
“Oklahoma Has Passed A Bill That Requires Women To Get Written Permission From A Man To Get An Abortion” read the headline.

As reported in various news media last week, The House Public Health Committee voted 5-2 in favor of a bill by Rep. Justin Humphrey that would require women to get written permission from the father of the child before a pregnancy could be terminated, despite objections from opponents that the measure is patently unconstitutional.

In reaction to this, on Twitter I remarked

Everyone who claims to fear “Sharia law” in the US but who supports this is an asinine hypocritical bastard.

The comment got some likes and RTs, and resulted in some conversation with like-minded associates.  But one fellow, Ian Hayes, took a more measured approach and wanted to tease out some of the subtlety of the matter.  He asked

Not a fan of anti-abortion law, but prior to this what voice did the father have in whether to abort or not?

When others explained that prior to this, no one else was ever required for consultation on such matters, he then followed up asking

So a more accurate version of this pearl-clutchy headline would change “a man” to “the father”, yes?

I will grant that the article’s wording in the headline could be construed as slightly sensationalist.  (I do not believe that Ian’s attempt to point this out was in the service of any views he might hold that put him greatly at odds with women’s rights supporters.  I’ll let him speak for himself, but by all initial appearances, Ian is one who appreciates measured discussion and wanted to unpack an idea, even on a fiery topic.)  However, even if the headline was worded to be attention-grabbing, I thought that there was an important point to make here about whose place it is to have a say in these matters.  I responded

Most of us on this side of the debate do not make a distinction. Actually, going to write a quick blog post.

So here we are.  🙂


Allow me to open up with a rather unequivocal and direct statement summarizing my personal views on the matter, as far as the law is concerned:

I believe that in matters of reproductive health, as with all other matters pertaining to women’s health, the only party with whom ultimate authority should rest for all decisions is the woman herself.  In consult with her doctor(s) preferably (to which I hope she has adequate, affordable access) and with informed input from other close associates and sources of factual medical advice… but, ultimately, it is my belief that anyone’s personal life decisions should be theirs and theirs alone under the law.  Others with a vested stake or strong connection to her life may have a voice (in healthy interpersonal relationships, considering the feelings and thoughts and advice of others close to you is certainly not a bad thing) but that voice shouldn’t carry any legally-binding weight.  I believe that each one of us — and this goes for people of any gender, not just women — is the ultimate and final authority over what happens to our bodies.

Let’s examine a quote that has circulated quite a bit in the coverage of this law…

And you know when you enter into a relationship you’re going to be that host and so, you know … take all precautions and don’t get pregnant. … After you’re irresponsible then don’t claim, “well, I can just go and do this with another body,” when you’re the host and you invited that in.

This statement comes from Oklahoma State Rep. Justin Humphrey (who few folk will be surprised to learn was a career corrections officer before this, served as head of the FoP, is a drug prohibition crusader, and wears a bolo tie and ten-gallon hat when conducting business at the State Capitol) and it’s as repugnant on its face as your initial gut reaction tells you it is.  Women are not “hosts” and it’s infantilizing to finger-wag and scold them with language laden with terms like “irresponsible” etc etc.  However, even if we were to afford SR Humphrey a measure of charity to which he is barely entitled here and sanitize his language to something more professional and less blundering, I would still claim that this quote exposes a strong double-standard tilted squarely against women…

You know when you enter into an intimate relationship that the possibility exists that you may become pregnant… Whether by not practicing safer sex or by failure of birth control, let’s say you get pregnant… I don’t feel you can then just claim, “I want to make my own reproductive choices now [without consulting anyone else, such as the biological father],” when you’re the one who knew this was a possibility at the onset.

Again, for the more low-IQ readers out there or those who are determined to twist the words of other people, let me state that the above is nowhere close to my own views on the matter.  (See well above where I outlined those, and they haven’t changed in the past few paragraphs.)  I am merely adding a more professional polish to the original turd that was Humphrey’s argument.

Let’s take that argument, however, and flip it around.  SR Humphrey wants men to be consulted before any reproductive health care measures can be selected by pregnant women.  He views the matter as not entirely under the women’s field of authority because “they should have known that this might happen” when they first entered the relationship (or whatever form the sexual encounter was).

Pray tell me, then, Mr. Representative, how you would feel about men who knock people up and then demand standing in the subsequent decision-making process being lectured as follows…

You knew when you chose to engage in sex that there was a possibility of one of your little swimmers finding an egg at the end of the day. … Whether or not you were trying to make a baby, it sometimes will happen… I don’t feel you can then just claim, “I want a child!” (or, conversely, “I don’t want to be a father!”) and expect the partner whom you impregnated to go along with that decision.  You knew this was a possibility at the onset and still you chose to shoot between wind and water before you had known what the decisions of your partner might be should a pregnancy arise.

Ultimately, I think this argument makes far greater sense.  At least to me.  It is the man who is intruding into someone else’s life and space and field of existence, both in matters of intercourse as well as (more particularly) in matters of pregnancy.  And while pregnancies can take couples by surprise, the mechanism by which fetuses develop and are born is not a mystery.  Whether or not you were planning on a pregnancy, it’s no shock who is going to bear said pregnancy.  With that bit of information already well-established before anyone orders their third bourbon or exchanges hotel room keys, it should come as no surprise (in my view) that any unforeseen baby is going to be on the lady’s turf.

It is the fellow who must accept the fact that he chose to get involved in someone else’s body.  Flipping Humphrey’s words around, I claim that no man can come around later and say, “Wait, wait, wait, this isn’t what I signed up for!”  No, it’s exactly what you signed up for:  to engage in some activities that would have uncertain outcomes for which you may or may not have to bear indeterminate future responsibility depending upon a set of decisions that are going to be made by someone wholly other than yourself.  If ceding all this authority to a woman sounds too risky for you, then for fuck’s sake keep your meat log out of the honey jar.


I have had a lot of sex in my life.  Much of it has been relatively safe sex.  And some of it has not been.  However, in all instances, I went in with eyes open (OK, sometimes slightly blearily open) to the following absolute truths…

  1. The person I was with knew I didn’t want to get them pregnant
  2. The person I was with knew that she did not want to get pregnant
  3. Should something unforeseen occur, we had already discussed that we had no intention of seeing a pregnancy come to term
  4. Ultimately, if we had to cross that bridge, despite having talked about it beforehand, the ultimate authority would rest with her

… that’s my personal definition of responsible sexual practices.

In my ideal world, no sexual decision is one-sided (unless you’re talking about sex with yourself, which is the safest of all.)  In my ideal world, both (or “all” depending on circumstance) individuals directly involved would know each others’ intentions well in advance of any deeply intimate encounters and would not have resorted to any deception or ruse in an effort to advance the course of intimacy.  In my ideal world, unforeseen pregnancies may be momentarily distressing but their outcomes shouldn’t come as a shock to the parties involved because they would have already been discussed and an understanding shared long before they arose.  And, yes, in my ideal world, despite often having a voice in the process, men would have absolutely zero authority over reproductive health decisions.

That goes for the men in the bedroom and the men in the statehouse.

There are a number of wonderful guides for getting the most out of attending the RSA security conference.  SpaceRogue and Violet Blue have written two that come to mind.  Here’s my take on the event thus far…


1. In keeping with all of my previous tradition, I am religiously avoiding the Moscone Center with all of my might.  I haven’t been within 4 blocks of it this year.  That’s nothing in comparison to previous years, where I would travel to other cities or even other countries so as to celebrate being as far from the RSA conference as possible.  I’m not doing quite as well this year, having flown into San Francisco for BSides, but I’m still earning my gold star and free pencil.


