The Humanity of ShmooCon

I’m missing the ShmooCon hacker conference for the second year in a row because of family activities. But it remains a favorite of mine for several reasons. One is how it’s not afraid to explore how the human condition affects the security profession.

For starters, ShmooCon has given Johnny Long a platform.

Long, one of the world’s foremost hackers, has given presentations on why he started Hackers for Charity, a nonprofit organization using the skills of technologists to solve technology challenges for various non-profits and provide food, equipment, job training and computer education to the world’s poorest citizens.

Besides the obvious good that comes of this, the organization has done much to humanize hackers and help the world see them as more than introverts in basements using technology to break into networks for nefarious purposes. More than ever, hackers are seen as agents of positive change. Long deserves our thanks for that, and ShmooCon deserves thanks for giving him valuable exposure.

I also appreciate how ShmooCon has showcased the gifts of those who are different.

A powerful example of that was a talk renowned security engineer Marsh Ray gave at ShmooCon 2011, where he used the fragile mental condition as the basis of a talk called “A paranoid schizophrenia-based model of data security.” In that talk, he described working in a psychiatric hospital more than 20 years ago and getting to know Keith, a fellow who usually sat on the park bench strumming his guitar for spare change.

“Sometimes I would take a break from reading microprocessor manuals and listen,” Ray said at the time. “Keith had paranoid schizophrenia. He could explain how the world worked: ‘There is a great international conspiracy…’ he would say. Electromagnetic fields, government satellites, resonant dinner plates, you name it: He had it all figured out.”

Ray noted how Keith couldn’t trust the conflicting information coming from different parts of the brain. He knew he was vulnerable and spent much time and energy thinking about it.

“Does this not also describe our current relationship with data security?” Ray asked. “Our architectures have become so complex that they are inherently susceptible to internal schism, leaving us vulnerable to sudden manipulation by shadowy external forces.”

Ray noted that many of the things Keith predicted have come to pass, including radio transmissions being monitored by satellite and underground markets emerging for the purpose of trading information.

There are many more examples from previous years. But those are the ones that really stand out for me.

Sorry to miss it this year, but I wish those who are there a fabulous, enlightening weekend.

 

A Hacker Walks Into a Vape Shop…

A while back, I wrote about my use of electronic cigarettes as a way to avoid tobacco products.

Since then, the phenomenon known as “vaping” has taken off. It’s especially popular in the security industry I work in. There’s some symbolism in that, as I’ll explain shortly. But first, a self-assessment.

Mood music:

http://youtu.be/53iekfJg4IY

E-cigs have gotten me over smoking. True, vaping looks like smoking, and even feels like it to an extent. But I’m using nicotine-free water vapor and have absolutely no interest in returning to the old-fashioned cigarettes. I now detest the smell of real cigarette smoke and how it hangs in the air like a bad dream. I don’t miss getting ashes all over my clothes, either.

I like how the vapor vanishes almost immediately after the exhale and how it makes no mess. My breathing is also ten times better since nixing the cigarettes. (OK, that last one isn’t a scientific measure, but you get the idea.)

I admit that I’m also using vapor to satisfy the need to have something in my hand and in my mouth. I’ve done far worse, though. I can live with this.

There is something else I enjoy about vaping: the creativity it brings out in my security peers.

Which brings me to the symbolism I mentioned earlier.

Hackers are thought of as people who break things, and that’s partly true. The good guys break things to uncover weaknesses in technology that can then be fixed. That work is potentially lifesaving, if you look at the late Barnaby Jack’s focus on finding and fixing security holes in medical devices.

But the thing that gets lost is that hackers are also master builders. In the process of breaking things, they help build stronger technology. And, in the case of some friends, they love to build devices that dispense vapor. Hell, there’s even a Facebook group dedicated to the craft.

There, folks show off the different liquid flavors they’re trying the same way foodies take pictures of all their meals. They also show off the myriad vaping devices they’ve concocted, many of which look like lightsabers. The pieces that are assembled into a pipe are like the paints an artist puts on canvas.

Some of us get carried away. Take my friend Boris, who started collecting and concocting devices some time ago and can’t stop. Look at the guy’s bathroom:

Boris's collection of vapor pipes and liquids

While some like to build their own, there are also folks who just like to collect different pipes the way kids collect baseball cards. Martin Bos has an impressive collection:

Martin Bos's vapor pipes

While the creativity that Boris and Martin demonstrate tickles me, I’ve mostly used the e-cigs you can find in most gas stations. I only recently upgraded to an eGo pipe, which so far has great battery life.

I don’t plan to maintain a vaping habit forever. But compared to some of my past habits, which caused plenty of physical and mental destruction, this is good clean fun.

For now.

The Courage of Brian Krebs

Brian Krebs has been kind enough to compliment me on this blog a few times, telling me I have courage for writing about the demons. Today I celebrate Krebs’ courage, which is far more formidable than anything I could ever hope to possess.

For years at The Washington Post (which foolishly cut him loose) and more recently through Krebs on Security, the man has relentlessly investigated online crime and written scores of groundbreaking articles on his findings.

Hackers lurking deep in the bowels of the Internet’s seedy underbelly have good reason to hate Krebs’ guts. This is the guy who broke news of the recent Target breach, not to mention most of the other big security stories that went mainstream in recent memory.

And the bad guys aren’t happy. In the past they have:

  • Sent poop and heroin to Krebs’ doorstep
  • Stolen his identity half a dozen times
  • Targeted his website with withering denial-of-service attacks
  • Triggered a SWAT team raid on his home just as his mom was arriving for dinner

None of it has stopped Krebs.

