There’s been quite a bit of drama with regards to whether or not to boycott the RSA conference over a deal that the RSA security vendor had made with the NSA. I will not be rehashing it here.

What I will say is that I can respect individual decisions for principled reasons.

My own choice is also based on a calculus of my principles; I hope those who made a different choice can respect that.

I will be speaking at RSA – for a number of very nuanced reasons.

Of these, the clearest in my mind was simply this…

I research security to help people better defend themselves and things that matter.

Love or hate the RSA Conference, it is the annual heartbeat of the security industry and for many mainstream security professionals, this is their best chance to learn, challenge themselves and interact with the industry’s leading minds. I thought long and hard about all of the sides of this issue and decided that those most likely to be hurt by me boycotting were the very people I do this for.

Trust has been damaged on many fronts over the last year. I believe these issues cut to the core of the industry and our “community”. They will need hard discussion and debate – and I will be there to make sure that happens.

My Speaking Slots:

Both Sunday and Monday, February 23/24, 2:00 – 6:00 PM — BsidesSF at DNA Lounge 

“I am The Cavalry” @ #BSidesSF DNA Lounge is at 375 Eleventh Street San Francisco, CA 94103

Our dependence on technology is growing faster than our ability to defend it. The Cavalry isn’t coming. It falls to us… While its roots come from many places, a key moment for the @iamthecavalry movement was my #BSidesSF closing keynote last year. One year later, we have a large and growing movement of security professionals focussed on having impact on security of consequence. As our focus converges on technologies with the potential to impact human life and public safety, come hear what we’re doing regarding Auto, Medical, Home Electronics, and Public Infrastructure. The full agenda for our 2 days of working session is posted at the BSidesSF Website.

I am The Cavalry

Tuesday, February 25, 8:00 AM PM – RSA USA – South “Viewing Point” in Gateway Halls – Keynote Commentary

“Expert” Commentary for Day 1 Keynotes

RSA is always experimenting. This year in the “Viewing Point” in Moscone South, folks can watch the Tuesday  keynotes with some running commentary and play by play analysis. I’ll be joined by Hugh Thompson and Wendy Nather for what should be a bit of fun and analysis, but will hopefully help to frame the discussions and the rest of the week.

Tuesday, February 25, 3:00 – 3:30 PM – RSA USA – North Room 134 – Speaker

Call in the Cavalry – WHY We Need The Cavalry and Why It Falls to Us

Our dependence on IT has grown faster than our ability to protect it. What was once our hobby became our profession, and now permeates every aspect of our lives. In this swarming internet of things, vulnerable, connected technologies now permeate every aspect of our lives. While our best and brightest struggle to defend our enterprises, no one is even thinking about our growing dependence and exposure. The sad news is… the cavalry isn’t coming – it falls to us. We must be the adults in the room. We must ready ourselves to be ambassadors of technical literacy and the voice of reason. We have to be better… and we will be… starting now.

Much of RSA Conference is about protecting your enterprise. We are very pleased that RSA acknowledged the need also focus our best and brightest on security for the internet of things. My Tuesday “WHY the Cavalry” talk is the first of three 30 minute Cavalry talks at RSA. On Wednesday, Nicholas Percoco will explain WHAT the Cavalry must lead. On Thursday Katie Moussouris will outline HOW the Cavalry will affect change. All three #RSAC Cavalry talks are listed here.  Also, come talk about the mission at out booth in the Sandbox:

  • Tuesday 1:00-5:00pm
  • Wednesday 8:30am – 1:00pm
  • Thursday 8:30am – 1:00pm
Wednesday, February 26, 10:40 – 11:40 AM – RSA USA – West Room 2014 – Panelist

ASEC-W03 – DevOps/Security Myths Debunked

As DevOps has become more popular a lot of myths have arisen with regards to security and many opponents claiming that you can’t do security in a DevOps environment. This panel will address a number of those myths and demonstrate how you can embrace DevOps and maintain the appropriate security profile for your organization.

