Guest Post - Adam Maxwell - "Popping my cherry - B-Sides London 2012"

[Today our guest post is by Adam Maxwell (@catalyst256). He registered for his first security conference, BSides London, and then decided to take it one step further and signed up to be a volunteer. This is a great example of how to make the most of a conference experience. 

This post originally published on Adam's personal blog, The IT Geek Chronicles.]

On April the 25th 2012 a group of crack InfoSec professionals, enthusiasts, hobbyist and newbies (that's me by the way), descended on the Barbican Centre in London for the security event of the year (in my opinion).

That's right; B-Sides London 2012 had arrived.

Most of you probably already know what the B-Sides events are all about, so I won't bore you with going over that, If you don't then you go find the main website here; http://www.securitybsides.com or the B-Sides London website is here; http://www.securitybsides.org.uk/.

This was going to be my first B-Sides event and as I was reading the website to find out as much as possible before the event, there were two comments on the front page that really stood out for me.

The first was this "built by the community for the community", I'm still trying to find my way in InfoSec, but what makes it easier (and more fun) is the people that have the passion, drive, commitment and wiliness to share their knowledge with people like me. Without community events like B-Sides (and there is others) trying to navigate your way around the world of InfoSec would be a lot harder.

The second comment was "So make BSidesLondon whatever you want it to be", for me this was really important I didn't want to attend an event and be anonymous. I have a tendency in new environments to be a little bit shy and I wanted to make the most of the day, meet new people and try to become part of the community rather than a lurker in the corner.

So with less than a week to the event, I volunteered to help out on the day, yes that's right I was now on the crew roster for B-Sides London 2012. Due to work commitments I wasn't able to get to the Barbican early to help out with setting up, but I would just like to say at this point a HUGE thank you to Iggy (@geekchickuk) and the rest of the B-Sides London crew for getting everything ready for the day and in fact for all their work during the day.

Working as crew on the day for me was awesome; I met a lot of new people and had a lot of fun. What did I do on the day?, well if you bought raffle tickets between 10:00 - 12:00 from the table in the corner next to the guys from SANS that was me (sorry about making you write out your own tickets), and in the afternoon (from about 14:30) I was on the swag desk. I may or may not have also been involved in the nerf rocket war between the B-Sides crew and the guys from MWR InfoSecurity.

In the end I only attended one talk which was by Robin Wood on "Breaking in to Security" (check out the B-Sides London website because a lot of the talks were videoed and will be available to watch), but for the me day was still a success. Would I help out again next year? Hell yeah, if fact I've already told Iggy I will, but next year I'm going to do a talk on Track 3 (that's the turn up and talk about something track), I have no idea what about yet, but I've got a year to work that out.

See you all next year...

Adam

Root the Box - April 7th, 2012 - Chandler, AZ

Today I talked with Zachary Julian, a student at the University of Advancing Technology, about a competition called Root the Box in Chandler, AZ this weekend, April 7th. Root the Box is a computer hacking (CTF) game that requires skill, speed and team work. Each team must scan and exploit systems on the attack network. If a team successfully obtains remote code execution they can upload a reporting service, which awards them points over time.

Check it out at rootthebox.com or on their FB page. There is still time to register for this weekend's event. Root the Box is put on once a semester.

-Who are you?
My name is Zach Julian, and I’m currently attending the University
of Advancing Technology for my Bachelors in Network Security. I
am also on the Root the Box organizing committee, where I serve
as the security officer for the competition. I have loved
computers for many years, and consider myself fortunate to have
found a good community of hackers here in Phoenix, Arizona.

-What's it like as an infosec student at University of Advancing Technology?
It’s a unique experience- Network Security is undoubtedly the best
program UAT has to offer. We have a pretty tight-knit group of
people within our major, which includes a wide range of skill
levels and specialities. If you’re serious about learning
security, UAT is definitely the place to come. Coming to UAT,
I’ve found the class material to be challenging and useful, my
peers extremely bright, and the opportunities to network
constant. I’m always inspired to attain higher levels of
hacker-fu.

-How did you get involved with Root the Box?
So far, I have competed in two Root the Box competitions. After
that, I felt it would be a worthwhile experience to help the
competition in some way. Since my current job consists of
Intrusion Detection analysis, I volunteered to set up and
monitor a Snort box during the competition. This is to ensure
that the participants stay within scope during their attacks. ;)

-How long has Root the Box been happening?
This will be Root the Box number 8. During that time, we’ve improved
on everything from the hacking challenges to the scoring engine.
After several years, the competition has matured quite a bit.

-What skills do you hope students get out of participating?
Each Root the Box is an excellent opportunity to refine and expand
your skills a little bit more. Hacking is the same as any skill
- reading and thinking about it will give you some knowledge,
but there’s no replacement for actual experience. That is why we
so strongly encourage people interested in security, at all
levels, to participate in Root the Box.
Newcomers to hacking will benefit the most - Root the Box features
challenges that draw from all types of digital security, from
reverse engineering to web applications. If security or
penetration testing is your intended career path, Root the Box
will show you what to expect and where to focus your learning.

