Toolbox: After a Conference

Wow. Blackhat, Defcon, I didn’t even make the other conferences going on in Vegas. And coming back it seems like there’s a sea of things to follow up on. I think a little bit of organization is helping me manage better this year, and so I thought I’d share what’s in my post-conference toolbox. I’m also sharing because I don’t think my workflow is optimal, and would love to learn from how others are working through this in 2018 with its profusion of ways to stay in touch.

First, I have a stack of queues to process:

  1. Email. My inbox, but I also have a folder called “followup.” I move a lot out of my inbox to the followup folder so I can see it when I’m back from travel. (I also have a set of monthly sub-folders: followup/august, followup/september, they let me say “I’ll get back to you in three months.”)
  2. Signal
  3. iMessage. For both of these, I go back through the conversations I’ve had, see if I had followups or if I dropped the ball on someone.
  4. Linkedin. I get a lot of linkedin requests, and I’m a fairly open networker. Sadly, the UI works very poorly for me. I would love to hear about tools that allow me to effectively move messages to something other than a LIFO queue.
  5. Workflowy. I’m experimenting with this as a note taking tool, and it’s not bad. It’s a bit of a pain to extract the data (for example, I can’t email myself a branch of the tree), but copy and paste from the website is decent. It turns out the website has great export, but still learning.
  6. Business cards. I go through the whole stack of cards for todo items. I try to write notes on business cards. I discovered I did that on one of 6 cards where I remembered something. That’s not very good odds, and forces me to consider what I might have missed. Still exploring how to make best use of cards without notes. Advice really welcome here.
  7. Slack channels. Go through, look at DMs and channels. I suppose I should use some feature to note that I intend to followup. Is the Slack way to say “come back to this” to star a message?
  8. Calendar. For each meeting, think about the meeting, check my notes, see if I remember followups or things that didn’t make it to an email/workflowy note. And yes, there were several discussions that I know we discussed followups that I re-discovered by looking at my calendar.
  9. Photos. Photographs are the new note-taking, and so going back through pictures you took is important.
  10. Twitter, Facebook. I’m trying to break from Twitter, and don’t use Facebook, but I figured I’d include them here because they’re maybe worth remembering.

After the queues, as a consultant, I have customer work to get back to and sales contacts to followup on. I have expenses. I haven’t found an expense app that I really like, and so I stuff receipts in an envelope each evening, and then deal with them when I get home.

If I missed any followups, I’m sorry. Please reach out!

But more, I’m curious what works for you? What’s in your toolbox?

Photo: Patrick Perkins.

Threat Modeling Thursday: 2018

Since I wrote my book on the topic, people have been asking me “what’s new in threat modeling?” My Blackhat talk is my answer to that question, and it’s been taking up the time that I’d otherwise be devoting to the series.

As I’ve been practicing my talk*, I discovered that there’s more new than I thought, and I may not be able to fit in everything I want to talk about in 50 minutes. But it’s coming together nicely.


The current core outline is:

  • What are we working on
    • The fast moving world of cyber
    • The agile world
    • Models are scary
  • What can go wrong? Threats evolve!
    • STRIDE
    • Machine Learning
    • Conflict

And of course, because it’s 2018, there’s cat videos and emoji to augment logic. Yeah, that’s the word. Augment. 🤷‍♂️

Wednesday, August 8 at 2:40 PM.

* Oh, and note to anyone speaking anywhere, and especially large events like Blackhat — as the speaker resources say: practice, practice, practice.

Threat Modeling Thursday: 2018

So this week’s threat model Thursday is simply two requests:

  1. What would you like to see in the series?
  2. What would you like me to cover in my Blackhat talk, “Threat Modeling in 2018?”

“Attacks always get better, and that means your threat modeling needs to evolve. This talk looks at what’s new and important in threat modeling, organizes it into a simple conceptual framework, and makes it actionable. This includes new properties of systems being attacked, new attack techniques (like biometrics confused by LEDs) and a growing importance of threats to and/or through social media platforms and features. Take home ways to ensure your security engineering and threat modeling practices are up-to-date.”

