Greg Otto: Welcome to Securiosity. I am Greg Otto.
Jen O'Daniel: And I'm Jen O'Daniel. Greg, we have a really interesting podcast this week.
Greg Otto: Yeah. So look, we generally keep things lighthearted around here, but there's been some controversy that has come up around DerbyCon, a popular security conference that recently announced it's shutting down after this year's event. In the aftermath, there has been a lot of mudslinging going around, particularly around some harassment that's been waged in a private Facebook group. We're going to talk to somebody who has faced repeated harassment that she's endured since DerbyCon's announcement. And we're also going to talk to somebody who has had firsthand access to that private Facebook group as well as DerbyCon. So furthermore the interviews highlight how poor behavior of a few is bringing down the stature of everybody, no matter their race, gender or sexual orientation. Some really interesting stuff. Look forward to getting into it.
Jen O'Daniel: First we speak to Georgia Weidman, who is the CTO of Shevirah which is a portfolio company of mine that also went through Mach 37 and also the author of a well-known penetration testing book. Georgia has been in the news due to some controversy over DerbyCon shutting down and some incidents that have taken place at past DerbyCons because it led her to being harassed when the current news went live.
Jen O'Daniel: We also talk to Joshua Marpet from Red Lion consulting. Josh also was part of Mach 37 with his last startup. He's a member of the Facebook group known as illmob and has also been head of security at DerbyCon. illmob, filled with numerous infosec experts has been in the news because a number of the group members were shown to be misogynistic or hostile towards women in infosec, including Georgia. The interviews are long, but we wanted to give equal time so everyone could get a full snapshot of what's going on.
Greg Otto: OK joining us now is Georgia Weidman, the founder and CEO of Shevirah. Thanks for joining us. And let's talk about what Shevirah does. Talk to me about your company.
Georgia Weidman: Well thank you very much for having me on. I appreciate it.
Georgia Weidman: Well, Shevirah does a lot of things, as most startups do. But our main focus is testing the effectiveness of security around mobility and the Internet of Things. So if you have preventative products that you're buying, mobile threat defense, enterprise mobility management, things like that, seeing whether they actually provide you any value. You'd be surprised how much some of it actually doesn't provide you a lot of value. We also do know the entire penetration testing spectrum so we're more on the testing side. We're not really a preventative technology. We help you find your vulnerabilities and figure out what you need to do to fix them. But particularly around mobility and the Internet of Things.
Jen O'Daniel: What types of issues you're finding when you're testing mobile devices.
Georgia Weidman: Well there's a lot of different things. I mean everything from phishing, you know phishing is still really big on the email side certainly, that's the number one way to get in. And we're starting to see a lot with text messages for things like Twitter and WhatsApp. You know we've got some stuff in our product with near field communication and QR codes as well. But the biggest part is I think people aren't getting any security awareness training around, a lot of people know don't click on links in emails.
Georgia Weidman: They may not know don't click on links in WhatsApp or text messages. So we really need to, you know, bridge that gap. There's also a lot with mobile applications that are malicious. You know it's really hard for like an antivirus type product to decide if it was malicious and what not. It's really hard for an end user as well. So simulating malicious apps is a lot of what we do as well, to see what they can steal off the device.
Georgia Weidman: If it's on the local network can it pivot on to other machines could it get on your laptop if we were on the same network right now and you know you had an unpatched vulnerability on your machine and the user's phone may just have you know their corporate e-mail and things like that. You might have you know the customer database so you know using a phone as a pivot point you know there's you know we saw the FaceTime vulnerability yesterday. You know a lot of the chips in there can have vulnerabilities in them as well. So we do work with malicious cell towers and malicious Bluetooth and things like that.
Georgia Weidman: And finally vulnerabilities and you know how they can affect your organization. I mean a lot of people like to wave their hands and be like 'Well nobody's actually doing that' but I mean we have seen, particularly like state sponsored actors doing that for sure, and it's just going to become more pervasive as the pieces and things like that become more secure.
Jen O'Daniel: So how did you get your start in cyber security?
Georgia Weidman: Well I went to college early. I went at 14 instead of the usual 18 or so. And I did a math degree and I really didn't want to be a computer scientist because my mother was one and what teenager wants to be like their parents.
Georgia Weidman: But then I couldn't really find a job at 18 with a bachelor's degree and no work experience so I got asked to do a master's degree in computer science and they were going to give me money which was better than having to live with my parents. You see a theme here.
Georgia Weidman: And so I did that and they had a cyber defense club. And Michael Wellman hates it when I say this but the captain of the cyber defense club was really hot and I wanted to get close to him. So knowing nothing about cybersecurity I joined the cyber defense club and we competed in the mid-Atlantic cyber defense competition and I didn't get the guy but the next year I was the captain and found what I wanted to do with my life.
Greg Otto: So I'm interested to hear a little bit more on the [?] because you put out a book that's been pretty well regarded in the pen testing space so kind of talk me a little bit about the evolution of that.
Georgia Weidman: Well I was approached by the publisher No Starch Press about doing a book since my primary research interest is mobility. I think they probably expected I was going to do a mobile book but I insisted I wanted to do introduction to penetration testing, very hands on very forgiving of people who don't have a lot of background with like using Linux or programming, starting at the very beginning and working our way up. And luckily they were down with it. And yeah. So I wrote a book: 'Penetration Testing: A Hands on Introduction to Hacking', had to think for a second there. And it's been, I've been very lucky that a lot of people have really liked it.
Georgia Weidman: A lot of people have said that is the reason that they were able to get into this industry.
Georgia Weidman: I kind of wanted to write the book that I wished I had had when I was starting out as I was trying to learn this stuff and so much of what was online.
Georgia Weidman: It was just like you had to know so much background that a lot of it I didn't have and I asked questions as you got a lot of you know get off new kind of things. So I really wanted to be able to fill in that gap and you know I'm currently working on the second edition of that book.
Georgia Weidman: So look out for an update sometime in the near future.
Jen O'Daniel: Yeah you gave me instant credibility at Blackhat last year I was having lunch with a bunch of guys from NSA and one of them said the thing they were most looking forward to was meeting you, and doing your book signing. And I was like oh gosh she's one of my portfolio company CEOs or CEOs.
Jen O'Daniel: I got like credibility there.