-How can people get involved?
Come compete! Anyone interested in volunteering for Root the Box will
be able to meet our staff and get a good idea of just what goes
into putting on this competition. More specifics are available
at http://rootthebox.com.

Thank you Zachary for filling us in on this very cool competition! Good luck this weekend!

Communicating the value of security

Whether your work has you speaking in front of the media or just championing your ideas internally, whether or not those ideas are heard has as much to do with how they are presented as what the ideas are. In Information Security, the most important task we do is communicating the value of security. For this to be successful, you need to ensure your personal brand has integrity, trustworthiness, and experience. These factors take entire careers to build, but there are also resources that can help.

One of those resources is SECore.info. This new website created by the Open Security Foundation brings verified security experts and reporters together, as well as a tool to help experts promote their ideas through presenting at security conferences.

I'll be speaking more about this topic of self-promotion during Security B-Sides PHX this weekend. Check out the B-Sides page for more information.

SECore is also providing a great opportunity to increase your communication skills on security topics by hosting a workshop during RSA in San Francisco this month. This one-on-one training is co-hosted by the technology PR firm LEWIS Pulse, and will help you with personalized training on how to effectively communicate about your work to the media and to your co-workers.

SECore Media Training for Security Professionals
Date: Wednesday, February 29
Time: 8:15am - 6:00pm (hour-long sessions)
Location: Marriott Marquis, 55 4th Street, San Francisco

Register at EventBrite.

InfoSecMentors @ BSides Byte Size

Just a quick note to tell our UK friends that the crew from BSides London is throwing a little meetup in Central London called BSides Byte Size! It's Saturday, January 7th, at a venue to-be-disclosed closer to the date. I'll be there as well, and I'll bring InfoSecMentors stickers to give out to anyone that attends!

From the BSides London website:

BSides Byte Size - The Acoustic Set Saturday 7th January 2012 Venue - TBC (A Pub in London) There are no invites, no sponsors, no projectors just you and beer. The Acoustic Set is a simple gathering of like minded people meeting, talking, listening, debating and drinking so come along and participate. So what makes this acoustic? Anyone speaking is not provided with any electronic assistance. If you want to talk you need to go low-tech. Who's speaking? We are going to have a few well known people come and speak but anyone can speak. Just turn up on the day. Tell people you're coming on Twitter by using #BSidesByteSize.

No tickets or RSVP is required, but please join us on the event's SECore.info profile and let everyone know that you're "interested" or "attending" and post comments.
So hopefully we'll see you there!

Happy Holidays!
-Marisa

InfoSecMentors @ BruCon 2011

Next week the InfoSecMentors team will be attending BruCon! We've been looking forward to this particular event all year because BruCon has been a valued supporter for the project. BruCon is a great conference not only because their slogan is "Hacking for Beer" but because they've captured that great balance between the black t-shirts and the suits. The trainings, presentations, and workshops are all very affordable (and a steal when you hear about the included after-party!) We're looking forward to learning a lot, meeting new friends, and drinking beer in amazing places.

This year, we're hosting a mentoring workshop on the second day. This workshop will tackle both sides of the mentoring relationship. For the mentees, we'll talk about ways to set yourself apart, how to efficiently do your homework, and what valuable benefits to expect from your mentorship. For the mentors, we'll go over different activity ideas, how to keep your mentee engaged, and the value mentors get out of the mentorship. After that, we'll put the question to the audience and try to define just what exactly counts as a successful mentoring relationship.

Our workshop panelists include David Rook (@securityninja), Chris Gates (@carnal0wnage), Wim Remes (@wimremes), and Marisa Fagan (@dewzi). We'll start at 19:30 Tuesday with a short presentation and open the floor for questions and experiences. Hope to see you there!

Exactly!

While The InfoSecMentors Project may be on a break until September, there are still plenty of conversations happening about mentoring! One blog post in particular has so correctly hit the nail on the head I wish I could copy and paste the whole thing! (But I won't. Remember kids, plagiarism is bad m'kay!)

This article comes from Ramit Sethi at iwillteachyoutoberich.com (not a security-related blog, but couldn't hurt to read it) called "Why Successful People Don't Want To Mentor You." His take is that these days so few people actually put in the work to be a good mentee that it has left a bad taste in everyone's mouth about being a mentor. So it's not entirely your fault that it is so hard to find a good mentor. Fortunately, those that really do want to put in the effort will be part of a very short list that gets catapulted to the top. Ramit explains exactly how to do just a few hours of work before you approach your ideal mentor to guarantee they will jump at the opportunity to work with you.

From the article:

• "Here is the 1-2-3 Choice Technique: “Hi Ramit, I love your book on blah blah. I noticed you said I should XYZ in chapter 5, and so I tried it. I’m stuck due to XYZ. So I’ve come up with 3 possible routes:
• blah blah1
• blah blah2
• blah blah3

Which do you think I should do?

