Shortly after I was convinced to join Twitter and get engaged with the security community, I started noticing patterns with the people I was meeting. Namely, I noticed that many were also musicians and that the vast majority played the electric bass. As a bass player myself, I understand that the general rule is, if you show up to an open-mic blues jam, you’ll get to play bass all night, and the guitarists will be relieved that none of them have to ‘do bass duty’. I became fascinated with how this pattern seems to reverse in the infosec/hacker community and started to see parallels between security and this particular instrument. I plan to share my research, ideas and theories that I’ve collected on my journey to understand this strange anomaly and look forward to hearing more.
10. Why does InfoSec play bass?
“We like the low, dark and sinister. And backbones.”
“We're not in it for glory or props. Content in the background.”
-- Eve Adams
11. Why does InfoSec play bass?
“Easy, we pull it together. We keep the drums on tempo and support the band :)”
-- Dave Lewis
12. Doubts – do we really play bass?
How could I be sure?
17. How accurate are my stats?
Accuracy Scale
What Statistics?
Dead on balls accurate
18. So what? Why does any of this matter?
https://fsmontenegro.wordpress.com/2015/07/29/on-the-shortage-of-infosec-professionals/
@fsmontenegro Follow this guy on Twitter
3561 just in the USAF (cyber command)
2170 just in US Army
1560 Booz Allen Hamilton
1407 Deloitte
1257 US Navy
20. Would you like to take a survey?
Attackers 45%
Defenders 35%
IR/Forensics 25%
Male 90%
Female 10%
1 – Robot
Active on Social Media?
Nope – 13%
No, not allowed – 5%
Option 5 – 10%
Yes – 79%
Yes, but under an alias – 17%
21. How are you connected to InfoSec?
• I throw Information Security events – 0%
• I work full-time in the information security industry – 69%
• I work overtime/double time/too much time in Infosec. I need a vacation. – 10%
• I work part-time in the information security industry – 3%
• I'm a hacker, security researcher, or do something else in security, but it isn't my day job – 15%
• Security student – 1%
• SysAdmin – 1%
• working toward – 1%
22. Who we are – trolls, pranksters, wiseasses
144 survey respondents, 2448 responses in total
I wasn’t able to count the vast number of wiseass responses.
• Getting kicked in the face by Jimmy Vo.
• I beat up CISOs in dark alleys for fun
• Option 5 typo was a favorite (x14)
• What do you do in the industry? Space Hitler < Thanks!
26. Survey results – Music
33% of respondents played an instrument
40% of those were multi-instrumentalists
TOP 5
Guitar 28
Bass 8
Violin 5
Drums 4
Saxophone 4
27. Survey Results – Martial Arts
• Aikido
• Boxing
• BJJ
• Karate
• Kickboxing
• Krav Maga
• MMA
• Tai Chi
• Tang Soo Do
• Goju
• Tae Kwon Do
• Muay Thai
• Shaolin Kempo
19% of respondents practice martial arts
28. Friends and strangers alike sent me photos of them doing their hobbies.
Not a single photo scarred me for life or led me to need therapy!
40. Who are we?
We’re a post-dystopian, neo-cyberpunk travelling ren faire!
41. Conclusions – we see the world differently
They see
• A car
• A door, a lock, a barrier
• Retail environment
• Trash bin
• Gobbledygook
We see
• Potential 80mph brick of death
• A challenge, a puzzle
• Hilariously insecure playground
• Intelligence
• Something to be decoded, cracked, decrypted…
Both a gift and a curse…
43. Conclusions
“It was an accident…”
“Can’t remember when it started…”
“I had to decide between jail or an honest paycheck.”
“It's fun to break rules.”
“I like thinking I’m helping”
44. What’s Next?
What do you want to see? Do you have anything else you’d like to share?
What direction should I take this?
Avery.Sawaba@gmail.com
@sawaba
Editor's notes
Ask if there are any bass players in the audience. Ask them to raise their hands.
Look pensive and thoughtful for a moment to let the tension build
At this point, I either get to say “See, I told you so!” or “Either you guys are lying, or I’ve just discovered a massive, critical flaw in my talk!”
Agenda
Intro/Expectations (without giving too much of #3 or #4 away)
My Story
Casual observations vs. big picture and why this matters
Who we are – Survey results
Making sense of all this
Wrap-up, questions and feedback
A few directions I could have gone with this talk. I envisioned it as something I could give several times, evolving over time. I decided to go lighthearted and entertaining the first time out.
At a crossroads with this talk. That’s pretty.
There were a few directions I could have gone with this talk.
I could have gone serious: ADHD, Burnout, Alcohol – real issues affecting our industry.
But I decided to go lighthearted and entertaining for this one. Let me know if you’re interested in the more serious side.
Also, I’d love to update this talk and go deeper over time – let me know at the end if that is something you’d be interested in.
*** Pic of Oprah giving stuff away on one side, hacker stickers on the other
Anyone that participated in the survey, feel free to pick up your favorite hacker sticker (over on a table somewhere in the room)!
Pass out puzzles – two old school iron puzzles and one Rubik’s Cube < Have someone help with this stuff
Prizes will include two SNES carts and a BSides Knoxville badge for whoever solves the puzzles. Anyone in addition to those, I’ll give an IOU for a T-shirt or sticker once I’ve got them made
Let me tell you a story about a boy. AWWW, isn’t this sweet…
Tell the Sassy Ann’s story of me and Nick Morgan
Fast forward to 2009, when Shack talked me into getting on Twitter – yes, the Twitter fun gauge is directly responsible for all my tweets.
