Mark Loveless, aka Simple Nomad, is a researcher and hacker. He frequently speaks at security conferences around the globe, gets quoted in the press, and has a somewhat odd perspective on security in general.

Enigma 2019

Enigma 2019


2019 Jan 27, Sunday, 12:50pm CT. Travel day. Ever so glad that this government shutdown thing is resolved at least temporarily. The line at TSA PreCheck was short and sweet. I know I am supposed to care about the government and all, but as long as I can fly instead of drive, I am (for now) way less concerned. I’ll worry about Uncle Sam in three weeks when the temp fix is up.

3:00pm CT. Flight to SFO is completely packed, no empty seats. Ninety percent of my fellow passengers must be flying into the Bay Area as a part of their job - tons of geek nerds on board. The overhead bins filled up and I had to check my backpack, but no biggie. All of my tech and meds were in my laptop bag which fits in my backpack, so I just pulled out the laptop bag and was good to go. Risk planning always helps, even for travel.


5:30pm PT. Landed safe and arrived at hotel, checked in and room has a decent view. After some family phone calls I headed out to dinner with an old friend I hadn’t seen in a while - Rik Farrow. After dinner I get a bit of work done, have some hot tea, then call it an early night.

2019 Jan 28, Monday 5:55am PT. Up at butt o’clock, shower and did sink laundry. I pack light as a strong believer of one bag travel, so today and tomorrow will be laundry days. Checked email and had my morning tea.


7:30am PT. Checked into the conference, more hot tea with a muffin.

8:45am-5:30pm PT. The conference begins. A single-track conference, all talks at Enigma are 20 minutes long with 10 minutes of Q&A. On the first day there were 13 talks in the single track. All were excellent. The stand-outs for me were as follows:

  • Callisto: A Cryptographic Approach to #MeToo” by Anjana Rajan. This is a serious subject, so I hope no one finds it inappropriate that the Callisto project was so exciting for me. Anjana laid out the scenario, then explained the mathematical formula used to do the crypto. It was one of those algorithms that once you see it, you wonder why you didn’t think of it first since it is so easy. Overall this was one of the more inspiring talks.

  • Hardware Security Modules: The Ultimate Black Boxes” by Ryan Lackey. This was an overview of HSMs and was quite good. Ryan has been experimenting and implementing these things for years, so between his no-nonsense approach and experience he was able to lay things out. As key management seems to be back on the rise, and the security of certain types of high-value keys is needed to implement solutions (such as ZTN), this was a good talk for an overview of where the technology is emerging and where it is being applied. Security advantages and disadvantages were also covered. Very interesting stuff.

  • Using Architecture and Abstractions to Design a Security Layer for TLS” by Daniel Zappala. This was for me a classic USENIX-style talk. It started with a simple code sample, and then stated “wouldn’t it be great if we changed these two things and network communication was secured?” While we’d need all vendors of OSes to implement the “security layer” library being outlined (a tall order in itself), if done it would solve a lot of issues with implementation of TLS by developers. Again, one of those things that once outlined makes so much sense. The talk was about what would be needed to implement such a library and the usual pluses and minuses. With Callisto this was a conference highlight for me.

  • Grey Science” by Anita Nikolich. This was a fascinating talk covering the differences between how hackers and academics present their research to the public, and how they are similar. It points out the advantages of both sides working together, and was a great talk.

It should be noted that the other talks were really good, I enjoyed them, but these just struck a nerve and stood out to me.


5:30-7:00pm PT. Reception time. Like many there, I made a meal out of the reception food. It was a great networking opportunity and I enjoyed talking with friends I had not seen in a while. Afterwards I caught up on email and made a few tweaks to my presentation. Calls to the wife, and then an early night to bed.

2019 Jan 29, Tuesday 7:00am PT. Up early for shower and more sink laundry. Morning tea consisted of room brew - where you use the coffee maker to got hot water for tea, use ice from the ice machine, and make iced tea.

8:00am PT. Con breakfast with fruit and more tea. More fun conversations.



8:55am-5:00pm PT. My con world is altered when I discover that the espresso cart in the vendor area is serving up chai. Not the best chai, but decent and its free. I discovered this after lunch and over the next 24 hours visit them for a chai probably four more times. Another great day of talks. Again all are good, but there are a few that stood out for me:

  • Cybercrime Pays: Valuing Data on the Dark Web” by Munish Walther-Puri. The talk itself was interesting, talking about the valuation of various pieces of personal data on the dark web after it has been gathered or stolen. A great talk on its own, it was also interesting to sit next to Ryan Lackey as we commented on things that made it so interesting, with insights into some of the example real-world attacks Munish would bring up.

  • Where is the Web Closed?” by Sadia Afroz. Sadia discussed how closing portions of the web can occur because website owners or even governments decide to limit access based upon things besides censorship. This involved blocking the EU to avoid having to be GDPR compliant, blocking regions for “security” reasons, or blocking based upon a region itself. A fascinating talk covering a topic not often discussed.

  • The URLephant in the Room” by Emily Stark. Emily works on the Chrome project at Google, and the talk was on how it is not always easy for an end user, even a security expert, to tell if some web destination is dangerous with just the URL. Solutions with their strengths and limitations were discussed, a great talk.

