Ad-hoc Charity Type Things

Last month, I decided to an ad-hoc charity drive via Twitter. I did it figuring I might get a handful of donations between $5 and $25 dollars and would help out some animal charities. Boy was I shocked.

Right out of the gate, Steve Syfuhs donated $35 to the ASPCA for directly helping them previously. Almost at the same time, Steve Ragan donated $130 to Greenwood Wildlife Rehabilitation to help over 3,000 wildlife they get there a year. Wildlife rehab shops are vanishing around the U.S. as they don’t receive any state or federal funding, and rely entirely on donations and fundraising. Along with Ragan’s donation, ‘Priest’ (@imyourpriestt) donated $75 to the Georgia Society of for the Prevention of Cruelty to Animals.

With the ‘Steves’ quickly donating, I decided that at least three people would receive something from me in return for their generous donations. Before that Tweet could land, Doc Panda showed that he donated $50 to the Tiny Paws Pug Rescue, which is epic because Pugs are epic. By this point, I was working on expanding the rewards and decided that first place would get a box, not an envelope, and kept baiting for more donations. Then it hit, someone donated over $300 to a charity as part of this ad-hoc contest.

That donation to Cavy Care is amazing, because it is run by two people out of their house, with help from volunteers on weekends primarily. In the past, they have had as many as 150 guinea pigs that needed care for various reasons, usually because they are adopted as a pet for children, and they aren’t suitable for kids despite that notion. Guinea pigs are rarely adopted from animal shelters as they tend to be adults with unknown provenance or age. Cavy Care provides a sanctuary for these guinea pigs, and adopts them out very cautiously to ensure that the gpiggie finds a forever home. Cavy Care was pleasantly surprised at the sudden huge donation!

One Friday night, five amazing people, and $623 donated to charity in exchange for stickers originally. I think I sent out three boxes of stuff to the top three, and large envelopes to the other two. I cannot thank these people enough, and I hope that more will follow in these footsteps. InfoSec tends to draw large salaries. We all love our toys and our lifestyles, me included. But I think it is important that we stop a few times a year and look to help others that could benefit from our generosity.

(Disclaimer: Lebowski was not included. I would not ship that glorious beast.)


Before you publish your end-of-year vulnerability statistics…

TL;DR – The CVE dataset does not allow you to determine how many vulnerabilities were disclosed in 2017.

I’ll try to keep this fairly short and to the point, but who am I kidding? Every year for a decade or more, we see the same thing over and over: companies that do not track or aggregate vulnerabilities decide to do their own review and analysis of disclosures for the prior year. Invariably, most do it based on the publicly available CVE/NVD data, and they do it without understanding what the dataset really represents. I know, it seems simple on the surface, but the CVE dataset is not easily understood. Even if you understand the individual contents of the export, you may not understand how it was created, what shortcomings there are, what is missing, and what statistical traps you face in digesting the data. Just doing the basic parsing and automated ‘analysis’ of that data via your tool of choice (be it grep or something fancier) means very little unless you can disclaim and properly explain your results. Either way, follow along with the advice below before you publish your ‘vulnerability stats for 2017’ please!

So let’s start with the basics of CVE data analysis. Begin by grabbing the latest CVE dump, a gzipped CSV file, that represents MITRE’s CVE dataset. Note, this is different than the exports NVD offers and welcome to the first hurdle. While the base vulnerability data is 100% equivalent between the two, NVD does additional analysis and creates metadata that is useful to many organizations. NVD provides CVSS scoring and CPE data for example. The relationship between CVE and NVD is interesting if you observe it over time, where it used to be a clear ‘MITRE publishes, a day later NVD publishes’ relationship. For the last year or two, NVD will sometimes open up a CVE ID before MITRE does for various reasons. This also gave way to Bill Ladd observing and writing about how the Chinese National Vulnerability Database (CNNVD) is actually opening up CVE IDs faster than both NVD and MITRE. Consider that for a minute and understand that the relationship between these three entities is not straightforward. Then consider the relationship between many other entities in the bigger picture, and it gets even more convoluted.

See? You start by grabbing a data dump, a paragraph later you have the start of disclaimers and oddities as pertains to the larger CVE ecosystem. Next, decompress the CVE dump so you have a CSV file to work with. Now, before you eagerly start to parse this data, stop for a moment. Did you do this same analysis last year? If so, great! Do you understand what has changed in the last 18 months with regards to CVE and more specifically MITRE? If you can’t quickly and readily answer that question definitively, the kind of changes that are the first in almost 19 years for the program, reconsider if you should be commenting on this data. In case you missed it, Steve Ragan published an article about MITRE / CVE’s shortcomings in September of 2016. The article pointed out that MITRE was severely deficient in vulnerability coverage, as it has been for a decade. Unlike other articles, or my repeated blogs, Ragan’s article along with additional pressure from the industry prompted the House Energy and Commerce Committee to write a letter to MITRE asking for answers on March 30, 2017. When a certain board member brought it up on the CVE Board list, and directly told MITRE that their response should be made public, MITRE did not respond to that mail in a meaningful manner and ultimately never shared their response to Congress with the CVE Board. It is important for you to understand that MITRE operates CVE as they wish and that any notion of oversight or ‘Board’ input is only as it is convenient to them. The board has little to no real influence over many aspects of MITRE’s operation of CVE other than when they set an official vote on a given policy. Additionally, if you point out how such a vote that impacts the industry is not adopted by certain entities such as CNAs, many years down the road? They don’t want to hear about that either. It’s up to the CNAs to actually care, and fortunately some of them care very much. Oh, you know what a CNA is, and why they matter, right? Good!

OK, so you have your data dump… you better understand the state of CVE and that it is so deficient that Congress is on MITRE’s case. Now, as experienced vulnerability professionals, you know what this means! The rubber-band effect, where MITRE responds quickly and disproportionately to Congress breathing down their neck, and their response impacts the entire CVE ecosystem… and not necessarily in a good way. So welcome to the second half of 2017! Because it took roughly a year for the Congressional oversight and subsequent fallout to strongly influence MITRE. What was their response? It certainly wasn’t to use their abundant taxpayer funded money to directly improve their own processes. That isn’t how MITRE works as I far as I have seen in my career. Instead, MITRE decided to use their resources to better create / enhance what they call a “federated” CNA system.

