A Note on the RSA Keynote Fiasco…

In the past day or two, The RSA Conference announced a few of the keynotes for the upcoming 2016 RSAC conference. The industry is largely scoffing at some of their choices, for obvious reasons. There are so many facets to this topic, one could write a book. Hopefully I will limit myself to the key points, as applies to the chatter in our industry. If a couple paragraphs are meh to you, skip down a few, as the point will likely change quite a bit.

First, let’s put this into perspective. This is the RSA conference. The Computer Dealers’ Exhibition (COMDEX) of the InfoSec industry. This conference is a weird mix of “OMG necessary” and “OMG I hate it“, and it has been for a decade or more. It’s the party everyone shows up to, and the one you want to be at, to ‘be seen’ and ‘catch up on the gossip’, even though you hate it. In our industry, it is the embodiment of reality T.V. in many ways. On the flip side, this conference hasn’t actually been relevant to our industry for a long time, where reality T.V. is sadly relevant in the worst ways. Sure, it is THE place to do a meet-and-greet, solicit new customers, solicit new employees, and show off your stupid “advances” in security technology. Advances in quotes for a blindingly obvious reason. But, if you feel RSAC is relevant in any meaningful way to our industry, you can stop reading here. You are not my intended audience, and do not meet the “you must have this IQ to ride this ride” criteria. Sorry =( I feel this point is almost entirely lost on the 2016 RSA keynote fiasco.

On the “keynote” angle, first… what is a “keynote” talk? You can’t even Google “keynote” and get the definition in the first few results. You actually have to qualify “keynote definition” which I can’t recall ever having to do for Google to get a definition. Even for some pretty obscure animal-related searches I have done while trying to learn as much about wildlife rehabilitation as I could. That is telling.

Now, I called this bit out in my BSidesDC “keynote” presentation in 2014, where I questioned what a keynote was, in my keynote. How very “meta”, and how very appropriate given I picked on RSAC back then. Look to slide 5 where I pointed out that RSAC had as many as four keynotes a day back then, 16 in total. So again… what is a keynote? For most conferences, it is very clear, per the definition. It “sets the intended tone of the conference” in so many words. For RSAC? It is more a game of how many “big” speakers can we cram into a multi-day event to fill the seats. [Remember, many of them may be in our industry, but it doesn’t mean they bring any value to the rest of us.]

This latest fiasco is no different. So… back to the controversy. RSA stacked the keynote deck with the usual nobodies (in the context of providing real value to our industry, or if an awesome person, not in the context of a 40 minute talk). This year, they went above and beyond, and are having three people in the keynote lineup that are more than questionable. I’m sure it isn’t the first time we have seen it, but it sticks in my mind… RSAC set up a “keynote panel”. For most conferences, that would be laughable, but in 2014 they had 16 keynotes. Compare that to this year, with 20 keynotes on the schedule so far! Two minorities, and one female, if you are keeping track after the last two years of our industry pointing out the lack of diversity. Maybe RSA will say it is a good sample representation to be politically correct, given the representation in the industry!! So… the three speakers making waves, well before the conference starts?

  • Charley Koontz, Actor, CSI: Cyber Panel
  • Shad Moss, Actor, CSI: Cyber Panel
  • Anthony E. Zuiker, Creator/Executive Producer of the CSI Franchise, Technology Visionary

It is honestly difficult to figure out how to approach this, in the sense of writing this blog. This show has been lambasted from day one within the InfoSec industry. Worse, it has deviated from the CSI franchise in ways that are arguably more harmful to the public than the predecessors. The last 15 years of the other CSI shows have created the “CSI Effect“, which has been a burden on our current legal system. It took many years of the original CSI franchise to give us that modern problem, that interferes with our judicial system on a daily basis. We are all arm-chair experts on DNA, trace matter, footprints, dark crime scenes, and flashlights. That is a T.V. show born out of a 30+ year scientific discipline. And it has serious backlash in the real world.

Now, we have CSI: Cyber, which is easily argued to be the worst of the franchise. Looking at ‘Rotten Tomatoes‘, well-known for providing real-world reviews of movies, what do they say about the entire CSI franchise?

[Image: Rotten Tomatoes ratings for the CSI franchise]

Wow… enough people hated CSI: Cyber to contribute their opinion, where the original CSI show that ran 15 years didn’t get enough feedback to rate. The original show was ground-breaking, in many ways. It introduced the average American household to the world of forensics, even if exaggerated and dramatized to some degree. Jump to today, and enough have spoken out against the new spinoff to give it a negative rating. That is telling.

OK OK, so jump back a bit, because this is not an easy blog to write. The entire CSI franchise is questionable; it has some serious value, but also has some serious pitfalls. So let’s try to focus on CSI: Cyber. Start by doing a Google search:

[Image: Google search results for "CSI: Cyber"]

Whoops, that is telling. It also reminds me that the series got renewed for season 2, which I had bet an FBI agent I know would happen (he refuses to watch the show, as does the entire ‘Cyber’ division in his city). If it gets renewed for season 3, I lose a dollar. OK, seriously sidetracked. Back to the latest drama…

Cliff notes: three people related to CSI: Cyber are part of the RSAC 2016 keynote clustermess this year. Two actors, and an executive producer putting himself forward as much more than that (or RSAC is), are part of a panel that is a keynote. Every fiber of InfoSec is unhappy with this, and rightly so. RSAC is grabbing what is popular, what is in the ‘mainstream’, and vomiting it on stage. No care, no concern, and most importantly, no consideration of what it means. Of the two actors, does either have any background in computers? Security? One is a very young rapper-turned-actor who I previously Tweeted to, because I felt his portrayal as an African American actor in the context of the Black Lives Matter movement was absolutely horrible. I’m a privileged white guy and I felt that episode was a disgrace to African Americans (do the math). The other is “sympathetic to the issues” according to Violet Blue, in an article she wrote on this topic. If Koontz is truly sympathetic, he should either back out of the talk accompanied by a public statement, or use the stage-time to go against the very reason he was invited: embrace the fact that he is a T.V. actor, that the show is lacking in technical detail or reality, call out the technical advisors and/or producers, and let the world know why the show may be harmful. As for the producer, why? It could be argued there is value if one of the technical consultants to the show were to speak, but not a producer.

