Moving Sucks

 And by the very nature of the business, moving companies suck.  The industry is in need of a re-invention.

We recently moved several states away from Virginia, where we've lived for a good 33 years.  Even in Virginia, we've moved several times, but many of those moves were handled either for us (thanks, military) or we just performed the move ourselves.  Each time, we packed items, hired movers for the heavy items like furniture and big boxes, and handled the rest by ourselves.

To quote a phrase, I'm getting too old for that shit.  So I hired a full-service mover for my out-of-state move.  When I did, I made a point to indicate that I wanted a direct move, because of known labor shortage in trucking, and concerns I had with my items being unpacked and repacked a number of times. 

I'm not going to name names on the mover I chose.  The whole experience with the numerous moving companies that we spoke with led me to believe that the whole industry is rife with problematic experiences for the consumer, and that my specific experience was only a sampling of the things that can go wrong.

Sales process:

• Sales professionals at every company had a lot to say about their competition and their competitors' processes.  They all wanted to warn me what to watch out for - and each company of course recommended that I go with a solution that they were aiming for.  I was assured by many of them that the moving company was a family business, and that the sales pro I was talking to was either the owner, or directly in touch with them.
• Summary: Sales people come across as sleazy. If one or two of them are indeed trustworthy, their actual advice and helpfulness gets washed out by how it comes across in the overall experience.
• Recommendation: Don't talk about your competition at ALL.  Not your problem, not your business. Professionalism dictates that you're there to sell yourself and what you're going to do for me.  Distinguishing characteristics should be to merely state the things you do that others don't WITHOUT mentioning that they don't. E.g. We will only charge you for up to 10% over our estimate weight.  We will guarantee a ceiling price.
• Variance in estimate methodology: I got quotes everywhere from 'single-price' to complex algebraic formulations over multiple pages. Estimate numbers ran from needing a 26' truck to needing a 53'. Weight estimates came in between 8.8k and 13.3k pounds - over 40% in variance.  [Actuals came out to 11.5k - so +/-3k].  Packing estimates were also highly variable for box counts - and all of them were WAAAY low!!! My wife and I packed 50 boxes before they arrived for packing and they still packed more boxes than they quoted.  They were short by more than 30%. Had I not pre-packed, my budget would have been shot.
• Summary:  The estimators are guessing. They're not very good at it. Those that guess high are going to lose business. Those that guess low are going to have unhappy customers at the delivery end.  It's a no-win.  
• Recommendation: Customers need to look at the cost per pound to compare quotes and not pay so much attention to the weights given, except to give them a high-low for where their actual weight is going to come in.  They should expect the high side of what they're given.  
• Similarity in estimates regarding breakdowns of costs.  From about 4 of 5 quotes I got complex listings of what the estimate included, and line-by-line breakdowns of costs by weight for the move....none of which mattered to me.  I only cared about the bottom line.  Is it $1/pound?  Is it $1.25 a pound, etc.   Even if there's 8 independent non-weight-specific fees - I don't need them listed out.
• Summary: Give me a Algebra I-level quote: f(x) = $Y(x) + $Z instead of 6 pages.
• Communication:  Overall
• Packing: Packers packed empty smaller boxes that they found in several rooms.  They did NOT carefully pack things that should have been obvious that they would break (ceramic swans with long necks). They failed to use bubble-wrap when it would have been effective. Over-reliance on 'wrapping paper' to provide effective buffering was wasteful in many areas, and contributed to weight when it didn't need to. It's cheap and usually efficient - but it's not the best solution for the customer in some situations.  Packing services were 'ok' - but could have been much better.
• Move Pick-Up:
• Transport: "The truck broke down".  My guess is the truck didn't break down - and they got caught for overweight. I hired for a direct move, but the 10,000 pound limit for smaller trucks almost certainly did them in. I received stuff in two shipments, which further tells me something went fishy.
  
• Delivery:

Retirement? Again?

 Retirement - what does that even mean?  I'm in my 50s, and that means my parents are over 70 years old.  My mother still works part-time jobs.  Not because she needs the money, but because, in her words, "after 6 months at home watching TV, I got up and opened the refrigerator, thought 'what am I even doing?' and decided to go back to work". She's been 'retired' for 20 years and still tells me about her 3 or 4 different jobs.

