Tod Beardsley:
Amazing not guaranteed.
Jen Ellis:
But I don't know. You deliver pretty well from your garage where you're currently hanging out-
Tod Beardsley:
Listen, in America, we call them car holes.
Jen Ellis:
Yes, sorry. Your car hole. Delightful. So this is what? Is this our second or third COVID installment?
Tod Beardsley:
I believe it's our third.
Jen Ellis:
That sounds bad. It sounds like we're delivering an injection of COVID. No. All right. That means that I'm in an attic and you're in a car hole. Awesome. All right, so I'm excited this week we have John Strand joining us. Who is the CEO, boss man, head honcho at Black Hills Consulting. Hey John, how you doing?
John Strand:
Doing really well. It's not Black Hills Consulting. I think Black Hills Consulting sells furniture. I'm not sure. But that's a completely different John Strand, which is not to be confused with male model John Strand. If you do a Google image search for me, I am not the male model that comes up.
Jen Ellis:
Now googling, please hold.
John Strand:
Oh yeah, it'll take a couple of seconds. It'll take a couple of seconds and you'll see.
Jen Ellis:
Wow. I mean, just the abs, they look painted on.
John Strand:
They're amazing. They're fantastic. You know what sucks is whenever I teach classes for Black Hills Information Security or when I used to teach for SANS, I'd have students come up to me and be like, "Dude, you really let yourself go."
Jen Ellis:
What you should do is get like a full-sized poster board just of his chest and just wear it on you.
John Strand:
I don't need that. My wife has that for me.
Jen Ellis:
I love that. Okay, so let me undo this because at the beginning-
John Strand:
No, no, no, no, no. Keep going. This is awesome. Black Hills Information Security. Yeah. Black Hills Information Security. That's okay. Just keep it. This is all great. This is what people like. They don't like polish. They like this. This is real world. This is great.
Jen Ellis:
No one who listens to this podcast likes polish.
John Strand:
This is New York punk rock, 1979. Go with it.
Jen Ellis:
What kind of furniture could we buy from Black Hills Consulting? Just out of curiosity?
John Strand:
I have no idea. It's like sales consulting. I don't know.
Jen Ellis:
Sorry about that. But you, you are in South Dakota, which is a state that I know nothing about and I was excited to ask you about. And then you told me that you live near Deadwood and I got really excited and I was a little bit overwhelmed. And then you told me a fun fact about Deadwood. Tell me again what your fun fact is.
John Strand:
So we were talking about Deadwood the TV series, right? And it's been very hard for me when people talk about Deadwood and I ask about the episodes and things like that and I ask if certain things that happened in Deadwood show up on the show. And I guess Seth Bullock is on the show and there was this thing where Wyatt Earp showed up on the show too. But what didn't make it on the show, at least from what I've heard, is Wyatt Earp and his brother were going to start a firewood company. They were going to deliver firewood, which was a thing. But Wyatt Earp is eyeing on becoming the sheriff of Deadwood, and Seth Bullock already was. So Seth Bullock called him out in the street, kicked his ass up and down the street and then Wyatt Earp left. And Wyatt Earp then went to Tombstone, Arizona, and that's where we had Tombstone. So that's a little bit of background on how that whole entire thing went out. But I hear that the swearing on Deadwood is a little bit more reduced than it's not quite historically accurate.
Jen Ellis:
I really hope that's true, particularly the Al Swearengen character who swears so much he has it in his name.
John Strand:
If you ever come out here, you'll find out that that's actually real. We do talk like that. That's actually locals. We swear like sailors.
Jen Ellis:
Well, I love this story. I'm super happy that you could enlighten me and share this story with us. And did you say that your office is in some way called Spearfish?
John Strand:
Yeah, that's also not a joke. So my office is in Spearfish, South Dakota. We bought a flower shop, which is weird. We wanted to buy a building and we were going around trying to find a building and we found this flower shop for something like $150,000. And it's this building that's a hundred years old this year. And I'm upstairs in that building right now. It's like 3,000 square feet, but it's old and decrepit. And the flower shop people, it was called Cora's Creations and they kept on trying to get us to buy the flower business, too. I'm like, "I'm not interested in the flowers, I'm not interested in the flower business." And they're like, "No, no. But it's a good business and you can buy the business from us as well." I'm like, "I'm not interested."
John Strand:
But still to this day we have people come in and they're looking for roses and things like that and they're confused. Like hella confused when they walk in and there's like all this computer stuff all over the place. And they're like, "Do you have roses?" I'm like, "No. We're out of roses."
Jen Ellis:
But we have some guys in black hoodies, would that interest you?
John Strand:
We got black hoodie people. Is this a cult? Yes.
Tod Beardsley:
You can sell them artful GPU arrangements.
John Strand:
Yeah, exactly. All of our GPUs that are fried from doing password cracking for two years.
Jen Ellis:
I like that. I like the idea of like sort of a bespoke GPU arrangement. Just show the special someone that you care.
John Strand:
Yeah. We have to do some like artsy crap on the walls because I guess our walls are boring. So yeah, I'll just have roasted GPU remains on the wall in their arty format.
Tod Beardsley:
Very industrial.
John Strand:
Mm-hmm (affirmative).
Jen Ellis:
So I'm assuming, guessing perhaps would be better, but you didn't want to come on just to share with us fun facts about Deadwood.
