
hello hello hello good morning good afternoon good evening wherever you are joining us from and welcome to b-sides delhi 2020 in a virtual world just like everything else in 2020 um so obviously why are we doing a virtual edition uh i think we can uh i think we know the answer to that really uh we're all stuck in our homes and uh stuck in our small bubbles and virtual offices etc um but the b-sides spirit lives on and we've not taken sponsorship this year uh as we normally do is we didn't want to uh as we didn't need to pull off a free virtual event for the for the community but we would like to thank uh support supporters
and other sponsors but from both previous events and hopefully future events uh more importantly uh so supporters such as uh esec forte uh publicist resources uh nullcon checkmarx notsosecure tufin rah infotech uh should name just a few uh we would specifically like to call out esec forte and nullcon for their continued support uh as you know we've had some events that have been running over the last couple of days already um most well not even most notably but uh something we're going to come to in a minute the cfp um the cfp review panel um actually who the people who actually uh reviewed all of the the um submissions for talks uh would like to thank them
for their time and efforts that's uh uh a scene from paella to mario from cure53 vicky ray uh from the palo alto unit 42. so thank you very much for your time and effort in deciding who we will get to see over the next couple of days so what have we got lined up well obviously we've got lots and lots of talks uh we've had some workshops and the ctf that i mentioned earlier uh so we've had workshops uh the last couple of days we've had and i'm reading from a list here so excuse me uh defending docker implementations analyzing programs through dynamic instrumentation with qbdi uh and introduction to malware reverse engineering we've also had reverse
engineering malware's targeting top routinely exploited vulnerabilities uh finding security vulnerabilities and cyber war ops training red and blue team joint operations so some pretty uh pretty serious stuff going on there i mean i didn't even understand half of half of it and that was just the titles um so uh thank you very much for those of you who were running those uh those workshops uh and i hear they went off very very successfully we also ran a ctf uh which ran for 11 hours on the 10th of october and we have three winning teams uh so we have at number three uh warlock roots at number two zh3r0 that's zero with an h a three and a zero of course we're in
infosec we like to speak like that and in first place the uh team of hcs so congratulations all the teams who involved and specifically those three uh let's see some housekeeping questions obviously we don't have to worry about fire alarms or anything like that but uh during all of our sessions today if you have questions that you want to ask during the session that hopefully we can answer or hopefully we can get the uh speaker in question to answer then put them in the youtube chat which i believe is just to the right of your screen uh of or right here i think if that's about right um so put them in the youtube chat there
will be q&a at the end and it's my job to try and collate those uh questions and see uh if we can put them to the speakers uh within the time frames of the talk uh for general chatter please head to the slack channel details uh will be on the b-sides delhi website um there will be a five minute gap between each talk so you've got time to get yourself the all-important cup of tea uh in between each talk uh and um there will be a couple of slightly longer breaks as well um and that's it for housekeeping that's it for the introduction now like every good uh every good conference things go wrong at the last
minute so we have a change to the uh published schedule uh and the first up for the first uh well now 25 minutes because i've rattled on long enough uh we're going to or i'm going to be having a conversation with a well-known uh contributor to the infosec community uh he has been an organizer of b-sides london he runs his own um youtube channels and blog sites well known he advertised the uh cissp sysp in his early days and then rebranded along with two other folks uh the system into the ci double sp uh very well known around the world uh very influential and i'm proud to say he's a very close someone i happen to know so um please
let me bring onto stage uh mr javad malik
hello tom look at that hello it's like it's magic there's people behind pulling all the strings and making the screens work and everything hello jav how are you sir i'm very good thanks i'm very good you know just adjusting to life in in lockdown slowly my room has been converted into a a man dancer everything i need for life is in here i think i can live in this room for three months if need be absolutely absolutely just energy bars in the cupboards right that's all you need absolutely good so um as many of people who are watching this will know jav and i have known each other for many many years we've both been parts of various sort of
communities and what we want to um uh what we want to talk about today is actually the importance of community b-sides is a community event uh it's it's driven by uh created managed by a community of people and it's delivered to the infosec community it's not commercially driven it doesn't have an agenda outside of education and inclusiveness um so um it's it's not just a conference in reality it's almost a movement so javad what does what does b-sides mean to you yeah so as you said i was involved in setting up the first b-sides london which uh this year it was cancelled unfortunately in london because of the lockdown but it would have been its 10th year so
it was 10 years ago that we started it off and when i started it i when i was involved in citing it wasn't just me there was a whole team of us i really thought well this is just a another conference we're doing and these are talks that maybe are a bit fringe or they're not going to get accepted to the bigger conferences so we'll just host them here but it's not about the books for me at all it's it's really about that community it allows you to meet people to get to know people to network with them and to really share ideas in in in in an awesome way and and through that you you actually
