I am proud of my graduate. Grateful to the teachers who guided their students through unprecedented times. The celebrations may be small but the accomplishment is mighty. Covid does not get to take that too.
It’s some day, in a week, in some month after RSA. Without snow. 2020 has been brutal and relentless and it cannot end soon enough. Grateful as I am to live in a land with healthcare, government support and a closed border, the people I love and miss are on the other side of that border which massively sucks.
This year Defcon actually has been cancelled. It’s not funny when it’s for real. For many of us the annual pilgrimage to Vegas is like a massive family reunion. These have been long, hard and lonely months, even for a community of introverts.
Please follow the recommendations: stay 6 feet apart, wash your hands often, avoid big gatherings and wear a mask. We have all lost too much to go through this again.
I am going to share my space here with a host of wonderful and inspiring voices. This has needed to happen for a long time and I am so excited to see it in action and be able to support however I can.
Hell yes! For any talk I get to give I would hand that mic over with warmth and encouragement to a Person of Colour so that we all would get the benefit of truly diversifying this community, and broadening our thinking. This is how we grow together.
Understanding how systemic racism influences cybersecurity is integral to protecting the American people, deterring U.S. adversaries, and defending American businesses as the United States seeks to return to its position of international leadership.
— Read on www.cfr.org/blog/systemic-racism-cybersecurity-threat
Because there is more we can do. And we need to do more.
BLACK LIVES MATTER
George Floyd was murdered. There were 4 cops involved. Arrest them all.
Systemic racism and police brutality must be called out and stopped. It is everyone’s problem because it is everywhere.
I am anti-fascist.
Peaceful protests are freedom of speech. They are not the problem. Bigoted officials who defend and empower tyranny and abuse are the problem.
America is literally burning as Trump puts cities under military control, turning soldiers on civilians while citing “law and order”.
8 minutes and 46 seconds. Press pause.
I mourn the lives lost, the families broken. I fear for the safety and well-being of my friends. I weep for a nation neglected and betrayed by those who were entrusted to govern with wisdom and compassion.
Stay safe. Wishing you peace.
I had a great time as a presenter on the Tactical Edge virtual event, sharing scary stories about IoT risks and attacks. This was a terrific and relaxed format, with Ed Rojas using his expert podcasting and interpersonal skills to engage each of the speakers in conversations on a range of topics. The virtual format made this affordable and accessible for the attendees, as the price was free and there was no travel involved. Perfect for students and those with no travel budgets and the learning opportunity – wow!
Wolfgang Goerlich on Zero Trust
Cheryl Biswas (me) on attacking enterprise networks via IoT
Timothy de Block on Agile security teams
John Svazic and gamifying tabletop exercises
Adrian Sanabria on dwell time by attackers in networks
Andrea Little Limbago on the global factors driving data protection
Join me next for the Diana Initiative Leap Day event on Saturday Feb 29 at 11:00 EST
I just got back from another great year at ShmooCon. While technically it is an information security conference, it’s a hacker con in the best sense of the term, a gathering of our friends and hacker family. We live, laugh, learn and love. We spend a lot of time working remote or facing screens, so it’s these special moments when we get actual face time that we can connect, talk long and late into the night, and come away feeling recharged.
Hackers are the most generous and caring people I know. There was a terrific event to support Mental Health Hackers early Saturday night with a big turnout and outpouring of generosity by those attending. It was great to meet some new people there and hug some dear friends. Thank you to Ray Redacted for organizing it, to Amanda Berlin for making this organization to create awareness and support, and to some very generous donors.
Hackers bond well over food and libations, and there were some great meet and eats. Things wrapped up with a grand Sunday brunch and a tableful of great conversations with Chris Kubecka, Helen Negre, Jim Troutman, “SniperBarbie” among others.
Shmoo is a rare time when I am an attendee only, so I indulge my love of learning and take in all the talks I want to see because some of the most cutting-edge and challenging talks are presented here. It’s a feast for my mind and I never leave hungry.
Some talks on my list:
A Firetalk by Jim Troutman on DNS and all we don’t really know. This talk won first prize this year out of all six excellent firetalks. There was so much useful info about where we are exposed and many helpful mitigations for more secure setups.
“Hack the Stars”. All about satellites, their vulnerabilities, juicy targets, so much data in the clear. Space debris and stuff that keeps me up at night. Scary good!
SBOM. A talk on why we need a software bill of materials legislated and enforced in healthcare by Josh Corman and Audie. Because time is a matter of life and death in healthcare. Supply chain, upstream dependencies, lack of visibility. The impact from exploit doesn’t stop at one hop.
