absolutely right. Your company should be paying more, and then claim that back against taxes like the rest of the business world does. Don't tell me – your employer doesn't have a conference or training budget, it comes out of your own pocket, so I guess that means that things should stay the same. I'm sorry to say it, but this is an issue between you and your employer. If they take advantage of you and your passions without remuneration, then this whole blog post you should empathise with, because that same situation is happening every day of the week all over the planet in the guise of the security conference universe.

If you're a conference and you can't afford to pay your speakers, then consider if there is a business argument for your conference to even exist. Is it worth the stress each year to scrape by so your hometown can be an 'X' marked off some 'Info Sec Rockstar's™' atlas? Can you do better with local user groups and help home grown talent flourish? Think local, not global. When you fly speakers in, remember that you may very well have excellent talent in your own back yard. Support that, and help them. Are you a conference that is paying more for a venue than the people helping you facilitate it? Are security conferences just a support arm to the hotel and tourism industry now? You know it takes more than speakers to make conferences happen – there are volunteers there, too. Most of the time they're forgotten, overshadowed and over-stressed; they get even less than a speaker gets.

If you're a conference that spends thousands of Euros on your after party, just remember that you could have used that money to support research and help further promote education and knowledge. Some of your conferences have pathetic student discounts, yet drop stupid money on alcohol and other 'party' related costs. You need to consider: are you a conference or a party? The next time your attendees are hammering that 'free bar' and bitching about the quality of the talks, try remembering what you paid for didn't pay for them, right!

If you're a conference and your customers are expecting certain things such as original works, then you should help 'educate' them that there is a cost to that. Passing on the bullshit sandwich to people trying to promote security work doesn't help anyone. Also, where did they get that notion from, that you pay 300 bucks and get awesome research? That'll be you and your bullshit attempts at marketing.

Thursday, 21 August 2014

Hacking and McCarthyism

'You keep one eye on the past and you're blind in one eye, keep both eyes on the future, and you're blind in both'. It's not irony that I use an old Russian saying as the opening line to this blog post. I'm not going to lie, this has been one of the hardest blogs to start that I've ever known. I guess it's mostly because I worry this blog post is a mix of sensationalism, and a misguided premise. Then I remember that I'm me, and of course it is! There is however, some honest concern pushing me to write this. Brace yourself though, this isn't the usual type of blog post from me I fear, the usual light-hearted style masking itself as a serious post is lost. Well, the first part of that statement is true anyway.

There is nothing new about security researchers using past events as a reference point to make comments about their observations on current events. I for one have been guilty of that crime in the past, and you can bet your 'blog-post-reading-ass' I'm going to be guilty of it again. I guess the real question is, “why on earth do I think that 'hacking' is the new McCarthyism?”. Well, I don't think hacking is anything other than love of natural methodological discovery, but what is clear is that the governments of the world don't agree with me. Sure, hacking can be used for wrongdoing, just as chemistry teachers can use their knowledge to cook meth (yeah, science bitches!). I, however, do think hacking is being used as a go to 'crime' that people can be accused of when governments need to silence or hinder people they find to be of annoyance. Within the definition of McCarthyism, you'll find reference to its use of the process of accusation as a means to inflict punishment on the accused. Although Kevin Mitnick pleaded guilty to the crimes he was accused of, you can only see the judicial process was used to punish prior to his guilt being established. Although you have to question if a man can launch nuclear missiles by whistling, surely he can open locks by winking! The same can be said of Chelsea Manning (save your rants about traitors for someone else that will listen to you, I say that to save your energy), who also bore extreme treatment in the guise of judicial process. So much so that in Manning's case Amnesty International raised concerns calling her treatment 'inhumane'. My understanding is that the treatment she is given now is in no way comparable to that of what she received as the accused. I guess that means when you're guilty you automatically become less of a security risk.

