Shmoocon Again

2022 edition after it was cancelled last year.

As I said in the last entry, I’m really leaning towards not going again. I’ll probably do the Shmooze-a-student, and sell the ticket that comes with it at cost.

Physically, I just can’t do it anymore.

Reflecting on it, though, notably absent were both the detest of the “other side” of US politics, and the self-assured consensus that the participants’ political views were going to make everything okay.

One of the things from the last one was the whole Russian collusion narrative about President Trump. This was my thinking

There are many people who still believe that stuff.

But there’s still, too, people who believe that Trump won in 2020.

I think there’s something about admitting when your initial take on something was incorrect.

It’s probably not fair to expect a speaker at a convention to come back and say, “yeah, about that,” but continued silence from others makes me wonder.

I’m not saying that you come out and shit on previous speakers’ bits, but you can, at least, revisit a bit later.

But on to the individual talks’ reax….


First Up….

Log capture and analysis. If a bear splints in a forest, does anybody care? (That’s what I typed at the time, and I’m not sure if that was the correct word. MacBook Air doesn’t stay on my belly reliably.)

Part of what I’m doing in my current role is dealing with implementing a Commercial-Off-The-Shelf product to do log monitoring.

But, for my situation, there’s enough multi-layer security that these COTS products aren’t really useful.

At least, now, I’m not getting pressured to loosen layers of the security stack to let these commercial products work as designed.


Next up

I tend to use ProtonVPN because I’m cheap, and it’s included with my ProtonMail subscription.

(I went with ProtonMail because I felt better about the Swiss protecting customers’ privacy. The Swiss government’s response to Russia gives me a bit of pause, but I still feel better about it than anything in the US, EU, or Soviet Canuckistan…)

The tagline of this site works in reverse, too. Anytime you do something online, somebody can probably snoop on it. Deal with it.

Temporal connections are tougher to crack, but everything can be cracked.. It’s not a question of if, it’s a question of when.

The talk went into something about APIs, and I think I started to lose the handle on the talk(s). Maybe the next part was about a different presentation, altogether? I don’t know.

Use modern web API programming techniques for …?

ARM microcontrollers are ubiquitous.

You can tell from the headers of the binaries. Mix and match thereafter.

Stepped out because I didn’t think IU’d get a lot of benefit out of it, and I wasn’t feeling well.


Scheep.

Reading the description, it sounds a bit like a new form of a honeypot; something there just for people to fuck with to no avail.

I’m having flashbacks to when I put a GNU/Hurd box on a publicly-accessible IPv4 address to see how long it took someone to break in. With Telnet enabled.

It took a Navy Red Team friend several days, but he eventually cracked the password, get a command shell, then didn’t know what the fuck to do with it.

Due to technical difficulties, presentation didn’t start until nearly twenty minutes late.

This is an attempt to create a Web Service, not a regular binary on the host.

Good sandbox for both red and blue teams; tracks everything

Using a packet sniffer, the developer was able to capture HTTP packets, and assemble an HTTP session. From that assembled HTTP session, he could start figuring out some things.

Bulk command shove; no idea who ran which command.

The developer used remote shell over HTTP to sites around the world.

For the Windows stuff, he was operating on the WinSock DLL.

(When I did some programming, I found that DLL to be, ummm…ancient. Maybe it’s gotten better since I was plunking away on it in 2006.)

He is planning to “open source” the code, but Larry Ellison executing his jerk options again.

It does sound like neat tech. I’m not sure I completely understand how it’s used, but, then, I’m not a pen tester.


This one about broadcast satellites.

Yes, this is fascinating stuff for me, with my past in the broadcast industry.

I’m having flashbacks to cleaning fourteen inches of snow out of a C-Band reciever.

(I ended up buying every jug of windshield washer fluid at the 7-Eleven on the way to the transmitter site, and pouring that over the dish until I could get the dish clear enough to pull a signal again.)

The bit about the higher orbit for spent satellites is fascinating to me. I kind of had just figured they let them fall out of orbit. But that they send them higher, so they’re out-of-the-way explains the ring of space junk.


Discussion of odd WordPress plugins that might have security issues.

I understand it, but this, and the work call that had me watching this over the stream link from my hotel room, really reinforce my commitment to not using anything that’s not supported directly by a vendor.

Trying to do this stuff in-house is just too fraught with peril for my tasted.

