Timothy De Block

  • Blog
  • About
  • Technology
  • Media
  • EIS Podcast
  • EIS Archive

Finding my place

August 05, 2018 by Timothy De Block in Experiences

Two years ago I move to Tennessee.

We moved because I was taking my dream job as a senior software security engineer. I was sitting with developers as their security resource and improving their security in the software development life cycle. It was the culmination of two and half years of stress, frustration, and putting my family second. 

I went to my first BSides in November 2013. It was in beautiful Charleston, South Carolina. I remember it as an overcast day. I went with a buddy from work. The visit would kick of a five year tour of security conferences, two local user groups, and two podcasts. I've put a lot of time into the infosec community, because I knew it would help me advance my career. The reason I found my dream job was at one of the two local user groups I helped get started. The reason I got hired was because of the conferences I attended, the local user groups I helped start, and the podcasts I produced. My experience working with developers helped too.

After getting settled, I started to feel a little lost. For years I had pushed towards the goal of putting our family into a better situation financially. For me to find meaning and feel like I was making a difference. I accomplished both of those goals two years ago. For the past two years I've been struggling to figure out my next goal in the infosec community. I've been lost. I've spoken at multiple conference. I've given training. I've helped organize. Nothing has re-ignited that passion people say I have for the community.

I've thought about starting another local user group in middle Tennessee. I have talk ideas. I have new podcast ideas. I have training that I've started and thought I wanted to continue. None of that is keeping me engaged. I know a lot of good infosec people who aren't on Twitter. They're not going to multiple security conferences a year. They're still doing a damn good job. I envy them.

I've started to spend more time with my family. My kids are at the age where we can play board games. My wife loves playing Splendor. She recently went and saw The Ant-Man and The Wasp and thought it was a good movie. I think I can get her to watch Ironman and the other Marvel Cinematic Universe (MCU) movies.

We moved into a new house last year and we couldn't have asked for a better set of neighbors. Four households are hanging out regularly. We're barbecuing together. We're doing date nights together. We're planning future trips together. All of this is eating into the time I put into the infosec community. I missed putting out a podcast because I've started to focus on things outside of the community.

I'm starting to come to the realization that's okay. It's okay to to focus on things outside the community. I've never had a passion for the infosec community. I've had a passion to provide the best for my family. I could have done the same in another field. I almost joined the military as a paralegal. I believe I would have done just as well in the legal field as I've done in the infosec field.

Going forward, I plan to spend more of my time with family and friends. I still plan to be involved in the infosec community via the podcast, and conferences. The idea, is that the reason why I've struggled to find my place is because I've been focusing on meaning from the wrong area of my life.

August 05, 2018 /Timothy De Block
infosec, family, security conferences, podcast
Experiences
Comment
Picture 038.jpg

Exploring Information Security Newsletter

July 01, 2018 by Timothy De Block

Sign up for the Exploring Information Security Newsletter!

Squarespace has made a new feature available, email campaigns. I'm intrigued because it this could be a good opportunity to start up a newsletter for the podcast. I'm thinking I'll use the newsletter as a forum to announce things like new podcasts, conferences, and other things. I'd also like to provide something special for people who sign-up. I'm thinking behind the scenes type of stuff, maybe even some extra recorded audio. I sometimes have audio that doesn't quite fit the show but has something insightful or funny.

I'm going to start including a newsletter signup form on all the show notes and blog posts. If there are things you'd like to see hit me up on Twitter (@TimothyDeBlock) or email (timothy.deblock[@]gmail[.]com).

Subscribe

Sign up with your email address to receive news and updates.

We respect your privacy.

Thank you!
July 01, 2018 /Timothy De Block
podcast, EIS, Newsletter
Comment

ShowMeCon wrap-up and what's ahead

June 21, 2018 by Timothy De Block in Experiences

I know. I know. It's been two weeks since ShowMeCon. I've been busy! Within hours the neighbors wanted to hang out (I brought the St. Louis beer). The next day, I had a big case of the don't give a shits. I didn't get a podcast ready for that night's release.

I went to work Monday expecting to head home and work on some stuff (like get a podcast out). Instead I was informed the development team I work with was heading to Nashville Sounds game, because some people were in from out of town and I was invited. I went. Tuesday, I played soccer for two and half hours, because I like pain (I didn't regain full functionality of my legs until Saturday). Wednesday was a social night, because those same people were in town (yay!). I got home and got the podcast out, three days late. Thursday, I wrote about suicide. Friday, I wrote about password policy. Both very serious topics.