First, spend a minute looking at the ‘federated’ term in relation to CVE, then look at the use of that term in the recently edited CNA Rules. Notice how the use of ‘federated’ in their context appears to have grown exponentially? Now check the definition of ‘federated’ [, The Free Dictionary, Merriam Webster]. While sufficiently vague, there is a common theme among these definitions. In so many words, “enlist others to do the work for you“. That, is quite simply, what the CNA model is. That is how the CNA model has meant to work from day one, but this has become the saving grace and the crutch of MITRE as well as the broader CVE ecosystem in the last few months. On the surface this seems like a good plan, as more organizations and even independent researchers can do their own assignments. On the downside, if they don’t follow the CNA rules, assignments can get messy and not as helpful to organizations that rely on CVE data. One thing that you may conclude is that any increase in CVE assignments this year may be due, in part, to the increase of CNAs. Of course, it may be interesting to you that at least two of these CNAs have not made a single assignment, and not disclosed any vulnerabilities in prior years either. Curious why they would be tapped to become a CNA.

OK, so you have your data dump… you know of one potential reason that there may be an increase in vulnerabilities this year over last, but you also know that it doesn’t necessarily mean there were actually more disclosures. You only know that there are more CVE IDs being assigned than prior years. Next, you have to consider the simple numbers game when it comes to vulnerability statistics. All CVE IDs are created equal, right? Of course not. MITRE has rules for abstracting when it comes to disclosures. Certain criteria will mean a single ID can cover multiple distinct vulnerabilities, and other VDBs may do it differently. It is easy to argue the merit of both approaches, so I don’t believe one is necessarily right or wrong. Instead, different abstraction rules tend to help different types of users. That said, you will typically see MITRE assign a single CVE ID to a group of vulnerabilities where a) it is the same product and b) it is the same type of vulnerability (e.g. XSS). You can see an example in CVE-2017-16881, which covers XSS vulnerabilities in six different Java files. That is how they typically abstract. Search around for a couple minutes and you will find where they break from that abstraction rule. This may be due to the requesting party filling out separate requests and MITRE not adhering to their own rules, such as CVE-2017-15568, CVE-2017-15569, CVE-2017-15570, and CVE-2017-15571. Then you have to consider that while MITRE will largely assign a single ID to multiple scripts vulnerable to one class (e.g. CSRF, SQLi, XSS), their CNAs do not always follow these rules. You can see examples of this with IBM (CVE-2017-1632, CVE-2017-1549) and Cisco (CVE-2017-12356, CVE-2017-12358) who consistently assign in such a manner. If you think these are outliers that have minimal impact on the overall statistics you generate, reconsider that. In keeping with their abstraction policy, IBM issued two advisories [#1, #2] covering a total of nine CVE IDs for unspecified XSS issues. If MITRE had assigned per their usual abstraction rules, that would have been a single ID.

OK, so you have your data dump… and now you are aware that parsing that dump means very little. MITRE doesn’t follow their own abstraction rules and their CNAs largely follow different rules. So many hundreds, likely a thousand or more of the IDs you are about to parse, don’t mean the same thing when it comes to the number of distinct vulnerabilities. That is around 10% of the total public CVE IDs issued for 2017! OK, forgetting about that for a minute, now you need to consider what the first part of a CVE ID means. CVE-2017-1234 means what exactly? You might think that 2017 is the year the vulnerability was disclosed, and the 1234 is the unique identifier for that year. Perhaps. Or does 2017 mean the year the vulnerability was found and an ID requested? The answer is yes, to both, sometimes. This is another aspect where historically, MITRE made an effort to assign based on when the vulnerability was discovered and/or disclosed to a vendor, not when it was published. Under the old guard, that was an important aspect of CVE as that standard meant more reliable statistics. Under the new guard, basically in the last two years, that standard has disappeared. Not only do they assign a 2017 for a vulnerability discovered and disclosed to a vendor in 2016 but published in 2017, but also they assign a 2017 ID for a vulnerability discovered and disclosed in 2017. Worse? They are also now assigning 2017 IDs to issues discovered and disclosed in previous years. If you need examples, here are MITRE-assigned (as opposed to CNAs that do the same sometimes) 2017 CVE IDs for vulnerabilities disclosed prior to this year; 2016, 2015, 2014, 2013, 2011, 2010, 2008, 2004, and 2002. Notice the missing years? Some of the CNAs cover those gaps! Note that there are over 200 cases like this, and that is important when you start your stats. And we won’t even get into the problem of duplicate CVE assignments that haven’t been rejected, like the first two assignments here (both are invalid assignments and that CNA should know better).

OK, so you have your data dump… you’re ready! Let loose the scripts and analysis! While you do that, I’ll save you some time and math. As of December 24, 2017, there are 18,251 CVE identifiers. 7,436 of them are in RESERVED status, and 133 are REJECTed. As mentioned above, 238 of them have a 2017 ID but were actually disclosed prior to 2017. So a quick bit of math means 18,251 – 7,436 – 133 – 238 = 10,444 entries with 2017 CVE IDs that were disclosed in 2017. This is an important number that will be a bit larger if you parse with Jan 1, 2018 data. This should be your starting point when you look to compare aggregated disclosures, as captured by CVE, to prior years. Based on all of the above, you also now have a considerable list of disclaimers that must be included and explained along with whatever statistics you generate. Because MITRE also stopped using (1) consistent (2) formatting to (3) designate (4) distinct (5) vulnerabilities in a CVE ID, you have no way to parse this data to actually count how many vulnerabilities are present. Finally, know that Risk Based Security’s VulnDB tracked 7,815 distinct vulnerabilities in 2017 that do not have CVE coverage.

Cliff notes? The CVE dataset does not allow you to determine how many vulnerabilities were disclosed in 2017. Hopefully this information helps with your article on vulnerability statistics!

John Thomas Draper: Setting the Record Straight re: Blue Box

The tl;dr cliffnotes: John Draper was not invent the Blue Box.

In April of 2015, several years after Phil Lapsley published “Exploding the Phone” giving a detailed history of the early days of phreaking, I wrote a blog largely based on that book to clear up long-standing rumors and mistakes in a variety of publications. John Draper, despite reputation, had not been the first to discover the whistle in Cap’n Crunch cereal boxes in the late 1960s. Recently, an article by Kevin Collier stated that Draper “invented the ‘Little Blue Box,’ an electronic device to better imitate the signal. In 1971, Draper showed his design to two fans, Jobs and Wozniak, who, with Draper’s blessing, began selling an improved version.

