SecurityBSides in San Francisco, held March 2nd and 3rd at Parisoma, was an experience that those in attendance will not soon forget. This is not because of Andrew Hay’s opening slide with his pink dress, but because of a community of security professionals sharing and collaborating in a fresh new way, apart from the vendor-is-king conference across town. What makes this conference so very different is the granular level of interaction the attendees can have with the speakers and sponsors. Not only are the actual talks much more interactive, but the sponsors in attendance can actually interface with the attendees and understand their needs, as well as having the opportunity to convey their message in a conversation, not an expo-floor 5 minute pitch.

Some of the talks that were covered over the 2 days of the event are listed here.

Media coverage of SecurityBSides here.

Thank you to the vendors & volunteers that made this event possible!

Upcoming SecurityBSides Events:

March 13, 2010 - BSidesAustin – “Keep Security Weird” – Coinciding with SxSW Interactive

April 24-25, 2010 - BSidesBoston – weekend after SOURCE Boston.

July 29-30, 2010 - BSidesLasVegas – coinciding with Black Hat / Defcon

Here are some highlights from SecurityBSides San Francisco acquired using the ancient art of screen capture from the Flickr streams of Jack Daniel and Vissago.


My ode to Rapid7

Posted by SecBarbie on Wednesday Feb 17, 2010 Under RSA Conference, Sociability, Social Media, Tools, security

<Fade IN:>

A few weeks back, I was sitting in my office in the middle of a meeting with one of my Directors and my phone rang. It came through as one of our trunk lines, so I knew it was a transfer from the receptionist. I was in a good mood, so I answered it. Lo and behold, it was my first call from a Rapid7 Sales representative (the first that I actually answered, that is). Knowing that Rapid7 recently acquired Metasploit, I gave the gentleman a listen. He talked up the RSA party, HD Moore, and the products that Rapid7 is currently marketing compared to some of the competitors. All in all, it was a perfectly fine conversation and I did walk away with some value add. My only critique was that it was pretty long, and I’m too busy to spend that much time talking about a product that we aren’t yet seeking a new vendor for.

<Announcers Voice:> Later the same day

I receive another call from a Rapid7 sales representative who had no idea that I had just spoken with a gentleman earlier! I might have been a little curt on the phone, but please refer back to the fact that I am actually extremely busy, and had already invested 40 minutes on the phone with the previous representative.

Later the same day I asked my twitterverse for information about Rapid7 products, because I trust my colleagues who have used them more than I could EVER trust a demo. Thanks to the great social community of Security Twits, I gathered a great deal of information. Additionally, I learned from someone close to internal Rapid7 that Rapid7 follows all the Rapid7 mentions on twitter... what fun would a day be without throwing a #Rapid7 after some tweets?

<evil-grin>

In all seriousness, Rapid7 is doing some very positive things for the industry in regards to sponsorship of the SecurityTwits event at SourceBoston, employing some AMAZING researchers, and advancing the MetaSploit project with commercial funding!

Rapid7, please work on a sales team lesson in positive versus negative social media networking. Here are my examples of Rapid7 Negative Social Media Marketing:

LinkedIn:

  • Requests to professionals who they have never met or never worked with:

Twitter names omitted: “Anybody know what’s the bright idea with Rapid7‘s sales team suddenly trying to join people’s networks on linkedin??”

“ Ok @Rapid7, your salespeople’s newfound relentless addition of my linkedin have grown irritating & bothersome. Please DIAF.<- Ah :”

  • The February 16th slew of LinkedIn spam from “Business Developers” that most of my colleagues received. Not cool!

Twitter:

  • The Rapid7 twitter feed is just a press release reel; there is no interaction with the community. The same can be said for the Facebook page!

Notable mention:

Having the “JR” account reps monitor twitter for Rapid7 mentions — Boiler Room meets Rapid7!

The RSA Party!

I’m sure everyone is thrilled that Rapid7 is hosting a party at RSA. But again, this is another marketing fail. They might not want to use the acronym “VIP” as it generally doesn’t mean invite everyone in the world, post it on twitter, then brag about having 1,000+ people at the party.