As a journalist, I always envied the man. You could say I hated him as much as the black hats of the underground. Too many times to count, I had to follow up on news stories he broke for the sake of getting headlines on my employers’ sites. It always frustrated me that he could sniff out the tough stuff. It often made me feel inferior.

This was the typical newsroom conversation:

Editor: Did you see that Krebs post? We have to have something on that.

Me, in standard reporter denial mode: Fuck Krebs. He’s not writing about where the security industry is headed. All he writes about is the latest cybercrime.

Editor: Yeah, and he’s winning. Follow it up.

Me: Fuuuuuuuuck.

But in time, I came to appreciate and admire him. I even started to see him as a hero.

Though still a writer, I’m no longer a reporter chasing news, and that has allowed me to shed the last of the biases I may have held against Krebs.

Or, maybe more to the point, it allows me to admit something I probably wouldn’t have acknowledged in those earlier roles — I was jealous of the man’s tenacity and balls. Jealous with a capital J.

Krebs’ boldness has captured a lot of headlines lately, including this one in The New York Times, whose editors were probably delighted to remind The Washington Post of how stupid it was to fire him.

He has also received a lot of awards lately. On Tuesday, for example, the Messaging, Malware and Mobile Anti-Abuse Working Group awarded him its M3AAWG Mary Litynski Award at the organization’s meeting in San Francisco. In announcing it, the group said:

“With an intense passion and impressive self-taught technical skill, investigative journalist Brian Krebs has persistently and courageously shed a rare light on the dark underbelly of the Internet that has resulted in the disruption or shutdown of innumerable cybercrime operations.”

The award and comments are well earned.

Congrats, my friend. The world is a better place because you’re in it.

Krebs at work. Photo by Daniel Rosenbaum/New York Times News Service

Infosec’s Mental Health Role Models

This weekend some friends asked about the reaction this blog has had in my industry. Truth is, I was unprepared for what followed the blog’s launch four years ago. In hindsight it makes perfect sense.

Friends asked if my information security colleagues were weirded out by the blog and whether it had an adverse effect on my ability to interview people.

In fact, the opposite happened.

By the time I was done baring my soul, people I had known through my business life were sharing stories about their own run-ins with mental illness. I didn’t expect that because I had been accustomed to dealing with some pretty tough characters. But people who had previously intimidated me were opening up, and I made dear friends when I least expected to.

I shouldn’t have been surprised, because the security industry is full of high stress and paranoia. More importantly, those who are drawn to the world of hacking and infosec have complex personalities and brain chemistry and are given to depression, feelings of loneliness and self-destruction.

Obviously, this isn’t something limited to the infosec community. People from all walks of life are prone to these challenges. But infosec is the world in which I’ve had the most experience observing the human condition.

As someone who has struggled with plenty of mental trauma, I’m thankful as hell to be part of the infosec community. I’ve witnessed extraordinary resilience and honesty among my peers, and they have inspired me to be a better man, constantly working to deal with the ghosts that still haunt me on occasion.

I’m grateful to infosec friends who haven’t taken the scourge of mental illness lying down. There are those who started and maintain The Information Technology Burnout Project to help those suffering with work-induced emotional and psychological distress.

And there are people like Amber Baldet, who has taken her suicide hotline skills to another level with a presentation on suicide prevention tactics that she has given at least twice at security conferences. Her presentation can be viewed online, as well.

Now more than ever, I believe I’m in the right industry. I’ve learned a lot about the technology and culture. But more than that, I’ve learned a lot about how to carry on in a world of perpetual adversity.

Assessing Suicide Risk and Learning Intervention Tactics

Having lost my best friend to suicide in 1996 and suffered my own bouts of depression over the years, I’m grateful for those who rise up to stem the tide of this often-misunderstood scourge. In my industry (information security) I’ve met a lot of good people who suffer in silence. Among them are folks who refuse to sit back and take it.

And so we’ve seen the rise of such endeavors as the Information Technology Burnout Project and talks at a series of hacker conferences on how to spot someone with depression and intervene before it’s too late. One such talk happened at the DEF CON 21 conference in Las Vegas last weekend. The talk was given by Amber Baldet, who has also given the talk at such events as SOURCE Boston.

Baldet wrote of last weekend’s experience on her Idiosyncratic Routine blog and has graciously shared her presentation with me and others who couldn’t make it to the talk. You can view the full slideshow here, but let me give you the highlights.

Early in the slideshow, Baldet describes suicidal behavior as a contagion that “directly or indirectly (via media) influences others to attempt suicide.” I never attempted suicide myself, but my experience is that the depression of a friend, colleague or loved one can rub off on those who inhabit the same environment. It can deepen someone else’s depression and, if that person is so inclined, it can make them suicidal. Media coverage adds fuel to that fire, as noted in this slide:

We're Doing It Wrong

Another slide focuses on the clinical aspects, conditions that lead to depression and, in some, suicide:

Clinical Stuff

There are a lot of traits in the security community and beyond that spark depression and suicidal behavior. One is the tendency of hackers to stay up all night as they follow one code-based rabbit hole after another. “I’ll sleep when I’m dead, too busy CRUSHING IT,” as Baldet puts it.

There’s also a high degree of paranoia in our community. Paranoia is a disease I know well. I’ve lived it and watched my best friend get eaten alive by it.

The most valuable slides focus on specific ways to help others:

Rethink Our Service Model

Identifying Risk

Oh Shizz Now What

Building Rapport

Bringing 'It' Up

Threat Assessment

Action Plan & Next Steps

I highly recommend you check out the full presentation, Suicide Risk Assessment and Intervention Tactic.

Thanks for sharing, Amber.
