The team over at Hacker House has recently released their first book, Hands on Hacking. The book is an incredibly accessible guide for learning pentesting and purple teaming and includes often-overlooked subjects like building a business case for hacking, ethical guidelines, and report writing.
Report writing, you say?
Needless to say, when authors Matthew Hickey and Jennifer Arcuri reached out to let us know they were featuring Dradis in the chapter on reporting, we were delighted. Since the book’s release, I’ve been able to chat with Matthew to ask about writing this book, his start in hacking and growing a career in the industry, and his favorite reads.
Hands on Hacking takes a holistic approach to hacking appropriate for those just getting started as well as for management and sysadmins wanting a deeper understanding of the attacks their organization and systems face.
Want to win a copy of Hands on Hacking?
The team over at Wiley sent us a few copies to giveaway. To enter, share your email address with us below. Winners will be selected at random on October 9, 2020 and contacted at the email address provided to collect shipping information.
Filtering content using OR and NOT hasn’t been possible until now! Now you can add OR and NOT operators to create a dizzying amount of control for your report output. As always, you can string together multiple filters to get the results you want to populate your report.
We’ve added the ability to upload an image anywhere the editing toolbar appears. Dragging and dropping into the editing area works too, saving you a few steps to add images in your project to show evidence, support your statement, or even add a meme to your comment.
Even More Validation
Validating your project before generating it has long been available as a good step to preventing some of the most common report errors. Now, view additional validation in summary views and a panel to help avoid those errors as you are working with report content to catch problems early.
For an at-a-glance way to see what needs a bit more work, the issues and evidence tables include a column showing if that item contains the correct information.
Issues, evidence, and content blocks now have a validation panel that will highlight problems as you work.
Add a validation panel for Issues, Evidence, and Content Blocks
Add a validation column for Issues and Evidence table
Auto upload attachments and screenshots without requiring the use of the staging area
Cards, Evidence, Issues, and Notes now have their own attachment support
Displays a notification badge in the browser tab when there are unread notifications
Editor: Allow drag & drop, copy & paste, and direct image uploading
Increase the node properties column size by changing it to LONGTEXT
Layout: Breadcrumbs have a fixed position
Upload Manager: better validation
Live filtering of templates (methodologies, notes & projects) via sidebar
Use absolute send times in notification emails instead of relative
Excel: Fix report generation exceeding the maximum cell limit
Word: Add NOT and OR operation for filtering content control
Word: Allow non-English localization documents to be exported
Automated reports, generate the same reports your clients know and love in a fraction of the time.
On March 2nd, 2020, we released Tylium, a new layout for Dradis projects replacing the long-lived Snowcrash layout. Let’s go into some of the details of the work that went into designing Tylium.
I’m Matt Budz, the product designer for Dradis, I help create new Dradis features and re-design some of the older ones that need some TLC.
First, let’s start with some background. Snowcrash has been the layout for Dradis projects since 2013. Some users may remember way back when it was released as part of v1.9. It was a shiny new UI built using the now-ancient Bootstrap 2 with a handful of 3rd-party plugin stylesheets sprinkled on top. Many new features were added over the years, but the look and feel of the app became dated.
My goal was to make the app look more modern and to update it to Bootstrap 4. But what does more modern entail?
I wanted to retain the long-used brand colors for both Dradis CE and Pro editions and adjust the remaining color palette to improve color contrast while ensuring the changes wouldn’t be too jarring for existing users. Increasing on-screen real-estate was a priority during the redesign. Adjusting spacing and incorporating a collapsable sidebar that could move out of the way provided more space. Snowcrash had some inconsistent visual hierarchy, especially around header & paragraph text sizes.
Some elements lacked visual cues to inform users that more information could be seen by scrolling. Additionally, Snowcrash had various cluttered views with a lot of information and action links that could be tucked away and accessed only when needed. I wanted to create an action menu (we call it the dots-menu) that could be used for any resource in virtually any view. I wanted this to have a specific look so that users would be able to recognize that there is something more they can do when they see this menu – like adding, editing, moving, and so on.
