DC26 Attrition Badge Round-up

This is the first DEF CON I am attending after a long break. For kicks I decided to make up a run of DC26 Attrition badges like prior years and conferences. Depending on who you ask, the badge is a decoration only, or it gets you into fabulous parties and amazing events. Anyone with a badge is encouraged to embellish.

Since the July 5 announcement of the badge, I increasingly focused on using them to raise money for charity. That, in turn, prompted several people to ask for details of the badges and the money raised. This blog will hopefully answer those questions and maybe inspire others to help out when they can. If you aren’t interested in the quick story, scroll down to the inspiration section please.

First, a link-heavy summary. On July 7, I did the first charity challenge looking to raise money for the ACLU, GLBT Community Center of Colorado (The Center), and Planned Parenthood. I also started giving out a handful of personal challenges to random people expressing interest in a badge with fun results.

On July 10, I did a second charity drive bigger than the first. I also offered one badge up as part of an art challenge for the best original art featuring Lazlo. Deathjaw17 won that with this epic piece:

In addition to the art, I did a few other trades including for this slick challenge coin as well as a few other DC26 badges. At this point some of the winners of badges started posting pics, including with chickens, with epic beasts, and with bubbly! The Lazlo badge also got a tour of Philly and a sweet visit to the CompSci building in War Games. One badge went out and led to a fun picture and backstory of a ‘dojo squirrel’. During this process, I got an unexpected care package from Kentaro, that he sent before I sent him a badge, and @Otterannihilation received a badge and sent back an amazing gift as a thanks. Meanwhile, pictures of badges kept coming:

Inspiration and the Opposite

By this point, after two big charity drives, and several subsequent one-off drives, it was clear to me that raising money for charities was a great option. Badges were in demand and a lot of great people were willing to throw in money to help great causes. This also led to some other great opportunities that aren’t donations to charity, but amazing ways to help out. The level of inspiration and good-will in our industry is always refreshing, one of the few things that keep some of us from losing all hope. More on that later.

The opposite of inspiration came in two forms. First, while the badges w/ lanyards cost $298.60, the postage to mail them out to x people cost $448.12, meaning the entire effort cost $746.72. This was due to the lanyards, which meant the badge couldn’t go as an envelope; they had to go as a package. Each envelope cost $3.50 domestic, $10 Canadian, and between $13.75 and $14.25 to mail international. This resulted in one fun trip to the post office that took around 30 minutes and produced a generous receipt.

The second came in the form of being questioned and challenged about my badges repeatedly, and being accused of “strongly [reinforcing] exclusive cliques within infosec”. After assuring someone this was not “a dark stunt satirizing infosec exclusionism and signaling”, giving information on the charity contributions at the time, and reminding everyone that “the charity-driven badges are open to *anyone*. i have sent badges last week, and will send some this week, to people I don’t know and have had little to no interaction with”, I still faced questions about if I was reinforcing the exclusive cliques in infosec. I’ll say this definitively; I am not reinforcing cliques at all. This is trivial to see if you remember the definition of a ‘clique’, and consider that I don’t know half the people getting a badge other than a brief Twitter interaction.

OK, back to the inspiration. At the suggestion of Noah, with his input, two badges were given out to people who volunteered to provide InfoSec training for free. First, Jim Manico volunteered to give one of his well-known and appreciated AppSec classes in December on his birthday, for free, with the focus of recruiting women, LGBTQ, and/or PoC for the class. Additionally, Bones volunteered to design and give an infrastructure/cloud security pentesting course. I also suckered her into slipping in a not-so-subtle requirement.

An even bigger inspiration, and one that shocked me, was the community stepping up to donate to charity for a badge. Once I saw the generosity, I ran with it and focused on using a majority of the badges to continue raising money for charities I support, and ones that the donors support. The charities that received donations in return for badges included the ACLU, Cavy Care, Center for Genocide Research and Education, Colorado Animal Rescue, Electronic Frontier Foundation, Greenwood Wildlife Rehabilitation Center, Hawaiian Humane Society, Kids in Need Foundation, Planned Parenthood, Retriever Rescue of Colorado, SaveABunny, Special Operations Warrior Foundation, Sprout Therapeutic Riding and Education Center, The Wild Animal Sanctuary, and Women in Security and Privacy (WISP). A total of 69 donations from 67 heroes between 2018-07-06 and 2018-07-28 raised a total of $8453.47. I’m still happily shocked at this outcome.

I also want to thank Heidi for chatting and educating me about Women in Security and Privacy (WISP) and their initiative to help more women get to DEF CON. Over a week of chatting, it started out as “this is my first DEF CON and it is rough financially” to her being one of the recipients of the WISP grants. Even better, one of the people that donated and won a badge said to give it to someone else. I suggested Heidi and they said that was a good choice! So on top of getting help to DEF CON, she got a badge, and I threw in some stickers to round out the fun.

