You’re wrong…and so am I

This is going to be a short post.

Watching the echo chamber in the last couple days as well as watching “Builder vs Breaker” from BsidesChicago on Ustream makes me realize…we’re all wrong. There are so many diverse views from all areas of the world in our profession, you’re going to have someone that disagrees with your “facts”. You could say “the sky is very blue right now” while living in the US, but someone in Europe could say “Actually it’s currently black and the stars are really out tonight”.

No matter what you believe someone believes the opposite and is willing to debate with you, and this goes for pretty much anything:

  • Certifications are good / Certifications are bad
  • Pentests are needed / Pentests only find known vulnerabilities
  • Company A / Company B

What we need to realize is that we are going to have differing opinions and we need to listen to others even when we think they’re dead wrong. You may just realize that your “facts” weren’t as solid as you thought.

Yeah so…

…maybe you’re smarter, or have been in infosec longer, or perhaps you had someone help you along. Those are all really great things to have. What they are not is a license to lord it over everyone else or use it as a personal ego trip.

There are a lot of great people in this industry. There are ones that are trying to help people like myself get to where they want to be because it’s better for the industry as a whole. If you are not helping others learn you are part of the problem. There are those who help by creating blog posts on how to use tools or provide targets for those of us trying to learn to use the tools. Those are the people who are the “rockstars” of this industry. Not the ones that discovered the latest 0-day du jour.

Jayson Street made a comment when we were hanging out before Thotcon that hit the nail on the head. There are people out there who say “I broke it. You’re welcome.” They don’t care if anyone can fix it, they don’t care if anyone else learned from it. They are just there to beat their chest and inflate their own ego. That’s not helping anyone.

There are quite a few people out there that want to help others out and want to answer questions or give advice. Unfortunately those are also the ones that are often berated and put down because someone disagrees with their thoughts or feels they are only talk. Bringing attention to security is what we need and what we want. If we can get more people to care about security our job will be that much easier.

Will I ever be the top pen-tester in the world? No. Will I ever be on the cover of a magazine for how brilliant I am? Probably not. The reason I want to take this road is because I want to make the company I’m working for just a little bit wiser on what their risks are, so they have the knowledge to make a decision. It’s not a grandiose goal and I will probably never get rich off of it, but I’ll love going to work and I’ll do my best to help out those that come to me for knowledge and advice.

So to the @jaysonstreet @elizmmartin @ben0xa @securityninja @jwgoerlich @coolacid and @davienthemoose of the world, thank you for your insight and encouragement from a guy trying to start anew in this arena.