I embarked on this re-design journey knowing that I wanted to change the overall layout of the app but not completely re-design the individual partials that are rendered within the layout’s different views. I decided it would be best to work on those as the respective features got updated or other features got added.
Using my design tool of choice, Adobe Xd, I started on the main sidebar and the collapse/expand functionality. I designed this so that the user would expand the sidebar and once they navigated by clicking the links in the sidebar or clicked off the sidebar, it would collapse out of the way. With the sidebar opened, the rest of the view became faded out to bring attention to the floating sidebar. This came with subtle animations for the sidebar width transition, navigation link position, as well as opacity transitions for the node tree and sidebar header. At this point, I also added the new-to-Tylium Dashboard link, so users could easily navigate back to the initial view they are greeted with when they opened the project.
Next, I moved on to the top navbar. In Snowcrash it was becoming a bit full and offered very limited space for long project names as well as new nav items. It was also visually connected to the sidebar giving the illusion of a smaller workspace for everything else in the project. I wanted to completely separate the navbar from the sidebar so I moved away from using the edition color as the navbar’s background color. In order to save some space, I changed the less-used nav links to round buttons with icons to reduce the total width they took up. I also re-designed the way the search button expanded and behaved to match the new round nav buttons.
I worked on the sidebar and navbar while looking at the project dashboard, so naturally, I moved on to the main dashboard area next. I wanted to keep the panels the dashboard had in Snowcrash but with an updated look. Again, I didn’t want to completely re-design any of the partials but I did update things along the way so they would be more cohesive with the new layout. The page heading and the panel headings had to become more distinguishable for one another so I increased the size of the page headers to ensure they wouldn’t be lost with panel headers. I also noticed there was inconsistency with borders and dividers, both in terms of colors and usage. I ensured all borders and dividing lines got the same color and that they were used consistently regardless of the view for a better visual presentation. The panels got a subtle border with rounded corners along with matching underlines for the panel headers. Some other components that got a refresh were the list of issues and the list of recent activities.
For better user experience, I wanted the sidebar and navbar to always be visible regardless of the height and width of the view. This meant that only the view content would be scrollable. In order to keep a visual consistency throughout the layout, I used the changes I made to the dashboard to set the tone for all the other views.
At this point, I had a decent base for all views in the app but one major component that still needed work. Many of the views utilize a secondary sidebar that lists view-specific collections of items like, attachment uploads and import options. In design, we want the secondary sidebar to flow nicely with the main sidebar. I achieved this flow by making the secondary sidebar background color the same as the main sidebar active item background color. This would give the active sidebar item and the secondary sidebar a visual connection. The views that use a secondary-sidebar needed to match the rest of the app by having the view content sections neatly presented in panels. This meant that sections like Comments, Subscriptions, and so on got their own panel.
With the Bootstrap migration completed and out of the way, I was able to start coding the layout changes I’d designed in Adobe Xd. I implemented the design in roughly the same order as I designed it. I started with the sidebar and navbar, then moved to the main content areas of all views without a secondary-sidebar. I added the panel changes to each section of the views and adjusted things like header styles and font-sizes while utilized SASS variables for easy switching of colors between CE and Pro editions.
Last but not least, I worked on the secondary sidebar and adjusted all the view files that utilized this sidebar and updated panel styles, panel headers, page headers, etc . While coding the secondary-sidebar I quickly realized that it could be taller than the view content itself depending on the collection of items rendered within it. This would cause the view content to be unnecessarily scrollable. To solve this, I locked the secondary sidebar height to match the height of the browser window and made it scroll independently of the main view content. This would also be a more natural behavior in situations where both the secondary sidebar and view content have enough height that they both need to scroll vertically.
Another challenge I ran into was caused by a bug where the Bootstrap 4 modals appeared under the modal backdrop rendering all modals useless. After many hours of digging through the code, scratching my head, and growing new strands of grey hair, I turned to StackOverflow. It turns out this is a known Bootstrap 4 issue and the best way to solve it is to render all modals as direct children of the <body> tag. This required a refactor of the way we rendered modals in views.
