Blinging Your DefCon 27 Badge

It’s the start of DefCon 27, which means that hackers are figuring out how to wear the official DefCon badge. This year’s badge has been much easier to wear than the famous record of DefCon 23, but many attendees have found ways to wear it beyond just the standard lanyard attachment. Here are some great versions we’ve seen so far. If you have a creative way you’ve set up your badge, please send it to us at VanitySec!

An improvised bolo tie:

And here’s the wrist watch variation:

And a bedazzled badge!

Physical Pentest Wearables: Picks and Keys

Lock picks never go out of style. This article will provide options whether you want to look stylish or keep your tools concealed.

#1 Handcuff Earrings

#2 Uncuff link (see what they did there?)

#3 Angle Wing Shim Earrings

#4 Hidden Handcuff Key Clasp

Works great with paracord bracelets (as seen below in action shots)

#5 Escape Bracelet

This gummy bracelet can fit up to a 10” wrist but can be cut down to fit any size wrist, including child size wrists.

#6 Collar Stay Picks (coming soon)

Keep an eye on Colin Jackson’s Twitter account (@d1dymu5) for when these bad boys will be released on Kickstarter.

#7 Clothing Clip

#8 Escape Ring

#9 Bootlace Handcuff Key

#10 Lockpick Earrings

#11 Hidden Bogotas

#12 Patch with a hidden secret 

#13 Zipper-Pull Covert Handcuff Key

#14 Acid etched stainless steel chandelier lock pick earrings

#15 Bracelet Wallet

Action shots

WearableLP11

WearableLP12

WearableLP19

WearableLP13

WearableLP20

WearableLP21

Special thanks to all the awesome hackers who gave their input for this article: @darksim905, @JimyLongs, @SynapticRewrite, @dontlook, @nite0wl, @d1dymu5, @deviantollam, @Cannibal, @hacks4pancakes , and @3ncr1pt3d

What to Wear When You Don’t Know What to Wear

Do you have a big presentation or meeting coming up? Figuring out what to wear in infosec can actually be quite the challenge. For some of us, the stress over what to wear may even outweigh our concerns over our research or presentation (which we know is rock solid!). We want to be taken seriously, and unfortunately we still exist in a world where how we dress can undermine the content of what we say and how others perceive us. Most guidance I’ve received tends to focus on what not to wear: never wear a skirt; always wear my hair back; don’t wear high heels; only wear neutral nail polish. It has taken me years to push aside the range of guidance that would have me dress like a man, while also recognizing the different nuances that do matter.

In many cases, the distinctions come down to differences in academic, government, or security industry settings, each of which has an extremely different workplace culture that influences the proper attire. It’s impossible to cover them all, but if suddenly you find yourself entering unknown territory for a conference, job talk, or interview, here are some quick tips for maintaining your own personality and style while respecting the unique characteristics of these settings.

Academia

During the day-to-day of the school year, almost anything goes for academics. Where academia becomes tricky is if you’re making a first impression. For a job interview, you should be one of the best dressed in the room. That may feel awkward, but in reality it gives you power. It signals your expertise, and that you are serious about the position. This doesn’t mean you need to go full-out boring, or dark and formal, but more so your favorite suit would be a better choice than your favorite jeans. The jeans are fine once you have the position, but generally aren’t appropriate for a job interview.

Unlike the job talk, academic conferences don’t necessarily require the suit, but for the presentation itself, it again is better to err on the side of dressing up. Choose a dress, or pants or skirt and fitted jacket, which is what I chose (pic below) at a recent conference. The outfit should not be overly formal or stuffy, as that can be perceived as infringing on the academic pursuit of knowledge, but you still need to emit a professional vibe. When you’re not giving the presentation, it’s generally fine to network and attend talks in more casual leggings or jeans, dressed up with a blouse or jacket.

what-to-wear_image3

Finally, if you are visiting a school to talk to students, and are representing your company or the infosec community, it can get a little tricky. The classrooms are casual, but at the same time, you still want to look put together and not get confused with the student who just rolled out of bed. Company shirts or sweatshirts are acceptable in these situations, but try to pair them with nicer jeans and flats.