It should be obvious that I do not think any of them are relevant, or should be keynoting a BSides, let alone RSAC. They are actors in a mid-ratings show, built on a 15 year-old franchise. A current iteration that isn’t really that popular or well-known… merely “what some people are watching”. RSAC is quite simply cashing in on a popular meme, in line with the profitable business.

So… let’s agree to agree, or agree to disagree! Yep, how is that for a blog plot twist, befitting that horrible T.V. show? Let’s focus on the small bit that actually got my attention in all this, that demanded all of the above as backstory and explanation. Let’s jump to the other fun bit of this mess. While most of the industry was somewhere between annoyed and outraged over these keynotes being announced, others quipped in ways that suggested the industry wouldn’t be so upset if it was “other” high-profile media-centric personalities that were keynoting.

[Image: Tweet comparing the keynote to the actors from the movie Hackers]

I’d like to assume the ellipses were leading off to the obvious conclusion, “we would ridicule them just the same“. But I have a feeling that was not the intended argument. That movie is 20 years old, released on the fourth year of RSAC. Assuming you at least meant to compare the cast being keynotes at the 1995 RSAC… this is actually a more compelling comparison as far as a “timely” media publication being thrust upon our industry. Back then, I don’t think it would have been considered. I say that because some of us in the hacker circles back then joked about them speaking at DEFCON and how absurd it would have been.

[Image: Tweet comparing the keynote to Stephen Colbert and Alec Baldwin]

This is a fascinating comment, because it puts two polar opposites as a single argument that somehow has the same merit, which is baffling to say the least (compare Colbert vs Baldwin in the context of ‘actor’ vs ‘comedian’). If your argument for comparison is “Stephen Colbert” (soft T), then I would argue you are beyond dense and completely oblivious to the genius of the persona Colbert (hard T) took on. The entire persona was designed around being a blind fanboy to an ‘industry’ (or political party in his case, which is basically an industry) in a manner that highlights how absurd the industry is in the first place. That is exactly the kind of persona that would help our industry realize how perverse it is, and show us through delicious irony how absurd and blind we are to our own problems. More importantly, Colbert did not claim any relevance to, or portray anyone in our industry in any way.

If your argument for comparison is Alec Baldwin? That is a valid argument I think! If the industry didn’t speak out against Baldwin in this context, while speaking out against CSI: Cyber actors, that seems hypocritical. I don’t recall Baldwin doing a RSAC keynote in the past, but it isn’t something I would have noticed unless there was an eruption of drama. Stick with this example for arguments against the CSI: Cyber cast.

[Image: Tweet comparing the keynote to Adam Savage]

Really? This has to be the worst comparison possible. Adam Savage has made his career around breaking and building things, a cornerstone of the hacker ethos and mentality. Not only does he build and break things, he does it in the pursuit of truth and shares it with anyone willing to watch MythBusters. That embodies the hacker spirit in the minds of a significant portion of our industry. The cross-over from our largely digital world, to his largely analog world, makes complete sense. He is a rare case where the ‘reality’ in ‘Reality TV’ is actually true.

To come full circle, people still argue that RSAC has value because that is where the “trends” are announced. The problem is, RSA ‘trends’ are mostly buzzword rebrands of old technology, with a few ‘bleeding-edge’ adjectives thrown in to make them sound more sexy. I’ll leave this great Tweet as a tongue-in-cheek, but accurate, reminder of how a significant portion of our industry views the conference, regardless of keynote choices.

[Image: Tweet on RSAC “trends”]


Studies, articles, and social media activism are just a start.

I would imagine everyone reading this, who partakes of social media to any degree, is getting worn down with the social media activists. As with everything, there are some who are effecting change and doing great work. They use the media to spread the message while helping to enact change in other ways. Basically, doing more than just ‘awareness‘. You can Tweet and Facebook and Tumblr all day long about “help our vets”, and the sentiment is great. But until you turn that effort toward people who can effect change (e.g. politicians), it’s not likely to actually help a veteran. Oh, and you do occasionally promote charities that help the veterans and donate yourself… right?

Yesterday, “Spouse-gate” happened at the ASIS / ISC2 Congress event. In a nutshell, a female InfoSec professional is a speaker at the conference, and her InfoSec professional husband joined her as a regular attendee, but via her “plus one” that the conference provides for. Each “plus one” in the eyes of ISC2 is the spouse, which by definition is the husband or wife. So imagine his surprise when he goes to the registration desk and finds the staff “utterly confused how [he] could be a spouse and asks [him] four times how [he’s] a spouse“. Did the meaning of spouse change sufficiently in the past years, that it is only applied to females? He explains several times that his wife is speaking, and he is her “plus one”, and they finally understand. Next, they give him a con swag bag and information regarding ‘spouse events’ which include shopping trips. The bag included two bottles of hand lotion, an empty photo album, shopping coupons, a magazine, and the business card for Jay Claxton, the Director of Loss Prevention at Marriott Vacation Club International.