Georgia Weidman: They should have us in, you know if they think that I'm cool they should have us into to demo Shevirah. We would love to help the NSA.
Greg Otto: So on the Shevirah front you were just saying there that you look for really the value in mobility products and the IoT space and you said that sometimes they don't really have the value that everybody thinks that they do. Can you expound upon that a little bit.
Georgia Weidman: Well I think you know when bring your own device started happening, when a CEO got an iPhone and wanted to put it on the network, and I mean we already had BlackBerry BES.
Georgia Weidman: Even so there was even a line item for something to control mobile even though BlackBerries were getting phased out in favor of iPhones and Androids.
Georgia Weidman: But I think a lot of people, you know rightfully people who are more business savvy than certainly I was when I came into Mach 37, realized they could just put the word mobile in front of their product for PC, you know, deuce hand wavy something, without ever really one understanding what the market needed and two actually having to build something that worked, because who was going to say, and then they could sell you know to each employee instead of you know one license for their P.C. now get there I've had and their Android phone. So I think there's a lot of that. I think the market is waking up to it. You know there is Gartner for mobile threat defense now.
Georgia Weidman: I think you know just based on my clientele until I'm getting a fair number of people who are like I don't really know if this is working. Maybe we should test it. So I think the market is starting to wake up that just because a preventative product - and this isn't just in Mobile, I mean we see like Equifax and all these other people getting breached, you can't tell me that those people didn't have you know every preventative product under the sun that told them if you install this you don't have to worry about security anymore. So you know they don't patch. They don't do security awareness training because their vendors told them they didn't have to anymore. So it's a real problem. I'm hoping to fix it in my small way. Right.
Greg Otto: Another thing that we wanted to talk about here beyond your company that's come up over the past week and a half is the noise around DerbyCon and the conversations around DerbyCon, particularly within the infosec community on some private groups on Facebook, that have taken into account and really have directed some comments your way about what has gone on at these cons, and then you also fired off on Twitter about what has happened at some of these cons. So we wanted to talk to you about what has happened and whether we can clear the air and talk about some of the behavior that has gone on at some of these cons, because I feel like within the community it's been a really big sticking point to the maturation of the way that the infosec community behaves at some of these cons. So I would love to give you the floor to sort of talk about the background of how we got here and what we can do moving forward.
Greg Otto: So let's take a moment to back up DerbyCon is a popular infosec conference based in Louisville, Kentucky. Twenty nineteen would have been the ninth year for the conference until the organizers released an announcement earlier this month saying that this year would be the last. This announcement was vague as to what exactly caused the organizers to shut it down.
Greg Otto: The blog post reading that there is a small yet vocal group of people creating negativity polarization and disruption.
Greg Otto: The primary intent of self promotion to advance a career for personal gain or for more social media followers. That announcement led a number of people to turn to private Facebook groups to voice their displeasure over DerbyCon's closing; comments veered from people venting to misogynistic attacks. On top of that there was some back and forth on Twitter between past DerbyCon attendees which only poured more fuel on the fire.
Greg Otto: OK back to Georgia.
Georgia Weidman: So I mean my initial distaste with the whole situation was how DerbyCon chose to write their blog post, if you will, about how they were shutting down. They couldn't have done better to incite a riot against women in infosec and at the same time make themselves look like victims, and I mean these are media savvy individuals, they're on TV all the time. They can't say they didn't know.
Georgia Weidman: I don't buy it for a second.
Georgia Weidman: And they could have just said they need to focus on other endeavors. You know the professional thing to do when you shut something down.
Greg Otto: Could you summarize for us exactly like what they said.
Georgia Weidman: Actually that's that's next. I actually brought in a couple quotes from there.
Georgia Weidman: And so this isn't the whole post, you go to DerbyCon.org if you want to read the whole post, but a couple quotes from it. "There is a small yet vocal group of people creating negativity polarization and disruption with the primary intent of self promotion to advance a career for personal gain or for more social media followers." And another quote, "To put it in perspective we had to deal with an individual that was verbally and mentally abusive to a number of our volunteer staff and security to the point where they were in tears."
Georgia Weidman: So I do have to give them some props for that; many men would be ashamed to admit they shut down their con because a girl made them cry.
Greg Otto: If you want to divulge any more details if you have any more information on that we can talk about it but talk about a little bit you know the behind the scenes to that statement from the DerbyCon blog post seems to be very vague.
Greg Otto: So I'm wondering what exactly is that they're talking about here. Because it does seem that there's a little bit of both sides 'ism' there and that doesn't seem to be helping things at all.
Georgia Weidman: Well they've not been willing to talk about exactly what they're talking about which you know might be part of the problem. But what ended up happening you know as one would expect in kind of a GamerGate fashion if you will a bunch of people started attacking women particularly any woman who had ever said anything about DerbyCon. I mean last year DerbyCon someone went so far as to tweet their distaste about a sexist slur at DerbyCon.
Georgia Weidman: And so she became a meme on the Internet called "Battle Cunt" among other 'screw you for ruining our con, you'll never work in this town again' type rhetoric.
Georgia Weidman: And this is someone who's like trying to break into infosec and she's being mobbed on the Internet.
Greg Otto: Why was there such derision towards this person. What exactly caused the community to turn around and make her some like meme on the Internet.
Georgia Weidman: What did she do. Well she wrote, last year at DerbyCon there was something in front of the mental health village about like what makes you feel better.
Georgia Weidman: And then people wrote you know like 'boobies' and '#metoo' and things like that I don't it you know which is you know and it's not like anybody tried to burn the con down it's like you know these are we're in a time finally where we can talk about things that are not appropriate. And you know it's hardly worthy of you know getting this much hate.
Georgia Weidman: But since I guess she was the last one who complained about DerbyCon she got you know most of the flak. But I mean there were plenty of "women in general ruined our Con. This was our favorite con and now we can't have it anymore because the women are too sensitive" which is you know if you remember GamerGate exactly how that started and I really don't want to see my industry turn into that.
Georgia Weidman: So it made me sort of upset to see this going on.