At this point, the layout had come together nicely and everything was working as expected. Any bugs and quirks that came up along the way were resolved. Just as I was feeling good about it, all kinds of specs in the test suite were failing. I dove into the specs and updated what I knew needed updating based on the layout changes and Bootstrap migration but I noticed I wasn’t getting consistent failures. Some specs would fail sometimes and those same specs would pass other times. I had our developers, Aaron and Brian, step in to take a look. After many hours of debugging and researching, they finally realized the problem had to do with the sidebar toggle animation. The test suite was expecting the sidebar to be opened instantly so it could continue to go through the testing steps but the milliseconds of animation caused the test suite to intermittently break causing failures at different points. Ultimately, the solution was to disable animations for the test suite and all was well.
The last piece of the puzzle was to clean up all that old CSS. I ended up restructuring the CSS using a modified version of the SMACSS methodology. While tediously combing through each stylesheet, I removed unused, redundant, and unnecessary CSS. I was able to further reduce the amount of CSS by improving specificity.
Fun fact: Implementing Tylium modified 290 files and reduced the app’s code by 1871 lines.
Tylium was finally ready for release. Pleasantly, the new look was generally well-received and as more and more users started to use the updated version of Dradis, we started to get more constructive feedback. Both our internal team and our users realized that the auto-collapsing toolbar created a workflow issue in cases where users needed to frequently switch nodes or manually add many new nodes. I set out to fix this hindrance by eliminating the need to click the sidebar in order to create/navigate nodes. After discussing a few options with the team, the decision was made to have users toggle the sidebar manually. To enable users to keep working regardless of the state of the sidebar, I removed the overlay that faded out the rest of the view. This allowed users to chose if they would like to have the sidebar open or closed and we implemented some logic to remember the sidebar state so users wouldn’t have to toggle it each time they returned to a project. This also helped with seamless navigation between views.
Overall, the new layout improved the app by:
Increasing screen real-estate by 18-20%
Updating Bootstrap’s version from the historic 2.3.2 to a more current 4.3.1
Improving accessibility by updating the text colors to meet at least Level AA of WCAG 2.0 standards.
Providing users with an app that has a modern look and feel while also increasing their productivity
This entire endeavor started in Oct 2019 with very early rough sketches and spanned about 6 months until it was finally publicly released in March 2020. Huge thanks to the entire team for their help and input throughout the entire process. ✌️
Before Dradis Pro v3.8.0, Admins had access to everything and Authors had access to a subset of features. Now, you can give specific Author users permission to use the tools they need. And, you can give them just the level of access that they need.
Each Author can be given access to specific projects. And, for tools like the IssueLibrary, the Rules Engine, or premium tools like the Remediation Tracker, Authors can be given action-based permissions. Do you only want Author #1 to be able to Read IssueLibrary entries but not create, update, or destroy them? You can do that! Do you want Author #2 to have full control over the Rules Engine? You can do that too!
AffectedCount and AffectedList controls
We’ve had the Affected content control for a long time. The Affected control exports a de-duplicated list of comma-separated Nodes for a specific Issue. But, what about if you needed each de-duplicated Node on a new line or in a bullet list? Or, what if you need to count the number of affected Nodes for your Issue?
We’ve rolled out 2 new content controls: AffectedList and AffectedCount. As you can see in the before/after example below, the AffectedList will export the same data as the old Affected content control, just in a list format. And, the AffectedCount will output the number of unique Nodes that the Issue is associated with.
Do you need help updating your report template to use these new content controls? Email our support team and we’d be happy to help!
Project List table
We’ve also updated the Projects page to help you find that one Project you’re looking for. Your most recent projects will appear at the top of the screen as always. But, at the bottom, there’s now a sortable and filterable table. Click the column headings to sort the table by that field. Click the 2 columns dropdown to display different fields. And, type in a keyword to filter the table and display a subset of Projects.
