Timothy De Block


The more I dig into #infosec the more I find that the really good people aren't people you've heard about on Twitter.

— Timothy De Block (@TimothyDeBlock) January 29, 2019

Some thoughts on infosec and social media

January 30, 2019 by Timothy De Block in Experiences

I posted the thought above on Twitter a couple nights ago.

Rereading it, I feel I need to expand upon my idea, because there are a couple motivators for the tweet. First, the tweet was not worded very well. It comes off as saying that people on Twitter are not as good as those not on Twitter. This wasn’t my intention. I think there are really good people both on and off Twitter. The idea is more about myself and evaluating whether or not I’d be a better infosec person if I were to stay off Twitter.

A majority of the people I work with on the security team are not on Twitter. All of them are really good at what they do. I know there are more of those types of people, because I’ve worked with others who are really good at what they do. Twitter is a very small subset of the people within the infosec field. I think it’s important that what is said and done on Twitter doesn’t necessarily reflect on the entire industry. I was also watching a YouTube video at the time of a buddy of mine who has a Twitter account, but doesn’t tweet a lot. He’s really smart and is doing some pretty amazing things in the field. I’ve wondered if I need to be spending more time being productive and less time on Twitter.

Twitter being just a small part of Twitter is also why I was a bit disappointed to hear that this year is DerbyCon’s last. I like to go to DerbyCon. I have a good time and I catch up with friends and make new ones. There’s a lot of positives to the conference. Unfortunately, there is also some drama, which gets amplified by Twitter. It’s draining on the conference organizers. I get it and I don’t have any ill feelings towards their decision. It’s their conference.

What I think it highlights to me is that sometimes we need to step out of our own little bubble and look around. Twitter, and social media, is our own little world. We create it and curate it to our beliefs and preferences. It can certainly be a useful tool for information, but it can also create our own bubble that consumes and drowns us.

Things that get our attention the most on social media are controversial. It’s frustrating and depressing. I take solace in the fact that there’s a larger world with those things but also a lot more good.



social media, DerbyCon, infosec

I did a thing!

January 04, 2019 by Timothy De Block

I bought a C922 Pro Stream Webcam at Best Buy last week (thanks for the price match!). I’ve always been intrigued by streaming, but was never able to pull the trigger. That changed last week. I figured why not! Plus, I can try using it for the podcast.

If I can get affiliated (need followers and interaction in chat), I can start making money. With that money I intend to donate it to a monthly charity. I’m guessing this could take a while as I build an audience, however, it’s something I consider a goal in 2019. If Twitch is your thing, I’d greatly appreciate that support!

Check out the Twitch channel.

Twitch, Streaming, Media, Overwatch

Curious about OSINT?

December 27, 2018 by Timothy De Block in Media

Check out https://osintcurio.us/. It’s a new site authored by several pretty well known names in the industry. How it got started is a mystery (how I got invited is even more of a mystery).

I’m really excited for the site. There are already 11 posts on the site (including my origin post), including one about Python and how to use it for OSINT purposes. As with other communities I’ve contributed to, there’s a lot of excitement to start. Then it dies off. I don’t think this is the case here. There’s a lot of people involved that are really into OSINT. Most of them are regular contributors. I hope I can match their energy for this site.

OSINT
BSides Nashville 2014. One of the first pictures I took for the security community.

How to increase your chances of breaking into infosec

December 19, 2018 by Timothy De Block in Experiences

Get involved with the infosec community. That’s it. I’ll elaborate.

The best way to get hired for a security role is to know someone. The key part of that sentence is the, “know someone” part. That requires getting out there and doing things within the community. That can be a variety of things:

  • Contributing to open source projects.

  • Become an active member of a niche community in the field (OMG the Slack channels out there).

  • Writing a blog post.

  • Producing a podcast.

  • Attend a conference.

  • Shooting pictures at a conference.

  • Volunteer at a conference.

  • Speak at a conference.

These are all the things I’ve done. I also see people doing things like:

  • Twitch streaming.

  • Writing a book.

  • YouTube channels.

  • Singing.

Find something you’re really passionate about (not infosec) and bring it to the field. For me it started with photography. I’ve always liked taking photographs. I have a media arts degree and took some photography courses (so I kind of know what I’m doing). I reached out to a BSides organizer to see if they’d be okay with me coming and shooting some pictures at the conference. That one contribution eventually led me to my current place of employment (and I absolutely love what I’m doing).

It was BSides Nashville. One of the organizers works at the place I’m currently employed. They were looking for an AppSec guy, so she told her AppSec guys. I luckily knew one of those AppSec guys and as a matter of fact had just started an OWASP Chapter with that AppSec guy. You never freaking know when things will connect for an opportunity*.

* I met my wife, because we saw someone we knew on the highway at 80 MPH. A story for another time.

Prior to that I would look for a job via online postings. At one point it took me 15 months to find a new job. I got into security via a job posting, so there is a path that way. It’s just not the most efficient. I got my next security role, because I had helped start a monthly local user group meetup. The CISO was looking for a few good security people. That local user group has gotten several other opportunities. Mostly because of who you know; partly because it looks really good on a resume. It looks like you’re engaged.

Everyone has a different path. What increases the chances is getting out there. Contributing without expecting anything in return. Showing that you can provide value to someone else. What are your strengths and passions? Now bring that to the infosec field.

infosec, career

Application Security resources for beginners

October 29, 2018 by Timothy De Block in Technology

This is a continuation of my resource series of posts. Application security is the field I found a lot of interest in. This despite coming from the operations side of IT, not development. Using the resources below I was able to get a job in application security.

Websites:

  • Troy Hunt

  • Open Web Application Security Project

I first realized I had an interest in appsec after reading a Troy Hunt post. Not only were things explained well, but I was also paying attention to every word in his blog posts. He has since branched out to more breach related content as the creator and maintainer of Have I Been Pwned. Still he has a lot of good appsec content. He has several courses on Pluralsight for beginners plus. He also does a weekly podcast that’s worth checking out.

The Open Web Application Security Project (OWASP) is the go-to resource for AppSec. It’s a massive non-profit organization that has tons of projects, knowledge bases, cheat sheets, and more. There might even be a local OWASP chapter. There are annual conferences to attend (I’ve never been). It’s the resource I recommend for people starting out.

Podcasts:

  • DevelopSec

  • Application Security Podcast

James Jardine puts on the DevelopSec podcast. The podcast is targeted at developers. It’s also consumable by security people. This podcast doesn’t release on a regular schedule. The Application Security podcast is also targeted at developers. It releases in seasons.

Training:

  • SANS SEC542

  • PWAPT

The first bit of AppSec training I got was the SANS SEC542 Web Application Penetration Testing and Ethical Hacking. It’s a lot of AppSec information, concluding with a Capture The Flag (CTF) exercise. I’d try to get your organization to pay for this as it’s several thousand dollars.

The Practical Web Application Penetration Testing course is a Tim Tomes course. He’s a former SANS instructor who puts on this training several times throughout the year in public and for organizations. It’s a great affordable course that Tim tries to keep up to date with relevant information.

appsec, Resources, infosec, training, Have I Been Pwned