Finally… are you sad you didn’t get a badge? Depressed that you didn’t get a chance to donate to charity to win one? Fortunately for you, there is one last chance! Jives reached out and we’re partnering for a big charity auction, with a couple days left! You can bid to win a DerbyCon ticket, a DC26 Attrition badge, and a custom box of shit! Bid now, bid often, win this sucker!

A Personal Challenge

A personal challenge, as in, the kind where I challenge myself. Last year, I got my friend Tamba a birthday gift of entry into the Tough Mudder Colorado. Since I was not in appropriate shape, I signed up as a spectator and ended up photographing the event. Two nights before the event, Tamba broke his ankle. Undeterred, he iced it on the drive up, wrapped it, and ran the race. After seeing that, I figured I should challenge myself.

This year, I got him the same present and signed up myself to participate. If you aren’t familiar with the Tough Mudder, or similar events, it is designed to test your endurance and physical ability. It isn’t enough to run the course, which is 11 – 12 miles in Colorado. You face 20 or more obstacles, some of them quite brutal and challenging.

This morning we got out of Denver on time but ran into a slight problem. During our philosophical discussion of post-apocalyptic planning and survival options, we missed our exit. Before we realized it, we had overshot by some 25 miles (the next exit happened to be many miles from the last). Our 1:20P start time was looking grim. By the time we turned around, parked, took the shuttle, checked in, and dropped our bags, we joined the final starting group of the day at 2:00P. This was a concern to me because the Mudder has a ‘cut off’ time (4:30P this year) where you may get sent down the mountain a much quicker way, out of the event. This meant I had to do about 5 miles of uphill, from 7,400 feet to a summit of 9,600 feet, in 2.5 hours. Given my asthma, that didn’t look feasible. Having been sick the entire week with a bad cough and serious congestion, that didn’t bode well either. This also meant that I started the race on about 350 calories, as we didn’t have time to get a bit more food in Avon, CO as planned. Doh! Clearly not my ideal circumstances for running the Mudder, but I didn’t have any other option.

This year’s course:


Of the 11 miles, I ended up doing about 9.5 of them. At the top of obstacle 6 (The Gauntlet), because it was right at 4:30, we barely made the cutoff (or were minutes late). Instead of cutting us off, we got moved directly into the downhill part of that obstacle, going over huge snow/ice ‘ramps’. These were rough as the ice was jagged and cutting many hands trying to slide down them. Upon reaching water station 3, I was dizzy and light-headed, and it didn’t go away with rest and water. Over ten minutes later, it was clearing up a tad but not going away completely. I sent Tamba up a brutal half mile+ uphill while I cut over to where water station 4 is (but it wasn’t really there). This gave me another 20 minutes to recover so I could continue the course. While we were only at ~ 9,000 feet, the lack of oxygen was affecting me and I am sure it was mild altitude sickness as well as dehydration. By the time Tamba got around that loop, I was ready to go on. From water station 5 to obstacle 15 was the final uphill push of the course, or so I thought. I slowly made it up that one, but didn’t have the energy for the very last uphill between obstacle 17 and 18. From just past 17, I took the access road down to obstacle 19 before finishing the course.

Ultimately, the lack of food as well as the amount of uphill (more than last year) sapped me completely. My legs were a constant dull pain by halfway through the course, and my back had a sharp pain from mile 2. Usually a solid hike does not hit my back at all, even in similar trail conditions. While I didn’t quite do the full course and had to skip some obstacles, we were on the course for over 4.5 hours.

Starting at 2P, we were able to catch up to the other 2 people running from Tamba’s gym (Amy and Lecia) who started at 1:20P as planned. Despite my very slow pace on the uphill, we ultimately passed some people and finished about an hour before the final person. While recovering, we also watched as an 80-year-old man crossed the finish. That is hardcore. Team Up Gym:


An exhausted, hungry, bruised, and sick me:


The one upside to all this? Post-Mudder dinner! This was the first time I was able to eat a plate of Nachos without Tamba yelling at me about fat and calories. The other thing? Biggest plate of nachos I’ve seen in my life, from Dillon DAM Brewery (note the fork for size reference):


Twitter, the Ultimate Better Business Bureau

Over the last year, I have learned that Twitter has become the ultimate medium for getting a company’s attention. When you complain about a company and include their @ name, the potential for a lot of people to see it is there. As such, companies have quickly figured out to be very responsive, and very quick in responding to public complaints there. Personally, I have had good luck with this, and found many companies to be responsive and quickly fix, address, or promise to look into my issues. Today, I had another quick win.

ABC news sends out email-based news flashes for high profile happenings. I subscribe to them, as well as the blasts from CNN. ABC’s mail however, for a year+ now, has not carried a date header. This means that mail comes in, and if you sort by that date, it doesn’t sort well. It is also just bad etiquette not to follow a 30+ year old RFC that mandates that header in all emails. I took @ABC to task over it this morning before I went skiing:


By the time I got home, ABC had sent out another news blast, and this time it carried the date header! After over a year, all it took was a single Twitter complaint.