The InfoSec Amnesty Q&A

Foreword (Lesley)

One of the hardest things to accept in information security is that we as individuals will simply never know everything there is to know about the field, or all of its many niches. Despite this absolute reality, we still often feel embarrassed to ask basic questions about topics we don’t understand, due to a misplaced fear of looking unknowledgeable.

The reality is that there are a number of subjects in information security which many people who are otherwise quite competent professionals in the field are confused by. To try to alleviate this problem, I anonymously polled hundreds of infosec students and professionals about what topics they’re still having trouble wrapping their heads around. A few subjects and concepts rose to the top immediately: Blockchain, the Frida framework, DNSSEC, ASLR (and various associated bypasses), and PKI.

Since information security has many areas of specialty, I’ve stepped aside today and asked people specifically working in each niche to tackle breaking down these topics. Where possible, I have provided two perspectives from people with different experiences with the subject matter. Each of these contributors was tremendously generous with his or her time and knowledge. Please visit their social media profiles and personal blogs!

ASLR (Skip Duckwall and Mohamed Shahat)

Perspective One: Skip

1) This is a pretty tough topic, so let’s start with an easy one. Can you tell us a little about yourself, and your expertise related to ASLR / ASLR bypassing?

Yikes, ask the easy ones first, eh?  I’m a former DOD Red team member (contractor) who did some stuff to some things somewhere at some point in time.  My biggest life achievement is being part of a group which got a multi-billion dollar MS client pissed off enough to call MS to the carpet and eventually MS wrote a whitepaper.  Now I’m a consultant.  My experiences with ASLR, etc are mostly from a “I have to explain why these are things to C-level folks and why they should care” standpoint.

2) ASLR bypasses are common in security news, but a lot of infosec folks don’t fully understand what ASLR does, and why bypassing it is a goal for attackers. Can you please give us a “500-words-or-less” explanation of the concepts? (Assume an audience with solid IT fundamentals)

Caveat:  This is a very technical question and in order to answer it in an easy to understand manner, I have to provide some background and gloss over a lot of very pertinent details.  My goal is to provide a GIST and context, not a dissertation ;-).
Ok, while I can assume people have solid IT fundamentals, I need to define a Computer Science fundamental, namely the concept of a stack.  A stack is a conceptual (or abstract) data structure where the last element in is the first element out (LIFO).  You put stuff into a stack by “pushing” it and you pull stuff out by “popping” them.  The wikipedia page for a stack ( ) is a good read.
This is relevant because stacks are used extensively as the means for an operating system to handle programs and their associated memory spaces.  Generally, the memory associated with a process has three areas (arranged in a stack), namely the Text area (generally the program’s machine code), the data area (used for static variables), and the process stack, which is used to handle the flow of execution through the process.  When a process executes and hits a subroutine, the current information for the process (variables, data, and a pointer to where the execution was last at) gets pushed onto the process stack.  This allows the subroutine to execute and do whatever it needs to do, and if further subroutines occur, the same thing happens.  When the subroutine is finished, the stack gets popped and the previous execution flow gets restored.

One of the earliest types of attacks against programming mistakes was called ‘stack smashing’ (seminal paper here: by Aleph One).  In this kind of attack, the attacker would try to stuff too much information into a buffer (a block of data which sits on the process stack) which would overwrite the stack pointer and force the process to execute attacker-generated code included in the buffer.  Given the generally linear nature of how the stacks were handled, once you found a buffer overflow, exploiting it to make bad stuff happen was fairly straightforward.

ASLR (Address Space Layout Randomization) is an attempt to make the class of bugs called buffer overflows much more difficult to exploit.  When a process executes, it is generally given virtual memory space all to itself to work with.  So the idea was, rather than try to have all the process stack be clumped together, what if we just spread it out somewhat randomly throughout the virtual memory space?  This would mean that if somebody did find a buffer overflow, they would not know where the stack pointer was in order to affect the flow of the process and inject their code, raising the bar for attackers. (in theory)

Obviously bypassing ASLR is a goal for attackers because it is a potential gate barring access to code execution 😉

3) What are two or three essential concepts for us to grasp about ASLR and the various  bypass techniques available?

So when it comes to ASLR bypasses there are really only a couple different categories of methods, brute force or information leakage.

In many cases, ASLR implementations were limited somehow.  For example, maybe there were only 16 bits (65535) of randomness, so if you were trying to exploit a service which would automatically restart if it crashed, you could keep trying until you got lucky.  Many ASLR implementation suffer from some problem or another.

Another common problem with ASLR is that there may be segments of code which DON’T use ASLR (think external libraries) which are called from code that is using ASLR. So it might be possible to jump into code at a well known location and then leverage that to further exploit.

Information leakage is the final issue that commonly arises.  The idea is that a different vulnerability (format string vulns are the most common) has to be exploited which will provide the attacker with a snapshot of memory, which can be analyzed to find the requisite information to proceed with the attack.

4) What would you tell somebody in infosec who’s having trouble grasping how ASLR works and how it is bypassed? (For example, what niches in security really need to “get it”? What other things could they study up on first to grasp it better?)

Honestly, unless you are an exploit developer, an application developer, or into operating systems memory design, a gist should be all you need to know. If you are a developer, there’s usually a compiler option somewhere which you’d need to enable to make sure that your program is covered. It is also worth noting that generally 64-bit programs have better ASLR because they can have more randomness in their address space.

5) What about somebody who has a solid grasp on the basics and wants to delve deeper? (Any self-study suggestions? Are there any open source projects that could benefit from their help?)

This topic rapidly reaches into the computer science scholarly paper area (Googling ASLR bypass pdfs will find you a lot of stuff). Also, look through Blackhat / DEF CON / other security conference archives, as many people will present their research. If you want to delve deeper, look into how the Linux kernel implements it, read through the kernel developer mailing lists, etc… lots of info available.

Perspective 2: Mohamed

1) Thank you for joining us! Would you mind telling us a little about yourself, and your expertise related to ASLR / ASLR bypassing?

Hi Lesley! My name is Mohamed, I’m a software engineer who has a lot of passion towards security. Some may know me from my blog ( where I write about various security concepts/challenges.

I currently work as an engineer on the Windows Security team where we design/implement security features and do other cool stuff.

2) ASLR bypasses are common in security news, but a lot of infosec folks don’t fully understand what ASLR does, and why bypassing it is a goal for attackers. Can you please give us a “500-words-or-less” explanation of the concepts? (Assume an audience with solid IT fundamentals)

Address space layout randomization (ASLR) is a security mitigation that aims to prevent an attacker from creating a reliable exploit. Its first implementation was over a decade and it became a stable in modern operating systems.

What it does is simple, the address space of a process is randomized on rerun/reboot depending on the implementation, this can be applied to the base address of the executable and libraries it loads as well as other data structures like the stack and the heap among other internal structures as well as the kernel (KASLR).

Executables are expected to be position-independent. In Windows, linking must be done with /DYNAMICBASE flag, while Linux requires -fPIE as a flag for gcc/ld.

How does that help? Well, exploits rely on knowledge about the address space to be able to manipulate the execution flow (I control EIP, where do I go next?) and with this information taken away, attackers can no longer depend on predictable addresses. When combined with other fundamental mitigations like DEP (Data Execution Prevention), exploiting memory corruption bugs becomes much harder.

Before we discuss the common bypassing techniques, it’s important to stress on that bypassing ASLR doesn’t directly enable code execution or pose a risk by itself as this is only a part of the exploit chain and you still need to trigger a vulnerability that results in code execution. Yet, finding an ASLR bypass mean that broken exploits can utilize that bypass again.

There are a few ways to bypass ASLR, some of these techniques are less likely to be applicable in modern OS/software than others:

  1.  Information Disclosure: Most commonly used method to bypass ASLR nowadays, the attacker aims to “trick” the application into leaking an address.

    Example: CVE-2012-0769

  2.  Abusing non-ASLR modules: The presence of a single non-ASLR module means an attacker has a reliable place to jump to. Nowadays, this is becoming less common.

    Example: CVE-2013-3893, CVE-2013-5057

  3.  Partial overwrite: Instead of overwriting EIP, overwrite the lower bytes only. This way you don’t have to deal with the higher bytes affected by ASLR.

    Example: CVE-2007-0038

  4. Brute-forcing: Keep trying out different addresses. This assumes that the target won’t crash, and the virtual memory area is small (ASLR on 64-bit > ASLR on 32-bit).

    Example: CVE-2003-0201

  5. Implementation flaws: Weak entropy, unexpected regression, logical mistakes or others. Lots of great research on this topic.

    Example: CVE-2015-1593, offset2lib

    In real world, attackers will need to bypass more than just ASLR.

3) What are two or three essential concepts for us to grasp about ASLR and the various bypass techniques available?

  1. For ASLR to be efficient, all memory regions within a process (at least the executable ones) must be randomized, otherwise attackers have a reliable location to jump to. It’s possible that not all objects are randomized with the same entropy (randomization), in a way the object with the lowest entropy is the weakest link.
  2. Bypassing ASLR doesn’t mean attackers can execute code. You still need an actual vulnerability that allows hijacking the execution flow.
  3. Some bypasses aim to reduce the effective entropy

4) What would you tell somebody in infosec who’s having trouble grasping how ASLR works and how it is bypassed? (For example, what niches in security really need to “get it”? What other things could they study up on first to grasp it better?)

  1. Understand the memory layout of a process for both Linux/Windows, see how they change on rerun/reboot.
  2. Write a simple C++ program that prints the address of local variables/heap allocations with and without ASLR. Fire up a debugger and check the process layout of various segments.
  3. Research past ASLR vulnerabilities and how they were used to bypass it and recreate them if possible.

5) What about somebody who has a solid grasp on the basics and wants to delve deeper? (Any self-study suggestions? Are there any open source projects that could benefit from their help?)

  1. Understand the implementation differences for ASLR in Windows and Linux.
  2. Familiarize yourself with other mitigations like DEP, stack cookies (Windows/Linux), AAAS, KSPP (Linux), policy-based mitigations like ACG/CIG (Windows). This list is in no way comprehensive but serves as a good start.
  3. Solve exploitation challenges from CTFs, recreate public exploits that rely on bypassing ASLR.
  4. Check PaX’s ASLR implementations.

Recommended reads:

  1. Differences Between ASLR on Windows and Linux
  2. On the effectiveness of DEP and ASLR
  3. The info leak era on software exploitation
  4. Exploiting Linux and PaX ASLR’s weaknesses on 32- and 64-bit systems

For hands-on experience I recommend the following:

  1. RPISEC’s MBE course
  3. CTFs

Blockchain (Tony Arcieri and Jesse Mundis)

Perspective One: Tony

1) Thanks for joining us. Would you mind telling us a little about your background, and your expertise with blockchain technology?

I’m probably most known in the space for the blog post: “On the dangers of a blockchain monoculture“, which covers both my (somewhat dated) views of blockchains and how alternative “next generation fintech” systems not based on blockchains might provide better alternatives. I spent the last year working for, an enterprise blockchain company targeting cryptographic ledgers-as-a-service, which I recently left to pursue other interests.

2) Would you please give us a 500-words-or-less explanation of what a blockchain is, and why the technology is important to us as security professionals? (Assume an audience with solid IT fundamentals)

“Blockchain” is a buzzword which loosely refers to the immutable, append-only log of transactions used by Bitcoin, collectively agreed upon in a distributed manner using a novel consensus algorithm typically referred to as “Nakamoto consensus”. Other systems have adopted some of the ideas from Bitcoin, often changing them radically, but still referring to their design as a “blockchain”, furthering a lack of clarity around what the word actually refers to.

A “blockchain” is more or less analogous to a Merkle Tree with some questionable tweaks by Satoshi[2], which authenticates a batch of transactions which consist of input and output cryptographic authorization programs that lock/unlock stored values/assets using digital signature keys.

Bitcoin in particular uses a proof-of-work function to implement a sort of by-lottery distributed leader election algorithm. Being a buzzword, it’s unclear whether the use of a proof-of-work function is a requirement of a blockchain (the Bitcoin paper refers to the idea of a blockchain as a “proof-of-work chain”, for example), but in colloquial usage several other systems claiming to be based on a “blockchain” have adopted alternative authorization mechanisms, namely ones based around digital signatures rather than a proof-of-work function.

As a bit of trivia: the term “blockchain” does not appear in the original Bitcoin whitepaper. It appears to be a term originally used by Hal Finney prior to Bitcoin which Satoshi adopted from Hal.

[2]: It really appears like Satoshi didn’t understand Merkle Trees very well:

3) What are a couple really critical concepts we should understand with regards to how blockchain technology functions?

Perhaps the most notable aspect of Bitcoin’s blockchain is its use of authorization programs as part of the “Nakamoto consensus” process: every transaction in Bitcoin involves two programs: an input program which has locked funds which will only unlock them if the authorization program’s requirements are met, and an output program which specifies how funds should be locked after being unlocked. Every validating node in the system executes every program to determine whether or not actions affecting the global state of the system are authorized.

This idea has been referred to as “smart contracts”, which get comparatively little attention with Bitcoin (versus, say, Ethereum) due to its restrictive nature of its scripting language, but every Bitcoin transaction involves unlocking and re-locking of stored value using authorization programs. In other words, “smart contracts” aren’t optional but instead the core mechanism by which the system transfers value. If there is one thing I think is truly notable about Bitcoin, it’s that it was the first wide-scale deployment of a system based on distributed consensus by authorization programs. I would refer to this idea more generally as “distributed authorization programs”.

Bitcoin in particular uses something called the “unspent transaction output” (UTXO) model. In this model, the system tracks a set of unspent values which have been locked by authorization programs/”smart contracts”. UTXOs once created are immutable and can only move from an unspent to spent state, at which point they are removed from the set. This makes the Bitcoin blockchain a sort of immutable functional data structure, which is a clean and reliable programming model.

Ethereum has experimented in abandoning this nice clean side effect-free programming model for one which is mutable and stateful. This has enabled much more expressive smart contracts, but generally ended in disaster as far as mutability/side effects allowing for new classes of program bugs, to the tune of the Ethereum system losing the equivalent of hundreds of millions of dollars worth of value.

4) What would you tell somebody in infosec who’s struggling to conceptualize how a blockchain works? (For example, does everybody in the field really need to “get it”? Why or why not? What other things could they study up on to grasp it better?)

There are other systems which are a bit more straightforward which share some of the same design goals as Bitcoin, but with a much narrower focus, a more well-defined threat model, and both a cleaner and more rigorous cryptographic design. These are so-called “transparency log” systems originally developed at Google, namely Certificate Transparency (CT), General Transparency (GT) a.k.a. Trillian, Key Transparency (KT), and Binary Transparency. These systems all maintain a “blockchain”-like append-only cryptographically authenticated log, but one whose structure is a pure Merkle Tree free of the wacky gizmos and doodads that Satoshi tried to add. I personally find these systems much easier to understand and consider their cryptographic design far superior to and far more elegant than what has been used in any extant “blockchain”-based system, to the point I would recommend anyone who is interested in blockchains study them first and use them as the basis of their cryptographic designs.

Links to information about the design of the “transparency log” systems I just mentioned:

5) What about somebody who has a solid grasp on the basics and wants to delve deeper? (Any self-study suggestions? Are there any open source projects that could benefit from their help?)

Here are some links to specific bits and pieces of Bitcoin I think are worth studying:
– Bitcoin Transactions (a.k.a. UTXO model):

Perspective Two: Jesse

1) Let’s start with the easy one. Would you please tell us a little about your background, and your expertise with blockchain technology?

I’m a C / Unix Senior Software Developer with a CISSP, who has worked with encryption and payment technologies throughout my career. I have a recently published paper on the possible implications of the GDPR (General Data Protection Regulation) on blockchain-based businesses, and have a pending patent application involving cryptographic keying material and cryptocurrencies. As an Info Sec professional, I enjoy the chance to share some knowledge with folks who wish to learn more about the field.