Dwayne Melancon will once again moderate myself and fellow Rugged DevOps trailblazers: Gene KimDavid Mortman, and Nick Galbreath. The great news is that the ranks of security DevOps boundary spanners is growing to include folks like Neil MacDonald, Rich Mogull, Dan Kaminsky and others. If this is a new or threatening subject, my 30m RSA Europe 2013 Keynote was a good introduction:

Thursday, February 27, 8:00 – 9:00 AM – RSA USA – West Room 2020 – Co-Presenter

STR-R01 – Not Go Quietly: Surprising Strategies and Teammates to Adapt and Overcome

Nearly every aspect of our job as defenders has gotten more difficult and more complex—escalating threat, massive IT change, burdensome compliance reporting, all with stagnant security budgets and headcount. Rather than surrender, it’s now time to fight back. This session will provide new approaches to finding financial and operational support for information security across the organization.

I’ll ride once more with David Etue for Part 3 of our “Modern Security Strategy Trilogy” based on work we’ve together over several years.
NOTE: The slides and visuals came out WELL BEYOND my expectations. You do not want to miss this.
Friday, February 28, 9:00 – 10:00 AM – RSA USA – West Room 2014 – Co-Presenter

ASEC-F01 – Software Liability?: The Worst Possible Idea (Except for all Others)

Nearly While many had hoped that market competition would influence security improvements, customers are forced to accept software as is with no alternatives. Software is responsible for our critical infrastructure, cars, medical devices and is a part of our daily lives including our well-being. Will we be able to achieve better software security without vendors facing financial consequences?

I’ve not yet worked with Jake before but we have had spirited exchanges in the past. We have come into the topic of Software Liability from very different paths, but it has been a good complement and I really hope this advances what is often a thought terminating debate. Jake knows a ton about how the Insurance industry has been looking at the issues. He also has an interesting vantage point through his work with the Open Source Vulnerability Database (OSVDB).
I hope to meet new people and new teammates.

Echo: Did I fall asleep?

Topher: For a little while.

I haven’t written here for almost a year.

The short version is my mother died last January.

I may eventually write more about it, but here is a quick bit.

Few things can rock your world like losing a parent – especially so young.

Two things happened instantly:

  1. My priorities of what truly mattered to me were crystalized
  2. I became hyper-conscious of time

One way (of many) to describe how I look back at 2013…

…I feel like maybe a boxer might when they get hit really hard. I know I kept fighting. My vision was blurred. My hearing was muffled and my ears ringing. I don’t full remember all the details, but over time they slowly came back to me.

It turns out, I was actually doing a lot of great things. I hope to catch up on some of it here in the near future.

I was more raw and candid, but also more vulnerable – and in that vulnerability, I was able to make deeper and more authentic connections with people.

In fact, I came out a lot stronger and clarified – and accomplished quite a bit (both individually and with others).

My “year of 1sts” is now behind me. While I’ll never be fully “over it”, I believe I’ve crossed a major time/space/emotional boundary.

I’m back, so to speak. I hope to start blogging here more frequently.

Q: Are you going to RSA?

A: Of course. RSA is mandatory punishment for people like me.

Like I said just before RSA USA 2012, each year at RSA I want to quit security.

At the end of the day, like with most things…

…it is what you make of it. Make it matter this year. Demand better. I will be.

My suggestions on are worth re-reading :

  • People Value
  • Non-RSA Venue
  • The Bizarre Bazaar of the Exhibit Floor

Anticipated Buzz-Words:

Remember: Just because a buzzword is abused and/or nausiating, doesn’t mean all uses or the ideas/facts behind them are nonsense. The trick is to ask people to define their use, defend their use, and provide specifics.

