Posts on Guy Barnhart-Magen

Pwrful Presentations

Fri, 10 Jun 2022 00:00:00 +0000

Making Powerful Presentations

I recently gave a small talk to the 2022 BSidesTLV speakers on how to make powerful presentations, unfortunately i did not record the session but i am sharing the PDF here for everyone

PDF

Keto

Mon, 14 Feb 2022 23:16:40 +0200

My Keto Journey

I have been on a Keto diet for the most part of the last two years (starting at February, 2020). While this has not always been easy, and I did occasionally fall og the wagon - i am happy with the journey and the results.

In the past, when i first tried the keto diet, i failed. I could not find the time and effort required to be prepared for a fully ketogenic diet, and as such, failed to adhere to the principals.

Hamagen App

Tue, 24 Mar 2020 00:00:00 +0000

Well, that blew up…

I decided to write a blog post to describe what we’ve done at Profero with the “Hamagen” (shield in hebrew) application, and I ended up writing an article. I translated it, and I am including it below.

We also gave some talks, webinars and posts relating to the app, organizing them all below

This article is also cross-posted on Medium

A million downloads in 4 days: How was the “Hamagen” application developed

Nothing about the development process of the “Hamagen” application looks like a development process in a government agency, starting with fast, agile development, including well-known privacy and security experts or ending with releasing the application as an open-source project. Guy Barnhart-Magen, The CTO who took part in the development process, talks about the path to a million downloads in less than a week.

Messaging

Fri, 31 Jan 2020 11:24:12 +0200

This is a rather funny example that Amazon sent out by mistake, but if you think about it - it is also a great example for a tempalte focusing on how to write great messaging format.

I am pretty sure this was thoroughly A/B tested :-)

Components

Some banner with your logo
600x200 pixel wide graphic, maybe including your headline buzzowrd
headline summary if this email
3 paragraph, detailing how many words in each sentence - very finely calibrated for user engagement
call to action, with a high contrast focus for the user
various links and legal lingo
footer to cleanly seprate the body of the messaging from the page itself

Can’t wait to try this myself…

Which security conferences do you recommend?

Fri, 31 Jan 2020 11:24:12 +0200

Every once in a while i am asked which security conference I recommend to attend, so I thought I would try to create a little guide that can help guide your decisions. I am somewhat biased, but feel free to take the principals here and rework the results based on your own data.

Ranking

You can find a lot of information in the online google spread sheet maintained by Inbar Raz

These ranking are based on my own personal experience, and the ranking is hugely biased toward my prefrences.

DC9723: Crypto Fails – from basics to advanced stuff

Thu, 30 Jan 2020 13:09:37 +0200

It was a lot of fun to return to DC9723 again as a speaker. I think i fulfilled my goal - to reach the younger, less experienced audience - at least if you measure the amount of questions i recieved

crypto talks

5 Years in Cyber

Sun, 26 Jan 2020 12:59:06 +0200

I had the oppurtunity to give a talk and participate in the panel at the recent HFN event hosting a delegation from Denemark, it was my pleasure to discuss the threats is see in the next 5 years for our field.

Lessons Learned from the NotPetya Cyber-Attack

Mon, 10 Jun 2019 00:00:00 +0000

My Personal Take on the Maersk Case Study

Some images of Mr. Banks presentation were recently shared by Alon Refali from CyberTogether. I didn’t get to see the actual presentation, and I am not sure that a video will follow - so I took the liberty of writing down the slides so I could better comment on them.

The threat landscape has changed fundamentally

the risk of us being caught up in Nation State activity is real

these sort of cyber weapons are orders of magnitude more damaging than traditional malware

Prevention is unlikely to be an effective strategy, automated detection and response is key Online back up (standard) is no longer a safe approach Patching is necessary but insufficient Privileged access management takes on an even higher importance

Singapore 2019

Wed, 10 Apr 2019 00:00:00 +0000

Travel to Singapore was more fun than just giving a talk…

SW Architecture 2017

Thu, 16 Nov 2017 00:00:00 +0000

My impressions from the ILTAM SW Architecture 2017 conference day

Value Added Presentations

Fri, 03 Nov 2017 00:00:00 +0000

My notes from a session on “Value Added Presentations”

DC9723 October Meeting

Tue, 24 Oct 2017 00:00:00 +0000

My impressions from the DC9723 October 2017 meeting where I gave a talk on the 2015 Ukraine Power Grid Attack

AppSecIL 2017 (OWASP IL)

Thu, 19 Oct 2017 00:00:00 +0000

My Impressions

This is my first time speaking at OWASP and I found the experience exhiliirating :-)

The venue was familiar from recent years (this was not the first time I attended OWASPs conference in Israel) but this year everything seemed to be much better organized.