get really stronger and i i'll sort of joke slightly at your expense here tom that you know you you um you got it um for my brothers and sisters they they'll understand what i'm talking about yeah communities are sort of like a strange word a thing that you have to develop but uh the the uh the um asian community um is a community and especially when when in the uk where i've been born and brought up it's a very strong community and you know there's been so many things growing up that you know have helped from like my parents generation and who came over there first generation immigrants and they bounded together and they helped each other
so much and i think everyone's life is so much richer because of that and what what you find is that it doesn't matter where someone's from it doesn't matter their background their education their religious beliefs or what have you but what what happens is that people connect on that intellectual level and that's what forms the community is that it breaks down all those boundaries of race and and uh religion and geography as well uh and and you know this is what i think something like b-sides or the security community really enables you to do and i i think you're aware as well that you can travel almost anywhere in the world and you can say
hey i'm here and you can connect with the local security community and it really makes you feel like it's it's a home away from home and um it's it's such a powerful thing so so that's why seeing things like uh b-sides all around the world crop up like like like here i think it's it's it's something we shouldn't take for granted it's something we really need to work on because it's it's such a fantastic opportunity no absolutely absolutely and i think i think the culture of b-sides as well it what it does it's not a generic conference that seems to just travel around the world it's a conference that actually absorbs the culture in which it was
in which it's hosted uh if you go to a a b-sides in san francisco or las vegas versus the b-sides in london and versus the b-sides in delhi they're very different conferences sure they have a common framework underneath but they are imbued really heavily with the local culture and that's the beauty of of b-sides is actually it's flexible enough to embrace a local community and help build its local community rather than just trying to say you need to be like us in this country where it started you're absolutely right you're absolutely right i think it's so important for people to to understand is that what you're building here is not to emulate anyone else don't try to be like
anyone else you you own it and and bring your own richness and value to it because that's something that is nowhere else in the world and i think if you if you you know if you try to imitate someone else then you're just going to be a cheap copy but you know you you want to be your own original self and there's there's so much value in it and you know it's one of those things and and tom knows because he's a lot older than me and most most of everyone i call him uncle tom most of the time but um hey uncle there's respect there there's respect there yes um so um you know it's it's one of those
things where um i lost my train of thought as you get older you you realize the uh oh i completely lost what i was saying there i'm so funny that i just forgot what i was saying what was your friend tom we got you on here because you're a professional jav but i tell you what let's move on i mean let's let's talk about some of the key parts of how you can be a part of the community and why it's important um i mean we've obviously chatted about this before we we talk about this you know we we chat virtually every day anyway you me but um you know when we when we're talking
seriously and not just telling each other jokes but you know we're talking about the power of the community you know what are some of the things that you know the actionable things that people out there could actually do you know that they can actually you know i want to be a play a bigger part in this community i want to do more i want to whatever what what are some of the things that we can actually um you know do today do tomorrow so i think the first thing to bear in mind is that uh communities typically they're not like your government if there's not a leader and a structure and followers or like an organization it's
not like that i think everyone equally uh needs to recognize that you can play a part an active part and you can shape and mold it you don't need to wait for permission or or uh or go through approval processes to do stuff so i think what one one is a thing of self-empowerment um you know so if you see something that you think ah this isn't working very well then don't try to write a petition to the whoever you think is in charge of stuff to do it just say okay what's my plan how am i gonna go about it what are things we need and then go to people and say hey this
is what i'm doing uh let's make this happen and as long as it's for the benefit it's not something that's detrimental to people it's not something that disrespectful or something people will help you you'll find your you you build your tribe so so i think number one is take taking that ownership taking that uh uh being empowered and and taking accountability of it um i i think it's it's also important that um you you invest within the community uh and that is means that you don't just show it once a year to a to a b sides and listen to some talks and go home and think that you're you're part of it i mean that's fine for some people but
um you know you really need to be part an active member within the these discussions and you need to put forward ideas and it doesn't mean you have to spend like you know 10 hours a week on this or anything like that it just means it just means you're there when it matters and you support support there the people who need it and you you you reach out to to others and you share the ideas and and you facilitate things that happen i mean this is really how how it all works this is how it all comes together and this is where you really get the value from yeah absolutely i mean really the the
the power of the community is or something like b-sides delhi there are a few sort of headline people of course there are we you know we'll certainly be mentioning them and thanking them up through the course of the of the two days but you know and it takes a lot of effort to do that you know you say 10 hours a week well actually probably in the last few weeks these people have probably been putting in about 30 or 40 hours a week plus their day jobs right but uh you know and it's great that that we have people and it you know we must we're really thankful that we have people that are dedicated