The initial crux of this McCarthyism argument was inspired by the news of a 30 year-old Russian gentleman (Roman Seleznev) being renditioned by the United States of America's Secret Service from Malé in the Maldives, for the record a non-US airport, to Guam which is a US territory, for 'computer crimes'. From there he was then transferred to Seattle to stand trial. His father, Valery Seleznev, a lawmaker within the Russian government, was informed that the US government is accusing his son of being one of the biggest traffickers of stolen financial information in the world. In all fairness, this could be a completely legitimate accusation to make; what I question here though is the complete disregard for due legal process. Kidnapping people in general is one of those things likely to be frowned upon. However, this led to a train of thought for me: of all the crimes you could be accused of, hacking has to be one of the hardest to defend and certainly one of the easiest to frame someone for committing. The crimes are complex, the juries and judges are non-experts, and the prosecution and defence are in most cases, at best, taking technical direction from individuals closely aligned with the case at hand. The reality of it is, speak to your average lay-person about a hacker and the description tends to be of someone spending vast quantities of time online and living in a basement. To be fair though, you've pretty much described gamers, indie web developers, developers at large, and in fact come to think of it, nearly every Twitter and Facebook user in the world. The reality of this is it's particularly easy to accuse someone of a crime, make it sound super uber hacker l33t, zomgwtfbbq. Case in point is someone stealing and then releasing AOL's customer data, or as the rest of us like to call it; 'using Google'. Aaron Swartz's basic crime was checking too many books out of a library, a crime he ultimately paid for with his life.
Hammond, who to be fair I've been very unsympathetic to, was entrapped by an individual under the direct control of the Federal Bureau of Investigation. He got 10 years in jail for this! Long story short, accusing someone of being a hacker is probably more dangerous than accusing someone of being a drug dealer.

Let's jump the ocean to the UK, God bless the Queen, and Betty Windsor. Now, I'm a loyal subject, but WTF love! Seriously upping the ante on hacking laws when your government, that operates in your name, are the biggest computer criminals on your glorious island is beyond me. I mean let's put this into context. Gary Glitter fucked children, yet if he hacked and defaced the Metropolitan Police Service's website whilst doing that, he'd get life in prison! Not for paedophilia as you may think, but for the defacement of a police website. Seriously you have to ask what the motivation is here. The fact of the matter is, you accuse an individual of a crime that is damn near impossible to argue against, and you by virtue of a judicial process either get to keep them offline and/or under house arrest, or better yet in a maximum security prison.

Let's take hacktivists, or alleged hacktivists, and add intent. Intent to murder is pretty easy to prove or disprove, you either made physical plans to kill someone, or you vented in a bar with some dude. It's not a crime until you hand over the cash to your assassin for hire, or undercover agent Billy 'read-him-his-rights' McGee. However, computing crimes are very different, especially intent. Downloading a tool used by hackers to attack systems, reading hacker forums, and owning known hacktivist memorabilia. Or, from a different angle, downloading Nmap, visiting Linux Journal, and owning a Guy Fawkes mask. One of those two sentences sounds very much like the ingredients for incarceration, the other sounds like an average day for someone doing computer networking.

I, like many others from the UK, have left my home island, to live in Germany. It seems every time I visit Berlin I meet more and more Brits and Americans living there. Some of these people (believe it or not) haven't moved to Germany's capital for sausage and beer. What is interesting is in some of these cases, some of the Americans (and Brits) are technically in exile (I'll hazard a guess that a number of European cities have exiled individuals). Which is simply crazy; to be in a situation where you can no longer go back to your own country of birth. I bet you're wondering what horrid crimes they have committed, have they robbed, have they assaulted, were they a leader of a middle eastern country, have they killed? No, they've gained access to information, they've seen data, a crime punishable by decades in prison. Let's not forget we have the pseudo-exile issues, where people haven't technically committed any crime yet, but on their return to their own countries they know they will be detained and forced to answer questions, which if they refuse to answer could lead to prosecution. It's worth remembering even during the McCarthy questioning, taking the 5th Amendment didn't offer any protection from the after effects for those people, who ultimately got blacklisted. You have to question the damage that can happen to an individual that may have been cautioned and interviewed about a potential computer crime and how that will affect their long term future. With third-party suppliers consuming a massive amount of any governmental security budget, if an individual fails to get their security clearance then their future options may very well be limited. Not just with the Government contractor, but X goes and works for Y Security Company and they leave pretty shortly after they start, they interview somewhere else that might not require security clearance, that interviewer calls a friend they have within Y Security Company; 'Why didn't X last long?'.
'Between you and me, something popped up in their security check!'. Yeah, might have just been an interview because they happened to be in the same IRC channel as some Anonymous or LulzSec hacker, but that's not how it's going to look.