John Strand:
I am here because Tod invited me and I actually felt bad because Tod has this really grand idea of all these pen testing companies sharing data with each other and trying to get a really good visibility on what attacks look like. And I'm all on board but I'm really busy and the world is ending right now. So I feel guilty. So this is me doing penance to Tod.
Jen Ellis:
Oh my god, I like this. We could get a lot of people on just by leveraging a little bit of blackmail. I think this could work out-
John Strand:
Guilt trip, the Tod guilt trip. Get them on. Yeah.
Jen Ellis:
I mean, it's pretty much why I come on as well.
Tod Beardsley:
So you guys do a bunch of pen testing and without delving into forward looking statements or whatever you have to do with investors if you have any, how's it going? I figure remotes are still okay. Right? So-
John Strand:
Yeah. Remotes, well, almost all of our work was remote. We didn't like going onsite. When I was working at Accenture and Andersen Consulting years ago, Andersen Consulting was like, "Everything's got to be onsite," and Accenture's like the same thing. So because of the whole Enron debacle, they had to change their name. But I hated that. I absolutely hated traveling and I really wasn't doing my best work when I traveled. So when we started BHIS, we did our best to make sure that we didn't travel, which is weird because all my employees are like, "That's great. I can stay with my family, I don't have to get on an airplane. It's awesome."
John Strand:
And then they start working from home. And it's usually about three months later they call me up and they're like, "Hey, do you have any remote gigs? I need to go. I need to get out of here. Is there someplace you could send me? But it has to look like I'm fighting with you. So my wife thinks it's okay or my husband or my significant other thinks it's okay." But periodically our testers are like, "Please for the love of god, send me to New York." And we can make that happen pretty easy.
Tod Beardsley:
So then you've been ahead of the curve then basically. Are you one of those irritating people on the internet who say like, "Oh, I've been working at home for years. It's this super cool, I love this thing."
John Strand:
I don't. I usually say that working from home is horrific if you don't know what you're doing. Because I remember when I first started working from home, this is like 10 years ago, back before it was cool. So I was working from home and I remember my wife was like, "Here's all the things that you can do. You can mow the lawn, you can do this, you can do this, you can do this." And of course, I didn't have time to do that, right? And she's like, "But you were home all day." I'm like, "But I was working." I think that it takes a while for people to get into a rhythm with their family members to let them know that it's kind of a job.
John Strand:
And this is kind of funny, we actually... where I was living, I had an attic, that's where my office was. It was up on the third floor of the house. And my wife would come up periodically. And I was working a forensics engagement. And the forensics engagement was a city employee that was surfing a tremendous amount of really crappy porn at work. And it was crappy porn because they had like Websense back in the day before it was Forcepoint. And he was going to the Wikipedia and doing a Wiki search for various anatomy parts.
Tod Beardsley:
Cool.
John Strand:
Like he's 13, right? And you know you've hit rock bottom, if you're going to Wikipedia for your porn. And so he did all of this-
Jen Ellis:
Maybe he was just curious.
John Strand:
He was truly curious a lot throughout the day. A lot of research in that Wiki studying his MCAT or whatever. But my wife comes upstairs and I have this big screen and there's porn all over the screen, right? It's just tons of porn all over. And she walks in and she's got this cup of soup, she sees the porn and she's like, "You're working, huh?" And I'm like, "Yeah, yeah, yeah. Working on this case. I'm trying to censor these pictures for the report because the customer doesn't want to have porn in the report, like you can understand."
John Strand:
And she brings up the cup of soup and she sets it on the table and she's like, "Well, when you're ready to come on down, we've got the rest of dinner. And I'm going to lock the doors so the kids don't come up here." I'm like, "That's cool." And I realized that I was pushed through the working at home barrier where now my wife won't hit on me and if there's porn on both my screens, she assumes I'm working and it's no big deal and she keeps the kids away from what I'm doing.
Jen Ellis:
Amazing. So yeah. So the remote thing, you guys have really kind of embraced it and you've even gone as far as doing some events through the internet, this thing that I've heard of.
John Strand:
Yeah. The thing that works sometimes now that we've all broken. So we were running Wild West Hacking Fest, or we call it Way West Hacking Fest, in San Diego. We run two cons. Wild West Hacking Fest in Deadwood, South Dakota, we have about a thousand people fly out to Deadwood for a hacking convention, which just blows the minds of the locals. They have no idea what's going on. But they're always like, "These people don't gamble." I'm like, "It's because they don't suck at math." "Then why are they constantly popping up calculators on their screen?" So San Diego was happening and the world's going to hell. I go to RSA and I present there and then I go to BSides San Diego and I get home and we decide that we're going to move our whole conference in three days, virtual.
John Strand:
Which is great because our content and community director, Jason Blanchard, was on a cruise when I made that decision, which was just so many bad choices. And we managed to lift the entire conference, virtual, all the presenters, the training except SANS, they pulled their training out. And we basically pulled the whole thing and we put it all together. And the conference went off without a hitch and then we started helping other conferences make the lift, too. Because it's not easy. It's not easy to do it all, but it was great. We had Discord channels, multiple rooms. We had lobby cons and it couldn't have gone much better, considering the circumstances.
Jen Ellis:
Wow. That's astonishing, actually. How do you make a lobby con work virtually?
John Strand:
You do it in Discord. So we found out in Discord we can... if you don't know what Discord is, it's like Slack. If you don't know what Slack is, it's like IRC and that should help people out.
Tod Beardsley:
Right.