I think it safe to say that the conference bag for spouses is a clear case of misogyny. Now, why am I posting about this? Peruse the bag contents and scroll down…

[Image: contents of the ISC2 spouse bag]

I have been an outspoken critic of ISC2 for many years. In the last couple of years, I have toned down that criticism considerably, for various reasons. The biggest reason is that one of the board members, Wim Remes reached out to me and prompted many discussions over a year. He made an effort to get my feedback on how ISC2 could improve in their process, public perception, and get back on track (my words) with their intended purpose of making the security industry better. When someone in a position to effect change reaches out and demonstrates they want to make things better, it is time to help them rather than continue to criticize the organization. In that time, Wim has done an incredible job working to change the organization from the inside. Sorry for the diversion, but I feel it is important to give credit to those working very hard toward bettering our industry.

At some point in the last year or two, ISC2 has taken on a very public “pro-woman” stance (scroll through their Twitter feed). They have collectively called for more equality in the workforce in our industry. In fact, within one hour of ‘Spouse-gate’ starting, ISC2 was Tweeting about women remaining underrepresented in InfoSec. It’s hard to understand how an organization can promote a great cause while also devolving to the base levels of misogyny that are a root cause of the inequality.

[Image: ISC2 Tweet about women remaining underrepresented in InfoSec]

Social media activism can do great things. But many of the great things that can be done get lost in the noise of people blindly re-posting feel-good messages that ultimately do very little to do actual good, and concretely support the cause. If organizations like ISC2 want to help effect real change, they need to “be the change that [they] wish to see in the world.” In short, more doing and less grandstanding.

You keep using that word… (a note on “bullying”)

As a tech editor who apparently hit the glass ceiling, perhaps my only value to the industry is reminding people what words mean. Usually that is done for the author before something is published, but it is clear the industry could gain some value this time. With the terms “bully” and “bullying” being thrown around more liberally recently, it is important to remember what they really mean. Like most words in the English language, that answer varies greatly, not only with historical changes, but with social changes as words are used, reused, and co-opted. Let’s start with what Google tells us!

According to stopbullying.gov, the definition is:

Bullying is unwanted, aggressive behavior among school aged children that involves a real or perceived power imbalance. The behavior is repeated, or has the potential to be repeated, over time. Bullying includes actions such as making threats, spreading rumors, attacking someone physically or verbally, and excluding someone from a group on purpose.

Some readers are certainly homing in on this definition while glossing over an important qualifier. We are not “school-aged children”, despite often acting like it on Twitter. This definition is custom-written to be suitable to kids in school who face bullies. Next up, Wikipedia defines it as:

Bullying is the use of force, threat, or coercion to abuse, intimidate, or aggressively impose domination over others. The behavior is often repeated and habitual. One essential prerequisite is the perception, by the bully or by others, of an imbalance of social or physical power.

Those same readers may now be homing in on this definition based on the last line, but it is important to note that it is a two-way street. If we can arbitrarily call it “bullying” solely based on one side’s perception, then we’re all equally guilty of bullying. If I call you a jerk, and you call me an ass in return, we are both potentially guilty of it. In reality, I think we can all agree that is a bit absurd. I think if you drop that last line and focus on the first two lines, the definition is pretty good, especially given the next choice. According to the dictionary:

  • 1 (archaic): sweetheart or a fine chap
  • 2a: a blustering browbeating person; especially one habitually cruel to others who are weaker
  • 2b: pimp
  • 3: a hired ruffian
  • bully (verb): to frighten, hurt, or threaten (a smaller or weaker person); to act like a bully toward (someone); to cause (someone) to do something by making threats or insults or by using force
  • bully (transitive verb) 1: to treat abusively
  • bully (transitive verb) 2: to affect by means of force or coercion

We can certainly agree that the archaic definition isn’t what anyone means when using the term. Similarly, a pimp or hired ruffian is probably just as archaic and not intended. Focusing on the rest, you have a variety of definitions that range from “treat abusively” to the more dominant ones that include the purpose of the activity. The words threat, force, and coercion appear more than once in the definitions above and are the crux of what bullying is about. Everyone who now equates the term “bullying” with anything less than a malicious, sustained campaign of hatefulness intended to coerce or threaten is guilty of the worst sort of cowardice and dishonesty. They are doing a disservice to society and themselves.

Someone stating their opinion is just that. Calling someone a name or insulting them over appearance or action makes them an ass, nothing more. They aren’t trying to coerce you, they aren’t trying to force you to do something, and they aren’t threatening you. In this country they are simply exercising their first-amendment rights. As such, you have the right not to listen to them. If someone on Twitter is saying something you don’t like, stop following them. If they are including you in the messages, block them. Add their Twitter ID to a filter so it helps ensure you don’t read anything to, from, or about them. Remember, it is a push medium that you opt into. By using the service, by following people, by subscribing to lists, or by searching for specific words, you are specifically choosing to read it.

Cliff notes for the rest of you. Simple name calling or stating opinion on Twitter is not bullying, even if it is mean and you don’t like it. Those using the term in such a fashion are the real bullies here; they are capitalizing on a social stigma and social movement to brand what has been our way of life for hundreds of years as some new form of persecution. You are trying to use social pressure to coerce us into changing our behavior. Worse, by equating simple insults and jabs with bullying, you make it harder for those who have truly been bullied to be believed. Sorry, I won’t cave in to bullies, something your crowd keeps telling us to do, ironically enough.

To finish this post, I want to answer a question put forth by someone crying “bully”:

Can my daughter take criticism? Yes but not publicly. You got to have a pretty tough skin to be able to take criticism publicly. Most of us don’t have that tough skin. I think that’s good because that usually goes hand in hand with compassion. If I had to choose only one thing missing in this InfoSec community, it would be compassion. The nonconstructive criticism is so public and so vicious that you end up missing that one nice person who is trying to offer the constructive criticism that could really make a difference. And that’s sad. That person who is trying to help gets lumped in with the naysayers, and no one benefits. Is this really the InfoSec community you want?