In case you didn’t RSVP… you can do so here http://www.rapid7.com/forms/rsarsvp.jsp

Come on Rapid7, you can do better than this!

I’m sure you are a great organization, it sure looks as if your employees have fun working there, but I have to say that Rapid7 Sales and Marketing gets the *first ever* Official SecBarbie FAILBarbie award of the month for doing bad all by themselves!


Shnow-pocolypse 2010! (A mini-journal)

Posted by SecBarbie on Saturday Feb 6, 2010 Under Sociability, security

To quote the Weather Channel:

“The storm may reach the top 3 of all-time in the Washington, D.C., area and may rival the record of 28″ from the “Knickerbocker” storm of 1922.”

I am taking a little break in the festivities to let you all know that it has officially snowed pretty hard at ShmooCon VI. My flight has been canceled for Sunday, so with any luck at all I will be arriving back in Chicago (aka, the land that can handle 6″< of snow) sometime early next week.

With that, I have to say that the spirits of all the con goers are absolutely amazing! Trash-bag sleds are being used, as well as certain individuals having snowboards and snowshoes. The content of the event has started out with a bang, and the actual tracks tomorrow look exceptionally promising!

Thank you to @quine’s employer for hosting the Securitytwits meet-up this afternoon, it was VERY enjoyable! Syngress held a very nice happy-hour meet-up, and the DC949 party was absolutely killer! Festivities are still commencing as I type, but sometimes one must just call it an evening!


I need a sysadmin for my Facebook!

Posted by SecBarbie on Wednesday Jan 20, 2010 Under Sociability, Social Media, security

- A Facebook Privacy Memoir Part I

Facebook is so lovely, you can learn about what your friends who you don’t have time to keep up with are doing, look at their pictures, watch some of their videos and generally cyber-stalk them with their permission. Oops, we call that ‘being social’ not stalking now. In the last few years people have really enhanced the art of the me-me using social networks such as Facebook under the guise of “maintaining transparency”. This does beg the question, how much is too much?

In the last year Facebook has come a long way when it comes to the privacy settings, and nearly everyone is hiding something from the general population, so we do have a start for some security. If you want to be uber technical about it, you can use friend lists and play with your privacy settings to create different views for each segment of your life, but who has time for this? Just like any system, add more complex controls and the users who should be using them the most will not.

I have used firewall graphical interfaces that are less complicated than the Facebook privacy settings. This is mostly because the privacy settings for Facebook are not all in one place. There are the Privacy settings in the drop down, but then you have to customize your photo privacy settings in a whole different screen. Now add in the option to create groups for your contacts and manage the settings by those groups as well. All of the technically minded people might think this is a piece of cake, but my aunt, who isn’t that technical, can barely handle navigating from one profile to the next, much less the privacy settings! Yet she has no problem posting pictures, tagging me in the pictures, and sharing them with her friends.

As Christopher Burgess wrote in his Cisco Security Blog post ‘Security – Who is Responsible’:

“ When we wish to use an automobile, we are required to go through a number of steps even before we get the vehicle rolling.  During the drive, we adhere to the rules of the road (drive on the appropriate side, use our signals, stop at red-lights, go when green, etc.).  When the engine light illuminates, the brakes start to screech, or the steering pulls too far left, we take note and either perform the required maintenance or we take it to the garage shop for service. We correct. The mechanic isn’t sitting in the backseat providing telemetry surrounding your vehicle’s operation, and unless my grandmother is in your backseat, you’re probably not being told how to steer, accelerate or brake.  You are responsible.  All of these actions are the responsibility of the operator—the user.  You, the user, will decide “How do I maintain my vehicle and operate it?”  When you violate motor vehicle laws (and are caught), what occurs?  You receive a ticket and tickets carry consequences.  In the US the consequences might include a monetary fine, points on your license and, for some, a mandatory trip to court.  With choices and actions come consequences.

In the online world, we have the same basic responsibilities for security as a driver has in the physical world for safety.”