I worked for the same company from mid 1992 to early 2016. That was 23 and a half years with a company that changed hands twice while I worked there. I am now taking an early retirement from my Federal position, which I started in 2016. I have been in the position for 7 years, and along with my military service, this provides me a small pension.  There's a number of different reasons for me to leave this position - and one of them is that I've driven myself quite hard in those years.  I have so much vacation that my cash-out will end up providing me 6 weeks of salary. Honestly, I just don't know how to 'not work'.  I've already lined up teaching jobs to supplement my pension and avoid collapsing my 401k before Social Security kicks in [if it kicks in! - allow me some small hyperbole]. 

After 40 years in tech - I want to relax. I want to be able to let go and do a job without stressing about everything that can (and usually does) go wrong. I want to make a difference, and at the same time, also sit on the couch and finish my The Muppet Show DVD collection. I want to play golf, work out at the gym, have long lunches and dinners with my wife, but also learn linear algebra all over and write the next great video game. I want a boat, a beautiful piano, piano lessons and about 20 different hobbies. I can't have all of those things unless I continue to push myself.  

We all want work-life balance - but none of us know where that balance lies.  I could wile away a week without 'working' or I could spend a week solving some insane esoteric problem at the office - and enjoy either one. Now that I've retired again - I can do anything. But apart from a month's vacation I spent doing nothing...I'm not sure what it'll be.  Here's to retirement - and to never retiring.

Tales from going Keto

About a year and a half ago, I went in for my annual physical, and I had a list of complaints ready for the doctor.  As I got up from the waiting room and went in to see the nurse, we stopped at the scale.  I stepped upon it and it weighed 225.  I was upset.  My bathroom scale only said something like 218, that's 7 pounds too heavy.  No way am I 225!! I'm wearing my winter coat - I should have taken it off...excuse, blame, denial...

I met with the doctor and told him several things that were bothering me, including the fact that I was fat.  By BMI standards, close to obese.  After taking my blood-work, the doctor also told me that I was getting close to diabetic.  He prescribed me a low-carb diet.  Not no-carb diet, but a low-carb diet.

But the problem, friends, is not the 7 pounds.  The problem is that it read more than 188 at all.  Why should I have been satisfied that I was ONLY 218 when the top range of my normal weight is 188?

Last week I got on a scale and it said 187.2 (after a hefty work-out, so that was a low).  How did I lose 31-38 pounds in a year?

I folowed a keto diet regimen - less than 20g carbs (except for fiber) per day.  Enough protein to keep my muscles from atrophy and fat to tide me over when I got hungry.  It worked, and I lost a lot of weight.  You'll be able to google this regimen, and find tons of information.
-----
And I'm finally finishing this post a year and a half after.  I'm back up to 205, and I need to get back on the bandwagon.  I've been cheating - chocolate and candies at work when I'm stressed.  A donut here, a brownie there...thinking I could control myself.  But I don't, I end up over-eating and stress-eating. 

What led to my success was tracking my calories in an app and being accountable.  When I stopped being accountable (when I reached normal weight), I started to put the pounds back on.  So, as of today, I'll be tracking my food again.

I'll update this post again next year, I hope with better news.

Is this Page Dead?

No, only resting. Blogging requires time, time that it turns out that I don't have because I've been keeping myself very busy. Unfortunately, it's been replaced with 'rapid updates' on my Facebook page or Twitter account, and I haven't taken the time to sit down and write out any considered opinions. It's ironic, because this loss of intellectual depth is exactly the type of thing that I may have railed against in the past.

To the Cloud

I've finally let my web host account that I've had for years lapse. It's been replaced with cloud services from Google. They've already consumed Blogger long ago, but the images on my site were still hosted by a web server provider, LunarPages, up until February. I failed to renew my account, and that broke all of the links. Instead of just paying for the account, I decided to use this opportunity to learn more about cloud services. This weekend, I created a bucket and claimed/verified my domain name on Google Cloud, and moved over those images still being linked to by img tags on my blog. The next step may be to do some deep-link analysis. There are definitely dead links throughout the site as I'd linked to services that have long gone defunct. I may try to come up with some automated way of going through and fixing those as a project.

Next Steps

I've reached a sort of capstone with my career.

