DEF CON 26 CFP Basic Statistics and Observations

This is the second blog in a series about DEF CON 26 CFP. The first:

A Look Into the DEF CON CFP Review Board (we’re actually really boring people)


First, this post is not sanctioned by DEF CON in any way. I am a member of the CFP team who decided to keep some rudimentary statistics on the submissions this year, as I did last year. I did this to give the team a feel for just how many submissions we got, how many talks we accepted, and primarily to track the way we voted. This greatly assists the powers that be (the amazing Nikita) to more quickly determine which talks are well-received. Due to time constraints, I was not able to track as much metadata, so this blog will be shorter than last years.

First, a few bits of information:

  • DEF CON 26 CFP opened on January 16, 2018
  • DEF CON 26 CFP closed on May 01, 2018
  • Two talks were submitted after closing date and were considered for various reasons
  • We received 551 submissions (up from 536 last year)
  • Four of the submissions were withdrawn by the submitters by the end of CFP
  • BlackHat received around 1,000 submissions this year for comparison

A recurring theme in these blogs and our Tweets throughout the CFP process is strong encouragement to submit early. While we did get a share of submissions in January and February, you can still the huge spike we experience in April (a majority a day before CFP closed), and May (on the day it closed). The two weeks between the end of CFP and the time when acceptance/rejection letters are sent out become stressful as we’re under deadline to review talks, try to get last minute feedback when we can, and make final decisions.

Of the 551 submissions, 107 were accepted (19.4%). There were 388 unique male submitters, 39 unique female submitters, and 14 anonymous submissions (note: we only catalog based on the gender, if known, of the primary speaker). Of those 14 anonymous submissions, 3 were trivially identified because the submitter didn’t scrub their submission properly or submitted work that had been presented before and was caught with a quick Google or Bing search.

Of the 551 submissions, 173 (31.40%) said they would release a new tool. 77 (13.97%) said they would release an exploit, up from 56 (10.53%) last year. Of all the submissions, 216 (39.20%) were also submitted to Black Hat and 51 (9.26%) said that speaking at DEF CON was contingent upon Black Hat accepting their talk. Only 73 (13.25%) submissions were also submitted to BSidesLV. Of the 551 submissions, 122 of the speakers had presented before at DEF CON, and an additional 28 had presented before at a DC Village or Workshop.

Unfortunately, time did not permit me to properly track ‘red’ vs ‘blue’ vs ‘black’ submissions, nor categorize the talks. That said, 11 talks were about ‘Artificial Intelligence’ and/or ‘Machine Learning’, even if some of them didn’t quite seem to know what those terms really mean. Ten submissions were on the topic of, or heavily related to, blockchain. Eight submissions came with the ultra creative title that included “for fun and profit”, four included “all your $blah belong to us”, two submissions used “pwned” in the title, and fortunately for our sanity, none wanted to make $blah great again.


That’s it! I realized this is a bit more brief than last year, but the time requirement of reviewing all of the submissions is crazy. Finding extra time to maintain the sheet is rough, and generating even more statistics or tracking additional metadata just can’t happen sometimes. Fortunately for me, this year Highwiz stepped up and did an incredible amount of work filling in data, especially while I was lost in the mountains for a few days. 

Advertisements

A Look Into the DEF CON CFP Review Board (we’re actually really boring people)

Written by Highwiz with contributions and editing from Jericho

Being on the DEF CON CFP Review Board can be as exciting as {something}; as frustrating as {something}; as thought provoking as {something}; and as enriching as {something}. It’s like mad libs, I hope you’ve filled in this section with something good.

Each year, myself and somewhere between 16 and 20 other reviewers take on the responsibility of selecting the best possible talks for DEF CON.

Oh, I should also apologize in advance as you read this first entry in the CFP Blog series. I apologize because I am not known for my brevity. In the “written word” and especially when it comes to something I’m passionate about, I tend to be wordy AF. [See, like that sentence: Could have just said “Hope you enjoy”, but nope – not me…].

I do genuinely hope that someone finds these blog postings helpful and that it will allow submitters (or potential submitters) some insight into the way we work so as to better prepare their submissions in the future.

In its original form, this post was about as dry as some of the white papers we read that were included in several submissions. Speaking of, white papers help tremendously when we’re reviewing your submissions, and if you include one, you’re already ahead of the pack. Sadly however, while White Papers do indeed help your chances during the CFP, they make for really shitty blog posts.

While we’re on this wildtangent of things that are related to the CFP Board but not actually part of the CFP Process itself, let’s talk about the term “CFP”. Above, I mentioned white papers; while the term CFP originally did mean “Call For Papers”, it doesn’t anymore. Most people don’t submit papers. When you think about the term CFP, you should really think of it as Call For Presentations. I know I’m not the first person to say that and I definitely won’t be the last, but still, it bears saying.

Alright, back to the topic at hand…

This year, the DEF CON Call for Presentations (CFP) Review board was made up of 16 “General Reviewers”,  six “Special Reviewers”, and two members of the DEF CON staff.

The DC CFP process is not “blind”, meaning reviewers can see each other’s votes, and we see who submitted it unless they specifically opt to stay anonymous (and properly scrub their submission). There are merits for both open review and blind review, but we’ve found that an open review significantly helps our process as there is a lot of good discussion about each individual submission. One reviewer may spend considerable time digging into the topic, researching prior disclosures or talks along the same lines, or offer their personal in-depth knowledge which typically helps several others better understand the topic and state of research.

If you submitted a talk to DEF CON this year, then all of the General Reviewers most likely reviewed and discussed your talk. While these reviewers tend to agree on many talks there are also submissions that cause arguments and intense heated discussions. Most of the review board members have a very extensive vocabulary and seem to enjoy finding new and creative ways to use the word “fuck” in a sentence (both in the positive and negative). Though, why the topic of vocabulary is at hand, let me say this to my fellow review board members: y’all motherfuckers need to find a new word besides “pedestrian“. I’ll leave it at that.

As reviewers, every year we’re often left wondering why certain people have chosen to submit to DEF CON and whether or not they actually understand what type of conference it is. A prevailing sentiment on many submissions is “This is not a DEF CON talk”. While the content may be of significant quality, the question we often ask ourselves is “is this talk right for DEF CON?”. Sometimes the answer is that while it would be good at a developer conference, RSA, or BlackHat, it simply wouldn’t be right on a main stage at DEF CON. DEF CON is, or at least it strives to be, a hacker con first and foremost.

TL;DR : This is DEF CON, please bring your “A” Game.

The Time Commitment

Often times people ask to be on the CFP Review Board because it is an honor and privilege to be among the group that selects the presentations for DEF CON… It’s also a giant time suck, which people sometimes fail to realize (or believe us when we tell them).

Now for the more formalized explanation of that so my “editor” doesn’t get pissed:

It’s been stated before, but being on the DEF CON CFP Review Board is an enormous time commitment. In the first few months, the average time a reviewer spends on talks is ten to twenty hours a week, depending on the volume of talks received. In the last two weeks, when everyone is rushing to submit before CFP closes, the time required rises to forty or more hours a week. The DEF CON CFP Review Board, like many other CFP Review Boards, is an entirely volunteer activity that many times becomes a second job. This is one of the big reasons we encourage people to submit earlier, and not wait until the last minute. Total time spent for a General Reviewer is probably in the range of 280 working hours.

The rule of the board for a General Reviewer is to do as many talks as you feel you are able to, but hit at least 70% of the talks. In practice and as far as the other general reviewers are concerned, you should be getting as close as you can to 100% of the talks. If the other reviewers feel that you’re not pulling your weight (so to speak) they will call you out. We’re like the fremen in that sense, crysknife and all. In less nerdy terms, no one wants to get shanked in the exercise yard because they didn’t review enough talks.

The topic of the exercise yard leads us into our next area, the prisons guards.. I mean, the DEF CON CFP Review Board staff.