2) Would you please give us a 500-words-or-less explanation of what a blockchain is, and why the technology is important to us as security professionals? (Assume an audience with solid IT fundamentals)

A blockchain is fundamentally a ledger of transactions, with each “block” or set of transactions hashed in such a way as to link it to the previous block, forming a “chain.” There are many blockchains, with varying implementations and design goals, but at their core, they all provide for continuity and integrity of an ever-growing ledger of transactions. They provide an unalterable(*) record of events, in a distributed fashion, verifiable by any participant, and can be an important tool for providing “Integrity” in the CIA triad. The Bitcoin blockchain is the most famous, providing a basis for the BTC currency, so I will use it as a blockchain example. However, please understand that blockchain transactions don’t have to be financial in nature – they could be hashes of timestamped signed documents, or just about anything else you might want to keep an unalterable, witnessed record of.

(*) “unalterable” – In this case means that the network integrity as a whole is only secured by substantial ongoing compute power in a proof-of-work blockchain. Without that, you lose the core assurance the technology is trying to provide.

In the proof-of-work bitcoin blockchain, transactions are effectively of the form “At time Z, wallet number X paid wallet number Y the sum of N bitcoins.” Imagine many of these messages being dumped on a common message bus worldwide. “Miners” (who should more descriptively be thought of as “notaries”) collect up a “block” of these transactions, and along with the digital hash of the previous block in the chain, begin searching for a nonce value, which when added to their block, will make the hash of their block have a required number of leading zeros to be considered successful. The winning miner announces this block with their nonce to the world. All other miners confirm the block is valid, throw their in-progress block away, and begin working on a new block, which must now contain the winning block’s hash, thus adding an other link to the chain.

Checking the hash of a block is trivial, but finding the right nonce to create a valid hash takes time inversely proportional to the miner’s computing power. Once the chain has a sufficiently large number of blocks, each chaining back to the previous block, it becomes impractical to refute, change, or delete any records deep enough in the chain, without re-doing all the computational work which follows. An attacker would require a substantial percentage of the entire computational capacity of the network to do this.

In summary, a “block” is a set or group of transactions or entries plus a nonce, and the “chain” is formed by including the hash of the previous block as part of the next block. The weight of all future computations to find nonces for future blocks collectively secure the integrity of all the previous records in the chain.

3) What are a couple really critical concepts we should understand with regards to how blockchain technology functions?

“Blockchain” is not magical security pixie dust, and many new startup businesses pitching blockchain haven’t thought it through. As mentioned above, proof-of-work blockchains need a lot of compute power to secure them. Bitcoin is a fascinating social hack, in that by making the transactions about a new currency, the algorithm was designed to incentivize participants to donate compute power to secure the network in return for being paid fees in the new currency. On the other hand, private blockchains, kept within a single company may be no more secure against tampering than other existing record keeping mechanisms. That is not to say blockchains are useless outside of cryptocurrencies. The blockchain is applicable to “The Byzantine Generals Problem” [1] in that it can create a distributed, trusted, ledger of agreement, between parties who don’t necessarily trust each other. I fully expect the basics of blockchain technology to soon be taught in CS classes, right alongside data structures and algorithms.


4) What would you tell somebody in infosec who’s struggling to conceptualize how a blockchain works? (For example, does everybody in the field really need to “get it”? Why or why not? What other things could they study up on to grasp it better?)

Keep it simple. A block is just a set of entries, and the next block is chained back to the previous block via inclusion of the previous block’s hash. The hash on each individual block is the integrity check for that block, and by including it in the next block, you get an inheritance of integrity. A change in any earlier block would be detected by the mismatched hash, and replacing it with a new hash would invalidate all the later blocks. Hashing is computationally easy, but finding a new nonce to make the altered hash valid in a proof-of-work scheme requires redoing all the work for all the blocks after the change. That’s really all you need to keep in mind.

Everyone in the security field does not need to understand blockchain to any deep level. You should have a basic understanding, like I’ve sketched out above, to understand if blockchain makes sense for your given use case. Again, using the more famous Bitcoin blockchain as an example, I’d strongly recommend everyone read the original 2008 Satoshi white paper initially describing Bitcoin[2]. It’s only eight pages, light on math, and very readable. It encapsulates many of the ideas all blockchains share, but I have to say again that while Bitcoin is implemented on the original blockchain, it is far from the only way to “do blockchains” today.


5) What about somebody who has a solid grasp on the basics and wants to delve deeper? (Any self-study suggestions? Are there any open source projects that could benefit from their help?)

Blockchain startups, projects, and new cryptocurrencies are all hot. Ethereum is getting a lot of press due to its “smart contracts” which provide compute actions executed on their blockchain. There are over ten thousand hits on github for “blockchain” right now, and over one hundred and fifty for books and videos at Safari Online. The challenge really is to narrow down your interest. What do you want to do with blockchain technology? That should guide your next steps. Just to throw out some ideas, how about finding a more power efficient way to do proof-of-work? Currently the Bitcoin network as a whole is estimated to be running at about 12 petaHashes per second, and consuming 30 TerraWatt-Hours per year. This is environmentally unsustainable. Or, examine some of the proof-of-stake alt-coins. Figure out what kinds of problems can we solve with this nifty, distributed, trust-out-of-trustlessness tool.

In my opinion, blockchain technologies really are a tool searching for the right problem. An alt-currency was an interesting first experiment, which may or may not stand the test of time. Smart contracts don’t seem ready for production business use to me just yet, but what do I know – Ethereum has a 45 billion dollar market cap, second only to Bitcoin right now. I personally don’t see how inventory tracking within an enterprise is really done better with a private blockchain than traditional methods, but I do see how one might be of use for recording land title deed transfers in a government setting. All of these, and many more activities are having blockchain technologies slapped on to them, to see what works. My advice is to find something which excites you, and try it.

The distributed, immutable ledger a blockchain provides feels like it is an important new thing to me for our industry. Maybe one of you will figure out what it’s really good for.

DNSSEC (Paul Ebersman)

1) Nice to meet you, Paul. Could you please tell us a little about yourself, and a bit about your work with DNSSEC?

I’ve been supporting internet connected servers since 1984, large scale DNS since 1990. I’ve been involved with the IETF development of DNS/DNSSEC standards and the DNS-OARC organization. For 3+ years, I was the DNS/DNSSEC SME for Comcast, one of the largest users of DNSSEC signing and validation.

2) Would you please give us a brief explanation of what DNSSEC is, and why it’s important?

The DNS is used to convert human friendly strings, like into the IP address or other information a computer or phone needs to connect a user to the desired service.

But if a malicious person can forge the DNS answer your device gets and give you the IP address of a “bad” machine instead of the server you think you’re connecting to, they can steal login information, infect your device with malware, etc.

DNSSEC is a technology that lets the owner of a domain, such as, put cryptographic signatures on DNS records. If the user then uses a DNS resolver that does DNSSEC validation, the resolver can verify that the DNS answer it passes to the end user really is exactly what the domain owner signed, i.e. that the IP address for is the IP address the owner wanted you to connect to.

That validation means that the user will know that this answer is correct, or that someone has modified the answer and that it shouldn’t be trusted.

3) What are a couple really critical concepts we should understand with regards to how DNSSEC functions?

DNSSEC means that a 3rd party can’t modify DNS answers without it being detected.

However, this protection is only in place if the domain owner “signs” the zone data and if the user is using a DNS resolver that is doing DNSSSEC validation.

4) What would you tell somebody in infosec who’s struggling to conceptualize how DNSSEC works?

DNSSEC is end to end data integrity only. It does raise the bar on how hard it is to hijack the DNS zone, modify data in that zone or modify the answer in transit.

But it just means you know you got whatever the zone owner put into the zone and signed. There are some caveats:

– It does not mean that the data is “safe”, just unmodified in transit.
– This is data integrity, not encryption. Anyone in the data path can
see both the DNS query and response, who asked and who answered.
– It doesn’t guarantee delivery of the answer. If the zone data is DNSSEC signed and the user uses a DNSSEC validating resolver and the data doesn’t validate,the user gets no answer to the DNS query at all, making this a potential denial of service attack.

Because it does work for end to end data integrity, DNSSEC is being used to distribute certificates suitable for email/web (DANE) and to hold public keys for various PKI (PGP keys). Use of DNSSEC along with TLS/HTTPS greatly increases the security and privacy of internet use, since you don’t connect to a server unless DNSSEC validation for your answer succeeds.

5) What about somebody who has a solid grasp on the basics and wants to delve deeper?

Start with the documentation for your DNS authoritative server for information on signing your zones. Similarly, read the documentation for your recursive resolver and enable DNSSEC validation on your recursive resolver (or use a public validating resolver, such as or

Here are some good online resources:

For debugging DNSSEC problems or seeing if a zone is correctly signed: https:/

For articles on DNSSEC:

PKI (Tarah M. Wheeler and Mohammed Aldoub)

Perspective One: Tarah

(Tarah Wheeler, principal security researcher at Red Queen Technologies, New America Cybersecurity Policy Fellow, author Women In Tech. Find her at @tarah on Twitter.)

1) Hi, Tarah! Why don’t we start off with you telling us a little about your background, and your expertise with PKI.

My tech journey started in academia, where I spent my time writing math in Java. As I transitioned more and more to tech, I ended up as the de facto PKI manager for several projects. I handled certificate management while I was at Microsoft Game Studios working on Lips for Xbox and Halo for Xbox, and debugged the cert management process internally for two teams I worked on. On my own projects and for two startups, I used a 2009 Thawte initiative that provided certificates free to open source projects, and then rolled my own local CA out of that experience. I managed certs from Entrust for one startup. I handled part of certificate management at Silent Circle, the company founded by Phil Zimmermann and Jon Callas, the creators of PGP. I was Principal Security Advocate at Symantec, and Senior Director of Engineering in Website Security—the certificate authority that owns familiar words like VeriSign, Thawte, GeoTrust, and others. I was one of the Symantec representatives to the CA/B (Certification Authority/Browser) Forum, the international body that hosts fora on standards for  certificates, adjudicates reliability/trustworthiness of certificate authorities, and provides a discussion ground for the appropriate issuance and implementation of certificates in browsers. Now, I use LetsEncrypt and Comodo certs for two WordPress servers. I have a varied and colorful, and fortunately broad experience with cert management, and it helped me get a perspective on the field and on good vs. bad policy.

2) Would you please give your best, “500 words or less” explanation of what PKIs are and what they’re used for today (assume an audience with solid IT fundamentals)?

PKI or public key infrastructure is about how two entities learn to trust each other in order to exchange messages securely. You may already know that Kerberos and the KDC (Key Distribution Center) work on a shared-secrets principle, where users can go to a central authority and get authorization to communicate and act in a given network. PKI is a more complex system that understands lots of different networks which may or may not share a common trust authority. In PKI, you’re negotiating trust with a root which then tells you all the other entities that you can trust by default. The central idea of public key infrastructure is that some keys you already trust can delegate their trust (and hence yours) to other keys you don’t yet know. Think of it as a very warm introduction by a friend to someone you don’t yet know!

There are five parts of certificate or web PKI.

  1. Certificate authorities, the granting bodies for public/private keys, are in practice a form of verification to grease those wheels when there’s no other method of demonstrating that you are who you say you are…a function of identity. Yeah, I know I said that two entities can trust each other without a common authority, but humans aren’t good at that kind of trust without someone vouching for them. So, we have CAs.
  2. Registration authorities have what is essentially a license to issue certificates based on being trusted by the CA, and dependent upon their ability to validate organizational identity in a trustworthy way. Certificate authorities may perform their own registration, or they might outsource it. CAs issue certificates, and RAs verify the information provided in those certificates.
  3. Certificate databases store requests for certificates as opposed to the certificates themselves.
  4. Certificate stores hold the actual certificates. I wasn’t in charge of naming these bloody things or I’d have switched this one with certificate databases because it’s not intuitive.
  5. Key archival servers are a possible backup to the certificate database in case of some kind of disaster. This is optional and not used by all CAs.

Keys work like this: a pair of keys is generated from some kind of cryptographic algorithm. One common algorithm is the RSA (Rivest-Shamir-Adleman) algorithm, and ECDSA (Elliptic Curve Digital Signature Algorithm) is coming into more common use. Think of those as wildly complicated algebraic equations that spit out an ‘x’ string and a ‘y’ string at the end that are interrelated. You can give the ‘x’ to anyone anywhere, and they can encrypt any message, ‘m’ with that x. Now, while they know the original message, only you can unencrypt the message using your ‘y’ key. That’s why you can send the ‘x’ key to anyone who wants to talk to you, but you should protect the secrecy of your ‘y’ key with your teeth and nails.

The two major uses for PKI are for email and web traffic. On a very high level, remember that traffic over the Internet is just a series of packets—little chunks of bits and bytes. While we think of email messages and web requests as philosophically distinct, at the heart, they’re just packets with different port addresses. We define the difference between messages and web requests arbitrarily, but the bits and bytes are transmitted in an identical fashion. So, encrypting those packets is conceptually the same in PKI as well.

If you want to secure email back and forth between two people, the two most common forms of PKI are PGP (Pretty Good Privacy) and S/MIME (Secure/Multipurpose Internet Mail Extensions). PGP is the first commonly used form of email encryption. Created by Phil Zimmermann and Jon Callas in the early 1990s, PGP is notoriously both secure and difficult to configure for actual human usage, but remains the standard for hyper-secure communication such as with journalists or in government usage. S/MIME is the outsourced version of PKI that your email provider almost certainly uses (once they’ve machine-read your email for whatever commercial/advertising purposes they have) to transmit your email to another person over open Internet traffic. While S/MIME is something most users don’t have to think about, you’ll want to think about whether you trust both your email provider and the provider of the person you’re sending your email to.

The other major use for PKI is a web server authenticating and encrypting communications back and forth between a client—an SSL/TLS certificate that’s installed and working when you see “https” instead of “http” at the beginning of a URL. Most of the time, when we’re talking about PKI in a policy sense or in industry, this is what we mean. Certificate authorities such as DigiCert, Comodo, LetsEncrypt, and others will create those paired keys for websites to use to both verify that they are who they say they are, and to encrypt traffic between a client who’s then been assured that they’re talking to the correct web server and not a visually similar fake site created by an attacker.

This is the major way that we who create the Internet protect people’s personal information in transit from a client to a server.

Quick tangent: I’m casually using the terms “identification” and “authentication,” and to make sure we’re on the same page: identification is making sure someone is who they say they are. Authentication is making sure they’re allowed to do what they say they’re allowed to do. If I’m a night-time security guard, I can demand ID and verify the identity of anybody with their driver’s license, but that doesn’t tell me if they’re allowed to be in the building they’re in. The most famous example in literature of authentication without identification is the carte blanche letter Cardinal de Richelieu wrote for Madame de Winter in “The Three Musketeers,” saying that “By My Hand, and for the good of the State, the bearer has done what has been done.” Notably, D’Artagnan got away with literal murder by being authenticated without proof of identification when he presented this letter to Louis XIII at the end of the novel. Also: yes, this is a spoiler, but Alexandre Dumas wrote it in 1844. You’ve had 174 years to read it, so I’m calling it fair game.

There are a few other uses for PKI, including encrypting documents in XML and some Internet Of Things applications (but far, far fewer IoT products are using PKI well than should be, if I can mount my saponified standing cube for a brief moment).

Why do we use PKI and why do information security experts continue to push people and businesses to use encryption everywhere? It’s because encryption is the key (pun absolutely intended) to increasing the expense in terms of time for people who have no business watching your traffic to watch your traffic. Simple tools like Wireshark can sniff and read your mail and web traffic in open wireless access points without it.

3) What are a couple really critical concepts we as infosec people should understand with regards to how a modern PKI functions?

The difference between identity and security/encryption. We as security people understand the difference, but most of the time, the way we explain it to people is to say “are you at PayPal? See the big green bar? That’s how you know you’re at PayPal” as opposed to “whatever the site is that you’re at, your comms are encrypted on the way to them and back.