and passionate enough to do that and there are benefits that come with that as well obviously but but there are such small parts that people complain um the example i forgive is okay so you might be very new to security you might not have any you know enough experience or at least you think you don't have enough experience to contribute to a talk or whatever but you can still volunteer you can still volunteer to you know in a real event you know to set out the chairs to organize the catering to to do everything like that if you're a photographer if you're like photographer then be the b-sides photographer it doesn't even have to be infosec related
you're contributing to um to the event etc but the but the the other benefits are the people you will meet during the process of that organization that you know and actually frankly the the seniority if if that's the right word the seniority in the infosec industry that you will come across and be treated as an equal and be you know and and have access to that person's you know advice and thoughts etc will be unparalleled to virtually any other activity you could carry out yeah yeah exactly and you know i i when i first met tom i didn't think he'd ever treat me as an equal but hey today he does and well well maybe in about a year or so i don't
know when you're up to standards yes once you could stop getting me to carry your bags no but i have a lot of bags yeah very expensive bags but but no you're right um uh go go into this place so i i don't know if you you were part of that tom but after the first b-sides uh london where a few of us actually you know you get to know people and you you just get to know who which people you like as as friends as well or who you want to hang out with and there's a group of about 10 12 of us we'd ended up meeting up like you know over you know just maybe once or twice a year
outside of any conference just for a dinner or something like that and it became such a good thing and over the years i mean this was like i'm talking about 10 years ago nearly all of those people have progressed in their careers they're at senior places and what have you and today i know if i need anything about anything just just two days ago i needed uh some help with some 3d printing project and uh i i got in touch with someone who's the head of security at a at a 3d printing they have their own big lab there and i said hey mate working on this and he goes oh yes no problem ask them to send me the the file drop my
name and i'll get this printed and shipped off to you and and today it seems like oh you're so lucky you're well connected um but it's not like it's something you work on over a long long period of time no exactly and in fact uh you know we were talking before that uh i met you it was actually the second b sides yeah um you know it was the first uh first time i spoke at b-sides in fact it was the first time you spoke at b-sides as well uh and you know we we started to hang out and and get to know each other and as a result as i said you know setting up an event like this
you're always throwing a few surprises last minute and a few speaker cancellations um but i knew i was able to get on the phone to you and say hey jav can you do you know can you help us open the the conference tomorrow less than 24 hours notice um you know and uh um well and thankfully you said yes uh i mean obviously our first choice you know a person that i contacted couldn't make it so you know and second third fourth and we finally landed with you but uh but no no no i'm joking by the way folks um but um but the point is actually as you say it seems like almost luck
or oh yeah look at you you're so well connected but actually it's it's through um events like this it's through connecting with people and communicating with people and all that sort of stuff and actually generating that network that's important one thing um one thing i want to talk about is the community is not just b-sides the community is everything else around it you know what what are some of the activities again folks who are in the audience what are some of the activities that people could actually you know potentially do or just a simple a few simple steps that people can do to to you know help not only contribute to the community but feel that they are part of it
uh personally my my biggest thing that i i found has worked for me and i've been doing it for like 12 14 years is a set up your own blog somewhere and share your thoughts and yes and don't ever think that your thoughts aren't valuable even if say this is your first time attending a conference and you're at b-sides for the first time um write down how you felt say first time i had no idea what to expect i was nervous uh this was good this was bad i will or won't be going back next year and just put that down as a blog you will find so many people will read that and say you know what i felt exactly the
same way or maybe one of the organizers will read it or maybe one of the speakers will read it and say hey thanks for that feedback that was really good um let's have a discussion let's catch up what have you yeah and and the more you do that so so i i really believe it uh in in you know it's just so cheap and there's really only the time investment is needed in you can set up your own uh blog you can create a podcast with with a couple of other people you can uh record a video on your phone and you can post it on youtube or social media or of some sort um but but i think like that the more
you you give out the more you'll start getting back in return and what you will start figuring out is things that you're good at and things that you're passionate about and and and that will really help i mean i i started like making youtube videos about 11 years ago or something and it was only because i just really enjoyed watching youtube uh back in the time and i thought oh let me start making some some some videos that are comedic or just a bit chilled out but talk about information security in certain ways and that alone opened so many doors for me because people got to know me and they'd send me feedback even if it
was like hey you were completely wrong in that video i'd be like oh okay thanks for that can you help me learn how or point me in how i get better at that so i think sharing information is is is i think one of the key things but i think i think again one thing here is you're absolutely right because one i think the actual process of writing a blog or creating a video or making you know building some kind of content creating something allows you to formulate your own opinions about things and allows you to formulate their own thoughts that doesn't mean that they're set in stone it doesn't mean that they can't be