The Defcon CFP Review Board Staff

Nikita and Alex are the foundation of the Review Process. They post the talks, interact with the submitters, deal with the reviewers when we’re cranky and obstinate (we can really be bitches sometimes), reshape the feedback given by the reviewers and transmutate those turds into flowers and candy before the submitters view it. They are the fecal alchemists and without them, the process would not work.

Similarly, there is the non-official review board staff member in the form of Jericho who tracks our submissions, votes, and other information. He categorizes the talks for us while providing amazing feedback and insight into anything vulnerability disclosure related. Like Nikita and Alex, Jericho is an integral part of making the DEF CON CFP Review Board function and prosper.

The fourth person (another unofficial one) who deserves a great amount of credit for making sure that people keep up with their reviewing is our own special CFP Vocal Antagonizer in the form of Roamer. If a review board member is slacking they can be certain that Roamer will “gently” remind them that they need to review talks. This is an important role as we want as many of the review board to provide feedback and vote on a talk as possible. This ensures more reviewers see it, and provide commentary based on their diverse background. In other words, Roamer is like a shot caller; if you don’t sack up and do the tasks assigned to you, you’re going to wake up with a horse head in your bed.  

Both Jericho and Roamer are inspiring examples of what it means to truly care about the hacker and DEF CON communities. On a personal note, it’s also pretty cool that I get to call Nikita, Jericho, and Roamer, these amazing people, my friends. I say that because after all these years, they still talk to me, even though I can be a bit dramatic.

While we’re on the topic of dramatic people, let’s talk about our special reviewers. I’m just kidding, where drama is concerned all of them pale in comparison to yours truly.    

Special Reviewers

Our special reviewers are subject matter experts who specifically comment and give their feedback on talks in their “wheelhouse”. There are many talks where the “general reviewers” simply don’t feel fully qualified enough to make the necessary judgement of a “yes” or “no” vote. Sure, they are familiar with a topic to some degree, but just don’t spend their lives immersed in that corner of security.

Everyone in InfoSec “knows” about pen-testing and social engineering for example. However, unless that is their primary tradecraft and they have been doing it for a decade or more, they may not be keeping up with the latest tools and techniques. In such cases, the general reviewers will typically “defer” to the subject matter experts. The input provided by the Special Reviewers this year has been invaluable in helping shape what DEF CON 26 will be.

Discussions

The DEF CON CFP Review Board has a unique style in how they (we) review talks in contrast to many other CFP Review Boards. There is oftentimes a lot of discussion that goes on about individual talks that plays a key part in the process. The reviewers do not live in a vacuum when reviewing the individual talks, rather, they are encouraged to communicate with one another openly on the system so as to provide a higher quality of talk selection. Sometimes the discussions may turn heated, but at the end of the day it does improve the final selection. “Heated” is a really nice term. It’s a really nice term because when we say it, you may think we might mean like a “hot summer day” when it fact we mean the fires of Mordor, or whatever is causing a burning sensation in the nether regions.

The being said, on the Review Board, it’s very important to be open to new ideas and perspectives which such discussions strongly facilitate. I don’t think the DC CFP review board would work nearly as well under any other type of system. Conversely, what works for “us” may not necessarily work as well for other CFP Review Boards.

How do I get on the CFP Review Board?

First, are you really sure you want to? Do you really have the time? The numbers we posted before about the time commitment wasn’t an attempt to oversell things (in fact they are probably conservative estimates). As a review board member you will be dedicating that much time to reviewing talks over a three to five month period, with the final weeks being absolutely brutal. And if you don’t? You’ll find yourself being called out or greenlit by a shot caller. And then the best option there is you may not be asked back the following year. Remember, you are helping to shape the tone, feel, and content of DEF CON, the longest-running hacker convention now attended by over 25,000 people. That is an incredible responsibility and you are helping ensure that attendees get value from the talks they attend.

Still want to do it though? OK. Talk to some CFP Review Board members at DEF CON 26. That’s it… just do that. Judge for yourself based on how they describe it, the good and the bad. If any of them describe a breezy stroll through a nice park with flowers and chipmunks, walk away. They aren’t telling you the whole story.

Why don’t you have a CFP Review Board Panel at Defcon?

First, it would be super boring. Invariably the attendees are going to ask us a lot of questions that we can’t answer about specific submissions. While we may “vague” tweet or generally answer a question, we can’t and won’t provide specifics on submitted talks beyond what Nikita and Alex have provided as official feedback, and then only to the person that submitted the talk. So the panel would consist of a lot of jokes, high-level “CFP tips”, and not much more value. If you really want to “know” more about the CFP, just find out where some of us hangout at DEF CON.

Before we end this first entry in this series of three or four posts. I would like to take the opportunity thank you for reading along thus far. Jericho and myself worked on this entry, but he shouldn’t be held responsible for my tangents, side notes, and improper use of some punctuation.

Credit Roll

First and Foremost, we really need to thank those people around us (friends, family, significant others) that deal with us during the three to five month a year process of reviewing talks. They truly are the unsung heroes. They know we can’t go into specifics, but they’re there to listen to us bitch and moan about “that talk”. They understand us during this endeavor when we forgo plans to hangout with them or we’re not in bed until three hours past normal time. Without their support, we could never accomplish the task laid out in front of us.

General Reviewers

Jericho Roamer HighWiz Shaggy
bcrypt Vyrus Zoz Claviger
Suggy Wiseacre Secbarbie PWCrack
KingTuna Medic Dead Addict ZFasel

Special Reviewers

Andrea Matwyshyn w0nk Malware Unicorn
Snow Kodor Grifter

DEF CON Staff

Nikita Alex

DEF CON Founder

The Dark Tangent

Shoutouts

We’d also like to give a big shout out to the Workshops Review Board. While they are a separate entity from the CFP Review Board, their contributions to DEF CON are just as important.

Tottenkoph Munin Sethalump DaKahuna
CyberSulu Kodor SinderzNAshes SinderzNAshes
Kodor SinderzNAshes Wiseacre HighWiz

In part two of the series we will be covering the statistics, because that’s the type of thing that makes some of us (but especially Jericho) super wet.

With part three will come our thoughts, and comments on the Submission Form and the Questions we ask.

Part four will be some lessons we’ve learned along the way as well as ideas for improving things in the future.

One last thing, Jericho is totally the Jimmy McNulty of the CFP Review Board.


Continue reading the second blog in this series, “DEF CON 26 CFP Basic Statistics and Observations“.

Before you publish your end-of-year vulnerability statistics…

TL;DR – The CVE dataset does not allow you to determine how many vulnerabilities were disclosed in 2017.


I’ll try to keep this fairly short and to the point, but who am I kidding? Every year for a decade or more, we see the same thing over and over: companies that do not track or aggregate vulnerabilities decide to do their own review and analysis of disclosures for the prior year. Invariably, most do it based on the publicly available CVE/NVD data, and they do it without understanding what the dataset really represents. I know, it seems simple on the surface, but the CVE dataset is not easily understood. Even if you understand the individual contents of the export, you may not understand how it was created, what shortcomings there are, what is missing, and what statistical traps you face in digesting the data. Just doing the basic parsing and automated ‘analysis’ of that data via your tool of choice (be it grep or something fancier) means very little unless you can disclaim and properly explain your results. Either way, follow along with the advice below before you publish your ‘vulnerability stats for 2017’ please!