Add all activity view
Give dynamic columns, sorting and filtering to project list table
New Per-Tool Permissions
Premier the new project permission panel for testers
Introduce permission management for Issue Library, Rules Engine, and Remediation Tracker
Remove inconsistent content blocks breadcrumb
Render markup inside table columns
Update top navigation link styles and collapsed menu
Upgraded gems: rack, sanitize, sassc
Removes the edit link while editing
Fixes lingering comment borders after deleting comments
Resolves broken OVA and DUP upgrades on VM’s running in ESXi
Prevent icon overlap of long headers in secondary sidebar
Fixes overflow of long unbroken table cell text
Prevent text overflow on to select areas
Word report generation no longer errors with extra document properties
IssueLib: markup rendered in columns
Excel: add Tag column
New AffectedCount content control
New AffectedList content control (one host per line)
Update exported tables to have 100% width by default
Not using Dradis Pro on your team?
Automated reports, generate the same reports your clients know and love in a fraction of the time.
Formatting text is even easier now with the editor toolbar. The toolbar makes it simple to enter and format text in an issue, evidence, notes, comments, and methodologies without needing to use Textile markup. The live preview updates with your formatting changes as you work.
Manually create issues and evidence using the form view, rather than using Textile field names and details. Name the form field and add in details for each item and the live preview updates as you work on the side.
If your project has a predefined template, using that template will create those form fields ready to populate.
Prefer to work with Textile? The source view is still available so you have the best of both worlds.
In order to make the most of the available screen space, some item options – including edit, delete, and subscribe – have been moved to a single “dots” menu. The dots menu is located to the top right of the item and includes the actions available for that item.
Cards in methodologies no longer require a due date. This is helpful for cards that are templates or hold information that doesn’t need to be locked to a specific date.
If a card has moved from one list to another, the original card link will redirect you to the card at its current location. Previously the link to the card would be broken, leaving you to hunt around until you found it (or didn’t and gave up looking).
Making it easier to find the board you are looking for, you can click on a methodology in the project dashboard or the board name in the activity feed to go to that board.
Add author to evidence and notes views
Add dynamic columns, sorting and filtering to Projects list
Add team name link to project navbar
Adjust Uploads layout to provide more visibility to the output console
Allow renaming and deleting boards through their dots menu
Avoid browser pre-populating password fields when editing users
Not require a mandatory due date
Redirect to new url if the card has changed lists
Show board name and link in the Activity Feed
Card, Evidence, Issue, and Note form data will not be lost even if the form is not saved
Clear the form when the “Cancel” link is clicked
Remove prompt to restore data and instead persist and restore any changes seamlessly
Add Textile markup
Not lose changes even if the comment is not saved
Update comments feed to show author’s name instead of email
Display note and evidence titles in breadcrumbs
Display the Dots-menu in all views
Formatting toolbar to help with markup
New form-view to edit each field individually
Side-by-side editor preview that auto-updates
Generate consistent URLs in emails
Increase the size of output console
Let Admins be added or removed after a project is created
Link to Methodology from project summary chart
Move resource action links to dots-menu in breadcrumbs
Persist the state of the navigation sidebar in projects while navigating across different views
Remove tag color from issue titles in issue summary
Update code element style
Use shared noscript partial
Use user model reference for activities instead of user email
Upgraded gems: puma, rack, rails, sass-rails
Allow Authors to set project permissions on project creation again
Fix Board partial broken structure
Fix ItemsTable extra whitespace causing unnecessary vertical scrolling
Fix Long items_table dropdown menus not scrollable
Fix Long project names interfering with search bar expansion
Fix breadcrumbs in cards under node boards
Fix textile preview not showing on issues with very long text
Prevent repetitive prompt when images are pasted after navigating multiple views.
Prevent report ‘Download’ button becoming a disabled ‘Processing…’ button once clicked
Render Textile preview of issues with very long text
We’ve introduced a new project theme for Dradis. Tylium* is more than sprucing up the design with sleek lines and modern styles. It incorporates thoughtful details to improve your workflow and provides us greater flexibility to address your UI feedback moving forward.
This is a big visual change, but you won’t have to hunt for the Dradis items you rely on since they haven’t gone too far from the previous theme, Snowcrash. We’ve minimized the impact on your day-to-day use of Dradis by keeping the feel and flow of the app familiar.