There’s a bit of a polite war on between people who think that CAs should help to verify identity and those who think it is solely a function of encryption/security. Extended validation (“EV certs”) certificates show up as those green bars in many desktop browsers, and are often used to show that a company is who they say they are, not just whether your traffic back and forth is safe.

Whether they *should* be used to identify websites and companies is a topic still up for debate and there are excellent arguments on both sides. An extended validation certificate can prove there’s a real company registered with the correct company name to own that site, but in rare cases, it may still not be the company you’re looking for. However, in practice and especially for nontechnical people, identifying the site is still a step up from being phished and is often the shortcut explanation we give our families at holidays when asked how to avoid bad links and giving out credit card info to the wrong site.

4) What would you tell somebody in infosec who’s struggling to conceptualize how PKI works? (For example, does everybody in the field really need to “get it”? Why or why not? What other things could they study up on to grasp it better?)

PKI has become an appliance with service providers and a functional oligopoly of certificate authorities that play well with the major browsers. That isn’t necessarily a bad thing; it’s simply how this technology evolved into its current form of staid usefulness and occasional security hiccups. In reality, most people would do better knowing how best to implement PKI, since vulnerabilities are in general about the endpoints of encryption, not in the encryption itself. For instance: don’t leave 777 perms on the directory with your private keys. If your security is compromised, it’s likely not because someone cracked your key encryption—they just snagged the files from a directory they shouldn’t have been allowed in. Most PKI security issues are actually sysadmin issues. A new 384-bit ECDSA key isn’t going to be cracked by the NSA brute forcing it. It’ll be stolen from a thumb drive at a coffee shop. PKI security is the same as all other kinds of security; if you don’t track your assets and keep them updated, you’ve got Schroedinger’s Vulnerability on your hands.

PKI isn’t the lowest-hanging fruit on the security tree, but having gaping network/system security holes is like leaving a convenient orchard ladder lying about.

5) What about somebody who has a solid grasp on the basics and wants to delve deeper? (Any self-study suggestions? Are there any open source projects that could benefit from their help?)

Roll your own certs and create your own CA. Do it for the practice. I was on Ubuntu years ago when I was rolling my own, and I used the excellent help docs. One best security practice is to regularly generate and use new keys, instead of keeping the same key for years and years, for the same reasons that changing your password regularly for high-security sites is a good idea—and that’s true whether you’re creating your own certs and local CA or if you’re simply purchasing a certificate from a CA. As with so much else, rolling your own crypto means that YMMV, so if you’re thinking of doing so formally and for a company or project that holds critical or personal information, get a pro to assess it. Think of this like a hobbyist building cars or airplanes at home. Most may be fine with riding in their own homebrewed contraptions, but wouldn’t put a child in it. If you don’t have the time to be a PKI professional, don’t keep other people’s data safe with your home-brewed certificate authority.

Most of the time, security issues aren’t with the encryption itself, but with how it’s been implemented and what happens on the endpoints—not with the math, but with the people. Focus on keeping your keys safe, your networks segmented, and your passwords unique, and you’ll be ok!

*I would like to thank Ryan Sleevi for feedback, and especially for providing the Kerberos/PKI analogy for comparison. All errors are mine.

Perspective Two: Mohammed

1) Thank you sharing your knowledge! When you reached out to me, you noted you had quite a unique perspective on PKI. Would you mind telling us a little about your background, and your expertise on the subject?

In my first information security job in the government of Kuwait, we had the opportunity to work on the country’s national PKI and Authentication project in its infancy, basically from the start, and together in a small team (5 at the time) we set out on a journey of ultra-accelerated and solid education, training and development for the country’s custom in-house solutions. Deciding that development of internal capability is far more useful, compliant with national security, and of course more fun, we began to develop our own tools and libraries for PKI, authentication, smartcards, and related technology. We produced our first version deployed to the public in 2010, much sooner than most (if not all) countries in the region, so it was for us a “throw them in the sea to learn swimming” type of experience. Developing certificate pinning in 2010 in C++ is not fun, but if there is one thing I learned, it’s this: chase the cutting edge, challenge yourself, and don’t belittle yourself or your background.

2) Would you please give your best, “500 words or less” explanation of what PKIs are and what they’re used for today (assume an audience with solid IT fundamentals)?

PKI (Public Key Infrastructure – ignore the name, it’s counterintuitive) is basically the set of technologies and standards/procedures that help you manage and utilize real-world cryptography.

PKI basically is a (major) field of applied cryptography.

If you ever took a cryptography course, while not being a total math nerd, and found out there’s lots of theory and math gibberish, then I can totally understand and sympathize. I personally believe math is one of the worst ways to get introduced to cryptography (just like grammar is a really bad way to start learning a new language). Cryptography should first be taught in an applied crypto fashion, then as one understands the main concepts and fundamentals, math can be slowly introduced when needed (You probably don’t need to understand Chinese Remainder Theorem to be able to use RSA!).

Ever visited an HTTPS website and wondered how you connected securely without having any shared keys to that website? That’s because of PKI.

Without asymmetric encryption, it would be impossible to create global-scale encrypted communication standards like SSL without presharing your keys with everyone in the world, and without PKI, managing global-scale asymmetric encryption deployments would be impossible at both the technical and management level.

So where is PKI in our world? Everywhere!

If you connected to HTTPS websites: PKI

Used Windows Update: PKI

Ran an application from a verified publisher: PKI

Email security? PKI

Connected through RDP or SSH? PKI

PKI encompasses technologies related to digital certificates, keys, encryption, signing, verification and procedures related to enrollment, registration, validation and other requirements that these technologies depend on.

Think of Let’s Encrypt. It’s now a Certificate Authority (entity that gives you certificates to put on your site and enable https/ssl/tls). To give you a certificate, they have certain procedures to check your identity and right to have a certificate issued to your domain name. This way anybody in the world can securely connect to your website without having to trust you personally through this delegated chain of trust.

For Let’s Encrypt to be trusted globally, proper application of PKI must be done, and must be verified by 3rd parties. If this trust is violated or abused through improper practices, compromise or negligence, you lose total or partial trust globally. DigitNotar went out of business after state actors compromised its CA and issued fake certificates to global websites, allowing them to have semi-automatic exploitation of wide scale communications. Symantec used improper certificate issuance practices and is now scheduled for full distrust in browser on September 2018 (They have already sold their PKI business to DigiCert).

The same idea applies to almost every popular software we run: It’s signed by trusted publishers to verify ownership. Software updates are, too.

Without PKI, you can’t boot your device with even a hint of security.

Fun exercise: Go check your device’s list of trusted Root Certificate authorities (Root CA: All powerful entities having -at least theoretical- power to compromise most of your communications and systems if their power is abused and targeted against you). You’d be surprised to find entries for so many foreign government CAs (sometimes even China) already trusted by your device!

3) What are a couple really critical concepts we as infosec people should understand with regards to how a modern PKI functions?

There are many concepts to understand in PKI, but I’ll list the ones I think are most important based on the mistakes I’ve seen in the wild:

– Learn the importance of securing and non-sharing of private keys (real world blunders: Superfish adware, VMWare VDP and Rapid7 Nexpose appliances )

– Know the secure and insecure protocol/algorithm configurations (real world blunders: Rapid7 CVE-2017-5243 SSH weak configs, Flame malware, FREAK vulnerability (using weak RSA_EXPORT configs) – Even NSA.GOV website was vulnerable!

– Don’t charge the bull; dance around it. Most PKI implementations can be attacked/bypassed not by trying to break the math involved but by abusing wrongly put trust, wide-open policies, bad management and wrong assumptions. Real world blunder: GoDaddy issued wrong certificates because they implemented a bad challenge-response method that was bypassed by 404 pages that reflected the requsted URL – so GoDaddy tool thought the server error was a valid response to their random code challenge:

4) What would you tell somebody in infosec who’s struggling to conceptualize how PKI works? (For example, does everybody in the field really need to “get it”? Why or why not? What other things could they study up on to grasp it better?)

Learn it in an applied fashion. No math. Take a look at your own setup. Check out the Digital Signature tab in any signed EXE that you have on your system. Open wireshark and checkout the SSL handshake, or wait till an OCSP request/response is made and check how it looks in wireshark. Get familiar a bit with PKI tools such as openssl.
Or write a small program that connects over SSL to some SSL port, then write a small program that listens on an SSL interface. Use ready-made libraries at first.

5) What about somebody who has a solid grasp on the basics and wants to delve deeper? (Any self-study suggestions? Are there any open source projects that could benefit from their help?)

Check out the following topics/ideas:

– Certificate Transparency.

– OCSP stapling.

– Code signing.

– Checkout The Update Framework ( ), to learn how to implement secure software updates.

– Implementing client certificates for server-to-server communications.

– Hardware security modules (HSMs). YubiHSM is an affordable such piece of hardware.

I believe understanding PKI is growing more important as we start automating more and more of our tools and workflows, and that using tools (such as certbot) is not a valid excuse to not learn the fundamentals.

Frida (Dawn Isabel and Jahmel [Jay] Harris)

Perspective One: Dawn

1) Thanks for taking the time to speak with us, Dawn. Would you mind telling us a little about yourself, and your expertise with Frida?

Thanks for the opportunity!  I’ve been in information security for around 12 years, and before that worked as a web application developer.  I currently work as a consultant, primarily testing web and mobile application security.  I’ve been using Frida for a little over a year, and most of my experience with it is on mobile platforms.  I regularly write scripts for Frida to automate testing tasks and to teach others about iOS internals.

2) Assume we work in infosec, but have never used Frida. How would you briefly explain the framework to us? Why is it useful for security professionals? (Assume an audience with solid IT fundamentals)

At a high level, Frida is a framework that enables you to inject your own code (JavaScript) into an application at runtime.  One of the simplest use cases for this is tracing or debugging – if you’ve ever sprinkled “print” statements in a program to debug it, you’ll immediately appreciate using Frida to inject logging into an application to see when and how functions and methods are called!  Security professionals will also use Frida to bypass security controls in an application – for instance, to make an iOS application think that a device is not jailbroken, or to force an application to accept an invalid SSL certificate.  On “jailed” platforms like stock iOS, Frida provides security professionals with a window into the application’s inner workings – you can interact with everything the application can, including the filesystem and memory.

3) What are a couple important things to know about Frida before we start using it?

I think the first thing to understand is that Frida is ultimately a framework for building tools.  Although it comes with several useful command-line tools for exploring applications (the Frida command-line interface (CLI) and frida-trace are both invaluable!), it isn’t a scanner or set-and-forget tool that will output a list of vulnerabilities.  If you are looking for a flexible, open-ended framework that will facilitate your runtime exploration, Frida might be for you! 

The second thing to keep in mind is that Frida is much more useful if you approach it with a specific goal, especially when you are starting out.  For instance, a good initial goal might be “figure out how the application interacts with the network”.  To use Frida to accomplish that goal, you would first need to do a little research around determining what libraries, classes, functions, and methods are involved in network communications in the application.  Once you have a list of those targets, you can use one of Frida’s tools (such as frida-trace) to get an idea of how they are invoked.  Because Frida is so flexible, the specifics of how you use it will vary greatly on the particular problem you are trying to solve.  Sometimes you’ll be able to rely on the provided command-line tools, and sometimes you’ll need to write your own scripts using Frida as a library.

4) What would you tell somebody in infosec who’s having trouble using Frida? (For example, what niches in security really need to “get it”? What other things could they study up on first to grasp it better?)

When I first started using Frida, I tried to jump right in writing scripts from scratch without having a clear idea of what I was trying to accomplish.  Figuring out all the moving parts at once ended up slowing me down, and felt overwhelming!  Based on those experiences, I usually recommend that people who are new to Frida get started by using frida-trace.  The neat thing about frida-trace is that it will generate stubs called “handlers” that print a simple log message when the functions and methods you specify are invoked.  These handlers are injected into the target process by frida-trace, which also handles details like receiving and formatting the log messages.  Editing the handlers is a great way to learn about Frida’s JavaScript API ( and gain visibility into specific areas of an application.  There is a nice walkthrough of the process of editing a handler script in the post “Hacking Android Apps With Frida I” (

Once you are comfortable editing the handler code, experiment with creating your own self-contained script that can be loaded into a process using the Frida CLI.  Start by loading some examples that are compatible with your platform, and then try using those as a template to write your own.  There are many example scripts you can try on Frida Codeshare ( – copy the code to a file so you can easily edit it, and load it into the Frida CLI using the “-l” flag.  Initially, aim to gain proficiency using Frida to invoke native methods in the application.  Then practice using the Interceptor to attach to and replace functions.  Incidentally, if you started out by using frida-trace then using the Interceptor will be very familiar – just compare the contents of a handler script to the Interceptor.attach() example shown at!

I don’t think you need to have a deep understanding of Frida’s internals to use it, but it is definitely helpful to understand the architecture at a high level.  Frida’s “Hacking” page has a nice diagram that lays out the different components (  You’ll also want to know enough JavaScript that you don’t spend a lot of time struggling with syntax and basic programming primitives.  If you’ve never written in a scripting language, running through some JavaScript tutorials will make it easier to use Frida with the provided command-line tools.

5) What about somebody who has a solid grasp on the basics and wants to delve deeper? (Any self-study suggestions? Are there any open source projects that could benefit from their help?)

If you want to dive deeper, there are several directions you can go!  Since Frida is an open-source project, there are many ways to contribute depending on your interests.  There are also a lot of great tools built with Frida, many of which take contributions.  For any level of interest, I suggest checking out as a starting point.  You’ll find blog posts and demos showing some concrete examples of Frida’s functionality, as well as links to some of the projects that use it.

If you want to contribute to Frida, or build more complex tools that leverage it, I’d recommend gaining a greater understanding of how it works.  One good starting point is “Getting fun with Frida” (, which discusses concepts in Dynamic Binary Instrumentation (DBI) and discusses prior work.  The 2015 presentation “The Engineering Behind the Reverse Engineering” (slides and video at is even more in-depth, and a good follow-up once you grasp the high-level concepts.

Perspective Two: Jay

1) Hi Jay! Thanks for taking the time to chat with us. Would you please tell us a little about yourself, and your expertise with Frida?

My name is Jahmel Harris but some people know me as Jay. I’m a freelance pentester in the UK ( and run Manchester Grey Hats ( – a group where we put on free workshops, ctfs etc to help teach practical cyber security skills to our members. We live stream so no need to be in the UK to attend! Also, feel free to join our Slack (invite link on Twitter).

I started using Frida when performing mobile application testing and found it worked much better than Xposed which I was using at the time. Although XPosed and Frida allows us to do similar things, Frida allows us to do it in a faster and more iterative way. A simple task could take several hours in Xposed can be done in minutes in Frida. More recently, i’ve been using Frida in bug bounties as many mobile apps go unlooked at due to some (fairly easy to bypass) client side security controls.

2) Assume we work in infosec but have never used Frida. How would you briefly explain the framework to us? Why is it useful for security professionals? (Assume an audience with solid IT fundamentals)

Frida allows us to inject JavaScript into a running application. Why is this useful? Well, it means we have the ability to change the behaviour of applications at runtime. By changing the behaviour of the application, we can add logging which can help us understand the flow, remove security controls or even dump secrets and keys. I find frida helps take testing one step further, especially where mobile apps are concerned. We can test assumptions easier, and change parts of the code without changing the signature. The other advantage is that as it becomes more difficult to jailbreak some devices, Frida can still allow us to perform a thorough test.

3) What are a couple important things to know about Frida before we start using it?

Frida is a great framework but there are some things I remind people:

  1. It is not very mature so you *will* discover bugs. Ole André V. Ravnås (the creator of Frida) is very friendly though and helps where he can so don’t be afraid to reach out to him.
  2. It’s not only for mobile application testing. For some reason I tend to only see Frida being used for Android and iOS application testing. It supports Windows and Linux so can be used for instrumenting Desktop applications too!
  3. Frida is bundled with a few tools such as frida-trace. This is where I start when trying to RE an application. Frida-trace will log functions that are called as well as generate the JavaScript handlers. This makes it super easy to start guessing interesting function names and tracing on them. As an example, if we’re looking at an IRC client, we can put traces on *send* or *irc* and we’re likely to get something interesting. Using Frida it’s then easy to start changing parameters to these functions or even change the behaviour of them *all at runtime without restarting the application!*

4) What would you tell somebody in infosec who’s having trouble using Frida? (For example, what niches in security really need to “get it”? What other things could they study up on first to grasp it better?)

