- This piece was written over a year ago. It may no longer accurately reflect my views now, or may be factually outdated.
Working in cyber security, and I know everyone in the room will understand, does make you shocked, disappointed, angry and sad on a fairly regular basis.
BSides Leeds took place this past Friday, and free tickets found themselves to me through the Lancaster University Ethical Hacking Group. Here are my thoughts on the event—my first (though hopefully not my last) experience of a cyber security conference.
Dr Jessica Barker & freakyclown, F**k You, FUD
Mine and José’s train arrived in Leeds too late for Mark Carney’s Opening Remarks, but we did make it in time for the vast majority of Barker & freakyclown’s keynote speech on moving beyond FUD—fear, uncertainty & doubt. At the beginning of what freakyclown referred to as
[his] first non-technical talk, Barker took aim at the narrative within the industry that
Barker went on to speak about personal FUD, and overcoming her fear of public speaking, after which freakyclown described besting his fears of both water and flying. That’s me walking across the stage at 11:14.
users are stupid, people are the problem [which] causes people to feel not particularly comfortable with us.
Three-quarters of the way through the presentation, they reached the topic of
Infosec FUD, as evidenced by the Y2K bug.
This happens a lot, and the public see this and think freakyclown went on to criticise the use of FUD in order to drive sales in the infosec industry, such as in the case of the upcoming GDPR. Barker went on claim that
well, why should we trust those infosec people?
optimism is more powerful than facts, and that the approaches that we as
infosec people tend to utilise
where we kind of shout at people with the threat, we give people lists of what not to do, is not working, and we’ve seen that over the past couple of decades.
Towards the end of the talk, freakyclown invited anybody who had a fear of public speaking to come to the front and address the audience. After a brief awkward pause, a guy who clearly had no issue with public speaking came up, plugged his company and got everyone to stand up and check under their chair for a
free gift. His point kind of petered out after that, and both Barker & freakyclown seemed as confused as their audience afterwards.
Chris Ratcliffe, What is Risk
I had hoped to see Robert Sell’s Exploits in Wetware first, but this turned out to be the only talk of the day to be cancelled. Instead, I went to Ratcliffe’s rescheduled talk about managing risk, subtitled
How I Learned to Stop Worrying and Plug Things Into the Internet. In a shorter talk, Ratcliffe covered the tradeoffs between security and convenience inherent in all walks of life, as illustrated by the concept of a gloriously unnecessary IoT BBQ. It was quite an enjoyable little talk, although a lot of it overlapped with the week of risk management lectures I had just sat through for my course.
Andy Gill, Hacker of All Trades
Gill used his half-hour to act as an aggressive Scottish careers advisor in one of the highlights of the day. With a slideshow written entirely in Comic Sans, Gill went through the skills required to work in penetration testing and infosec, and how to acquire them.
Tomnomnom, Passive-ish Recon Techniques
Tomnomnom gave a talk about the program he had created in order to passively scan large numbers of web hosts for vulnerable files left out in the clear. The scanning would appear, to each host, indistinguishable from legitimate traffic. I left the talk keen to dive into bug bounty programs, even if I’m not sure what I can hope to do to compete with the pre-established bounty hunters and their automated tools.
Ian Trump, Stories from the Cybercrime Battlefield
After lunch came my favourite talk of the day as ex-Mountie Trump rattled off a long list of cyber criminal anecdotes from all over the world. Not much to talk about afterwards (except for how dubious the US’ notion of the bounds of their own legal jurisdiction is), but thoroughly entertaining.
Rory McCune, Night of the Living Dead Pentest
McCune presented something of a sequel to his 2010 B-Sides London talk Penetration Testing Must Die. He talked about how the term
penetration testing has no agreed-upon meaning—one person may think of running an automated Nessus scan, whilst another conjures ideas of full Red-team tests. This disparity of approaches means that different people offer different products for different prices, but advertised using the same terms. In the absence of any way of comparing the contents of such products, customers will tend to go for the cheapest, making penetration testing a race to the bottom.
McCune went on to detail the 6 steps of security assessment that a business should perform, and who should carry each of them out. For example, a business can start by running its own automated scan. Only later, once the discovered vulnerabilities are patched, should they think about hiring in external testers.
McCune’s call for standardisation reminded me of a talk by Prof. Harold Thimbleby—one of my favourites—on medical technology UI design. At 37:00, he talks about the issues consumers found in comparing different types of tyres, and how these were alleviated once a standardised rating system was introduced. A similar idea can be seen in the traffic light boxes on food and drink, showing calories, fat content and so on. It strikes me that we could perhaps solve McCune’s problem by standardising the elements of security assessment, perhaps along the lines of his 6 steps, and thus allowing different proposed products to be better compared.
The event was well-organised and had some great talks. I realised, viscerally, just how small the UK cyber security field must be when I ran into 8 or so people that I recognised from a summer internship, who must have come independently from at least 4 separate universities. This is out of the 300 or so people at the event overall. I suspect I shall have to accept the fact that I will be seeing the same faces again and again as I go to future conferences.