Interesting aside that the totes-didn’t-used-to-do-evil search company downlinks sites that have WP vulgarities. I, generally, think that SEO is snake oil, but if that’s what that formerly not-evil company is doing, well…

Static front page that gets picked up, then escort users in after they land on the static site with tons of keywords in the HEAD element.

There’s been a big push the past couple of years to force everything behind SSL. Maybe it makes sense, now, to put most content back in a place where the search engines can’t capture it?

The tagline for this blog is, “everything gets deleted, eventually.” I’m sure there’s things on the Internet I wrote years ago that don’t reflect my views today. Whatever.

As more things get pushed behind paywalls, the less background you can find on someone. I’m okay with that.


EFF presentation on some recent SCOTUS decisions.

One of the things I’d wanted to write about is looking back at Shmoocons past regarding politics.

Obama was good for privacy.

Trump was elected due to Russian meddling in 2016.

(I touched about that a bit earlier in this entry; I really shouldn’t still be annoyed by the one thing from 2020, but I am. You have to admit you’ve been wrong when that happens. This kind of speaks to another thing that’s been bothering me, lately. I’d subscribed to the position that Russia wasn’t going to invade Ukraine. I was wrong. So were the people who helped me form that conclusion.)


Watching this about crypto.

Mubix, when he sees something new, he starts trying to figure out how to misuse something. (Props!)

If you don’t include “crypto is horrible,” or “crypto sucks” when you’re coding in encryption, it will fail.

Solarwinds was relatively easy to crack because they used old protections, that was probably what caused the problems.

You can’t spell cryptography without crime.


I didn’t write much about the final concluding presentations. I did watch those, because I’d already checked out of my hotel room.

Did I have a good time? Um…I guess?

I needed to do something like that. It felt good to get out of my apartment for the first time in basically two years.

Something to discuss with my “care team” soon. Back to work tomorrow. The Thursday to Saturday thing kind of works when there’s not a Monday holiday just after.

Next year’s is the week after MLK Day, which might make things a bit strange for people.

But that I’ve not really been going to an office regularly in years makes it kind of a yawner. I probably could have worked today, if needed. Whatever.

I’m just glad it’s not going to be like 2014, where I got laid off my first day back to work after the conference and the Monday holiday.

I’ll omit the curses for that company. They did sponsor Shmoocon this year. Needless to say, I didn’t care to stop by their booth.

Own The Con 16

Discussion of how long Bruce and Heidi have been married. Sixteen years this summer. My wife and I have been together fifteen in a few years (but only married for evelven).

I remember back in the day bringing my then-girlfriend with me just so they could come close to selling out. 2008-ish?

For potential speakers, you need to follow directions exactly. (I wrote the beginnings of a talk in probably about 2010. I had about 40 minutes of speaking, and half a slide deck. I started going through potential questions from an audience, and got to one I couldn’t answer….and it was a question that really related to the heart of the presentation….so I gave up, and just bought a ticket.)

The ticket sales glut has kind of ended after they put the kibosh on second-hand ticket sales.

That actually makes me feel a bit better about my tentative intention at this point to do the Shmooze-A-Student again. If I’m financially able, I’ll buy a ticket for a kid, and sell my ticket to someone else.

Physically, I can’t do this anymore. Much of what I did yesterday was sitting in my hotel room watching the stream.

Naturally when I was younger, I really appreciated the new experiences that came along with being in DC. The novelty has more than worn off.

They saved a lot of money this year by not having the drink-a-palooza on Saturday night.

You know, I don’t think I’ve ever been to one of those. But they’re really not earning money on any of this, and are paying taxes on it.

(I’ll avoid going in go off on my bit about income taxes. More than half of the people who file don’t pay any income taxes. Payroll taxes are not taxes; they are contributions to the bankrupt Ponzi schemes that are Social Security and Medicare)

Close up was a potential giveaway of a (Dude-your-gettin-a) Dell server.

I have no place for toys like that anymore, unfortunately. And if I was going to get a nondescript Dell server, I think I’d like something with an Italic processor.

But they’re loud as hell.

I swear I’ll get many of the notes on other talks up over the next few days. As I said, I really don’t have the energy to do this con stuff anymore.

More is coming

In between talks, I’ve been dealing with thoughts about the Central Bank Digital Currency (CBDC), which has been an ongoing issue of concern on several of the shows I consume.

My initial thought was that regardless of the type of currency you’re issued, it doesn’t matter. You can exchange it for whatever good, currency, or service you want.

But there’s also the issue where they can dictate what you can spend the digital currency on, and take it back retroactively.