  • Big Data: This will be the least clear and most abused. It isn’t just having a hadoop cluster or *B or *flops of useless data.
  • Actionable Intelligence: Done right, this is becoming table stakes. Done wrong, this is a marketing retread. Ask for specifics. Most are offering a data feed. Good programs are combining and enriching from OSINT, HUMINT, SIGINT, pay-for feeds of various types, information sharing communities/pilots. This topic is worth sifting out Signal from Noise.
  • Offensive Security: For some, the term itself is “offensive”. This often is heard as “Hack Back”. Which is for most, a really, really bad idea. Aside from the legal or attribution debates… if you can’t consistently change default passwds or basic access control, why do you think you’ll win an escalating fisticuffs with your attacker? My Wed 1pm panel (END-W25) will try to clarify this.
  • Active DefenseThis is a less offensive spin on “Offense”, but definitions vary tremendously. It often means beginning to use deception, deterrence, increased work effort/work factor, increasing the entropy of the attack/er, etc. Again, my Wed 1pm panel (END-W25) will try to clarify this.
  • APT or APT1: Yes folks. The Kitten-Killing, Thought-Terminating Cliche’ is back. Given the one two punch of the Executive Order and the hotly debated APT1 materials put out by Mandiant; China, China, China will be discussed. Not all espionage is out of China. Lots is. Get past the groaning and try to get to substance.
  • Adversary: This is a good one I am pleased to see entering the lexicon. While many “thought leaders” dogmatically fight the inclusion of adversary analysis, they are wrong 😉 . The programs that are modernizing are trying to weave in the chaining of Adversaries -> Motivation Structures -> Preferred Assets Types -> Their Common/Range of TTPs (Tactics, Techniques & Procedures). Much like this artifact from our Adversary talk from RSA last year (slideshare here).


My Speaking Slots:

Monday, February 25, 3:30 PM – RSA USA – Innovators Sandbox – Room 134 – Facilitator

ISB-001 – Do You Know Your Enemy Enemies?: WHO & WHY do matter…

Much of RSA Conference will focus on WHAT & HOW; at Innovation Sandbox we will focus on WHO & WHY. From script kiddies to nation states (or chaotic actor/hacktivists to citizen soldier militias)… gone are the days where our adversaries are only financially driven. We now face a pantheon of adversaries – each with varying motivational structures, preferred asset type(s), capabilities and levels of skill/determination. This facilitated white boarding session will discuss the characteristics of modern adversaries and hopefully raise questions (and answers) on their implications to our risk management priorities.

This White Boarding session should be both fun and challenging – given the innovative crowd.

Monday, February 25, 4:00 – 5:30 PM — BsidesSF at DNA Lounge 

Closing Keynote: Joshua Corman

DNA Lounge is at 375 Eleventh Street San Francisco, CA 94103
I will be “taking the gloves off” in this audience of fellow digerati. We are not getting better (enough), fast enough. We are part of the problem. We need to level-up and we need to entertain some uncomfortable ideas. The pot will be stirred. If there is anything you’ve wished you could say to them, you have a few more days to load me up…It will be followed immediately by: “We Quit” – A Roast of the Infosec Business hosted by Jack Daniel, JadedSecurity, and Javvad Malik.

Tuesday, February 26, 3:50 – 4:50 PM – RSA USA – Room 132 – Panelist

ASEC-T19 – Making Rugged DevOps and Infosec Work

Because of widespread cloud adoption and the DevOps movement, information security has never been at more risk of being completely marginalized by development and the business. This panel will discuss how information security can integrate into these value streams, where agile businesses routinely conjure thousands of compute instances doing over 1000 deploys per day.

Dwayne Melancon will moderate myself and fellow Rugged DevOps trailblazers: Gene Kim, David Mortman, and Nick Galbreath.

Wednesday, February 27, 1:00 – 2:00 PM – RSA USA – Room 309 – Moderator

END-W25 – Offensive Security: Hope or Hype?

With the threat environment dramatically changing, there is a new consensus that it is almost impossible to keep targeted attackers out of any large-scale network. This panel will discuss new thinking around “Active Defense,” or what some would term “Offensive Activities.” We will explore the pros/cons of enacting an offensive security position in defending a company’s networks.

This one is going to be feisty. Born out of some hot offline debates, this clash of the titans needed to happen. I will have my hands full moderating, but I am up for the challenge – and for challenging them. Come watch George Kurtz (CEO of CrowdStrike), Chris Hoff (Juniper), Adam O’Donnell (Sourcefire) and Andrew Woods (Stanford) duke it out. Got anything you want asked?

