Monday, February 10, 2014

Review: Alyssa Milano's "Hacktivist"

When news hit that Archaia Entertainment would be releasing a title called "Hacktivist", the security community let out a collective groan.  The skepticism was not abated when Alyssa Milano was attached to the project.  How can the Hollywood actress best known for her roles on the television series "Who's the Boss?", "Melrose Place" and "Charmed" write a comic about a subject that is regularly misrepresented in the media?

In truth Ms. Milano is more than just an actress and author.  She is the Founding Ambassador for the Global Network for Neglected Tropical Diseases and a UNICEF Goodwill Ambassador for the United States.  Her trips to India, Kosovo, and Angola in support of these missions have at least given her some exposure to the regions portrayed in this story.  Ms. Milano had this to say about her inspiration:
"I’m very involved with global activism and philanthropy. I like the idea of everyday people doing good.  My inspiration for Hacktivist is actually Jack Dorsey, the creator of Twitter and Square. I picture him leaving the office at night and going home, where he locks himself in his room and starts hacking to change the world. 
"I felt Hacktivist was a strong story that I really wanted to tell visually.  Doing a graphic novel allowed me to dream big and it gave me the freedom to create without boundaries."
I can't say that I see Mr. Dorsey in the same light. There's a big difference in hacking to be innovative versus attacking companies and governments.

While the comic seems to be Ms. Milano's concept she is only listed as the creator.  The story is credited to Jackson Lanzing and Collin Kelly.  Both of these authors are relatively unknown so it remains to be seen how they will influence the narrative.


The publisher describes Hacktivist as:
"a fast-paced cyber-thriller about friendship and freedom in a time of war. The story follows Ed Hiccox and Nate Graft, the young founders of the world’s most innovative social media company who moonlight secretly as one of the most notorious black-hat hacker teams on the planet. When the U.S. government discovers their operation, they must face the real world beyond the code and choose between loyalty and what they believe to be is right."
Personality-wise, the characters read as a blend of Mark Zuckerberg and Anonymous, but with personalities at either end of the spectrum.  Ed is a suit-wearing savant who would rather spend his free time memorizing traffic patterns.  Nate is a jeans-and-hoody-wearing non-conformist who would rather spend his evenings throwing a party that "makes Gatsby look like a bounce house."

"Hacktivist" is a four-issue mini-series, so the story has yet to delve into the characters' motivations, but the plot is interesting enough to warrant spending a couple of bucks on each issue.

Technical Merits

If you work in information security, don't read this comic expecting familiar jargon or novelty screenshots of nmap and Metasploit.  I doubt they consulted any experts when they wrote dialog such as, "and now they're plugging us into an onion router" and the verbal exchange depicted below:

I tend not to get too worked up about trivial inaccuracies in entertainment media (movies, television, books, comics, etc.).  The purpose of these stories is to entertain the general public who doesn't particularly care if a scene is technically accurate.  No doubt doctors, lawyers and other professionals can point out issues with how their profession is portrayed.


Whether you are a comic book reader or not, the first issue of "Hacktivist" was entertaining.  Without giving anything away, the issue leaves the reader wanting to know what happens next.  "Hacktivist" is a fully contained story with a beginning, middle and end (not always the case with comics).  If you don't like cliffhangers, you can wait until all issues have been released or wait for the trade paperback to be published.

You can pick up a copy of "Hacktivist" at your local comic shop or a digital copy at

Controversy Around The Word "Hacktivist"

Back in July (2013) TechDirt obtained one of the 500 preview copies of Hacktivist that were distributed at San Diego ComiCon. They published an article where TechDirt noted that "HACKTIVIST™ is © and TM 2013 by Alyssa Milano."  As you can imagine this caused some stir in the Information Security community.  To her credit Alyssa Milano spoke up on Twitter and directed inquiries to the publisher.  Archaia quickly followed up with a post clarifying their claim.  In it they state:
"Archaia and Ms. Milano do claim trademark and copyright protection, as appropriate, for the book, the title, the characters, and content included of The Hacktivist. However, no claim is made to other uses of the term ‘hacktivist.’ In accord with Ms. Milano’s wishes, we support the attention to the issues of philanthropy and activism."