The unfortunate fact is that there is no education on the do’s and don’ts of social media for people such as my aunt, nor would the millions of high school students who are competing for the largest friend list and posting every little moment of their life even listen if there were! So here are my two tips for Facebook and a link to Cracked’s 10 Commandments of Facebook.

    Don’t friend ANYONE you don’t know, and deny friend requests if you don’t know them!

Don’t friend anyone you don’t know if you post anything to your Facebook that you wouldn’t post on a public or work bulletin board! You don’t really know who is on the other side of the profile.

If you don’t know the person, deny the friend request promptly! Unfortunately there is a bug in Facebook right now that allows people who request you as a friend to see your live feed while the friend request is pending. As of right now, there is not a privacy setting on the live feed. This is bound to change soon, but it is a good measure to always deny friend requests until you know that person.

    Unless part of your job is using Facebook, don’t update your Facebook from work!

You don’t know who is really on the other side of your ‘Friends’, so unless part of your job is social media, don’t update your Facebook status from work. Wait for lunch, or after work. This is ESPECIALLY important if your organization doesn’t allow access to Facebook.

The 10 Commandments of Facebook

Until next time….


Businesses going ‘Social’ ?

Posted by SecBarbie on Tuesday Nov 17, 2009 Under Sociability, Social Media

Thank you Mr. Jimmy Carter, I am blaming you for the demise of Business Sociability thanks to you condemning the practice of the three-martini lunch during your 1976 presidential campaign. Why is this your fault? Well, prior to the late 1970s, it was socially acceptable to do many things at work that fostered sociability, such as drinking, long business lunches, and early happy hours. By today’s standards all of these practices are unhealthy, and quite taboo in most organizations in the US. But what happened when we stopped drinking at lunch? We all stopped going to lunch!

The working society went digital, we ‘streamlined’ our workplaces, created ‘efficiencies’, and continued to show ‘ROI’ on digital investments by cutting employees. We became so efficient that, instead of reducing the hours we work, we have increased them in order to produce more! Some people don’t stop to get to know people at work; they use them just as they would a copy machine. Let’s take for example an excerpt that Emily Lawton wrote about drinking at work:

Consider this:

Madmen 2009

Professional A has an ongoing feud with Professional B, but they have to work in close concert with one another. For one year, Professional A and Professional B nurse a slowly-increasing hatred of one another. They are snappish, and uncordial. Ultimately morale in Department X goes down. Others tiptoe around Professional A and Professional B, fearing an outburst. Employees call in sick, or linger at the coffeepot. Productivity suffers. Then one day Mr. W, the department supervisor, announces the birth of his first child and everyone in Department X celebrates with a case of champagne. Professional A and Professional B realize the folly of their ways. They giggle and slap one another on the back. Perhaps they even continue their bender through the rest of the night and wake up in an old shed somewhere, but that’s a bit much to hope for. Let’s just say they make up and become, if not pals, then at least amiable co-workers. As you can plainly see, much time and effort was wasted, when a small dose of alcohol could’ve smoothed things over.

And so you see, the value in drinking is not just for chatting up cute girls in bars. That same social lubricant is useful (I daresay necessary?) in the workplace. Do not look down upon those of us who can be both drunk and productive. It is not a talent of the many. Those of us who understand its power can harness it for good, not evil. Recognize and celebrate—employers of the world, the next round is yours.


Have you ever talked with an older person (over the age of 60), and had them try to relate to putting in 10 hours in the office a day, then another 3-4 hours a night, and doing this 5-6 days a week? It just doesn’t make sense to many of them. Now, ask yourself how many of you know your neighbors, or are still friends with people you went to high school or college with? Welcome to social media! Since we have forgotten how to be social people in real life, our digital life has evolved to allow us to cultivate our relationships in small, digital quips! It is only a matter of time before all businesses begin forcing the technology and security departments to allow for more secure vehicles of social networking to broaden the digital reach of their product.