Jen O'Daniel: That hashtag '#metoo' below 'boobies' which I think sort of started this off just seems to me a little bit insignificant to really like cause a riot. Right. It just seems it just seems ridiculous that that's something that would set people off and really cause a con to close, right? There's just it's just an insignificant thing. We've seen much bigger things happen at other cons to the extent that like a DEF CON every year reports the number of rapes, the number of sexual assaults, and stuff at the end of it. So to have someone you know tweet out something written on a board seems kind of ridiculous to close down a con.
Georgia Weidman: Yeah. And I'm sure there is more to it than that. But I mean people are not that smart when on the Internet, I guess it seems so it's like this is the person we're going to attack. But yeah I mean that wasn't it wasn't it was a tweet. Big deal. I mean you're going to run. I mean I get hate everybody gets hate. So DerbyCon got some hate and you know they ran away with their tail between their legs.
Greg Otto: Now part of the controversy came from a tweet where you said that you felt unsafe, or maybe you didn't feel unsafe, that you just had a problem at 2013 DerbyCon and that paled in comparison almost to a sexual assault that you went through. Can you talk about what happened at DerbyCon, that specific incident, and what made you so uncomfortable.
Georgia Weidman: Well sure. So yeah I did post something a bit provocative on Twitter. I mean it was kind of a 'jump on the grenade' kind of thing. You know despite the fact that I'm a startup founder and I have to be nice to everyone always because they may one day be in a position to buy, invest, you know, you name it. But I guess I realized that this you know 'women in infosec' thing is actually way more important than me. So I can't just stand by and watch my industry get torn apart over this 'women in tech' thing.
Georgia Weidman: So anyway the tweet I said I said DerbyCon in 2013 did more damage to my career and my life than Confidence 2013 which is another conference where I had to bash a guy in the face with a coffee cup to keep him from raping me. OK.
Georgia Weidman: Yes, a little provocative there. If folks are going to put a target on me, you know, I'm fine that we use it as a learning opportunity to advance our industry and society. But you know, Confidence, you know, that was kind of open and shut: dude tried to rape me, I hit him in the head, that was that. But at DerbyCon, it was kind of the whole community, it felt like, turned on me. The people I thought were my peers accused me of making the whole thing up. I mean this was a few months after Confidence.
Georgia Weidman: Being 'too ugly' to bother raping. This to me was more traumatic than the actual assault and I was in sort of a post-traumatic spiral if you will. I mean the #metoo movement has really helped me understand that it's completely normal to kind of go off the rails a little bit after you know an experience like that and it's not anything to be ashamed of.
Georgia Weidman: And you know I, people were being actively hostile to me, and you know the thing they want to talk about is that you know I was drinking on stage and, look these cons they hand out drinks up to speakers on the stage or while you're presenting and they brag about out-drinking the Kentucky Derby.
Georgia Weidman: If a man gets drunk presenting it's epic. But as a woman my getting tipsy demonstrates I was unprofessional.
Georgia Weidman: I mean they want to go on to, you know, I had spikes on my jacket, which is true, I did. But I mean this is an event where people literally show up dressed as storm troopers. So it's such a double standard for, I think, women and minorities. You know I think for a lot of time I didn't want to believe, you know, in the isms, the sexism and the racism. I wanted it to be just about me because then I could fix it.
Georgia Weidman: But you know in talking to other women and minorities it really seems like there's such a double standard. I mean we all know this but you know we're finally in a time I think with #metoo and #timesup where you know we can realize that you know these aren't fair and they need to be changed and it should be equality for all.
Greg Otto: Yeah. So let's back up a second there are you talking. So the 2013 DerbyCon you were tweeting about that was the con where you gave the talk where you were drinking on stage.
Georgia Weidman: Yeah.
Greg Otto: So and so basically were you actually drunk during the talk. Or like was it just oh ok. I mean I've been to these cons too, like I know that like it's open where there's just you want to hang out and have a beer while you were talking about some stuff that that happens. So I agree with you that there shouldn't be anything wrong with that. So, like, were you?
Georgia Weidman: So let's say for the sake of argument that I was falling down drunk, find me you know any one who has never done a talk or a training or a VC pitch or a media interview or anything else that didn't go well and wasn't well received especially you know while they were recovering from the trauma of a sexual assault. And I'll find you someone who isn't trying very hard OK.
Greg Otto: OK so moving forward I mean DerbyCon is just one con. Is this something that you have seen across the board. Talk to me about other cons that you've been to. Look how pervasive is this type of behavior or at least or how pervasive is this behavior that you've witnessed.
Georgia Weidman: Well I guess we've been lucky in that since, you know, the Confidence thing, where you know I kind of got a reputation for smashing people's faces if they bother me, I have not had any other sexual assault type situations. But I mean I hear about them like almost constantly at every con. It certainly happens. But in terms of, you know, harassment towards women, I mean just at ShmooCon just a couple of weeks ago. You know I wasn't witness to this, I wasn't even there, but you know there were reports that at a vendor booth, you know, someone was telling women that, you know, they shouldn't work in infosec.
Georgia Weidman: You know this whole 'girls can't computer' thing as you know. I feel like it's played itself out. But I mean it's certainly it's still a problem. And I mean we see I mean I know you mentioned those Facebook groups, which I'm sure we'll get to. But I mean a lot of those people who are speaking up in those groups saying those awful things are you know the staff that you're supposed to go to if you have a problem at these events.
Jen O'Daniel: Yeah. So. So speaking of 'illmob', which is one of those Facebook groups, I imagine you know, I know a few people in it for sure. I imagine you know a lot of people in it.
Greg Otto: So let's back up one more time. Illmob. Remember those Facebook groups we mentioned last time. That's Illmob. The Facebook group mirrors a hacking group that has been around for some time. Filled with about 500 members who talk about all sorts of infosec related things. However after the DerbyCon announcement some of those comments got ugly and disparaged a bunch of women.
Greg Otto: Those comments were sent to a reporter at [VICE] Motherboard and the following article set off a further firestorm. Georgia was part of that article so we wanted to talk to Georgia in order to get a better view of how she feels. Back to her.
Jen O'Daniel: Do you sort of find that their online personality sort of matches who they are in person?
Georgia Weidman: Sometimes yes I mean a lot of it.
Georgia Weidman: I mean in particular, you know, a journalist at Motherboard sent me some screenshots from it, particularly about me, and a lot of it, yes, I was not at all surprised. These are the same sort of people who go around saying, you know, 'Georgia's a train wreck. Georgia is no good, don't hire Georgia, don't read her book, don't this, that, the other' and for other women who are vocal in the infosec community.
