BsidesDetroit – ConBlu, first try at presenting

 

I just got back from the BsidesDetroit trip and my first shot at giving a talk. I was wired for this trip for about a week before I went, worried about what would happen with me giving my first talk. Also, on the drive home I think I came down with “ConBlu”. Not the “ConFlu” sickness most people talk about when they go to a conference and shake hands/hug a lot of people. This is more of a slight letdown that you get when you have to leave after having the chance to hang out with people who really “get you”. The people who are as geeked out as you are when you “pop a box” for the first time. You start to wish for next year’s conference as you’re walking to your car to leave.

On to my first try at speaking. I hadn’t tried to give a presentation since sophomore year in college. While I haven’t had the chance to watch the video and see how I did, I did get plenty of feedback on my first try. Many people felt that the topic was definitely good, and something that needs to be addressed in Information Security. For those of you who haven’t followed me lately, I collaborated on a talk with Len Isham on “Infosec Flameout”. My angle on the issue was that I was burned out in my current job, but I was working myself even harder trying to change careers.

Len and I worked on the slides and content for a couple months prior to the event, but Len wasn’t happy with how his part was going, so he spent a day or two before the event completely re-doing his slides/talk. My portion was about my career, how I got burned out, and what I have tried to do about it. Len’s was about socially engineering your career after you decided where you wanted to go.

When we first started going through the talk via Skype, I hit about 13 minutes for my section. I wanted to be closer to 20 or so, leaving time for questions at the end of the hour. Len & my wife both said I needed to slow down because I was talking too fast. The second try through it, I got just over 19 minutes. I was happy with how I was pacing myself and I liked how much detail I was giving for the time-frame.

So we start our talk, and I was definitely speaking too fast. I was very nervous and realized it too late, ending up with only about 9.5 minutes after hitting my last slide. Len realized this as well as he got up to do his talk, and he was able to stretch it out so we hit about 35-40 minutes total for both of us. The great thing about the people attending (and our industry as a whole) is that people attending were willing to share their thoughts and what they did to stave off burnout. By the time we finished the discussions, it was about 7 minutes before the hour. It actually turned out great with how everyone chimed in.

With all that said, I definitely need to slow down if I’m going to present again. I had a couple people suggest that I submit to DerbyCon with just my portion. I would definitely have to expand on everything in my talk. Hindsight is always 20/20 they say, and I think I needed to do the slides a little differently for next time, as well as give quite a bit more information on what caused my burnout at different times in my career and how I worked through them. I guess I’ll mull that over in my head a bit and think on it.

The conference itself was awesome. I loved the venue; it was well laid out, there was quite a bit to do in the conference center itself, as well as having the hotel right there. The different tracks in different rooms made it easy to have hallway-con, as well as two tracks, a teaching area, and a lock-pick village. I really loved the set-up and the Detroit team did a great job with putting it together. The talks were awesome! The great thing about this industry is that people are willing to share their knowledge. I didn’t get to meet everyone I wanted to, and I didn’t get to see all the talks I wanted, but I got two classes in (Metasploit & Armitage), and saw quite a few really good talks.

The only issue I had with the con personally was with the hotels (Marriott & Courtyard by Marriott where I stayed). Both were very pricey and provided nothing I wanted for it. Breakfast for both hotels was extra, as was wi-fi in the Marriott. I have some ideas to take back to my work which I’m sure my boss is going to appreciate, and maybe I can get him to pay part of the hotel. I guess I’ll see how good my social engineering skills are 😉

You’re wrong…and so am I

This is going to be a short post.

Watching the echo chamber in the last couple days as well as watching “Builder vs Breaker” from BsidesChicago on Ustream makes me realize…we’re all wrong. There are so many diverse views from all areas of the world in our profession, you’re going to have someone that disagrees with your “facts”. You could say “the sky is very blue right now” while living in the US, but someone in Europe could say “Actually it’s currently black and the stars are really out tonight”.

No matter what you believe, someone believes the opposite and is willing to debate with you, and this goes for pretty much anything:

  • Certifications are good / Certifications are bad
  • Pentests are needed / Pentests only find known vulnerabilities
  • Company A / Company B

What we need to realize is that we are going to have differing opinions and we need to listen to others even when we think they’re dead wrong. You may just realize that your “facts” weren’t as solid as you thought.

Yeah so…

…maybe you’re smarter, or have been in infosec longer, or perhaps you had someone help you along. Those are all really great things to have. What they are not is a license to lord it over everyone else or use it as a personal ego trip.

There are a lot of great people in this industry. There are ones that are trying to help people like myself get to where they want to be because it’s better for the industry as a whole. If you are not helping others learn you are part of the problem. There are those who help by creating blog posts on how to use tools or provide targets for those of us trying to learn to use the tools. Those are the people who are the “rockstars” of this industry. Not the ones that discovered the latest 0-day du jour.

Jayson Street made a comment when we were hanging out before Thotcon that hit the nail on the head. There are people out there who say “I broke it. You’re welcome.” They don’t care if anyone can fix it, they don’t care if anyone else learned from it. They are just there to beat their chest and inflate their own ego. That’s not helping anyone.

There are quite a few people out there that want to help others out and want to answer questions or give advice. Unfortunately those are also the ones that are often berated and put down because someone disagrees with their thoughts or feels they are only talk. Bringing attention to security is what we need and what we want. If we can get more people to care about security our job will be that much easier.

Will I ever be the top pen-tester in the world? No. Will I ever be on the cover of a magazine for how brilliant I am? Probably not. The reason I want to take this road is because I want to make the company I’m working for just a little bit wiser on what their risks are, so they have the knowledge to make a decision. It’s not a grandiose goal and I will probably never get rich off of it, but I’ll love going to work and I’ll do my best to help out those that come to me for knowledge and advice.

So to the @jaysonstreet @elizmmartin @ben0xa @securityninja @jwgoerlich @coolacid and @davienthemoose of the world, thank you for your insight and encouragement from a guy trying to start anew in this arena.