Five years ago I changed course, changed my life, and discovered this community. It has been an incredible journey, and there is still so much more ahead to learn and explore. My holiday wish is not for me but for you all, this community and the people here I have come to know. I want to give you the gift in my heart, appreciation and gratitude for finding welcome and purpose here, the sense of wonder for what you know and share, delight in how each of you shine so distinctly like beautiful stars to light my tree.
You may not see this, but I do. You may not believe in yourself and your abilities, but I do. And I watch with wonder and delight as you share your discoveries online for others to learn from; as you reach for that next bar, one rung higher, and go after your goals be they OSCP, giving a talk, literally and figuratively learning to fly. I soar along with you in that vast expanse of clear blue sky, limitless in its possibilities.
I feel your words and hurt along with you when you are brave enough and open to share your pain and loss. I wish for your comfort and healing, conveying support in emojis and 140 characters but giving all the hugs and love I can when we get to meet up in real life. Because those times together are precious gifts, where we get to build friendships and strengthen those bonds.
So many of you have enriched my life in ways you cannot know, and opened doors for me so that I can learn, grow and keep exploring. You inspire me with your ideas and passion, so that I follow your threads and read your blogs to learn from you, with you. Your words push me to keep trying, to look deeper. You fill my heart with your compassion and care for others, recognizing the basic needs of others here, calling out wrongs and standing up for rights.
My wish is to honour you by paying it forward, seeking ways to help others find their way here, to lift up those around me so they can soar and then cheering you on until I am hoarse. I wish for you to follow your dreams and believe that you are more than good enough to go after what you want. You make a difference because you are here.
I will follow this up on Twitter and try to share as many handles of you as I can for a list of the wonderful guiding lights you are. ❤️
I would also like to personally thank and celebrate the wonderful people who are the founders, staff and volunteers at The Diana Initiative. I am so blessed to get to work along with you to make this event happen, and to support and encourage women in this amazing field.
Finally, I want to give my heartfelt thanks to those who have stood by me when the road was rocky, who rescued me to my first ShmooCon, encouraged me to submit my first talk, welcomed me at my first hacker con at Circle City. You know who you are and your love and friendship has carried me here. <333
I wish you all a very happy holiday however you are celebrating today, and may you have the love of friends and family to make this time warm and wonderful. You are the lights on my tree and the hope in my heart. Love and peace!
There was a recent Twitter thread asking for a list of women-owned or led InfoSec businesses. I’m capturing that valuable content to share and signal-boost here. These are leaders, builders, breakers and change-makers. I have so much respect for all of them!
This list is by no means complete and I apologize for any oversights. Please help me continue to build it to share forward.
- Katie Moussouris @k8em0 Founder of @LutaSecurity
- Azeria @Fox0x01 CEO of @azeria_labs
- Jennifer Sunshine @SecureSun at @IOActive
- Alison Gianotto @snipeyhead Grokability
- Zuly Gonz @ZulyGonz Head of @LightPointSec
- Rachel Tobac @RachelTobac CEO @SocialProofSec
- Tanya Janca @shehackspurple Founder WoSEC: Women of Security
- Mari Galloway @marigalloway CEO @WomenCyberjutsu
- Amber Schroader @gingerwondermom Head of @parabencorp
- Dr. Jessica Barker @drjessicabarker CEO @CygentaHQ
- @Jennifer_Arcuri @myhackerhouse
- @BadassBowden CEO & Founder @theBADASS_army
- Theresa Payton @TrackerPayton at Fortalice
- Nicola Golding @CyberGoGiver CSO Titania Ltd.
- Jane Frankland @JaneFrankland Entrepreneur, Speaker, CISO advisor
- Masha Sedova @modMasha co-Founder @hello_Elevate
- @0dd_ba1l CEO & Co-Founder of @th4ts3cur1ty
- Jennifer Arcuri @Jennifer_Arcuri Founder @myhackerhouse @innotechlive
- Dr. Magda Chelly @m49D4ch3lly Cyberfeminist and Founder of Woman in Cyber
- Lisa Forte @LisaForteUK Founder @redgoatcyber
- @Is_Vix Founder of Careerist Cyber Talk
- Keirsten Brager @KeirstenBrager
- Marcelle Lee @marcellelee
- Justine Bone @justinembone MedSec field
Badass #DFIR & infosec women generally:
- Ian Coldwater @IanColdwater
- Jessica Hyde @B1N2H3X
- Christa M. Miller @christammiller
- Yulia Samotekina @yulia_atola
It’s the constant question: what will it take to fill all the empty roles in cyber security? And the ongoing challenge to gain a strategic advantage as adversaries continue to up their game in tech and tactics. Let’s start here. Draw a bigger circle. Invite people in who don’t conform to traditional requirements, because what we’ve been doing isn’t getting things done. Different experiences, cultures, backgrounds – these expand our field of vision by widening the lens we see through. We need to look beyond what we expect to see to find what we’ve been looking for. The fact is, we don’t know what we don’t know – but you can bet there is someone out there who does. Have we opened the door to let them in?