Thursday, February 28, 8:00 – 9:00 AM – RSA USA – Room 135 – Panelist

HT-R31 – Mayans, Mayhem and Malware

This panel focuses on the persistent gaps and perennial conditions confronting organizations today, notably in areas of compliance and governance related to threat mitigation, education and awareness. Also, we examine the resurgence of advanced, malicious code & content intelligent enough to obfuscate, assess, re-assess and execute against a programmatic strategy.

Will Gragido, Brian Honan and I tried this at RSA Europe and it was surprisingly good – realistic and griity and honest… This time we’re adding two other dynamic characters.

Friday, March 01, 9:00 – 10:00 AM – RSA USA – Room 133 – Co-Presenter

GRC-F41 – Control Quotient: Adaptive Strategies for Gracefully Losing Control

Cloud, virtualization, mobility and consumerization have greatly changed how IT assets are owned and operated. Rather than focusing on loss of security control, the path forward is cultural change that finds serenity and harnesses the control we’ve kept. The Control Quotient is a model based on control and trust, allowing proper application of security controls, even in challenging environments.

I’m teaming up again with David Etue and we’ve been maturing this idea/approach over several years. A lot of my best concepts/models are born near the end of final content creation. This happened again this year with this talk. One of our new models has been sanity checked with a few of you and we’re excited that it will pack a real punch.

I regret this is so early on the last day but this is not one to miss.

The 6 minute RSA Podcast pre-interview of our talk is posted here.

The security challenges have REALLY stepped it up… it’s time we do.

This is not a book review.

This is a fork in the road for every IT security professional – and the clock is ticking:

We can make excuses; or we can make changes.

Security is hard – increasingly so. At times it feels as if we’re pre-ordained to failure. In our bones we know it doesn’t have to be this way. Yet year after year, we remain marginalized and at odds with the business. Thus far, we’ve struggled to find anything resembling a game changer.

Here is your game changer:

The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win


While we hate to admit it, we know our security “Best practices” aren’t – that “Good enough” isn’t.  Our dependence on IT is growing faster than our ability to secure it. Moreover, the consequences of our failures have grown more severe.

There has to be a better way. For those of you who know me, I am convinced our current approaches cannot scale and have dedicated myself to help get the security community un-stuck – to reframe the issues – to experiment – to find a better way.

In 2007, a mentor told me if I truly want to transform the way security is done, I must read The Goal. What the HECK could a novel about the failing US manufacturing industry have to do with security?! But Eli Goldratt’s Theory of Constraints and continuous process improvement fundamentally transformed and rescued manufacturing, as we know it.

As “The Goal’s” spiritual successor for IT, Gene’s “Phoenix Project” outlines our fundamental transformation. This sorely needed narrative meets us in our compliance-distracted, security-debt-saddled despair but credibly paints our journey of redemption through the “3 ways” – grounded in fact and real world successes.

While we focus upon (and wallow in) failure, Gene has been seeking and studying achievement. While we remain isolated within the security echo chamber, Gene has studied high performers outside of it. Gene’s seminal research in Visible Ops on high performers in IT was just the beginning. For the last few years, Gene has been a force of nature within the DevOps revolution. It has been my honor and privilege to collaborate with him.

Gene Kim is our quintessential boundary spanner. His novel puts our security struggle into the broader context of the conflict between IT and the Business. It is cathartic and uncomfortable, but also instructive and inspiring. IT is undergoing a transformation with DevOps; where Development and Operations have figured out how to work together in ways that not only eliminate conflict, but allow organizations to drive value and do things they didn’t think possible. It is their philosophy and attitude that are most essential and can serve as a blueprint for any of us – in any type or size of organization.

This IT revolution is the moment security has been waiting for; the likes of which we may not see again for 30 years. We have a singular opportunity to change with it. What’s more, the DevOps pioneers are embracing Rugged DevOps with open arms. Are we ready to evolve and be embraced? If not now, when? If not us, who? This revolution has started without us, but it is not too late. We can break out of this death spiral.

To this end, Gene has made the first half of the book free for security professionals to read and share.
Download link HERE.

Read this book, now. Give it to your boss, your CIO, your CEO, and your peers.
Don’t be surprised if you can’t put it down. You will not look at your role the same way again.