Yes! That is exactly what I want the industry to be. More importantly, that is exactly the type of industry our society needs. There are two aspects to this, and one of them is so entirely simple, but seems to be missed time after time.

First, the InfoSec industry has two fundamental sides: those who break things (attack), and those who fix things (defend). The entire attack side of it (a.k.a. red-teaming, tiger teaming, vulnerability assessment, or offense) is itself built on the act of tearing others down. When you perform a penetration test, you are showing how the programmers and/or IT staff have failed in some way. In some cases, you are taking years of their work and shitting all over it in a PDF or in PowerPoint with pretty colors. That million lines of code performing incredibly complex actions to make a seamless experience for their paying customers? You tell them it is Swiss cheese, that it shouldn’t be on a production network, and that they must go back and make it better, while flippantly giving them the oh-so-helpful remediation instruction of “sanitize user input“. You get paid, handsomely even, to do just that day in and day out. Did you develop software that makes that process easier? Then you are facilitating colleagues so they can more easily tear down the work of other people. This is a simple fact and how our industry operates. You are offering what you think to be constructive criticism. The developers and admins receiving the report do not think it is constructive. You are a “naysayer”, and yet both sides ultimately benefit. The notion that “no one benefits” is absurd.

Second, the more emotional answer. Our industry, and society at large, need more people that are not afraid to speak their mind, tell the truth, and demand better from everyone. That is how things get fixed, and that is how we improve as a society. Your friend being a douche-nozzle? Do you think they intend to act that way? No, so you tell them in whatever terms are needed so they stop acting like one. Your customer running insecure software that would allow little Bobby Tables to expose all of their client data? You tell them so they can fix it. Your report can soften the blow a bit, but ultimately you are telling them they have failed in a spectacular fashion. This isn’t some circle-jerk hug fest. This is an industry largely based on critique, which is a vehicle to improve.

When your day job is based on leveling criticism at other people, it is your responsibility to be able to take criticism. If you release software to the world, you are a vendor so to speak. Someone reporting a vulnerability in your software is not them “picking on you”. That is them making a sincere effort to help you improve your software, just as you are trying to help your customers (or students) improve. If you don’t understand how these are fundamentally the same, then you don’t belong in this industry. That is not a threat, force, or coercion. That is a fact.


To the guy calling himself “David Willson”, you don’t get it (was re: Active Defense)

Yesterday, I published a blog titled “Putting an end to ‘strike back’ / ‘active defense’ debate…”. While the title of the blog was tongue-in-cheek, the content certainly was not. Of course I don’t expect the debate to suddenly end over a single blog, but I did bring up a great point about the idea of ‘strike back’. I know it is great because the only blog response I got completely ignored it, I assume because he simply couldn’t debate the merit of it.

Now, I don’t think I know this guy who calls himself “David Willson”. But everyone knows I am bad with names and faces, and with InfoSec plebeians who don’t show any indication they have tenure or a clue. Don’t get me wrong, I love InfoSec newbies that are eager and open minded, willing to learn and evolve; I take the time to answer any question they put to me. They are a different breed from the others that mysteriously appear one year, with a resume boasting many years of experience. No clue if David Willson is such a beast, but reading that blog sure seems like it.

I don’t like ego. I like a person that can not only admit, but fully appreciate, when they are wrong. Admitting it shows character and a desire to improve themselves. Don’t take this paragraph as me showing ego, it really isn’t about that. Willson is blogging under Titan Info Security Group (@Titaninfosec), whose motto is “Information is the Key to Your Business“. Information you say? Perhaps it was just a completely shitty writing style David, or perhaps you just haven’t been around the InfoSec block. It doesn’t matter if you like me, dislike me, respect me, or want to fist me. Fact is, I have been here a long, long time. If you and your company’s intelligence don’t know who I am, or my relevance in the security world, then your intelligence is suitable for the girl scouts at best. Starting your blog with “a guy calling himself Jericho” is laughable. Not only is my real name all over the place, if you Google for “jericho attrition”, the second hit gives you my real name, which has been published in media outlets for years in conjunction with my handle. You couldn’t link to my blog, my web site, my Wikipedia entry, or my Twitter feed? I’m sorry, do you claim you knew all this? Consider it when you write these shitty blogs for your over-billed customers. #protip

[Image: Titan Info Security Group]

Now, on to the meat of the blog and the rebuttal! It’s late, I really want to have fun with this, but the bed is more inviting than you. So, you get the more brief and blunt treatment David.

chastises those who advocate Active Defense.

Read the blog again. I chastise those that use the term incorrectly. I specifically point out that ping, traceroute, and nmap are not “active defense”. I further point out that the entire term “active defense” is contradictory and absurd. Offense != defense. “The best defense is a good offense” is better left to movies.

He equates it to strike back and hack back.

No, I have entirely different sections of that blog that deal with true strike back versus active defense. Is this the “intelligence” you charge your customers for?

I have to say, I agree with two of his points; many companies are now trying to capitalize on this new term, yes new term…

Oh so close David! You were doing well agreeing with me on that part. New term? No. New to newbs in the industry? Yes. You kind of outed yourself here. You can’t claim this term is new when there is a book on it written in 2002. #newb

What I disagree with is his characterization of Active Defense. I wish people would stop equating it to hack back.

HEY FUCKHEAD. I did not say that. Read the fucking blog again please. I specifically defined active defense as this nebulous area of remote reconnaissance, not strike back. I went out of my way to make it very clear there was a solid distinction between the two. The entire point is that companies are using the nebulous “active defense” (which is stupid to begin with) and then further blurring it into “strike back”, à la Kurtz and his CrowdStrike crap.