So let’s start with the basics of CVE data analysis. Begin by grabbing the latest CVE dump, a gzipped CSV file, that represents MITRE’s CVE dataset. Note, this is different than the exports NVD offers and welcome to the first hurdle. While the base vulnerability data is 100% equivalent between the two, NVD does additional analysis and creates metadata that is useful to many organizations. NVD provides CVSS scoring and CPE data for example. The relationship between CVE and NVD is interesting if you observe it over time, where it used to be a clear ‘MITRE publishes, a day later NVD publishes’ relationship. For the last year or two, NVD will sometimes open up a CVE ID before MITRE does for various reasons. This also gave way to Bill Ladd observing and writing about how the Chinese National Vulnerability Database (CNNVD) is actually opening up CVE IDs faster than both NVD and MITRE. Consider that for a minute and understand that the relationship between these three entities is not straightforward. Then consider the relationship between many other entities in the bigger picture, and it gets even more convoluted.

See? You start by grabbing a data dump, a paragraph later you have the start of disclaimers and oddities as pertains to the larger CVE ecosystem. Next, decompress the CVE dump so you have a CSV file to work with. Now, before you eagerly start to parse this data, stop for a moment. Did you do this same analysis last year? If so, great! Do you understand what has changed in the last 18 months with regards to CVE and more specifically MITRE? If you can’t quickly and readily answer that question definitively, the kind of changes that are the first in almost 19 years for the program, reconsider if you should be commenting on this data. In case you missed it, Steve Ragan published an article about MITRE / CVE’s shortcomings in September of 2016. The article pointed out that MITRE was severely deficient in vulnerability coverage, as it has been for a decade. Unlike other articles, or my repeated blogs, Ragan’s article along with additional pressure from the industry prompted the House Energy and Commerce Committee to write a letter to MITRE asking for answers on March 30, 2017. When a certain board member brought it up on the CVE Board list, and directly told MITRE that their response should be made public, MITRE did not respond to that mail in a meaningful manner and ultimately never shared their response to Congress with the CVE Board. It is important for you to understand that MITRE operates CVE as they wish and that any notion of oversight or ‘Board’ input is only as it is convenient to them. The board has little to no real influence over many aspects of MITRE’s operation of CVE other than when they set an official vote on a given policy. Additionally, if you point out how such a vote that impacts the industry is not adopted by certain entities such as CNAs, many years down the road? They don’t want to hear about that either. It’s up to the CNAs to actually care, and fortunately some of them care very much. Oh, you know what a CNA is, and why they matter, right? Good!

OK, so you have your data dump… you better understand the state of CVE and that it is so deficient that Congress is on MITRE’s case. Now, as experienced vulnerability professionals, you know what this means! The rubber-band effect, where MITRE responds quickly and disproportionately to Congress breathing down their neck, and their response impacts the entire CVE ecosystem… and not necessarily in a good way. So welcome to the second half of 2017! Because it took roughly a year for the Congressional oversight and subsequent fallout to strongly influence MITRE. What was their response? It certainly wasn’t to use their abundant taxpayer funded money to directly improve their own processes. That isn’t how MITRE works as I far as I have seen in my career. Instead, MITRE decided to use their resources to better create / enhance what they call a “federated” CNA system.

First, spend a minute looking at the ‘federated’ term in relation to CVE, then look at the use of that term in the recently edited CNA Rules. Notice how the use of ‘federated’ in their context appears to have grown exponentially? Now check the definition of ‘federated’ [dictionary.com, The Free Dictionary, Merriam Webster]. While sufficiently vague, there is a common theme among these definitions. In so many words, “enlist others to do the work for you“. That, is quite simply, what the CNA model is. That is how the CNA model has meant to work from day one, but this has become the saving grace and the crutch of MITRE as well as the broader CVE ecosystem in the last few months. On the surface this seems like a good plan, as more organizations and even independent researchers can do their own assignments. On the downside, if they don’t follow the CNA rules, assignments can get messy and not as helpful to organizations that rely on CVE data. One thing that you may conclude is that any increase in CVE assignments this year may be due, in part, to the increase of CNAs. Of course, it may be interesting to you that at least two of these CNAs have not made a single assignment, and not disclosed any vulnerabilities in prior years either. Curious why they would be tapped to become a CNA.

OK, so you have your data dump… you know of one potential reason that there may be an increase in vulnerabilities this year over last, but you also know that it doesn’t necessarily mean there were actually more disclosures. You only know that there are more CVE IDs being assigned than prior years. Next, you have to consider the simple numbers game when it comes to vulnerability statistics. All CVE IDs are created equal, right? Of course not. MITRE has rules for abstracting when it comes to disclosures. Certain criteria will mean a single ID can cover multiple distinct vulnerabilities, and other VDBs may do it differently. It is easy to argue the merit of both approaches, so I don’t believe one is necessarily right or wrong. Instead, different abstraction rules tend to help different types of users. That said, you will typically see MITRE assign a single CVE ID to a group of vulnerabilities where a) it is the same product and b) it is the same type of vulnerability (e.g. XSS). You can see an example in CVE-2017-16881, which covers XSS vulnerabilities in six different Java files. That is how they typically abstract. Search around for a couple minutes and you will find where they break from that abstraction rule. This may be due to the requesting party filling out separate requests and MITRE not adhering to their own rules, such as CVE-2017-15568, CVE-2017-15569, CVE-2017-15570, and CVE-2017-15571. Then you have to consider that while MITRE will largely assign a single ID to multiple scripts vulnerable to one class (e.g. CSRF, SQLi, XSS), their CNAs do not always follow these rules. You can see examples of this with IBM (CVE-2017-1632, CVE-2017-1549) and Cisco (CVE-2017-12356, CVE-2017-12358) who consistently assign in such a manner. If you think these are outliers that have minimal impact on the overall statistics you generate, reconsider that. In keeping with their abstraction policy, IBM issued two advisories [#1, #2] covering a total of nine CVE IDs for unspecified XSS issues. If MITRE had assigned per their usual abstraction rules, that would have been a single ID.

OK, so you have your data dump… and now you are aware that parsing that dump means very little. MITRE doesn’t follow their own abstraction rules and their CNAs largely follow different rules. So many hundreds, likely a thousand or more of the IDs you are about to parse, don’t mean the same thing when it comes to the number of distinct vulnerabilities. That is around 10% of the total public CVE IDs issued for 2017! OK, forgetting about that for a minute, now you need to consider what the first part of a CVE ID means. CVE-2017-1234 means what exactly? You might think that 2017 is the year the vulnerability was disclosed, and the 1234 is the unique identifier for that year. Perhaps. Or does 2017 mean the year the vulnerability was found and an ID requested? The answer is yes, to both, sometimes. This is another aspect where historically, MITRE made an effort to assign based on when the vulnerability was discovered and/or disclosed to a vendor, not when it was published. Under the old guard, that was an important aspect of CVE as that standard meant more reliable statistics. Under the new guard, basically in the last two years, that standard has disappeared. Not only do they assign a 2017 for a vulnerability discovered and disclosed to a vendor in 2016 but published in 2017, but also they assign a 2017 ID for a vulnerability discovered and disclosed in 2017. Worse? They are also now assigning 2017 IDs to issues discovered and disclosed in previous years. If you need examples, here are MITRE-assigned (as opposed to CNAs that do the same sometimes) 2017 CVE IDs for vulnerabilities disclosed prior to this year; 2016, 2015, 2014, 2013, 2011, 2010, 2008, 2004, and 2002. Notice the missing years? Some of the CNAs cover those gaps! Note that there are over 200 cases like this, and that is important when you start your stats. And we won’t even get into the problem of duplicate CVE assignments that haven’t been rejected, like the first two assignments here (both are invalid assignments and that CNA should know better).