2. I started my morning walking around town, checking out the quaint trolleys and enjoying the city.  I don’t think I could ever live here (or anywhere in California, your nutty politics are a bridge too far) but it’s wonderful to have an excuse to visit.


3. I basked in the lovely weather.  I sat in a city park and got stoned.  Then I bought far too many hot dogs from a local vendor.  Even while elevated, I managed to remain as low-carb as possible… enjoying only one of these bread-borne encased meat logs.  The rest went to local transients who always have the best stories and are interesting conversationalists.


4. I wandered back to the hotel, then prepared some steaks for in-room sous vide cooking.  With the meat and veg coming to temperature in the hot pot, I soaked in the hot tub.


5. The steaks and the such are close to ready.  While the rest of you are up to your eyeballs in bright colors, badly-suited hairdos fluent in douche-speak, and Cyber Cyber Cyber, I’m in a heavenly bed staying still enough to not tip over my wine glass while watching a downloaded episode of Murder She Wrote.


I think I’ve got this whole RSA thing on fucking lock.


I’ll see all of you over drinks and such in the evenings.  Friends and camaraderie… that’s what this event (or any big-dollar con, frankly) should be about.  If you can master that part, you’ll do just fine.



I was invited some time ago to dine at a “churrascaria” by an associate.  I put the term in quotes because it is often mis-applied, or at the very least misunderstood.  So let me begin with a clarification for those who have heard two related, but distinct, restaurant terms muddled in the past…

Churrascaria – a “churrasqueira” is a style of BBQ grill used in the preparation of food (typically meats and other proteins) in South America… particularly in southern Brazil, which has a vibrant and venerable ranching culture.  A churrascaria is an eatery that caters to serving this style of meat.  In high-tone establishments of this nature, such as Fogo de Chão, the service is often performed by wait staff who dress in an homage to the “gaucho” rancher folk of southern Brazil.  That service, in and of itself however, is not requisite for an eatery to be a churrascaria.  See below…

Rodízio – when “gaucho” waiters proceed about an establishment offering meat (typically presented and served by means of swords) this is “rodízio” style dining.  Typically offered in an all-you-can-eat fashion (many rodízio establishments utilize small cards with red and green opposing sides so that diners can indicate if they are ready for an additional helping) this is often what most consumers are thinking about when someone suggests dining at a “churrascaria.”

So, in a nutshell… churrascaria is a style of food preparation, rodízio is a style of food service.

And, of course, some establishments (particularly outside of South America) are often both.  In the United States in particular, it’s sometimes difficult to find a “Brazilian grill” (a.k.a. churrascaria) that is not a sit-down affair serviced by gauchos.  It is possible, however.  For a more economical evening, many patrons like to enjoy churrascaria food prepared and offered up cafeteria-style.  The Picanha Brazilian Grill in Philadelphia is such an establishment… where patrons order and are served at a walk-up counter and they pay by the pound.  (An article by a food reviewer still managed to confuse the terms there, with the author referencing the smell of “rodízio” meat being prepared on skewers.  If said meat were not merely cooked on but were also served on those same skewers, table-side, then that would be a rodízio.  But that’s not the case at the Picanha Grill in the northeast region of the City of Brotherly Love.)

Fogo de Chão is both.  They cook Brazilian BBQ-grilled meats over a traditional field setup as would have been common in the pastures down south (“fogo de chão” literally means “fire on the floor”) … making them a churrascaria.  And then they serve this food by means of gaucho-style waiters who zip about offering said meat via the very same swords … making them also a rodízio establishment.

Fogo is not the only place out there that serves churrascaria meat in rodízio style.  But, I submit, they happen to be the best.  Thus we return to the above anecdote… wherein I was invited to a “churrascaria” by an associate.  I presumed (since we were in a big city) that it might have been Fogo de Chão, but I didn’t get my hopes 100% up.  I was right to be cautious.  We were slated to dine at Chima.

Chima is a fine enough place, but it is also an exemplar of the very typical problem in the restaurant world wherein establishments attempting to compete with Fogo de Chão miss the mark, often badly.  Pretenders to the crown, as it were, make the incorrect assumption that all Fogo patrons are seeking is South American meat served on swords.  After all, isn’t that what I was going on and on about above?  Well, yes and no.

Fogo de Chão is a churrascaria.  Fogo de Chão brings the food around rodízio-style.  But, and here’s the real kicker, Fogo de Chão is also a high-tone establishment with super stellar service.  You literally get a 4 or higher Zagat-rated experience across the board.  It is fine dining, not just a gimmick.

Allow me to relate some notes about our experience at Chima…

  • We were not handed enough menus when they first sat us.  Not like many folk are ordering odd one-off items at a rodízio, but come on… you know how many of us are present when you prepare to walk us to the table.
  • The servers were constantly interrupting us.  They would approach, see us in conversation, and immediately ask a question or prompt us for something.  If you’re a waiter at a fine-dining establishment, let me clue you in:  If you approach a table and no patrons look up at you, wait silently for a few seconds for them to stop talking.  Even if the conversation doesn’t cease, often the person nearest to you will lean aside to see what you need.  If no one acknowledges you after 5 to 10 seconds… walk away silently and return in a minute or two.  It’s not hard.
  • Almost every dish or side or salad choice was presented with an overly-complicated discussion that no one could possibly follow.  If an establishment can’t convey what a dish or option is in one or two sentences, it doesn’t belong on a menu.
  • We actually didn’t opt for all-you-can-eat service.  It was lunch so we each ordered a basic dish.  Our proteins were, we found out later, still going to be served on swords.  A nice touch, but… after we had finished our salads, a pseudo-gaucho waiter brought one person’s entree meat (on a sword) and discovered there was nowhere to plate it.  No clean dish was on the table.  The waiter stood there frozen for a while (I can only hope he didn’t expect one of us to go back to the salad bar to get a clean plate) until something like a minute later he wandered off and found someone who could bring a plate.
  • The table and chairs were wobbly.  If you think a restaurant manager at a high-tone place doesn’t know exactly how comfortable the seating is, you’re mad.  No care was taken here.
  • There was a large “screen” in the middle of the restaurant, projecting various video clips.  I am aghast that anyone felt that a bit of decor suited to a sports bar belonged in a sit-down white-tablecloth eatery.
  • Waiters were constantly plating and clearing dishes from the wrong side of patrons.  No rhyme or reason.
  • One server tried to clear my friend’s espresso mug when he had left the table.  The server looked at me quizzically when I stopped him, asking, “oh, are you not done with that?”  I think he didn’t even understand the coffee wasn’t mine.
  • Ordering additional coffee was an ordeal, with repeated requests necessary to convey that someone who already had enjoyed a coffee would somehow still want an additional coffee.
  • In the end, because of various expense accounts across the whole assembled group, we asked to split the bill.  Now, some very high-tone places do not like this… but here at Chima it was an ordeal just to explain to the waitstaff what we wanted to do.

In the end, everyone’s food was decent.  We enjoyed one another’s company.  But it surely solidified in my mind that Fogo de Chão is in a league of their own when it comes to high-tone churrascaria food served in rodízio style.