  • Mobile App Privacy Analysis at Scale” by Serge Egelman. During the web session there were a couple of talks that discussed advances in browser blocking technology, and in spite of the fact that they were good talks, I found myself bitching. I was mainly bitching about how mobile apps are doing the old tracking methods and visiting the questionable sites that are blocked in most modern browsers. Then Serge gave his talk, and I could tell everyone “See?What was I just saying?” I really liked the talk and the approach taken to the research.

5:30-7:00pm PT. Reception time, more trying to make a meal out of reception food, which is kind of easy to do since so far the food has been pretty good. Later more room tea and email. catching up with family and checking in for my flight the next day.

7:00-8:00pm PT. Attended the EFF evening event, appropriately named “An Evening With EFF.” This was quite enjoyable as the EFF fielded questions and discussed things in a friendly manner. The only swag I picked up during the trip was an RFID-blocking leather passport wallet at their booth, which I got for a donation. Support the EFF!

2019 Jan 30, Wednesday 7:00am PT. Speaking and travel day. After a quick shower I pack everything up with everything I care about in the laptop bag as usual. The expendable stuff is in the backpack which is stored in the hotel cloak room after I check out.


8:00am-4:30pm PT. More con breakfast and free chai. More excellent talks. Standouts include the following:

  • Mr. Lord Goes to Washington, or Applying Security outside the Tech World” by Bob Lord. As Bob’s job is CSO for the Democratic National Committee, I already expected the talk to be good. Bob did not disappoint - he discussed how he tried to get security information in the hands of non-technical people in independent campaigns to help protect the democratic process. Not just a great example for dealing with small and medium businesses, but a great model for dealing with different departments in a large company. I don’t envy his job, but I am glad someone is doing it and he obviously enjoys the challenges he faces every day. Very inspiring.

  • Convincing the Loser: Securing Elections against Modern Threats“ by Ben Adida. Ben is one of the chairs of Enigma, and was a last-minute replacement for a missing speaker - a casualty of the government shutdown. Saying Ben discussed voting systems and saying it was interesting is such an understatement - it was interesting in that the discussion involved how certain simple technologies are “accepted” as working and what that means. Additionally he discussed how there can be no edge cases for voters, as for it to work it has to be inclusive for all voters and still be secure. Afterwards I understood the challenges faced with such things as electronic or online voting instead of just assuming a move forward with technology is always the right move.

  • Something You Have and Someone You Know - Designing for Interpersonal Security” by Periwinkle Doerfler. I had the pleasure of working with Peri and Amie Stepanovich (our session chair) on getting both Peri’s talk and my talk into shape for Enigma. Even without that, this would have been a favorite talk. People share their devices with others, whether it is briefly for setting up tunes for a party, a spouse or parent has access to the device, or an abusive partner demands it. All have an impact on the security and privacy of the device, mainly because vendors gear everything on devices to a single user model. Peri outlined all of this and gave some stark examples of how the model of the single user fails when the device is shared. An excellent talk.

I spoke at 3:30pm - second to last. It was an interesting experience, I was slightly nervous since I was doing what was previously a one hour talk that was now compressed to 20 minutes. During the talk I had mic issues, which threw me off a bit - I don’t think it was too obvious except to those that knew me, since friends did mention I seemed slightly distracted by it afterwards. As a result there were a couple of points I could have made better, but fortunately this is a smart audience and I had people asking me questions during the Q&A section where my answers helped clarify those points. Overall it seemed to go well and I had a number of people approach me afterward and thank me. As expected, I got a lot of people sharing what they do for personal safety when traveling - a few I hadn’t heard of before and may adopt!

It’s rough speaking near the end of a conference in the Bay Area midweek - you are watching all of the locals stream out of the conference after lunch to avoid the rush hour traffic and get home early, but even with that it was an excellent conference all the way through Peri’s talk at the very end.

5:30pm PT. On a hotel bus to the airport after emptying my pockets into my backpack, and sticking the laptop bag into the backpack as well (remember, one bag travel). No line at TSA again - good.

6:30pm PT. A fine meal of SFO airport gruel.

7:15pm PT. The connection flight to LAX is oversold. They have to ask for volunteers for a later flight, and again I have to check a bag - and again the laptop bag comes out of the backpack and the backpack is checked. At least when this happens you aren’t charged for it.

8:50-11:59pm PT. My layover in LAX is a joyous 3+ hours. Most of it is spent on social media and talking with my wife on the phone.

2019 Jan 31, Thursday 5:05am CT. My red eye flight arrives at DFW after a sleepless flight. No real reason for it being sleepless except I rarely sleep on planes. A Lyft and I am home and asleep by 6:30am.

If you are thinking about attending Enigma in the future, it will again be during the last week in January 2020 at the same location - the Hyatt Regency San Francisco Airport in Burlingame, CA. I highly recommend it, and I am going to try to be there again, either as a speaker or an attendee.

Offense vs Defense vs Offense

Offense vs Defense vs Offense

The End of the Landline

The End of the Landline