Other articles and publications have varying takes on this, some more neutral and accurate, some even more outlandish. For example, recent articles covering John Draper’s sexual misconduct mention his history and why he is well-known. Ars Technica says that he “helped popularize the ‘Little Blue Box'” and the BBC says he “went on to create a ‘blue box’ that generated other tones“. In the case of Ars Technica, that is certainly accurate historically. In the case of BBC, the wording may be taken to some that he created it, as in he was the first to do so. Another example of wording that implies Draper was the first can be seen in a Computer World article from 2011, that says he “then built the phone phreaking tool called blue box that made free calls by making phone calls appear to be toll-free 800-number calls.” Interesting, to me at least, Wikipedia gives a general history of the device, but does not definitively say who invented it.

Perhaps worse, books about computer crime and security get it wrong, and worse than wrong. In “Cybercrime: Investigating High-Technology Computer Crime” by Robert Moore, he clearly states the blue box was “invented by John Draper“. Perhaps the worst example I have seen is in the book “Mobile Malware Attacks and Defense” by Ken Dunham in which he attributes not only the blue box to Draper, but also all of “telephone hacking” when he built it.

Like my blog two years ago, I turn back to ‘Exploding the Phone‘ by Phil Lapsley, a book that I cannot speak highly enough about. Through his extensive and exhaustive research, along with years of interviews, his history of phreaking is comprehensive and fascinating. By using a few key bits from the book, we can quickly see the real history and origin of the blue box. It also makes it crystal clear that John Draper did not invent the blue box. Like the whistle, he did it years later after friends told or showed him the basics.

From page 51, the start of a chapter titled “Blue Box”, it tells the story of a then 18-year-old named Ralph Barclay who read the November 1960 Bell System Technical Journal which contained an article titled “Signaling Systems for Control of Telephone Switching”. After reading the article, Barclay figured out that it had all of the information required to avoid using a pay phone to make a call, and that it could be done “directly”. By page 56, Lapsley describes how Barclay build his first box over a weekend, in an “unpainted metal enclosure about four inches on a side and perhaps two inches deep.” Barclay realized fairly quickly that he needed the box to do more, and as described on page 57, he built a new box because he “needed multifrequency“. “His new device was housed in a metal box, twelve by seven by three inches, that happened to be painted a lovely shade of blue. Barclay did not know it at the time, but the color of his device’s enclosure would eventually become synonymous with the device itself. The blue box had just been born.” This was in 1960 or 1961 and represents the origin of the blue box.

On page 87, Lapsley tells the story of Louis MacKenzie who also spotted the vulnerability based on the 1960 Bell Systems article. MacKenzie went to AT&T and offered to tell them how to fix the ‘blue box’ vulnerability, for a price. When AT&T declined, “MacKenzie’s attorney appeared on the CBS evening news, waving around a blue box and talking about the giant flaw in the telephone system.” By that point, advertisements for blue boxes could be found in some magazines, including the January 1964 issue of Popular Electronics. Thanks to, old issues of Popular Electronics are available including the January 1964 issue! On page 115, we can see the advertisement:

Further along in the history of phreaking, Lapsley covers John Draper’s story related to the blue box. On page 151 it sets the time frame: “Now it was 1969 and he was John Thomas Draper, a twenty-six-year-old civilian.” Page 154 tells the story of when Draper was asked by friends who had already been ‘blue boxing’ by using an electronic organ, to build them a box.

Teresi and Fettgather wanted to know if Draper could build them a multifrequency generator – an MFer, a blue box, a portable electronic gadget that would produce the same paris of tones they were making with Fettgather’s electronic organ. Draper said he could.

He returned home in a state of shock. “I had to build a blue box,” Draper recalls. And that night he did. It was a crude first effort that was difficult to use. It had seven switches: one for 2,600 Hz and six to generate the tones that made up multifrequency digits.

Draper’s first blue box was built in 1969, around eight years after Barclay had built his first unpainted ‘blue box’, and his second box that was actually “a lovely shade of blue“, giving the phreaking tool its iconic name.


To further set the record straight, Lapsley tells the story (p220 – 221) of Steve Wozniak, who “had his [blue box] design worked out” and “was particularly proud of a clever trick he used to keep the power consumption down so the battery would last longer” in 1972. After Wozniak had built his own blue box and refined it, he and Jobs then met John Draper for the first time. While the three traded “blue boxing techniques and circuit designs”, Draper did not show them how to do it, did not show them their first box, or introduce them to the concept.


New stickers! [Big Update!]

2017-10-12 Update: A kind benefactor and generous soul in the industry has sent $126 to me, to cover the cost of the entire sticker batch. Pretty sure this was their way of saying “you write too much, not reading your stupid blog”. In return, I am sending them an unsolicited envelope or box of shit (their address was part of the conditions of me accepting the money). Per their wishes, I am also now giving away the next ~ 100 stickers. I had already sold 33 and sent out an additional 26 to long-time supporters and friends. So… to share someone else’s wealth; email me your address if you’d like a sticker. Just one of the new attrition stickers, and I will probably throw in some other random sticker or two. First 100 or so to mail get them. email jericho@ my domain / twitter handle. If you can’t figure that out, no sticker for you.

In the last few weeks, I randomly poked Twitter to see who wanted stickers. A day later, I sent ~ 25 people an envelope of stickers, including an original Attrition sticker I made… 5 years ago? And a lot of hot new stickers from Risk Based Security. Long time fan of Attrition, Ming Chow, received an unsolicited Box of Shit. Once he received it, he posted a great video and some pictures of the unboxing so you can experience it too! I sent envelopes to Canada, the United Kingdom, Germany, Ethiopia, Australia, and Zimbabwe even! I also sent a large envelope of random flat junk to a con organizer in India, so he had a few give-aways for the attendees. That night of “i’ll mail a few stickers out…” ended up being ~ $70, but I am sure it brought a world of joy to the recipients! Long story short… the original stickers are finally gone.

So… I figured it was time to create a new batch, a better batch. Like last time, a somewhat limited batch, of only 300 stickers. I think the original batch was maybe 1,000 stickers, but B&W, so they lasted. This batch is smaller, but color (SCIENCE)! Due to recent changes in my life, I can’t throw money at drugs, hookers, and stickers so flagrantly. As such, I will be selling off part of this batch to recoup the cost of making them. This is good for everyone, especially me, but also means that if they go fast I am more likely to do this again. My goal is not to profit on this really, just to offset the cost so that I sell some and am free to give away the rest… likely five years down the road in a rum-fueled Twitter night. If you really want a sticker, best to grab one now. The last sticker give-away was over a couple hours one night, and many replied a day later “hey wait, I want some!” This is where you Google “race condition“.