Jen Ellis:
If you don't know what IRC is, you shouldn't be on the internet.
John Strand:
Welcome to computers. So we can set up different rooms in Discord for the actual track talks while people are talking. We had breakout rooms, now we're going to set those up for the vendors. And then we had a lobby con where people just talked about whatever struck their fancy and there was lots of pictures of cats and it worked out well.
Tod Beardsley:
I'll say like, so I went to PancakesCon that fateful Sunday morning. And the thing that struck me was the, honestly, the competence of the moderators. That seemed like that was the key is... and it felt like people had done this before, so like it was... from a consumer point of view, a good job for PancakesCon. I know you guys helped out with that quite a bit to the point where like all the email was originating from you somehow.
John Strand:
Yeah. That's because they used our platform. That was by accident. They ran on top of our platform. So we currently have like four or five GoToWebinar and GoToMeeting licenses because we hate money. And we just set those things up. And so anything that comes from them came from me and we're trying to fix that so it's more generic in the future. But you talk about doing it. We do webcasts every single week. And for BHIS like the free training webcasts that we do, we get anywhere between 1,500 to over 2,000 people registered. And then live, we get around 1,000 people to about 1,500. So we were very, very, very familiar with dealing with scale. And then we've also been doing some free training for like network threat hunting and things like that using open source and free tools and that's been popping at over 6,500 people.
John Strand:
So we have a really good solid experience-base with running virtual conferences and doing this at scale. And it's funny with Zoom, everyone's using Zoom and we're like, "Oh God, please don't use Zoom." But everyone loves Zoom because you can change your background and it looks cute. And now you're seeing this week, like vulnerabilities coming out for Zoom because every hacker in the world is using Zoom all the time. So we've kind of come on the platform of, we're using GoToWebinar. It's not 100% beautiful at the time, but it just is rock-solid for what we're doing and we're happy to share it with any con that wants to move virtual.
Jen Ellis:
I'm so impressed by that. I really am. So just going back to the first one that you did, you said you did that in like some staggeringly short amount of time. What was the amount of time between you and how did you do it?
John Strand:
Three days. Three to four days, yeah.
Jen Ellis:
Okay. That's what I thought you said. But I was like, "No. It's got to have been weeks."
John Strand:
No. No.
Jen Ellis:
That's insane. Bravo.
Tod Beardsley:
Well, but it's one of those things, right? Like it's three days and also at least a couple of years of having done a lot of similar things, right? So-
Jen Ellis:
Right. Right. It's amazing. It's a huge accomplishment I think honestly. A huge organizational accomplishment.
Tod Beardsley:
It was shocking. I was watching it unfold on Twitter. I was like, "Oh, they're actually doing it. Oh, it sounds like it's super rad. Oh, I'm going to totally go to PancakesCon because this one seemed to work out so well."
Jen Ellis:
This is a very important question, did you make pancakes to attend PancakesCon?
John Strand:
I did. I made pancakes that morning, but the pancakes were consumed by the time I got to White Russians. I cleaned off the table and then I set up the cameras to record White Russians. And it was funny because while we were eating pancakes, I'm setting up the camera on the table and everybody's kind of sitting around pulling out the whiskey and the vodka and setting it down and lining it up and kind of doing that whole thing. And it's just so bizarre because in my household, nobody blinked, no one asked any questions. I was like, "Hey, you kids got to go away today." And they're like, "Okay. Well, we'll go take care of the pigs and the cows and things like that." I'm, "All right." And that's normal in my house. Dad's got cameras in the kitchen again, so...
Tod Beardsley:
I also had pancakes for PancakesCon. I did not make them, my lovely wife made them, but since she's an attorney they were $600.
John Strand:
Oh my god.
Tod Beardsley:
$600 an hour pancakes.
Jen Ellis:
Right, right, right. And you can't actually discuss the money further than you already have.
Tod Beardsley:
I'm already dangerously close to the NDA, yeah.
Jen Ellis:
Awesome. Now I feel like I really want pancakes, frankly. I wonder if I can persuade the people I'm staying with. But like for less money hopefully than you.
John Strand:
Yeah those are expensive pancakes, man.
Jen Ellis:
Right. They better have been good. So you're basically saying, "Hey we will do this for anybody that wants to take their conference virtual." And have you got other ones-
John Strand:
Yeah we did. So anybody that wants to take... We've taken Kernelcon virtual. They went earlier this week.
Jen Ellis:
Is that KFC's conference?
John Strand:
I like that. It's Nebraskans and they just crushed it. They used Zoom but we kind of walked them through setting up the Discord channel and doing that. And I can't remember what some of the other ones that we have set up. There's a DerpCon that's coming out of Denver. They want to go virtual so we're going to help them out. And then there was another BSides one in Florida and then another one up in Canada. So if you just want to get on the phone with us, shoot me an email and I'll get you in contact with Jason because he does all the work anyway. And it's my expendable labor so it's like, "Hey Jason, do this." And he's like, "Okay, that's great." But-
Tod Beardsley:
And by the way, I would be remiss if I didn't mention Lesley Carhart is the motive force behind PancakesCon.
John Strand:
Oh yeah, no question. Well, when you think about it, BHIS we have Jason, we have Deb and we have Velda. And then we also had a whole bunch of people in system support from like D-Rock, Rick Wisser, one of our pen testers. Joffe was willing to help. So we had the support group of people that had done this before. And Lesley, just to be full disclosure, like setting up the schedule, including all the organization and all of that logistics stuff. She did it all by herself like in a week. So amazing, amazing amount of work that she did. And she had great support and great people were helping her. But I know what she went through and it was a lot. That's a lot of work.
