Jason Danner @jpdanner
128 tweets, 95 min read
It's nearly #purplecon time with @kanocarra!
Front row with some of the #purplecon krew.

Almost showtime!

@pikelet @hipsterjazzbo
Some ace haikus.

And a @mangopdf
#purplecon
Why the purple aesthetic?

Hacker culture is about doing your own thing and rebelling.

But hacker cons seem to look the same.

#purplecon
#purplecon gives you a new standard to follow! Rebel!

@purpleconNZ
#purplecon is about positive, defensive, actionable security advice.

Let the experiment begin!

@purpleconNZ
Thank you @purpleconNZ sponsors!
@insomniasec @vendhq @Google FireEye Atlassian
#purplecon
Con complete with Bubble Tea!

#purplecon
Now it's @Sereeena talking about the intersection between security & humans

#purplecon
Everyone deserves security, but security is hard.

#purplecon
We abandon a whole scope of people who make the wrong security choices.

Is that right? That's your mom, dad, CEO, colleagues.

Do we abandon them?

#purplecon
Security is hard. So most people are bad at security.

#purplecon @Sereeena
The current system enables security problems

#purplecon @Sereeena
We have two personas:
- People who have no idea what to do
- People who know what to do, but not how to implement it
#purplecon @Sereeena
In security, the perfect is the enemy of the good.

Trying to force people to use the BEST security means they won't adopt anything at all

#purplecon @Sereeena
Security recommendations need to be personalised for each person. Where do their needs fall on these continuums?

#purplecon @Sereeena
Effective security advice needs to be:

Incremental
Personalised
Habitual

#purplecon @Sereeena
Our current process for communicating security doesn't work.

We have a pervasive culture of shaming people and it DOESN'T WORK.

#purplecon @Sereeena
This means that people won't ask for advice. Then they can make REALLY bad decisions.

#purplecon @Sereeena
How do we teach people then?

Show them, don't tell them. Lead by example.

#purplecon @Sereeena
Who does this well?

YouTube Vloggers!

#purplecon @Sereeena
So @Sereeena made a YouTube security channel!

#purplecon
Now it's @errbufferoverfl talking about the paper towns to stop pirates stealing maps.

#purplecon
Basically you put a fake town on your map. And if a competitor also puts this fake town on THEIR maps, then they're pirating your maps!

Ah ha!

#purplecon @errbufferoverfl
What do paper towns have to do with InfoSec?

#purplecon @errbufferoverfl
So you can use canary tokens to alert you of people doing nefarious things!
Maybe it's an attacker or maybe an insider threat.

#purplecon @errbufferoverfl
Canary tokens be like:
#purplecon @errbufferoverfl
Apparently Atlassian Space Crab makes mean canary (crab?) tokens for AWS

#purplecon @errbufferoverfl
You need to have good logging & alerting for these tokens.

Canaries are only useful if they sing!

#purplecon @errbufferoverfl
You can have URL tokens, AWS credentials tokens, DNS tokens.

Make them look juicy and interesting to attract the haxors

#purplecon @errbufferoverfl
Then it's the haxors denied!

#purplecon @errbufferoverfl
Very low signal to noise ratios*

*if deployed correctly

#purplecon @errbufferoverfl
Canary tokens alone won't keep you safe. Just part of a holistic security approach.

#purplecon @errbufferoverfl
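Added example, not from the thread or from @errbufferoverfl's talk: a small Python check that makes the three token types above "sing". It keeps a registry of planted tokens (URL path, AWS access key ID, DNS name, all made-up values here), runs log lines through a matcher for each log shape, and raises an alert that names which decoy was touched and by whom. The token values, the log formats (combined web log, CloudTrail-style JSON, BIND-style query log) and the sample lines are all constructed for the example.

```python
import json
import re
from dataclasses import dataclass

# Constructed token registry with made-up (hypothetical) values. Each token
# maps to the place it was planted, so an alert names the decoy that was
# touched rather than just saying "a canary fired".
CANARY_TOKENS = {
    "url": {"/reports/q3-payroll-FINAL.xlsx": "fileshare: finance/archive"},
    "aws_key": {"AKIAEXAMPLECANARY001": "decoy profile in ~/.aws/credentials on the build host"},
    "dns": {"backup-vault.corp.example.test": "wiki page: DR runbook"},
}


@dataclass(frozen=True)
class Alert:
    kind: str        # url | aws_key | dns
    token: str       # the token value that fired
    planted_at: str  # where the decoy lived
    source: str      # who or what touched it


# Constructed log shapes: a combined-format web access log, a CloudTrail-style
# JSON record, and a BIND-style query log line.
WEB_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<path>\S+)')
DNS_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN")


def check_web(line):
    m = WEB_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]  # ignore query strings
    planted = CANARY_TOKENS["url"].get(path)
    return Alert("url", path, planted, m.group("ip")) if planted else None


def check_cloudtrail(line):
    try:
        event = json.loads(line)
    except ValueError:
        return None
    if not isinstance(event, dict):
        return None
    key = event.get("userIdentity", {}).get("accessKeyId", "")
    planted = CANARY_TOKENS["aws_key"].get(key)
    if not planted:
        return None
    source = f'{event.get("sourceIPAddress", "?")} via {event.get("eventName", "?")}'
    return Alert("aws_key", key, planted, source)


def check_dns(line):
    m = DNS_RE.search(line)
    if not m:
        return None
    name = m.group("name").rstrip(".").lower()
    planted = CANARY_TOKENS["dns"].get(name)
    return Alert("dns", name, planted, m.group("ip")) if planted else None


CHECKS = (check_web, check_cloudtrail, check_dns)


def scan(lines):
    """Run every line through each log-shape check; return the alerts raised."""
    alerts = []
    for line in lines:
        for check in CHECKS:
            alert = check(line.strip())
            if alert:
                alerts.append(alert)
                break
    return alerts


# Constructed sample log lines: three touch a token, three are ordinary traffic.
SAMPLE_LOGS = [
    '10.0.8.23 - - [05/Nov/2018:12:01:07 +1300] "GET /index.html HTTP/1.1" 200 512',
    '10.0.8.23 - - [05/Nov/2018:12:01:09 +1300] "GET /reports/q3-payroll-FINAL.xlsx HTTP/1.1" 200 81920',
    '{"eventName": "ListBuckets", "sourceIPAddress": "203.0.113.9", '
    '"userIdentity": {"accessKeyId": "AKIAEXAMPLECANARY001"}}',
    '{"eventName": "GetObject", "sourceIPAddress": "10.0.1.4", '
    '"userIdentity": {"accessKeyId": "AKIAEXAMPLEREALKEY99"}}',
    "client 10.0.0.7#53412: query: backup-vault.corp.example.test IN A +",
    "client 10.0.0.7#53413: query: www.example.test IN A +",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOGS):
        print(f"[{a.kind}] {a.token} (planted at: {a.planted_at}) touched by {a.source}")
```

The point of the `planted_at` field is the "if deployed correctly" caveat above: a token nobody legitimately uses should never appear in these logs, so any hit is worth a page, and knowing which decoy fired tells you which share, host or wiki page was being read.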
Now it's @mossnz talking about containers.

#purplecon
What are containers?

#purplecon @mossnz
Abstractions are our friends.

All good code needs a good problem to solve.

What about storing cloud limes?

Answer: Redis.

#purplecon @mossnz
Can fire up a local Redis container to test lime storage.

#purplecon @mossnz
But, but! How do I docker a node app?

#purplecon @mossnz
Multiple dockers? Need docker networking!

#purplecon @mossnz
Now we're at the stage where, if we were trying to draw an owl, we would have two intersecting ovals.

#purplecon @mossnz
How do we trust what we're running?

Need to trust the people building the tools.

Compilers can alter programs. Including the compiler that compiles the compiler. 😱
#purplecon @mossnz
But, if we can't trust public containers, do we have to build it all ourselves?

Must we rebuild the cosmos?

#purplecon @mossnz
This is why we have CI pipelines!

#purplecon @mossnz
Building a CI pipeline with Circle CI

#purplecon @mossnz
Use Container Diff to see if anything upstream has changed

#purplecon @mossnz
The :latest tag in docker is not your friend.

It's NOT the latest build.

Extremely confusing.

#purplecon @mossnz
Build the container, check diff, scan for CVEs

#purplecon @mossnz
We've been on a container building journey

#purplecon @mossnz
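Added example, not from the thread or from @mossnz's talk: a Python linter for the `:latest` problem above. It walks a Dockerfile's `FROM` lines and reports every base image that is not pinned by digest, distinguishing "no tag at all" (which Docker resolves to `:latest`), an explicit `:latest`, and a named tag with no digest, while skipping references to earlier build stages. The sample Dockerfile, image names and the all-zero digest are constructed placeholders.

```python
import re

# Constructed Dockerfile (not from the talk). The first stage has no tag, which
# Docker resolves as :latest; the redis image pins a tag but no digest; the
# nginx image pins a digest (placeholder value), which is what a reproducible,
# diffable build wants.
SAMPLE_DOCKERFILE = (
    "FROM node AS build\n"
    "RUN npm ci && npm run build\n"
    "\n"
    "FROM --platform=linux/amd64 redis:5.0-alpine\n"
    "COPY --from=build /app/dist /srv\n"
    "\n"
    "FROM nginx:1.15.6@sha256:" + "0" * 64 + "\n"
)

# FROM [--flag=value ...] <image> [AS <stage>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--\S+\s+)*(?P<image>\S+)(?:\s+AS\s+(?P<stage>\S+))?", re.I
)


def parse_image_ref(ref):
    """Split repo[:tag][@digest] into (repo, tag, digest)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    # A colon after the last '/' introduces a tag; one before it is a registry port.
    repo, sep, tag = ref.rpartition(":")
    if not sep or "/" in tag:
        repo, tag = ref, None
    return repo, tag, digest


def check_dockerfile(text):
    """Return (line number, image ref, reason) for every FROM not pinned by digest."""
    findings = []
    stages = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        image, stage = m.group("image"), m.group("stage")
        repo, tag, digest = parse_image_ref(image)
        # "FROM <earlier stage>" reuses a local build stage, not a registry image
        is_stage_ref = tag is None and digest is None and repo.lower() in stages
        if stage:
            stages.add(stage.lower())
        if is_stage_ref or digest:
            continue
        if tag is None:
            reason = "no tag: Docker resolves this to :latest, whatever that points at today"
        elif tag.lower() == "latest":
            reason = ":latest is a floating tag, not 'the newest build'; pin a digest"
        else:
            reason = f"tag {tag} is mutable; add @sha256:<digest> so a container diff is meaningful"
        findings.append((lineno, image, reason))
    return findings


if __name__ == "__main__":
    for lineno, image, reason in check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {lineno}: {image}: {reason}")
```

Pinning by digest is what makes the "build, check diff, scan for CVEs" loop above meaningful: with a floating tag the diff tool is comparing against whatever upstream happened to publish, so a change in the diff could be either your change or theirs.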
Now it's "Caring for our Pen Tester Friends" with @SparkleOps!

#purplecon
How to run a good penetration test. What we all need to succeed.

#purplecon @SparkleOps
Back when Brendan was a young QA Tester, he tested software for gas pipeline provisioning.

#purplecon @SparkleOps
Back in the wonderful era of waterfall projects!

#purplecon @SparkleOps
Testing a new system?!

Much excite!

#purplecon @SparkleOps
Testing job done!

Or...

#purplecon @SparkleOps
Maybe not?

"This is full of P1 bugs"

But it was built to spec!

#purplecon @SparkleOps
What about duplication detection?

Not in the spec, but makes sense.

#purplecon @SparkleOps
Doesn't detect high pressure gas 'splosions.

Again, not in the spec.

#purplecon @SparkleOps
"Did you even test this at all?"

Vicious.

#purplecon @SparkleOps
Ouch. What happened?

#purplecon @SparkleOps
Brendan doesn't have any context!

Context means he knows what to actually look for.

#purplecon @SparkleOps
QA testing has gotten better.

#purplecon @SparkleOps
But pen testing still operates at the end with little context like... waterfall!

#purplecon @SparkleOps
Starting out means devs are surprised and there is poor handover.

Being pen tested can be scary for devs

#purplecon @SparkleOps
"Is this production environment ready for pen testers?"
"Don't worry! I turned off anything that can go wrong!"
Brendan: 😱

#purplecon @SparkleOps
At testing time we usually hand over the bare minimum.
We're not setting up our pen tester friends for success.

#purplecon @SparkleOps
How can we fix this?

Bring your pen testers into your team!

#purplecon @SparkleOps
The mindset we need:
#purplecon @SparkleOps
How do we scope the engagement?

#purplecon @SparkleOps
On-site engagement builds rapport

#purplecon @SparkleOps
Ensure you handover as much context as possible.

#purplecon @SparkleOps
Ensure you've budgeted resources for support & remediation

#purplecon @SparkleOps
Sharing is caring!

#purplecon @SparkleOps
How do we know we're getting better?

#purplecon @SparkleOps
I think @jsstott has something in his beard.

#purplecon
Bubble tea with @Sereeena!

#purplecon
I'm enjoying Mike's sticker game.

#purplecon
Now @mikeloss is telling us how to make pen testers sad

#purplecon
Who is this Mike jerk?

#purplecon @mikeloss
How to make your pen testers sad

#purplecon @mikeloss
What is your infrastructure?

#purplecon @mikeloss
Who is looking after your infrastructure?

#purplecon @mikeloss
How can we make @girlgerms happy and @mikeloss sad?

#purplecon @mikeloss
Things we can do:

Implement LAPS
Disable default local Admin
Remove passwords from GPO

#purplecon @mikeloss
What else?

- Implement a custom AD password filter
- Deal with default passwords
- Unfuck the passwords on service accounts

#purplecon @mikeloss
And...

- Kick stale RDP sessions
- set login type restrictions
- turn host-based firewall back on

#purplecon @mikeloss
- Set SMB signing to "Required"

#purplecon @mikeloss
Now for some not-so-low-hanging fruit:

- segmentation & segregation
- MFA ALL THE THINGS!
- Put vaults in the right place

#purplecon @mikeloss
If you can implement X for everyone, implement it for the people you CAN!

#purplecon @mikeloss
Security is like carving a sculpture. It doesn't happen all at once.

#purplecon @mikeloss
Now Sophie from @NZPrivacy is telling us about encoding privacy
#purplecon
Why Privacy?
#purplecon @NZPrivacy
Privacy principles:

#purplecon @NZPrivacy
Moar principles:

#purplecon @NZPrivacy
We want information to be collected in a responsible manner in a way that does tweak people's creepy trousers.

#purplecon @NZPrivacy
Privacy & security go hand in hand

#purplecon @NZPrivacy
"Nobody in their right mind reads all the GDPR privacy policies we get emailed"

#purplecon @NZPrivacy
Aim is to turn us all into "subversive privacy developers".

#purplecon @NZPrivacy
Encode privacy into your design to enable privacy by default.

Engineer and encourage people privacy options.

#purplecon @NZPrivacy
My favourite saying from Sophie:

"Delicious bucket of data"

#purplecon @NZPrivacy
Now it's @petrajane talking about securing the meaty bits!

#purplecon
Here we go!

#purplecon @petrajane
Are our systems cables and drives and slack integrations?

No. Our systems are people!

#purplecon @petrajane
We try and solve people with technical solutions.

This isn't great.

#purplecon @petrajane
If your users are so stupid why do they keep outsmarting you?

#purplecon @petrajane
How do we secure the people who make up critical parts of our systems instead of just blaming them?

#purplecon @petrajane
Why aren't things working?

As a consultant you can give them the best possible advice but they may not take it.

#purplecon @petrajane
How do we get people to understand what we're saying?

Humans make sense of their world by making connections. They might have different reference points and interpret things differently.

#purplecon @petrajane
How do we bridge these gaps in communication?

We can tell stories. Facts may not fit into their mental scaffolding in the way we imagine. But if we spin a narrative we create our own scaffolding.

#purplecon @petrajane
We think that our brains work better than computers. So we think we're better than we are at things that computers do very well.

We're very bad at maintaining constant vigilance.

#purplecon @petrajane
We need to make it easier for people to feel safe to ask questions and make mistakes. Can't do that if we insist on blame & shame.

#purplecon @petrajane
People are predictable. It's tough for people to create truly secure and unique things (passwords, etc)

#purplecon @petrajane
When things change it can be difficult for people to accept new realities.

We need to take people on the journey as to WHY the reality/advice has changed.

#purplecon @petrajane
Pukeko are thriving because they take security seriously!

Form small groups of birds that all look after the group's eggs collectively.

#purplecon @petrajane
Pukekos all take their security roles seriously and they all have a role to play.

How can we turn humans into security pukekos?

We tend to view security as a secondary (or tertiary) priority. Find out why.

#purplecon @petrajane
If you want to walk in someone's shoes, don't take their shoes! Go talk to them! Don't just imagine what they might think/feel.

#purplecon @petrajane
Security is a cost centre. Find a way to flip that and deliver real value to the people you're trying to secure.

Shouldn't be an adversarial relationship. Should be a symbiotic relationship.

#purplecon @petrajane
Find the people who are the implicit influencers and pitch them. Turn them into champions. Others will follow their example.

People are frightened of us. They think we're going to be mean.

#purplecon @petrajane
We should not try and get people to care about security. It's just a means to an end.

Small steps make us feel empowered to be part of the solution. Starts with simple gestures where people can show that they care.

#purplecon @petrajane
How do we do this right?

Security is a means to an end. We want to help make small gestures close to home. How do you secure your Facebook? Your home wifi? How do you backup?

Once they're invested, they can see the business's issues. Make everyone a champion

#purplecon @petrajane
Engaging with people is hard. But we need to be mindful.

Who am I protecting? How can I take them on this journey?

#purplecon @petrajane
All @petrajane's slides are available as a colouring book!

The slides are GORGEOUSLY illustrated.

#purplecon @petrajane
Now it's happy happy food time!

Our regularly scheduled #purplecon tweeting will resume in an hour.