OK, so you have your data dump… you’re ready! Let loose the scripts and analysis! While you do that, I’ll save you some time and math. As of December 24, 2017, there are 18,251 CVE identifiers. 7,436 of them are in RESERVED status, and 133 are REJECTed. As mentioned above, 238 of them have a 2017 ID but were actually disclosed prior to 2017. So a quick bit of math means 18,251 – 7,436 – 133 – 238 = 10,444 entries with 2017 CVE IDs that were disclosed in 2017. This is an important number that will be a bit larger if you parse with Jan 1, 2018 data. This should be your starting point when you look to compare aggregated disclosures, as captured by CVE, to prior years. Based on all of the above, you also now have a considerable list of disclaimers that must be included and explained along with whatever statistics you generate. Because MITRE also stopped using (1) consistent (2) formatting to (3) designate (4) distinct (5) vulnerabilities in a CVE ID, you have no way to parse this data to actually count how many vulnerabilities are present. Finally, know that Risk Based Security’s VulnDB tracked 7,815 distinct vulnerabilities in 2017 that do not have CVE coverage.

Cliff notes? The CVE dataset does not allow you to determine how many vulnerabilities were disclosed in 2017. Hopefully this information helps with your article on vulnerability statistics!

John Thomas Draper: Setting the Record Straight re: Blue Box

The tl;dr cliffnotes: John Draper was not invent the Blue Box.


In April of 2015, several years after Phil Lapsley published “Exploding the Phone” giving a detailed history of the early days of phreaking, I wrote a blog largely based on that book to clear up long-standing rumors and mistakes in a variety of publications. John Draper, despite reputation, had not been the first to discover the whistle in Cap’n Crunch cereal boxes in the late 1960s. Recently, an article by Kevin Collier stated that Draper “invented the ‘Little Blue Box,’ an electronic device to better imitate the signal. In 1971, Draper showed his design to two fans, Jobs and Wozniak, who, with Draper’s blessing, began selling an improved version.

Other articles and publications have varying takes on this, some more neutral and accurate, some even more outlandish. For example, recent articles covering John Draper’s sexual misconduct mention his history and why he is well-known. Ars Technica says that he “helped popularize the ‘Little Blue Box'” and the BBC says he “went on to create a ‘blue box’ that generated other tones“. In the case of Ars Technica, that is certainly accurate historically. In the case of BBC, the wording may be taken to some that he created it, as in he was the first to do so. Another example of wording that implies Draper was the first can be seen in a Computer World article from 2011, that says he “then built the phone phreaking tool called blue box that made free calls by making phone calls appear to be toll-free 800-number calls.” Interesting, to me at least, Wikipedia gives a general history of the device, but does not definitively say who invented it.

Perhaps worse, books about computer crime and security get it wrong, and worse than wrong. In “Cybercrime: Investigating High-Technology Computer Crime” by Robert Moore, he clearly states the blue box was “invented by John Draper“. Perhaps the worst example I have seen is in the book “Mobile Malware Attacks and Defense” by Ken Dunham in which he attributes not only the blue box to Draper, but also all of “telephone hacking” when he built it.

Like my blog two years ago, I turn back to ‘Exploding the Phone‘ by Phil Lapsley, a book that I cannot speak highly enough about. Through his extensive and exhaustive research, along with years of interviews, his history of phreaking is comprehensive and fascinating. By using a few key bits from the book, we can quickly see the real history and origin of the blue box. It also makes it crystal clear that John Draper did not invent the blue box. Like the whistle, he did it years later after friends told or showed him the basics.

From page 51, the start of a chapter titled “Blue Box”, it tells the story of a then 18-year-old named Ralph Barclay who read the November 1960 Bell System Technical Journal which contained an article titled “Signaling Systems for Control of Telephone Switching”. After reading the article, Barclay figured out that it had all of the information required to avoid using a pay phone to make a call, and that it could be done “directly”. By page 56, Lapsley describes how Barclay build his first box over a weekend, in an “unpainted metal enclosure about four inches on a side and perhaps two inches deep.” Barclay realized fairly quickly that he needed the box to do more, and as described on page 57, he built a new box because he “needed multifrequency“. “His new device was housed in a metal box, twelve by seven by three inches, that happened to be painted a lovely shade of blue. Barclay did not know it at the time, but the color of his device’s enclosure would eventually become synonymous with the device itself. The blue box had just been born.” This was in 1960 or 1961 and represents the origin of the blue box.

On page 87, Lapsley tells the story of Louis MacKenzie who also spotted the vulnerability based on the 1960 Bell Systems article. MacKenzie went to AT&T and offered to tell them how to fix the ‘blue box’ vulnerability, for a price. When AT&T declined, “MacKenzie’s attorney appeared on the CBS evening news, waving around a blue box and talking about the giant flaw in the telephone system.” By that point, advertisements for blue boxes could be found in some magazines, including the January 1964 issue of Popular Electronics. Thanks to AmericanRadioHistory.com, old issues of Popular Electronics are available including the January 1964 issue! On page 115, we can see the advertisement:

Further along in the history of phreaking, Lapsley covers John Draper’s story related to the blue box. On page 151 it sets the time frame: “Now it was 1969 and he was John Thomas Draper, a twenty-six-year-old civilian.” Page 154 tells the story of when Draper was asked by friends who had already been ‘blue boxing’ by using an electronic organ, to build them a box.

Teresi and Fettgather wanted to know if Draper could build them a multifrequency generator – an MFer, a blue box, a portable electronic gadget that would produce the same paris of tones they were making with Fettgather’s electronic organ. Draper said he could.

He returned home in a state of shock. “I had to build a blue box,” Draper recalls. And that night he did. It was a crude first effort that was difficult to use. It had seven switches: one for 2,600 Hz and six to generate the tones that made up multifrequency digits.

Draper’s first blue box was built in 1969, around eight years after Barclay had built his first unpainted ‘blue box’, and his second box that was actually “a lovely shade of blue“, giving the phreaking tool its iconic name.

Bonus:

To further set the record straight, Lapsley tells the story (p220 – 221) of Steve Wozniak, who “had his [blue box] design worked out” and “was particularly proud of a clever trick he used to keep the power consumption down so the battery would last longer” in 1972. After Wozniak had built his own blue box and refined it, he and Jobs then met John Draper for the first time. While the three traded “blue boxing techniques and circuit designs”, Draper did not show them how to do it, did not show them their first box, or introduce them to the concept.

A View Into DEF CON 25 CFP…

First, this post is not sanctioned by DEF CON in any way. I am a member of the CFP team who decided to keep some rudimentary statistics on the submissions this year. I did this to give the team a feel for just how many submissions we got, how many talks we accepted, and primarily to track the way we voted. This greatly assists the powers that be (the amazing Nikita) to more quickly determine which talks are well-received. Every day that I kept up on the spreadsheet, the more ideas I had on tracking. Other team members said “you should track…”, and I typically did. So this blog is to give some insight into the entire CFP process, with a solid slant on statistics about the submissions.

First, a few basics:

  • DEF CON 25 CFP opened on February 01, 2017
  • DEF CON 25 CFP closed on May 01, 2017
  • 17 talks were submitted after closing date and were considered for various reasons
  • We received 536 submissions
  • Three of the submissions were retracted by the end of CFP
  • BlackHat received 1,007 submissions this year for comparison

Next, who are we? There were technically 31 DC CFP reviewers this year, and you can read their fun profiles now (mouse over stuff here and there, call it an Easter egg)! Ten of them are considered ‘specialty reviewers’, where they typically review talks on a very specific topic such as ‘social engineering’ or ‘legal’. These are generally topics where the submissions are either too numerous and potentially murky to figure out if they are worth accepting (social engineering), or a topic that most of InfoSec aren’t really experts on, even when some of us are the #1 armchair lawyer in InfoSec. The specialty reviewers are expected to review their topic only usually, while a few are open to review multiple topics. That means there are 21 reviewers who are expected to review ‘as many talks as you can’, understanding that we may DEFER on a given submission if we feel it is out of our wheelhouse, and remembering that this is extremely time-consuming and we all have day jobs. Some of us have night jobs, and some of us have social lives (not me).