Georgia Weidman: But I was particularly surprised that I mean there were a few people who I thought were my friends who were on there saying I was a train wreck and in this whole train wreck thing it's funny because you know the founder of DerbyCon said to me that I was a train wreck at DerbyCon 2013 and turned around and told everybody you could possibly find. He can deny it but this is the only word people ever used about me. Obviously came from somewhere like the entire illmob group was, 'Georgia the train wreck, Georgia's a train wreck at every con'.
Georgia Weidman: So I mean I got a very small amount of it. The stuff that came out of those screenshots.
Georgia Weidman: You know I got some hate but you know there are other women in security who are getting it a lot more. And I think you know part of it is that you know I haven't really been vocal on women in tech issues for a long time. I really wanted to 'stay on the party line' if you will. And you know because I knew that nobody, you know, 'the men don't want to hear about that' is a general rule, it's a good way to become the enemy you know as we see in this DerbyCon situation. But you know over time I guess as I've matured as a person I guess I've realized that it's more important than you know being in or trying to be in the cool crowd to try and fix these things for the women who come after me.
Jen O'Daniel: I mean I think we watched, in the Illmob group, I think we watched, you know, someone, who I assume associates herself with them, comment on something that happened to her at a party around one of the cons, and in that group her peers certainly would not want to talk to her too. And I think she was, she appeared to just be giving like that, "Guys, this actually does happen and this isn't like just, you know, made up in people's heads" and got to talk. So it's kind of interesting to watch, but even, I saw you tweet out a picture I think yesterday, of yourself at a book signing. I think Blackhat or DEF CON.
Georgia Weidman: That was at DEF CON.
Jen O'Daniel: DEF CON. Yeah I mean it just seemed like you were - you have this like, I mean, epic book that has a cult following. Right. A lot of people will credit your book with how they sort of got their start in penetration testing, and then I saw the picture, the other two titles of the books that you're really sort of sitting with. And I just thought, well, you're not really in the same category there. So that sort of surprised me too, you're sort of lumped in with like other female authors that maybe weren't talking about something technical.
Georgia Weidman: That's true. I mean I like I said I mean I've kind of for a long time did steer away even from you know some of the women in tech issues. You know for fear I'd be blackballed by the community. Joke's on me, it happened anyway! So you know it kind of opened the door for me to to be more involved in those areas. But yeah I mean I've always been you know very technical but I mean especially in light of stuff like this. I think I do have to raise my voice for women in tech issues more I don't necessarily know if I'm going to write a book about it but maybe a blog post will say.
Jen O'Daniel: What do you think needs to happen at the cons going forward to make it sort of a safer, more friendly environment towards women and minorities?
Georgia Weidman: You know that is the million dollar question and the little you know conversation I had with the DerbyCon founders after you know I gave my tweet and they got mad is you know they're like, 'you know women need to tell us how to fix this'.
Georgia Weidman: And I don't necessarily, you know I personally know nothing about running cons. You know I'm not a great people person.
Georgia Weidman: Maybe that's why I'm technical. I couldn't do it on the best of days or do it well but I definitely think it's going to take more than just you know the women and minorities you know doing the labor of trying to fix this problem. I think it's something that you know we're going to have to all come together and fix. But I'm certainly not going to volunteer to sit on that board because I don't have any ex- I've never even volunteered at a con. I know I'm not good at it.
Greg Otto: I want to back up to something a little bit about illmob, because I've seen some conversation since the Motherboard article came online that the way that this Facebook group runs is they generally talk about infosec things and then there's five or six people that act like assholes and that- and then people rush to defend them and they defend illmob and they say, 'say well OK well that's not everybody, there are assholes and not everybody is an asshole'. Has anybody from the group since the article has come online come out and say, 'well I'm really sorry, I shouldn't have said that'. Have they been conciliatory or apologizing in any sort of way?
Georgia Weidman: I've not seen anybody who has said anything, you know, bad in there come out and say that. I have seen people say they were sorry that they stood by, which I think is important, is that I mean a real part of the rhetoric about it right now is that, like you said, you know, most of it's technical discussion. But I mean if the barrier to getting to see this technical discussion, if you are a woman or minority, is, you know, having to look at this stuff, you know, I mean that's terrible. It just makes it that much harder to get the technical knowledge that you need. But I've not seen anybody say that.
Georgia Weidman: I mean I mentioned that, you know, a couple of people I thought were my friends were on there, you know, talking about me, and you know I said something to them about it and, you know, they act like they didn't do anything wrong. So I mean I think the people who really believe that, you know, women don't belong in infosec or women can't computer or, you know, people who aren't white can't computer, you know, they're gonna take a lot to change their mind. But I think the bigger issue is that so many people stood by and just let it happen, because it doesn't have to be a majority of people who think these sorts of things. I mean look at history, it doesn't start big, it starts small.
Georgia Weidman: So I think we have a lot of work to do.
Greg Otto: Great. So Georgia, also Securiosity. We end every interview with one random question, out of nowhere. But we were talking earlier about horses. So I wouldn't even frame it as a question.
Greg Otto: Just talk to me about this hobby that you have with horse riding.
Georgia Weidman: Hobby is... It doesn't even begin to describe it. It's like a second job now. So actually when I came to the Mach 37 program I was told by one of the advisers that I really needed to do something besides work all the time, because I have a pretty bad habit of burning myself out, and I had ridden horses as a kid, so I decided I would, you know, take a riding lesson and it snowballed and now I have a horse who I love very much.
Georgia Weidman: His name is Tempo but he eats all my money literally all of it. I never buy anything for myself you know, Jen always has nice jewelry and I'm like well, 'Tempo got a new blanket'.
Georgia Weidman: Yeah we uh we compete in local horse shows on the weekends when we can around the startup stuff. I always bring work with me and rarely get it done. Yeah he's wonderful, he's my best friend. Cause he doesn't care you know if I didn't land the deal. You know I didn't you know raise the money from that VC or anything like that. Yeah I absolutely love Tempo to death. So shout out to Tempo.
Greg Otto: Great Georgia, thank you very much for taking the time to talk to us about this.
Jen O'Daniel: Thank you Georgia.
