Information security (InfoSec) is hard, a moving target that waits for no one, and so it is often reactive rather than preventive. Good InfoSec requires more than just experts toiling behind the scenes to protect us; it requires the involvement and input of the whole community.
The Security B-Sides DC conference is part of the B-Sides movement, which was created to provide a community framework to build events for and by information security practitioners. Alex Norman, the co-director of Security B-Sides DC, tells us how he wants to expand information security beyond security professionals, and to involve a larger, more diverse community.
How'd you end up with the job of co-director of B-Sides?
Four years ago, Mark and Bill, who are the founders of B-Sides DC, emailed Jack Daniel and said, "Hey why isn't there a B-Sides in Washington, DC?" And Jack said, "There is now, you guys are doing it." And they went, "Eh, OK."
At the time I was working in downtown DC and went to CapSecDC, which was a local security meetup. They came to that meeting and asked for help with the event. We spent about a year and a half planning that first event, and during the course of those meetings we started taking up positions on the board. Somebody needed to run the conference network, and I volunteered. So I did that for the first year, made sure we had the wireless network for the con and everything that entailed. Then for the second year, one of the original founders, Bill, took a position within the US Government. So that created a conflict of interest and he stepped down. At that time two or three of us put our names forward to be co-director. There was a vote, and that's how I ended up in the position—a series of standing up and saying, "I'll do it."
What are some of the things you've had to learn how to do to put on an event?
Dealing with venues, there are lots of little things. I like to compare it to planning a wedding. You don't realize all the little things you need to purchase to have a wedding—it's kind of the same thing with cons. And the different rules for different types of things. We did a talk last year with the organizers of B-Sides Delaware called, "So you want to host a B-Sides." So here are some of the things you have to be aware of—having the conference at a university versus a hotel, versus a convention center. Each type of venue has their own unique sets of rules. Getting sponsors, getting everything sponsors need, making sure those things get taken care of. And then there are the curveballs, things you may never have thought of.
Like today we had a speaker not show up, learning how to keep flexible with that.
For B-Sides, everything is volunteer-driven. So when working with volunteers you have to use different tactics and strategies than you do with employees. These people are donating their time.
B-SidesDC 2016 occupied the entire basement level of the Washington DC Renaissance hotel. Training sessions were on the upper level.
Sounds a bit like managing an open source project.
It can be that way sometimes.
So this is your fourth year now. How has your conference evolved?
It's gotten a lot bigger, and we've added things. Our first year was 400 people, second year was 600, third year was 850, this year we're sitting at about 1100.
The first year we were three days. We had training and talks and one Capture the Flag (CTF) and a lock-pick village, and that's it. The second year we added WiFi village and more talks. The third year we added Internet of Things (IoT) village and more CTFs and SANS NetWars.
So SANS came to us and said, "Hey, we'd like to host a NetWars at your event." Kind of how we add everything to our con, we say, "OK, so how do we do that?"
This year we added a hiring happy hour, which was a new thing that we wanted to give to the community. Everything we add to the con we say, "Is this something that would be helpful to the local security community and the community as a whole?" We said, "We're doing pretty good at letting people play with physical security, letting people play with IoT, letting people play with WiFi, but what about those people who are looking for a job? Or who just want to meet more people in the community?" The event for us is all about learning and about getting people together into a place where they can chat with like-minded individuals, which you may not get many chances to do during your workday.
You've got the CTF events, the IoT and WiFi villages, NetWars. A lot of opportunities for hands-on learning. It seems that these days attendees get more value from the small cons than the big vendor fests. Do you think that's the case?
It can be. For my day job I go to large cons, small cons, everything. The B-Sides movement is kind of a natural outgrowth from those larger cons. And sometimes it gets to be a knock on those larger cons that they're more mainstream, and a little more sedate. But there's a place for that in this community as well. It's difficult for those cons to change course very quickly. Our small cons fill that space. Oh, we're going to do this now, and we can change rapidly without having to please many masters.
We also try to see what the community wants. We put a call for papers (CFP) out and see, oh, there are a lot of talks on this thing this year.
What was that popular thing this year?
This year it was PowerShell. There's been quite a bit of research and publications on how PowerShell works. But then there are also subjects that are evergreen and stick around all the time. People want to take apart current attacks that are happening, current events, or even things they saw in their day jobs.
Komand hosted an Anonymous photo booth. My daughter was happy to pose.
I'll bet the Dyn DDoS has been a popular topic.
It has, but more in the halls. Our CFP closed some time ago, so obviously there weren't any proposals for that. But I hear it a lot in the hallways, so I imagine in the next year we'll see a lot more research into how IoT works and how to secure it.
Sometimes when I talk to my managers about cons, I frame it in as: "Is it a suits thing? Or a hoodie thing?"
B-Sides is kinda both. I did see on our Twitter that there's another legal conference going on, and people actually said things like, "Time to change out of my suit into my hoodie." So there are some going incognito. Industry-wide for InfoSec, I'm seeing the same thing that happened in IT more generally, where people are going from suits to more casual daily wear. But that said, my goal for B-Sides DC is that anyone is welcome to come in. We had a few speakers this year whose day job was not in IT or information security, so I'm wanting to encourage people to cross-pollinate ideas.