I currently manage about 20 people on a contract with a division of the Department of Justice.  While not necessarily the perfect man for the job, I do fairly well and I still get to involve myself in technical decisions on a day to day basis.  I get to preach from my pulpit about the way that things 'should be done' and complain about the lack of resources we have to do things properly.  In all, I like my job. I've also applied for the job of Chief Information Security Officer [CISO] at the same agency, and have completed the interviews, awaiting a decision and negotiation to see whether or not they wish to have me join the federal work force, and whether I can accept the job for their offer.  Let's assume, for the moment, that they give me the job.

What next?  What comes of my career, my hopes and dreams and everything else when I've met my life's goals?  To become an executive IT officer, to have a stable job, to be able to afford a reasonable middle-class lifestyle without amassing debt, to have opportunities to continue to learn about interesting things, to have a grown child of whom I'm proud.  It seems that I have accomplished all of these things and the question is going to require some thought about the nature of life, lifestyles and goal-driven life.

Willy Wonka: But Charlie, don't forget what happened to the man who suddenly got everything he always wanted.

Charlie Bucket: What happened?

Willy Wonka: He lived happily ever after.

Um, great...but I'm not done...and I know I'm not going to live 'ever after'.  I still have at least another 30 years to go on this Earth, 40 or more if I start taking care of myself a little bit better.  Now that I'm approaching the pinnacles of Maslow's pyramid, I find myself wondering what my contribution will be to the world.

Well --- I have a few ideas.....

1. Information Security - The world needs an easier way.  The more that Infosec has solidified itself as a discipline, the more I've noticed a struggle in the educational realm for thought above and beyond the mechanics of the field.  There is need for thinking above and beyond the vulnerability of the day and the wow factor of discovering yet another amplification attack buried in the hidden recesses of a long-forgotten protocol.  I have been thinking that what is needed is a visual model for applying information security to systems.  It has to be simple enough for systems analysts to actually use and understand, but flexible enough to delve deep into the multiple layers and facets of system design.  We need something formal, but something that can be taught in one semester.  

2. Self-sufficiency - The world has undergone a creeping change since the Industrial Revolution.  The change is pointing us away from mechanical life support and back to finding self-sufficient means, such as unplugging from 'the grid', growing our own food, taking care of ourselves instead of allowing the machined existence dictate our flavorless lives.  I'm just getting started in this field, but I have always been fascinated by how you can plant a seed and from it grows fruit and vegetables within a matter of a month or two.  Aquaponics is definitely something that I want to explore and may be able to eventually contribute to, and has the potential to ensure that we can continue to feed the human race even as our current farming methods become unsustainable.  They're doing amazing things in Japan with indoor hydroponic farming.  I'd like to replicate their successes on smaller scale and in a 'community' atmosphere.

3. Information Technology Education - IT is a large field and has many practice areas.  We used to think of Computer Science as one simple thing, but the field has exploded.  Of course, that means that the education that we provide to newcomers in the field is more spread out amongst the disciplines, and that we haven't had time to teach and focus on the importance of the basics.  I would love to contribute to a solution to this, and to find the time to develop and market these solutions to train the neophytes.  Making it interesting enough to keep their attention when the blinking lights and fun sounds of the web are grabbing their attention will likely be one of the greater challenges.

So, there's three things I've set for myself, and they're goals I couldn't have thought of spending time on until now.  I hope that everything turns out well with this potential change in my life and that I have the opportunity to change the world.

Reminded of my Blog

My life is extremely busy.  Not only do I find myself working a great deal, but I also have plenty of hobbies, some of which I have discussed on here.

I actually went for an interview today and when I mentioned how multi-faceted I was [thanks for the word, interviewer!], one of the interviewers asked if I had a blog.  I sheepishly turned and said that indeed I did, but that I hadn't updated it in a while.

Part of the reason that I haven't is that I consider the work that I do day to day to be sensitive in nature.  Not that it's hush-hush, but I certainly don't have my employer's permission to be posting the details of their network design or security implementations all over the web.  Because work has been consuming the better part of my life since Feb 2014, there is very little posted since then.  However, I have certainly had a lot of personal triumphs, changes, etc.  I mostly share these with my friends on Facebook, though, and have really stopped writing opinion pieces for random strangers to stop by and read.

