This year’s conference in the beautiful city of San Francisco started off with a bang. Bright and early on a Sunday morning, a huge crowd gathered at the DNA Lounge to hear from industry leaders, innovators and aficionados.
It’s always inspiring to see how tight-knit and supportive the security community is, and BSides – an entirely volunteer-run event – is just one example of that.
Below is a quick recap of some of the sessions I was lucky to attend. A special thanks to Sunny from Kingman Ink, our graphic recording artist, who was there to visualize the talks in real-time.
A Declaration of the Independence of Cyberspace
Speaker: John Perry Barlow (@JPBarlow)
We began the day with an inspiring keynote by John Perry Barlow, founder of the Electronic Frontier Foundation (EFF) and author of the Declaration of the Independence of Cyberspace back in 1996.
Barlow discussed with the audience some of the reasons why he decided to write this piece and his motivations for starting the pro-privacy organization.
“I felt people needed to know what space they were in, in order to have a sense of their rights,” he said, recalling the time when he realized the federal government had discovered the Internet.
“Cyberspace had been invaded by not very bright, extremely well-armed and anti-clued people, and as such, our rights were in danger,” Barlow said.
He noted that behind the EFF was the objective of defending the First and Fourth Amendments – the First also applying to electronically transmitted material.
“The first amendment, along with the rest, was a set of local ordinances. Cyberspace was not going to be susceptible to those ordinances. The thing that made it so free was also the thing that made it so that rights could not be assured – in order to do so, you have to have the ability to take it away.”
Barlow also touched on the recent Apple vs. FBI debate, stating that the government was using these terrorists to “drive a wedge into the real security of the nation.”
Lastly, Barlow added that a cyber patriot is someone who believes that everybody, everywhere has the right to know.
“Cyberspace patriotism is very simply defending the open network – from the end to the end. You guys are the people who define where that end is,” he said.
The Tales of a Bug Bounty Hunter
Speaker: Arne Swinnen (@ArneSwinnen)
Next up was Arne Swinnen, an IT security consultant and co-founder of Cyber Security Challenge Belgium, who walked us through his discovery of several interesting vulnerabilities in Instagram.
A bug bounty hunter for fun and profit, Swinnen explained how he was able to rack up nearly $10,000 from responsibly disclosing nine flaws in the popular app.
From attempting to hijack the instagram.com subdomain on a local network to trying to take over an account via the “change email” feature, Swinnen reported numerous issues – some reaping higher rewards than others.
One clever hack involved Swinnen earning cash by requesting that Instagram call a premium-rate phone number he had registered in order to verify his account. When Facebook replied saying this was not a security vulnerability but rather intentional product behavior, Swinnen responded by calculating that generating calls for 100 accounts could make him $200 per hour, $2,800 per day and a total of $144,000 a month.
Facebook then said it would fine-tune its rate limits and awarded him $2,000 for reporting the bug.
Swinnen ended his talk with a few words of advice for other bug bounty hunters out there:
“If you’re hunting, try harder; if you’re reporting, be patient; if you’re disclosing, be responsible.”
Slides of his talk are available here.
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Information Security
Speakers: Matthew Hathaway (@TheWay99) & Alexandre Sieira (@AlexandreSieira)
Despite a few technical glitches, Matthew Hathaway and Alexandre Sieira gave an interesting talk on behavioral economics and how human behavior impacts the infosec world.
The duo drove home the idea that information security is really all about people, and that it is important to understand how users think in order to better understand your role as a security practitioner.
One of the points they discussed was when and why humans cheat – people will cheat as long as they can rationalize it without feeling guilty. For online hackers, for example, distance makes cheating easier to justify, as they may feel the information they are stealing is not a real thing.
A potential solution to this, the speakers suggested, would be to make cheating more concrete and make people understand that there are real-life consequences. They also mentioned studies showing that if you remind people about moral codes or the responsibility to act correctly, cheating can be reduced.
Hackers Hiring Hackers: How to Hack the Job Search and Hack Talent
Speaker: IrishMASMS (@IrishMASMS)
This session provided many great tips and takeaways for both applicants in the security field and hiring managers.
Actionable advice for applicants included:
- Ensure the experience on your resume reflects your background and the role you are applying for.
- Seek out a friend who is a journalist/wordsmith to help you perfect your resume.
- Be careful with the buzzwords, and don’t stretch the truth.
- File names make a difference.
- When applying through an Applicant Tracking System (ATS), be quick to apply (some selection processes give you a higher score if you’re early).
- Since we’re in infosec, digital signatures are a bonus.
- Do not put malicious code or trackers into your resume or cover letter.
- And lastly, use a professional-looking email address.
For hiring managers, a few things to keep in mind and good tips to follow:
- Interviews can be very anxiety-inducing (especially for introverts), so try to keep them fair.
- “Stump the monkey” isn’t fun anymore and does nothing to convey how good an applicant is or how good they could be.
- Avoid close-ended questions.
- ‘Job hopping’ should not be a concern… things happen that are out of our control.
- For applicants that were not selected, provide feedback on issues or errors if HR/legal allows.
The speaker also made a great point on the importance of knowing your worth, especially the women in the information security field – do not sell yourself short!
“Employers forget that the impression they leave on their employees – past and present – influences income, reputation and business development in ways unknown.” – @kjvalentine
Guest to Root: How to Hack Your Own Career Path and Stand Out
Speaker: Javvad Malik (@J4vv4D)
The last session I attended was by security blogger and vlogger Javvad Malik. He was enthusiastic to speak and shared with us his experiences in developing a career in the field.
He pointed out a few good habits of highly effective industry professionals, such as making others look good instead of pulling them down; being a creator, not a consumer; being known for the success of others; and embracing one’s own limitations.
“What are you doing to get yourself noticed?” Malik asked. “When you leave a job, will you think about the projects that you worked on? Have you left behind enough legacy that they wouldn’t mind having you back?”
He concluded by encouraging us to find our niche, which he believes is the intersection between our expertise and one of our passions.
He also urged us to step outside our comfort zone, continue to acquire skills and protect our reputation.
“Your industry needs you… The only limits are your own.”