The truth of it, as far as I can see is, the government keeps on ramping up the pressure on hacking, hacktivists, computer security, but at large it's information control. Some people have information they don't want everyone else to have. You're left thinking about the old adage about 'information is power', yet I fear it is more a case of; whoever moves the legislator, rules the information.

So, with that being said I bring you to the end of this blog post. No doubt if you have nothing to hide, you have nothing to fear. As security researchers and practitioners just remember if we ever get arrested we can explain to the juries and judges; yes, I'm a hacker but I'm one of the good ones!

Wednesday, 21 May 2014

Stick by Your Guns – or Die by Your Marketing!

'No more drama'; I clearly remember me saying this at the end of BsidesLondon.  I also remember saying that if 'you disagree with someone, then that's fine too'.  No more name calling though.  So, I get to live by my rants and stand by them. 

Let's get this out of the way; I disagree with F-Secure and Mikko Hypponen.

Now, just so we are all very clear, I actually have a lot of respect for Mikko, as do many in our industry.  However, what has played out IMHO over the last few months has been at best confusing, and at worst incredibly contradictory.  A short time-line of events that have led the way to this personal opinion of both Mikko and F-Secure are as follows: -


Let me connect the dots here. Mikko and F-Secure took a stand about the allegations that RSA took money to purposely back-door some of their security products. Mikko, who as most of you will know was a regular speaker at the RSA conferences, took objection to what he and F-Secure thought was unacceptable and cancelled his talk(s) with them. This engaged the 'cyber-media-firetrucks' and the circus came to town. As that stood, I personally thought he had the right to do this and ask questions. Let's say a win for Mikko and F-Secure here. Now, you know what would be a good idea here? Another bloody conference in San Francisco at the same time as RSA, because, you know, we have the flights and shit, we should totally go and hold some type of awesome conference in protest! Errrr, guys, you know BSidesSF is an awesome conference that is about people connecting and contributing?!? That seemed to be a moot point, as another conference started its cyber-engines, in my personal opinion!

Fast forward to about two weeks ago; Mikko, F-Secure, and David Hasselhoff come to Berlin to talk about how the Hoff is a privacy campaigner and has been for twenty years (I know, it surprised me too, but a man's gotta eat I guess) and they want to produce a 'Digital Freedom Manifesto', followed by a wee sing-song about 'Looking for Freedom'. The only thing I'm looking for is why on earth you need a gimmick for a subject matter so large? Still, I guess we can call it a win here for Mikko and F-Secure, although personally the cyber-media circus around the initiative is beyond me. Hey, you know they don't build statues to critics, so I'll wind my neck in on this!

To recap: RSA bad for working with the NSA, Digital Freedom needed, and you know what else we need? Malware scanning on Facebook! Well yeah, I guess, I mean, malware is bad voodoo and a lot should be done to fix it, but I thought you, Mikko and F-Secure, didn't like it when they worked with NSA partners! You know, Digital Freedom, and what not?

F-Secure announced today that they will be partnering up with Facebook to help its users scan for malware and give them a scanner if they detect anything that could be malicious. There is thus a real chance that mom and pop will actually have some protection from those evil malware authors (no, I don't mean the intelligence services around the world, I mean the bad dudes!). I guess this is a win for Mikko and F-Secure also. I might add, not bad business getting your brand out to that many Facebook users.

In total, that adds up to three wins in the column for F-Secure and Mikko. You see, this is where it gets difficult for me; it just doesn't really add up. The journey from RSA being the bad guys, and all the attention that came from that, to launching a digital freedom manifesto, wrapped up nicely by working with Facebook. I just can't get my head around RSA==BAD, FB==GOOD. They've both taken flak from the Snowden leaks, they've both been accused of assisting the NSA to spy on foreigners (that's non-Americans like Mikko and myself, if you're wondering). There are some differences though between the two organisations.

RSA and Facebook, both big names? No, not really. RSA is big in the industry, but Facebook is a big name to EVERYONE. Even those that know RSA know Facebook.

