Monthly Archives: August 2019

Badges from security summer camp

Hacker Summer Camp 2019

Another Hacker Summer Camp is in the books. As always, there was a lot to see and do – more than any single human could hope to fit into a month, much less a week. Even so, I made it to Black Hat Tools Arsenal, BSides Las Vegas, DEF CON, and volunteered for the Diana Initiative. After a year and a half of working on the Security Roots team, I met Daniel in person and we promptly started talking shop in the middle of a Mandalay Bay hallway. I took a few hours to celebrate a milestone with a fantastic dinner and show. All of that in six days and though it was exhausting, I can’t wait to return.

Daniel and Tabatha snuck into this photo late. Photo credit to the Black Hat Tools Arsenal team.

My introduction to the hacker community was at BSides Orlando a few years back. Initially, I admit that was a bit intimidated to attend a hacker conference. Portrayed in the media as egotistical superbrains or criminals hiding beneath black hoodies ready to drain your bank account, hackers aren’t presented as a welcoming bunch. While those elements exist, what I found there and continue to experience was a group of people eager to share their knowledge and answer my constant questions. The energy and collaborative spirit of the community had me hooked. I was hungry to learn more and later that same year, I volunteered at BSides Las Vegas.

BSides Las Vegas

This year I returned to BSides Las Vegas as a volunteer with the Diana Initiative. Thanks to the generosity of BSides we had an early check-in table for Diana attendees. Much of my day I spent sharing details on the Diana Initiative from how it began, where to find tickets, to how to get involved. The overwhelmingly positive feedback was supportive of the need to increase diversity in information security. I didn’t much chance to check out the talks but there are a few on my list to watch.

Black Hat Tools Arsenal

Daniel presenting at Black Hat Tools Arsenal 2019

Black Hat is the corporate side of the whole week and had a slightly different energy. I joined Daniel for the Dradis presentation at the Tools Arsenal. In my mind, I would show up in my Dradis shirt, hand out a few stickers, and take pictures of Daniel showcasing Dradis CE. Once there, I embraced the opportunity to chat with customers and talk with people about Dradis. I found myself repeating, “If it has been a while, give Dradis CE another look – so much has changed.” 

DEF CON 27

Welcome to DEF CON 27

It can be challenging to make connections at a conference this size. Unlike other large events I’ve attended, smaller distinct groups within the con space allow you to focus your attention and find like-minded folks. No matter your interest, there is a group. There are villages, workshops, talks, meetups, parties, and one of my favorite spaces – hallcon. Finding someone to talk to is pretty easy since #badgelife has most attendees wearing roughly a pound of gear on a lanyard around Las Vegas. This year’s DEF CON badge game worked particularly well to strike up hallway conversations while asking to “boop” someone’s badge.

Tabatha’s badges. A small amount compared to some.

Our staff pirate Christoffer’s post piqued my interest in maritime security, so I made it a point to stop by the inaugural Hack the Sea village. There was a good bit of discussion about the security of our seas even in casual conversation outside of the village, ranging from ICS to the antiquated technologies observed or used onboard. I visited the IoT village long enough to swear off of my existing IoT devices (but not really). While I was there, I cheered on friends that were competing in the IoT CTF.

The evenings held additional opportunities to connect with other attendees, just as varied as the talk and villages. Who doesn’t love a blanket fort? Blanketfortcon has you covered (see what I did there?) with an adult size blanket fort and bounce pad. Hacker Jeopardy is always hilarious, but I laughed the hardest during “Whose Slide Is It Anyways” watching contestants present using a slide deck they had never seen. Parties ranged from bass-thumping events going long into the early morning to more subdued gatherings with board games and great conversation.

Diana Initiative

If I am up at 6 am in Las Vegas, it is for one of two reasons; I am still up from the night before or I am volunteering somewhere. These days it is 100% the latter option, and I was excited to join the Diana Initiate staff to run registration. It turns out I particularly enjoy running registration and check-in, which I can only attribute this to having a generally sunny disposition and a love of spreadsheets. After months of hard work with the rest of the team, it was a gift to greet attendees, speakers, and sponsors and to witness their excitement for the days ahead.

Lodrina Cherne and Tabatha with MaliciousLife swag for Diana Initiative. Photo credit Lodrina Cherne

Diana Initiative has grown from its initial years held in hotel suites and for the first time organized convention space at the Westin. This year Diana Initiative had 65 speakers across three tracks that covered both technical and non-technical skills, several villages, and a CTF. It was a nice break from the noise and crowds of the DEF CON and fostered a welcoming environment for attendees, many at Hacker Summer Camp for the first time. The quieter gathering, smaller size, and inclusivity made for an inviting atmosphere to new faces and established security professionals alike.

Do the thing.

Attending camp this year felt different than my last visit. There are noticeably more women in attendance, to the credit of organizations like WoSEC, WISP, Women’s Society of Cyberjustu, and Diana Initiative. There was plenty of evidence of the work that organizers and volunteers have put in to create an inclusive and safe week including the DEF CON support hotline and improved Code of Conduct. It was incredibly inspiring to connect with the many people that are elevating diversity and bringing change in this fantastic community.

Throughout the week, everyone I spoke with remarked that there is room for everyone in information security; quoting struggles finding qualified candidates and too-large workloads. Increasing the number of women not only brings more workers to the industry, but each person brings a unique lens to approach privacy and security challenges. No matter who you are or what your background, consider this your invitation. Show up, do the work, learn the things, and take your place. And then, share what you know. See you next year!

Tabatha at the Diana Initiative after party.

New in Dradis Pro v3.4

This post references an older release of Dradis Pro. You can find the most current version here:


Dradis Framework is a collaboration and reporting tool for information security teams to manage and deliver the results of security assessments, in less time and with less frustration than manual methods.

Node Methodology

Add a methodology to a node containing the details appropriate for that node type. Create and apply methodology templates to ensure everyone on the team knows the next steps for that node. Project methodologies are still available; these new methodologies bring the same consistency to nodes.

Merging Nodes

If you have ended up duplicate nodes in your project, you can now merge them and preserve any findings related to that node. The new node merge action moves all associated Notes, Evidence, Attachment, and Activities from the source node into the target node.

Highlight Inside Code Blocks

Call attention to the most important details within a code block. Wrap the section with $${{ }}$$ to highlight it in yellow. The highlights transfer to your final report using styling updated in your report template.

Collapsable Sidebars

If your project has a long list of issues or attachments, it can be unwieldy to quickly access the import fields at the bottom to add more. The sidebars are now collapsable using the chevron at the top of the list and are expanded by default. Issues, Report content, and Nodes received this UI update to help you move through a cleaner interface.

Release Notes

  • Allow nodes to have an associated methodology
  • Highlight code snippets.
  • Better new board form empty name handling
  • Fix migration paths during database setup
  • Collapsable sidebar in issues
  • Collapsable sidebar in report content
  • Better placeholder syntax in Issuelib
  • Contributor dashboard redesign
  • Fix screenshot validator when Textile screenshot links have captions
  • Add Node merging feature
  • REST/JSON API:
    • New coverage: Tester users
  • Word reports:
    • Add CodeHighlight style support
  • Add-on enhancements:
    • Nexpose: Add risk-score attribute to nodes
    • Nmap: Add port.service.tunnel field to the port template
    • Remediation tracker: tickets can be assigned to testers and contributors, and contributors can see their tickets too.