you know wrong or just not right um but it allows you to actually formulate those thoughts and order those thoughts in your head and actually realize where it is that you stand on certain subjects be it encryption vulnerability testing risk or even business continuity it doesn't matter what what it is um but the the flip side and again something we've spoken about before is it's about the quality of that content you're producing not the quantity whilst it's you know there's a certain truth to just write it and get it out actually try and put a bit more thought into it and not worry about how big your audience might be for instance um you know and i'm sure that's
something you you found early on as well oh yeah definitely it's it's it's what what you're looking at is in there's a world of technology and then within technology there's information security and then with information security there's a specific field that you're you're interested in or you're good at so it's always going to be a very small uh fishbowl that you're that you're operating in but that's good uh i don't think there's anything wrong with it it's not an industry where you're going to get millions and millions of viewers on on your videos or your or podcast downloads but but that's not what you're that that shouldn't be the metric that which you're measuring by
uh success by it's it's it's all about quantity uh quality sorry as opposed to quantity and and again going back to the the regional aspects of of it um you know there are so many smart people all around the world um we shouldn't always just blindly rest and rely on some company sitting in silicon valley to tell us what is right and what is wrong or how we should be doing security because they don't understand your culture they don't understand your constraints you they don't i remember years ago you know this conversation someone's like oh you know we people should never share passwords they should never ever share passwords that that's you know that that's just wrong
and you should just make it policy and okay in certain countries that's fine if so if you're in the uk that's fine everyone's quite private and personal about their affairs and everything but i said if i went you know to to india or pakistan or something and i said uh and my and my mom or someone comes to me and says like give me your phone what's your password and i said i can't tell you because of security i'm going to get a bottle chopper over my head yeah but she's going to get the luckily out yeah exactly exactly so i think even just writing about constraints that you feel or or doing a gap analysis against like
what what um a certain international standard says and the challenges in implementing it and trying to figure out what are right ways or wrong ways to go about it i think even that is just super valuable so i think it's whatever you want to dive into you can and whatever you produce will be of value to to someone out there yeah and but the overarching thing here is be respectful there's you know there's enough uh toxic people in any community to ruin somebody's day don't be one of those people be respectful across the board now we've got just a few minutes left and i want to i want to move on to you know the last point um we
talk about this a lot i think you and i are certainly very passionate about this about the storytelling aspect um and actually you know our whole lives are influenced and we're educated through stories and the same is very true of infosec and the communities that we operate in so what's what's your view on on the role of storytelling with the community i i think for for me personally i think it's the absolute um underpinning of everything um you know it's just think of it like this you you go to a talk and there's some young 20 20 something year old guy there wearing ripped jeans a cool t-shirt and he's there and he's saying look how
great i am and i was able to break into this this system and look at me yeah and and okay technically you might learn a lot technically he might be fantastic but you know there's an attitude and a story there that doesn't always resonate with people um you know what's far more useful is like to to you know you can explain that same technical you can explain that same technical process through like the story which is like what are the challenges how you overcame them what was good about it how it made you feel you know introduce some humanity into into it and some uh personality into it and that's what people will remember they'll remember
more about that and they'll remember you more like that than as opposed to someone look how great i am i was able to to hack into so and so things and i think b-sides being in india it's a great example like um you guys have bollywood over there that it's it's one of the best um it's one of the best storytelling machines out there in the world i mean when you break it apart what what is a story it's uh you know you can you can take any bollywood film i i suppose like growing up you know boy loves girl parents uh you know parents don't agree they they run away there's some fighting and they they
live happily ever after you missed the dancing yeah you missed the dancing yeah but that's not why you go to see a film is it it's not because you know because you know what to expect you know what to expecting that it's the story it's like how they meet how they interact the dialogue the the the the the songs the the colors the everything that's what pulls you it's emotionally it drags you through and i think that's something in in security we could really learn a lot from from that so if you can i'm not saying make it all dramatic and you know have some fights and uh you know work out like salman khan or anything like that but you know make
it something that's interesting make it something that people can feel like they can relate to yeah and uh you know and be be inclusive in your stories uh i think that really hits home brilliant brilliant i think that comments about uh the cool t-shirt was definitely directed at me jav i'm afraid to say um you know uh my mind's mine's not corporate so uh anyway jav thank you very much for your time uh this afternoon morning evening wherever you are um really appreciate your insights i hope uh everybody watching actually has learned something from this even those who are you know deeply embedded in the community anyway so javad thank you very much indeed and
what i'll speak to you later mate thank you so much tom okay we are swiftly moving on now to our first session