In the interest of transparency, here are the numbers. You can figure out if this is a scam or if the stickers are overpriced.

300 Stickers
126 Base Cost (USD)

0.42 per sticker
0.03 per envelope
0.49 per stamp (domestic)
1.10 per stamp (international) =
0.94 base cost to mail one sticker domestically, or 1.55 to mail one sticker internationally

Like any legitimate retailer, I get to add “shipping and handling“! Since shipping costs are above, the ‘handling’ fee is where I get my real markup or something. If I sell 150 stickers for $2 each, then I will make $113 if half are domestic and half are international. Pretty sure more will be domestic, meaning I am closer to the $126 base cost of the stickers. To make this easier on me, since I still have to write out the envelope, get stamps, and curse you while doing it all… bottom line? I will sell 150 stickers at the following price points:

$2 for one new attrition sticker (domestic)
$3 for one new attrition sticker (international)

If you want additional stickers, I will do up to three per person, but each additional sticker is $1 though (greedy mofos). I’ll make a few bucks this way, but maybe not even enough to recoup the cost of sending out the last batch of stickers, boxes, and uber-envelopes. I’ll also be more prone to create a new batch of stickers in the future if this works. No promises. If you are still reading, then you get the information you really need! If you want new stickers, pictured below, here is the price guide:

$2 for one new attrition sticker (domestic)
$3 for two new attrition stickers (domestic)
$4 for three new attrition stickers (domestic)

$3 for one new attrition sticker (international)
$4 for two new attrition stickers (international)
$5 for three new attrition stickers (international)

If you are still interested, send the money to paypalus_at_attrition_dot_org with some indication this is for ‘stickers‘ as opposed to “hot cyber 1993 style“, and include a shipping address. If you are still concerned that I might make a few bucks, consider I also donated over $10,000 USD to charity in the last four years, so fuck you. Finally, if you do purchase any, they will get mailed out fairly quick, but I won’t be in line at the post office at 8am like a savage. Since I have no way to control this via a blog and Paypal, and I am too lazy to do this via eBay, if you are too late in ordering and I have already sold the first 150, I will refund your money. I’ll also try to update this blog to indicate the status of sales. If enough of you are crazy and I come home tomorrow night to way more than 150 stickers sold, I’ll probably send them all out and just order a 2nd batch of these.


I wanted to support the Red Cross during Harvey… (but I can’t, so I need alternatives…)

File this under “blogs I didn’t expect to, or want to write tonight”.

With hurricane Harvey causing incredible damage and distress to Texas, many of us are looking for ways to help. I’d love to be down there in a boat rescuing animals or humans, bringing free bottled water (as opposed to the horrible alternative), or other forms of support. For those not able to make that commitment, we fall back to supporting charities that are on the ground helping. Tonight started out simple enough:

08-29-2017 21:43:38 Lyger: have you donated anything to any hurricane relief fund?
08-29-2017 21:44:09 jericho: not yet
08-29-2017 21:44:17 jericho: if i do, likely Red Cross
08-29-2017 21:44:38 jericho: may do ASPCA, looks like they are doing relief efforts specifically for animals
08-29-2017 21:44:50 Lyger: was wondering about both of those
08-29-2017 21:45:03 jericho: RC is kind of ‘old faithful’ in that regard
08-29-2017 21:45:03 Lyger: let me know if you do. if reasonable, i’ll match

First, know that I am not only one who donates to charity who is careful where we donate, but I have learned the hard way that not all charities are created equal. I’ve also pointed out how so many of them waste considerable money trying to solicit more donations. I’ve advocated for everyone who will listen to tap into Amazon’s excellent program for giving to charity via your own purchases. I’ve also considered this at a slightly more abstract levels, on smaller amounts, because I really believe that people in a position to help should do so. Please, before you come down on me for warning someone away from charity or Red Cross specifically, I have been very clear it is about supporting charities doing the work you support. In this case, I just wanted to find which charities are specifically helping hurricane Harvey victims, and how.

I started by showing Lyger what Red Cross looks like under Charity Navigator, which is a 501c3 that I support too. With 90% going to program expenses, that is excellent, despite a 3/4 star rating (the CN star rating is more nuanced).

However, things went downhill after that. Start by Googling for “red cross harvey” and you get somewhat expected results:

Follow the links and you get the Red Cross donation page for Harvey:

Unfortunately, this is basically “give us money” with no supporting evidence for what they are doing during Harvey specifically. On the side bar we get a video though! Ignoring the culturally insensitive message suggesting that Hispanic kids have to read a book to figure out who their mother is, we see a building with cots and displaced families, but not a single Red Cross volunteer (the person speaking is almost certainly not a volunteer, as is the person filming them). The blankets and shots are strategic showing a good mix of people, Red Cross branded blankets, and… not much else. The man they briefly interview, I personally don’t think he fully understands if the person that saved him or his family were affiliated with the Red Cross, just that he is grateful that his family was rescued.

At the end of the video, the nice lady encourages you to visit their web site (see screenshot above, that is all the info I could find), or call 1-800-RED-CROSS (800-733-2717). Ignoring the web site issue, and I didn’t pay attention to the number, I called the first number I found on their site: 1-800-HELP NOW (1-800-435-7669). Since I called the ‘Help Now’ number, it wasn’t the intended line to find out more information on how Red Cross is helping during Harvey, which is my fault. But I called, and the nice gentleman I talked to tonight was confused why I would ask about the Red Cross relief efforts (?!). Once I explained and he understood, he told me to call their ‘main line’, 1-800-733-2767 (RED-CROSS). I called that and got an interesting voicemail/routing lineup:

1. Opens with ‘call 911’ or call Houston coast guard if in life threatening situation
2. If experiencing flooding, they give advice to avoid attics, etc.
3. If calling from TX visit or press 1
4. if calling from LA ..
5. To continue in español ..
6. Press 0 for all other inquiries
A. If you are calling about a blood donation, press 1
B. If inquiring on training and certification, press 2
C. To make a financial donation, press 3
a. For all other inquiries press 0 and you will be connected with to the next available representative, you can also visit for more information
b. press 0
c. Options for Red Cross / Armed Forces liason
d. Disaster Assistance
e. Else, call back during regular hours

I spent the time trying to find out what the Red Cross is doing during hurricane Harvey, and I am left confused and wanting more information. Again, before you start telling me that of course they are good, wait a minute. The Red Cross took in over half a billion dollars in 2015 via “Contributions, Gifts & Grants“, and ultimately $2,726,672,619 dollars total. That is 2.7 with a B.