If there’s a stipulation that you can only spend the currency at certain places, might that contradict the idea that Federal Reserve Notes are good for all debts public or private. (If you have one nearby, look; it says that right on the bill)

Further, if previously-issued funds can be taken back, were you paid? Would that violate various employment laws? So, you’re making $42/hr., but you went to the capitol on January 6, 2021. Can money be taken from you because you were there? What if the retroactive taking bumps your compensation down to less than the agreed-upon $42/hr.?

Are labor unions okay with this: What if there was a stipulation that you could only spend those coins on things your employer or the state approves of: I mean, you might want to hit every single New York Jets road game in the upcoming season. I don’t know why you’d want to do that, but you should be able to. How about tithing a certain percentage to your church?

Still working through it all…..

I will finish up my Shmoocon write-ups after I get home.

Between Two Ferns

The final talk headed in to the closing.

These, plus discussions I had with friends afterward, kind of left me scratching my head.

A few things.

Bruce repeatedly implored people to try to get women and young people involved in the Infosec industry.

I think there was another instance where I really railed against predetermining outcomes in populations.

This is one of the areas where my frequent consumption of the Ancaps comes in. There’s no way to determine what the future IT labor force should look like.

Even more, it’s a waste of time to try.

Unfortunately, we’ve got this model that’s completely incapable of responding to whatever comes along.

I came from an industry, broadcasting, that’s nearly dead today. How many Boomers ended up in print journalism because they were really enamored with what Woodward and Berstein did with Watergate?

I knew a few of those folks when I was still in radio. They were making a career transition as the print media started dying. Most of them were ending up in sales.

Those lasted until the broadcast industry died, too.

A cynic might say, well, maybe it’s those people. No, I’m not going to go there. They’re good folk. But the audiences have changed, and they don’t have the stranglehold on the consumers the way that they used ot.

Higher education has a similar problem. I’ve talked about it, myself. I’m one of the last folks in Generation X. There weren’t very many of us to begin with, and with everyone worried about AIDS when we were reaching sexual maturity, we didn’t accidentally many babby.

So, those kids we didn’t have are filling up colleges. OK, Boomer, you’ve got tenure, and are planning on charging $100K for a BA in something?

Or how about a crash-course that lets you pass the minesweeper match to get letters after your name?

I also think of friends and acquaintanceship who paid a ton of money to buy a vendor’s certification.

I recall picking up a dated box from my old employer, and having a coworker absolutely amazed that it served as an email host for something like six domains without an expensive Microsoft license.

Uh, it runs FreeBSD, Exim, and Courier IMAP.

So you’re not running Exchange??!?

Uh, no.

I worry that pushing people towards security careers might be akin to pushing them towards careers in print journalism in 1996.

Would establishment higher even be able to produce people who can just pass multiple choice test, people who’ve the ability to adapt to whatever changes arrive on the scene?

I’m even more skeptical about that than I am about the idea that sparking interest in a particular part of an industry will increase the current interest in it, and entrench it for the future.

I was on the air when the millennium flipped with CBS Radio over a phone couplet.

I was ready to stay live if the communications failed when the clock flipped to 2000.

You might think that the experience I had, and the education I was recieving at the time would have me set up for life.

Yeah, about that.

The market will dictate demand. Whether or not that demand is met is not something that can be planned ahead of time.

So, there’s not a ton of young people terribly interested in locking down Windows servers.

Give me a minute to find the fuck I’m not giving. The company that employs me now have moved all that sort of stuff “to the cloud.”

So everyone who paid a ton of money to “obtain those skills” is now unemployable, in a ton of debt.

I got in a pretty passionate conversation for a few minutes, there.

But things are not designed the way they were in 2005. Or 2010. Or 2015.

Security is a part of everything.

The days of a squadron of firemen there to deal with problems introduced by designers not the least bit concerned about security isn’t a problem now, or in the future.

So why are we worried about the kids being interested?

About as interested as my millennial wife was when I showed her how to queue both a 45 and a 33 so they’d start cleanly. Just hit the triangle icon on the app you’re using.


Apologies for the rant. I did enjoy my time at Shmoocon.

I enjoyed being able to support a student’s attendance.

I enjoyed my time alone in the hotel where I could collect some of my thoughts and write.

Since I’m kind of beyond the point where I can really get around comfortably, I may just watch the stream next year, and write.

We’ll see.

Searching Your Jank

First Sunday talk.