Every year we come up short on reviewers who are truly qualified to give solid feedback on a given topic. This year DC CFP put out a call for more volunteers and we hit a bit of gold, getting several new reviewers who are quality and put in a crazy amount of time. Next year? We know there are topics we need help on, so if you are sharp, kind of special(ty), or the top of your game in a popular field… come join us. I can’t stress how important this is. Instead of just working on a talk or doing a thing, you have the ability to help influence the presentations given at a conference with some 20,000+ attendees. That is a lot of power, a lot of influence, and the potential to do a lot of good. Personally, that is why I still sacrifice the incredible time I do.

Shout outs! The only way to start this paragraph is to call out Nikita for handling almost all CFP submission related emails. Incoming submissions, replies saying “you didn’t follow directions”, second-attempts, replies saying “no really you ‘brilliant hacker’, you didn’t read our guidelines”, posting them to the CFP platform, watching for the CFP team to say “I have questions” and us largely forgetting to flag it back to her, her following-up with the submitter, repeating several times in some cases, posting their replies, looking for the CFP team to ask more questions… hopefully you get the picture. The amount of work she fields in a three-month span, just related to CFP, is insane. I say that as someone who has worked more than 80 hours a week in this industry for the last twenty years. Oh, did I mention that she also voted on 60% of the talks? While five ‘full’ reviewers voted on less talks than her.

A plea! If you didn’t see the numerous Tweets and requests to get your talks in early, I cannot emphasize how much it benefits you, more than us. When a talk comes in during the first few weeks, it gives us plenty of time to not only review and ask questions, but to give feedback in the way of suggestions. In some cases, one of the team will break away from the board and work with the submitter to improve their submission. This year, I did that once with someone who’s original two submissions garnered a single yes vote. After working with them and giving feedback on how to combine the talks and hone in on the areas of interest, the re-submission received 12 yes votes and zero no votes. In an ideal world, that would happen for every submission, but a significant number of talks are submitted the last two days.

Meaningless numbers! Because our industry loves to work with statistics that they don’t fully understand or have little meaning without serious caveat and disclaimer (PPT), let me throw out a few. For the 536 submissions we received, the CFP team voted yes 1,223 times, no 3,555 times, maybe 186 times, deferred 945 times, and abstained 54 times. Again, we defer if we feel that a topic is not one we can fairly judge based on our expertise and rely on the rest of the team to review. We abstain when there is a potential conflict of interest: if we work with the submitter, we contributed to the submission, or have a negative personal past with the submitter.

Meaningful numbers! We requested feedback from the submitter 125 times and changed our votes 61 times. Working with us to answer our questions, willingness to accept our feedback, and work with us to build a better presentation benefits everyone. As Nikita tweeted, more than 60 of the accepted talks were from first-time DEF CON speakers. Given there were ~ 110 accepted talks (and 422 rejected), that is quite a lot. It is encouraging to see this many new speakers given some of the past submissions from egotistical industry veterans that felt they deserved a speaking slot on the back of a weak submission, simply because of “do you know who I am?!”

More meaningful numbers! Of the 536 submissions, 185 (34.77%) said they would release a new tool. Only 56 (10.53%) of those submissions said they would release a new exploit, and some of those claims were questionable. It is common for people submitting to DEF CON to also submit to BlackHat and/or BSidesLV. This year, 218 (40.98%) of those submissions were also submitted to BlackHat and 65 (12.22%) of them were also submitted to BSidesLV. For various reasons, often around the ability to get to Las Vegas, some submitting to BlackHat will submit to DEF CON but say that acceptable at DEF CON is contingent upon acceptance at BlackHat. This year, 36 (6.77%) talks were submitted to us with that caveat. In a somewhat arbitrary categorization, overall I felt that 200 (37.31%) of the talks were ‘red’ (offensive), 88 (16.41%) were ‘blue’ (defensive), and 38 (7.09%) were ‘black’. By ‘black’, I mean that the topic really had little merit or benefit for red-teaming and were really in the realm of criminals.

Even more meaningful numbers! Some of the most basic stats that can be generated for your ocular pleasure. First, these are arbitrary categories that were developed as we received submissions. Nothing formal and some talks were hard to classify:

From there, I broke it down further by some topics that aren’t necessarily specific to the red or blue domain. Again, kind of arbitrary and based on seeing the submissions as they came in and note that one talk may have been flagged as more than one topic:

When building a schedule over four days and across five tracks, while considering if it is better to suggest a talk for a village or alternative venue (e.g. Skytalks), Nikita has to play Tetris of sorts based on the accepted talks, the requested time, and the schedule. This is what she had to work with:

One of the more popular questions this year after an increased awareness and public discussion around diversity in InfoSec, is the gender breakdown for submissions:

Finally, a general picture of the submissions by month. Recall what it looked like for the April breakdown above and you once again get a good idea why we would like more submissions earlier in the process:

Finally, a quick note on a common perception for InfoSec conferences and talks in general. Given the drastic rise in the number of conferences popping up, there is a saturation that demands more submissions to fill the schedules. That means that veteran speakers can typically shop their talks around or be selective in where they submit based on the venue they find appealing. That also means more new speakers are submitting which results in a wide range of topic and quality of submissions. That led me to argue this Tweet and remind people that a conference can only work with what is submitted. Personally, I feel that the overall quality of submissions to DEF CON (and a couple other conferences I review for) have gone down this year and last. That means that DEF CON ended up accepting some talks that I personally did not care for.

Bottom line? If you are researching a cool topic, submit a talk on it. Have a unique perspective or done more digging on something? Share your work. Never submitted before? Submit early and let us work with you if you need it. If a security conference is lacking, it is due to the community as much as anything else.

A Note on the RSA Keynote Fiasco…

In the past day or two, The RSA Conference announced a few of the keynotes for the upcoming 2016 RSAC conference. The industry is largely scoffing at some of their choices, for obvious reasons. There are so many facets to this topic, one could write a book. Hopefully I will limit myself to the key points, as applies to the chatter in our industry. If a couple paragraphs are meh to you, skip down a few, as the point will likely change quite a bit.

First, let’s put this into perspective. This is the RSA conference. The Computer Dealers’ Exhibition (COMDEX) of the InfoSec industry. This conference is a weird mix of “OMG necessary” and “OMG I hate it“, and it has been for a decade or more. It’s the party everyone shows up to, and the one you want to be at, to ‘be seen’ and ‘catch up on the gossip’, even though you hate it. In our industry, it is the embodiment of reality T.V. in many ways. On the flip side, this conference hasn’t actually been relevant to our industry for a long time, where reality T.V. is sadly relevant in the worst ways. Sure, it is THE place to do a meet-and-greet, solicit new customers, solicit new employees, and show off your stupid “advances” in security technology. Advances in quotes for a blindingly obvious reason. But, if you feel RSAC is relevant in any meaningful way to our industry, you can stop reading here. You are not my intended audience, and do not meet the “you must have this IQ to ride this ride” criteria. Sorry =( I feel this point is almost entirely lost on the 2016 RSA keynote fiasco.

On the “keynote” angle, first… what is a “keynote” talk? You can’t even Google “keynote” and get the definition in the first few results. You actually have to qualify “keynote definition” which I can’t recall ever having to do for Google to get a definition. Even for some pretty obscure animal-related searches I have done while trying to learn as much about wildlife rehabilitation as I could. That is telling.

Now, I called this bit out in my BSidesDC “keynote” presentation in 2014, where I questioned what a keynote was, in my keynote. How very “meta”, and how very appropriate given I picked on RSAC back then. Look to slide 5 where I pointed out that RSAC had as many as four keynotes a day back then, 16 in total. So again… what is a keynote? For most conferences, it is very clear, per the definition. It “sets the intended tone of the conference” in so many words. For RSAC? It is more a game of how many “big” speakers can we cram into a multi-day event to fill the seats. [Remember, many of them may be in our industry, but it doesn’t mean they bring any value to the rest of us.]