Eat well, my friends.  🙂

A recent Twitter spree with noise, Heidi, and many others (most prominently, Rob Jorgensen, Shawnfish, and Jack Gavigan) has me wanting to share a few thoughts (and lots of photos) about preparation of delicious food.  Specifically, steak.

Now, Jack has already made this fine, famous video available and it covers some of the basics perfectly well.  In short: if you get a proper-quality meat, it doesn’t need much (if any) adulteration.  The first rule of cooking any fine food (especially good fish or good meat) is “do no harm” and that predominantly comes down to…

  • don’t over-season
  • don’t over-fire


For this reason, many of us in the above list now opt to sous-vide our steaks (and other protein) since it’s much harder (some would say, near-impossible… unless you’re a colossal assbutt) to over-cook and thus ruin great meat if you’re using a water immersion bath.  If you are not familiar with sous-vide cooking, this video conveys the key details pretty quickly.

Essentially, in conventional cooking, food is exposed to much higher temperatures (externally) than one needs.  In order to get a steak to 125°F internally, it’s over a fiery grill or on a hot stove at anywhere from 300° to 600° … if you don’t time things just right, you’re facing tragically over-cooked meat.  In sous-vide cooking, food is immersed in precision-heated water so that it reaches a target temperature without going over.  The food is placed in a sealed bag so that it’s not in direct contact with the water bath.  This allows the food to retain all its natural juices, vitamins, and flavors.  (Sous-vide prepared foods such as steak are finished in a hot pan for searing and generating a proper Maillard reaction, maximizing flavor.)

Once only the domain of restaurants and high-class chefs (mostly due to the size and cost of immersion circulators) now home users can select from a number of very affordable and very easy-to-use sous-vide cookers.  Top among them are:


In addition to a sous-vide cooker, one wants a quality pan in which to finish (or, as you will see in a bit, sometimes prep) the meat in question.  While you can use almost any conventional large pan, it’s damn hard to beat cast iron.  Why?  This blog post summarizes it well…

Cast iron has a higher heat capacity than copper, so it takes more energy to heat a pound of cast iron to a given temperature than a pound of copper. More energy is stored in each pound of the cast iron. Aluminum has a higher heat capacity than iron (it stores more heat per pound) but is much less dense than iron. For a given volume, therefore, cast iron stores more heat than aluminum.

Because cast iron pans typically weigh much more and are thicker than the same size pan in another material, they tend to store more energy when heated. … A cast iron pan usually contains more thermal energy than other pans at the same temperature — a significant cooking advantage. Cast iron has unparalleled searing power because it has a lot of available thermal energy. …

Cast iron is slow to heat up, so it’s also slow to cool down. It is a good regulator. It retains its temperature longer than other materials and won’t produce temperature spikes.

So yeah… cast iron is hard as nails, has great volumetric heat capacity, and has utterly astonishing thermal emissivity (stainless steel has an emissivity of around .07 while cast iron has an emissivity rating of something like .65) making it perfect for searing your meat.  One of the best (and most venerable) brands of cast iron is Lodge.  This terrific firm, located in South Pittsburg, Tennessee, has been making cast iron for over a century and they are still the top name in the field, in my opinion.

Both sous-vide cookers and cast iron pans can be bought on Amazon for as competitive a price as you’re likely to find anywhere.


A Handy Chart

Keep this in your kitchen, it will serve you well.

Meat Cooking Temps

On to the photos and stories! …



This was the scene of my very first sous-vide cooking of a steak.


As you can see in the above chart, a medium-rare steak should be 135°F inside.  I wanted to try things more on the rare side, so I opted for 127° on the Anova.  At the time I did not have a vacuum sealer, so heavy ziplock bags with the air drawn out (cocktail straw in the bag, lung power to vacuum it, heh) is what I used to contain things in the pot.


The Lodge cast iron was hot and I was using beef tallow from Fatworks.  A nice sear was had, but see here…


… I left the meat in the pan for just a little too long on one side and cooking action took place beneath the surface.  Remember, you are not cooking your meat in the pan at the end.  You’ve already cooked the meat, in the sous-vide pot.  All you need is a good sear.  30 seconds, tops, on each side in the hot pan should do it.


I still loved my dinner, as it was.  No sides, no veggies, no other courses.  Just steak and wine.  A fine first go.

Story Number Two


Not many photos of the process here, just the results.  A much more satisfying endeavor!  (And even some greenery on the plate, too!)


The next day, I thin-sliced the remaining steak and warmed it in the pan (with extra sear all around) and added it to breakfast…


“steak and eggs and eggs and steak… that’s what you should eat for breakfast!”



Third Story… My Finest Hour?


I started with a three-pound slab of bone-in ribeye.  This was about 2″ thick.  Aw, yeah.


I got it home to my girlfriend’s place, and prepared her cast iron.  Why heat the pan at this time?  Well, I was trying something that my buddy Babak encouraged: a double sear.  Instead of simply hitting the meat to the cast iron after the cooking process, he told me that sometimes he will start the whole process with a sear against the cold meat.  Then, after an initial Maillard reaction has taken place, the sous-vide bag and water bath can begin!


As you can see, the meat within that immersion cooker is already browned around the edges.  I’ve also dialed down the heat bath to 126°F.


After about 2½ hours, the meat was done.  With the fat gelled and tender, we were ready for the finishing sear.  I sprinkled seasoning salt and black pepper on both sides of the meat as I heated the pan.


The pan was hot as hell and had a fine bottom layer of macadamia nut oil.  Just about any good fat will do, but any oils or fats that have a high smoke point work best simply because they don’t turn your kitchen into as much of a caliginous haze once the iron starts getting very hot.


Compare this to the “before final sear” photo and you’ll see the much increased bark around that outer surface.  That’s one fucking hell of a good sear!


And the inside, oh baby.  Two inches thick and pink 100% through.  The sear reaction was exclusively the outermost edge, all around.  That’s just incredible.


This was, and yet still may be even now, the greatest steak I have ever cooked in my life.  It was shared with the family and I had my first beer in months to pair with it.



Fourth Story – A full, ideal meal


I started right away with a hot pan.  Double-sear was the name of the game, yet again.  This time I opted for both macadamia nut oil and some bacon renderings from breakfast for a touch of different flavor.


20-ish seconds per side on a bone-in ribeye that was still cool from the butcher’s case was giving it a nice brown outer surface.


Into the water bath at 125°F with the browned edges all showing.


Side dish #1 for the meal was steakhouse mushrooms.  Sliced cremini mushrooms went into a saucepan containing Kerrygold butter, olive oil, a thwack of bacon fat, balsamic vinegar, Worcestershire sauce, black pepper, and seasoned salt.  They were left to saute for a while as I prepared…


Side dish #2, asparagus.  I chop off the bottom inch or two from the stalks to make things extra tender upon cooking.  They will be done in a skillet with olive oil, salt, and pepper.


With the immersion circulator going and the sides coming up to temperature, I opted to open some wine.  😉


The mushrooms were starting to give up their water, and more heat was applied with frequent stirring.


The asparagus was looking great and also (because I use a little more heat than maybe I need to) my tongs were employed liberally to stir and re-arrange them for even heating.


Nearly two hours in, and that steak was seeming pretty done.  (It wasn’t nearly as thick as the huge cut in the previous story above.)


The steak came out of the sous-vide bag and got a rub of salt and pepper while I got the cast iron ready.