Frida can really help mobile application testers go beyond the basics of app tests. Frida is also invaluable as it allows us perform a lot of useful tests from non rooted and non jailbroken devices which is something we struggle with with each new release of iOS. It’s important to understand though that Frida isn’t an exploitation framework. We still need to know what we’re looking for in an application or the controls we’re trying to disable. As an example, when doing a mobile application test, I might discover the application uses Certificate Pinning. To bypass this using Frida I will need to reverse the application, figure out the Certificate Pinning logic before writing a Frida hook to bypass it which of course requires some basic coding knowledge.

5) What about somebody who has a solid grasp on the basics and wants to delve deeper? (Any self-study suggestions? Are there any open source projects that could benefit from their help?)

As Frida is a framework and not an application per se, anyone using Frida that wants to help should work on more high level tooling using Frida. For example, more general purpose Certificate Pinning bypassing tools or fuzzing tools. The code for Frida is very well written so it’s easy to understand how Frida works and to contribute with bug fixes. As you find bugs or missing functionality in Frida, raise bug reports as it’s likely the same issue will be faced by many people.

The Infosec Introvert Travel Blog

So, you’ve finally landed that infosec job of your dreams! The clouds have parted and angels have descended from the sky singing Aphex Twin.

Congratulations, I believed in you all along.

One small problem: they say you’re going to have to travel. Maybe to a customer site. Maybe to training. It doesn’t matter. You’re an introvert and haven’t traveled much, and you’re starting to panic.

Don’t worry – I’m here for you, friend! Let’s go over some basic travel tips for introverted infosec people.

Learn How and What to Pack

There are hundreds of great blogs on packing for travel you can seek out, so I’ll keep these tips fairly brief:

  • A decent suitcase is a really important investment. Cheap suitcases without proper roller wheels are frustrating to lug across airports and will break at incredibly inopportune times. I recommend that every traveler have one decent quality carry-on suitcase and one decent quality backpack or shoulder bag with a laptop pouch, at a minimum. The last thing you need is a strap, zipper, or wheel snapping in the middle of the airport. I see no particular advantage to either soft-side or hard-side bags – the most important things to me in a carry-on are a lightweight, sturdy bag that will fit in regional jet overhead bins even when full.
  • Learn to neatly and tightly fold or roll your clothes. Clean ones, and dirty ones upon your return. Packing cubes are a huge help by this. I personally like these ones. Some people prefer compression bags, but I’ve found them a lot more frustrating to use on the return trip, and they don’t last as long.
  • Choose clothes that don’t easily wrinkle, and stick to a common color scheme. The more pieces of clothing you can mix, match, reuse for a couple days, and layer, the easier your life will be on your trip.
  • Shoes and boots are some of the bulkiest and heaviest things you can pack, so choose a versatile pair of dress shoes and bring as few pairs as possible.
  • Pack a small towel.
  • When flying, always pack essential travel-size toiletries and one change of clothes (underwear and socks at a minimum) in your carry-on bag. Luggage does get lost, and flights get delayed (sometimes overnight).
  • On the same note, always have medication, contact lenses, underwear, and socks for one more day than you plan to travel.
  • Always carry a travel-size Ibuprofen, Benadryl, and antacid. Those are a few small things you do not want to have to take a walk for in a strange city when you really need them.
  • Consider your personal daily usage of toiletry items. A million bloggers will tell you a million different things about how much soap to pack. For the most part, travel-size items will last you 3-4 days. For longer trips, you’ll probably need more. However, if you have long hair like I do, you might need more than a 3oz / 100ml bottle of conditioner for even a three day trip. This is something you’ll learn with practice.
  • If you run out of your travel-size toiletry items, buying toiletries at your destination is usually by far the most economical option, particularly when flying. There are convenience stories or pharmacies almost anywhere. However, expensive cosmetics or skincare products are definitely an exception and may motivate you to pay $25 each way to check a suitcase. Your call.
  • One final note about toiletries and flying – learn what the TSA and similar international agencies consider a “liquid” and a “gel”. There are lots of alternative toiletries like face wipes and solid deodorants that are not controlled by liquid restrictions that can give you a bit more wiggle room.
  • Have two phone chargers – one in your suitcase or car, and one in your carry-on or laptop bag.
  • If traveling to a different country, ensure you have the correct power adapters or plugs for your electronics. Bring a power converter if necessary, but they’re bulky and becoming irrelevant. Most laptops and phones made in the last 10 years can handle either 110v or 220v AC, so all you’ll need to replace is the plug, not the power brick. Check yours and make sure.
    TIP: MacBook wall plugs side off the power brick and are trivial to swap at will!
  • Plan for a catastrophic laptop crash, with either a USB drive or a recovery partition.

Have a Passport

They last a decade and aren’t super-expensive, but they take quite a while to arrive unless you pay for them to be expedited. Every infosec person should have one for last minute work or conference travel. Pat notes that it’s a great idea to pay for a passport card as well, as secondary emergency ID, and for the smaller form factor.

Learn How To Fly

It’s okay if you’ve never flown on a plane before. Lots of great infosec people hadn’t before they got their first job.

Read up a bit on air travel regulations before getting on your first flight. Prepare to go through airport security. For instance, read up on liquid and gel restrictions, and keep this bag easily retrievable in your carry on. Be prepared to take your laptop out quickly in the security line. In most places, security also requires removing belts, jewelry, wallets, and shoes, then placing them in a bin.

US Residents – ensure your State ID or Driver’s License is still adequate to use at the airport. Some states’ will not be soon, and you may need to purchase an enhanced ID or use a federal ID card such as a passport or military ID card.

Domestically, check into your flight at least an hour prior to boarding time (not departure time) – longer if you intend to check a bag. (If you’re running late, checking in on your phone can sometimes get you on the plane after check-in closes at the airport.) International travel has a significantly longer lead time – check the airport’s website for details.

Check the gate on your boarding pass and find and verify it has not changed before going off for a washroom break or a coffee. Airports all over the world are full of signs and maps to help you. Make sure you’re back at the gate before boarding time. (Once again, this is not the same as departure time.)

Most economy-class domestic flights in the US no longer serve any meal, and some may not even serve drinks. Others offer packaged food at a pretty exorbitant cost. I recommend you grab a sandwich and a drink in the airport after you find your gate. In my experience, most other countries’ carriers still serve a light snack – your ticket will usually indicate this. International flights will usually serve at least one meal, but you might not get any choice of what it is (allergen free, vegetarian, etc).

A bit about boarding groups – you and I will probably never be in the oft fabled Boarding Group 1. That tends to be pay-to-play, or extremely frequent travelers, or business class. If you’re in a higher boarding group (3-5 on most airlines), the overhead bins may fill up, and you’ll be required to check your carry-on bag for free at the gate. Ensure your important documents, electronics, and medications are transferred to your person if this is required.

On the plane, follow all posted safety instructions and stay seated with your seatbelt fastened unless you go to the lavatory. Be polite to the crew and don’t be afraid to ask questions.

What I normally have on my person or under the seat (not in the overhead bin) on your average flight:

  • Phone in airplane mode
  • Headphones (most commercial aircraft now support standard ones)
  • Wallet
  • Earplugs
  • Sandwich (on domestic flights)
  • Water bottle
  • Book
  • Travel neck pillow
  • Pen (especially if I have to fill out international customs forms)
  • Melatonin (on international flights) – (please note different sleep aids are OTC-authorized in different countries; plan accordingly).
  • Vicks Vapor Inhaler or equivalent (no, it’s not a vape – it helps with the dry air.)

Congratulations, you’re now an airport pro.

Safety and Security

Once again, we’ve reached a topic on which there have been many great blogs and articles already written (I particularly love Stephen Northcutt‘s – he’s definitely had some adventures!)

A few small fundamentals:

  • Be aware of the threats you will face as an individual and as an information security employee of your company in the place you’re going, before you arrive.
  • Consider bringing loaner / disposable electronic devices. At the very least, update and encrypt your devices. (They should be already, but this becomes absolutely critical during travel.)
  • Do not carry large sums of cash on your person, and don’t carry all your money in one place. Consider a discreet money belt or anti-theft bag.
  • Ensure the locks, peephole, phone, and safe in your hotel room work properly and ask to change rooms immediately if they do not.
  • Never let a stranger into your hotel room.
  • Pay attention to your surroundings. It’s very easy in a strange city to get distracted by the sights or your map. Tourist areas all over the world often have heavy pickpocket activity and crazy traffic.
  • Consider sightseeing with a buddy, but don’t let eating or sightseeing alone stop you from getting out. (Just make sure somebody knows where you are.)
  • Don’t make yourself a target! Don’t wear clothing that identifies your point of origin or that you are a tourist (language, flags, distinct regional clothing styles, etc). Dress like a local whenever possible. Keep the camera in the bag until you’re ready to use it.
  • Addendum, AMERICANS: Yes, us! We stand out. We tend to be significantly louder and less professionally dressed than locals, especially in Europe. Please, just don’t.
  • If you’re leaving your country, understand what access foreign internet service providers and customs agents may have to your personal and work devices.
  • Evaluate your personal threat model and make an informed risk decision about what devices and data to bring with you, and how you plan to connect to the internet and authenticate to your accounts while traveling (private VPN? Yubikey?)
  • notes that when progressing through security, Immigration, or Customs, it’s never particularly wise to introduce yourself as as a “computer hacker”. “IT” or “computer security” is quite sufficient unless pressed for specifics. “Hacking” carries various legal and social connotations around the world.

We as Information Security professionals tend to be highly and often reasonably paranoid about our personal security, so I will simply leave you with a reminder that everyone is in fact not out to get you, and while you should always make sensible and informed risk decisions about your security, you should also not let them entirely prevent you from exploring a new place.

Before You Leave Your Country

For US Residents:

  • Check the State Department Website for travel safety information on the country you will be visiting:
  • Check the CDC website for information on vaccinations you require prior to travel:
    TIP: Doctor on Demand can provide you a cheap and easy vaccine referral via your phone or tablet when walk in clinic nurse practitioners cannot.
  • Consider enrolling in the US State Department STEP program.
  • comments that the TSA PreCheck and Global Entry programs are a huge benefit for frequent air travelers, especially travelers in a professional group. Those programs do come with significant background checks and biometric disclosure, so while I personally find them extremely time-saving, you will need to make your own privacy decision.

For Everyone:

  • Contact your personal and/or work mobile phone provider for information on international voice and data plans for the duration of your travel. If you do not purchase international data service, disable cellular data for the duration of the trip or you may unwittingly face extremely steep fees. T-Mobile One is my favorite pick  for frequent international travelers from the US, as it provides free 2G data service in dozens of countries with no plan modification or additional fees.  prefers GoogleFi for the faster global 3G speeds, but their plans contain a firm data cap and overage charges if you plan to tether. If your phone is unlocked, you can also consider buying a SIM card at your destination if you need to do a lot of local calling.
  • Consider purchasing a travel health insurance policy, particularly if you’re traveling somewhere without universal health coverage for non-residents, or if you might be participating in high risk activities. Do get your shots in advance.
  • Choose a chip-enabled credit card that is preferably not your primary bill auto-payment method to bring on your travel, and contact the provider in advance to inform them you will be traveling abroad. ( adds an great reminder that some credit cards carry not insignificant international transaction fees – ensure you check this with your bank).
  • Read up a little on your destination. Understand the general geography, weather, economy, customs and courtesies (like tipping), criminal statistics, food and water safety, corruption, and political climate. Learn the current exchange rate to your country’s currency. Learning a couple phrases in the local language, (particularly courtesies and greetings), is usually appreciated by locals.
  • Make a copy of your important travel documents to lock in your room safe for the duration of your trip, in case of a lost or stolen wallet.

Have a Good Attitude

So you’re going to training in Springfield, population 700, with nothing but cornfields for miles in every direction. Or maybe you’re going to a country you never wanted to visit and you don’t speak the language. Everything’s terrible, right?

Let me let you in on a secret: I have never in my life traveled anywhere I didn’t like something about! In the most remote, Midwestern town I’ve ever traveled to, I found an amazing Amish market with the best sandwich I’ve ever eaten! I had amazing traditional Central American chocolate and an incredible boat ride through the glaciers in Anchorage. I saw adorable meerkats at a private zoo in Germany. These are the things you will remember in 10 years. You will not remember the hotel room – they start to blend together.

It’s important to remember that people are complicated individuals with lives and hobbies, wherever you go. Life might be much faster paced or much slower paced than what you’re used to, but people still eat, have families, and find recreation. If you keep your spirits up and ask around, you’ll find something cool to do anywhere you’re sent.

Packing the Game Console?

I love gaming too, but try to leave the PS4 at home if at all possible on your first trip to a new place. Give the place a chance. If you still hate it after 3 days, I’ll give you a pass on watching cable and playing smartphone games.

Plan Outside Business Hours

Traveling for business is a very different experience than traveling for pleasure. Significantly – packing requirements will be different, and your schedule will be different. This shouldn’t be an excuse for you to stay in your hotel room. Particularly in large cities, there are plenty of sights to see after business hours. While museums may frequently be closed after 5PM, outdoor sights will likely remain open much later – and be less crowded! Many attractions and tour companies offer passes and tickets at discounted rates in the evenings. There are also musical and theatrical events, even on weeknights.

Tripadvisor and Viator are a great resource for finding interesting things to do prior to your travel. Keep in mind that lots of smaller attractions have active Facebook pages where you can seek additional information from locals or employees. I like to take some notes with operating hours, locations, and prices to bring with me.

Ask a Local, and Keep an Open Mind

Don’t be afraid to ask colleagues, employees, or the hotel concierge for recommendations of local stuff to do or places to eat. People usually love talking about their favorite things! Even if what they suggest isn’t normally your cup of tea, consider giving their recommendations a shot (with reasonable health, security, and safety considerations).

The absolute worst that is likely to happen in 99.5% of cases is you’ll be stuck ordering the plain tomato soup, or you’ll be bored and bemused for a few hours. Conversely, you might have a great time, and discover a new favorite food. Either way, you’ve had a new life experience and you’ve grown as an individual.

Be The Travel Agent

Traveling with a group can be tough – even deciding where to eat can take a while if everybody is polite and introverted. Don’t be afraid to make yourself the travel agent for a day. Once you’ve identified something cool to see or a great place to eat, do a little research and suggest it to your traveling companions, and you’ll probably be surprised how many people were just waiting for somebody else to take the initiative. If you can tell them how you’ll get there and what the entry fees and hours are, all the better!

Have An Escape Plan

It’s important for any introverted traveler to plan reliable places to recombobulate that frequently exist and are similar in any unfamiliar city. Two reasons:

1) When something goes wrong (hotel room not ready, plane delayed, etc), this will give you a place to spend an hour or two and rethink your plans, and

2) When you get fed up with being around the same coworkers or customers, it will  provide you something do to alone.

These places are unique to you and I can’t tell you exactly what yours are going to be. In general, they should:

  • Be open across a broad range of hours.
  • Have a place to sit with free WiFi.
  • Be safely and easily accessible by ride-share, walking, or taxi – even if your phone’s dead.
  • Have reasonably clean public washrooms.
  • Be reasonably secure.
  • Allow you to stay for an hour or two.
  • Have friendly employees or patrons who can give you directions or assistance.
  • Provide you something to do, even if it’s just read a map without disruption.
  • Outlets are a plus.

My personal choices are shopping malls and yoga studios. They exist pretty ubiquitously and it’s easy for a stranger to patronize them without a lot of discussion. They provide me with familiar surroundings and some peace and quiet to think about my next move. Any rideshare driver knows where one is. Some other suggestions that exist in nearly any medium to large town might be:

  • Gyms with drop-in rates.
  • Libraries
  • Coffee shops

Bars are great but I don’t recommend them for this purpose in specific.