Quite a bit of discussion about Russian botnet influence in 2016 election.

I posted something in the Slack channel about her being unhinged at one point.

Nobody has provided any evidence that what the Russian botnets did changed a single vote.

Wired had the best synopsis of what Muller’s indictments included, but even that doesn’t show that anyone was convinced not to vote for Hillary.

The majority of people who voted in the 2016 election voted for someone other than Hillary (including me; no, I didn’t support the President, but I definitely voted against Mrs. Clinton.)

She also had an implicit contention that the rash of stories about evidence of governments being agencies being afflicted with ransomware induced people to not vote.

Wait, what?

The local water department got hacked, so I’m not going to vote.

Lots of skepticism, there.

The third thing was a forceful encouragement to go vote.

While I normally do vote, for most of my life, I’ve gone specifically to vote against a particular candidate (see 2016, where I went to vote against Hillary and Trump).

I’ve also heard Katherine Mangu-Ward make several compelling arguments against voting. She wrote about this back in 2012.

As someone with views that don’t neatly-align with either of the two major parties, I appreciate it more these days.

It leads me to give credence to the Ancaps’ argument that maybe we’d all be better off with less government.

I worry a lot about what’s going to happen to me, personally, if on eof the Medicaid For All (yes, I know they call it Medicare, but it’ll be Medicaid). People like me will just not be treated, aside from palliative care.

Solu-metrol is cheap. So are various oral analgesics. Add in anti-depressants, and all is good. Worry less about the long-term effects; maybe we’ll die sooner, and save money.

Any publicity is good publicity

Next up was this one.

I was thinking about it as I listened to some of the systems engineers go back and forth about application of statistical analysis over my cube wall.

I did do this sort of thing previously.

I know that I’ve avoided some companies that have paid big settlements due to data leaks/breeches.

In so many instances, there’s settlements — you’ll get free credit monitoring for 24 months!

But what does one of these incidents do to a company’s share price?

NOT MUCH.

Completely counter-intuitive, really.

I was wondering afterwards whether there might be some sort of window where there’d be a chance to make money on a short.

As I’ve considered that more, however, I don’t care. There’s no quick way where I could make a buck and feel okay with it.

Last of the night

Watched the panel my Twitter friend moderated.

I had three main takeaways from the talk, two of which are the same thing.

  1. There was a strong contention that information shared with the media prior to the polls closing negatively affected voter turnout, and;
  2. The contention that information problems in other parts of government negatively affected voter turnout.

To reference my fellow CNU alumnus, https://i2.kym-cdn.com/entries/icons/medium/000/001/865/wikipedian_protester.png

I can see how that it might be commonly-thought that this is true, but where is the evidence to substantiate it?

Find me five people who are dissuaded from voting because the water utility’s shit got caught up in ransomware hell. I’ll be waiting.

The idea about media surpression, of course, is a flashback to Florida in 2000, where the media outlets were reporting, before the polls closed in East Alabama, that Gore had won the state.

Except, of course, that doesn’t really fit the narrative, considering how Republican the voters there are. So if the media had said Gore had won, Bush would have won by less?

(I kid about East Alabama. My wife was downloaded in the panhandle, I along the Space Coast. Neither of us would ever willing claim any Florida heritage.)

The third one I took issue with was the never-ending “go vote” mantra.

Listen, for some people It doesn’t matter in the least based on where they live.

I write this from Washington, DC; when’s anything other than a Democrat ever going to win here?

Never.

I will admit that my views on this have been greatly influenced by another DC resident, Katherine Mangu-Ward. Essentially, she said that if government is legitimate because it has the consent of the governed, if you refuse to provide consent by not voting, it isn’t okay for that government to exercise power over you.

So, yeah, I was gesticulating wildly in the back.

Hillary lost. It wasn’t because of the Russians. It wasn’t because of suppression efforts. She lost because she was a horrible candidate.

Nothing can be done that will change that fact, and any attempts made to remedy a problem that doesn’t really exist, will only serve to make elections worse.

Even More Moose than ever

I did blast off earlier about the nonsense I head with the DNS over HTTPS (somewhat appropriately initialized as “DOH.”)

The speaker summed it up pretty well in a Tweet response.

But on to today since we’re on a lunch break.

I’m going to go in reverse order since I have my notes on the last one up and in front of me. First up, since it’s freshest in my mind is this.

I did speak to the speaker following the address. My comments in the Slack channel were met with both bemusement and curiosity.

