DEF CON Be The Match

At DEF CON 22, I signed up at the Be The Match booth to be a bone marrow donor.  I didn’t really think much about it.  I noticed the booth while waiting in line for my Vegas 2.0 badge.  I attempted to participate in the Blood Kode, but was still recovering from a cold and was disqualified.  I’d never paid attention to bone marrow donation prior to this.  The sign up for Be The Match was a cheek swab.

Two months later, in October, I received a call from Be The Match indicating I was potentially a match and that they would like me to have a blood test to further determine my compatibility.  I had the test.  Two months later, in December, I received a second call indicating I was a full match and asking if I was willing to go forward with the donation via hematopoietic stem cell transplantation.  I agreed.

The next step was a physical, including more blood tests, to make sure I was physically capable of donating.  After the physical results were returned, a donation was scheduled.  It was a 5 day process.  On each of the first 4 days, I had injections of Filgrastim.  The donation was on the fifth day.  During the first 4 days, I encountered joint pain in my hips and back.  That appears to be extremely common.

The fifth day was the donation.  I went to the hospital handling the donation.  It is basically dialysis for a few hours.  They hooked me up to the machine, then I sat there for 6 hours while the process occurred.  I still had joint pain for 24 hours after the donation, but the pain has gone away.

Am I the first DEF CON attendee to donate?  I don’t know.  I tweeted @_defcon_, but they haven’t responded.

Security Summer Camp 2014

This was an interesting Security Summer Camp.

I stayed at the Tuscany the entire week.  I cannot stress how awesome the Tuscany is.  You’re right there for BSidesLV and then you have the shuttle that runs during DEF CON.  It is amazing.  The Las Vegas Strip is only a half mile walk as well.  The change of venue for DEF CON next year will make the Tuscany an even more attractive venue.

I really liked the DEF CON badge this year.  It is much nicer than the DEF CON 20 badge.  I don’t care for the Egyptian theme from DEF CON 20.  Of DEF CON badges though, 21 is still my favorite.  The playing card design on a circuit board is just awesome.  The DEF CON 20 badge is my favorite of any conference.

The BSidesLV badge from this year is also pretty cool.  I like the poker chip design.  It is way better than the chunk of metal from 2013.

Of swag, I planned to buy a copy of Adam Shostack’s book on Threat Modeling.  Given that he is being accused of rape, I decided to hold off.  I’d think that if I were accused of a crime, I’d at least offer some sort of response.  The silence is strange.

The BSidesLV pool parties were my favorite evening festivities.  I didn’t bother attending any Black Hat parties this year.  The pool party at the Tuscany was awesome.  theSummit benefit was fun, but BSidesLV beat them.  I wanted to participate in Bloodkode again this year, but I had the sniffles and was disqualified from giving blood.  I did finally participate in Be The Match though.

I enjoyed Jessy Irwin’s talk on education security at BSidesLV.  I’m used to the issues with manufacturing and patching.  You have to wait for downturns of processes for industrial control equipment.  It’s life.  I never considered that IT professionals in education have similar restrictions.  Patching has to be done during breaks and Apple’s release in September is amazingly inconvenient.

CustoDiet by Quadling and company seems like a nice idea for a tool.  I’d love for a platform for being able to provide security to my family networks.  Hopefully it is a successful project.

Security Summer Camp 2014 – Preview

Two weeks until Security Summer Camp 2014!

This should be an interesting year.  Last year, I stayed at the Tuscany for BSides and then moved to the Rio for DEF CON.  This year, I will be staying at the Tuscany the entire time.  It is cheaper and I don’t really think staying at the Rio offered much more convenience.

This will be my first year to attend theSummit.  I missed out on the event last year.

At BSidesLV, I am excited for the education security talk by Jessy Irwin.  I’m not familiar with the constraints of security in education.  It will be very new to me.

At both BSidesLV and DEF CON, there will be a talk on “Measuring the IQ of your Security Feeds.”  I’ve got security feeds.  How useful are they?  Meh.  Maybe this will help?

BSidesLV has a talk on fixing IDS technology by Tony Robinson.  Once again, another technology I’ve got that is a mess.  Extra tips and tricks for managing alerts are always helpful.

BSidesPGH presenter Grecs will be giving a demonstration on Malware Analysis at BSidesLV.  Malware analysis isn’t something I do, so I’d like to get a better understanding of it.

There are some interesting looking talks at DEF CON this year, but my must-see talks all appear to be at BSidesLV.  Hopefully I stumble into some sleeper hits at DEF CON this year like I did last year.

Security Summer Camp 2013

DEF CON was awesome.  I had a somewhat negative outlook going in.  Everyone complains about crowds and not being able to get into talks.  I assumed DEF CON was going to be like Black Hat where I’d have trouble meeting people.  None of that ended up being true.

To keep costs down, I registered on the forums and found people to crash with.  It worked out great.  I’d do it again.  My regret is that I didn’t have time to participate in any of the activities.  I didn’t go to Toxic BBQ, DEF CON Shoot, Hacker Jeopardy, etc.  I need to go to some of that stuff next year.  I only participated in Blood Kode besides going to talks.

The top two talks I attended were BYO-Disaster: Corporate Wireless Still Sucks by James Snodgrass and Josh Hoover and the DNS May Be Hazardous To Your Health by Robert Stucke.  There were plenty of great talks, but those were the best for me.

The BYOD talk covered a range of exploits to get a mobile device to think it is connected to a corporate network.  From there, the rogue access point hits the user with a prompt and the user is guaranteed to enter their credentials.  The technical exploits were interesting and the social engineering was impressive.  In short, mobile devices will accept an authentication success to a wireless network even if no authentication attempt had been made.  Most users probably wouldn’t even check their wireless settings in my opinion.  Those that do (like me) would probably just assume it was a proxy glitch or something and enter credentials at the prompt.

The second talk on DNS was all around amazing.  The presenter had a couple of crazy DNS tricks.  First, Robert covered DNS bit-flipping.  He registered domains that were off by a single bit from a target and captured traffic.  In his study, Google was the target and he managed to capture some traffic.  I couldn’t find any indication of this in my environment though.  Given the industrial nature, I was rather surprised.  The second part of his DNS study was registering improperly resolved network objects.  So for instance, a machine trying to find wpad for proxy settings should ask for wpad.domain.com.  An improperly configured machine may continue up the chain and ask for wpad.com.  His example organization was Accenture.  I can confirm that.  The final DNS game was registering old command and control servers to see if the botnets were still active.  He found the botnets were still active and speculated that an attacker could register the old domains to gain control of the botnets.
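
One way to look for the first two effects in your own DNS query logs, as an added example that is not from the original post or the talk: it builds the one-bit variants of a hostname you rely on and flags wpad lookups that have left your domain. The `time client qname` log format, `example.com` as the organisation's domain, and all function names are assumptions made for illustration.

```python
import string

# Characters allowed in a hostname label; a flipped byte must still be one of these.
VALID = set(string.ascii_lowercase + string.digits + "-")

def bitflip_variants(domain):
    """All valid hostnames that differ from `domain` by exactly one bit."""
    domain = domain.lower()
    variants = set()
    for i, ch in enumerate(domain):
        if ch == ".":
            continue  # leave label boundaries alone
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit)).lower()  # DNS is case-insensitive
            if flipped == ch or flipped not in VALID:
                continue
            name = domain[:i] + flipped + domain[i + 1:]
            if not any(l.startswith("-") or l.endswith("-") for l in name.split(".")):
                variants.add(name)
    return variants

def is_wpad_leak(qname, org_domain):
    """True for a wpad lookup that has left the organisation's own domain."""
    return qname.startswith("wpad.") and not qname.endswith("." + org_domain)

def scan(log_lines, watched, org_domain):
    """Return (client, qname, reason) for suspicious 'time client qname' lines."""
    flips = {v: d for d in watched for v in bitflip_variants(d)}
    findings = []
    for line in log_lines:
        _, client, qname = line.split()
        qname = qname.lower().rstrip(".")
        if qname in flips:
            findings.append((client, qname, "one bit from " + flips[qname]))
        elif is_wpad_leak(qname, org_domain):
            findings.append((client, qname, "wpad devolved past " + org_domain))
    return findings

# Constructed sample log; example.com stands in for the organisation's domain.
SAMPLE_LOG = [
    "2013-08-05T09:00:01 10.0.0.5 www.example.com",
    "2013-08-05T09:00:02 10.0.0.7 wpad.example.com",
    "2013-08-05T09:00:03 10.0.0.7 wpad.com",
    "2013-08-05T09:00:04 10.0.0.9 www.dxample.com",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, ["www.example.com"], "example.com"):
        print(hit)
```

The match is on exact hostnames, so list every name your clients resolve often (not just the apex) in `watched`.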