Comment This summer (Score 2) 81
Winter was freestyle skiing - she just finished that this week. Summer will be French camp, a museum camp, and Defcon/r00tz this year.
Min
I'm sorry, the fan-made "Star Trek" stuff is terrible, because the actors are terrible. It's as simple as that. They get pretty much everything right, otherwise, but without decent actors, it doesn't matter. I mean, the acting is high-school-level bad.
Err . . . how would this make it any different than Star Trek???
hawk
I disagree - I am a professional in the security space. I go to conferences for professional reasons.
I'd like the conference vendors to behave in a professional manner too and not insult my intelligence by implying that I'm more likely to sign off on a 6 figure deal because they have women dressed in biker leathers.
If I want to find scantily clad people of either gender, I can figure out where to look, trust me. I'm at a conference on my company's dollar, doing research on products we might want to invest in; I want to talk to someone who knows the bleedin' product, not the woman they hired for the week because of her looks.
Min
Hopefully RSA carries this over to their booths at other conferences. They were often among the worst offenders at Blackhat.
Min
They tried that (http://www.washingtonpost.com/wp-dyn/content/article/2010/04/06/AR2010040600742.html) and the court said "You don't have authority to do that because the internet isn't Title II regulated". Therefore now the internet is Title II regulated.
Min
There's no need for corporal punishment, just bring back "punishment" in general, and make it consistent and fitting.
This. My daughter knows that when Daddy starts counting down from 5 that she had better clean up her act NOW before the counter runs out. She knows this because I've consistently used that as a message to her that she has crossed the line since she was 2. Typically I only need to say 5, or hold up 5 fingers, and she changes her behavior (often she decides she needs a timeout and takes herself to her room).
That having been said, this is a technique that works with MY kid. Just like adults are different and if you interact with them assuming otherwise you're going to have issues, so are kids. Figure out what makes yours tick and use that knowledge and you'll both have an easier time of it.
Min
No! Rot 13 is broken. Hey, Triple DES made DES secure again! We'll do quadrupedal Rot 13! That'll fix em!
Min
Hey - if I had the choice to buy an iPhone (I'm an Android guy actually) and not have all the hassles and expenses of car ownership when I don't need them (there are days I don't drive, but my car still depreciates, gets one day closer to service, gets one day closer to breaking down, etc.), that'd be a trade I'd make.
I mentioned to my wife last night that it'd be great, I could nap with her and the kidlet, instead of being awake because they frown on napping while driving!
Min
Good coverage of the technical stuff; I'll add some of my personal thoughts on "how to get there".
1) There is a community out there, find your place in it. Go to conferences, look for local meetup groups.
2) Become comfortable with PEOPLE. Many technical people are not, but you will be a LOT better at your job if you are. People build systems, people break them. A computer never wakes up in the morning and decides to hack something. If you understand people, you can guess what shortcuts they'll take and know where to start poking.
3) Go watch past Defcon videos. There's gold in there. Not in the "oooh exploit" sense (although it's true that some people never get around to patching the old ones) but more importantly to understand how the people in the videos found the holes, and how the people not in the video left the holes to be found.
4) Find a mentor. Someone who's traveled your path before and can help you avoid the potholes before you get there. This is (imo) especially important if pentesting is calling you, as the legal potholes there are many and deep. Someone who's local will know what particular quirks your jurisdiction has.
5) Get a get out of jail free card. Others have covered this to death, but it's worth mentioning again. O&E insurance if you're ever doing this freelance is something I'd also consider to be mandatory underwear.
6) Find a safe playground. There are places you can practice your craft safely. Think the Google bug bounty program. Look for these places, read their rules and make sure you stay inside them. https://dcdark.net/ too.
Hope that helps. Enjoy the ride, it's been good to me over the years.
Min
Well, I believe KSP is using Unity and it has a pretty big map:
www.kerbalspaceprogram.com
If you can simulate a solar system, that meets the requirements of big in my book.
Min
Depends on your risk scenario planning. But yes, it does. A full rundown of our data integrity program would exceed the tl;dr scope on Slashdot, as well as violating NDAs.
In general though I'd point out that disk based vaulting technologies have advanced considerably in the last few years and if I were providing advice to someone I'd point out that there are cloud based solutions which are write-only type solutions if your risk tolerance permits the use of third parties to store your data (e.g. CrashPlan). Avamar may also be an option depending on costs and resources.
That's where the professional part of IT professional comes in. You weigh your risks and have an honest discussion with your partners on the business side without fear mongering, and you all decide on what your risk tolerance is, and have those discussions regularly (hint: Google's risk tolerance was different when they were in a garage than as a publicly traded company).
This. Even auditors have stopped blinking at me when I say "No tapes, we just have another data center like this one and a big ol' pipe and XYZ data backup solution attached to the disks at the other end."
When auditors stop blinking, you know it's hit mainstream.
Min
We encrypt using GPG at the DB extraction point so that when the file is sitting on the SFTP server in the DMZ waiting to go out it's not in cleartext. Also it allows us to sign the file, and our partner can confirm that it's not been tampered with prior to them opening it in whatever trusted environment they process in. We need encryption at rest as well as in transit; using GPG allows us to leave the 'transit' part up to the systems architects/developers because we know that whatever they do past DB extraction is not relevant from a security POV.
Didn't get into it in the first post because I didn't think anyone would be interested.
Min
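As an added illustration of the flow the comment above describes (sign and encrypt at the extraction point, partner decrypts and verifies), and not code from the commenter or their company, the script below runs the whole exchange with the gpg command line. The key owners, e-mail addresses, temporary keyrings, the sample CSV export and the byte offset used to simulate a damaged file are all constructed for the demo; it assumes gpg 2.2 or newer and runs entirely offline.

```shell
#!/bin/sh
# Added example: sign-and-encrypt at the DB extraction point, decrypt-and-verify
# at the partner, using gpg (2.2+). All names, addresses and files are
# placeholders constructed for this demo; nothing here touches ~/.gnupg.
set -eu

# One throwaway keyring per side, so the demo stands in for two organisations.
setup_keys() {
    WORK="$(mktemp -d)"
    OURS="$WORK/extractor"    # keyring on the extraction host (hypothetical)
    THEIRS="$WORK/partner"    # keyring in the partner's trusted environment (hypothetical)
    mkdir -m 700 "$OURS" "$THEIRS"
    # Demo keys only: no passphrase, no expiry.
    gpg --homedir "$OURS" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Extractor <extract@example.invalid>' default default never
    gpg --homedir "$THEIRS" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Partner <partner@example.invalid>' default default never
    # Public keys are exchanged directly between the parties, not via a public keyserver.
    gpg --homedir "$OURS" --batch --quiet --armor --export extract@example.invalid > "$WORK/extract.pub"
    gpg --homedir "$THEIRS" --batch --quiet --armor --export partner@example.invalid > "$WORK/partner.pub"
    gpg --homedir "$OURS" --batch --quiet --import "$WORK/partner.pub"
    gpg --homedir "$THEIRS" --batch --quiet --import "$WORK/extract.pub"
}

# Extraction side: sign with our key and encrypt to the partner in one pass, so the
# file that lands on the DMZ SFTP host is never cleartext.  $1 = export, $2 = output.
protect_export() {
    gpg --homedir "$OURS" --batch --quiet --yes --trust-model always \
        --pinentry-mode loopback --passphrase '' \
        --local-user extract@example.invalid --recipient partner@example.invalid \
        --sign --encrypt --output "$2" "$1"
}

# Partner side: decrypt and insist on a GOODSIG status line from the extractor's key.
# Returns 0 only when both decryption and signature verification succeed.
# $1 = protected file, $2 = where the cleartext is written.
receive_export() {
    status="$(gpg --homedir "$THEIRS" --batch --quiet --yes --trust-model always \
        --pinentry-mode loopback --passphrase '' --status-fd 1 \
        --output "$2" --decrypt "$1" 2>/dev/null)" || return 1
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG '
}

demo() {
    setup_keys
    # Constructed sample of what a DB export might look like.
    printf 'id,account,balance\n1001,ACME-3391,250.00\n' > "$WORK/export.csv"
    protect_export "$WORK/export.csv" "$WORK/export.csv.gpg"
    # At rest in the DMZ: the protected file must not contain any export field.
    if grep -aq 'ACME-3391' "$WORK/export.csv.gpg"; then
        echo "cleartext leaked into protected file" >&2; return 1
    fi
    # Partner receives, decrypts and verifies; content must round-trip exactly.
    receive_export "$WORK/export.csv.gpg" "$WORK/received.csv"
    cmp -s "$WORK/export.csv" "$WORK/received.csv"
    # A copy damaged at rest or in transit (one byte overwritten at a constructed
    # offset inside the encrypted session-key packet) must be rejected.
    cp "$WORK/export.csv.gpg" "$WORK/altered.gpg"
    printf 'X' | dd of="$WORK/altered.gpg" bs=1 seek=40 conv=notrunc 2>/dev/null
    if receive_export "$WORK/altered.gpg" "$WORK/altered.csv"; then
        echo "damaged file was accepted" >&2; return 1
    fi
    echo "round trip ok; damaged copy rejected"
}

# Stop the per-keyring agents and remove the temporary keyrings.
cleanup() {
    gpgconf --homedir "$OURS" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$THEIRS" --kill gpg-agent 2>/dev/null || true
    rm -rf "$WORK"
}

if command -v gpg >/dev/null 2>&1; then
    demo
    cleanup
else
    echo "gpg not found; nothing to demonstrate" >&2
fi
```

The point of `--sign --encrypt` in a single gpg invocation is that the signature lives inside the encrypted envelope, so the partner's decrypt step verifies it at the same time and nobody between extraction and the partner's trusted environment ever handles cleartext; `receive_export` treats anything other than an explicit `GOODSIG` status as a failure rather than trusting gpg's exit code alone.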
I partially agree with Moxie, GPG/PGP as an email encryption standard is never going to reach the "my mother uses it" point of say Skype. That doesn't mean it's run its course. I also think it's disingenuous to imply that the number of keys on the public key servers is a useful proxy for utilization rates.
In my company we use GPG every day. Most people who work there have no idea that we do. It's used in sensitive communications at high levels between organizations, e.g. to send documents to auditors. It's also used in a huge number of automated processes to encrypt data during the DB extract process so we can move that data out of the DB network and send it to partners.
We don't send those keys to a public keyshare. That would provide attackers information and we don't do that (ya, security through obscurity sucks if it's your only line of protection. If you're using it to make life just a bit more difficult for an attacker tho, well I'm always for that!)
Now all that having been said, I have great respect for Moxie, and maybe he has the Next Great Thing up his sleeve. I hope to see it at Defcon.
Min
Anyone can make an omelet with eggs. The trick is to make one with none.