There has been a growing realization and appreciation of what collaboration and communication bring. Just look at the power of fusion groups, or at what happens when various international law enforcement agencies work together to take down dark web markets. Let’s talk about synergy: when two or more entities combine to create a result that is greater than the sum of their individual efforts. We’re limiting our potential when we set limits on others. You can hear my thoughts on this episode of the InSecurity Podcast by Cylance. Here are some basic definitions to get us started.
Diversity: reflects the full spectrum of human differences to include race, ethnicity, gender identity, sexual orientation, age, social class, physical ability or attributes, religious beliefs, ethical values, national origin, political preferences and more. It’s time that panels, workplaces, boards reflected everyone in our society and on the basis of merit.
Inclusion: ensures there is involvement and encourages empowerment, to recognize the inherent worth and dignity of all. A sense of belonging is promoted and nurtured; respect is shown for everyone’s values and practices, talents, beliefs, backgrounds, and ways of living. It’s time to stop discarding people and ideas because we don’t like how they are different.
Equality: ensures that individuals or groups of individuals are not treated differently or less favourably because of their race, gender, disability, religious belief, sexual orientation and/or age. Think “Equal pay for equal work” and no more glass ceilings.
I am excited and honored to have been invited by Salesforce as a speaker at their feature event at BlackHat this August, “How to Make Equality a Priority in the Security Industry”. I aim to carry forward what’s been said by those in our security community, to represent and respect.
Go ahead – ask me how proud, how excited I am to be part of The Diana Initiative (TDI). We’re back for our third year in Vegas, right in the midst of all that is Hacker Summer Camp.
Yes! Everyone is welcome. We’re about inclusion and diversity. Let’s do a quick refresh on what those mean.
For those who don’t know what got us here, this is us:
Yes! You can still register online to come. At only $30 it’s a bargain, but you have to register to attend.
TDI is a smaller, comfortable, less-intense version of the big conferences going on around us, set in its own oasis at the Westin Las Vegas, just a short walk down from the Strip where Defcon is being held. This year we’ve gone above and beyond to offer all the good stuff attendees hope for:
Talks & Trainings. This speaker list is a wishlist of topics and expertise! Three tracks featuring technical and non-technical talks, as well as a separate training track. Outstanding contributors who’ve got amazing ideas and insights to share in a smaller, more intimate venue that will encourage and inspire some great conversations after.
CTF. Yes! In response to popular demand, we are having our first-ever capture the flag (CTF) event, involving some of the coolest, brightest folks in our community to plan it all out. We even have a CTF 4N00BZ training because everyone has to start somewhere, and this is an encouraging and supportive environment to make sure you do! This one you have to register for in advance and it’s FREE.
Lockpick Village: If you haven’t tried it, you’re in for a treat. From experience (really!) it is a life-skill, especially when you leave your keys 700 miles away and discover that at 2:00 am. It also brings people together as they share the fun of learning a new skill together, and encourage each other. It’s FREE. Plus, you can buy the picks and some fabulous lockpick earrings while there.
Soldering Village: Ohhh who does not love blinky badges?! You can learn how to make your own at our Soldering Village. We have a terrific instructor who will walk you through the process, set you up with the tools and supplies, and help you make your very own keepsake badge.
Career Village: Opportunities abound. TDI has always been about networking and mentoring. Attendees can meet with professionals to have their resumes reviewed, schedule a mock interview to gain interview skills, and meet in-person with company representatives who are hiring.
Let me leave you with this. I was recently a guest on the InSecurity Podcast by Cylance with Matt Stephenson, where we had a candid conversation about diversity and equality, how far we’ve come and the distance left to go. Have a listen and I hope you enjoy it as much as I did. When it comes to making the changes we need in diversity, inclusion and equality, there’s a lot more to be said and done and our journey is just getting underway.