Hack back is the last 1% of Active Defense. See my definition here: http://www.titaninfosecuritygroup.com/_m1698/blog/Active-Defense-definition.

Great, you define Active Defense! Oh wait, that explains why you are blindly lashing out at what you don’t understand. From your definition:

“Active Defense” is incident response on steroids. Here is my definition: It is a method for companies who find themselves persistently attacked to collect the intelligence needed to evaluate the attacks, develop courses of action or options, and then enable the leadership to make well-informed decisions to move forward in an effort to protect the company. On a spectrum the options could be anywhere from do nothing or the other extreme of hack back to either find the attackers or disrupt or deny the server(s) being used to launch the attacks.

So a whole bunch of management bullshit, then you clearly say “active defense” includes “strike back”. Uh… you just said you wished people would stop equating it to hack back, and you fucking say exactly that in your definition. Seriously, get the fuck out of our industry. Only ignorant sales weasels can’t track their lies between two paragraphs.

Also, the fact that many people who write in opposition to Active Defense made broad statements about how it is illegal without defining Active Defense and detailing what they believe to be illegal or why.

I clearly stated what I see active defense as. Read my blog again, again. I said strike back is illegal; the activity of “hacking the person hacking you”. News flash: it is illegal in most countries. It is illegal in the United States, where I reside, and in most of the countries the U.S. still has some form of ties to, economic or otherwise. As an ex-military weenie, you should really grok this.

First of all, if you’re not an attorney stop saying it is illegal because the legality of Active Defense is not black and white.

Tell that to anyone convicted under 18 USC § 1030 please. It is black and white enough to routinely convict people, even ones operating in areas many consider gray. While I am not a lawyer, I am fairly well read on the law, more so than most in our industry, and enough to be invited as an honorary professor for a cybercrime seminar for a semester, to challenge the students on the notion of law. Yes, a respected university thought me suitable to challenge their students and staff on the law they teach, meaning I am the first to find the wiggle room and gray areas. What, you didn’t know this? (was re: intelligence offering)

Jericho’s assertions strike me as hypocritical by jumping on the bandwagon of the Active Defense flurry, making broad assertions and offering NO solutions.

First, I am not hypocritical just because you didn’t actually read my blog. Second, I am not part of the flurry, as I argued against this shit back in ~2000. Third, what the fuck solutions do you offer? By your definition, a vague HALULULUGGUHGUGHUGHGUH ESCALATE until you get to the strike back phase, which still doesn’t address the simple fact that it STILL WON’T STOP YOU FROM GETTING ATTACKED. Jesus fuck, get out of my industry already. Off my lawn and all that. If you don’t understand WHY I am so vehement about this, then you doubly need to get the fuck out of here. In a light-hearted rant against morons who blindly quote Sun Tzu, Steve Tornio (@steve_tornio) and I point out that trying to know your attacker is futile. Worse, even if you figure out who one is and stop them, then you are dealing with the other eleventy-billion. Are you really under some demented and perverse notion that a single attacker is a threat to you or your customers? That big-bad-APT you are fighting tooth-and-nail against may just be the decoy while the real attacker is skullfucking your network blind. Sorry to be the bearer of that bad news, and judging by your blog, I certainly am.

If defense is so easy then provide the solution, a solution that hasn’t been tried and one that will work and not subverted by hackers within a few months.

Really? Again with the whole “not reading what I wrote” bit. I didn’t say it was easy. I was arguing for a minimum threshold on defense; that companies who do not focus on defense and put resources there have no business trying to hack back. In fact, my entire ONE LINE ARGUMENT against all this boils down to that. If you failed Defense 101, then you have no business dabbling in Offense 101. Intelligence business, huh?

You need a team of experts who know what they are doing, to include one or more attorneys who know what he/she is doing, but more than just an attorney you believe you can explain the technology to.

And this is where it gets good. You see, I am bad with names and faces, like I mentioned above (since you likely didn’t read it). But in all honesty, I do remember you. I respect(ed) the hell out of you for your presentation at BSides Denver 2010. And you should remember me, “that guy who calls himself Jericho”, as I was leading the mob against your naive but fun presentation titled “When Does Electronic Espionage Become an ‘Act of War’ and What Options Do Nations Have to Defend Their Networks?” Further, I was on the CFP review team for BSides Denver 2013 where I was adamant about having you back, because of your 2010 presentation despite the cute notions that simply weren’t real world. Why? Because you stood up to the heat, you debated it, and you did a good job of doing so from your losing side. The entire CFP review team was looking forward to your talk specifically, hoping it would re-create the passion and energy from years before.

So, what happened during BSides Denver 2013? Two things changed. First, you moved from the military to Titan Info Security Group. Second, you made people walk out of your talk, and it ended in zero debate. What’s the matter, David, Titan got your balls all of a sudden? You went from a damn fine individual and debater that I respected, to … this. Part of me says this is cute. The other part of me says this is pathetic. I went to bat for you, saying you would be an outstanding speaker based on your last presentation. I was wrong. I failed BSides Denver attendees as a CFP reviewer, and I still kick myself over that. I don’t blame you, I really don’t. I blame myself for not seeing what you truly are.

You really don’t remember me? You really don’t remember talking to me during the 2010 conference, and again a couple months ago? That’s fine, I don’t blame you for not remembering me. I am not that interesting offline usually. I’m not in the general intelligence business, just the vulnerability intelligence business. I can get away with that. What’s your excuse?

This takes years of experience to understand the technology, apply the law and foresee the results or consequences.