We do have a few things to learn from the martini lunches of the past though. Much like the business lunches that start with the best of intentions, social media initiatives always start out the same way. As social media is cultivated without restraints, it has the potential to allow employees to overindulge. Once people are comfortable, they begin letting out pieces of information, and little by little the organization can end up with information leakage.

Create a sound Social Media policy by setting reasonable objectives, allow for growth and cultivate creativity, but set boundaries. After the policy is set, monitor, monitor, monitor. Make sure there is a set person or group with the job responsibility to know what is being said by employees in social media that can impact the organization.


Even though I see the resemblance to ‘Facebook’ memes in this, I think that Andrew Hay had a great idea with this! I’m going to keep mine a little more professional-ish related, but it’s a great way to learn oddities about people within my professional-social network.

Without further ado: The Andrew Hay “5 Things You Might Not Know About…” project.

The rules:

  1. Create a blog post with the title “5 Things You Might Not Know About YOURNAME” (where YOURNAME is your first and last name).
  2. List 5 things that people may or may not know about you (it can be anything really).
  3. “Tag” 5 other people to do the same via the blog post, twitter, facebook, or all of the above.
  4. See what happens.

So here are the 5 Things You Might Not Know About Erin ‘SecBarbie’ Jacobs:

  1. I taught myself to read and type in HEX in college in order to talk about my professors while in class. (I’m not nearly as fluent as I used to be, but I should practice.)
  2. I only function on 2 – 4 hours of sleep or 7-9 hours of sleep… anything in-between that and I’m worthless.
  3. I used to write text files (stories <wink-wink>) to upload to BBS’s to gain DL credits. This was all well and good until my mother found some print-outs of them and told me after-school that she ‘disposed of some writings of mine’
  4. I used to be a ballerina, took ballet, jazz, tap, and modern dance from age 3 until I was 15 (I hated it).
  5. I don’t drink soda at all.

Hopefully this gets the ball rolling. I’m going to tag the following people in the hopes that they join in on the insanity: Damon Cortesi, Ed Bellis, Zach Lanier, Nicolle Neulist, and Jack Daniel.


One might ask why a techie-geek security management person like myself would go to the #140 Conference in New York. The security reason of interest to myself and to my organization is related to information leakage through twitter, as well as furthering social education about new technology risks.

What is #140Conf? You can check it out in the words of Jeff Pulver on his ideas behind creating the conference.

Having just spoken of the issue of adult social networking education last week, I feel that this will be a fantastic opportunity to get to the grass roots of how viral social networking can change personal brand definition and how information leakage impacts organizations. The magnitude of people getting fired, expelled from schools, and socially blacklisted due to a lack of forethought when using twitter is absolutely amazing; couple this with what information can be distributed with malicious intent and we have one powerful medium. Security awareness outreach is needed to better educate everyone on the impact of what they say today on the life they will live tomorrow.


Please look forward to my photo-blog that I will be uploading daily through my trek through the #140conf jungle, as well as the recaps of key topics.


Too much Security talky-talky! Now we have PIPES!

Posted by SecBarbie on Wednesday Dec 10, 2008 Under Sociability, security

Upon pondering what to do with the 40+ blogs and countless RSS feeds I look at just while I have my morning coffee, in walks Yahoo Pipes!

Yahoo! Pipes is one of a very small set of completely amazing on-line data manipulation and data mashup environments that can really change the way we work with on-line data sources. (The others are DabbleDB and Dapper.)

Yahoo! Pipes is…

Pipes is a hosted service that lets you remix feeds and create new data mashups in a visual programming environment. The name of the service pays tribute to Unix pipes, which let programmers do astonishingly clever things by making it easy to chain simple utilities together on the command line.

Unlike other RSS Feed readers, Yahoo Pipes gives a user a graphical display to allow for endless data manipulation!

So, with this much needed data, I took the SecurityTwits blog list and added all the accessible feeds to a Security Bloggers Pipe. Now I can drink my latte and see who all is re-blogging who in peace!