Tylium optimizes your workspace, keeping the purpose of each view in mind. It adds space where you need more real estate for updating findings and resizes or rearranges elements when you need to see the big picture. An example of this can be seen with the collapsible sidebar that adds roughly 20% more space and keeps all sections of the app quickly accessible, even adding a dashboard link to the project summary.
As always, we’re eager to hear what you think. If you have feedback on Tylium drop a comment here, send it via email, or share it in Slack.
*It is SOP at Security Roots that we honor our nerdoms where we can. Snowcrash, the previous theme, is a nod to Neal Stephenson’s cyberpunk novel of the same name. Our love of Battlestar Galactica continues on with the new theme, paying homage to the powerful fuel source used in the series – Tylium.
Report Generation Errors
Everyone knows that validating your report before generating it will save you a headache tracking down problems with the report later. Now, the validator is more helpful by providing additional context to help locate the problematic evidence. While we are preventing headaches if your report has errors that are detected during generation the option to download it won’t be displayed.
Update app to new Tylium layout
Add the ability for kits to update an instance’s Plugin Manager templates
Add revision history for cards
Updated support beacon. Legacy support was dropped for older versions
Fix errors on content overwrite flash messages
Fail and redirect to login instead of raising an error when attempting to log in as a user that has been removed
When a report export is invalid and errors we disable the download button to prevent further errors
Fix the mail initializer not finding existing configuration settings from the db
Fix Cancel link path for the Note Edit page
Fix services_extras not being excluded from Excel exports
Fix Rule checking for non-existent fields
CVSSv3 calculator provides access to all Temporal/Environmental fields
Add support for ellipsis
Better Evidence references on failed validations
REST/JSON API enhancements:
Add team (team id, team name, team_since) in the teams API endpoint
High: Authenticated author can no longer continue to make project changes and will be logged out after being disabled by an admin
Medium: Prevent admins from updating other user’s comments
When the WPScan team approached us in late 2019 offering to create an integration for Dradis, we were excited to work together. What goes together better than a WordPress security scanning tool and an easy way to turn those findings into a customized report? Maybe chocolate and peanut butter, but the Dradis WPScan integration is much more likely to result in a more secure website.
WordPress powers 35% of the Internet’s websites from hobby blogs to Fortune 50 companies. WordPress’ ease of use, well-established community, and extensive plugins offerings (55,457 as of this post) make it an attractive option for creating a presence online. Unfortunately, these same charms also make WordPress an easy and frequent target for attack.
In 2011, while investigating his own blog’s security, Ryan Dewhurst created a script that combined testing for WordPress’ vulnerabilities into a single tool. This script, now WPScan, enumerates usernames, plugins, and themes, performs brute force password attacks, and identifies the version of WordPress on a target.
WPScan contributors went on to create WPVulnDB to manage the ever-growing list of known WordPress vulnerabilities in an online database. When used together, WPScan and WPVulnDB API provide realtime detailed vulnerabilities and recommendations in your scan results.
This new Dradis WPScan integration makes it a snap for you to import the results of your WPScan directly to a Dradis Project. Each target maps to a node within your Dradis project, any vulnerabilities found in a plugin, theme, or setup become Dradis issues, and when evidence is available – like a list of enumerated usernames – it is pulled into Dradis as evidence.
Ready to get started with Dradis and WPScan?
The steps to add the Dradis WPScan integration to Dradis CE or Dradis Pro are similar for both editions.
Add or edit the Gemfile.plugins file. The file locations for each edition is listed below
How many Dradis projects did you create this year? How many Issues did you find? Which were the most commonly found Issues? What was the most common severity of the Issues that you found?
Credit for this script idea goes to Marc Ligthart. His teammate reached out via the support inbox to see if we could create a quick “Year in Review” script that would list out the following:
1. Count of Projects created this year 2. Total Critical/High/Medium/Low Issues (by Tag) 3. Top 10 most found Issues (by title) 4. Top 10 most found Critical/High/Medium Issues (by title)
You can already head over to our scripting repo and check out the Year in Review script. To use it:
1. SCP the file you your instance (e.g. to the /tmp folder)
2. Run the following in the command line as “dradispro”: $ cd /opt/dradispro/dradispro/current/ $ RAILS_ENV=production bundle exec rails runner /tmp/year_in_review.rb
The output will list out the yearly review for all of the projects present on your Dradis instance.