Jen Ellis:
For people who don't know Lesley, so her Twitter handle is @hacks4pancakes, conveniently enough. And it's definitely worth taking a look at her Twitter profile and saying hi.
Tod Beardsley:
Worth a follow!
Jen Ellis:
Yes, absolutely. And so you had mentioned people who want to chat with, you can reach out, what is your web address or how do you want to do that? How do you want people to reach-
John Strand:
Go to blackhillsinfosec.com and just contact us and it's all going to get routed to Jason and Deb-
Jen Ellis:
Not Black Hills Consulting. Do not go to Black Hills Consulting.
John Strand:
Not Black Hills Consulting. I think that's furniture and sales consulting.
Jen Ellis:
Not them. All right, so what did you learn along the way? I'm assuming it wasn't all smooth sailing, that there were probably some like, "Oopsies" at some point or some like, "Why the... what?" Moments.
John Strand:
I think, No. 1, I shouldn't have let Jason go on a cruise in the middle of a conference. That would've been really helpful.
Tod Beardsley:
It's just a bad idea regardless of whatever pandemic is happening. I mean, I don't understand why people are into like the stomach virus Petri dish.
John Strand:
Not even a pandemic. I mean, it's like every other week, they're like, "Oh, these people in this cruise it tipped over or this cruise they have Ebola and they're off the coast of Louisiana weighing their options." But anyway, that would be one thing.
John Strand:
But there were some other things about the layout of the Discord channels that would be very cool. There's also some things that we're trying to work out, especially in relation to vendors, right? Vendors are the lifeblood of conferences. A lot of people don't know this, but most vendors don't make their money to actually make the conference happen on ticket sales. They make it specifically off of vendors.
Tod Beardsley:
Like the sponsorships, right?
John Strand:
They do, right? And the vendors get treated like garbage at so many conferences. And I don't care what your opinions are of vendors at conferences and things like that. The mere fact that they're there shows that they're supporting that event and we should thank them, right? So trying to figure out how to do that virtually is going to be a problem moving forward.
Jen Ellis:
I appreciate you bringing that up since we work for a vendor. And I will say from the point of view of somebody who has pursued getting marketing dollars to support small local events, if you're doing a small local event, the chances are that you are not putting money into a conference because you think it's going to get you lots and lots of sales leads, right? Like it's not like a cold cynical thing that you're doing. There is at least some element there about wanting to support the community that you're in. And so when that community then behaves in a toxic way as if like you're somehow evil by your presence, it is a little jarring, I will say.
John Strand:
There are absolutely vendors that look at it that way without question, right? I remember I was talking with a vendor, this was over dinner, and she was talking about how all of her success at a conference was purely based on the number of emails that she collected. And she was talking about how stressful that was. And my recommendation was, get a job at a different vendor. That's not the way that you should be looking at things. But there are a lot of vendors that look at things in purely those terms. And I'm still happy that they're supporting the event, but whenever we talk with people and they're like, "Exactly how many names am I going to get? Do I get a lead guarantee?" It's like, "No. I can't give that to you." But most of the... actually all of our vendors are great. We love working with them. They're great to work with. And then the big thing that I like working with vendors is who's actually contributing to the community in a meaningful way.
John Strand:
People will be like, "Well, of course he's on Rapid7." But honestly, let's back up for a second. How many vendors actually contribute in the form of open source and webcasts and articles and in data at the level of like a Rapid7 type firm? And that's true. That's why I like showing up on some of these things. So I think that people need to recognize that and give some vendors some love. Because I think, once again, they're kind of the fuel that drives a lot of these conferences, and we do need them. And to be honest, we do need products, so it's a great opportunity for people to mix. And I hope it isn't shut down for like the next year because that's going to be a problem.
Jen Ellis:
I will say as well, before I ended up in security, I worked in a lot of different tech fields, B2B tech fields. And security has more conferences and meetups than any other tech sector, B2B tech sector I've worked in, by like a factor of like several thousand. It's sort of astonishing actually, which is actually nice. It's a lovely thing that the community wants to get together so much and to participate and engage and to teach each other. I think it is a really lovely great thing and it's part of what makes it a community. But when you're talking about vendors having a presence at these things you need to understand as an event organizer, the amount of sheer competition you have in getting dollars out of people or getting their participation or their engagement, there are just a lot. We reckon there's probably about 3,000 security conferences in North America that ask for our money every year. So that's a lot.
John Strand:
And it is a tremendous amount. And I think... we've realized, and this is just for BHIS, that whenever it comes to conferences, when you're talking about quality of conferences, and this is a horrible thing to say, but the value that I get as an attendee or as a vendor at places like Black Hat and RSA isn't nearly what you would think it would be. We tend to do much better at like the smaller BSides events. We do better at like our conferences and small conferences, DerbyCon when it was actually happening. And I just think that there's a lot more value for attendees in those because you're not so overwhelmed. It's like DEF CON this year. It was spread across 95 hotels in Vegas and it was impossible to see absolutely everything. It was like this overwhelming rat's nest, which is cool in its own way, but I don't feel like I was able to make that many connections with people. It was just basically running from event to event to event.