Greg Otto: Really appreciate it.
Georgia Weidman: Thank you. I appreciate it as well.
Greg Otto: So now we're going to talk to Joshua Marpet. Joshua is part of Illmob. And also head of security for DerbyCon. We talked to him about the announcement. We also talked to him about Illmob. And we talk about the scenarios that Georgia spoke about during her interview.
Greg Otto: Check it out.
Greg Otto: OK. Now we are talking to Joshua Marpet from Red Lion consulting.
Greg Otto: Joshua, really appreciate you coming on board to speak with us today. First off talk to us a little bit about Red Lion and what exactly that entails and what you've been doing.
Joshua Marpet: So thank you for having me. Very much appreciate it. Red Lion is our compliance consulting company. Friend of mine, Scott Lyons and myself, decided we could screw up compliance no more than anybody else so we might as well try it. With that we started a company about we're going on three years now and it's been wildly successful and just happy as heck to have it. We do compliance and advisory services so effectively we come in. We do HIPAA, FISMA, FedRAMP, 800-171. We've been doing a lot of advisory services recently which is why we sort of added that to the tagline, if you will, everything from blockchain to cryptocurrency to just cryptography.
Joshua Marpet: Interesting things that are happening in the world, people [are] like, what should I know about this. And we literally have been holding seminars on 'what should people know'. It's kind of interesting. Anyway. So that's what we do.
Jen O'Daniel: So what should people know about blockchain?
Joshua Marpet: Oh OK well so there's a couple of pieces of that. So there's blockchain and cryptocurrency they are very very distinct. Let's be clear on that. Cryptocurrency is based on blockchain in most circumstances. And I'll start having some zealots scream at me about you know acyclic graphs and all this stuff. It's like just just chill for a minute guys. Most cryptocurrency right now is a very very very horrible idea to invest in. If you're using it for fun, any money you want to put in cryptocurrency, my personal opinion, this is just me, count it as Vegas money. You go to Vegas and you have gambling money, that is money you don't care if you lose.
Joshua Marpet: Go for go for broke. Have fun. If it's money you care about like at this point don't take out a second mortgage for bitcoin. Okay seriously. And in terms of blockchain blockchain is a fascinating technology. It's actually brilliant in its own way. Will it however cure cancer homelessness and, no. Come on it's not snake oil. What it is is is quite simply it is you know just it's a technology. It has use cases that it's amazing for and it has plenty of use cases that it is totally the wrong solution for. So if you want to build the next blockchain you know for for for music probably a horrible idea. OK.
Joshua Marpet: Now that being said I should I should qualify with the disclaimer. Scott and I are also building a blockchain based product. So that's still in stealth. I'm not going to talk about it too much but we're utilizing what parts of blockchain are actually great use cases. Again it's a tool. If it's the right use case great. But if you use blockchain like the guy who only has a hammer and sees everything as a nail. That's a problem.
Greg Otto: I agree. I would I would definitely go with there and I have one question about some of the advisory services that you have because we have a lot of listeners based here in D.C. and the FedRAMP stuff. Talk to me a little bit about what you've been doing with FedRAMP because I've been covering FedRAMP I feel like longer than I've actually run CyberScoop so I'd love to hear whether that has sort of matured in your eyes and whether it's matured at all and whether the process has sort of changed for the good because I know that a lot of companies have complained that the process is very very long. So I'm wondering whether that has changed at all in your eyes.
Joshua Marpet: You know it's it's the process has changed because we're seeing more and more providers, CSPs, cloud service providers, actually do a lot of the work for them. Okay providing FedRAMP-compliant hosting, FedRAMP-compliant colocation, FedRAMP-compliant platforms, frameworks, blub, you get the idea.
Joshua Marpet: And in every stage of that model and we're talking cloud for a moment here just just bear with me. For every cloud service provider there whether they're infrastructure as a service, platform as a service, whatever, they're providing a different amount of the services and pieces and bits and bobs if you will of what you need to be FedRAMP compliant. The problem is and I'm just gonna go into a little sort of tangent here. The problem is that a lot of people go oh it's FedRAMP-compliant colocation, I'm done - No try again, because while any compliance standard can sort of and this is really rough this is just something I came up with to explain things. It can be divided into two chunks. One chunk is the datacenter chunk, that's the pieces of the standard the datacenter or the data infrastructure operator has to handle right.
Joshua Marpet: Then there's the chunk that I call the data custodian chunk. The data custodian standards are the pieces that the person who is the custodian of the data, normally the company operating the the application the platform whatever, has to handle. If it's your software those pieces of that compliance standard are yours. So whether you have FedRAMP-compliant colocation doesn't matter for the data custodian pieces, you still have to perform those those pieces of it. Does that make sense. Absolutely. And so that little tangent is to explain that a lot of people are. I'm not going to say getting lazy. But what I'm going to say is they're not thinking it through. They're not thinking through the idea of 'hey I still have work to do' so.
Joshua Marpet: And honestly right now a lot of people are asking what's the right way to put this.
Joshua Marpet: Considering that 800-171 compliance is so bad right now in terms of there's not many companies that are 171 compliant and they're required to be as of, oh I don't know, a year and a quarter ago now, every federal contractor is required to be 800-171 compliant. So do you really think that every place that they need to be FedRAMP compliant they are. Or do you think that every place they need to be FedRAMP compliant to show that they are FedRAMP compliant to a prospect they are.
Joshua Marpet: That was a very very carefully pointed question so that being said I see a lot of companies going for FedRAMP only when they believe that it's going to matter for this contract for this prospect for this agency but they're not doing it as what it was intended to be which is as a matter of course anything that might go government just make it FedRAMP. And it was supposed to be a fairly I'm not going say I'm supposed to be simple but it was supposed to be a a non-threatening compliance standard. You know what I mean.
Greg Otto: Right. Exactly.
Joshua Marpet: And unfortunately because if you say government like like if you say wedding around flowers the price goes up by 10 times you know if you say government around around anything I.T. related that the price just went up and the complexity goes through the roof. It's become a threatening sort of standard. And people are just not willing to go through the trouble. It's not hugely difficult if you're doing the proper compliance standards to make your data private and secure and proper you don't have that far to go to be FedRAMP. But they get scared and so they don't do it unless forced to. That's the wrong attitude and it's not the one that they originally wanted for FedRAMP. I'm sorry and I'm not sure if that really answered your question. I sort of vented there, I apologize.