Things sort of got normal after that. I took the weekend to kind of dink around on stuff I wanted to do. Monday I got two of the four podcasts edited I needed to. I was invited over the neighbors Tuesday for beer and baseball. Finally, last night I got four podcasts scheduled. I'm heading to Asheville tomorrow for BSides Asheville (still looking for a ticket). Much beer (and maybe a podcast) will be involved. Tonight is the night for me to write something and hopefully get a little Overwatch in. Damn I've been busy. Didn't really realize that until writing it down.

Back to ShowMeCon. This was my third year and fantastic as always. It's the ideal security conference. The hackers think it's too businessy. The business people think it's two hackery. There are more women at this conference than any other security conference, I've been to combined. I love it!

I did my first ever podcast panel, which went really well for being the first time. They had a personal trainer there to talk about health and fitness. There were a lot of questions at the end. This might be something I need to write about. I do work at a wellness company after all!

During the conference I managed to get two interviews for the podcast recorded. I really like the idea of recording interviews at conferences. It's a much better vibe when the two people are in person. It flows better. There's the low rumble of the crowd. The low thud of doors smacking closed. It's fantastic. Those will be releasing over the next two weeks.

Now that ShowMeCon is over, I've been re-evaluating my desire and need for submitting to conferences. I've been speaking since 2015. It's a great challenge and a good career booster. Now that I'm at a company that I adore and in a role that continues to expand, I'm starting to wonder the value I'm getting out of submitting to conferences. I love sharing ideas and challenging myself to become a better speaker. The downside to speaking is that it takes time away from my family.

I have two kids still in the single digits. I'd like to spend more time with them. At one point I was slated to be at 12 conferences this year. With other obligations, conflicts, and one conference not happening this year, I'm down to eight. That's still quite a bit. I've presented at all five I've gone to this year. It's not just going to the conference that takes time. It's also the preparation leading up to the conference. I spend several hours putting the talk together. Then I spend the week leading up to the conference practicing the talk. This is on top of the weekly podcast I produce.

I spend a lot of time in the field. Because of my expanding role I'm spending more time at work now too. I'm trying to find that balance. I'd like to spend more time with my kids. I think that will be at the cost of the conferences I attend. If I do submit a talk, it'll be for a podcast panel. The preparation for that is much easier than a full blown talk. I'd like to say I'm cutting back on conferences, but I don't think it'll take much for me to go to a conference (someone asks). We'll see.

 

June 21, 2018 /Timothy De Block
ShowMeCon, infosec, security conferences, podcast
Experiences
Comment

How do you feel about NIST recommendation that passwords should no longer be rotated and instead have a longer minimum requirement?

— Timothy De Block (@TimothyDeBlock) June 14, 2018

Digging into the new NIST password policy recommendations

June 15, 2018 by Timothy De Block in Technology

I've had a few instances recently, where questions around the new NIST password policy recommendations have popped up. It first happened last week when I was at ShowMeCon. The second question for our panel was around the new NIST recommendation for passwords. Then I had someone ask me about it in the comment sections on this site. I feel like there was another instance, but I can't remember it.

I tweeted out the poll above on Twitter. As you can see two-thirds of infosec professionals like it. I am in that camp as well. There was some great discussion on why it's not a good recommendation in the replies to the poll. Dave Chronister was also against it on the panel at ShowMeCon. I decided I wanted to dig into it a little more.

My understanding of it is that NIST recommends increasing the minimum requirement for password complexity and ditching the rotation of passwords every 90 days. The idea being that people are more willing to remember longer and more complex passwords if they don't have to rotate it as often. I've asked some people at work about this and they are in favor of not having to change their password as much.

I know how easy it is to either crack or compromise someone's credentials via a phish. The question I have is if anyone on a penetration test has had their credentials stop working because that person's password was 90 days old (If you've had this experience I would love to hear about it in the comments). In my view this new recommendation improves the user experience while asking them to improve their password. Someone would still need to rotate their password if compromised.

Before we get to far down user experience, lets take a step back and look at what NIST actually recommends. The guideline is NIST 800-63b. This is my first time reading it as I'm writing this post (and having a delicious home-brewed chocolate milk stout).