Perhaps I can change that.  I haven't written in a while, and I'm kind of rusty.  I'm going to try to pick up the personal pen and pick my pitiful brain to put it down on this page probably twice a month.  In two days time I will pick a topic, draft an opinion or a rant and type it out for you to read, if you're still there.  And I'll try to continue at that pace - twice a month, while sitting at the TV, instead of falling asleep.  See you then.

Developing for Android

If you're going to develop Android applications, and you've run into a problem with the Android Virtual Device Manager - as in, the emulator is just TOO DAMNED SLOW - I've got two tips for you I found elsewhere on the web:

0. If you're on Windows, even the program recommends setting the RAM to 768 - so do this first - I wasn't even able to get an AVD to run with more than that.

1. http://stackoverflow.com/questions/7430039/android-virtual-device-super-slow-pc-too-slow - Up the VM Heap Size available to apps - the default is just too damned small (I think mine was set to 48).  Edit that Virtual Device and give that VM Heap size 512 - Just this alone sped up the emulator to the point where it could boot for me.  It made a WORLD of difference.

2. http://software.intel.com/en-us/android/articles/speeding-up-the-android-emulator-on-intel-architecture - Install the Intel x86 Emulator Accelerator.  And not just install it from the Android SDK Manager.  This only downloads the tool to your PC.  You will need to go into the SDK's folder and find intelhaxm.exe and run it to actually install the Accelerator.

3. From that same Intel reference: Use the Intel Atom CPU/ABI and choose 'Use Host GPU' for the Emulation Options.

With those things, my emulator was up and running in less than a minute and ran smoothly.

Story Time - How Teachers Can Crush the Spirit of Young Learners

Art is a skill that has limited to no association with what I currently do for a living, but has been a quiet passion of mine for many, many years.  Most people that know me have no realization that within me burns a passion for artistic expression, because I have learned to quell this from coming to the fore.

There were two teachers in my middle and high schools that heavily influenced my artistic development, and neither of them for the good.  This is just a story that needs to be told, so I thought I'd share it here on my blog.

In sixth grade, I attended a single-grade annex school of I.S. 24 in New York.  One of the classes we took was an art class that covered a large variety of materials and artistic methods.  We did painting, mosaics using food-colored rice, paper mache', and drawing with watercolors and inks.  One drawing firmly in my mind is a project that we were doing in class where we had copied some artwork from a book using pencils and tracing methods, but were tasked with coloring it with watercolors.  We had to work at a table with other students, and I was stuck at a table where there was this one asshole kid who didn't give a shit about the class or the assignment.  During the class, he decided it would be fun to take his wet brush with watercolors and flick it at other people's artwork, spraying it and destroying the painting.  Of course, I had no choice but to tell the teacher he was destroying the artwork, and I would have expected that she would punish the little jerk-face and at least isolate me from him so that I could finish working on my piece.  However, I was shocked and amazed when she came over and expressed to both of us that his 'flicks' made my piece look more INTERESTING.  What the fuck!?! And then she turned off and went over to other tables!!  No punishment, only encouragement for the asshole's behavior!  Of course, the cackling little fucker took this to mean he could do whatever the hell he wanted.  He and I began a battle of flicks that destroyed both works of art, but of course he could care less about his.  And me, my spirit lay crushed, in the painting that I was proud of was now ruined by a little shit.

In ninth grade, I took a drafting class [mechanical drawing] at South Brunswick High School in New Jersey, led by an older black gentleman with a gruff demeanor and the scowl of Scrooge himself.  I didn't mind his demeanor and thought of him as a talented and experienced drafter who had given up his career to begin teaching and mentoring new students into THE WAY.  The class was glorious! I loved going to the class and developing highly precise drawings of objects in all three dimensions, using the T-Square and Triangles, precisely copying the fonts and measuring to ensure the diagrams were accurate blueprints.  It was fantastic up until the part where we had to ink the drawings.  Now, this was back in 1980/81, so inking drawings was done using ink-well pens.  I don't know if you've ever had to use one of these stupid things, but essentially the first thing you're going to do is blot your work.  Then, you're going to blot some more.  The solution to this is to ink a drawing over a thin see-through film, rather than right on the original.  If you blot, you start the inking process over.  I learned for the most part how to control the pen, but it was a difficult task, and even toward the end of the class, I would occasionally blot my inking and have to restart it.  I was still doing fine, and I certainly had the patience to restart when needed - it was part of the requirement, after all.

