Security Twits Vegas meetup

The SecurityTwits Meetup will be Tuesday, July 24th from 9:00 PM (originally 8:00 PM) until around midnight in suite 1032 at Caesars Palace. A HUUUUUUUUGE thanks to Rocky DeStefano and Visible Risk for stepping up to sponsor and host the event…and to supply alcohol and food.

What is a Security Twit?

Are you an information security professional? Or are you involved in the information security space in any capacity? Then you are a security twit. Well, at least you are if you are active on Twitter.

Who can attend?

The meetup is open to security twits and their guests. Midgets, escorts, and other acquaintances you’ve made in Vegas will be considered on a case by case basis.

Do I need a ticket? Do I need to be on the list?

No. But please RSVP via Eventbrite to help with planning the amount of alcohol and food to purchase.

How can I help?

Contact @stevewerby if you have any ideas about how we can make the meetup better. Or how we can ensure that hotel security doesn’t shut it down early. Or how we ensure they do. Also, please spread the word via Twitter, Facebook, Google+…Pinterest and every other conceivable mechanism available to you. Tweet Join us at the @SecurityTwits meetup Tue 8 PM at Caesars! Hosted by @visiblerisk. http://bit.ly/OSwMtB #securitytwitsmeetup.

Who should I thank for organizing this?

@jasonmoliver got the ball rolling by asking @securitytwits about a meetup. Since @securitytwits wasn’t organizing one this year, I put some feelers out and @rockyd volunteered to help make it happen.

How do I become an official SecurityTwit?

See the instructions for joining. The page also describes the history of SecurityTwits, lists members and answers all of life’s mysteries.

Update 7/23/12 16:44 (Vegas time):

The meetup start time has been changed from 8:00 to 9:00. Rumor has it this was the request of the NSA. Or because there was a problem with the tiger rental company. Maybe both.

Update 7/23/12 21:32 (Vegas time):

There have been 96 Security Twit reservations, 3 midget, escort or exotic dancer reservations, 1 Sexy Sax Man Sergio Flores reservation (sold out – sorry!), and 1 Gregory Evans registration (sold out – sorry!).

Craft beer and homebrew Vegas meetup

What?: Drink craft beer and homebrew with people who appreciate good beer
When?: Saturday, July 28, TBD (late evening / early night start) [Will be updated when finalized]
Where: See “When?”

Las Vegas may cater to a plethora of vices, but it does not cater to the craft beer drinker. With tens of thousands of people descending on Sin City from across the U.S. and all over the world for Black Hat, Defcon and BSidesLV, let’s rectify that by getting together to drink craft beer and homebrew. I’ll kick things off by listing a subset of the beer I’m bringing (I’ll also be bringing some homebrew and beers from outside of Texas).


  • Adelbert’s Naked Nun (Witbier) [Austin, TX]
  • Real Ale Anniversary Ale XV Russian Imperial Stout [Blanco, TX]
  • Real Ale Full Moon Pale Rye Ale [Blanco, TX]
  • Real Ale Rio Blanco Pale Ale [Blanco, TX]
  • Real Ale Brewhouse Brown Ale [Blanco, TX]
  • Saint Arnold Endeavor IPA (Double IPA) [Houston, TX]
  • Saint Arnold Homefront IPA [Houston, TX]
  • Ranger Creek La Bestia Aimable (Belgian Strong Dark Ale) [San Antonio, TX]
  • Ranger Creek Mesquite Smoked Porter [San Antonio, TX]
  • Ranger Small Batch Series #1: Oak-aged Rye Oatmeal Pale Ale [San Antonio, TX]


  • Freetail Buffalo Hump 1840 (Belgian IPA) [San Antonio, TX]
  • Freetail Old Bat Rastard (Winter Warmer) [San Antonio, TX]
  • Freetail Broken Treaty (Extra Strong Bitter) [San Antonio, TX]
  • Freetail Ananke (American Wild Ale) [San Antonio, TX]
  • Rahr Pecker Wrecker (Imperial Pilsner) [Fort Worth, TX]
  • Jester King Mad Meg Farmhouse Provision Ale [Austin, TX]
  • Jester King Noble King Hoppy Farmhouse Ale [Austin, TX]
  • Jester King Farmhouse Wytchmaker Rye IPA [Austin, TX]
  • Jester King Black Metal Farmhouse Imperial Stout (Russian Imperial Stout) [Austin, TX]
  • Jester King Boxer’s Revenge (American Wild Ale) [Austin, TX]

So, you want to know where and when, right? At this stage, that’s to be determined, but the meetup will happen. I didn’t try to find out if there was any interest until I tweeted about this tonight, so the details still need to be worked out. There’s already good early interest from Josh Sokol (@joshsokol), Pedro Munoz (@m00nyos), Joseph Sokoly (@jsokoly), and Larry Whiteside (@LarryWhiteside) and some others who’ve contacted me directly.

If you’re interested in attending the craft beer and homebrew meetup, post a comment to this blog entry, DM me on Twitter, email me at HASHTAGBELOW@justifiableparanoia.com, or tweet using the hashtag #defconbeermeetup. Let me know if you plan on bringing beer (optionally what kind), what evenings/nights work for you and if you’d like to bring anyone else. This is only for logistics planning purposes. Also, if any of you are willing to host the event or have suggestions on location, let me know.

Check back here Monday for more details or follow me (@stevewerby) or the hashtag on Twitter.

Update 7/23/12 21:41 (Vegas time):

I packed a couple of boxes this morning with around 30 beers, mostly bombers. In addition to the beers above, I packed some homebrew and some beers from Virginia (Starr Hill and Hardywood) and Delaware (Dogfish Head). I was going to check the beer, but a generous local infosec professional offered to drive my beer to Vegas. It will arrive Wednesday. @m00nyos is bringing some beers from the San Francisco area.

Update 7/26/12 16:22 (Vegas time):

@pmelson flew in from Michigan and brought some beers. The meetup will be Saturday, July 28, time TBD, but we’re looking at starting late evening or early night. If you have a location to suggest or room to offer up, please let me know. Otherwise it’ll be my room in the Rio.

If you’re interested in attending the craft beer and homebrew meetup, DM me on Twitter, email me at HASHTAGBELOW@justifiableparanoia.com, or tweet using the hashtag #defconbeermeetup. Let me know if you plan on bringing beer (optionally what kind).

Update 7/28/12 14:12 (Vegas time):

The meetup will be tonight from 7 PM to 9 PM in a room on the 30th floor of the Masquerade Tower at the Rio. DM me for the room #. There will only be so much beer so if you don’t know me IRL or online, you may need to make a good snarky and entertaining case for yourself.

A huge thank you to @topsnooper for driving my beer just over 959 miles so I didn’t have to pack it in checked bags and lug them around. A desk during Defcon is good for *something*. More beer will be joining it tonight.

An analysis of Attrition’s shipment

When I got home Wednesday I was greeted by a box shipped by Jericho from Attrition. My memory is a little foggy from my late-night July 3rd visit to downtown Denver, but I’m pretty sure it was payoff for a bet to see who could climb to the top of the Big Blue Bear the fastest. Or maybe I told him I’d give him money in exchange for Lazlo shirts. Who can be sure?


After I managed to get Mr. Wiggles out of the box, I poured myself an imperial stout and inspected the contents.


This is a comprehensive inventory of the box’s contents (item count in square brackets):

  • Attrition Lazlo chainsaw t-shirt [15]
  • Attrition Defcon 20 badge [1]
  • DataLossDB t-shirt [1]
  • Nessus t-shirt [1]
  • Attrition Lazlo sticker [19]
  • SECore.info sticker [4]
  • OSVDB sticker [5]
  • DataLossDB sticker [2]
  • Attrition rubber bracelet [5]
  • J Crew button envelope…containing 2 buttons [1]
  • Plastic card with “INTENTIONALLY BLANK” on the front and nothing on the back [1]
  • Courtyard by Marriott room access key [1]
  • Attrition business card [1]
  • Ninja paratrooper [1]
  • Tenacity Solutions ball [1]
  • Core Security ball [1]
  • RSA pen [1]
  • Shavlik pen [1]
  • HACKER conference badge sticker [1]
  • McAfee card with USB dongle [1]
  • Victoria’s Secret rewards card [1]
  • W Hotels condom [1]
  • Scarlett’s Cabaret VIP pass [1]
  • MTA Metrocard [1]

That’s 68 items. I find anything less than 70 mildly insulting, but he gave me a couple of items at RVAsec in June and another item in Denver a few weeks ago so no worries.

Favorite item: Attrition Defcon 20 badge. @MakeItUrz did an awesome job with this badge. I just have to get it back from the cat.

Exploiting my OCD: 19 Attrition stickers? 19? Really!? Couldn’t Jericho have added a 20th so I could form a nice 4×5 grid?

Got my hopes up: Victoria’s Secret rewards card. Customer support told me it has no value. Liars!

Learned something new: The 954 area code is in southern Florida. Thanks for making me smarter, Scarlett’s Cabaret VIP card!

What, I’m not special enough for a gray one?: 5 black Attrition bracelets, but not one of the coveted gray bracelets. So, that’s how it’s going to be, eh!?

Should I trust it?: W Hotels condom. It expires June, 2015. Very nice. And it’s effective against pregnancy, AIDS and other STDs. What about APTs? Being manufactured in Thailand concerns me. And a man giving me a condom as a gift is…well…please keep Jericho away from me late at night in Vegas.

Thanks for the stuff, Jericho! If you’re attending Black Hat, be sure to catch Jericho’s talk, Errata Hits Puberty: 13 Years of Chagrin, July 25th at 3:30. If you aren’t attending, you can peruse his slides from his inaugural presentation of it at RVAsec in June.

2nd annual Security Twits NCAA tourney bracket contest

I created an NCAA basketball tournament bracket contest on Yahoo for members of the information security community. The winner gets bragging rights until next year (@rogueclown, your reign is almost up!), as well as a yet-to-be-determined prize (still owed to the very patient @rogueclown for her 2011 victory). The scoring format is a traditional 1/2/4/8/16/32 format with a twist – a bonus equal to the difference in seeds for each game in which you pick a lower-seeded winner.

To participate:

  1. Go to the tournament page.
  2. After logging in, click “Join Group”.
  3. Enter Group ID 178984.
  4. Enter the password.

Since you’re a member of the information security community, I can’t just give you the password, right? You’ll have to guess it. It consists of lower case letters and numbers, with no spaces…and all 4 parts of the password are information security related.

  1. Part 1 – Short name of widely used app currently being targeted in 0-day attacks (also first name of Sci-Fi comic strip hero with last name “Gordon”)
  2. Part 2 – Worm that targeted Siemens SCADA systems in Iran
  3. Part 3 – Last name of former employee of HBGary Federal who isn’t all that anonymous (see what I did there!?)
  4. Part 4 – The number of minutes it takes LIGATT to train anyone to be a computer hacker

In case you’re still scratching your head…and are willing to admit it, DM me on Twitter…or send me smoke signals and I’ll tell you the password.

Your final picks must be submitted by the scheduled tip-off time of the first game in the tournament on Thursday, March 17 (the 4 play-in games on March 15 and March 16 aren’t part of the contest).

The fine print:

And did I mention you have to be a member of the information security community to enter? To be eligible to win, I must be able to verify that you’re a member of the information security community. No more than 1 entry per person. Compromising the commissioner’s computer, compromising the commissioner’s account and exploiting vulnerabilities in Yahoo to do anything to affect the outcome of the contest are strictly prohibited. ;-)

The infosec QOTD: Famous quotes re-imagined (2010-05)

Date Re-imagined Quote
2010-05-13 “Your attackers have not failed. They’ve just found 10,000 ways that won’t work.” -Thomas Edison
2010-05-06 “All hackers by nature desire knowledge.” -Aristotle
2010-05-05 “I asked for WPA2, I got WEP. How’s that for being born under a bad sign?” -Ferris Bueller (from Ferris Bueller’s Day Off)
2010-05-04 “I find your lack of antivirus disturbing.” -Darth Vader (from Star Wars)
2010-05-03 “To succeed in information security it is necessary to make others see things as you see them.” -John H. Patterson

The infosec QOTD: Famous quotes re-imagined (2010-04)

Date Re-imagined Quote
2010-04-28 “The best remedy for a short password is a long passphrase.” -Joseph Joubert
2010-04-27 “Pray that DoS attacks will not come any faster than you are able to endure them.” -Nnamdi Azikiwe
2010-04-26 “A wise man changes his password, a fool never will.” -Spanish Proverb
2010-04-15 “The things most people want to know about are usually trivial to find on Facebook.” -George Bernard Shaw
2010-04-14 “What the world requires of naive users is that they should continue to be naive users.” -Albert Camus
2010-04-13 “A hacker who is not dangerous is unworthy of being called a hacker at all.” -Oscar Wilde
2010-04-12 “Fear is pain arising from the anticipation of a data breach.” -Aristotle

Security Twits NCAA tourney bracket contest – winner!

The Security Twits NCAA tourney bracket contest is over. And the winner is @rogueclown (AKA Nicolle Neulist)! @rogueclown DESTROYED her competitors by correctly picking Duke to win it all. Ugh, Duke. @jfug barely edged out @ramblinpeck for 2nd place. @stevewerby (yours truly) was a measly point behind. And @theharmonyguy and @infosecjerk probably wish I didn’t post this.

So until next year, @rogueclown has bragging rights. And I owe her “a yet-to-be-designed but guaranteed-to-be-awesome t-shirt” (it’s on my to-do list…but it could be several weeks…or more).

Security Twits NCAA tourney bracket contest

I created an NCAA basketball tournament bracket contest on Yahoo for members of the information security community. The winner gets bragging rights until next year, as well as a yet-to-be-designed but guaranteed-to-be-awesome t-shirt.

The scoring format is a traditional 1/2/4/8/16/32 format with a twist – a bonus equal to the difference in seeds for each game in which you pick a lower-seeded winner.

To participate:

  1. Go to the tournament page.
  2. After logging in, click “Join Group”.
  3. Enter Group ID 82792.
  4. Enter the password.

Since you’re a member of the information security community, I can’t just give you the password, right? You’ll have to guess it. It consists of lower case letters and numbers, with no spaces…and all 4 parts of the password are information security related.

  1. Part 1 – Something that’s in the sky
  2. Part 2 – The 2010 information security acronym du jour
  3. Part 3 – The mascot of attrition.org
  4. Part 4 – The number of security risks found in the 2010 OWASP Top 10

In case you’re still scratching your head…and are willing to admit it, DM me on Twitter…or send me smoke signals and I’ll tell you the password.

Password hints added 2010-03-17:

  1. Part 1 – It’s fluffy and it’s stealing your org’s data
  2. Part 2 – It’s an anagram for an androgynous fictional character from the 1990s
  3. Part 3 – Really? Really?
  4. Part 4 – Really? Really?

Your final picks must be submitted by the scheduled tip-off time of the first game in the tournament on Thursday, March 18 (the play-in game on March 16 isn’t part of the contest).

The fine print:

And did I mention you have to be a member of the information security community to enter? To be eligible to win, I must be able to verify that you’re a member of the information security community. No more than 1 entry per person. Compromising the commissioner’s computer, compromising the commissioner’s account and exploiting vulnerabilities in Yahoo to do anything to affect the outcome of the contest are strictly prohibited. ;-)

The infosec QOTD: Famous quotes re-imagined (2010-03)

Date Re-imagined Quote
2010-03-24 “Nothing is more difficult, and therefore more precious, than to be able to change users’ behavior.” -Napoleon Bonaparte
2010-03-22 “They’ve done studies, you know. 60% of the time antivirus software works, every time.” -Brian Fantana (from Anchorman)
2010-03-18 “Data loss happens to everybody sooner or later if there is time enough.” -George Bernard Shaw
2010-03-17 “A person who never made a mistake never tried writing code.” -Albert Einstein
2010-03-15 “FUD is the art of convincing people to spend money they don’t have for security solutions they don’t need.” -Will Rogers
2010-03-12 “We do not quit hacking because we grow old, we grow old because we quit hacking.” -Oliver Wendell Holmes
2010-03-11 “It’s hard to beat a hacker who never gives up.” -Babe Ruth
2010-03-10 “It is an unfortunate fact that we can secure critical infrastructure only by preparing for cyberwar.” -John F. Kennedy
2010-03-09 “What we’ve got here is a failure to remediate.” -Luke (from Cool Hand Luke)
2010-03-08 “You can avoid security, but you cannot avoid the consequences of avoiding security.” -Ayn Rand
2010-03-05 “I can’t believe I gave my password to a geek.” -Samantha Baker (from Sixteen Candles)
2010-03-04 “From there to here, and here to there, vulnerable things are everywhere.” -Dr. Seuss
2010-03-03 “The elevator to security is out of order. You’ll have to use the stairs…one step at a time.” -Joe Girard
2010-03-02 “IT security is like war – offensive weapons are developed first and it always takes a while for the defense to catch up.” -Red Auerbach
2010-03-01 “The pain of the exploit is worse than the pain of the patch.” -Publilius Syrus


We will, we will RockYou: A list of firsts

Last December, a hacker acquired the password list for RockYou by exploiting a SQL injection vulnerability which revealed the usernames, email addresses and passwords of a whopping 32.6 million users. And worst of all (besides the company’s attempt to first cover up the incident, then downplay it), the passwords were stored in plain text! Not that hashing would have slowed an attacker down much. Most users’ passwords consisted of short, common words or were all-numeric.

I ranked the 14.3 million unique case-sensitive RockYou passwords by frequency and reviewed the top 2,000 uniques (accounting for 4.7 million users’ passwords) to identify the top passwords by category, some of which are shared below.

Eminem is more popular than Jesus as a password for RockYou users? Who knew? 7,241 users chose “eminem” versus 5,866 who chose “jesus”. When case-sensitivity is ignored the same holds true: 7,594 users across 7 variations of “Eminem” versus 6,449 users across 9 variations of “Jesus”.

Category | Password | Rank
Numeric sequence | 123456 | 1
Passphrase | iloveyou | 5
Female name | nicole | 11
Male name | daniel | 12
Animal | monkey | 14
Fictional character | tigger | 25
Food | chocolate | 27
Sport | soccer | 29
Color | purple | 33
Profanity | fuckyou | 39
Palindrome | hannah | 50
Magazine | playboy | 59
Slang | hottie | 62
Entertainer | eminem | 75
Religious figure | jesus | 103
Place | america | 121
Non-English word | sakura | 114
Band | blink182 | 165
Website name | myspace | 182
Non-English passphrase | mahalkita | 198
Month | september | 200
Zodiac sign | gemini | 211
Company name | samsung | 255
City | barcelona | 273
American city | orlando | 275
Country | portugal | 301
Auto manufacturer | mercedes | 353
Repeating letter sequence | aaaaaa | 374
Sports team | steaua | 400
Drink | cocacola | 471
Sports team (American) | lakers | 480
Musical instrument | guitar | 550
Celebrity (female) | shakira | 569
Drugs | maryjane | 597
ALL-CAPS | PASSWORD | 800
Contains special character | iloveyou! | 984
First letter capitalized only | Password | 1856
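The frequency ranking, the case-folded comparison (“Eminem” versus “Jesus”) and the structural categories in the table can all be reproduced with a short script. The block below is an added example, not code from the original post, and it runs over a small constructed corpus rather than the RockYou list; the function names and the sample passwords are mine. Content categories such as “female name” or “band” need word lists and are left out, so `classify` covers only the structural ones.

```python
from collections import Counter
import string

# Constructed sample corpus, one password per line, shaped like a leaked
# plain-text dump. The values are invented for illustration only.
SAMPLE_PASSWORDS = """123456
123456
123456
iloveyou
Iloveyou
ILOVEYOU
eminem
Eminem
eminem
jesus
Jesus
hannah
aaaaaa
PASSWORD
Password
iloveyou!
123456
monkey
""".split("\n")


def rank_passwords(passwords, case_sensitive=True):
    """Return [(password, user_count)] sorted by descending count.

    With case_sensitive=False, variants that differ only in case are folded
    together under their lower-case form, which is how the post compares
    all spellings of "Eminem" against all spellings of "Jesus".
    """
    counter = Counter()
    for pw in passwords:
        if not pw:
            continue  # blank lines (e.g. the trailing newline) are not passwords
        counter[pw if case_sensitive else pw.lower()] += 1
    # Sort by count descending, then alphabetically so ties are deterministic.
    return sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))


def variants(passwords, target):
    """(number of distinct case variants of target, users using any of them)."""
    lowered = target.lower()
    forms = Counter(pw for pw in passwords if pw and pw.lower() == lowered)
    return len(forms), sum(forms.values())


def top_n_coverage(ranked, n):
    """Fraction of all users whose password is among the top n unique ones."""
    total = sum(count for _, count in ranked)
    return sum(count for _, count in ranked[:n]) / total


def classify(pw):
    """Structural categories from the table that can be detected without
    word lists: numeric, repeating, all-caps, first-letter-capitalized,
    special-char, palindrome. A password may fall into several."""
    cats = []
    if pw.isdigit():
        cats.append("numeric")
    if len(pw) > 1 and len(set(pw)) == 1:
        cats.append("repeating")
    if pw.isalpha() and pw.isupper():
        cats.append("all-caps")
    if pw.isalpha() and pw[0].isupper() and pw[1:].islower():
        cats.append("first-letter-capitalized")
    if any(ch in string.punctuation for ch in pw):
        cats.append("special-char")
    if len(pw) > 2 and pw.lower() == pw.lower()[::-1]:
        cats.append("palindrome")
    return cats


if __name__ == "__main__":
    ranked = rank_passwords(SAMPLE_PASSWORDS)
    print("case-sensitive top 3:", ranked[:3])
    print("case-insensitive top 3:", rank_passwords(SAMPLE_PASSWORDS, False)[:3])
    print("eminem variants (forms, users):", variants(SAMPLE_PASSWORDS, "eminem"))
    print("share of users covered by the top password:", top_n_coverage(ranked, 1))
    for pw, _ in ranked:
        print(f"{pw:12} {classify(pw)}")
```

Replace `SAMPLE_PASSWORDS` with the lines of a real dump to get the same kind of ranking the post describes; `top_n_coverage(ranked, 2000)` is the figure behind “the top 2,000 uniques account for 4.7 million users’ passwords”. The case-folded ranking is the one that matters for policy decisions, since a blocklist or strength check that treats “Password” and “PASSWORD” as different strings misses most of what users actually do.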