Now, for the fun part? We want your feedback. If you like this idea, you’ll like version 2.0 even better. We want to include this functionality as part of the existing Business Intelligence Dashboard within Dradis. But first, we want to hear from you. What else would you like to see in a summary view like this in the BI Dashboard? What other metrics would be helpful for your team or what isn’t particularly useful about the current output? Please email our support team directly with feedback! We’re excited to continue working with you in 2020 and get you some more valuable insights into your Dradis usage along the way.
Now you can have your notifications emailed to you when you aren’t working in a Dradis project. Each user can adjust their notification settings to receive them individually as they happen, in a daily digest, or not at all. Get started using email notifications by configuring the mail server on your Dradis Pro instance.
A few @mention enhancements are in this release, including loading an @mentioned user’s profile photo or gravatar so you quickly spot who is in the conversation.
Burp Suite Issue severity
The way that Burp Suite handles severity is different than other integrations. Burp assigns severity to each instance of an issue as evidence and doesn’t assign severity to the issue directly. As a result, this was leading to several pieces of evidence with different severity levels for an issue with no assigned severity in Dradis. Now, Dradis will assign the issue severity using the highest evidence severity level.
Finding the information you are looking for in a long table is easier with table sorting. Tables in Dradis can be sorted by any column. Click on the column heading of your choice and presto, change-o the table is sorted.
Add notification settings to decide how often to get email notifications
Add a smtp.yml config file to handle the SMTP configuration
Preserve SMTP configuration on updates
Various mention related improvements:
Enhance the mentions box in comments to close when it is open and the page is scrolled.
Fix bug that prevents the mentions dialog from appearing after navigating through the app.
Fix elongated avatar images so they are round once again.
Added avatar images to mentions in comments.
Load Gravatars for users whose email has been set up with gravatar.
Add and update methodology download links to Dradis Portal
Enhancement when adding new nodes to copy node label data between the single and multiple node forms.
All tables can be sorted by column
Fix handling of pipe character in node property tables
Fix projects count not updating in teams view
Fix error on team page when showing primary team
Fix overflow issue where the content would expand out of view
Fix page jump when issues list is collapsed
Fix conflicting version message when updating records with ajax
Fix hamburger dropdown menu functionality.
Fix node merging bug when `services_extras` properties are present
Fix cross-project info rendering
Prevent content block group names to be whitespaces only
Fix displaying of content blocks with no block groups
Limit project name length when viewing a project
Removed bullet style in node modals
Validate parent node project
Burp: Make `issue.severity` available at the Issue level
Nessus: Fixed bullet points formatting to handle internal text column widths
Nexpose: Wrap ciphers in code blocks
Netsparker: Fix link parsing of issue.external_references
Jira: Loading custom (required) fields from JIRA by IssueType and Project
REST/JSON API enhancements:
Fix disappearing owner when assigning authors to a Project using the API
Set the “by” attribute for item revisions when using the API
Another Hacker Summer Camp is in the books. As always, there was a lot to see and do – more than any single human could hope to fit into a month, much less a week. Even so, I made it to Black Hat Tools Arsenal, BSides Las Vegas, DEF CON, and volunteered for the Diana Initiative. After a year and a half of working on the Security Roots team, I met Daniel in person and we promptly started talking shop in the middle of a Mandalay Bay hallway. I took a few hours to celebrate a milestone with a fantastic dinner and show. All of that in six days and though it was exhausting, I can’t wait to return.
My introduction to the hacker community was at BSides Orlando a few years back. Initially, I admit that was a bit intimidated to attend a hacker conference. Portrayed in the media as egotistical superbrains or criminals hiding beneath black hoodies ready to drain your bank account, hackers aren’t presented as a welcoming bunch. While those elements exist, what I found there and continue to experience was a group of people eager to share their knowledge and answer my constant questions. The energy and collaborative spirit of the community had me hooked. I was hungry to learn more and later that same year, I volunteered at BSides Las Vegas.