We're looking at section 5.1.1.1. There it says password lengths, "...SHALL be at least 8 characters in length if chosen by the subscriber." It goes on to say later, "No other complexity requiremnets for memorized secrets SHOULD be impost." There is no mention, specifically, of rotating passwords. My assumption is that it was removed from the documentation. According to passwordping.com it added the requirement to screen for commonly used or easily guessable passwords. Which I see in 5.1.1.2.

Based on that NIST is suggesting we ditch password complexity and rotating passwords, but keeping an 8 character minimum. I'm not sure I'm on board with that. I'd prefer to require longer passwords and ditch complexity and rotation of passwords. I think there needs to be a give and take here with passwords. We'll require less rotation of passwords (they're just enumerating anyways) for longer passwords. That doesn't seem to be the case with the new NIST recommendation.

I like the idea of challenging some of our old ways of doing things in the industry. I recently talked to someone about passwords. They were complaining to me about how many passwords they had to remember. I asked if they were using a password manager. They were not. That was a red flag right there that they were probably using weaker passwords. That also meant they were probably enumerating their password by numbers or characters. Which meant that even if they rotated their password you could probably guess the new one.

I am a big believer in practical security. I think it's a good approach. It's a good balance between meeting people's needs and getting security most of what they want. If ditching the rotation of passwords results in longer and stronger passwords I'm all for it. I like the idea of checking for commonly used or easily guessable passwords. I really like the idea of checking for compromised passwords from a site like Have I Been Pwned?

June 15, 2018 /Timothy De Block
Passwords, Have I Been Pwned, NIST
Technology
Comment
2018-06-14 00_21_42-Titus S03EP09_ Errrr 3_3 - YouTube.png

ERRRR Suicide

June 14, 2018 by Timothy De Block in Experiences

Christopher Titus saved my life.

I graduated from high school in 2000. Right around that same time Titus appeared on Fox. I was instantly hooked. The show was funny and dealt with some deep dark emotional issues. It was the realist thing I could come to a comedy. In 2002 it ended up saving my life and to this day has abated any thoughts of suicide.

I was in the Navy at the time. I don't remember my exact reason for being in the lounge at our barracks, but I was having a pretty shitty day. I remember thinking, "Maybe I should just kill myself." That's when I found Titus on the TV I was flipping through in the lounge. The episode was, "Errrr." The premise of the episode was Titus catching his niece trying to commit suicide. He stops her and sits down for a chat about the time he tried to kill himself. The episode was hilarious and at the end of it I realized, how ridiculous the idea was.

I wanted to share this, because I recently had someone IM me about leaving work. They were concerned that I left agitated. I responded that I had a lot on my mind recently and I was working through it. They responded with encouraging words and let me know I could call a suicide hotline. I responded with a clip of the episode from YouTube. Suicide is not something that has crossed my mind, but I know it has crossed the minds of others.

Our industry is tough. We have a lot today and a lot of push back from people inside our organization. I'm blessed that the push back is minimal from my organization. We have our frustrations. Overall I realize I'm in a good situation. I have my good days and my bad days. I struggle to meet internal expectations.

I should drink less. I stay up to late. I should play video games less. I should spend more time with the kids and my wife. I should get this certification. I should blog more. I need to get another guest for the podcast. I need to edit these three podcasts. I should spend more time at work getting all this work done. I should. I should. I should.

I still struggle with internal expectations. I fail constantly. I go to bed too late. I don't spend enough time with the wife and kids. It's gotten better moving to Tennessee. I take them with me to some of the conferences I attend. Still I'm not with them. I'm attending the conference. I'm working late. I'm hitting the gym, because I need to relieve some stress and I want to show them the good habit of working out.

I'm still trying to figure it out. I mention this because I think a lot of us are. I've had conversation with people about alcohol after my alcohol posts. I think they're some of my most liked content on the site. I think that with social media we see a lot of the wins in people's lives. Not a lot of their loses. I'm hoping this post can change that. For all my success: the podcast; speaking engagements; a great job. I can show that we don't always have it together. Even the best of us still frown. Even the best of struggle and just try to make i through the day. It's okay.

After tomorrow is a new day. A new opportunity to do something great or learn from a failure.

2018-06-14 00_23_06-Titus S03EP09_ Errrr 3_3 - YouTube.png
June 14, 2018 /Timothy De Block
Mental Health, failure
Experiences
Comment
  • Newer
  • Older

Powered by Squarespace