There is a better way. Join the tribe.


Joshua Corman


DEF CON 19 Whoever Fights Monsters Q&A

DEF CON 19 Whoever Fights Monsters Q&A [No. Josh is not a member of Anonymous]

Will you be headed out to Vegas for this year’s MegaHackerWeek ? If so, I’d love to meet you.

I know some people get fatigued with the scene and some of these conferences, but I personally find the week incredibly valuable. Like with most things, you get out what you put in. Much like the RSA Conference does for the corporate/commercial side of the industry, this week in the desert is the heartbeat of the research and hacker community for the year.

While our challenges in security are tremendous, the intellectual potential in the hallways and bars of Vegas is humbling and inspiring. I look at this week as an asymmetric window of opportunity to:

    • determine the thrust and Zeitgeist of our demographic (in the now)
    • help to frame and set the tone for the next 12 months
    • challenge my various colleagues and teammates (and myself) out of respective ruts and comfort zones
    • meet new people and get to know people better in meat space
    • find new collaborators
    • stimulate new research topics and insights
    • eat bacon wrapped, almond stuffed dates (#BWASD) with red wine reduction and bleu cheese crumble
Bacon-Wrapped, Almond Stuffed Dates with Red Wine Reduction and Bleu Cheese Crumble

Bacon-Wrapped, Almond Stuffed Dates with Red Wine Reduction and Bleu Cheese Crumble

Highlights of Last Year

Here are a few of the things I fondly remember from last year:


At #BsidesLV in 2011, a few of us launched the beginning of acknowledging and studying the levels of fatigue and burnout in our industry and demographic. The room was honest and cathartic and intense. Seeing we had clearly struck a nerve, we later invested in the formal Maslach Burnout Inventory and presented more data at the RSA 2012 conference this spring. While there is much more to do, we’ve brought some of the challenges and support gaps to the surface and have started something needed. You can follow @SecBurnOut on twitter and the expanded IT Burnout Project. Many thanks to Jack Daniel, Dr. Stacy Thayer, KC Yerrid, Martin McKeay, and Gal Shpantzer who helped to kick-start the initiative.

Confronting Anonymous:

At DEF CON 19, we braved our “Whoever Fights Monsters” panel where we tackled the rise of Anonymous in a substantive way – perhaps for the first time. After Aaron Barr was legal-threatened off the panel and another quit fearing retaliation, we pulled together:

    • Joshua Corman (@joshcorman) <- me
    • Brian Martin / Jericho (@attritionorg)
    • “Baron von Arrrr” / Scot Terban (@krypt3ia)
    • Paul Roberts (@paulfroberts) <- As Moderator

The video of our panel and the more intense and meaningful audio of our Q&A room are both posted in the conclusion of our Building a Better Anonymous Series – which Jericho and I researched and wrote over this past year. The exchanges were so intense – and the press/industry/community knowledge was so poor – that we felt we had to drive this dialectic forward.

Winning Hacker Pyramid:

Somehow I went from watching 10,000 cent Hacker Pyramid to joining Dan Kaminsky in defending the crown. While Rogue Clown and Jayson Street were impressive and fought admirably in the final round, Dan and I squeaked out the win. This year, they are “in it to win it” and all manner of smack talk has already begun.

DEFCON19_HackerPyramid_WINNERS via CoolAcid

DEFCON19 HackerPyramid WINNERS via CoolAcid

HDMoore’s Law:

While technically born during Metricon 6 in San Francisco the Tuesday after DEF CON 19… a concept like HDMoore’s Law can really only be born after spending a week in Vegas, surrounded by brilliant hackers and pentesters, getting the bartender at the 303 party to pour HD Moore some stiffer cocktails while listening to nerdcore and then turning your brain inside out with a bunch of statisticians and risk professionals at a Metrics conference. While my brain felt as if it had been through an unnatural act, HDMoore’s Law turns out to have been a pretty useful concept – and many a practitioner is putting it into action in their environments.