I volunteered at the “CV Review” workshop to assist people in reviewing and improving their CVs from my experience as a hiring manager, and I also gave talk - which unfortunately was the last talk of the day.

BIU Hackathon

Mon, 29 May 2017 00:00:00 +0000

I was asked to mentor at the BIU Cyber/Crypto Hackathon, these are some of my insights…

BlueHatIL 2017

Tue, 31 Jan 2017 00:00:00 +0000

UPDATE: I just learned today that Microsoft shared some of the decks and videos from BlueHat IL. They can be found here

Microsoft Israel has successfully launched the BlueHat IL conference in Israel for the first time. Unexpectedly, this conference was not focused on marketing or pushing their agenda but rather on security related topics from excellent speakers.

I attended the first day, and I am kind of sorry I missed the second day. Following are the talks I saw with some slides I took during the talks.

33C3 (CCC)

Sun, 01 Jan 2017 00:00:00 +0000

Personal Experience

This is the 5th year that I’ve attended the CCC’s major event. I spent 4 days at the 33rd CCC conference in Hamburg (Germany), where a somewhat over 60,000 people attended this year, Other than an opportunity to catch up with old friends, and learn what’s new in the hacking scene - there were awesome talks (just like any year).

I thought to dedicate this blog post to the best talks I saw, obviously this is very subjective (and suffers from a selection bias).

8200 EISP - Meet the Investors

Tue, 22 Nov 2016 00:00:00 +0000

Yesterday I attended a “Meet the investors” meetup in Tel-Aviv. The meeting was held at a bar (which was nice). The meetup followed a non-conventional format, where the investors gave a short introduction about themselves and the answered some warm-up questions from Facebook and then opened the floor to questions from the crowd.

I wanted to share my impressions and thoughts about their viewpoints and how that differed from the crowd’s expectations.

Docker in Production: A History of Failure (retort)

Sun, 20 Nov 2016 00:00:00 +0000

In a recent post (Docker in Production: A History of Failure ) I shared my thoughts about using Docker in production, based mainly on a widely spread blog post by the HFT guy.

His post really brought up a storm of responses, where i think the best captured one is the following post.

TL;DR: Docker can be used in production, if you take precautions and keep on top of tooling.

I think this the main issue of the two approaches - would you prefer to be “cutting edge” and have the most recent tooling (with all of their disadvantages) in your production? or would you prefer to have the most stable production environment around?

AllDayDevOps 2016

Sat, 19 Nov 2016 00:00:00 +0000

I “attended” the online AllDayDevOps conference today. This was a new experience for me as the entire conference was given remotely. This was interesting both from a logistical point of view as well as an academic one. The conference itself was massive (over 12,000 attendees) sharing three simultaneous tracks through live youtube streaming.

The track which i followed was security related (unsurprisingly). There were interesting conversations on slack as well as the chat feature of youtube, which helped keep people interested and focused on the conference itself.

Docker in Production: A History of Failure

Sat, 05 Nov 2016 00:00:00 +0000

I recently encountered a blog post about the troubles of usage of docker in a production environment. I have done some study into the meaning of using docker in a production environment and while it is very easy to get lost in the hype, glamour and overall excitement, the bottom line is that this post resonated well with me and my recent forays into the world of containers. I think the TL;DR of his blog post is:

Story Telling With Data

Mon, 24 Oct 2016 00:00:00 +0000

I have recently read a great book by Cole Nussbaumer Knaflic, named (amazon). what i liked most about this book is the scientific approach towards structuring visual data, if it’s for presentations, marketing, UI or anything else. i learned a lot from this book and reccomend to follow her blog.

Cybersecurity for Smart Buildings Podcast

Wed, 21 Sep 2016 00:00:00 +0000

I’ve been interviewed for the PSDCast podcast today by Alix Paultre of Power System Design.