Friday, February 7, 2014

Lessons Learned: Speaking at a Security Conference

SOURCE Boston was kind enough to take a chance on me and on April 17, 2013 I gave my first talk at a security conference.  The video was finally released this week so I thought it a good opportunity to run down my lessons learned.

I fully admit I was anxious and acknowledge I made quite a few mistakes.  I've given small presentations in the past; however, I was always the subject matter expert in the room and felt confident I would be able to speak with authority and answer any questions.  This time I was speaking in front of my peers, many of whom are wiser and more experienced than I.  Looking back I recall seeing Jack Daniel, Andy Ellis, Josh Corman, Bob Rudis and Ed Skoudis (just to name a few).  The room was small; it could accommodate maybe 50 people and there were about 35 people in attendance.  I'm not sure if this made it easier or more difficult.  On one hand, if I embarrassed myself it would only be in front of a handful of people; however, the small venue made it more intimate.

Below are the lessons learned throughout the process.  Some of these I was able to incorporate before the talk, others I didn't think of until after the conference.

Submitting a Talk:  When you've chosen a topic make sure you give yourself plenty of time to submit. Deadlines can creep up on you.  Also, make sure you follow the instructions.  One thing I constantly hear from conference organizers is that they will reject quality talks if they do not follow the required formatting.

Start Working Right Away:  As soon as your talk is accepted start working on your presentation.  It may seem like you have plenty of time but life inevitably gets in the way.  Business trips, unexpected workload and family events can consume your time.  In my case, a death in the family monopolized a significant amount of time and drained a lot of my motivation to work on my talk.

Practice, Practice, Practice:  This one should be obvious.  Get your presentation done early so that you can rehearse your talk.  If you're anything like me you'll be surprised at how often you tweak the content.  Start with a written script, graduate to note cards and eventually your slide deck should be all you need to give your talk without thinking.

Slides:  Slides should not contain your entire talk.  These should be used to visually supplement your material. This is where you can add pictures, charts and graphs to illustrate your point.  Bullet points should be high level and the font should be large enough to read from the back of the room.  In most cases a talk should be able to stand on its own so if there are technical difficulties you can continue without slides.

Dry Run:  If you have the opportunity, give a preview of your talk somewhere else.  Most cities have organizations that are looking for speakers (DefCon Groups, ISSA or ISACA chapters, local "city sec", etc.).  This is a great opportunity to practice your talk in front of a live audience and get honest feedback that you can incorporate later.  If you can't find a meeting, try to arrange a Skype call or Google Hangout where you can present in front of a small group.  You'll be surprised at how many people are willing to give you feedback.

Film Yourself:  No one is going to be as critical as you are to yourself.  Watching your own talk will help you work on your timing, get rid of the "ums" and "ahs" and get you to move about (this engages the audience and prevents you from looking stiff).  The dry run mentioned above is usually a great opportunity to film yourself.

Title:  It can be tempting to come up with a witty title for your talk.  This can draw attention and you may get a better turnout.  Just don't get too carried away.  You want people to still know what your talk is about.  In my case I went too far in the other direction.  I titled my talk, "Hacking Back Is A Bad Idea".  This gave away my opinion and may have dissuaded people from attending who did not share my view.  In retrospect, a more appropriate title may have been, "Hacking Back: Is It Right For You?"

Questions:  If you finish your talk early or plan to leave time at the end, you'll have the opportunity for questions.  In a large room you will want to repeat any questions asked.  You're the only one with a microphone and the rest of the audience may not hear the question.  In my case, the room was small enough and the discussion lively enough that I did not feel the need to interrupt to repeat comments and questions.  Unfortunately, this means they were not captured on the recording.

Hopefully you can learn from my mistakes.  I've embedded my video and slides below.

Please be gentle :)