OK expert, please tell us exactly when pure “strike back” is legal, in what contexts. You have this shit figured out obviously, so write a blog that summarizes it please. If you don’t, then you are full of shit and I am calling you on it. I want you to blog about it because one of three things will happen. One, you will write an incredibly insightful blog that clears up all this “legal confusion” over the concept of strike back, and I will apologize to you and learn a lot from it. Two, you will write an incredibly fun blog that clears up nothing, that many people will mock and deride at best. Three, you will not blog, and in doing so quietly admit that I am right. So, put up or shut up pretend-lawyer. Oh, and cite the fucking law, not your mystical snow globe.

Ask your lawyer if he/she would be willing to put their law license on the line and provide advice in cyber security, hack back, the CFAA, ECPA, trace back, open-source collection, etc.

Great, thanks! Let’s have you read this Wikipedia entry before we continue. Please re-read your definition of “active defense”, which is arguably criminally negligent. You really want to put your license on the line after that crap? Not only do you completely miss the irony of your definition of “active DEFENSE”, you completely fail to see the legal implications of what you put forth, 1% or not.

I’m not going to quote the last paragraph of your blog; I’ll let my readers re-read it before they continue. You and your company appear to be the same scum I called out, attempting to mix “active defense” with “strike back”, for what appears to be your profit margin. The irony of you arguing this with me has multiple juicy layers of depth.

I mean come on, look at your fucking company’s logo. Ones and zeroes coming out of the planet, with that pathetic slogan? Nothing about your blog post screams “intelligence”. Nothing about it reminds me of the guy who calls himself David in 2010. It does remind me of the sell-out David who appeared in 2013 and bored a room of ~ 120. If you want to attack me and my points, feel free. I love a good debate, and I love challenging the industry to think beyond the current norms. Unfortunately, you failed to do that in a big way. You clearly didn’t read my blog, didn’t consider it before you fired off your own rebuttal, and didn’t consider that rebuttals are a FUCKING HOBBY OF MINE. At least play to my weak standards, or do better than my previous offerings. If not, you aren’t even advancing casual insults or banter, and for that, you should eat a bowl of dicks.

So, to throw the proverbial gauntlet down:

Based on David Willson’s reply to my blog, I personally think that Titan Info Security Group is not qualified to provide any security or legal consulting to anyone. Well, maybe to Paw’s Fishing Shack that just got that new-fangled Wi-Fi thing. I bet Paw wants some of that fancy threat intelligence, and he can trade you for it in fresh worms or stale candy. About all you are worth in my opinion. #getoffmylawn

– Some guy who calls himself “Jericho”

p.s. You tag your blog with “computer”, really? I guess I should follow suit.

A Holdout for Sanity

Last week, I blogged about the Adria Richards saga, and then linked it into similar activities from the ADA Initiative (AI). Days after, people are still divided on who was right and who reacted poorly. One thing almost everyone agrees on is that no one came out a winner.

In the wake of both incidents, there has been a shift to people being overly cautious, watching their wording carefully. Rather than speak freely as they usually do, they obsess over every word lest someone, anyone, take offense and drag them through the virtual mud. One joke that seems harmless or the use of a word that might be a “trigger” to someone, and you may find yourself a pariah, or worse.

I understand the issue, and I sympathize. I truly do. However, I also understand when something goes too far and recognize when overreaction dominates rational thought, as is common in our society after tragedy, or the perception of tragedy. I believe that time is here with the debate around equality in our industry. My mind was mostly made up already, but after participating in the Exotic Liability podcast tonight, with guest Violet Blue, more information came out about recent events that angers me even more. The BSidesSF incident that saw Val Aurora of the ADA Initiative get Blue’s talk cancelled was planned in advance. The claim that her talk contained offensive ‘rape’ material was not only wrong, it was used to emotionally manipulate the conference organizer into getting her way.

If Aurora and AI had their way, every talk that might have controversial material would be cancelled or changed, so as not to offend anyone, ever. Worse, someone that has “triggers”, words that may cause them emotional distress, may knowingly attend a talk with such triggers and it is your fault. Basically, they stuck their hand on the hot stove, got burned, and it is your fault because you didn’t make the stove safe for them. They shouldn’t be responsible for knowing what the red light and excessive heat coming from the machine mean.

Moving past the obvious issue of free speech, there is the rational and realistic argument on how to handle all of this. Should the 99%+ majority only utter G-rated material in any public, semi-public, or private venue on the off chance the word “rape” or “clown” or “pancake” offends them? Or should the minority <1% who might be offended at something you said simply avoid a situation that might cause a problem for them?

Forget the stupidly simple and rational course of action for a minute, and think about the level of narcissism it takes to expect everyone else to dance on eggshells around you. Do you really think that any initiative will change society to the degree you want? If equality is what you are after, act like an equal to the masses. The masses aren’t forcing you to travel a thousand miles to a conference and attend a talk that you clearly know may trigger you. Don’t force the masses to be deprived of a valuable presentation that is all about harm reduction, something you claim to support. If pancakes are a trigger, don’t go out of your way to stop and loiter at IHOP or click this link.

While AI and others are pushing this G-rated agenda and demanding sensitivity above and beyond all rational reason, several of us opted to go the other way last night. On the award-winning Exotic Liability podcast, Ryan, Chris, GK, and I refused to cave in. After a disclaimer warning listeners of offensive content to come, we celebrated our freedom of speech, and our freedom to offend. Innuendo lasted all of a few minutes before truly offensive banter found its rightful place at the top. Our guest Violet Blue, a true advocate of equality and education, laughed with us and praised us for adding levity to the situation. She said she desperately needed it after the past weeks, as being dropped from a speaking engagement and not being able to educate was depressing.