This latest fiasco is no different. So… back to the controversy. RSA stacked the keynote deck with the usual nobodies (in the context of providing real value to our industry, or if an awesome person, not in the context of a 40 minute talk). This year, they went above and beyond, and are having three people in the keynote lineup that are more than questionable. I’m sure it isn’t the first time we have seen it, but it sticks in my mind… RSAC set up a “keynote panel”. For most conferences, that would be laughable, but in 2014 they had 16 keynotes. Compare that to this year, with 20 keynotes on the schedule so far! Two minorities, and one female, if you are keeping track after the last two years of our industry pointing out the lack of diversity. Maybe RSA will say it is a good sample representation to be politically correct, given the representation in the industry!! So… the three speakers making waves, well before the conference starts?

  • Charley Koontz, Actor, CSI: Cyber Panel
  • Shad Moss, Actor, CSI: Cyber Panel
  • Anthony E. Zuiker, Creator/Executive Producer of the CSI Franchise, Technology Visionary

It is honestly difficult to figure out how to approach this, in the sense of writing this blog. This show has been lambasted from day one within the InfoSec industry. Worse, it has deviated from the CSI franchise in ways that are arguably more harmful to the public than the predecessors. The last 15 years of the other CSI shows have created the “CSI Effect“, which has been a burden on our current legal system. It took many years of the original CSI franchise to give us that modern problem, that interferes with our judicial system on a daily basis. We are all arm-chair experts on DNA, trace matter, footprints, dark crime scenes, and flashlights. That is a T.V. show born out of a 30+ year scientific discipline. And it has serious backlash in the real world.

Now, we have CSI: Cyber, which is easily argued to be the worst of the franchise. Looking at ‘Rotten Tomatoes‘, well-known for providing real-world reviews of movies, what do they say about the entire CSI franchise?

rotten-tomatoes-csi

Wow… enough people hated CSI: Cyber to contribute their opinion, where the original CSI show that ran 15 years didn’t get enough feedback to rate. The original show was ground-breaking, in many ways. It introduced the average American household to the world of forensics, even if exaggerated and dramatized to some degree. Jump to today, and enough have spoken out against the new spinoff to give it a negative rating. That is telling.

OK OK, so jump back a bit, because this is not an easy blog to write. The entire CSI franchise is questionable; it has some serious value, but also has some serious pitfalls. So let’s try to focus on CSI: Cyber. Start by doing a Google search:

google-csi-cyber2

Woops, that is telling. It also reminds me that the series got renewed for season 2, which I bet would happen to an FBI agent I know (who refuses to watch the show, as does the entire ‘Cyber’ division in his city). If it gets renewed for season 3, I lose a dollar. OK, seriously sidetracked. Back to the latest drama..

Cliff notes: three people related to CSI: Cyber are part of the RSAC 2016 keynote clustermess this year. Two actors, and an executive producer putting himself forward as much more than that (or RSAC is), are part of a panel that is a keynote. Every bit of the InfoSec fiber is not happy with this, and they shouldn’t be. RSAC is grabbing what is popular, what is in the ‘mainstream’, and vomiting it on stage. No care, no concern, and most importantly, no consideration of what it means. Of the two actors, do either have any background in computers? Security? One is a very young rapper-turned-actor who I previously Tweeted to, because I felt his portrayal as an African American actor in the context of the Black Lives Matter movement was absolutely horrible. I’m a privileged white guy and I felt that episode was a disgrace to African Americans (do the math). The other is “sympathetic to the issues” according to Violet Blue, in an article she wrote on this topic. If Koontz is truly sympathetic, he should either back out of the talk accompanied by a public statement, or use the stage-time to go against the very reason he was invited. Embrace the fact he is a T.V. actor, that the show is lacking in technical detail or reality, and call out the technical advisors and/or producers, and let the world know why the show may be harmful. As for the producer, why? It could be argued there is value if one of the technical consultants to the show were to speak, not a producer.

It should be obvious that I do not think any of them are relevant, or should be keynoting a BSides, let alone RSAC. They are actors in a mid-ratings show, built on a 15 year-old franchise. A current iteration that isn’t really that popular or well-known… merely “what some people are watching”. RSAC is quite simply cashing in on a popular meme, in line with the profitable business.

So… let’s agree to agree, or agree to disagree! Yep, how is that for a blog plot twist, befitting that horrible T.V. show? Let’s focus on the small bit that actually got my attention in all this, that demanded all of the above as backstory and explanation. Let’s jump to the other fun bit of this mess. While most of the industry was somewhere between annoyed and outraged over these keynotes being announced, others quipped in ways that suggested the industry wouldn’t be so upset if it was “other” high-profile media-centric personalities that were keynoting.

rsac-fiasco-actors_from_hackers

I’d like to assume the ellipses were leading off to the obvious conclusion, “we would ridicule them just the same“. But I have a feeling that was not the intended argument. That movie is 20 years old, released on the fourth year of RSAC. Assuming you at least meant to compare the cast being keynotes at the 1995 RSAC… this is actually a more compelling comparison as far as a “timely” media publication being thrust upon our industry. Back then, I don’t think it would have been considered. I say that because some of us in the hacker circles back then joked about them speaking at DEFCON and how absurd it would have been.

rsac-fiasco-colbert_baldwin

This is a fascinating comment, because it puts two polar opposites as a single argument that somehow has the same merit, which is baffling to say the least (compare Colbert vs Baldwin in the context of ‘actor’ vs ‘comedian’). If your argument for comparison is “Stephen Colbert” (soft T), then I would argue you are beyond dense and completely oblivious to the genius of the persona Colbert (hard T) took on. The entire persona was designed around being a blind fanboy to an ‘industry’ (or political party in his case, which is basically an industry) in a manner that highlights how absurd the industry is in the first place. That is exactly the kind of persona that would help our industry realize how perverse it is, and show us through delicious irony how absurd and blind we are to our own problems. More importantly, Colbert did not claim any relevance to, or portray anyone in our industry in any way.

If your argument for comparison is Alec Baldwin? That is a valid argument I think! If the industry didn’t speak out against Baldwin in this context, while speaking out against CSI: Cyber actors, that seems hypocritical. I don’t recall Baldwin doing a RSAC keynote in the past, but it isn’t something I would have noticed unless there was an eruption of drama. Stick with this example for arguments against the CSI: Cyber cast.

rsac-fiasco-adam_savage

Really? This has to be the worst comparison possible. Adam Savage has made his career around breaking and building things, a cornerstone of the hacker ethos and mentality. Not only does he build and break things, he does it in the pursuit of truth and shares it with anyone willing to watch MythBusters. That embodies the hacker spirit in the minds of a significant portion of our industry. The cross-over from our largely digital world, to his largely analog world, makes complete sense. He is a rare case where the ‘reality’ in ‘Reality TV’ is actually true.

To come full circle, people still argue that RSAC has value because that is where the “trends” are announced. The problem is, RSA ‘trends’ are mostly buzzword rebrands of old technology, with a few ‘bleeding-edge’ adjectives thrown in to make them sound more sexy. I’ll leave this great Tweet as a tongue-in-cheek, but accurate, reminder of how a significant portion of our industry views the conference, regardless of keynote choices.

rsac-tic

Studies, articles, and social media activism are just a start.

I would imagine everyone reading this, who partakes of social media to any degree, is getting worn down with the social media activists. Like everything, there are some that are effecting change and doing great work. They use the media to spread the message while helping to enact change in other ways. Basically, doing more than just ‘awareness‘. You can Tweet and Facebook and Tumblr all day long about “help our vets”, and the sentiment is great. But until you turn that effort toward people who can effect change (e.g. politicians), it’s not likely to actually help a veteran. Oh, and you do occasionally promote charities that help the veterans and donate yourself… right?