Whatever you choose, make sure you have those factors in the back of your mind, and even consider looking up where your choices are on a map before you travel. You’ll have a fallback plan when something goes wrong (or you just need some time to yourself). Don’t spend all of your time there, but use them as needed to recharge.


No amount of Vitamin C in a pouch alone will reliably keep you from getting sick! The facts are simple – you will likely be in a confined space with a few sick people during any flight, class, or conference. The #1 best way to prevent con plague is adequate sleep, healthy meals, and washing your hands regularly with soap and warm water. Bring hand sanitizer, but don’t rely on it exclusively. Try to drink plenty of water and juice to moderate coffee and alcohol.

No Problem is Insurmountable

Everybody makes mistakes while traveling. I’ve been in 7 countries this year and have a go bag, and I still occasionally forget to pack basic stuff. Things are going to go wrong. You’re going to forget something important like deodorant or medication, or it’s going to rain your entire trip, or your luggage is going to get lost. Maybe your wallet will get stolen or misplaced.

Do your best to plan sensibly, but realize plans will sometimes go awry. There are very few places you will travel for an information security job where even these problems will be insurmountable or deadly. There are convenience stores, pharmacies, and Western Unions all over the world. Clothes can be replaced. Replacement credit cards can be overnight-ed to your hotel. Toiletries can be replaced. Cables and adapters can be same day delivered by Amazon. Even money, passports, and mobile phones can be replaced within a day in most places. Consider it a learning experience.

The first thing you must do when something goes massively awry is take a deep breath and think. The second thing you should do is contact the authorities if a crime has been committed. This may be local police, or your country’s consulate, or both. Your employer’s loss prevention, physical security, or travel team will probably be able to assist you with next steps. Your hotel can also provide assistance in many situations you might feel are impossible crises.

You can do this! Keep calm and carry on!

The Infosec of Ready Player One – A Review

A Ready Player One major motion picture directed by Steven Spielberg is scheduled for release in March 2018, resulting in a recent resurgence of popularity of the Ernest Cline cyberpunk novel which serves as its inspiration. So, this seems like as good a time as any for me to briefly revisit the 2011 novel and discuss my personal thoughts on the good, bad, and ugly of its information security content.

Despite an all-star crew (based a bit on extensive online commentary nerd rage from people who read early leaked scripts, but mostly based on the bombastic and wildly diverging contents of the trailer itself), I don’t have particularly high hopes for the movie to express the novel’s techno-philosophical depth in only a couple hours. Nonetheless, I hope to revisit it with the brilliantly apropos MayaofSansar of Linden Labs after release.

Firstly, let me make it abundantly clear that this blog is up to the elbows full of Ready Player One spoilers. If you haven’t read the book and have any desire at all to have the book’s twists and puzzles be a surprise, stop reading here. Really! I highly recommend you pick up a copy of the book. While I have a couple nits to pick with Cline’s character development and my personal interpretation of the plot, it is an iconic cyberpunk novel filled with unfortunately plausible social and technological predictions. It also contains references to pretty much every geek fandom and iconic classic game, ever, in it. Cool beans? Go forth to to and seek victory!


Okay. Now that they’re gone, fellow Gunters – let’s proceed!


IOI’s Infosec Sucks

Let’s first discuss Parzival/Wade’s daring intrusion into the malevolent IOI mega-corporation’s network. As you probably recall, Wade has a limited period of days to abruptly become an (indentured) employee of IOI so he can access their corporate intranet from a terminal inside their offices. Once inside, he uses a series of black market exploits (which he purchases in advance from disgruntled employees) to escalate privileges and access his target sensitive Sixer team servers.

What I found believable:

From the perspective of an author in 2011, insider threats were a pretty timely topic. Wade isn’t the only insider that factors into his successful exfiltration of sensitive data. He purchases sensitive IOI network data and system exploits from the black market before he enters the facility – ostensibly from (reasonably) disgruntled network technicians. None of this is particularly implausible.

We see few specifics of the exploits and back doors that Wade uses in his espionage, but most of his physical and digital measures are “living off the land”-style abuse of sanctioned network and business operations. No malware is involved. This is generally a smart intrusion tactic.

What I found less believable:

1) The entire McGuffin of IOI’s network being effectively airgapped. Obviously, it provides pivotal drama to see Wade trapped inside a hostile, dystopian corporation conducting espionage. Nonetheless, we see evidence throughout the book that it’s simply not possible that IOI’s office systems are even close to disconnected from the internet / OASIS. Aside from fundamental business operations that go along with running a telecommunications company, we see the Sixers regularly logging into the OASIS. We also see Wade take constant external support chats in his assumed employee identity.

Cline falls back to the unfortunately ubiquitous cyberpunk trope of impenetrable firewalls. In reality, firewalls were already a legacy defense when the book was written in 2011 and today they’re evaded through phishing, malvertising, watering holes, and poor engineering far more often than they are directly exploited.

Wade could potentially have avoided his torturous week of indenturement with a well placed phish or some social engineering. That wouldn’t have made a great story, though. 🙂

2) IOI’s network security really sucks, even by 2011 standards. Certainly, Wade’s tactics would work in plenty of environments today, but it’s far less believable that they all work for a week without any detection at a massively powerful global technology corporation storing ultra-sensitive, incriminating data.

Let’s think about all the times Wade’s activity should have been detected by a competent security monitoring team:

  • When he logged into his in-use sleeping quarters computer as a maintenance tech in the middle of the night, with no associated trouble ticket or physical entry.
  • When a privileged account was used from a sleeping quarters computer, regardless of the quality of privilege escalation Wade used to obtain access.
  • When he created new, highly privileged accounts on the IOI network.
  • When he accessed “crown jewel” ultra-sensitive Sixer servers from previously unknown administrative account, via a sleeping quarters computer.
  • When he inserted a removable drive without a known maintenance hardware ID into his sleeping quarters computer.
  • When he conducted a phenomenally massive transfer of sensitive files to a external drive across the network (it’s later equated to the size of the Library of Congress).
  • When he issues a network command for his ankle bracelet to release at night, in a sleeping unit, with no human or secondary check required.

We can actually learn a lot of solid infosec lessons from Wade’s intrusion and it’s consequently one of my favorite parts of the book. However, the premise that these well known attack vectors of 2017 are still not monitored in the most powerful corporation in the world in a technologically advanced 2044 is pretty unbearably dystopian for me. Raise a cheer, pessimistic friends!

Holy Crap! Encryption Backdoors!

Throughout the novel, GSS is presented as a relative bastion of corporate good in opposition to IOI’s faceless corporate greed. Indeed, for much of the novel, co-founder Ogden Morrow acts as a secret guardian for the Five. Morrow finally reveals himself when Art3mis, Parzival, and Aech, and Shoto are in dire straits on the run from IOI hired guns – by materializing as the Great Wizard Og inside Aech’s super-ultra-mega secret encrypted chatroom(!) While there’s some minor protest from the protagonists at this, it’s mostly glazed over in the book as administrative access exclusive to the GSS founders’ accounts, therefore not a concern.

That’s not how any of this works.

If the Og and Anorak (and ultimately Parzival) avatars have exclusive access to privately encrypted chat rooms in the OASIS, that means that there is a functioning crypto backdoor for the OASIS chatroom software. Given IOI’s cutthroat study and exploitation of OASIS software and staff, a backdoor for the server’s encryption and the associated cryptographic weakness would have been a juicy target for Sorrento and his IOI superiors, putting all Gunters at risk. To top that off, Morrow maintained his backdoor access even after leaving GSS – a weakness GSS’s security team might not even be aware of.

Wade’s Anti-Forensics

Zeroizing and melting drives. Not bad, kid.

Finding the Five

At the climax of the novel, Sorrento and his IOI Sixer team track down the Five in real life, to bribe, kidnap, and eventually attempt to kill them as they become increasingly successful in the Hunt for Halliday’s Egg. Let’s spend a little time considering the implications of how each of the Five is located:

Parzival is found because he makes a minor OPSEC mistake long before the contest begins (and he doesn’t draw this connection until it’s far too late). His private school transcripts, including his full home address, were linked to his OASIS account. IOI simply bribes a school adminstrator for the information after a rival student leaks the fact he’s in high school on a public message board. Of course, Wade improves his personal security substantially after this, creating and adopting a fake real-life identity.
Art3mis, Shoto, and Daito are presumably found and profiled a little later through a combination of similar OPSEC failures and their use of IOI subsidiary networks to connect to the OASIS. Services like anonymous VPNs don’t seem to exist in Cline’s 2044.  We might presume that Daito is the first one of them found as IOI operatives successfully murder him in his home during a critical battle.
Aech is the only one of the Five that IOI never successfully gains surveillance on. Helen’s unintentionally brilliant OPSEC includes her consistently faking her real name, race, and gender since childhood, even on school registration and among friends. She also lives in an RV and stays mobile, traveling from city to city. IOI is able to detect her logins on subsidiary wireless access points, but she moves too unpredictably for them to locate.

Once again, we have a portion of Ready Player One where Cline gives us quite a lot of food for thought about privacy and identity online in 2017 and beyond. The issue of internet service providers collecting browsing and location data and associating it us is an extremely relevant one today as debates over digital privacy and net neutrality rage globally. The potential abuse of internet activity data by advertising companies or by rogue employees certainly creates another incentive for privacy measures beyond simple TLS.

In addition, considering our OPSEC as our online personas, and the potential for those personas to be matched to our real life identities through legal or illegal means, is always timely.

The Stunning Lack of Reversing and Exploitation

There have been countless in-game and out-of-game MMORPG competitions in today’s world, with some substantial and coveted prizes and bounties at stake. However, nothing has ever come close in magnitude to the hunt for Halliday’s Egg. Competitive intelligence is real, and it’s not implausible that IOI would hire an entire staff and devote immense resources to winning the billions of dollars on the line.

What struck me as immersion-breaking unbelievable, throughout the book, was how little system exploitation was done in the course of the hunt. Decades of MMORPGs have built a multimillion dollar exploit, bot, and farming industry. There are minor mentions in the novel about GSS’ measures to ban cheating players and the pretty dire real-world consequences of a lifetime ban on citizens. However, with the utterly insane money at stake in the Hunt and the extreme measures that IOI is willing to go to to win, my tactics would have been quite different as a vile and unscrupulous Sorrento. I would have hired an army of reverse engineers to analyze the OASIS code, resources, and databases, searching for unusual locations and items by keyword and statistical anomalies – aided by paid spies at GSS with access to the back-end servers. It’s really pretty difficult to hide an implemented item, character, or environmental elements inside the resources and indexes of a modern game. Simply locating instances of Anorak’s avatar and voice samples would have been invaluable to narrowing the search.

Essentially the only consistent exploitation we see in the game even by the most desperate characters is IOI hacking their local biometric authentication hardware as a means to share biometrically locked characters. The Sixers mostly play by a twisted interpretation of in-game rules.

Since the Sixers are still certainly breaking the EULA of the OASIS, this can’t simply be written off as them wishing to avoid nullification of a victory for cheating. They seem to skip a rather trivial corporate espionage step with their extensive resources, proceeding directly to kidnapping and murder in the real world.

We’re STILL Using Unique One Word Handles in 2040??

No, no we are not. Not unless everybody wants to be named like randomly generated passwords or Sixer IDs.


This was infosec-specific commentary in which I didn’t delve into the abundant online gaming implications of the OASIS multi-world system or the extreme complexity of quest and skill-level balancing between technological, magical, and physical skills. (Or the horrifying implications of professional avatar permadeath.) I’ll leave that blog for my gaming industry pals. I’d love to hear your thoughts and interpretations of Ready Player One and cybersecurity in the comments. Until next time!


Whose Fault Is It? (A brief discussion on misconceptions about Equifax)

Our personal financial identities are exposed, and we’re mad. A sick, visceral, exhausted anger that hits us in the pit of our stomachs and makes us feel powerless.

People are understandably furious about the Equifax breach- to a degree that makes it tough to have a rational discussion about what happened. Unfortunately for information security professionals, anger is a luxury we don’t have right now. It’s now past time to have frank discussions about what went wrong and how to prevent it in our own environments. I’d like to take a moment to clear up a few exceptionally harmful  misconceptions about Equifax’s information security and security operations in similar practical environments.

Angry You Says: “I’m mad at Equifax for getting breached.”

It’s reasonable to be angry about Equifax’s existence, or their business model, or their retention of data. It makes no sense to be angry simply because they were breached. Any organization can, and likely will eventually be breached. What ultimately matters is their preparation, response, and risk mitigation.

You should be angry about Equifax executives selling stock before completing breach notifications.  You should be angry that Equifax was not prepared to respond to customer inquires about their breach in a timely manner.  You should be angry that the site Equifax put up in response to the breach was poorly branded and appeared hastily implemented. All these things could and should have been prepared for in advance.

Good incident response involves a lot more than simply performing forensics on an attack after the fact. It also involves solid communications plans, drilling for potential incidents, and procedures for plausible scenarios. To an experienced outside observer, Equifax’s incident response and breach notification plans were mediocre at best. Their DFIR team could be top notch at timelining attacker activity on servers, but that means little if they didn’t know who to call for hours.

We must remember to never base any of our metrics, good or bad, on attacker activity alone. Attackers are an unpredictable data point we cannot control. A sophisticated enough attacker can gain access to nearly any network given proper motivation and resources. You are not immune, and neither is any organization, huge or small. Every organization should plan like their most critical system will be hacked, tomorrow.

It may be Equifax’s fault that an individual attack worked due poor procedures, or that they weren’t prepared for an attack, but not simply that they were ultimately breached. It was their job to create the best defensive posture possible, and prepare for the worst case scenario.

Angry You Says: “The breach is Equifax’s fault for not patching.”

There are many scenarios in the corporate world that preclude or delay the application of software patches. Vendors go out of business or discontinue products. Responsible risk management decisions are made regarding critical application downtime vs. life and safety or preventing financial hardship.

The key phrase here is, “responsible risk management decision”. At the end of the line, there should be a clear audit trail leading back to risk managers who involved correct stakeholder teams and provided an analysis of patching versus not patching the system. The risks associated with not patching can be somewhat mitigated through other security practices, like adding defense in depth and monitoring solutions, or segregating vulnerable systems. In a healthy environment, all these things should occur. If Equifax didn’t make a responsible risk decision around not patching, and didn’t provide sensible mitigating controls, you can be angry about that.

Angry You Says: “The Equifax server admins are idiots for not patching, and I blame them!”

In most Fortune 1000 companies, if a system can be patched and isn’t, it is likely not the fault of “Joe or Sue admin”.

There are exceptions to this rule, such as malicious insiders. However in the vast majority of cases, the blame lies squarely with leadership – often C-level executives.

There are the cases where a server can’t be brought down for patching because the business refuses to accept the required downtime. In those scenarios it is the responsibility of management to have patching policies in place which account for limited and temporary exceptions given proper risk evaluation, with mitigating controls. These policies must have buy-in at executive levels so that an angry VP can’t override them merely by threatening a technician’s job.

Of course, there are also instances where organizations operate on unsupported software because leadership has decided to not expend the money or work hours necessary to upgrade them to a supported system. Once again, it falls to security and IT managers to make a case to  executives that the upgrade expenditure is a good risk management decision and financially responsible. If a sensible decision isn’t made by executives after being presented with this information, the blame lies squarely at the C-level.

Finally, there there are the cases in which a CIO or CISO fails to provide a policy or advocate for patching, and claims no knowledge of a server’s existence or of a threat. Ultimately, it’s the executives’ responsibility to hire savvy and articulate managers, who in turn hire subject matter experts who can generate comprehensive inventories and make reliable recommendations.

Do not make the mistake of comparing operational bureaucracy in a 50 person company with that of a 50,000 person company.

Angry You Says: “Equifax’s CISO was unqualified. She was a fine arts major!”