By going the opposite direction, we collectively said “fuck you” to Aurora, the AI, and people like Adria Richards. They seem to look for situations in which they can opportunistically take offense, and they ride it. In doing so, they traipse over good people doing good work, typically those with a noble and giving reason. They subjugate the masses to conform to their selfish rules, demanding change that ultimately will not effect the change they desire. So I will do what I feel is right, and nothing more:

You have been warned! Last night’s podcast is offensive. I don’t need to qualify it beyond that, because it is probably offensive to everyone. We did not hold back, we acted like immature kids, and we said whatever came to mind. If bad jokes, bad acts, or laughing at serious topics is a ‘trigger’ to you, don’t listen. If you do, it is on you, not us. We see your crazy, and counter with our sanity. Until you figure a better way to encourage that equality, consider people like us the holdout for sanity. Dare to listen and laugh with us.

All This Over a Dongle?!

As usual, someone is wrong on the Internet, and I just can’t help myself. Many will already be familiar with the incident at PyCon this week. During a talk, two men were talking between themselves, and a woman overheard it. She took offense to what they said, got the attention of convention staff, and had staff talk to them. Because she used Twitter, and posted a photo of them, it led to one of the men getting fired from his job, presumably to avoid blowback on his company. The men spoke about two things that the woman took offense to. The first was a series of jokes about a “dongle”, using the term in a sexual manner. The second was a series of jokes about “forking”. After the incident, everyone posted their stories to their blogs or somewhere public. One of the men admits that the dongle jokes may have been inappropriate, but clarifies that the forking jokes were not sexual at all.

There are several aspects of this saga that bother me, and I am not the only one. While I will start on the PyCon incident, this article will end on a bigger theme, and drag another recent incident into the mix to demonstrate what many see as a pattern of females being overly aggressive in wanting not only equality, but rights above and beyond the rest of us. That is the part that should bother you too. If you have read enough about the PyCon incident, I encourage you to skip down to “The Other, Ongoing Issue” below.

There are a lot of people adding to the discussion, especially on Twitter. In my brief, casual search, I ran across two replies to the incident that show many are giving this topic serious thought. As with most things, the topic of sexism, feminism, and all things between is murky to say the least. I offer my opinion as someone who believes in a woman’s right not to be sexually harassed, who believes that any rational person doesn’t need special programs or slogans to remind themselves not to do bad things to women, but more importantly, someone who believes that it is a two-way street. While a woman should not be harassed just for being a woman, men should not be made to feel uncomfortable and second-guess every word they speak on the off chance it might offend a woman, especially one who admits to having “triggers”. More on that later.

The woman in question is Adria Richards (@AdriaRichards on Twitter), a self-described “blogger, video content creator, technology mentor” who is currently a “developer evangelist” at SendGrid (@SendGrid on Twitter). Until tonight, I had never heard of her, so my exposure to her is only based on skimming her Twitter feed, reading a couple of her blogs, and the other commentary mentioning her that I read while reading up on the incident. Her blog post outlining her side of the story about the PyCon incident is what led me to write this, though. In the process, I found a tie-in to another incident that bothered me, one that is very similar to this one.

I read her blog to get her perspective on what happened, because everything is about perspective. Like one of the men saying the dongle jokes were inappropriate, but the forking jokes were actually complimentary and not sexual, it is important to get both sides. However, Richards’ comments about what happened disgusted me. Below are some quotes from her blog:

That would have been fine until the guy next to him… began making sexual forking jokes

Given that he admitted to inappropriate dongle jokes, I tend to believe him when he said that Richards took the forking jokes out of context, and read into them. I also seriously doubt the first jokes “were fine”, and suspect that Richards took offense to those and wouldn’t let it stand either way. Her complaints to PyCon via Twitter could have been the end of this, but after posting their picture and making accusations that now seem partially unfounded, it spiraled out of control.

I know I don’t have to be a hero in every situation.

This is perhaps one of the most disgusting, egotistical, and narcissistic comments I have read in some time. It is only compounded further when you read on. Richards isn’t a hero for overhearing an inappropriate joke that offended her, and ultimately complaining in such a way as to get someone fired. She isn’t a hero at all, and this comment suggesting she can be the hero of every situation is absurd.

I saw a photo on main stage of a little girl who had been in the Young Coders workshop. I realized I had to do something or she would never have the chance to learn and love programming because the ass clowns behind me would make it impossible for her to do so.

This is where Richards really goes off the deep end. Two people in a large crowd (picture courtesy of Richards) say something inappropriate, and it will somehow mean a little girl pictured on stage never has the chance to learn and love programming? Worse, Richards claims that the little girl couldn’t do all that because the two “assclowns” behind her would “make it impossible for her” to learn a programming language? That is textbook libel. Oh, and purely ignorant.

Accountability was important. These guys sitting right behind me felt safe in the crowd. I got that and realized that being anonymous was fueling their behaviour.

Richards then goes on a real stretch, suggesting that their activity was the result of Deindividuation. Apparently, in all of her reading on psychology, she missed the bit on Occam’s razor. Two guys talking to themselves, likely thought they were being quiet enough, and got overheard. It really can be that simple. Instead, Richards wants to prop this incident up and make it seem like they intentionally carried on like this, feeling like their actions were “safe” or “immune” from reaction. I side with Occam.

There is something about crushing a little kid’s dream that gets me really angry.

Me too. Except, neither of those men crushed a little kid’s dream. Richards is talking about a picture of a kid on a projector. Suggesting they shattered anyone’s dreams is absolutely ludicrous, and shows this entire matter has an agenda.

Yesterday the future of programming was on the line and I made myself heard.

Because the picture of a kid wasn’t enough, now the future of programming was on the line. I am at a loss for words, except one that keeps coming to mind. Idiot. The crap Richards spews in this blog is worthy of disgusting politics, and nothing else. Top it all off with a subsequent Tweet, and to me it seems like she has delusions of grandeur. This entire ordeal, from her side, screams of a desperate attempt to better justify her overreaction.