It all ended with the final exam.  You see, the final exam counted for half of our grade, and it had an inking in it.  That would have been fine except for two things:

• There was a time limit of the one hour class, so restarting or redoing the work would not be possible.
• Just as he handed out the final exam, he made the statement, "If you blot your final work, you will receive an F"

But, hey, no pressure, right?!?!  SHIT, when I got to the final ink, I was nervous as hell.  I got 90% of the way through the final inking before you can guess what happened.  The ink in a freshly welled tip spilled over the final draft, ruining the fine and precise lines I had spent 50 minutes making.

I cried like a little girl.  Yes, that's right, I cried, folks - I was ruined. I turned in what work I had finished (the pencil drawing), and sure enough - that [Edit: there was a REALLY bad word here.  When I wrote this, I passionately considered it and decided to write it anyway.  However, some people may find it very offensive, and they may end up judging me by that one word.  I do not have a career as a writer.  Were I Norman Mailer, I would have left it in.  I am not, it comes out.] failed me just like he said.  The emotional toil of failing a class that I absolutely LOVED and even had the majority of the skill-set for (apart from inking, apparently) was so devastating that I didn't touch a T-Square for 30 years.

I now own a drafting table.  I bought it when I moved into this house and saw a mechanical table on Craigslist.  Some guy had been using it as a mechanical lift in his garage and it was covered in grease and oils.  I cleaned it up and put a new surface on it from a local art store.  When I find time, I go downstairs and I draw using the drafting table for a surface.  I even have a T and triangle.  Of course, the actual art of mechanical drawing is now very computerized.  I like to play with Blender every now and again, but find very little time for those pursuits among all of the other things that grab my interest and require my time, but if I ever had lots of free time on my hands, it would be one of the things I love to do.

Foray into the Cryptocurrencies (BitCoins)

I was at DefCon 21 and a guy was there with a homemade Bitcoin vending machine/suitcase.  It had a coin slot in the side, and it cashed in your USD for some Bitcoin at the current MtGox exchange rate minus an (it turns out exorbitant) fee.  No matter, I was only curious to the tune of 5 quarters and I received a piece of paper with both the public and private key for a wallet that had been sent the .00810374 Bitcoins.  This week, I loaded up the key and peeked into what my piece of a Bitcoin was worth.  $5.70!  That's right, I had made 570% on my $1 investment in just two short months.  That piece of paper got smoothed out, touched up (it had begun to smear) and put somewhere a little bit safer.

Some of you reading this posting may not know what a Bitcoin is.  It's an alternate currency - an experiment in basing value of currency off of a share of work toward solving cryptographic algorithms.  Is it nerdy - yes, on the face of it, it's very nerdy and at the same time, interesting.  You see, Bitcoins are not created by a government, their value is set entirely through free market, and it is possible to trade Bitcoins anonymously.  A Bitcoin is an experiment in the ultimate barter system, out of reach of 'the man' - and the only value is dependent upon what someone else will decide to give you for it.

There are a lot of things that make Bitcoins cool.

• The complete lack of a centralized authority.  This makes Bitcoin automatically useful on a global scale as soon as there is a an acceptable market for the currency in other countries.  And now, the country with the largest population is on the Bitcoin ride.  
• The ability to create a Bitcoin 'wallet' anonymously and exchange coins between wallets without involving third parties in performing the actual transactions.
• This takes some care, since all transactions are essentially traceable through the blockchain from creation to current wallet.  It is important that one does not just register with a website, buy some coin and then promptly spend those on something that will get you into trouble.  To be truly anonymous, one needs to put some space between your name and the spending of the bitcoin.  Logically, sending the bitcoin to a vendor of some sort that handles a large number of clientele, without care for their identity, that will be willing to send the bitcoins back to a new address will be enough to break the link.  But I am not a lawyer, a policeman or an expert in money laundering.....
• The free market value of the bitcoin is linked to important economic indicators - such as how expensive it is to create/mine a bitcoin, how many vendors will actually take a bitcoin in payment and how liquid a bitcoin is (until EVERYONE will take bitcoin, you'll still need to be able to cash it out in your native currency).  A list of bitcoin vendors comes in handy and is growing quickly.  I was frankly amazed at the number of physical product vendors that are on the list - and now a University in Cyprus will let you pay tuition in bitcoin.
• There are numerous ways to store your bitcoin - with an online wallet service or exchange like coinbase or blockchain.info.  Probably the most famous exchange is Mt.Gox although they've had some problems in the past like the DHS freezing their funds at Dwolla. If you run the Bitcoin client (effectively becoming part of the bitcoin network), you can create a wallet on your own and will only need to get someone to send bitcoins to the created wallet address.  You can also back up your wallets to paper copies of the public and private key associated with it.  This is normally done via QR code to make them easier to input.
• Since bitcoin spending can't be controlled by anyone - spending them on things that would normally be against a government's desire is a very simple process. (although still traceable if not done properly to protect your anonymity!!)  This means there are a lot of casinos popping up online that take bitcoins.  Of course, I can't leave out the fact that some markets exist for the drug trade and that the creator of said marketplace is alleged to have arranged at least one hitman on that marketplace.

