Showing posts with the label personal

Missing: Code of Conduct

I have spoken about the importance of a Code of Conduct in the past. Since conversations have cropped up around several communities and events in technology regarding Codes of Conduct, I am going to discuss my experiences with them. Over the years I have spent a lot of time in and around gaming communities. During that time I realized that community guidelines and a code of conduct are an important tool. In watching these recent conversations, I feel some people have been too focused on their practical application. So I will talk about why a community should have a code of conduct, what you stand to gain by implementing one, and address some of the common arguments against them. I wrote a step-by-step guide to writing a code of conduct here, taken from an earlier blog post addressing another community that lacked a code of conduct. I'm not a bad person, why do I need one? I have not read the code of conduct for most communities I have been a part of. I also do not know...

Anatomy of an Apology

When we were children, we were told to apologize for saying mean things to each other. We were conditioned to accept those apologies regardless of whether those apologies were honest - they never were. I was bullied as a child and was forced to listen to false apologies often. I resented those bullies because the more of those false apologies I heard the more I realized they all managed to blame me for their actions. As I grew up I mimicked those structures to avoid admitting that I was an abusive friend. I was never taught how to issue a real apology, but like many things in my life I was able to infer it from what I had learned. Lately, I have seen that many people accept false apologies because they have never heard a meaningful apology. I am going to teach you what an apology looks like so that you can understand when someone is not apologizing to you. Anatomy of an Apology An apology is made up of four things: Subject of apology Admitting guilt The guilty part...

The Internet Was Never Content Neutral

Today, Cloudflare's CEO Matthew Prince made a decision to stop serving The Daily Stormer, a neo-nazi website. Gizmodo's reporting on this leads with an odd sentiment: Internet companies typically take a hands-off approach to offensive content on their networks, erring on the side of maintaining an open internet. I find this to be an odd statement because it is categorically false. This decision by Matthew Prince follows decisions by other companies to stop serving neo-nazi and white supremacist customers. Google and GoDaddy recently refused domain services to The Daily Stormer over the past couple of days. Paypal has been closing the accounts of neo-nazis and white supremacists for some time, according to CNN. This has sparked many conversations about whether or not internet companies should police the content on their platform, or whether the internet should remain 'content-neutral.' This debate is a surprise to me because all companies already police the conte...

BlackHat/DEFCON, Part 2: My experience

This is part two of my travel blog for going to BlackHatUSA and DEF CON. Part one covered travel and first-time-attender tips in point-form, and you can read it here. In this post I am going to speak about my experience at DEF CON and, without names, the people that I met there. The post will be broken up into topics rather than chronologically. This has been difficult to sit down and write because of a lot of interpersonal drama that happened on Twitter and in the convention halls that I, frankly, don't want to discuss again. I wanted to talk about things that did not have to do with the drama. First Impressions After I arrived at the Caesars on Thursday, I met up with some people and had to deal with that. I had been explaining who I was to everyone that I already knew online for a couple days at BlackHatUSA and had become increasingly comfortable with the process. Approaching people, though, never got easier, but I learned to introduce myself and follow with my twitter...

BlackHat/DEFCON, Part 1: Travel Advice

I recently returned from a trip to Vegas to attend BlackHatUSA 2017 and DEF CON 25. While writing my travel blog I realized that I had a lot of stories, and a lot of travel advice. After working on it a little I decided it would be most useful to post the advice and stories separately. This post will contain all my advice for navigating your first DEF CON adventure. I will share stories in future posts. I am going to jump straight in because I have a lot to share here. Packing Never check bags if you can avoid it. Prevents loss, theft, or mishandling. If you check bags, keep all your valuables on you. Pack light; leave room for treasure. If you plan on collecting lots of treasure then pack an ultralight duffel in your carry-on. They pack small, you can check it on the trip home. Personal item should be a cross-body bag or backpack. Put your electronics and valuables in it. Carry-on item should be a frameless soft-bodied item. It’ll hold toiletries and clothes; all your valuab...

