DEFCON 23 was an outstanding event this year.  I was not originally planning to attend Black Hat or DEFCON this year.  As usually happens, as the event draws near, I start receiving the vendor invites.  Then my friends start making arrangements to meet.  At the last minute, I cave in, make reservations, book a flight, and I’m on my way.  I should know better by now and plan on attending Black Hat, DEFCON, and RSA every year.

This is the first time I purchased tickets directly at DEFCON as opposed to purchasing them at Black Hat electronically.  When you purchase tickets at the event you must wait in line and it’s cash only.  The line took me about 1.5 hours or so.  I was surprised the line went so efficiently since there were about 14,000 attendees.  I also made a few friends in line.  Always love to talk to people and learn what interests them, listen to their security war stories.

Photo 1: DEFCON Mosh Pit

The start of the conference was chaotic.  The halls were super crowded.  Goons (crowd control) were screaming at the top of their lungs to establish rules of the road for the hallways: stay to the right, pass to the left.  Within a short amount of time, though, order was established and the crowds moved efficiently between sessions.  In previous years the event was held at the Rio.  This year DEFCON was held at Bally’s and Paris.  I expected some confusion, but the event was very efficient given the changes and number of people.  The Caesars venue would be better, but it would be tough to keep the prices of the tickets down.  A DEFCON 23 ticket this year sets you back $230 US, a bargain for a technology conference these days.

Most of the value of the conference to me is spending time with my friends.  I follow the news and current events pretty closely, so there’s not a lot that surprises me at conferences these days.  However, I’m always learning new things from my colleagues.  If you ever think you’re an expert, and you may be, you will be humbled when you meet other experts in their field at these events.  This was the case for me when I got to meet Renderman this year.  Renderman presented on ADS-B, an air traffic telemetry protocol, in a DEFCON 20 session entitled “DEFCON 20: Hacker + Airplanes = No Good Can Come Of This”.  His work was particularly interesting to me since I did a similar project on the Raspberry Pi platform, “Tracking Aircraft on the Raspberry PI”.  At the time I did my project I didn’t know about Renderman’s project.  Anyway, I got to meet Renderman and he introduced me to his friends.  It was shit tons of fun to hang at his table for a few mins and meet his friends.  That’s what DEFCON’s all about to me: meeting old friends, making new friends, and learning some new stuff.  I made another new friend purely by chance, Adam Shostack (Photo 2).

Photo 2: Adam Shostack

Adam was meeting one of my friends from Oracle’s Java Platform team whom I happened to be having lunch with, Eric Costlow.  Adam has an incredible book on threat modeling, “Threat Modeling: Designing for Security”.  This is the go-to resource and reference for threat modeling.  I have a copy on my shelf.  Adam was working for Microsoft when he wrote his book, but he’s now striking off on his own business venture.

Photo 3: Robert Hansen

I also met several vendors like Whitehat, Denim, Cigital, and more.  Robert Hansen (Photo 3) works for Whitehat these days, but I’ve known him for years.  It was interesting to learn about the projects and challenges everyone’s working on.  In a conversation with another unnamed researcher, I mentioned how I didn’t appreciate the US government using security conferences as a platform to push their political security agendas.  The researcher mentioned that he understood but said that many of the researchers are working or have worked for the government.  In fact, darktangent, the conference founder, works for DARPA, a government group.  He also noted that the government is comprised of many different agencies, each with different viewpoints and moral compasses.  There really is no single point of view.  He makes a good point, but I’m not sure I subscribe.  Still, we can’t give up on our government and we can’t acquiesce.  Security and privacy are one of the largest unrecognized social concerns of today.

As I mentioned, I did not attend Black Hat this year, but I did find the keynote online.  It was interesting listening to darktangent and Jennifer Granick talk about the larger social issues around security and privacy.

There is also a DEFCON documentary you may want to see.  Next is probably the world’s shittiest horror movie ever.  After returning from the conference I turned on the TV.  Purely by chance my TV was tuned to Chiller TV and Feast 3: The Happy Finish (jump to 26:00) was playing.  How do you unwatch something?  Please tell me.  ;o)

DEFCON 23 Online Receipts

I end this post with a few funny or interesting photos from the event.  Incidentally, an artist by the name of Mar Williams does most of the artwork for DEFCON.  Check out his website, sudux.com.