Both RSA and Facebook have used customer data to make money? Grey area here. Facebook is definitely not known for loving the gods of privacy and, in fact, their business model sort of precludes them from it. RSA, on the other hand, sell actual products for securing people (although this is the area of issue; back-dooring security products is just out and out wrong), though I suppose selling back-door access could be argued as supplying customer data.

Both RSA and Facebook have had relationships with the NSA. Now here comes Mikko's response to this when I tweeted him about it:

'I have no proof of FB volunteering their data to any intelligence agencies. Do you?'

To which I responded:
'So, did you use the Snowden leaks as proof for the payment to RSA?'

Technically speaking, I'm wrong; Mikko didn't use the Snowden leaks as proof, he used Reuters, which referenced a Snowden leak.

'On December 20th, Reuters broke a story alleging that your company accepted a random number generator from the National Security Agency, and set it as the default option in one of your products, in exchange for $10 million.'

'Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a “back-door” in encryption products'

Now, to justify what I've said: my burden of proof that Facebook also spied on people for the NSA doesn't come from Reuters, it comes from the New York Times, I'm afraid. However, Reuters reference them, so I'm sure it's cool for me.

'The companies that negotiated with the government include Google, which owns YouTube; Microsoft, which owns Hotmail and Skype; Yahoo; Facebook; AOL; Apple; and Paltalk, according to one of the people briefed on the discussions. The companies were legally required to share the data under the Foreign Intelligence Surveillance Act.'

So, to be fair, Facebook had to do it! Yeah, well, they could have joined Twitter and made it hard for them to spy on foreigners (like Mikko and me). I guess you can argue either way on them 'volunteering' their data to intelligence agencies, but I'm going to go with: YES, I BLOODY DO! If the burden of proof used to damn RSA was leaks, then the burden of proof for Facebook should be the same.

Now, I've gone a long way around to say this, but here is the crux of it:
If you damn one for the sin, then damn them all! It's contradictory to attack RSA and, yes, give Facebook a pass for the same thing. RSA couldn't give a mailbox feature (I believe in some of the posts they call it a back-door) similar to the one offered by Facebook to the intelligence agencies, so a flawed encryption algorithm which acts like a back-door might have been their own choice too.

It seems that the real argument is going to focus on what your definition of 'volunteering data' is. For me, it's painfully simple: publicly attacking RSA for badness, whilst ignoring that data is being given with the knowledge of Facebook, who didn't fight against it, unlike Twitter, is at best a confusing stance. I fail to see how you can campaign for 'Digital Freedom' when you've partnered up with someone who has given a portal to invade our privacy without our knowledge.

So yes, this post is a bit of a troll, I know, but hey, I thought you did the right thing with RSA; I just thought you were shitty with BSidesSF. I personally think gimmicks are for other vendors incapable of making a lucid, valid argument, something I'm sure F-Secure is capable of doing. Moreover, if you give a position publicly, then for the love of God, stand by it! You have a chance to lead by example, and at best you've changed a position about working with people who break our trust in our privacy.

You wouldn't want people to think that the steps taken over the past few months have been more about publicity than freedom.


Tuesday, 13 May 2014

Part Three - Linux Tag and Droidcon – Berlin

Bring forth the neckbeards and sandals! Well, maybe not the sandals! Actually very cool, TBH with you; the Snowden privacy thing seems not to have poisoned our Linux brethren. Well, it has, but it's not all about privacy. Some very cool talks, and some, well, err, confusing and painful. For starters, slides: please think of your audience, we love you. Don't hurt us with slides and __VERY__ small terminal fonts. Come on peeps, you can do this, go to YouTube; you've worked so hard only to blind your audience with millions of bullet points, terminal screenshots and stuff that frankly makes no sense.