InfosecN00bs, Part 1: Press Release

UPDATE 2017-07-29 This post previously stated that @BretMattingly was a member of the leadership of @InfosecN00bs. Just before Defcon BretMattingly stepped away from @InfosecN00bs for unstated reasons. After this blog post was originally published, he took the concerns to @Hacksforsnacks_ and @K_5m00th, who did not want to return funds raised, issue a statement regarding the matter, or take any corrective actions. The fundraiser was done under @Bretmattingly's name because he was being set up to be the fall guy for when everything toppled over. Original Post The twitter account @InfosecN00bs has posted an official statement regarding their failed crowdfunding campaign after a few people publicly questioned where the money was being used. The @InfosecN00bs group is run by @Hacksforsnacks_, @K_5m00th. Official Statement: Part 1 Official Statement: Part 2 To be perfectly clear: This is a press release statement playing damage control. @InfosecN00bs...

InfosecN00bs, Part 2: Fixing the Problem

This is a rather difficult post because it is addressing problems in a group that does not want to listen to criticism of their behavior if it is conveyed with a tone and, thanks to @hacksforsnacks_'s experience in public relations, created a reputation that at first glance seems welcoming and supportive of all people. There are likely people who will come to defend the group but I have found, anecdotally, more people that have stepped forwards with complaints. In my previous post I broke down a press release statement posted by the @InfosecN00bs account to discern what the statement actually says. Here, I will speak about moderating online communities and then call out specific problems with the way that @InfosecN00bs has, and for each problem I discuss I will provide constructive and actionable solutions. Disclaimer: I do not have a good history with this group. I am highly critical of members of their leadership. I do, however, think that highly technical fields are b...

Crowdfunding Summer Camp, and Bad Arguments

When I am passionate about something I am almost always very loud about it. There are a lot of conversations about people "panhandling" for money to travel to BlackHatUSA 2017 and DEFCON 25. Most of the conversations I've seen are dominated by people being very vocal against people crowdfunding any part of their trip, right down to someone who paid travel, lodgings, and tickets out of pocket and couldn't afford food while in Vegas. "How dare they ask if anyone wants to give him some money so they eat?" - Aristocrats, probably I am going to talk about conference travel, barriers, and elitism. A Quick Note On Elitism I wrote a thread on twitter, here, regarding high-priced certificates being used as arbitrary barriers to entry into the field of information security. Halfway through that thread I talked about networking, here, and how the combination of high-barrier to entry and side-stepping traditional hiring processes through networking created...

On "Gaming" Social Media

I begin this blog post with an acknowledgment of the irony of the situation. But I'm taking this chance to highlight the social media snowball and how to use your momentum responsibly. This post is in no way an indictment of MalwareTechBlog, nor am I implying that they did anything wrong here. If I come across as petty it is intentional and not sincere. On May 26th, 2017, I tweeted about a bug with Microsoft Office in which a background task would flicker a command prompt briefly due to it being mistakenly registered as a user-context task. First! Thirty-seven hours later the Savior of the Internet, Slayer of Wcry, MalwareTechBlog posted a tweet that said basically the same thing. With no significant additional information. Second, more popular mouse gets the cheese Social media is all about visibility. After MalwareTech posted their tweet SwiftonSecurity retweeted it, and between both of their substantial platforms a very visible conversation ...

Introduction and Ethics

1. Don't hurt others 2. Protect those who cannot protect themselves 3. Strive to be better My name is ephemeral. I currently go by Amanda on Twitter, and by NotAwful in most other places. It will change in the future but for now I am comfortable and have no plans to change that. As of writing, I am a networking and telecom student studying information security on the side. I do not have much real-world experience but I am seeking it avidly and learning as much as I can until I get there. My primary interest in infosec is malware research and software reverse engineering, but before I get there I will likely be working within the realms of general IT. Expect me to post reviews and thoughts about things that I am learning in technology here. I have played a lot of tabletop roleplaying games such as Dungeons & Dragons, Dungeon World, Shadowrun, and a few others. I have also played many video games. I think critically about game design and while you won't see me break...