It’s official!  The OWASP organization announced my candidacy for the 2015 Global Board of Directors.  If you’re an OWASP member, vote for your candidates anytime between October 7th and October 23rd.  The results of the election are shared on October 28th.  To learn more about the election and process, see the OWASP site.

What’s OWASP?
OWASP (Online Web Application Security Project) is one of the world’s largest groups of web application security practitioners.  Essentially, we are people passionate about securing the software applications you use on the Internet every day.  OWASP is most famous for the OWASP Top 10 Project, which helps software developers understand common weaknesses when programming software applications.  Other projects like the ASVS Project provide a basis for testing web application technical security controls.  OWASP provides conferences and user groups throughout the world to educate the public on application security.  OWASP provides many resources for security and engineering professionals engaged in building and protecting software applications.

Who are the 2015 candidates?
Abbas Naderi Afooshteh
Tom Brennan
Jonathan Carter
Michael Coates
Bil Corry
Tobias Gondrom
Nigel Phair
Josh Sokol
(and me) Milton Smith

I am excited to be considered a candidate for the 2015 Global Board of Directors.  But most of all, I am excited for the opportunity to serve the community of developers, security practitioners, and industry at large.

I wanted to make up a cool t-shirt to wear to DEFCON 23 this year.  The graphic is on the front of the t-shirt with a small cutout of the back.  I know it’s hard to read but it says, “In a time of universal deceit, telling the truth is a revolutionary act”, a quote by George Orwell.  I loosely designed the t-shirt based upon a graphic for an Intercept story, “The Computers Are Listening”.  I am not selling these t-shirts.  I made a single t-shirt for my own use only.

You can easily make your own t-shirt at customink.com.  This link is not sponsored but instead provided as a service to readers.

JavaOne is a software developers conference held each fall in San Francisco, California.  The conference is held at the same time as Oracle’s larger product conference – OpenWorld.  Together both events bring in about 110,000 attendees to the city.  Many streets near the Moscone Center and O’Farrell are only open to foot traffic and serve snacks and beverages to attendees.  There’s something decadent about drinking a hot latte in a recliner on a blocked-off street in the middle of San Francisco.

I thought a post was in order since many are surprised to learn Oracle’s JavaOne conference has a security track.  This year is the third year for the security track at JavaOne.  I can’t share too much about this year’s track just yet, but I can share about last year’s track.  In previous years, the security track included around 40 sessions held over the course of the conference week.  Content covers various areas like open source projects, technologies, platform security, labs, and more.  Many industry verticals are covered like finance, insurance, banking, government, and academia, as well as independent researchers.  A key differentiator for JavaOne is that the conference sessions are defensive in nature.  For example, we focus on defensive techniques developers use to strengthen software applications as opposed to offensive techniques to exploit software weaknesses.

JavaOne 2014 Security Sessions (Article)

The security track is not the focus of attention for JavaOne, so we don’t have a keynote like other tracks, but we provide an opening presentation that launches the track.  Following is the presentation I gave last year to give you some background.

One thing I will say about the JavaOne 2015 security track and opening session – you will love it!  To launch the event I invited a security hero of mine.  He’s an early luminary in the security industry, a company founder, has testified before Congress on security, has been interviewed on film, and more.  He will be doing most of the speaking this year and I’m looking forward to his presentation.
JavaOne 2014 USA, Security Track Amazeballs! (More information on JavaOne 2014 security track)
How interesting the security track at JavaOne is depends upon you!  JavaOne is community driven.  Got an interesting proposal on security for JavaOne?  We would love to hear about it.  The CFP is still open but closing soon.

Submit JavaOne 2015 Proposals (Oracle Speaker Registration)

See you at JavaOne!

I am honored to be invited to the OWASP AppSecUSA 2015 San Francisco conference Call for Papers (CFP) review team.  If you have an interesting security talk, submit your proposal.  The CFP closes on March 14, 2015.  In the event you’re not aware, OWASP is an organization of application security professionals and has many free resources to keep your software applications safe.