Category: 2600


This past weekend, I helped out with the special event station N2H at The Next HOPE. We worked everything from 2 to 20 meters, including FM, SSB, CW, PSK and RTTY. It was pretty cool doing digital modes for the first time. Here are some pictures of us setting up the antennas on the roof, as well as operating during the conference.

Risk Analysis for Dummies

Here are the slides from my talk at The Next HOPE about how to conduct a risk analysis. I’ll follow this up with the audio and video once they’re available.

Presentation slides:
Risk Analysis for Dummies (PPTX)

View the PowerPoint online


Risk Analysis for Dummies (MP3 Audio)


Risk Analysis for Dummies (MKV Video)

Video on Vimeo


For more information on how to conduct a risk analysis and other resources on the field, visit the following websites:

SARMA: Security Analysis and Risk Management Association
Professor McGill’s blog (he taught me everything I know)

I HIGHLY recommend the following books on the subject:

Peter Bernstein: Against the Gods
Nassim Taleb: The Black Swan

On the schedule for The Next HOPE!

After speaking at The Last H.O.P.E. in 2008, I wanted to come up with another talk I could give on a topic that would interest the 2600 community. After racking my brain for some cool thing I had done that would interest them, I finally figured out what skill I possessed that I could pass on to these computer security enthusiasts, network administrators, IT professionals and people interested in security in general.

From The Full List of Talks:

Risk Analysis for Dummies

Nick Leghorn

We all get that “gut feeling” about what is risky, but how do we communicate that to managers or other people in a meaningful way? And how can we determine what risks are worse than others in a justifiable manner? How do you even define “risk?” In this talk, you’ll learn about the most up to date methods of identifying risk, evaluating risk, and communicating risk to others, as well as some models used by the U.S. government and others to identify attack targets, evaluate building security, diagram attacks, and more. And no math problems harder than simple addition, guaranteed.

Friday 2100 Bell

The synopsis doesn’t really capture what I hope this talk will be. It’s intended for IT professionals and aspiring penetration testers who want to understand how to take their experience and their intuition regarding what risks and vulnerabilities are in their network and relate it in a quantifiable manner to managers and clients, who may not believe in their expertise or may not want to have to justify that new security staff and all those expensive security appliances. I plan to cover:

  • Probability
  • The equation for risk
  • How to scope a problem
  • How to show results of an analysis
  • Types of scales and how to use them
  • Factor based models and their use
  • The six questions of risk analysis and management

Here’s the list of other talks for Friday.

If anyone has any suggestions for topics to cover, drop me a comment.