Greg Otto: No no no no. Hey that's OK. You're not the first person in the world that has ever vented on FedRAMP.
Joshua Marpet: Probably true.
Greg Otto: Right. So with that being said the reason that we wanted to have you on is we know that you have been following the drama so to speak around what has gone on with DerbyCon and the DerbyCon shut down, this being its final year, and sort of the conversation that has developed online particularly around the gr- the private Facebook group Illmob. Yes so I wanted to talk to you. I have to first lead it off by saying I know that you are part of this group but talk to me about your interactions with this group and what you've seen in the wake of DerbyCon being shut down after this year.
Joshua Marpet: Well very bluntly Illmob was - it's no longer there, doesn't exist anymore - Illmob was an industry group that was there and I was a member of it for years. I honestly don't even recall how long I've been in it. And it was there because people were able to find interesting information. It was one of my best sources for who's been breached.
Joshua Marpet: What's what interesting new hacks are out there. Yeah. I mean you find out a lot of this stuff at conferences all the different conferences around the country and world. Interesting new hacks zero days etc. I mean don't get me wrong they're wonderful.
Joshua Marpet: I run one. But it's it's also that on a daily basis it used to be everybody got their information from Twitter but Twitter became a firehose beyond belief. And it was actually hard to filter down and it was really a time suck.
Joshua Marpet: So now I've got a place in a quick Facebook group. I can see oh look you know this company that company this group that group got hacked breached. Here's the password dump I can pull it down I can take a look and see if anybody that any of our clients are in it. I can see if anything's going on I can provide value to my clients. That's useful.
Joshua Marpet: Now in terms of you know the question is oh my god it's a horrible horrible group. And the answer is no not really. Were there a lot of people in it? There were five hundred people in it as I understand, and so 500 people, they're all horrible scumbags? The answer is No. No of course not. In any group of people you have you know effectively a quotient of idiots. Okay. In any group of people I don't care. Every single person on this podcast listening to this podcast near someone listening to this podcast knows an idiot in their friend group.
Joshua Marpet: OK let's just be clear on that. When I went through police academy one of our instructors looked around and said look guys you're all cops now. You all have dumb ass friends you've got to be careful with them because you're cops. OK. And the truth is simple. Everybody has dumb ass friends. All right. Idiot friends call them what you will.
Joshua Marpet: And so did some of these people make horrible statements online. Yes. And in a closed Facebook group it's a place where we can say hey that was probably not right. Do you really want to say it that way. And sometimes some of them would go Yeah. You know I vented I raged I was upset and that sucked and I'm sorry.
Joshua Marpet: And some of them didn't. But like am I supposed to abandon the group because of one two three four people. Maybe. Am I supposed to abandon access to that information, am I supposed to abandon access to the four hundred and ninety six other people who were in the group.
Joshua Marpet: Give me a break. That's ridiculous.
Jen O'Daniel: So, Josh I know I get your perspective but then you know you're part of my Mach 37 family, as is Georgia. And you know certainly we saw Georgia get commented on in sort of a negative way within that group. Yep and she's your extended family given the Mach 37 connection. What were your sort of thoughts on that?
Joshua Marpet: What you don't see is, because the screenshots that were taken were extraordinarily focused shall we say, were times that I went hey hey hey chill. That's that's not bad behavior. You're seeing her through sort of the opposite of rose colored glasses if you know what I mean. So I'm sure everybody who's been in a relationship where at times you're annoyed with your significant other and everything they do, they can breathe and it annoys you. You know what I mean.
Jen O'Daniel: Yeah.
Joshua Marpet: So there are times when some of these people would be like, "aaaaah", and it's like really? She walked across the hall and I'm making it up. You get the idea. Yeah like seriously chill.
Joshua Marpet: And that was the case sometimes.
Jen O'Daniel: I'm gonna jump us out of discussion on Illmob for just a second. Sort of back to DerbyCon. So I mean you're a conference organizer of BSides Delaware, where I imagine that you have come across sort of the same problem, similar complaints that I imagine DerbyCon has seen over the years.
Jen O'Daniel: For your perspective why do you think DerbyCon actually is in their last year and then maybe your thoughts on how again I assume that you know BSides Delaware faced similar things right?
Joshua Marpet: At any conference, heck at any group or gathering of people there's going to be some kind of drama whether it's you know and at every conference you've been to whether it's financial whether it's venture capital whether it's infosec whether it's you know a family reunion there's there's always you know Aunt Mary or Uncle George who who has a couple of extra drinks and causes some drama right and I'm not claiming that that's what happened. I'm just explaining that this is a normal thing. Now the smaller the group the less likely it is to cause drama. Let's be blunt. BSides Delaware is about 500 people. DerbyCon is about twenty five hundred people. So again I go back to my point that there are idiot friends in every group and idiots in every group. And the more the more people you have the more of those you'll have in that group.
Joshua Marpet: Right. So at DerbyCon we had some drama happen and let's be blunt it was drama and was it wrong. No I'm not saying that. I'm not saying it was wrong or right or justified or not.
Joshua Marpet: I'm just saying it was drama.
Jen O'Daniel: What specific drama are we referring to here around DerbyCon?
Joshua Marpet: Oh it just in general the DerbyCon this past year we had a couple of people get drunk at night and we had to work on them. We had somebody get you know somebody who got transported to the hospital and it was a medical issue wasn't drinking or anything like that but it was just like you know just getting briefed on that in the morning is terrifying. You know what I mean and there's all sorts of things that go on.
Joshua Marpet: But I mean effectively if it's not fun why are we doing the conferences and that's kind of the point we don't make money on these things, trust me. Oh dear God. We don't make money. I could probably count on the tens of thousands of fingers how many dollars we're out for BSides Delaware over the years. Let's let's put it this way, in the eighth or ninth one, we just had the ninth one in November, is the first time that we actually broke even effectively. If I recall correctly. OK so four years before that we were out thousands of dollars a year to run that conference but you know for some kids it's their Christmas. It's their it's their New Year's. We can't stop so yeah it's it's it's difficult. And I think that this the DerbyCon got to the point where it wasn't fun and that's why Dave said I'm done.
