
Monthly Archives: October 2018

I keep my Twitter DMs open and my email address is public.  This, plus the fact that I’m a recognizable face at conferences and generally like to answer folks’ questions means that I field a lot of inquiries… particularly about the hacker community and the world of physical security.

While I always want to give each person who reaches out an individual and specific answer unique to them, a recent utter flurry of contacts (due to a bout of mainstream press and wider attention) has made it harder to keep up with my inbox.  Consequently, I’m going to try posting something here.  It will effectively be an amalgam of various answers I’ve written to folk in the past week or more.  Some people have been asking about their own career path and job prospects.  Others have found that my explanation of security flaws hits home for them because they see these vulnerabilities in their own work environments and want to share this news with others.  Other folk simply want to know how to best apply their limited resources in a way that can lead to a more satisfying and interesting vocation or hobby.


At the risk of grossly over-simplifying things, I’m going to paraphrase this matter as…

Question: “I think what you do is awesome.  How can I do that sort of thing, too?”


Again, while I recognize that a one-size-fits-all answer isn’t ideal, this is my best shot at responding to the above.  We’ll call it the “one-size-fits-most” answer.  We are close to Halloween costume shopping season, after all!


Answer: Hey!  Thanks for reaching out!  My answer will be 100% honest, but I hope very much that it doesn’t come across as disingenuous or self-serving… it’s a very tricky subject, and far too often companies don’t understand or value this kind of knowledge and skill set properly.

Far and away, the primary answer I have to give folk is one that is simple and also a hurdle at the same time:  training.  I am not one to kneel at the altar of Certifications for their own sake; however, if someone has taken the time to successfully complete training courses and pass exams, etc., then that shows current as well as future employers that this individual values professional development and wants to apply their skills.

If you have an employer and you think they can possibly help support your education and would send you to training, that’s great.  If your firm is reluctant, however, or does not exactly understand the value of this kind of knowledge or how to leverage it properly, that’s more difficult.  If you are seeing security flaws in your own office or company facilities and want to report it… I urge caution.  Advice of this nature coming from internal voices sometimes is found to be unwelcome.  It might be best if you were to bring up some of the evidence put forth in perhaps some of my talks…

…and if you get any traction with any of those presentations (don’t overwhelm folk, just see if anyone watches or nods.  You can even queue up a clip in the middle and then let it play, etc) then you can suggest taking training.  If it feels like that may still result in a shrug, then suggest the company pursue advice from outside consultation.  Again, I know this sounds self-serving since this is one feature of my own firm’s work.  Still, if you value this kind of insight and want to see your company’s security posture improved, reaching out to us or to one of the handful of other businesses who are experts in this space may be a solid choice.  Doing so in a way where you serve as a point-of-contact overseeing a consulting task as opposed to the person doing it allows you to get credit for taking the initiative and generating the findings and also insulates you from the risk of being the scapegoat if people don’t like what’s learned during testing.


The tongue-in-cheek answer I tend to give during interviews and the like regarding “how did you get your start doing this sort of thing?” has always been, “I had a few of the right friends and a few of the wrong friends.”  It’s a good line.  It’s a snappy, easy delivery and makes for the kind of amusing copy that writers and editors like.  It’s also truthful, albeit an over-simplification.

If I didn’t have friends who were urban explorers and hackers with less respect for official rules and boundaries growing up, I might have not gotten interested in these kinds of skills myself.  From the very beginning I’ve considered Barry Wels (and the other Hippies from Hell) a tremendous inspiration and source of knowledge.  And I have to thank Mike Glasser for being so welcoming and willing to teach me (and for pulling me on stage at an early DEF CON during the single-digit years) when I was just getting a feel for lockpicking.  People who were willing to teach, including teaching things that were often considered forbidden knowledge, were instrumental to me.  Business owners who were willing to give me opportunities to participate in their work or in their training sessions if I would volunteer my time to assist or do other work that needed to be done on the side were also a benefit.  If you’re having trouble determining who among this cast of characters were the “right” versus the “wrong” people to know… you’re on the right track.  In truth, it’s a broad mix of voices from many diverse sources who contributed to me turning out like this.

(I will say that some of the “wrong” people were simply individuals and companies who are just woefully bad at business and folk who wouldn’t do emotional labor… Watching these persons and institutions flounder around as they failed to maintain healthy business relationships was also quite edifying, albeit disappointing.  But it’s a simple truth that if you can’t communicate well with others and aren’t willing to check your ego at the door and satisfy the real needs of those around you — as opposed to what you perceive they should need — then you’re going to have a Bad Time no matter what you try doing, business included.)

My life and current career (10 years in this field, as you see me now) are the product of at least the previous 10 years before that (a decade of unpaid or nearly-unpaid education, volunteering, and self-development while I was working to support myself via other means.)  I have been a student at Black Hat, SANS, Lockmasters, and more.  I double-majored in college when I returned to school later in life and hold a Bachelor of Science.  I hold a range of recognized certifications.  I have spoken over 200 times to audiences who were public, corporate, government, and military.  I have published books in my field.  And I still try to take at least one training course every year, even if it’s only tangentially related to my vocation.

Are all of these above steps necessary for someone to achieve success?  No.  Not a single one of them is a “do this or forever abandon your hopes of this career” point.  But every last one of them has played some part in all of the opportunities I’ve had and continue to have.  Choose from the above list (or see the TL;DR below) and try your best at such forms of self-improvement as you can handle.  That is the path to your own success.  There is no shortcut.  (But there are some poorly-locked doors along the way, and slipping by such obstacles is the kind of thing that Tarah detailed to a great degree in her own book.  Which I strongly recommend, no matter your age, gender, or industry.)



For companies: Train your employees, ideally once per year.  Allow them to have a say in what training options they have.  Hire outside experts as needed.

For individuals: Seek out training, either paid for by your employer or by saving up and doing it out-of-pocket yourself (tips here include asking if conferences have volunteer programs for reduced or zero tuition and also asking trainers if they ever operate classes direct to the public as opposed to through intermediaries).


This may not sound 100% fair, particularly if you already have a significantly developed skill set.  But the world is full of folk with the same hunger and same good personality as you… even if you consider the result of training to be “just a piece of paper” it remains, in the business world, an important designator that can set you apart from many other candidates who are seeking the same opportunities you are seeking.

I have taken professional training just about every other year (sometimes more frequently) throughout the past decade or more via a variety of recognized and established institutions as well as smaller outfits, etc.

The benefit to me: I’ve managed to sharpen existing skills and also acquire new ones.  I’ve improved my own teaching style by learning what to do (and, far more often, what I’m glad I *don’t* do) in front of my own students.

The benefit to my employers/clients/etc.: They can quickly assess the fact that I most likely know what I’m talking about.  They have a way of sorting me versus other potential folk with whom they might engage.  I don’t begrudge them for using the fastest and most available tools to make these kinds of decisions.  We’re all busy and we want to maximize the impact of our limited resources, and that includes time.


Make the most of your time… get training where you can and change minds when you can.  Call in outsider help when necessary.


Hope that helps, and good luck!