I am not saying the Red Cross doesn’t do amazing work, I know they do. I have done the same level of digging tonight in prior years for other disasters and been content they do good things. I have seen videos, first-hand accounts, and a wealth of information showing how they helped. What I am saying is that the Red Cross has completely failed in their social media campaign during Harvey. They are letting down the people they are helping, their countless volunteers who do wonderful work, and their supporters looking to make sure that money donated today goes to help the crisis we’re facing today.

My advice is that Red Cross continue helping during Harvey, but seriously re-evaluate their social media and fundraising efforts afterwards. Consider that my go-to charity to learn about charities, gave a pop-up about how to support during Harvey. And if you scroll down any given page, when the pop-up appears, it shows how you can help in their eyes based on data:

This is clever and helpful and I honestly wish this was a banner at the top of their site right now. That said, clicking on it is revealing in the context of the above. Consider the charities they recommend and where Red Cross places on that list. Of course, verify those other charities ranked higher are actually helping the crisis we face today, just as I tried to do with the Red Cross tonight. Please… make sure that if you donate, your money goes as far as possible. Doesn’t matter if it is $1 or $1,000, just make sure it counts. In the mean time, I am going to keep researching to find a charity I feel will deliver the most good during this incredible time of need, and look to donate tomorrow. Thank you.


20 Seconds to Comply; 17+ Years to Get It Wrong. From “Roboguard” to “Steve”!

Recently, news broke of a robot security guard lovingly nicknamed “Steve” who drowned in a fountain in the lobby of the building he was sworn to protect. The various Tweets and news articles jumped all over it, with articles anthropomorphizing Steve and headlines such as “Security guard robot ends it all by throwing itself into a watery grave“.

No surprise, but workers in the building set up a “touching” memorial for Steve on his charging plate, further anthropomorphizing him. It’s hard not to care for and feel sorry for poor Steve, who likely roamed an empty building with modern access controls and no real threat, other than a wayward janitor who lost his RFID badge.

While the Internet is enjoying and mourning poor Steve, everyone seems to forget about old ‘Roboguard’! Unfortunately, like most media outlets, even “New Scientist” doesn’t preserve links and evidence like a scientist would. These asshats don’t even clearly list a date on their articles (posted to ISN on Aug 31, 2000). Thanks to the Internet Archive, if we go back far enough we see the article but without pictures, likely because “New Scientist” didn’t want to preserve anything back then, like they don’t today. I don’t think “science” means what they think it means.

Not sure if Asimov would be laughing or rolling in his grave.


A View Into DEF CON 25 CFP…

First, this post is not sanctioned by DEF CON in any way. I am a member of the CFP team who decided to keep some rudimentary statistics on the submissions this year. I did this to give the team a feel for just how many submissions we got, how many talks we accepted, and primarily to track the way we voted. This greatly assists the powers that be (the amazing Nikita) to more quickly determine which talks are well-received. Every day that I kept up on the spreadsheet, the more ideas I had on tracking. Other team members said “you should track…”, and I typically did. So this blog is to give some insight into the entire CFP process, with a solid slant on statistics about the submissions.

First, a few basics:

  • DEF CON 25 CFP opened on February 01, 2017
  • DEF CON 25 CFP closed on May 01, 2017
  • 17 talks were submitted after closing date and were considered for various reasons
  • We received 536 submissions
  • Three of the submissions were retracted by the end of CFP
  • BlackHat received 1,007 submissions this year for comparison

Next, who are we? There were technically 31 DC CFP reviewers this year, and you can read their fun profiles now (mouse over stuff here and there, call it an Easter egg)! Ten of them are considered ‘specialty reviewers’, where they typically review talks on a very specific topic such as ‘social engineering’ or ‘legal’. These are generally topics where the submissions are either too numerous and potentially murky to figure out if they are worth accepting (social engineering), or a topic that most of InfoSec aren’t really experts on, even when some of us are the #1 armchair lawyer in InfoSec. The specialty reviewers are expected to review their topic only usually, while a few are open to review multiple topics. That means there are 21 reviewers who are expected to review ‘as many talks as you can’, understanding that we may DEFER on a given submission if we feel it is out of our wheelhouse, and remembering that this is extremely time-consuming and we all have day jobs. Some of us have night jobs, and some of us have social lives (not me).

Every year we come up short on reviewers who are truly qualified to give solid feedback on a given topic. This year DC CFP put out a call for more volunteers and we hit a bit of gold, getting several new reviewers who are quality and put in a crazy amount of time. Next year? We know there are topics we need help on, so if you are sharp, kind of special(ty), or the top of your game in a popular field… come join us. I can’t stress how important this is. Instead of just working on a talk or doing a thing, you have the ability to help influence the presentations given at a conference with some 20,000+ attendees. That is a lot of power, a lot of influence, and the potential to do a lot of good. Personally, that is why I still sacrifice the incredible time I do.

Shout outs! The only way to start this paragraph is to call out Nikita for handling almost all CFP submission related emails. Incoming submissions, replies saying “you didn’t follow directions”, second-attempts, replies saying “no really you ‘brilliant hacker’, you didn’t read our guidelines”, posting them to the CFP platform, watching for the CFP team to say “I have questions” and us largely forgetting to flag it back to her, her following-up with the submitter, repeating several times in some cases, posting their replies, looking for the CFP team to ask more questions… hopefully you get the picture. The amount of work she fields in a three-month span, just related to CFP, is insane. I say that as someone who has worked more than 80 hours a week in this industry for the last twenty years. Oh, did I mention that she also voted on 60% of the talks? While five ‘full’ reviewers voted on less talks than her.

A plea! If you didn’t see the numerous Tweets and requests to get your talks in early, I cannot emphasize how much it benefits you, more than us. When a talk comes in during the first few weeks, it gives us plenty of time to not only review and ask questions, but to give feedback in the way of suggestions. In some cases, one of the team will break away from the board and work with the submitter to improve their submission. This year, I did that once with someone who’s original two submissions garnered a single yes vote. After working with them and giving feedback on how to combine the talks and hone in on the areas of interest, the re-submission received 12 yes votes and zero no votes. In an ideal world, that would happen for every submission, but a significant number of talks are submitted the last two days.