Today, billions of smart devices interconnected through the Internet of Things (IoT). Smart buildings are facing significant threats that are exacerbated by two major factors: Firstly, the intricacy and interconnectedness of critical functions in smart buildings can possibly create a disastrous “domino effect” if attacked. Secondly, these risks are still not receiving enough attention or funding since they fall outside the scope of traditional IT.

Keeping Informed

Sun, 11 Sep 2016 00:00:00 +0000

I wanted to outline a list of the different channels I use everyday to keep informed (some of these blogs are in hebrew). I use the old reader to keep track of my RSS feeds.

Security and Cryptography

Cryptography And Coding Information - Thank you for Ava for pointing this out!
ICS-CERT Monitor RSS Feed
Corelan Team
ImperialViolet
Blog: Ivan Ristić
Google Online Security Blog
TaoSecurity
Roee-geist
I Am Security
Krebs on Security
fail0verflow’s blog excerpts feed
Naked Security - Sophos
Filippo.io
The Hacker News * [ THN ]
Schneier on Security
WhiteHat Security Blog
Roger Halbheer on Security
I hack, therefore I am
Securelist / All Updates
Cybergibbons Limited
ritter.vg
cr.yp.to blog
A Few Thoughts on Cryptographic Engineering

Management

Science

Software

The rest…

Keeping your Head Above the Waves

Sat, 10 Sep 2016 00:00:00 +0000

A colleague asked me today how do I manage to keep my head straight with all the different distraction and open issues I handle simultaneously on a daily basis. Although I have given this much thought over the years, when the question came up today I found a nice metaphor to explain this.

When personal computers just came out (DOS era…) most of them operated with a single “task” running in the CPU. You could be running the OS or a game, but not at the same time. This wasn’t very efficient as a lot of time was wasted waiting for user input, or hardware changes, etc.

Security Problems of an Eleven Year Old

Tue, 06 Sep 2016 00:00:00 +0000

I encountered a youtube video of a smart 11 year old by the name of Jake Sethi Reiner, that explains in very simple terms the methodical way a security researcher should think. Don’t be fooled by his age, i have spent time trying to teach people this exact way of thinking:

Identify the problem
Gather evidence
Hypothesize and analyze solutions
Carry out experiments, analyze the results

The problem he encounters at his home are no different than those encountered by professional security researchers - and his solutions are the exact steps one should follow through (learning to overcome different issues and concepts along the way).

Why The IoT Is Potentially The Most Dangerous Thing In The World

Thu, 14 Jul 2016 00:00:00 +0000

The Internet of Things (IoT) is an intersection of trends that brings motivation, innovation, money and opportunity together into one massive tool. However, in the race to build more and more IoT devices and units, security is often an oversight. While this phenomenon is often spoke of in security circles, most users just assume that the security is built-in and have no idea the vulnerabilities that they are exposing their organizations or homes to.

NIST: Agencies must prepare to get hacked

Mon, 20 Jun 2016 00:00:00 +0000

In a recent interview to FedScoop I was asked to comment my opinions on the recent NIST SP-800-184 draft publication, which is focused on Guide for Cyber security Event Recovery.

After reading the publication, and acknowledging its importance, i think we are still left with several issues. The IT industry at large has seen an evolutionary process where a lot of attacks had mitigation in place, in what is already a best practice. however, in the OT domain this process did not take place.

IoT security concerns plague executives

Thu, 02 Jun 2016 00:00:00 +0000

In a recent article in Smart Grid News I was asked to comment in the security concerns that executive face when dealing with IoT concerns.

I recommended that executive start with setting up a team of security specialists and incorporate best practices within the IoT product development process. While these measures are in no way simple, they offer a starting point to enhance an organization security posture.

Mon, 01 Jan 0001 00:00:00 +0000

Thoughts

offer some training oppurtunities
followup with Hemed and Mickey
attack crypto frameworks

Notes

DPAPI

@paulacqure
personal story
limited set of crypto to use, probably one of these
animated walkthrough of concepts
use of 3DES in chrome password store, password length?

whoami /priv

Andrea Pierini
@decoder_it

AWS Workshop

@Rzepsky
pawel.rezpa@security.pl
public access through ACL - should be deprectaed soon
encrypt your snapshots
lazys3 enumarate possible s3 bucket names