BlackHat and Human Factors

As a member of the BlackHat Review Board, I would love to see more work on Human Factors presented there. The 2018 call for papers is open and closes April 9th. Over the past few years, I think we’ve developed an interesting track with good material year over year.

I wrote a short blog post on what we look for.

The BlackHat CFP calls for work which has not been published elsewhere. We prefer fully original work, but will consider a new talk that explains work you’ve done for the BlackHat audience. Oftentimes, Blackhat does not count as “Publication” in the view of academic program committees, and so you can present something at BlackHat that you plan to publish later. (You should of course check with the other venue, and disclose that you’re doing so to BlackHat.)

If you’re considering submitting, I encourage you to read all three recommendations posts at https://usa-briefings-cfp.blackhat.com/

IoT Security Workshop (Seattle, August)

Jean Camp and Yoshi Kohno are organizing an interesting workshop upcoming at the University of Washington on “Best Practices In The IoT:”

Our agenda begins with a presentation on the Federal Government initiatives in
the IoT. When collecting the reading materials for emerging standards, we found
nearly a thousand pages once all governmental materials are brought together…The product of the workshop will be a summary document identifying (i) a consensus set of graduated best practices for security and privacy for IoT in the home, and (ii) any gaps where best practices cannot yet be identified.

(I believe that the workshop organizers might agree with me regards the term “best practices,” but are driven by funders to use it.)

Also, they are searching for a few more sponsors if you can help in that department.

Humans in Security, BlackHat talks

This is a brief response to Steve Christey Coley, who wrote on Twitter, “but BH CFP reads mostly pure-tech, yet infosec’s more human-driven?” I can’t respond in 140, and so a few of my thoughts, badly organized:

  • BlackHat started life as a technical conference, and there’s certain expectations about topics, content and quality, which have changed and evolved over time.
  • The best talk in the world, delivered to the wrong audience, is not the best talk in the world. For example, there’s lots of interesting stuff happening with CRISPR. We probably wouldn’t even accept a talk on the security implications. Similarly, we probably wouldn’t take a talk on mosquito-zapping lasers, as much fun as it would be.
  • I and other members of the PC, work to change those expectations by getting good content that is at the edge of those expectations. Thus, there’s a human factors track again this year.
  • That track gets a lot of “buy a UPS uniform on ebay” submissions, and the audience doesn’t tend to like those. They’re not cutting edge.
  • I would love it if we got more SOUPS-like content, redone a little to meet audience expectations for a Blackhat talk, which are different than expectations for an academic talk.
  • So what I look for is something new, in a form that I believe will be close enough to the expectations of the audience that we drive and evolve change in useful directions.
  • Finding the right balance is hard.

So, what do you think a good BlackHat talk on human factors talk might be?

(I should be clear: I am one of many reviewers for BlackHat, and I do not speak for them, or any other reviewer. I cannot discuss specific submissions or the discussions we have around them.)

Update: Since this was written quickly, I forgot to link to “How to Get Accepted at Blackhat.” Read every word of that, ask yourself if your submission is a good one.

RSA Planning

Have a survival kit: ricola, Purell, gatorade, advil and antacids can be brought or bought on site.

Favorite talk (not by me): I look forward to Sounil Yu’s talk on “Understanding the Security Vendor Landscape Using the Cyber Defense Matrix.” I’ve seen an earlier version of this, and like the model he’s building a great deal.

Favorite talk I’m giving: “Securing the ‘Weakest Link’.”

A lot of guides, like this one, are not very comprehensive or strategic. John Masserini’s A CISO’s Guide to RSA Conference 2016 is a very solid overview if you’re new, or not getting good value from a conference.

While you’re there, keep notes for a trip report. Sending a trip report helps you remember what happened, helps your boss understand why they spent the money, and helps justify your next trip. I like trip reports that start with a summary, go directly to action items, then a a list of planned meetings and notes on them, followed by detailed and organized notes.

Also while you’re there, remember it’s infosec, and drama is common. Remember the drama triangle and how to avoid it.