A Place to Hang Our Hats: Intern Goes to Vegas
Why Even Present?
As professionals who aim to protect consumers’ data and privacy, security is always on the mind. When trying to share our zeal and vigor with those outside the community, our message comes coated in vendor-specific verbiage, decades of acronyms, and inner technical workings. These details can act as a hurdle for outsiders attempting to understand the importance and development of the information security community.
It makes sense that the security community relies on a narrative model of computer security that relies heavily on analogy and storytelling. I also saw an opportunity to advance dialog on how to approach and communicate with people who have very little direct experience in security. My impetus to present at BSidesLV was driven by the goal of sharing the broad-picture version of the information security narrative.
A big part of a layman’s understanding of information security comes from media coverage of large breaches and “cybercrime.” In trying to understand how a customer understands the security narrative, I decided that it would be interesting to view how an outsider sees the narrative around security. Specifically, I chose to cover hackers and hacker culture because of the large percentage of tech coverage dedicated to “hacker” stories.
The next big step was to choose how to convey a newcomer’s take on hacking culture. I needed a fresh, well-read source that was still not an industry insider. I found the perfect candidate: a security research intern who was new to the fields of both security and computer science. This was me!
What follows is a brief summary of my presentation notes, thoughts, and post-conference observations. Feel free to listen to the talk below because my slide deck is very visually focused.
I figure that most interested non-insiders read about a few major hacking/hacktivism/cybercrime incidents a year. Instead of trying to present my subjective view on a few specific hackers or groups, I decided to pose the (admittedly overly-broad) guiding question, “Are we seeing significant changes and declines in hacker culture and the size of the hacking community?”
Over the course of the presentation, I theorized that growth of security as a product, increased governance of the Internet and its crimes, and an aging gen-0 of hackers have led to a restructuring of hacking culture and energy, if not the people behind it. Again, for more of a logical progression, feel free to watch me bumble my way through it.
One of the more interesting facets of the “decay” of the hacking culture of yore I cited was the rise of the student/teenage entrepreneur. We are seeing increasing acceptance of pentesting, bug bounties, and internal audits as legitimate ways to make it as a hacker. Vast amounts of venture capital are available to the next Yo or student hackathon winner. With so many legal avenues of profit, black hat hacking for fun or for profit has fallen out of vogue.
Along the way, I tackled some big issues of the typical “OMG haXors” news story: the over-dramatization and adversarial hero-villain stratification, threat sensationalization, scare-factor reporting, attempts to package multiple events as one story or re-reporting old stories as new threats, and a distinct lack of tech-literacy in some major publications (thus the ubiquity of “cyber” prefixing).
Besides being my first speaker gig, BSidesLV, this year merged with PasswordsCon, was the first security conference I’ve fully attended. Being a relative outsider, I was worried about how I would come across to a rainbow-haired, con-veteran audience. I can honestly say that I didn’t have a single negative experience with any attendees, conference workers, or fellow speakers. I was treated as a colleague, met with positive interest and given leads to great resources. Though often presenting a somewhat harsh exterior, even the more notorious community members were nothing but helpful and animated.
As an attendee, the talks were a blast to watch. The speakers, for the most part, were informative and entertaining. Topics ranged from hilarious closed-door rants over Wild West days past to open workshops on social engineering informing on the best way to infiltrate Fortune 500 companies to a particularly animated panel that featured more alcohol consumption by the speakers than an average American will see in a month.
Overall, after attending BSidesLV, DEF CON, and Black Hat, my big takeaway was to be social. Conventions are a great chance to exchange and collaborate face-to-face. While it was a shame to see some people glued to their laptops the whole week, all of my best experiences came from sharing stories and new material with new peers. In the end, an eagerness to learn was all I needed to be openly accepted by the infosec community.