[Image: Richards’ subsequent tweet (adria-tweet2)]

If you stop for a minute and picture the situation, you should quickly realize that Richards’ portrayal of what happened is egotistical, overblown, and completely out of line. What really prompted all of this? Was it really a dongle joke, which has been around for over two decades, and has even been used in mainstream advertisements in a sexual manner? Is Richards frantically typing out an email to this site, the advertiser, and anyone else to get it yanked because it too is offensive? Or is there a more rational explanation, specific to Richards?

Because of my experiences growing up, I have triggers. This means that I’m always scanning for danger; for situations that seem like something from the past that could hurt me. When I recognize something that matches, I can overreact and feel intense fear, anger or anxiety.

That is a quote from Richards’ blog, titled “Success Against The Odds: Filling My Technology Knapsack From Scratch” and published on February 6, 2013, a month and a half before the PyCon incident. Richards clearly has an awful past, and she not only endured it, but she ‘beat’ it. Rather than letting her past dictate her future, she overcame it and became a successful person in technology. However, like she said, she has triggers that may cause her to overreact due to anxiety. Based on everything I have read, I think that is exactly what happened today. I am more sure of it when I skim her Twitter feed and see the following Tweet, just days before this incident:

[Image: Richards’ tweet from days before the incident (adria-tweet1)]

The person she made this joke to tries to defend her comments after someone points out the hypocrisy of it. What he fails to see is that her joke between two people, in a public forum, was “overheard” (read) by many others. The two men at PyCon were talking among themselves, and someone overheard it. One of these situations isn’t magically more appropriate than the other.

While Richards may be offended at a dongle or forking joke, I am offended that any one person, male or female, has the power to get two people ejected from a conference, and one of them fired from his job, all based on their perception of an overheard conversation. Apparently, Richards’ company SendGrid ultimately decided to steer clear as well, as they announced she had been terminated today (statement on their site). That will undoubtedly cast enough gas on this fire to keep it going for a few more days.

The Other, Ongoing Issue

The PyCon incident follows on the heels of another incident a few weeks ago. Richards’ invocation of the PyCon Code of Conduct as justification to have the men removed actually provides the tie-in. At the bottom:

This Code of Conduct was forked from the example policy from the Geek Feminism wiki, created by the Ada Initiative and other volunteers, which is under a Creative Commons Zero license.

If you aren’t familiar with the Ada Initiative (@AdaInitiative on Twitter), it is a “non-profit organization supporting women in open technology and culture”. It is important to remember that both Richards and the Ada Initiative feel that women are under-represented in technology (true), and want to help facilitate women gaining growth in the field. That is what makes the following story from weeks ago more baffling.

The cliff notes: A woman named Violet Blue, an accomplished writer and sex educator, was to speak at BSidesSF. She was to give the exact same talk she gave at BSidesLV in 2012, a talk titled “sex +/- drugs: known vulns and exploits”. The content was not only public to some degree, but the abstract was clear on the content. Despite that, Valerie Aurora from the Ada Initiative lodged a complaint with BSidesSF staff, claiming that if Blue gave the talk and if it contained reference to rape, it may trigger her in a negative way. Blue’s talk had educational information about the drugs behind date rape, how to be better informed, so that such situations could be avoided. As Blue describes the talk, it is about harm reduction.

So we have a group that claims to support women in technology and culture, arbitrarily stopping a talk designed to educate and protect women, because it “might” have content that “triggers” her. One might wonder why, if Aurora truly knew (or believed) it had such content, she did not just avoid the talk. You may also wonder why Aurora made such unfounded claims, when the talk was already public, and the content of it is already out there and easy to verify. Of course, Aurora did not approach Blue to talk about it, just like Richards did not confront the inappropriate jokers. Violet Blue gives a detailed account from her perspective, and Aurora gives a detailed account from her perspective along with a “TRIGGER WARNING: RAPE” at the top. Note that the guide to giving such talks that the Ada Initiative touts mentions rape, without the same trigger warning. Without consistency, your personal agenda shows.

The Ada blog goes on in an attempt to justify their actions by claiming that such talks are appropriate for their conference (AdaCamp), but not other conferences. A small group of feminists have taken it upon themselves to influence and dictate what happens at conferences, even at the risk of working against their own stated goals. While I do not have references, and I haven’t searched them out, several people have come to me in my role as a maintainer of the Errata project and asked about adding the Ada Initiative, saying that the Violet Blue incident was the tip of the iceberg.

The result of this overly aggressive behavior and self-important moral policing only has the opposite effect. Rather than improving the industry for women and enabling them to better move forward, more people are left with the wrong impression. Richards and Ada do not come off as heroes of the feminist movement; instead, they come off as petty and over-sensitive. That remark has nothing to do with gender either. The Internet is a cesspool at times, and we are frequently subjected to a variety of ideas and pictures that are likely to offend most. Our friends warn us to have thick skin, especially if you choose to engage in certain places (e.g. Twitter, 4chan). Many joke that a DSL modem should come with a warning label about the perils of the Internet. To brave it, we all have to keep our sensitivity in check, lest we live miserable lives constantly subjected to random 1’s and 0’s that upset us at every turn.

My message to any activist, regardless of your cause: Pushing for equality is a good thing, and I support that. However, when you push so hard as to tip the scales in your favor, you are alienating yourselves from the masses that you just struggled to educate and influence. Sometimes part of a battle is knowing when to avoid a fight, and doing so strategically. Showing up to a conference, seeking out a talk that might offend you, and pushing for it to be cancelled shows you do not understand that.