Of the many bitcoin sites I've seen today when poking around, most remind me of the early days of the web.  Horribly designed sights aimed at enticing the user with garish images and offers of FREE BTC!! If you've got a bitcoin wallet and would like some free bitcoin (less than a pennies worth on average) to start you off, go ahead and click there and give it your wallet address.

Download from B-Sides DC 2013

I went to my first DC-area security con, B-Sides DC, held yesterday and today, after attending Blackhat and Defcon earlier this year.  There's definitely a difference, going to a conference where you go home at night vs. one where you stay at the conference hotel and focus entirely on the con.  For one thing, you can't really give 100% of your attention to the conference contests and socializing. At the end of the day, you still have to commute back home, spend time with the family and deal with your normal responsibilities.  So, right off, attending Defcon was the better experience solely for this reason. On the other hand, B-Sides DC was $10 for two days of learning, and my travel costs were $12 for parking and $6-$9 for gas. Defcon still wins, because, hey - Vegas - but other than that, this was well worth my weekend.

After attending Defcon, I was asked to give some talks on what I've learned out in Vegas and I had prepared a slide deck that had several advantages.  One, I got to spread the knowledge to other people.  The talks I gave went from the very broad to the very technical in sharing the Blackhat/Defcon experience, and giving the talks helped to cement some of the knowledge from the whirlwind that is the con experience.  So I figured I should do a brain dump of sorts of my experience at B-Sides to cement some of the stuff I learned there, and organize some of the notes I've taken, links I picked up and Twitter accounts to add.  These notes are going to be rambling, and have referential information throughout that I needed to capture.  I'm only making a mild effort to make complete thoughts and sentences for the reader, and may not have even come to an assessment of what was important about each talk for me to take note of.

Day 1. Opening Talk - Bruce Potter - @gdead - Shmoo Group

I have in my notes that Bruce is an author - I remember him discussing that the first book he authored was with O'Reilly - I recall that SOMEONE (not necessarily Bruce) at B-Sides said that the entry point into signing up to write a book on technical subjects seemed to have a fairly low barrier and that writing a book on a subject you barely knew was not only possible, but something he had done.  Now that I think on it, I believe that was @grecs instead of Bruce (whomever it was, they had written a book on 802.11 and learned the subject while writing the book).

Bruce's talk was about education, skills, the difference that IT Security is from hard sciences, refocusing of the collective to the end goals of IT Security, and in the end, getting back to the roots of InfoSec by fucking shit up.  He had a lot of personal stories, but I think they were mainly to demonstrate that the path to becoming an InfoSec ninja is not a cookie-cutter career path.  In my notes I have written 'R U A WIZRD'? which refers to the Rock Star Syndrome he was discussing (not by name) of our over-inflated egos of thinking we're better than we really are just because we have the special skill of understanding how the magic smoke works.  He went on to rail against Certifications not necessarily being the answer to the irrelevant and outdated curriculum of university degrees in the fast paced industry of InfoSec.

Bruce also brought a three-year old to B-Sides (and told him he was about to learn some new words) - although I'm pretty sure he was being himself, and the kid had probably heard those words before (forgive me Bruce if I'm wrong). The talk was very humanizing and I think it really led to the audience being able to identify with the college-dropout, successful level 42 Wizard, author, industry leader.