She got to the point of complete derangement toward the end. My initial question to her was whether the Russian disinformation campaign strategy she outlined actually makes a compelling argument agains “experience” candidates.

Though I didn’t vote for him in 2016, I find President Trump’s path to the White House fascinating.

Yet there’s a school of thought that says that he wouldn’t be there if the Russians hadn’t meddled.

Yes, that’s Sister Rachel The Woke’s line almost every single night on MSNBC.

There’s not a single thing that she, Chuck Todd, or anyone in the tech heads cabal can do to change that.

A magical meeting with Zuckerberg, et. al. won’t make sure the establishment’s anointed candidate is the plurality winner next time, either.

I could go on for hours about this, but what’s the point?

None of these be-all, end-all solutions is going to convince people that writing down passwords is a really bad idea, or that you would never get an email telling you where to change your password.

Immediately before that, I checked in to the hotel, and took a nap. I’m running on fumes. Maybe I should eat something. Or something.

But before check-in and nap, I watched this. Perhaps that influenced my thinking in the later one.

So much of what’s going on is conventional approaches to new problems.

Harkens back to one of Mouse’s presentations a few years ago about the Maginot Line.

Stop doing what you’ve always done, and be reactive in defense based on what the situation presents.

That is all for now. Off to watch more. More writing tonight, I’m sure.

Not doing myself any favors

I came home, and watched the rest of the presentations today.

I wasn’t feeling well. No, I don’t think I’ve got Coronavirus.

But the last firetalk was on this stupid stuff Mozilla’s (and others) have is doing with DNS-over-SSL.

The speaker brought up Cloud Flare as the DNS-over-SSL provider.

So I had to go look at the interview again.

Fuck the Neo-Nazis. But fuck guys like that, too.

Remember (or more Shmoo)

Cats hate people, and would kill them if they were big enough to do so.

Listening to this one, which ended up being more about ยง230 of the Communications Decency Act of 1996.

I’m not sure what to say about it. I get sidetracked by thinking about my idea that every law should expire after a fixed amount of time, and every regulation based on that law should similarly expire in a fixed period of time.

Then we wouldn’t have to worry about a law that’s nearly a quarter-century old in the case of the CDA.

Or care at all about any of the bad things that passed during the Wilson Administration. (See: The Jones Act, which is very bad for Hawaii and Puerto Rico).

Congress wants lots of content on the Intertubes. Well, the right content. You know, not bad stuff like prostitution ads, or kiddie pr0n.

Or Alex Jones; won’t someone think of the frogs??!?

Is there an answer? I’m skeptical, and it’s a lot easier for these 535 people to not work at all than to do anything that might not be permanent and effective.

Does there need to be protection for platforms? Yes. Are there some real problems with platforms? Yes. Have there been some instances where platforms are really overreacting due to both political and corporate pressure?

Absolutely.

The next one was this. As someone who’s not a professional code-slinger, I was having a bit of trouble following completely, and staying interested.

The commentary accompanying the livestream was fascinating.

I participated.

It is really incredible what people are doing with client-side code.

*slips on a-hole Sekurity Mastar pants*

You can fix a lot of that stuff with centralized management.

DoD, something which I am all too familiar, has managed to render nearly COTS browser basically unusable.

I’m actually okay with this.

And the next one. Very good talk, but I’m not sure I understand enough about where the “spam” calls are coming from to know whether this would actually be an effective solution.

It would seem to me that having a client/gateway setup would be nearly as effective. You could authenticate the device using something like a hardware token, then do the traffic over L2TP.

I understand there’s overhead there.

I also know that pure SIP voice traffic consumes very little bandwidth. Hell, I was doing GSM calls over a 9600bps INMARSAT connection nearly fifteen years ago.

Yes, the quality sucked.

But that was true of lots of things in 2006.

What this protocol does is encrypt the data channel, so very much like what would happen over L2TP.

Six of one, half-dozen of the other, I suppose.

Not going to write about the Firetalks. Just listen.

And the last one about robots storing data. Pepper and Mao isn’t a dish at your favorite Chinese joint.

Questions about privacy policy application; the robots are owned by someone else, and the data is sent offsite.

And you wonder why I don’t have an Alexa. Or why Siri is disabled on my Apple devices.

Her main point is she has concerns.

Maybe I’ll be feeling well enough to sit through things in person tomorrow.

I’m done for now. Hopefully I’ll be feeling well enough to venture in to the District for tomorrow’s talks.