Still, in some cases I got to have a seat and update my Twitter, which, let's be honest, is good. All in all, here are some notes. I actually found some KDE users. It had to be Berlin of course, but yeah, people still use it! I learned that openSUSE is actually still a thing, and I met all four users of it. Then I shocked the ownCloud guy when I told him I used Arch in a work environment because it's more stable than Ubuntu. Amazon Linux has a goal of releasing security patches within 24 hours of disclosure, which I doubt is a service level agreement, but it is a real nice effort from them. Also 4 hours from the Heartbleed disclosure to a patch being pushed out. Oh, and again, can people stop using QR codes! I learned I am in no way suited for Android development. That some Android developers seem to think the internal network is safe and doesn't require security, even if it is bloody home automation. That Kinko could be a very good project for email security, but my gut says wait and see. That patent trolls have struck again and have patented the term 'Crypto Stick©'. Thank god they haven't patented a term I think about them that rhymes with it!

FX did a very interesting keynote, which I thoroughly enjoyed. If it's been recorded, give it a watch. Plus he throws some pain Cisco's way, which is always fun.

All in all a very enjoyable time.
Next Stop Re:Publica – Into The Wild – Berlin

Part Two

Social Media, baby, it's what makes the world go round! No, it really does! I swear, I was at a conference and it was clear to me! Come on, give me a break! It's important! So yeah, I went to one of those social media things and, you know what, it was actually interesting. Granted, privacy was on the agenda (you'd be surprised if it wasn't). I'm glad that Snowden hasn't trademarked his name yet, otherwise that man would be uber-rich, to say the very least. My conference started for me with Sarah Harrison and Alexa O'Brien doing some 'interview' sort of thing. ZOMG!!! Snowden, you know!!! The US, OMG WTF!!! I'm sorry, I found myself getting more vexed by this talk/interview than I had imagined, which, trust me, is an achievement. Whoever told Sarah Harrison they're doing 'scientific journalism' at Wikileaks should maybe cover the scientific part as well as the journalism part. Causality and reaction is not absolute fact, and because a government couldn't prove 'X' in a court of law doesn't make 'Y' a fact. If I followed their logic I could equally argue that snowploughs are responsible for snow, owing to the fact that cities with lots of snow have more snowploughs. Which is true, but correlation 'facts' don't mean anything other than correlation between items. Also, if you're going to interview someone, you ask the questions and then wait for the answers. Still, feel safe in the knowledge that these people have your thoughts at heart! Oh, I was going to go off on the whole 'redaction' thing, but seriously, I'm using LibreOffice and I'm not sure that Free Software can handle my RAGE!

This was followed by Jacob 'Jake' Appelbaum and his AIDS and Privacy talk; few could pull off something like this, and praise where it is due, Jake did a very good job. It comes from the time at 30C3 where he said something along the lines of 'if you don't use encryption you're barebacking with the internet'. The crux of the talk is basically that we could learn a lot from harm reduction strategies, and then he linked that to privacy issues. Granted, a condom is probably easier to use than PGP, but a point well raised. I've said for a good while, 'we don't do risk eradication, just risk reduction'. The Hoff and Mikko! NO. JUST NO. NO, I mean NO!!!! Sorry, this was as craptastic as it sounds. You know, if you can't find a decent train crash to watch then look for this talk. On stage was one person very comfortable with addressing large audiences; the other was David Hasselhoff. I have no idea what prep Mikko gave The Hoff, but it wasn't enough, trust me! Also, when most of the audience leaves halfway through, this is the cue for you to start singing 'Looking for Freedom'.

Why, oh why, did I go to a 'security' talk at a non-security conference? I'll tell you: understanding how people talk about security outside a security arena is a good thing. Be prepared, however, for me to question some premises if you do this, such as 'Open Source software is MORE secure'! The many eyes, shallow bugs line! I love that one, it's beautiful in its honesty. Yes, more people looking at code will probably make it less buggy; this doesn't mean jack when it comes to security though. You know OpenSSL (_*starts singing heartbeat*_), you know, many eyes, yeah! Also OpenSSH: the bloody thing has an SDL, each line of code is verified, and it's got 'Secure' in the title. Well, it still gets exploitable bugs in it from time to time. Also, be very prepared for me to ask you: 'many eyes, yeah? You run Linux I guess, ever read the 10 million plus lines of code?'. What I particularly loved about this was then being told that I had made the common mistake of thinking that 'Open Source Software was MORE secure'. Which was strange, given it felt like I had asked why they said that; in fact I was pretty sure that's exactly their opening gambit in the first 5 minutes of the talk. This was also followed by 'well, I prefer having access to the code', so by this logic Vodka is more secure than Gin because I like it, and I have access to it. However, the overall message was a good one IMHO. Keep your important data on systems you control. This is a message that is very much needed at social media related conferences.