Macadamia nut oil up to smoking temperature…


…slab of beef in the pan, 30 seconds per side and all edges.  See that smoke, smell that flavor!


A magnificent finish and plating.  Perhaps the second sear was a little too long, or the pan not quite hot enough, since that final cooking process seemed to penetrate a little more deeply than one might require… but only slightly.  The fat was still soft and gelled and the bulk of the meat was perfectly pink.


I put on an old noir film as I ate and drank my wine.


I finished off the meal with a bit of fine dark chocolate.  😉


Perhaps the best part of an evening like that?  Getting all the dishes totally done, going to bed with a full belly, sleeping like the dead… and then upon waking the next morning, returning to the kitchen at breakfast time and having it still smell like deliciousness.  The smoke was almost still hanging in the air.  😀

This one is for my pal Edison, who sold me a terrific new receiver when I moved (at the old house I owned the speakers but my buddy owned the actual head end) and much to my dismay I learned that the antique furniture piece I had planned to use as the enclosure was just a hair too narrow…


Now that might look totally unfeasible, but as it turns out — upon closer inspection — we’re really talking about less than a quarter inch of difficulty.  Lining up one edge exactly and then inspecting the other confirms this…



Edison informed me that it was only out of sheer dumb luck that my old roommate’s receiver had fit in here.  Almost all modern units conform to a uniform size standard and I was going to be pretty screwed, no matter what model I selected.  I debated removing the face plate and trimming it down a bit, then hit on a better solution… it was time for me to break out the belt sander!



It might look ugly in the moment there, but actually once the job was done, very little of that additional craftsmanship is visible once the receiver is in place…




I have to say, overall I’m pretty pleased with how this all turned out.  One day I’ll probably get around to rubbing a bit of wood stain inside where I sanded down the inner side panel, but for now I’m just super happy that the old, wooden end table (which I found moldering in the corner of a used furniture shop back in Philly and then brought back from the dead) gets to still be with me in my living room.

Thanks for the great unit, Edison.  Got it all hooked up and I’ll be dialing in the speakers with the setup microphone this weekend, once I get a cable for the sub.


On twitter recently, a conversation arose between myself and some other lockpickers and locksmiths regarding everyone’s favorite pick tools for everyday carry, typical entry, etc.  I promised folk that I would document my personal gear, and no disrespect to Team #RockAdvocacy, the following are the lock tools that tend to be on or near my person all of the time…


My Main Pick Kit

This is what most folk would expect me to show if I were asked to take out my “pick kit”… it is a case made in the style of the HPC “Superior” kit, but the leather is far softer and I like that the inside is left as a natural suede.  It was obtained from my friend Ed, a locksmith in New Jersey… and hand crafted by a friend of his.  It’s been with me many years.


Unzipping it and looking inside, we find…



… an assortment of various things, certainly not all of which are picks and turning tools.  But every last item in this case has been useful enough to me (more or less) over the years that I keep it in this form pretty much all of the time now.  Let’s take a closer look and I’ll list what’s in there…


… going more or less in rows from the upper-left on down, my zippered leather case contains:

  • a Mini-Jim is at the top left, because why pick a lock if you can bypass a latch?
  • lying on the open case is a key decoder card, similar to these from Pro-Lok.  Useful while impressioning or just when you want to re-pin a lock or quickly learn key bittings
  • the red-tipped item is a chopped-down Grobet Swiss #2 half-round file, for impressioning and other small work (like making a bump key or adjusting small parts or bitting cuts.  I use it a lot actually)
  • LAB brand small-size pinning tweezers.  These were a gift from Clay, the owner of Lockmasters and S&G, when he couldn’t bear to keep watching me re-pin locks by hand with nothing but a half-diamond and my slotted wooden dowel follower.  I insist that I was doing just fine that way.  😉
  • a Peterson American Lock bypass driver is seen, with blue tape covering the spot where the plastic dipped handle has chipped away over the years.
  • the next row begins with a two-pronged Wishbone style turning tool.  Lots of folk don’t like them, and I seldom need it, but I like having it.  It doesn’t fit well next to the other turning tools, so off on the left wing it lives, next to…
  • my keyring full of wafer jigglers, warded lock tools, and the decoder for my convertible 7-pin/8-pin tubular pick (kept in my other kit, below)
  • a Traveler Hook (a.k.a. Shrum/Loiding tool) is seen with a green finish.  you won’t see that in anyone else’s kit because there are no others exactly like it (in green) but similar ones are available online.
  • starting the next row is a small wooden dowel that I use as a plug follower when servicing locks in a non-serious way.  Solid core and no lip on either end, that makes it perfect for me.  I’ve carved a small notch slot in the wood (with the Grobet file) and that’s all I need most of the time.  One layer of blue painter’s tape made the surface smoother and fits it nice and snug into almost all typical plug housings
  • Bobby pins with the little balls cracked off of their tips are great for demos of improvised handcuff tools (or when you need to un-set a double lock on a handcuff)
  • Most of the time, the handcuff shims right next to those pins are all I need, however.
  • I also keep one of the tools that some outfits call an “EZ Decoder” but I simply refer to as the “Master 175 bypass blade”
  • A thin sliver of metal can be used to rear-shim a lock during disassembly, and next to that is a tiny S&G safe dial spline key… good to have when you really need one!
  • What remains in the kit photo, therefore, are my pick tools… and there aren’t a lot.  One medium-sized hook, a half-diamond, and three rakes (one classic Bogota and two long-handled faux-gota picks) are kept in there along with over a dozen turning tools… and each one is slightly different than all the others.  I find the best fitting turning tool possible in whatever scenario I’m facing and go from there.

Now, there are some times when it’s really useful to have a larger item that can’t fit in this case.  Hence, in my backpack (where this above-kit lives) I also have this auxiliary pouch…


Auxiliary Tool Pouch

This leather-ish velcro-flap case was probably originally for sunglasses or something like that…


… now it contains…

… so that is an assortment of items that are sometimes useful (both for entry work as well as field-servicing tasks) but I can’t fit them (or choose not to attempt to stuff them) into my “main” pick case.  In any event, the above items (both the main pick kit and the auxiliary tools kit) live in my backpack most of the time, and aren’t typically in my coat or in my pants pockets.  However, I will, in all but the most RARE circumstances, always have picks on me.  Let’s move on to…


Pocket Carry Kit

The following item is almost always present in the hip pocket of any pants I’m wearing…


… fashioned from an old leather cigar case, I use this mostly to prevent my everyday-carry flashlight (a Klarus XT2C) from flipping sideways in my pocket and being uncomfortable.  This little leather case allows me to easily manage the flashlight, a small lip balm, and also what we’ve come to call my “golf bag” pick set…


… so-named because of how the beige tube (fashioned simply from gaffer’s tape with a tiny rare earth magnet in the bottom) looks with all the picks and turners sticking out the end.



… honestly, the “golf bag” pocket kit gets far more use from me than my “main” pick kit does.  Why reach into my backpack in order to open a lock when chances are I have all I need in my pocket?  This little kit contains…

  • one faux-gota pick (the only full-size pick in this little case)
  • a double-ended medium hook and snake rake (rarely used)
  • a chopped-down HPC half-diamond
  • a chopped-down thin stainless steel half-diamond
  • a chopped-down HPC medium rake
  • over a dozen turning tools in a wide range of thicknesses and styles (some unbent)

… yeah, 9 times out of 10, when I want to get something open, that little pocket kit is enough for me to do it.  I can always turn to the leather zippered case since my backpack is often around (especially at cons or on jobs) but I usually don’t need that.