Jen Ellis:
And you're constantly competing for air time against 5,000 other shiny noisy distractions. I tend to agree with you. I will take a Schmoo over a DEF CON any day of the week. Although I do love the villages of DEF CON very, very much.
Tod Beardsley:
Yeah. I will come out on team DEF CON here. DEF CON is kind of a class of its own. As we're talking about this, I just keep thinking like, well there is a difference between a trade show and a conference/meetup thing, right? And DEF CON is its own kind of thing, right?
Jen Ellis:
Maybe Black Hat would be a fairer comparison.
Tod Beardsley:
Yeah. Black Hat is a trade show at this point. And it kind of always has been.
Jen Ellis:
Yeah. No, absolutely. Yeah, yeah, yeah.
John Strand:
And it's like, honestly, we try to set up Wild West Hacking Fest so it is a little bit overwhelming. Like when you show up, you have the talks, you have the workshops, you have the training, you have all of the different labs that are set up. We want people to say that there's no way they could've hit absolutely everything within that year and that's great. And that's one of the things I think that DEF CON is doing that I think helps, is they're breaking it up into these villages, right? So like you have the embedded device hacking village, you have the social engineering village, you have the hardware hacking village. And what's beautiful about those, because we're sponsors for the hardware hacking village, we go in there... actually we were right next to you guys last year. And it was really, really cool because the people that were there in that room, they wanted to learn that specific skill and it had that type of really nice tight-knit feel in that.
John Strand:
And that was awesome. But then I went to Whose Slide Is It Anyway with Danny and that was madness. Like thousands of people. There was a guy that was wearing a horse head that was serving up liquor. It was so bizarre. But I think that that's kind of that alternation that you get at DEF CON that you just don't get anywhere else. And thank god it's only one time a year.
Jen Ellis:
Right. Because then you can spend the rest of the year trying to guard yourself for the next one.
John Strand:
Mentally, I'm already trying to prepare myself, right? It's coming. It's coming. Brace yourselves.
Jen Ellis:
So do you think that it will be on the year or do you think that we will be still dealing with fallout from-
Tod Beardsley:
DEF CON is always canceled.
John Strand:
I was going to say, I just saw the email today that DEF CON was canceled.
Jen Ellis:
I've definitely heard that that's the... what I really relish as an idea is that they will legitimately cancel it and people won't believe it's canceled because-
Tod Beardsley:
No one will believe.
Jen Ellis:
And so everyone will turn up.
Tod Beardsley:
So I live in Austin and we had to cancel South by Southwest this year. And at the time this was in the before times, right? This was back in like March 2nd or-
John Strand:
The before times.
Tod Beardsley:
And it happened and I'm like, "Oh my God, this is a disaster because you're going to cancel South by, you're going to have no infrastructure, you're going to have nothing and you're still going to have like a zillion people show up and clog up my city and be dumb." That didn't happen. So we closed off South by and pretty much no one showed up so...
Jen Ellis:
I mean, by the time you closed off South by it was early doors but it was still late enough that a lot of the airlines were saying, "We will refund flights and that kind of stuff." A lot of a lot of hotels saying they would honor it, that kind of thing.
Tod Beardsley:
Now. Well, and there are years of lawsuits to be coming on who's on the hook for the convention center? That was a whole thing here in Austin. But at any rate, if DEF CON actually does get canceled, I do expect a cadre of die-hards and kind of dumbasses to show up. And-
John Strand:
I don't think it's going to get canceled. I think by August, I think that a lot of the restrictions will be up, but I think that there's going to be a huge hit to Black Hat and DEF CON. And I'm being optimistic, right?
Tod Beardsley:
It's hard to plan for it today. And we're already in April.
John Strand:
So are we ever going to go back to that at the level that we've seen or am I going to sit around and tell stories to my grandchildren? It's like, "We used to have conferences that had 46,000 people in the same room." And our kids will look at us and be like, grandkids will look at us and be like, "You did what?"
Tod Beardsley:
Their eyes will go wide over their permanent masks that they wear.
John Strand:
But do we ever get to go back to that? And I have this intense fear that that is gone.
Tod Beardsley:
I'm hopeful that it'll be a slow pickup.
John Strand:
I'm hopeful too that we can get back to it.
Jen Ellis:
I don't think it's gone permanently but I think it'll take a while.
Tod Beardsley:
It'll take a while.
John Strand:
I hope so. I hope it does come back because as insane as these things are and as I get older and the DEF CON parties are more and more insane and I'm in bed by like 8:00, 9:00 anytime I go to Vegas. That is a huge part of where I came from and it's a huge part of who we are. And I wish and I hope that that is continuing to be available for the younger and newer generation in security coming up because it's going to be really sad if that becomes extinct.
Tod Beardsley:
Yeah. I mean, and DEF CON is a young man's game and young person's game.
Jen Ellis:
Vegas.
Tod Beardsley:
Vegas is a young person's game. But honestly, one of the best parts of DEF CON, at least for me over the last couple of years is the streaming talks reliably in your room across hotels. When it worked, there was a lot of promises and it didn't really work out so well, but then it got good, right? So I feel like DEF CON is already on that track of virtual so it wouldn't be too too bad.
Jen Ellis:
I don't know. Because I think that there's a difference between when you want to consume content versus when you want to get hands on with things versus when you want to just engage in an informal setting. And I think-
Tod Beardsley:
And that's the other side, right? That's the villages.