Government

Almost a year ago, The Atlantic wrote a great style guide on what to wear when working for the federal government – but it was all from a male’s perspective. I could easily have used something similar years ago. The government is not monolithic, and the environments vary depending on federal, state, or local levels as well as departments. Since I know the national security apparatus best, I’ll focus on that. The Pentagon floors can be a challenge for heels (especially the ramps!), but it doesn’t mean it’s impossible. You’ll be in meetings with everyone from four star generals to contractors to civilians, each of which brings a range of styles. Generally, a suit is most appropriate in these situations, and you can then personalize it with various accessories and colors (Olivia Pope’s style is a good case in point, or check out these ‘cyber warriors’ for a range of ideas). As in all situations, don’t shy away from your individual style, but remember that most of these organizations likely have a dress code, and you should respect that.

However, context and purpose matter and should guide your fashion decisions for government outings. If you’ll be in day-long meetings, or running an all-nighter training exercise, comfort may be the most important factor, but do still keep it professional. Interestingly enough, the farther you get from DC, the more these quick rules of thumb change, especially OCONUS. I had meetings in Hawaii, where most of my colleagues wore their favorite Hawaiian shirt and khakis. Conversely, a trip to the Ministry of Defence in London required more formal attire. Basically, geography has a strong influence on what to wear in the government sector. To see how govvies dress at cons, check out the picture below for this year’s Meet the Fed panel at DEFCON, where women comprised 75% of the panel! In general, when speaking at government conferences – whether in Tampa or Dayton or Newport – business casual is often a safe bet. And if you’re making an appearance on the Hill, step it up a notch further for business conservative, but be sure to maintain individuality among the sea of dark suits.

what-to-wear_image1

The Security Cons & Tech Meetings

As in the other situations, geography and attendees guide what to wear at these conferences. For the security cons, each has its own unique characteristics. For instance, the BSides conferences (such as the picture below, my colleague Amanda Rousseau) tend to attract practitioners, so this is the place for anything edgy that you love, or you can never go wrong with your nerdiest infosec shirt and jeans. On the other end of the spectrum, if you’re representing your company at a talk at RSA, this is a much more corporate environment. Business casual is a good rule of thumb, but if you have a suit that you love and nowhere to wear it, RSA could be the place for it. For any of these, I personally would add shorts into the section of what not to wear if you are giving a talk. I’ve seen this before, and it quite frankly seemed like the speaker was prepping for a barbecue, not a tech talk. Similarly, other than RSA, unless you want to throw off the ‘spot the Fed’ game, you can keep your suits at home.

what-to-wear_image2

This is generally relevant advice for meetings in the tech industry as well. I had a friend with an academic/military background who had a security meeting in Silicon Valley. She was surprised when I recommended she wear jeans, which could still be dressed up with a blazer and heels. When she returned, she was thankful for that advice. In some situations, wearing a formal suit is actually a distraction.

In general, there is one consistency across all of these environments – they tend to be overly generous in the use of air conditioning. If you’ll be sitting all day, bring a hoodie, jacket, pashmina, or whatever extra layers you need so you don’t have to constantly run outside to warm up.

I refuse to accept the assumptions that unless I abandon my own identity, my research, presentations and publications will not be taken seriously. At the same time, it is essential to take into account geographies and settings and their nuances. The key is to absolutely remain true to your own style, while respecting the unique characteristics in each of these environments. Most importantly, prep your favorite circuit board nails and get ready to rock the outfit that empowers you.

