Alcohol Update

It's been a while since I've posted about alcohol and my effort to reduce how much I'm consuming. I am still drinking more than I think I should. I'm trying out a couple of techniques. The first is to not moralize my drinking. I should not feel bad for drinking, essentially. I don't drink a lot. Maybe 12-18 a week, most of that on the weekends. About once a week I'll drink during the week.

My first step to not moralizing my choices was to try to make drinking alcohol normal. That means when I feel like drinking, I should have some. Try not to make alcohol the forbidden fruit. I'm still drinking the same amount. I am still moralizing my purchases of beer. So this technique is to be determined. That's the other thing I've realized and I'm trying to remember: this will take time. It took me several years to truly quit smoking. I scaled back very slowly over a long time period until I finally quit. I feel that approach was effective because I've had cigarettes with people since, and the urge or desire to pick the habit up again hasn't reared its ugly head.

The other technique I'm trying is to reward myself when I don't pick up a pack. I have a list of things I want that aren't essential to my livelihood. They're nice-to-have items. Every time I have the urge to purchase alcohol but decide not to, I tally that. I give myself $10 for every situation like that. I've done that four times so far and purchased myself Overwatch loot boxes during the most recent special event. I have other things on the list ranging from $20 to $70. I feel like this gives me a choice between spending the night drinking or saving for something else that will bring enjoyment to my life. I've only been doing it for a few weeks now, but it is helping.

I'll update when I feel I've made some progress. I'm trying to approach this as a troubleshooting exercise. See what works and what doesn't. Adjust as necessary. I think the hardest part at this point is seeing my successes and remembering that this will take time. When I purchase alcohol, I'm buying things with less ABV. I'm kicking myself less when I wake up after a night of drinking 6+ beers. That's a win in my view.

To cover letter or not to cover letter

Yes, write a cover letter. They will help you stand out and express things about you that bullet points cannot.

There is one scenario in which I don't write a cover letter: if I'm working through the process with someone I know or am acquainted with. For any other opportunity, I am writing a cover letter to go along with a resume.

Why cover letters are important

Cover letters are a great opportunity to stand out from the pile of resumes sitting on a hiring manager's desk. I recently heard some chatter that cover letters aren't relevant anymore. I would argue that they're rare, which is exactly why you should write a cover letter for a job posting.

I used to not write cover letters. Writing a cover letter is hard. It requires inner reflection and an ability to write coherent sentences. For a non-writer that can seem daunting. I'll walk through how I write a cover letter below. I took chances in my cover letters, and I was rewarded with, at the very least, a conversation. That's all we are looking for from a resume and cover letter: a chance for a conversation.

Cover letters are a great opportunity to show what you know and why you would be a good fit. Here are my two most recent cover letters.

Example one

You have to be very careful about pointing out issues in a website. It's like telling someone their baby is ugly. I ended up getting a call anyway. It was a short call. They were looking for someone who would jump in and start writing secure code. I was not that person. We both agreed it wasn't a great fit for them or myself.

Example two

In this example, I went much further in the interview process. I did several interviews and even made it to the phase where you perform a sample security assessment on an application. This example is a little more standard. It highlights my desire to get into the appsec field and the activities I'm doing to accomplish that goal. I didn't get this role either. They were looking for someone more senior, and I was looking for something closer to junior. Going deep into the process, though, was a valuable experience.

How to write a cover letter

Hopefully, those two examples are useful and provide ideas for writing a cover letter. Walking through both examples, the first part of the cover letter is all the contact information: your information, the company's information, and the date.

If you have a name for the person who will review the cover letter, address it to that person. I recommend not using "To whom it may concern," because there's something about the phrase that can rub people the wrong way. I like "Hiring Authority," because it empowers the person reading the letter. It provides them with a sense of importance that "To whom it may concern" doesn't.

My first paragraph focuses on the role I'm applying for and what makes me a good fit for the role. In the first example, I'm focusing more on recommendations I can make in the role. In the second example, I'm trying to say that I have a strong interest in appsec despite a weak background in development. Re-reading both first paragraphs makes me want to throw up. However, I'm keeping them (and the rest) unedited to show that a cover letter doesn't have to be an amazing thing. Try to provide a little insight into your personality. Take chances.

In the middle paragraphs I'm focusing on me: what makes me a good candidate, what experience I have, and what activities I'm doing to help improve my skills in the field.

In the final paragraph I focus back on the position and highlight what makes me a good fit for the role, sort of summarizing the whole thing. Then finally, "Sincerely," and your name. In example two I misspelled "sincerely," which simply highlights the need to re-read your cover letter for mistakes.

Write a cover letter to stand out

When I talk to people trying to fill a particular role, one of my questions is how many cover letters were submitted. The numbers I get from those people are very low. Cover letters give you an opportunity to stand out and highlight your strengths as a candidate. Resumes are bullet points of accomplishments and responsibilities. They say very little about you as a person.

Cover letters are frustrating to write. The more you write them, the easier they become to write. I would avoid using a template. For each job you're submitting to, write a fresh cover letter. Cover letters show a willingness to go the extra mile, which is why you may be surprised to find yourself getting more calls from potential employers.

Converge and BSides Detroit talks and slides

I had a great time at Converge and BSides Detroit.

This was my third attempt at going, and I'm happy I finally got the opportunity to do so. The last two years I've had to cancel my plans for life reasons. I did two talks this year, one at Converge and one at BSides. Both are linked below along with the slides for both talks.

How to kick start an application security program - Converge Detroit

I've given this talk at three other BSides prior to Converge. I feel like this is my best presentation of the talk so far. I will be giving it again at ShowMeCon in June.

The AppSec Starter Kit - BSides Detroit

This was my first time giving this talk. I thought it went well for its first attempt. It still needs polish. It will probably be a while before I give this talk again at a security conference. I made this talk to present at developer conferences. It hasn't been picked up yet. I'm hopeful it will be for some talks later this year.


HipChat's Security Win

I was disappointed not to find any of the HipChat coverage in my Feedly reader this morning from the infosec news sites. It hit plenty of mainstream sites like Engadget. I'm sure there is coverage on some infosec sites. It's just not as widespread as I see for other breaches. Why is this?

Well, it might have to do with HipChat having a good response to their incident. Most of the detail for the breach comes from their own blog. Over the weekend they detected a security incident affecting their servers. The incident was the result of a vulnerability in a popular third-party library. The attacker may have accessed user account information for everyone using the service. Because of that, they invalidated everyone's password and asked them to set up a new one via the forgot-password link.

They were reaching out to the 0.05% of their users who were more seriously impacted by the breach. For those users, messages and room content may have been accessed. For everyone else it was just (potentially) account information.

While this is an unfortunate incident to occur, this is a security win for HipChat.

They detected the incident and within days made an announcement. This led to a very small percentage of users being impacted. They went ahead and invalidated everyone's password. I logged out and tried to get back in with my old password, and it wouldn't work. I had to use forgot password. This meant the password didn't need to be changed immediately if people were still at work or hadn't heard of the breach yet. Unfortunately, I don't think they accounted for the demand on their forgot-password page. The page was effectively denial-of-serviced, causing some frustration among users. I'm sure there will be plenty of lessons learned this week.

I wanted to write this post because I think we should highlight more security wins in our industry. The sites I use to keep up on infosec are focused on NSA backdoor detection, BrickerBot, and other nasty things. All still relevant and scary. However, we are seeing some positive things in security. HipChat is a good example of that, and I applaud them.