Greg Otto: So on that and this can just be in your professional opinion since you do happen to run events. Is there anything that could have been done to necessarily refrain from pulling the plug on this because was there anything else in prior DerbyCons that would lead you guys to just throw your hands up and go this isn't worth it anymore. Because I feel like it to me in my opinion and I do not know all the background I will say that off the top. It sounds like this is a little bit of a cop out because I do feel that yeah it's supposed to be fun.
Greg Otto: But don't you think that there could have been something else done that could have kept the con running and kept the fun running and it didn't have to result in everybody losing out because five or 10 people were causing drama in whatever way they were causing it.
Joshua Marpet: Absolutely absolutely something could have been done. But it's not the question of if it could have been done. The question is is it worth it to the con organizers to do it. Look when you're running a business OK you have something called opportunity cost. And when I am I have to balance that opportunity cost of the time I spend running the conference handling the conference writing up policies for the conference doing all these things versus the you know the business I could be running. And my guess is and this is just my personal guess is that that opportunity cost calculation just well. OK. Without the level of fun that it is without the level of interest and excitement and fun again I'm sorry I'm repeating myself that opportunity cost calculation goes you know what. Not happening anymore.
Joshua Marpet: So yeah. Could there have been stuff done. Absolutely. There could have been stuff done. We could run DerbyCon another year no problem. We could run DerbyCon you know another ten years. Well I don't know about that. That's pretty far in the future. Not that I'm saying we couldn't. I'm just saying I can't predict you know what I mean but is it something that meets that calculation.
Joshua Marpet: Look Jen at Mach 37 I learned the only thing that is priceless is time. You don't get any more so you have to balance what you're doing. I decided to be on this podcast. This takes a half an hour of my time or an hour of my time or how long we go. You know earlier today I've been on the phone most of the day. My butt hasn't left this chair except for about 45 minutes to snarf food and cuddle my little one because my wife is sick.
Joshua Marpet: So I mean you know it's it's a calculation every time and I decided this podcast was worth it because Jen I know you and you only do things that are worthwhile.
Greg Otto: You're a very shrewd calculator and you do things that are interesting and worthwhile. I'm like It's Jen I'm going to do it. Period end of story.
Jen O'Daniel: Oh thank you.
Joshua Marpet: So you're welcome.
Greg Otto: I mean can we talk about the Illmob stuff again just real quick because I want to get your opinion on sort of the way you've seen just the conversations going in that group overall because look I am not part of the group but I was given an array of screenshots and conversations that went into the group and it reminds me of the way that GamerGate started in that it talked a lot about at least the framing in GamerGate was this wasn't about a gender thing.
Greg Otto: This was about quote 'ethics in gaming journalism' and I see some of the parallels there in some of the comments in the Illmob and what's going on particularly towards some of the women in saying OK this isn't about just gender.
Greg Otto: This is about the meritocracy and then not having the skills to be on par with the rest of the community. And I wanted to get your thoughts on that and whether that whether you see that as the same way or am I just wildly off base.
Joshua Marpet: So that's an interesting point you raise and I'm going to I'm going to sort of boil it down a little bit. If you have a group of very very highly skilled people talented skilled a little crazy people. OK hackers right. And you say I'm going to bring a whole group of people in that aren't as skilled, they're gonna look down on them whether they're male female green purple African-American white. Doesn't matter. Okay.
Joshua Marpet: If you tell them these people over here are just as skilled as you or even more skilled and you can learn from them they're going to look up to them whether they're male female green purple African-American white. Doesn't matter. It's literally that simple.
Joshua Marpet: Now if you want to tell me that there's people in that group that didn't like women I'll probably tell you you're right. If you're gonna tell me that there's people in that group that didn't like men I'll probably tell you you're right. I don't know.
Joshua Marpet: I'm not going to say that I knew all five hundred people in there intimately down to a psychological level, if you know what I mean. What I'm going to tell you is that there were some people that put some unpleasant things in discussions.
Joshua Marpet: Most of those discussions I stayed away from. Some of the discussions I got into. There's there's one that I was talking to a gentleman about. You know he's like, "If somebody did that to my wife I'd slap them". I'm like, "Your wife is a very capable lady. You wouldn't slap them. She would, OK you wouldn't need to. She'd take care of it and then tell you about it later." And that made him feel better because like, "Yeah you're right my wife is extremely capable".
Joshua Marpet: I mean you know there's things that. (Sigh) Look it's not about - For some of them, it might have been about women. I absolutely I don't have any argument there. For the most of them it was about a specific individual whether male or female.
Joshua Marpet: I mean ask anybody in infosec, a serious person in infosec, about Gregory Evans, the self-proclaimed number one hacker in the world. They'll tell you, after they finish falling off their chair laughing, you know, they'll tell you he's not. OK. He's male. He's just not at that level.
Joshua Marpet: My point is, are there people that hate women in there. Probably. Are there other people that hate, name any race, creed, color, doesn't matter. Yeah. Probably. Were there people that espoused some of that. Yes OK.
Joshua Marpet: And the rest of us went "Dude. Lady. Seriously you know, stop that, it's rude."
Greg Otto: I would push back on that because I - I - I'm not I'm not calling you specifically out but I mean the group overall, I didn't see a lot of pushback and I get the sense that there wasn't a lot of pushback from other people that I talked to there and I think that's why so many people are (?).
Joshua Marpet: Let me let me ask you a question. Where do you get that impression?
Greg Otto: That impression that I got came from the fact that I talked to sources that were in the group and I also saw screenshots that were in the group particularly around these conversations and I didn't see any of that blowback from the group that said "Whoa, that that's not OK. Don't don't do that don't get down in the muck and start talking about people like that". It would be one thing.
Joshua Marpet: I know I did.
Greg Otto: Yes I know you did not do that. I'm talking collectively.
Joshua Marpet: No no no I'm saying I did. I did go and say, "Hey stop that that's rude. Don't say those things don't do that don't say those things don't be rude like that". "Don't be an asshole" is what I actually would say.
Jen O'Daniel: So. I don't know exactly what thread this was on but I certainly saw a thread where a group of people were going after someone, I don't remember who it was, and then I saw a comment from you that wasn't really in defense of anyone other than - actually it was in defense of the people saying the bad things - it was like hey what they're mad about is that they waited X weeks or X months after whatever conference this subject was to come out and say they were harassed versus like (?)