BSides Las Vegas
This year I returned to BSides Las Vegas as a volunteer with the Diana Initiative. Thanks to the generosity of BSides we had an early check-in table for Diana attendees. Much of my day I spent sharing details on the Diana Initiative from how it began, where to find tickets, to how to get involved. The overwhelmingly positive feedback was supportive of the need to increase diversity in information security. I didn’t much chance to check out the talks but there are a few on my list to watch.
Black Hat Tools Arsenal
Black Hat is the corporate side of the whole week and had a slightly different energy. I joined Daniel for the Dradis presentation at the Tools Arsenal. In my mind, I would show up in my Dradis shirt, hand out a few stickers, and take pictures of Daniel showcasing Dradis CE. Once there, I embraced the opportunity to chat with customers and talk with people about Dradis. I found myself repeating, “If it has been a while, give Dradis CE another look – so much has changed.”
DEF CON 27
It can be challenging to make connections at a conference this size. Unlike other large events I’ve attended, smaller distinct groups within the con space allow you to focus your attention and find like-minded folks. No matter your interest, there is a group. There are villages, workshops, talks, meetups, parties, and one of my favorite spaces – hallcon. Finding someone to talk to is pretty easy since #badgelife has most attendees wearing roughly a pound of gear on a lanyard around Las Vegas. This year’s DEF CON badge game worked particularly well to strike up hallway conversations while asking to “boop” someone’s badge.
Our staff pirate Christoffer’s post piqued my interest in maritime security, so I made it a point to stop by the inaugural Hack the Sea village. There was a good bit of discussion about the security of our seas even in casual conversation outside of the village, ranging from ICS to the antiquated technologies observed or used onboard. I visited the IoT village long enough to swear off of my existing IoT devices (but not really). While I was there, I cheered on friends that were competing in the IoT CTF.
The evenings held additional opportunities to connect with other attendees, just as varied as the talk and villages. Who doesn’t love a blanket fort? Blanketfortcon has you covered (see what I did there?) with an adult size blanket fort and bounce pad. Hacker Jeopardy is always hilarious, but I laughed the hardest during “Whose Slide Is It Anyways” watching contestants present using a slide deck they had never seen. Parties ranged from bass-thumping events going long into the early morning to more subdued gatherings with board games and great conversation.
If I am up at 6 am in Las Vegas, it is for one of two reasons; I am still up from the night before or I am volunteering somewhere. These days it is 100% the latter option, and I was excited to join the Diana Initiate staff to run registration. It turns out I particularly enjoy running registration and check-in, which I can only attribute this to having a generally sunny disposition and a love of spreadsheets. After months of hard work with the rest of the team, it was a gift to greet attendees, speakers, and sponsors and to witness their excitement for the days ahead.
Diana Initiative has grown from its initial years held in hotel suites and for the first time organized convention space at the Westin. This year Diana Initiative had 65 speakers across three tracks that covered both technical and non-technical skills, several villages, and a CTF. It was a nice break from the noise and crowds of the DEF CON and fostered a welcoming environment for attendees, many at Hacker Summer Camp for the first time. The quieter gathering, smaller size, and inclusivity made for an inviting atmosphere to new faces and established security professionals alike.
Do the thing.
Attending camp this year felt different than my last visit. There are noticeably more women in attendance, to the credit of organizations like WoSEC, WISP, Women’s Society of Cyberjustu, and Diana Initiative. There was plenty of evidence of the work that organizers and volunteers have put in to create an inclusive and safe week including the DEF CON support hotline and improved Code of Conduct. It was incredibly inspiring to connect with the many people that are elevating diversity and bringing change in this fantastic community.
Throughout the week, everyone I spoke with remarked that there is room for everyone in information security; quoting struggles finding qualified candidates and too-large workloads. Increasing the number of women not only brings more workers to the industry, but each person brings a unique lens to approach privacy and security challenges. No matter who you are or what your background, consider this your invitation. Show up, do the work, learn the things, and take your place. And then, share what you know. See you next year!