We Are Not What We Wear

Within the InfoSec community, we have numerous diverse positions. Some require formal business attire on a daily basis. Several only necessitate this form of dress when we are client facing. With still others, it is never relevant what we wear outside of the hiring process. Our outward appearance for professions is based upon the established dress code, be it official or simply a social expectation dictated by the definition of the situation. When we move towards styles chosen for conference attendance, we get to see the preferred manner of dress. We see largely three camps when it comes to these gatherings: the Casuals, the Suits and the Adaptive. In public settings, the deviant manifestation is that which clashes with the set norm. However, during conferences we have two sets of social norms, each with interesting clashes. I should note here that, in this context, I am only considering the manageable fashion: style of dress, hair, makeup, accessories. This does not consider the range of appearance that an individual has no control of: skin color, deformities, gender, attractiveness and so on.

Our superficial style communicates for us long before we ever articulate statements in a conversation. It has long been used as an external technique of establishing in-group members, even when they are a stranger to us. This likewise influences the definition of the situation regarding how others carry themselves and interact with us. When the other person does not verbalize their acceptance, we must gauge what they perceive. When we enter a new situation with others this is the only choice the individual has.

I feel the need to define the Casuals, as many within this camp can be extravagant in their appearance as well. This includes everything from the jeans and tee-shirts types to those donning vibrant hair, costumes and so on. The “comfort is key” crowd all the way to the “let your freak-flag fly” crowd and those in between. Absent the typical hacker personification of the black hoodie, these are the types often imagined when outsiders hear the word “hacker.”

Due to the diverse nature of this category, those within it are often adept in dealing with the negative interactions in traditional societal settings. The jeans and tee-shirts types tend to blend more in conventional society, as this is considered norm for the “working class.” The more extravagant personas often have a more challenging time in customary social settings as they are deviating from the set norm. Those in this subcategory are often met with reactions ranging from glares to mocking to physical violence, based solely on their appearance. The more one deviates from the cultural norm of fashion, the harsher the reactions become. All within this category will be determined to be middle class or below by out-group members regardless of what their income may be.  The jeans and tee-shirts are often regarded as more approachable while the more extravagant types are more likely to be avoided by society’s “normal.”

During conferences, the Casuals, regardless of where on the spectrum they lie, are considered approachable and are inclined to feel more accepted in the setting. Interestingly, in many cases the Suits will view this group as more of the hobbyists than professionals. Others who are not conference attendees, yet share the space through coincidence, will react as they would in any other setting, though they are often shocked by the sheer number of this type.

The Suits require less definition than the previous. It would be business or formal attire. In traditional public settings, this group would be viewed as middle-upper to upper class citizens and treated as such. In day to day lives they are afforded a higher level of respect than others. Often, their outward appearance dictates an interpretation of them being an “important” person and presumed to be constantly “busy.” These are more likely to be approached less in a common setting as others will interpret themselves as lesser than the Suits. An exception is that this group is more likely to be approached by homeless as they will be viewed as having the means to give freely.

A curious shift is seen during conference attendance as The Suits are often viewed rather harshly. They can frequently be seen as “sell-outs,” viewed as less approachable and are often targets during “spot the Fed.” However, this group blends more easily with the coincidental others in the conference areas. More than likely not being associated with the conference itself. The external style of this group does not make them any less of a hacker than the next, but it is often interpreted as such. The Suits are also regarded as “intimidating” by the Casuals, even when they do not openly admit it.

As one example, I look back to my first Defcon. I had brought a fabulous dress and had intended on going full glam. However, I was advised against doing this as it would make the others feel uncomfortable. That Defcon, I heeded the advice and remained in my casual attire for the duration. Though, that eventually changed and I opt for semi-glam at the more recent events, there were some noticeable reactions but nothing too unreasonable. I do however, see the common social avoidance and hear the whispers about being a groupie (regardless of the glammed person’s actual technical abilities) or other equally pejorative comments. This cattiness derived from our own insecurities is something that we need to work on.