On the off chance that I don’t have my “pocket holster” as the above-seen brown leather item is sometimes lovingly called (maybe I’m in a suit at a formal affair, let’s say) I will always have my wallet on me…


Wallet Carry

Underneath my licenses and credit cards and other blah blah in my wallet, there are some other tools that I always keep beneath me when I’m seated.  😉  They tuck in small extra pockets, some of which I’ve stitched into the lining, etc…


… these last-ditch “wallet carried” tools include a TOOOL Emergency Pick card behind my credit cards and the following items slipped below my license…


  • A “Husky Head” tool – once available in the 70’s and 80’s, this awesome little item is sadly discontinued now.  Check eBay or vintage sites for them.  It was a keychain that would work well with large or small screws, both phillips and flat-head.  Is it as perfect as a proper screwdriver?  Of course not.  But it’s flat as flat gets.  And that’s enough to make it worthwhile.
  • A diamond wire blade – never needed to use it, but SERE pick sells a LOT of them for a good reason!
  • titanium Bogota pick (triple hump only)
  • titanium flat metal stock converted to a simple turning tool
  • titanium cuff shim (split pawl style)
  • S&G new style cuff key (which I should really get around to converting to a TOOOL universal key)


… so, there you are!  Those are my various “everyday carry” lock tools.  It’s more than most folk might tote around, but less than you see in a lot of “ultimate” kits that contain way too many items, in my view.

These items, carried in the way I have described, have pretty much always guaranteed that I never complain about wishing I had something but not finding it on me.  Well… every so often, I wish I had a plug spinner.  😉




While having a discussion with a close friend recently, the topic of bug bounties came up.  She asked me what I thought was a reasonable price range.  I learned from discussion with her as well as discussion with others that the physical security world is massively different from the IT world in this sense.

Often in our lectures and trainings, we draw a parallel between the physical and digital realms.  The same principles apply, the same kinds of errors lead to the same risks and the same lessons learned.  However — and there’s really no getting around this — the cost to repair/upgrade/patch physical systems tends to be much, much higher.

For this reason, manufacturers of locks, access controls, and other physical security technologies are much more loath to even discuss (let alone disclose) vulnerabilities with the public.  Likewise, because of the very long persistence that physical bugs tend to have (even when they do become public), this sort of attack vector can be weaponized to much greater effect.

While bug bounties in the software world tend to float around the low four-figures (although occasional high-four-figures and five-figures do happen, and sometimes garner a bit of attention when they do… and six-figure bug bounties have existed very, very rarely) I took the position that just about anyone whom I know in the physical security world would scoff at numbers in the $1,000 to $5,000 range.  Well, perhaps not scoff, but most assuredly we would consider them almost comically low.

In the realm of physical security exploits and the development of tools that leverage such vulns (a development process that often entails far more cost and time than the writing of proof-of-concept code for software bugs) this kind of research often commands five-figures at a minimum.  Such deals also almost always entail NDAs and other very strongly-worded agreements to effectively never publicize said research.  Put plainly, if a physical security researcher finds a flaw in a high security lock, the market for that work tends to be either governments or private firms with deep and often shadowy connections to government operators.  A working tool that can be used to attack a physical security system often commands far more in the private realm than a designer would ever hope to recoup by bringing it to market publicly through retail channels.  Add that to the fact that most designers and vendors in the hardware and physical security space aren’t courting researchers with fiscal rewards, and this leads to a LOT of hardware bugs (lock flaws, access control system hacks, safe manipulation tools, etc) never being revealed to the public at large.

Let us make no mistake, the government and law enforcement are interested in your data, too.  Their eyebrows perk up at the notion of software flaws and privilege escalation within networks or computers… but what really gets a lot of spooks and police salivating is the chance to surreptitiously enter physical realms.  Intelligence gathering, eavesdropping, sneak and peek work, etc… all of this is based greatly around physical access, and that means possessing attack vectors against supposedly high-security lock systems which the public believes to be immune from vulnerabilities.

Unless physical security vendors consider offering genuine bug bounties (something that is far from likely if they aren’t yet even interested in public disclosure of discovered flaws) the only avenues for researchers are going to be:

1. public disclosure simply for the sake of the community and for the fun of speaking at hacking and security conferences

2. private sale to governments who will undoubtedly use this knowledge for purposes of surveillance and covert entry

So, give a cheer for every hacker con which accepts a talk with a physical security angle.  The speaker may have turned down considerable funds in exchange for being able to present to you.  And the topic areas, while sometimes not-the-norm, are far better aired publicly than kept quiet.

NOTE – This post was not supposed to turn into a “let’s pat ourselves on the back here in the phys sec world” diatribe, so forgive me for that.  Still, I’m pleased to be able to report that — as of the time of this writing — The CORE Group has never accepted any offer of keeping research private in exchange for money, access, or favors.  Our works are always either portrayed publicly and/or disclosed to the original vendor so they may endeavor to correct said problems.

While road-tripping down to CarolinaCon, a few of us in the car were seeing the “hugs at hackercons” thread on Twitter.  It generated a bit of good discussion among us, but for the most part we were focused on getting to Raleigh and presenting and socializing and generally having a good time.  Of course, the hacker community’s drama-engine is fast-moving and mere days later, we seem to have moved on to RSA dress codes and the awful antics of BlueCoat.  So, while this blog post is hopelessly outdated now, I’m still offering my thoughts.  😉

Much of the HugGate drama on Twitter seemed to come down to the following arguments (often badly-expressed and hopelessly truncated by Twitter’s 140-character limit)…

“I don’t want to be hugged at conferences”
“So then tell people to not hug you”
“I shouldn’t have to tell others, they should just not hug people”
“Hugs are awesome, you’re just silly if you don’t like them”
“Hugs vs Handshakes is a clear-cut case in most of the world (link to this article)”
“The hacker world isn’t the business world, we’re a family”
“But some people are aspy and don’t like to be touched”
“No one should ever be touched if they don’t want it”
“So no one should hug anyone?”
“That’s not what I said!”
“I’m going to hug you!!”
“I like hugs, that’s fine!”
“So, are we still arguing?”

… and so on and so on.  The crux of these issues was distilled down by many into two camps — pro-hug and anti-hug — but that’s an over-simplification.  A fairer pair of titles would be pro-hug-environment and anti-unwanted-contact and their positions could possibly be summarized thusly…

Pro-Hug-Environment: “We like to surround ourselves with friends and family in the hacker world and we value situations when the context allows for many hugs and close contact.  With much time spent in the cold and impersonal business world, it’s nice for us to create a space where people are much closer.”

Anti-Unwanted-Contact: “That’s great that you love being all friendly, but some folk take it too far… and when I’m at hacker events, I have to fend off unwanted hugs or other contact because of the environment that’s been cultivated.  The onus shouldn’t be on me to prevent what I see as harassment.”


Here’s the thing… both of those camps have elements to their arguments that are quite valid.  No one should ever be subject to touching or direct contact that they find unwelcome.  (Unlike speech, which I feel anyone should be able to express at just about any time, actions — such as direct contact — should never be forced on to another party.)  Alternately, if a group of people seeks to create an environment where they feel more at liberty to bond and be more casually intimate with liberal hugs, etc… that’s their right, too.  Let’s not forget that hacker cons are, by and large, private events and it’s fine for them to reflect the views and values of their creators and participants.