The Susan Mauldin‘s degree in music composition is totally irrelevant to whether you should be angry with Susan Mauldin.

It is possible for the Equifax CISO to have performed poorly at her job, while also being similarly credentialed to numerous, very competent information security professionals. Her degree should be treated as a non-issue.

As I’ve written in previous blogs, information security academia is new and delightfully inconsistent in quality. The vast majority of professionals with a decade or more experience in security did not attend a security-centric degree program, because those programs simply did not exist prior to around 2006. Like many fast-paced technical fields, information security degree programs that exist now are often abysmally out of date and fail to teach relevant skills. Hiring authorities still see many ‘paper tigers’ who leave 2-4 year degree programs with no substantial real life knowledge.

While I personally do recommend a computer science degree for academically-focused people interested in pursuing a security career, degrees still function mostly as a means of gaining fundamental knowledge in a structured environment, and a stepping stone for career progression and salary increases. Useful intangibles gained by attending a university often tend towards report writing, business, and interpersonal skills. There are other valid ways to gain those skill sets. Many a lauded information security executive has a degree in business, unrelated engineering, or indeed, fine arts. A large percentage don’t have degrees at all (although they still increase promotion potential).

What really counts toward being a competent information security executive? Passion, drive, and business savvy. A firm understanding of high-level fundamentals encompassing a broad range of niches. The ability to hire the right subject matter experts and technical managers to advise him or her without requiring micromanaging. Excellent risk management skills. The ability to play a tough political game to advocate for good security practices and necessary money and headcount.

I don’t know more about Ms. Mauldin than what the internet bios say. It’s possible the blame for a majority of the mistakes made by Equifax lie with her. It’s also possible her input and reports were universally dismissed by the CIO or CEO, and more of the blame can be placed on them. These things may become more clear as more technical and operational details are released. For the time being, stop looking at degrees and certifications for answers, lest you unintentionally personally insult some of the best minds in security as a side effect.

Credit Card Security Infographic


I commissioned the very talented artist Bryan Ward to make a good quality version of my previous credit card security infographic. This is meant as a tool to educate and inform people who post photos of their credit cards on the internet, and you may link to or repost it accordingly. Please give credit and do not use it commercially without permission.

Click the image above to view a larger version in a new window. I can provide a PDF version for printing if requested.

Why NotPetya Kept Me Awake (& You Should Worry Too)

NotPetya may not have been the most sophisticated malware ever written. However, it was exceptionally effective due to the authors’ savvy exploitation of common security misconceptions and their deep understanding of poor security architecture. I want to briefly express my personal thoughts on why I found NotPetya particularly concerning and a bad omen for things to come for the digital world.

Living Off The Land

A lot of the news coverage on NotPetya is focusing heavily on the use of the stolen EternalBlue (MS17-010) exploit. In my opinion, this distracts from something more sinister, because patching Windows is in many cases a relatively clear and simple fix.

NotPetya has a choice of several means to move across a LAN once it is inside a perimeter. As well as exploiting MS17-010, it can also use PsExec and WMIC to move from system to system after using a stripped down version of the Mimikatz tool to steal passwords from the system it is on. PsExec and WMI are common methods of administering Windows systems and are provided by Microsoft.

I’m honestly a little surprised we haven’t seen worms taking advantage of these mechanisms so elegantly on a large scale until now. They are very popular tools in modern hacking. A good hacker avoids the use of malware and code exploits whenever possible. He or she may use them occasionally where no other practical option exists – for instance, exploits might be needed to escalate privileges on a system, or malware for initial phishing compromise – but every use of malicious code is one more potential detection point for traditional signature-based antivirus and Intrusion Prevention Systems (which are relied on exclusively far too often). There’s no sense in using malicious code when simpler and quieter means are available.

The use of WMI to move laterally across a network is increasingly trendy, and the use of PsExec to do so is nigh archaic now. Both methods remain stunningly effective, because they are popular avenues for systems administration and often inadequately monitored. Logging of WMI lateral movement was quite tricky until Windows 8, and with large swathes of Windows 7 (and older) still in use in business it’s still frequently neglected.

The use of these propagation methods alone is not likely to fire any built-in attack signature in traditional, signature-based security tools. There’s nothing to sandbox nor an unusual unique file hash to scan for. On the surface, this activity will look like administration, and might only be detected by more detailed behavioral analysis. With the speed that NotPetya was able to spread, this isn’t particularly practical.

Abusing Mandatory Software

One of the primary initial infection vectors of NotPetya was the compromise of the update package for a piece of Ukrainian financial software, M.E.Doc. According to reports, this software is one of only two software options Ukrainian businesses have to pay their taxes. This was a clever choice for three reasons:

  1. Attacks were constrained somewhat to Ukraine (and companies that have interests there).
  2. The distribution base within the country was extremely comprehensive. Ukrainian businesses would have a high chance to have this software on a computer.
  3. The software company was relatively small and may potentially have been compromised previously, indicating it was potentially under-equipped to rapidly respond to a sophisticated attack on this scale.

This is obviously not a new thought pattern – attackers have leveraged popular, commonly deployed software for exploitation for decades. Adobe Flash and Java were two of the more abused programs in recent history because they had extremely wide installation bases. However, that was within the context of commodity malware and crimeware which typically infect victims fairly indiscriminately. NotPetya delivery combined elements of a targeted watering hole attack we’ve traditionally seen used by nation states with traditional software exploitation to devastate a specific user base. Obviously, the potential of this avenue of attack can be explored further in the context of nearly any country or demographic.

Masquerading as Ransomware?

In both the case of WannaCry and NotPetya, we saw malware that was ostensibly ransomware end up not looking as much like it after a deep dive under the hood and into attacker behavior. WannaCry had lackluster response to handling actual payments, and NotPetya looked deceptively identical to the older ransomware Petya on the surface while functioning quite fundamentally differently (and not being particularly well designed to make money). This sowed confusion for responders, and eager security companies posted early misleading reports. Masking targeted attacks as crimeware is an interesting strategic choice which could indicate a number of very troubling things. I will leave further speculation on those to my natsec and threat intelligence colleagues.

Ransomware is loud. Until Cryptolocker in 2013, the majority of crimeware tended to be purposefully quiet – stealing data and performing other nefarious tasks without its victim’s knowledge. Ransomware is intentionally disruptive. Independent of anything “cyber” it is also a tremendously effective criminal enterprise model, so it has become increasingly popular. There is plenty of clear evidence in the form of money and news stories that demonstrates how much ransomware can impact victim organizations and individuals’ lives. This means ransomware is also a great pretense for groups with other motives. They know their attack will cause misery and lost money, and news organizations cover ransomware attacks enthusiastically (often without much further digging).

Abuse of Poor Network Security Architecture

Beyond the use of native tools, NotPetya’s lateral movement mechanisms were extremely effective because they exploited common weaknesses in many big networks. Of course, unpatched (or not recently rebooted) Windows hosts were vulnerable to MS17-010 exploitation. Beyond that,  lateral movement with WMI and PsExec is very effective in environments with poor network security architecture and implementation. Flat networks without segmentation were vulnerable. Networks where their use was permitted were vulnerable. Networks where desktop users commonly had workstation admin or domain admin permissions were vulnerable, and networks where these privileges were not restricted or tightly controlled were more so. Windows 10 credential guard was a potential mitigation against the theft of passwords from system memory, but it is infrequently deployed and not backwards compatible (or indeed, even compatible with every computer running Windows 10).

All of these design and implementation problems are woefully common, repeatedly bemoaned by security professionals auditing and consulting on those networks. They are not easy or cheap problems to fix in many cases, and this is likely not going to be the case that pushes a lot of vulnerable organizations over the edge in mitigation.

Yes, I’m Concerned

If you work outside Ukraine, you probably got really lucky, yesterday. Many enterprises were tremendously vulnerable to this type of attack, had they merely been targeted by the initial attack vector one time.

Blood is in the water. Not only have criminals found that ransomware is a great money-making scheme, but nation states and terrorist organizations have realized pseudo-ransomware makes a misleading and effective weapon. A weapon that can cause collateral damage, globally.

Things are going to get worse, and the attack landscape is going to deteriorate. Malware relying more on legitimate credentials and native tools may easily render signature-based and hash-based solutions fundamentally less effective defenses. Organizations must no longer rely on black boxes with good sales pitches to band-aid fundamental architectural failures and neglected security best practices like out of date operating systems, liberal administration policies, legacy protocols, or flat networks. Defense in depth, including human threat hunting and effective detection and prevention at many points, is key. This will involve policy and financial buy-in from many lagging organizations at a new level.




Edit: 6/28 10PM – Minor technical corrections to clarify the purpose of M.E. Doc, the debate over encryption issues in NotPetya, and grammatical errors. Thanks to MalwareTech, grugq, and Jim Moore for pointing out my omissions, and duplicate words!

7/5 3PM – A video was posted of the seizure of M.E.Doc’s equipment which shows the equipment and approximate number of employees at the firm.

This blog will be updated as further information is available.

Consolidated Malware Sinkhole List

A common practice of researchers studying a piece of malware is to seize control of its malicious command and control domains, then redirect traffic to them to benign research servers for analysis and victim notification. I always highly recommend monitoring for traffic to these sinkholes – it is frequently indicative of infection.

I’ve found no comprehensive public list of these sinkholes. There have been some previous efforts to compile a list, for instance by reverse engineering Emerging Threats Signatures (mikesxrs – I hope this answers your questions, a little late!). Some sinkholes are documented on the vendors’ sites, while others are clearly labeled in whois data, but undocumented. Still others are only detectable through behavior and hearsay.

Below, I share my personal list of publicly-noted sinkholes only. Please understand that with few exceptions I have not received any of this information from the vendors or organizations mentioned. It is possible there is some misattribution, and addresses in use do change over time. This is merely intended as a helpful aid for threat hunting, and there are no guarantees whatsoever.

Before we proceed, credit where credit is due:

I am certainly not claiming credit for this entire list. There are many smart people out there who provided partial data and clues. maintains fantastically useful lists of command and control servers for numerous botnets. Within those lists, a number of sinkholes are attributed to specific organizations, some of which I could and could not independently verify.

The extremely talented Miroslav Stampar has quite a few sinkholes identified within his maltrail malicious traffic detection tool.

Many, many Robtex, DomainTools, and VirusTotal queries and a lot of Google search hacking went into compiling and cross-checking this list. Michael B. Jacobs has written a terrific paper  which covers some of the methodologies I used to detect and confirm undocumented sinkhole servers through DNS and behavioral analysis.

There are more detailed databases of sinkholes, but they tend to be access-restricted and contain data I will not repost for confidentiality reasons. My list is fully OSINT-based and can be reproduced with time and effort.

Here’s the current list:

If you have any corrections to offer either as one of these organizations or an independent researcher, please contact me and I will give credit in this blog accordingly.


College and Infosec: To Degree or not to Degree?

So, you love to hack, and you’re going to get that dream job in infosec! Except, now what? A wide array of certification firms and colleges are willing to sell you an infosec program, with shiny advertisements and clever sales pitches. Unfortunately, college is massively expensive in the US, and the learning environment isn’t great for everybody. Is it worth the money and effort to get that Bachelor’s in Cybersecurity? Will a degree in an unrelated field do the trick? Will not getting a degree come back to bite you years later?


College degrees. I’ve found few topics aside from vulnerability disclosure in information security which raise so much raw emotion and fierce debate. In the interest of giving a well rounded and diplomatic answer about their value, I’ve once again asked several exceedingly qualified people to join me in sharing their time, experience, and ideas on the subject. Through a series of ten questions, each of us has weighed in on some hefty questions about the value of college education in learning about information security, getting an information security job, being promoted, and showing credibility.

Please allow me to introduce today’s contributors, who have generously contributed their time and thoughts:

Daniel Miessler, I’ve been in information security for around 18 years, with most of my time in technical testing (thick, app, web, mobile, IoT) and consulting. I lead OWASP’s Internet of Things security project and run a website, podcast, and newsletter where I talk about infosec, technology, and humans. More at

Tarah M. Wheeler, Tarah Wheeler (BA, MS, CSM, CSD) is Principal Security Advocate & Senior Director of Engineering, Website Security at Symantec. She is the lead author of the 2016 best selling Women In Tech: Take Your Career to The Next Level With Practical Advice And Inspiring Stories. She co-founded and now serves as board chair for Fizzmint, an end-to-end employee management company. She has led projects at Microsoft Game Studios (Halo and Lips), architected systems at encrypted mobile communications firm Silent Circle, and holds two agile development certifications through the Scrum Alliance. She founded Red Queen Technologies, LLC & Infosec Unlocked. She acquired her startup funds by cleaning out poker rooms in the Northwest and Las Vegas. Reach her at @tarah.

Robert Sheehy, @helpmerob. Helping “people” with “stuff” while holding a senior management role in infosec.

Space Rogue, Looks like everyone else is putting their corporate bio here, uggh. I’m just some guy, ya know? I’ve been around for a while and I’ve done some stuff. I currently work as a Strategist for Tenable, [@spacerog]

Chris Sanders, Chris Sanders is an information security author, trainer, and researcher. He is the founder of Applied Network Defense, a practitioner focused information security training company, and the Rural Technology Fund, a nonprofit devoted to providing technical education resources to rural and high poverty schools. He is the author of the best-selling security books Applied Network Security Monitoring and Practical Packet Analysis. He also hosts the Source Code Podcast., [@chrissanders88,]

Jessica Hebenstreit (@secitup),  I’ve been doing security for almost 17 years.  I got a lucky break early in my career at Motorola as an Intern and have been doing InfoSec ever since. I’ve done a lot of different roles in a few different verticals.  I always come back to Ops and IR. Creator of the DREAMR framework, speaker and volunteer.  I am active in the security community and enthusiastic about making the industry more inclusive and accessible.

Without further ado, let’s launch into some of the most contentious questions about career paths in the industry!


  1. First of all, the elephant in the room – did you go to college or university yourself? If so, did you get your degree before or after you started formally working in security?

    Jessica: In short yes.  However my academic career was varied, and longer than a traditional “4 years”.  I started at Iowa State University in the Computer Science program.  After a couple of major changes (because I am not great at coding and suck at math), along with study abroad experiences and transferring to Arizona State, I graduated with a Bachelor’s degree in Interdisciplinary studies with a focus on International Business and Spanish.  I was fortunate to start working in security as an Intern at Motorola for 3 years prior to graduation.  I was offered a full time role that I began prior to actual graduation.  I also have a Master’s degree that I obtained in 2012.

    Space Rogue: I started school like everyone else but quickly ran out of money despite the GI Bill.. I was able to get good paying IT jobs anyway and figured I didn’t need a degree. Then one of the many recessions in my career hit, I found myself out of work with few opportunities. I could almost always get an interview based on my resume and experience but on more than one occasion after the third or fourth interview I was asked, “So I don’t see a degree on your resume, do you have one?” I would answer truthfully, “No, but I have years of experience and have done all these great things, blah blah.” and I was told “Thank you very much, we’ll call you.” After the fourth time in a row that this happened I decided I needed to get a degree. It took me several years of online and night classes but I finally graduated.

    Chris: I had an opportunity out of high school to take a computer network consulting job that would have put me in the top 1% of earners in Mayfield, KY. Of course, that was making 40K/year as Mayfield is a very rural, high poverty area. I’m fortunate that I had a few teachers who really cared about me and got it through my head that my ceiling was much higher and a degree would help me realize that. I ended up completing my bachelor’s, master’s, and am currently working on my PhD. I couldn’t afford college and didn’t receive nearly enough financial aid to pay for it all, so I worked full time (and then some) while working through all of my degrees.

    Robert: I received a two year degree in computer programming, although I have been considered a hacker since my early teen years. I’ve undertaken a significant number of independent studies since getting my degree, most of which did not result in a formal credential. I’ve taken and passed well over three dozen various IT and infosec certification exams, with close to a dozen still being active. Most of them demonstrate a minimal understanding of baseline requirements and not of advanced expertise. I feel that some people are way too proud of their credentials and certifications.

