NotAwful.Security

UPDATE 2017-07-29 This post previously stated that @BretMattingly was a member of the leadership of @InfosecN00bs. Just before Defcon BretMattingly stepped away from @InfosecN00bs for unstated reasons. After this blog post was originally published, he took the concerns to @Hacksforsnacks_ and @K_5m00th, who did not want to return funds raised, issue a statement regarding the matter, or take any corrective actions. The fundraiser was done under @Bretmattingly's name because he was being set up to be the fall guy for when everything toppled over. Original Post The twitter account @InfosecN00bs  has posted an official statement regarding their failed crowdfunding campaign after a few people publicly questioned where the money was being used.  The @InfosecN00bs group is run by @Hacksforsnacks_ , @K_5m00th . Official Statement: Part 1 Official Statement: Part 2 To be perfectly clear: This is a press release statement playing damage control. @InfosecN00bs...

You have probably seen the twitter posts about the lasers and smoke machines on display at BlackHatUSA's Keynote speech on Wednesday. If you have not then I can give you the very quick run-down on that: Last-gen/old hackers, who are very anti-conformist and anti-corporate, turned their noses up because BlackHatUSA's keynote speech showed how much bank they made. Holla holla get dolla And why shouldn't they? The Briefings Pass, that would get you into all of the talks, runs for $2095 USD if you ordered before May 10th, and $2795 USD if you bought a ticket at the door. Trainings Passes were also expensive with additional costs for workshops you attended. Jeff Moss, the founder of BlackHatUSA and DEF CON, admitted that BlackHatUSA is a conference aimed at professionals and is premium-priced for large corporations because DEF CON's low barrier to entry made it harder for employees to sell to their bosses. While many old-school hackers stopped paying attention the m...

This is a rather difficult post because it is addressing problems in a group that does not want to listen to criticism of their behavior if it is conveyed with a tone and, thanks to @hacksforsnacks_'s experience in public relations, created a reputation that at first glance seems welcoming and supportive of all people. There are likely people who will come to defend the group but I have found, anecdotally, more people that have stepped forwards with complaints. In my previous post I broke down a press release statement posted by the @InfosecN00bs account to discern what the statement actually says. Here, I will speak about moderating online communities and then call out specific problems with the way that @InfosecN00bs has, and for each problem I discuss I will provide constructive and actionable solutions. Disclaimer : I do not have a good history with this group. I am highly critical of members of their leadership. I do, however, think that highly technical fields are b...

HackerSummerCamp is about a week away! I figure this is the perfect time to go over how I managed to get there. I'll cover where I succeeded, where I failed, and what lessons about fundraising I took away from this. I will also briefly go over what I plan to give back after all of your help to make it out there. Fundraiser Post Mortem Successes Raised funds for travel and expenses for BlackHatUSA  Extended trip to cover DEF CON  DEF CON ticket was supplied through a giveaway done by @justinengler Clearly indicated where donations would be allocated Caveat:  Estimations were off initially, they were adjusted to give a proper indication of the costs as the costs changed. Failures Ask only for enough to cover trip  How did this fail: Fundraiser was rushed before the specifics were ironed out  Why is this a failure: Initial launch costs were estimated on the high side of things, which turned off potential donators.  Solution, used: Adju...

There are a lot of useless security tools and applications. Their use cases are specific and might not match your threat model. They are complicated and create hurdles that turn away inexperienced users. There are a lot of good security tools that are not usable. If someone can't pick up your Good, usable security tools need to enforce consent, be widely applicable, and be easy to set up and easy to use. When I hear of a good tool I usually leave it to simmer and let other people test them, and if I hear good things then I test them out myself. I've found some excellent and usable tools that I'd love to share. Tools Discussed Boxcryptor Classic (Free) KeePass (Free) Mooltipass ($80 USD) YubiKey U2F ($18 USD, $24 CAD) Secure The Cloud: Boxcryptor Classic Annual Reminder: Use KeePass Use BoxCryptor — DEY! (@ronindey) July 11, 2017 I had never heard of BoxCryptor before so I did not know what it did or what it was for. Turns out it creates a folder in y...

When I am passionate about something I am almost always very loud about it. There are a lot of conversations about people "panhandling" for money to travel to BlackHatUSA 2017 and DEFCON 25. Most of the conversations I've seen are dominated by people being very vocal against people crowdfunding any part of their trip, right down to someone who paid travel, lodgings, and tickets out of pocket and couldn't afford food while in Vegas. " How dare they ask if anyone wants to give him some money so they eat? " - Aristocrats, probably I am going to talk about conference travel, barriers, and elitism. A Quick Note On Elitism I wrote a thread on twitter, here , regarding high-priced certificates being used as arbitrary barriers to entry into the field of information security. Halfway through that thread I talked about networking, here , and how the combination of high-barrier to entry and side-stepping traditional hiring processes through networking created...