Joshua Marpet: Yeah it's it's if I know the comment you're talking about it's it feels weird seeing a report of a criminal act three weeks after the conference on Facebook. It's very unusual in my opinion and in my experience. I've dealt with significant numbers of people who have been harassed, attacked, and it's not pleasant. It's very common that people delay reporting. I get that. They don't want to make it public. They they they they don't want to be like open about it if that makes sense.
Joshua Marpet: But it's very unusual to delay reporting and then do it on Facebook. That's in my personal experience. I do not claim to be an expert. This is just my personal experience but I've dealt with people with that kind of issue before and I've never seen the reporting done that way if that makes sense.
Joshua Marpet: You know somebody who holds onto something to report to to hold onto it and report about it later if they ever do. Some people never do. Let's be honest and it's horrible.
Joshua Marpet: They should nev- First off it should never happen. Nobody should be harassed. Nobody should be assaulted. Nobody should be taken advantage of. It's horrifying. But if somebody is and then they don't report it, to me, what I have seen in my experience is that they'll either report it to - and not necessarily report it but talk about it - to someone they trust, a psychologist, a sibling, a parent, a very very close friend slash confidant, or they'll go to the police. Normally if somebody can convince them to do that.
Joshua Marpet: But it's very rare to have it happen and be out on Facebook. I've seen some people have the mental fortitude and strength and I respect them immensely that they come right out after it happens with with sort of a you know here. This is what happened and it's public and it's blatant and it's you know and it can be on Facebook. But in my experience it's rare that the two coincide. In other words delay reporting and then put it on Facebook. That was strange to me and that's what I pointed out. Again I'm not an expert.
Jen O'Daniel: I'm going off of my personal experience so you know another one of our Mach 37 family members, I actually think from your cohort, Marcus Carey, tweeted earlier this week sort of being discriminated against in the community. What could we be doing to sort of change it. So things like that don't happen. I mean Marcus is not somebody that I would even consider for a moment that not everything that comes out of his mouth is true.
Joshua Marpet: Marcus is an incredibly ethical person. I love him dearly. He's a great guy. Marcus absolutely has been discriminated against. He's talked to me about it before. Vyrus who is another African-American male in the infosec community who's been discriminated against. And you know Danyelle Davis who's a good friend of mine, Lady Nikon, she just tweeted or sorry Facebooked, I think about how. And by the way she was another member of Illmob. How she's been discriminated against in the community and you know things like that.
Joshua Marpet: And so what can we do to make it better. We can make the availability of knowledge and information more extensive and more available and more free so that it's easier for people to get into it. But you know that's not enough. You can't just leave it there and expect people to find it. You have to lead them to it and go look look opportunity, "Grab it man, grab it lady. Grab on! You know".
Joshua Marpet: And so to that end, you know there are things like, you want to make sure that you're making these things not just available but that you're pushing the knowledge that they are there out, which is why we have a conference in Delaware which is typically a very low income state and has a high proportion of - We hold it in Wilmington, which is I think - don't quote me on this - eighty percent African-American, and we get significant amounts of people from various minorities and obviously multiple genders to show up and be there.
Joshua Marpet: We love when we can get the students from the local colleges all the way down to the students from the local high schools. And we've had them, we've had local high schools bring groups to come in and be part of the conference. It's why we have such a big spawn camp. I don't know if you've heard of our spawn camp.
Greg Otto: I have not.
Joshua Marpet: We have spawn camp which we love. It's awesome. We get about like 70 or 80 kids every year ranging from 3 to... And then they can come younger than that if they want they're just not gonna get much out of it, you know. All the way up to high school and we have god I forget we have like seven potato clocks you know. You plug the pins into the potatoes and it powers the clock type of thing. We have snap circuits which the kids freaking love. We've bought either five or 10 pounds of Legos. You can buy Legos bulk on eBay. Really awesome. Did not know this. Terrifyingly bad for for for my budget but amazing for my little one. Let's put it that way. And we have Raspberry Pis where we teach them to program in Scratch and we let them play Minecraft and we we have fun with it you know. But yeah every year we have 70 or 80 kids.
Joshua Marpet: That's one of the reasons we hold it on a college campus every year. It's a dry campus. There's no alcohol allowed at the conference. OK. It makes it very easy for the parents, for the kids, for everybody there. We're a very family friendly conference. People fly from across the world to come to our conference. Weird. Never thought it would happen but hey I'm not going to complain. We're really proud of it.
Jen O'Daniel: So why do you think that given that I think everybody sort of recognizes there are some discrimination within the infosec community, like really most communities. Why do you think a group like Illmob exists where people are making such negative comments and everyone who reads them doesn't jump on it to be like, "Hey, don't say things like that".
Joshua Marpet: Well I think you have two questions there. Well let me answer them both. The first one was "Why does Illmob exist". And the second one was -.
Jen O'Daniel: I got your explanation from the beginning, I know you guys you know do some really interesting work. And you were saying earlier there is some subset that are bad actors.
Joshua Marpet: Some of them are just frustrated.
Jen O'Daniel: But it seems like some of the guys that raised eyebrows. I want to not kick them now. Why not?
Joshua Marpet: I want to I want to actually point out a couple of things. While very few people are what you might consider. Well, kind of bad actors. Quite a few of them are just very frustrated. Tell me where it's safe to vent. About a boss.
Jen O'Daniel: Not on Facebook or someone could take screenshots and tweet them out.
Joshua Marpet: In a closed secret group. Yeah I recognize that that did happen.
Joshua Marpet: But for a long time in a closed secret group it was safe.
Joshua Marpet: You know, it only got tweeted out or put out there because there were some of that bad stuff going on and that caught the attention of people that could make money on that or could you know do unpleasant things with it. I mean the screenshots got tweeted out because of a reporter OK. And that reporter, you know, was not supposed to do that but yeah the reporters do what reporters are gonna do.
Joshua Marpet: Where can you vent about your boss? Where can you vent about the people you work with? Where can you vent about...? You know, we all live in cyberspace. It's not like we go to a bar and call out "Hey Norm". And vent to the guy next to me who has no connection with my business. Quite literally a lot of the stuff we do we can't talk about you know.