    Tarah: I went to college before formally working in infosec, though I’d been doing hardware assembly and servicing since 16 and coding since I was about 19. I got degrees in international relations and political science with quantitative elements. I have a BA and an MS, and in my experience, no one at all cares if those degrees are in cybersecurity or not. They’re an absolutely indispensable box tick when it comes to getting past HR, however.

    Lesley: I hold two Associate’s degrees (Avionics and Electronics) which were more an accidental byproduct of completing a lot of coursework than anything else. My Bachelor’s is in Network Engineering. I received it before working in infosec formally and after joining the military (thank you, G.I. Bill!). There weren’t really any security specific degree programs yet at the time.

    Daniel: I did go to college, for four years, but I left before graduating to start my professional career in infosec without a degree. I’ll be completing my bachelors soon and moving on to a Masters. At this point it’ll be just to check the box and for the fun of it.

  2. Based on your experiences hiring entry to intermediate-level infosec professionals and working in the field yourself, where do you fall on the spectrum of extremely pro-college, somewhat pro-college, neutral, somewhat anti-college, or extremely anti-college?

    Chris: Somewhat pro-college. I think everyone can benefit from being surrounded by a group of people who are devoted to learning. However, I recognize that it isn’t for everyone and finding the right faculty/college/program is non-trivial. All things being equal, if I’m choosing between two candidates I will go with the person who has a college degree.

    Tarah: Somewhat pro-college. I don’t think in any way that college is a prerequisite for being in security. I think it’s a startling leveller when it comes to diversity in technology, and one of the challenges employers are always facing is how to justify hiring someone who doesn’t “look” like a hacker or coder. I have, in my several previous positions, had to fight like a dog to get a woman or a person of color or someone queer to get hired, and sometimes the only ammunition I have is that they have a degree, and the more stereotypical (and often less-well qualified or experienced person) doesn’t. When I’ve been the CEO, I could just say “you’re hired,” but when I’ve been in a hierarchy, I have had to, in the past,  justify my decisions to a structure that doesn’t always understand the hacker mindset.

    Space Rogue: Neutral. Personally I would rather hire someone with at least some experience than just a college degree. I am always looking for someone who has done something, anything, real as opposed to just book learning. But I also realize when it comes to hiring managers I’m probably a bit of an anomaly. As infosec as an industry matures it is becoming more and more difficult for entry level people to stand out amongst the crowd. There is a lot of talk about the talent shortage in infosec but that really only applies to the mid and high level. The entry level is awash with people just finishing college with their newly minted degrees all looking for some way to stand out.

    Robert: Neutral. There needs to be experience outside of school for anything beyond entry level. Without experience, a credential can help to demonstrate that the candidate can see through a formal curriculum program to completion.

    Jessica: Somewhat pro-college, I believe some are “late bloomers” and that college right out of high school may not be for everybody.  I think more doors are opened for college degrees. I also think college gives one a variety of experiences and challenges one might not encounter otherwise.  I also realize college is expensive, at least in the US and for that reason alone can be out of reach for some folks.  I am still deeply in debt for my degrees.

    Lesley: Somewhat pro-college. I see more benefits than negatives, but it’s not for everybody and it’s extremely expensive in the US.

    Daniel: Somewhat pro-college. There are skills you can get from university that you don’t usually get other places, but it shouldn’t be considered a must for most infosec positions. This is something Google figured out when they did their big study of what variables make people successful. They expected to find that great colleges produced the best workers. Or people with the best grades, or who interviewed best. But no–they found few correlations with any of this stuff, and they were forced to accept that there’s no magic variable to any of it. Their people who went to college or didn’t, or went to a small school vs. a big famous one, didn’t show much difference in their performance. It turned out to be all about the management of the team that made the difference, but that’s a story for another day.

  3. What are some skills, motivations, and credentials that stand out to you the most on a entry level infosec résumé (before the first phone screen)?

    Space Rogue: I look for anything done outside of school that is relevant to the job. I want to see some kind of passion for the work, at the entry level it doesn’t have to be much but something. If the resume is nothing but degrees and certs and zero extracurricular things they will unlikely get an interview from me. If a person has no relevant work history at all then I want to see non-relevant work history. To me work history, any history, beats formal education every time.

    Chris: I don’t expect much out of an entry-level resume and put very little stock in them. I rely much more heavily on the interview and wind up interviewing most of the people who apply to an entry-level posting. Hiring is the most important decision I make, so it’s well worth the time spent. As far as resume content, it’s an entry-level job, so I don’t expect them to be passionate or display that on the resume yet. I want them curious, and then as their manager it’s my job to help them evolve that into passion. That said, if someone has already started learning about the field I think it’s great to list what they’ve been learning, how they’ve been learning it, and who they’ve been learning it from. I also value resumes that show involvement in service projects. People who have a servant leadership mindset and are willing to give of themselves are the type of people I want to work with.

    Tarah: Have they built a computer from parts to booting? Have they contributed to an open source project…even so much as a pull request to fix a typo? Have they built a website? Have they tried to harden their home network? Have they ever demonstrated that they’re willing to help others by posting blogs or information or answers? I don’t much care if they feel like they’re good people or if they love animals. I care what they can *do*. No one can hire solely on potential; you must demonstrate some of your ability.

    Jessica: Passion for the industry is something I definitely look for.  Personal projects that one can speak to such as those on github, or a blog.  Competing in things like CTFs or other contests, volunteering and other involvement in conferences, competitions or other projects show a passion for industry.  

    Robert: Personal initiative and interest in information security. The best professionals are passionate about what they do.

    Lesley: Speaking, presenting, competing, or working at infosec conferences. Other participation in the security community through projects or meet-ups. Some type of dedicated coursework that demonstrates good systems and networking fundamentals, or equivalent work experience in another IT field. Some college is a plus, but the degree doesn’t have to be technical. Overall, I look for motivation to learn and succeed.

    Daniel: Having a website or other home for projects you’ve created or helped with. Projects show passion, and passion is a powerful force for improvement. If you’re actively working on projects in your field there are few things that are more compelling to a hiring manager than seeing actual fruit of that curiosity and skill.

  4. Can you think of a situation in which you might recommend that an entry-level person who is interested in security not get a degree?

    Space Rogue: I don’t think I could recommend anyone not get a degree ever, not in today’s job market. In the 90’s and early 2000’s almost nobody had an infosec degree because infosec degrees did not exist. Everyone was self taught so if you didn’t have an infosec degree you were no different than anyone else. Infosec or more accurately ’cyber’ degree programs exist at just about every college and university today. If you decide to not get a degree you will be at a pretty big disadvantage compared to everyone else competing for the same entry level job. That said, if your resume makes it to my inbox I won’t really care if you have a degree or not if your resume shows that you have the experience and or skills for the job. But then I’m probably not the hiring manager for the job you are applying for.

    Chris: I had to work 60+ hours a week to pay for college and even then I still have fond memories of standing in Wal-Mart calculating what foods had the best dollar/calorie ratio so I could spend as little on food as possible. You have to REALLY want it sometimes (or just be deathly afraid of failure). If you have hardship to deal with, whether financial or family, you have to figure out how much pain it will cause you and whether the upside reward is worth it. For some people, it simply isn’t.

    Tarah: No. Sure, save money and do some at a community college, do the GI Bill, do a state school and be a big fish in a little pond…but I simply cannot in good conscience knowing what today’s job market looks like and how overheated cybersecurity hiring is going to be for the next ten years recommend that someone not get a degree. Note here that I don’t give a damn what your degree is in. Neither will anyone else past possibly a couple of people in your first entry level jobs. Just get one. And get an MS if you can. It’ll pop your earnings drastically long term and is  a HUGE leveller for diversity in tech.

    Jessica : No, I’ve spent quite a bit of time thinking about this question recently and I really cannot come up with a scenario where I would recommend not getting a degree. Even if you have to go part time while you work and it takes years and years, I strongly believe you will be better off in the end with the degree.  I think there are definitely outliers that find vast success on skill and reputation alone, but those folks are few and far between (you know “outliers”).  I’m seeing more and more organizations that are putting in hard and fast degree requirements, particularly in healthcare and high education, without which you will quickly reach a ceiling.  I’ve seen this ceiling as low as not going past a Senior Analyst/Engineer without a degree.

    Robert: College degrees are only one way to show that you’re well rounded and take your professional development seriously. An individual’s personal situation and experience must be considered in respect to what is the best focus of their professional development efforts. Particularly if student loans are involved, the long term debt accumulation might not be worth it. Focusing instead on a certification could serve as a first helpful step towards gaining that first position in infosec.  If working as a contractor it might be wise then to defer schooling even further in your carrier until obtaining a permanent position that offers tuition assistance. With professional momentum and outside self study, you might get to the point in your career where your professional experience are accepted as substitute for the formal accreditation. World travel, for example, can be used to demonstrate educational sophistication in lieu of a degree.

    Lesley: If they’re only interested in the money or prestige as opposed to the work, or they haven’t done anything to learn about the field before launching into a degree. Also, if they already have a strong network of infosec contacts and going to school would interfere with taking a great opportunity immediately. Lastly, if it’s a significant long-term financial burden, college may simply be unfeasible.

    Daniel: If they already have some significant level of skill that makes them competitive and they’re being offered a job in the field similar to what they’d get when they graduated. Even then, if it would be relatively painless, I’d say get the degree just to have the checkbox, but if it’s overly difficult and you already have the skills required to get a job, go for it. It all depends what you’re looking for. If you just want to get into the field, you can do that. But if you want to make it to the top at a big company, you’ll probably need a bachelor’s and/or masters.

  5. If an entry or intermediate-level infosec person chooses not to get a degree, what are steps do you suggest he or she take to mitigate this when applying for jobs or promotions (which may state college as a requirement or preference)?

    Space Rogue: My first bit of advice is to realise that without a degree there are some jobs where your resume just won’t make it past the first level of HR. However if it is a job that I am hiring for and your resume can actually make it to my inbox then I will want to see some sort of experience. Something that says you are really interested in this line of work, volunteering at an infosec conference, a github project, contributions to an OSS project, participating in the local citysec meetup, something, anything.

    Chris: While this may be an unpleasant fact of life, not having a degree may affect your ceiling because some organizations value it. However, for the job seeker there is a benefit that infosec is in a skilled worker shortage. If you can develop skills in areas where need exists, you can find a job. However, you need to be able to show those skills in some way. For some people that might be a certification, for others it might be a github repo showing a project, and for others it might be a blog. Once you establish one or more of those things, focus on connecting with real people instead of relying on HR gatekeepers and automated systems. Do your research, find people working in or hiring for roles you want, and reach out to them. Even if it doesn’t lead to an immediate job, you might find a mentor or build a long-lasting relationship.

    Lesley: Network, network, network. You’re going to get blocked at a number of HR filters, which are automated and unforgiving. So, your hopes lie with name recognition with hiring managers who can tweak postings for you or somehow bypass the computer. This means proving your competence through projects, community participation, and being articulate. Currently we’re in a skill shortage, which plays in your favor in this scenario. This gap is decreasing, starting with entry level as more people graduate from cybersecurity training and degree programs. Certain geographic markets will take longer to catch up than others, so looking outside your local area may help.

    Robert: It is not a degree by itself that makes someone qualified for a senior position, rather they serves as a proxy to be used by the hiring managers to measure capability. This requirement can be substituted, but constructing the best argument to support your personal experience as a worthy substitution is completely on the individual. Non-traditional education can stand for formal degrees, but it may require a substantial effort to make the case for your specific goals, and are likely to require repeating every few years.  Always address any concerns about an educational deficiency in your resume head on when pursuing a new roll. It can go a long way to submit a well written statement in response to any concerns that you’re willing to obtain whatever credential is expected while working in the position, along with spelling out in detail how your specific personal accomplishments and experience directly address the traits your target is hoping are demonstrated by having the degree requirement.

    Tarah: Get good and get well-known for it. Get a CISSP, which is the bareass minimum you’d need to get past HR without a degree at some infosec jobs. Network your ass off because without a degree, you’ll suffer for recruiters contacting you. Figure out how to get some publicity. You must, must, must begin speaking and teaching widely.

    Jessica: First of all take a long hard look at where you want your career to go long term.    I think these decisions are made with a short to medium term outlook.  Come to peace with the fact that you are likely closing doors and limiting your upward mobility.  That said, get certs CISSP is a must to get past HR, I also recommend several SANS certs, maybe the OSCP, depending on which area in security you want to be.  Lastly, get your name out there, network, get on twitter volunteer and/or speak at every conference you can.

    Daniel: If they’re just starting out and don’t have a degree they’re going to need to show proof of existing skill. That usually means blogging and projects showing your abilities. Show vs. tell is a powerful concept in today’s market.

  6. Conversely, can you think of a situation where you might suggest to an infosec candidate that he or she should get a degree? If so, which skills would this most enhance?

    Daniel: I’d say get a degree if it’s at all easy for you to do so. If it’s paid for. If it’s an easy program. If your friends are there anyway. Etc. If it’s not going to put you out too much, or if you don’t have any skills at all and you need to learn fundamentals in a structured way. The other advantage is just rounding out your writing, general education, etc., which are important for advancing to later career stages.

    Space Rogue: Getting a degree is not going to hurt you. You will never be disqualified from a job because you have a degree. It is possible to get a degree without spending fortune and going into debt. You can either get a degree to actually learn something or you can just get the piece of paper. Either way a degree can only help you. If you are going to spend the time and money to get the degree you should try to actually learn something. I would focus on any hands on classes where you can actually work with production systems, even if they are simulated. Learn to code. Any class that allows, no, encourages you to break things.  

    Lesley: When you can’t fill more than half a page, single spaced on your resume with IT-relevant skills or experience, it’s definitely worth considering. Also, some companies and government agencies value degrees very highly as a corporate culture, and degrees may be tied fundamentally into future promotions or pay raises. If you’re looking to join one of those organizations, or you want to stay in one, it may be time to start planning ahead. Finally, if you have G.I. Bill or your employer pays a significant portion of tuition fees, it’s prudent to not waste free money.

    Chris: If you are capable of getting a degree, you should do it. There are immense benefits to being surrounded by people whose goal is to both teach and learn. Not only might you actually learn something, you’ll also learn how to think differently and be exposed to viewpoints differing from your own. In real life you have the option of filtering out people who you don’t agree with. In academia, that is a lot harder and it forces you to think about things you’re not used to thinking about. This also makes you better at debating, presenting information, and incorporating new information into your existing viewpoints.

    Robert: College can be fun, you can learn a lot, and start networking with other future professionals early. What degree you get likely does not matter for a career in infosec, but I would recommend sizing any opportunity to get a degree if it does not come with a significant debt burden.

    Tarah: Getting a degree cannot possibly hurt you. The Pareto-optimal solution is to get a bachelors in any field as cheaply and as rapidly as you can. Unless you are graduating top of your class in CS at Stanford or MIT, no one cares.

    Jessica: Getting a degree, any degree is not going to hold you back. If you have a desire to someday move into leadership a degree is going to help to facilitate that.  I know a lot of folks in security that do not have technical degrees; archaeology, accounting, psychology, business, women’s studies to name a few. I also know several folks that didn’t get a degree and are now finding roadblocks to advancement because of it and are now going back in their late 30’s and 40’s to get the degree while also now balancing a job,  spouse, kids, etc. which makes it that much more difficult.

  7. Assuming an entry or intermediate level infosec person has decided to get a degree, do you find more value in non-technical degrees or technical degrees? Is there any value in a minor in a different field? Does it matter at all from your perspective or management’s?

    Daniel: I think technical degrees are preferred. CS is preferred but CIS (what I did mine in) are also solid. The more you get away from those the less value it’ll have for infosec jobs. But keep in mind that many companies are just looking for the bachelors checkbox. This matters most if you’re looking to a formal hiring process at a very large or prestigious company, where CS and CE are preferred.