Meaningless numbers! Because our industry loves to work with statistics that they don’t fully understand or have little meaning without serious caveat and disclaimer (PPT), let me throw out a few. For the 536 submissions we received, the CFP team voted yes 1,223 times, no 3,555 times, maybe 186 times, deferred 945 times, and abstained 54 times. Again, we defer if we feel that a topic is not one we can fairly judge based on our expertise and rely on the rest of the team to review. We abstain when there is a potential conflict of interest: if we work with the submitter, we contributed to the submission, or have a negative personal past with the submitter.

Meaningful numbers! We requested feedback from the submitter 125 times and changed our votes 61 times. Working with us to answer our questions, willingness to accept our feedback, and work with us to build a better presentation benefits everyone. As Nikita tweeted, more than 60 of the accepted talks were from first-time DEF CON speakers. Given there were ~ 110 accepted talks (and 422 rejected), that is quite a lot. It is encouraging to see this many new speakers given some of the past submissions from egotistical industry veterans that felt they deserved a speaking slot on the back of a weak submission, simply because of “do you know who I am?!”

More meaningful numbers! Of the 536 submissions, 185 (34.77%) said they would release a new tool. Only 56 (10.53%) of those submissions said they would release a new exploit, and some of those claims were questionable. It is common for people submitting to DEF CON to also submit to BlackHat and/or BSidesLV. This year, 218 (40.98%) of those submissions were also submitted to BlackHat and 65 (12.22%) of them were also submitted to BSidesLV. For various reasons, often around the ability to get to Las Vegas, some submitting to BlackHat will submit to DEF CON but say that acceptable at DEF CON is contingent upon acceptance at BlackHat. This year, 36 (6.77%) talks were submitted to us with that caveat. In a somewhat arbitrary categorization, overall I felt that 200 (37.31%) of the talks were ‘red’ (offensive), 88 (16.41%) were ‘blue’ (defensive), and 38 (7.09%) were ‘black’. By ‘black’, I mean that the topic really had little merit or benefit for red-teaming and were really in the realm of criminals.

Even more meaningful numbers! Some of the most basic stats that can be generated for your ocular pleasure. First, these are arbitrary categories that were developed as we received submissions. Nothing formal and some talks were hard to classify:

From there, I broke it down further by some topics that aren’t necessarily specific to the red or blue domain. Again, kind of arbitrary and based on seeing the submissions as they came in and note that one talk may have been flagged as more than one topic:

When building a schedule over four days and across five tracks, while considering if it is better to suggest a talk for a village or alternative venue (e.g. Skytalks), Nikita has to play Tetris of sorts based on the accepted talks, the requested time, and the schedule. This is what she had to work with:

One of the more popular questions this year after an increased awareness and public discussion around diversity in InfoSec, is the gender breakdown for submissions:

Finally, a general picture of the submissions by month. Recall what it looked like for the April breakdown above and you once again get a good idea why we would like more submissions earlier in the process:

Finally, a quick note on a common perception for InfoSec conferences and talks in general. Given the drastic rise in the number of conferences popping up, there is a saturation that demands more submissions to fill the schedules. That means that veteran speakers can typically shop their talks around or be selective in where they submit based on the venue they find appealing. That also means more new speakers are submitting which results in a wide range of topic and quality of submissions. That led me to argue this Tweet and remind people that a conference can only work with what is submitted. Personally, I feel that the overall quality of submissions to DEF CON (and a couple other conferences I review for) have gone down this year and last. That means that DEF CON ended up accepting some talks that I personally did not care for.

Bottom line? If you are researching a cool topic, submit a talk on it. Have a unique perspective or done more digging on something? Share your work. Never submitted before? Submit early and let us work with you if you need it. If a security conference is lacking, it is due to the community as much as anything else.


It’s 2016, why is rotating a video such a pain?

How many times have you quickly shot a video on your phone and not rotated it for landscape? It happens too often and we see these videos all over social media. I sometimes forget to do it as well, or portrait is more in line with what I am shooting. So, I want to quickly rotate a video 90 degrees sometimes. Should be easy, right?

I’ve asked friends and social media before, but I asked again last night and got a lot of great input. My criteria were very simple, but I did not specify platform; I want to load an MP4 video, rotate it 90 degrees, and save it. I didn’t qualify it, but my expectations are that it would not lose quality, it would keep the original MP4 format, and that the process was “one-click” (or close). While I have plenty of history using Linux, going back to CLI graphics tools to do this is not ideal for me, but I considered those options.

  • @cl suggested Windows Movie Maker – It will rotate trivially, but saves your MP4 as WMV and the quality drops noticeably.
  • @TCMBC suggested mencoder – A command line utility, part of MPlayer. So it is not trivial (download, configure, compile, figure out CLI syntax), but it does rotate. Yet, the quality drops noticeably.
  • @viss suggested ffmpeg – A command line utility and graphics library, not so trivial. It did rotate, but the quality drops noticeably.
  • @viss suggested The ‘Rotate My Video‘ web site – It is a bit slow for file upload and conversion, but very easy to use. It played the video correctly in my browser, but when I saved the video the final copy was not rotated.
  • @DeviantOllam suggested (in DM) the Rotate Video FX app for Android – I thought the UX wasn’t intuitive for starters. It did rotate the video for immediate playback, but no apparently way to save the new video back to the device. Sharing it brings up the usual Android options, but uploading the video to google drive and the video was not rotated.
  • @elkentaro suggested Apple’s QuickTime Player – Even with his reference which is outdated, there is no apparent rotation function. Even the ability to save a file is now ‘Pro’ only.
  • MegaManSec suggested ImageMagick ‘convert’ utility – this didn’t work and gave me a nice reminder of the old ‘terminal flash attacks’ from the early 90s.
  • @DeviantOllum suggested Virtual Dub but warned me that some versions handle MP4 and some don’t. Thus, I didn’t try it.
  • @Grifter801 suggested VLC but qualified it “just for viewing”.
  • @mehebner suggested Open Shot Video Player but said it is Linux only, which isn’t convenient.
  • @cl suggested iMovie but it is Mac OS X only, which isn’t convenient.
  • @cl suggested Facebook but he isn’t sure you can save after. I am fairly sure you lose quality though.

The final recommendation, and the one that worked the best for me, is Handbrake suggested by @bmirvine. The upside is I had it installed (but an old version) and am familiar with it to a degree. The best part about conversion is that the video does not lose any quality. The downside is trying to figure out the ‘Extra Option’ argument to rotate is a raging mess, as seen on this thread. I found that using “, –rotate=4” as the extra option worked for version 64-bit (latest as of this blog). The only other annoyance is that Windows won’t show a thumbnail of the newly saved video for some reason. [Update: with a newer version of the K-Lite codec pack, the thumbnails render fine.]