Jen Ellis:
And John, when you talk about the way that you've been creating your virtual conferences, obviously you've really thought about how you leverage Discord and you make it so that you can create that lobby con effect. But humans ultimately, I don't think we're going to lose that quality where we like to gather. I think that's so ingrained in us as a species that virtual will only get us so far on that in the long run.
John Strand:
I agree. I hope, I hope. I hope. I really do.
Tod Beardsley:
Look, I am a big fan of cities. I think cities are one of the greatest inventions of all time. They're 10,000 years going strong.
Jen Ellis:
Do you have a bumper sticker that says that?
Tod Beardsley:
I do, yeah. I'm a big fan of the Holocene era where we built cities. If this may be the thing, right? That switches over. That's very somewhat pessimistic. But it has implications for real estate. It has implications for just like how people live their lives when it turns out... if virtual turns out awesome, and by the way, where are you Oculus Rift on this? Why are we not VRing everything already? But anyway, I think there is a small chance that this kind of shift can be somewhat permanent. We all got webcams, we've got little computers in our pockets. I'm with you. There is something very fundamental to the human experience of getting together in the same space-
Jen Ellis:
You put that so much more elegantly than I did.
Tod Beardsley:
But over the next year-ish or so we're going to be training on how to not do that. So...
John Strand:
Well, and that's also... let's tie this back to security, right? I've talked to a number of security firms. BHIS has been doing pretty well. We talked about it in pre-show banter in the pre-pre show two days ago. But we've been doing okay, right? And there's going to be a cliff. I think the sales are going to fall off whenever the horror starts settling in over the next few weeks, right? But whenever you talk about this fundamental shift, anytime that there's a dramatic shift in technology, security explodes, right? So whenever we did dramatic shifts and we started developing Active Directory and things like that, security was really far behind the curve. If you go back to like '99 timeframe, maybe we could even go back to the TCSEC Orange Book series, but let's not. And there's these growths, right?
John Strand:
Worms, whenever you're talking about like 2003, MS03-026, and you start moving up to MS08-067 and Conficker. Now, we just got through this cloud shift, which was huge, and security still hasn't caught up with that, like we just haven't. And now we're in the midst of a massive shift that we can't even define cleanly, and security is going to be at the forefront on that. So I think that people in security are in a great field for stability of jobs, because there is going to be job scarcity. There's going to be problems, right? From the economic perspective. But ultimately security is a good place to be. Because as everything's changing, as everything new starts exploding, they're going to need us now more than they ever did before. And we were already understaffed before this began.
Jen Ellis:
I agree. And I think that is a lovely note to end on. A nice positive message to the security people while also talking about the gloom of our future, our dystopian future. Awesome. John, thank you so much for joining us. This is a really interesting talk. And I love what you guys have done with the virtual conferences and your offer to help the community is very inspiring. Thank you. Thank you for-
Tod Beardsley:
And hopefully we don't have to do them forever.
Jen Ellis:
Right. But if you're all looking to do one, then check out Black Hills Information Security and check out the website and feel free to reach out to John. He made the offer. You heard it here. It's official. And they will help you figure it out, hopefully. All right. Thanks very much.
Jen Ellis:
Thanks again to our guest John Strand, who is obviously doing great work in helping people continue to socialize, but from a safe and self-distanced place. So Tod, it's time for the Rapid Rundown and the last I checked, we're still in the middle of a global pandemic, so that's awesome. Probably don't need to talk about that too much, but one thing I do want to talk about is, you wrote this really awesome blog on Zoom and all the security issues that's been banging on about. So I'd really like to hear your take on that.
Tod Beardsley:
Yeah. Zoom, it is apparently everyone's favorite punching bag. Zoom had some security issues, but on the whole, they are pretty minor. But you wouldn't know that by looking at all the breathless reporting, not just from security tech people who are usually breathless about this kind of thing, but I would say the volume got so pitched that mainstream media started picking it up. I heard a story about Zoom on On the Media, which is one of my favorite podcasts. They're great, but... Everybody I know has a big but, and this one does too. It was all about Zoom... What was the story on On the Media? It was one of them. There were five of them over the last week, right, which was crazy. There was the one about leaking data to Facebook. Ah, that was the one, actually, that got coverage on On the Media. There was one about them not doing end-to-end encryption, which is accurate, and we can talk about that in a bit. There was one about them leaking Windows passwords, one about them hijacking the macOS system interface.
Jen Ellis:
My favorite was how they're in collusion with China. I was like, "I'm sorry, what now? Do you have an iPhone? Also manufactured in China."
Tod Beardsley:
Yeah. That was published, I think, on Friday morning, this last Friday, April 3 or something. Yeah. So all of these, they sound scary. When you say them all in a row even like that, it sounds super scary. I am here to tell you, Zoom is okay for you unless you fall into one of these categories: One, you are discussing top-secret stuff, literally top-secret clearance things, that spies want to get ahold of. Don't use Zoom for that. Two, you are discussing intellectual property that Beijing proper wants to steal from you. You're an aeronautics company and you've got some cool anti-grav tech that you don't want the Chinese government to have, don't use Zoom for that. Or three, you are planning a criminal conspiracy to execute against a fairly high-profile target, don't use Zoom for that. Those are basically your three categories of people who shouldn't be using Zoom. So if you're planning on stealing high-tech anti-gravity while being a spy at the CIA, then don't use Zoom for this. That is a bad idea.