Yesterday, “Spouse-gate” happened at the ASIS / ISC2 Congress event. In a nutshell, a female InfoSec professional is a speaker at the conference, and her InfoSec professional husband joined her as a regular attendee, but via her “plus one” that the conference provides for. Each “plus one” in the eyes of ISC2 is the spouse, which by definition is the husband or wife. So imagine his surprise when he goes to the registration desk and finds the staff “utterly confused how [he] could be a spouse and asks [him] four times how [he’s] a spouse“. Did the meaning of spouse change sufficiently in the past years, that it is only applied to females? He explains several times that his wife is speaking, and he is her “plus one”, and they finally understand. Next, they give him a con swag bag and information regarding ‘spouse events’ which include shopping trips. The bag included two bottles of hand lotion, an empty photo album, shopping coupons, a magazine, and the business card for Jay Claxton, the Director of Loss Prevention at Marriott Vacation Club International.

I think it safe to say that the conference bag for spouses is a clear case of misogyny. Now, why am I posting about this? Peruse the bag contents and scroll down…

isc2-bag

I have been an outspoken critic of ISC2 for many years. In the last couple of years, I have toned down that criticism considerably, for various reasons. The biggest reason is that one of the board members, Wim Remes reached out to me and prompted many discussions over a year. He made an effort to get my feedback on how ISC2 could improve in their process, public perception, and get back on track (my words) with their intended purpose of making the security industry better. When someone in a position to effect change reaches out and demonstrates they want to make things better, it is time to help them rather than continue to criticize the organization. In that time, Wim has done an incredible job working to change the organization from the inside. Sorry for the diversion, but I feel it is important to give credit to those working very hard toward bettering our industry.

At some point in the last year or two, ISC2 has taken on a very public “pro-woman” stance (scroll through their Twitter feed). They have collectively called for more equality in the workforce in our industry. In fact, within one hour of ‘Spouse-gate’ starting, ISC2 was Tweeting about women remaining underrepresented in InfoSec. It’s hard to understand how an organization can promote a great cause while also devolving to the base levels of misogyny that are a root cause of the inequality.

isc2-tweet

Social media activism can do great things. But many of the great things that can be done get lost in the noise of people blindly re-posting feel-good messages that ultimately do very little to do actual good, and concretely support the cause. If organizations like ISC2 want to help effect real change, they need to “be the change that [they] wish to see in the world.” In short, more doing and less grandstanding.

Compassion Fatigue in an industry largely devoid of compassion.

A few days ago, Bruce Schneier actually wrote a slightly interesting piece for Fusion. I say that with surprise because most of his articles are engaging and well-written, but he rarely shares new ideas or concepts. Most of my professional circle is already very familiar with a given topic, and Schneier largely enjoys a reputation for his insight because he has a considerable following and they read about it there first. In this case, it wasn’t so much that Schneier’s piece was new information (he did quote and cite a 1989 reference on the topic that was new to me), it was that he flirted with a much more interesting topic that is somewhat aligned with his point.

In ‘Living in Code Yellow’, Schneier quotes a handgun expert who described a specific mind-set. From his article:

In 1989, handgun expert Jeff Cooper invented something called the Color Code to describe what he called the “combat mind-set.” Here is his summary:
[..]
In Yellow you bring yourself to the understanding that your life may be in danger and that you may have to do something about it.

Reading on, Schneier brings up the psychological toll that such a mindset can have, and that concept should not be new to anyone that has been in InfoSec for a few years.

Cooper talked about remaining in Code Yellow over time, but he didn’t write about its psychological toll. It’s significant. Our brains can’t be on that alert level constantly. We need downtime.

While not new a concept, this one flirts with another type of psychological toll that some in the industry are not familiar with, based on my conversations over the last year. It only took a few minutes of Twitter discussion for others to recognize the same thing. While the point I want to bring up is similar to a degree, I want to stress that is also significantly different based on profession. I am not comparing InfoSec people to the people that typically face this condition. That said, quoting Wikipedia’s entry on ‘Compassion Fatigue‘:

Compassion fatigue, also known as secondary traumatic stress (STS), is a condition characterized by a gradual lessening of compassion over time. It is common among individuals that work directly with trauma victims such as, therapists (paid and unpaid) nurses, psychologists, first responders, health unit coordinators and anyone who helps out others.

This is another important aspect for some InfoSec professionals, but clearly not all (or most?) of them. Personally, I feel this is a condition that can manifest in people who truly care about their work, and as the article says, people who “help out others”. Many in our industry technically help, to some degree, but are driven by profit and fame. I do not think they suffer from, or will ever suffer from such a condition. On the other hand, there are certainly many InfoSec professionals who strive to help their clients, the public, and anyone they can. Money is a nice perk, but they are likely the ones that would do it even if it meant a paltry salary. Unfortunately, I think that many of them are newer to the industry as it speaks directly to compassion fatigue and the effects it can have on an individual. From Wikipedia again:

Sufferers can exhibit several symptoms including hopelessness, a decrease in experiences of pleasure, constant stress and anxiety, sleeplessness or nightmares, and a pervasive negative attitude. This can have detrimental effects on individuals, both professionally and personally, including a decrease in productivity, the inability to focus, and the development of new feelings of incompetency and self-doubt.

First, I don’t think our industry suffers from the last detrimental effect. It is brimming with egotistical idiots that never have those feelings, even if they should. Second, while I doubt anyone in our industry will suffer nightmares, the rest can and likely hold true to varying degrees. More specifically, hopelessness and a negative attitude. I will be the first to admit that I fall into this category when it comes to InfoSec. I have a serious level of apathy and disillusionment with the effectiveness of our industry. I have several draft blog posts on this topic and may finish one some day. All of the evidence is right there, showing we fail over and over in the bigger picture. Those who argue otherwise are idealists or new to the industry. Either they haven’t seen the evidence, or they refuse to believe it. It is easy to miss when you live the life. But there is a steady level of ‘systematic desensitization’ as @VRHax calls it, and that is spot on. For anecdotal comparison, think back to the frog in boiling water story, even if not true. It happens to us all, even if we aren’t fully cognizant of it.

While compassion fatigue can have a much more serious toll on some of the professions listed above, I believe that it likely has an interesting way to manifest for our industry. Rather than lose the desire to help, or feel it is hopeless, I think that it slowly wears down an individual in a different way. They lose that desire to help out of a truly noble cause, and inch toward doing it only for the salary and lifestyle that many of us enjoy. As such, they become hopeless as far as original intent, don’t enjoy their work as much, develop a base level of stress, and grow an increasingly negative attitude, yet do it because it pays well.

Unfortunately, when you join the industry, you aren’t warned about this to any degree.

If you volunteer at an animal rescue / rehabilitation shop, you are likely to be warned of this during your orientation on day one. And for good reason! When you spend your time trying to help a sick or wounded animal, do everything in your power to help it, and it doesn’t make it… it is devastating. That warning is what prompted me to read more on the topic originally, and it took Schneier’s blog to make me realize just how true it was in our industry, one that largely helps out of selfish gain rather than altruistic desire. So I am grateful for his blog missing the mark as usual, but doing so in a way that prompted this blog and discussion. Is there a solution to this, for InfoSec professionals? Not that I can figure out. Many that see the problem still operate under this assumption that we can magically fix things, if only we could figure out! They rarely give merit to the possibility we are in an untenable position and there is no way to win. Perhaps they should watch Star Trek again and consider the value of the Kabayashi Maru challenge. In the mean time, I will offer you a simple but slightly twisted way to help deal with compassion fatigue in our industry; by going outside of it. Dare to face it in another world while you help others unrelated to technology. I’ve found great reward in doing it every week, even if I may ultimately face the same problem.

