
9/9/2014
12:00 PM
Kerstyn Clover
Commentary

Black Hat & DEF CON: 3 Lessons From A Newbie

Security conferences are a lot like metal concerts: Your parents are terrified you're going to die because everyone looks scary, but 98 percent of attendees are really nice people who want to help you learn.

I was lucky enough to receive one of several free passes to the recent Black Hat 2014 in Las Vegas from WhiteHat Security’s Robert Hansen (@rsnake) and Juniper Network’s Christofer Hoff (@beaker). The passes were distributed to young women like me who are new to the industry and have never had the opportunity to attend the storied annual event in the gambling capital of the world.

It was a whirlwind week that included DEF CON 22 -- because, after all, what is a trip to Black Hat without attending DEF CON? Here are a few things I learned.

Curiosity trumps fear
Believe it or not, there were many points before the show when I nearly surrendered my pass to allow someone more experienced or qualified to take my place. As I connected with the many amazing people who told me about the conferences and helped me attend, I started poring over forums and blogs trying to prepare myself for what on earth I was getting into.

What if I got flustered and hid out in my hotel room? What if I embarrassed myself in front of someone that's huge in the industry? I'd be a pariah forever! More than that, I grew concerned by the sheer number of jokes about deodorant and the lack thereof (at DEF CON more so than Black Hat).

The trip was overwhelming and in more ways than I could have wildly imagined -- even after all my research -- but in a great way. It took me days to sort through all of my new contacts, and I'm still reconnecting with people. There were more demonstrations, trainings, seminars, and talks than I think I could process in a year. Most importantly, the atmosphere was one of encouragement. My questions received helpful and enthusiastic answers rather than the laughter or criticism I so feared.

Pay it forward
I always hear people say "pay it forward." That implies being given something before you actually have something that you can pass on to someone else. Obviously, this was the sentiment shared by the many people who helped me (a total stranger) by funding my travel, sharing rooms, and providing free passes to the event.

In the same vein, I think the biggest smile I had on my face the entire week was about 10 minutes after I picked my very first lock with help from the Lockpick Village at DEF CON. There was a young girl hovering over my shoulder while I worked, and I offered her and her friend the loaner tools and what little knowledge I had just picked up.

All three of us were thrilled when one of them first popped a lock. That, to me, was the perfect example of overcoming the mindset that has held me back in the past: If I try to take the lead, people are going to find out I don't know what I'm doing! I now know that “faking” confidence, plus a cool demeanor, will get you far -- and eventually you will stop feeling like you are faking and start believing in your ability.

InfoSec rocks!
The third lesson is that this community is amazing. After my trip I've decided that security conferences like Black Hat and DEF CON are a lot like metal concerts: Your parents are terrified you're going to die because everyone looks scary. But 98 percent of the attendees are just really nice people (some with mohawks) ready to pick you up and dust you off if you fall or get knocked down.

As a staff consultant on the SecureState Attack and Defense Team, Kerstyn works with a broad range of organizations across a variety of industries on security assessments including incident response, forensic analysis, and social engineering.

Comments
TechPorVida,
User Rank: Apprentice
1/21/2015 | 4:30:34 PM
Black Hat and Def Con
Good for you! Def Con is a must-do for me every year along with Microsoft Ignite (pka TechEd.) I have yet to attend Black Hat. What's holding me back? The entry fee. I invest in Ignite which is 2K. Last time I checked Black Hat was equally as expensive. After 30 years in technology and attending conferences the percentage of women in the industry is sadly very small. I think this would be a great opportunity for Black Hat (and others) to focus on ways to increase our numbers.

Def Con Tips:

Take plenty of cash. Lockpick Village and other events/vendors take cash only (as does registration.)

Get there early. Last year I was in line at 5:30 a.m. and it took 2 hours to get to registration. They also ran out of schedules. I had to perform a "task" to get one of the few left. The task was to get a hug from anyone in less than 20 seconds. I managed but I almost didn't (shy crowd.)

Play with the gadgets. Wear the 3-D glasses. There are hidden messages all over the conference. The human badge does way more than just grant you access.

Turn off your wifi and bluetooth. Otherwise you'll end up on the Wall of Sheep.

Get your schedule figured out quickly. Last year some lectures were so full you couldn't get in.
Marilyn Cohodas,
User Rank: Strategist
9/11/2014 | 3:42:11 PM
Re: Good move for security industry to encourage newbies
Sounds like we have a plan! Any other activists in the Dark Reading community for this initiative? Raise your hand (or comment) here. 
Kerstyn Clover,
User Rank: Moderator
9/11/2014 | 3:35:38 PM
Re: Good move for security industry to encourage newbies
I agree completely. I'm also brewing plenty of ideas of my own :) There are a lot of information security conferences out there that I'm sure a lot of people could use some help getting to attend, and they would give a great foot in the door to the industry!
Marilyn Cohodas,
User Rank: Strategist
9/11/2014 | 3:30:36 PM
Re: Good move for security industry to encourage newbies
Maybe a good idea for a more concerted effort by Black Hat for next year (hint, hint).

Nice to hear about the crowdfunding effort from Bugcrowd, as well. (Note to self: blog about the idea to promote more of same for Black Hat 2015).

 
Kerstyn Clover
50%
50%
Kerstyn Clover,
User Rank: Moderator
9/11/2014 | 2:27:38 PM
Re: Good move for security industry to encourage newbies
Marilyn,

As far as I know this wasn't part of a program - the first I heard about it was just Robert taking the initiative and sharing on Facebook. I think I did hear later that I guess the Black Hat board donated a couple of passes once Hoff (and maybe another person/people?) joined in and the idea caught some attention which I thought was very cool.

Edit to add: Marisa and Bugcrowd were a big help in starting a crowdfund venture for one attendee coming in from Colombia to afford airfare. Also not a formal program but a great effort!
Kerstyn Clover,
User Rank: Moderator
9/11/2014 | 2:24:41 PM
Re: good for you Kerstyn
Hello fellow Kirsten variant! Unfortunately I have to let my mom take credit for my spelling.

 

There were definitely a few times that I escaped off to hold up a wall and take a breather from all the people. I'm pretty extroverted but there is just so much going on. I think being in Vegas for the first time by itself would be overwhelming, so the added conferences were just piling more on top.

 

At least embarrassing encounters are usually funny stories later. That's what I tell myself, at least.... :)
Krenner,
User Rank: Apprentice
9/9/2014 | 2:13:21 PM
good for you Kerstyn
Hey Kerstyn,

First of all, I love how you spell our name ;-)

Second – my first trip to DefCon I DID "[get] flustered and hide out in my hotel room?" (a little) AND "embarrass myself in front of someone that's huge in the industry" *see note below

*I literally walked up to Dark Tangent and said "you look familiar" while I was standing in his penthouse (and I was completely sober). Haha

I'm so glad Robert did what he did. He also provided a pass for a friend of mine, an engineering entrepreneur.
And I agree, such a GREAT community. I hope I never have to do any other sort of recruiting – this is the crowd I want to stick with!

Congrats on your first tour – and your lock picking success (this was a highlight for my teenage son last year who DefCon embraced with open arms)!!

See you there next yr,

~Kirsten
Marilyn Cohodas,
User Rank: Strategist
9/9/2014 | 12:13:40 PM
Good move for security industry to encourage newbies
I'm so glad to hear that the security industry is being proactive about recruiting talented young women to Black Hat. Was this part of a larger program? 