Jen Ellis:
Words to live by, frankly.
Tod Beardsley:
Yeah, that's the thing. And don't get me... I like talking about crypto. I'll talk about crypto all day long. Crypto as in cryptography, not as in cryptocurrency, though I'll talk about that, too. The cryptography in Zoom is not great. It's imperfect, but it's good enough for most people. There is a particular mode of cryptography that is being used in Zoom called ECB. It's electronic code book. It is super bad for things like video and pictures, but I haven't seen anyone actually... Right?
Jen Ellis:
I mean, that does seem to be quite a big part of Zoom.
Tod Beardsley:
ECB is good for very short text or binary messages, things that are super short, like a paragraph, like a tweet. It would be great for encrypting a tweet, but it's not good for streaming video. But I haven't seen any proof of concept about it. So I would think that if it's like, "Oh, it's so stupid and lame, and you should never use it on pictures." Where's the proof of concept? I don't see it. There are lots of people who really wanted to kick Zoom, and I would expect to see that, right, especially this last week. If it doesn't show up this week, I'm thinking the HBS wrapping... Also, they have some other weird crypto wrap around Zoom. It's probably good enough, if you can't extract that without key material, which is what Citizen Lab did. Citizen Lab was able to extract images, but they also had the key, so okay. I mean, weird flex. It was great. Good research. Good packet tear-down and everything, but-
Jen Ellis:
They have very, very small people doing lots of great things, but they also mainly are concerned with people who actually might fit into one of your categories, right? People who are activists in oppressed regimes and so have a very different risk model.
Tod Beardsley:
Yeah. Crime may include whistleblowing.
Jen Ellis:
Right, right, right. Right.
Tod Beardsley:
If you're hanging out in a place that is known to listen in on your telecommunications, then Zoom... And you're interesting enough. I can't stress that enough, because Zoom has 200 million unique users a day now, and if you're in... It still takes time to do that kind of intelligence and counter-intelligence work, so... Boy, even if you are committing crime over Zoom, probably no one's going to notice.
Jen Ellis:
This is not an endorsement. So, yeah. I guess, by the same token, that everyone loves an underdog, apparently people really want to gun for you if you're not the underdog, and are in fact a $35 billion company, or whatever it is.
Tod Beardsley:
They are. I assume they're still a $35 billion... I don't know. Their stock price moves around quite a bit.
Jen Ellis:
Don't they all at the moment? But yeah, so it does seem like people are gunning for them a little unfairly. That said, I do think it should be pointed out... You talked about the encryption thing. My understanding from reading your blog, which is great, and I cannot say this enough, check out Tod's blog, it's really good, but my understanding from reading that is that there are not a whole lot of video conferencing solutions that are necessarily doing that much better on the encryption thing, actually providing end-to-end, for example, which is part of the contentious piece.
Tod Beardsley:
Yeah, the only one that comes close is Apple's FaceTime. FaceTime, if you tick the boxes does do... or no, wait, it's probably default by now. FaceTime does do end-to-end encryption, which means only the participants of the FaceTime call can see the content. Apple doesn't get to see it. But that's the thing, it's Apple only, so it does not have the cross platformness of Zoom. It certainly doesn't have the scalability of Zoom. With FaceTime you only get, I think, 32 other participants, which is usually enough, right, if you want to talk to grandma or whatever, like that's great. And probably easier, too, if everyone-
Jen Ellis:
And her friend.
Tod Beardsley:
... has Apple. Yeah, grandma and her friend. If everyone has Apple, it's wonderful and it's free and it's great, but if you're using... Basically, if you're using any other technology, like a real laptop or a non-MacBook laptop or an Android phone or a Chromebook, anything like that, you are back into, let's say, Google Hangouts land, which does not support end-to-end encryption, or you're using Jitsi, which does not support end-to-end encryption. Curiously, they are very defensive about that, too. I don't know why. They're an open source project. People ask on their bug queue, it's like, "Do you support E2E?" And they're like, "Sort of," but that's not really an answer. So this whole issue of-
Jen Ellis:
Yeah, you're like, "This is a yes or no answer. It's final, it's not a..." Right.
Tod Beardsley:
Yeah, if you support E2E, you are screaming it from the rooftops, because it is hard, which is why Signal, for example, uses E2E for text, and they are very much in your face about that. Zoom's text messaging is E2E. If you're going to pass secrets, it would be, actually, a cool thing. It'd be like you have your fake Zoom call where you're discussing boring stuff but planning your crime on the E2E texts. Again, not condoning planning crimes, but you could do that. Or you could have... How about a less evil implementation? You could be having a boring conversation with your priest about basketball while confessing sins in the text chat, and no one will hear it but your priest.
Jen Ellis:
That is certainly how I use Zoom, yes. But then the flip side is, the thing that they did that basically invited a lot of the scorn on themselves is that they used misrepresentative language. They basically indicated... They used the term E2E, even though that's a pretty well-expected term, right?
Tod Beardsley:
Yeah. It is a technical term that means a specific thing, and it looks like they meant it in more of a hand-wavy way. It does apply to the chat, it doesn't apply to the video. You can mouse over... Who knows? Zoom is changing super fast, on the daily, so it may not even say that anymore. Last week, when you would mouse over the little green lock thing at the top corner it would say, "This is secured with end-to-end encryption," when the video that you're actually hovering over isn't. But it may have meant something... They probably meant not the technical thing. I don't think they were intentionally trying to trick people into it.