Go over the 10:1 Guitar:Bass rule and how I started to notice it seemed to be reversed for musicians in InfoSec. This intrigued me.
Comment that there are some seriously pissed off clarinet players out there. “Why wasn’t my instrument included in his stupid survey!?!”
Well, hang on angry clarinet player, and give me a chance to redeem myself!
Oh, right, and there’s Dave Shackleford. Sorry, Dave. Seriously though, if you ever have Dave around a piano, try to convince him to play something for you. You won’t regret it!
Why was I attracted to bass?
#1 - Its electric cousin was no different – my actual plan if our old townhouse was ever broken into was to use my Hamer Cruisebass as a weapon.
Why was I attracted to bass?
#2 - If the electric guitar is a katana, the bass is a 2-handed axe. In Resident Evil, I prefer the shotgun. In Diablo 2 and 3, it was the Barbarian for me – dual-wielding giant fucking axes.
I started asking others about this odd pattern – why did they think so many of us played bass?
Put an image for each of them, with the quote, each in a different slide – 3 in all
Does InfoSec really play bass? How could I find out?
Ask for answers, opinions – what do you think? Bullshit?
Put multi-instrumentalist tweets here
Go go data scientist mode!
I decided on a two-pronged approach
Interwebs analytics
Surveys/interviews
What about everyone else? What about the non-musicians?
We’ve all heard people talk about the echo chamber – having discussions within the “security bubble” – we’re in it now!
Do I need this slide?
Sorry for the shitty quality here – especially to you Apple Retina users out there, this must be torture. Getting this slide together pushed my graphic design and powerpoint skills to the limit.
How big is our collective social media reach?
When we bitch about something on Twitter, how far does it go? How many ears does it reach in the grand scheme of things?
Note, there are some various discrepancies with this data, but I spent a long time making sure it was as accurate as I could get it.
Sorry to those of you that are like vampires with sunlight when CISSP is mentioned…
Well… On a scale from Donald Trump (who feels no need to use statistics) to Mona Lisa Vito (who is dead-on-balls accurate), my stats are somewhere around the accuracy of Conan O’Brien’s Clueless Gamer review system.
Job Shortages in InfoSec – people are hiring, hiring, hiring!
Hiring and talent acquisition is HARD in InfoSec.
EXPERIENCE doesn’t tell you if someone is passionate about security or if they’ll fit in with a tightly knit assessment team or incident response group, for example.
CERTS don’t tell you a helluva lot, except for ones with practicals
RESUMES are full of hopes, dreams and carefully crafted lies
Basically, the only good way to find the people you’re looking for is by asking people you trust – networking. That’s really the most important benefit of a security conference, in my opinion.
If we understand why great InfoSec/Hacker talent is great, perhaps it could be easier to find/train/retain the talent!
Also vice versa – maybe we can make it easier for you to find your dream job!
Great post by Fernando Montenegro here (@fsmontenegro)
Jobs!
Jobs!
Jobs!
People want to hire you!
They want to throw money at your face!
It’s like Oprah in here! You get a job! You get a job! You get a job!
So I decided to do a survey to get a better idea of what was going on here
Gender – Exactly the same as my Twitter split
How are you connected to InfoSec?
What do you do in the industry? Space Hitler
Do you actively discuss security/hacking-related stuff on social media? Option 5 (x14)
So, why does InfoSec play bass?
Ha, I wish! Just kidding.
Well, it turns out that sample sizes matter, and I didn’t have a huge sample size when I collected all that anecdotal data I showed at the beginning of this talk.
So, I did a survey. 144 of you wonderful people filled it out. Still a small sample size, but I intentionally made an attempt to get people outside the Twittersphere.
Want to know what instrument infosec actually plays?
The big reveal – infosec plays…. GUITAR. Cue sad trombone.
However, it ISN’T a 10 to 1 ratio – more like 3 to 1
Also, half the bass players that responded were like, “BASS, YEAH!”, whereas half the Guitar players that responded were ‘MEH’ about it
So, does the big reveal happen here? Or earlier, so that I can point out my mistake was all from this bubble I was in?
Also, am I really, really correct here, or am I still wrong?
Or is the point that certain aspects of our personalities just aren’t indicators of a greater whole?
Survey stats – there are two hobbies I felt needed their own dedicated questions in my survey, because of how often they seem to show up – the first of those two is music.
33% of respondents played an instrument – exactly a third.
Read some quotes
“No, but I have a perfect ear. (Which makes karaoke VERY painful)”
I own a bass that I promised my parents I would learn to play 15 years ago. SIR YOU ARE A DISGRACE
40% of these musicians are multi-instrumentalists
Summary of hobbies, stats
Now THAT’S the Cavalry!
Beau and Claus demonstrating non-hackable vehicles.
Nurburgring
Guillaume
Walt reviewing his novel
It’s okay, he’s at a stoplight
I think we’re all familiar with this sight…
And another familiar sight… Whiskey hackers anyone?
Some of us drink, and some of us can’t touch the stuff, but that’s a whole different potential talk, right?
Anyone know what this is?
The overwhelming majority of respondents are clearly passionate about this field – very few simply regard it as “just a job”
This is what ties it back to the bass – everyone that played the bass was like, FUCK YEAH, BASS! The vast majority of guitarists were, “meh, a little guitar…”
We stumble upon it < SO MANY!
We can’t recall not doing it
We had to make a choice
We enjoy it
Sense of service
Lots of anecdotal stuff, hit on some interesting points, but haven’t gone too deep
What’s next? Would like this to be the first in a series of talks about what makes us tick
If I dive deeper, where do I go? Dark or light? More job/career-relevant stuff, or more psychological side?