While anyone can change their outward appearance by simply changing their clothes, hair, and accessories; many fail to be comfortable with that switch. This discomfort becomes painfully obvious to others. Of course, this is not to say that the individual does not make minor adjustments to become more accepted, they just cannot “sell” the persona that they are attempting to externally exhibit. Those successful in their switch go unnoticed between the two groups, these chameleons are the Adaptive. This is well practiced among the social engineers within InfoSec and known as part of their pretext. Given, this is simply one element of “playing the part.” This is a concept that the Adaptive understand, be it naturally or through conditioning. This group easily transitions between the two, experiencing aspects of the positives and negatives associated with both the Casuals and the Suits. However, they choose to be viewed in either way. They are acknowledging the perceived view of the other, internalizing it and then accepting or rejecting it.

Humans, in general, place a dangerous amount of judgment on the outward appearance. When you consider the fundamental aspects of preconceived beliefs and prejudices that every person in society carries with them, you start to place more weight on those types of decisions. This aspect is how we react to each other’s attendance based on superficial appearance. Our community houses some of the most intelligent individuals; they just may not wear what you would expect them to. How can we keep it balanced so that we draw some information from the visible, but the majority from the inner being? Whether they are rocking their favorite hacker tee, their best Louis Vuitton or just some cat ears, try to see them for who they are, not what they are wearing. Whether we are entirely casual or full glam we should be accepting of each other. We need to curb our own biases on how a hacker should look. The media does that enough for us. At the end of the day, we are all just naked. There are no in-group markers, no out-group shaming, just…us.

Best Leggings for B&E

The fall season is upon us and it’s time to think about keeping warm during physical engagements, without sacrificing style. Here’s a roundup of the best leggings for scaling walls and crawling through ventilation ducts.

MeMoi offers over a hundred styles of durable leggings including shaper, capri, sequin, lace, pocketed, and more. Cute, fashionable, and practical for those quick trips to the data center.

Lululemon offers tons of rugged styles (both leggings and pants) sure to match nearly everything in your closet. Flatters most body types while offering durable flexibility for those long crawls over ceiling tiles.

Ashmei leggings feature comfort and thermo-regulation around the thighs, and a compressive, water resistant nylon on the calves. A phone-sized rear zipper pocket provides storage for a lock pick kit.

ZVD x SP Galactic Leggings: the go-to for the girl who loves to break into buildings (with signed authorization, of course), these leggings are breathable, sweat-wicking and UV protective. An all purpose legging that won’t cause chafing when you run from security.

Saucony tights in either women’s or men’s cut will keep you warm while wicking away sweat, and have a pocket big enough for your RFID cloner. Cutest when paired with empire waist top or dress, and sure to get you past the guard with all your concealed gear in tow.

Stay warm and be safe, and remember to keep a signed authorization on you at all times!

Fall Bags To Conceal Your RFID Reader

Look stylish while operating an RFID reading device? Yes, please. These bags are some of Fall’s cutest styles in a range of sizes. Whether you’re utilizing an RFIDler, Proxmark, or your own custom reader, you can keep it hidden while looking chic.

#1 TOM FORD – Large Alix Tote Bag

#2 Alexander McQueen – Glitter Ombre Flat Knuckle Clutch Bag

#3 kate spade new york – Watson Lane Hartley Backpack

#4 MICHAEL Michael Kors – Sylvie Stud Large Satchel

#5 Fossil – Kinley Small Crossbody

#6 Charming Charlie – Tassel Grommet Hobo

#7 Loungefly – Disney Villains Tattoo

Shout out to Kateo (@vajkat) who successfully read and cloned her first card this week ❤ You go Glenn Coco!

Cute Hand Warmers for Debugging

If your hands are always glued to the keyboard either coding or debugging, chances are they are probably freezing in your tech company office. Here are 8 quick removal hand warmers that are not only functional but fashionably reasonable.

1. Portolano
Fox Fur Pom-Pom Honeycomb-Knit Cashmere Fingerless Gloves

2. Valentino Studded Gloves

3. ASOS Lace Cuffs

4. Coco’s Closet
Faux fur fingerless mittens

5. Short Black Lace Fingerless Gloves

6. Pale Petals

7. Fingerless Glove with raccoon fur Pom Pom

8. Black Sequin Fingerless Gloves