    Space Rogue: If you just want to pass the first entry gate of HR then get a degree in basket weaving or creative writing or philosophy. The automatic system scanning your resume won’t care and will sort your resume into the ‘with degree’ pile. Assuming you focus on a ‘cyber’ degree your minor will depend on what your long term goals are. If you want that CSO/CIO job in 20 years then look at a business or even accounting minor but I wouldn’t discount an art history or western civ minor either. You might be surprised at what lessons from other fields can be applied to infosec.

    Lesley: What you gain from a degree is much more fundamental than technical minutiae, which becomes obsolete quickly. Lots of skills one learns in college are ubiquitous across majors. Business, language, and communication courses provide important insight in our field. From a technical degree, you should concentrate on gaining a solid understanding of how things work at a fundamental level: programming, the telecommunications infrastructure, attack vectors, and common system architectures. Learning how to use a specific tool is rarely helpful after a couple years, and I see few course curricula that aren’t already several years out of date. You should be learning how to think logically, continue learning, and express your thoughts professionally.

    Chris: The unfortunate fact of our industry is that most university degrees don’t actually teach the skills necessary to do the job well. There are a few pockets of excellence and great instructors scattered here and there, but they are rare. Traditional computer science is great at building engineers and programmers, but not information security practitioners. Dedicated programs for information security are often dramatically out of date and focus on the wrong things. For that primary reason, I urge people to get degrees in other things while studying infosec through non-traditional means. This also has an added benefit of bringing “outside” perspective into information security, which is much needed and helps set you apart. I perk up when I meet someone who has a degree in physics, psychology, engineering, english, or something completely unrelated to tech. I can’t wait for the day where I feel good recommending people pursue information security degrees, but that day isn’t today. You can come from anywhere and be an effective infosec practitioner, but the ability to think in a way that is unique from your peers will help you move up quicker in many cases.

    Tarah: There’s a hack here. The hack is to get your degree in whatever you can get paid for or most cheaply–and to take research methodology or EECS or applied math courses alongside. This is what I did. I have a decade and a half of technical coursework that bumped my skills to next level in math, data structures, computer science, electrical engineering, social network and complexity theory, etc. You can pick and choose what you emphasize as you speak to employers. I personally find that people with philosophy degrees make magnificent programmers, and people with math degrees make magnificent philosophers.

    Jessica:  Get any degree.  I think there is something to be said for applying ideas and learnings from one field to security.  I started out in a technical program (computer science), but had a hard time with programming classes (I took intro to C++ 3 times) and math classes (Calculus I 3 times as well!) and it wasn’t feasible for me to continue this path.  I went into my manager at Motorola where I was interning and she said something along the lines of:
    “Jessica – you have a job here but you have to graduate at some point.  I can’t hire you without your degree and you can’t continue as an intern without being in school. You work for a multinational corporation get ANY degree that could be applicable.”

    I then scoured the course catalog and settled on International Business and Spanish.  There is a lot to be said about being well rounded and not having all of your knowledge in one basket.  I’ve also never had an interviewer ask “why International Business and Spanish; not CS/CIS/MIS/etc.?”

    Robert: Since any degree is unlikely to actually provide you the core skills you need to be successful in infosec, the degree pursued is insignificant. I’d recommend taking a topic you find interesting that you will see through to completion.

  8. Considering candidates you’ve interviewed and current cybersecurity curricula at a variety of institutions, would you recommend cybersecurity-specific degrees at all? What would you consider some indicators of a good and/or a bad infosec degree program?

    Daniel: I generally judge programs by big vs. unidentifiable names. If it’s a big name school, or a big CS school, that’s a plus. If it’s a no-name school then it’s just a CS checkbox, which is still positive. Most of the benefit of someone from a big name school is the fact that they got accepted in the first place.

    Space Rogue: To be honest I am not super familiar with the various programs that are out there. I know some are a lot more hands on than others but if I am looking at a resume I am unlikely to research your school to see how good of a program they have because frankly I don’t care. However, if you are looking to actually learn something then look for a program that has additional certifications. Something like the NSA’s National Centers of Academic Excellence in Cyber Defense or other certification.

    Lesley: I see too much focus in most “cyber” programs on specific tools and minutiae, as opposed to critical IT fundamentals which are so important to being a good hacker or defender. Also, I see an unfortunate tendency to gravitate towards the cool, theoretical, and “sexy” as opposed to less exciting but more relevant skills. For instance, my ongoing gag gripe is about every Forensics major I meet doing their thesis on steganography, which is relatively rarely seen in real practice. The same people often aren’t comfortable with memory forensics or timelining. There’s a lot of pragmatism in real life infosec. Overall, ensure that the program has plenty of general IT courses that build a good understanding of how systems work, and references real life cases.

    Chris: Our industry is really good at building excitement around topics like breaking and hacking. Unfortunately, those aren’t the skills you learn first and they aren’t the areas where the most jobs exist. Most cyber security programs gravitate towards those areas and skip over the fundamentals. The ones that do see a need for the fundamentals often think those fundamentals are computer science. While computer science is foundational, you don’t need to be an expert in mathematics or embedded systems to be successful in the vast majority of infosec jobs. For these reasons, I have a hard time recommending cyber security degree programs. I’m hopeful this will change at some point when more experienced practitioners find their way to academia, which is happening. Universities needs more instructors who have been in the trenches, but also understand academics and what foundational knowledge is critical for our field.

    Tarah: Only the power of your alma mater’s network matters here. Unless you’re going to UW, CMU, Stanford, MIT, Berkeley, or a similar program known for tech, your best  move is to learn what you love and add tech as tools for you to use. That will be reflected later in your work and career.

    Jessica: I feel like a lot of the “cyber” programs are reminiscent of the MCSE bootcamps from the early 2000’s and other certification mills.  If that is the program you want, then find a quality one.  Otherwise go for another degree.  Cyber programs also need more folks that have been actual practitioners to teach actual skills that will be used.  Having a good foundation, rooted in theory is fine and in some cases needed; however  I see too many candidates now that can memorize the buzzwords and talk very shallowly about a concept but cannot apply it in a meaningful way.  Additionally, critical thinking and analysis skills are sorely lacking.  Those are hard to teach but it’s really hard to be a good Security practitioner (particularly in a role like SOC or DFIR or Red Team) without those skills.

  9. At this time, (or in the near future), do you foresee any potential benefits in the infosec field in going on to get a graduate degree?

    Daniel: Yes, if you’re interested in working in any sort of formal field. Like government, or a big company in a specific department, like data science. Other than that, the bachelors is usually quite sufficient. The other thing a Masters is good for is that it’s somewhat important for senior roles in big companies, or top roles (CISO) at any company, if you think you might want that later on.

    Space Rogue: If you really want to differentiate yourself in the job market then yes, get a graduate degree. But this really depends on your own personal long term goals. If you really want to be a scapegoa^H^H^H CIO/CSO than a graduate degree will be a big help in achieving that.

    Lesley: I can see two situations where this would be desirable. The first is when it is likely to be required for a desired promotion in the future (I do see Master’s Degrees, especially MBAs, preferred for senior leadership positions). The second is when one’s intention is to stay in academia or dedicated advanced research. I rarely see graduate degrees greatly preferred over a Bachelor’s degree in entry-to-intermediate level infosec hiring.

    Chris: If you are thinking about a masters degree then you should have a sense of how much you enjoy your current work and where you want to go with it. For example, if you want to get into business leadership then something like an MBA might be helpful. The thing here is that you shouldn’t just pursue another degree because you feel it’s a requirement to get someone you want to go. Chances are, with persistence you might be able to get there anyway. You should pursue another degree because it will introduce you to new ways of thinking and teach you things that will be more fulfilling to you on a personal or professional level. I pursued a master’s degree in homeland security because I was interested in national defense and public policy. That provided valuable perspective that I apply in multiple areas of my life. The more successful people I’ve seen often pursue master’s degrees in things a bit outside their normal comfort zone. The key is that it should be about learning, not about checking a box.

    Tarah: Hell, yes. It’s definitely put me at the top of lists. And my MS is in political science, don’t forget. It’s just a box to check. Get a law degree or an MA in English–it just doesn’t functionally matter.

    Jessica: some industries are now requiring this in order to be in a management/leadership position.  I would not have gotten my job at Mayo Clinic without my master’s degree, they require it for Director level positions.  I think there is going to continue to be more rigor there. I know my Master’s has opened other doors for me as well.  I do wish I would have gotten a JD or MBA instead of my MSIT.

  10. Anything further you’d like to add on the topic?

    Space Rogue: In the ongoing twitter debate there have been a lot of comments about the cost of college. While a traditional name brand four year school will cost a pretty penny there are ways to get an accredited degree without going into huge debt and spending a fortune. Without going into super detail here are some thing for you to google on your own.  Look at your state school, often much less expensive than a private institution. Don’t forget you can start out at a local community college and transfer the credits later. Also depending on what program you are looking at many schools will offer credit for life experience, if you know who to ask. One of the best ways to get credits for little money is the College Level Examination Program, again depending on your school you can get up to two years worth of credits for $80 per class. Anyway if all you’re looking for is to check a box and get a degree cost is not a valid excuse.

    Tarah: Either the hiring manager wants to bring you aboard or they don’t. If they do, they might need extra ammunition for their choice of you over someone else. Make it easy on them by sticking every letter you can behind your name (on LinkedIn, not in your Twitter bio). I want to emphasize one last time: degrees and certifications are the big leveler in diversity. I have a growing body of anecdata that is burnishing my now gold-plated theory that women, POC, and queer people benefit disproportionately from getting degrees and certs. That typically manifests itself as a drastic uptick in recruiter approaches at each career level when you update your LinkedIn in a way that doesn’t seem to happen for people who stereotypically look like the media’s conception of hackers. If the hiring manager doesn’t want to hire you (based mostly on the first fifteen seconds of your impression on them) no degree will help you. But chocolate and career coaching might.  🙂

    Jessica:  College is expensive in the US, and the cost is only going to continue to increase.  It will open more doors than would otherwise be opened.  Think of it as future proofing.  I’ve always known I want to be in leadership, but I have colleagues that came to that conclusion later in their careers and are now going school to check the boxes.  Set yourself up for success and an easier path now.  I think as our profession matures it is only going to become a more steadfast requirement, like many professions there are some minimum requirements and I see ours continuing in that direction.  We’ve moved past the infancy of the infosec profession; along with that comes a threshold, which often times and more in the future, means a degree.

    Chris: Most knowledge-based professions have a really well prescribed paths for getting into the field and finding success. If you want to get into medicine, accounting, or law you know exactly what you need to do. Our field couldn’t be farther from that — there is no single path. The beauty of that is you don’t have to go to college. However, like those other professions, you do have to learn how to think. Being aware of how you think and effectively applying that (aka metacognition) is the most critical part of gaining expertise and ensuring you are capable of learning effectively. The beauty of college is that it is the perfect environment for your metacognitive ability to flourish…if you let it. If you view college as an opportunity to do this and seize it you will benefit tremendously. If you view it as merely a checkbox to get a piece of paper, you’ll be disappointed in how far that paper gets you.

    Daniel: Credentials have the value that others place on them. Understand that and you’ll understand a lot about degrees. Make a clear distinction between the education and the credential, and realize that while you can self-educate you can’t self-credential. Understand that you’ll find a full spectrum of respect for degrees in various populations, countries, verticals, sectors, etc. Some will not even notice if you have a degree or not, and others won’t take you seriously unless you do. That being the case, it’s always better to have it than not, so the question is really about what you’re sacrificing to get it, and whether or not that’s worth it.

What’s in my (Hacking Con) bag?

A number of people have asked about what I carry at a typical hacking con. In the blog below, I provide a brief overview. This article isn’t meant to be an endorsement and was in no way sponsored. Use what works for you, but I have included links for things when I can remember where I got them.

First, let me show you my bag, itself:


My bag is a Grunt Style tactical messenger bag. I like it because of the small form factor, it has lots of interior and external pockets, and has a variety of attachment points – carabiners, molle, ties, and velcro. It also happens to be configured for CCW, if that’s your cup of tea.

I’ve used various styles of backpacks, but I found myself with a tired back by the end of the day and I prefer the security of a cross body I can keep an eye on. This one fits my 13″ MBP in a clamshell. I believe that’ s the biggest notebook one could fit in it (but I highly advise against carrying a 15 pound desktop replacement to a con, if you must carry a laptop at all).

There are lots of vendors that carry similar bags, and each manufacturer has dogmatic followers who will regale you with the merits of their choice. Try them out and see what works for your computer and body.

Now to the important part – the contents of my bag:

The “Must Haves”

Item Purpose
Printed Ticket Because your phone will die or not scan at a really inopportune time.
Phone & Fob-Sized Faraday Bag An alternative option is carrying a burner phone, but for the most part I see people with their personal or work phones at cons. Sometimes you’re in a situation where you want to stop transmitting everything, that minute. Usually it’s because an antenna is pointed at you and somebody is grinning. It’s a cheap and important thing to have.
Wallet with ID, and Adequate Cash
The RFID wallet fad is pretty irrelevant. Just avoid bringing credit cards if possible, and don’t bring a debit card within several miles of the con. Cash whenever possible, and don’t use an ATM once you’re there!
Phone and Charger Self-explanatory.
Earplugs Because con parties, shared lodging, and airplanes can be too loud for the most die-hard rocker.
Wet Wipes or Hand Sanitizer Con plague is real.
Insulated Water Bottle It’s really important to stay hydrated at *any* big event. Alcohol, coffee, and energy drinks don’t count – bring a refillable bottle to drink lots of water, and have some juice with vitamin C daily. There are two types of bottles I like for cons – insulated bottles that keep water cool or coffee warm, and filtered bottles when the water there is less palatable.
Pens, Pencils, Sharpie Self-explanatory.
SyncStop A must-have if you would even consider charging a device off any USB port that does not belong to you.
Power Bank Outlets are in high demand.
Mini First Aid Kit & Prescriptions I have rarely gotten through a con without myself or a friend needing an OTC painkiller or a band-aid. I would recommend having those, at a minimum.
Mini Toiletry Bag On your person, for long days – not the one in your hotel room. I “militantly encourage” deodorant, and recommend a disposable toothbrush, as well as contact lens stuff and hair ties (as applicable).

The “Nice To Haves”

Item Purpose
Business Card Case Not only will you want to give out cards, but you will likely be handed cards you do not want to lose.
Bag of Holding‘ (with cables, adapters, dongles, USB drives, assorted antennae) Lots of vendors make cable organizers for travel that have spots for cables and USB devices. In mine, I carry video adapters for my laptop, presentation remote, charging cables, wifi and bluetooth antennas, hacktools, and USB drives. It really beats them tangled about in the bottom of the bag.
Properly-Imaged Laptop If you decide to bring a laptop, do not bring one with personal or work data on it. Swap the drive, or reimage. It is very possible you do not need a laptop.
Multi-Tool Don’t leave home without one. (Except through airport security.)
Pelican 1010 With Essential Lockpicks I have bigger Pelican cases with my practice locks and full set of physical intrusion tools that I can pack in my suitcase. On my person, I carry a few favorites to use in Lockpick Village, lobby con, or at vendor challenges. Mine are pretty assorted (see the image above), but Toool sells a good beginner set. Check out Deviant’s blog and Red Team Tools regarding other useful locksport tools (which he can properly name much better than I).
Warcollar DopeScope  For CTFs, challenges, and just finding weird stuff wireless stuff around the con to impress drunk people.
Hak5 Rubber Ducky  Too small not to, and can come in handy in  assorted challenge land. (No, I don’t have a Bash Bunny, yet.)
Small Screwdriver  I almost put this in the “must have” list. You should never travel with electronics without an appropriate screwdriver. Most multitools don’t have a tiny one, either.
Snacks Always a good idea to throw a few granola or protein bars in your bag. Schedules can get packed, and lines at local eateries and coffee shops can get very long.
Sweatshirt Conference rooms get miserably cold.
RTFM The pen testing book you are most likely to loudly scoff at now and sing praises of when Google isn’t available and man isn’t relevant.

I hope you found this list and explanation helpful.