lit is a user on mastodon.social.

lit @ll1t@mastodon.social

"The next song's a cover!" Me First and the Gimme Gimmes were quite great entertainment for the evening. Side note: either the Ruhr area is too small or our parent company is too big. In any case I can no longer go to any venue without meeting arbitrary colleagues. This, or our company culture is too homogeneous. j/k
mastodon.social/media/cdbkYIzd

potential for pain

Home from holidays. Missing France already. I must work on my language skills; it's fine to be able to order dinner and to actually get the vegetables I want on the market, but I'd really love to be able to have/follow a meaningful conversation in French. Anyway, taking a small skateboard with me was well worth the trunk space, also great as a 2up ride for 1 well-balanced adult and 1 child too tired to walk back to the car. Conference schedule resumes tomorrow for 2 occasions in 3 days. :/

Yesterday I played my first gig in ~15 years at a friend's birthday. Contrary to all earlier occasions, I didn't play guitar but Cajon, as the guitar was in more able hands. Got to play a bit after the 'official' part, though. We messed up the occasional song, but it was a lot of fun. 5/5, would buy again.

I have no idea how AppSecEU is going, but Allstars 2017 as a conference within a conference keeps its promise of high quality talks and at the same time a broad landscape of topics. Also: vendor logo presence yes, vendor bullshit bingo talks no.

In completely other news, weather was great yesterday and I got to ride my cruiser again after 2 weeks of rain and/or no time to ride. I've been riding double-kingpin trucks for about 2 months now. Those are 9" longboard trucks fitted to an 8.5" cruiser board; I lovingly call it Frankenboard as it looks a bit weird. However, it rides awesomely. Very narrow turn radius combined with high speed stability. I had to adjust the wheelbase a bit to avoid wheelbite. Only drawback: the board rides pretty high.

In its 2nd instantiation, RuhrSec developed into a conference worth attending, albeit to me primarily for the hallway track. I was totally tired before the conference dinner, having just returned to Bochum 1h ago, but walking into G DATA's Bistro and realizing that I knew about 70-80% of those in attendance, plus getting lots of introductions to the rest, made for a very enjoyable (and long) evening. Talk-wise I'm aware of a small minority that appeared low-effort. Let's see if we can vet harder.

For me, the 24th of April marked the beginning of a rather travel-heavy time. Missed most of RuhrSec due to other obligations last week and would have missed even more, had I not agreed to chair the last two sessions. Talks in these sessions were pretty nice and each speaker encountered a lively discussion, so I didn't get to ask most of my questions, which is actually a pretty good sign.

"Even though mammography can’t cure cancer and traffic visibility can’t cure data breaches, they can do an amazing job at providing better situational awareness. And that’s the first step toward uncovering a potential problem and enabling other, purpose-built security and analytics tools to investigate further—much like a pathologist would—and determine if an anomaly is benign or malignant. And with a diagnosis made, companies can use that intelligence to inform a follow-up course of action."

lit boosted

Still seeing infosec people asking if they should be using / can use the EQGrp exploits in pentests. Simple answer: No. That's a bad idea.

Because at this point we don't have full visibility into the actions of the payload dropper; these are obfuscated binaries that could be having other undetected actions. We've only been clawing at this lot for a week, let's give it a bit of time to fully understand them. Until then use the MSF versions and play with these ones in a lab.

I've just been pointed at "When women stopped coding" npr.org/sections/money/2016/07 I have yet to listen to that episode, but the graph on the website is remarkable. Would like to see the absolute numbers behind the percentages, though.

lit boosted

vanityfair.com/news/2017/04/te has valid points regarding culture and I generally support ditching whiteboard interviews, respectively never did them @ ADAN in the first place. However, I suppose increasing the diversity in the set of applicants one can choose from/the landscape one can recruit from is something that will take a critical mass in terms of pre-existing team diversity and time for a culture to be perceived from the outside, no?

If anyone ever does, they'll also stumble over things like computer tomographs running anything halfway stable btwn Windows NT and 7, with AV that gets signatures twice a year, when the machine is serviced anyway.

In the end, hospital IT is often just poorly managed medium size enterprise IT. Many medical devices are badly patched Windows boxes with elaborate peripherals and poorly written drivers. And not a single attacker even had the need of discovering e.g., the attack surface of protocols spoken btwn imaging devices, their backends, and basically every medical terminal in the respective hospital.

There is really no need for a sophisticated attack to own a hospital. In almost all cases where we responded to an incident in a hospital, it was the classics of IIVs: a moderately good phishing run, some attachment, a drive-by download. Rarely someone spending manual effort on an exposed terminal server, but that too. Staff in healthcare does (rightly) not have a focus on plausibility checks of the mails they receive. They tend to have a tight schedule just taking care of patients.

"Hackers can tap into one weak point at a hospital — like an unsecured wireless printer — and access the entire system." thehill.com/policy/healthcare/ Hospitals' weak points aren't printers. Rather serious understaffing, flat network topologies and consultants that just recommend (and sell) a piece of expensive next-gen junk, instead of establishing proper processes and pushing for proper infrastructure design.

lit boosted

i have seen francophones refer to tooting as "pouetter" which is a cute french word for imitating the sound an elephant makes or a squeaky toy or a squeaky bicycle horn :)

"je pouette" is "i toot" :) so cute! 🐘

lit boosted

At BSDCan, I'll be giving a tutorial "BGP for Sysadmins/Developers". This will be my first class I've taught solo.

My future intentions for this are to teach networking, and for people that know nothing about networking. I found it somewhat difficult to move from Sysadmin to Network Admin, and I want to help others cross over if they want.

Not to mention, having a solid understanding of networking will help you with computers in general.