Let's not talk about QR codes; let's just say the message hasn't got out about QR codes. Scan all teh thingz at conference. NO, for the love of god, NO!

Lots of other pretty cool stuff happened too. The crypto currencies talk was, well, errr, about BitCoins. Enough said. The Craftivism talk was thought inspiring, and I enjoyed it very much. All in all pretty cool, TBH with you. Now, let's wrap the whole thing off with a great big singsong of 'Bohemian Rhapsody' and we have the makings of a pretty cool conference! Seriously, it was cool.

Part Three To Follow
Four Conferences Later

Security, Social Media, Linux and Android – Part 1

As a good friend once said to me, 'Your industry is basically built out of conferences!'. Hard to argue with the logic, given the fact that I had just completed a two week trip away from home that covered two European capitals, four conferences, and exposure to countless geeks of all kinds talking about a variety of subjects! In this trip I learned a lot, not all of it intentionally, not all of it practical, but educational nonetheless.

So, my journey starts back in the UK at BSidesLondon, a must for anyone in the European security community. In one way, shape, or form, I have been involved with BSidesLondon since it started 4 years ago. 3 talks, 2 Rookie Tracks, and a workshop later, I've watched the conference grow, and boy has it grown! Bigger doesn't always mean better, but in this case it's hard to say that it isn't. Two years of 'officially' being crew has been both rewarding and educational. For me, the most rewarding aspect of BSidesLondon has been the 'Rookie Track'. Sometimes (and just sometimes!), really good things can come from ranting, and this is a case in point. Taking people who have never given a talk, and giving them the platform, coupled with the correct support, has gone on to produce not only excellent talks, but speakers who understand how to help new, fellow speakers of the future. Yet again, this year's rookies set a standard, showing that just because you've never spoken before doesn't mean you can't own the stage like you were born for it.

My day at BSidesLondon started off as a speaker with a lightning talk, a very under-prepared lightning talk I might add, but nonetheless I stood up and talked about Crypto Parties (and no, the '90s didn't call and ask for their keys to be signed!). I know a lot of people find it surprising that someone with my cynical nature would be involved with them, but personally I believe that hands-on grassroots help for people not involved in security is a must. Put simply, our industry must roll its sleeves up and help. I then followed the talk with a short workshop on presentations, or moreover, how not to kill your audience by slide deck (Death by PowerPoint anyone?). I'll put this out there for the record: 'Our industry SUCKS at presentations'. Granted it's a difficult task, but if you want to deliver a message to people and in doing so poke them in the eyes with a horrible PPT, don't moan that no one took anything from it! This theme of 'let's stop sucking at slides' is a theme you're going to see played throughout these posts for a while. Back to the workshop though; this seemed to go down very well, and like all good experiences, I learned from it too. It seems there is salvation for our 'sucky' slide deck community after all! Finally, the workshop was followed by my talk on detection system fails. Yeah, I'm still talking about that subject, you know why? We still fail!

London was then wrapped up with 44Cafe, followed by the EU Security Bloggers Awards. I'm going to put this out there as well: 'STOP PLAYING HEARTBEAT WHEN YOU TALK ABOUT HEARTBLEED!!!!!'. I don't want to hate you, but you make it bloody hard not to! The EU Security Bloggers Awards were fun; this year we beat last year's record and managed to come third in a one horse race, which for me is a personal best. Congratulations to Martin McKay and his NetSec Podcast. To the Eurotrash guys: 'Mwhahahahaha, that's how it feels boys!'. I also managed to grab dinner with the 'grandfather' of British security, Mr Pete 'Grandpapa' Wood, which is always a pleasure. He didn't talk about the war, or being on any sinking boats for the navy, which is a win, but we had such a laugh. I always love spending time with him; he's been a great friend over the years and frankly a good role model for any young upstart in security. Also, Dan Raywood of IT SecGuru coined the 'before and after look' whilst 'Grandpapa' Wood and myself were at the bar. Thanks Dan ;)