Jen Ellis:
Right. You don't think it was intentional false advertising. You think it was just that they were trying to describe a thing and using imperfect language?
Tod Beardsley:
Probably. That would be my guess, but that's up for attorneys to argue, which they will certainly argue.
Jen Ellis:
You're so much less cynical these days than you used to be about vendors. I like that.
Tod Beardsley:
Well, I've dealt with a bunch. I'm a coordinated vulnerability disclosure kind of guy, and I have seen vendors that have their heart in the right place, and I've seen vendors who don't. Zoom feels to me, based on nothing but anecdote, this seems to be people who have... They've had their turn in the barrel multiple times over the last week, and they're like, "Okay, we're trying to do the right thing." I mean, the CEO announced a feature freeze, which is now... We're on day three, I think, of the feature freeze. So the next 86, 87 days, don't expect any new features from Zoom, but expect lots of security goodness. So that's good. It's super easy for a CEO to say that. I am very excited to see what that actually manifests as. I don't know how much that percolates down. It's always easy for a C-level to say, "Security is our No. 1 priority," but it really comes down to the project managers and the product managers prioritizing that. I mean, we'll see if that happens.
Jen Ellis:
Although, I suspect within the situation... The orders have come on from high saying, "No, no, no." In the same way that Microsoft so famously did when the Trustworthy Computing team was created. That was something that came from the very top of Microsoft all the way down, and it was like a, "Oh no, we are going to fix this problem before we move on to other things," moment. I think maybe Zoom will have one of those now.
Tod Beardsley:
Yep. And I know I risk sounding like a giant Zoom apologist and all that, but... The crypto, bad news. The other bugs, not that big of a deal, but they did have a chance last summer to deal with this. There was a big issue in Zoom. Big, in terms of, got a lot of press. It still was a lame bug, but it was a bug, it was for real, and they kind of blew off the researcher until the researcher went public. Then they fell all over themselves to fix it, which gives the signal of like, "Oh, well don't even bother reporting privately because nothing happens until reported publicly."
Tod Beardsley:
Now, I do think they've learned their lesson. The aforementioned Citizen Lab has a bug with Zoom right now that they have reported privately and they're working through it. So it would be... In fact, it sounds like it's an easy fix, but we don't know because there's no technical details, because this is what you're doing. It's still a little easy to say, "I have a bug," but fine. It's better than what we've been doing for the week, so I do expect that their private disclosure will get a lot better, especially over the next probably two or three weeks.
Jen Ellis:
Awesome. All right. Well, thank you so much for taking us through all of that, Tod, and you are keeping that blog updated as more comes out from Zoom and also about Zoom as well?
Tod Beardsley:
I am. I've already updated it once for the Citizen Lab stuff that published after the initial publish of the blog. There's an issue being talked about this morning about Zoom videos getting snarfed on the internet, but it's super not Zoom's fault. Again, it's another one of these things. If that gets any more coverage, I'll cover it, but I don't want to amplify it at this point. TL;DR: if you save your Zoom recorded meetings somewhere where you don't have a password, people can find them, so... Right, pregnant pause. So if it's not stored on Zoom, right, proper, if you didn't store it local... So basically, if I take a file and I put it on the internet, people can find it. Okay.
Jen Ellis:
That's a little bit like blaming Amazon for open S3 buckets, right? You can't do that. That's a user-
Tod Beardsley:
It's even worse. It's a Google dork issue. Google dorking is where you find a certain file pattern or certain URL pattern and you just look for it, and Google will hopefully tell you about it. It's the easiest kind of Shodan at home basically, and this falls into that category. I can say the same thing about anything named .docx. It's like, "Oh, office? I can see all my office docs on the internet when I put them on the internet?" That's the story. So anyway, exclusive right now on the podcast, not in the blog, unless it gets more pickup today, then I'll cover it.
Jen Ellis:
Okay. So we're going to wrap up. As my final note though, and we are massively over our Rapid Rundown here, but as my final note I will just say, this is a time when people are embracing video conferencing who have not always done that. It's quite new to a lot of people, and there's a much heavier reliance on it than there has been before, and so things are going to happen. People are going to mess up, they're going to forget that they're on video. People are going to embarrass themselves in some ways. You're going to have lots of pictures of people looking not at their shining best. I would just remind people that we are in a situation where we really should be using our compassion as much as possible.
Tod Beardsley:
Yes.
Jen Ellis:
This is not a time when you should be rubbing your hands together, gleefully hitting record, and then sharing videos of people at their most embarrassing. It doesn't reflect well on you if you're the person doing that, so please don't be that person. All right. Here endeth the sermon, the lecture. Tod, thank you so much for taking us through all of this. If you guys want to read Tod's blog, your best bet is just into the Google machine, Tod Beardsley-
Tod Beardsley:
Rapid7, Zoom, Bugbear.
Jen Ellis:
... Rapid7 blog, Zoom. Yeah. You will get it. Yes, even if you just do Zoom and Bugbear, you will probably find it, and Tod will be very happy that you get to see his Bugbear picture.
Tod Beardsley:
Yes.
Jen Ellis:
Again, thank you to our special guest this week, John Strand of Black Hills Information Security. Nailed it. And to my cohost, Tod Beardsley, and as ever, thank you to our amazing producer, Bri Hand. Thank you so much, Bri. Have a great week. We will speak to you again probably next week, probably still from the attic.