Play-by-Play Social Networking Style…. the new bloggers

Posted by SecBarbie on Wednesday Dec 3, 2008 Under Humor, Sociability, security


So you have people who blog, then they use Twitter (and other SocNet apps) to market their blogs and updates. Then you have people who follow and discuss issues on Twitter in a mini-debate type setting, and now I have found so many more blogs about the happenings in that blogger’s twitter universe. So are the new bloggers just social commentators on play-by-play activities in a segment of the security social networking world?


Wow, talk about a complete fast forward for the attention deficit people such as myself. My new goal is to find all the SecTwit Commentator blogs, and just read the Cliff’s Notes of what’s actually happening. This seems like a large time saver compared to reading the actual blogs of the people who then debate the issues, and eventually have a portion of the content regurgitated onto these commentary blogs... and now I just blogged about the blogs about twits and blogs...


Corporately Miss-Understood

Posted by SecBarbie on Thursday Oct 16, 2008 Under Sociability, Uncategorized

Once upon a time in a galaxy far-far-away…. okay, not that long ago, and this is true.

Some people could interpret my actions in the beginning of my corporate life as completely immature. I did fun things like get to know people, organize social events, and generally have fun while working. These actions allowed me to get to know some FANTASTIC people along the way. I had fun, was frustrated with corporate politics, but overall had a great support system to fall back upon. This all worked out as I climbed the ladder, but right before a transition period I met a person whom I greatly respected in the corporate world, and he told me that as a female I needed to be a hard-ass. He complimented me on already being very ambitious to have climbed the ladder this far, as well as being focused, but he highlighted that I was too compassionate to others in the workplace. I took this advice as gospel and adhered to it. This caused some problems, and when you add some other politics to this type of approach, it doesn’t yield great results. At the end of the day, I was being someone that I just am not.

As professional females, one thing we are not short of is advice about how to be a professional female. Now, nobody exactly has a good bible for the geeky professional females that came from the past of male-dominated roles and a male-dominated career path. Us females in these fields, well, we all have our quirks!

Through our journey in our professional lives, we all make our share of mistakes, we all stumble, we all fall. I’m sure we have all seen the following personality types:

(Thank you to Nari Kannan for these)

The Technical Prima Donna - This is the person who takes immense pride in his technical prowess. I am using He and His just to make the points across quickly and efficiently. It could very well be a She and Her! It will not be as much of a concern if the technical pride does not come in the way of matching technical solutions to business problems. That’s where quite often, technical prima donnas fall down on their face. They walk around like a person who has a hammer and everything looks like a nail to them.

The Interminable Planner – This is the person who spends more time planning things than doing them. I once had a colleague who had one of those thick Day Planners that had pages for Days of the Month, Project Wise Tasks, Program Wise Tasks, Task-Wise Detail Planner, Multiple Pages for Tracking Expenses, etc. This person spent the mornings just updating the planners and some of the afternoon was left for doing some things and then it is back to planning tomorrow’s activities! Planning is important but it is possible to get carried away by the planning at the expense of doing things.

The Conceptual Mountaineer – This is the person who never descends from the dizzying heights of analysis, design, programming, approaches, the latest in Xtreme Programming, writing code while sky diving since less oxygen is shown to be directly correlated to good code, etc. To him, mundane matters like users and the tasks they do are at best, irrelevant and at worst, a painful intrusion in their higher level thinking.

The Presence Meister - This is the person that is a gift to the team and even if they do not do any work, just their presence should be enough contribution for the day! They seem to be imagining mentor roles for themselves rather than contributors.

The Invisible Busybody – This is the person who lives in meetings and is never seen anywhere else. It’s one meeting after another and when done it’s time to be in meetings outside the company!

Although some of my antics of the past could definitely be construed as inappropriate behavior at best (organizing cart-wheeling contests down the halls is not smiled upon, nor are the “Guess what color thong” contests on corporate posting boards), my cold and pseudo-uber professional behavior during the period of my ‘being a hard-ass’ was terrible. I am now just me.

I raise my glass to those who have spoken to me, and those who have given me tidbits of their professional life.