There are my quick testing results. I hope it helps. I’d like to give a big round of thanks to all who contributed ideas late night. Reminds me that Twitter has some value and isn’t a cesspool of insipid political tripe. =)


The Problem with Facebook…

Maybe that was a bit of a ‘clickbait’ title, since the list of problems with Facebook is epic, tragic, and depressing. So let’s go with, “tonight’s example of an ongoing problem with Facebook”.

One of my biggest gripes about the social media platform is that after all this time, they still do not give us a simple way to view posts chronologically. At some point in the past, they introduced an option to supposedly to that, but it was done via a URL argument and not a user-friendly GUI widget. I’ve used that option to view Facebook to this day, and it is still horrible. Why? Because as you think you finally get the holy grail of simplicity, it is still weighted… just less so. Meaning you are more annoyed when some crappy post pops up four times that day.

OK, so they want weighting and control to deliver the posts your friends make, as they see fit. That means you never see some posts you absolutely want to see, while seeing other posts multiple times a day. Their algorithm has nothing to do with standard weighting, and everything to do with their weird formula that no one can seem to figure out. OK, fine…

Facebook has also been on a tear about ‘honesty’ in the form of user profiles. The last few years have seen nothing but drama and turmoil as Facebook tries to enforce their ‘real name’ policy. A policy that the Chief Product Officer at Facebook apologized for, ensnared a former employee or seven, unfairly targets the LGBT community, and has caused enough headache to warrant a Wikipedia entry. Oh, of course, that the “noble and charitableMark Zuckerberg defends. So… integrity and honesty and clarity is important, right?

That sets up the easiest of questions. Why is Facebook targeting their user base, who they profit off, regardless of a real name attached? Sure, they may make a few more pennies on the dollar if a real name is attached over a pseudonym, but still profitable. For years, it let them defend their absurdly high user count on top of the obvious ploys of ignoring idle accounts and such. Now, jump to tonight, which set up a perfect example of where Facebook shows they don’t care. A rather simple example, but one that should be trivial for them to programatically notice and warn against, in a variety of methods. If a single user is posting something that may be fraudulent, contradictory, or a basic scam (e.g. how many times have you been tagged in an image for Oakley sunglasses, even in 2016), why isn’t there a warning? Even when the account isn’t compromised, the user isn’t warned. When the same image of knock-off sunglasses is posted to hundreds of ‘friends’ from a compromised account, it comes with no warning, either from the subject matter, or the break from the normal behavior (e.g. that user with 87 friends tags one photo with 87 names, when never tagging more than 2 people the last 5 years). We’re not talking AlphaGo or Microsoft Tay, we’re talking a couple decades behind them as far as computer intelligence goes. The fact that one was an amazing success while the other was an amazing failure, speaks to my point. They are cutting edge, trying to solve ‘problems’ that are are incredibly complicated. Meanwhile, Facebook can’t figure out what boils down to mid 1990’s email spam patterns, implementing the most basic of statistical filtering.

That said, I would love to see Facebook answer how the following two posts, from the same user, within 40 minutes of each other, could be posted without a warning to them AND me. Compare them posts carefully, not that there is much to go on as far as the end-user sees. At some level, this is stupidly trivial and any half-assed program should notice. No, it isn’t trivial or worth ignoring, that such articles get posted with such discrepancy. That is how we end up with stupid rumors and lies spread around as if they are fact, and fundamentally why our political climate is like it is. When you stop ignoring the details, especially the obvious contradictions, you are buying into a system that doesn’t serve you; rather, one that only exploits you.




A Note on the RSA Keynote Fiasco…

In the past day or two, The RSA Conference announced a few of the keynotes for the upcoming 2016 RSAC conference. The industry is largely scoffing at some of their choices, for obvious reasons. There are so many facets to this topic, one could write a book. Hopefully I will limit myself to the key points, as applies to the chatter in our industry. If a couple paragraphs are meh to you, skip down a few, as the point will likely change quite a bit.

First, let’s put this into perspective. This is the RSA conference. The Computer Dealers’ Exhibition (COMDEX) of the InfoSec industry. This conference is a weird mix of “OMG necessary” and “OMG I hate it“, and it has been for a decade or more. It’s the party everyone shows up to, and the one you want to be at, to ‘be seen’ and ‘catch up on the gossip’, even though you hate it. In our industry, it is the embodiment of reality T.V. in many ways. On the flip side, this conference hasn’t actually been relevant to our industry for a long time, where reality T.V. is sadly relevant in the worst ways. Sure, it is THE place to do a meet-and-greet, solicit new customers, solicit new employees, and show off your stupid “advances” in security technology. Advances in quotes for a blindingly obvious reason. But, if you feel RSAC is relevant in any meaningful way to our industry, you can stop reading here. You are not my intended audience, and do not meet the “you must have this IQ to ride this ride” criteria. Sorry =( I feel this point is almost entirely lost on the 2016 RSA keynote fiasco.

On the “keynote” angle, first… what is a “keynote” talk? You can’t even Google “keynote” and get the definition in the first few results. You actually have to qualify “keynote definition” which I can’t recall ever having to do for Google to get a definition. Even for some pretty obscure animal-related searches I have done while trying to learn as much about wildlife rehabilitation as I could. That is telling.

Now, I called this bit out in my BSidesDC “keynote” presentation in 2014, where I questioned what a keynote was, in my keynote. How very “meta”, and how very appropriate given I picked on RSAC back then. Look to slide 5 where I pointed out that RSAC had as many as four keynotes a day back then, 16 in total. So again… what is a keynote? For most conferences, it is very clear, per the definition. It “sets the intended tone of the conference” in so many words. For RSAC? It is more a game of how many “big” speakers can we cram into a multi-day event to fill the seats. [Remember, many of them may be in our industry, but it doesn’t mean they bring any value to the rest of us.]

This latest fiasco is no different. So… back to the controversy. RSA stacked the keynote deck with the usual nobodies (in the context of providing real value to our industry, or if an awesome person, not in the context of a 40 minute talk). This year, they went above and beyond, and are having three people in the keynote lineup that are more than questionable. I’m sure it isn’t the first time we have seen it, but it sticks in my mind… RSAC set up a “keynote panel”. For most conferences, that would be laughable, but in 2014 they had 16 keynotes. Compare that to this year, with 20 keynotes on the schedule so far! Two minorities, and one female, if you are keeping track after the last two years of our industry pointing out the lack of diversity. Maybe RSA will say it is a good sample representation to be politically correct, given the representation in the industry!! So… the three speakers making waves, well before the conference starts?

