We asked Pete Herzog to tell us more about what people can expect at his OSSTMM class at RVAsec and he provided us a great response!

As humans, we like secrets as long as they don’t harm us for knowing them. We like knowing the dirt on people and the stories behind things. We like to know we’re right and they’re wrong and justifiably so. That’s what this workshop is about. It’s that feel-good, bad-ass workshop full of secrets, dirt, and indignation. Here’s why:

You may have been thrown by the word OSSTMM in the full title, “Secrets of Security with the OSSTMM.” Don’t worry. It’s not about the OSSTMM the way you might be wary that it’s about the OSSTMM. What this workshop won’t do is show you OSSTMM slides and tell you about it. Because that wouldn’t be bad-ass. It’s more about the bad-ass stuff not in the OSSTMM and why we can’t put it in.

For a moment, let me re-introduce you to ISECOM, our organization. Our mission is to make sense of security but how we do it is by not limiting contributors or ideas and we take any profession or hobbyist who wants to partake. And that’s where it gets weird. We’re a research organization with people all over the world working virtually so there are very few constraints to what we can actually research. So we try to reign it in around our mission but sometimes we just do things because somebody was curious. It’s that last part where things get really bad-ass because there’s no context.

When there’s no context that means anything can happen since we’re not constraining it to test a specific theory for security. What happens then is we might learn something spooky or strange or strangely true. Even when we end up with a security truth it can’t just be disseminated as is. It takes a lot of eloquence to take it from from a finding to practical use that can go into one of our publications like the OSSTMM. So sometimes we can’t. That’s also why we struggle to release a coherent document full of cool stuff re-written as practical steps but then it reads like stereo instructions. So in the workshop I’ll show you the behind-the-scenes footage, the stuff we refer to as the “Dark OSSTMM” which is the stuff without context so you can be equally interested or freaked out. Then I’ll show you with context. This is a bit of what it looks like behind the scenes:


Topics Research Without Context Adding Context for Practical Use
Vulnerability Management What would a defense look like that blocked every kind of attack all the time? How to measure an attack surface. How to classify threats based on operations instead of risk.
Electromagnetic Waves How electromagnetic waves affect personality, behavior, and health. Best ways to test large spectrum EM waves. Using EM waves in Social Engineering. Correlating HR data with EM maps. Analyzing EM wave collisions with business processes also using EM frequencies.
Sound waves Using HF sound waves to cause visual hallucinations. Ways to test for HF sound waves. Visual mapping of sound waves. Implementing high frequency sound waves above human perception for machine to machine communication. Using sound waves to causing chaos, confusion, and disruption within the workplace for social engineering and physical attacks.
Neurohacking Using electric signals to modify brain function. ??? We’ve got nothing yet but there’s some pretty cool stuff we can do from enhancing vision contrast to improving working memory to learning skills really quickly.
Trust What are the logical reasons we have to trust someone or something? Testing and measuring trust in people, things, third parties like Vendors and Clouds. Improving social engineering tests to include manipulated trusts. Expanding attack surface calculations to include people.
Perception Can we manipulate how people experience time with external signals or electrical impulses? ??? We’ve got no security context here yet but in some tests we found with direct contact we can increase or decrease physiological responses to hunger, wakefullness, sex, and the speed in which we perceive something.


This research is so bad-ass that it’s sometimes too bad-ass to go in the OSSTMM until we can find further context. So we share it with team members, classes, and subscribers who like to know about stuff like this, groups like: NIST, NSA, NASA, the Whitehouse, CERN, and even the Vatican.

But the point of this workshop is to make you a better security professional as well as more aware of what’s being done out there in security that’s not afraid to challenge concepts we’ve grown up with. So you can expect there will be a good deal of discussion.

Think of it this way:

If doctors worked like today’s security professionals, they’d know everything about all the ways a person could be killed and still use blood letting and leeches to heal us.

And this is what can you do with the stuff from the workshop:

  1. Bring more value to a penetration test and vulnerability scans

a) vastly increase the length of validity for the snapshot
b) analyze points of interaction
c) manage operational security controls including devops

  1. Enhance vulnerability management
  2. Identify the points of attack or points where interactions can cause problems
  3. Increase office and network efficiency by identifying unnecessary interactions
  4. Analyze third party services and vendors, including cloud using trust
  5. Be more smug for having more security dirt to dish at the watercoolers than your colleagues.


Additionally, for fun, I’ll show you how Heartbleed attacks and the latest Target hack look like according to some of our older research.

Finally, I’ll bring some neurohacking gear for workshop attendees to play with. So over-all, I can tell you this will be a bad-ass workshop.

About the Instructor

Pete Herzog is the lead security researcher and creator of the OSSTMM. His analysis of security, hacking, trust, fraud, and neuro-hacking have shown up in thousands of research papers, books, and government documents around the world. He’s passionate about hacking and figuring out how things (and people) work.


Title: The Secrets of Security with the OSSTMM
Instructor: Pete Herzog
Date: 6/4/2014, 9AM-5PM
Cost: $250

Register for this Class