Casual Attacker power grows at the rate of Metasploit

My Speaking Slots:

Tuesday, July 24 – 4:00 PM – Black Hat Executive Briefings (Caesars Palace)

Closing Panel – Analytical Response and Discussion

    • Joshua Corman
    • Rob Joyce
    • Rich Mogull
    • Kevin Overcash

After a full day of CISO briefings and discussions on this year’s Black Hat presentation themes, we’ll provide some broader context,  framing and friendly debate – to help enhance the CISOs’ experiences through out the rest of the week.

Tuesday, July 24 – 6:00 PM – CodenomiCON 2012 (Bellagio)

Unconventional Adversaries vs Conventional Wisdom

I’ll give give a short but hitting look at how two adversary classes have shattered a lot of security “conventional wisdom”.

Wednesday and Thursday, July 25 & 26 – #BSidesLV (The Artisan)

Interviews and Honey Badgers

Martin McKeay and I will be interviewing speakers and attendees on and off for most of the two days. I’ll also be giving away Honey Badger T-Shirts. There are far too few of you wearing Honey Badger T-Shirts. Find me or Martin.

Friday, July 27 – 8:00 PM (pretty sure) – Track 3 – DEFCON 20 (Rio)

25,000 cent Hacker Pyramid

Dan Kaminsky and I will attempt to retain the title.

Saturday, July 28 – 10:00 AM – Track 2 – DEFCON 20 (Rio)

World War 3.0 – Chaos, Control & The Battle for the Net

    • Michael J Gross – Moderator and author of World War 3.0 piece in Vanity Fair May 2012
    • Jeff Moss (The Dark Tangent)
    • Joshua Corman
    • Dan Kaminsky
    • Rod Beckstrom (playing the part of Vint Cerf)

This panel (FULL ABSTRACT) will build upon the Vanity Fair piece profiling these panelists and the escalating tension/conflict between forces of chaos and control – threatening a free and open internet. The December meetings of the ITU will likely bring these issues to a head. What role will the DEF CON community play in the coming months as this story and the fallout unfold?

Saturday, July 28 – 9:00 PM – Track 2 – DEFCON 20 (Rio)

FILM SCREENING and Q&A: We Are Legion by Brian Knappenberger

We’ll screen Brian’s documentary on Anonymous. I’ve seen an early cut and it was excellent. The film features several DEF CON speakers who will also do a Q&A after the film: Richard Theime, Chris Wysopal (WeldPond), Jericho, myself, Biella Coleman and loads of Anonymous members. Here is the Trailer.


Be sure to:

    • hydrate
    • pace yourself
    • hydrate
    • meet NEW people
    • hydrate
    • see NEW speakers
    • hydrate
    • be diligent about “how you can I bring this back with me and apply it?”

Hope to see you in Vegas!

Read the rest of this entry »

g0n3 ph1sh1ng

g0n3 ph1sh1ng

Gone Phishing…

It’s summer time here in the northern hemisphere. A friend is about to go on a camping and fishing trip and it got me a bit nostalgic about my youth. Below is a “starter list” of tweet-able phrases that came to mind.

Please add your own.


Remember when fishing was done with a rod & reel – finding quiet time in nature?


Remember when tweet was what the birds did in the trees along the water?


Remember when logs were for burning in the campfire?
Remember when flame was what you stared into for hours, like your ancestors did, contemplating the universe while you absorb its warmth and light?
Remember when flicker was what the flames did?


Remember when SPAM was a salty (but tasty), meaty, campfire treat?


Remember when Four Square was a game you played with chalk and other children on the pavement?


Remember when friends… were? when they were people you spent time with, who knew you better than you knew yourself?


Remember when clouds were what you’d assign animal shapes to – while you laid on a grassy hill – emptying your mind on an idle afternoon?


Remember when apt meant “quick at learning”? like apt at learning to whittle wood – or build a fire – or tie a lure?


Remember when anonymous simply meant “unnamed author” of the quote of wisdom or poem carved into the picnic table top?
Please take the time to get outside with loved ones once in a while.
Life is pretty short.
Be nostalgic.
Sometimes simpler is better.
[add your own in the comments and/or on twitter w/ HashTag #g0n3ph1sh1ng ]