Sometimes, we forget that all situations are different and every “event” or “gathering” or “space” has its own unique values and atmosphere.  Trying to map the values and behaviors associated with a workplace on to a hacker con or those of a music festival on to a public park is about as logical as trying to map the norms of one country’s citizenry on to those in a foreign land.

It’s important to consider the base-rate of behavior and the commonly-accepted norms in any circumstance and allow that to dictate our mores, norms, and rules of proper conduct.


I propose the following when it comes to hugs… think about the situations around you on a hug spectrum …

hug spectrum - 00 - scale

… for those who can’t read this easily (you can click any of these images for larger versions) it’s essentially a scale of how intimate the greetings tend to be between both (a) people known to one another and (b) people meeting when they don’t know each other very well.  Here’s a written breakdown of the various points on the axis…

+4 Big kisses for basically anyone who comes along

+3 Hugs liberally shared all the time. Small kisses common, too, even upon introduction

+2 Hugs typical as an introduction, little reservation shown among known folk

+1 Hugs common between all friends and acquaintances, sometimes hugs even during an introduction

+0 Hugs for family and very close friends only, handshakes upon introduction to new people

-1 Folk pretty reserved, usually shake hands even if known already. Handshake almost always as introduction to new folk

-2 Hugs are outright considered odd in public, even if known. During introduction, only handshakes are used

-3 People prefer to not have any physical contact with unknown folk

-4 No acknowledgment of strangers out in public

… so, I’ve made this pretty wide-ranging.  I think that we can safely dismiss or at least not give much consideration to the environments at the +4 and -4 ends of the spectrum.  You’re unlikely to see the +4 “Kiss basically anyone who comes along” as the norm outside of hippie gatherings, raves, or the declared end of a world war.  Likewise, the -4 “No acknowledgement of strangers out in public” standard doesn’t really apply anywhere outside of the most repressed dictatorial or religiously-fundamentalist regimes.


But almost all of the other points on this spectrum are fair game in some situations.  I think that the zero mark in the middle of the axis could be called “the United States societal standard.” We are a people who hug, but your typical American doesn’t go around embracing just anyone.  Our society’s normal method of introduction is the handshake.

hug spectrum - 01 - US society


On the hug spectrum, however, it’s important to consider both the base-rate for a given situation as well as the margins directly on either side of that mark.  A society or group can be thought of as supportive and inclusive if they are aware of others whose preferences and standards lay a little bit outside of the mean.  See here…

hug spectrum - 02 - US society margins

In the USA, it’s not uncommon to encounter +1 people who offer hugs as a form of introduction.  Alternately, there are plenty of -1 people here who are reserved and don’t offer hugs often at all, even to people whom they know.  Being an accepting person means expecting to meet people like that with some regularity.  The red arrow folk should keep themselves open to social cues and indicators so that the yellow arrow folk do not have to offer a lengthy explanation of their slightly different position.  This is the kind of environment that we should aspire to have.  People on the margins should feel accepted and not like they are troubling others or in need of constantly explaining themselves to others.


Let’s apply this hug scale to the business world…

hug spectrum - 03 - business world

… where the norm is handshakes.  Handshakes are always the default when meeting new people, and for the most part they’re what’s shared even between people who know each other.  Of course, the rule of the margins applies…

hug spectrum - 04 - business world margins

… some people in the business world are comfortable hugging friends, even at the office.  Others in the business world consider any kinds of hugging in the office — even if family visits — to be unwarranted.  Again, these yellow arrow folk should not have to explain their position explicitly every time when meeting new people.  Most folk should just pick up on social cues and be able to tell whether someone’s preferences are slightly different and act accordingly.


This “rule of the margins” applies, no matter where the base-rate may be.  Consider a society that is very different from the USA, such as Brazil…

hug spectrum - 05 - brazil

While I’m sure some citizens of the world’s fifth largest nation may disagree with the above chart, it’s quite definitive that they are a much more touchy-feely people than Americans are.  Embraces and even the customary Latino kiss-on-each-cheek are common for all sorts of greetings.  And, as the yellow arrows in the margins indicate: for some people there hugs are only “typical” and not absolute, or on the beaches of Rio during Carnival lots of kissing with strangers is abundant.


An inverse of this can be seen in many Muslim nations, where repressive religious values result in societies around -3 on my scale.  Instead of touching other people, many citizens opt for the salām… a greeting of peace which is often bestowed not with a hand outstretched, but rather simply held over one’s own chest.  Again, in such societies, one does well to be on the lookout for people on the margins… either those who do opt to shake hands or those who are strictly conservative and prefer almost no acknowledgement of strangers (this particularity usually only manifests itself when the interaction is between two people of differing genders.)


So where does this leave us with hacker cons?  Well, let’s turn again to the base-rate as far as hugs are concerned.

hug spectrum - 06 - hacker con

While there are many people who might disagree, I take the position that within the hacker community and at our cons, the norm tends to be the +2 mark on the hug spectrum.  While certainly not obligatory, hugs are typical when meeting new people.  So, when we apply our rule of the margins, what does that tell us?

hug spectrum - 07 - hacker con margins

Individuals whose preferences lay at the yellow arrows should not be made to feel like outsiders or oddballs at hacker cons.  The general attendee base, if they are truly interested in keeping our community a welcoming and accepting place, would interact with each other on the principle that most people are a +2 while at the same time keeping their eyes open to the possibility that a person they encounter could be a +1 or a +3 hugger… social cues and nonverbal communication should hopefully be sufficient most of the time to convey those nuances.


What about actual outliers, however?  At a hacker con, maybe some attendees are the type to simply only hug family and close friends.  Or, on the other end, maybe some folk are the type to be super liberal with passionate kisses for those around him or her.

hug spectrum - 08 - hacker con outlier

hug spectrum - 09 - hacker con outlier

In each such case, I do not think it’s wrong for these people to be considered statistical outliers.  They are far-enough removed from the base-rate of that particular environment that it could surprise most others there.  This is not to say that there is anything wrong with someone such as this.  Again, I firmly believe that anyone may hold their own opinions and values when it comes to personal contact, and that they should be able to do so without shame or reprimand.

However, when a person is sufficiently removed from the base-rate, obligations under the social contract shift a bit.  I feel that no longer should it be considered the burden of the group to be on the lookout for and be able to subtly detect when this very different value is held.  If someone is an outlier, then the burden shifts further to them in terms of communicating their values and preferences when encountering other people.

Attire, stance, and demeanor go a long way to helping this communication, of course.  Wearing business-casual clothing and maintaining a respectable distance from others during a new introduction at a hacker con can help to signal that you’re more comfortable with the business-world standard of “handshakes are the norm” but I believe that no one should be thought of as a bad person if they fail to pick up on this.  A friendly but straightforward “hah, sorry, I’m not much of a hugger” can be communicated if someone leans in for an unexpected embrace.  No one should feel bad.  The 0 spectrum non-hugger is justified.  The +2 hug-desiring hacker shouldn’t feel dismissed or shunned.  And the con itself shouldn’t feel bad for cultivating an environment populated by predominantly +1 +2 +3 hug-spectrum folk.