In the end, though, Bruce had a point - he wanted us to try to figure out how to fix the education problem (where Youtube videos are better InfoSec teachers than instructurs), how to fix the qualifications problem (where who-you-know frequently passes for what-you-know and security certs are still testing whether you know outdated security models from the 1970s) and get to the business of ACTUALLY FIXING THE CUSTOMER'S PROBLEM - which is broken security.  And he had another point - Bruce asked for people to get back to the roots of InfoSec and maybe stop being so damned gentlemanly.  The bad guys aren't playing nice, and I think that he's a bit upset that everyone is being so damned nice to each other and respecting each other's boundaries at cons and other hacker battlegrounds.  Probably because it's dulling our senses and our abilities as a group.

Day 1 - Official Talk 1 - The Homunculus Problem - Why You Will Loose(sic) the Battle of BYOD - Michele Chubirka - Mrs. Y - @MrsYisWhy

B-Sides has two talk tracks (and one education track) - and it was this talk or a talk on why your corporate password policy is weak.  Since I'm already a soap-box candidate for preaching about password policies as a failed solution and I didn't want to learn what SANS 20 Security Controls were, I sat in on Michele's talk about why we'll fail the BYOD battle.  Of course, I was expecting a technical talk, not a psychology talk - which is what she ended up giving.  She explained the drug-like addiction properties of social media and the devices that we use, and encouraged empathy and embracing the user's wishes when it comes to BYOD [Sorry: that's Bring Your Own Device (to work) for the uninitiated].  She spoke about how Security [industry and policy] is seen as just a roadblock to users getting what they want.

My notes have three takeaways: 'Stoptional' - the optional stopping of a vehicle at a stop sign, presumably in Louisiana - a cute term someone behind me and to my right explained when comparing corporate security policy and the likelihood that your users will obey it to STOP signs and road laws. Empathy/working together - which summed up MrsYisWhy's point she wanted us to consider - key slide being 'Don't say No - say Yes, and....' (I personally prefer Yes, but... but I can see how that might make me out to be the bad guy) and www.healthyparanoia.net which appears to take me to the Packet Pushers Podcast page - a podcast I had previously been unaware of.

She then handed out T-Shirts to some random trivia questions and was upset that no one remembered that Solaris 2.6 marked the beginning of their shift to a 64-bit OS.  Her personality overall, by the way, seems to match very readily to the picture she's chosen as an avatar on Twitter - a bit on the spiritual/kooky side.

Day 1 - Official Talk 2 -  Malware Analysis: N00b to Ninja in 60 Minutes* - @grecs

@grecs' talk was full of useful information and links on Malware Analysis - a weak point for me since I haven't done much of it.  Not only did I take notes, but I actually used my phone to take some [screen]shots of his talk on the projection screen that I need to transcribe later.

I think @grecs is a recovering stutterer, or is developing one - but he pushed through it fairly well and only had a few seconds of touch and go fighting it off during his speech.  Talking in public is HARD, HARD, HARD for anyone - I can't imagine how much more difficult it must be when your brain just decides to lock up on you like that - not only do you feel some embarrassment, but that just adds to the problem and it can go into a death spiral...so good job pushing that stick forward and pulling out of the death spiral!

Grecs is actually a Twitter account I already follow, and I like some of the articles that recur on NOVA Infosec, his website.  It appears the Malware Analysis BSides DC slide deck has already been posted there from his talk (Thanks, Dude!!!!) Also, I should thank his sponsors @BulbSecurity and @PenTestTraining for bringing him to B-Sides DC and supporting his work.  It is people like @grecs who help the security industry's world go 'round and it can be hard to get paid to do work that benefits a community.

I also have a note that he takes in trade or pays cash for blog posts on NOVA InfoSec - the submission link was given at the talk.

Ok - for this talk I have THREE written pages of notes that are mostly a list of tools for the various aspects of setting up a Malware Analysis Lab, the step-by-step processes and alignment of the tools to those processes and relevant training websites.  Once he got going - this talk was probably the most STRUCTURED and INFORMATION DENSE talk of the conference.  The slides are up on SlideShare - use the link above on his website to essentially see what I've put down in my notes.  Knowing they're there - I'm not going to attempt to replicate the information here.

----Tired for now - will take a break and resume discussions of other talks later on ---------