2015-06-07-151123-Chip20150712_154604

BSidesLV, two boxes-of-shit up for charity auction…

For those not familiar, last year I created a new-and-improved Box-of-Shit that was put for charity auction at BSidesLV 2014. Wow, lot of dashes there, go Engrish! For those not familiar with the absolutely legendary attrition.org boxes-of-shit, take a minute to familiarize yourself with it. The box last year was the center of a heated bidding war, with a BSidesLV security staff member proxying bids from another room, as a bidder was also teaching a class or robbing a casino or something like that. Anyway, Nate the Hero (official title) donated $1,000 to the charities selected by BSides (EFF, Securing Change, and HFC). Outstanding!

This year, I doubled down. There are TWO boxes of shit up for auction…

First, the important part. I humbly ask that you read and focus on this bit, because it is the entire point of my effort and goal in doing this. BSidesLV 2015 auctions will raise money for OWASP, Electronic Frontier Foundation (EFF), Hackers for Charity (HFC), and Hak4Kidz. Supporting charity is always a good thing, right?

Remember, InfoSec is considered a “zero unemployment” industry, and our average salaries are ridiculous. While we are quick to do the Facebook “like-activism” to support minimum wage increases, many of us spend $6 on a coffee every morning. If you make solid money in our field, and you cannot go out of pocket for 1% of your salary, you should probably skip the next version of “h4ck1ng f0r l33t kidz” and read a book on personal finances. Live a little… give up a shred of luxury, and donate to the greater good. If you win, you will get to read some personal thoughts I have on the matter, and receive a challenge of sorts.

So… there are two boxes this year! You can troll my Twitter feed for a few random pictures that barely tease what are in each. Even better, you can use this blog to see the teaser page that is accompanied with each box! I’ve been told that there will be remote bidding this year, which is very cool. For the next two days, I will also answer questions about each box, in a manner that does not reveal how awesome, or how lame a box is. Rest assured, more time and energy was spent on these two boxes than all other boxes/envelopes I have ever sent out, combined. Each box comes with a ~ 4 page personal letter for the winner, among other things. That has to be worth a postage stamp at the least.

box-bad

box-good

Here you go! You get what the in-person bidders get, the same teaser PDF. If you are at keys, you can play 20 questions via Twitter, while they are throwing back a bud light and telling their new friends about how they found an unpatched WordPress CMS last week.

p.s. These are likely to be the last ever boxes I brew, for many reasons.
p.p.s. In the interest of exposure, I will spam this link several times the next couple of days. DEAL WITH IT

John Thomas Draper: Setting the Record Straight re: Cap’n Crunch Whistle

The tl;dr cliffnotes: John Draper was not the first to discover that a Cap’n Crunch whistle could be used for phreaking.


It is almost a ‘fact’ that John Draper, also known as Captain Crunch, discovered that a toy whistle in a box of cereal could be used to make free phone calls. I say ‘almost’ a fact, because so many people believe it, and so many people have written about it as if it were fact. Even recently, a magazine known for intelligent geeky facts parroted this falsehood:

Not long after Engressia shared this information with the other phreakers, John Draper discovered that a toy boatswain’s whistle that was included in boxes of Cap’n Crunch cereal in the late 1960s could blow a perfect 2600Hz tone.

Even going back to 1983, a book titled “Fighting Computer Crime” by Donn B. Parker carried the myth:

A young man just entering the U.S. Air Force to serve as a radio technician was fascinated with telephony and took courses on the subject at college and discovered the whistle that catapulted him to crime, infamy, and misfortune.

Google around for tales of Draper and the whistle will find a variety of sites that say he discovered it. These include the Snopes message board, a telephone tribute site, high school papers, and other archival sites. And this isn’t limited to more obscure sites, this ‘fact’ is still repeated by mainstream media articles.

While some in the industry have had doubts or heard tale that Draper did not discover the whistle’s significant tone, it wasn’t until last year that we finally got a definitive answer and story. Phil Lapsley wrote a book titled “Exploding the Phone” that gives an exhaustive history of phone phreaking and is a must read for anyone interested in the topic. Lapsley’s research put him in touch with many players of the time, and the real story emerged:

Page 155: Several years earlier a Los Angeles phone phreak named Sid Bernay had discovered you could generate a nice, clean 2,600 Hz tone simply by covering one of the holes in the plastic toy bosun whistle that was given away as a prize in boxes of Cap’n Crunch cereal. Armed with their Cap’n Crunch whistles Fettgather and Teresi and friends would cluster around pay phones at the airport and go nuts. [..] With Draper in the club the whistle trips expanded.

Page 166: (late summer of 1970) It was on one of those conference calls that John Draper discovered a new identity for himself. [..] One day Draper and Engressia were talking about using a Cap’n Crunch whistle to make their beloved 2,600 Hz tone, Engressia recalls, when Draper suddenly said, “You know, I think I’ll just call myself Captain Crunch. That’d be a good name.” Engressia immediately liked it. “It just fit him somehow,” he remembers. “It was just a good name for him. We called him ‘Captain’ a lot.” Captain Crunch was born.

Given that most of Draper’s modern reputation is based on his ‘discovery’ of the whistle, something he has done nothing to dispel or come clean about, I feel it is important to help set the record straight. While he may be an iconic figure in lore, even if undeserved, it is important to better understand what kind of person he was during this time.

Page 245: And as a rule universally agreed upon within their group, they avoided John Draper and his friends like the plague. “I tell you,” [David] Condon says, “Draper was the kiss of death. He was asking for it, he was looking for trouble.

Page 313: All this did not sit well with Steve Jobs and the other managers at Apple, who thought the Charley Board product was a bit too risky and, besides, they disliked Draper to begin with.

In addition to being disliked, Draper had a growing criminal record that included seven counts of violating 18 USC 1343 (Fraud by Wire, when he used a blue box to Australia, New York, and other places) in 1972, violating probation later in 1972, arrested in California in 1976, and indicted on three counts of 18 USC 1343 while on probation. To this day, Draper maintains it was a conspiracy:

Page 287: To this day, Draper maintains that he was framed. [..] “Well, it turns out that he had arranged with the FBI to tap that phone,” Draper says. “he told the FBI that I was going to be making a blue box call at that phone at that date and time.” The result was that the FBI now had a blue box call on tape with Draper’s voice on it. [..] You see, the informant that the Los Angeles office of the FBI sent up didn’t arrive in the Bay Area until Tuesday, February 24. The blue box telephone calls that Draper was eventually busted for occurred four days earlier, on Friday, February 20. And on that Friday the Los Angeles informant was still in Los Angeles, enjoying sunny southern California weather or breathing smog or whatever it is that LA phone phreak informants do when they’re off duty.

But this wasn’t the end of his crime. In New Jersey in 1977 he was arrested and charged with possession of a red box, which was later dropped. He was again arrested in 1977, this time in Pennsylvania, which led to him agreeing to a plea deal in 1978 to one count of possessing a device to steal telecom services. He was sentenced to 3 – 6 months in jail with credit for 1 month served. That charge and plea also meant he violated his federal probation for earlier crimes, sending him back to California to spend time in prison as well. During all of this time, two psychiatrists observed that Draper “tend[s] to pass himself off as the victim claiming that he has almost no control over all of the troubles that now beset him” and that he had “numerous paranoid delusions of being especially picked out for persecution because of his power and knowledge”. Both psychiatrists agreed that a jail would not be a good place for Draper, leading a judge to sentence him to a furlough program for one year. Finally, in 1987, he was caught forging tickets for the BART system which lead to a plea bargain, resulting in a misdemeanor.

I offer all of this up, courtesy of Exploding the Phone, as a reminder that many people in InfoSec consider him a hero of sorts, and feel that his history was beneficial to the world of phreaking. In reality, it was not. He was just another phreak at the time, did not discover the Cap’n Crunch whistle, was caught during his crimes several times, and then somehow became a telecom legend. To this day, Draper still tries to use his reputation to get handouts from the industry. If you want to support him, just be sure you understand who you are supporting, and why.