Hug if you want to.  Shake hands if you prefer.  Kiss loads of people or ignore strangers entirely… the choice is 100% yours.  But let this hug spectrum be a guide.  Familiarize yourself with whatever the base-rate is for any environment into which you proceed (people who know me are aware that I’m a huge supporter of travel and experiencing other cultures, the rule applies there, too) and then do the following…

1. expect that most people whom you encounter will probably have values and actions in accordance with the base-rate

2. be on the lookout for people who are just at the margins of the base-rate and let social cues guide you in those interactions so that these people needn’t explain themselves.  It is the responsibility of the group to help them feel included.

3. if you are not just different from the typical base-rate but actually well outside the margins of an environment, be prepared to communicate your feelings and values to others.  In those cases, the responsibility falls to you more than to the group.


Just because a person who is substantially different from the group around them feels the need to communicate that in order to have healthy interactions, that doesn’t imply that they can’t have a positive experience.  I remember reading a very inspiring story which transpired at the 29th Chaos Communication Congress.  One participant was reluctant to attend, due to her Asperger syndrome.  She knew that hackers are huggers and that the CCC events are often densely-packed with people of every stripe.  But instead of letting her fear get the best of her, she chose to attend anyway.  With the support of friends, this person wore a shirt announcing prominently that she didn’t care to be touched directly.

Her blog post was one of wondrous joy and happiness.  The author explained that by and large, the other attendees which she encountered were supportive and very respectful, making the CCC event accessible to even someone who was well outside the base-rate of the Hug Spectrum for hackers.  While the wearing of a prominently-worded shirt might be quite an extreme step to take, it’s just one example of how it is very possible to communicate your differences to those around you and everyone can come out better for it.


I’ll let this blog post speak for me.

I’m a hugger, through and through.  If you see me, feel free to hug me.  If I know you, chances are I’ll approve.  Even if I don’t know you, chances are high that I’ll smile and be happy about it all the same.

Just do me (and everyone else around you) a favor: smell nice.  A recent shower coupled with clothes that have been laundered goes a lot further in making me comfortable during an embrace than whether or not I know whose arms are around me.  😉




Years ago, I posted in a thread on the DEFCON Forums where folk were discussing travel tech.  What bags, what gear, what tools, and what must-have items made life on the road easier and better were all being shared.  In that thread, I posted a rundown of the backpack which I used for carry-on during all my flights.  An array of photos showed the backpack I used and the gear within.

I just re-read the thread and now so much of it is quaint from a time gone by.  A paper book for “take off and landing” times when the Kindle wasn’t permitted was in there.  I used to keep my laptop with me in carry-on.  But, most of all, a lot of things look the same.  What has changed the most is my bag.  I’ve moved to an even slimmer and smaller carry-on, and that’s probably the best advice I can give to anyone who is preparing things like this… GO SMALL.  You’ll force yourself to fit into a smaller space and you’ll carry less gear.

Even now, as I type this post, I am seeing some things that are in my frequent-flyer backpack which are seldom used.  I could prune down even more, I bet.  This post may inspire others to pack smart, but it’s likely going to inspire me to pack even lighter than I used to.  😀

So, without further ado, here is what accompanies me on every single one of my 100,000+ flight miles each year…



I now use a bag from 5.11 Tactical, their MOAB Rush 10 backpack.  It’s a single-strap design that slings over the shoulder and can be adapted for left-side or right-side use.  The single-strap allows the person wearing to spin the bag to their front for quick access to most pockets and it balances the load well, despite only resting on one side of my frame.


The bag has all the customary velcro areas for adding patches, which I have done.  Also the webbing straps allow for extra hooking of gear and other add-ons.  You don’t see it, but I always have a Kleen Kanteen water bottle on the outside, for quick fill-ups once I’m through TSA screening.  Opposite that is an extra pouch that a friend gave me…


This perfectly holds my Kindle.


The add-on pouch is super padded and keeps the Kindle (one of my most frequently-grabbed items) in the same spot 100% of the time.  I used to have a Nexus 7 tablet in there and it also worked perfectly for that.


Also through the outside loops of the bag are some markers and pens.  They are always useful and I keep them on the outside for fast access.  If I lose one, meh, they’re cheap.


The main pouch of the backpack contains four large things and one small envelope…


The main pouch contains a ziplock bag of some spare clothes, a travel wipes packet, a black zipper pouch, and a gray 1st class complimentary sundry kit that I’ve augmented over the years.


The spare clothes include boxers, a t-shirt, and both white and black socks.  I can get through basically any “day after misrouted luggage” whether it’s a meeting, a casual time, etc.  There is also a waffle-knit long-sleeve thermal shirt from Columbia.  I can wear this under (or over) anything I’m wearing on my flights and be comfortable in cold conditions.  Whether a plane is chilly or I’m stranded in Denver for the night, this will get me through the worst of it even without a coat.


The extra garments squish down into that ziplock bag and don’t take much room. They live at the very bottom of my carry-on.


The sundry bag has pretty much what you’d expect…


In addition to the typical things, I also have a spare toothbrush if I’m with a companion, plus eye drops (artificial tears only, NEVER Visine because it’s awful) and nasal spray.  A tiny tin of moisturizer and powder are also helpful in rough flight conditions.


The black zipper pouch is entertainment/relaxing/etc gear.  Lockpicks and a few practice locks are in there.  A BlueTooth game pad controller for emulated old NES and SNES games on my phone is fun sometimes.  Keeping spare spoons, knives, and chopsticks is very helpful for in-flight dining or “stranded in a hotel room and eating stuff from the gift shop” dining.


The envelope in the large pouch is a self-addressed flat rate envelope and some smaller envelopes with forever stamps, in case I ever have to mail something home.  I also have a free pair of slippers from a previous flight (they fold super flat) and some printed-out policies and correspondence from TSA and airlines clarifying policies.


The main pouch has two small additional pouches.


A deck of cards (which I almost never use but can’t seem to stop keeping on me) is in one such small pouch.  The other contains a little case of which I spoke in my earlier post years ago on the DEFCON Forums…


This used to be my “keep in the seatback pocket” case… it had basically anything I’d need while in-flight.  I rarely reach for it nowadays, however, and really just keep it in case someone else in my travel party needs something.  From meds to make you sleepy or settle a stomach or ease pain to gum for ear-popping to power/audio adapters, these are things that are good in a pinch but which I need less and less.  Nowadays, I just listen to my phone via earbuds or I read the Kindle or I sleep.


The tiny pouch built into the shoulder strap has a few things I like to access quickly.


USB charging cables (one 10′ one and one 1′ one) are in there along with my earbuds and a wet wipe.  The LEGO flat bricks are part of an old joke.  If you saw a talk of mine from CarolinaCon you’d understand.  😉


This small top pocket is designed for glasses.  I use it for that and a couple other odds and ends.


Sunglasses are up there, yes, and also some spare floss and a lighter and a USB drive.  It’s also the dumping-ground pocket for loose change, which I empty out after each trip.


This bag has a TERRIFIC additional pocket in the rear.  I use it as a food stash.


In addition to Clif bars and similar things, I keep a small supply of heavy-duty ziplock bags in there.  I raid lounges for free things if I know I’m headed somewhere that might not have proper food options.  Yes, these little goldfish crackers or the carrot sticks are kind of crappy… but it beats being hungry when you are wheels-down in Moscow and checking in to a hotel at 2AM hours after everything is closed.