  • Charley Koontz, Actor, CSI: Cyber Panel
  • Shad Moss, Actor, CSI: Cyber Panel
  • Anthony E. Zuiker, Creator/Executive Producer of the CSI Franchise, Technology Visionary

It is honestly difficult to figure out how to approach this, in the sense of writing this blog. This show has been lambasted from day one within the InfoSec industry. Worse, it has deviated from the CSI franchise in ways that are arguably more harmful to the public than the predecessors. The last 15 years of the other CSI shows have created the “CSI Effect“, which has been a burden on our current legal system. It took many years of the original CSI franchise to give us that modern problem, that interferes with our judicial system on a daily basis. We are all arm-chair experts on DNA, trace matter, footprints, dark crime scenes, and flashlights. That is a T.V. show born out of a 30+ year scientific discipline. And it has serious backlash in the real world.

Now, we have CSI: Cyber, which is easily argued to be the worst of the franchise. Looking at ‘Rotten Tomatoes‘, well-known for providing real-world reviews of movies, what do they say about the entire CSI franchise?


Wow… enough people hated CSI: Cyber to contribute their opinion, where the original CSI show that ran 15 years didn’t get enough feedback to rate. The original show was ground-breaking, in many ways. It introduced the average American household to the world of forensics, even if exaggerated and dramatized to some degree. Jump to today, and enough have spoken out against the new spinoff to give it a negative rating. That is telling.

OK OK, so jump back a bit, because this is not an easy blog to write. The entire CSI franchise is questionable; it has some serious value, but also has some serious pitfalls. So let’s try to focus on CSI: Cyber. Start by doing a Google search:


Woops, that is telling. It also reminds me that the series got renewed for season 2, which I bet would happen to an FBI agent I know (who refuses to watch the show, as does the entire ‘Cyber’ division in his city). If it gets renewed for season 3, I lose a dollar. OK, seriously sidetracked. Back to the latest drama..

Cliff notes: three people related to CSI: Cyber are part of the RSAC 2016 keynote clustermess this year. Two actors, and an executive producer putting himself forward as much more than that (or RSAC is), are part of a panel that is a keynote. Every bit of the InfoSec fiber is not happy with this, and they shouldn’t be. RSAC is grabbing what is popular, what is in the ‘mainstream’, and vomiting it on stage. No care, no concern, and most importantly, no consideration of what it means. Of the two actors, do either have any background in computers? Security? One is a very young rapper-turned-actor who I previously Tweeted to, because I felt his portrayal as an African American actor in the context of the Black Lives Matter movement was absolutely horrible. I’m a privileged white guy and I felt that episode was a disgrace to African Americans (do the math). The other is “sympathetic to the issues” according to Violet Blue, in an article she wrote on this topic. If Koontz is truly sympathetic, he should either back out of the talk accompanied by a public statement, or use the stage-time to go against the very reason he was invited. Embrace the fact he is a T.V. actor, that the show is lacking in technical detail or reality, and call out the technical advisors and/or producers, and let the world know why the show may be harmful. As for the producer, why? It could be argued there is value if one of the technical consultants to the show were to speak, not a producer.

It should be obvious that I do not think any of them are relevant, or should be keynoting a BSides, let alone RSAC. They are actors in a mid-ratings show, built on a 15 year-old franchise. A current iteration that isn’t really that popular or well-known… merely “what some people are watching”. RSAC is quite simply cashing in on a popular meme, in line with the profitable business.

So… let’s agree to agree, or agree to disagree! Yep, how is that for a blog plot twist, befitting that horrible T.V. show? Let’s focus on the small bit that actually got my attention in all this, that demanded all of the above as backstory and explanation. Let’s jump to the other fun bit of this mess. While most of the industry was somewhere between annoyed and outraged over these keynotes being announced, others quipped in ways that suggested the industry wouldn’t be so upset if it was “other” high-profile media-centric personalities that were keynoting.


I’d like to assume the ellipses were leading off to the obvious conclusion, “we would ridicule them just the same“. But I have a feeling that was not the intended argument. That movie is 20 years old, released on the fourth year of RSAC. Assuming you at least meant to compare the cast being keynotes at the 1995 RSAC… this is actually a more compelling comparison as far as a “timely” media publication being thrust upon our industry. Back then, I don’t think it would have been considered. I say that because some of us in the hacker circles back then joked about them speaking at DEFCON and how absurd it would have been.


This is a fascinating comment, because it puts two polar opposites as a single argument that somehow has the same merit, which is baffling to say the least (compare Colbert vs Baldwin in the context of ‘actor’ vs ‘comedian’). If your argument for comparison is “Stephen Colbert” (soft T), then I would argue you are beyond dense and completely oblivious to the genius of the persona Colbert (hard T) took on. The entire persona was designed around being a blind fanboy to an ‘industry’ (or political party in his case, which is basically an industry) in a manner that highlights how absurd the industry is in the first place. That is exactly the kind of persona that would help our industry realize how perverse it is, and show us through delicious irony how absurd and blind we are to our own problems. More importantly, Colbert did not claim any relevance to, or portray anyone in our industry in any way.

If your argument for comparison is Alec Baldwin? That is a valid argument I think! If the industry didn’t speak out against Baldwin in this context, while speaking out against CSI: Cyber actors, that seems hypocritical. I don’t recall Baldwin doing a RSAC keynote in the past, but it isn’t something I would have noticed unless there was an eruption of drama. Stick with this example for arguments against the CSI: Cyber cast.


Really? This has to be the worst comparison possible. Adam Savage has made his career around breaking and building things, a cornerstone of the hacker ethos and mentality. Not only does he build and break things, he does it in the pursuit of truth and shares it with anyone willing to watch MythBusters. That embodies the hacker spirit in the minds of a significant portion of our industry. The cross-over from our largely digital world, to his largely analog world, makes complete sense. He is a rare case where the ‘reality’ in ‘Reality TV’ is actually true.

To come full circle, people still argue that RSAC has value because that is where the “trends” are announced. The problem is, RSA ‘trends’ are mostly buzzword rebrands of old technology, with a few ‘bleeding-edge’ adjectives thrown in to make them sound more sexy. I’ll leave this great Tweet as a tongue-in-cheek, but accurate, reminder of how a significant portion of our industry views the conference, regardless of keynote choices.