One of our talks was someone who was a crisis communications researcher. So I said a thought I've had in the last year or two is the concept of the echo chamber. And that can be used as a derisive term for the InfoSec community. If you get a group of pentesters in the room, talking about things, they're probably going to generally agree. So one of my things has been reaching out to conferences that are not InfoSec conferences in order to talk to them about information security. And also getting people from outside our area to come and talk to us about their topics, because we could all learn from other fields. When the young lady who did the crisis management talk reached out to me and said, "Would this be interesting," I said, "Absolutely!" Because what is InfoSec but a crisis? On the offensive side, if you're providing that service to a customer and they're actively trying to resist, you have to adjust. On the defensive side, if you're being DoSed or you find an infection or an intrusion, you are now in crisis mode. And we're seeing on breach notifications the amount of time that it's currently taking. I think at least exposing people to those ideas we can get them thinking about here's how we could do this faster, or better, or more clearly.
So this article is for Opensource.com, and obviously we care a lot about that. What role do you see open source playing in InfoSec going forward?
I think it's critical going forward. GitHub pages are very common in talks these days, and it's kind of become a social thing. Certain developers in the community get known for good things and people follow their GitHub page where they release everything from fully-developed projects to "Hey, I was thinking about this thing and I put together a proof of concept and here it is, do whatever you want with it." And it becomes a meritocracy. If it's a good idea and entirely fleshed out, people will start doing more with it. Or if it's not a good idea, or poorly executed, then maybe somebody can contribute and help out.
So you see the same thing as large company, large con, small company, small con. Open source can be a little more agile or niche-focused. If it's a large company making a tool that will be used by a hundred people, they might not do it because it's not profitable, which totally makes sense in that model. But to a single developer, it could be a very useful thing. We've seen frameworks like Metasploit go from being something small to being something large, so it's a little bit like kickstarting.
We talked about community involvement, and how having a community of volunteers is a bit like open source. How has that affected your show?
It involves a different approach. It's not like having employees where you can order people to do things because they're doing it for a paycheck. Although it is nice to see the volunteers getting involved. A lot of them are friends and family members. So it does get us a bit of an injection of the outside community. I have the occasional conversation with volunteers where they say, "Wow, this conference is really cool. I've never been to one of these." And some of those are people from outside the field, and some are people who are inside the field who are maybe in IT or something adjacent, or have maybe had a little more exposure. So it's a little grassroots. It's sometimes hard to find volunteers. Tell your friends! Tell your neighbors!
So if somebody wants to be a volunteer and get involved in B-Sides, what's the best way to do that?
They can send us an email to our info account, or hit us up on Twitter at @B-SidesDC. There's also a volunteers list that they can get to from the website. There's also a volunteers mailing list. Our website is B-SidesDC.org.
Are you on social at all? How can people follow you?
Yes, my Twitter handle is @webyeti.
You're one of the shows doing it right. Which other shows are doing it right? Name some of your favorites.
Ok, favorite conferences...
B-Sides Delaware was one of the original B-Sides. They're in their sixth year. And to give you an idea, there have been 290 B-Sides events now. B-Sides Charm City in Baltimore is growing very quickly. B-Sides Augusta in Georgia does an excellent job, they're growing very quickly as well.
The interesting thing you'll see at B-Sides events is that every one is different. They all have their own local flavor. For example, we do challenge coins because challenge coins are a thing in the DC area. Georgia's badge was a stress-ball peach, which makes sense.
As far as non-B-Sides events, DerbyCon is a popular one, I've gone to that one many times. Shmoocon in Washington, DC is one of our con siblings. Registration opens November 1, so happy F5 Day to everyone out there a Shmoocon is definitely a hard one to get a ticket to. B-Sides Las Vegas, of course. I would be completely remiss if I didn't mention them. Another one that goes on the same time as us is Skydog Con in Memphis Tennessee, a very good one, really good people, very friendly.
The Red Hat table at B-Sides DC 2016
There are tons of other good ones, and that's one of the really nice things. We're getting to the point that within three or four hours of you, there's probably an event going on somewhere. So having started off in computer security and hacking, just learning it on my own, when I first started it was like, I can't afford a plane ticket to Las Vegas, and a hotel. So I never went. Then I started volunteering at a few cons, but most of those took plane tickets, I had to fly places to do it. So now it's nice to see, even in South Dakota, Iowa, smaller places Huntsville, Alabama are really lowering those barriers to entry.
Another nice thing is lots of those places have biases to new speakers. So if you're new, it's a scary thing to submit a talk so Shmoocon, because you'd have a thousand people in the room looking at you. So from my perspective, I would hesitate to submit a talk because it's kind of scary. I don't know if I'm ready for that. But B-Sides events, you may have 20-50 people in the room listening to you, so that's not as hard as submitting to a major con. And those conferences will have much lower numbers of presentations proposed, so your chances are better. Shmoocon gets hundreds of CFP responses, BlackHat gets thousands. But we got 70. And even this year we decided to expand the con by an hour Saturday and Sunday to get a few more in.
Is the history of B-Sides documented anywhere? I've tried looking around, but haven't found much.
You could look on the main page, but otherwise, Jack Daniel is here. He was one of the founders of the original B-Sides in Las Vegas. Let's go talk to him!
Stay tuned for part two of our coverage of B-Sides DC.