The very front pocket is where all of my essential tech resides…


In here we have:

  • A backup power supply for charging phone/etc
  • A universal power adapter for foreign plugs
  • A cigarette lighter adapter for charging in rental cars
  • An orange power splitter which makes me VERY popular in airports sometimes
  • Spare reading glasses (my main ones travel in checked baggage in my laptop bag)
  • Small bag of chargers and adapters (fitbit charger, etc)
  • Pens, screwdriver, little tools
  • Cash Can (google it, it’s great to have a spare $100 bill tucked away somewhere)
  • Notebook (which also holds all receipts and scraps of paper as needed)
  • a backup phone…


EDIT: I’m making a new addition to this post in order to mention the newest addition to my travel bag.  This backup phone is 110% what I’ve been seeking for a while.  Made by BLU, it’s built in the rugged “candybar” style of the classic Nokia brick phones.  It’s a quad-band device, good for coverage in basically ANY place on earth that has GSM networks.  It comes factory-unlocked, so any SIM card should work.  (The model I purchased is actually DUAL SIM, just for the hell of it.)  The SIM slots are full-size, so including an adapter set is a smart move.  Just leave the adapters sitting in the SIM slots.  The phone supports a microSD card and can do a few extra little things like play MP3s or even tune in FM radio.  In short: if I ever for any reason break or lose my smartphone while traveling, I can have at least basic comms back up quickly, no matter where I am in the world.

This phone costs $23 on Amazon.  For heaven’s sake, order one.  🙂




All of that packs into a bag which is small enough to fit under any airline seat (although I prefer using overhead space, of course) and which is “squishy” and capable of being wedged into overhead bins on both large and small airframe craft.  I can sling it and carry it a variety of ways (even wearing it comfortably on my chest if I have a larger bag behind me somehow) and it sees me through just about anything.

The bag currently weighs 15 lbs.  I’m pretty happy with this setup, and will continue to strive toward reducing its weight and size more and more over time.

Travel well, people.  I’ll see you when I see you.




In a recent podcast interview (The Social Engineer podcast, run by Chris Hadnagy and his team) the topic of DerbyCon came up, and naturally all participants enthusiastically recommended that the listeners attend.  During this chatter, I spouted the oft-heard remark “DerbyCon is the new DEFCON” (a phrase that I didn’t originate but which I have been heard to utter from time to time) and all heads nodded.

In some follow-up on Twitter with nick8ch, we realized that this is a perhaps-controversial phrase and could benefit from some clarification.  So here goes…


“DerbyCon is the new DEFCON” – This is not to denigrate or snipe at DEFCON in any way.  I love that massive Vegas hacker gathering and will keep attending forever.  However, the size of DEFCON and the fact that it’s no longer in small (often seedy) hotels means that having intimate and casual meetings with close friends is challenging, and also some antics are harder to pull off than they used to be.  You don’t find yourself just chatting in hallways or hanging out on the hotel roof anymore, as was the norm in the past at DEFCON.  DerbyCon, however, has a very very high signal-to-noise ratio and it’s held at a much smaller venue than DEFCON.  Many of the old guard are present, as are enthusiastic up-and-comers.  Folk chill in the lobby bar and it’s not uncommon to see massive penis art in the elevators.  DerbyCon most closely captures the vibe, in my opinion, of the earlier days of DEFCON… but, of course, in truth nothing could ever really be equivalent to that particular place and time in history.  And what’s more, DerbyCon has developed its own wonderful and unique energy that is distinct and vibrant in its own right.

[image] this kind of thing you just don’t see at on-strip hotels at DEFCON anymore


“DEFCON is the new Black Hat” – This is also a slightly questionable statement, but one that sometimes follows the previous one.  Why?  Well, while DEFCON used to be 100% focused on the friends you knew who were there and the antics/catching-up you could do with them, now there’s a much more significant element of going to DEFCON in order to see people whom you don’t know.  The idea of rubbing shoulders with the latest INFOSEC rockstar or, similarly, getting your research out in front of people who might hire you or invest with you… those are very BlackHat-ish elements that now are common at DEFCON.  I’m not saying that what makes DEFCON great isn’t still there… but there’s a new vibe.  As someone like SpaceRogue or SimpleNomad would say, “the Money that has changed the industry has found its way into DEFCON.”  People take specific steps to “be seen” and portray their efforts at DEFCON in a way that could positively affect their business the rest of the year.  In the past, you went to DEFCON with a “don’t give a damn” attitude about the fact that it could negatively impact your professional reputation the rest of the year.  😉

[image] this is what a “DEFCON party” used to look like

[image] who else remembers the purple fountains? think this could happen at a Caesar’s property?

[image] before it was an official, professional event… the Wall of Sheep was just people being d0x’d or having creds dropped on paper plates on the wall of the hotel

[image] poolside fun and general chill.  I can’t remember the last time I could just chill out at DEFCON.  Well, maybe at the Beer Cooling Contraption Contest ever since Uncle Enzo took it over.  😉


“Black Hat is now RSA” – Even more folk might agree with this somewhat unfortunate turn of events.  Full Disclosure: I still appear at Black Hat since my company trains there.  Most of my friends’ companies also train there.  However, the event has ceased to be about the hacker community in any real way other than in name only.  Much of the best information is still there, yes.  But the community feel is not.  Put another way: when is the last time you stuck around at Black Hat in the evenings to go to any of the parties?  For me, it’s been years.  Plenty of sponsors host parties when Black Hat is in town, but now the whole INFOSEC core community is either at BSides or the 303 house or just gearing up for DEFCON itself.  Black Hat’s pricing has continued to grow and scale upward with the influx of money in the industry, and this has made it a lot harder to find smaller voices among that crowd.  Black Hat was never an event where folk would streak naked into pools or wander through DJ-pumping halls high on a galaxy of drugs, but even those of us who have been appearing there for years know that it’s somewhat more “corporate” nowadays.  The size of the vendor expo area has grown as much as the admission price… but it’s not going away any time soon.  Hence, the RSA comparison.

[image] Black Hat… way back when.

“So if Black Hat is now RSA… What has RSA become?” – COMDEX.  RSA is now COMDEX.  It’s 100% trade show, and any “talks” or other speeches are little more than veiled sales pitches.  It is a giant sea of marketing with little to no real value to anyone who is key to the industry, and most INFOSEC pros whom I know now avoid RSA like the plague.  Confession: when our company was still new, we did a brief presentation at RSA.  It was one of the saddest things I’ve ever been a part of.  I felt like we were just one more piece of a massive dog-and-pony show.  Besides the event itself having awful security and the participants having awful OpSec and privacy practices, the whole affair just reeked of circle-jerk.  I am sure that I’ll piss some people off here and maybe one day I’ll pay the price for that professionally… but perhaps that’s just the old-DEFCON side of me showing through.  🙂

[image] we used a FedEx Kinko’s to mod our badges for access outside of regular hours.  We did this at the on-site FedEx, right on that floor of the hotel.  No one noticed or seemed to care.

[image] I can’t even.  “prevents tampering, spoofing, & hacking” … well alright, then.  Seems legit.

[image] even Babak couldn’t believe we were there, talking to this goofball


Feel free to share your thoughts below in comments or just share a drink with me when you see me.  I’ll be at DerbyCon in the fall.  And DEFCON before that… but you can’t find me for so much as a free second at that event.  😉