This will get almost a 100% response rate, since you have actually done the work in your head…plus all I have to do is tell you which is best. GOOD JOB."

Brilliant!

I also thought the article had an interesting point about how as mentors we create these huge artificial barriers to intentionally make it difficult to contact us, perhaps without realizing it. Having your email address public may not be practical for other reasons, but at least consider making your LinkedIn profile public and be responsive there. And if you're a mentee, please be respectful of this direct access you have to the people in your industry. You may not realize it now but being "kooky," flakey, or lame is actually ruining it for the rest of us!

As part of the InfoSecMentors Project, I can vouch that everything in this article is true. The substantial majority of mentees are not doing the legwork, and so setting yourself apart is very doable (and totally worth it!) Look through past examples on this blog about the type of projects and jobs people get exposed to after they do the homework. Listen to the podcast at the end of Ramit's article for dozens more specific examples. Do this, and as Ramit said, "you will find people that LOVE helping other ambitious people who take action."

Good luck! (Not that you need it!)

Guest Post: Brandon Tansey "Practical Lessons"

Guest blogger Brandon Tansey is back this week to tell us about his experience as a mentee. He also has some suggestions for thing to do with your mentor, including setting up an at-home hacklab, and getting involved in the Security Community.

It's important to be clear that my last post isn't to say that practical lessons aren't great in a mentor/mentored relationship. My discussion with Marisa also included some thoughts I had on the practical aspects of working with a mentor. There were two main points I looked to get across: work with more than one mentee per mentor, and to focus on helping a mentee make the jump from methodology to practice. As I mentioned, my experience with Dan began when he started giving presentations at the group on campus. After each meeting he would come back to my apartment and work more closely with people who were interested. The setup we have is great! We're fortunate enough to have a Poweredge 2650 humming away in our apartment. We use it to virtualize all sorts of targets and services (ex: PFSense) and to practice taking down some machines. We used a mix of standard virtualized desktops/servers and some premade target distributions (Damn Vulnerable Linux, Damn Vulnerable Webapp, Metasploitable, etc) to bang on. Our setup makes having people over to practice easy, but having a big, loud server isn't the only way to safely practice on live targets. A desktop virtualization program like VirtualBox can be just as good! Boot up a VM with Metasploitable (or whatever you'd like to attack) and you've already got your own mini-hacklab! Some nights there were more people coming over than others, however there were two of us that made it week after week without fail. There was myself, and there was a junior networking major at Wentworth named Ian Abreu(@Ian_Abreu). Every week (and often in between) we'd meet up to work on something. Working as a trio was great; it allowed the dynamic to become less teacher/student like and more like a group of people working together. Everyone had something to bring to the group. I understand that not all mentors are able to devote the amount of time that Dan did. The trio is even better in these situations. Having multiple mentees in a group allows for dialogue even when the mentor is busy between talks. The mentees can help each other grow both their passion and technical ability. The other comment I had for Marisa was one that may have been more specific to my experiences, however I wouldn't be the least bit surprised to find that other students feel the same way. The comment I made was that it's incredibly handy for a mentor to help a mentee make the jump from methodology to practice. Before meeting Dan I had done quite a bit of reading. I think the most well-known book I read was Hacking Exposed. The book was an incredible way to learn principles. I feel that the main issue I face, however, isn't the principles. I personally had a hard time starting the jump from reading to doing. I felt that I could describe quite a few techniques and how they worked, but if you asked me how to actually do them I'd be stumped. Technology in general moves quickly, however InfoSec seems to move especially fast. It's because of this that a lot of the reading material out there is far outdated by the time people get to reading it. If I was to redo the last year's mentoring experiences, that is probably the one thing I'd change. I think it would've been incredibly handy to slowly step through a particular methodology and really learn how each step translates from theoretical to practical. There is one final tip that I feel is incredibly important to stress. Regardless of whether or not the pairing is local, getting mentees involved with the InfoSec community somehow is one of the best things you can do for them. Get them on twitter (or to start following the InfoSec crowd), get them on the mailing lists, if possible get them to local meetups and introduce them to people! The InfoSec community is a small one full of incredibly intelligent people. In my experience, many of these people are incredibly open (if not eager) to help people willing to take the time to learn. It is much easier to meet these people when you approach them with someone they already know! The best thing I personally got out of SOURCE was all of the incredible people I met, and I feel that was a direct result of volunteering for the conference which I did through the people I had already met at the local meetups! Overall, I'm incredibly glad I was able to find a mentor to work with. I'm not Dan, however I feel that Ian and I were able to give him something through working with him as well. I'd personally consider the InfoSecMentors Project a success for simply putting together a few mentors and mentees. Fortunately they're only limited by the amount of people that express interest! I really do advise you give it a try. You'll be incredibly glad you did regardless of which side of the relationship you sign up for!

You can find Brandon Tansey on his new blog at The Wormhole, on his Twitter feed, or on LinkedIn.